05-02-2004, 10:21 PM
Again, something we entirely agree about.
To the idea some people have that one must be an expert with computers before using one. Not every car driver is Mario Andretti or his pit crew. Imagine the chaos if automobiles were as susceptible to external hacking as computer OS's. The problem with much of the internet is that it was designed and built with little forethought to mailice.
MS is to blame for not turning off services that most users do not use by default. MS is to blame for building into their architecture, Active X which has Administrator authority over the entire machine. Even if one is very, very aware of all MS foibles, you cannot be any safer to the unexplored bug that is awaiting discovery. Just be thankful when you get the patch installed before the worm has done it's damage.
That said, I have very few problems in my shop.
Beyond the natural defenses of a firewall, here are my rules;
1] No dangerous or large attachments -- I have an e-mail (and Bayesian spam) filter remove every known executable and deliver to the sender and receiver the message that "Email is not to be used for file transfer." If you want to do file transfer use the FTP server. Each server, including the e-mail server, scans itself for malware.
2] All machines on the network must have an active Anti-Virus software that attempts to update its signatures every day, and performs a full system scan. The results are collated and reported to the administrator to review in the morning.
3] All machines on the network have automatic patch updates installed, either RPM's or WindowsUpdate.
4] All daily usage accounts are not Administrator accounts and have no authority to alter the OS, or core files on even the local system. Administrator accounts are used for applying changes only. My users cannot even install Shockwave without getting the help desk's approval.
Even with these precautions I had one incident this spring. An external infected laptop (an executive's) was attached to the network and infected an embedded OS in our phone system with Nachi. Prior to that incident, the phone system was managed by the telecom vendor. But, after that incident I decided that any device on the network had to be fully managed and monitored by us.
There is of course a bigger picture solution. PKI. But, then again, no one really wants to sacrifice all privacy for security.
To the idea some people have that one must be an expert with computers before using one. Not every car driver is Mario Andretti or his pit crew. Imagine the chaos if automobiles were as susceptible to external hacking as computer OS's. The problem with much of the internet is that it was designed and built with little forethought to mailice.
MS is to blame for not turning off services that most users do not use by default. MS is to blame for building into their architecture, Active X which has Administrator authority over the entire machine. Even if one is very, very aware of all MS foibles, you cannot be any safer to the unexplored bug that is awaiting discovery. Just be thankful when you get the patch installed before the worm has done it's damage.
That said, I have very few problems in my shop.
Beyond the natural defenses of a firewall, here are my rules;
1] No dangerous or large attachments -- I have an e-mail (and Bayesian spam) filter remove every known executable and deliver to the sender and receiver the message that "Email is not to be used for file transfer." If you want to do file transfer use the FTP server. Each server, including the e-mail server, scans itself for malware.
2] All machines on the network must have an active Anti-Virus software that attempts to update its signatures every day, and performs a full system scan. The results are collated and reported to the administrator to review in the morning.
3] All machines on the network have automatic patch updates installed, either RPM's or WindowsUpdate.
4] All daily usage accounts are not Administrator accounts and have no authority to alter the OS, or core files on even the local system. Administrator accounts are used for applying changes only. My users cannot even install Shockwave without getting the help desk's approval.
Even with these precautions I had one incident this spring. An external infected laptop (an executive's) was attached to the network and infected an embedded OS in our phone system with Nachi. Prior to that incident, the phone system was managed by the telecom vendor. But, after that incident I decided that any device on the network had to be fully managed and monitored by us.
There is of course a bigger picture solution. PKI. But, then again, no one really wants to sacrifice all privacy for security.
”There are more things in heaven and earth, Horatio, Than are dreamt of in your philosophy." - Hamlet (1.5.167-8), Hamlet to Horatio.
![[Image: yVR5oE.png]](http://imagizer.imageshack.com/img924/329/yVR5oE.png)
![[Image: VKQ0KLG.png]](http://i.imgur.com/VKQ0KLG.png)