since we did a network overhaul (defined in detail shortly) 2 years ago, we have had zero incidents of malware/virus’/badware on any machines that we know of (i know i will probably walk into bedlam tomorrow morning after saying that ;). after a recent mailing list conversation, i thought i would share some stuff we have done in detail to help anyone else going about the same process. here we go.
the 30 thousand foot view is this:
- we reformatted every workstation and every server in one weekend (yes, you read that correctly)
- users given user only rights, no power users or administrators.
- we leveraged ms gpo’s to hide the c drive, limit what type of files could be saved, and prevent applications from running unless specifically allowed (application whitelist), etc.
- we utilized ms’s wsus to apply patches across the board, workstations and servers
- we started using a gateway device that did web filtering and also implemented a squid proxy server with whitelists
- a copy of advanced installer was purchased so we could create msi’s to push all software out via gpo’s (this is great for new versions of software, pulling back software, etc)
- we used gpo’s to config the workstation so that it automatically logged into our terminal server farm via single sign on (sso), more or less creating a pseudo thin client out of cheap desktop machines
- if you want a user to do/not do something, don’t ask them. force them.
- prevention is the best medicine