Tutorial by Brien Posey
JANUARY 10, 2005 (WINDOWSECURITY.COM) – If you asked me to describe the Internet in one sentence, I would have to describe it as the most hostile environment imaginable. Lately, I have been hearing of some companies that are revoking employee Internet access in the interest of protecting their network from spyware, adware, browser hijackers, viruses, and other types of Trojans.
While I can certainly understand the concern, the fact remains that the Internet is a tremendous business resource when used properly. The trick is to allow your employees to access the Internet, but to take steps that protect them, the network itself, and the company.
Unfortunately, there are so many things that you need protection against that it would be absolutely impossible for me to address them all in a single article. For example, in addition to protecting your company against spyware, you must protect against the disclosure of sensitive information and against the possibility of lawsuits related to content that enters your company through the Internet. I’m personally against any form of censorship, but in the United States you almost have to set up filters that block employees from accessing certain types of Web sites just to avoid lawsuits from an employee who is out to make a fast buck by claiming to be offended by something that they saw on someone’s monitor.
As I said though, I don’t have enough space to discuss such issues in detail, but these are issues that you must address in order to protect your company. What I want to focus this article on instead is protecting your employees from spyware, adware, browser hijackers, and all of the other nasty parasites that one can pick up through unsafe surfing habits.
You may have seen the article that I wrote last month regarding ways of fighting spyware. Although I fully stand behind the techniques that I discussed in that article, most of those techniques are focused on individual PCs and on cleaning up after an infection has already occurred. This article is in no way intended to replace the information found in that article. Good anti-virus software and anti-spyware software are absolutely essential. It has always been my philosophy though that anti-virus software and anti-spyware software should be your organization’s last line of defense, not the first line of defense. After all, why depend on your anti-virus/anti-spyware software to detect, prevent, or clean an infection, when you could simply block the malicious code altogether?
The Firewall’s Role
I recently cleaned a massive spyware infection off of a neighbor’s computer. She was legitimately surprised that the infection was able to occur because she was running Windows Firewall. Generally speaking, a firewall won’t prevent an infection, but it will help to limit the amount of damage that an infection can do.
To understand why this is the case, you need to understand the nature of the TCP/IP protocol. TCP/IP is made up of roughly 65,000 TCP and 65,000 UDP ports. The easiest way that I can think of to describe these ports is to compare them to channels on a radio. If TCP/IP were FM radio, then a TCP or a UDP port would represent a single channel on the FM band.
Various TCP and UDP ports have been reserved for specific functions, but the vast majority of the ports go unused. A firewall’s job is to block all unused ports so that hackers and malicious software are unable to use them to attack your machine.
The problem with spyware is that most of it exists in the form of ASP or Java scripts that are embedded in a malicious Web page. When you access a Web page, the page is sent to your machine through TCP port 80. The problem is that if spyware code is embedded in a page, then it reaches your PC through the exact same firewall port as a legitimate Web page. There is no way to filter out spyware at the firewall level.
This doesn’t mean that you shouldn’t use a firewall though. Many types of spyware are designed to transmit information about your computer and the way that you use it to someone on the Web. These transmissions typically occur over some obscure TCP or UDP port. You can therefore prevent such spyware from “phoning home” by configuring your firewall so that it filters outbound as well as inbound traffic.
One thing to keep in mind though is that although I definitely recommend enabling the Windows firewall, it is incapable of filtering outbound traffic. You will have to either install a second firewall on each machine or filter outbound traffic through your corporate perimeter firewall.
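As an added example (not from the original article), here is the outbound-filtering idea applied to a set of constructed connection records: a default-deny egress policy that allows only the web ports and DNS to the internal resolver, and reports what would be dropped. The policy entries, addresses and port numbers are assumptions chosen for the illustration.

```python
from collections import namedtuple

# One outbound connection as a perimeter firewall would log it.
Conn = namedtuple("Conn", "proto src dst dport")

# Constructed sample traffic from two LAN workstations (not real captures).
SAMPLE_CONNS = [
    Conn("tcp", "10.0.0.15", "203.0.113.10", 80),     # ordinary web browsing
    Conn("tcp", "10.0.0.15", "203.0.113.10", 443),    # ordinary HTTPS
    Conn("udp", "10.0.0.15", "10.0.0.2", 53),         # DNS to the internal resolver
    Conn("udp", "10.0.0.15", "198.51.100.7", 53),     # DNS straight to the Internet
    Conn("tcp", "10.0.0.22", "198.51.100.9", 31337),  # obscure TCP port
    Conn("udp", "10.0.0.22", "198.51.100.9", 6667),   # obscure UDP port
]

# Egress policy (assumed values): (proto, dport) -> allowed destinations,
# or None for "any destination". 10.0.0.2 is the constructed internal resolver.
EGRESS_POLICY = {
    ("tcp", 80): None,
    ("tcp", 443): None,
    ("udp", 53): {"10.0.0.2"},
}
_DENY = object()  # sentinel: proto/port pair is not listed at all

def is_allowed(conn, policy=EGRESS_POLICY):
    """Default deny: pass only listed proto/port pairs, and only to the
    permitted destinations when the rule names any."""
    allowed_dsts = policy.get((conn.proto, conn.dport), _DENY)
    if allowed_dsts is _DENY:
        return False
    return allowed_dsts is None or conn.dst in allowed_dsts

def blocked_connections(conns, policy=EGRESS_POLICY):
    """Connections the egress filter would drop, i.e. attempts to talk out
    on ports a workstation has no business using."""
    return [c for c in conns if not is_allowed(c, policy)]

def blocked_hosts(conns, policy=EGRESS_POLICY):
    """Sorted source addresses with at least one dropped attempt: the
    machines to hand to the anti-spyware scanner."""
    return sorted({c.src for c in blocked_connections(conns, policy)})

if __name__ == "__main__":
    for c in blocked_connections(SAMPLE_CONNS):
        print(f"dropped outbound {c.proto}/{c.dport}: {c.src} -> {c.dst}")
    print("hosts to inspect:", blocked_hosts(SAMPLE_CONNS))
```

What the filter drops doubles as a detection signal: a workstation repeatedly trying an obscure port is exactly the machine to scan next, since the firewall limits the damage but does not clean the PC.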
One of the most important things that you can do to prevent malicious software from infesting your network is to implement some E-mail security. A lot of people assume that if an E-mail message doesn’t include an attachment then the message is safe.
At one time this used to be true, but not anymore. E-mail messages can contain HTML code. This code can call external scripts that can wreak havoc on your machine. The sad part is that you don’t even have to open a message in order to activate the script that it contains. Outlook contains a preview pane that allows you to view the contents of a message without actually opening it. If a malicious message is displayed through Outlook’s preview pane, that is often enough to trigger the malicious code.
There are several things that you can do to prevent malicious code from reaching your users through E-mail. First, install the appropriate anti-virus software on both the workstations and your mail server. Make sure that you use the standard server-level anti-virus protection, plus an anti-virus package that’s specially designed for your mail server. For example, in my own organization, I have the normal anti-virus software installed on my mail server, but the server also contains anti-virus software that’s specifically designed for Exchange Server. This software analyzes every inbound message and removes E-mail based viruses before they ever reach a user’s mailbox.
Doing that will keep viruses at bay, but you also need to protect users against spyware. Most spyware that comes through E-mail arrives attached to spam, so it’s important to install a good server-level anti-spam product that will keep spam out of the users’ mailboxes.
Finally, you should install Outlook 2003 on the users’ workstations. Outlook 2003 is specially designed not to execute potentially malicious code that may arrive in an E-mail message. Microsoft has also designed Outlook 2003 so that certain types of potentially malicious attachments can’t be opened directly through Outlook.
The last thing that I want to talk about is how you can prevent spyware from infesting your network by making effective use of group policies. As you probably know, group policies are designed to configure the security settings of each workstation as it attaches to the network. What a lot of people don’t realize is that you can control Internet Explorer’s configuration directly through a group policy.
The Internet Explorer related group policy elements can be found by browsing through the group policy tree to User Configuration | Windows Settings | Internet Explorer Maintenance | Security, as shown in Figure A.
Figure A: You can configure Internet Explorer’s security settings through a group policy.
If you double click the Security Zones and Content Ratings option, you will see a screen that lets you customize the security and privacy settings. Select the Import the Current Security Zones and Privacy option, click the Modify Settings button, and you will see the familiar Internet Options properties sheet, shown in Figure B. The difference is that the settings you enter here apply to every user that the group policy applies to (assuming that a higher-level policy doesn’t override them).
Figure B: The Internet Options properties sheet can be used to configure Internet Explorer for all of your users.
The actual settings that you implement are up to you, but I recommend setting the Internet zone to Medium security, but also blocking any and all ActiveX controls. I recommend setting the Restricted Sites zone to High Security. I also recommend periodically adding known malicious sites to the Restricted Sites zone. There are a lot of places on the Internet where you can download lists of Web sites that are known to be malicious. I also like using a free utility called Spyware Blaster (https://www.javacoolsoftware.com/spywareblaster.html) because it contains its own list of malicious sites. You can copy the list of malicious sites from Spyware Blaster into the Restricted Sites zone.
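As an added example (not code from the original article or from SpywareBlaster), the following builds a .reg file that places a list of domains into Internet Explorer’s Restricted Sites zone for the current user, using the ZoneMap\Domains registry layout and zone number 4 for Restricted Sites. The site names are constructed, and the assumption that a registrable domain is its last two labels is noted in the code.

```python
# Registry location IE uses for per-user site-to-zone assignments, and the
# zone numbers it recognizes (1=Local intranet, 2=Trusted, 3=Internet, 4=Restricted).
ZONEMAP_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap\Domains")
RESTRICTED_SITES_ZONE = 4

# Constructed site names for the illustration, with a duplicate on purpose.
CONSTRUCTED_SITES = ["badsite.example", "www.tracker.example",
                     "ads.tracker.example", "badsite.example"]

def zone_subkey(hostname):
    """Map a host name onto IE's key layout: the registrable domain is a key
    under Domains and any leading host labels become one subkey, so
    'www.tracker.example' -> 'tracker.example\\www'. Assumption: the
    registrable domain is the last two labels (no co.uk-style suffixes)."""
    labels = hostname.strip().lower().strip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a usable host name: {hostname!r}")
    domain = ".".join(labels[-2:])
    host = ".".join(labels[:-2])
    return domain + ("\\" + host if host else "")

def build_reg(sites, zone=RESTRICTED_SITES_ZONE, schemes=("http", "https")):
    """Return .reg text that assigns every site (deduplicated) to `zone`
    for each URL scheme; a DWORD named for the scheme holds the zone number."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for subkey in sorted({zone_subkey(s) for s in sites}):
        lines.append(f"[{ZONEMAP_KEY}\\{subkey}]")
        for scheme in schemes:
            lines.append(f'"{scheme}"=dword:{zone:08x}')
        lines.append("")
    return "\n".join(lines)

if __name__ == "__main__":
    print(build_reg(CONSTRUCTED_SITES))
```

Importing such a file into an administrator’s own profile and then choosing Import the Current Security Zones and Privacy in the group policy, as described above, is one way to stage a site list before it is pushed to every user.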
As you can see, there are numerous steps that you can use to make your corporate network a safer place for those users who routinely use the Internet. None of the tricks that I have shown you will solve the problem by themselves, but by combining these techniques with other good security practices, such as keeping all of your software up to date, you will have a good head start on Internet security.