Now let me give you one more fact: protection is more effective the
closer it is to the user. For example, an antiviral program on the user's
computer has more chances to catch malware, because a virus hidden in an
e-mail message may be caught when the attachment is saved to disk before
execution. That's why it's important to have antiviral protection at all
possible points: firewalls, e-mail servers, file servers and
workstations. But no antiviral protection gives any guarantee against
specially crafted or new malware.

Can we do attachment filtering on the workstation? Of course we can, and
we should. Attachment filtering by means of the MUA is the most
efficient, because there is no possible situation in which you have an
attachment and the filter does not see it. Many MUAs have the ability to
hide specified types of attachments from the user (for example, the
latest versions of The Bat! and Microsoft Outlook with the security
update fix disable some kinds of attachments, like .scr or .pif, by
default). Securing the user by means of his MUA is very important. You
may want to make the most restrictive settings. For example, it's very
important to keep all incoming mail in the Restricted Sites zone for
Outlook/Outlook Express, and it's nice to disable _all_ active content
for this zone (including the "safe" ActiveX components enabled by
default). You may use MUA-integrated software to check content (there
are multiple extensions for Outlook, including Russ Cooper's NoHTML to
transform all incoming HTML messages to plain-text or RTF format).

Remember that usually you needn't visit every user's workstation to make
uniform settings: in the case of Windows, all registry- and file-based
settings can be done by means of group policy and logon scripts. .ADM
policy templates are a very powerful administration tool.

There is still a possibility that after all these measures there is a
way to bypass your protection and your user will get a trojaned
attachment. Of course he will launch it, and it will not be detected by
the antiviral software you use. Will this trojan be executed? No, if you
know something about Windows security. You may think I mean the group
policy that only allows the user to run specified applications; that is
really weak protection and it may be bypassed. No, I mean file
permissions. After you click a file attached to a message, this file is
usually saved to a predefined directory (...\TEMP, ...\Temporary Internet
Files\..., ...\attachments\..., ...\cache\..., etc., depending on the MUA
you use). Why the hell would a user need execute permission for files in
these directories? He doesn't. A good practice is to set "Deny execute
files" or to remove the "execute files" special permission for all these
directories. It will also stop users from running various installers,
because an installer normally extracts files to the TEMP folder and
launches setup from there (another protection from installers is
removing WOW or NTVDM if not required, because many installers are Win16
applications). Additionally, you may want to give the user only "add"
and "execute" (traverse) permission for the folders, and give the
ability to modify or delete files and folders to Creator Owner, to
eliminate the situation where one user can read the temporary files of
another. I have evaluated this configuration in a few networks with
excellent results. Windows 95/98/ME should NEVER be used in a corporate
network.

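As an added example (not from the original post), here is how the
permission layout just described can be applied to one temp/attachment
directory with PowerShell; the path in $dir, the use of BUILTIN\Users as
the user group, and the New-Ace helper are assumptions.

```powershell
# Added example, not from the original post. Locks down one attachment/temp
# directory as the text describes: users may add files and traverse the
# folder, Creator Owner may modify/delete what they created, and nobody in
# Users may execute files stored there. $dir is a placeholder; point it at
# the real TEMP or MUA cache directory on the workstation.
$dir = 'C:\Temp'   # placeholder path (assumption)

$acl = Get-Acl -Path $dir
# Stop inheriting from the parent so the rules below are the complete ACL.
$acl.SetAccessRuleProtection($true, $false)
foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }

$thisOnly  = [System.Security.AccessControl.InheritanceFlags]::None
$both      = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$filesOnly = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$none      = [System.Security.AccessControl.PropagationFlags]::None
$inhOnly   = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# Hypothetical helper; wraps the FileSystemAccessRule constructor.
function New-Ace($who, $rights, $inh, $prop, $type) {
    New-Object System.Security.AccessControl.FileSystemAccessRule($who, $rights, $inh, $prop, $type)
}

$rules = @(
    # Administrators and SYSTEM keep full control so cleanup and AV scanning work.
    (New-Ace 'BUILTIN\Administrators' 'FullControl' $both $none 'Allow'),
    (New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl' $both $none 'Allow'),
    # Users: "add" (create files/folders) and traverse, on the folder itself only.
    (New-Ace 'BUILTIN\Users' 'CreateFiles, CreateDirectories, Traverse, Synchronize' $thisOnly $none 'Allow'),
    # Creator Owner: modify/delete only the objects that user created (inherit-only,
    # so one user cannot read or touch another user's temporary files).
    (New-Ace 'CREATOR OWNER' 'Modify, Synchronize' $both $inhOnly 'Allow'),
    # Deny execute on files only. ExecuteFile and Traverse share one access bit,
    # so a deny that also applied to the folder would block traversal of it.
    (New-Ace 'BUILTIN\Users' 'ExecuteFile' $filesOnly $inhOnly 'Deny')
)
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path $dir -AclObject $acl

# Verify: the Deny ExecuteFile entry should show ObjectInherit / InheritOnly.
(Get-Acl -Path $dir).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType,
                 InheritanceFlags, PropagationFlags -AutoSize
```

Run it from a logon script or a startup script under group policy to
cover every workstation, as the text suggests, rather than visiting each
machine.
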
Of course, it's needless to say how important applying security fixes,
patches, etc. to client computers is: I saw a lot of organizations where
servers were maintained at the highest level while there was not even a
policy for testing and applying hotfixes to workstations. Hotfixes,
patches, etc. are sometimes the only protection against software
vulnerabilities (especially in the case of code execution holes where no
attached file is required, as with "Buffer overflow in mshtml.dll",
http://www.security.nnov.ru/search/news.asp?binid=1782).