Virus Infection Prevention Best Practices for Small and Midsize Organizations

Published: August 21, 2012

Author: Peter Gubarevich, Microsoft MVP - Enterprise Security

A surprising number of systems administrators, as well as a lot of non-IT people, consider simply installing antivirus program and firewall enough to provide reliable protection from trojans, viruses, and worms. Despite the widespread use of antivirus and firewall solutions, even among use of the best solutions, malware continues its victorius parade on computers all over the world. From this security expert's point of view, this situation occurs because the wrong defense measures are considered to be primary, while the most important ones are completely out of focus.

I have developed the following infection prevention strategy, a strategy that works very effectively for me and all of my customers:

• Always work with standard-privileged user account.
• Implement application whitelisting.
• Do not leave Group Policy and security settings in the default state.
• Keep your operating system (OS) and applications updated.

Limited User Account (LUA) Approach

The separation of privileges is a computer security and antivirus protection fundamental. Administrators can do anything they want -- install and remove software, update device drivers and OS components, manage permissions, and (sometimes, without intention) infect a system with viruses. Standard Users are able to surf the Internet, work with business applications, and manage documents and e-mail; but it is impossible for them to "break" or damage anything in the system. Why? Because every application or process being launched, every executable or DLL that works in the background, runs under a user's account context. A virus is not "bad magic," but just another application. It is not possible for a virus to embed itself in a Windows folder or modify a HKLM\..\Run entry in the Registry unless it is launched by someone with administrative privileges.

As a result, consider the following rules to be documented and mandatory for execution:

• For administrative staff members, always create two accounts: a limited use one and an administrative one. Make sure that administrative staff members operate under standard privileges as much as possible to perform usual work like Internet surfing and e-mail processing, and that they use administrative account only when necessary.
• Never assign any regular user membership under the Administrators or Power Users (for systems before Windows Vista) groups.

If you are running software that seems to require administrative privileges, try to figure out what files, folders or registry keys are required to extend permissions by using Process Monitor or Windows Auditing. Only if you are unable to solve that issue, create two accounts for the user: one standard and one administrative. Make sure that individual uses his/her administrative account for particular security-unaware software only.

Application Whitelisting Technology

Unfortunately, there is a lot of malware that runs with Standard User privileges. Even though it cannot corrupt the whole system, it can damage user files and spy on users. Application whitelisting allows you to maintain a list of programs that are permitted to be launched on a computer, preventing all other software from running.

For example, you can tell the system: "let programs only run from within the C:\Windows, C:\Program Files and D:\Business Software folders". As a result, no virus can be started from the flash drive E:\, as well as unwanted software from the Desktop folder. If an untrusted executable was accidentaly downloaded from a website or received by email, it would not run if it was stored in a User Profile within either Temporary Internet Files or %Temp% folders, as those would not be permitted by the policy.

The advantages of application whitelisting, over the often more popular "blacklisting" which is utilized in most antivirus solutions, are huge. Based on my experiences with my customers, it has become clear that blacklisting does not make computers secure. While an antivirus program plays "Russian roulette," trying to guess if a particular executable is bad or not, whitelisting considers everything outside the permitted area to be prohibited, thus making the system much more secure. As an added bonus, it also protects from DLL hijacking issues.

Application whitelisting was introduced in Microsoft Windows with Windows XP Professional in 2001 as software restriction policies (SRP) and had continued to be part of the Windows operating system in the form of AppLocker. You can also utilize third-party enterprise-level solutions. Regardless of which technology you utilize, to get the most security benefit out of whitelisting, consider the following rules:

• Do not allow executing software from folders which users can modify;
• Do not permit users to modify folders from which execution is allowed.

Note that this approach only deals with executable launching; it does not prevent users from saving files, working with documents, and, in most situations, does not interfere with computer performance! I have implemented SRP in all of my home and business environments, and it is not as painful as those who have never tried it would have you believe. If you are new to application whitelisting and want to try SRP on a single computer, I recommend reading my article entitled, " Preventing computer malware by using SRP."

Group Policy and Security Option Configuration

There are some Group Policy and security settings that are not configured by default, but that are vital for your computer security. In particular, get familiar with Data Execution Prevention (DEP), a feature that is enabled by default for user applications on Windows Server systems.

• Enable DEP for all services and applications. You can add exclusions later, if needed.

Many worms and hacking tools like "RDP Brute" employ a "password guess" attack. By enabling an Account Lockout policy, you can considerably lower the risk of being hacked that way.

• Enable and configure Account Lockout policy.

Having a bad password policy is not much better than not having a password policy at all. Do not require changing passwords too frequently; users will simply write their passwords down on a paper. Instead, educate your users to create considerably long, but easy to remember passwords like "I love my family since 1977!" Not bad for 28 characters with capitals, numbers and special symbols, eh? This type of password would take ages to crack.

• Enforce an appropriate password policy.
• Review all security options carefully. For example, prohibit storing passwords in LM Hash; implement NTLMv2 authentication, rejecting LM and NTLM authentication if possible; require digital signing of SMB sessions, etc.

Update Your OS and Applications Regularly

The Conficker worm, which exploits a four-year old vulnerability, still spread in the wild. Why? Because far too many organizations do not care to install updates, completely relying on firewall software. Unfortunately for these organizations, there are scenarios where a firewall does not help. For example: the File and Printer Sharing service relies on SMB/CIFS traffic. By blocking this kind of traffic at a host-based firewall, you prevent the fileserver from serving its clients. When an infected computer is connected to the local subnet, a worm like Conficker can exploit a vulnerability in the unpatched SMB server and take over the control with SYSTEM account privileges. There are many vulnerability utilizing exploits for which firewalls and antivirus solutions are useless. As a result, make sure to:

• Update your operating sytem and applications on a regular basis.
• Establish a WSUS infrastructure to achieve better results.

Incident Handling

Bad things happen, and your computer may become infected at one time or another. However; I would not play games with malware developers unless I was an antivirus company expert. Malware developers are not fools; they are not interested in creating viruses that can easily be detected and removed from the system. In many cases, cleanup is impossible, and the most reliable solution is often to start from scratch and restore the machine from a confirmed backup or, if that does not exist, set it up like it was new. Other tips:

• In case of infection detection, always perform an investigation to discover the cause. Once a virus has managed to get into the system, it will use the same way to come back again.
• Do no try to cure the incurable. Consider reinstalling from the latest known clean backup.

Conclusion

It seems to be impossible to provide 100% protection from malware, However; all of the virus infection cases I have witnessed over my career stemmed from an action not taken by the systems administrator; and the root cause was either users working with administrative privileges, the absence of application whitelisting configured, or missing updates. If you pay attention to the measures I have outlined above, they will help you achieve a very good level of protection.