Virus Infection Prevention Best Practices for Small and Midsize Organizations
Published: August 21, 2012
Author: Peter Gubarevich, Microsoft MVP - Enterprise Security
A surprising number of systems administrators, as well as many non-IT people, consider simply installing an antivirus program and a firewall enough to provide reliable protection from trojans, viruses, and worms. Despite the widespread use of antivirus and firewall solutions, even the best of them, malware continues its victorious parade on computers all over the world. From this security expert's point of view, this situation occurs because the wrong defense measures are considered primary, while the most important ones are completely out of focus.
Limited User Account (LUA) Approach
Separation of privileges is a fundamental of computer security and antivirus protection. Administrators can do anything they want: install and remove software, update device drivers and OS components, manage permissions, and (sometimes unintentionally) infect a system with viruses. Standard Users are able to surf the Internet, work with business applications, and manage documents and e-mail, but it is impossible for them to "break" or damage anything in the system. Why? Because every application or process being launched, every executable or DLL that works in the background, runs in the context of a user's account. A virus is not "bad magic," but just another application. It is not possible for a virus to embed itself in the Windows folder or modify a HKLM\..\Run entry in the Registry unless it is launched by someone with administrative privileges.
If you are running software that seems to require administrative privileges, use Process Monitor or Windows Auditing to figure out which files, folders or registry keys it actually needs, and extend the user's permissions on those objects only. Only if you are unable to solve the issue that way, create two accounts for the user: one standard and one administrative. Make sure that the individual uses his/her administrative account only for that particular security-unaware software.
Application Whitelisting Technology
Unfortunately, there is a lot of malware that runs with Standard User privileges. Even though it cannot corrupt the whole system, it can damage user files and spy on users.
Application whitelisting allows you to maintain a list of programs that are permitted to be launched on a computer, preventing all other software from running.
Note that this approach deals only with launching executables; it does not prevent users from saving files or working with documents, and, in most situations, does not affect computer performance! I have implemented Software Restriction Policies (SRP) in all of my home and business environments, and it is not as painful as those who have never tried it would have you believe. If you are new to application whitelisting and want to try SRP on a single computer, I recommend reading my article entitled "Preventing computer malware by using SRP."
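As an added example (not code from the article or from the author's SRP write-up), the script below builds a local SRP whitelist on a standalone machine by writing the registry values that gpedit.msc writes; the deny list of user-writable paths is an assumption for illustration, not a complete list.

```powershell
# Added example, not code from the article: build a local SRP whitelist by
# writing the registry values gpedit.msc writes for "Software Restriction
# Policies". Run from an elevated PowerShell on a standalone machine
# (domain members should get these settings from a GPO instead).
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
New-Item -Path $base -Force | Out-Null

# Default level 0 = Disallowed: anything no Unrestricted (0x40000 = 262144)
# rule matches is refused at launch.
Set-ItemProperty -Path $base -Name DefaultLevel        -Type DWord -Value 0
# 1 = enforce on all software files except DLLs (2 would include DLLs, which
# breaks more software; start with 1).
Set-ItemProperty -Path $base -Name TransparentEnabled  -Type DWord -Value 1
# 0 = apply to all users, including local administrators (1 = skip admins).
Set-ItemProperty -Path $base -Name PolicyScope         -Type DWord -Value 0
Set-ItemProperty -Path $base -Name AuthenticodeEnabled -Type DWord -Value 0

function Add-SrpPathRule {
    param([string]$Path, [int]$Level, [string]$Description)
    # Each rule lives under <level>\Paths\{GUID}; the GUID is just a unique name.
    $key = Join-Path $base ("{0}\Paths\{{{1}}}" -f $Level, [guid]::NewGuid())
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData     -Type ExpandString -Value $Path
    Set-ItemProperty -Path $key -Name SaferFlags   -Type DWord  -Value 0
    Set-ItemProperty -Path $key -Name Description  -Type String -Value $Description
    Set-ItemProperty -Path $key -Name LastModified -Type QWord  -Value (Get-Date).ToFileTime()
}

# Allow the OS and installed programs. Standard users cannot write to these
# trees, so they cannot drop their own executable into a whitelisted location.
Add-SrpPathRule '%SystemRoot%'        262144 'Windows folder'
Add-SrpPathRule '%ProgramFiles%'      262144 'Program Files'
Add-SrpPathRule '%ProgramFiles(x86)%' 262144 'Program Files (x86), 64-bit only'

# The classic hole: a few subfolders of %SystemRoot% ARE writable by standard
# users, so deny them explicitly (the more specific level-0 rule wins over the
# broader allow). This list is an assumption for the example; enumerate
# user-writable paths under your own %SystemRoot% with icacls before relying on it.
Add-SrpPathRule '%SystemRoot%\Temp' 0 'User-writable, deny'

# Everything else (Desktop, Downloads, %TEMP%, USB sticks) falls under the
# Disallowed default. Log off and on, or reboot, before testing.
```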
Group Policy and Security Option Configuration
There are some Group Policy and security settings that are not configured by default but are vital for your computer's security. In particular, get familiar with Data Execution Prevention (DEP), a feature that is enabled by default for user applications on Windows Server systems.
Many worms and hacking tools like "RDP Brute" employ a password-guessing attack. By enabling an Account Lockout policy, you can considerably lower the risk of being hacked that way.
Having a bad password policy is not much better than having no password policy at all. Do not require password changes too frequently; users will simply write their passwords down on paper. Instead, educate your users to create reasonably long but easy-to-remember passwords like "I love my family since 1977!" Not bad for 28 characters with capitals, numbers and special symbols, eh? This type of password would take ages to crack.
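As an added example (not code from the article), here are the lockout, password and DEP settings from this section applied to a standalone machine, followed by a read-back of what is in effect; the thresholds are this example's choices, not values the article prescribes.

```powershell
# Added example, not code from the article. Run elevated on a standalone
# machine; on a domain, set the equivalents in Group Policy instead.
# The numbers below are this example's choices, not the article's.

# Account Lockout: 10 wrong guesses within 30 minutes lock the account for
# 30 minutes. An "RDP Brute"-style tool then gets a few hundred guesses a day
# per account instead of millions, while ordinary typos go unpunished.
net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30

# Password policy: length over churn. 14 is the largest minimum 'net accounts'
# accepts; a 180-day maximum age keeps the passphrase off the sticky note.
net accounts /minpwlen:14 /maxpwage:180 /minpwage:1 /uniquepw:5

# DEP: OptOut = on for every process unless explicitly excluded (the Windows
# Server default); client Windows defaults to OptIn, which covers only Windows
# programs and services. Takes effect after a reboot.
bcdedit /set "{current}" nx OptOut

function Get-HardeningStatus {
    # Read back the settings so the result can be reported or logged.
    # DEP reflects the running policy, so it shows the old value until reboot.
    $acct = net accounts
    $val  = { param($label) ($acct | Select-String $label).Line.Split(':')[-1].Trim() }
    $dep  = (Get-WmiObject Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
    New-Object PSObject -Property @{
        LockoutThreshold = & $val 'Lockout threshold'        # 'Never' = disabled
        MinPasswordLen   = & $val 'Minimum password length'
        MaxPasswordAge   = & $val 'Maximum password age'
        # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut
        DepPolicy        = @('AlwaysOff', 'AlwaysOn', 'OptIn', 'OptOut')[$dep]
    }
}
Get-HardeningStatus
```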
Update Your OS and Applications Regularly
The Conficker worm, which exploits a four-year-old vulnerability, still spreads in the wild. Why? Because far too many organizations do not bother to install updates, relying completely on firewall software. Unfortunately for these organizations, there are scenarios where a firewall does not help. For example, the File and Printer Sharing service relies on SMB/CIFS traffic; by blocking this kind of traffic at a host-based firewall, you prevent the file server from serving its clients. When an infected computer is connected to the local subnet, a worm like Conficker can exploit a vulnerability in the unpatched SMB server and take control with SYSTEM account privileges. There are many exploits targeting vulnerabilities against which firewalls and antivirus solutions are useless. As a result, make sure to:
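As an added example (not code from the article), the script below lists the updates a machine still lacks through the Windows Update Agent COM API and flags security updates that have been available for more than a month; the 30-day threshold is this example's assumption.

```powershell
# Added example, not code from the article: list the updates this machine
# still lacks, using the Windows Update Agent COM API (the same engine the
# Windows Update control panel uses). If the machine points at a WSUS server
# the search runs against it; otherwise it asks Microsoft Update directly.
function Get-MissingUpdates {
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    # Not installed yet, and not hidden by an administrator.
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        New-Object PSObject -Property @{
            Title    = $u.Title
            Severity = $u.MsrcSeverity      # Critical / Important / ... or blank
            KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ', '
            Released = $u.LastDeploymentChangeTime
        }
    }
}

$missing = Get-MissingUpdates

# The worrying subset: security fixes that have been available for more than
# a month (30 days is this example's threshold). A four-year-old hole such as
# the one Conficker uses lands here, and no firewall rule on a file server
# substitutes for installing it.
$overdue = $missing | Where-Object {
    (@('Critical', 'Important') -contains $_.Severity) -and
    ($_.Released -lt (Get-Date).AddDays(-30))
}
$overdue | Sort-Object Released | Format-Table Released, Severity, KB, Title -AutoSize

if (@($overdue).Count -gt 0) {
    Write-Warning "$(@($overdue).Count) overdue security update(s); patch before trusting the firewall."
}
```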
Bad things happen, and your computer may become infected at one time or another. However, I would not play games with malware developers unless I were an antivirus company expert. Malware developers are not fools; they are not interested in creating viruses that can easily be detected and removed from the system. In many cases, cleanup is impossible, and the most reliable solution is to start from scratch: restore the machine from a confirmed backup or, if none exists, set it up as if it were new. Other tips:
It seems impossible to provide 100% protection from malware. However, all of the virus infection cases I have witnessed over my career stemmed from an action not taken by the systems administrator; the root cause was either users working with administrative privileges, the absence of application whitelisting, or missing updates. If you pay attention to the measures I have outlined above, they will help you achieve a very good level of protection.
About the Author
Peter Gubarevich, MCSE NT4/2000/2003, MCITP:EA, MCT, CCSI (Cisco Certified Systems Instructor), and Certified Ethical Hacker v7 (CEHv7), is the co-founder and CEO of an IT outsourcing company based in Riga, Latvia. He also conducts training at several universities and institutions, speaks at conferences, and is recognized as a local IT community leader. For the last 15 years, Peter's work has been focused on computer security for small business. You can follow his blog at http://blog.windowsnt.lv.