Re: firewall test and NAT

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

A well written response, Leythos. Except I'd say "ignorant" instead of
"stupid" in your second para, otherwise it's spot on IMO.
The reason I say ignorant is the main targets of the
spammer/scammer/social scoundrels often hook the newbie and
inexperienced who haven't yet encountered the problems or had anyone to
lead them to the right areas for Security. There are so many different
things for them to learn, even as they start to pick up on security,
they often go right on inviting the malware in. The anonymity of the
'net sucks.
Twayne



Leythos wrote:
In article <OaNoS8A0JHA.5764@xxxxxxxxxxxxxxxxxxxx>,
ToddAndMargo@xxxxxxxxxxx says...
What triggered my question is a customer who relies on NAT (only,
no firewall), and he is constantly getting tagged with one
v1rus or another. I am trying to get him off IE, get a
standardized decient antivirus, software firewall, and a *real*
firewall.


NAT has nothing to do with him getting malware on his system.

With all of the issues that have been in the media, anyone getting
malware has just got to be stupid, at least for the most part.

If you want to secure a business, since they will never do the right
thing, at least with all my years of dealing with businesses....

Install a firewall that allows content filtering - block EXE, DLL,
etc... from all connections except the Server or a IT Admin's
workstation. You also AV/content filter SMTP, FTP, HTTP, HTTPS
sessions and you block all IN/OUT connections that are not explicitly
needed for business (which should be the standard for any firewall
solution)

Install a managed, corporate type AV solution - like Symantec End
Point Protection - don't give users control of the settings or the
ability to disable it on their workstations.

Install IE settings via Group Policy that the users can't change...

Make all computer users LOCAL USERS, NOT Local Admins....

IE works fine, just make all updates automatic install.

With the above ideas and a little more, I've managed to secure
networks all over the USA and not had a single managed network
compromised in my entire history.



.

Relevant Pages

  • win2k sp3
    ... SP4 would be a pain to install. ... [Im gonna block TCP 139/445 at my firewall as a sure safeguard] ...
    (microsoft.public.windowsupdate)
  • Re: VB6, VB2005, or Something Else?
    ... You think I have one computer only stupid. ... the beta license, then you have agreed to these problems - ... ignorant guy, get lost. ... You have agreed to not install the betas on production machines because ...
    (microsoft.public.vb.general.discussion)
  • Re: Service Pack 1 & 2
    ... but enable to install because of service pack 2. ... >> I recently reinstalled Windows XP home on a new hard disk because the ... >> I tried to install service pack 1 but was rejected from doing so. ... > Why you should use a computer firewall.. ...
    (microsoft.public.windowsupdate)
  • Re: Feedback solicited - best way to harden a mail/web server?
    ... Was the system protected by a properly configured firewall? ... it's not a bad "starting point" and it can generate an IPtables rule ... > nor is there a web or ftp server; aside from that I haven't tried to secure ... Before I'll install some nifty application ...
    (comp.os.linux.security)
  • Re: I THINK I HAVE A VIRUS MY ANTIVIRUS SCAN WONT EVEN RUN
    ... install some thing ells like ez antivirus or antivier both ahve free triles ... > your computer online - meaning you likely have usernames and passwords ... > Why you should use a computer firewall.. ... > The system restore feature is a new one - first appearing in Windows ...
    (microsoft.public.windowsxp.help_and_support)