
AV & Desktop policy on network

  • 16-01-2013 2:09pm
    #1
    Registered Users Posts: 13,385 ✭✭✭✭


    I can open up a separate thread for my query but just on the topic of anti virus.

    What would be a common setup for a corporate environment?

    We use McAfee locally on machines, yet we don't run scans locally, but rather run a scan from the network twice a week - that and the firewall are out of my jurisdiction.

    However, on the ground level I'm seeing viruses and malware on user PCs - we turn off the local Windows firewall when on home and work networks but have it on for public networks, so this should be relatively safe. The main concern I have is that users have admin access on the PCs as they're relatively tech savvy and need to install certain software for programming, remoting etc.

    My problem is that, for the number of users we have, there's an increasing amount of my time being spent running scans for users who think they're infected.

    Is there anything I can do other than send an email with an updated policy as per how to use laptops outside of work? Should we be looking at another solution instead of McAfee?

    TIA for any insights


Comments

  • Moderators, Technology & Internet Moderators Posts: 10,339 Mod ✭✭✭✭LoLth


    Moved this to a new thread as it is quite different from just another "home user AV question".

    You're talking about workstations that are part of a network and so don't just have local policies but also have to obey network rules as well as usergroup memberships and locale/zone settings.

    Problem 1 that I can see is that your local users are admins of their own PC. Relatively tech savvy can be the most dangerous kind as they know enough to get into mischief.

    One option I could recommend would be to set up a separate user account for installations etc. and have them use "Run as" to kick off installs. Otherwise, when they browse the internet they are doing it with an account that has local admin access, and that's the permission the malware/virus will have when trying to gain access.

    Another option: if the software is for testing and not for day-to-day production, give them VirtualBox or VMware Player and let them install it in a VM that can be blown away if there are any problems.

    If scans are run from a network, then let them request a scan from whoever it is that schedules that. They can initiate a manual scan from the network resource.

    NAC: network access control. All portable computers have to pass through a series of checks before they can be given access to the network. One of these could be a virus scan; until the scan is complete (and clear) they only have access to a remediation subnet with limited resources that are not shared with the networked PCs - say a printer or two and a gateway out to the wibbly wobbly so they can pick up mail through their normal method (OWA / external hosted server / forwarding service etc.)

    If they are tech savvy, let them scan the machine themselves and make them responsible for any issues found (42 malware items? where the f**k have you been browsing?)
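
An added example (not part of LoLth's post and not any NAC product's code) modelling the admission decision described in the NAC paragraph above: a laptop stays on the remediation subnet until its scan is complete and clear, and anything missing or implausible fails closed. The report field names, age limits and segment names are assumptions, and the sample reports are constructed.

```python
from datetime import datetime, timedelta

# Assumed policy values and segment names (not from the thread).
MAX_AGE = {"scan_finished": timedelta(days=4), "defs_updated": timedelta(days=2)}
PRODUCTION, REMEDIATION = "production", "remediation"


def admit(report, now):
    """Return (segment, reasons) for one posture report; fail closed."""
    reasons = []
    if report.get("scan_state") != "complete":
        reasons.append("scan not complete")
    detections = report.get("detections")
    if type(detections) is not int:
        reasons.append("detection count missing")
    elif detections != 0:
        reasons.append(f"{detections} detection(s) outstanding")
    for field, limit in MAX_AGE.items():
        stamp = report.get(field)
        if not isinstance(stamp, datetime):
            reasons.append(f"{field} missing")
        elif not timedelta(0) <= now - stamp <= limit:
            # Rejects stale results and timestamps from the future alike.
            reasons.append(f"{field} not within the last {limit.days} days")
    return (REMEDIATION if reasons else PRODUCTION), reasons


# Constructed sample reports, as a posture agent might submit them.
NOW = datetime(2013, 1, 16, 14, 0)
REPORTS = {
    "clean": {"scan_state": "complete", "detections": 0,
              "scan_finished": NOW - timedelta(hours=3),
              "defs_updated": NOW - timedelta(hours=20)},
    "scanning": {"scan_state": "running", "detections": 0,
                 "defs_updated": NOW - timedelta(hours=5)},
    "infected": {"scan_state": "complete", "detections": 42,
                 "scan_finished": NOW - timedelta(hours=1),
                 "defs_updated": NOW - timedelta(hours=6)},
    "stale": {"scan_state": "complete", "detections": 0,
              "scan_finished": NOW - timedelta(days=9),
              "defs_updated": NOW - timedelta(hours=2)},
    "silent": {},
}

if __name__ == "__main__":
    for name, report in REPORTS.items():
        segment, reasons = admit(report, NOW)
        print(f"{name:9} -> {segment:11} {'; '.join(reasons)}")
```

The returned reasons are what a user on the remediation subnet would need to see in order to fix the machine themselves.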


  • Registered Users Posts: 13,385 ✭✭✭✭D'Agger


    Cheers LoLth, appreciate it.

    Nice idea on the user account - my problem right now is upsetting the apple cart and getting changes implemented but that's a different story! That said it does seem like a very simple way of keeping them out of trouble.

    Re: The virtual box - will need to check licensing as I know we use VMWare but I'm struggling to get my own VM for a call management server setup - will bring it up during some of the meetings I hope to have in the coming weeks for that though.

    The NAC is a bit over my head for now but it's a nice idea and will definitely look into it.


  • Moderators, Technology & Internet Moderators Posts: 10,339 Mod ✭✭✭✭LoLth


    VirtualBox licensing FAQ:
    https://www.virtualbox.org/wiki/Licensing_FAQ

    The guest OS may require licensing though.

    From TechNet:
    http://blogs.technet.com/b/simonmay/archive/2011/01/13/windows-7-licensing-and-virtual-machines-clarified.aspx

    However, I'm fairly sure this is just for volume licensing (or enterprise editions). No idea how this would stack if you are using OEM licenses on the physical machines - i.e. you buy the OS installed on the machine from Dell or some other company. You'll need to investigate that yourself (Windows 7 gave permission for an XP VM and I think Windows 8 gives permission for a Windows 7 VM, but I'm not sure, so best bet is to look into it yourself - post back if you find an answer!)


  • Moderators, Technology & Internet Moderators Posts: 10,339 Mod ✭✭✭✭LoLth


    VMware Player (not Workstation or VMware ESXi)
    http://www.vmware.com/products/player/faqs.html

    Looks like it's free for personal non-commercial use but you have to buy VMware Fusion otherwise.

    Also, I think Windows 7 Ultimate allows for 4 VM instances to be installed on the same *physical* machine as the licensed machine. So if your users run Win7 Ultimate they could have the base OS for office use/browsing without admin and then 4x VMs for projects/installation testing that they can reset/reinstall from image whenever they need to clear down.

    One caveat: VMs, if they have network access (and they will through bridge or NAT unless you can find a way to restrict them to host only), will require their own license for anti-virus. If they don't connect to the internet or network, then they should be protected by the host machine's AV setup.


  • Registered Users Posts: 13,385 ✭✭✭✭D'Agger


    LoLth wrote: »
    VMware Player (not Workstation or VMware ESXi)
    http://www.vmware.com/products/player/faqs.html

    Looks like it's free for personal non-commercial use but you have to buy VMware Fusion otherwise.

    Also, I think Windows 7 Ultimate allows for 4 VM instances to be installed on the same *physical* machine as the licensed machine. So if your users run Win7 Ultimate they could have the base OS for office use/browsing without admin and then 4x VMs for projects/installation testing that they can reset/reinstall from image whenever they need to clear down.

    One caveat: VMs, if they have network access (and they will through bridge or NAT unless you can find a way to restrict them to host only), will require their own license for anti-virus. If they don't connect to the internet or network, then they should be protected by the host machine's AV setup.

    Was fairly certain I had heard before that Win7 allows for XP VMs to be run off it - I'd assume you'd need a strong enough machine in order to run more than one VM though.

    It would certainly help in our situation as we have to remote using Citrix etc. and certain clients still require XP, meaning we have to use shared VMs to allow users to dial in.

    If they had their own local XP VM then that'd eradicate the need for the servers I would imagine.

    TBH, I'm only in the company a short while and still quite young and inexperienced in IT terms - experience is key I know but I still want to have a better overall understanding of what alternatives are available regarding security and what practices we implement because right now I think there's a good amount of work that could be done to improve things....that could be said for quite a few IT depts. though :pac:

    Thanks again for the links & help btw :)


  • Registered Users Posts: 133 ✭✭PlanIT Computing


    Per the OEM EULA, you have the right to operate the OEM license as a physical or virtual server provided it stays on the same machine that the OEM License is on.

    Volume / Retail licensing is a much easier albeit expensive route if pursuing virtualization technology.

