Protect your business against Ransomware and Malware.

More and more virus and malware are released everyday on the internet. The Anti-Virus vendors are struggeling to keep up. And we IT Pros are doing what we can to protect our business from ransomware and malware.

From the Avecto Microsoft Vulnerabilities Report 2015

  • 86% of Critical vulnerabilities affecting Windows could be mitigated
    by removing admin rights.
  • 99.5% of all vulnerabilities in Internet Explorer could be mitigated by
    removing admin rights.
  • 82% of vulnerabilities affecting Microsoft Office could be mitigated
    by removing admin rights.
  • 85% of Remote Code Execution vulnerabilities could be mitigated by
    removing admin rights.
  • 82% Critical vulnerabilities affecting Windows 10 could be mitigated
    by removing admin rights.
  • 100% of the vulnerabilities in Office 2016, the latest
    version of Microsoft’s software, could have been mitigated by admin
    rights removal.

 

 

 

 

 

 

 

 

Today there are two different type of anti-virus vendors:

  • The one that still uses local signature files that are downloaded every X hours from a server or from the Internet.
  • And the one that sends an MD5 hasch of every new file to a cloud based database to check if the file is ok.

There are almost released one milion new malware threats everyday. Try to fit a signature file that has knowledge about all those files on your laptop.
The Leaders in Gartners Magic Quadrant are the one that are still using the local signature files and they don’t have knowledge about all known threats.
If you look att the Visionaries they are doing some new thinking and are doing the scanning in the cloud against a large database of known threats.

 

 

 
If you are using vendor technique one or two dosen’t mather your users can still get virus on the computers.

So what is the best way to protect your computers from virus?

  • No Local admins. (if local admin is needed create an special admin account for the user that can be used with Microsoft Run As function.)
  • Use Local Administrator Password Solution (LAPS) from Microsoft for users that need admin rights.
  • Cloud based antivirus.
  • GPO AppLocker.
  • To protect files from ransomware make sure your users only have access to the shared files that they need to have access to. That way you reduces the risk that your hole files server is encrypted and no one can work until you have done a restore.
  • Backup and test restore of files and systems.

 

 

 

 

 

 

 

 

Getting started with GPO – AppLocker.

  1. Create a new group in ADUC (Active Directory Users and Computers) name it for example GPO-AppLocker
  2. Put your test computers in the group.
  3. Create a new GPO and link it to your computer OU.
  4. Change so that the GPO is only applied to your test group.

 

Edit the new GPO.

Navigate to Computer Configuration/Windows Settings/Security Settings/Application Control Policies/AppLocker

Click Configure rule enforcement.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Configure AppLocker to Enforce Rules or Audit Only. With Audit only an event will be logged to the eventlog.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Create the rules.
Start with the Default Rules and then add more paths to folders if nessesary.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Have your test users test all of the company programs that your are using.

When you are done testing change the GPO security filtering so that the GPO is applied to Authenticated Users.

You can read more about AppLocker on the link below.

https://technet.microsoft.com/library/mt431725(v=vs.85).aspx

You can read more about LAPS on the link below.
https://www.microsoft.com/en-us/download/details.aspx?id=46899

 

// Chris Steding

 

This entry was posted in GPO, Security. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *