Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  
October 2002

8 Tips for Avoiding the Next Big Worm

Act now to protect your network tomorrow
Sidebar: Using IPSec to Prevent Workstation-to-Workstation Communication

6. Delete Dangerous File Associations on Workstations
Many worms and viruses depend on file associations to execute malicious attachments: when a user double-clicks an attachment, the shell looks up the file's extension under HKEY_CLASSES_ROOT and launches whatever program is registered there. Although training users not to open suspicious attachments is a good start, deleting file associations for dangerous files such as .bat, .cmd, and .vbs files is a safer strategy. (Visit http://www.novatone.net/mag/mailsec.htm for a list of file associations you should consider disabling on workstations throughout your network. Note that .vbs has siblings, such as .vbe, .js, .jse, .wsf, and .wsh, that Windows Script Host also executes, so treat the whole family together rather than one member.) When you delete such associations, make sure that doing so won't break any legitimate scripts you depend on. For example, if you want to delete the file association for .vbs files but have a shortcut on your Start menu to a script called update.vbs, you need to change the shortcut so that it doesn't directly link to update.vbs but instead runs wscript //E:vbscript update.vbs. The //E switch matters: wscript and cscript use the same registry mapping to find the script engine for an extension, so after you delete the VBSFile key, plain wscript update.vbs fails with "There is no script engine for file extension '.vbs'".

Manually deleting all those script mappings on each workstation in your network would be laborious. Instead, you can create a .reg file to do the work for you. To delete the file association for .vbs files, open Notepad or another text editor, then create a file with the following lines:

REGEDIT4
[-HKEY_CLASSES_ROOT\VBSFile]

REGEDIT4 is a required header that specifies the file type. (Regedit on Windows 2000 and later writes Windows Registry Editor Version 5.00 at the top of files it exports, but it still imports REGEDIT4 files.) The leading minus sign inside the brackets tells regedit to delete the key rather than create it. Copy and edit the second line for each file association you want to delete, replacing VBSFile with the ProgID that the extension maps to. The ProgID isn't always the extension plus "File": .cmd maps to cmdfile and .bat to batfile, so read the default value of the extension's own key (e.g., HKEY_CLASSES_ROOT\.cmd) rather than guessing. Registry key names are not case sensitive, so CMDFile and cmdfile name the same key. Name the file deleteFileAssociations.reg and save it. Open a command prompt on the local system (to delete the association on the local system only), and type

regedit /s deleteFileAssociations.reg

to instruct regedit to import the file silently and delete the specified registry subkeys under the HKEY_CLASSES_ROOT registry key, which is where Windows stores file associations. (The sample file, for example, tells regedit to delete the VBSFile subkey.) Use regedit rather than regedt32 for this: the Windows NT and Windows 2000 regedt32 doesn't import .reg files, and on Windows XP and later regedt32 is merely a stub that launches regedit. Because HKEY_CLASSES_ROOT is a view of HKEY_LOCAL_MACHINE\SOFTWARE\Classes, the import needs administrative rights. You can use Group Policy and startup scripts (as I described in Tip 2) to deploy the .reg file to all your workstations and execute the file automatically; a computer startup script runs as Local System, which has the rights required.

Keep in mind, however, that installing a service pack or update can re-create the associations you deleted. Therefore, instead of deleting associations, you might consider reassociating offending file extensions to a harmless program (e.g., notepad.exe) by changing the default value of the ProgID's Shell\Open\Command subkey, or using a security template to deny Read access for the HKEY_CLASSES_ROOT registry subkeys that correspond to the file associations that you want to disable. Whichever route you take, remember that HKEY_CLASSES_ROOT is a merged view in which HKEY_CURRENT_USER\Software\Classes takes precedence over the machine-wide keys, so a per-user copy of the same ProgID can silently reinstate what you removed; check both hives when you audit.
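The following PowerShell script is an added example and is not part of the original article. It automates both approaches described above (delete the ProgID key, or repoint its open command at notepad.exe) and adds an audit mode. It resolves each extension to its ProgID by reading the extension key instead of assuming the ProgID is the extension plus "File", so it handles .bat (batfile) and .cmd (cmdfile) as well as .vbs (VBSFile), and it flags a per-user copy of the ProgID under HKEY_CURRENT_USER\Software\Classes, which would override the machine-wide setting. The default extension list, the script name Disable-ScriptAssociations.ps1, and the choice of notepad.exe as the harmless target are this example's assumptions.

```powershell
<#
  Added example (not from the article): audit, neutralize or delete the file
  associations behind script attachments. Run elevated for Neutralize/Delete;
  Audit only reads. Usage:
      .\Disable-ScriptAssociations.ps1 -Mode Neutralize -WhatIf
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # .bat/.cmd/.vbs are the article's examples; the rest are the other Windows
    # Script Host extensions. The list is an assumption; adjust it to your site.
    [string[]]$Extensions = @('.bat', '.cmd', '.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh'),

    # Audit: report only. Neutralize: point the open verb at notepad.exe, which
    # survives service packs better than a deleted key. Delete: remove the ProgID.
    [ValidateSet('Audit', 'Neutralize', 'Delete')]
    [string]$Mode = 'Audit'
)

$hkcr = 'Registry::HKEY_CLASSES_ROOT'
# Harmless target for the open verb; %1 is the file the user double-clicked.
$safeCommand = '"%SystemRoot%\System32\notepad.exe" "%1"'

foreach ($ext in $Extensions) {
    $extKey = "$hkcr\$ext"
    if (-not (Test-Path -LiteralPath $extKey)) {
        Write-Output ("{0,-5} not registered" -f $ext)
        continue
    }
    # The extension key's (default) value names the ProgID, e.g. .vbs -> VBSFile,
    # .cmd -> cmdfile. Registry key names are not case sensitive.
    $progId = (Get-ItemProperty -LiteralPath $extKey).'(default)'
    if (-not $progId) {
        Write-Output ("{0,-5} has no ProgID" -f $ext)
        continue
    }
    $progKey = "$hkcr\$progId"
    $cmdKey  = "$progKey\Shell\Open\Command"
    $current = if (Test-Path -LiteralPath $cmdKey) {
        (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
    } else { '<no open command>' }
    Write-Output ("{0,-5} -> {1,-8} open = {2}" -f $ext, $progId, $current)

    # HKEY_CLASSES_ROOT is a merged view; a per-user copy of the ProgID wins over
    # the machine-wide one, so report it rather than editing the merge blindly.
    if (Test-Path -LiteralPath "HKCU:\Software\Classes\$progId") {
        Write-Warning "$progId also exists under HKCU\Software\Classes and overrides the HKLM copy"
    }

    switch ($Mode) {
        'Neutralize' {
            if ($current -ne $safeCommand -and
                $PSCmdlet.ShouldProcess($cmdKey, 'repoint open command to notepad.exe')) {
                if (-not (Test-Path -LiteralPath $cmdKey)) { New-Item -Path $cmdKey -Force | Out-Null }
                # ExpandString so %SystemRoot% is expanded at launch, as Windows' own entries are.
                Set-ItemProperty -LiteralPath $cmdKey -Name '(default)' -Value $safeCommand -Type ExpandString
            }
        }
        'Delete' {
            if ((Test-Path -LiteralPath $progKey) -and
                $PSCmdlet.ShouldProcess($progKey, 'delete ProgID key')) {
                Remove-Item -LiteralPath $progKey -Recurse -Force
            }
        }
    }
}
```

Run it with -WhatIf first to see which keys would change, then deploy it through Group Policy as a computer startup script so it executes as Local System. Neutralize rather than Delete is the better default for the reason the article gives: a service pack that re-creates VBSFile will overwrite your notepad.exe command, which the Audit output makes obvious, whereas a re-created key after a Delete looks just like the original.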

7. Lock Down IE
Nimda spreads through infected Web pages; future worms will certainly follow suit. Even with the sandboxing built into Java and the browser's scripting engines, attackers have found many ways to access files on browsing computers' local drives, then access resources on your company's networked servers. Microsoft Internet Explorer (IE) has more than 20 security options that you can customize for four zones: Internet, Local intranet, Trusted sites, and Restricted sites. Disabling ActiveX and scripting is the safest practice but will probably cause complaints from users. A detailed discussion of IE security options is outside the scope of this article but is provided in my six-part series beginning with "Internet Explorer Security Options, Part 1," http://www.secadministrator.com, InstantDoc ID 20468.

After you decide on the IE settings you want to use, you don't need to configure them all manually for each workstation: Group Policy comes to the rescue again. In the Active Directory Users and Computers snap-in, edit the Default Domain Policy GPO (or, better, a dedicated GPO linked to the OUs that hold your workstations, so you can scope and roll back the change independently) to open the Group Policy console, then select User Configuration\Windows Settings\Internet Explorer Maintenance to find options for fully configuring IE's security zones. Then, select User Configuration\Administrative Templates\Windows Components\Internet Explorer to find options for preventing users from reconfiguring IE to get around your policies. See "Internet Explorer Security Options, Part 6," http://www.secadministrator.com, InstantDoc ID 21282, for more information and instructions about using Group Policy to control IE. Keep in mind that editing IE security zones might affect Outlook and Outlook Express's behavior because both those applications base their treatment of HTML-based email on IE's security zones.
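As an added example that is not part of the original article, the following PowerShell audit compares the effective Internet-zone settings for ActiveX and scripting with a restrictive baseline and reports whether the Group Policy lockouts that stop users from reconfiguring IE are in force. The zone number, the per-action IDs, and the value meanings (0 enable, 1 prompt, 3 disable) are Internet Explorer's registry layout; the "disable everything" baseline and the simplified precedence (policy keys before the preference key) are this example's assumptions, so treat the output as an audit aid rather than the authoritative effective setting. It only reads the registry, so it needs no elevation.

```powershell
<#
  Added example (not from the article): audit the Internet zone's ActiveX and
  scripting actions against a restrictive baseline and report the IE lockout policies.
#>
$zone = 3   # 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites

# Action ID -> description and the value wanted. Values: 0 = Enable, 1 = Prompt, 3 = Disable.
# The "disable" baseline is this example's assumption.
$baseline = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                 Want = 3 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';               Want = 3 }
    '1200' = @{ Name = 'Run ActiveX controls and plug-ins';                Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX not marked as safe'; Want = 3 }
    '1400' = @{ Name = 'Active scripting';                                 Want = 3 }
}

$pref   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$policy = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

# Lockout policies: Security_HKLM_only makes IE ignore per-user zone settings;
# Security_options_edit and Security_zones_map_edit stop users editing zones in the UI.
$lock = @{ Security_HKLM_only = 0; Security_options_edit = 0; Security_zones_map_edit = 0 }
if (Test-Path "HKLM:\$policy") {
    $p = Get-ItemProperty -Path "HKLM:\$policy"
    foreach ($name in @($lock.Keys)) {
        if ($null -ne $p.$name) { $lock[$name] = [int]$p.$name }
    }
}

# Candidate keys in the order this audit honours them: policy keys first, then the
# preference key of whichever hive Security_HKLM_only selects (simplification).
$candidates = @("HKLM:\$policy\Zones\$zone", "HKCU:\$policy\Zones\$zone")
$candidates += if ($lock.Security_HKLM_only -eq 1) { "HKLM:\$pref\Zones\$zone" } else { "HKCU:\$pref\Zones\$zone" }

function Get-ZoneAction([string]$Action) {
    foreach ($key in $candidates) {
        if (-not (Test-Path $key)) { continue }
        $v = (Get-ItemProperty -Path $key -Name $Action -ErrorAction SilentlyContinue).$Action
        if ($null -ne $v) { return @{ Value = [int]$v; Source = $key } }
    }
    return $null
}

$failures = 0
foreach ($id in $baseline.Keys) {
    $entry = $baseline[$id]
    $got = Get-ZoneAction $id
    if ($null -eq $got) {
        Write-Output ("{0} {1,-48} NOT SET (IE's zone default applies)" -f $id, $entry.Name)
        $failures++
        continue
    }
    $state = switch ($got.Value) { 0 { 'Enable' } 1 { 'Prompt' } 3 { 'Disable' } default { "?$($got.Value)" } }
    $ok = $got.Value -eq $entry.Want
    if (-not $ok) { $failures++ }
    Write-Output ("{0} {1,-48} {2,-8} {3,-4} [{4}]" -f $id, $entry.Name, $state, $(if ($ok) { 'ok' } else { 'WEAK' }), $got.Source)
}

foreach ($name in $lock.Keys) {
    Write-Output ("{0,-24} {1}" -f $name, $(if ($lock[$name] -eq 1) { 'enforced' } else { 'not set' }))
}
exit $failures   # non-zero when any action is weaker than the baseline
```

The Source column tells you where each effective value came from, which is the quickest way to spot a user who has loosened a zone that Group Policy only set as a preference: if the value is read from the HKCU preference key and the lockout entries report "not set", nothing stops the user from changing it back in Internet Options.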

8. Keep IE, Applications, and Windows Up-To-Date
Almost every week, new vulnerabilities are discovered in Microsoft products (as well as other vendors' products) and new patches are released. Code Red and Nimda exploited well-known vulnerabilities for which patches had been available for some time. The only way to protect yourself against many vulnerabilities is to load the appropriate patch on a timely basis.

You need to keep more than just Windows and IE up-to-date. Worms can spread through Office, IM programs, and other applications. Whenever your organization begins using a new piece of software on the network, you need to accept responsibility for monitoring and deploying security-related patches. Microsoft Software Update Services (SUS) and Automatic Updates can help (see http://www.microsoft.com/windows2000/windowsupdate/sus/susfaq.asp for more information). And if you set up the proper infrastructure, you can use Group Policy and a few simple scripts or batch files to simplify the task. (For complete instructions and sample code, see "Updating Service Packs and Hotfixes with Boot Scripts," http://www.secadministrator.com, InstantDoc ID 15953.) You can also use Hfnetchk or Microsoft Baseline Security Analyzer (MBSA—which includes Hfnetchk) to scan your network for computers that are missing important security patches.

Think Ahead
Today's blended threats are sophisticated, and you need a sophisticated, multilayered defense strategy to stop them. Besides using perimeter defenses (such as those that Roger A. Grimes describes in "Putting Down an Email Attack," http://www.secadministrator.com, InstantDoc ID 23656, and "Where to Place Your Antivirus Defenses," InstantDoc ID 24050), you can disable unneeded functionality and limit traffic to slow down a worm's potential progress through your network. (As a bonus, following such measures reduces the need to load some patches immediately, such as those that deal with vulnerabilities in a little-used IIS feature or unnecessary Windows service. When you've already disabled such unneeded features and services, you aren't vulnerable to related exploits. Of course, you should ultimately load all patches for maximum security.) And remember, to keep all your computers locked down and up-to-date, think automation. Windows' scripting abilities and Group Policy can make the job much easier.

Page 4 of 4

