After collecting a list from each queried computer, I placed all the lists in a directory and parsed them with the command
C:\>logparser "SELECT Text AS
Domain, Count(*) AS Total INTO
TrustedSites.txt FROM
TrustedSites*.txt GROUP BY
Domain HAVING Total > 1
ORDER BY Total DESC"
-i:textline -o:nat -rtp:-1
This query gathers the domain names from all the trusted-sites lists and sorts them by frequency of use across all machines, excluding those domain names that appear just once on a list. The aggregate list consisted of several hundred trusted domain names. I manually reviewed the list and removed domains that were obviously inappropriate, such as known porn or spyware sites. In the end, my trusted-sites list probably read a lot like a list of the top 500 Web sites.
I realized that there was no reason not to accept all hosts for each domain on the list. So rather than allowing www.microsoft.com, sup port.microsoft.com, windowsupdate .microsoft.com, and download.micro soft.com, for example, I could use a wildcard and allow *.microsoft.com. Using wildcards made putting my list back into the registry much simpler.
To make a list I could easily import to the registry, I ran yet another Log Parser query, but this time the output format was a bit more complicated. To create a properly formatted .reg file, I created a template file by saving the text shown in Figure 1 to a file named reg.tpl. The following command uses the -tpl parameter to format the output using the specified template:
C:\> logparser "SELECT Domain
INTO TrustedSites.reg FROM
TrustedSites.txt" -i:tsv
-iSeparator:space -nSep:2
-nFields:2 -o:tpl -tpl:reg.tpl
This action creates a file, Trusted-Sites.reg, which you can double-click to add to the registry.
Because I was populating the trusted-sites list, I also thought it prudent to populate the restricted-sites list. This task was much easier, because the work had already been done for me. To add sites to the Restricted Sites zone, I used several other programs that add their own lists of restricted sites, including IESPYAD (available at http://www.spywarewarrior.com/uiuc/resource.htm), which adds a list of known undesirable sites and domains to IE's Restricted Sites zone. (There is no equivalent to a Restricted Sites zone in Firefox.)
Building the VMs
The VM template I built was just a basic XP SP2 installation. To keep things simple, I used the built-in securews.inf security template to set the system's security policy.
Because the VMs needed effective protection from malware threats, I loaded several free antivirus and antimalware applications: Javacool Software SpywareBlaster, Clam AntiVirus, the Microsoft Windows Defender beta, and Spybot-Search & Destroy. Many of these tools' features overlapped, which I felt made the coverage more comprehensive.
After I hardened and preconfigured the OS, I installed the latest patches and created a new account for users to log on to. Rather than managing a second set of account credentials for each user, I created one user account on the base image, installed the image on every machine, and required the user to change the password at the next logon. When users first boot their VM, they have to set a password on that account. Although a fully managed domain dedicated to the VMs would have allowed more precise control over each account, using one account was a simple solution that still met the design goals.
(Virtual) Mission Accomplished
After establishing some basic security policies—I convinced company management to forbid the use of peer-topeer applications, a common source of spyware—and conducting some basic user training, I deployed the image across the network. Initially, there was some user resistance, but that quickly disappeared after users became comfortable using the VMs, and especially after they found that most of their Web sites worked without any problems. To the users, I made the Internet work; to the administrators, I made it work securely.
Register
