After reading the post about removing unnecessary software, I once again got depressed. The author offers an "effective solution" for getting rid of any unwanted software, such as the Amigo mentioned there. Some parts of that script can still be called, well, at least harmless, but deleting and blocking "%username%\AppData\Local\Apps" looks like outright sabotage. Worse, some people seriously consider this or a similar "useful script" an effective security measure. This is not the first article that makes me wince: I see that many people do not understand where to start when setting up security in a Windows environment.
I present to readers my view of the minimum set of settings and actions (primarily for a Windows domain) needed to never see mysterious browsers again and to reduce the risk of malware to an absolute minimum. Some of the solutions described may seem controversial, and indeed they are. But I ask in advance: having read the first sentence of an item, do not rush to write a comment; read the thought to the end, and perhaps no questions will remain.
Of course, I have probably seen this very Amigo a few times, but only on users' home machines, and I don't even remember what it looks like.
Items are sorted by importance and priority, in case you decide to follow this example. The sequence may seem strange to you, but it is my opinion, based on my own experience. I will describe the mandatory foundation, without which all other actions would be useless. And remember, security and convenience usually sit on opposite sides of the scale.
0)
Always think with your own head first. UPD. This item was not in the original version of the post, but it was rightly pointed out to me that some of the recommendations may even be harmful in a particular situation. Do not blindly follow every how-to and tutorial; weigh the pros and cons and assess the risks. Perhaps restoring the infrastructure, or part of it, would cost several times less than implementing and supporting strict security measures. But for the vast majority of Windows users in an organization the advice is quite applicable.
1)
NTFS file system. You probably did not expect to see it in first place, but there it is. For some reason the absolute majority simply skip this point. It is the foundation of Windows security. If you still have Win98 in your organization, I sincerely sympathize. Always take a very responsible attitude to configuring NTFS permissions. For example, a startup script needs to be readable only by "Domain Computers", so grant them read access and nothing more. I remember a case in one office where everyone had write access to the \\domain.ru\NETLOGON directory. Who exactly brought in the infection can no longer be determined, but the epidemic was epic.
If you are using FAT on Windows 7 for some unknown reason, then go and write an Amigo removal script.
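The NETLOGON story above comes down to one check: which broad principals hold write-capable rights on a path that should be read-only for them. The following PowerShell is an added example, not code from the original post; the domain name, share path and script name are assumptions. It flags Allow ACEs for Everyone, Users, Authenticated Users, Domain Users and Domain Computers that carry any write, delete or permission-change bit (including the GENERIC_WRITE/GENERIC_ALL bits that some tools leave behind), and shows the read-only grant the post recommends.

```powershell
# Added example (not from the original post): audit a path for broad principals
# that can write to it. Paths below are assumptions; replace with your own.

$WriteRights = [System.Security.AccessControl.FileSystemRights] `
    'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$GenericWriteOrAll = 0x50000000   # GENERIC_WRITE (0x40000000) | GENERIC_ALL (0x10000000)

$BroadPrincipals = 'Everyone', 'Users', 'Authenticated Users', 'Domain Users', 'Domain Computers'

function Test-BroadWriteAccess {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # IdentityReference looks like "DOMAIN\Domain Users" or just "Everyone";
        # only the account-name part matters for the comparison.
        $name = $ace.IdentityReference.Value.Split('\')[-1]
        if ($BroadPrincipals -notcontains $name) { continue }

        # Cast to int so the generic-rights bits (which the enum has no names
        # for) can be masked as well.
        $rights = [int]$ace.FileSystemRights
        $canWrite = (($rights -band [int]$WriteRights) -ne 0) -or
                    (($rights -band $GenericWriteOrAll) -ne 0)
        if ($canWrite) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Assumed paths: the NETLOGON share from the post and one startup script in it.
Test-BroadWriteAccess -Path '\\domain.ru\NETLOGON'
Test-BroadWriteAccess -Path '\\domain.ru\NETLOGON\startup.cmd'

# Remediation for the startup script: replace whatever Domain Computers had
# with read+execute only (/grant:r replaces that principal's explicit grant).
# icacls '\\domain.ru\NETLOGON\startup.cmd' /grant:r 'DOMAIN\Domain Computers:RX'
```

Run it from an account that can read the DACL of the share. An empty result means no broad principal can write there; anything listed with Inherited = True has to be fixed on the parent folder, not on the file.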
2)
No administrator rights for ANYONE, and I mean anyone, including the CEO. This can be extremely difficult to implement precisely because of organizational resistance, but you must be able to make the case. I succeeded by using the most dangerous malware as the example: ransomware. Who wants to be the cause of a mass epidemic of encrypted data and, at best, cause lengthy downtime while data is restored from backup, and at worst incur serious costs and the likelihood of irrecoverable data loss? Nobody wants that, the CEO least of all, and everyone else will follow. By the way, this applies to IT staff too, but more on that below.
The next aspect of limited rights is that some software wants to write not to the user profile but to its installation directory. First, decide whether you need this software at all. If you really need it, for example it is the accounting system, you will have to work some magic. Any, I repeat, any software can be made to run under a regular user. Sometimes it is enough to grant rights to some ini configuration file, and sometimes you have to pick up Process Monitor and painstakingly, step by step, figure out whether the next ACCESS DENIED really matters for normal operation.
If the first thing you do after installation is disable UAC, then keep writing that Amigo removal script.
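The Process Monitor routine described above can be made repeatable. This is an added example, not code from the original post: it drives Procmon from the command line, exports the capture to CSV, pulls out the file operations of one process that ended in ACCESS DENIED, and then grants Modify on exactly those objects instead of adding the user to Administrators. The tool path, the application name "LegacyApp", its install folder and the temp paths are assumptions; the Procmon switches and the CSV column names are those of the Sysinternals tool.

```powershell
# Added example (not from the original post): find what a legacy application
# needs to write to when run as a regular user, then widen rights on only
# those objects. All paths and the application name are assumptions.

$ProcmonExe = 'C:\Tools\Procmon.exe'     # Sysinternals Process Monitor
$Capture    = 'C:\Temp\legacyapp.pml'
$Csv        = 'C:\Temp\legacyapp.csv'

# 1. Capture while the user reproduces the failure (elevated prompt; Procmon
#    itself needs admin), then stop the capture and export it as CSV.
& $ProcmonExe /AcceptEula /Quiet /Minimized /BackingFile $Capture
# ... the user reproduces the problem here ...
& $ProcmonExe /Terminate
& $ProcmonExe /OpenLog $Capture /SaveAs $Csv

# 2. File opens of the application that were refused. Registry denials
#    (RegCreateKey/RegSetValue) show up the same way but are fixed with key
#    permissions, so they are left out here.
function Get-DeniedPaths {
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [Parameter(Mandatory)][string]$ProcessName
    )
    Import-Csv -LiteralPath $CsvPath |
        Where-Object {
            $_.'Process Name' -eq $ProcessName -and
            $_.Result -eq 'ACCESS DENIED' -and
            $_.Operation -eq 'CreateFile'
        } |
        Select-Object -ExpandProperty Path -Unique
}

# 3. Grant Modify to a group on each object, refusing anything outside the
#    application's own folder so a stray path cannot widen system locations.
function Grant-NarrowWrite {
    param(
        [Parameter(Mandatory)][string[]]$Paths,
        [string]$Principal = 'BUILTIN\Users',                 # prefer a dedicated app group if you have one
        [string]$AllowedRoot = 'C:\Program Files*\LegacyApp\*' # assumption: the app's install folder
    )
    foreach ($p in $Paths) {
        if ($p -notlike $AllowedRoot) { Write-Warning "Skipping $p (outside $AllowedRoot)"; continue }
        icacls $p /grant "${Principal}:(M)"
    }
}

$denied = Get-DeniedPaths -CsvPath $Csv -ProcessName 'LegacyApp.exe'
$denied                      # review this list by hand first
# Grant-NarrowWrite -Paths $denied
```

The point of the AllowedRoot guard is that Procmon will also show denials in places you must never open up (system32, the root of C:); those are the cases where the honest answer is that the software has to be replaced rather than accommodated.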
3)
A current Windows version. An obvious point by now. Unfortunately, XP support has ended, yet it still runs on a large share of workstations around the world. I understand that not everyone can afford the move to a modern operating system, for various reasons: financial, technical, or even organizational. But you must strive for it. Get rid of it as soon as possible. Here I can say I was lucky: I managed to unify the desktop fleet on Windows 7 only. By "current version of the OS" I also mean having the latest updates installed. This is a mandatory rule. Some may argue that updates break things. Once a year even an unloaded gun fires, true. But what prevents you from rolling new updates out to 10-15% of the PC fleet a few days earlier? This delays patching slightly, but allows testing before the main rollout to production.
If the second thing you do after installing the OS is turn off Windows Update, then don't let me distract you from the Amigo script.
4)
Keeping software up to date. Personally, I am too lazy to update user software by hand, and I worry too much about possible problems to keep five-year-old versions of products around. Everything is exactly the same as in the item above. It may seem complicated, but I am tired of repeating it: there are free solutions, LUP (Local Update Publisher) and WSUSPP (WSUS Package Publisher), that let you deploy any software through WSUS. Figure it out once and happiness follows; nothing complicated. There are programs, for example Unreal Commander version 0.96, that did not know how to write their version data correctly to the registry and by default tried to install into the root of the system drive. Such a program cannot be properly maintained through LUP. Well, no matter, you can spend a little time and wrap the software in your own installer. By the way, from version 2.x UC has been fixed and can be deployed out of the box.
If you deploy software by installing it together with a pirated "ZverDVD" Windows build, then I apologize for wasting your time, Amigo awaits!
5)
Software Restriction Policies (SRP). The most powerful security tool. In fact, the only means of dealing with all sorts of Mail.ru junk and the like. Like any other tool, it takes time to study and implement, but it is worth it. The principle is simple: because the user does not have admin rights, he cannot write to system directories. Then you prohibit launching programs from anywhere except %WinDir%, %ProgramFiles% and %ProgramFiles(x86)%. Now, if the user, anticipating something sweet, tries to start the next registry optimizer, it simply gets blocked. SRP records unauthorized launch attempts in the event log, which can help debug some software launch errors. And that is not even the main point.
SRP is a tool that can resist unknown viruses, or those that the antivirus misses. The "letter from the tax office" will not encrypt all the 1C databases to hell, because the user simply cannot run the attachment "Invoice №1231233 from 10.26.2015.doc.exe". By the way, I am aware of AppLocker, but it is physically absent in XP, and the functionality is almost identical. We no longer have machines older than Windows 7, but SRP is there historically and I see no point in rewriting anything.
If this is too difficult for you, then add removal of "Sputnik.Mailru" to the script.
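What the SRP item above amounts to in the registry, applied locally for a lab machine, plus the event-log query for blocked launches. This is an added example, not configuration from the original post: the key layout and the level values (0 = Disallowed, 0x40000 = Unrestricted) are those the Group Policy editor writes under Safer\CodeIdentifiers; the rule GUIDs are generated; the event provider name is an assumption to verify on your build. In a domain you set this through Group Policy rather than by hand. The two extra Disallowed rules are the caveat a practitioner wants: folders under %WinDir% that regular users can write to (typically %WinDir%\Temp and %WinDir%\Tasks) would otherwise be allowed launch locations inside the permitted tree; SRP gives the more specific path rule precedence, so a Disallowed subfolder overrides the Unrestricted root. Enumerate your own with "accesschk -uwdqs Users C:\Windows" from Sysinternals.

```powershell
# Added example (not from the original post): SRP as registry values, for a
# local lab test. Use Group Policy for production. Rule GUIDs are generated.

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0
$Unrestricted = 262144   # 0x40000

New-Item -Path $Safer -Force | Out-Null
Set-ItemProperty -Path $Safer -Name DefaultLevel        -Value $Disallowed -Type DWord
Set-ItemProperty -Path $Safer -Name TransparentEnabled  -Value 1           -Type DWord   # 2 would also check DLLs
Set-ItemProperty -Path $Safer -Name PolicyScope         -Value 0           -Type DWord   # 0 = all users, including local admins
Set-ItemProperty -Path $Safer -Name AuthenticodeEnabled -Value 0           -Type DWord

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][int]$Level,
        [string]$Description = ''
    )
    $key = Join-Path $Safer ('{0}\Paths\{1}' -f $Level, [guid]::NewGuid().ToString('B'))
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData    -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $key -Name SaferFlags  -Value 0            -Type DWord
    Set-ItemProperty -Path $key -Name Description -Value $Description -Type String
}

# The three allowed roots named in the post.
'%WINDIR%', '%PROGRAMFILES%', '%PROGRAMFILES(X86)%' |
    ForEach-Object { Add-SrpPathRule -Path $_ -Level $Unrestricted -Description 'allowed root' }

# Caveat: user-writable folders inside the allowed tree get re-denied; a more
# specific path rule wins over the broader Unrestricted one.
'%WINDIR%\Temp', '%WINDIR%\Tasks' |
    ForEach-Object { Add-SrpPathRule -Path $_ -Level $Disallowed -Description 'user-writable, re-denied' }

# Blocked launches are logged to the Application log as events 865-868
# (865 = default level, 866 = path rule, 867 = certificate, 868 = hash/zone).
function Get-SrpBlocks {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'   # assumption: verify on your build
        Id           = 865, 866, 867, 868
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time = $_.TimeCreated
            Id   = $_.Id
            Path = if ($_.Message -match 'Access to (.+?) has been restricted') { $Matches[1] } else { $_.Message }
        }
    }
}

Get-SrpBlocks -Hours 24 | Format-Table -AutoSize
```

New processes pick the policy up after a log-off; Get-SrpBlocks is the "debug a launch error" half of the item, since a legitimate program blocked by the default level shows up there with its full path.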
6)
Antivirus. Yes, that modestly, in the middle of the list. I have long since stopped considering AV a panacea. But I am not one of the radical AV haters either: "I have worked without antivirus for 5 years, everything is great." That sounds like "I have never used a condom, everything is great!" In their place I would go get checked, and at the same time scan the computer from a LiveCD. Antivirus should be present and working: current, with updated databases, a centralized management console and reports. The latter are useful for identifying the naughty users who keep bringing in viruses on flash drives and visiting suspicious sites. Give them a slap on the wrist.
If for you "antivirus is evil and slows down the computer", then... set the Amigo script aside. Go see a venereologist.
7)
About admins' admin rights. If you have locked everything down to the point that the user cannot sneeze without your knowledge, it is time to find the log in your own eye. At some point I realized that I was, in fact, the main security hole. Yes, I am competent enough not to wander anywhere and not run anything, but I already wrote about "once a year even an unloaded gun fires" above. I decided to work as a regular user and found that admin rights are rarely needed on my own computer, and to get onto users' computers I simply run the same Unreal Commander under a separate account. By the way, create a separate "Local Admins" group and add it to the "Administrators" group on client machines. There is no need to log on to users' machines with the same domain admin account. For administering servers, use terminal access. If it is a DC, I log in as Domain Administrator. If it is some 1C server, then only as that server's admin. Passwords must be different everywhere, and let some KeePass deal with memorizing them.
If regularly entering a password is wildly inconvenient for you, then here is another lame joke about Amigo.
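Both item 2 (nobody is a local admin) and this item (only a dedicated "Local Admins" group, never personal domain admin accounts, sits in Administrators on clients) reduce to one audit: who is actually in the local Administrators group on each workstation. This is an added example, not code from the original post. It uses the WinNT ADSI provider so it works against Windows 7 clients without PowerShell remoting; the NetBIOS domain name, the group name "Local Admins" and the computer filter are assumptions, and the built-in Administrator is recognised by name, so adjust that if you rename it.

```powershell
# Added example (not from the original post): report local Administrators
# members on domain computers that are outside the allowed set.
# Domain and group names are assumptions.

$Domain  = 'DOMAIN'                                              # NetBIOS domain name
$Allowed = @("$Domain\Domain Admins", "$Domain\Local Admins")    # the post's dedicated admin group

function Get-LocalAdmins {
    param([Parameter(Mandatory)][string]$Computer)
    $group   = [ADSI]"WinNT://$Computer/Administrators,group"
    $members = $group.psbase.Invoke('Members')
    foreach ($m in $members) {
        # ADsPath is WinNT://DOMAIN/Domain Admins for domain principals and
        # WinNT://[DOMAIN/]PC01/Administrator for local accounts; keep the
        # last two components as AUTHORITY\Name in both cases.
        $adsPath = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $parts   = ($adsPath -replace '^WinNT://', '').Split('/')
        if ($parts.Count -ge 2) { '{0}\{1}' -f $parts[-2], $parts[-1] } else { $parts[-1] }
    }
}

function Find-UnexpectedAdmins {
    param([Parameter(Mandatory)][string[]]$Computers)
    foreach ($c in $Computers) {
        try   { $members = @(Get-LocalAdmins -Computer $c) }
        catch { Write-Warning "$c : $($_.Exception.Message)"; continue }
        foreach ($m in $members) {
            $isBuiltin = ($m -eq "$c\Administrator")     # assumption: built-in account not renamed
            if (-not $isBuiltin -and $Allowed -notcontains $m) {
                [pscustomobject]@{ Computer = $c; Member = $m }
            }
        }
    }
}

# Computer list from AD (RSAT ActiveDirectory module); the OS filter is an assumption.
$computers = Get-ADComputer -Filter 'OperatingSystem -like "Windows 7*"' |
             Select-Object -ExpandProperty Name
Find-UnexpectedAdmins -Computers $computers | Format-Table -AutoSize
```

Anything this prints is either a user who got admin "temporarily" and kept it, or a personal admin account that should be replaced by membership in the Local Admins group; run it as a member of that group, since reading a remote machine's local group requires admin rights there.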
8)
Working with users. Also an important aspect. It is worth having a preventive conversation: why, for example, you should not enter credentials for the proxy if the password prompt appeared unexpectedly and you did not launch the browser. Given the measures above, such actions are unlikely to infect the computer, but they are suspicious and could potentially lead to data leakage.
Here, in the item about users, I will add a controversial point about "password policy". We have requirements for password length and complexity, but I do not require mandatory regular rotation. The absolute majority have no access from outside, and the remaining 2.5 users come in through OpenVPN, and if their password has "leaked" somewhere, it was clearly not lost or intercepted via MITM. As a result, a complex, constantly changing password will not help if it is captured on a home computer by a keylogger. On the other hand, everyone else will agonize every time over inventing a complex password and, so as not to forget it, stick it on the monitor. You can beat them for it, cut bonuses, and otherwise mock users in every possible way, but in reality it
often does not increase security. You just need to get across to the user "do not disclose your password to anyone", and make sure the password is not of the form "1234567". I repeat, this point is very controversial, but in my case there is no access from outside except RDP over OpenVPN.
UPD. I recommend reading the whole post first, then coming back to the competent comment from Sergey-S-Kovalev and reading that thread.
I have also never understood the common opinion among "admins" that "users are stupid". Yes, there are narrow-minded ones, there are frankly stupid ones, but nothing will help with that. They are stupid in life. Such people run across the road on red, and if it is impossible to shield them from serious bodily harm, shielding them from dangerous actions at the computer is quite realistic.
Love users, they are just like children; it is that simple.
That's it, I'm sick of Amigo.
9)
Service accounts. For each non-standard service I try to create its own limited account. For example, the 1C application server does not need admin rights anywhere. Generate a new account, save it in KeePass, enter it into 1C. Then forget about that account, for the time being. This applies to the vast majority of services. Sometimes a few more rights are needed, but in any case it will be a limited account.
10)
Backup. We are smoothly moving on to other things that ensure data safety. The items listed below no longer apply exclusively to a Windows domain, but must also be properly configured. If, despite all efforts, everything is lost, or the user himself, the naughty Pinocchio, has wrecked the quarterly report, then your favorite backup system will bring everything back. It does not matter what you use; what matters is that backups exist and are intact, so check them periodically by actually restoring. By the way, backup most often needs read-only rights on the protected machines, so remember the item above: create a limited account under which the service will go to the machines and collect data. Then go over those machines and give the backup account read access. The reverse is also true: only that limited backup account may write to the backup repository, and nobody else, and I mean nobody. Admins, say, can read, but not write. If something happens, this is what saves the backups from the same ransomware.
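The repository side of the item above as an explicit DACL: inheritance cut so that Users/Everyone from the parent disappear, the backup service account gets Modify, the admins' group gets read and execute, SYSTEM keeps full control. This is an added example, not code from the original post; the repository path, the account "svc-backup" and the group "Local Admins" are assumptions.

```powershell
# Added example (not from the original post): restrict a backup repository so
# only the backup service account can write. Names and path are assumptions.

$Repo      = 'D:\Backups'
$BackupSvc = 'DOMAIN\svc-backup'      # limited account the backup service runs under
$Readers   = 'DOMAIN\Local Admins'    # may read and restore, never write

$InheritAll = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
$NoProp     = [System.Security.AccessControl.PropagationFlags]::None

function New-Ace {
    param([string]$Identity, [string]$Rights)
    # Allow ACE that applies to the folder, its subfolders and files.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $InheritAll, $NoProp,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

function Set-BackupRepoAcl {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting from the parent and drop the inherited ACEs, then
    # remove any explicit ones so the list below is the whole DACL.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    $acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl'))
    $acl.AddAccessRule((New-Ace $BackupSvc 'Modify'))
    $acl.AddAccessRule((New-Ace $Readers   'ReadAndExecute'))
    Set-Acl -LiteralPath $Path -AclObject $acl
}

Set-BackupRepoAcl -Path $Repo

# Verify: only SYSTEM and the service account should show write-capable rights.
(Get-Acl -LiteralPath $Repo).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

The admins are deliberately left without write or delete rights: ransomware that runs in an admin's session then cannot touch the repository, which is exactly the case the post describes. The price is that restores or clean-ups of the repository have to be done as the service account or SYSTEM.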
11)
Centralized monitoring. Unlike the item above, this is a full-fledged security element. You must clearly understand what is happening at any given moment. Also be sure to set up auditing on file servers; it will help in the post-mortem analysis.
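The file-server auditing mentioned above needs two things to produce anything: the "File System" audit subcategory enabled, and a SACL on the share, since a SACL without the subcategory is silently ignored. This is an added example, not code from the original post; the share path is an assumption. It audits writes and deletes by anyone below the share and then pulls the deletions out of the Security log (event 4663, DELETE bit 0x10000 in the access mask).

```powershell
# Added example (not from the original post): object-access auditing on a
# share and a query for who deleted what. The share path is an assumption.

$Share = 'D:\Shares\Accounting'

# 1. Without this subcategory no 4663 events are written at all.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. SACL: Everyone, write/delete/permission changes, inherited by subfolders and files.
function Add-WriteAuditRule {
    param([Parameter(Mandatory)][string]$Path)
    $rights  = [System.Security.AccessControl.FileSystemRights] `
        'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $inherit = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', $rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags] 'Success, Failure')
    $acl = Get-Acl -LiteralPath $Path -Audit      # -Audit needs SeSecurityPrivilege (run elevated)
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}
Add-WriteAuditRule -Path $Share

# 3. Deletions in the last N hours: 4663 whose AccessMask carries DELETE (0x10000).
function Get-DeleteEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) } `
                 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if (([int]$d.AccessMask -band 0x10000) -ne 0) {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
                Object = $d.ObjectName
            }
        }
    }
}
Get-DeleteEvents -Hours 24 | Format-Table -AutoSize
```

Auditing every write on a busy share produces a lot of events, which is the reason the post pairs it with centralized monitoring: forward the Security log to the collector and keep the query there, rather than reading it on the file server after the fact.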
12)
Proper perimeter protection. A gateway you understand well, with all external services in a DMZ. Don't forget about Wi-Fi. Ours is also in the DMZ; there is no need for it to have access inside the perimeter. By the way, it is better if the gateway is not some consumer-grade box or similar junk.
13)
The next, indirect point I would mention is the use of "cloud services". This is also a very controversial point, but I will try to explain why I decided to mention it. For example, we use Mail for Domain from Yandex and are completely satisfied with it. Our own mail server inside or on hosting would be an order of magnitude more flexible, but in my case there is no need for that, and I do not need my own service. In addition, despite my experience supporting mail servers, I soberly believe that mail from Yandex is more reliable and better protected from viruses and spam than I could configure myself. By the way, our DNS is also from Yandex, the "Safe" one, which protects against malicious sites but still lets you visit redtube.
14)
Remote access. If possible, try to wrap external access in a VPN. Yes, it is less convenient, but much safer than RDP with its bare backside out in the cold.
That's basically it. This is not a complete list; it could go on indefinitely. Of the main points, I would add EMET (which we use) and 802.1X for network access (which we do not). Surely I forgot to mention something from the same "fundamentals"; write in the comments.