August 28th, 2003, 05:14 PM
Ideal desktop Security/Hardening Solution?
Looking to determine what others are doing to secure desktops. Issues to be considered:
Hardening end-user desktops on Windows 95b, Windows 98, Windows 2000 Pro, Windows XP.
Security and enforcement applies to: Desktop policies either 1) Novell ZENworks, 2) Windows NT4 based domain or 3) Active Directory GPOs, 4) 3rd party solution. In addition, it must include automation and pushing of patches (we've purchased Patchlink for this effort) and it must also consist of some form of notification (NIDS, syslog, etc.) if any compromises (virus/worm, etc.) appear.
Environment is dispersed. Main office has 500-600 desktops and we have over 350 remote sites with about 5-10 PCs each and 4 brand offices with 40-60 desktops. All told, we hover around 4000 devices.
Any suggestions appreciated.
August 28th, 2003, 05:26 PM
We use Novell here and it works fine. Manage all the servers through remote console... manage user IDs and profiles through ConsoleOne, which is awesome... and push patches or virus scans through login scripts when they log into the Novell client. Novell BorderManager for the firewall, which we just upgraded... it all actually works pretty well. I never had experience with it before, but since I got a job here it's been awesome. Very few problems. As well as security, we haven't had any compromises. But one feature I like is the "Intruder Lockout", which, if a person gets the login wrong 3 times in a row on a specific machine, locks out that profile, and the user has to notify an administrator to unlock it. It specifies the IP that the logins were being attempted at to see who was doin it and if it was the right person and so forth. We've been fightin this Sobig worm and Blaster worm for the last week or two and we haven't really had that many infections; we've just been forcin virus scan to run in the login scripts, so virtually anyone connected to the network obviously has been scanned and cleaned. Might wanna just give Novell a peek and see what you think... not a bad networking client/admin pack.
August 28th, 2003, 05:34 PM
We're already a mixed environment with 15+ NetWare 6 servers and 40+ Windows 2000/2003 servers. We're making the move away from eDirectory, Zen and GroupWise and going to Win2003, AD and Exchange due to integration issues with portal, mail, etc.
We currently use McAfee on the desktops and push AV via EPO, but McAfee is crap and we're looking for a better way to 1) secure the desktop and 2) get notification if any events occur.
August 28th, 2003, 07:34 PM
VirusScan 7.0 from NAI is much better than their older NetShield 4.5 product. We run that in our environment with EPO managing the updating/scanning of the environment and we have very few issues with it. What we have also done is created 500 bogus entries at the beginning of our Exchange directory so that if a virus starts to spread it will more than likely send an email to one of those lists. Once a virus comes into one of those lists it immediately sends a notification to our security/AV team to have somebody lock down that mailbox and work with the user. This works great for the mass-mailing type viruses. We have 150k+ devices on our network, which is global, so being notified of every virus infection on the network really isn't something that is doable.
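The decoy-address alerting described in the post above, sketched as an added example (not the poster's code or configuration): it scans mail-tracking records for messages addressed to decoy directory entries and reports which sending mailboxes to lock down. The log format, the `000-decoy-NNN@example.com` naming scheme and all function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumed naming scheme: decoy entries sort first in the address list.
DECOY_RE = re.compile(r"^000-decoy-\d{3}@example\.com$", re.IGNORECASE)

# Constructed sample records: timestamp, sender, ';'-separated recipients.
SAMPLE_LOG = """\
2003-08-28T17:01:02 alice@example.com bob@example.com
2003-08-28T17:03:10 carol@example.com 000-decoy-001@example.com;000-decoy-002@example.com;bob@example.com
2003-08-28T17:03:11 Carol@example.com 000-decoy-003@example.com;dave@example.com
this line is malformed and must be skipped without raising
2003-08-28T17:05:40 dave@example.com 000-decoy-004@example.com
2003-08-28T17:06:00 bob@example.com alice@example.com;carol@example.com
"""

def parse_line(line):
    """Return (timestamp, sender, recipients) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 3 or "@" not in parts[1]:
        return None
    ts, sender, rcpts = parts
    return ts, sender.lower(), [r.lower() for r in rcpts.split(";") if r]

def find_decoy_hits(log_text, min_decoys=1):
    """Map each sender that mailed a decoy to first-seen time and decoys hit.

    min_decoys=1 alerts on any hit; a higher value keeps only senders that
    reached several distinct decoys, the mass-mailing pattern.
    """
    hits = defaultdict(lambda: {"first_seen": None, "decoys": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, sender, rcpts = rec
        decoys = [r for r in rcpts if DECOY_RE.match(r)]
        if decoys:
            entry = hits[sender]
            entry["first_seen"] = entry["first_seen"] or ts
            entry["decoys"].update(decoys)
    return {s: e for s, e in hits.items() if len(e["decoys"]) >= min_decoys}

def lockdown_list(log_text, min_decoys=1):
    """Senders to hand to the security/AV team, earliest hit first."""
    hits = find_decoy_hits(log_text, min_decoys)
    return sorted(hits, key=lambda s: hits[s]["first_seen"])

if __name__ == "__main__":
    for sender in lockdown_list(SAMPLE_LOG):
        print("lock down mailbox:", sender)
```

Because no legitimate user has a reason to address the decoys, a single hit is already a high-confidence signal, which is what makes this workable on a network too large to review every antivirus event.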
August 28th, 2003, 08:09 PM
You can lock down the 2k and XP machines through Group Policy on the 2k servers. There are many things that you can do in Group Policy to lock down these computers.