Before the session, I talked to a guy who uses his iPad to manage a lab – insight teacher’s Assistant. Worth a look for our PCC lab.
The presentation started with handouts with the step-by-step directions to restrict software in Group Policy. Beth gave an overview of group policy (which we don’t use enough) and the Group Policy Management Console. She continued with policy precedence. Local to site to domain to org unit. Whitelist or blacklist? Whitelist by directory is coming up. Not a bad idea for the PCC. Computer or user? Hash or software path?
Best practices – if a user can write to a dir, apps shouldn’t run from that dir. If an app can run from a dir, users shouldn’t be able to write to it. Users are local users, not admins. Tips on installing and updating adobe and flash (win update elevates and doesn’t need help). Look for custom install kits. Tips for using virtual machines for gp testing – put the vm in the correct org unit and apply just to that machine until you are happy, then elevate the policy to the whole ou (organizational unit).
Apps usually run from program files, startup folder, windows. Allow windows folder, disallow cmd and regedit – etc – to give more flexibility.
Demos of group policies being applied.
Turn off auto run and push a local hosts policy – if you do nothing else…
Reg entry to turn off IPv6 – might be available through GP. Or cmd line it as a login script through GP. Set the GP to disallow using proxy settings – helpful!!
Mbps.org provides a regularly updated host file that helps to keep staff from malware sites.
Create a folder and share on the server, download host file from Mbps, create GPO – disable DNS client service (in XP) then deploy – TEST.
Category: security
Read/Write/Web today has a story on the dangers of Web 2.0 behind the firewall. They are profiling a company called FaceTime that gives IT departments a way to add web application scanning to their network. Most IT departments do some scanning, at least at the firewall, for malicious applications and sites, but few do any kind of searching for web applications (think Facebook apps, Google’s Team Sites, unsupported IM capabilities, etc.). This company is offering a way to do that. RWW’s take on the matter, in the post Your Web 2.0 App is a Security Threat – ReadWriteWeb is:
Of course, when users become their own I.T. department, they’re unknowingly introducing inherent risks into the previously hardened network infrastructure. Just because a web app is easy to operate, that doesn’t make it safe and secure for enterprise use. As users upload and share sensitive files through these unapproved backchannels or have business-related conversations through web-based IM chatrooms, they might not only be putting their company’s data at risk, they could also be breaking various compliance laws as well.
And this is completely true. The problem isn’t really with the apps, though, it’s with IT departments that refuse to allow *safe* networking practices in their networks. User education, coupled with some monitoring of public sites for confidential information, along with sanctions for misuse of Web 2.0 tools (after the users are educated on proper use, of course) can make Web 2.0 apps part of the IT infrastructure and, consequently, much safer than if the users are off in the “wild west” of web applications, doing things themselves.
I’ve been working on a Tech Report for ALA discussing just how to use these Web 2.0 tools to collaborate with others – and one of the issues that I discuss is the fact that these are publicly facing tools with risks for unintentional leaks of data or confidential information. If your IT department is on the ball and willing to work with you, however, those leaks can be stopped and all of your data can be kept safe – even while you are using these tools to their best effect.
Want more about this? You’ll have to buy the Tech Report next year… until then, however, educating your IT department about the benefits of Web 2.0 applications in the organization will really help to make these things available – in a sanctioned way – for you!
