General discussion

Locked

Virus Control/Prevention

By itcanada ·
We are a small company of 50 personnel in the engineering industry. Our boss has decided that we should go to stand alone Internet based computers (bullpen style) thus having no internet access on our desk top pc's. He is extremly concerned with us receiving a virus on one of our desktop pc's. If we go to this bullpen style for internet pc's, they will not have access to our data server or our desktop pc's. so if a virus did get in it will only affect the internet bullpen machines. I am one of the 2 IT personnel here. I am looking into further information as to wether this is really necessary. I do not feel we should go to this length. Please provide any relevant web sites or information regarding this.
thank you

info: we have an e-mail server on site
we have our own domain name
we still plan to have e-mail access on our desktop pc's (defeating the purpose?)
help?

This conversation is currently closed to new comments.

14 total posts (Page 1 of 2)   01 | 02   Next
| Thread display: Collapse - | Expand +

All Comments

Collapse -

by Oz_Media In reply to Virus Control/Prevention

Well I thin kyou're right to question his motives. If you go to a bulpen style and still have email, you haven't resolved anything except perhapse the odd HTML virus or web based mail virus.

I remote manage a Novell network with Inoculan that is great at catching everything, as well as using GroupWise Guardian to reduce SPAM (nice solution if you have GW!).

Another company I work for uses a mix of MS and Novell servers. They use AVG antivirus (they have free and licenced packages available)http://www.grosoft.com that are VERY effective against viruses but they don't have any ANTISPAM protection but a strict office email policy.

If users are educated no SPAM and Viruses, if you have some form of AV protection and hopefully a SPAM solution, you should be fine. Also it is a good idead to implement an email policy (if you dont have one) as to what should be opened, what shouldn't, who they are allowed to communicate with and how they should do it.

Try to push things along to keep the network together. Moving into a ballpen style is a backstep for the company. Instead of cringing away from technology, just implement software (relatively low cost) that will help the company move forward with technology.

It soumds like your boss is scared of technology because he doesn't understand his options. You may get some Brownie points here too by helping him understand and improve the network.

Collapse -

by itcanada In reply to

Poster rated this answer.

Collapse -

by sgt_shultz In reply to Virus Control/Prevention

yep, email on the desktop pretty big hole...
well, i actually think he is thinking along correct lines (being a paranoiac myself) but i think most folks deal with this problem of having public servers connected to internal network by putting public servers in a dmz, in between 2 firewalls. read about them at www.cert.org.
this is what i consider a minimum:
dmz for public servers
computer use and policy manual for safe/allowed computer conduct (you need this to prosecute hackers if you get any)
daily updates for windows critical updates, all windows machines
daily or more often anti-virus updates
weekly virus scans all machines
'strong' passwords, changed as frequently as you can get the users to do it, automatic log-off after hours
constant education of users about current threats and safe practices.

Collapse -

by itcanada In reply to

Poster rated this answer.

Collapse -

by TheChas In reply to Virus Control/Prevention

Look for the ulterior motives.
I suspect that the "real" reason for setting up the bull-pen for internet access is that your boss has concluded that staff is wasting too much time on the internet for non business use.

You are correct, that most viruses are coming in on e-mail, and that you will not have a significant security improvement by eliminating web access on the desktop.

As I said, I suspect that the virus issue is being used as a scapegoat for the true goal of eliminating user access to the internet. So, tread VERY carefully in your efforts to discredit the issue.

I would allow the plan to proceed. But, cover your bases by making sure that the e-mail server is properly protected, and security patches are still installed.

Chas

Collapse -

by itcanada In reply to

Poster rated this answer.

Collapse -

by Curacao_Dejavu In reply to Virus Control/Prevention

Let's say he goes for the bullpen pc's.
You need to run windowsupdate on 50 pc's everytime there's a update. (while you can use SUS or AD to publish the updates nessary)
You need to run antivirus updates on 50 pc's everytime there's a update. (while you can use for example liveupdate administrator from Norton)
You need to install the service packs of office2000 and IE update everytime on 50 (while you can push them via AD)
You need to install and maintain firewalls on all 50 pc's.

Most viruses comes via email but as the blaster virus showed it can be targeted to a pc directly.
So in that case a pc behind a firewall is better solution.

If the bullpens pc's won't be able to access the data and they start to save locally, (you have to back up the data on every pc too) will defeat the whole purpose of a network and domain structure.


I think a solution with keeping the pc's behind the firewall in a network, and installing virusscanner for the email server and a spam filter should be enough protection to against emailbased viruses, and keeping office and IE update should be enough.
if the email server is a exchange server, you can find more information on microsoft.com/exchange
and www.exchangeorg.com and www.exchangefaq.com
For the firewall www.microsoft.com/isa
for the spam and antivirus check the website of norton.

I think techrepublick themself has some articles regarding this and MS has some withepapers too.


Leopold

Collapse -

by Curacao_Dejavu In reply to

except spam you can also filter on content and extensions like .pif and .scr. since a lot of viruses are using dobbel extensions you would be able filter on that too.

Collapse -

by itcanada In reply to

Poster rated this answer.

Collapse -

by mm212 In reply to Virus Control/Prevention

Answer 4 is the best answer I see here. In addition, be sure you have a proxy server (MS ISA for example). This way your workstations won't have a DIRECT connection to the Internet. You can have antivirus on the ISA server, plus you have the browsing logs so using the correct tool, you/your boss can find out if/when anyone abuses their Internet access.

Back to Security Forum
14 total posts (Page 1 of 2)   01 | 02   Next

Related Discussions

Related Forums