Why write evil scripts to fight the Amigo browser?
After reading a post about removing unnecessary software, I once again became very sad. The author offers an "effective solution" for getting rid of any unwanted software, such as the aforementioned Amigo. And if some parts of that script can still be called, well, at least harmless, then deleting and blocking the %username%\AppData\Local\Apps entry looks like outright sabotage. It is also bad that some people seriously consider a "useful script" of this kind an effective measure. This is not the first article that makes me cringe; I see that many people do not understand where setting up security in a Windows environment really needs to start.
I present to my readers my view of the minimal set of settings and actions (primarily for a Windows domain) needed to never see obscure browsers again and to reduce the risk of malware to an absolute minimum. Some of the solutions described may seem controversial, and not only seem: they are. But I ask in advance: having read the first sentence of a paragraph, do not rush to write a comment; read the thought to the end, and maybe you will have no questions left.
Of course, I have probably seen this same Amigo several times, but exclusively on users' home machines, and I cannot even remember what it looks like.
The items are sorted by importance and priority, in case you decide to follow suit. The order may seem strange to you, but this is my opinion, based on my own experience. I will describe the mandatory foundation without which all other actions will be useless. And remember: security and convenience are most often at opposite ends of the scale.
0) Always think with your own head first. UPD: this item was not in the original version of the post, but it was sensibly pointed out to me that some of the recommendations can even be harmful in a given situation. Do not blindly follow every how-to and tutorial; weigh the pros and cons properly and evaluate the risks. Perhaps the time needed to restore the infrastructure or one of its nodes will cost several times less than introducing and supporting strict security measures. But for the vast majority of Windows users in an organization, these tips are quite applicable.
1) The NTFS file system. You probably did not expect to see it in first place, but there it is. For some reason the absolute majority simply skip this point. It is the foundation of Windows security. If you still have Win98 somewhere in your organization, I sincerely sympathize. Always set up NTFS rights responsibly. For example, a startup script needs only read access for the Domain Computers accounts, so give them read access only. I remember a case in one office where everyone had write access to the \\domain.ru\NETLOGON directory. It is impossible to find out exactly who brought in the infection, but the epidemic was epic.
If on Windows 7 you for some reason use FAT, then go and write the Amigo removal script.
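The NETLOGON case above is easy to check rather than remember: list every principal whose NTFS rights on the share let it change files, and compare that with the short list that should be there. This is an added example, not code from the post; the path is the one from the post, and 'DOMAIN' and the allow-list are placeholders to replace with your own.

```powershell
# Added example, not from the post: report every principal that can write to a shared path.
# For NETLOGON only the domain's admins should be able to change startup scripts, and
# Domain Computers should have read access only. Path and allow-list are assumptions.

# Any of these rights lets a principal create, change or remove files or permissions.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Find-UnexpectedWriters {
    param(
        [Parameter(Mandatory)][string]$Path,             # UNC or local path to check
        [Parameter(Mandatory)][string[]]$AllowedWriters  # principals that may legitimately write
    )
    # Get-Acl on a UNC path returns the NTFS DACL of the folder, not the share permissions;
    # share permissions are a separate layer and must be checked on the server itself.
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Generic rights (e.g. 0x10000000) also cast to int, so the bit test works for any ACE.
        if (([int]$ace.FileSystemRights -band [int]$WriteRights) -eq 0) { continue }
        $principal = $ace.IdentityReference.Value
        if ($AllowedWriters -contains $principal) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $principal
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Default SYSVOL ACLs also grant write to Server Operators and CREATOR OWNER; decide for
# yourself whether they belong on the list. 'DOMAIN' stands for your NetBIOS domain name.
$allowed = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'DOMAIN\Domain Admins', 'CREATOR OWNER'
Find-UnexpectedWriters -Path '\\domain.ru\NETLOGON' -AllowedWriters $allowed | Format-Table -AutoSize
```

An empty result is the goal. If Domain Computers, Domain Users, Authenticated Users or Everyone show up in the output, you have exactly the situation described above: anyone (or any machine) can replace the startup script that every computer in the domain runs as SYSTEM.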
2) No administrator rights for ANYONE, without exception, the CEO included. This can be extremely difficult to implement, precisely because of organizational resistance, but you must be able to make the case. I succeeded by using ransomware, the most dangerous kind of malware, as the example. Who wants to cause a mass epidemic of encrypted data and, at best, a long downtime spent recovering data from backup, and at worst a serious ransom and the likelihood of permanent data loss? Nobody wants that, the CEO least of all, and everyone else follows along. IT staff too, by the way, but more on that below.
The next aspect of limited rights is that some software wants to write not to the user profile but to its installation directory. First of all, decide whether you need this software at all. If you really do, for example for bookkeeping, then you have to work some magic. Any, I repeat, any software can be made to work under a limited user. Sometimes it is enough to grant rights to some ini configuration file, and sometimes you have to pick up Process Monitor and carefully, step by step, find out what the next crooked program needs in order to work normally.
If you disable UAC first thing after installation, then carry on writing the Amigo removal script.
3) A current version of Windows. An obvious point by now. Unfortunately, XP is over, yet it continues to run on a large share of workstations around the world. I understand that not everyone can afford the move to a modern OS, for various reasons: financial, technical or even organizational. But it must be pursued. You need to get rid of it as soon as possible. In this respect, I will admit, I was lucky: I managed to unify the desktop fleet on Windows 7 alone. By a current version of the OS I also mean having the latest updates installed. This is a mandatory rule. Some may argue that updates break the system. Once a year even an unloaded gun fires, that is true. But what stops you from rolling new updates out to 10-15% of the PC fleet for a few days first? This slows the deployment of updates somewhat, but it allows testing before the main rollout to production.
If the second thing you do after installing the OS is to turn off Windows Update, then do not let me distract you from the Amigo script.
4) Keeping software continuously up to date. Personally, I am too lazy to update user software by hand, and too worried about possible problems to leave five-year-old versions of products in place. Everything here is exactly the same as in the point above. It may seem complicated, but, as I am tired of repeating, there is a free solution based on LUP (Local Update Publisher) and WSUSPP (WSUS Package Publisher) that lets you deploy any software through WSUS. Once you figure it out, happiness arrives; there is nothing complicated about it. There are programs, for example Unreal Commander version 0.96, that could not correctly write their version data to the registry and by default tried to install into the root of the system drive. Such a program will not work correctly through LUP. Never mind: you can spend a little time and wrap the software in your own installer. By the way, since version 2.x UC has been fixed and can be deployed out of the box.
If you deploy software as part of the initial installation, together with a ZverDVD build, then I apologize for the time you spent here; Amigo is waiting!
5) Software Restriction Policy (SRP). A powerful security tool. In fact, the only real way to deal with all the Mail.ru junk and the like. Like any other tool, it takes time to study and implement, but it is worth it. The principle is simple: since the user has no admin rights, he cannot write to system directories. Then you prohibit launching programs from anywhere except %WinDir%, %ProgramFiles% and %ProgramFiles(x86)%. Now, when the user in sweet anticipation downloads and tries to launch yet another registry optimizer, he gets nothing. SRP logs unauthorized launch attempts to the event log, which can also help debug some software startup errors. But that is not the main point.
SRP is a tool that can withstand unknown viruses, or those the antivirus misses. The "letter from the tax office" does not encrypt all the 1C databases to hell, because the user simply cannot launch the attachment "Invoice No. 1231233 from 10.26.2015.doc.exe". By the way, I am aware of AppLocker, but it is physically absent from XP and the functionality is almost identical. Now we have no machines older than Windows 7, but SRP has been in place historically and there is no reason to rewrite anything.
If this is too complicated for you, then add the removal of Sputnik.Mailru to your script.
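Two things are worth verifying on a machine once the policy is in place: that the registry really holds the "deny by default, allow only system locations" shape described above (Group Policy can fail to apply, or an Unrestricted path rule can creep in that covers a user-writable folder), and what SRP has actually been blocking, since the event log entries mentioned above are the easiest way to spot both misconfigured software and the "Invoice.doc.exe" attempts. This is an added example, not code from the post; the registry layout and event IDs are the ones SRP itself uses, the computer name defaults to the local machine.

```powershell
# Added example, not from the post: read the SRP policy effective on a machine from its registry
# and summarise the launches SRP has blocked, from the events it writes to the Application log.

$SaferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels: the DWORD stored in DefaultLevel, which is also the name of the subkey
# holding path rules of that level (0 = Disallowed, 0x1000 = Basic User, 0x40000 = Unrestricted).
$Levels = @{ 0 = 'Disallowed'; 4096 = 'Basic User'; 262144 = 'Unrestricted' }

# Event IDs SRP writes to the Application log when it refuses a launch.
$RuleNames = @{ 865 = 'default level'; 866 = 'path rule'; 867 = 'certificate rule'; 868 = 'zone rule' }

function Get-SrpPolicy {
    if (-not (Test-Path -Path $SaferKey)) { return $null }   # no SRP policy applied here
    $root = Get-ItemProperty -Path $SaferKey
    $rules = foreach ($level in $Levels.Keys) {
        $pathsKey = "$SaferKey\$level\Paths"
        if (-not (Test-Path -Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $item = Get-ItemProperty -Path $rule.PSPath
            [pscustomobject]@{ Level = $Levels[$level]; Path = $item.ItemData }
        }
    }
    [pscustomobject]@{
        DefaultLevel    = $Levels[[int]$root.DefaultLevel]
        EnforceDlls     = ($root.TransparentEnabled -eq 2)   # 1 = all software except DLLs
        AppliesToAdmins = ($root.PolicyScope -eq 0)          # 1 = all users except local admins
        ExecutableTypes = $root.ExecutableTypes
        PathRules       = @($rules)
    }
}

function Test-SrpLockdown {
    # Returns deviations from the "deny by default, allow only system locations" setup.
    # No output means the policy has that shape.
    $p = Get-SrpPolicy
    if ($null -eq $p) { return 'No SRP policy is applied to this machine.' }
    if ($p.DefaultLevel -ne 'Disallowed') { "Default level is $($p.DefaultLevel), not Disallowed." }
    if (-not $p.AppliesToAdmins) { 'Local administrators are exempt from the policy.' }
    foreach ($r in ($p.PathRules | Where-Object { $_.Level -eq 'Unrestricted' })) {
        # An Unrestricted rule on a user-writable location defeats the point of SRP.
        if ($r.Path -match '(?i)\\users|documents and settings|\\temp|appdata|^\*?$') {
            "Unrestricted rule on a user-writable location: $($r.Path)"
        }
    }
}

function Get-SrpBlockedLaunches {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)
    # The first insertion string of each event is the blocked file; unlike the message text,
    # it does not depend on the system's display language.
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'SoftwareRestrictionPolicies'
        Id           = 865, 866, 867, 868
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Computer = $_.MachineName
                UserSid  = $_.UserId
                Rule     = $RuleNames[$_.Id]
                File     = $_.Properties[0].Value
            }
        }
}

Test-SrpLockdown
Get-SrpBlockedLaunches -Days 30 | Group-Object File | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The blocked-launch summary doubles as the debugging aid mentioned above: a legitimate program that keeps appearing in it with a path under the user profile is one that needs to be moved into %ProgramFiles% or given its own rule, while a one-off .doc.exe under AppData\Local\Temp is the policy doing its job.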
6) Antivirus. So modestly, in the middle of the list. For a long time I have not considered AV tools a panacea. But I do not belong to the radical AV-haters either: "I have been working without antivirus for 5 years and everything is great." That sounds like "I have never used a condom and everything is great!" In their place I would go and see a dermatologist, and check the machine with a LiveCD. Antivirus must be in place and running: current, with updated databases, a centralized admin console and reports. The latter are useful for identifying problem users who constantly bring viruses in on USB flash drives and visit suspicious sites. That is how it is.
If for you "antivirus is evil and slows down the computer", then... put the Amigo script aside. Go and see a venereologist.
7) About admins' admin rights. If you have locked everything down to the point where the user cannot sneeze without your knowledge, it is time to remove the beam from your own eye. At some point I realized that I myself was, in fact, the main security hole. Yes, I am competent enough not to wander anywhere and not to run anything, but I already wrote about "once a year even an unloaded gun fires" above. I decided to work as a limited user and found that administrator rights on my own computer are rarely needed, and to get onto users' computers I just run the same Unreal Commander under a separate account. By the way: create a separate "Local Admins" group and include it in the "Administrators" group on client machines. There is no need to log on to users' machines as the same Domain Admin. For server administration use terminal access. If it is a DC, I log in as a Domain Admin. If it is some 1C server, then just as the admin of that server. All of these passwords live in KeePass (the "keeper of asses", KeepAss, as the joke goes).
If the regular need to enter a password is the wildest inconvenience for you, then here is the next Amigo joke for you.
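The "Local Admins" group approach only works if nothing else has crept into the local Administrators group over the years: a technician's personal account, a vendor's support account, a user who was made admin "temporarily" two years ago. This added example (not code from the post) enumerates that group on each workstation through the WinNT ADSI provider, which works on Windows 7 without extra modules, and flags anything that is not on your allow-list; 'DOMAIN', the computer names and the group names are assumptions.

```powershell
# Added example, not from the post: enumerate the local Administrators group on each workstation
# and flag members that are not on the allow-list. 'DOMAIN' and the host names are placeholders.

function Get-LocalAdministrators {
    param([Parameter(Mandatory)][string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in $group.psbase.Invoke('Members')) {
        # Members come back as COM objects; read their properties through reflection.
        $adsPath = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $class   = $member.GetType().InvokeMember('Class',   'GetProperty', $null, $member, $null)
        # ADsPath is WinNT://DOMAIN/Local Admins for domain principals and
        # WinNT://DOMAIN/HOST/Administrator for local ones; keep the last two segments.
        $parts = ($adsPath -replace '^WinNT://', '').Split('/')
        $name  = if ($parts.Length -ge 2) { "$($parts[-2])\$($parts[-1])" } else { $parts[-1] }
        [pscustomobject]@{ Computer = $ComputerName; Member = $name; Type = $class }
    }
}

function Find-UnexpectedLocalAdmins {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string[]]$Allowed   # domain groups/accounts that may be local admins
    )
    foreach ($c in $ComputerName) {
        try {
            # The machine's own built-in Administrator account is always expected; a renamed
            # one will be reported, which is usually worth a look anyway.
            $hostAllowed = $Allowed + "$c\Administrator"
            Get-LocalAdministrators -ComputerName $c |
                Where-Object { $hostAllowed -notcontains $_.Member }
        } catch {
            Write-Warning "${c}: $($_.Exception.Message)"   # offline, access denied, etc.
        }
    }
}

# Constructed allow-list: the group recommended above plus the domain admins.
$allowed = 'DOMAIN\Local Admins', 'DOMAIN\Domain Admins'
Find-UnexpectedLocalAdmins -ComputerName 'PC-001', 'PC-002' -Allowed $allowed | Format-Table -AutoSize
```

Run it under the separate admin account, not your everyday user. Once the list is clean, the Restricted Groups setting in Group Policy is the usual way to keep it that way: it replaces the local group membership on every client with exactly the groups you name, so a member added by hand disappears at the next policy refresh.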
8) Working with users. Also an important aspect. It is worth having a preventive conversation: why, for example, you should not enter proxy credentials if the password prompt appeared out of nowhere and you did not launch the browser. Given the measures above, the machine is unlikely to get infected, but such behaviour is suspicious and could potentially lead to data leakage.
Here, in the paragraph about users, I will add a controversial point about "password policy". We have requirements for password length and complexity, but I do not require mandatory regular changes. The vast majority have no access from outside, and the remaining 2.5 users come in through OpenVPN, and if someone already has their password, it was clearly not brute-forced or intercepted via MITM. Consequently, a complex, constantly changing password will not help in any way if it is captured from a home computer by a keylogger. On the other hand, everyone else will be terribly tormented coming up with a complex password each time and, so as not to forget it, will stick it on a note on the monitor. For this you can punish them, withhold bonuses and mock users in every possible way, but in reality this most often does not increase security. You just need to get across to the user "do not tell your password to anyone", so that the password is not something like "1234567". I repeat, the point is very controversial, but in my case there is no access from outside except RDP over OpenVPN.
UPD: I recommend getting through the entire post first, and then returning to the competent comment from Sergey-S-Kovalev and reading the thread.
I have also never understood the widespread opinion among "admins" that "users are dumb". Yes, there are fools, frankly dumb ones, and nothing will help them. They are dumb in life. Such people cross the road on red, and while it is impossible to shield them from grievous bodily harm, shielding them from dangerous actions at the computer is very much possible.
Love users; they are like children, simply thoughtless.
That's it, I'm tired of Amigo.
9) Service accounts. I try to create a separate limited account for every non-standard service. For example, the 1C application server does not need admin rights anywhere at all. We generate a new account, save it in KeePass and enter it in 1C. Then forget about this account for the time being. This applies to the vast majority of services and daemons. Sometimes you need to expand the rights slightly, but in any case it will still be a limited account.
10) Backup. We smoothly move on to other things that ensure data security. The following items no longer apply exclusively to the Windows domain, but they must also be configured properly. If, despite all efforts, everything was lost, or the user himself, like a clumsy Pinocchio, wiped the quarterly report, then your favourite backup system will help bring everything back. It does not matter what you use; what matters is that the backups are also intact, and you should check this periodically with test restores. By the way, backup most often needs read-only rights on the protected machines, so remember the point above. Create a limited account under which the service will go round the machines and collect data. Then go over those machines and give that backup account read permissions. Meanwhile, the converse is also true. Only that very limited account should have write access to the backup storage and no one else, without exception. Administrators, for example, may read but not write. If anything happens, this will save the backups from those same encryptors.
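Points 9 and 10 share one check: which account is each service actually running as? A 1C server or a backup agent that was set up "for now" under a domain admin account is exactly the thing that hands the encryptor write access to everything, including the backup storage. This added example (not code from the post) lists the services on each host that run under a real account rather than a built-in identity and marks the ones whose account is a member of Domain Admins, resolving nested groups with the LDAP_MATCHING_RULE_IN_CHAIN matching rule so that no RSAT module is needed. The host names are assumptions, and the script assumes it runs under a domain account, so that $env:USERDOMAIN is the NetBIOS domain name.

```powershell
# Added example, not from the post: find services running under real accounts and flag any whose
# account is a (possibly nested) member of Domain Admins. Host names are placeholders.

function Get-DomainAdminAccounts {
    # Returns DOMAIN\sAMAccountName for every user in Domain Admins, nested membership included.
    $groupDn = ([ADSISearcher]'(&(objectCategory=group)(sAMAccountName=Domain Admins))').FindOne().Properties['distinguishedname'][0]
    # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN: the DC expands nested groups for us.
    $search = [ADSISearcher]"(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=$groupDn))"
    $search.PageSize = 500
    foreach ($r in $search.FindAll()) {
        "$env:USERDOMAIN\$($r.Properties['samaccountname'][0])"
    }
}

function Get-ServiceRunAsAccounts {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Built-in identities are not "service accounts" in the sense used above and are skipped.
    $builtIn = '^(LocalSystem$|NT AUTHORITY\\|NT SERVICE\\)'
    Get-WmiObject -Class Win32_Service -ComputerName $ComputerName |
        Where-Object { $_.StartName -and $_.StartName -notmatch $builtIn } |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $ComputerName
                Service  = $_.Name
                Account  = $_.StartName   # DOMAIN\name, .\name for local accounts, or a UPN
                State    = $_.State
            }
        }
}

function Find-PrivilegedServiceAccounts {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    $domainAdmins = Get-DomainAdminAccounts
    foreach ($c in $ComputerName) {
        # Services configured with a UPN (user@domain.ru) will not match the DOMAIN\name form;
        # they are still listed, with DomainAdmin = False, for manual review.
        Get-ServiceRunAsAccounts -ComputerName $c |
            Select-Object *, @{ Name = 'DomainAdmin'; Expression = { $domainAdmins -contains $_.Account } }
    }
}

Find-PrivilegedServiceAccounts -ComputerName 'SRV-1C', 'SRV-BACKUP' |
    Sort-Object DomainAdmin -Descending | Format-Table -AutoSize
```

Every row is an account that should exist in KeePass with a note saying which service it belongs to; a row with DomainAdmin = True is a service that needs its own limited account, as described in point 9. The same listing, run on the backup server, shows you which account the backup service uses, and that is the only account that should hold write access on the backup storage.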
11) Centralized monitoring. Unlike the item above, this is a full-fledged security element. You must clearly understand what is happening at any given moment. Also, be sure to configure auditing on file servers; it will help with the post-mortem analysis.
12) Proper perimeter protection. A gateway you know well, and all external services in the DMZ. Do not forget about WiFi. Ours is also in the DMZ; there is no need for it to have access to the inside of the perimeter. By the way, it is better if the gateway is not some TI or UG.
13) The next, indirect item I would attribute to the use of "cloud services". This is also a very controversial point, but I will try to explain why I decided to mention it. For example, we use Yandex Mail for Domain and it completely suits us. Our own mail server, in-house or on hosting, would be much more flexible, but in my case this is not necessary. And one more service of my own is of no use to me. In addition, despite my experience of supporting mail servers, I soberly believe that mail from that same Yandex is more reliable and better protected from viruses and spam than anything I could configure myself. By the way, our DNS is also from Yandex: the "Safe" one that protects against malicious sites but still lets you log on to redtube.
14) Remote access. Try to wrap external access in a VPN whenever possible. Yes, it is less convenient, but much safer than RDP with its bare back out in the cold.
That's basically it. This is not a complete list; it could be continued indefinitely. Among the main points I would also add EMET (we use it) and 802.1X for network access (we do not use it). Surely I forgot to mention something from the same "fundamental" things; write about it in the comments.