Originally posted by: Skeeedunt
Holy cow, thanks for all the research mech
I've read through most of your site and try to implement the recommendations you make as best I can (non-admin, full DEP, SRP).
I guess I'm still a little shocked at how mediocre even the better AV products can be at times, so every bit certainly helps.
If it's any comfort, I can take a terribly-vulnerable, out-of-date Win2000 system, loaded with vulnerable, actively-exploited versions of WinAmp, QuickTime, Java Runtime, Flash, IE6 way out of date, etc., etc., and if I'm logged onto a non-Admin user account, then the malware in my test files is basically powerless in the end, in real-world attacks (which is how I found the sources for those files). The exploits work, the payloads get delivered and executed, but the simple lack of Admin powers keeps it from succeeding at what it's there to do, whether it's to turn the system into a spambot, a click-fraud bot, infect it with spyware/adware, stick rootkits on it, or whatever. So keep up with the non-Admin thing; it is a valuable proactive defense.
This may change as the bad guys get smarter, and as they encounter Vista in greater numbers, where Admin powers aren't just lying around to be grabbed and exploited (not with UAC enabled, anyway). My SRP page lists several things that I speculate they could accomplish with a temporary one-shot compromise of a non-Admin user account. So there's still value in keeping them from ever getting to that stage, by patching, eliminating unnecessary software entirely, SRP, and user education, among other things.
One thing I'm noticing is that the bad guys love JavaScript. Depending on your scenario, you might want to experiment with a Group Policy that disables JavaScript in the Internet Zone and uses the Trusted Sites zone to allow selected websites to use JavaScript. I have a narrated video how-to if you're interested in experimenting with that idea:
http://mechbgon.bluemonday.org/clips/IE7_tuning.wmv You would simply build a GP that forces those settings machine-wide (Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page and you'll see your way from there).
I can't remember if I mentioned it in the video, but if you don't actually need Java in your browsers, you might as well disable it altogether until you need Java, too. It's actively used by the bad guys.
Anyway, enough of my rambling on.
Good luck to you and your fleet.
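The Group Policy described in the post (disable Active scripting in the Internet Zone, allow it only for selected sites in the Trusted Sites zone, and force the settings machine-wide) writes a handful of well-known registry values under the Internet Settings policy hive. The script below is an added example, not part of the original post or mech's site: it sets those same policy values directly with PowerShell from an elevated prompt, which is handy on a standalone machine without a domain GPO or for checking what a GPO actually deployed. The domain names in `$trustedSites` are placeholders; substitute the sites you actually need.

```powershell
# Added example (not from the original post): push the IE zone policy
# settings described above directly into the HKLM policy keys that the
# "Internet Control Panel > Security Page" Group Policy templates write.
# Run from an elevated PowerShell prompt.

$policyRoot   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$trustedSites = @('intranet.example.com', 'www.example.com')   # placeholder domains, assumed

# Zone numbers used by the Internet Settings keys
$ZONE_TRUSTED  = 2
$ZONE_INTERNET = 3

# Action 1400 = "Active scripting" (JavaScript): 0 = Enable, 1 = Prompt, 3 = Disable
$ACTION_ACTIVE_SCRIPTING = '1400'
$ENABLE  = 0
$DISABLE = 3

function Initialize-RegKey([string]$Path) {
    # Create the key only if missing; existing values are left untouched.
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
}

# 1. "Security Zones: Use only machine settings" so per-user overrides are ignored.
Initialize-RegKey $policyRoot
Set-ItemProperty -Path $policyRoot -Name 'Security_HKLM_only' -Type DWord -Value 1

# 2. Internet Zone: Active scripting -> Disable.
$internetZone = Join-Path $policyRoot "Zones\$ZONE_INTERNET"
Initialize-RegKey $internetZone
Set-ItemProperty -Path $internetZone -Name $ACTION_ACTIVE_SCRIPTING -Type DWord -Value $DISABLE

# 3. Trusted Sites Zone: Active scripting -> Enable, so whitelisted sites still work.
$trustedZone = Join-Path $policyRoot "Zones\$ZONE_TRUSTED"
Initialize-RegKey $trustedZone
Set-ItemProperty -Path $trustedZone -Name $ACTION_ACTIVE_SCRIPTING -Type DWord -Value $ENABLE

# 4. "Site to Zone Assignment List": each domain is a subkey under ZoneMap\Domains;
#    the value name is the scheme ('https', 'http' or '*') and the data is the zone.
$zoneMap = Join-Path $policyRoot 'ZoneMap'
Initialize-RegKey $zoneMap
Set-ItemProperty -Path $zoneMap -Name 'ListBox_Support_ZoneMapKey' -Type DWord -Value 1
foreach ($site in $trustedSites) {
    $siteKey = Join-Path $zoneMap "Domains\$site"
    Initialize-RegKey $siteKey
    # https only; use '*' as the value name to trust the site over any scheme
    Set-ItemProperty -Path $siteKey -Name 'https' -Type DWord -Value $ZONE_TRUSTED
}

# 5. Read back what was written so the result can be checked (or compared with a GPO).
Write-Host "Internet zone 1400 (3 = disabled):"
(Get-ItemProperty -Path $internetZone -Name $ACTION_ACTIVE_SCRIPTING).$ACTION_ACTIVE_SCRIPTING
Write-Host "Trusted zone 1400 (0 = enabled):"
(Get-ItemProperty -Path $trustedZone -Name $ACTION_ACTIVE_SCRIPTING).$ACTION_ACTIVE_SCRIPTING
Write-Host "Sites mapped into the Trusted zone:"
Get-ChildItem -Path (Join-Path $zoneMap 'Domains') | Select-Object -ExpandProperty PSChildName
```

Two caveats a practitioner will want: once `Security_HKLM_only` is set, the per-user zone sliders in the Internet Options dialog are ignored and the Sites button for Trusted Sites is greyed out, so the only way to add a site is through this ZoneMap policy key (or the GPO that writes it). And these keys govern Internet Explorer and anything else that honours the IE zone model; they do nothing for a separately installed browser. If you also want to follow the post's advice on Java, the corresponding per-zone action is `1C00` ("Java permissions", 0 = Disable Java), but for a Sun JRE the more reliable approach is to disable or uninstall the browser plugin itself.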