Securing a Company Network

bevan1

Hi All,

With the increase of ransomware and hacking attacks I would like your input on how to secure our company network from this.


We are running Windows Server 2003/2008 and 2012

Clients connecting to these are Windows XP/7 and 10.

We are also running RDP.

Any input would be appreciated.

Thanks
 
This is an easy/hard question... you need a multi-pronged approach. These are but a few suggestions.

Read this book (it's available free online as well): Anderson, R. (2008). Security engineering: a guide to building dependable distributed systems, 2nd ed. Hoboken: John Wiley & Sons.


Get a decent firewall in place and block all unnecessary ports. Not the one on each users machine, but one on your network. Either get a hardware one, or build one yourself. (box with pfsense, etc - many choices)

For your incoming mail, ensure you block or drop all mail attachments with any executable. (Especially .js files. This is often how ransomware is spread.)

Use opendns on your network and force its use on all machines. (www.opendns.com).

Limit your users' ability to install software on their machines. (I don't know how viable this is with you.)

The list goes on... read the book. Seriously, it's awesome. Also, research SANS. https://www.sans.org/critical-security-controls/

 
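The mail-attachment advice above (drop anything executable, .js in particular) is easy to state and easy to get wrong at the edges, because the payload usually arrives inside a ZIP, sometimes a ZIP inside a ZIP, and sometimes a password-protected ZIP the scanner cannot open. The following is an added example, not code from the thread: a small Python filter that parses a raw message, flags executable attachments by extension, and opens ZIP attachments to look for the same thing. The extension list, the nesting limit and the sample messages are all constructed for the illustration; a real gateway would hook this into the MTA's milter or content-filter interface.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that run as code on a Windows client. .js is the one the thread calls out;
# the rest of the list is an assumption - tune it for your environment.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse",
    ".wsf", ".wsh", ".hta", ".ps1", ".jar", ".msi", ".dll", ".lnk",
}
ARCHIVE_EXTENSIONS = {".zip"}
MAX_NESTING = 2   # archives-inside-archives to open before giving up and blocking


def extension_of(name):
    """Last extension of a file name, lower-cased ('invoice.pdf.js' -> '.js')."""
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def blocked_names_in_zip(data, depth=0):
    """Member names inside a ZIP payload that are blocked, looking into nested ZIPs.
    Anything that cannot be inspected (corrupt, password-protected, nested too deep)
    is reported as blocked: an uninspectable attachment is not a safe attachment."""
    if depth > MAX_NESTING:
        return ["<archive nested too deeply>"]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            hits = []
            for info in zf.infolist():
                if info.flag_bits & 0x1:            # encrypted member: scanner cannot see inside
                    hits.append(info.filename + " <password-protected>")
                    continue
                ext = extension_of(info.filename)
                if ext in BLOCKED_EXTENSIONS:
                    hits.append(info.filename)
                elif ext in ARCHIVE_EXTENSIONS:
                    hits += [f"{info.filename}/{n}"
                             for n in blocked_names_in_zip(zf.read(info), depth + 1)]
            return hits
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]


def scan_message(raw):
    """Parse a raw RFC 5322 message; return [(attachment name, reason)] for parts to drop.
    An empty list means the message carries nothing this filter objects to."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if part.get_content_maintype() == "multipart" or not name:
            continue
        ext = extension_of(name)
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, "executable attachment"))
        elif ext in ARCHIVE_EXTENSIONS:
            for inner in blocked_names_in_zip(part.get_payload(decode=True)):
                findings.append((name, "archive contains " + inner))
    return findings


# --- constructed sample input, not real mail ---------------------------------------
def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def sample_mail(attachment_name, payload, subtype="octet-stream"):
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "accounts@example.invalid", "staff@example.invalid", "Invoice"
    m.set_content("Please see the attached invoice.")
    m.add_attachment(payload, maintype="application", subtype=subtype, filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    lure = sample_mail("invoice.zip", make_zip({"invoice.pdf.js": b"eval('x')"}), "zip")
    for name, reason in scan_message(lure):
        print(f"DROP {name}: {reason}")
```

Two design points worth keeping: the filter decides on the last extension, so the classic double-extension lure (`invoice.pdf.js`) is caught, and anything it cannot open is treated as blocked rather than passed, which is the only safe default for a control whose whole purpose is to stop things it has not seen before.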
It's a fairly open question, but there are tons of things you can do. Off the top of my head:

- Make sure you have a good patching solution in place. You'd be amazed how many hacks take place via exploits that were patched years ago.
This includes OS patching as well as application patching
- AV on all devices
- Proxy filtering/AV scanning
- Remove local admin rights to desktops
- Have a decent password policy in place. No default password on any devices/routers/printers/etc
- If you have any internet facing devices - are they in a DMZ? Protected by a proper firewall? Is the code/apps on these servers up to date? Are only the minimal ports required open to get to these devices from the internet (https)?
- AV Scanning on email, incoming/outgoing/internal
- Lock down USB devices
- Can anyone plug a machine onto your network? Look at NAC - expensive, but you need to weigh up risk vs cost.


Where are you running RDP to/from?

Get rid of 2003/XP/7 - it's no longer supported or patched.

A bit difficult to summarise everything you need to do - the list is really endless but you need to start with the basics.
 
Thanks guys,

The RDP runs from Internet Solutions Cloud to each client on the network.

Are there any programs that one has to look out for, as I have read that Adobe Reader and Java also have vulnerabilities in them?
 
All programs will have vulnerabilities discovered at one point or another - it's the nature of the beast.
 
So is RDP on your local network open to the internet? :eek:

Everything has vulnerabilities in it - you need to patch all software.
 
If that's the case, this company needs to seriously rethink its network policies and procedures, and very fast too!!!
 
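The question being pressed here, whether RDP on the LAN is reachable from the Internet, and the earlier checklist item about opening only the minimal ports, both come down to reading the edge firewall's WAN rules. This is an added example, not from anyone in the thread: a Python audit over a constructed, simplified rule list (interface, action, protocol, source, destination, destination port), flagging WAN pass rules that expose RDP or the SMB/RPC ports ransomware worms use. The trusted provider range 203.0.113.0/24 is a documentation address block standing in for whatever range the cloud RDP source actually uses; the rule format itself is an assumption, not a real pfSense export.

```python
import ipaddress

# Services that should never be reachable from the Internet on a Windows network.
# RDP is the one asked about in the thread; the rest are the usual lateral-movement ports.
RISKY_PORTS = {3389: "RDP", 445: "SMB", 139: "NetBIOS", 135: "MS-RPC", 23: "Telnet"}

# Hypothetical: the provider range that legitimately initiates RDP into the LAN.
TRUSTED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed rule list. Port may be an int, a "lo-hi" range string, or "any".
SAMPLE_RULES = [
    {"iface": "wan", "action": "pass",  "proto": "tcp", "src": "any",             "dst": "10.0.1.10", "dport": 3389},
    {"iface": "wan", "action": "pass",  "proto": "tcp", "src": "203.0.113.0/24",  "dst": "10.0.1.11", "dport": 3389},
    {"iface": "wan", "action": "pass",  "proto": "tcp", "src": "198.51.100.0/24", "dst": "10.0.1.12", "dport": 3389},
    {"iface": "wan", "action": "pass",  "proto": "tcp", "src": "any",             "dst": "10.0.2.5",  "dport": 443},
    {"iface": "wan", "action": "pass",  "proto": "tcp", "src": "any",             "dst": "10.0.1.10", "dport": "135-139"},
    {"iface": "lan", "action": "pass",  "proto": "any", "src": "any",             "dst": "any",       "dport": "any"},
    {"iface": "wan", "action": "block", "proto": "any", "src": "any",             "dst": "any",       "dport": "any"},
]


def risky_ports_in(dport):
    """Subset of RISKY_PORTS matched by a rule's destination-port field."""
    if dport == "any":
        return set(RISKY_PORTS)                  # an any-port pass rule exposes all of them
    if isinstance(dport, int):
        return {dport} & set(RISKY_PORTS)
    lo, hi = (int(x) for x in str(dport).split("-"))
    return {p for p in RISKY_PORTS if lo <= p <= hi}


def audit_rules(rules, trusted_sources):
    """One finding per (WAN pass rule, risky port). Severity depends on who may connect:
    the whole Internet (CRITICAL), an untrusted range (HIGH), or a trusted range (INFO)."""
    findings = []
    for idx, rule in enumerate(rules):
        if rule["iface"] != "wan" or rule["action"] != "pass":
            continue
        src = ipaddress.ip_network("0.0.0.0/0" if rule["src"] == "any" else rule["src"])
        for port in sorted(risky_ports_in(rule["dport"])):
            service = f"{RISKY_PORTS[port]} ({port})"
            if src.prefixlen == 0:
                sev, why = "CRITICAL", f"{service} to {rule['dst']} open to the whole Internet"
            elif not any(t.version == src.version and src.subnet_of(t) for t in trusted_sources):
                sev, why = "HIGH", f"{service} to {rule['dst']} allowed from untrusted range {src}"
            else:
                sev, why = "INFO", f"{service} to {rule['dst']} restricted to trusted range {src}"
            findings.append({"severity": sev, "rule": idx, "port": port, "reason": why})
    return findings


def severity_counts(findings):
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES, TRUSTED_SOURCES):
        print(f"[{f['severity']}] rule #{f['rule']}: {f['reason']}")
```

Run against the sample set, this reports rule 0 (RDP from anywhere) and both ports of rule 4 as CRITICAL, rule 2 as HIGH, and rule 1 as the acceptable shape: the same service, but with the source pinned to the one range that is supposed to be connecting. The 443 rule is not flagged, which matches the "only the minimal ports (https)" advice above.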
The short, sarcastic, but not helpful answer you are looking for is to advise you to ditch Windows for something that's a little bit more hardened by default. BSD or Linux as examples. Windows is a hotbed of disease.
 
1. Proper firewall (Smoothwall etc).
2. Implement content filtering and block porn and other undesired websites, especially torrents and downloads. If downloads are needed, have one machine with download access (for example the sysadmin's) so that software can be downloaded and scanned first before being copied to a shared (read-only) software folder on the network.
3. Look at this: https://www.foolishit.com/cryptoprevent-malware-prevention/
4. Implement blacklisting on your email server, drop all executables from emails, also those included/hidden in .ZIP files. A real PITA, but due to the nature of the beast, it is a required step.
5. Backups, backups, backups. One method to foil Cryptoware is to have an extra PC (Linux etc) on the network which will connect to the file server, backup data, and disconnect. This way Cryptolocker with network share enumeration will not be able to find and encrypt your backups.
6. Keep more than one backup destination (eg more than one external hard drive, which you will be swapping out on a weekly basis, so should the one backup be overwritten with encrypted files, you can fall back to a clean backup). Better to have backups that are a couple of days old than no backup at all.
7. Keep in mind that more exotic backup solutions will cost you $$$, the external USB hard drive is a cheap and quick solution.
8. Relax.
9. If anything happens, DO NOT PANIC.
 
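Points 5 and 6 above describe a procedure: a separate host pulls a copy of the share, keeps several generations, and the worry is that one run copies encrypted files over the last clean generation. The following is an added example, not the poster's own code, of that procedure on the backup host in Python. It keeps dated generations and prunes the oldest, and before copying it samples the source for files that look like ciphertext (high byte entropy, skipping formats that are compressed by nature) and refuses the run if too many do, so the clean generations survive. The entropy threshold, the 20% trigger and the scenario in `demo()` are constructed for the illustration; mounting and unmounting the share around the run is left to the caller.

```python
import math
import os
import shutil
import tempfile
import time
from pathlib import Path

# Formats that are high-entropy by design; skip them so they do not trip the check.
ALREADY_COMPRESSED = {".zip", ".gz", ".7z", ".rar", ".jpg", ".jpeg", ".png", ".mp4",
                      ".pdf", ".docx", ".xlsx", ".pptx"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, usually 4 to 6 for documents."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path, threshold: float = 7.5) -> bool:
    """Heuristic only: the first 4 KiB of a non-compressed file is near-random."""
    if path.suffix.lower() in ALREADY_COMPRESSED:
        return False
    with open(path, "rb") as f:
        head = f.read(4096)
    return len(head) >= 256 and shannon_entropy(head) > threshold


def suspicious_fraction(source: Path) -> float:
    files = [p for p in source.rglob("*") if p.is_file()]
    if not files:
        return 0.0
    return sum(looks_encrypted(p) for p in files) / len(files)


def run_backup(source, dest_root, keep=4, max_suspicious=0.2, stamp=None):
    """Copy `source` into a new dated generation under `dest_root`, then prune to `keep`
    generations. Returns None without touching existing generations when the source
    looks like it has already been encrypted, so a bad run never rotates out the last
    good copy."""
    source, dest_root = Path(source), Path(dest_root)
    dest_root.mkdir(parents=True, exist_ok=True)
    if suspicious_fraction(source) > max_suspicious:
        return None
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    target = dest_root / f"gen-{stamp}"
    shutil.copytree(source, target)
    generations = sorted(p for p in dest_root.iterdir()
                         if p.is_dir() and p.name.startswith("gen-"))
    for old in generations[:-keep]:
        shutil.rmtree(old)
    return target


def demo():
    """Constructed scenario: three clean nightly runs, then the share gets encrypted."""
    with tempfile.TemporaryDirectory() as tmp:
        share, backups = Path(tmp) / "share", Path(tmp) / "backups"
        share.mkdir()
        for i in range(5):
            (share / f"doc{i}.txt").write_text("quarterly figures for branch office " * 30)
        for day in ("20240101", "20240102", "20240103"):
            run_backup(share, backups, keep=2, stamp=f"{day}-010000")
        for p in list(share.iterdir()):           # simulate ransomware: random bytes, new extension
            p.write_bytes(os.urandom(2048))
            p.rename(p.with_suffix(".locked"))
        refused = run_backup(share, backups, keep=2, stamp="20240104-010000")
        remaining = sorted(p.name for p in backups.iterdir())
        return refused is None, remaining


if __name__ == "__main__":
    print(demo())
```

The host running this should have read-only rights on the share and should mount it only for the duration of the run; the backup directory itself is never exported back to the Windows network, which is what stops share-enumerating malware from finding it. The entropy check is a guard against the specific failure the post describes, not a detector: a share full of already-encrypted archives or media will look "suspicious" and needs the threshold or the skip list adjusted.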
I would, if I were really paranoid:

Get a domain. (eg. mybusiness.com, costs $12 a year if you do it with AWS for example)
Get a router like pfSense (the domain name should be used by the router, eg. router name: myrouter, domain: mybusiness.com)
Create local DNS, NTP and transparent proxy.

Wifi with client isolation set to true

Setup servers to use static IP and each server on its own VLAN
Setup static allocation in router
Each server has its own "interface" on the router (which points to the VLAN) to allow fine grained control of access to said server

For each service:
Give the static allocation a good name (eg. myservice.mybusiness.com).
Force SSL for every static allocation (startssl.com allows you to get free SSL certs).
Force safe ciphers on SSL: https://wiki.mozilla.org/Security/Server_Side_TLS

For file shares:
Automated backups/snapshots that cannot be deleted by anyone (except perhaps with certificate authentication & authorization)
Per user permissions on shares

Email:
Since you own the domain, use either Gmail for work or mailgun in conjunction with Gmail.
Gmail already solved the bad email problem, so any incoming mail can be filtered by Gmail.
May as well leverage that.
Outgoing mail can be done directly with Mailgun.

Use opendns on your network and force its use on all machines. (www.opendns.com).
Why would you make DNS a distributed problem in your network?

Point everything to the same local DNS server and have that point at OpenDNS if you like (which breaks some SA ISPs, I might add)
But pointing every PC to a DNS server outside of your control is a mistake IMO.
 
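"Force safe ciphers on SSL" with the Mozilla page linked above is a one-line change on most servers, but it is worth seeing what the resulting configuration actually offers. This is an added example, not the poster's code: a Python server-side TLS context built to the Mozilla "intermediate" profile (TLS 1.2 minimum, forward-secret AEAD suites only, no compression) and a `describe()` helper that lists what the context would negotiate, so the setting can be checked without a live client. The cipher list is copied from the wiki as it stood at the time of writing, which is an assumption to re-check against the current generator; the `certfile`/`keyfile` parameters are placeholders for whatever paths the service uses.

```python
import ssl

# Mozilla "intermediate" TLS 1.2 cipher list (assumption: as published at time of writing).
# TLS 1.3 suites are fixed by the library and are not affected by set_ciphers().
INTERMEDIATE_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
])

# Name fragments that identify suites nobody should still offer: broken primitives,
# unauthenticated key exchange, and CBC modes with their padding-oracle history.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH", "AECDH", "PSK", "SRP", "CBC")


def hardened_server_context(certfile=None, keyfile=None):
    """Server context: TLS 1.2+ only, forward-secret AEAD suites, compression disabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(INTERMEDIATE_CIPHERS)
    ctx.options |= ssl.OP_NO_COMPRESSION       # TLS compression enables CRIME-style attacks
    if certfile:                               # hypothetical paths supplied by the caller
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def describe(ctx):
    """What the context would actually negotiate: a quick self-check for the config."""
    suites = ctx.get_ciphers()
    return {
        "min_version": ctx.minimum_version.name,
        "protocols": sorted({s["protocol"] for s in suites}),
        "weak": sorted(s["name"] for s in suites
                       if any(m in s["name"] for m in WEAK_MARKERS)),
        "count": len(suites),
    }


if __name__ == "__main__":
    for key, value in describe(hardened_server_context()).items():
        print(f"{key}: {value}")
```

One consequence for the network described in the thread: Windows XP's Schannel has no TLS 1.2 support, so XP clients will fail the handshake against a server configured this way. That is an argument for retiring those clients, as the earlier replies already say, not for relaxing the server.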
Agree with the DNS issue.

However this ultimately depends on the environment, current policies etc. OP would have to get management to see the value 1st.
Which might be harder than expected depending on their knowledge within the field.

OP feel free to PM me. I can assist with the transition.
 