
Stopping Adware and Spyware on Windows w/ Citrix? 80

SilverDivan asks: "A fairly large non-profit charity organization recently asked me how they can permanently take care of the spyware and adware problem that is plaguing their computing environment. I told them to simply use Mozilla/FireFox, but as it turns out they access outside applications that only run in Internet Explorer. So, I am planning to make a recommendation to publish Internet Explorer on a Citrix Farm, and let the users use the IE published on Citrix instead of the locally installed IE. This way they can lock down the IE to their heart's desire. Also publishing IE 'anonymously' on Citrix will further secure the environment, as the anonymous profiles can be deleted on a nightly basis. However, one issue with 'anonymous' access to Citrix applications is that the user cannot maintain their preferences or even their bookmarks. Another issue is that there is no tracking, and no way to hold someone accountable in case of abuse. Has anyone implemented a similar solution before? What was your experience? Will it work? How can you configure the Citrix environment to best handle a situation like this?"
This discussion has been archived. No new comments can be posted.

  • by tlacicer ( 515153 ) *
    You could always run Win4Lin [slashdot.org] Terminal Services [slashdot.org]. Then you could run a Linux server farm and still let users run their Windows desktops. Then you could let them do whatever they want.

    Once you remove Microsoft from the important job, it gets pretty easy :)
    • by arkanes ( 521690 ) <<arkanes> <at> <gmail.com>> on Wednesday December 29, 2004 @10:40AM (#11208679) Homepage
      Sweet holy jesus. Did you actually read anything or do you have a "Use linux" postbot? Win4Lin won't solve any of the problems mentioned, although it would be a lot cheaper than a Citrix farm.

      A possibly better alternative would be to secure IE using AD policies (and migrate to AD if they aren't on one), and standardize on Firefox/Mozilla for everything except these specific applications. Use a proxy server if necessary. You could do this with Citrix also but a Citrix farm is a huge chunk of change and I don't see why you'd want to spend that much just for this.

      In fact, a good transparent proxy might be sufficient anyway - simply restrict anything with an IE user-agent to the specific IE only applications required.

      • A good proxy coupled with something like Privoxy works wonders. I use privoxy at the office (believe me, it takes the beating and keeps moving) and I've been very happy with the results. Configuration is pretty easy once you grasp it, but you do have to know regexp's a bit. Drop this in front of the winders boxes, and you can block sites, block domains, crunch cookies, and help keep at least some of the crap out of the machines.

        The largest problem desktop-wise that I've seen has been people taking lapto
        • by passthecrackpipe ( 598773 ) * <passthecrackpipe@@@hotmail...com> on Wednesday December 29, 2004 @12:16PM (#11209615)
          They are all half assed patches. I find, time and time again, that it is better, faster, and cheaper to remove the dependency on IE - like, re-write the app or use a vendor that actually supports decent, secure software.

          Citrix?!? Just to run Internet Explorer?!? Absolute rubbish. Fix the real issue instead of just doing a half assed patchjob like that. What's wrong with you whippersnappers....

        • You use privoxy and are happy? I find it annoying... Not from the functionality aspect (where the filtering is awesome) but from the user experience. The proxy does not "forward" the HTML page until it has been 100% received by privoxy. The end result is that you sit there waiting and waiting for a long page to load in your browser and you don't even get a partial page until privoxy gets the whole thing. See the FAQ [privoxy.org]

          This also means that no connections are opened to load images or CSS, etc. until your brows
      • My experience is that securing IE using policies is not really a solution. The worst spyware usually install themselves using vulnerabilities in IE, so even browsing at a high security level doesn't really help. Installing the latest patches as soon as they come doesn't help either, since spyware writers are much faster at exploiting vulnerabilities than Microsoft is at patching the browser/OS.
    • Come on man, it's on the front page.

      "they access outside applications that only run in Internet Explorer"

      If they need IE, they need IE. Removing windows won't help them access these sites at all.
      • Re:RTFA (Score:3, Insightful)

        by tlacicer ( 515153 ) *
        Yeah, I know, I read the article. So let them run IE under the Win4Lin TS. What is the worst that could happen? That particular user's Windows session needs to be restored. Under Win4Lin that would take all of a couple minutes. And if you did a nightly backup of their bookmarks and user files, you could restore them too.

        I fail to see the problem here.
  • Firefox Extension (Score:4, Interesting)

    by KilobyteKnight ( 91023 ) <bjm.midsouth@rr@com> on Wednesday December 29, 2004 @10:41AM (#11208686) Homepage
    Make them use Firefox with this extension [mozilla.org]. Then they only use IE for the sites that require it. Those, one would hope, should be reasonably safe.
    • To further that point, if he really wanted to do the Citrix thing to support IE use where absolutely necessary, he could set up the bookmarks and preferences to support just those sites and applications. Heck, he could even whitelist those sites so IE could ONLY be used at those sites. Firefox could then be the standard for all other web browsing.
    • That's a good idea for a single user, or small close knit group. If you have a large group, sooner or later someone will 'let the cat out of the bag' and tell these outside orgs that you'all are using firefox; Then they'll blame any problems on the 'bad browser' and refuse to help until you start using the 'right browser'.

      Personally, I would start my solution using the IEAK (last time I looked it was free from Microsoft), which would allow a very customized IE. Also using automatic updates (if XP), or f

      • That's a good idea for a single user, or small close knit group. If you have a large group, sooner or later someone will 'let the cat out of the bag' and tell these outside orgs that you'all are using firefox; Then they'll blame any problems on the 'bad browser' and refuse to help until you start using the 'right browser'.

        I doubt that the outside orgs will have anything to do with the troubleshooting process. They would probably only hear good things.
        Having an attitude like this is what keeps Microsoft

        • I doubt that the outside orgs will have anything to do with the troubleshooting process.

          I work on web based applications which are used by client companies every day, and my company uses web based applications from other vendors. During the acceptance phase, we often hear comments like, this doesn't look right, blah, blah, blah. The contracts which are created between us and our client companies are often very specific about 'supported browsers', using a different browser would make us or them in violat

          • I doubt if you have ever worked in or used a corporate help desk, but they tend to be very specific about what software/configurations they are willing to support.

            I have actually worked in a corporate help desk environment, as recently as 2 weeks ago.
            We attempted to minimize losses from spyware/adware damage and also allow users the most freedom with their software selection. Admittedly, we were stuck using some Microsoft technology (mostly on the server side), but we actively encouraged users to switch

            • My brother uses Ofoto to distribute photos of my niece, I decided to sign up and upload pics of my son, when I tried to use their online tools to correct red-eye, they were telling me that flash wasn't installed in my FireFox browser. I sent a question to the help desk. This is the reply that I got today...
              (please note the "ensure security" part)

              Hello Eric,

              Thank you for contacting the Ofoto Customer Service Team.

              If you are experiencing difficulty uploading, viewing, purchasing, or editing on Ofoto's

              • basically, it looks as if they are operating under the assumption that you are using internet explorer, but not the latest version.
                This is most likely a form letter that they send out to cover 99% of complaints. When looking at the vulnerabilities that have been exposed to the general public upgrading to the latest version of IE does look a little more secure.
                Just out of curiosity, how did you phrase your question?
                • Question for Ofoto: Your system won't let me edit photos with my firefox browser, It incorrectly finds that I am using Netscape 1.0 (which I am not).

                  I replied back saying:

                  Thank you very kindly for the form letter, my question wasn't about IE, it was about Firefox. It has Flash installed but the site will not load the flash tools, because the script is poorly written, and it insists that flash is not loaded on my browser. At no point does your website say that it is only written for IE. What's odd is

                  • thank you for the clarification. Hopefully, OFoto takes the "proper" approach and attempts to help their customers get their work done on time using the tools that they find to be the most useable.
            • "In my understanding, a help desk is there to help the users accomplish their goals in a fast, efficient manner, not dictate what technologies they must use."

              It depends on what you mean by 'help desk'. In the classic sense of there being a group of people simply taking calls and dealing with faults, I would say that they should not in any way be moving users onto alternatives (regardless of the vendor / source and licensing terms). There are people who have the official responsibility to drive IT strategy
              • IT departments need to keep the number of supported applications at a manageable level. They cannot be experts at dealing with everything.

                Yes this is very true, but if given the choice between two pieces of software that the help desk staff is equally capable of supporting, one would tend to suggest the software that would cause the fewest number of problems. Our biggest problem at the time was malware, we found that the few sites FireFox had a problem rendering were much less of a problem than the 1000

    • Virtually all the issues with spyware involve the ability of normal users to install executables themselves, and the solution is simple: Only allow people with Admin rights to install executables and change system settings. Please don't bleat about how developers and certain other groups need the ability to install and change things, we are not talking about developers, we are talking about average corporate users.

      Where I work (US Air Force), this type of policy has not created any problems at all, and f

      • True.

        At least in my company, not giving the average-corporate-user admin rights works wonders.

        I know it's not the ultimate solution, but it helps a lot to keep the playground a lil' safer.
      • The parent post is the best so far. Windows has perfectly reasonable authorization mechanisms, and if folk don't use them, they deserve what they get. I would add that it would be worth using a group policy to prevent all but a white-listed set of executables from running (for the proletariat at least).

      • I'm in the Air Force as well, and only limiting a few people to having admin rights seems to cause only those admins to install spyware and prevent me from removing it. At least at the last base I worked, I could easily fix any problems there may have been, but here, I have to put up with unremovable desktop icons, startup items, being unable to defrag (wtf?), being unable to get better system drivers installed, etc.
  • Just firewall everything for port 80 EXCEPT the external application sites.

    If they need to surf with no limits, put-up a Squid caching proxy and let them use Firefox.

    • Firewalling port 80 is a horrible solution.

      There are plenty of reasons why any business might need to access sites that aren't regularly used.
      • Yeah; a better way to do it might be to install Firefox for default browsing and then point IE to a heavily locked down proxy only allowing access to the required business sites.

  • There are dozens of ways to maintain bookmarks.

    Offer them a customisable startpage or something for instance.
  • Set them up with del.icio.us [del.icio.us] accounts for their bookmarks, then have a bookmark for del.icio.us in the default profile.
  • by kalidasa ( 577403 ) * on Wednesday December 29, 2004 @10:54AM (#11208830) Journal
    About writing IE only applications. It's the web, for heaven's sake - the idea is that it's not supposed to depend upon any given application.
  • Sites require IE? (Score:2, Insightful)

    by Anonymous Coward
    My bet is the outside sites they access only say they require IE. Try changing the user agent string in firefox so it looks like IE (with prefbar extension for example), and the sites will likely work just fine. It's worth trying anyway.
    • Yes, that's possible (hell, it happened to me yesterday with a questionnaire thing from Nokia, it said to "upgrade" to IE6 or Netscape, but changing the UserAgent fixed that), but a lot of corp "web-based" stuff is ActiveX and changing the UserAgent won't help that, although there was an ActiveX extension for Firefox [www.iol.ie], I think it's dead now as it says on the site it doesn't support Firefox 0.9 or 1.0.
  • I told them to simply use Mozilla/FireFox, but as it turns out they access outside applications that only run in Internet Explorer.

    Maybe this is an obvious question, but have they actually tested these applications on FF or Opera? I'm sure that someone in the company has told them that they only work on IE, but it seems quite possible that FF would handle them just fine.

    Guys who design for IE generally don't have a clue about other options.
    • There are sites that do not work on Firefox. For some reason, gmail crashes my Firefox about 1 out of every 3 times I log in. Annoying as hell, especially if I have multiple tabs open, because I lose all my tabs. It never crashes IE, so I don't know what is wrong.

      Also, it seems that the Firefox pop-up blocker is too effective. Even if I allow it to do pop-ups, some sites still don't work. I just wish the web designers would stop relying on pop ups to display information. Annoying as hell. Also, flash apps d

      • For some reason, gmail crashes my Firefox about 1 out of every 3 times I log in.

        It's just you. I have a dozen friends and family members that have switched to Firefox and use it to access Gmail - not one has a problem.

  • Use profiles, store the bookmarks elsewhere on a file server. You can then set the rights to stuff accordingly, and backup stuff regularly.

    Better if you run the IE as a different user. e.g. normal user account = John_Doe. normal user's IE account = John_Doe-IE.

    Then allow John_Doe to have access to John_Doe-IE's files, but not vice-versa.
  • Huh? (Score:3, Informative)

    by Anonymous Coward on Wednesday December 29, 2004 @11:06AM (#11208955)
    Tools -> internet options -> Security

    For "internet zone", turn off everything, including activeX.

    For your "access outside applications that only run in Internet Explorer" put them in the trusted sites, and nothing else.

    Install firefox and let them use that for the "intar web".

    Please let me know where I can send the bill.

    • Seriously, IE does have some security features, the default setup is abysmal, but you can tweak-up the security for the whole world, and put the outside app into the 'trusted sites' zone. Problem solved. I've done it and it works.

      BTW, you still have to keep your boxes patched, but that's a no-brainer anyway.
  • Other possibilities (Score:3, Interesting)

    by mnmn ( 145599 ) on Wednesday December 29, 2004 @11:07AM (#11208961) Homepage
    There was a way to open a link in a new window without displaying the window's address bar. Couple that with putting up a link like so:
    iexplore.exe http://site.com

    And removing all links to iexplore.exe elsewhere...

    And a better example:
    enforce proxy servers (setup as admin in win2k, and leave the users unprivileged), setup a squid proxy server that only allows the site, and do not setup any proxies for firefox...

    How about this one:
    Hack a spyware and find out how they redirect people's URLs. use that and infect your own machines, so any address in IE takes them to that website. Use firefox for everywhere else.

    And make sure you disable activex!!!
    • by technos ( 73414 )
      That isn't really too hard.

      Just add an entry to the registry declaring that any address http and ftp is now prefixed.

      Here's a cheap and easy way to do this on 2K/XP (Maybe other Win32 OS, dunno about those)

      Say you want your users only accessing the company web application hosted at www.server.com/webapp/ with IE.

      Change the default in

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix

      from "http://" to "http://www.server.com/webapp/"

      and then change all the sub entries in

      HK
  • Group Policy (Score:4, Interesting)

    by Chester K ( 145560 ) on Wednesday December 29, 2004 @11:14AM (#11209017) Homepage
    Can't they just "lock down IE to their heart's content" via Group Policy? Or perhaps an outbound proxy that only allows access to the specified pages when the user agent is IE's?

    Citrix seems like a little overkill for this problem.
  • I know of a guy who works in a real estate office, who has to access everything through citrix. All employees have individual logins, and are able to maintain their own preferences, email, and other stuff.

    I used a similar setup where I work. We set up a win2k server box with terminal services (essentially citrix), so we could keep one stable desktop while we were constantly messing with our own desktops (or like in my case, I was using unix with rdesktop client).

    Managing virus and malware on one common se
  • If they are serious about going the Citrix/Terminal Services route, you might consider moving all of their applications to the server and migrating them to cheap thin clients on their desktop. From an administration perspective, managing the machines becomes a lot easier. They can't install anything on their local machines. Most don't need to have access to install anything to the server. No virus software needed for the clients. Actually, no client management at all. If one breaks, you just replace it beca
    • Windows is like a high maintenance wife. Everything is nice to look at, but it cleans out your wallet and there is a lot of down time.

      I don't know about you, dude, but I'd be a happy man if my girlfriend went down as much as my Windows install does.

  • Maybe this is too simple and obvious, but how about, Don't go to websites that install spyware/adware!!

    • Evidently you have never managed a network with average users. Seriously - I know it's that simple, you know it's that simple, and users will swear blind that they will follow your advice, yet they clearly won't.

      For example, your users will tell you that they would never surf for pr0n and so on.

      Your proxy logs WILL show that pr0n surfing has gone on.

      No one admits to it. Obviously the logs must be wrong huh?

      Time and time again it is proven that asking users to do (or rather, not to do) things is a waste
      • Actually nobody where I work surfs for porn - well a few guys did last year and within minutes the stormtroopers walked up and grabbed them, escorted them out of the building while HR out-processed them on way out. Zero tolerance policy enforced by some fairly visible insta-firing a few people that didn't catch a clue early enough and ... no porn, no spyware, no adware.

        It's actually pretty simple, and brutally effective - particularly in today's economic environment.

        'Just say No' actually works, if appli
  • Maybe something like Deep Freeze [faronics.com] would solve your problem.

    Each restart eradicates all changes and resets the computer to its original state, right down to the last byte.

    There'd still be risks during a session of course. Then again, most of the truly evil stuff I see doesn't turn up until after the system has been rebooted and all the user-installed trash in registry gets launched.
    • I work for the local school district's IT department and we use Deep Freeze in all of our labs. What can I say, it's great.

      We use the Professional version. This allows the computer to maintain itself. The computers are set to shutdown each night at 4:30 except Friday. On Friday at 5:00, Deep Freeze turns itself off and locks the keyboard and mouse. Windows updates are performed, virus defs updated, and hard drive defragmented. Sure since Deep Freeze is installed we don't need to do all of this but we
  • Deploying Citrix to an organization of the size you imply would be a HUGE expense. Doing so for a single application is absurd. If this charity is as big as you say, let them use their clout to have the IE sites updated.
  • If they have to use IE then they probably need Javascript switched on too. That seems to be a major entrance for malware, and with all the legal wrangling over Java with Sun, I doubt MS is giving it much priority. I always install Sun's Java engine/plug-in for IE, and in process it scrapes away MS's Javascript code (Java != Javascript, of course).

    At one point in May-ish, with a fresh install, I brought everything up to date, set the security settings, but forgot to trash MS's Javascript .. and promptly pic

  • by 286 ( 620933 )
    I told them to simply use Mozilla/FireFox, but as it turns out they access outside applications that only run in Internet Explorer

    Hehe. I am betting that the outside app. relies on ActiveX. Which would explain, or might account for, more spyware getting loaded up. ActiveX would be the only real show stopper for going with Mozilla/FireFox, as others have pointed out.

  • by skinfitz ( 564041 ) on Wednesday December 29, 2004 @12:39PM (#11209877) Journal
    Quite simple. Firstly you give your users Firefox to stop the spyware problem.

    Now, for the external IE only applications, you create them as applications in Citrix and give each an icon on the user's desktop. If the user wants to use one of the external apps, they click the app icon which will launch a Citrix'ified IE window with the app in it. Obviously configure the Citrix IE to remove the address bar.
  • Two helpful steps (Score:3, Insightful)

    by mdielmann ( 514750 ) on Wednesday December 29, 2004 @12:54PM (#11210062) Homepage Journal
    Let me preface this by saying that I'm not a Citrix administrator or a web site administrator, but here's two things that might make this simpler on many of the fronts you listed.

    1. Make a custom home page for IE on the Citrix Server. Include links to where they enter all these custom IE applications so they can get to them in one click after starting IE.

    2. Optional. Disable pretty much every domain but the ones these custom apps are on. A thorough test should verify if they will (currently) work in that configuration.

    This might be a better option than using the anonymous option in Citrix, which will mean that they can still use bookmarks (but to what?) and preferences (good for all those passwords), and you will have abuse-tracking logs.
  • If it is a significant problem, they will be interested enough to learn how to avoid it. If it is not a big deal, they are not going to care. If you can't educate their users to avoid this problem, either you're a bad teacher, or they don't really care about avoiding it. If their management is asking you to fix the problem, tell their management to point out the simple fact that these things are easily avoided. The answer is NOT always technical guys. Sometimes it is social. If you treat them like a bun
  • Spyware can't screw up your computer for you when you don't even have the rights to screw it up yourself. Just take away administrative rights and stay on top of updates. Some institutions take this to the next level and run with all users as guests, and use logon scripts to build the user environment when needed. You will occasionally find software from sloppy vendors that don't do things in a clean way with respect to permissions, but if enough people come to their senses about admin rights, the few remai
  • Another issue is that there is no tracking, and no way to hold someone accountable in case of abuse.

    I'm not sure you *can* maintain accountability using anon published apps in Citrix. If you want accountability, you need to know who was doing what, and when they were doing it. Citrix will log routine connection stuff like the host name and date/time of any client making an ICA connection to the farm, if you have logging enabled. But that really isn't granular enough to be useful for accountability.

  • You do not have to use anonymous access to get to the server. Mandatory profiles may do the trick as well. That way they can use their normal user IDs to log in, but still get a clean copy of the profile every time. You can also set where bookmarks are stored using group policy or the IEAK so they can keep some degree of personal settings. You could either redirect it to a network share or back to the user's local computer.
  • There is no reason to have spyware infected PCs in a corporate environment.

    At home, everyone runs, by default, as administrator. But, at work, there is no reason to do this.

    Try this:

    1. Format a PC and reinstall with ALL the applications they absolutely need. Make sure you launch all the apps at least once so that they can finish writing everything that needs to be for setup to complete.

    2. Create a group for all the users on that PC. If you are using AD or other Domain logins, you can skip this step
  • Trend Micro makes IWSS, which is a proxy that has built in anti-virus, including filtering out assorted spyware/malware.

    I can't recommend the product too highly, it seems somewhat immature, though it does block the spyware/adware as advertised.
  • Why not install a content filtering system such as Webmarshal or another inbound web filtering program?

    Use group policies to force the use of a proxy and make this machine the proxy machine.
    Then you set the rules on the WebMarshal box to what you want. You can install a virus scanner and such.

    I use webmarshal in my environment, and whilst it's not the greatest (it IS a big brother monitoring device), it keeps my systems clean and protected from viruses and trojans and other illicit content that enters a
  • I hate suggesting things that support continued use of IE but since we are talking charity here it is:

    You can probably wrap the browser session with a frame navigator (like ask jeeves...) where the controlling frame has all the navigation buttons and necessary menu items and even an address bar. When the browser starts up, hide all top menus and only show the buttons and menus you want them to see via DHTML. You could even create a bookmark based system using DHTML and some simple server side storage. The
  • Since the "IE-only" sites are presumably known, set up a squid proxy that only allows access to those specific sites. Set everyone's IE to use the proxy server.

    Then to allow access to the wider internet, set up firefox w/out a proxy, or (more secure) firewall off ports 80 and 443 and proxy firefox through a different squid server which allows more-or-less open access.

    Note that it's virtually impossible to 'lock down' IE under citrix since you can hit the 'help' menu which has a link to 'web help' which give
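
The rule several comments in this thread propose (requests carrying an IE user agent may reach only the required business sites, while other browsers are unrestricted), as an added Python example that is not code from any poster: it applies the rule to proxy log lines and reports IE requests to other hosts, which is also the kind of per-user record the question asks about when logins are not anonymous. The domain names, the log layout and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: placeholder hosts standing in for the IE-only business applications.
IE_ALLOWED_DOMAINS = {"webapp.example.org", "partner-portal.example.net"}

# IE identifies itself with an "MSIE <version>" token. The header is supplied by
# the client, so use this rule for routing and audit, and also enforce the proxy
# setting on the locked-down IE itself.
IE_UA = re.compile(r"\bMSIE \d", re.IGNORECASE)

# Constructed layout:
# client ident user [time] "METHOD target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)


def host_of(target):
    """Return the lower-cased host from an absolute URL or a CONNECT host:port."""
    if "://" in target:
        host = urlsplit(target).hostname or ""
    else:
        host = target.rsplit(":", 1)[0]
    return host.lower().rstrip(".")


def domain_allowed(host, allowed=IE_ALLOWED_DOMAINS):
    """Exact host or a true subdomain; a look-alike suffix such as
    'webapp.example.org.evil.example' must not match."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def decide(user_agent, target):
    """ALLOW non-IE traffic; ALLOW IE only to the allowlisted application hosts."""
    if not IE_UA.search(user_agent or ""):
        return "ALLOW"
    return "ALLOW" if domain_allowed(host_of(target)) else "DENY"


def audit(lines):
    """Return (client, user, host) for every IE request outside the allowlist."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        if decide(m["ua"], m["target"]) == "DENY":
            findings.append((m["client"], m["user"], host_of(m["target"])))
    return findings


IE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
FF1 = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) "
       "Gecko/20041107 Firefox/1.0")

# Constructed sample log lines, not taken from any real proxy.
SAMPLE = [
    f'10.0.0.21 - jdoe [29/Dec/2004:10:40:01 -0500] '
    f'"GET http://webapp.example.org/login HTTP/1.1" 200 5120 "-" "{IE6}"',
    f'10.0.0.21 - jdoe [29/Dec/2004:10:41:12 -0500] '
    f'"GET http://ads.tracker.example.com/banner.js HTTP/1.1" 200 812 "-" "{IE6}"',
    f'10.0.0.34 - asmith [29/Dec/2004:10:42:30 -0500] '
    f'"GET http://news.example.com/ HTTP/1.1" 200 20480 "-" "{FF1}"',
    f'10.0.0.40 - - [29/Dec/2004:10:43:05 -0500] '
    f'"CONNECT partner-portal.example.net:443 HTTP/1.1" 200 0 "-" "{IE6}"',
    f'10.0.0.40 - - [29/Dec/2004:10:44:19 -0500] '
    f'"GET http://webapp.example.org.evil.example/ HTTP/1.1" 200 300 "-" "{IE6}"',
]

if __name__ == "__main__":
    for client, user, host in audit(SAMPLE):
        print(f"IE request outside allowlist: client={client} user={user} host={host}")
```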
