Stopping Adware and Spyware on Windows w/ Citrix?
SilverDivan asks: "A fairly large non-profit charity organization recently asked me how they can permanently take care of the spyware and adware problem that is plaguing their computing environment. I told them to simply use Mozilla/FireFox, but as it turns out they access outside applications that only run in Internet Explorer. So, I am planning to make a recommendation to publish Internet Explorer on a Citrix Farm, and let the users use the IE published on Citrix instead of the locally installed IE. This way they can lock down the IE to their heart's desire. Also publishing IE 'anonymously' on Citrix will further secure the environment, as the anonymous profiles can be deleted on a nightly basis. However one issue with 'anonymous' access to Citrix applications, is that the user can not maintain their preference or even their bookmarks. Another issue is that there is no tracking, and no way to hold someone accountable in case of abuse. Has anyone implemented a similar solution before? What was your experience? Will it work? How can you configure the Citrix environment to best handle a situation like this?"
Remove Microsoft :) (Score:1, Insightful)
Once you remove Microsoft from the important job, it gets pretty easy
Re:Remove Microsoft :) (Score:4, Insightful)
A possibly better alternative would be to secure IE using AD policies (and migrate to AD if they aren't on one), and standardize on Firefox/Mozilla for everything except these specific applications. Use a proxy server if necessary. You could do this with Citrix also but a Citrix farm is a huge chunk of change and I don't see why you'd want to spend that much just for this.
In fact, a good transparent proxy might be sufficient anyway - simply restrict anything with an IE user-agent to the specific IE only applications required.
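An added example, not part of the original thread: a dry run of the rule suggested above (requests with an IE user-agent may reach only the IE-only applications) over existing proxy logs, to list what would be denied before the proxy enforces it. The allowlisted domains, the combined-log-style lines and all function names are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Hypothetical allowlist: domains hosting the IE-only applications.
IE_ONLY_APPS = {"apps.vendor.example", "portal.partner.example"}

# Combined-log-style line from a forward proxy (request line holds the full URL).
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

def is_ie(user_agent):
    # "MSIE" covers IE up to 10, "Trident/" covers IE 11.
    return "MSIE " in user_agent or "Trident/" in user_agent

def host_of(url):
    # CONNECT requests are logged as "host:port" rather than a URL.
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()

def host_allowed(host, allowed=IE_ONLY_APPS):
    # Exact match or true subdomain; "fakeapps.vendor.example" must not pass.
    return any(host == d or host.endswith("." + d) for d in allowed)

def would_block(user_agent, url, allowed=IE_ONLY_APPS):
    return is_ie(user_agent) and not host_allowed(host_of(url), allowed)

def audit(lines, allowed=IE_ONLY_APPS):
    """Count (client, host) pairs that the IE rule would deny."""
    blocked = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and would_block(m["ua"], m["url"], allowed):
            blocked[(m["client"], host_of(m["url"]))] += 1
    return blocked

# Constructed sample input, not real traffic.
UA_IE = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
UA_FX = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0"
SAMPLE_LOG = [
    f'10.0.0.21 - - [12/Oct/2004:09:14:02 +0000] "GET http://apps.vendor.example/login HTTP/1.0" 200 5120 "-" "{UA_IE}"',
    f'10.0.0.21 - - [12/Oct/2004:09:14:03 +0000] "GET http://ads.tracker.example/popup.js HTTP/1.0" 200 812 "-" "{UA_IE}"',
    f'10.0.0.34 - - [12/Oct/2004:09:15:10 +0000] "GET http://news.site.example/ HTTP/1.1" 200 20480 "-" "{UA_FX}"',
    f'10.0.0.34 - - [12/Oct/2004:09:16:41 +0000] "CONNECT cdn.apps.vendor.example:443 HTTP/1.0" 200 3300 "-" "{UA_IE}"',
    f'10.0.0.21 - - [12/Oct/2004:09:17:05 +0000] "GET http://fakeapps.vendor.example/ HTTP/1.0" 200 700 "-" "{UA_IE}"',
]
```

The User-Agent header is supplied by the client, so a rule keyed on it steers a stock IE install but does not constrain software that sends a different string.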
Re:Remove Microsoft :) (Score:2)
The largest problem desktop-wise that I've seen has been people taking lapto
all half-assed patches (Score:5, Insightful)
Citrix?!? Just to run Internet Explorer?!? Absolute rubbish. Fix the real issue instead of just doing a half assed patchjob like that. What's wrong with you whippersnappers....
Are you hard of reading? (Score:1, Funny)
Re:Remove Microsoft :) (Score:2)
This also means that no connections are opened to load images or CSS, etc. until your brows
Re:Remove Microsoft :) (Score:1)
RTFA (Score:1)
"they access outside applications that only run in Internet Explorer"
If they need IE, they need IE. Removing windows won't help them access these sites at all.
Re:RTFA (Score:3, Insightful)
I fail to see the problem here.
Firefox Extension (Score:4, Interesting)
Re:Firefox Extension (Score:2)
Re:Firefox Extension (Score:2)
Personally, I would start my solution using the IEAK (last time I looked it was free from Microsoft), which would allow a very customized IE. Also using automatic updates (if XP), or f
Re:Firefox Extension (Score:1)
I doubt that the outside orgs will have anything to do with the troubleshooting process. They would probably only hear good things.
Having an attitude like this is what keeps Microsoft
Re:Firefox Extension (Score:2)
I work on web based applications which are used by client companies every day, and my company uses web based applications from other vendors. During the acceptance phase, we often hear comments like, this doesn't look right, blah, blah, blah. The contracts which are created between us and our client companies are often very specific about 'supported browsers', using a different browser would make us or them in violat
Re:Firefox Extension (Score:1)
I have actually worked in a corporate help desk environment, as recently as 2 weeks ago.
We attempted to minimize losses from spyware/adware damage and also allow users the most freedom with their software selection. Admittedly, we were stuck using some Microsoft technology (mostly on the server side), but we actively encouraged users to switch
Re:Firefox Extension (Score:2)
(please note the "ensure security" part)
Re:Firefox Extension (Score:1)
This is most likely a form letter that they send out to cover 99% of complaints. When looking at the vulnerabilities that have been exposed to the general public, upgrading to the latest version of IE does look a little more secure.
Just out of curiosity, how did you phrase your question?
Re:Firefox Extension (Score:2)
I replied back saying:
Re:Firefox Extension (Score:1)
Re:Firefox Extension (Score:1)
It depends on what you mean by 'help desk'. In the classic sense of there being a group of people simply taking calls and dealing with faults, I would say that they should not in any way be moving users onto alternatives (regardless of the vendor / source and licensing terms). There are people who have the official responsibility to drive IT strategy
Re:Firefox Extension (Score:1)
Yes this is very true, but if given the choice between two pieces of software that the help desk staff is equally capable of supporting, one would tend to suggest the software that would cause the fewest number of problems. Our biggest problem at the time was malware, we found that the few sites FireFox had a problem rendering were much less of a problem than the 1000
All of this is unnecessary. (Score:2)
Where I work (US Air Force), this type of policy has not created any problems at all, and f
Re:All of this is unnecessary. (Score:1)
At least in my company, not giving the average-corporate-user admin rights works wonders.
I know it's not the ultimate solution, but it helps a lot to keep the playground a lil' safer.
Re:All of this is unnecessary. (Score:2)
The parent post is the best so far. Windows has perfectly reasonable authorization mechanisms, and if folk don't use them, they deserve what they get. I would add that it would be worth using a group policy to prevent all but a white-listed set of executables from running (for the proletariat at least).
Re:All of this is unnecessary. (Score:2)
Firewall. (Score:1)
If they need to surf with no limits, put-up a Squid caching proxy and let them use Firefox.
Re:Firewall. (Score:2)
There are plenty of reasons why any business might need to access sites that aren't regularly used.
Re:Firewall. (Score:2)
surely.. (Score:2)
offer them a customisable startpage or something for instance.
del.icio.us for bookmarks (Score:2, Interesting)
Tell them to complain to their vendors (Score:3, Insightful)
Re:Tell them to complain to their vendors (Score:2)
Sites require IE? (Score:2, Insightful)
Re:Sites require IE? (Score:2)
Do They Really Need IE? (Score:2)
Maybe this is an obvious question, but have they actually tested these applications on FF or Opera? I'm sure that someone in the company has told them that they only work on IE, but it seems quite possible that FF would handle them just fine.
Guys who design for IE generally don't have a clue about other options.
Re:Do They Really Need IE? (Score:2)
Also, it seems that the Firefox pop-up blocker is too effective. Even if I allow it to do pop-ups, some sites still don't work. I just wish the web designers would stop relying on pop ups to display information. Annoying as hell. Also, flash apps d
Re:Do They Really Need IE? (Score:2)
It's just you. I have a dozen friends and family members that have switched to Firefox and use it to access Gmail - not one has a problem.
Many options. Depends on what you want. (Score:2)
Better if you run the IE as a different user. e.g. normal user account = John_Doe. normal user's IE account = John_Doe-IE.
Then allow John_Doe to have access to John_Doe-IE's files, but not vice-versa.
Huh? (Score:3, Informative)
For "internet zone", turn off everything, including activeX.
For your "access outside applications that only run in Internet Explorer" put them in the trusted sites, and nothing else.
Install firefox and let them use that for the "intar web".
Please let me know where I can send the bill.
Mod parent up, it's 100% effective and 100% free! (Score:2)
BTW, you still have to keep your boxes patched, but that's a no-brainer anyway.
Other possibilities (Score:3, Interesting)
iexplore.exe http://site.com
And removing all links to iexplore.exe elsewhere...
And a better example:
enforce proxy servers (setup as admin in win2k, and leave the users unprivileged), setup a squid proxy server that only allows the site, and do not setup any proxies for firefox...
How about this one:
Hack a spyware and find out how they redirect people's URLs. use that and infect your own machines, so any address in IE takes them to that website. Use firefox for everywhere else.
And make sure you disable activex!!!
Re:Other possibilities (Score:3, Interesting)
Just add an entry to the registry declaring that any address http and ftp is now prefixed.
Here's a cheap and easy way to do this on 2K/XP (Maybe other Win32 OS, dunno about those)
Say you want your users only accessing the company web application hosted at www.server.com/webapp/ with IE.
Change the default in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
from "http://" to "http://www.server.com/webapp/"
and then change all the sub entries in
HK
Group Policy (Score:4, Interesting)
Citrix seems like a little overkill for this problem.
Some successful anecdotes (Score:2)
I used a similar setup where I work. We set up a win2k server box with terminal services (essentially citrix), so we could keep one stable desktop while we were constantly messing with our own desktops (or like in my case, I was using unix with rdesktop client).
Managing virus and malware on one common se
Thin clients (Score:2)
Inevitable Bad Joke Time... (Score:2)
I don't know about you, dude, but I'd be a happy man if my girlfriend went down as much as my Windows install does.
Too Obvious? (Score:2)
Maybe this is too simple and obvious, but how about, Don't go to websites that install spyware/adware!!
Re:Too Obvious? (Score:2)
For example, your users will tell you that they would never surf for pr0n and so on.
Your proxy logs WILL show that pr0n surfing has gone on.
No one admits to it. Obviously the logs must be wrong huh?
Time and time again it is proven that asking users to do (or rather, not to do) things is a waste
Re:Too Obvious? (Score:2)
It's actually pretty simple, and brutally effective - particularly in today's economic environment.
'Just say No' actually works, if appli
Have you looked at all the alternatives? (Score:1)
Each restart eradicates all changes and resets the computer to its original state, right down to the last byte.
There'd still be risks during a session of course. Then again, most of the truly evil stuff I see doesn't turn up until after the system has been rebooted and all the user-installed trash in registry gets launched.
Great solution... (Score:2)
We use the Professional version. This allows the computer to maintain itself. The computers are set to shutdown each night at 4:30 except Friday. On Friday at 5:00, Deep Freeze turns itself off and locks the keyboard and mouse. Windows updates are performed, virus defs updated, and hard drive defragmented. Sure since Deep Freeze is installed we don't need to do all of this but we
Reality Check (Score:2)
Lock down Javascript (Score:1)
At one point in May-ish, with a fresh install, I brought everything up to date, set the security settings, but forgot to trash MS's Javascript .. and promptly pic
Re:Lock down Javascript (Score:1)
Sun's Java settlement has zero impact on M$'s implementation of ECMAScript.
Re:Lock down Javascript (Score:1)
ActiveX (Score:1)
Hehe. I am betting that the outside app. relies on ActiveX. Which would explain might account for more spyware getting loaded up. ActiveX would be the only real show stopper for going with Mozilla/FireFox, as others have pointed out.
How to resolve with Citrix (Score:5, Interesting)
Now, for the external IE only applications, you create them as applications in Citrix and give each an icon on the user's desktop. If the user wants to use one of the external apps, they click the app icon which will launch a Citrix'ified IE window with the app in it. Obviously configure the Citrix IE to remove the address bar.
Two helpful steps (Score:3, Insightful)
1. Make a custom home page for IE on the Citrix Server. Include links to where they enter all these custom IE applications so they can get to them in one click after starting IE.
2. Optional. Disable pretty much every domain but the ones these custom apps are on. A thorough test should verify if they will (currently) work in that configuration.
This might be a better option than using the anonymous option in Citrix, which will mean that they can still use bookmarks (but to what?) and preferences (good for all those passwords), and you will have abuse-tracking logs.
Re: (Score:1)
Cold hard truth (Score:1)
Don't waste your time (Score:1)
Accountability w/ Citrix? (Score:1)
I'm not sure you *can* maintain accountability using anon published apps in Citrix. If you want accountability, you need to know who was doing what, and when they were doing it. Citrix will log routine connection stuff like the host name and date/time of any client making an ICA connection to the farm, if you have logging enabled. But that really isn't granular enough to be useful for accountability.
IE on Citrix/WTS (Score:2)
Classic Security (Score:1)
At home, everyone runs, by default, as administrator. But, at work, there is no reason to do this.
Try this:
1. Format a PC and reinstall with ALL the applications they absolutely need. Make sure you launch all the apps at least once so that they can finish writing everything that needs to be for setup to complete.
2. Create a group for all the users on that PC. If you are using AD or other Domain logins, you can skip this step
anti-spam proxy (Score:1)
I can't recommend the product too highly, it seems somewhat immature, though it does block the spyware/adware as advertised.
Install a Content filtering system (Score:1)
Use group policies to force the use of a proxy and make this machine the proxy machine.
Then you set the rules on the WebMarshal box to what you want. You can install a virus scanner and such.
I use webmarshal in my environment, and whilst it's not the greatest. (It IS a big brother monitoring device), it keeps my systems clean and protected from viruses and trojans and other illicit content that enters a
Don't use `traditional` bookmarks & menus. (Score:2)
You can probably wrap the browser session with a frame navigator (like ask jeeves...) where the controlling frame has all the navigation buttons and necessary menu items and even an address bar. When the browser starts up, hide all top menus and only show the buttons and menus you want them to see via DHTML. You could even create a bookmark based system using DHTML and some simple server side storage. The
proxy IE (Score:2)
Then to allow access to the wider internet, set up firefox w/out a proxy, or (more secure) firewall off ports 80 and 443 and proxy firefox through a different squid server which allows more-or-less open access.
Note that it's virtually impossible to 'lock down' IE under citrix since you can hit the 'help' menu which has a link to 'web help' which give