RE: CRIME Ideas?

From: Jerod (jerod@private)
Date: Sun Dec 08 2002 - 20:48:22 PST

Next message: Seth Arnold: "Re: CRIME Ideas?"

Previous message: Vince Alexander: "CRIME Ideas?"
Next in thread: Shaun Savage: "Re: CRIME Ideas?"
Reply: Shaun Savage: "Re: CRIME Ideas?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Also, if you want to change the ACLs with NTFS for the entire hard
drive, but still need all of your programs to work, then you will be
interested in tools by SysInternals called Regmon and Filemon.  You have
to use the combination of these tools to find out what programs require
which registry keys, and which programs require write access to the HD.
It is a painstaking process, but this is how we secure the machines in
the labs at Portland State University.  You have to figure it out,
program by program.

Jerod Alexander
OIT Campus and Networking Services
Security Team
Labs and Classrooms Team
Portland State University

-----Original Message-----
From: owner-crime@private [mailto:owner-crime@private] On Behalf
Of Seth Arnold
Sent: Sunday, December 08, 2002 8:38 PM
To: Vince Alexander
Cc: crime@private; fw@private
Subject: Re: CRIME Ideas?

On Sun, Dec 08, 2002 at 11:39:22AM -0800, Vince Alexander wrote:
> Situation: multiple user stand alone PC with Internet access with Zone
Alarm
> 		Operating system: W2k
> 
> Looking for solutions:
> 
> 1. software to audit URLs visited (with user ID, datetime - if
possible) and 
> capability to access audit log remotely (email out from stand alone?)

The best way to do something like this is to firewall the machine so
that it cannot initiate network traffic except to a web proxy, and have
the web proxy save all URLs visited. 

IE and netscape both have history files, but they are pretty easy to
tamper with, so it is at best an "honour policy".

> 2. How to prevent user saving application files to C:\ drive ( forcing
save to floppy)?

Use NTFS ACLs to prevent filesystem writes to C:. (Right click on C in
an explorer window, hit Properties, and poke around. It ought to be in
there somewhere.)

You may or may not want to make exceptions to this policy for the
browser caches of whichever browsers your users will use.

(You might be surprised to find out just how much software will try to
write to the drive; depending on your applications, this might not be
possible to do. Which would be too bad.)

> Please answer off list.

And prevent the other list members from seeing answers they might also
be interested in? :)

-- 
"Soldiers quartered in a populous town will always occasion two mobs
where they prevent one. They are wretched conservators of the peace."
-- John Adams

Next message: Seth Arnold: "Re: CRIME Ideas?"
Previous message: Vince Alexander: "CRIME Ideas?"
Next in thread: Shaun Savage: "Re: CRIME Ideas?"
Reply: Shaun Savage: "Re: CRIME Ideas?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun Dec 08 2002 - 21:20:57 PST