RE: CRIME Ideas?

From: Jerod (jerod@private)
Date: Sun Dec 08 2002 - 20:48:22 PST


    Also, if you want to change the ACLs with NTFS for the entire hard
    drive, but still need all of your programs to work, then you will be
    interested in tools by SysInternals called Regmon and Filemon.  You have
    to use the combination of these tools to find out what programs require
    which registry keys, and which programs require write access to the HD.
    It is a painstaking process, but this is how we secure the machines in
    the labs at Portland State University.  You have to figure it out,
    program by program.
    
    Jerod Alexander
    OIT Campus and Networking Services
    Security Team
    Labs and Classrooms Team
    Portland State University
    
    
    
    -----Original Message-----
    From: owner-crime@private [mailto:owner-crime@private] On Behalf
    Of Seth Arnold
    Sent: Sunday, December 08, 2002 8:38 PM
    To: Vince Alexander
    Cc: crime@private; fw@private
    Subject: Re: CRIME Ideas?
    
    On Sun, Dec 08, 2002 at 11:39:22AM -0800, Vince Alexander wrote:
    > Situation: multiple user stand alone PC with Internet access with Zone Alarm
    > Operating system: W2k
    > 
    > Looking for solutions:
    > 
    > 1. software to audit URLs visited (with user ID, datetime - if possible) and
    > capability to access audit log remotely (email out from stand alone?)
    
    The best way to do something like this is to firewall the machine so
    that it cannot initiate network traffic except to a web proxy, and have
    the web proxy save all URLs visited. 
    
    IE and netscape both have history files, but they are pretty easy to
    tamper with, so it is at best an "honour policy".
    
    > 2. How to prevent user saving application files to C:\ drive (forcing save to floppy)?
    
    Use NTFS ACLs to prevent filesystem writes to C:. (Right click on C in
    an explorer window, hit Properties, and poke around. It ought to be in
    there somewhere.)
    
    You may or may not want to make exceptions to this policy for the
    browser caches of whichever browsers your users will use.
    
    (You might be surprised to find out just how much software will try to
    write to the drive; depending on your applications, this might not be
    possible to do. Which would be too bad.)
    
    > Please answer off list.
    
    And prevent the other list members from seeing answers they might also
    be interested in? :)
    
    -- 
    "Soldiers quartered in a populous town will always occasion two mobs
    where they prevent one. They are wretched conservators of the peace."
    -- John Adams
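
Turning a Filemon trace into the list of directories a program must still be able to write, as an added example that is neither Jerod's nor Sysinternals' code: it parses a constructed, Filemon-style tab-separated export (the column layout and the request names are assumptions for this example) and reports, per program, which directories received successful write-class requests (the ACL exceptions a read-only C: will need) and which were already denied.

```python
import ntpath
from collections import defaultdict

# Constructed sample of a Filemon-style tab-separated log export. The column
# layout (seq, time, process:pid, request, path, result, other) and the
# request names are assumptions for this example, not a real capture.
SAMPLE_LOG = """\
1\t8:38:01 PM\twinword.exe:1024\tOPEN\tC:\\Program Files\\Office\\winword.exe\tSUCCESS\tAccess: Read
2\t8:38:02 PM\twinword.exe:1024\tCREATE\tC:\\Documents and Settings\\student\\Application Data\\Office\\~WRL0001.tmp\tSUCCESS\tOptions: Create
3\t8:38:02 PM\twinword.exe:1024\tWRITE\tC:\\Documents and Settings\\student\\Application Data\\Office\\~WRL0001.tmp\tSUCCESS\tOffset: 0 Length: 512
4\t8:38:03 PM\twinword.exe:1024\tWRITE\tC:\\Program Files\\Office\\settings.ini\tACCESS DENIED\tOffset: 0 Length: 64
5\t8:38:04 PM\tiexplore.exe:1100\tWRITE\tC:\\Documents and Settings\\student\\Local Settings\\Temporary Internet Files\\index.dat\tSUCCESS\tOffset: 0 Length: 4096
6\t8:38:05 PM\tiexplore.exe:1100\tREAD\tC:\\WINNT\\system32\\wininet.dll\tSUCCESS\tOffset: 0 Length: 8192
"""

# Request types that need write access to the volume (assumed names).
WRITE_REQUESTS = {"WRITE", "CREATE", "DELETE", "SET INFORMATION"}


def write_targets(log_text):
    """Map each program to the directories it touched with write-class requests.

    Returns {process: {"succeeded": set(dirs), "denied": set(dirs)}}. Succeeded
    writes are the candidates for an ACL exception once C: is made read-only;
    denied writes show where a restriction already in place breaks the program.
    """
    result = defaultdict(lambda: {"succeeded": set(), "denied": set()})
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) < 6:
            continue  # skip blank or malformed lines
        process = fields[2].rsplit(":", 1)[0]  # strip the ":pid" suffix
        request, path, outcome = fields[3], fields[4], fields[5]
        if request not in WRITE_REQUESTS:
            continue
        bucket = "succeeded" if outcome == "SUCCESS" else "denied"
        result[process][bucket].add(ntpath.dirname(path))
    return dict(result)


def exception_dirs(log_text):
    """Sorted list of directories that need a write exception in the C: ACL."""
    dirs = set()
    for info in write_targets(log_text).values():
        dirs |= info["succeeded"]
    return sorted(dirs)


if __name__ == "__main__":
    for proc, info in sorted(write_targets(SAMPLE_LOG).items()):
        print(proc)
        for d in sorted(info["succeeded"]):
            print("  needs write:", d)
        for d in sorted(info["denied"]):
            print("  denied     :", d)
```

The same pass over a Regmon export would use the registry key path in place of the file path; the per-program grouping is what keeps the program-by-program review tractable.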
    
    This archive was generated by hypermail 2b30 : Sun Dec 08 2002 - 21:20:57 PST