Danger kruts' Small Office Security Config 2019

Last updated
Nov 1, 2019
Windows Edition
Enterprise
Security updates
Allow security updates
User Account Control (UAC)
Notify me only when programs try to make changes to my computer
Real-time security
bitdefender gravityzone
Firewall security
Periodic malware scanners
bitdefender gravityzone
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
chrome
Maintenance tools
none
File and Photo backup
yes, nas offline
System recovery
image
Risk factors
    • Browsing to popular websites
    • Working from home
Computer specs
intel nucs

kruts

Level 1
Thread author
Nov 1, 2019
We have a small office (7 workstations running Windows 10 and 1 Windows Server 2016).

I currently have Bitdefender GravityZone installed on all stations and the server, and I am in the process of locking down the server and stations by whitelisting applications, DLLs and scripts using AppLocker.

As we receive a lot of emails with attachments, mostly Office files, PDFs and some images (jpg, png etc.), I would like an area where the employee can download and open the attachment safely, like a sandbox. I started with Sandboxie and it worked well, but it looks like it is coming to the end of its life and is quite brittle and breaks with Windows updates, so now I have downloaded ReHIPS. It looks promising but I cannot work it out; I have not looked into the documentation yet, but I am struggling to understand how to open Excel or something similar. It seems not to work... anyway.

I imagined that if I had a scanning tool like Bitdefender, a sandbox application to open files safely in, and a decent AppLocker policy, then this would be a solid security setup, but my knowledge in this area is fairly limited.

I am wondering if there are any 'security holes' I have missed in running a network of this size? Also, apps like VoodooShield, OSArmor and RansomOff, do they just work in the same way as Bitdefender? Are they the same class of software?

I also watched these two reviews of Bitdefender and it really does not look that good.
My employees are pretty well educated and careful, but I really would like to know if I have any glaring omissions or security holes in my thinking?
 
@kruts:
  • Check if enabled/enable Device Security -> SmartScreen for W10.
  • You may set UAC to max.
  • As for "Disk Imaging Backup", You may add Macrium Reflect Free or AOMEI Backupper; both are free and reliable.
  • Consider also to run manual backups of important data to external devices and/or in cloud services.
  • As for "Virus and Malware Removal Tools", You may add: Malwarebytes Free, Emsisoft Emergency Kit, Norton Power Eraser, and HitmanPro Free.
  • As for "Web Privacy", You may add uBlock Origin or AdGuard AdBlocker extension to Your browsers, also a VPN service (if needed).
  • A password manager would be welcome also.
  • About ReHIPS, probably @Umbra may give You some suggestions...
Please kindly reflect Your changes by editing Your config and announcing them here. Thanks for sharing :giggle:
 
I recommend using Edge Chromium which has built-in Smartscreen and anti-tracking/adblocking. Can be configured to harden it beyond default settings. It's actually a better browser than Chrome.
While I agree, and use it, the stable version is not officially released yet.
That should be a no go for a business environment.
 
About ReHIPS and Excel, you shouldn't have any problems; clicking on an Excel file should open it sandboxed, unless you applied some restrictions or use a 3rd-party software that hampers ReHIPS.
MS Office rules are hardcoded, and its IE (sandbox) is installed by default if ReHIPS detects MS Office.
You should visit the ReHIPS forum and open a thread about your issue; the dev is very present and will give you an answer or even fix it for you via remote session.
 
- UAC set to Max
- No excuses to have device security set to off, make sure Smartscreen is enabled
- If you're a business you may want to have a look at Enterprise/business versions of Macrium/Aomei
- Have a weekly company discourse about Phishing, opening attachments et al
- Depending on the type of business you are, extensions may or not be needed depending on the type of security platform your servers are hosted on
- I would not recommend Ransomoff, some settings can be very aggressive. OSArmor I would recommend
- Hoping you have covered the basics on all workstations by having restricted access to your employees' computers whilst on the server, with Limited User Accounts and one Admin account which you can access to update/install from
- In regards to emails, do you use a client or Microsoft Outlook?
- VDS is a software I wouldn't recommend for use on your system as a workstation, as actions done by your employees could be blocked, and you would need to take on extra training to teach your employees how VDS would work. I think the same situation would apply to OSA as well; these types of software are more geared towards home users, rather than companies or businesses
- Have some sort of web filter put in place for your network as well, this is highly advisable

Probably have missed something, but I hope this does help you.

~LDogg
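As an added example, not code from anyone in this thread or from any of the products it mentions, the PowerShell script below reads the settings behind the advice given above (UAC at maximum, SmartScreen enabled, AppLocker actually enforcing, employees running as limited users) and reports them without changing anything. It assumes a Windows 10 workstation, an elevated PowerShell session, and that the AppLocker and LocalAccounts modules are available (they ship with Windows 10 Pro/Enterprise); the registry paths and cmdlets are standard Windows ones, the function names and the "findings" wording are mine.

```powershell
# Added example: read-only audit of UAC, SmartScreen, AppLocker and local admins.
# Nothing is modified. Run elevated so the policy registry keys and AppLocker are readable.

function Get-UacState {
    # The UAC slider is stored as three values under the Policies\System key.
    $sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        EnableLUA                  = $sys.EnableLUA                   # 1 = UAC on
        ConsentPromptBehaviorAdmin = $sys.ConsentPromptBehaviorAdmin  # 2 = Always notify, 5 = default
        PromptOnSecureDesktop      = $sys.PromptOnSecureDesktop       # 1 = prompt on the secure desktop
        AtMaximum = ($sys.EnableLUA -eq 1 -and
                     $sys.ConsentPromptBehaviorAdmin -eq 2 -and
                     $sys.PromptOnSecureDesktop -eq 1)
    }
}

function Get-SmartScreenState {
    # Local Settings-app value, plus the Group Policy override if one is configured.
    $local  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' -ErrorAction SilentlyContinue
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalSetting  = if ($local.SmartScreenEnabled) { $local.SmartScreenEnabled } else { 'not set' }          # Warn / Block / Off
        PolicyEnabled = if ($null -ne $policy.EnableSmartScreen) { $policy.EnableSmartScreen } else { 'not configured' }
        PolicyLevel   = if ($policy.ShellSmartScreenLevel) { $policy.ShellSmartScreenLevel } else { 'not configured' }
    }
}

function Get-AppLockerState {
    # AppLocker rules are only enforced while the Application Identity service (AppIDSvc) runs.
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    $collections = @()
    try {
        $policy = Get-AppLockerPolicy -Effective
        foreach ($rc in $policy.RuleCollections) {
            $collections += [pscustomobject]@{
                Collection = $rc.RuleCollectionType        # Exe, Dll, Script, Msi, Appx
                Mode       = $rc.EnforcementMode           # NotConfigured, AuditOnly, Enabled
                Rules      = ($rc | Measure-Object).Count  # enumerate the collection to count rules
            }
        }
    } catch {
        # The AppLocker module is not present on every edition; report an empty policy.
    }
    [pscustomobject]@{
        ServiceStatus = if ($svc) { $svc.Status } else { 'not present' }
        Collections   = $collections
    }
}

function Get-LocalAdmins {
    # Who can install software on this box: the advice above is one admin account, everyone else limited.
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
}

$report = [ordered]@{
    UAC         = Get-UacState
    SmartScreen = Get-SmartScreenState
    AppLocker   = Get-AppLockerState
    LocalAdmins = @(Get-LocalAdmins)
}

# Turn the raw values into the checklist items from the replies above.
$findings = @()
if (-not $report.UAC.AtMaximum) {
    $findings += 'UAC is below "Always notify" (ConsentPromptBehaviorAdmin is not 2 or secure desktop is off)'
}
if ($report.SmartScreen.LocalSetting -eq 'Off' -or $report.SmartScreen.PolicyEnabled -eq 0) {
    $findings += 'SmartScreen for apps and files is turned off'
}
if ($report.AppLocker.ServiceStatus -ne 'Running') {
    $findings += 'Application Identity service is not running, so AppLocker rules are not enforced'
}
if (-not ($report.AppLocker.Collections | Where-Object Mode -eq 'Enabled')) {
    $findings += 'No AppLocker rule collection is in Enabled (enforce) mode; Exe, Dll and Script are the ones the thread asks for'
}
if ($report.LocalAdmins.Count -gt 2) {
    $findings += "Local Administrators has $($report.LocalAdmins.Count) members; review whether each one really needs admin"
}

"== UAC ==";          $report.UAC         | Format-List | Out-String
"== SmartScreen ==";  $report.SmartScreen | Format-List | Out-String
"== AppLocker ==";    "Service: $($report.AppLocker.ServiceStatus)"
$report.AppLocker.Collections | Format-Table -AutoSize | Out-String
"== Local Administrators =="; $report.LocalAdmins | Format-Table -AutoSize | Out-String
"== Findings =="
if ($findings) { $findings | ForEach-Object { " - $_" } } else { ' - nothing flagged' }
```

Run it on each workstation (or from a GPO-pushed scheduled task that writes the output to a share) before and after changing the UAC slider or AppLocker enforcement mode; the "Findings" section is what to compare between machines. It reports only; the "expected" thresholds, such as two local admins, are judgement calls written into the script, not Windows defaults.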