Danger kruts' Small Office Security Config 2019

Last updated
Nov 1, 2019
Windows Edition
Enterprise
Security updates
Allow security updates
User Access Control
Notify me only when programs try to make changes to my computer
Real-time security
bitdefender gravityzone
Firewall security
Periodic malware scanners
bitdefender gravityzone
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
chrome
Maintenance tools
none
File and Photo backup
yes, nas offline
System recovery
image
Risk factors
    • Browsing to popular websites
    • Working from home
Computer specs
intel nucs

kruts

Level 1
Thread author
Nov 1, 2019
11
We have a small office (7 workstations - Windows 10 and 1 Windows 2016 Server)

I currently have Bitdefender GravityZone installed on all stations and server and I am in the process of locking down server and stations by white listing applications, dll and scripts using Applocker

As we receive a lot of emails with attachments, mostly office files, pdf and some image (jpg, png etc) I would like an area where the employee can download and open the attachment safely like a sandbox. I started sandboxie and it worked well but it looks like it is coming to the end of its life and is quite brittle and breaks with windows updates so now I downloaded RE:hips and it looks promising but I cannot work it out but I have not looked into the doco but struggling to understand how to open excel or something similar..seems to not work...anyway

I imagined if I had a scanning tool like Bitdefender and a sandbox application to open files safely in and a decent applocker policy then this would be a solid security setup but my knowledge in this if fairly limited

I ma wondering if there are any 'security holes' I have missed to running a network of this size? also apps like VoodooShield and OSarmour and RansomOff, do they just work in the same was as bitdefender? are they the same class of software?

Also watched these two reviews of bitdefender and it really does not look that good




My employees are pretty well educated and careful but really would like to know if i have any glaring omissions or security holes in my thinking?
 

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,730
@kruts:
  • Check if enabled/enable Device Seucioryt -> SmartScreen for W10.
  • You may set UAC to max.
  • As for "Disk Imaging Backup", You may add Macrium Reflect Free or AOEMI Backupper, both are free and reliably.
  • Consider also to run manual backups of important data to external devices and/or in cloud services.
  • As for "Virus and Malware Removal Tools", You may add: MalWareBytes Free, EmsiSoft Emergengy Kit, Norton Power Eraser, and HitManPro Free.
  • As for "Web Privacy", You may add uBlock Origin or AdGuard AdBlocker extension to Your browsers, also a VPN service (if needed).
  • A PassWord Manager would be welcome also.
  • About ReHips, provably @Umbra may give You some suggestions...
Please kindly reflect Your changes editing Your config, and announcing them here, thanks for sharing :giggle:
 

Gandalf_The_Grey

Level 78
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,764
I recommend using Edge Chromium which has built-in Smartscreen and anti-tracking/adblocking. Can be configured to harden it beyond default settings. It's actually a better browser than Chrome.
While I agree, and use it, the stable version is not officially released yet.
That should be a no go for a business environment.
 

oldschool

Level 82
Verified
Top Poster
Well-known
Mar 29, 2018
7,192
Last edited:
F

ForgottenSeer 823865

About REHIPS and Excel, you shouldn't have any problems, clicking on a excel file should open it sandboxed. Unless you applied some restrictions or use a 3rd party software that hamper ReHIPS.
MS Office rules are hardcoded and it's IE (sandbox) is installed by default if ReHIPS detect MS Office.
you should visit ReHIPS forum and open a thread about your issue, the dev is very present and will give you an answer or even fix it for you via remote session.
 

LDogg

Level 33
Verified
Top Poster
Well-known
May 4, 2018
2,261
- UAC set to Max
- No excuses to have device security set to off, make sure Smartscreen is enabled
- If you're a business you may want to have a look at Enterprise/business versions of Macrium/Aomei
- Have a weekly company discourse about Phishing, opening attachments et al
- Depending on the type of business you are, extensions may or not be needed depending on the type of security platform your servers are hosted on
- I would not recommend Ransomoff, some settings can be very aggressive. OSArmor I would recommend
- Hoping you have covered the basics in all works stations by having restricted access to your employees computers whilst on server with Limited User Accounts and one Admin account which you can access to update/install from
- In regards to emails, do you use a client or Microsoft Outlook?
- VDS is a software I wouldn't recommend for use on your system as a workstation as actions done by your employees could be blocked, and you need to take out more extra training to teach your employees on how VDS would work, I think the same situation would apply to OSA as well, these types of software are more geared towards home users, rather than Companies or businesses
- Have some sort of web filter put in place for your network as well, this is highly advisable

Probably have missed something, but I hope this does help you.

~LDogg
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top