Page 1 of 2 12 LastLast
Results 1 to 15 of 30
  1. #1
    3 Star Lounger Backspacer's Avatar
    Join Date
    Sep 2002
    Location
    Scappoose
    Posts
    332
    Thanks
    20
    Thanked 12 Times in 11 Posts

    New world of PC security (for me, anyway)

    Hi,
    I am in the process of replacing some computers in my small business. In the past I have kept all computers to the following configuration:
    Windows XP-Pro
    Norton Internet Security
    Secunia PSI - automated
    Malwarebytes - run weekly
    Spybot S&D - scheduled to run nightly (most computers are rebooted at the end of day and left on)
    I am now changing everything to Windows 7 Pro. I read (in Windows Secrets) that the Windows Firewall plus Windows Security Essentials is an adequate replacement for NIS. So would the following configuration give me reasonable security?
    Windows 7-Pro
    Windows Firewall
    Windows Security Essentials
    Secunia PSI - automated
    Malwarebytes - run weekly
    Spybot S&D - scheduled to run nightly
    If there are disagreements, are there any suggestions for alternatives? Keep in mind that they must be as automated as possible as four of the five of us are not computer-literate. (We're all over 45. ) Or anything on the list that I don't need?
    Thanks!

    --Brian

  2. #2
    Gold Lounger
    Join Date
    Oct 2007
    Location
    Johnson City, Tennessee, USA
    Posts
    3,202
    Thanks
    37
    Thanked 215 Times in 202 Posts
    Quote Originally Posted by Backspacer View Post
    Hi,
    I am in the process of replacing some computers in my small business.
    Windows XP-Pro
    If there are disagreements, are there any suggestions for alternatives?
    Brian,

    Hello... This is just my opinion..and not speaking for W.S. Lounge.
    I am currently running XP-Pro, Vista Home Premium, And windows "7" with a mix of 32 and 64 bit OS's (Multi-Boot)
    I run NIS 2011 and Malwarebytes PRO on all OS's ...No "MS" anything.... WHY??

    1. NIS 2011 is completely customizable... and has many features that MS can't even begin to touch... Once setup (the way you choose) ... you don't have to do anything... Updates to security are auto and update real time...(Whenever there available)

    2.Malwarebytes PRO... Is also able to set up to do all (scan\ update) automatically ... Also scans, and offers real time protection that the "Free" does not.... Let the screaming begin Regards Fred
    Last edited by Just Plain Fred; 2011-09-14 at 07:43.
    PlainFred

    None are so hopelessly enslaved as those who falsely believe they are free (J. W. Von Goethe)

  3. The Following User Says Thank You to Just Plain Fred For This Useful Post:

    Backspacer (2011-09-13)

  4. #3
    Super Moderator jwitalka's Avatar
    Join Date
    Dec 2009
    Location
    Minnesota
    Posts
    6,792
    Thanks
    117
    Thanked 798 Times in 719 Posts
    You will get different answers from different members of this board. Assuming you are using a router with a hardware firewall, I believe this setup is fine. It is also important to have a good daily data backup program. For a business, an off site copy is recommended in case of a local disaster like a fire.

    Jerry

  5. #4
    3 Star Lounger Backspacer's Avatar
    Join Date
    Sep 2002
    Location
    Scappoose
    Posts
    332
    Thanks
    20
    Thanked 12 Times in 11 Posts
    Yes, I am expecting differing opinions and I value them! I hope to see a lot of them and I hope nobody is insulted when I select the solution I think will work best for me.

    I should have mentioned that I use a ZyXel ZyWall-20w router with firewall in it. It's supposed to be a pretty good router. But please don't divert this thread onto opinions of that router. That decision has been made.

    I will probably ask for backup advice in a separate thread.

    Thanks,

    --Brian

  6. #5
    5 Star Lounger
    Join Date
    Dec 2009
    Location
    Milwaukee, WI
    Posts
    737
    Thanks
    23
    Thanked 64 Times in 52 Posts
    The only caveat on using MSE in a small business is the EULA. I believe its OK for a small home based business, but they don't call out other small businesses.
    Chuck

  7. #6
    Plutonium Lounger Medico's Avatar
    Join Date
    Dec 2009
    Location
    USA
    Posts
    12,631
    Thanks
    161
    Thanked 936 Times in 856 Posts
    From my perspective, I have a hardware firewall in my router, a S/W firewall (Online Armor++) and MSE AV/AM. I also have Malwarebytes and Spybot Search and Destroy for manual scans only, no real time from these 2. I have never been successfully attacked. My setup is a non-business setup (used to have a small sideline business, but not any more). I can not comment on the EULA implications. I feel very secure on our 3 PC home network with this setup.
    BACKUP...BACKUP...BACKUP
    Have a Great Day! Ted


    Sony Vaio Laptop, 2.53 GHz Duo Core Intel CPU, 8 GB RAM, 320 GB HD
    Win 8 Pro (64 Bit), IE 10 (64 Bit)


    Complete PC Specs: By Speccy

  8. The Following User Says Thank You to Medico For This Useful Post:

    Backspacer (2011-09-13)

  9. #7
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    Consider locking down the browser a bit too: install ad-blocking tools and make sure you fully patch Adobe Flash, Adobe Reader, Java and Office.

    Then make sure you run from Standard Accounts rather Admin Accounts: restrict Administrator access to just yourself and limit the Standard Account access times to office hours only.

    Subscribe to and install Open DNS in the Router and setup whatever filters you consider appropriate to protect your business from "idle browsing". Configure wireless access (if you have it) to use a secure password and do not divulge this to users. Secure the router with a complex password.

    MSE is fine for 10 PC's in a business environment;

    MICROSOFT SOFTWARE LICENSE TERMS
    MICROSOFT SECURITY ESSENTIALS
    These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you.
    :
    :
    :
    1. INSTALLATION AND USE RIGHTS.
    a. Home Use. If you are a home user, then you may install and use any number of copies of the software on your personal devices for use by people who reside in your household. As a home user, you may not use the software in any commercial, non-profit, or revenue generating business activities.
    b. Small Business. If you operate a small business, then you may install and use the software on up to ten (10) devices in your business.
    :
    :
    :
    Lots of other stuff to consider about security of your network - blocking USB ports and online cloud storage, installing whole disk encryption, etc...

    Presumably you have a data backup solution too? (Another can of worms with as many solutions as opinions!)

  10. #8
    3 Star Lounger Backspacer's Avatar
    Join Date
    Sep 2002
    Location
    Scappoose
    Posts
    332
    Thanks
    20
    Thanked 12 Times in 11 Posts
    We use FireFox. It keeps itself up-to-date and most of its plugins. The Adobe and Java stuff I update when the need becomes apparent to me. Usually Secunia keeps them up-to-date for me. I am switching from MS Office to ThunderBird and Open Office. We don't do anything sophisticated and never will, so that will be enough. Thunderbird is kept up-to-date. I'm not sure what security issues OO might have, though. It doesn't seem that their developers are as on top of things as the Mozilla developers.

    I'm not sure about running from standard accounts. I will try that and see how it works. The computer I'm setting up right now is my wife's remote system. (She logs into it through a VPN to do her buying through the POS because database accesses are painfully slow over the net.) She does most of her own routine maintenance and updating. Once in a while she wishes I had done it, but mostly she does fine. She's pretty smart in spite of spending a lifetime in sales. So the standard option might not fly.

    Install OpenDNS in the router? Do you mean to program their DNS servers into the router or something else? I do use their DNS servers and I think I signed up for an account once long ago but never knew what to do with it.

    Our router has the ability to offer multiple "virtual" wireless networks to the world. I have thought about opening to the public in the DMZ so theoretically nobody can use it to get to my network at all. But I haven't actually done it. I have one with limited access to the Internet only which has a password that my employees are allowed to give out to suppliers. And I have one with full access to our LAN which is heavily protected using encryption with a key that only I know and mac address filtering. I think that's pretty secure. I hope so.

    I am relieved to know that I do not need to violate the EULA to use MSE.

    Thanks

    --Brian

  11. #9
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    Firefox and Thunderbird should be ok. Chrome scores well too, as does Google Apps (Gmail for business if you haven't come across it), which you could use via Thunderbird. Adblock plugins will increase the protection against the increasing prevalence of malvertising attacks.

    Java and Adobe Flash & Reader are extremely common attack vectors and should be patched as soon as an update becomes available.

    Standard versus Admin accounts: the situation you describe is more "complicated" than some small businesses with your partner requiring access and there being other influences. However, I still recommend running from Standard Accounts. It is a very well documented risk in Windows systems that the default account is Admin. As users, we have become accustomed to being able to click on something and have the machine bend to our will. Unfortunately, this gives malware a very big toehold and for a business this risk can endanger the bottom line. Although I have no statistics to hand for the rest of the world, most of the malware infections I come across would not get in the door if the machine was run from a Standard Account. Without Admin, some other vector needs to be used to elevate the privileges as well as deliver the payload.

    With an Open DNS account, one can filter all manner of traffic, be it Facebook, adult sites, or cloud based storage thereby maintaining a tight ship and minimising the risks of data loss. You could do that with the hosts files on each PC, but perhaps better to block the traffic in a single place than maintain multiple hosts files across several machines.

    You mention opening a wireless channel in the DMZ. The DMZ normally allows access from the outside world to one or more machines without the protection of the router firewall. I have deployed such techniques before, but only temporarily and for testing of services only. The DMZ is normally a highly insecure area for a business.

    Could you explain a little more about the channel your employees allow your suppliers to access you network? If I'm honest, I got a bit confused at that point.

    P.S. it's late here in Scotland, so have to go offline until the morning now. Perhaps other "Loungers" may have some inputs as well.
    Last edited by Tinto Tech; 2011-09-13 at 19:36. Reason: To go to bed!

  12. The Following User Says Thank You to Tinto Tech For This Useful Post:

    Backspacer (2011-09-13)

  13. #10
    3 Star Lounger Backspacer's Avatar
    Join Date
    Sep 2002
    Location
    Scappoose
    Posts
    332
    Thanks
    20
    Thanked 12 Times in 11 Posts
    Oh, I just tried the "Thanks" thing. Weird. And random. Don't know what it's for. Thanks to all of you and I hope clicking the thanks button doesn't close this discussion.

    I do wonder that nobody has commented on my use of SpyBot S&D, though I did see that Ted Meyers uses it manually. Is it no longer needed? It sure has helped me over the years...

    --Brian

  14. #11
    3 Star Lounger Backspacer's Avatar
    Join Date
    Sep 2002
    Location
    Scappoose
    Posts
    332
    Thanks
    20
    Thanked 12 Times in 11 Posts
    I can understand the confusion about our wireless networks. Our router allows more than one virtual wireless network on its one set of antennae. Lots of people ask if they can use our WiFi. That's why I was thinking about putting one of the virtual wireless networks through the DMZ. But we heavily use a VPN between our home and our small retail store in a tourist town. So I have resisted setting up the public WiFi-to-DMZ due to possible bandwidth problems. I think I'll just keep resisting it. We have a vendor's wireless network which is password protected and is not allowed access to our LAN. It's for sales reps who want to access their company websites to show us stuff they want to sell. Maybe I should put that one through the DMZ, just in case. Our own company computers are all hard wired, but if my wife brings her laptop in to work it will access through the very tightly secured wireless network.

  15. #12
    Super Moderator CLiNT's Avatar
    Join Date
    Dec 2009
    Location
    California & Arizona
    Posts
    6,121
    Thanks
    160
    Thanked 609 Times in 557 Posts
    The Malwarebytes should do fine as an AM app alone, but if you want to add SpyBot S&D and run it manually on occasion too, that's fine.
    But don't bog the system down with too many backgrownd running AM apps. MSE is also dual AV/AM.

    I agree with Tinto Tech that your browser ought to be hardened ...and also, browser addons/plugins should be minimized.
    For extra security consider blocking a wide range of websites for your employees usage...like all social media and adult sites, torrent sites, etc.

  16. #13
    3 Star Lounger Backspacer's Avatar
    Join Date
    Sep 2002
    Location
    Scappoose
    Posts
    332
    Thanks
    20
    Thanked 12 Times in 11 Posts
    Is it possible to block those general categories of sites? We're all old fogies and I'm the only guy, so adult sites and torrent sites probably aren't an issue, but social media and others might be. I'd happily block them all if I could do it with the stroke of a pen ... uh, of a key. Or is that what the Open DNS will do for me?

  17. #14
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    OK on the wireless setup, got my head round that now! Effectively you are setting up guest access to the internet for suppliers who visit the site, but ring-fencing them away from the internal LAN - something that is quite common. Like you, I would steer away from enabling public access internet. Not just because of the potential for somebody to mount an attack on you, but also because of the possibility of somebody using your network to access illegal material and potentially landing you in trouble with the law.

    Yes, Open DNS does have the capability of "set-and-forget" category filtering. Works quite well too.

    As regard SpyBot S&D. I occasionally use it to assist clean-up after an infection, but the real-time "Tea-Timer" module was very heavy on resources. If it regularly intercepted attacks, perhaps consider if your browsing habits are safe enough (no slur on your good name intended).

  18. #15
    Plutonium Lounger Medico's Avatar
    Join Date
    Dec 2009
    Location
    USA
    Posts
    12,631
    Thanks
    161
    Thanked 936 Times in 856 Posts
    I also do not use the Tea Timer module in Spybot Search and Destroy. As stated I only use Spybot and Malwarebytes for manual scanning. My thought is anything I can do to ensure my security is worth the time to do.
    BACKUP...BACKUP...BACKUP
    Have a Great Day! Ted


    Sony Vaio Laptop, 2.53 GHz Duo Core Intel CPU, 8 GB RAM, 320 GB HD
    Win 8 Pro (64 Bit), IE 10 (64 Bit)


    Complete PC Specs: By Speccy

Page 1 of 2 12 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •