You have probably read about the global ransomware attack that has been going on for the past 24 hours. The attack is called WannaCry / Wanna Decrypt, and it has a lot of system administrators lying awake at night, worrying whether their systems are going to survive it. So what can you do to stay sound asleep and not have to worry about the attack? Well, I’m going to tell you how I think you should set up your workspace security in a way that means you don’t need to worry.
The global spread of the WannaCry ransomware infection:
Workspace Security must be done in 3 parts: proactive, reactive and active.
To give a virus or ransomware less chance to attack your system or do damage, take the following proactive measures:
- Make sure your system is up to date. This must include OS, Java, Flash, Firmware etc. updates.
- As a system administrator, use two accounts: one without admin rights to check your mail, work on documents, etc., and one with admin rights but limited internet access for administrator tasks.
- Check all your NTFS and Share rights and make sure that a user cannot access something they’re not supposed to.
- Do (self) audits to find leaks in your system.
- Make sure your firewall is correctly configured.
The reactive part of workspace security is anti-virus protection. Make sure it’s up to date and that all your servers have an anti-virus agent installed. In a business environment, make sure to have an anti-virus management server that lets you manage all the agents in one portal. Also, configure notifications, because you want to be notified right away when there is a virus outbreak. File servers should be scanned regularly, and make sure to scan on both read and write.
Most system admins leave it at these two parts. They protect their systems with anti-virus and do monthly updates. But they’re still vulnerable to ransomware and viruses. This is because they don’t do the last part, which is Active Workspace Security.
Active Workspace Security consists of app locking. With app locking, malicious programs are not allowed to execute on your system. A great app locker is the Managed Application feature of the RES ONE Workspace Security module. Explanation of the feature:
This is the AppLocker from RES. It allows you to whitelist or blacklist applications based on application name, path and/or file hash. This way a virus will not be allowed to start, because Virus.exe is not on the whitelist. Even when a virus replaces a whitelisted program like Word.exe, with file hashes configured it will not be allowed to start. Managed Applications has a live log that lets you view which applications are being blocked, and it has a learning mode to help you create your whitelist.
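The difference between a path-only rule and a hash-pinned rule, as an added example (not RES ONE Workspace code or its API): a minimal default-deny check in Python. `Rule`, `is_allowed`, the wildcard matching and the sample paths are hypothetical names, assumptions and constructed values.

```python
import fnmatch
import hashlib
import ntpath
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Rule:
    """One whitelist entry: a path pattern and, optionally, a pinned SHA-256."""
    path_pattern: str   # Windows-style path; * wildcards via fnmatch (assumption)
    sha256: str = ""    # empty means any file at a matching path may run


def sha256_of(file_on_disk) -> str:
    return hashlib.sha256(Path(file_on_disk).read_bytes()).hexdigest()


def is_allowed(launch_path: str, file_on_disk, rules) -> bool:
    """Default deny: allow only if a rule matches the path and, when pinned, the hash."""
    wanted = ntpath.normcase(launch_path)
    for rule in rules:
        if not fnmatch.fnmatchcase(wanted, ntpath.normcase(rule.path_pattern)):
            continue
        if not rule.sha256 or rule.sha256 == sha256_of(file_on_disk):
            return True
    return False


def demo() -> dict:
    """Constructed scenario: a whitelisted Word.exe is overwritten on disk."""
    word = r"C:\Program Files\Office\Word.exe"   # constructed path
    with tempfile.TemporaryDirectory() as tmp:
        stand_in = Path(tmp) / "Word.exe"        # stand-in file so the demo runs anywhere
        stand_in.write_bytes(b"constructed: original Word.exe content")
        path_only = [Rule(word)]
        pinned = [Rule(word, sha256_of(stand_in))]
        results = {
            "original": is_allowed(word, stand_in, pinned),
            "not_listed": is_allowed(r"C:\Users\alice\Virus.exe", stand_in, pinned),
        }
        stand_in.write_bytes(b"constructed: replacement content")  # binary replaced
        results["replaced_path_only"] = is_allowed(word, stand_in, path_only)
        results["replaced_hash_pinned"] = is_allowed(word, stand_in, pinned)
        return results


if __name__ == "__main__":
    print(demo())
```

The path-only rule still allows the replaced file, while the hash-pinned rule rejects it; the cost is that pinned hashes must be refreshed whenever the legitimate application is updated.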
The RES ONE Workspace Security module not only contains, in my view, the best app locker, it also comes with a unique feature called Read Only Blanketing.
Read Only Blanketing
Read Only Blanketing presents the whole system drive as a read-only disk. This way users can’t change files on the system drive that they’re not supposed to. This is great protection against ransomware, because it would not be allowed to change the files on the C drive. RES ONE Workspace allows you to use Read Only Blanketing on a whitelist or blacklist principle. By default, everything is read-only until you place it on the whitelist (Authorized Files). To make the migration to Read Only Blanketing easier, RES ONE Workspace has a built-in learning mode in which it only logs which files are being changed, allowing you to create your whitelist before setting Read Only Blanketing to enabled mode.
PRO TIP: Try not to add too many wildcards (*) to your authorized files. Also, you don’t need to authorize everything, just enough for a program to function correctly.
When you combine the proactive, reactive and active security you can stay sound asleep without having to worry that your system is going to be another ransomware or virus victim. So make your life easier with the right Workspace Security! If you have any other security tips, feel free to share them in the comment section.
I hope this was informative. For questions or comments you can always give a reaction in the comment section or contact me: