*This question is from a SearchWindowsSecurity.com reader:*
I'm in a position to redesign our IT systems (network, servers, PCs, software, etc.) this summer, and I am undecided on which path to take. I'd like to disconnect our systems from the Internet so that we don't have to deal with all of the garbage that comes from the Internet via e-mail, browsing, etc. However, I also need to provide Internet access for our company to run its business.
My company has about 50 employees and all have computer accounts, e-mail and Web access. I'm looking for an innovative solution in which we are not dependent on an arsenal of prevention and detection hardware and software, but instead I'd like our systems to not be vulnerable in the first place. For example, our e-mail gets scanned through four virus detection systems, and we still have seen viruses pass right through since updated virus definitions were not available in time. Yes, we could switch to Macs or Linux or some other less popular systems, but eventually they too will become targets.
So I'm hoping that there is enough good technology available such that we can design an invulnerable system (and/or procedure) for safe computing. As an analogy, we can get lots of advertising in our home snail mailbox, but all we have to do is throw out the stuff we don't want, so only the good mail gets in through our front door. Similar idea regarding a bookstore or library -- we go there to read, watch videos, check out books or buy books to bring home. So how can we do that in the computer world? Perhaps some kind of user sandbox for any Internet-related activity -- e-mail viewing, browsing, downloading, streaming video, etc.?
I've seen several possible solutions -- ShadowUser and ShadowSurfer, DeepFreeze and FreezeX, using a thin client connecting to a Citrix server that runs a Web browser and e-mail program (i.e. Internet Explorer and Outlook), etc. The big issue I see with some of these sandbox or freeze programs is that there are some changes that need to be made to a PC or a user's profile as part of their business use of the PC. It seems that it would be difficult to freeze some parts of the profile and/or registry but not others due to the underlying Windows design. One other thought is to buy one appliance that does it all regarding prevention and detection of bad stuff (however, I'd buy this device regardless of my final strategy as a backup filter). I spend a good deal of my time with security issues when my time should be spent improving the IT systems and helping our users take more advantage of software that can help their jobs and the company in general.
I was hoping that someone might have some suggestions. There must be a simple strategy to keep our systems safe other than pulling the Internet plug.