2. Browser lockdown
Although I'm a user of open-source software such as Mozilla Firefox and Google Chrome, I'm going to address browser security with a focus on the browser with the most market share in the enterprise: Microsoft Internet Explorer. All current browser usage statistics put Explorer at the top of the heap, and because Microsoft dominates the corporate desktop space, its penetration there is even greater.
Microsoft has made many strides in beefing up Internet Explorer's security, and many of those are available in the Active Directory through Group Policy. The Active Directory is not only a centralized directory service offering authentication and authorization for your Windows domain, but it also can control security policies throughout your Windows environment. Group Policy allows administrators to centrally control the configuration of Internet Explorer and thus efficiently lock down an entire enterprise's browsers.
Internet Explorer versions 8 and 9 offer nearly 1,500 configurable settings, so you would be hard-pressed to say it's not flexible enough to meet your security requirements. Of particular use to the enterprise is the ability to control the user interface by disabling certain menus or configuration options:
- tweaking security zones (which allow you to set the level of trust that the client or browser should have)
- setting up smart screen filters (which help protect from malicious phishing or malware sites)
- using Active X control and filtering (which provide the ability to control add-ons)
- managing and blocking downloads, and more.
Books have been written on this subject, but suffice it to say you might want to explore these features to further lock down your enterprise browsers.
3. Filtering proxy with malware scanning
As an additional layer of security and as part of an effort to add depth to your defenses, a filtering proxy with malware scanning can prove invaluable. Vendors offer products such as unified threat management devices and dedicated filtering proxies with advanced Layer 7 filtering and anti-malware scanning.
These devices allow you to have additional deep application-layer insight into the traffic coming into your enterprise; coupling them with URL blocking, malware scanning and enhanced logging should provide overall cost reduction and performance improvement.
4. Evolved anti-malware defense
Anti-malware has evolved from simple signature and engine models and can now include heuristics or behavior-based functions. This is a welcome evolution in light of today's many Web threats.
Features such as malicious URL detection, advanced client-side firewalls, light host intrusion detection, sandboxing and white- or blacklisting applications are all now available. These anti-malware defenses add an additional layer of proactive defense to your enterprise at one of its key weak points. Your anti-malware suite should have many of these core features and great management tools to maintain it in your enterprise; if it doesn't, it's time to start shopping around.