I ran into this same issue about a year ago. Spyware-infested systems, viruses, no network monitoring/policies, etc. The network is around 40 computers, a few servers, mostly Windows 98 desktops. While I could have attempted to do a "Security 101" class, I realized most wouldn't be interested and as a result, it wouldn't be effective. So instead, I profiled the network, uncovered issues (both from a security and usability standpoint) and wrote up a formal proposal that outlined the issues and solutions (using FOSS of course.. :)

I set up a FreeBSD 4 firewall (Linux could be used as well, I just prefer the syntax of IPFilter and the ports system) that uses a default deny policy to only allow necessary incoming connections (i.e. website, mail, ssh) as well as necessary outgoing connections.

I set up Postfix with Amavisd-new that processes all incoming and outgoing email for spam (spamassassin) and viruses (clamav). In addition, Postfix uses dnsrbl lists that reject known spam sites at the connection (about 30% of all incoming email). Amavisd is set to auto-quarantine known executable files attached to email and notifies me to manually deliver them (I think there have been 2 legitimate emails quarantined over the past year). (Side note: the current issue of Linux Journal has two articles that discuss the setup & config of postfix/clamav/amavisd/spamassassin.)

40% of all incoming email is rejected (dnsrbl lists), another 5-10% is rejected as spam at the server. Historically 50% of all email being received was spam, now this has been significantly reduced. Email that is *probably* spam (low spamassassin value) is delivered with the spam tags so the recipient can decide what to do with the email. AFAIK, the clamav + amavisd blocking of executable attachments has been 100% effective in keeping viruses from entering the LAN. On average, 10 virus emails are stopped per day that would have historically been delivered and possibly run by a user.

On the desktop, I have been migrating users to Firefox. In addition to this, I "fix" Internet Explorer (updated security patches, spywareblaster, adaware, etc..) and move links for Internet Explorer to point to Firefox (Blue E = "The Internet" you know..). I have not run into any major issues from users. Most use it and see it as an upgrade from Internet Explorer. Quite a few have asked me where to get it to install on their home systems/recommend it to others, etc. This has done wonders for the spyware/adware/virus issue. For the most part, it is a distant memory for the users.

In case something does get past the firewall/filters, I have set up the firewall to notify me when attempts are made to access external SMTP servers (not from the mail server, of course) and I monitor the postfix logs (daily report) for any abnormal mail server activity that would indicate a mass mailing virus. In addition, an occasional network sweep using tools such as nmap/nessus/etc is conducted to locate other security issues (i.e. viruses loaded that open a backdoor on the system).

As the next step, I'll probably set up a proxy server (squid/dans guardian or similar) to disallow all use of Internet Explorer except for Windows Update and provide another layer of control (disable access to spyware/adware sites, etc..).

Needless to say, most users are unaware of the behind-the-scenes stuff that is occurring. There have been several who have noticed that many problems they have on their home computers don't occur on their work computers (massive spam, spyware, general slowness, etc..) and have asked me about these issues. Of course, I'm more than happy to discuss and recommend ways to combat the issues. In fact, I have a short one page list of tools & recommendations (standard stuff, firewalls, being intelligent about email, using firefox, using a hardware router, adware/spybot/spywareblaster, virus scanner, etc..). I do like when they pop the question "well what do you use on your home computer" ..

".. well I don't use Windows...."