Allow only specific file types on a wired LAN

T_Tech

Active member · Joined Oct 8, 2019 · Posts: 30
Hi Everyone,

I am kindly asking for advice on how to prevent viruses and other malware from spreading to other computers connected to a wired Local Area Network.

A photo printing studio has a reception area with computers that accept customers' media (SD, microSD, USB, etc.) and the studio operators select and edit the desired prints and send them via wired LAN to the printing room that houses the printers and associated equipment.

I am looking for a way to prevent viruses from being sent to the printing room via the network as I have grown tired of restoring the printing software from cloned images of the hard disks, recovering customers' data and disinfecting multiple hard disks.

Any suggestions would be appreciated including using Linux.

Thanks in advance,

T_Tech
 
Well for sure, the first thing you need to do is shore up the computers the customers use in that reception area. They should be catching any malware before it gets sent over your network.

If me, I would limit customer access to the fewest number of computers possible - one would be good.

If possible, perhaps those reception room computers could be taken offline during business hours so if a customer inserts an infected device, the malware cannot go anywhere. Then they could be put back online for updates and such.

What OS is on those computers? Is the OS fully updated? What security is on those systems? Is that security fully updated? And is that security set to scan all removable devices as soon as it is inserted?

Those studio operators should be properly trained, instructed and held responsible for scanning those media devices.

And the computers in the printing room need to be fully updated and properly secured too.
 
Hi Digerati, thanks for the suggestions.

The computers in the reception areas use Windows 7 and in the past, I have installed and updated Avast antivirus only to find out a month later that the operators had uninstalled Avast and installed SMADAV which does not offer much protection. The explanation was that Avast deleted some customers' data.

I do not work there and can not verify that claim but I do remember an irate newly-wed groom that they sent to me to recover his wedding pictures!
I used Testdisk and R-Studio to get them back.

They do not have internet access so I arranged to update the machines weekly using downloaded virus definitions.

The computer in the printing room that is networked to the reception room computers is also Windows 7.

The Fuji Frontier 370 printer uses two computers: a "Frontend" computer that processes the prints to be sent to the printer (by order, colour adjustment etc.) and an LP Controller that controls the printer via a 1394 FireWire cable. The computers use Windows 2000 and Windows XP, required by the Fuji software.

Some time ago, we disconnected the Frontend computer from the networked machine and tried the air-gap method using a usb thumb drive to transfer the pictures to the Frontend after scanning with the antivirus on the Windows 7 machine.

When the printer broke down recently due to a faulty laser, I found that most of the hard disks, including the backup copies, were infected so I am trying to find another solution that does not require human input.

I am also considering setting up the reception computers without administrator privileges which the person that installed the system should have done.

I will work on your suggestions when I go there later in the week.

Thanks,

T_Tech
 
I am also considering setting up the reception computers without administrator privileges which the person that installed the system should have done.
That would be wise - as would migrating all the computers to W10 or Linux.

However, you said you don't work there. So not sure what sort of responsibility and authority you have. But if you get the responsibility, then you must have the authority to exercise that responsibility too (that's just Management 101). And if me, I would ensure if any of those operators mess with the security I set up, that would be grounds for discipline or even dismissal.

If you don't get that support from the boss, then not sure what you can do - other than drastically raise your rates.
 
I was thinking of Linux but they use Photoshop to edit pictures. Maybe I could use Linux to connect the reception to the printing room?

What about the firewall? I have never gone into the Windows Firewall much but have read that it is possible to configure it to block certain file types.

The boss is part of the problem, focusing on the financial aspects of the business and ignoring technical advice. Photo printing is dying out due to Whatsapp and other apps that make picture sharing easy from any part of the world in seconds.

T_Tech
 
What about the firewall? I have never gone into the Windows Firewall much but have read that it is possible to configure it to block certain file types.
But malware comes in all forms, including legitimate file types.
The boss is part of the problem, focusing on the financial aspects of the business
Then he needs to be aware of the cost of downtime and recovery time when these systems get infected - to include the cost of upsetting customers because those reception area computers are down due to malware.
 
But malware comes in all forms, including legitimate file types.

Agreed and there are so many image file types....

Then he needs to be aware of the cost of downtime and recovery time when these systems get infected - to include the cost of upsetting customers because those reception area computers are down due to malware.

He knows because malware also affects the printer software and I charge for each visit to repair his systems.

I am considering setting up the reception area to use Linux and then use one computer without a user accessible interface to automatically scan for malware and send the prints to the printing room.

Any thoughts?

T_Tech
 
If the machines are running Windows 7 Pro, it would be a good idea to lock them down as much as possible with Group Policy - for example whitelisting allowed programs, disabling access to settings etc. Make sure the computers aren't using admin accounts either, and set UAC to maximum.

Are the users just taking the files off the memory card/camera and copying them over to the printing computer using Windows Explorer? Not sure if I'm getting this right, but this might work:

1. Create a folder on the reception area computer to act as a watch folder. Files are copied into this local folder from the customer's memory card/camera
2. Create a new user account that can read/write to the file share on the printing computers. This must be a completely stand-alone account.
3. Create a robocopy script (or similar with a 3rd party replication tool such as Bvckup (Bvckup 2 | Simple fast backup)) to copy files with specific extensions over to the file share and delete them once copied. Use this new user account for this job, and do not mount the file share in Explorer.

With this method, the end-users never have access to the file share and it only allows files with allowed extensions onto the printing computers. Whilst this won't stop everything, it will prevent simple .exe files and scripts from ending up on the print computers.

Shout if this doesn't make sense and I'll try and explain it a bit better!

If the share was running off a Windows Server box, then I'd just recommend using FSRM (File Server Resource Manager (FSRM) overview), which lets you screen files on the share and only allow specific formats to be stored (Server 2012 - Deny file extensions on shared folders - Alexandre VIOT).
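One way to implement the three steps above in PowerShell, added here as an example and not Tekno Venus's own script. Assumed names: watch folder C:\Prints\Outbox, share \\PRINTPC\Prints, and a dedicated copy account (placeholder PRINTCOPY-USER) created on both machines with the same password. The robocopy filters provide the extension whitelist; a header check in front of them quarantines files whose content does not match their extension, which an extension filter alone cannot catch.

```powershell
# Added example, not from the thread. Assumes: watch folder C:\Prints\Outbox, share
# \\PRINTPC\Prints, and a dedicated copy account (placeholder PRINTCOPY-USER) that
# exists with the same password on both machines, so no credentials live in this file.
$Watch      = 'C:\Prints\Outbox'
$Quarantine = 'C:\Prints\Quarantine'
$Share      = '\\PRINTPC\Prints'
$Log        = 'C:\Prints\printcopy.log'

# Expected leading bytes per allowed extension (the raw formats listed are TIFF-based,
# so both TIFF byte orders are accepted). A renamed .exe keeps its own header, so the
# extension filter alone is not enough; the content is checked before anything moves.
$Tiff  = '49-49-2A-00', '4D-4D-00-2A'
$Magic = @{
    '.jpg' = 'FF-D8-FF'; '.jpeg' = 'FF-D8-FF'; '.png' = '89-50-4E-47'
    '.tif' = $Tiff; '.tiff' = $Tiff; '.cr2' = $Tiff; '.nef' = $Tiff; '.dng' = $Tiff
}
$Allowed = $Magic.Keys | ForEach-Object { "*$_" }   # robocopy file filters, e.g. *.jpg

function Test-ImageHeader([System.IO.FileInfo]$File) {
    # Unicode direction-override characters in a file name are the trick behind the
    # "Unitrix" disguise mentioned in this thread; such names are rejected unopened.
    if ($File.Name -match '[\u202A-\u202E\u2066-\u2069]') { return $false }
    $fs = [System.IO.File]::OpenRead($File.FullName)
    try { $buf = New-Object byte[] 4; $n = $fs.Read($buf, 0, 4) } finally { $fs.Close() }
    foreach ($sig in $Magic[$File.Extension.ToLower()]) {
        $len = [int](($sig.Length + 1) / 3)      # 'FF-D8-FF' -> 3 bytes
        if ($n -ge $len -and [BitConverter]::ToString($buf, 0, $len) -eq $sig) { return $true }
    }
    return $false
}

New-Item -ItemType Directory -Force -Path $Quarantine | Out-Null

# Stage 1: files with an allowed extension but the wrong content are quarantined locally.
Get-ChildItem -Path $Watch |
    Where-Object { -not $_.PSIsContainer -and $Magic.ContainsKey($_.Extension.ToLower()) } |
    ForEach-Object {
        if (-not (Test-ImageHeader $_)) {
            Move-Item -LiteralPath $_.FullName -Destination $Quarantine -Force
            "$(Get-Date -Format s) QUARANTINED $($_.Name)" | Out-File -Append -FilePath $Log
        }
    }

# Stage 2: robocopy moves only the whitelisted extensions (/MOV deletes each source file
# after a successful copy); subfolders are not descended, so nothing else leaves the PC.
& robocopy.exe $Watch $Share $Allowed /MOV /XJ /R:2 /W:5 /NP /NDL /LOG+:$Log
# One-time setup from an administrator prompt: the job runs every minute as the
# dedicated account (schtasks prompts for its password), which operators never use.
#   schtasks /Create /TN PrintCopy /SC MINUTE /MO 1 /RU PRINTCOPY-USER /RP * /RL LIMITED /F ^
#     /TR "powershell -NonInteractive -ExecutionPolicy Bypass -File C:\Prints\printcopy.ps1"
```

Files left in the watch folder after a run are the ones the filters rejected, and the Quarantine folder shows which ones carried content that did not match their extension.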
 
Thank you so much Tekno Venus, this sounds perfect.

I will research the robocopy script and let you know if I get stuck as I am more comfortable with a soldering iron and oscilloscope :)

The reception computers appear as folders on the printing room computer network.

Thank you so much,

T_Tech
 
Hi Everyone, here's a brief progress report:

I first thought of using one computer as a server and looked into some of the available server operating systems, FreeNAS, Apache, Plex Media Server, Ubuntu Server, CentOS Server and Windows Server 2008 R2 but abandoned the idea considering it overkill for the application.

I was attracted to Ubuntu Server as it is less than 900 MB (Windows Server 2008 R2 is 2.9 GB) and has no GUI although one can be installed.

I downloaded bvckup2-setup-1.80.5.0.exe but it is expensive ($29 - $149).

I am using WSUS Offline (Windows Server Update Services) to download updates for Windows 7 x86 and x64 to make updating the machines easier. It has been running for eleven hours and is not finished yet.

The next step is to make a list of all the picture file formats that are commonly used here. I use FastStone Image Viewer to view and convert picture files and it supports the following formats:

"It supports all major graphic formats (BMP, JPEG, JPEG 2000, animated GIF, PNG, PCX, PSD, EPS, TIFF, WMF, ICO and TGA) and popular digital camera RAW formats (CRW, CR2, NEF, PEF, RAF, MRW, ORF, SRF, SR2, ARW, RW2 and DNG)."

I will look through the hard disks to try to narrow the list down if necessary.

I will definitely need help with the robocopy script but I will get to that when I set up three computers to test. Evidently, PowerShell could also be used?

I'll be back.

T_Tech
 
The wsusoffline1181 folder size is currently 2.79 GB and it is currently downloading 15 of 232 updates.

I'll be back, some time in the future.

T_Tech
 
Happy to help with the Robocopy script if you go that route. Yes, Powershell is also an option for scripting if you wanted to.

Bvckup was only a suggestion as I use it all the time and know it's reliable, but it's not free.

I agree a full server is probably overkill, as it will obviously need extra maintenance to keep running. I'm a big fan of Ubuntu/Debian (run Ubuntu on my work laptop, and a variety of Debian servers in my home lab) so can recommend them if you went that route. Would definitely avoid Server 2008R2 as it's based on Windows 7 and is end of life in January. If you went with Windows Server, I could only recommend going with 2012R2 at a push or 2016.

WSUS Offline is a pretty neat tool, but note that it only downloads the core Windows Updates - i.e any updates specific to your hardware and some feature updates aren't downloaded. Also, since Windows 7 is end of life in Jan as well, there won't be any more updates after then.

Overall, in terms of what I think you should do, in priority order:

1 - Ensure all machines are fully up to date and patched
2 - Make sure that users are using standard user accounts and create a separate admin account they don't know the password to.
3 - Set User Account Control to maximum in Windows 7
4 - Configure Group Policies (if you're running Windows 7 Pro) to lock down the computers as much as possible.
5 - Set up the watch folder system with Robocopy

I note you said the printing PCs are running Windows 2K and XP - are those 100% disconnected from the internet? In Windows XP Pro, you can use Software Restriction Policies (SRP) to prevent users from running programs and executables they're not allowed to: Hardening Windows XP with Software Restriction Policies. You could also set up SRP on Windows 7 Pro if you had it and wanted to. Also, make sure that the user account in XP is also a standard user, not an administrator.

Also, to help secure the XP machine, I would install and configure Microsoft EMET (Enhanced Mitigation Experience Toolkit). Whilst EMET is discontinued by Microsoft and no longer receives support as of last year, it still works fine on XP and allows you to enable security features that are now core in modern versions of Windows but didn't exist back when XP was released. You can download EMET here: Download Enhanced Mitigation Experience Toolkit (EMET) 5.5 from Official Microsoft Download Center and find more info here: Quickly Secure Your Computer With Microsoft’s Enhanced Mitigation Experience Toolkit (EMET).

Appreciate I'm throwing lots of information at you, so let me know if you want any more detail about anything in particular.
 
Hi, I'm back.

The WSUS updates completed and verified successfully, 6.52 GB which includes x86 and x64 Global (multilingual updates), updates for C++ and .NET frameworks and I selected Use 'security only updates' instead of 'quality rollups' due to some of the problems that rollups have caused.

WSUS offline unfortunately does not have the option to pause and resume the downloads. This was brought up on the WSUS Offline forum and Technet but I found this Trick on the internet to suspend and resume the wget process in Resource Monitor and it worked perfectly. I needed to pause and resume because the internet line drops out and needs to be restarted and also to recharge the data account.

I only hope that the updates do not cause problems. Last year on 18th June, this laptop suffered a BSOD after an update was incompatible with Macrium Reflect driver pssnaps.sys (there is a similar incomplete thread here in the forum). I tried for a week to fix the 500 GB HDD with online help, eventually giving up and using its parent, a 320 GB HDD from which it was cloned.

I am thrilled to hear that you are a Linux fan. I mentioned my desire to learn Linux in my introduction when I joined the forum so if we could do the script in Ubuntu Server, that might be an easier solution and a great learning experience.

The computers are not connected to the internet and they have lost the usb dongle modem that they had.

Thanks for the five-point checklist. I will use Windows Update to install any additional required patches after running WSUS.

The printing room computers with XP and Win2K run dedicated Fuji software that runs automatically on startup with the Fuji software GUI. The only way to get into the system settings is by using task manager to kill all the Fuji applications then the desktop becomes available so tampering is probably not an issue. The problems occur when malware gets into the hard disks.

I used to use EMET a few years ago but can't remember why I uninstalled it, probably due to a problem. I vaguely remember DEP, heap spray and problems that I had with Yahoo's website.

A researcher published a method to bypass it if I remember correctly. I will install it and let you know if I have any problems as it is not very user friendly.

I welcome all the info that you have provided and have been searching for more. I have read about the Unitrix Exploit and other ways that malware disguises itself.

I will be offline for some time as I will be setting up the computers.

Regards,

T_Tech
 
