
On Tue, Feb 02, 2016 at 07:59:55AM -0500, Jason White wrote:
> Just wondering what is currently considered best practice for protecting a modern Microsoft Windows machine against malware and exploitation?
dunno, but in my experience, a lot of applications that require windows or specific versions of windows will run just fine on either wine or windows in virtualbox or vmware (vbox's and vmware's graphics support was better than kvm's last time i did this, but kvm's has improved greatly since and might be a viable option now). in fact, some that require specific versions of windows work better with wine (where you can set the version to "emulate") than on newer windows.

i'd be willing to bet that most of the XP apps that the hospital was depending on would work perfectly well in wine on linux or mac....much of it looks like fairly simple late-90s, early-2000s web apps from what i get to see on screen as a patient. the rest looks like nondescript windows apps.

even specialised scientific instruments work fine like this - i remember a few (brand-new, latest models, selling for many tens of thousands of dollars) instruments that absolutely required NT 2000 or something similarly ancient at a $previous_employer. we installed NT under vbox, gave it access to the right PCI-e etc ports, and it just worked. it was configured to boot vbox in full screen mode.

the idea was that a) it had no direct access to the rest of the network, the linux host acted as a firewall/bastion host, b) storage of capture data was to a samba share, so if it got compromised, we'd just blow away the NT vm and re-image it.

presumably the same can be done with many medical diagnostic instruments.

i don't think there is any product or specific procedures that will protect windows machines - you need skilled IT staff who know what they're doing and are able to come up with appropriate solutions for the task at hand.
I read an interesting article over the weekend: http://www.malwaretech.com/2015/09/device-guard-beginning-of-end-for.html
I really can't help reading anything to do with Microsoft and "Trusted Computing" as "hardware-enforced vendor lock-in". what they're doing may incidentally benefit some of their customers, but mostly it's misfeatures that benefit MS at the expense of their customers.

craig

-- 
craig sanders <cas@taz.net.au>
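The jailed-VM setup Craig describes (legacy Windows guest on a host-only network, the Linux host as the only thing it can reach, capture data written to a Samba share, VM re-imaged from a known-good image when suspect) can be scripted. The following is an added example, not code from the thread or from VirtualBox; the VM name "legacy-nt", interface vboxnet0, subnet 192.168.56.0/24, host address 192.168.56.1 and snapshot name "clean" are all assumed placeholders, and the guest is assumed to use a static address so no DHCP needs to pass the firewall.

```shell
#!/bin/sh
# Added example: isolate a legacy Windows VM on a Linux host the way the post
# describes. Hypothetical names below; adjust to your environment.
VM_NAME="${VM_NAME:-legacy-nt}"            # assumed VM name
HOSTONLY_IF="${HOSTONLY_IF:-vboxnet0}"     # assumed host-only interface
VM_SUBNET="${VM_SUBNET:-192.168.56.0/24}"  # assumed host-only subnet
HOST_ADDR="${HOST_ADDR:-192.168.56.1}"     # assumed host address on that subnet
SNAPSHOT="${SNAPSHOT:-clean}"              # assumed known-good snapshot name

# nftables ruleset that makes the host the bastion: the guest may reach the
# host's SMB ports only (139 for NT-era NetBIOS hosting, 445 for direct
# hosting); every other packet arriving from the host-only interface is
# dropped, and nothing is forwarded between that interface and the real LAN.
isolation_ruleset() {
    subnet="$1"; host="$2"; iface="$3"
    cat <<EOF
table inet vmjail {
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "$iface" ip saddr $subnet ip daddr $host tcp dport { 139, 445 } accept
        iifname "$iface" drop
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "$iface" drop
        oifname "$iface" drop
    }
}
EOF
}

# smb.conf share stanza: only the host-only subnet may write capture data,
# and the share lives on the host, outside the guest's reach after re-imaging.
samba_share_conf() {
    subnet="$1"
    cat <<EOF
[capture]
   path = /srv/capture
   hosts allow = $subnet
   hosts deny = ALL
   read only = no
EOF
}

# Put the guest's single NIC on the host-only interface (no bridge, no NAT).
vm_attach_hostonly() {
    VBoxManage modifyvm "$VM_NAME" --nic1 hostonly --hostonlyadapter1 "$HOSTONLY_IF"
}

# Take the known-good snapshot once the guest is installed and configured.
vm_take_baseline() {
    VBoxManage snapshot "$VM_NAME" take "$SNAPSHOT" --description "known-good image"
}

# "Blow away the VM and re-image it": hard power-off, roll back, restart.
vm_reimage() {
    VBoxManage controlvm "$VM_NAME" poweroff 2>/dev/null || true
    VBoxManage snapshot "$VM_NAME" restore "$SNAPSHOT"
    VBoxManage startvm "$VM_NAME" --type gui
}

# Usage: setup | firewall | reimage; with no argument just print the ruleset.
case "${1:-}" in
    setup)    vm_attach_hostonly && vm_take_baseline ;;
    firewall) isolation_ruleset "$VM_SUBNET" "$HOST_ADDR" "$HOSTONLY_IF" | nft -f - ;;
    reimage)  vm_reimage ;;
    *)        isolation_ruleset "$VM_SUBNET" "$HOST_ADDR" "$HOSTONLY_IF" ;;
esac
```

Run `setup` once after installing the guest, `firewall` on the host at boot (it needs root), and `reimage` whenever the guest is suspected compromised. The snapshot is the trust anchor here: anything the guest wrote to its own disk is discarded, while the capture data survives on the host's share.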