LinuxQuestions.org
LinuxQuestions.org > Forums > Non-*NIX Forums > General
Old 09-06-2008, 09:55 PM   #1
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Rep: Reputation: 60
Virus/Spyware/Malware MS Network/Linux to the Rescue


This Microsoft network has been hit by spyware and viruses and I am battling to keep it afloat. They are using MS 2003 Server R2 (backbone OS) as their main operating system and XP as their workstations. They do not have any policies on the desktop and they allow all of their users to go to any site that they want without restriction. The website was also hacked and is being hosted outside of their network. There are two subnets, one private and one for their clients. They are separated only by VLANs. They have one MS server that connects to both subnets. Here is a picture of the network:

PHP Code:
T1/ISP Router                         DSL/Router
   |                                         |
   |                                         |
Cisco 2811 router            Dell Switch-----Dlink Switch----Dlink Switch
   |                                         |
   |                                         |
3com Switch/Dell Switch                      | VLAN 10/192.168.5.0
   |                                         |
   |
VLAN 2/192.168.3.0                           |
   |                                         |
MS Backbone Servers--------MS Server---------------------Guests
   |
   |
LAN
Their current issues are:

I have looked at the routers and there was a bandwidth mismatch that was causing issues, but they are still having drops via the internet.
The web browser constantly drops (http-80). I believe the virus and/or spyware has something to do with this. They are using Trend Micro anti-virus and it is having trouble removing all of the garbage. In addition to the web browser, several Xerox multifunction centers connected to the LAN, where users scan documents which are then sent to the mail server so that they can be read via Outlook, keep dropping. There are random issues on this network. I have used Wireshark to look at the traffic and all I can get out of it is that I am able to view the traffic path, the protocols used and where the packets are dropping, mostly 80 and 8080. I have scanned the firewall using nmap and I can only see that they have 80 and 443 open to the public. I would like to implement Squid and filter web sites. Also I would like to implement a firewall.

My questions are:

1 - What would be the best way, looking at my diagram above, to secure this network, and could the spyware and viruses be the root of the issue for the internet dropping? I was told that it has been this way for a long time.

2 - Would Squid be an appropriate solution for a Windows-based network, and will it require a special configuration for this type of setup? Can someone also recommend a decent open-source web filter other than DansGuardian? I need something more robust.

3 - I need a network monitoring tool that is able to look at NetFlow traffic, has good mapping, and is just decent overall. I have looked at Zenoss. Any other recommendations?

4 - Would this be a decent approach for security?

PHP Code:
T1/ISP Router                         DSL/Router
   |                                         |
   |                                         |
Cisco 2811 router            Dell Switch-----Dlink Switch----Dlink Switch
   |--------------------------DMZ------------|
   |                                         |
3com Switch/Dell Switch                      | VLAN 10/192.168.5.0
   |                                         |
   |
VLAN 2/192.168.3.0                           |
   |                                         |
MS Backbone Servers                       Guests
   |
   |
LAN
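As an added illustration for question 2, and not part of the original thread: a minimal Squid ACL configuration, constructed here, that fits the two subnets shown in the diagrams. The subnet addresses are taken from the diagrams; the listening port, the blocklist file path and the log path are assumptions.

```squid
# Constructed example squid.conf fragment (not from the thread).
# Assumes Squid runs on a Linux host reachable from both VLANs on port 3128
# and that /etc/squid/blocked_domains.txt holds one domain per line.

# Source networks, taken from the diagrams in the first post
acl localnet src 192.168.3.0/24   # VLAN 2: staff workstations and servers
acl guests   src 192.168.5.0/24   # VLAN 10: guest network

# Only let the proxy reach ordinary web ports (80/8080 are the ports
# the first post sees dropping, 443 is needed for HTTPS via CONNECT)
acl SSL_ports  port 443
acl Safe_ports port 80 443 8080
acl CONNECT    method CONNECT

# Domain blocklist (assumed path); entries such as ".example.org"
# also match every subdomain of the listed name
acl blocked_domains dstdomain "/etc/squid/blocked_domains.txt"

# Order matters: the first matching http_access line wins
http_access deny  !Safe_ports
http_access deny  CONNECT !SSL_ports
http_access deny  blocked_domains
http_access allow localnet
http_access allow guests
http_access deny  all

http_port 3128
access_log /var/log/squid/access.log squid
```

The Windows side needs no special Squid build: the workstations are simply pointed at the proxy through Internet Explorer's connection settings, which can be pushed with Group Policy. The setup only bites once the perimeter firewall allows outbound 80/443 from the proxy host alone, because then no workstation has a direct path to the internet and every request appears in access.log; that log is also where an infected machine that keeps re-contacting the same outside host becomes visible.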
 
Old 09-06-2008, 10:05 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Because this question deals primarily with securing a Windows network, I'm gonna move it to General. I will help you out a bit by leaving a redirect in Security for a week, though.
 
Old 09-07-2008, 07:49 PM   #3
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,649
Blog Entries: 4

Rep: Reputation: 3934
As I read this posting, I am very curious about how "malware and viruses" figure into this.

The single most important factor in administering any network (of whatever type...) is permissions. Users should be "ordinary, limited users," and their access to every resource (particularly the registry and global system files) must be controlled. (They should have access to "their own stuff" and nothing more.)

In my experience, when you flush-away the "it's more 'convenient' to be Administrators or Power Users" mentality, and you identify the shared resources and assign appropriate permissions to each, "problems like this scenario 'go away' for good."

Windows often gets a bad rap for being "intrinsically insecure" when it actually possesses a security architecture that is rather baroque and over-engineered. The real problem is that "all that protection is turned off!"

Meanwhile... because of this bad rap, lots of folks erroneously assume that "it must be 'a virus.'" Yet, as I read your posting, comments like "they are stil having drops via the internet. The web browser constantly drops(http-80)-I believe the virus and or spyware has something to do with this." really stand out. Unless you can clearly articulate a defensible reason why "viruses and/or spyware" could possibly have any relevance to the problem.

This world is full of "red herrings," and "viruses and/or spyware" have become the ultimate distracting-fish. Messrs. Norton and McAfee have done nothing to discourage this idea...
 
Old 09-07-2008, 11:30 PM   #4
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
Quote:
In my experience, when you flush-away the "it's more 'convenient' to be Administrators or Power Users" mentality, and you identify the shared resources and assign appropriate permissions to each, "problems like this scenario 'go away' for good."
Excellent response. What I forgot to add was that they are using Trend Micro Worry-Free Business Advanced Security and have now gotten the virus and spyware under control. I have never seen a network so infested with so many different types of viruses and spyware on all of the machines in this network. Every last machine, including the servers. You made an excellent point about needing a restricted policy on the desktops; basically the users can do whatever they want, anywhere from browsing whatever website they want to view to loading whatever they want on the desktop. Many thanks
 
Old 09-08-2008, 08:41 AM   #5
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,649
Blog Entries: 4

Rep: Reputation: 3934
Thanks.

The essential problem (as I tell clients) is: "The computer is just a machine. It does not know who 'you' are, unless you tell it. Even so, it will execute whatever instructions 'you' give it, whether you knew what was happening or intended for it to be doing so. It does not know what to do, but it can rigorously enforce rules about what not to do."

So...
  1. Lock the doors and keep them locked.
  2. Give different keys to different people (or even to yourself...) according to their needs and responsibilities.
  3. Make backups, automatically.
  4. Be reasonably skeptical. Not paranoid, just skeptical.
  5. If anyone or anything urges you to do something, don't.
A whole lot of marketing went into the notion of "a virus," because biologically speaking a virus is something that you can "catch" and the only thing you can do about it is either prevention or cure. But: a computer is a machine, not a biological organism.
 
Old 09-08-2008, 02:24 PM   #6
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
Would you happen to know of any links explaining exactly what you have explained to me, to show to my client? I have done a Google search and only seen vague material.
 