MessageLabs has reported seeing what could become a new twist in phishing scams. These emails contain a script that, once the email is opened, rewrites the hosts file to automatically redirect users to phishing sites when they attempt to visit legitimate banking sites.
The article advised protecting against this particular kind of attack by disabling Windows Scripting Host. However, if your users are technical people who need it for their day-to-day work, you don't have that luxury.
But you can change the hosts file to read-only and enforce it via Group Policy. Here is how:
- In Group Policy Management Console, create a new group policy.
- Go to Computer Configuration | Windows Settings | Security Settings | File System.
- Add the file: %SystemRoot%\system32\drivers\etc\hosts
- Change the permissions of the file to:

  | Type  | Name                   | Permission |
  |-------|------------------------|------------|
  | Allow | BUILTIN\Administrators | Read       |
  | Allow | NT AUTHORITY\SYSTEM    | Read       |
  | Allow | BUILTIN\Users          | Read       |

- Save and link this group policy to the desired OU accordingly.
Don't forget to enable security policy enforcement. Best practice is to define this as your baseline policy.
- In Group Policy Management Console again, create a new baseline group policy (or click on your baseline group policy if you already have one).
- Go to Computer Configuration | Administrative Templates | System | Group Policy.
- Click on Security policy processing.
- Select the Enabled radio button, and check the "Process even if the Group Policy objects have not changed" option.
- Save and link it to the desired OU accordingly.
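
To confirm on a client that the policy actually took effect, the hosts file ACL can be audited against the three read-only entries above. The script below is an added example, not part of the original post; the function name `Test-HostsAcl` is hypothetical, and it matches principals by their well-known SIDs rather than by display name.

```powershell
# Added example (not from the original post): audit the hosts file ACL
# against the read-only baseline described above.
$hostsPath = Join-Path $env:SystemRoot 'system32\drivers\etc\hosts'

# Well-known SIDs for the three principals in the policy; SIDs are used
# because the display names differ on localized Windows installs.
$expected = @{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-18'     = 'NT AUTHORITY\SYSTEM'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that allow changing the file's content, ACL or owner, plus the
# raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$fsMask    = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$writeMask = $fsMask -bor 0x40000000 -bor 0x10000000

function Test-HostsAcl {
    param([string]$Path = $hostsPath)

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl     = Get-Acl -LiteralPath $Path

    # Explicit and inherited rules, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $sid      = $ace.IdentityReference.Value
        $canWrite = ([int]$ace.FileSystemRights -band $writeMask) -ne 0

        # Report any ACE that can modify the file, and any principal
        # that is not one of the three listed in the policy.
        if ($canWrite -or -not $expected.ContainsKey($sid)) {
            [pscustomobject]@{
                Sid       = $sid
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                Finding   = if ($canWrite) { 'write-capable ACE' } else { 'unexpected principal' }
            }
        }
    }
}

Test-HostsAcl | Format-Table -AutoSize
```

No output means the ACL matches the baseline. Any row returned means the permissions have drifted and should be restored at the next policy refresh.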