I started sending out fake phishing emails to employees to learn who the random clickers were and help teach people to avoid bad emails and HTML links etc.
That's a brilliant idea. Consider it pilfered, thanks.
I wish I could set up all users on a guest account, but currently the way this company works, they need admin rights to install software on the road.
What we did is create a 'safe.exe' folder. So the user knows if they want to install something they have to put it in there to run it (only specific users have this folder). All other executables are blocked from everywhere on all Windows systems (except program files etc.) by group policy. What this means is the main mechanism of malware installation is blocked. Also, our firewall blocks all outbound connections not on port 80 (with specific exceptions), so even if malware does somehow run it never gets a chance to connect with its C'n'C. It's been a year since our last infection, on more than 100 Windows installations.
I'm still not letting this be the end of it, working for some time to get a NIDS operating smoothly enough to start the NIPS features.
Edited by TsVk!, 05 June 2014 - 07:09 PM.