Slashdot Mirror
Dealing With Laptops in a Business Network?
lanimreT asks: "Notebooks are a large problem for IT managers. They carry viruses and other malware back into the network and are less reliable than desktop PCs for more than one reason. Yet, every employee MUST have one for his job. How have other IT managers dealt with the various problems that notebooks create?"
Put your laptops on a DMZ-like subnet. Don't allow unrestricted access from that to the rest of the LAN. ie.: only allow them access to your servers and other necessary resources. If they don't need to access Bertha's PC in Accounts Receivables then block it.
Block spyware sites on your firewall and log it. If you see a laptop trying to get to $SPYWARESITE you know they've installed crap. Go remove it.
Make sure they have antivirus and antispyware stuff installed, up to date and running. A lot of people turn it off because "it slows my machine down"
Ideally you won't let them have admin access. Far too often laptops show up with Kazaa or other shit installed because they let their kids play with the machines at home. Bad move, it's company property with company information but many people think the other way around. Assuming you're the IT manager you should have every right to remove such crap. Check your policies first.
Very important: Make a log of everything you have to fix If and when you start to enforce policy you need hard data to back up your actions.
Trolling is a art,
Nip the virus problem in the bud: keep OSX up to date on all the laptops.
*ducks*
Direct away from face when opening.
There are just some risks that have to be accepted if you are going to do business. Other /.ers will hopefully point out all kinds of useful ways to mitigate the risks, and that is a good thing, but no system will ever be perfect. So there has to be some way to judge other than perfect-vs-flawed. Good approaches will strike a balance between letting people get things done, and having security. Don't assume you can get to perfection, but don't let that stop you from trying to make things better.
Make them use a VPN and personal firewall at all times. With broadband, thisis easier than ever. Sizing your VPN setup is the hardest part.
Seriously. Any IT manager worth his salt knows that Linux is infinetly more secure than Windows. Therefore, any IT manager who cares about his network and his job, would only deploy laptops with Linux on them. As far as the users are concerned, if they are too dumb to not learn Linux, they should be fired anyways.
Every employee needs a laptop?
:)
I work for a large company, my boss excidedly says, "Hey do you want to trade your desktop in for a laptop?" I sternly reply, "Hell No!" Confused he asks, "Well why not?" I respond, "Well, I don't want to work from home and I don't want to be responsible for a $2000 computer which isn't mine."
Now I have 4 desktops under my desk
it's a sig, wtf?
For malware, make sure that there are firm groupwide subscriptions to antivirus and spyware programs. Many of the good packages allow for mandatory updates, and they should be insisted upon in a corporate set up.
Actually, i think there is a configuration to allow it to make changes to a certain folder, ie, c:\data that will not be wiped on reboot. Lots of fun for viruses too.. Had a lab machine infected with something, (never did look), rebooted the pc, and the virus went away...
Faronics sells this.
What are we going to do tonight Brain?
I've been wondering if it would be feasible to lock the laptops WAY down (bare minimum of applications to connect) and have people use "Terminal Services" to operate an internal computer rather than having everything installed on the "remote" computer.
Seems like it would be easier to control and avoid problems that way (and if you use NomachineNX, you can use the same "terminal" client for VNC and X11 logins as well...)
Hacker Public Radio is our Friend
Just point out to the notebook users that they're working overtime from home for free.
Software sucks. Open Source sucks less.
Treat them like machines on the internet, since you have no control over the machine itself. (I've seen people reinstall the OS because they can't get their kid's game to play.)
Assume the machines have viruses and trojans, and spyware throught the wazoo.
Oh, have a policy that every 4 months, people have to turn in their machines in for maintenance and reassignment. They won't think of these machines as "theirs" and they won't install crap (like their palm-pilot synch software).
I'm still out on filesystem encryption. I think it does not really block determined hackers, especially if they have government funding.
Finally, the reason why people get paid good money to find solutions is that these problems are not trivial. Good luck.
"Piter, too, is dead."
Find out what the risks are and create an AUP (acceptable use policy) around the risks.
Get the users to sign the AUP.
put controls around the AUP - eg make sure the users can't install their own software and do this for then with LanDesk or similar. No use of IE, Firewall only etc etc..
This has got to be the stupidest suggestion yet: make it illegal to get a virus, and nobody will get a virus!
... well, do anything.
This AUP will crumble when someone wants to see something in Flash, or use a Pen Drive, or plug into their friend's printer, or
I want to delete my account but Slashdot doesn't allow it.
Posting as AC to protect my job, however our method is quite extensive, and the high-level details are worth sharing for others to learn from.
:-) Email can be accessed via web, Outlook/Evolution (ick) or Thunderbird via IMAP.
My company's (a large online e-tailer and book seller) approach involves several methods to protect remote machines and limit access.
For remote access, a customized platform agnostic VPN device (running an embedded linux) piggy-back's onto the laptop. The device is powered by the laptop's USB port, and acts as a firewall in addition to a VPN gateway. The device can connect to the internet either via it's built-in compact-flash wireless card (supports WEP or open wireless) or an ethernet connection. When the tunnel is down, the laptop is still well protected by said firewall. When the tunnel is up, all traffic is routed through the VPN tunnel, and subject to corporate firewall rules. The VPN device is tied to the laptop's MAC address, and will not work with any other machine unless reprovisioned by an admin with appropriate rights. The user must authenticate on the device (which updates credentials each time it connects) before access is granted internally, and only the provisioned user has access to login to the device. Three failed login attempts will delete the data on the device, rendering it useless to any theif, and requiring it to be reimaged by corporate IT. The only means of accessing corporate data from "the outside" is via this device or a direct dial-up. There is zero access to internal systems without either of these methods (not even webmail). Dial-up numbers cannot be modified by the user which prevents them from connecting to any random ISP.
I don't know if either connection is dropped into a DMZ for further protection, however the local VPN device does packet filter certain types of packets on the way out for extra measure.
On the software side, the machines (when running Windows of some sort) run an antivirus and policy enforcement suite which is maintained by a corporate server. Policies enforce encrpytion of the user's mydocs directory should the laptop be otherwise compromised. Policies also restrict the user from installing software that isn't deployed via SMS. Additionally, anti-spyware software is installed on the machine to allow IT to remove threats. Because users must connect to the corporate network to do most job functions, these tools remain fairly up-to-date.
To protect the laptop, user passwords are changed regularly and a strong password requirement is enforced in addition to a fairly long password history retention to prevent reuse. Usernames are not retained in the login screen. Laptop screens are forced to lock after a short amount of time to prevent unattended access.
For browsing, users are permitted either IE or Firefox, however most users prefer the latter
I'm not sure on the size of your company, but if your budget allows, this seems to be highly secure and admitedly, well thought out means of enforcing security and protecting networks.
Lock the sons of a bitches down hard. Don't allow the laptop user to install software. Don't allow them to run as an administrator account. Use policies to allow them to perform any administrative tasks that they might need, such as being able to change their IP address. Use a corporate-controlled firewall, preferably using a firewall that allows you to set a global policy and force it enabled. This is a host-based firewall, besides the actual corporate one to the Internet. Turn off all unecessary services. Enable anti-virus and don't allow users to disable it.
The real problem with laptops is that most IT departments treat them differently than they would a desktop. Don't. Don't give your laptop users administrative access, no matter how much they complain. It is your job to keep the machine in a usable state, no matter what they do to it, so don't allow them to do things that you know will break it.
At my workplace, all of these are enforced. The rules are so strict that you can be fired if you violate these rules. Each laptop comes with IT downloader that IT can push updates. Also, there is a list of banned software and hardware.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Require absolute standardization. Create a custom installation image similiar to the standard desktop installation including all utilities and software licenses required for the job. Do not give the users administrator rights to anything. Require them to hook the laptop up to the network every week or so to receive updates, patches, and submit to a system scan for unauthorized software and files.
If the system is determined to not meet company standards, give the employee a day to remove personal and work files, and then take the computer back to your IT cave, scrub the hard drive, and re-install the standard image from scratch before giving it back to the employee.
If the company has purchased the laptop, it must be very very clear that the laptop, and everything on it, belongs to the company, period. Policies like this will help keep "innocent" employees from accidentally bringing back something hazardous to the company network, and any employee savvy enough to work around the restrictions should also have the skillz to avoid undetected malware.
And if you have trouble employees who keep getting caught with unauthorized files, software, or who keep bringing back malware infested machines, your security policy and the measures required to circumvent the policies ought to be enough ammunition to support firing them for cause. Or at least confiscating their computer, locking their account, and demoting them to a job that doesn't require the use of a computer. Like janitor or something.
Make it very clear that as their job depends on them having access to a computer, and their access to a computer absolutely depends on them taking care of it and following company policy, if they do something to cause their network and computer privledges to be revoked then they will either be moved to a less technical job or released.
My company works in a very similiar fashion, except that we have the threat of jail time thrown in just for flavor. Guess what... Nobody f**ks with the IT guys and the very very few who violate policy and get caught become well publicized examples of how to ruin you life. Is installing that intardnet solitare game, or peeking at the porn site worth your job? How about worth half your salary for 3 months and a month in jail before you get fired? Well, most companies don't need to go that far, but the general idea that messing with the IT resources is dangerous to company survival is something that nobody will seriously consider unless the both the policies AND actions taken to enforce those policies are black and white. No questions askes, fail to bring in your laptop for a weekly update/scan and you lose compter network privledges until you comply. Fail to comply 3 times or get caught violating the rules 3 times, and lose privledges until reinstated by the appropriate company VP, board member, co-owner, whatever.
If you let people take advantage of the IT department, EVERYONE will bypass the rules. Sure, most slashdot readers could do that without causing harm and many could do it without any real risk of getting caught, but chances are that some of the policy breakers will be relatively incompetent and one single person can bring down the entire company, if the security compliance policies are not clearly defined and rigorously enforced, with real penalties for violations and repeat violators.
I've been on both ends of the corporate IT stick... Been beaten for sidestepping policy, and done the beating later on when it was my turn to enforce policy. There can't be any question in anyone's mind that the policies simply can't be broken without consequences, no exceptions.
Go ahead and do it differently, if you don't mind seeing your company on "CNN Money" next week as being the latest gropu who just let some intruder walk away with your customer database or all your company's proprietary info. Yea, that happened to my company too, with some stuff that had been outsouced. Sucks to know that access to my entire personal financial records have been stolen not once, not twice, but three times due to incompetent IT departments my company has outsourced to.
I work for a gov. agency that has a lot of laptop users. We also use Exchange/Outlook and have limited mailbox sizes to 150MB. The biggest problem that we have is that users want to store their Archive PST files on their laptop and then scream at us when their HD dies and they lose their old emails. It's a no win situation for us.. Management won't authorize more Exchange server space; if we force them to store their PST on a file server, they complain; if they lose a PST on a bad laptop HD they complain.
I'm thinking of implementing some type of VBS login script that will copy the PST to a file server. The problem with that is that PSTs can be big and it might take awhile to do the copy. I have to ensure it won't run when the user is on dialup or VPN. In addition, even if they are on the LAN, it will mean they can't use Outlook while it is copying.
Any suggestions!?!?!?
The problem with that is that PSTs can be big and it might take awhile to do the copy. I have to ensure it won't run when the user is on dialup or VPN.
This will just require you checking to see what subnet the laptop is currently on before copying. That's what my current systems do - it won't copy the files unless you are in the "office network" environment, based on the subnet.
Karnal
Well if it's anything other than a threat please tell me how you managed it?
SFAIK You cannot got to jail for a civil offense and and breach of contract is a civil offense, unless it's the government top secret part of the contract you breach.
thank God the internet isn't a human right.
I would suggest to the poster that ONLY company issued machines be allowed to ever connect to the company systems, in or outside the perimeter. The "locked down" bare bones configuration are standard practice with better defense contractors and large financial companies, especially brokerage firms...I know this from experience. SecurId two part logins through VPN that basically only let you access your desk top system and only as your employee identity tend limit unauthorized access. And be very careful with wireless. If it is tolerated at all, be darn sure users don't ever get a chance to work without encryption turned on.
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
I have never had a laptop at the IT places I worked.
First, if you want control of the laptops, be sure to set a bios password and disable booting from devices other than the hard disk. This will keep most people from installing their own operating system.
Second, if a machine gets really fucked up, you'll want to be able to fix it quickly. I suggest using disk images. You'll need to partition the disk drive so that you can re-image without wiping out the user's files. Remember that with NTFS, you can mount a partition in any empty folder. You know what to do with that Documents and Settings folder.
Third, how about giving everyone a shot at freedom?
At first, let the users have admin rights. Enforce only basic security precautions. Keep a log of problems with each employee's machine. But if Bob from accounting is doing a lot of Bad Things, escalate the security policy on his machine. Step one would probably be revoking administrator acess. If Bob keeps finding ways to screw things up, use your exclusive admin access to set up a more restrictive security policy. If Bob still finds ways to screw things up, you could use the Final Solution: DeepFreeze.
This is where the log would be very important. When Bob's boss comes to bitch about Bob "not being able to do his job", you can whip it out and show him that you've had twice as many problems with Bob's laptop than anyone else's. You'd also need to have an explicit AUP.
De-escalating policy if an employee shows signs of being more responsible would also be a good idea, and it would give them a reason to start caring about what they run on their machine.
Disclaimer: IANA sysadmin. I haven't tested this policy. It just sounded like a good compromise to me.
"The newly born animals are then whisked off for a quick run through a giant baking oven." --heard on Food Network
If you don't control the laptops, don't trust them to behave. Design your network and servers -- the things you can control -- with the idea that they can be 'attacked' from anywhere; Internet or intranet.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
Apparently no-one had an argument with this point :)
Now I have 4 desktops under my desk :)
Also known in my state (Wisconsin) as a personal space heater.
Is the question some form of backhanded astroturfing or what?
The question seems to be asking for what Microsoft calls Network Access Protection and Cisco calls Clean Access or Network access Control(NAC).
These technologies supposedly prevent network access unless the system meets the network's policy requirements. These requirements include user/system authorization, anti-virus, firewall, software, and many other criteria.
If the question is legitimate, it sounds like you would like a Cisco network with Windows Server 2003 and XP laptops. Slashdot heresy!!
P.S. Prepare to write VERY LARGE checks!
Notebooks logon via a seperate server, they have their own IP address range whenever on the network and their own DHCP server. The link between the notebook servers and the rest of the network is firewalled.
Ed Almos
Budapest, Hungary
The more corrupt the state, the more numerous the laws. - Tacitus, 56-120 A.D.
All these pathetic posts about locking down the (l)users make me want to hurl. You are trying to use technical means to solve a social problem, and IT WILL NOT WORK. And by the way, who the hell are you, to tell me what I do or don't need to use my computer for. Get over yourselves, you BOFH wannabes.
Your job is to provide me with the IT tools I need to do my job. Have all the policies you want, but the second those policies keep me from doing my job, they have to give way.
How about this? You give me admin access to my laptop so that the 15 year old proprietary crapola DOS based compilers and config software that I NEED TO DO MY DAMN JOB will run. In return I promise to take reasonable steps to keep my laptop spyware and virus free. I promise to keep it physically secure, and not let my kids use it.
If you lock down systems hard enough to keep Jane the receptionist from installing the happy kitten screensaver spyware, you will also keep Bob the engineer from downloading and installing the monitor software for the milling machine that just quit and has your main production line down.
Your job has conflicting requirements. Boo hoo, deal with it.
None of them can see the clouds; The polished wings don't care.
Bolt the laptops to the desks.
I work in my jobs IT Dept... and I use a laptop... my solution? I asked them for an Apple laptop. Never have to fuss about my wireless card, never have worries about viruses, never have to fret about updating... best thing that IT ever did for me.
FanFictionRecs.net