Dealing With Laptops in a Business Network?

lanimreT asks: "Notebooks are a large problem for IT managers. They carry viruses and other malware back into the network and are less reliable than desktop PCs for more than one reason. Yet, every employee MUST have one for his job. How have other IT managers dealt with the various problems that notebooks create?"

Here's a start for you.

[grub]

Put your laptops on a DMZ-like subnet. Don't allow unrestricted access from that to the rest of the LAN. ie.: only allow them access to your servers and other necessary resources. If they don't need to access Bertha's PC in Accounts Receivables then block it.

Block spyware sites on your firewall and log it. If you see a laptop trying to get to $SPYWARESITE you know they've installed crap. Go remove it.

Make sure they have antivirus and antispyware stuff installed, up to date and running. A lot of people turn it off because "it slows my machine down"

Ideally you won't let them have admin access. Far too often laptops show up with Kazaa or other shit installed because they let their kids play with the machines at home. Bad move, it's company property with company information but many people think the other way around. Assuming you're the IT manager you should have every right to remove such crap. Check your policies first.

Very important: Make a log of everything you have to fix If and when you start to enforce policy you need hard data to back up your actions.

Re:Here's a start for you.

[karnal]

If you attempt to wipe the machines where I work, you shoot yourself in the foot.

At that point, if you want to install any work related software, you need to be a member of the domain/active directory. If not, you don't get connected, either while in the office or via VPN.

Of which, you can't install the necessary VPN software unless you are in the office, or we ship you a cd.

We haven't had anyone try to get around this yet. I think it's safe to say the people who work on them in my business realize they'd be down a lot harder if they tried to....

Deepfreeze

[QuantumRiff]

Great program, reboot your PC, and all changes are reset. It is so much fun to load Kazaa onto a computer, reboot it, and it is all gone.. Of course, you have to get them trained to save absolutely everything to a Pen drive..

Actually, i think there is a configuration to allow it to make changes to a certain folder, ie, c:\data that will not be wiped on reboot. Lots of fun for viruses too.. Had a lab machine infected with something, (never did look), rebooted the pc, and the virus went away...

Faronics sells this.

VPN, policies, etc.

Posting as AC to protect my job, however our method is quite extensive, and the high-level details are worth sharing for others to learn from.

My company's (a large online e-tailer and book seller) approach involves several methods to protect remote machines and limit access.

For remote access, a customized platform agnostic VPN device (running an embedded linux) piggy-back's onto the laptop. The device is powered by the laptop's USB port, and acts as a firewall in addition to a VPN gateway. The device can connect to the internet either via it's built-in compact-flash wireless card (supports WEP or open wireless) or an ethernet connection. When the tunnel is down, the laptop is still well protected by said firewall. When the tunnel is up, all traffic is routed through the VPN tunnel, and subject to corporate firewall rules. The VPN device is tied to the laptop's MAC address, and will not work with any other machine unless reprovisioned by an admin with appropriate rights. The user must authenticate on the device (which updates credentials each time it connects) before access is granted internally, and only the provisioned user has access to login to the device. Three failed login attempts will delete the data on the device, rendering it useless to any theif, and requiring it to be reimaged by corporate IT. The only means of accessing corporate data from "the outside" is via this device or a direct dial-up. There is zero access to internal systems without either of these methods (not even webmail). Dial-up numbers cannot be modified by the user which prevents them from connecting to any random ISP.

I don't know if either connection is dropped into a DMZ for further protection, however the local VPN device does packet filter certain types of packets on the way out for extra measure.

On the software side, the machines (when running Windows of some sort) run an antivirus and policy enforcement suite which is maintained by a corporate server. Policies enforce encrpytion of the user's mydocs directory should the laptop be otherwise compromised. Policies also restrict the user from installing software that isn't deployed via SMS. Additionally, anti-spyware software is installed on the machine to allow IT to remove threats. Because users must connect to the corporate network to do most job functions, these tools remain fairly up-to-date.

To protect the laptop, user passwords are changed regularly and a strong password requirement is enforced in addition to a fairly long password history retention to prevent reuse. Usernames are not retained in the login screen. Laptop screens are forced to lock after a short amount of time to prevent unattended access.

For browsing, users are permitted either IE or Firefox, however most users prefer the latter :-) Email can be accessed via web, Outlook/Evolution (ick) or Thunderbird via IMAP.

I'm not sure on the size of your company, but if your budget allows, this seems to be highly secure and admitedly, well thought out means of enforcing security and protecting networks.