Dealing With Laptops in a Business Network?
lanimreT asks: "Notebooks are a large problem for IT managers. They carry viruses and other malware back into the network and are less reliable than desktop PCs for more than one reason. Yet, every employee MUST have one for his job. How have other IT managers dealt with the various problems that notebooks create?"
The laptops at work come locked down and you can't do anything until a tech visits. Rather than wait for days until a tech comes, some people wipe the drive and reinstall Windows, thus negating any benefit of locking the machine down in the first place.
The moral of the story is if you have access to the hardware, then the machine isn't really locked down.
*sigh* back to work...
Where I work, we've found it helpful to have multiple domains with different policies. All the developers have access to the MAINDEV domain, and they have administrative rights to those workstations. There's also a MAINTEST domain where developers have mid-level access, and then MAINPROD, which is the corporate network - on this, developers are just like anyone else, with limited rights. Each of the domains is on its own physical subnet with firewalls between them. For example, a developer can TS into his MAINDEV workstation from his MAINPROD workstation, but not transfer files. In fact, we keep all the development machines physically under lock and key as part of the server farm and require TS/Raritan for any type of console access. When push comes to shove, there's a web interface for rebuilding DEV and TEST workstations.
As for apps required on the main corporate domain, there's a small group of people who are full-time dedicated to scripting apps and their related plug-ins. Access to the apps is controlled strictly by AD groups, which is good because it then forces the install script to run as opposed to the user configuring as they see fit. At the same time, it also gives us license compliance. Regular workstation scans are run at random intervals to compare the applications that each workstation reports as installed to the Active Directory groups that the user is a member of. Any difference is sent to an administrator who will remotely access the workstation and assess the situation. If it turns out there is unauthorized software, the user is booted immediately from the machine and their user ID is locked out until they call the help desk. At that point, there's a procedure to go through where someone has to come out and reimage your machine, no questions asked.
As to the idea of employees rebuilding their machines, any machine that attempts to connect to a network segment is checked to see if it is a member of the domain it is trying to get an IP address on. If the answer is NO, it is investigated. Hooking an unauthorized PC to any network segment is an immediate termination situation - I've seen it enforced many times, and on people who are "too important" to be bothered by such policy drivel.
Getting the OK for this policy was easy - the costs of unauthorized software, from license compliance costs to the potential for employee/company downtime, were presented to the Board of Directors and they directed the CEO to adopt the policy, in full. It also worked well that the policy was sold at about the time that SOX was coming in as the latest buzzword, so it really was an easy sell.
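The "installed apps vs. AD groups" comparison in the post above, as an added example (not the poster's own scripts): the inventory rows and the group-to-application mapping are constructed stand-ins for what the SMS inventory and an LDAP group lookup would supply, and the group names, users and product names are made up.

```python
"""Installed-software vs. Active Directory group compliance diff.

Added example, not the poster's scripts: the inventory rows and the
group-to-application mapping below are constructed stand-ins for what SMS
and an LDAP group lookup would supply.
"""
import csv
import io

# Constructed: each AD application group entitles a set of product names as
# they appear in the workstation inventory.
GROUP_ENTITLEMENTS = {
    "APP-Baseline": {"Symantec AntiVirus", "Adobe Reader"},
    "APP-Office":   {"Microsoft Office 2003"},
    "APP-Visio":    {"Microsoft Visio 2003"},
}

# Constructed: user -> AD groups the user is a member of.
USER_GROUPS = {
    "jsmith": {"APP-Baseline", "APP-Office"},
    "akumar": {"APP-Baseline", "APP-Office", "APP-Visio"},
}

# Constructed inventory report: one row per installed application.
# WS-0420 belongs to a user with no application groups at all.
INVENTORY_CSV = """workstation,user,application
WS-0412,jsmith,Symantec AntiVirus
WS-0412,jsmith,Adobe Reader
WS-0412,jsmith,Microsoft Office 2003
WS-0412,jsmith,KaZaA
WS-0419,akumar,Symantec AntiVirus
WS-0419,akumar,Microsoft Office 2003
WS-0419,akumar,Microsoft Visio 2003
WS-0420,mlee,Symantec AntiVirus
"""


def entitled_apps(user):
    """Expand a user's AD group memberships into the applications they are allowed."""
    apps = set()
    for group in USER_GROUPS.get(user, ()):
        apps |= GROUP_ENTITLEMENTS.get(group, set())
    return apps


def installed_apps(csv_text):
    """Group inventory rows by workstation -> (user, set of installed applications)."""
    by_ws = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        _user, apps = by_ws.setdefault(row["workstation"], (row["user"], set()))
        apps.add(row["application"])
    return by_ws


def compliance_diff(csv_text):
    """Return only the workstations whose installed set differs from the entitled set.

    'unauthorized' = installed but not granted by any group the user is in
                     (the case that triggers the lockout/reimage procedure);
    'missing'      = granted by a group but not reported as installed
                     (install script has not run, or the report is stale).
    A user with no group memberships gets everything flagged rather than a
    silent pass, which is the safe failure mode for a compliance check.
    """
    report = {}
    for ws, (user, installed) in installed_apps(csv_text).items():
        entitled = entitled_apps(user)
        unauthorized = installed - entitled
        missing = entitled - installed
        if unauthorized or missing:
            report[ws] = {"user": user, "unauthorized": unauthorized, "missing": missing}
    return report


if __name__ == "__main__":
    for ws, finding in compliance_diff(INVENTORY_CSV).items():
        print(ws, finding)
```

Only the discrepancies come back, so the administrator's queue contains exactly the machines worth a remote look; anything in `unauthorized` is the trigger for the lockout described in the post, while `missing` is a hint that the group-driven install script never ran.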
I'd be interested to know what software you use to perform all this. Any chance of telling? :)
Nothing fancy actually - it's pretty much all Active Directory, SMS, and Perl scripting. Some strategically placed network probes on the DHCP server allow us to listen for incoming DHCP requests, and the response with the IP address allocated. A filter with event-handling logic runs on the probe, which then calls a Perl script to run an NBTSTAT against the computer to see what it's a member of and do an LDAP lookup to see that the workstation name is in one of the official AD OUs. The script has the ability to manage the switch and shut down ports, send emails, etc.
I'm not entirely sure of how exactly it's all accomplished since that's a different area of my department, but I know the 10,000 foot view. I do not know what network filtering software they're using for the sniffer probe. Really, the trick is effective use of Group Policy, and the grunts to physically back it up (that is, enforcing the policy outside the computer world - the guys who make visits to you and your manager for violators, etc). As to the different physical segments for the network, that's as simple as having the electricians run extra Cat5 to a different patch panel in a different room and then connecting the different segments via Stonegate firewalls.
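The DHCP-triggered check described in the reply above, as an added example that is not the poster's Perl script: it reproduces the decision logic (NBTSTAT to see what domain the host claims, then an LDAP lookup of the workstation name against the official OUs) over constructed inputs. The `nbtstat -A` outputs, the OU names and the name-to-DN table are made up, and the switch-port shutdown and email are returned as a verdict rather than executed.

```python
"""Rogue-host check fired from a DHCP lease event.

Added example, not the poster's Perl script. The `nbtstat -A` outputs and
the AD name->DN table below are constructed; a real script would run
nbtstat against the leased IP, query LDAP, and act on the switch port.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed policy for one segment: which domain may be on it, and the OUs
# (as DNs) that hold legitimate workstation accounts.
ALLOWED_DOMAINS = {"MAINPROD"}
OFFICIAL_WORKSTATION_OUS = ["OU=Workstations,DC=mainprod,DC=example,DC=com"]

# Constructed stand-in for the LDAP search: computer name -> distinguishedName.
AD_COMPUTERS = {
    "WS-0412": "CN=WS-0412,OU=Finance,OU=Workstations,DC=mainprod,DC=example,DC=com",
    "WS-OLD9": "CN=WS-OLD9,OU=Retired,DC=mainprod,DC=example,DC=com",
}

# Constructed samples in the shape of `nbtstat -A <ip>` output.
LEGIT = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
WS-0412        <00>  UNIQUE      Registered
MAINPROD       <00>  GROUP       Registered
WS-0412        <20>  UNIQUE      Registered
"""
# A freshly reinstalled laptop: the domain name typed in as its workgroup,
# so NBTSTAT looks right, but no computer account exists for it.
REINSTALLED = LEGIT.replace("WS-0412", "FREEBOX")
WORKGROUP = LEGIT.replace("MAINPROD", "WORKGROUP")
RETIRED = LEGIT.replace("WS-0412", "WS-OLD9")
NO_TABLE = "Host not found.\n"


def parse_nbtstat(output):
    """Return (computer name, domain/workgroup) from an nbtstat name table.

    The <00> UNIQUE entry is the machine name; the <00> GROUP entry is the
    domain or workgroup the host claims. Either may be None.
    """
    name = domain = None
    for line in output.splitlines():
        m = re.match(r"\s*(\S+)\s+<00>\s+(UNIQUE|GROUP)\s+Registered", line)
        if m and m.group(2) == "UNIQUE":
            name = m.group(1)
        elif m:
            domain = m.group(1)
    return name, domain


def in_official_ou(dn):
    """True if the account's DN sits in, or under, an official workstation OU."""
    return any(dn.upper().endswith(ou.upper()) for ou in OFFICIAL_WORKSTATION_OUS)


@dataclass
class Verdict:
    ip: str
    name: Optional[str]
    domain: Optional[str]
    action: str   # "allow" or "shutdown_port"
    reason: str


def check_lease(ip, nbtstat_output, ad_lookup=AD_COMPUTERS.get):
    """Decide what to do with a host that has just been handed `ip`."""
    name, domain = parse_nbtstat(nbtstat_output)
    if name is None:
        return Verdict(ip, None, None, "shutdown_port", "no NetBIOS name table")
    if domain not in ALLOWED_DOMAINS:
        return Verdict(ip, name, domain, "shutdown_port", f"not a member of an allowed domain: {domain}")
    # The GROUP name is self-reported, so a workgroup named like the domain
    # passes the first check; the directory is the authority.
    dn = ad_lookup(name)
    if dn is None:
        return Verdict(ip, name, domain, "shutdown_port", "no computer account in AD")
    if not in_official_ou(dn):
        return Verdict(ip, name, domain, "shutdown_port", f"account outside official OUs: {dn}")
    return Verdict(ip, name, domain, "allow", "domain member with account in an official OU")


if __name__ == "__main__":
    for ip, out in [("10.1.5.23", LEGIT), ("10.1.5.77", WORKGROUP),
                    ("10.1.5.78", REINSTALLED), ("10.1.5.79", RETIRED), ("10.1.5.80", NO_TABLE)]:
        v = check_lease(ip, out)
        print(f"{v.ip:12} {v.action:14} {v.reason}")
```

The two-stage check matters because NBTSTAT only reports what the host says about itself: a wiped-and-reinstalled laptop whose workgroup was set to the domain name looks like a member until the LDAP lookup shows there is no computer account for it. The OU test is a suffix match on the DN, so accounts in sub-OUs under the official container are accepted while a stale account parked elsewhere in the directory is not.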