Dealing With Laptops in a Business Network?
lanimreT asks: "Notebooks are a large problem for IT managers. They carry viruses and other malware back into the network and are less reliable than desktop PCs for more than one reason. Yet, every employee MUST have one for his job. How have other IT managers dealt with the various problems that notebooks create?"
Put your laptops on a DMZ-like subnet. Don't allow unrestricted access from that to the rest of the LAN, i.e., only allow them access to your servers and other necessary resources. If they don't need to access Bertha's PC in Accounts Receivable then block it.
Block spyware sites on your firewall and log it. If you see a laptop trying to get to $SPYWARESITE you know they've installed crap. Go remove it.
Make sure they have antivirus and antispyware stuff installed, up to date and running. A lot of people turn it off because "it slows my machine down".
Ideally you won't let them have admin access. Far too often laptops show up with Kazaa or other shit installed because they let their kids play with the machines at home. Bad move, it's company property with company information but many people think the other way around. Assuming you're the IT manager you should have every right to remove such crap. Check your policies first.
Very important: Make a log of everything you have to fix. If and when you start to enforce policy you need hard data to back up your actions.
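The two controls above (a laptop subnet that can reach only named servers, and a firewall that blocks and logs spyware sites so an infected laptop shows up in the logs) can be expressed as a small policy-and-detection script. This is an added example, not code from the post or from any product it mentions; the subnets, server addresses, blocklisted domains and log line format are all constructed placeholders.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed for this example: the laptop subnet, the servers laptops may
# reach, and the blocklisted domains are placeholders, not real values.
LAPTOP_SUBNET = ipaddress.ip_network("10.50.0.0/24")
ALLOWED_INTERNAL = [
    ipaddress.ip_network("10.1.0.10/32"),   # file server
    ipaddress.ip_network("10.1.0.20/32"),   # mail server
]
INTERNAL_RANGE = ipaddress.ip_network("10.0.0.0/8")
SPYWARE_DOMAINS = {"example-spyware.test", "ads.example-adware.test"}

# Constructed log format: "<timestamp> src=<ip> dst=<ip or hostname> action=<allow|deny>"
LOG_RE = re.compile(r"^(\S+)\s+src=(\S+)\s+dst=(\S+)\s+action=(\S+)$")

# Constructed sample log: one laptop probing a desktop it has no business
# reaching, another laptop talking to two blocklisted domains, and a desktop
# (not in the laptop subnet) hitting a blocklisted domain for comparison.
SAMPLE_LOG = """\
2005-03-01T09:00:01 src=10.50.0.17 dst=10.1.0.10 action=allow
2005-03-01T09:00:05 src=10.50.0.17 dst=10.1.0.77 action=deny
2005-03-01T09:01:12 src=10.50.0.23 dst=example-spyware.test action=deny
2005-03-01T09:01:30 src=10.1.0.5 dst=example-spyware.test action=deny
2005-03-01T09:02:00 src=10.50.0.23 dst=ads.example-adware.test action=deny
"""


def laptop_policy_verdict(src: str, dst: str) -> str:
    """Decide what the laptop-subnet firewall does with one flow.

    Laptops may reach the listed servers and anything outside the internal
    range (the Internet). Any other internal address, such as a desktop in
    Accounts Receivable, is denied. Flows not from the laptop subnet are
    out of scope for this rule set and are reported as such.
    """
    src_ip = ipaddress.ip_address(src)
    if src_ip not in LAPTOP_SUBNET:
        return "not-laptop"
    try:
        dst_ip = ipaddress.ip_address(dst)
    except ValueError:
        return "allow"      # hostname: Internet-bound, the domain blocklist handles it
    if dst_ip not in INTERNAL_RANGE:
        return "allow"
    if any(dst_ip in net for net in ALLOWED_INTERNAL):
        return "allow"
    return "deny"


def find_suspect_laptops(log_text: str) -> dict:
    """Return {laptop_ip: {"spyware": [domains], "lateral": count}}.

    Only sources inside the laptop subnet are reported: a laptop that tries
    a blocklisted domain has something installed that needs removing, and a
    laptop denied by the subnet policy is probing hosts it should not see.
    """
    report = defaultdict(lambda: {"spyware": set(), "lateral": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue                        # skip lines that do not parse
        _ts, src, dst, action = m.groups()
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            continue
        if src_ip not in LAPTOP_SUBNET:
            continue
        if dst in SPYWARE_DOMAINS:
            report[src]["spyware"].add(dst)
        elif action == "deny" and laptop_policy_verdict(src, dst) == "deny":
            report[src]["lateral"] += 1
    return {ip: {"spyware": sorted(v["spyware"]), "lateral": v["lateral"]}
            for ip, v in report.items()}


if __name__ == "__main__":
    for ip, findings in sorted(find_suspect_laptops(SAMPLE_LOG).items()):
        print(ip, findings)
```

Run against a real firewall export, the `spyware` list tells you which machines to go and clean, and `lateral` counts give the hard data the post asks you to keep for when policy enforcement starts.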
Nip the virus problem in the bud: keep OSX up to date on all the laptops.
*ducks*
There are just some risks that have to be accepted if you are going to do business. Other /.ers will hopefully point out all kinds of useful ways to mitigate the risks, and that is a good thing, but no system will ever be perfect. So there has to be some way to judge other than perfect-vs-flawed. Good approaches will strike a balance between letting people get things done, and having security. Don't assume you can get to perfection, but don't let that stop you from trying to make things better.
Make them use a VPN and personal firewall at all times. With broadband, this is easier than ever. Sizing your VPN setup is the hardest part.
Every employee needs a laptop?
:)
I work for a large company. My boss excitedly says, "Hey, do you want to trade your desktop in for a laptop?" I sternly reply, "Hell no!" Confused, he asks, "Well, why not?" I respond, "Well, I don't want to work from home and I don't want to be responsible for a $2000 computer which isn't mine."
Now I have 4 desktops under my desk
it's a sig, wtf?
For malware, make sure that there are firm groupwide subscriptions to antivirus and spyware programs. Many of the good packages allow for mandatory updates, and they should be insisted upon in a corporate set up.
Actually, I think there is a configuration to allow it to make changes to a certain folder, i.e. c:\data, that will not be wiped on reboot. Lots of fun for viruses too. Had a lab machine infected with something (never did look), rebooted the PC, and the virus went away...
Faronics sells this.
I've been wondering if it would be feasible to lock the laptops WAY down (bare minimum of applications to connect) and have people use "Terminal Services" to operate an internal computer rather than having everything installed on the "remote" computer.
Seems like it would be easier to control and avoid problems that way (and if you use NomachineNX, you can use the same "terminal" client for VNC and X11 logins as well...)
Just point out to the notebook users that they're working overtime from home for free.
Treat them like machines on the internet, since you have no control over the machine itself. (I've seen people reinstall the OS because they can't get their kid's game to play.)
Assume the machines have viruses and trojans, and spyware through the wazoo.
Oh, have a policy that every 4 months, people have to turn in their machines in for maintenance and reassignment. They won't think of these machines as "theirs" and they won't install crap (like their palm-pilot synch software).
I'm still out on filesystem encryption. I think it does not really block determined hackers, especially if they have government funding.
Finally, the reason why people get paid good money to find solutions is that these problems are not trivial. Good luck.
Find out what the risks are and create an AUP (acceptable use policy) around the risks.
Get the users to sign the AUP.
Put controls around the AUP, e.g. make sure the users can't install their own software and do this for them with LanDesk or similar. No use of IE, firewall only, etc.
That's a very elitist attitude. What about the people in marketing and sales who are likely to be clueless about computers have to learn something totally new to them? If they aren't a serious computer geek, they get fired?
I don't know what kind of world you think we live in, but Linux is not for everyone. Period. It has a wonderful place in the server world, and for some desktop users who really are into computers, but for your average sales drone, it has no place.
People will use what they're familiar with, and if you try to teach them something new, they will be very reluctant to learn it.
Also, what about central administration of the system? With Linux that's nearly impossible to do for anything other than users and groups. Try rolling out patches and security fixes to 1000 Linux computers in one swipe. That's pretty much impossible to do. On the other hand, Microsoft's Active Directory does a wonderful job of this, as does Apple's Remote Desktop. I've yet to see anything in Linux that even comes close to this functionality.
Another feature that you won't find in a Linux environment that's very important to corporations is Exchange. People want their shared calendars, people want their central user directory, and people want to be able to simply type in a person's name to send them an email, instead of remembering a full email address.
This has got to be the stupidest suggestion yet: make it illegal to get a virus, and nobody will get a virus!
... well, do anything.
This AUP will crumble when someone wants to see something in Flash, or use a Pen Drive, or plug into their friend's printer, or
Posting as AC to protect my job, however our method is quite extensive, and the high-level details are worth sharing for others to learn from.
:-) Email can be accessed via web, Outlook/Evolution (ick) or Thunderbird via IMAP.
My company's (a large online e-tailer and book seller) approach involves several methods to protect remote machines and limit access.
For remote access, a customized platform-agnostic VPN device (running an embedded Linux) piggy-backs onto the laptop. The device is powered by the laptop's USB port, and acts as a firewall in addition to a VPN gateway. The device can connect to the internet either via its built-in compact-flash wireless card (supports WEP or open wireless) or an ethernet connection. When the tunnel is down, the laptop is still well protected by said firewall. When the tunnel is up, all traffic is routed through the VPN tunnel, and subject to corporate firewall rules. The VPN device is tied to the laptop's MAC address, and will not work with any other machine unless reprovisioned by an admin with appropriate rights. The user must authenticate on the device (which updates credentials each time it connects) before access is granted internally, and only the provisioned user has access to log in to the device. Three failed login attempts will delete the data on the device, rendering it useless to any thief, and requiring it to be reimaged by corporate IT. The only means of accessing corporate data from "the outside" is via this device or a direct dial-up. There is zero access to internal systems without either of these methods (not even webmail). Dial-up numbers cannot be modified by the user, which prevents them from connecting to any random ISP.
I don't know if either connection is dropped into a DMZ for further protection, however the local VPN device does packet filter certain types of packets on the way out for extra measure.
On the software side, the machines (when running Windows of some sort) run an antivirus and policy enforcement suite which is maintained by a corporate server. Policies enforce encryption of the user's My Documents directory should the laptop be otherwise compromised. Policies also restrict the user from installing software that isn't deployed via SMS. Additionally, anti-spyware software is installed on the machine to allow IT to remove threats. Because users must connect to the corporate network to do most job functions, these tools remain fairly up to date.
To protect the laptop, user passwords are changed regularly and a strong password requirement is enforced in addition to a fairly long password history retention to prevent reuse. Usernames are not retained in the login screen. Laptop screens are forced to lock after a short amount of time to prevent unattended access.
For browsing, users are permitted either IE or Firefox; however, most users prefer the latter.
I'm not sure of the size of your company, but if your budget allows, this seems to be a highly secure and, admittedly, well thought out means of enforcing security and protecting networks.
Lock the sons of bitches down hard. Don't allow the laptop user to install software. Don't allow them to run as an administrator account. Use policies to allow them to perform any administrative tasks that they might need, such as being able to change their IP address. Use a corporate-controlled firewall, preferably one that allows you to set a global policy and force it enabled. This is a host-based firewall, besides the actual corporate one to the Internet. Turn off all unnecessary services. Enable anti-virus and don't allow users to disable it.
The real problem with laptops is that most IT departments treat them differently than they would a desktop. Don't. Don't give your laptop users administrative access, no matter how much they complain. It is your job to keep the machine in a usable state, no matter what they do to it, so don't allow them to do things that you know will break it.
At my workplace, all of these are enforced. The rules are so strict that you can be fired if you violate these rules. Each laptop comes with IT downloader that IT can push updates. Also, there is a list of banned software and hardware.
Require absolute standardization. Create a custom installation image similar to the standard desktop installation, including all utilities and software licenses required for the job. Do not give the users administrator rights to anything. Require them to hook the laptop up to the network every week or so to receive updates and patches, and submit to a system scan for unauthorized software and files.
If the system is determined to not meet company standards, give the employee a day to remove personal and work files, and then take the computer back to your IT cave, scrub the hard drive, and re-install the standard image from scratch before giving it back to the employee.
If the company has purchased the laptop, it must be very very clear that the laptop, and everything on it, belongs to the company, period. Policies like this will help keep "innocent" employees from accidentally bringing back something hazardous to the company network, and any employee savvy enough to work around the restrictions should also have the skillz to avoid undetected malware.
And if you have trouble employees who keep getting caught with unauthorized files, software, or who keep bringing back malware infested machines, your security policy and the measures required to circumvent the policies ought to be enough ammunition to support firing them for cause. Or at least confiscating their computer, locking their account, and demoting them to a job that doesn't require the use of a computer. Like janitor or something.
Make it very clear that as their job depends on them having access to a computer, and their access to a computer absolutely depends on them taking care of it and following company policy, if they do something to cause their network and computer privileges to be revoked then they will either be moved to a less technical job or released.
My company works in a very similar fashion, except that we have the threat of jail time thrown in just for flavor. Guess what... Nobody f**ks with the IT guys, and the very, very few who violate policy and get caught become well publicized examples of how to ruin your life. Is installing that intardnet solitaire game, or peeking at the porn site, worth your job? How about worth half your salary for 3 months and a month in jail before you get fired? Well, most companies don't need to go that far, but the general idea that messing with the IT resources is dangerous to company survival is something that nobody will seriously consider unless both the policies AND the actions taken to enforce those policies are black and white. No questions asked: fail to bring in your laptop for a weekly update/scan and you lose computer network privileges until you comply. Fail to comply 3 times or get caught violating the rules 3 times, and lose privileges until reinstated by the appropriate company VP, board member, co-owner, whatever.
If you let people take advantage of the IT department, EVERYONE will bypass the rules. Sure, most slashdot readers could do that without causing harm and many could do it without any real risk of getting caught, but chances are that some of the policy breakers will be relatively incompetent and one single person can bring down the entire company, if the security compliance policies are not clearly defined and rigorously enforced, with real penalties for violations and repeat violators.
I've been on both ends of the corporate IT stick... Been beaten for sidestepping policy, and done the beating later on when it was my turn to enforce policy. There can't be any question in anyone's mind that the policies simply can't be broken without consequences, no exceptions.
Go ahead and do it differently, if you don't mind seeing your company on "CNN Money" next week as the latest group who just let some intruder walk away with your customer database or all your company's proprietary info. Yeah, that happened to my company too, with some stuff that had been outsourced. Sucks to know that my entire personal financial records have been stolen not once, not twice, but three times due to incompetent IT departments my company has outsourced to.
I work for a government agency that has a lot of laptop users. We also use Exchange/Outlook and have limited mailbox sizes to 150MB. The biggest problem that we have is that users want to store their archive PST files on their laptop and then scream at us when their HD dies and they lose their old emails. It's a no-win situation for us. Management won't authorize more Exchange server space; if we force them to store their PST on a file server, they complain; if they lose a PST on a bad laptop HD, they complain.
I'm thinking of implementing some type of VBS login script that will copy the PST to a file server. The problem with that is that PSTs can be big and it might take a while to do the copy. I have to ensure it won't run when the user is on dialup or VPN. In addition, even if they are on the LAN, it will mean they can't use Outlook while it is copying.
Any suggestions!?!?!?
> The problem with that is that PSTs can be big and it might take awhile to do the copy. I have to ensure it won't run when the user is on dialup or VPN.
This will just require you checking to see what subnet the laptop is currently on before copying. That's what my current systems do - it won't copy the files unless you are in the "office network" environment, based on the subnet.
Karnal
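The subnet check suggested in the reply above, plus the two other problems raised in the question (the copy being slow over a remote link, and Outlook holding the PST open), as an added example. This is not the poster's VBS script or anything from the thread; it is written in Python so it runs anywhere, and the office subnets, VPN and dial-up pools and the 2 GiB size cap are constructed placeholders to be replaced with the real ranges.

```python
import ipaddress
import os
import shutil
import socket

# Constructed for this example: replace with the real office ranges and the
# address pools the VPN concentrator and dial-up server hand out.
OFFICE_SUBNETS = [ipaddress.ip_network("192.168.10.0/24"),
                  ipaddress.ip_network("192.168.11.0/24")]
VPN_POOL = ipaddress.ip_network("172.16.200.0/24")   # addresses given to VPN clients
DIALUP_POOL = ipaddress.ip_network("10.99.0.0/16")   # addresses given to dial-up clients
MAX_PST_BYTES = 2 * 1024 ** 3                        # hypothetical cap: skip anything larger


def local_ipv4_addresses():
    """Best-effort list of this host's IPv4 addresses, used when none are passed in."""
    addrs = set()
    for info in socket.getaddrinfo(socket.gethostname(), None, socket.AF_INET):
        addrs.add(info[4][0])
    return sorted(addrs)


def should_copy_pst(addresses, pst_size, outlook_running):
    """Return (decision, reason) for one login-script run.

    The copy runs only on the office LAN: a VPN or dial-up address anywhere
    on the host means a remote link is up and the copy would crawl over it.
    Outlook holds the PST open, so a copy taken while it runs is not a
    consistent file; the size cap keeps a huge archive from stalling logon.
    """
    ips = [ipaddress.ip_address(a) for a in addresses]
    if any(ip in VPN_POOL or ip in DIALUP_POOL for ip in ips):
        return False, "remote link (VPN/dial-up) active"
    if not any(ip in net for ip in ips for net in OFFICE_SUBNETS):
        return False, "not on an office subnet"
    if outlook_running:
        return False, "Outlook has the PST open"
    if pst_size > MAX_PST_BYTES:
        return False, "PST exceeds size cap"
    return True, "ok"


def copy_pst_if_changed(src, dst):
    """Copy src to dst only when size or mtime differ; return what happened.

    The copy goes to a temporary name and is renamed into place, so a logon
    interrupted mid-copy never leaves a truncated archive on the server.
    """
    st = os.stat(src)
    if os.path.exists(dst):
        dst_st = os.stat(dst)
        if dst_st.st_size == st.st_size and int(dst_st.st_mtime) == int(st.st_mtime):
            return "unchanged"
    tmp = dst + ".partial"
    shutil.copy2(src, tmp)      # copy2 keeps the mtime so the next run can compare it
    os.replace(tmp, dst)
    return "copied"


def run_login_backup(src, dst, addresses=None, outlook_running=False):
    """Glue the checks together the way a login script would."""
    addresses = addresses if addresses is not None else local_ipv4_addresses()
    ok, reason = should_copy_pst(addresses, os.path.getsize(src), outlook_running)
    if not ok:
        return "skipped: " + reason
    return copy_pst_if_changed(src, dst)


def demo_roundtrip():
    """Exercise the copy logic on a constructed 1 KiB stand-in PST in a temp dir."""
    import tempfile
    d = tempfile.mkdtemp()
    src, dst = os.path.join(d, "archive.pst"), os.path.join(d, "server_copy.pst")
    with open(src, "wb") as f:
        f.write(b"x" * 1024)                    # constructed stand-in for a PST
    results = [run_login_backup(src, dst, ["192.168.10.44"]),
               run_login_backup(src, dst, ["192.168.10.44"]),
               run_login_backup(src, dst, ["192.168.10.44", "10.99.3.4"])]
    with open(src, "ab") as f:
        f.write(b"y")                           # the archive grew since last logon
    results.append(run_login_backup(src, dst, ["192.168.10.44"]))
    shutil.rmtree(d)
    return results


if __name__ == "__main__":
    print(demo_roundtrip())
```

The size/mtime comparison is what keeps the script cheap on most logons: a PST that has not changed since the last office visit is not copied again, so the slow case only happens when there is new mail to save.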
Well if it's anything other than a threat please tell me how you managed it?
AFAIK you cannot go to jail for a civil offense, and breach of contract is a civil offense, unless it's the government top-secret part of the contract you breach.
I have never had a laptop at the IT places I worked.
First, if you want control of the laptops, be sure to set a bios password and disable booting from devices other than the hard disk. This will keep most people from installing their own operating system.
Second, if a machine gets really fucked up, you'll want to be able to fix it quickly. I suggest using disk images. You'll need to partition the disk drive so that you can re-image without wiping out the user's files. Remember that with NTFS, you can mount a partition in any empty folder. You know what to do with that Documents and Settings folder.
Third, how about giving everyone a shot at freedom?
At first, let the users have admin rights. Enforce only basic security precautions. Keep a log of problems with each employee's machine. But if Bob from accounting is doing a lot of Bad Things, escalate the security policy on his machine. Step one would probably be revoking administrator access. If Bob keeps finding ways to screw things up, use your exclusive admin access to set up a more restrictive security policy. If Bob still finds ways to screw things up, you could use the Final Solution: DeepFreeze.
This is where the log would be very important. When Bob's boss comes to bitch about Bob "not being able to do his job", you can whip it out and show him that you've had twice as many problems with Bob's laptop than anyone else's. You'd also need to have an explicit AUP.
De-escalating policy if an employee shows signs of being more responsible would also be a good idea, and it would give them a reason to start caring about what they run on their machine.
Disclaimer: IANA sysadmin. I haven't tested this policy. It just sounded like a good compromise to me.
If you don't control the laptops, don't trust them to behave. Design your network and servers -- the things you can control -- with the idea that they can be 'attacked' from anywhere; Internet or intranet.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
Apparently no-one had an argument with this point :)
Now I have 4 desktops under my desk :)
Also known in my state (Wisconsin) as a personal space heater.
I think you're both right and wrong -- right that Linux isn't the answer yet, but wrong on why.
Yes, it's an elitist attitude. All central control of dispersed machines needs to be or it's a nightmare. We're in the business of restricting the user's ability to do things, and more importantly, to add things.
No, these people really SHOULD be able to learn such a system. A. People are more versatile than you think, and B. The original poster is right: if any computer literacy is involved in their job description, they should be able to learn a new system, else you're bogged down to one system forever.
(Sales folk should be both computer literate and willing to use systems, if corporate tells them to, because we need to be able to see where they're going and who they're talking to, and what leads they get and pursue. We need to be able to project end of month sales based on the behavior of the salespeople, we need to see how promotions are working in middle of month, not just when the paper-work comes in at 4pm on the 30th, and we need to minimize that paperwork in the first place by using paperless ordering systems.)
But learning a system doesn't mean being able to do everything you used to do. That's the whole point of this elitist way we have to do things. They will be MORE restricted. Period. They won't have admin rights, they won't be able to modify the OS, they won't be able to add just anything they find that looks neato on the web.
(And Linux is a well designed OS, which means it can run scripts on a timer or on startup, and therefore can self-patch. While that may not be a just-works-right-out-of-the-box solution, it's very doable with some initial work.)
So on those levels I agree completely with the original poster.
But I think you're right that it's still not a working solution. And that's because we don't have all the apps we need. Our users need, rather. On one hand, Windows is a virus like many claim the GPL to be. You put Windows boxes in the headquarters, and you wind up needing Windows boxes as laptops to interact with those. (You are ABSOLUTELY RIGHT about Exchange interoperability.) I hate it, but it's true. And on the other hand, the best sales automation programs are under Windows, and we want them to have the best. So our salesfolk in the field will have Windows boxes for the foreseeable future.
We'd need to get rid of most of the central Windows boxes to accomplish this, and we'd need to get very high-quality sales apps under Linux.
But if we had those, and could dump Windows on our laptops, our support staff's life would be easier, we'd spend less on laptops, and we'd have more information about how our workers function and control over how our workers function, so as to maximize our investment. (Nightmare as that is in a society in general, those last two are important goals for a business.)
Notebooks log on via a separate server; they have their own IP address range whenever on the network and their own DHCP server. The link between the notebook servers and the rest of the network is firewalled.
Ed Almos
Budapest, Hungary
All these pathetic posts about locking down the (l)users make me want to hurl. You are trying to use technical means to solve a social problem, and IT WILL NOT WORK. And by the way, who the hell are you, to tell me what I do or don't need to use my computer for. Get over yourselves, you BOFH wannabes.
Your job is to provide me with the IT tools I need to do my job. Have all the policies you want, but the second those policies keep me from doing my job, they have to give way.
How about this? You give me admin access to my laptop so that the 15 year old proprietary crapola DOS based compilers and config software that I NEED TO DO MY DAMN JOB will run. In return I promise to take reasonable steps to keep my laptop spyware and virus free. I promise to keep it physically secure, and not let my kids use it.
If you lock down systems hard enough to keep Jane the receptionist from installing the happy kitten screensaver spyware, you will also keep Bob the engineer from downloading and installing the monitor software for the milling machine that just quit and has your main production line down.
Your job has conflicting requirements. Boo hoo, deal with it.
Bolt the laptops to the desks.
I work in my jobs IT Dept... and I use a laptop... my solution? I asked them for an Apple laptop. Never have to fuss about my wireless card, never have worries about viruses, never have to fret about updating... best thing that IT ever did for me.
I don't know who rated the message you responded to as troll; guess we are getting troll moderators. There is a lot of truth to it. But to your last message:
> I don't know what kind of world you think we live in, but Linux is not for everyone. Period. It has a wonderful place in the server world, and for some desktop users who really are into computers, but for your average sales drone, it has no place.
Now what in business today requires Windows on the PC part? Are we sure our dependence on Microsoft is like heroin? Cannot order entry be done through Linux? Cannot a Linux user surf the web? Can a Linux user not use Java-based applications to do business?
About the biggest thing business users lose with Linux is that users can download Windows spyware and make it work. The WMV file from a porn site might not play. The company will not have to spend as much time and resources maintaining the thing.
Business has lost sight of what the PC is for. It isn't entertainment for 8 hours on non-business activities we should be focusing on. It is a work tool. Users who download spyware that compromises their PC should be fired for being utterly stupid and out of control. If not fired, written up and the repairs charged to their manager's department.
And there is an old saying: to change gives you the chance of becoming better. Resistance to change is the admission you don't want to get better. People overrate the negatives of change and underrate its benefits. More importantly, people get over change.
So once we realize the current PC model costs too much in the corporations, maybe more will say no to the "How much do you want to pay today" mentality. PONCE: Price of not changing and evolving is stagnation. Windows users change all the time: DOS 2 through 6, Win 2.0, W3.0, W3.1, W95, W98, W2K, W2003, Win Me, XP, XP2, and soon Vista. We change, we must, and FUD to the cost of change.
I agree that most of the reason for not wanting to switch is because they're afraid of change, but there are a few smaller things such as Exchange that keep it from happening any faster. Also, most businesses have netadmins who are absolutely clueless about security, and computers in general. I have a friend who works for a company whose IT director is a "FreeBSD admin." I use quotes because the man has no clue how to install FreeBSD from scratch.
This type of thing is commonplace, and I think until we get a new generation of people in IT, changes like this aren't going to happen.
Another example. Everyone I work with at University of Miami is completely stuck on Windows, and doesn't want to change. There are three FreeBSD servers in my department and two Linux ones, and those are RHEL. The rest are all Windows 2000 Server. This isn't going to change anytime soon because all that the people there know is Windows. Not to mention the total lack of security, such as using an unencrypted VNC session to admin one of our Win2k servers from anywhere on campus... This isn't an exaggeration; the only people who really know FreeBSD and Linux well are my boss and myself.
Once we get people running IT departments who are familiar with Linux or BSD, we'll see that change starting to happen faster.