Slashdot Mirror
Dealing With Laptops in a Business Network?
lanimreT asks: "Notebooks are a large problem for IT managers. They carry viruses and other malware back into the network and are less reliable than desktop PCs for more than one reason. Yet, every employee MUST have one for his job. How have other IT managers dealt with the various problems that notebooks create?"
Put your laptops on a DMZ-like subnet. Don't allow unrestricted access from that to the rest of the LAN. ie.: only allow them access to your servers and other necessary resources. If they don't need to access Bertha's PC in Accounts Receivables then block it.
Block spyware sites on your firewall and log it. If you see a laptop trying to get to $SPYWARESITE you know they've installed crap. Go remove it.
Make sure they have antivirus and antispyware stuff installed, up to date and running. A lot of people turn it off because "it slows my machine down"
Ideally you won't let them have admin access. Far too often laptops show up with Kazaa or other shit installed because they let their kids play with the machines at home. Bad move, it's company property with company information but many people think the other way around. Assuming you're the IT manager you should have every right to remove such crap. Check your policies first.
Very important: Make a log of everything you have to fix If and when you start to enforce policy you need hard data to back up your actions.
Trolling is a art,
Nip the virus problem in the bud: keep OSX up to date on all the laptops.
*ducks*
Direct away from face when opening.
Every employee needs a laptop?
:)
I work for a large company, my boss excidedly says, "Hey do you want to trade your desktop in for a laptop?" I sternly reply, "Hell No!" Confused he asks, "Well why not?" I respond, "Well, I don't want to work from home and I don't want to be responsible for a $2000 computer which isn't mine."
Now I have 4 desktops under my desk
it's a sig, wtf?
Actually, i think there is a configuration to allow it to make changes to a certain folder, ie, c:\data that will not be wiped on reboot. Lots of fun for viruses too.. Had a lab machine infected with something, (never did look), rebooted the pc, and the virus went away...
Faronics sells this.
What are we going to do tonight Brain?
Just point out to the notebook users that they're working overtime from home for free.
Software sucks. Open Source sucks less.
Posting as AC to protect my job, however our method is quite extensive, and the high-level details are worth sharing for others to learn from.
:-) Email can be accessed via web, Outlook/Evolution (ick) or Thunderbird via IMAP.
My company's (a large online e-tailer and book seller) approach involves several methods to protect remote machines and limit access.
For remote access, a customized platform agnostic VPN device (running an embedded linux) piggy-back's onto the laptop. The device is powered by the laptop's USB port, and acts as a firewall in addition to a VPN gateway. The device can connect to the internet either via it's built-in compact-flash wireless card (supports WEP or open wireless) or an ethernet connection. When the tunnel is down, the laptop is still well protected by said firewall. When the tunnel is up, all traffic is routed through the VPN tunnel, and subject to corporate firewall rules. The VPN device is tied to the laptop's MAC address, and will not work with any other machine unless reprovisioned by an admin with appropriate rights. The user must authenticate on the device (which updates credentials each time it connects) before access is granted internally, and only the provisioned user has access to login to the device. Three failed login attempts will delete the data on the device, rendering it useless to any theif, and requiring it to be reimaged by corporate IT. The only means of accessing corporate data from "the outside" is via this device or a direct dial-up. There is zero access to internal systems without either of these methods (not even webmail). Dial-up numbers cannot be modified by the user which prevents them from connecting to any random ISP.
I don't know if either connection is dropped into a DMZ for further protection, however the local VPN device does packet filter certain types of packets on the way out for extra measure.
On the software side, the machines (when running Windows of some sort) run an antivirus and policy enforcement suite which is maintained by a corporate server. Policies enforce encrpytion of the user's mydocs directory should the laptop be otherwise compromised. Policies also restrict the user from installing software that isn't deployed via SMS. Additionally, anti-spyware software is installed on the machine to allow IT to remove threats. Because users must connect to the corporate network to do most job functions, these tools remain fairly up-to-date.
To protect the laptop, user passwords are changed regularly and a strong password requirement is enforced in addition to a fairly long password history retention to prevent reuse. Usernames are not retained in the login screen. Laptop screens are forced to lock after a short amount of time to prevent unattended access.
For browsing, users are permitted either IE or Firefox, however most users prefer the latter
I'm not sure on the size of your company, but if your budget allows, this seems to be highly secure and admitedly, well thought out means of enforcing security and protecting networks.
Require absolute standardization. Create a custom installation image similiar to the standard desktop installation including all utilities and software licenses required for the job. Do not give the users administrator rights to anything. Require them to hook the laptop up to the network every week or so to receive updates, patches, and submit to a system scan for unauthorized software and files.
If the system is determined to not meet company standards, give the employee a day to remove personal and work files, and then take the computer back to your IT cave, scrub the hard drive, and re-install the standard image from scratch before giving it back to the employee.
If the company has purchased the laptop, it must be very very clear that the laptop, and everything on it, belongs to the company, period. Policies like this will help keep "innocent" employees from accidentally bringing back something hazardous to the company network, and any employee savvy enough to work around the restrictions should also have the skillz to avoid undetected malware.
And if you have trouble employees who keep getting caught with unauthorized files, software, or who keep bringing back malware infested machines, your security policy and the measures required to circumvent the policies ought to be enough ammunition to support firing them for cause. Or at least confiscating their computer, locking their account, and demoting them to a job that doesn't require the use of a computer. Like janitor or something.
Make it very clear that as their job depends on them having access to a computer, and their access to a computer absolutely depends on them taking care of it and following company policy, if they do something to cause their network and computer privledges to be revoked then they will either be moved to a less technical job or released.
My company works in a very similiar fashion, except that we have the threat of jail time thrown in just for flavor. Guess what... Nobody f**ks with the IT guys and the very very few who violate policy and get caught become well publicized examples of how to ruin you life. Is installing that intardnet solitare game, or peeking at the porn site worth your job? How about worth half your salary for 3 months and a month in jail before you get fired? Well, most companies don't need to go that far, but the general idea that messing with the IT resources is dangerous to company survival is something that nobody will seriously consider unless the both the policies AND actions taken to enforce those policies are black and white. No questions askes, fail to bring in your laptop for a weekly update/scan and you lose compter network privledges until you comply. Fail to comply 3 times or get caught violating the rules 3 times, and lose privledges until reinstated by the appropriate company VP, board member, co-owner, whatever.
If you let people take advantage of the IT department, EVERYONE will bypass the rules. Sure, most slashdot readers could do that without causing harm and many could do it without any real risk of getting caught, but chances are that some of the policy breakers will be relatively incompetent and one single person can bring down the entire company, if the security compliance policies are not clearly defined and rigorously enforced, with real penalties for violations and repeat violators.
I've been on both ends of the corporate IT stick... Been beaten for sidestepping policy, and done the beating later on when it was my turn to enforce policy. There can't be any question in anyone's mind that the policies simply can't be broken without consequences, no exceptions.
Go ahead and do it differently, if you don't mind seeing your company on "CNN Money" next week as being the latest gropu who just let some intruder walk away with your customer database or all your company's proprietary info. Yea, that happened to my company too, with some stuff that had been outsouced. Sucks to know that access to my entire personal financial records have been stolen not once, not twice, but three times due to incompetent IT departments my company has outsourced to.
Well, a lot of corporations don't differentiate. When replacement time comes around, we can get either a desktop or a laptop. Most people have latops.
There's so much you can't do on a Windows machine without Administrative access as to make it useless to own one.
No, your sole job is not to keep the machine stable and locked down. Your bloody job is to provide support for the infrastructure and not be Mordac the Preventer in IT.
Lost at C:>. Found at C.
I would suggest to the poster that ONLY company issued machines be allowed to ever connect to the company systems, in or outside the perimeter. The "locked down" bare bones configuration are standard practice with better defense contractors and large financial companies, especially brokerage firms...I know this from experience. SecurId two part logins through VPN that basically only let you access your desk top system and only as your employee identity tend limit unauthorized access. And be very careful with wireless. If it is tolerated at all, be darn sure users don't ever get a chance to work without encryption turned on.
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.