Dealing With Laptops in a Business Network?

lanimreT asks: "Notebooks are a large problem for IT managers. They carry viruses and other malware back into the network and are less reliable than desktop PCs for more than one reason. Yet, every employee MUST have one for his job. How have other IT managers dealt with the various problems that notebooks create?"

Here's a start for you.

[grub]

Put your laptops on a DMZ-like subnet. Don't allow unrestricted access from that to the rest of the LAN. ie.: only allow them access to your servers and other necessary resources. If they don't need to access Bertha's PC in Accounts Receivables then block it.

Block spyware sites on your firewall and log it. If you see a laptop trying to get to $SPYWARESITE you know they've installed crap. Go remove it.

Make sure they have antivirus and antispyware stuff installed, up to date and running. A lot of people turn it off because "it slows my machine down"

Ideally you won't let them have admin access. Far too often laptops show up with Kazaa or other shit installed because they let their kids play with the machines at home. Bad move, it's company property with company information but many people think the other way around. Assuming you're the IT manager you should have every right to remove such crap. Check your policies first.

Very important: Make a log of everything you have to fix If and when you start to enforce policy you need hard data to back up your actions.

Re:Here's a start for you.

[Dan+Ost]

The laptops at work come locked down and you can't do anything until a tech
visits. Rather than wait for days until a tech comes, some people wipe the
drive and reinstall windows, thus negating any benefit of locking the machine
down in the first place.

The moral of the story is if you have access to the hardware, then the machine
isn't really locked down.

Deepfreeze

[QuantumRiff]

Great program, reboot your PC, and all changes are reset. It is so much fun to load Kazaa onto a computer, reboot it, and it is all gone.. Of course, you have to get them trained to save absolutely everything to a Pen drive..

Actually, i think there is a configuration to allow it to make changes to a certain folder, ie, c:\data that will not be wiped on reboot. Lots of fun for viruses too.. Had a lab machine infected with something, (never did look), rebooted the pc, and the virus went away...

Faronics sells this.

absolute standardization

[eagl]

Require absolute standardization. Create a custom installation image similiar to the standard desktop installation including all utilities and software licenses required for the job. Do not give the users administrator rights to anything. Require them to hook the laptop up to the network every week or so to receive updates, patches, and submit to a system scan for unauthorized software and files.

If the system is determined to not meet company standards, give the employee a day to remove personal and work files, and then take the computer back to your IT cave, scrub the hard drive, and re-install the standard image from scratch before giving it back to the employee.

If the company has purchased the laptop, it must be very very clear that the laptop, and everything on it, belongs to the company, period. Policies like this will help keep "innocent" employees from accidentally bringing back something hazardous to the company network, and any employee savvy enough to work around the restrictions should also have the skillz to avoid undetected malware.

And if you have trouble employees who keep getting caught with unauthorized files, software, or who keep bringing back malware infested machines, your security policy and the measures required to circumvent the policies ought to be enough ammunition to support firing them for cause. Or at least confiscating their computer, locking their account, and demoting them to a job that doesn't require the use of a computer. Like janitor or something.

Make it very clear that as their job depends on them having access to a computer, and their access to a computer absolutely depends on them taking care of it and following company policy, if they do something to cause their network and computer privledges to be revoked then they will either be moved to a less technical job or released.

My company works in a very similiar fashion, except that we have the threat of jail time thrown in just for flavor. Guess what... Nobody f**ks with the IT guys and the very very few who violate policy and get caught become well publicized examples of how to ruin you life. Is installing that intardnet solitare game, or peeking at the porn site worth your job? How about worth half your salary for 3 months and a month in jail before you get fired? Well, most companies don't need to go that far, but the general idea that messing with the IT resources is dangerous to company survival is something that nobody will seriously consider unless the both the policies AND actions taken to enforce those policies are black and white. No questions askes, fail to bring in your laptop for a weekly update/scan and you lose compter network privledges until you comply. Fail to comply 3 times or get caught violating the rules 3 times, and lose privledges until reinstated by the appropriate company VP, board member, co-owner, whatever.

If you let people take advantage of the IT department, EVERYONE will bypass the rules. Sure, most slashdot readers could do that without causing harm and many could do it without any real risk of getting caught, but chances are that some of the policy breakers will be relatively incompetent and one single person can bring down the entire company, if the security compliance policies are not clearly defined and rigorously enforced, with real penalties for violations and repeat violators.

I've been on both ends of the corporate IT stick... Been beaten for sidestepping policy, and done the beating later on when it was my turn to enforce policy. There can't be any question in anyone's mind that the policies simply can't be broken without consequences, no exceptions.

Go ahead and do it differently, if you don't mind seeing your company on "CNN Money" next week as being the latest gropu who just let some intruder walk away with your customer database or all your company's proprietary info. Yea, that happened to my company too, with some stuff that had been outsouced. Sucks to know that access to my entire personal financial records have been stolen not once, not twice, but three times due to incompetent IT departments my company has outsourced to.