Reducing The Negative Impact of Laptops

Mark Brunelli wrote to mention a SearchEnterpriseLinux column about reducing the negative impact laptops can have on a network's security. From the article: "Portable computers often become an extension of the person using them. It is no surprise that laptop users are inclined to be rather autonomously minded. Many users don't realize that the power they have to install software and change settings is risk prone. Fortunately, larger corporations that install Microsoft Windows XP Professional usually don't grant the laptop user full administrative rights. The same cannot be said of smaller businesses, many of which simply purchase laptops from the local store -- laptops pre-installed with Windows XP Home Edition. "

Linux

[mysqlrocks]

Better still, use the truly secure Linux operating system. Six months after making the change, you will not use Windows again. The cost of Linux is also much less than the cost of upgrading Windows XP Home Edition to Windows XP Professional.

Unfortunately Linux isn't as easy to use for most people. How about suggesting that they use a Mac? Macs are secure and are easy to use.

Re:Linux

[MellerTime]

I have to agree... Everyone always brings up 'switch to Linux instead!' when you mention Windows security problems. That's great in theory, and I'm sure your network admin might actually do that. Then again, he's probably not the one bringing the virus onto your network in the first place.

The real world situation is that people are idiots. They can't even use the big pretty blue buttons in Windows XP, much less Linux. If they don't know that the big Novell login screen with the buttons saying 'Press Ctrl + Alt + Del to begin.' is telling them they should press those keys to get started, what chance is there they'll know what to do with one of the somewhat useless messages Gnome generates when an application crashes? (And yes, that most certainly was a 100% true story... I shit you not!)

Besides, I know our company builds their applications from scratch. While we are moving more to a web-based application model, we still have 95% of our programs written in Delphi, and even support a legacy DOS-based system. There's no way we'd get all that ported to Linux any time in the next 2 years, even if we dropped everything until it was done.

The point is, stop suggesting the supposedly "ideal" scenario that no one will ever be able to obtain. We're stuck with Windows (at least for the time being anyway), so we may as well focus on THAT problem and try to do the best we can with the tools we have. Let's worry about keeping Billy the marketing Intern from bringing Klez onto our network first, and THEN worry about changing the world later...

Re:Linux

[nukem996]

ummmm maybe if they only use the command line. Have your users use KDE, my 90 year old grandfather uses it just fine. Infact I think KDE would be much easier to switch to then Mac. Many of the features such as Start, file browsing, and look are the same.

Re:Linux

[LDoggg_]

The point is, stop suggesting the supposedly "ideal" scenario that no one will ever be able to obtain.

Because everyone is using a collection of software comprised of 95% home grown Delphi apps?

So you're stuck with windows. Fine.
Some people aren't, and the suggestion of using Linux is legitimate.

Let's worry about keeping Billy the marketing Intern from bringing Klez onto our network first, and THEN worry about changing the world later...

You worry about your network. No need to try discourage others willing to try to change things now.

Re:Linux

[ozmanjusri]

Ever seen a help system for a Linux distro?

Well, there's that little red-and-white lifesaver icon. That'll bring up the help system in Gnome or KDE. Then there's the speech bubble with the ? in it, that'll give you context-sensitive help. Or you could just start the KDE help center app and search in that. Or maybe you could open a terminal and type "apropos " and Linux would tell you which commands are relevant. Then you could type "man " or "info " and get some compact reading material. If you're still stuck, you could look into whichever distro you're using's forums. People there are almost always ready to assist. Or you could pay for commercial support - plenty of people willing to take money for tech support. Then there's http://www.linuxhelp.net/, which seems quite, umm, helpful. Typing "linux help" into a search engine will give you just under two hundred million hits to look into too - maybe one of those might be useful, do you think? Of course, for the traditionalists, there's always usenet. If you log onto any of the several hundred groups devoted to the various flavours of Linux, there just might be something to look at perhaps? Or maybe there's a local Linux User Group you could phone and talk to a real geek.

Apart from that, you're right. Linux does really leave you high and dry.

Re:Linux

[wfberg]

When Microsoft added the windows keys, they just needed to create a new keyboard layout and map two (three?) new scan codes - something trivial to do. Making the windows key generate a hardware interrupt would have required modifying the BIOS - something a lot harder for MS to do.

It's trivial to wire the windows key in such a way that pressing it has the same effect as pressing ctrl, alt and del simultaneously.

In fact, it's easier than adding a new scancode. Just have the ctrl, alt and del circuits on the keyboard run through the windows key as well.

As a side benefit, you could now be sure that the start menu is always the OSes start menu.

Never mind the fact that once windows takes over, the BIOS doesn't have a thing to say about ctrl+alt+del anymore. (If it did, your computer would reset) Windows could just as easily make a different scancode, or a combination like Alt+SysReq, the secure attention key. In fact, Alt+SysReq is what linux kernels trap for debugging purposes; no user mode program can intercept Alt+SysReq.

So, I have to disagree here. The windows key is just marketing. They could've also added copy and paste buttons, and volume up+down buttons to the windows approved layout, but didn't. Now those keys are all over the place in all sorts of "multimedia" keyboards, along with insane buttons for checking e-mail etc.

Some standard security items..

[knightinshiningarmor]

It's very true that laptops are a higher risk than desktops.

1) Most laptops now have wireless cards. If this is the case, use an encrypted connection to an AP.

2) Even then, use as many encrypted streams as you can (ssh, https, pop3s/imaps, etc.).

3) Physical security. It's easy for anyone to run off with your computer. So keep track of it... don't leave it on the table at the library.

Laptops get around too much

[MichaelSmith]

Until recently I was involved in administrating a linux server on a network of windows workstations. The server primarly operated as a gateway to the internet.

Every now and then some horrible worm would get lose on the network and fill the internet connection with crap. I would get the blame for it of course (internet not working).

Outbreaks were correlated with a particular individual coming back to the office with his laptop after working elsewhere. I think it must be something about the way he uses that system; what sites he goes to, probably; which causes it to be so riddled with viruses.

I am not managing that system any more. Good riddance. The versatility of laptops is letting them down in this instance. If the owner is a bit of an idiot no amount of management will keep them out of trouble.

Re:Laptops get around too much

[(H)elix1]

Outbreaks were correlated with a particular individual coming back to the office with his laptop after working elsewhere. I think it must be something about the way he uses that system; what sites he goes to, probably; which causes it to be so riddled with viruses.

You would not believe the crap you have to deal with on hotel networks. If anyone is counting on the firewalls keep the network clean, guess again. This has to be at the machine level, each one an island. I keep the shield up on my laptop and (knock on wood) have yet to have an issue - but most of the broad band connections your typical road warrior deals with is a cesspool of worms, viruses, and other such nasties.

Re:Laptops get around too much

[jkuff]

Part of the problem is the default settings of Windows XP Home and Professional. I really wish there was a "secure laptop" Local Security Policy profile that a user could select to automatically configure all of the XP services, etc. Whenever I purchase a new laptop, I have to spend a whole day disabling potentially insecure things like UnPNP, Telnet, Remote Desktop, Remote Registry, SSDP discovery, guest account, default file and printer sharing, etc. and setting up IPSec policies.

What I really want is an easy way to automatically configure these things for a laptop that I NEVER want to be accessed (i.e. remotely controlled) from the outside, nor share any files or resources. It is shameful how many ports are opened by default, which makes the naive user even more prone to picking up nasty trojans and viruses.

Well that solves a pesky problem

"...laptop users are inclined to be rather autonomously minded..."

How many people have struggled with the problem of free will. I know I have. The idea of free will is ages old and unresolved until now. Now we know laptop users have free will. Tyranny got you down? Buy a laptop.

Please tell me your joking

[nukem996]

The GPL does state that any changes made to the kernel has to be open source but if you did everything as a modules(does not touch the kernel source just lets the kernel load this to extend the kernel) you could of kept it closed source and stuck with Linux. Many companies do this such as nvidia and ati. You should of done some research before spending time and money and planned to do this as a module.

Damn you XP Home

[max99ted]

As a small business IT support guy, I see this all the time. Lawyer X or Dentist Y grabs the latest laptop deal from Dell, brings it to work, and finds out he can't connect to the 'server', which either leads to some kind of limited workaround or an overpriced 'upgrade' to Pro, both costing them money (my time or a sticker, registry fix + more of my time). I'm always telling clients to ASK ME FIRST before buying something but as anyone in the same business will know, that can be rare.

Windows security

[CDMA_Demo]

From the top of the article: In any network setting, laptop and notebook PCs can pose special security risks, particularly those running Microsoft Windows XP Home Edition...

Like I mentioned once before, the default setting for users on windows always administrator which automatically lowers your armour. After that, using internet explorer, you visit a greek jokes website that installs an ActiveX control on your system. The activex then downloads its friendly spyware and adware, and they in turn continue feeding on your bandwidth and cpu power by repeating the process. While they are doing this, these programs discover they are able to modify the registry and are also able to change settings so they run as soon as windows boots up!! How exciting. You are fucked, my friend!

From usenet: The primary shortcoming in Linux is that it retains the concept of a "superuser". If someone can manage to get themselves logged on as "root", then they have the keys to the kingdom. Now imagine what a malicious demon will feel when it finds itself running under Administrator inside a Windows machine!!!

Re:Windows security

[EiZei]

And the worse part is that while using Linux with only a user account is perfectly fine using Windows with anything less than administrator can be quite a pain in the ass because of the poorly coded software that wont settle for anything less than administrative rights.

My company is doing this lockdown approach

[cheezus_es_lard]

I'm involved in a 'new technology' pilot for the IT department in my company, a Fortune 100 presence, and they're looking to force this down our throats. I'm a consulting network engineer, and I have a distinct need to be able to install a very large suite of custom applications, as well as make changes to network settings, etc. as part of my daily work. I can understand the potential security risks, but if it makes me unable to do my job producing revenue for the company, it's an unacceptable change.

I will fight this, because users need rights too.

Re:My company is doing this lockdown approach

[mrbooze]

What I've heard of some businesses doing is giving developers/consultants/whatever two hard drives per laptop. One hard drive has the "corporate" image on it with full access to the network, email, etc. The second hard drive has the "developer" image, which they can mess with to their heart's content, but that has limited ability to affect the network.

As an long-time IT person myself, I can see the ways in which that would make my job easier, but it also just seemed ridiculously restritictive on the ability of people to do their work. Can't check email or your outlook calendar and write code at the same time?

Laptop Lockdown

[jcnnghm]

Laptops that are permitted out of the office have to be setup as untrusted devices. Run separate cables, or make the user login wirelessly allowing limited, if any, local network access, but allowing full Internet access.

Basically, you have your primary LAN of machines that never leave the office, and your wireless lan of laptops that are blocked from the primary lan. Both networks should be able to connect to the Internet, and laptop users would be required to connect to network services just as if they were out of the office.

Good wireless AP's should be able to block laptop to laptop communications, so that all the wireless network provides is internet access. Your network services should be hardened from Internet attacks already, and if they are not that should be addressed before any laptop related issue. /*
  This has worked relatively well for me, might have a huge whole I don't see
*/

A slight amendment is in order...

[PetoskeyGuy]

This should read...

Mark Brunelli, News Editor of searchEnterpriseLinux.com wrote to mention a SearchEnterpriseLinux column about reducing the negative impact laptops can have on a network's security. From the article: "Portable computers often become an extension of the person using them. It is no surprise that laptop users are inclined to be rather autonomously minded. Many users don't realize that the power they have to install software and change set

I don't mind plugging articles for your own site, but at least practice full disclosure.
http://searchenterpriselinux.techtarget.com/meetEd itorial/0,289131,sid39,00.html

Re:is'nt it mandatory

[boomgopher]

Oh please, I'm a developer, and there is NO WAY I could function if I was not allowed to install my own software. Nor would I be willing to keep asking Joe IT install something for me.

I'd pull out the harddrive and do my own OS install if it came down to it. And no - I've not gotten a single virus/worm in the past 8 years...

This is where you find a support solution.

[Agarax]

Get a freakin' help system in place so that I don't have to waste time clicking at stuff, getting annoyed, and then decide to give up altogether because it didn't work.

Well, for a Unbuntu end user there is always just paying for real techsupport. I know Redhat can help out with getting Wine to work (saw it happen), dont know about Canonical.

For a business I would never even consider using a specific distro unless there was a live person on the other end of a phone line. It just wouldn't happen otherwise.

Redhat, Canonical, and Novell all offer excellent support for Linux, you cant go wrong.

Re:Moronic...

[flatass]

You are both missing the point here a bit. The discussion should be focused on business machines. IMHO employees workstations should be configured to allow them to do their job. (thats a period at the end there) Anything else in Windows invites time wasted by the employee screwing with things they ought not be screwing with, and time wasted by admins cleaing up after them.

I locked my sister's kids out of windows XP Home..

[kesuki]

Just by adding a second account in the control panel, and changing the (default) administrator account to have a relatively secure password.

Since when does having windows XP Home edition prevent you from adding multiple users, some of them restricted users who can't install software? is it because you only know how to use XP pro's tools to manage security? you don't know how to lock down IE with the help of a few simple freeware utilities you can download off the internet ;)

I don't get it :) why do small businesses need to buy XP pro when XP home has enough of the features to do everything that is 'easier' to do in XP Pro?

If I'm missing some big reason please tell me, other than XP pro costs at least $120 more (oem pricing) why someone needs to run Pro to do something i did on XP home just last weekend...

DMZ

[Craig+Ringer]

What really helps for this sort of use is a DMZ configuration. Laptops get put on dedicated network ports on a separate VLAN (if your switch doesn't support 'em, time to get one that does, or build parallel infrastructure), or even on a wireless network. Either way, all laptops go onto a network that arrives at a single dedicated port (physical or vlan'd virtual) on the firewall. The firewall treats that as untrusted as it would a DMZ, and only offers public external services to it.

If your laptop users want to get at internal network services, they use their IMAP+TLS, TLS-secured authenticated SMTP, etc - same as they do on the road. File access - WebDAV with SSL and client certificates.

If you must, then expose some "internal" services - but only the sort, such as TCP/IP database access ports, that won't be affected by most win32 worms.

If you isolate laptops from your network core even when they're on site, you'll be a lot better off. With half decent switches you can even configure things so that laptops *can't* be used on the "standard" ports by MAC-locking each port to its appropriate host. If a user knows enough to change the MAC address on their laptop to match their desktop, then change the plugs, you're probably beyond technical solutions (and into "fire them if they don't understand how to follow rules") anyway.

Pocket Knife

[Graymalkin]

Most computer users are not qualified administrators, in fact many of them are borderline computer illiterate. This isn't to say these people are dumb, they're just not very computer savvy. Such users tend to be able to use software they've been trained on or are familiar with but aren't likely to know exactly how it works. They click an icon, type in some values, and things happen. They don't need to know or care that the app is just a VB SOAP client talking to a web service via SSL hosted on the company's server farm. The guy down the hall in accounting needs to know how to do stuff in Excel, not how to write Excel.

That being said, these people aren't necessarily qualified to administer their own equipment. Some might have a bit of technical prowess but a majority of normal users are just that. So why are they put in charge of managing their own equipment and why are they able to take company information and property with them to get stolen or dropped down a flight of stairs? If they've got light communication needs how about Blackberries or Treos or some other connected devices. Quite a bit can be done through secured web interfaces or through web services with lightweight front ends. A little bit of well designed caching and users would be hard pressed to notice the company's database didn't exist on their little handheld device.

This approach isn't going to solve everyone's problems but it works for some in two major ways. The first is any single field employee can't take the sum of a company's data with them somewhere to have it hijacked by either action or omission. They're also not terribly likely to plug into an office machine and infect the whole network with some new Windows worm. A lost PDA might mean the company is out a few hundred dollars worth of equipment and maybe some confidential documents. A PDA that runs only application/web service front end software is really only out the value of the lost hardware.

If you've got responsible users you can probably trust them with full fledged laptops. For those that are almost more trouble than they're worth, give them cool gadgets they can work on but do limited amounts of damage with. This is of course in addition to better network security in and out of the office. If you've giving even advanced users a laptop to take home let them only take with them the data they absolutely need to get their job done. You don't want a laptop with 98,000 personal records on it stolen or something.

Re:Pocket Knife

[Anne+Thwacks]

This isn't to say these people are dumb

Maybe you have forgotten, or maybe not, but 50% of people are of below average intelligence.

I'd bet good money that a good portion of those of above average intelligence, are not working for someone else in a capacity where they have to take their work home with them.

Companies - the kind of person that is willing to take home his/her work home on a laptop is generally unsuitable for the task. (See Groucho Marx on Club Membership)

It happened where I used to work

[R3d+M3rcury]

Actually, the last large corporation I worked for caught Code Red from a salesman's laptop. This salesman was in Australia, far away from the IT Department.

Even better: It was a security company.

Best of all: It was the Mac team that brought it to the IT Department's attention.

Well, go and set up the Computer correctly

[dzafez]

Make your checklist and go through it with any Notebook that is introduced to the Company.

# encrypted /home (I don't remember what it is called on Windows) prevents a lot of ugly
things we see from stolen Notebooks nowadays.

# /home (he did it again) must be mirrored (possibly unencrypted) on a Server, (I think
you got to check for the term server side
profiles)

# No Administrative rights! I mean absolutely no administrative rights on the standard
working User!

# The Notebook needs to go back to IT-Department on sporatic calls once or twice
a year to check if the user breached the security rules of the Company (...pr0n, fun tools...)

# automatic windows updates, asap ! (Hell yea I know we like to know what is beeing installed,
but this notebook is not allway available for the Admin)

# Centralized AV-Updates (this puts the power back to the Admin, we like that)

# All connections to the LAN from anywhere go through a VPN, even WLAN.

# Once you have done the whole setup, you may want to use dd (or ghost or ...) to take a
image of the notebooks Harddrive. So you never need to so this for this Notebook again.

# YES, please document what you did, so the next Notebook will not be such a pain. This
also gives you the possibility to review the security every now and then.

I surely forgot something, but this is a starter! Feel free to put more on the lis /. folks!

Re:Well, go and set up the Computer correctly

When issued a company laptop by control freaks, the following steps are in order:

# Copy an image the laptop's hard drive up to your machine at home

# Shrink the existing partition and install a boot loader

# Install the operating system and software of your choice, with full administrative rights

# Hit the road and enjoy!

# When eye-tee asks for the laptop to check up on you, take an image of it the way you like it, then restore the image saved in the first step and give the pristine laptop to eye-tee

# If original image is unavailable, ensure the hard disk is zeroized and act dumb, then return it

~~~

......and be replaced with someone who'd deal.

[Vandil+X]

If I have to carry a laptop to which I don't have admin rights to, I'd quit.

...and be replaced with someone who'd deal.

I'm a sysadmin. All Mac OS X and Windows notebooks I deploy are preconfigured, tested, verified, and locked down. Even Classic.

If any special apps or hardware is needed, it has to be dropped off during the "preconfigured" part of the process.

The truth here is you are being furnished with a portable workstation, not a personal surfboard.

Nine times out of ten, when some one pages/calls their IT department at 2am because their laptop broke, it's because they were doing something they weren't supposed to do, like install personal software and hardware.

I'm sorry, but if you call me at 2am because installing Flight Simulator broke your machine, and now you can't do your PowerPoint presentation (the work task at hand) I'm going to laugh at you, hang up, and report you to my boss.

How about this for a compromise

[Julian+Morrison]

IT boss to employee: "you have two choices:

1) A laptop with admin rights, that has no direct access to our LAN, but only a connection to a special quarantine server, which we will use to check everything you upload before letting it out onto our LAN, or...

2) A laptop with no admin rights, locked down so tight you can't even change your own wallpaper, but which is a full peer on the LAN.

You get to pick whichever suits your working style best."

How about 10,000 laptops with XP Home?

[Demerara]

I was recently involved in an international procurement where 10,000 laptops were supplied with XP Home. The mission-critical application on the laptops was highly secure - all data was encrypted to a high degree but the laptops themselves were wide open to attack or, more likely, inadvertent denial of service by ignorant or curious users.

By the time I flagged this appalling oversight, the procurement process was too far advanced. So, a US$44 million procurement went ahead using XP Home on the kits.

The application? Electronic Voter Registration in a large sub-saharan country in Africa.

So it's not just small businesses who drop the ball.

The budget will never be there to upgrade to XP Pro. And they simply don't have the skills to replace XP with a Linux distro and port the application (which is proprietary anyway).

Does anyone have thoughts on what can be done to improve the security of XP Home?

Laptops are a security risk

[thethibs]

It's a fundamental rule of systems engineering that workstations are part of the user, not part of the system. This is especially true of laptops.

Any sysadmin that thinks limiting user privileges on the workstation is solving a security problem is fooling herself. System security needs to be set up on the assumption that all workstations are hostile.