Slashdot Mirror
Reducing The Negative Impact of Laptops
Mark Brunelli wrote to mention a SearchEnterpriseLinux column about reducing the negative impact laptops can have on a network's security. From the article: "Portable computers often become an extension of the person using them. It is no surprise that laptop users are inclined to be rather autonomously minded. Many users don't realize that the power they have to install software and change settings is risk prone. Fortunately, larger corporations that install Microsoft Windows XP Professional usually don't grant the laptop user full administrative rights. The same cannot be said of smaller businesses, many of which simply purchase laptops from the local store -- laptops pre-installed with Windows XP Home Edition. "
I have to agree... Everyone always brings up 'switch to Linux instead!' when you mention Windows security problems. That's great in theory, and I'm sure your network admin might actually do that. Then again, he's probably not the one bringing the virus onto your network in the first place.
The real world situation is that people are idiots. They can't even use the big pretty blue buttons in Windows XP, much less Linux. If they don't know that the big Novell login screen with the buttons saying 'Press Ctrl + Alt + Del to begin.' is telling them they should press those keys to get started, what chance is there they'll know what to do with one of the somewhat useless messages Gnome generates when an application crashes? (And yes, that most certainly was a 100% true story... I shit you not!)
Besides, I know our company builds their applications from scratch. While we are moving more to a web-based application model, we still have 95% of our programs written in Delphi, and even support a legacy DOS-based system. There's no way we'd get all that ported to Linux any time in the next 2 years, even if we dropped everything until it was done.
The point is, stop suggesting the supposedly "ideal" scenario that no one will ever be able to obtain. We're stuck with Windows (at least for the time being anyway), so we may as well focus on THAT problem and try to do the best we can with the tools we have. Let's worry about keeping Billy the marketing Intern from bringing Klez onto our network first, and THEN worry about changing the world later...
Outbreaks were correlated with a particular individual coming back to the office with his laptop after working elsewhere. I think it must be something about the way he uses that system; what sites he goes to, probably; which causes it to be so riddled with viruses.
You would not believe the crap you have to deal with on hotel networks. If anyone is counting on the firewalls keep the network clean, guess again. This has to be at the machine level, each one an island. I keep the shield up on my laptop and (knock on wood) have yet to have an issue - but most of the broad band connections your typical road warrior deals with is a cesspool of worms, viruses, and other such nasties.
+++ UGUCAUCGUAUUUCU
From the top of the article: In any network setting, laptop and notebook PCs can pose special security risks, particularly those running Microsoft Windows XP Home Edition...
Like I mentioned once before, the default setting for users on windows always administrator which automatically lowers your armour. After that, using internet explorer, you visit a greek jokes website that installs an ActiveX control on your system. The activex then downloads its friendly spyware and adware, and they in turn continue feeding on your bandwidth and cpu power by repeating the process. While they are doing this, these programs discover they are able to modify the registry and are also able to change settings so they run as soon as windows boots up!! How exciting. You are fucked, my friend!
From usenet: The primary shortcoming in Linux is that it retains the concept of a "superuser". If someone can manage to get themselves logged on as "root", then they have the keys to the kingdom. Now imagine what a malicious demon will feel when it finds itself running under Administrator inside a Windows machine!!!
I'm involved in a 'new technology' pilot for the IT department in my company, a Fortune 100 presence, and they're looking to force this down our throats. I'm a consulting network engineer, and I have a distinct need to be able to install a very large suite of custom applications, as well as make changes to network settings, etc. as part of my daily work. I can understand the potential security risks, but if it makes me unable to do my job producing revenue for the company, it's an unacceptable change.
I will fight this, because users need rights too.
Laptops that are permitted out of the office have to be setup as untrusted devices. Run separate cables, or make the user login wirelessly allowing limited, if any, local network access, but allowing full Internet access.
/*
Basically, you have your primary LAN of machines that never leave the office, and your wireless lan of laptops that are blocked from the primary lan. Both networks should be able to connect to the Internet, and laptop users would be required to connect to network services just as if they were out of the office.
Good wireless AP's should be able to block laptop to laptop communications, so that all the wireless network provides is internet access. Your network services should be hardened from Internet attacks already, and if they are not that should be addressed before any laptop related issue.
This has worked relatively well for me, might have a huge whole I don't see
*/
You don't make the poor richer by making the rich poorer. - Winston Churchill
Just by adding a second account in the control panel, and changing the (default) administrator account to have a relatively secure password.
;)
:) why do small businesses need to buy XP pro when XP home has enough of the features to do everything that is 'easier' to do in XP Pro?
Since when does having windows XP Home edition prevent you from adding multiple users, some of them restricted users who can't install software? is it because you only know how to use XP pro's tools to manage security? you don't know how to lock down IE with the help of a few simple freeware utilities you can download off the internet
I don't get it
If I'm missing some big reason please tell me, other than XP pro costs at least $120 more (oem pricing) why someone needs to run Pro to do something i did on XP home just last weekend...
https://www.gnu.org/philosophy/free-sw.html
Most computer users are not qualified administrators, in fact many of them are borderline computer illiterate. This isn't to say these people are dumb, they're just not very computer savvy. Such users tend to be able to use software they've been trained on or are familiar with but aren't likely to know exactly how it works. They click an icon, type in some values, and things happen. They don't need to know or care that the app is just a VB SOAP client talking to a web service via SSL hosted on the company's server farm. The guy down the hall in accounting needs to know how to do stuff in Excel, not how to write Excel.
That being said, these people aren't necessarily qualified to administer their own equipment. Some might have a bit of technical prowess but a majority of normal users are just that. So why are they put in charge of managing their own equipment and why are they able to take company information and property with them to get stolen or dropped down a flight of stairs? If they've got light communication needs how about Blackberries or Treos or some other connected devices. Quite a bit can be done through secured web interfaces or through web services with lightweight front ends. A little bit of well designed caching and users would be hard pressed to notice the company's database didn't exist on their little handheld device.
This approach isn't going to solve everyone's problems but it works for some in two major ways. The first is any single field employee can't take the sum of a company's data with them somewhere to have it hijacked by either action or omission. They're also not terribly likely to plug into an office machine and infect the whole network with some new Windows worm. A lost PDA might mean the company is out a few hundred dollars worth of equipment and maybe some confidential documents. A PDA that runs only application/web service front end software is really only out the value of the lost hardware.
If you've got responsible users you can probably trust them with full fledged laptops. For those that are almost more trouble than they're worth, give them cool gadgets they can work on but do limited amounts of damage with. This is of course in addition to better network security in and out of the office. If you've giving even advanced users a laptop to take home let them only take with them the data they absolutely need to get their job done. You don't want a laptop with 98,000 personal records on it stolen or something.
I'm a loner Dottie, a Rebel.
Actually, the last large corporation I worked for caught Code Red from a salesman's laptop. This salesman was in Australia, far away from the IT Department.
Even better: It was a security company.
Best of all: It was the Mac team that brought it to the IT Department's attention.