Businesses Networking Portables Security Worms

Dealing With Laptops in a Business Network?

lanimreT asks: "Notebooks are a large problem for IT managers. They carry viruses and other malware back into the network and are less reliable than desktop PCs for more than one reason. Yet, every employee MUST have one for his job. How have other IT managers dealt with the various problems that notebooks create?"


  • by grub ( 11606 ) <slashdot@grub.net> on Thursday September 15, 2005 @12:46PM (#13567550) Homepage Journal

    Put your laptops on a DMZ-like subnet. Don't allow unrestricted access from that to the rest of the LAN. i.e.: only allow them access to your servers and other necessary resources. If they don't need to access Bertha's PC in Accounts Receivables then block it.

    Block spyware sites on your firewall and log it. If you see a laptop trying to get to $SPYWARESITE you know they've installed crap. Go remove it.

    Make sure they have antivirus and antispyware stuff installed, up to date and running. A lot of people turn it off because "it slows my machine down"

    Ideally you won't let them have admin access. Far too often laptops show up with Kazaa or other shit installed because they let their kids play with the machines at home. Bad move, it's company property with company information but many people think the other way around. Assuming you're the IT manager you should have every right to remove such crap. Check your policies first.

    Very important: Make a log of everything you have to fix. If and when you start to enforce policy you need hard data to back up your actions.

    • DMZ-like subnets are a great idea but really, if you lock down the laptop before giving it to the employee and ensure that they can't install crap or otherwise modify and crap on your rock_solid configuration through local/group/security policies, then you have one less thing to worry about. I haven't really had more of a problem with laptops than I have had with PCs.
      • I like the DMZ method as another layer of security. A laptop that has been on the road for a while may not have had updates installed. So the person hooks it up when they get back home from a trip and whammo the latest Windows worm gets them.
        • The latest? Try one from months ago...I ended up removing SASSER from my brother's business laptop not too long ago. It seems he hadn't used that particular one online for several months, and didn't see anything wrong with hooking it up to the Internet without patching it. It lasted about fifteen minutes.
      • by Dan Ost ( 415913 ) on Thursday September 15, 2005 @02:41PM (#13568920)
        The laptops at work come locked down and you can't do anything until a tech visits. Rather than wait for days until a tech comes, some people wipe the drive and reinstall windows, thus negating any benefit of locking the machine down in the first place.

        The moral of the story is if you have access to the hardware, then the machine isn't really locked down.
        • by karnal ( 22275 ) on Thursday September 15, 2005 @03:40PM (#13569476)
          If you attempt to wipe the machines where I work, you shoot yourself in the foot.

          At that point, if you want to install any work related software, you need to be a member of the domain/active directory. If not, you don't get connected, either while in the office or via VPN.

          Of which, you can't install the necessary VPN software unless you are in the office, or we ship you a cd.

          We haven't had anyone try to get around this yet. I think it's safe to say the people who work on them in my business realize they'd be down a lot harder if they tried to....
        • The laptops at work come locked down and you can't do anything until a tech visits. Rather than wait for days until a tech comes, some people wipe the drive and reinstall windows, thus negating any benefit of locking the machine down in the first place.

          If your users are smart enough to reinstall Windows are you really worried about them getting Spyware and crap onto your network?

          Besides, haven't you ever heard of a BIOS password and removing the CD/Floppy from the boot order?

          • A BIOS password is easily defeated if you have access to the hardware (usually a jumper for a desktop, often a switch under the keyboard for a laptop).
            • A BIOS password is easily defeated if you have access to the hardware (usually a jumper for a desktop, often a switch under the keyboard for a laptop).

              And again I go back to my point that the employees who are smart enough to reset the BIOS password on a laptop are the ones that are least likely to pose a security risk. In fact they are probably the ones least likely to want to reinstall Windows in the first place.

              And where I work if you bypass my security arrangements (be it BIOS passwords or lack of

    • Block spyware sites on your firewall and log it.

      What's the best list of sites to check against?
      • by grub ( 11606 )

        We have a bunch in our PIX configs. Here's a few to start (and some may be old or broken, we don't actively check) I usually google around for the spyware places. Not sure how this will wrap...

        : www.xcelent.biz evilness. see http://www.theregister.co.uk/2004/09/22/opt-out_exploit/
        access-list CSM-acl-Ginside deny ip any host 61.218.79.53

        : gator.com [SPYWARE]
        access-list CSM-acl-Ginside deny ip any 64.94.89.0 255.255.255.0
        access-list CSM-acl-Ginside deny ip any 204.238.120.0 255.255.255.0
        access-list CSM-a

        • Excellent start. Thanks.

          I'm hoping somebody has a text or DNS blacklist like we have for spammers. Just one of those things that benefits from collective effort.

          • I forgot about this one too. At home I took the hosts file which you can get for Spybot Search & Destroy and used some of the names from there. Of course you'll have to nslookup machines from the hosts file and add the real IPs to your firewall.

            Googling for that will get you some nice hosts files.
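The conversion described above (hosts-file blocklist, resolve the names, feed the addresses to the firewall), written out as an added example; this is not grub's PIX config and the blocklist entries are constructed, not a real list. It assumes a Spybot-style hosts file ("127.0.0.1 bad.host" per line, "#" comments, some entries sinkholed to 0.0.0.0), keeps the ACL name CSM-acl-Ginside from the post, and takes the resolver as a parameter so it runs offline; `system_resolver` is the real-DNS drop-in. Two things it guards against that a quick nslookup-and-paste does not: a name that has been re-pointed at loopback or RFC1918 space must not turn into a deny rule against your own inside network, and several names that share one server should produce one rule, not one per name.

```python
"""Turn a hosts-file style spyware blocklist into PIX access-list lines.

Added example, not the thread's PIX config or any real blocklist. It assumes a
Spybot-style hosts file ("127.0.0.1 bad.host" per line, "#" comments, some
entries sinkholed to 0.0.0.0), the ACL name CSM-acl-Ginside from the post, and
a resolver callable so it runs offline against constructed names; swap in
system_resolver for real use.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Set

SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}

# A name that now resolves here must never become a deny rule: you would be
# blocking your own LAN, loopback or multicast on the inside interface.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def parse_hosts_blocklist(text: str) -> Set[str]:
    """Hostnames that the hosts file points at a sinkhole address."""
    names: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments
        parts = line.split()
        if len(parts) < 2 or parts[0] not in SINKHOLES:
            continue                                 # blank, or an ordinary hosts entry
        for name in parts[1:]:
            names.add(name.lower().rstrip("."))
    return names


def blockable(addr: str) -> bool:
    """True for an IPv4 address it is safe to deny on the inside interface."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 4 and not any(ip in net for net in NEVER_BLOCK)


def resolve_all(names: Iterable[str],
                resolver: Callable[[str], List[str]]) -> Dict[str, List[str]]:
    """name -> sorted blockable IPv4 addresses; failed lookups give []."""
    out: Dict[str, List[str]] = {}
    for name in sorted(names):
        try:
            addrs = resolver(name)
        except OSError:                              # NXDOMAIN, timeout, ...
            addrs = []
        out[name] = sorted({a for a in addrs if blockable(a)})
    return out


def pix_acl_lines(resolved: Dict[str, List[str]],
                  acl: str = "CSM-acl-Ginside") -> List[str]:
    """One deny+log rule per address, preceded by a ':' remark naming the host."""
    lines: List[str] = []
    seen: Set[str] = set()
    for name, addrs in resolved.items():
        for addr in addrs:
            if addr in seen:
                continue                             # several names, one server
            seen.add(addr)
            lines.append(f": {name}")
            lines.append(f"access-list {acl} deny ip any host {addr} log")
    return lines


def system_resolver(name: str) -> List[str]:
    """Real DNS lookup, IPv4 only (raises OSError on failure like the fake)."""
    return [info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)]


# Constructed sample input; the names and 203.0.113.0/24 are documentation values.
SAMPLE_HOSTS = """\
# hosts file in Spybot S&D style (constructed)
127.0.0.1 ads.example-spyware.test
127.0.0.1 tracker.example-spyware.test   # same server as ads.
0.0.0.0   gone.example-spyware.test
127.0.0.1 localhost
192.0.2.10 intranet.corp.test             # ordinary hosts entry, not a block
"""

FAKE_DNS = {                                         # constructed answers
    "ads.example-spyware.test": ["203.0.113.10"],
    "tracker.example-spyware.test": ["203.0.113.10"],
    "localhost": ["127.0.0.1"],
}


def fake_resolver(name: str) -> List[str]:
    if name not in FAKE_DNS:
        raise OSError("NXDOMAIN")
    return FAKE_DNS[name]


if __name__ == "__main__":
    names = parse_hosts_blocklist(SAMPLE_HOSTS)
    print("\n".join(pix_acl_lines(resolve_all(names, fake_resolver))))
```

As grub notes, address-based entries go stale: the spyware host moves and whoever inherits the address is now blocked, or the block silently stops matching. Re-run the resolution on a schedule and diff the generated rules rather than pasting once, and keep the `log` keyword so the hits tell you which laptop to go and clean.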

    • by Anonymous Coward
      Bad move, it's company property with company information but many people think the other way around.
      So they think it's company information with company property?
    • I've done something similar to this on my home network. We have 8 PCs there, for various purposes, and wireless which friends use when they come over.

      Basically I have two subnets - 192.168.60.x (trusted) and 192.168.61.x (untrusted). Any computer that I don't explicitly put in the trust segment goes on 192.168.61.x, and can only send data out to the internet.

      Untrust doesn't get SMB access to my server, ssh, nothing. They also can't communicate with the trust segment unless the computer on the trust segmen

      • by Anonymous Coward
        You have a false sense of security. The two subnets share the same broadcast domain. The second any malware uses any protocol other than IP, you're fucked.

        Really, VLANs aren't that expensive to set up, especially with the kind of setup you have. You don't need 100 managed switches. You need one. You can pick up a bunch of old Bay Networks gear on eBay on the cheap. I'd recommend a 350T. It is a sixteen port 10/100 switch capable of trunking and VLANS. Configurable through SNMP and a pretty straightforward t
        • I'll definitely look into that switch. And yeah, I'm aware of the broadcast problem and the fact that my setup isn't fool proof at all. I have yet to come across a worm that doesn't use IP though. I also don't have anything other than IP enabled on any of the machines.

          I have a question about the switch, how would that work if I only had one switch, since I have hubs in some areas of the house. Wouldn't it make sense to replace each hub with a switch, because I have trusted and untrusted devices on the same

    • Put your laptops on a DMZ-like subnet.

      In our office most people have laptops instead of desktops. They need to interoperate.

      Make sure they have antivirus and antispyware stuff installed, up to date and running. A lot of people turn it off because "it slows my machine down"

      It does. Our administrator tried to turn on a policy whereby several times a day, the antivirus would start up. Problem, for some machines, it takes hours to run. The developers almost killed him because the machines were unusable dur

      • Bollocks. No one, outside of developers and other IT staff, needs to install software. If you need software installed, contact the IT staff, who'll take care of it.

        Likewise, your machine shouldn't talk to any other user's machine directly. You should be talking to servers.
  • insurrection (Score:3, Insightful)

    by St. Arbirix ( 218306 ) <matthew...townsend@@@gmail...com> on Thursday September 15, 2005 @12:48PM (#13567566) Homepage Journal
    Nip the virus problem in the bud: keep OSX up to date on all the laptops.

    *ducks*
  • There are just some risks that have to be accepted if you are going to do business. Other /.ers will hopefully point out all kinds of useful ways to mitigate the risks, and that is a good thing, but no system will ever be perfect. So there has to be some way to judge other than perfect-vs-flawed. Good approaches will strike a balance between letting people get things done, and having security. Don't assume you can get to perfection, but don't let that stop you from trying to make things better.
  • Make them use a VPN and personal firewall at all times. With broadband, this is easier than ever. Sizing your VPN setup is the hardest part.
  • laptop == teh suck (Score:2, Insightful)

    by vbrtrmn ( 62760 )
    Every employee needs a laptop?

    I work for a large company, my boss excitedly says, "Hey do you want to trade your desktop in for a laptop?" I sternly reply, "Hell No!" Confused he asks, "Well why not?" I respond, "Well, I don't want to work from home and I don't want to be responsible for a $2000 computer which isn't mine."

    Now I have 4 desktops under my desk :)
    • Yes you need a laptop. Very useful for meetings, every time the subject goes to something uninteresting you can get work done, and then pull back to the meeting instantly when it becomes useful. Not as productive as you would be when not at the meeting, but a lot more interesting and productive than the typical meeting.

      When in a meeting with co-workers (the boss is not there), it is more useful, you can take notes, look-up code, or search for information without leaving the meeting.

      Now if the choice is

    • Now I have 4 desktops under my desk :)

      Then you can't really call them "desktops," can you? ;-)
    • Unfortunately no, I was being sarcastic. It didn't come across very clearly though. Many of my employees *think* they need a laptop when really they just need to work less.

      -Zan
    • Now I have 4 desktops under my desk :)

      Also known in my state (Wisconsin) as a personal space heater.
  • For company security make sure that *all* sensitive data is centrally located and can only be accessed outside office premises using a VPN. Make use of web-apps rather than client-side apps (like collaborative document management, central project management etc)

    For malware, make sure that there are firm groupwide subscriptions to antivirus and spyware programs. Many of the good packages allow for mandatory updates, and they should be insisted upon in a corporate set up.

    • That doesn't address the problem of users bringing their laptops into the pristine office network after being on those filthy home networks. Spyware and anti-virus help prevent only common viruses and spyware, but does not stop new viruses, or plug security holes.. (think about it). It also does nothing about customized trojans, say from a competitor, a mistress, a low-traffic malicious website. Do you make sure that all users are running Adobe Acrobat 7.0.3? The latest Real Player? Otherwise, a target
  • Deepfreeze (Score:5, Informative)

    by QuantumRiff ( 120817 ) on Thursday September 15, 2005 @01:12PM (#13567819)
    Great program, reboot your PC, and all changes are reset. It is so much fun to load Kazaa onto a computer, reboot it, and it is all gone.. Of course, you have to get them trained to save absolutely everything to a Pen drive..

    Actually, I think there is a configuration to allow it to make changes to a certain folder, ie, c:\data that will not be wiped on reboot. Lots of fun for viruses too.. Had a lab machine infected with something, (never did look), rebooted the pc, and the virus went away...

    Faronics sells this. [faronics.com]

    • We looked in depth at Deep Freeze where I work (a healthcare provider). It wasn't suitable for a number of reasons:

      • We have a lot of one-of-a-kind apps from vendors that didn't work with it. Sure, you can say if the vendor won't fix it, get another vendor, but tell GE when they hold a lot of patents on something and are the only vendor for something. They have you by the balls and they know it. Same for Ernst and Young with financials apps, etc.
      • Patching. There's no good way to apply patches via SMS
  • I've been wondering if it would be feasible to lock the laptops WAY down (bare minimum of applications to connect) and have people use "Terminal Services" to operate an internal computer rather than having everything installed on the "remote" computer.

    Seems like it would be easier to control and avoid problems that way (and if you use NomachineNX, you can use the same "terminal" client for VNC and X11 logins as well...)

    • I'm sure it's possible. But then the laptops would be useless away from a network connection. If wireless IP ever becomes really pervasive, we'll undoubtedly see people doing this.
      • It would definitely reduce the functionality of the laptop away from networks, but wouldn't necessarily make them useless. "Windows Server 2003" appears to support a redirected local drive which appears as a "share" on the terminal session. Users who are going to be away from a network but NEED to work on something can use that to copy the file to the local drive before they disconnect, and then re-upload when they reconnect later.

        That would slightly compromise the "nothing stays on the local system" but

    • Or, why not leave the laptops wide open, but filter all traffic from them on your corporate network except for the port for Terminal Services. The managers would complain about synchronization issues, no doubt, but c'est la vie.

      Other than that we just have to keep AV/AS stuff running and up to date, and have scary policies regarding installation of non-approved applications to hopefully cut that down.

      But please put Winamp on that list. Let's be realistic too, okay?
    • This is what I would love to be able to do.

      By installing the bare minimum (maybe even linux running from compact flash) and locking it down so they are only allowed to connect to a terminal server certainly has its advantages.

      They would need to be able to connect through ... LAN, dialup, broadband, wireless (office, motel, airport, web cafe etc), mobile data, directly or via a VPN. Of course, those tools would need to be installed and have a nicely locked down configuration that they can't f$#% with.

    • I've been wondering if it would be feasible to lock the laptops WAY down (bare minimum of applications to connect) and have people use "Terminal Services" to operate an internal computer rather than having everything installed on the "remote" computer.

      Kind of defeats the purpose of having a laptop, though...

  • Simple (Score:4, Insightful)

    by booch ( 4157 ) <slashdot2010@cra ... m ['k.c' in gap]> on Thursday September 15, 2005 @01:18PM (#13567911) Homepage
    Just point out to the notebook users that they're working overtime from home for free.
  • Treat them like machines on the internet, since you have no control over the machine itself. (I've seen people reinstall the OS because they can't get their kid's game to play.)

    Assume the machines have viruses and trojans, and spyware through the wazoo.

    Oh, have a policy that every 4 months, people have to turn in their machines in for maintenance and reassignment. They won't think of these machines as "theirs" and they won't install crap (like their palm-pilot synch software).

    I'm still out on filesystem en
  • by martin ( 1336 )
    Find out what the risks are and create an AUP (acceptable use policy) around the risks.

      Get the users to sign the AUP.

      Put controls around the AUP - eg make sure the users can't install their own software and do this for them with LanDesk or similar. No use of IE, Firewall only etc etc..
    • This has got to be the stupidest suggestion yet: make it illegal to get a virus, and nobody will get a virus!

      This AUP will crumble when someone wants to see something in Flash, or use a Pen Drive, or plug into their friend's printer, or ... well, do anything.
    • If I had points, I'd mod you up.

      Too frequently, policies are overlooked as a solution to security concerns. The old adage about being unable to apply a technical solution to a social problem fits like a glove.

      Draft a policy about laptop use, run it by whatever department heads or HR people you need, and mandate that anyone using a company laptop read and sign it.

      Hopefully just the act of having read this will hammer home the point that these are not personal property, and for those remaining cases of abuse
  • VPN, policies, etc. (Score:3, Informative)

    by Anonymous Coward on Thursday September 15, 2005 @02:13PM (#13568616)
    Posting as AC to protect my job, however our method is quite extensive, and the high-level details are worth sharing for others to learn from.

    My company's (a large online e-tailer and book seller) approach involves several methods to protect remote machines and limit access.

    For remote access, a customized platform agnostic VPN device (running an embedded linux) piggy-backs onto the laptop. The device is powered by the laptop's USB port, and acts as a firewall in addition to a VPN gateway. The device can connect to the internet either via its built-in compact-flash wireless card (supports WEP or open wireless) or an ethernet connection. When the tunnel is down, the laptop is still well protected by said firewall. When the tunnel is up, all traffic is routed through the VPN tunnel, and subject to corporate firewall rules. The VPN device is tied to the laptop's MAC address, and will not work with any other machine unless reprovisioned by an admin with appropriate rights. The user must authenticate on the device (which updates credentials each time it connects) before access is granted internally, and only the provisioned user has access to login to the device. Three failed login attempts will delete the data on the device, rendering it useless to any thief, and requiring it to be reimaged by corporate IT. The only means of accessing corporate data from "the outside" is via this device or a direct dial-up. There is zero access to internal systems without either of these methods (not even webmail). Dial-up numbers cannot be modified by the user which prevents them from connecting to any random ISP.

    I don't know if either connection is dropped into a DMZ for further protection, however the local VPN device does packet filter certain types of packets on the way out for extra measure.

    On the software side, the machines (when running Windows of some sort) run an antivirus and policy enforcement suite which is maintained by a corporate server. Policies enforce encryption of the user's mydocs directory should the laptop be otherwise compromised. Policies also restrict the user from installing software that isn't deployed via SMS. Additionally, anti-spyware software is installed on the machine to allow IT to remove threats. Because users must connect to the corporate network to do most job functions, these tools remain fairly up-to-date.

    To protect the laptop, user passwords are changed regularly and a strong password requirement is enforced in addition to a fairly long password history retention to prevent reuse. Usernames are not retained in the login screen. Laptop screens are forced to lock after a short amount of time to prevent unattended access.

    For browsing, users are permitted either IE or Firefox, however most users prefer the latter :-) Email can be accessed via web, Outlook/Evolution (ick) or Thunderbird via IMAP.

    I'm not sure on the size of your company, but if your budget allows, this seems to be a highly secure and admittedly, well thought out means of enforcing security and protecting networks.
  • Lock the sons of bitches down hard. Don't allow the laptop user to install software. Don't allow them to run as an administrator account. Use policies to allow them to perform any administrative tasks that they might need, such as being able to change their IP address. Use a corporate-controlled firewall, preferably using a firewall that allows you to set a global policy and force it enabled. This is a host-based firewall, besides the actual corporate one to the Internet. Turn off all unnecessary ser

    • I knew I forgot something above.

      Don't let your laptop machines on the same network as your desktops. Keep them on their own little quarantined network. In fact, the more you can quarantine each machine from each other, the better off you're going to be if something does get onto one of these laptops. The simplest thing to remember is that you control the laptop and need to lock it down as much as humanly possible, but at the same time, the laptop is the front-line soldier on the battlezone of the Intern

    • The real problem with laptops is that most IT departments treat them differently than they would a desktop. Don't. Don't give your laptop users administrative access, no matter how much they complain. It is your job to keep the machine in a usable state, no matter what they do to it, so don't allow them to do things that you know will break it.

      Well, a lot of corporations don't differentiate. When replacement time comes around, we can get either a desktop or a laptop. Most people have laptops.

      There's so muc

      • Maybe you misunderstood that I said that specific permissions be granted via policy, rather than blanket administration rights. Besides, I've been doing this for a long time now, and locked down machines tend to work better, have less problems, and users tend to be happier. The ones that get upset are the "Joe Admins" out there that think because they can admin their home box with their pirated copy of Windows XP, that they know anything about professional corporate environments. Remember that you don't

  • At my workplace, all of these are enforced. The rules are so strict that you can be fired if you violate these rules. Each laptop comes with IT downloader that IT can push updates. Also, there is a list of banned software and hardware.
  • by eagl ( 86459 ) on Thursday September 15, 2005 @03:16PM (#13569254) Journal
    Require absolute standardization. Create a custom installation image similar to the standard desktop installation including all utilities and software licenses required for the job. Do not give the users administrator rights to anything. Require them to hook the laptop up to the network every week or so to receive updates, patches, and submit to a system scan for unauthorized software and files.

    If the system is determined to not meet company standards, give the employee a day to remove personal and work files, and then take the computer back to your IT cave, scrub the hard drive, and re-install the standard image from scratch before giving it back to the employee.

    If the company has purchased the laptop, it must be very very clear that the laptop, and everything on it, belongs to the company, period. Policies like this will help keep "innocent" employees from accidentally bringing back something hazardous to the company network, and any employee savvy enough to work around the restrictions should also have the skillz to avoid undetected malware.

    And if you have trouble employees who keep getting caught with unauthorized files, software, or who keep bringing back malware infested machines, your security policy and the measures required to circumvent the policies ought to be enough ammunition to support firing them for cause. Or at least confiscating their computer, locking their account, and demoting them to a job that doesn't require the use of a computer. Like janitor or something.

    Make it very clear that as their job depends on them having access to a computer, and their access to a computer absolutely depends on them taking care of it and following company policy, if they do something to cause their network and computer privileges to be revoked then they will either be moved to a less technical job or released.

    My company works in a very similar fashion, except that we have the threat of jail time thrown in just for flavor. Guess what... Nobody f**ks with the IT guys and the very very few who violate policy and get caught become well publicized examples of how to ruin your life. Is installing that intardnet solitaire game, or peeking at the porn site worth your job? How about worth half your salary for 3 months and a month in jail before you get fired? Well, most companies don't need to go that far, but the general idea that messing with the IT resources is dangerous to company survival is something that nobody will seriously consider unless both the policies AND actions taken to enforce those policies are black and white. No questions asked, fail to bring in your laptop for a weekly update/scan and you lose computer network privileges until you comply. Fail to comply 3 times or get caught violating the rules 3 times, and lose privileges until reinstated by the appropriate company VP, board member, co-owner, whatever.

    If you let people take advantage of the IT department, EVERYONE will bypass the rules. Sure, most slashdot readers could do that without causing harm and many could do it without any real risk of getting caught, but chances are that some of the policy breakers will be relatively incompetent and one single person can bring down the entire company, if the security compliance policies are not clearly defined and rigorously enforced, with real penalties for violations and repeat violators.

    I've been on both ends of the corporate IT stick... Been beaten for sidestepping policy, and done the beating later on when it was my turn to enforce policy. There can't be any question in anyone's mind that the policies simply can't be broken without consequences, no exceptions.

    Go ahead and do it differently, if you don't mind seeing your company on "CNN Money" next week as being the latest group who just let some intruder walk away with your customer database or all your company's proprietary info. Yea, that happened to my company too, with some stuff that had been outsourced. Sucks to know that access to my entire personal financial records has been stolen not once, not twice, but three times due to incompetent IT departments my company has outsourced to.
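The weekly check-in described in the post above (patches, scan for unauthorized software, and either let the laptop back on or take it away for re-imaging) is the same gate grub's DMZ-like subnet needs: something has to decide when a returning laptop may leave quarantine. Here is that decision written out as an added example; it is not code from the thread or from any product named in it. It assumes the laptop reports a small inventory when it plugs in (constructed below), and the thresholds, software lists and local admin group names are made-up policy values. Moving the switch port, keeping the machine on the quarantine subnet or opening the re-image ticket is left to whatever consumes the decision.

```python
"""Decide whether a laptop that has been away may leave the quarantine subnet.

Added example, not code from the thread or from any product it names. It
assumes a small inventory the laptop reports when it plugs in (constructed
below); the thresholds, software lists and admin group names are made-up
policy values.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List

MAX_PATCH_AGE = timedelta(days=7)        # "hook the laptop up every week or so"
MAX_AV_SIGNATURE_AGE = timedelta(days=3)
APPROVED_SOFTWARE = {"office-suite", "vpn-client", "av-agent", "putty"}
BANNED_SOFTWARE = {"kazaa"}
EXPECTED_LOCAL_ADMINS = {"Administrator", "CORP\\Workstation Admins"}


@dataclass
class Inventory:
    hostname: str
    last_patch: date
    av_running: bool
    av_signature_date: date
    installed: List[str]
    local_admins: List[str]


@dataclass
class Decision:
    admit: bool
    reimage: bool                         # unauthorised changes: back to the standard image
    reasons: List[str] = field(default_factory=list)


def check_admission(inv: Inventory, today: date) -> Decision:
    """Compare the reported state against policy; any finding keeps it quarantined."""
    reasons: List[str] = []
    reimage = False

    patch_age = today - inv.last_patch
    if patch_age > MAX_PATCH_AGE:
        reasons.append(f"patches {patch_age.days} days old")

    if not inv.av_running:                # turned off because "it slows my machine down"
        reasons.append("antivirus not running")
    elif today - inv.av_signature_date > MAX_AV_SIGNATURE_AGE:
        reasons.append(f"antivirus signatures {(today - inv.av_signature_date).days} days old")

    installed = {s.lower() for s in inv.installed}
    banned = sorted(installed & BANNED_SOFTWARE)
    if banned:
        reasons.append("banned software: " + ", ".join(banned))
        reimage = True                    # not worth cleaning; scrub and re-image
    unapproved = sorted(installed - APPROVED_SOFTWARE - BANNED_SOFTWARE)
    if unapproved:
        reasons.append("unapproved software: " + ", ".join(unapproved))

    extra_admins = sorted(set(inv.local_admins) - EXPECTED_LOCAL_ADMINS)
    if extra_admins:
        # a user who has made themselves admin can undo the whole lock-down
        reasons.append("unexpected local admins: " + ", ".join(extra_admins))
        reimage = True

    return Decision(admit=not reasons, reimage=reimage, reasons=reasons)


def log_line(inv: Inventory, d: Decision, today: date) -> str:
    """One line per check: the hard data you need when you start enforcing policy."""
    verdict = "ADMIT" if d.admit else ("REIMAGE" if d.reimage else "QUARANTINE")
    parts = [today.isoformat(), inv.hostname, verdict]
    if d.reasons:
        parts.append("; ".join(d.reasons))
    return " ".join(parts)


# Constructed sample inventories: one laptop that checked in last week, one
# back from six weeks on the road with the kids' software on it.
TODAY = date(2005, 9, 15)
CLEAN = Inventory("lt-0123", date(2005, 9, 12), True, date(2005, 9, 14),
                  ["Office-Suite", "VPN-Client", "AV-Agent"], ["Administrator"])
ROAD_WARRIOR = Inventory("lt-0456", date(2005, 7, 30), False, date(2005, 7, 30),
                         ["office-suite", "Kazaa", "winamp"],
                         ["Administrator", "lt-0456\\bob"])

if __name__ == "__main__":
    for inv in (CLEAN, ROAD_WARRIOR):
        print(log_line(inv, check_admission(inv, TODAY), TODAY))
```

Note what the check does not do: it trusts the inventory the laptop reports. A user with local admin (or, per the earlier sub-thread, physical access) can feed it a clean report, which is why the unexpected-admin finding is treated as a re-image, not a warning.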
    • Well if it's anything other than a threat please tell me how you managed it?

      SFAIK you cannot go to jail for a civil offense and breach of contract is a civil offense, unless it's the government top secret part of the contract you breach.
      • Certain ummm "organizations" serve up jail time for a wide variety of misbehavior. And even in the general corporate world, many acts can get you jail time. I guarantee if a microsoft employee walked out with their internal development library and customer database, and then got caught, they'd go to jail. Heck, they're jailing kids who break into corporate networks and play around, and if it comes to prosecution of a crime, the punishment isn't going to be all that different if they're doing it from insi
        • Taking company secrets is theft, which is a criminal offense, so you could pursue the theft with the possibility of jail time for the thief.
          Generally misuse of a laptop (installing kazaa, browsing porn, screwing up all the settings etc...) would only be a breach of contract which is a civil offense.

          Maybe you have different laws in the states from the UK/EU (laws where a civil offense results in jail time), but the fact that the civil trial of OJ Simpson for murder resulted in financial compensation and not
          • Ok, I'll be blunt.

            Military. Willfully breaking almost ANY rule, no matter how small, carries the potential punishment of confinement and/or real jail time, before getting fired.
            • Well, that's generally treason or something along those lines, not something slapped into any old contract to prevent people installing kazaa on their laptops like the original post suggested.
    • by anomaly ( 15035 ) <tom DOT cooper3 AT gmail DOT com> on Thursday September 15, 2005 @04:20PM (#13569851)
      Great in theory, lousy in practice. For what it's worth, I worked for years as a part of the desktop management team for a Fortune 500 company. I switched jobs about a year ago. On my corporate-issued laptop, I have the full suite of applications 'certified' to work on the reference build of XP.

      I just checked and found that as a part of DOING MY JOB, I need 50 - count them - 50 utilities that are not provided, certified, or approved to go on my laptop. I'm not a developer, but I am a tech lead for implementation of a COTS product deployed on a J2EE app server. Those 50 utilities include:
      Cygwin, jEdit, filezilla, ultravnc, SP2 & a RAM defragger (b/c my laptop won't hibernate without it), ldap tools, putty, gaim, pdf utilities, an HTML editor, and many others. Pretty much none of these would be 'corporate approved' and without them, my job would be MUCH harder.

      I can edit config files in notepad, which *is* corporate certified. Is it the most efficient tool? No way! Editing in jEdit is much richer and faster - syntax highlighting for perl, xml, shell scripts, batch files, etc.

      This also does not address the issue with the fact that without local admin I'd be unable to install print drivers for my network-attached printer at home. I also would be unable to connect to my wireless LAN at home, because I would not be able to configure the WEP settings. Do I do real work at home? Yup.

      Here's my point: I'm not using my laptop as a personal computer. My kids never touch dad's work laptop, and my personal software is installed on my personal PCs. Without local admin, my job would be MUCH harder. Is it expensive for our company to let me have a unique config? Probably. How expensive would it be to not let me have the tools I need to do my job?

      What makes sense? In my view, you're penny wise and pound foolish to prevent me from installing the tools I need.

      just my .02

      Respectfully,
      Anomaly
      • This is the real problem, in my opinion. I've never worked at a company where they had both the will and the ability to totally lock down the machines, AND the will and ability to be quickly responsive to installation and authorization requests. This gets especially bad when IT people get to make policy instead of being responsible for implementing it.

        It can take *6 months* to get approval to install a no-cost, industry standard application (Eclipse, for example). Too many IT departments get into this us

    • I would suggest to the poster that ONLY company issued machines be allowed to ever connect to the company systems, in or outside the perimeter. The "locked down" bare bones configurations are standard practice with better defense contractors and large financial companies, especially brokerage firms...I know this from experience. SecurId two part logins through VPN that basically only let you access your desktop system and only as your employee identity tend to limit unauthorized access. And be very careful
    • Wrong.

      Good luck getting this kind of policy enforced with the sales drones. They are an entirely different breed, and I guarantee that if a sales guy can't get to texanholdmpokr.com, it will be your fault.

      He just has to say, "I can't get to the internet and make my deals/leads", and your policy will become the problem. The boss hears, "IT is keeping me from doing my job".

      This problem goes much deeper than some simple policy changes.

  • I work for a gov. agency that has a lot of laptop users. We also use Exchange/Outlook and have limited mailbox sizes to 150MB. The biggest problem that we have is that users want to store their Archive PST files on their laptop and then scream at us when their HD dies and they lose their old emails. It's a no win situation for us. Management won't authorize more Exchange server space; if we force them to store their PST on a file server, they complain; if they lose a PST on a bad laptop HD they complain.

    I'
    • I have a Perl script that I wrote that copies PSTs to network storage; it's hacky, but it works
    • The problem with that is that PSTs can be big and it might take awhile to do the copy. I have to ensure it won't run when the user is on dialup or VPN.

      This will just require you checking to see what subnet the laptop is currently on before copying. That's what my current systems do - it won't copy the files unless you are in the "office network" environment, based on the subnet.
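      The subnet-gated copy described in the two comments above, as an added example (not the poster's Perl script): it copies Outlook .pst archives to a share only when one of the laptop's addresses falls inside a constructed office range, so a dial-up or VPN session (assumed to land in a different address pool) never triggers the transfer. The office subnets, the source folder and the share path are all made-up assumptions.

```python
"""Copy Outlook .pst archives to network storage, but only when the
laptop sits on an office subnet (never over dial-up or VPN).
Added example, not the poster's Perl script; subnet values are made up."""
import ipaddress
import shutil
import socket
from pathlib import Path

# Constructed office ranges; a VPN client pool is deliberately left out,
# so a VPN session fails the check and no copy is attempted over it.
OFFICE_SUBNETS = [ipaddress.ip_network("10.20.0.0/16"),
                  ipaddress.ip_network("192.168.50.0/24")]


def local_addresses():
    """Best-effort list of this host's IPv4 addresses (Windows and Unix)."""
    addrs = set()
    for info in socket.getaddrinfo(socket.gethostname(), None, socket.AF_INET):
        addrs.add(info[4][0])
    return sorted(addrs)


def on_office_network(addrs, subnets=OFFICE_SUBNETS):
    """True if any local address falls inside an allowed office range."""
    return any(ipaddress.ip_address(a) in net for a in addrs for net in subnets)


def backup_psts(src_dir, dest_dir, addrs, subnets=OFFICE_SUBNETS):
    """Copy every *.pst under src_dir into dest_dir. Returns the copied
    file names; returns [] and copies nothing when off the office LAN."""
    if not on_office_network(addrs, subnets):
        return []
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    copied = []
    for pst in Path(src_dir).glob("*.pst"):
        # Copy under a temporary name first, then rename, so a dropped
        # link never leaves a half-written file posing as a good backup.
        tmp = dest / (pst.name + ".partial")
        shutil.copy2(pst, tmp)
        tmp.replace(dest / pst.name)
        copied.append(pst.name)
    return sorted(copied)


if __name__ == "__main__":
    # Hypothetical paths: the user's local archive folder and a per-user share.
    print(backup_psts(Path.home() / "Outlook", r"\\fileserver\pst$\me",
                      local_addresses()))
```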
    • Look into BackupPC. It's pretty good for backing up laptops.
    • The biggest problem that we have is that users want to store their Archive PST files on their laptop and then scream at us when their HD dies and they lose their old emails. It's a no win situation for us.. Management won't authorize more Exchange server space; if we force them to store their PST on a file server, they complain; if they lose a PST on a bad laptop HD they complain.

      [...]

      Any suggestions!?!?!?

      Folder Redirection (put them in My Documents and redirect it) or a dedicated share that's mapped wit

    • Couldn't you use roaming profiles?

      Then put the .pst in the user's homedir, and set outlook to use it.
    • The solution would be simple if users weren't so addicted to Outlook.

      I replaced Exchange with Postfix and Courier IMAP, and I'm a happy mail admin since.

      For the client side, I always hated Outlook, so I installed Thunderbird on all machines.

      Unfortunately, out of a dozen users, only one seems to prefer Thunderbird. The others insist on using Outlook 2003, despite all the problems they regularly have with it. For example, Outlook doesn't start, complaining that the server is not accessible or something. They
  • I have never had a laptop at the IT places I worked.
  • First, if you want control of the laptops, be sure to set a bios password and disable booting from devices other than the hard disk. This will keep most people from installing their own operating system.

    Second, if a machine gets really fucked up, you'll want to be able to fix it quickly. I suggest using disk images. You'll need to partition the disk drive so that you can re-image without wiping out the user's files. Remember that with NTFS, you can mount a partition in any empty folder. You know what to do
  • ...lack of physical security means lack of assurance of any security.

    If you don't control the laptops, don't trust them to behave. Design your network and servers -- the things you can control -- with the idea that they can be 'attacked' from anywhere; Internet or intranet.

  • Notebooks logon via a separate server, they have their own IP address range whenever on the network and their own DHCP server. The link between the notebook servers and the rest of the network is firewalled.

    Ed Almos
    Budapest, Hungary
  • All these pathetic posts about locking down the (l)users make me want to hurl. You are trying to use technical means to solve a social problem, and IT WILL NOT WORK. And by the way, who the hell are you, to tell me what I do or don't need to use my computer for. Get over yourselves, you BOFH wannabes.

    Your job is to provide me with the IT tools I need to do my job. Have all the policies you want, but the second those policies keep me from doing my job, they have to give way.

    How about this? You give me adm
    • I'd have to agree partially- Yes - users need/must have the right mix of software and hardware to do their jobs. Their computer is a business tool. One privilege model for an entire organization doesn't work. Systems need to be locked down - for security reasons- a default install with admin privs reading email, accessing the web is asking for trouble. Protect the users from themselves. Users are NOT sysadmins- users are paid to do their job, admins are paid to do their job. Users' responsibility is to
  • Bolt the laptops to the desks.
  • I work in my job's IT Dept... and I use a laptop... my solution? I asked them for an Apple laptop. Never have to fuss about my wireless card, never have worries about viruses, never have to fret about updating... best thing that IT ever did for me.
