Dealing With Laptops in a Business Network?
lanimreT asks: "Notebooks are a large problem for IT managers. They carry viruses and other malware back into the network and are less reliable than desktop PCs for more than one reason. Yet, every employee MUST have one for his job. How have other IT managers dealt with the various problems that notebooks create?"
Here's a start for you. (Score:5, Informative)
Put your laptops on a DMZ-like subnet. Don't allow unrestricted access from that to the rest of the LAN, i.e. only allow them access to your servers and other necessary resources. If they don't need to access Bertha's PC in Accounts Receivables then block it.
Block spyware sites on your firewall and log it. If you see a laptop trying to get to $SPYWARESITE you know they've installed crap. Go remove it.
Make sure they have antivirus and antispyware stuff installed, up to date and running. A lot of people turn it off because "it slows my machine down".
Ideally you won't let them have admin access. Far too often laptops show up with Kazaa or other shit installed because they let their kids play with the machines at home. Bad move, it's company property with company information but many people think the other way around. Assuming you're the IT manager you should have every right to remove such crap. Check your policies first.
Very important: Make a log of everything you have to fix. If and when you start to enforce policy you need hard data to back up your actions.
Re:Here's a start for you. (Score:2)
Re:Here's a start for you. (Score:1)
Re:Here's a start for you. (Score:2)
Re:Here's a start for you. (Score:5, Interesting)
visits. Rather than wait for days until a tech comes, some people wipe the drive and reinstall windows, thus negating any benefit of locking the machine down in the first place.
The moral of the story is if you have access to the hardware, then the machine isn't really locked down.
Re:Here's a start for you. (Score:4, Informative)
At that point, if you want to install any work related software, you need to be a member of the domain/active directory. If not, you don't get connected, either while in the office or via VPN.
Of which, you can't install the necessary VPN software unless you are in the office, or we ship you a cd.
We haven't had anyone try to get around this yet. I think it's safe to say the people who work on them in my business realize they'd be down a lot harder if they tried to....
Re: (Score:2)
Re:Here's a start for you. (Score:2)
hardware (usually a jumper for a desktop, often a switch under the keyboard for a laptop).
Re: (Score:2)
Re:Here's a start for you. (Score:2)
What's the best list of sites to check against?
Re:Here's a start for you. (Score:2, Informative)
We have a bunch in our PIX configs. Here are a few to start (and some may be old or broken, we don't actively check). I usually google around for the spyware places. Not sure how this will wrap...
Re:Here's a start for you. (Score:2)
I'm hoping somebody has a text or DNS blacklist like we have for spammers. Just one of those things that benefits from collective effort.
Re:Here's a start for you. (Score:1)
I forgot about this one too. At home I took the hosts file which you can get for Spybot Search & Destroy and used some of the names from there. Of course you'll have to nslookup machines from the hosts file and add the real IPs to your firewall.
Googling for that will get you some nice hosts files.
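Putting the hosts-file idea above together with the earlier "block it on the firewall, log it, and see which laptop tried to reach $SPYWARESITE" advice, as an added example that is not from any poster in this thread: a Python script that pulls the sinkholed hostnames out of a Spybot-style hosts file and then scans firewall log lines for laptop-subnet hosts that tried to reach them. The hosts-file contents, the log line format and the 192.168.61.0/24 laptop subnet are constructed/assumed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of a Spybot-style hosts file (not a real blocklist).
SAMPLE_HOSTS = """\
# Spybot-style blocklist (constructed sample)
127.0.0.1 localhost
127.0.0.1 spyware-example.test   # trailing comment
127.0.0.1 www.spyware-example.test adware-example.test
0.0.0.0   tracker-example.test
"""

# Constructed firewall log lines; the key=value format is an assumption.
SAMPLE_LOG = """\
Jan 12 09:14:02 fw DENY src=192.168.61.23 dst=203.0.113.10 dport=80 host=www.spyware-example.test
Jan 12 09:14:05 fw DENY src=192.168.61.23 dst=203.0.113.11 dport=443 host=adware-example.test
Jan 12 09:15:40 fw ALLOW src=192.168.61.40 dst=198.51.100.5 dport=443 host=intranet.example.test
Jan 12 09:16:01 fw DENY src=192.168.60.7 dst=203.0.113.12 dport=80 host=tracker-example.test
Jan 12 09:17:12 fw DENY src=192.168.61.40 dst=203.0.113.10 dport=80 host=spyware-example.test
"""

LAPTOP_NET = ipaddress.ip_network("192.168.61.0/24")  # untrusted laptop segment (assumed)
SINK_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}          # addresses a hosts file sinks names to


def parse_hosts_blocklist(text):
    """Return the set of hostnames the hosts file points at a sinkhole address.
    'localhost' is skipped so the stock entry is not treated as a malware name."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if addr not in SINK_ADDRS:
            continue                            # a real mapping, not a block entry
        for name in names:
            name = name.lower().rstrip(".")
            if name != "localhost":
                blocked.add(name)
    return blocked


LOG_RE = re.compile(r"\bsrc=(?P<src>[\d.]+)\b.*?\bhost=(?P<host>\S+)")


def find_infected_laptops(log_text, blocked):
    """Map each laptop-subnet source address to the blocked names it tried to reach.
    Any log line counts, allowed or denied: the lookup itself is the indicator."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue
        if src not in LAPTOP_NET:
            continue                            # only the laptop segment is of interest here
        host = m.group("host").lower().rstrip(".")
        # exact match, or a subdomain of a blocked name
        if host in blocked or any(host.endswith("." + b) for b in blocked):
            hits[str(src)].add(host)
    return dict(hits)


if __name__ == "__main__":
    names = parse_hosts_blocklist(SAMPLE_HOSTS)
    for src, hosts in sorted(find_infected_laptops(SAMPLE_LOG, names).items()):
        print(f"{src}: {', '.join(sorted(hosts))}")
```

Pointing the script at the real hosts file and the firewall's log export gives the "go remove it" list the earlier poster describes, per laptop address.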
Re:Here's a start for you. (Score:1, Funny)
Re:Here's a start for you. (Score:1)
Basically I have two subnets - 192.168.60.x (trusted) and 192.168.61.x (untrusted). Any computer that I don't explicitly put in the trust segment goes on 192.168.61.x, and can only send data out to the internet.
Untrust doesn't get SMB access to my server, ssh, nothing. They also can't communicate with the trust segment unless the computer on the trust segmen
Re:Here's a start for you. (Score:1, Informative)
Really, VLANs aren't that expensive to set up, especially with the kind of setup you have. You don't need 100 managed switches. You need one. You can pick up a bunch of old Bay Networks gear on eBay on the cheap. I'd recommend a 350T. It is a sixteen port 10/100 switch capable of trunking and VLANS. Configurable through SNMP and a pretty straightforward t
Re:Here's a start for you. (Score:1)
I have a question about the switch, how would that work if I only had one switch, since I have hubs in some areas of the house. Wouldn't it make sense to replace each hub with a switch, because I have trusted and untrusted devices on the same
Re:Here's a start for you. (Score:2)
In our office most people have laptops instead of desktops. They need to interoperate.
It does. Our administrator tried to turn on a policy whereby several times a day, the antivirus would start up. Problem: for some machines, it takes hours to run. The developers almost killed him because the machines were unusable dur
Re:Here's a start for you. (Score:3, Insightful)
Likewise, your machine shouldn't talk to any other user's machine directly. You should be talking to servers.
insurrection (Score:3, Insightful)
*ducks*
No argument (Score:1)
Re:No argument (Score:2)
Risk management (Score:1)
VPN + personal firewall mandatory (Score:2)
Re:Install Linux (Score:1)
That's a very elitist attitude. What about the people in marketing and sales who are likely to be clueless about computers and would have to learn something totally new to them? If they aren't a serious computer geek, they get fired?
I don't know what kind of world you think we live in, but Linux is not for everyone. Period. It has a wonderful place in the server world, and for some desktop users who really are into computers, but for your average sales drone, it
Re:Install Linux (Score:2)
Yes, it's an elitist attitude. All central control of dispersed machines needs to be or it's a nightmare. We're in the business of restricting the user's ability to do things, and more importantly, to add things.
No, these people really SHOULD be able to learn such a system. A. People are more versatile than you think, and B. The original poster is right -- if any computer literacy is involved in their job descr
Re:Install Linux (Score:2)
I don't know who rated the message you responded to as troll, guess we are getting troll moderators. There is a lot of truth to it. But to your last message:
I don't know what kind of world you think we live in, but Linux is not for everyone. Period. It has a wonderful place in the server world, and for some desktop users who really are into computers, but for your average sales drone, it has no place.
Now what in business today requires Windows on the PC part? Are we sure our dependence on Microsoft is
Re:Install Linux (Score:1)
I agree that most of the reason for not wanting to switch is because they're afraid of change, but th
laptop == teh suck (Score:2, Insightful)
I work for a large company, my boss excitedly says, "Hey do you want to trade your desktop in for a laptop?" I sternly reply, "Hell No!" Confused he asks, "Well why not?" I respond, "Well, I don't want to work from home and I don't want to be responsible for a $2000 computer which isn't mine."
Now I have 4 desktops under my desk
Re:laptop == teh suck (Score:2)
Yes you need a laptop. Very useful for meetings, every time the subject goes to something uninteresting you can get work done, and then pull back to the meeting instantly when it becomes useful. Not as productive as you would be when not at the meeting, but a lot more interesting and productive than the typical meeting.
When in a meeting with co-workers (the boss is not there), it is more useful, you can take notes, look-up code, or search for information without leaving the meeting.
Now if the choice is
Re:laptop == teh suck (Score:2)
Then you can't really call them "desktops," can you?
Re:laptop == teh suck (Score:1)
-Zan
Wow... (Score:2)
Also known in my state (Wisconsin) as a personal space heater.
security and malware (Score:2)
For malware, make sure that there are firm groupwide subscriptions to antivirus and spyware programs. Many of the good packages allow for mandatory updates, and they should be insisted upon in a corporate setup.
Re:security and malware (Score:1)
Deepfreeze (Score:5, Informative)
Actually, I think there is a configuration to allow it to make changes to a certain folder, i.e., c:\data that will not be wiped on reboot. Lots of fun for viruses too... Had a lab machine infected with something (never did look), rebooted the PC, and the virus went away...
Faronics sells this. [faronics.com]
Re:Deepfreeze (Score:1, Troll)
Re:Deepfreeze (Score:2)
Nope. You store your dev. env. in a "thawed" partition. In all of the lockdown programs I've used, you have the option of creating a partition that is not blown away on reboot. Deepfreeze and similar programs, when properly configured, are exceptional tools. They offer great virus protection, and even better spyware protect
Re:Deepfreeze (Score:1)
We looked in depth at Deep Freeze where I work (a healthcare provider). It wasn't suitable for a number of reasons:
Re:Deepfreeze (Score:1)
--Sam
"Windows Terminal Server"? (Score:2)
I've been wondering if it would be feasible to lock the laptops WAY down (bare minimum of applications to connect) and have people use "Terminal Services" to operate an internal computer rather than having everything installed on the "remote" computer.
Seems like it would be easier to control and avoid problems that way (and if you use NomachineNX, you can use the same "terminal" client for VNC and X11 logins as well...)
Re:"Windows Terminal Server"? (Score:2)
Re:"Windows Terminal Server"? (Score:2)
It would definitely reduce the functionality of the laptop away from networks, but wouldn't necessarily make them useless. "Windows Server 2003" appears to support a redirected local drive which appears as a "share" on the terminal session. Users who are going to be away from a network but NEED to work on something can use that to copy the file to the local drive before they disconnect, and then re-upload when they reconnect later.
That would slightly compromise the "nothing stays on the local system" but
Re:"Windows Terminal Server"? (Score:2)
Re:"Windows Terminal Server"? (Score:2)
Other than that we just have to keep AV/AS stuff running and up to date, and have scary policies regarding installation of non-approved applications to hopefully cut that down.
But please put Winamp on that list. Let's be realistic too, okay?
Re:"Windows Terminal Server"? (Score:1)
Installing the bare minimum (maybe even Linux running from compact flash) and locking it down so they are only allowed to connect to a terminal server certainly has its advantages.
They would need to be able to connect through ... LAN, dialup, broadband, wireless (office, motel, airport, web cafe etc), mobile data, directly or via a VPN. Of course, those tools would need to be installed and have a nicely locked down configuration that they can't f$#% with.
Re:"Windows Terminal Server"? (Score:2)
Kind of defeats the purpose of having a laptop, though...
Simple (Score:4, Insightful)
Treat them like internet machines (Score:1, Offtopic)
Assume the machines have viruses and trojans, and spyware through the wazoo.
Oh, have a policy that every 4 months, people have to turn their machines in for maintenance and reassignment. They won't think of these machines as "theirs" and they won't install crap (like their palm-pilot synch software).
I'm still out on filesystem en
Re:Treat them like internet machines (Score:1)
If the palm-pilot belongs to the employee then they can buy their own laptop and keep it synched on that.
Nothing against palm-pilots. They are great devices for many people.
Policy and control (Score:2, Offtopic)
Get the users to sign the AUP.
Put controls around the AUP - e.g. make sure the users can't install their own software and do this for them with LanDesk or similar. No use of IE, firewall only, etc.
Where's the Ha Ha Guy when you need him (Score:1)
This AUP will crumble when someone wants to see something in Flash, or use a Pen Drive, or plug into their friend's printer, or
Re:Where's the Ha Ha Guy when you need him (Score:2)
AUPs, SLAs etc. are all needed in order to be able to say "I told you so", albeit in more polite words. The only way you will cover your butt is to have it signed, in writing. Hearsay doesn't count.
Re:Where's the Ha Ha Guy when you need him (Score:1)
Re:Where's the Ha Ha Guy when you need him (Score:2)
Re:Policy and control (Score:2)
Too frequently, policies are overlooked as a solution to security concerns. The old adage about being unable to apply a technical solution to a social problem fits like a glove.
Draft a policy about laptop use, run it by whatever department heads or HR people you need, and mandate that anyone using a company laptop read and sign it.
Hopefully just the act of having read this will hammer home the point that these are not personal property, and for those remaining cases of abuse
VPN, policies, etc. (Score:3, Informative)
My company's (a large online e-tailer and book seller) approach involves several methods to protect remote machines and limit access.
For remote access, a customized platform agnostic VPN device (running an embedded linux) piggy-backs onto the laptop. The device is powered by the laptop's USB port, and acts as a firewall in addition to a VPN gateway. The device can connect to the internet either via its built-in compact-flash wireless card (supports WEP or open wireless) or an ethernet connection. When the tunnel is down, the laptop is still well protected by said firewall. When the tunnel is up, all traffic is routed through the VPN tunnel, and subject to corporate firewall rules. The VPN device is tied to the laptop's MAC address, and will not work with any other machine unless reprovisioned by an admin with appropriate rights. The user must authenticate on the device (which updates credentials each time it connects) before access is granted internally, and only the provisioned user has access to login to the device. Three failed login attempts will delete the data on the device, rendering it useless to any thief, and requiring it to be reimaged by corporate IT. The only means of accessing corporate data from "the outside" is via this device or a direct dial-up. There is zero access to internal systems without either of these methods (not even webmail). Dial-up numbers cannot be modified by the user which prevents them from connecting to any random ISP.
I don't know if either connection is dropped into a DMZ for further protection, however the local VPN device does packet filter certain types of packets on the way out for extra measure.
On the software side, the machines (when running Windows of some sort) run an antivirus and policy enforcement suite which is maintained by a corporate server. Policies enforce encryption of the user's mydocs directory should the laptop be otherwise compromised. Policies also restrict the user from installing software that isn't deployed via SMS. Additionally, anti-spyware software is installed on the machine to allow IT to remove threats. Because users must connect to the corporate network to do most job functions, these tools remain fairly up-to-date.
To protect the laptop, user passwords are changed regularly and a strong password requirement is enforced in addition to a fairly long password history retention to prevent reuse. Usernames are not retained in the login screen. Laptop screens are forced to lock after a short amount of time to prevent unattended access.
For browsing, users are permitted either IE or Firefox, however most users prefer the latter
I'm not sure on the size of your company, but if your budget allows, this seems to be a highly secure and, admittedly, well thought out means of enforcing security and protecting networks.
Re:VPN, policies, etc. (Score:1)
First, let me start with the good. A forced VPN is an excellent idea for laptops. Their wireless connectivity will often be used in airports or other places where open wireless is the only option. Having an encrypted transmission going through the corporate firewall can only be a good thing.
Now the worst: "Policies als
Re: (Score:3, Interesting)
Re:VPN, policies, etc. (Score:2)
Re: (Score:3, Interesting)
Re:VPN, policies, etc. (Score:2)
Re: (Score:2)
Re:VPN, policies, etc. (Score:2)
That's actually quite devious! I'll have to remember that..
There's a simple solution... (Score:2)
Lock the sons of bitches down hard. Don't allow the laptop user to install software. Don't allow them to run as an administrator account. Use policies to allow them to perform any administrative tasks that they might need, such as being able to change their IP address. Use a corporate-controlled firewall, preferably using a firewall that allows you to set a global policy and force it enabled. This is a host-based firewall, besides the actual corporate one to the Internet. Turn off all unnecessary ser
Re:There's a simple solution... (Score:2)
I knew I forgot something above.
Don't let your laptop machines on the same network as your desktops. Keep them on their own little quarantined network. In fact, the more you can quarantine each machine from each other, the better off you're going to be if something does get onto one of these laptops. The simplest thing to remember is that you control the laptop and need to lock it down as much as humanly possible, but at the same time, the laptop is the front-line soldier on the battlezone of the Intern
Re:There's a simple solution... (Score:3, Insightful)
Well, a lot of corporations don't differentiate. When replacement time comes around, we can get either a desktop or a laptop. Most people have laptops.
There's so muc
Re:There's a simple solution... (Score:2)
Maybe you misunderstood that I said that specific permissions be granted via policy, rather than blanket administration rights. Besides, I've been doing this for a long time now, and locked down machines tend to work better, have less problems, and users tend to be happier. The ones that get upset are the "Joe Admins" out there that think because they can admin their home box with their pirated copy of Windows XP, that they know anything about professional corporate environments. Remember that you don't
Updates + AV + Firewall (Score:2)
absolute standardization (Score:5, Insightful)
If the system is determined to not meet company standards, give the employee a day to remove personal and work files, and then take the computer back to your IT cave, scrub the hard drive, and re-install the standard image from scratch before giving it back to the employee.
If the company has purchased the laptop, it must be very very clear that the laptop, and everything on it, belongs to the company, period. Policies like this will help keep "innocent" employees from accidentally bringing back something hazardous to the company network, and any employee savvy enough to work around the restrictions should also have the skillz to avoid undetected malware.
And if you have trouble employees who keep getting caught with unauthorized files, software, or who keep bringing back malware infested machines, your security policy and the measures required to circumvent the policies ought to be enough ammunition to support firing them for cause. Or at least confiscating their computer, locking their account, and demoting them to a job that doesn't require the use of a computer. Like janitor or something.
Make it very clear that as their job depends on them having access to a computer, and their access to a computer absolutely depends on them taking care of it and following company policy, if they do something to cause their network and computer privileges to be revoked then they will either be moved to a less technical job or released.
My company works in a very similar fashion, except that we have the threat of jail time thrown in just for flavor. Guess what... Nobody f**ks with the IT guys and the very very few who violate policy and get caught become well publicized examples of how to ruin your life. Is installing that intardnet solitaire game, or peeking at the porn site worth your job? How about worth half your salary for 3 months and a month in jail before you get fired? Well, most companies don't need to go that far, but the general idea that messing with the IT resources is dangerous to company survival is something that nobody will seriously consider unless both the policies AND actions taken to enforce those policies are black and white. No questions asked, fail to bring in your laptop for a weekly update/scan and you lose computer network privileges until you comply. Fail to comply 3 times or get caught violating the rules 3 times, and lose privileges until reinstated by the appropriate company VP, board member, co-owner, whatever.
If you let people take advantage of the IT department, EVERYONE will bypass the rules. Sure, most slashdot readers could do that without causing harm and many could do it without any real risk of getting caught, but chances are that some of the policy breakers will be relatively incompetent and one single person can bring down the entire company, if the security compliance policies are not clearly defined and rigorously enforced, with real penalties for violations and repeat violators.
I've been on both ends of the corporate IT stick... Been beaten for sidestepping policy, and done the beating later on when it was my turn to enforce policy. There can't be any question in anyone's mind that the policies simply can't be broken without consequences, no exceptions.
Go ahead and do it differently, if you don't mind seeing your company on "CNN Money" next week as being the latest group who just let some intruder walk away with your customer database or all your company's proprietary info. Yea, that happened to my company too, with some stuff that had been outsourced. Sucks to know that access to my entire personal financial records has been stolen not once, not twice, but three times due to incompetent IT departments my company has outsourced to.
threat of jail time (Score:1)
SFAIK you cannot go to jail for a civil offense, and breach of contract is a civil offense, unless it's the government top secret part of the contract you breach.
Re:threat of jail time (Score:2)
Re:threat of jail time (Score:2)
Generally misuse of a laptop (installing Kazaa, browsing porn, screwing up all the settings etc...) would only be a breach of contract which is a civil offense.
Maybe you have different laws in the states from the UK/EU (laws where a civil offense results in jail time), but the fact that the civil trial of OJ Simpson for murder resulted in financial compensation and not
Re:threat of jail time (Score:2)
Military. Willfully breaking almost ANY rule, no matter how small, carries the potential punishment of confinement and/or real jail time, before getting fired.
Re:threat of jail time (Score:1)
Re:absolute standardization (Score:4, Insightful)
I just checked and found that as a part of DOING MY JOB, I need 50 - count them - 50 utilities that are not provided, certified, or approved to go on my laptop. I'm not a developer, but I am a tech lead for implementation of a COTS product deployed on a J2EE app server. Those 50 utilities include:
Cygwin, jEdit, filezilla, ultravnc, SP2 & a RAM defragger (b/c my laptop won't hibernate without it) ldap tools, putty, gaim, pdf utilities, an HTML editor, and many others. Pretty much none of these would be 'corporate approved' and without them, my job would be MUCH harder.
I can edit config files in notepad, which *is* corporate certified. Is it the most efficient tool? No way! Editing in jEdit is much richer and faster - syntax highlighting for perl, xml, shell scripts, batch files, etc.
This also does not address the issue with the fact that without local admin I'd be unable to install print drivers for my network-attached printer at home. I also would be unable to connect to my wireless LAN at home, because I would not be able to configure the WEP settings. Do I do real work at home? Yup.
Here's my point: I'm not using my laptop as a personal computer. My kids never touch dad's work laptop, and my personal software is installed on my personal PCs. Without local admin, my job would be MUCH harder. Is it expensive for our company to let me have a unique config? Probably. How expensive would it be to not let me have the tools I need to do my job?
What makes sense? In my view, you're penny wise and pound foolish to prevent me from installing the tools I need.
just my
Respectfully,
Anomaly
Re:absolute standardization (Score:2)
It can take *6 months* to get approval to install a no-cost, industry standard application (Eclipse, for example). Too many IT departments get into this us
Re:"if the company has purchased...." (Score:3, Informative)
Re:absolute standardization (Score:2)
Good luck getting this kind of policy enforced with the sales drones. They are an entirely different breed, and I guarantee that if a sales guy can't get to texanholdmpokr.com, it will be your fault.
He just has to say, "I can't get to the internet and make my deals/leads", and your policy will become the problem. The boss hears, "IT is keeping me from doing my job".
This problem goes much deeper than some simple policy changes.
Outlook PST Files (Score:2)
I'
Re:Outlook PST Files (Score:2)
Offtopic, but thread related. (Score:1)
This will just require you checking to see what subnet the laptop is currently on before copying. That's what my current systems do - it won't copy the files unless you are in the "office network" environment, based on the subnet.
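The "only copy when the laptop is on the office subnet" check described above, as an added example that is not the poster's own script: a Python helper that looks up the laptop's IPv4 addresses, allows the PST copy only if one of them falls inside an office range, and writes to the share through a temporary name so a dropped link never leaves a half-written file under the final name. The 192.168.60.0/24 office range, the file paths and the sample address lists are assumptions.

```python
import ipaddress
import shutil
import socket
from pathlib import Path

# Office ranges the copy is allowed from (assumed). A VPN address pool is deliberately
# not listed, so a laptop on a tunnel from a hotel does not trigger the copy.
OFFICE_NETS = [ipaddress.ip_network("192.168.60.0/24")]


def local_ipv4_addresses():
    """Best-effort list of this host's IPv4 addresses using only the resolver."""
    addrs = set()
    try:
        for info in socket.getaddrinfo(socket.gethostname(), None, socket.AF_INET):
            addrs.add(info[4][0])
    except socket.gaierror:
        pass
    return sorted(addrs)


def on_office_network(addresses, office_nets=OFFICE_NETS):
    """True only if at least one routable (non-loopback, non-link-local) address
    lies inside an office subnet; malformed strings are ignored, not trusted."""
    for a in addresses:
        try:
            ip = ipaddress.ip_address(a)
        except ValueError:
            continue
        if ip.is_loopback or ip.is_link_local:
            continue
        if any(ip in net for net in office_nets):
            return True
    return False


def backup_pst(pst_path, share_dir, addresses=None):
    """Copy the PST to the share when on the office network.
    Returns the destination Path, or None when the copy was refused."""
    if addresses is None:
        addresses = local_ipv4_addresses()
    if not on_office_network(addresses):
        return None                      # off-site or on the laptop segment: do nothing
    src = Path(pst_path)
    dst_dir = Path(share_dir)
    dst_dir.mkdir(parents=True, exist_ok=True)
    tmp = dst_dir / (src.name + ".part")
    final = dst_dir / src.name
    shutil.copy2(src, tmp)               # copy with timestamps to a temporary name first
    tmp.replace(final)                   # then rename into place in one step
    return final


if __name__ == "__main__":
    # Hypothetical paths; adjust to the user's profile and the backup share.
    result = backup_pst("outlook.pst", "pst-backups")
    print("copied to", result) if result else print("not on the office network, skipped")
```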
Re:Outlook PST Files (Score:1)
Re:Outlook PST Files (Score:2)
[...]
Any suggestions!?!?!?
Folder Redirection (put them in My Documents and redirect it) or a dedicated share that's mapped wit
Re:Outlook PST Files (Score:2)
Then put the
Re:Outlook PST Files (Score:2)
I replaced Exchange with Postfix and Courier IMAP, and I'm a happy mail admin since.
For the client side, I always hated Outlook, so I installed Thunderbird on all machines.
Unfortunately, out of a dozen users, only one seems to prefer Thunderbird. The others insist on using Outlook 2003, despite all the problems they regularly have with it. For example, Outlook doesn't start, complaining that the server is not accessible or something. They
Odd. (Score:2)
How about an escalating security policy? (Score:2)
Second, if a machine gets really fucked up, you'll want to be able to fix it quickly. I suggest using disk images. You'll need to partition the disk drive so that you can re-image without wiping out the user's files. Remember that with NTFS, you can mount a partition in any empty folder. You know what to do
Repeat after me... (Score:2)
If you don't control the laptops, don't trust them to behave. Design your network and servers -- the things you can control -- with the idea that they can be 'attacked' from anywhere; Internet or intranet.
Here's How (Score:2)
Ed Almos
Budapest, Hungary
Too many BOFHs (Score:1)
Your job is to provide me with the IT tools I need to do my job. Have all the policies you want, but the second those policies keep me from doing my job, they have to give way.
How about this? You give me adm
Re:Too many BOFHs (Score:1)
Simple solution (Score:1)
An easy solution... (Score:1)