Re: Home laptops on a corporate network



It's dangerous, but not impossible to guard these systems. Step one is making sure they're joined to the domain. Step two is making sure the group policies on these systems are very strict (I'd advise putting them in their own OU for this reason). Step three would be to have a remote management solution in place.

Personally I would recommend SMS for managing remote systems. It's a beast and you need to keep your eye on it, but it'll tell you everything you want to know but were afraid to ask (including patches applied and missing). You can also use SMS for software deployment.

It takes a lot of work to secure off site systems, but it can be done. Just need to really work on setting up your GPs right and remote system management. Personally, I would allocate only corporate provided laptops for this task since you can control the imaging and there's no question as to who is the owner of the system.

Also, disable the local system administrator account on these machines (if a domain admin can't work on it remotely then the machine should be treated as broken or compromised and have to be brought in for reimaging). Make sure they can't boot from anything but the HDD and that the BIOS is password protected (important note: using the same password on every system is a very bad idea). Use a different password per system and keep that information in a central DB (you could use the system's serial as the PK) for the help desk/NOC people to see. I would also recommend setting the startup password (if the laptop allows it - my ThinkPad does), but make it a semi-easy password (last name of assigned owner maybe, but that's up to you) so the user doesn't write it down on a Post-it note and stick it to the keyboard.

Geoff

Sent from my BlackBerry wireless handheld.
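An added audit script (not part of Geoff's message or the original thread) that checks, on a single laptop, the machine-level items he lists: domain membership, the built-in local Administrator account being disabled, patch freshness, and the BIOS serial number to use as the primary key in the central per-system password table. It assumes a current Windows client with the LocalAccounts module and an elevated session; the domain name is a placeholder, and BIOS boot order and BIOS password state are not checked because there is no vendor-neutral way to read them.

```powershell
# Added example, not from the original thread. Run elevated on the laptop.
$ExpectedDomain = 'corp.example'   # placeholder: replace with your AD domain

$results = [ordered]@{}

# 1. Domain joined, and to the right domain?
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['DomainJoined'] = [bool]($cs.PartOfDomain -and ($cs.Domain -ieq $ExpectedDomain))

# 2. Built-in local Administrator disabled? Match on RID 500 so a renamed
#    account is still found.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$results['LocalAdminDisabled'] = [bool]($null -ne $builtinAdmin -and -not $builtinAdmin.Enabled)

# 3. Serial number: the key for the central BIOS-password record.
$bios = Get-CimInstance -ClassName Win32_BIOS
$results['Serial'] = $bios.SerialNumber

# 4. Patch freshness: days since the most recent hotfix with a recorded date.
#    A stale box should be caught up by your management tool before it is trusted.
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if ($latest) {
    $results['DaysSinceLastHotfix'] = [int]((Get-Date) - $latest.InstalledOn).TotalDays
} else {
    $results['DaysSinceLastHotfix'] = $null
}

# A machine failing 1 or 2 is treated as broken or compromised: bring it in for reimaging.
if ($results['DomainJoined'] -and $results['LocalAdminDisabled']) {
    $results['Verdict'] = 'OK'
} else {
    $results['Verdict'] = 'REIMAGE'
}

[pscustomobject]$results | Format-List
```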

-----Original Message-----
From: christopherkelley@xxxxxxxxxxx
Date: 8 May 2007 17:11:32
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Home laptops on a corporate network

I'd recommend NOT doing this. Especially if you are trying to comply with HIPAA. Keep in mind that you will have little to no management capability over these personal laptops, which means you have no ability to verify patch level and AV updates on these machines that may have EPHI on them. Not to mention the fact that these employees are probably taking them home and plugging them into their home networks, where they (or their kids) are running BearShare, Gnutella, Grokster, BitTorrent, and surfing to unfiltered web sites. Not only does this mean that they are potentially exposing critical data in this manner, it also means they are bringing potentially infested computers into the soft chewy center of your network.


Whenever you have an employee with a laptop, you create a liability to your network; allowing them to use personal laptops presents an even bigger liability. IMHO, this level of risk is unacceptable, especially from a HIPAA compliance standpoint.

