Reducing The Negative Impact of Laptops

Mark Brunelli wrote to mention a SearchEnterpriseLinux column about reducing the negative impact laptops can have on a network's security. From the article: "Portable computers often become an extension of the person using them. It is no surprise that laptop users are inclined to be rather autonomously minded. Many users don't realize that the power they have to install software and change settings is risk prone. Fortunately, larger corporations that install Microsoft Windows XP Professional usually don't grant the laptop user full administrative rights. The same cannot be said of smaller businesses, many of which simply purchase laptops from the local store -- laptops pre-installed with Windows XP Home Edition. "

Linux

[mysqlrocks]

Better still, use the truly secure Linux operating system. Six months after making the change, you will not use Windows again. The cost of Linux is also much less than the cost of upgrading Windows XP Home Edition to Windows XP Professional.

Unfortunately Linux isn't as easy to use for most people. How about suggesting that they use a Mac? Macs are secure and are easy to use.

Some standard security items..

[knightinshiningarmor]

It's very true that laptops are a higher risk than desktops.

1) Most laptops now have wireless cards. If this is the case, use an encrypted connection to an AP.

2) Even then, use as many encrypted streams as you can (ssh, https, pop3s/imaps, etc.).

3) Physical security. It's easy for anyone to run off with your computer. So keep track of it... don't leave it on the table at the library.

Please tell me your joking

[nukem996]

The GPL does state that any changes made to the kernel has to be open source but if you did everything as a modules(does not touch the kernel source just lets the kernel load this to extend the kernel) you could of kept it closed source and stuck with Linux. Many companies do this such as nvidia and ati. You should of done some research before spending time and money and planned to do this as a module.

Re:Linux

[nukem996]

ummmm maybe if they only use the command line. Have your users use KDE, my 90 year old grandfather uses it just fine. Infact I think KDE would be much easier to switch to then Mac. Many of the features such as Start, file browsing, and look are the same.

Re:Laptops get around too much

[(H)elix1]

Outbreaks were correlated with a particular individual coming back to the office with his laptop after working elsewhere. I think it must be something about the way he uses that system; what sites he goes to, probably; which causes it to be so riddled with viruses.

You would not believe the crap you have to deal with on hotel networks. If anyone is counting on the firewalls keep the network clean, guess again. This has to be at the machine level, each one an island. I keep the shield up on my laptop and (knock on wood) have yet to have an issue - but most of the broad band connections your typical road warrior deals with is a cesspool of worms, viruses, and other such nasties.

Re:Please tell me your joking

[Anonymous Coward]

Wrong. If you release the changes to the GPL'd code to the public THEN you must make the source available. If it's purely in-house, then you can make all the changes you want to without releasing anything.

A slight amendment is in order...

[PetoskeyGuy]

This should read...

Mark Brunelli, News Editor of searchEnterpriseLinux.com wrote to mention a SearchEnterpriseLinux column about reducing the negative impact laptops can have on a network's security. From the article: "Portable computers often become an extension of the person using them. It is no surprise that laptop users are inclined to be rather autonomously minded. Many users don't realize that the power they have to install software and change set

I don't mind plugging articles for your own site, but at least practice full disclosure.
http://searchenterpriselinux.techtarget.com/meetEd itorial/0,289131,sid39,00.html [techtarget.com]

Re:Windows security

[Anonymous Coward]

Like I mentioned once before...

Damnit!

As I mentioned once before...

Didn't you guys have English class in middle school?

Love,
The Grammar Nazi

This is where you find a support solution.

[Agarax]

Get a freakin' help system in place so that I don't have to waste time clicking at stuff, getting annoyed, and then decide to give up altogether because it didn't work.

Well, for a Unbuntu end user there is always just paying [ubuntu.com] for real techsupport. I know Redhat can help out with getting Wine to work (saw it happen), dont know about Canonical.

For a business I would never even consider using a specific distro unless there was a live person on the other end of a phone line. It just wouldn't happen otherwise.

Redhat, Canonical, and Novell all offer excellent support for Linux, you cant go wrong.

I locked my sister's kids out of windows XP Home..

[kesuki]

Just by adding a second account in the control panel, and changing the (default) administrator account to have a relatively secure password.

Since when does having windows XP Home edition prevent you from adding multiple users, some of them restricted users who can't install software? is it because you only know how to use XP pro's tools to manage security? you don't know how to lock down IE with the help of a few simple freeware utilities you can download off the internet ;)

I don't get it :) why do small businesses need to buy XP pro when XP home has enough of the features to do everything that is 'easier' to do in XP Pro?

If I'm missing some big reason please tell me, other than XP pro costs at least $120 more (oem pricing) why someone needs to run Pro to do something i did on XP home just last weekend...

Well, go and set up the Computer correctly

[dzafez]

Make your checklist and go through it with any Notebook that is introduced to the Company.

# encrypted /home (I don't remember what it is called on Windows) prevents a lot of ugly
things we see from stolen Notebooks nowadays.

# /home (he did it again) must be mirrored (possibly unencrypted) on a Server, (I think
you got to check for the term server side
profiles)

# No Administrative rights! I mean absolutely no administrative rights on the standard
working User!

# The Notebook needs to go back to IT-Department on sporatic calls once or twice
a year to check if the user breached the security rules of the Company (...pr0n, fun tools...)

# automatic windows updates, asap ! (Hell yea I know we like to know what is beeing installed,
but this notebook is not allway available for the Admin)

# Centralized AV-Updates (this puts the power back to the Admin, we like that)

# All connections to the LAN from anywhere go through a VPN, even WLAN.

# Once you have done the whole setup, you may want to use dd (or ghost or ...) to take a
image of the notebooks Harddrive. So you never need to so this for this Notebook again.

# YES, please document what you did, so the next Notebook will not be such a pain. This
also gives you the possibility to review the security every now and then.

I surely forgot something, but this is a starter! Feel free to put more on the lis /. folks!

Re:Pocket Knife

[Anne Thwacks]

This isn't to say these people are dumb

Maybe you have forgotten, or maybe not, but 50% of people are of below average intelligence.

I'd bet good money that a good portion of those of above average intelligence, are not working for someone else in a capacity where they have to take their work home with them.

Companies - the kind of person that is willing to take home his/her work home on a laptop is generally unsuitable for the task. (See Groucho Marx on Club Membership)

How about 10,000 laptops with XP Home?

[Demerara]

I was recently involved in an international procurement where 10,000 laptops were supplied with XP Home. The mission-critical application on the laptops was highly secure - all data was encrypted to a high degree but the laptops themselves were wide open to attack or, more likely, inadvertent denial of service by ignorant or curious users.

By the time I flagged this appalling oversight, the procurement process was too far advanced. So, a US$44 million procurement went ahead using XP Home on the kits.

The application? Electronic Voter Registration in a large sub-saharan country in Africa.

So it's not just small businesses who drop the ball.

The budget will never be there to upgrade to XP Pro. And they simply don't have the skills to replace XP with a Linux distro and port the application (which is proprietary anyway).

Does anyone have thoughts on what can be done to improve the security of XP Home?