Reducing The Negative Impact of Laptops

Mark Brunelli wrote to mention a SearchEnterpriseLinux column about reducing the negative impact laptops can have on a network's security. From the article: "Portable computers often become an extension of the person using them. It is no surprise that laptop users are inclined to be rather autonomously minded. Many users don't realize that the power they have to install software and change settings is risk prone. Fortunately, larger corporations that install Microsoft Windows XP Professional usually don't grant the laptop user full administrative rights. The same cannot be said of smaller businesses, many of which simply purchase laptops from the local store -- laptops pre-installed with Windows XP Home Edition. "

Re:My company is doing this lockdown approach

[mrbooze]

What I've heard of some businesses doing is giving developers/consultants/whatever two hard drives per laptop. One hard drive has the "corporate" image on it with full access to the network, email, etc. The second hard drive has the "developer" image, which they can mess with to their heart's content, but that has limited ability to affect the network.

As an long-time IT person myself, I can see the ways in which that would make my job easier, but it also just seemed ridiculously restritictive on the ability of people to do their work. Can't check email or your outlook calendar and write code at the same time?

Laptop Lockdown

[jcnnghm]

Laptops that are permitted out of the office have to be setup as untrusted devices. Run separate cables, or make the user login wirelessly allowing limited, if any, local network access, but allowing full Internet access.

Basically, you have your primary LAN of machines that never leave the office, and your wireless lan of laptops that are blocked from the primary lan. Both networks should be able to connect to the Internet, and laptop users would be required to connect to network services just as if they were out of the office.

Good wireless AP's should be able to block laptop to laptop communications, so that all the wireless network provides is internet access. Your network services should be hardened from Internet attacks already, and if they are not that should be addressed before any laptop related issue. /*
  This has worked relatively well for me, might have a huge whole I don't see
*/

dear god

[Anonymous Coward]

don't you dare lock down the one fucking machine i have access to that isnt crippled by office manager paranoia. Every time i want to install something I have to explain it to our office manager. "activeperl...huh?" "why the fuck you need java?" Sure, maybe if you're IT laptops suck, but i'm a the lone nerd in a company that does mostly net based research. For me having access to the unlocked travel laptops is the difference between weeks of data entry and spending a couple hours surfing /. while a script does all the work.
As an aside, our laptops have XP home, but our desktops have 2000. I have to ssh into my home computer (Mac), ftp the data file, process, and then ftp the results back. f..kin pain in the ass. nough rambling.

It happened where I used to work

[R3d M3rcury]

Actually, the last large corporation I worked for caught Code Red from a salesman's laptop. This salesman was in Australia, far away from the IT Department.

Even better: It was a security company.

Best of all: It was the Mac team that brought it to the IT Department's attention.

How about this for a compromise

[Julian Morrison]

IT boss to employee: "you have two choices:

1) A laptop with admin rights, that has no direct access to our LAN, but only a connection to a special quarantine server, which we will use to check everything you upload before letting it out onto our LAN, or...

2) A laptop with no admin rights, locked down so tight you can't even change your own wallpaper, but which is a full peer on the LAN.

You get to pick whichever suits your working style best."

Re:Linux

[wfberg]

When Microsoft added the windows keys, they just needed to create a new keyboard layout and map two (three?) new scan codes - something trivial to do. Making the windows key generate a hardware interrupt would have required modifying the BIOS - something a lot harder for MS to do.

It's trivial to wire the windows key in such a way that pressing it has the same effect as pressing ctrl, alt and del simultaneously.

In fact, it's easier than adding a new scancode. Just have the ctrl, alt and del circuits on the keyboard run through the windows key as well.

As a side benefit, you could now be sure that the start menu is always the OSes start menu.

Never mind the fact that once windows takes over, the BIOS doesn't have a thing to say about ctrl+alt+del anymore. (If it did, your computer would reset) Windows could just as easily make a different scancode, or a combination like Alt+SysReq, the secure attention key. In fact, Alt+SysReq is what linux kernels trap for debugging purposes; no user mode program can intercept Alt+SysReq.

So, I have to disagree here. The windows key is just marketing. They could've also added copy and paste buttons, and volume up+down buttons to the windows approved layout, but didn't. Now those keys are all over the place in all sorts of "multimedia" keyboards, along with insane buttons for checking e-mail etc.