Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Portables Hardware

Reducing The Negative Impact of Laptops 221

Mark Brunelli wrote to mention a SearchEnterpriseLinux column about reducing the negative impact laptops can have on a network's security. From the article: "Portable computers often become an extension of the person using them. It is no surprise that laptop users are inclined to be rather autonomously minded. Many users don't realize that the power they have to install software and change settings is risk prone. Fortunately, larger corporations that install Microsoft Windows XP Professional usually don't grant the laptop user full administrative rights. The same cannot be said of smaller businesses, many of which simply purchase laptops from the local store -- laptops pre-installed with Windows XP Home Edition. "
This discussion has been archived. No new comments can be posted.

Reducing The Negative Impact of Laptops

Comments Filter:
  • Linux (Score:3, Informative)

    by mysqlrocks ( 783488 ) on Friday September 16, 2005 @11:48PM (#13582719) Homepage Journal

    Better still, use the truly secure Linux operating system. Six months after making the change, you will not use Windows again. The cost of Linux is also much less than the cost of upgrading Windows XP Home Edition to Windows XP Professional.

    Unfortunately Linux isn't as easy to use for most people. How about suggesting that they use a Mac? Macs are secure and are easy to use.
    • Re:Linux (Score:4, Insightful)

      by MellerTime ( 915490 ) on Friday September 16, 2005 @11:55PM (#13582756) Homepage
      I have to agree... Everyone always brings up 'switch to Linux instead!' when you mention Windows security problems. That's great in theory, and I'm sure your network admin might actually do that. Then again, he's probably not the one bringing the virus onto your network in the first place.

      The real world situation is that people are idiots. They can't even use the big pretty blue buttons in Windows XP, much less Linux. If they don't know that the big Novell login screen with the buttons saying 'Press Ctrl + Alt + Del to begin.' is telling them they should press those keys to get started, what chance is there they'll know what to do with one of the somewhat useless messages Gnome generates when an application crashes? (And yes, that most certainly was a 100% true story... I shit you not!)

      Besides, I know our company builds their applications from scratch. While we are moving more to a web-based application model, we still have 95% of our programs written in Delphi, and even support a legacy DOS-based system. There's no way we'd get all that ported to Linux any time in the next 2 years, even if we dropped everything until it was done.

      The point is, stop suggesting the supposedly "ideal" scenario that no one will ever be able to obtain. We're stuck with Windows (at least for the time being anyway), so we may as well focus on THAT problem and try to do the best we can with the tools we have. Let's worry about keeping Billy the marketing Intern from bringing Klez onto our network first, and THEN worry about changing the world later...
      • The point is, stop suggesting the supposedly "ideal" scenario that no one will ever be able to obtain.

        Because everyone is using a collection of software comprised of 95% home grown Delphi apps?

        So you're stuck with windows. Fine.
        Some people aren't, and the suggestion of using Linux is legitimate.

        Let's worry about keeping Billy the marketing Intern from bringing Klez onto our network first, and THEN worry about changing the world later...

        You worry about your network. No need to try discourage others
      • That doesn't keep them from switching over to OSX does it? No user friendliness issues in OSX. No virus issues either. And you would think that the 17" powerbook would be the perfect way for upper management to prove they've got the biggest dicks in town at those sales meetings and trade shows. But even bring up Apple gear to your local IT department and they'll fall over themselves to get you out of their office, going on about not supported blah blah blah. Of course, without virusses on the network and w
        • I think that if the user can't figure out how to use ctrl+alt+del, it's not a problem with the software.
          • I think that if the user can't figure out how to use ctrl+alt+del, it's not a problem with the software.

            Why not? If you couldn't work out how to start your car, would it be your fault? It seems to be what you're implying...
            There's too much reliance on the "User is always wrong" approach in producing software and interfaces for it and that if they have a problem, they should just "deal with it". Consumer devices that take this approach just generally fail to catch on. If something says "Press Ctrl+Alt+

            • Why not? If you couldn't work out how to start your car, would it be your fault?

              If a big message popped up on the inside of the windshield (mmmmm... automobile HUDs...) that said "Depress [brake/clutch] and insert key. Turn key clockwise." and they still couldn't figure it out... uhh yeah, that would be my fault.
        • No user friendliness issues in OSX

          If you think you can just sit the average user in front of a Mac and they'll have no issues using it, you're seriously delusional. Remember, these same users have problems with the NT login screen.
      • While we are moving more to a web-based application model, we still have 95% of our programs written in Delphi, and even support a legacy DOS-based system. There's no way we'd get all that ported to Linux any time in the next 2 years, even if we dropped everything until it was done.

        There's WINE and DOSEMU. You don't have to worry about porting them.

        You may not want to and that's your right, but let's not pretend that you can't.

        LK
      • If they don't know that the big Novell login screen with the buttons saying 'Press Ctrl + Alt + Del to begin.' is telling them they should press those keys to get started, what chance is there they'll know what to do with one of the somewhat useless messages Gnome generates when an application crashes?

        These days, the login screen for windows show a little animation of three buttons being pressed simultaneously. Which prevents people from misinterpreting the message to "press ctrl+alt+del" to mean to press t
        • Control-alt-delete predates Microsoft, and can be traced back to IBM. It was a debugging sequence added while the PC was still in testing which sent a hardware interrupt. It is used in NT to log in because it is impossible to write software on a PC that catches it without running at a privileged level.

          When Microsoft added the windows keys, they just needed to create a new keyboard layout and map two (three?) new scan codes - something trivial to do. Making the windows key generate a hardware interrupt

          • Re:Linux (Score:3, Interesting)

            by wfberg ( 24378 )
            When Microsoft added the windows keys, they just needed to create a new keyboard layout and map two (three?) new scan codes - something trivial to do. Making the windows key generate a hardware interrupt would have required modifying the BIOS - something a lot harder for MS to do.

            It's trivial to wire the windows key in such a way that pressing it has the same effect as pressing ctrl, alt and del simultaneously.

            In fact, it's easier than adding a new scancode. Just have the ctrl, alt and del circuits on the k
        • .....but to still misinterpret the "ctrl+alt+del" instruction.....

          Why does there, on a modern computer still have to be such a funky key combination just to get into the system? Apple has it right. Just click on a cute picture next to the users name. After typing a password into the little window that appears the user is logged on. Why does it have to be more complicated? On my win2k computer it works that way, except the user has to type the login name above the password space also.
    • Re:Linux (Score:3, Informative)

      by nukem996 ( 624036 )
      ummmm maybe if they only use the command line. Have your users use KDE, my 90 year old grandfather uses it just fine. Infact I think KDE would be much easier to switch to then Mac. Many of the features such as Start, file browsing, and look are the same.
    • At the place I currently work they need to produce an awfull lot of documentation and other paperwork, so they got a couple of big xerox machines. These machines are of such calibre that they need a complete PC to control them. Guess the OS that runs them? No not linux, Solaris an unix that is way way harder to use.

      And it is isn't Solaris in the background, it is the desktop from wich you control the machine.

      Have the people working with it got any problems with using a real OS instead of the pretty button

    • Linux is perfectly easy to use as a desktop when someone else sets it up for your needs. Easier than Windows or OSX usually.

      It's a lie to say any computer is secure though. Even if it runs Linux or OSX a laptop is more of a security risk for the network simply because it's had more chance to be outside the control of any and all security policy. Never trust that the user's computer is secure.

      Of course Windows is so insecure that I would never allow any employee of mine to connect to my corporate network wit
    • ... on the sucessful deployment of a well crafted stealth-troll. Judging from the response you got it didn't show up on the radars of many of the resident Linux users.

      That being said I agree with you (despite the troll factor). For the average user OS.X is definetly easyer to install and use on a laptop than Linux. I know a number of Linux laptop users and I shudder to think what Joe User would do when confronted with some of the flaming hoops these guys had to jump through, for expample, to get their Wifi
      • For that 100% accurate comment you get a new fan. This is the point I keep making, and the point which Linux zealots keep replying to with "Oh it's easy, download xyz, sudo this, make install, emerge it, recompile the driver and you're done!".

        Linux does not make life easy for the user. OS X does. Windows does to some extent.
  • It's very true that laptops are a higher risk than desktops.

    1) Most laptops now have wireless cards. If this is the case, use an encrypted connection to an AP.

    2) Even then, use as many encrypted streams as you can (ssh, https, pop3s/imaps, etc.).

    3) Physical security. It's easy for anyone to run off with your computer. So keep track of it... don't leave it on the table at the library.
  • by MichaelSmith ( 789609 ) on Friday September 16, 2005 @11:53PM (#13582744) Homepage Journal

    Until recently I was involved in administrating a linux server on a network of windows workstations. The server primarly operated as a gateway to the internet.

    Every now and then some horrible worm would get lose on the network and fill the internet connection with crap. I would get the blame for it of course (internet not working).

    Outbreaks were correlated with a particular individual coming back to the office with his laptop after working elsewhere. I think it must be something about the way he uses that system; what sites he goes to, probably; which causes it to be so riddled with viruses.

    I am not managing that system any more. Good riddance. The versatility of laptops is letting them down in this instance. If the owner is a bit of an idiot no amount of management will keep them out of trouble.

    • I think iptables (or some such packet filtering system) would be your friend here. Whatever comes from his wireless NIC has a particular Ethernet address, the first tool of your filtering. After that, whatever matches an infection fingerprint gets rejected. And if you get too many false positives, well, too bad for him, huh?

      But I think you took the smarter route here (no pun intended). Dump it onto someone else to deal with.
    • by (H)elix1 ( 231155 ) <slashdot.helix@nOSPaM.gmail.com> on Saturday September 17, 2005 @12:03AM (#13582793) Homepage Journal
      Outbreaks were correlated with a particular individual coming back to the office with his laptop after working elsewhere. I think it must be something about the way he uses that system; what sites he goes to, probably; which causes it to be so riddled with viruses.

      You would not believe the crap you have to deal with on hotel networks. If anyone is counting on the firewalls keep the network clean, guess again. This has to be at the machine level, each one an island. I keep the shield up on my laptop and (knock on wood) have yet to have an issue - but most of the broad band connections your typical road warrior deals with is a cesspool of worms, viruses, and other such nasties.
    • Part of the problem is the default settings of Windows XP Home and Professional. I really wish there was a "secure laptop" Local Security Policy profile that a user could select to automatically configure all of the XP services, etc. Whenever I purchase a new laptop, I have to spend a whole day disabling potentially insecure things like UnPNP, Telnet, Remote Desktop, Remote Registry, SSDP discovery, guest account, default file and printer sharing, etc. and setting up IPSec policies.

      What I really want is a
    • What really helps for this sort of use is a DMZ configuration. Laptops get put on dedicated network ports on a separate VLAN (if your switch doesn't support 'em, time to get one that does, or build parallel infrastructure), or even on a wireless network. Either way, all laptops go onto a network that arrives at a single dedicated port (physical or vlan'd virtual) on the firewall. The firewall treats that as untrusted as it would a DMZ, and only offers public external services to it.

      If your laptop users want
      • Thanks for that. There have been a lot of interesting suggestions in this thread.

        I was only brought in to do the server and they didn't pay me to run the whole system. They had a few people with just just the right amount of knowledge (enough to be able to change things, not enough to be able to do it properly) and I would never have been able to lock them out of their machines, even if I had been paid to maintain them.

        It was too political, nobody was in charge. I am not sorry they decided to go elsewher

        • Yes, it's a difficult situation where your control is limited and those running the other parts of the system aren't concerned about the issues or willing to listen.

          As for the network, if you do get the chance then a good stackable managed switch (ie backplane stacking , not connect-the-uplinks) with serial console is your best friend :-)
    • Outbreaks were correlated with a particular individual coming back to the office with his laptop after working elsewhere.

      Your network had a patchbay, right????

      Figure out what port that guy connects his laptop to, and put it on it's own subnet. If you don't have a switch that can vlan, then give him a port direct into a linux/BSD box (of you have to, dedicate an old desktop to him as a firewall. A P75 can handle 10 Mbit without breaking into a sweat. (I only have 10Mbit cards in my BSD box, so I can't

  • by Anonymous Coward
    "...laptop users are inclined to be rather autonomously minded..."

    How many people have struggled with the problem of free will. I know I have. The idea of free will is ages old and unresolved until now. Now we know laptop users have free will. Tyranny got you down? Buy a laptop.

  • Damn you XP Home (Score:3, Insightful)

    by max99ted ( 192208 ) on Saturday September 17, 2005 @12:05AM (#13582801)
    As a small business IT support guy, I see this all the time. Lawyer X or Dentist Y grabs the latest laptop deal from Dell, brings it to work, and finds out he can't connect to the 'server', which either leads to some kind of limited workaround or an overpriced 'upgrade' to Pro, both costing them money (my time or a sticker, registry fix + more of my time). I'm always telling clients to ASK ME FIRST before buying something but as anyone in the same business will know, that can be rare.
  • by cheezus_es_lard ( 557559 ) <cheez17NO@SPAMgmail.com> on Saturday September 17, 2005 @12:09AM (#13582815) Homepage
    I'm involved in a 'new technology' pilot for the IT department in my company, a Fortune 100 presence, and they're looking to force this down our throats. I'm a consulting network engineer, and I have a distinct need to be able to install a very large suite of custom applications, as well as make changes to network settings, etc. as part of my daily work. I can understand the potential security risks, but if it makes me unable to do my job producing revenue for the company, it's an unacceptable change.

    I will fight this, because users need rights too.
    • What I've heard of some businesses doing is giving developers/consultants/whatever two hard drives per laptop. One hard drive has the "corporate" image on it with full access to the network, email, etc. The second hard drive has the "developer" image, which they can mess with to their heart's content, but that has limited ability to affect the network.

      As an long-time IT person myself, I can see the ways in which that would make my job easier, but it also just seemed ridiculously restritictive on the abili
  • Laptop Lockdown (Score:5, Interesting)

    by jcnnghm ( 538570 ) on Saturday September 17, 2005 @12:18AM (#13582851)
    Laptops that are permitted out of the office have to be setup as untrusted devices. Run separate cables, or make the user login wirelessly allowing limited, if any, local network access, but allowing full Internet access.

    Basically, you have your primary LAN of machines that never leave the office, and your wireless lan of laptops that are blocked from the primary lan. Both networks should be able to connect to the Internet, and laptop users would be required to connect to network services just as if they were out of the office.

    Good wireless AP's should be able to block laptop to laptop communications, so that all the wireless network provides is internet access. Your network services should be hardened from Internet attacks already, and if they are not that should be addressed before any laptop related issue. /*
      This has worked relatively well for me, might have a huge whole I don't see
    */
    • I was thinking of a process similar to this. Simply assume that all road-warriors are worm infested. Any access physically on the premise or while away must be done via a VPN. This give you a physical (such as your WLAN idea) and logical (you can block and edit the data how ever you like) separation from the rest of the network. Sure it would probably be a hassle to setup and slower for the User, but it does provide a good separation for the manage and unmanaged machines.
  • if you're running windows servers, lock them down (both externally and internally), lock down your Active Directory.

    If you want XP Home machines to be able to authenticate on the domain, just force them to connect to an internal VPN - their VPN credentials will be used for connections to local services (exchange, file servers, etc...)

  • I just finished reading the "Stolen U.C. Berkley Laptop Recovered" posting. I'd agree with the biggest threat to and of laptops for corporate use is loss/theft. If it's lost chances are someone's going to try to access the contents. There needs to be required encryption of the hdd, the data is probably worth far more than the cost of a replacement. Also restriction of what data can be copied to a company laptop. Over the last day there has been postings on the U of Miami at Ohio and U.C. Berkley student inf
  • by PetoskeyGuy ( 648788 ) on Saturday September 17, 2005 @12:47AM (#13582943)
    This should read...

    Mark Brunelli, News Editor of searchEnterpriseLinux.com wrote to mention a SearchEnterpriseLinux column about reducing the negative impact laptops can have on a network's security. From the article: "Portable computers often become an extension of the person using them. It is no surprise that laptop users are inclined to be rather autonomously minded. Many users don't realize that the power they have to install software and change set

    I don't mind plugging articles for your own site, but at least practice full disclosure.
    http://searchenterpriselinux.techtarget.com/meetEd itorial/0,289131,sid39,00.html [techtarget.com]
  • For all of you admins that hate when Lawyer X or Dentist Y brings a brand new Dell laptop with XP Home Edition onto your network. How would you react to Teacher ZZZAlpha who brings an iBook or Designer XXX who brings a Powerbook with Tiger?

    I'm just curious.

    We have XP Prof. with Active Directory logins at our school, but I (Teacher ZZZAlpha) often bring my iBook in with me to play MP3s, audiobooks, or show Simpsons episodes that are not out on DVD (I'm a teacher, so I can't afford an iPod). I can login t

    • I wouldnt have a problem with it, assuming it was cleared by those that make the rules. OSX is easy (in theory, never had the chance) to connect to networks, assuming theres no wierd stuff needed to connect to..
    • OS X can join AD networks, XP Home can't. XP Home has also been crippled in a way that makes setting up user permissions an absolute nightmare at best, and I've seen a number of occassions where it simply started assigning permissions to files at random.

      Given that, I'm sure most admins with a clue would far rather have to support i/PBooks on their network than notebooks running XP Home.
  • by kesuki ( 321456 ) on Saturday September 17, 2005 @01:19AM (#13583032) Journal
    Just by adding a second account in the control panel, and changing the (default) administrator account to have a relatively secure password.

    Since when does having windows XP Home edition prevent you from adding multiple users, some of them restricted users who can't install software? is it because you only know how to use XP pro's tools to manage security? you don't know how to lock down IE with the help of a few simple freeware utilities you can download off the internet ;)

    I don't get it :) why do small businesses need to buy XP pro when XP home has enough of the features to do everything that is 'easier' to do in XP Pro?

    If I'm missing some big reason please tell me, other than XP pro costs at least $120 more (oem pricing) why someone needs to run Pro to do something i did on XP home just last weekend...
    • why do small businesses need to buy XP pro when XP home has enough of the features to do everything that is 'easier' to do in XP Pro?

      As far as I have been able to find, there is no practical way to set advanced file permissions on a XP Home OS -- EG, removing all permissions from a troublesome file to preclude "accidental" execution OR reinstallation. And, yes, this is really useful in many security situations.

    • XP Home doesn't support domain authentication. Your average MCSE doesn't know how to handle that and insist on the user buying XP Pro for $500. There are some workarounds, but they are not pretty since they all require the installation of a second authentication system which basically negates the whole purpose of the domain system.
  • Pocket Knife (Score:5, Insightful)

    by Graymalkin ( 13732 ) * on Saturday September 17, 2005 @01:52AM (#13583151)
    Most computer users are not qualified administrators, in fact many of them are borderline computer illiterate. This isn't to say these people are dumb, they're just not very computer savvy. Such users tend to be able to use software they've been trained on or are familiar with but aren't likely to know exactly how it works. They click an icon, type in some values, and things happen. They don't need to know or care that the app is just a VB SOAP client talking to a web service via SSL hosted on the company's server farm. The guy down the hall in accounting needs to know how to do stuff in Excel, not how to write Excel.

    That being said, these people aren't necessarily qualified to administer their own equipment. Some might have a bit of technical prowess but a majority of normal users are just that. So why are they put in charge of managing their own equipment and why are they able to take company information and property with them to get stolen or dropped down a flight of stairs? If they've got light communication needs how about Blackberries or Treos or some other connected devices. Quite a bit can be done through secured web interfaces or through web services with lightweight front ends. A little bit of well designed caching and users would be hard pressed to notice the company's database didn't exist on their little handheld device.

    This approach isn't going to solve everyone's problems but it works for some in two major ways. The first is any single field employee can't take the sum of a company's data with them somewhere to have it hijacked by either action or omission. They're also not terribly likely to plug into an office machine and infect the whole network with some new Windows worm. A lost PDA might mean the company is out a few hundred dollars worth of equipment and maybe some confidential documents. A PDA that runs only application/web service front end software is really only out the value of the lost hardware.

    If you've got responsible users you can probably trust them with full fledged laptops. For those that are almost more trouble than they're worth, give them cool gadgets they can work on but do limited amounts of damage with. This is of course in addition to better network security in and out of the office. If you've giving even advanced users a laptop to take home let them only take with them the data they absolutely need to get their job done. You don't want a laptop with 98,000 personal records [sfgate.com] on it stolen or something.
    • Re:Pocket Knife (Score:3, Informative)

      This isn't to say these people are dumb

      Maybe you have forgotten, or maybe not, but 50% of people are of below average intelligence.

      I'd bet good money that a good portion of those of above average intelligence, are not working for someone else in a capacity where they have to take their work home with them.

      Companies - the kind of person that is willing to take home his/her work home on a laptop is generally unsuitable for the task. (See Groucho Marx on Club Membership)

      • Or they are the people who are intelligent and trusted enough that they can send around an email saying: "I'll be working from home today, send me some email if you really need to get a hold of me." Which is a great perk at my place of work. ;)

        Also, above a certain level of code monkey, you will have to take your laptop on the road occasionally.
  • One of my friends mentioned recently that his company no longer repairs damaged Windows operating systems on laptop computers. They estimated the cost of recovery of virus-infected laptops at $420 per incident. Since the cost of complete replacement is only $500, it does not make sense to attempt recovery.

    I offer to take your company's garbage out for free!

  • by R3d M3rcury ( 871886 ) on Saturday September 17, 2005 @03:21AM (#13583374) Journal
    Actually, the last large corporation I worked for caught Code Red from a salesman's laptop. This salesman was in Australia, far away from the IT Department.

    Even better: It was a security company.

    Best of all: It was the Mac team that brought it to the IT Department's attention.

  • Make your checklist and go through it with any Notebook that is introduced to the Company.

    # encrypted /home (I don't remember what it is called on Windows) prevents a lot of ugly
    things we see from stolen Notebooks nowadays.

    # /home (he did it again) must be mirrored (possibly unencrypted) on a Server, (I think
    you got to check for the term server side
    profiles)

    # No Administrative rights! I mean absolutely no administrative rights on the standard
    working User!

    # The Notebook needs to go back to IT-De

    • by Anonymous Coward
      When issued a company laptop by control freaks, the following steps are in order:

      # Copy an image the laptop's hard drive up to your machine at home

      # Shrink the existing partition and install a boot loader

      # Install the operating system and software of your choice, with full administrative rights

      # Hit the road and enjoy!

      # When eye-tee asks for the laptop to check up on you, take an image of it the way you like it, then restore the image saved in the first step and give the pristine laptop to eye-tee

      # If origi

  • But that's because we don't use that "Windows" software on our notebooks [apple.com].

    It is my first Mac (and certainly won't be my last) have had it for two years... PCs and Windows just can't compare.
  • by Julian Morrison ( 5575 ) on Saturday September 17, 2005 @04:59AM (#13583588)
    IT boss to employee: "you have two choices:

    1) A laptop with admin rights, that has no direct access to our LAN, but only a connection to a special quarantine server, which we will use to check everything you upload before letting it out onto our LAN, or...

    2) A laptop with no admin rights, locked down so tight you can't even change your own wallpaper, but which is a full peer on the LAN.

    You get to pick whichever suits your working style best."
    • Life with Windows: IT Nazism
      Who wants to be a full peer anyway? Maybe the corp. will provide a locked down desktop machine for use when peer status is required.

      Life with OS X: what's the big deal? It's locked up by default and almost self-updating.
  • I'd have to say that in terms of preventing war driving and the like, MAC address filtering is the best thing since... well actually it's really the only thing going to keep unwanted devices off your network. WEP is useless, and WPA is unsupported by most devices.

    The ability to only allow specific devices to operate on a network is very attractive(Hopefully it actually works on most routers). Lazy sysadmins might complain that it entails extra workloads, but honestly lazy admins are half the reason for all
    • I hope you are aware that it doesn't work if somebody wants to hack your network.

      It only works to prevent your neighbor from accidentally using your network.

      If you use WEP, or no encryption the hardware address is sent in the clear and can be picked up by sniffers.

    • Oh, man, what have you been snorting? MAC filtering may keep your little kid sister out, but isn't any help otherwise.

      Cue: EVERY packet has the MAC address in it. So an attacker has to capture exactly ONE packet to get the MAC (actually a partial packet will do too). How hard is that?
  • by Demerara ( 256642 ) on Saturday September 17, 2005 @08:17AM (#13584049) Homepage
    I was recently involved in an international procurement where 10,000 laptops were supplied with XP Home. The mission-critical application on the laptops was highly secure - all data was encrypted to a high degree but the laptops themselves were wide open to attack or, more likely, inadvertent denial of service by ignorant or curious users.

    By the time I flagged this appalling oversight, the procurement process was too far advanced. So, a US$44 million procurement went ahead using XP Home on the kits.

    The application? Electronic Voter Registration in a large sub-saharan country in Africa.

    So it's not just small businesses who drop the ball.

    The budget will never be there to upgrade to XP Pro. And they simply don't have the skills to replace XP with a Linux distro and port the application (which is proprietary anyway).

    Does anyone have thoughts on what can be done to improve the security of XP Home?
    • Does anyone have thoughts on what can be done to improve the security of XP Home?

      Ask Microsoft for licenses for Pro. Remember, it costs them nearly nothing and they might use it for PR or something. Remind them how fun the news stories will be when the system gets hacked and all the Poor Africans (TM) are being betrayed by the White Imperialist Multinational Corporation (TM). The story practically writes itself (even though I personally do not subscribe to that narrative [jerf.org]).
    • Yes, - use routers with port to port security or VLANs. Only allow traffic to flow from server to client - block traffic between clients. This will prevent most shit from spreading.
  • The other day I was at a client's site removing spyware and adware from yet-another-windows computer and wondering why companies put up with this. I can imagine hundreds - if not thousands - of IT guys all wasting their education and talent removing shit from an OS that should never have allowed it on there in the first place. This must be costing the economy billions of dollars. Yet companies continue to buy XP (Pro or Home... both vulnerable) and will almost certainly line up to pay $400 to upgrade to Vis
  • I remember working at place where they confiscated floppies in the lobby but I (outside contractor) was carrying back and forth my laptop with some 10 million records on it. A lot of people are issued a laptop when they dont really need it.
  • It's a fundamental rule of systems engineering that workstations are part of the user, not part of the system. This is especially true of laptops.

    Any sysadmin that thinks limiting user privileges on the workstation is solving a security problem is fooling herself. System security needs to be set up on the assumption that all workstations are hostile.

  • The risks of not being able to do something when you need to, of losing time due to not being able to install the right tool for a task without a prolonged wait, of requiring a large staff of people working on overhead budgets to maintain machines in ways that reduce a user's flexibility to better their processes, etc. are not only extremely high but usually realized risks on a frequent basis for those who work with locked down machines and rely on IT departments for installation. For laptop users who may

  • .... and started handing out these MobiBook PRO's. [route1.com] It's basically a thin client running a customized version of WinCE .Net with RSA security. I use it to connect to my desktop computer (as well as my home computer) and work as if I'm in front of my desktop. The cool part is that my organization keeps all of it's data behind the firewall and corporate policies are still enforced.

    As far as they are concerned, problem solved.
  • A company I used to work for, a fair size place with 6 offices and about 500 employees, didn't care much for me bringing my laptop into work. About every four months my manager would start grumbling that I really shouldn't do that. By some random chance however, each time things were getting despirate, some special need would come up that necessitated my laptop. (there were no company laptops) My machine also had a good hunk of HD space free, scsi with disk recovery tools, and lots of other handy things.
  • Anyone should be able to put any device on your network with all the authentication they can muster and not damage your network. This is security 101. Treat your users as hostile because sometimes, they are!

    Let them use what they can but don't let them break anything that you couldn't fix. Not letting people use the tools you give them is a braindead solution to the problem. Granted, it may be a temporary necessity because your servers and services are next to impossible to secure any other way but long

Life is a game. Money is how we keep score. -- Ted Turner

Working...