darlodge

Now we have locked down all our desktops and have a bit of spare time we are looking at locking down our remote laptop users.

The question is, what can yours do? They all connect over VPN through our RSA/ACE server and then onto the Lan.

From here I see the following as essential:

No Proxy settings unless connecting to network over the VPN (when they use their own internet, they should not access the Proxy Server)
Able to add and remove printers (in case of printer failures, if at a client site etc.)
Able to add and remove devices (USB keys etc.)
Access Shared volume on our File Servers
Remote Support - via Dameware or RDP

Can't think of anything else at the moment

Cheers
Darren

bioforger

iTrader: (1)

Lock downs are the work of the devil

David_Wallis

We dont let them do anything more than their desktop.. less infact..

What kind of users are they?

we are now provide remote access via Citrix Secure Gateway but you could use csg.

All users shouldnt be adding their own printers!

100% restrict them and open what is required only.

David

stevem2k

Users are the work of the devil

darlodge

David,

We have a few travelling sales reps who we see about once maybe twice a year so we usually have to get things right first time as we know its at least 6 months before we see them again. and about 30 laptops users who very occasionaly work form home.

Currently our users (this currently includes all laptop users, excpet the travelling rep) can't even fart without us knowing about it.

However our sales reps have to sometimes add a printer to their laptop, if for example their printer fails and we ship them a new one. We don't want to give them administrator access so we will probally grant Printer Adminstrators (to also manager print jobs)

Darren

thundertiger

i just had all hell break loose when i blocked msn messenger and hotmail access, for work-shy hotel staff.

they pi55 me off and have had certain privileges for 12 months, not anymore.

lock every **** down with 6" nails mate, or they will extract the urine repeatedly!!!

oh, and its quite good fun too. LOL

BOFH

BB

darlodge

We went through that same process a while ago, no personal webmail, no intresting sites

No Messenger, no Pop3 access, just HTTP and even that is logged

Darren

darlodge

Any other things set?

Darren

R1916v

We've just implemented a major lockdown policy when moving to XP. With NT it was more like everythign is open and we lock down as necessary, now it's the opposite

You say you've locked down your desktops, why can't you apply the same policies to the laptops? Ok you're always going ot have extra stuff on laptops and are going to have to change a few things, but surely if you already have a satisfactory policy on desktops what's changed?

Users cannot execute anything we don't want them to, I couldn't possibly go into everything here as there are masses of policies controlling it all.

If there's anything specific you want to know about pm me.

GaryK

Yes its always funny how those who dont need IM and 101 other things as part of their job moan about the fact they cant use it, they are they to work not **** around!

Good on ya!

Gary

boxst

Hello

Just as a matter of interest, what is stopping a user installing their own version of XP, they will still have VPN access to corporate?

Steve

R1916v

Well, if they can't run just any executable they want and don't have admin rights they can't do it form within windows.

If they can't access the bios to boot form cd/another device they can't boot into setup.

Plus I very much doubt that the only access these machines have is through VPN, they should be in a domain if the IT setup is any good, which they will not be able to join as they won't know the account details to join it.

Plus if they did try it would totally go against the companies computer user guidelines and you'd get a serious telling off, maybe sacked.

Also what management systems are implace for your machines (desktops and lapdogs), SMS?

If the original poster wants to pm me with specific details I'm sure I could help

David_Wallis

R1916v, unfortunatley most people dont change the default domain policy to stop each user adding their quota of members to the domain

If a user at our place reinstalled XP, they would be contravining (sp) the computer usage policy by bringing software into work for one. We (IT) would push for instant dismissal - it would be fookin obvious if they did it too.

As for installing printers, if they can establish a VPN connection, can you just not support them over the VPN connection as if they were a 'office' based user??

With them being remote / laptop users I would tie them down even more...

Ill take a screen shot of our corporate desktop if you like

David

R1916v

Yeha a lot of people don't bother, crazy if you ask me

Our desktops aren't locked down as much as some places, but it can still be pretty restrictive.

Diff GPOs apply to laptop users that enable extra restrictions/features like offline files.

darlodge

David,

A copy would be wicked if its possible. Are you using the Group Policy admin tool, if so you should be able to export as an HTML file.

Darren

David_Wallis

Ill have to check the gpo's, i dont particuarly want to share some of it.

darlodge

David,

I quite agree

Darren