Locking down corporate laptop users
#1
Scooby Regular
Thread Starter
Join Date: Oct 2001
Location: Lovely Lancing in West Sussex
Posts: 3,449
Just a quick question for other like-minded people.
How are you controlling Internet Access on your laptop users? All our desktops are locked down tighter than a nun’s chuff but we have always had a problem with laptop users.
Basically we want our laptop users to use our Proxy server when in our office, and have it turned off at home.
However we do not want the user to have any control over it. We want to impose these settings.
We use GPOs for everything but I’ve tried with KiXtart to add registry entries to our laptop users in a certain subnet but the registry entries are persistent so remain once they leave the office and log on at home.
What should I do?
#2
Don't bother, just give them full admin rights. It really isn't worth the hassle. Just make sure they can be restored quickly if they screw them up.
btw: lose the KiXtart and start using VBScript or JavaScript
#3
Guest
Posts: n/a
I'm with Intel and there don't seem to be any restrictions even if you're logged onto the corporate network. Though I never try to access anything that could be dodgy anyway - I have a home PC for that. Not sure if/how they log things though. Also, as now, I'm using the laptop at home via my home BB network and not logged on (via VPN) to the corp. network so they couldn't check anyway ....
I worked in a large bank on Canary Wharf recently and there you were stopped accessing web based mail accounts for security reasons. Plus you would click on the results of a Google search and a big red screen would appear warning you that access was forbidden. Even for some innocuous searches.
Anyhow, no idea how they do it but, as someone said above, why bother? I'd just log people surfing and, if someone's got out of hand, get their manager to have a quiet word. It'll be much less 'big brother' and 'management' will be more respected.
Just MHO of course ....
Dave
#4
Scooby Regular
Thread Starter
Join Date: Oct 2001
Location: Lovely Lancing in West Sussex
Posts: 3,449
It's not our choice, our rules and policies are set by HR. We just have to follow them through and enforce them.
There is no way we are giving our laptop users admin access, that's a crazy solution that could impact our entire network.
Webmail is a huge security concern so we have had this disabled for years on our Proxy server. We have write-protected USB keys and no CD-RWs.
We are considering a GPO that does not apply settings if it cannot contact the DCs.
Any other views?
Darren
#5
Microsoft, Fujitsu, Cap-Gemini, IBM, Capita and LogicaCMG are just a few companies I've worked with, and for, that have no laptop security. Mostly working on government contracts that require SC clearance.
And quite how does it impact your entire network? That must mean that it is inherently insecure and poorly designed with little or no protection. What's to stop someone attaching an alternative laptop to the network, for example?
In any case, can't you use local security policies and enforce them using the gpupdate command?
http://www.microsoft.com/technet/sec.../xpsgch05.mspx
Last edited by KiwiGTI; 05 July 2007 at 06:02 PM.
#6
Scooby Regular
Thread Starter
Join Date: Oct 2001
Location: Lovely Lancing in West Sussex
Posts: 3,449
It's a personal choice and I would not give anyone full access. If we had a large volume of laptop users I might agree but for our handful (20) I'd prefer not to.
We would not be using local policies to lock them down, they would still have our domain policy to lock the unit down (remove Run etc.) and then another policy (to lock down IE) would only apply if it could contact a DC. Is this even possible?
Darren
Last edited by darlodge; 06 July 2007 at 12:00 PM. Reason: Me spelling
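The office/home split asked about above can be decided each time a request is made instead of being written once into the registry. The following is an added example, not part of any post in the thread: a proxy auto-config (PAC) script that picks the proxy from the laptop's current subnet. The subnet, mask and proxy name are placeholders, `chooseProxy`, `inSubnet` and `ipToInt` are hypothetical helper names, and the setting that points the browser at the script is assumed to be pushed and locked by the existing GPOs.

```javascript
// Added example. Placeholder values, not taken from the thread.
var OFFICE_NET = "10.20.0.0";
var OFFICE_MASK = "255.255.0.0";
var OFFICE_PROXY = "PROXY proxy.corp.example:8080";

// Dotted-quad IPv4 -> unsigned 32-bit number, or null if malformed.
// Written in ES3 style so legacy PAC engines can evaluate it.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// True when ip falls inside net/mask. Malformed input never matches.
function inSubnet(ip, net, mask) {
  var a = ipToInt(ip), n = ipToInt(net), m = ipToInt(mask);
  if (a === null || n === null || m === null) return false;
  return ((a & m) >>> 0) === ((n & m) >>> 0);
}

// Pure decision function so it can be tested outside a browser.
function chooseProxy(clientIp, host) {
  // Not on the office subnet (home, hotel, unparsable address): no proxy.
  if (!inSubnet(clientIp, OFFICE_NET, OFFICE_MASK)) return "DIRECT";
  // In the office, loopback and single-label intranet names skip the proxy.
  if (host === "localhost" || host === "127.0.0.1" || host.indexOf(".") === -1) {
    return "DIRECT";
  }
  // No "; DIRECT" fallback: if the proxy is down in the office, browsing
  // fails instead of silently bypassing the filter.
  return OFFICE_PROXY;
}

// PAC entry point. myIpAddress() is supplied by the PAC runtime.
function FindProxyForURL(url, host) {
  return chooseProxy(myIpAddress(), host);
}
```

A home network that happens to use the same address range is treated as the office, in which case the unreachable proxy blocks browsing rather than allowing it. `myIpAddress()` can return an unexpected address on a machine with several active interfaces, so test with VPN and wireless adapters enabled.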
#7
Scooby Regular
Join Date: Jul 2004
Location: There on the stair
Posts: 10,208
Crazy? No it's the intelligent way to do it, most modern corporations are implementing laptops like this.
Microsoft, Fujitsu, Cap-Gemini, IBM, Capita and LogicaCMG are just a few companies I've worked with, and for, that have no laptop security. Mostly working on government contracts that require SC clearance.
And quite how does it impact your entire network? That must mean that it is inherently insecure and poorly designed with little or no protection. What's to stop someone attaching an alternative laptop to the network, for example?
In any case, can't you use local security policies and enforce them using the gpupdate command?
http://www.microsoft.com/technet/sec.../xpsgch05.mspx
We do allow local admin access but trust me - there is a lot of security bouncing around our network. You can't even plug your laptop in without proving it's got up to date AV and AntiSpyware installed.
#8
OK, bad wording, of course they have security, I meant that the laptop user is generally added to local admins so they can do as they wish.