Security Basics mailing list archives
Fwd: Notebook policy (need advice)
From: kevin.fielder () gmail com
Date: Thu, 25 Jan 2007 01:29:58 -0800
Hi Nicolas,

The first thing you will need to do is get some sort of formal policy approved at senior management, without this whatever improvements you want to put in place will be difficult, if not impossible to enforce.

As to specifics:

- we use whole disk encryption on all our laptops from a company called Safeboot. It is pretty good, there is obviously some performance impact, but this is not too bad, and the product really is whole disk - e.g. you cannot get to any data or the O/S without first entering your Safeboot credentials. Disclaimer - I have no ties to this company whatsoever, I'm just mentioning the product we use, I'm sure there are various other products that perform as well.
- up to date AV, set to update both from our servers and the web to allow for people who may not connect to the office frequently.
- Local firewall and IDS - this is set to resist tampering to make it very difficult to turn off, and also run different firewall configs depending on your IP - e.g. fairly open in the office, but blocks all connection attempts when on an IP not from our internal range.
- Wireless - this is set to only connect to a known list of wireless networks.
- VPN - set to not allow split tunneling so that when VPN'd into the office the laptop cannot connect to any other networks.
- Local Admin - unfortunately due to most users needing to be able to change network settings etc, and the usual issue of everyone having had admin rights in the past most of our users do have local admin, although we are looking at ways to remove this without stopping them working as they need to.
- All machines are routinely scanned for patching etc when in the office, but this does mean some laptops aren't scanned as frequently as is ideal.
- Patches are all applied by WSUS or for non M$ stuff an alternative deployment solution is used. Patching, AV updates, and firewall / IDS updates all work over our VPN as well as when in the office.

Other things you could consider - NAC - to enforce a certain level of patching / AV etc before machines are allowed on your network, and if there is a lot of budget data leakage products such as Digital Guardian.

Various things you could have in your policy that may help with the above include - mandating laptops be connected to the office / VPN for a minimum period each week to ensure they are kept up to date. Never leave them unattended or in cars etc. Mandate the use of Kensington locks at all times (even in the office).

Probably loads of other things, this is just off the top of my head, but I hope it helps.

cheers
Kevin

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Nicolas Arias
Sent: 23 January 2007 13:12
To: security-basics () lists securityfocus com
Subject: Notebook policy (need advice)

Hi guys!,

in my company we have a lot of notebooks, but there's no formal security policy about them. Can you tell me how you handle this? Do you give a local admin for the owner?, do you use full disk encryption?, what about anti-virus and external scans?

Any idea is going to be really appreciated.

Cheers!!