Security Basics mailing list archives
Fwd: Notebook policy (need advice)
From: "kevin fielder" <kevin.fielder () gmail com>
Date: Wed, 24 Jan 2007 10:01:13 +0000
Hi Nicolas, The first thing you will need to do is get some sort of formal policy approved at senior management, without this whatever improvements you want to put in place will be difficult, it not impossible to enforce. As to specifics: - we use whole disk encryption on all our laptops from a company called Safeboot. It is pretty good, there is obviously some performance impact, but this is not too bad, and the product really is whole disk - e.g. you cannot get to any data or the O/S without first entering your Safeboot credentials. Disclaimer - I have no ties to this company what-so-ever, I'm just mentioning the product we use, I'm sure there are various other products that perform as well. - up to date AV, - set to update both from our servers and the web to allow for people who may not connect to the office frequently. - Local firewall and IDS - this is set to resist tampering to make it very difficult to turn off, and also run different firewall configs depending on your IP - e.g. fairly open in the office, but blocks all connection attempts when on an IP not from our internal range. - Wireless - this is set to only connect to a known list of wireless networks. - VPN - set to not allow split tunneling so that when VPN'd into the office the laptop cannot connect to any other networks. - Local Admin - unfortunately due to most users needing to be able to change network settings etc, and the usual issue of everyone having had admin rights in the past most of our users do have local admin, although we are looking at ways to remove this without stopping them working as they need to. - All machines are routinely scanned for patching etc when in the office, but this does mean some laptops aren't scanned as frequently as is ideal. - Patches are all applied by WSUS or for non M$ stuff an alternative deployment solution is used. Patching, AV updates, and firewall / IDS updates all work over our VPN as well as when in the office. Other things you could consider - NAC - to enforce a certain level of patching / AV etc before machines are allowed on your network, and if there is a lot of budget data leakage products such as Digital Guardian. Various things you could have in your policy that may help with the above include - mandating laptops be connected to the office / VPN for a minimum period each week to ensure they are kept up to date. Never leave them unattended or in cars etc. Mandate the use of Kensington locks at all times (even in the office). Probably loads of other things, this is just off the top of my head, but I hope it helps. cheers Kevin -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Nicolas Arias Sent: 23 January 2007 13:12 To: security-basics () lists securityfocus com Subject: Notebook policy (need advice) Hi guys!, in my company we have a lot of notebooks, but theres no formal security policy about them. Can you tell me how do you handle this? Do you give an local admin for the owner?, do you use full disk encryption?, what about anti-virus and external scans? Any idea is going to be really preciated. Cheers!!
Current thread:
- list of university hacked in 2006 Francois Yang (Jan 22)
- Re: list of university hacked in 2006 Brian . D . Turk (Jan 22)
- Re: list of university hacked in 2006 John Hummel (Jan 22)
- Notebook policy (need advice) Nicolas Arias (Jan 23)
- Re: Notebook policy (need advice) Saqib Ali (Jan 24)
- RE: Notebook policy (need advice) Pranav Lal (Jan 24)
- Message not available
- Fwd: Notebook policy (need advice) kevin fielder (Jan 24)
- RE: Notebook policy (need advice) Pranav Lal (Jan 25)
- Notebook policy (need advice) Nicolas Arias (Jan 23)
- RE: Notebook policy (need advice) Tony UcedaVĂ©lez (Jan 25)
- RE: Notebook policy (need advice) Eric Furman (Jan 26)
- RE: Notebook policy (need advice) Patton Roub (Jan 26)
- RE: Notebook policy (need advice) Eric Furman (Jan 26)
- RE: Notebook policy (need advice) Huang, John, GCM (Jan 26)
- Re: Notebook policy (need advice) Eric White (Jan 26)
- Re: Notebook policy (need advice) Eric Furman (Jan 26)
- RE: Notebook policy (need advice) Sipes, Bob (Jan 26)
- RE: Notebook policy (need advice) Steveb (Jan 30)