Security Basics mailing list archives

Re: Home laptops on a corporate network


From: gjgowey () tmo blackberry net
Date: Tue, 8 May 2007 18:04:10 +0000

It's dangerous, but not impossible to guard these systems.  Step one is making sure they're joined to the domain.  Step 
two is making sure the group policies on these systems are very strict (I'd advise putting them in their own OU for 
this reason).  Step three would be to have a remote management solution in place.

Personally I would recommend SMS for managing remote systems.  It's a beast and you need to keep your eye on it, but 
it'll tell you everything you want to know but were afraid to ask (including patches applied and missing).  You can 
also use SMS for software deployment.

It takes a lot of work to secure off site systems, but it can be done.  Just need to really work on setting up your GPs 
right and remote system management.  Personally, I would allocate only corporate provided laptops for this task since 
you can control the imaging and there's no question as to who is the owner of the system.  

Also, disable the local system administrator account on these machines (if a domain admin can't work on it remotely, 
then the machine should be treated as broken or compromised and has to be brought in for reimaging).  Make sure they 
can't boot from anything but the HDD and that the BIOS is password protected (important note: using the same password 
on every system is a very bad idea).  Use a different password per system and keep that information in a central DB 
(you could use the system's serial as the primary key) for the help desk/NOC people to see.  I would also recommend setting the 
startup password (if the laptop allows it - my ThinkPad does), but make it a semi-easy password (last name of the assigned 
owner maybe, but that's up to you) so the user doesn't write it down on a Post-it note and stick it to the keyboard.

Geoff

Sent from my BlackBerry wireless handheld.  

-----Original Message-----
From: christopherkelley () hotmail com
Date: 8 May 2007 17:11:32 
To: security-basics () securityfocus com
Subject: Re: Home laptops on a corporate network

I'd recommend NOT doing this. Especially if you are trying to comply with HIPAA. Keep in mind that you will have little to 
no management capability over these personal laptops, which means you have no ability to verify patch level and AV 
updates on these machines that may have EPHI on them. Not to mention the fact that these employees are probably taking 
them home and plugging them into their home networks, where they (or their kids) are running BearShare, Gnutella, 
Grokster, BitTorrent, and surfing to unfiltered web sites. Not only does this mean that they are potentially exposing 
critical data in this manner, it also means they are bringing potentially infested computers into the soft chewy center 
of your network.


Whenever you have an employee with a laptop, you create a liability to your network, allowing them to use personal 
laptops presents an even bigger liability. IMHO, this level of risk is unacceptable, especially from a HIPAA compliance 
standpoint.
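
One way to implement the per-system BIOS password register Geoff describes above (a different password for every laptop, kept in a central table keyed by the serial number for the help desk), as an added example that is not part of either message. It derives each password from a master secret and the serial with HMAC-SHA256, so no two machines share one and the table can be regenerated if lost, and stores the result in SQLite with the serial as primary key. The master secret, the 12-character alphanumeric limit, the table layout and the serial numbers are all assumptions made for the example; real BIOS length and character limits vary by vendor.

```python
"""Per-system BIOS password register (added example, not the poster's code).

Derives a unique BIOS/startup password per laptop from a master secret and
the chassis serial, and keeps serial -> password in a central SQLite table
that the help desk can query.  The table must of course be access-controlled.
"""
import hashlib
import hmac
import secrets
import sqlite3

# Assumption: the BIOS accepts a short alphanumeric password.  Ambiguous
# glyphs (0/O, 1/l/I) are left out so the help desk can read it over the phone.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789"
PASSWORD_LEN = 12


def normalise_serial(serial: str) -> str:
    """Serials are compared case-insensitively with surrounding whitespace dropped."""
    s = serial.strip().upper()
    if not s:
        raise ValueError("serial number must not be empty")
    return s


def derive_bios_password(master_secret: bytes, serial: str) -> str:
    """HMAC-SHA256(master_secret, serial) mapped onto ALPHABET.

    The 256-bit tag is treated as an integer and converted to base
    len(ALPHABET); the lowest PASSWORD_LEN digits are used, which is
    effectively unbiased because 2**256 is vastly larger than 55**12.
    """
    digest = hmac.new(master_secret, normalise_serial(serial).encode(), hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(PASSWORD_LEN):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


class BiosPasswordRegister:
    """Central serial -> password table.

    serial is the PRIMARY KEY (one record per machine) and bios_password is
    UNIQUE, so accidental reuse of one password across laptops is rejected
    by the database itself rather than left to an audit.
    """

    def __init__(self, db_path: str = ":memory:"):
        self.conn = sqlite3.connect(db_path)
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS bios_passwords ("
            " serial TEXT PRIMARY KEY,"
            " assigned_to TEXT NOT NULL,"
            " bios_password TEXT NOT NULL UNIQUE)"
        )

    def register(self, master_secret: bytes, serial: str, assigned_to: str) -> str:
        """Derive and record the password for a machine; raises on a duplicate serial."""
        key = normalise_serial(serial)
        password = derive_bios_password(master_secret, key)
        with self.conn:  # commits on success, rolls back on IntegrityError
            self.conn.execute(
                "INSERT INTO bios_passwords (serial, assigned_to, bios_password) VALUES (?, ?, ?)",
                (key, assigned_to, password),
            )
        return password

    def lookup(self, serial: str):
        """Help-desk query: owner and BIOS password for a serial, or None if unknown."""
        row = self.conn.execute(
            "SELECT assigned_to, bios_password FROM bios_passwords WHERE serial = ?",
            (normalise_serial(serial),),
        ).fetchone()
        return None if row is None else {"assigned_to": row[0], "bios_password": row[1]}


def demo() -> dict:
    """Register two constructed laptops and look one up by a sloppily typed serial."""
    master = secrets.token_bytes(32)  # generated once; escrow it offline in practice
    reg = BiosPasswordRegister()
    # Constructed sample inventory, not real assets.
    for serial, owner in [("R9XK7A1", "jsmith"), ("R9XK7A2", "mjones")]:
        print(f"{serial} ({owner}): {reg.register(master, serial, owner)}")
    return reg.lookup(" r9xk7a1 ")


if __name__ == "__main__":
    print(demo())
```

Because the password is a deterministic function of the master secret and the serial, the help desk can work from the table while the security team keeps only the master secret; leaking the table still exposes every password in it, which is why the UNIQUE constraint and access control on the table matter more than the derivation itself.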
