Security Basics mailing list archives
RE: Home laptops on a corporate network
From: Shawn <swarzkopf () legolas sinnerz us>
Date: Fri, 11 May 2007 14:49:52 -0400 (EDT)
Wouldn't a regular vpn just open for all kinds of badware they have ontheir home computer? And if you issue a work computer for them it will be used as their normal computer and properly be as infected as their home computer anyways.
No.At least not if your company properly manages it's laptops...our user's privileges are extremely, extremely restricted through group policy/local security settings. They can't web browse. They can't install any software/apps. They can't modify any system settings. They are not at all used in the same manner that the user's "normal" computers are. They do not pose nearly the same risk that the user's "normal" computers do.
Furthermore, users are required to bring their laptops into the office on a regular basis for virus scanning/WSUS patching.
Obviously, you can tailor your own company's group policy to suite your own specific needs.
Again, I don't think comparing company managed equipment to home equipment is a fair comparison at all if the company exercises any decent means of control.
On Fri, 11 May 2007, marc wrote:
Sorry in advance for anything stupid. I'm still just a wannabe newbie in security :) Wouldn't a regular vpn just open for all kinds of badware they have on their home computer? And if you issue a work computer for them it will be used as their normal computer and properly be as infected as their home computer anyways. Why not use a product that can be used with their home computer but one that don't have to be installed. I have this usb key I have been issued at work from this company. http://www.giritech.com/ It's mighty fancy. It will allow me to connect to our citrix server and do my work without any risk of our citrix server being infected by any thing on my work issued laptop. Disclaimer: I do have any relations with giritech I'm just a happy user of their product. And sorry for spelling mistakes, none native English speaker here. :) -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Shawn Sent: 11. maj 2007 19:06 To: krymson () gmail com Cc: security-basics () securityfocus com; security-basics-return-44327 () securityfocus com Subject: RE: Home laptops on a corporate network I take it assigning the users who need to work from home company owned/managed laptops, and then providing VPN access to these laptops, is just not an option? Setting up -somewhat- secure access to the corporate network from a staffers home computer just seems like too much trouble and too much risk for what you gain...it'd just be easier to buy/image/issue laptops. On Fri, 11 May 2007, krymson () gmail com wrote:If this scenario is an absolute must, even in the face of HIPAA (andif this were my data, I'd be highly concerned about this company...), then I do like having users VPN into an isolated network segment and then connect to a Terminal Server to do their work.However, not to throw monkeywrenches in, but this solution still doesnothing about keyloggers, screenscrapers, or even a full-blown screen capture program running to record all this data. Even just one frame of a doc open can be enough to spoil your HIPAA party depending on the data these users have access to. Really, there's nothing you can do about this other than disallowing their home systems.You do have to pretend two things: 1) Assume you have the filthiest, most infected, worm-ridden home PCever connecting to your network.2) Assume one of these workers will be wanting to sell this data ormaliciously gather and use it.You can take action against 1, but you're not going to be able toaudit 2 unless you own the devices they are allowed to use.
Current thread:
- RE: Home laptops on a corporate network, (continued)
- RE: Home laptops on a corporate network Adam Rosen (May 08)
- Message not available
- Re: Home laptops on a corporate network Kurt Buff (May 09)
- Message not available
- RE: Home laptops on a corporate network Adam Rosen (May 08)
- Re: Home laptops on a corporate network Kurt Buff (May 08)
- RE: Home laptops on a corporate network Al Saenz (May 08)
- RE: Home laptops on a corporate network Adam Rosen (May 08)
- RE: Home laptops on a corporate network Adam Rosen (May 08)
- Re: Home laptops on a corporate network Kurt Buff (May 09)
- RE: Home laptops on a corporate network krymson (May 11)
- RE: Home laptops on a corporate network Shawn (May 11)
- RE: Home laptops on a corporate network marc (May 14)
- RE: Home laptops on a corporate network Shawn (May 14)
- RE: Home laptops on a corporate network marc (May 14)
- RE: Home laptops on a corporate network Scott Ramsdell (May 14)
- RE: Home laptops on a corporate network Shawn (May 11)