Security for Laptops

  1. #1
    Join Date
    Aug 2000
    Location
    England
    Posts
    326

    Security for Laptops

    Hi guys,

    I have been trying to find a way to implement a security mechanism for when laptops connect to our network...visitors from other offices....sales/support team.....VPN.....obviously this is a huge security hole....one train of thought I had was to include a virus scanner in the logon script that would scan for any viruses?

    Anybody else have these concerns or have implemented anything to resolve it?

    Thanks

    Chris
    "They have the internet on computers, now !?!" - Homer Simpson

  2. #2
    Join Date
    Feb 2001
    Location
    Adelaide, South Australia
    Posts
    6,447
    Concerns, yes, solution, not yet.

    Policy is important. Non-company machines should never touch the network until IT has had a look at them, and even then they should be kept as isolated as possible. If possible, have a DMZ for visitors' machines which is behind a firewall that lets them browse the Internet, access a printer and that's about it.

    VPN clients should be similarly sandboxed if possible - obviously they need a bit more access, but consider restricting them to things like Terminal Services instead of allowing the remote machines direct access to company file servers etc.

    Company machines need to be kept patched and virus-scanned - one policy we're looking at implementing is that any laptop which has been disconnected for longer than x (and is therefore at risk of new viruses or exploits) needs to be updated and checked offline before being reattached. Notebooks etc need to have personal firewalls installed, and the employees who have them need to use them for company business only, not their kids' games and web surfing.

    Cisco are bringing out products which can enforce that virus scanning bit at a technical level - machines which don't have minimum patch levels and virus definitions are automatically disconnected from the network. Won't be cheap though.

    I guess what you can do depends on how much time/effort/money you have available. If you have time to do some more research, the reading room at www.sans.org has some useful stuff, and you might find BS7799 (which is identical to ISO/IEC 17799) useful.
    Safe computing is a habit, not a toolkit.

  3. #3
    Join Date
    Feb 2002
    Location
    Missouri
    Posts
    94
    We're still looking into this issue at our work also.
    So far we have been able to take care of our own laptop users; visitors etc. we're still looking into.
    For our regular laptop users we had one of our guys create a VBScript which sits in their Start Up list. Anyone that logs into that machine will run this script. It will verify the network the laptop is hooked into. If the address matches our network, it is then directed to a database that holds all of the patches, service packs, etc., then scans the laptop for those items. If everything matches, they are allowed a connection and everything seems like normal. If something doesn't match, a little window will pop up telling them what they are missing and that they need to contact the Help Desk. (It disables their network connection and will not allow them on the network until the problem is resolved.)
    All we have to do is keep the database up to date with the information (what our network requires, where to look on the machine to make sure it's up to date).
    We've already set up a database with all of the hotfixes and service packs that we have applied this year and it usually only takes a couple of minutes to go through the whole process.
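
The decision logic of the startup check described in post #3, combined with the offline-time limit from post #2, as an added example that is not part of the thread or the poster's VBScript. The network range, hotfix IDs, service-pack level and 30-day limit are constructed placeholders.

```python
import ipaddress
from datetime import date

# Constructed placeholders, not values from the thread.
CORP_NET = ipaddress.ip_network("10.20.0.0/16")
BASELINE = {
    "hotfixes": {"HOTFIX-EXAMPLE-001", "HOTFIX-EXAMPLE-002"},
    "min_service_pack": 3,
    "max_days_offline": 30,  # the "x" from post #2; the value is assumed
}

def check_posture(ip, hotfixes, service_pack, last_checked, today):
    """Return (action, reasons); action is 'skip', 'allow' or 'quarantine'."""
    try:
        on_corp_net = ipaddress.ip_address(ip) in CORP_NET
    except ValueError:
        on_corp_net = False  # no usable address, so not attached to our network
    if not on_corp_net:
        return "skip", []  # only enforce when plugged into the company network
    reasons = []
    missing = sorted(BASELINE["hotfixes"] - set(hotfixes))
    if missing:
        reasons.append("missing hotfixes: " + ", ".join(missing))
    if service_pack < BASELINE["min_service_pack"]:
        reasons.append("service pack %d below required %d"
                       % (service_pack, BASELINE["min_service_pack"]))
    days_offline = (today - last_checked).days
    if days_offline > BASELINE["max_days_offline"]:
        reasons.append("last checked %d days ago" % days_offline)
    # Any failed item means the caller disables the connection and shows
    # the reasons, as the pop-up in post #3 does.
    return ("quarantine" if reasons else "allow"), reasons

if __name__ == "__main__":
    today = date(2003, 6, 2)
    # Constructed sample inventories: (ip, hotfixes, service pack, last check)
    laptops = {
        "sales-01": ("10.20.4.7", BASELINE["hotfixes"], 3, date(2003, 5, 20)),
        "sales-02": ("10.20.4.8", {"HOTFIX-EXAMPLE-001"}, 2, date(2003, 3, 1)),
        "at-home": ("192.168.1.10", set(), 0, date(2003, 1, 1)),
    }
    for name, args in laptops.items():
        action, reasons = check_posture(*args, today=today)
        print(name, action, "; ".join(reasons))
```

A check that runs on the laptop itself can be skipped by anyone with local administrator rights, so it works best paired with network-side enforcement of the kind post #2 mentions.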

  4. #4
    Join Date
    Aug 2000
    Location
    England
    Posts
    326
    Hi Guys.

    Thanks for the replies, I thought about a DMZ also....I thought about launching a virus scanner from a logon script...whether it's a light scanner that can be run from the command line....or if there is a way to get Norton AV 2003 to be run from the command line.

    I wouldn't like salesmen being so close to the servers desktop from home through TS.....I'm going to try to restrict the VPN user account this morning.

    Thanks. CM
    "They have the internet on computers, now !?!" - Homer Simpson
