    Cross Post - How to prevent a company laptop/device from working on external networks

      RamblingBiped

      Seems like an issue that should be resolved with company policy, not some overly complicated, overly engineered IT/IS solution.

        RamblingBiped

        If they really distrust their employees THAT much why not just throw monitoring software on the system and reprimand/fire them for not following policy?

          DustinB3403

          Now I have to ask is the business really not trusting their employees enough to allow the company laptops to connect to outside wireless?

          Certainly the business sees a need in the benefit of a laptop's portability.

          So why not enable encryption on the laptops, and then configure a VPN for the users to connect to while outside of the office?

          Encrypting the laptops would at least protect the data at rest from anyone who has the device who can't decrypt it. Stopping unwanted people from both accessing the OS and the corporate network.

          While allowing the staff to access work from wherever.

            DustinB3403 @RamblingBiped

            @RamblingBiped said in Cross Post - How to prevent a company laptop/device from working on external networks:

            If they really distrust their employees THAT much why not just throw monitoring software on the system and reprimand/fire them for not following policy?

            Well you'd have to have policy, and monitoring software often isn't cheap.

            Although I agree with the idea.

              DustinB3403

              So what I'm seeing as the need is to try and prevent devices from accessing company resources while on anything but the work network.

              Which is exactly what VPNs are for.

              You centralize all of your services behind the VPN, and force users to access them while connected to the network.

              Redirecting the users' My Documents folders etc. back to a network share would mean none of the company data could ever be on the laptop.

              Putting in a system policy to disable USB storage devices would add another layer of protection in that the data couldn't be copied off.

              Of course that doesn't stop someone from using email to send out the files / information.

                JaredBusch

                This can be defeated by anyone simply by updating their home network settings to match the laptop.

                Granted a lot of users would not know how to do this, but they would figure it out if they wanted.

                Such stupid.

                  Dashrender @JaredBusch

                  @JaredBusch said in Cross Post - How to prevent a company laptop/device from working on external networks:

                  This can be defeated by anyone simply by updating their home network settings to match the laptop.

                  Granted a lot of users would not know how to do this, but they would figure it out if they wanted.

                  Such stupid.

                  This requires that the users know the password for the wireless, assuming the wireless doesn't use a certificate-based authentication like was presented at ML Con.

                  But this idea was the first that popped into my mind.

                    Dashrender

                    But I do have a question - how does forcing the use of static IPs affect their ability to get on other networks?

                    Let's assume they do know the password for the wireless network. Now that person can go home and install a home network with the same IP range as at work, same SSID and password as at work and ta da, they are online!

                    But if they don't know the password, then DHCP does not provide the laptop any protection at all. If the users are prevented from joining another wireless network via GP, and you disable the onboard NIC, then DHCP doesn't matter.

                      JaredBusch @Dashrender

                      @Dashrender said in Cross Post - How to prevent a company laptop/device from working on external networks:

                      @JaredBusch said in Cross Post - How to prevent a company laptop/device from working on external networks:

                      This can be defeated by anyone simply by updating their home network settings to match the laptop.

                      Granted a lot of users would not know how to do this, but they would figure it out if they wanted.

                      Such stupid.

                      This requires that the users know the password for the wireless, assuming the wireless doesn't use a certificate-based authentication like was presented at ML Con.

                      But this idea was the first that popped into my mind.

                      Who said anything about wireless?

                        Dashrender @JaredBusch

                        @JaredBusch said in Cross Post - How to prevent a company laptop/device from working on external networks:

                        @Dashrender said in Cross Post - How to prevent a company laptop/device from working on external networks:

                        @JaredBusch said in Cross Post - How to prevent a company laptop/device from working on external networks:

                        This can be defeated by anyone simply by updating their home network settings to match the laptop.

                        Granted a lot of users would not know how to do this, but they would figure it out if they wanted.

                        Such stupid.

                        This requires that the users know the password for the wireless, assuming the wireless doesn't use a certificate-based authentication like was presented at ML Con.

                        But this idea was the first that popped into my mind.

                        Who said anything about wireless?

                        Good point - I assumed, my bad.

                        Then static definitely does nothing to save you.

                        Does Windows have a way to require the adapter to only join a network that has a given domain on it? If not, again, the aforementioned changing of the home network to use the IP of the office network completely bypasses this 'solution.' And portable routers like the one the guy had at ML (though it would need to be one with a wired port as well) would allow that user the ability to use it nearly anywhere.

                          Dashrender @JaredBusch

                          @JaredBusch said in Cross Post - How to prevent a company laptop/device from working on external networks:

                          @Dashrender said in Cross Post - How to prevent a company laptop/device from working on external networks:

                          @JaredBusch said in Cross Post - How to prevent a company laptop/device from working on external networks:

                          This can be defeated by anyone simply by updating their home network settings to match the laptop.

                          Granted a lot of users would not know how to do this, but they would figure it out if they wanted.

                          Such stupid.

                          This requires that the users know the password for the wireless, assuming the wireless doesn't use a certificate-based authentication like was presented at ML Con.

                          But this idea was the first that popped into my mind.

                          Who said anything about wireless?

                          But then now we'd be talking about laptops being on wires - this is a failure in so many ways!

                            momurda

                            The OP question is wrong. Their policy on laptops is wrong. Why would users be able to bypass their group policies at home on a domain-joined laptop if they aren't admins? There would be no "insert whatever behavior here" that should affect users at home any more than when at work. For example, their a/v solution would still work at work or at home. Their Windows firewall policies should work inside or outside the office.
                            The best solution is to make a policy of don't do "insert behavior here" on your company laptops. Then to check compliance when the device is on the corporate network and can be scanned. Then fire the people who break the policy.

                            Edit: TLDR: Make a policy that bans bad behavior and enforce it.

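Added example, not part of any post in this thread: a PowerShell audit of the controls named above by DustinB3403 and momurda (disk encryption, USB storage block, Documents redirection, firewall on every profile), intended to run when the laptop is back on the corporate network. `Test-LaptopBaseline` and `New-Check` are hypothetical names, and BitLocker is assumed as the encryption product.

```powershell
# Added example, not from the thread. Function names are hypothetical.
# Run elevated (BitLocker query) in the laptop user's session (Documents path).
function New-Check($Control, $Pass, $Detail) {
    [pscustomobject]@{ Control = $Control; Pass = [bool]$Pass; Detail = "$Detail" }
}

function Test-LaptopBaseline {
    # Windows marks a connection DomainAuthenticated only after it has
    # authenticated to a domain controller; copying the office SSID or IP
    # range onto a home network does not produce this category.
    $net = @(Get-NetConnectionProfile -ErrorAction SilentlyContinue)
    $onDomain = @($net | Where-Object NetworkCategory -eq 'DomainAuthenticated').Count -gt 0
    New-Check 'On domain-authenticated network' $onDomain ($net.NetworkCategory -join ',')

    # Data at rest: assumes BitLocker is the encryption product in use.
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    New-Check 'System drive encrypted' ($bl.ProtectionStatus -eq 'On') $bl.VolumeStatus

    # USB storage: driver disabled (Start=4) or the removable-storage
    # "deny all access" Group Policy value set.
    $usb  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -ErrorAction SilentlyContinue).Start
    $deny = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' -ErrorAction SilentlyContinue).Deny_All
    New-Check 'USB mass storage blocked' ($usb -eq 4 -or $deny -eq 1) "USBSTOR Start=$usb; Deny_All=$deny"

    # Folder redirection: Documents should resolve to a UNC path.
    $docs = [Environment]::GetFolderPath('MyDocuments')
    New-Check 'Documents redirected to a share' ($docs -like '\\*') $docs

    # Firewall must be enabled in the effective policy for all three profiles.
    $off = @(Get-NetFirewallProfile -PolicyStore ActiveStore | Where-Object { $_.Enabled -ne 'True' })
    New-Check 'Firewall enabled on every profile' ($off.Count -eq 0) "disabled: $($off.Name -join ',')"
}

Test-LaptopBaseline | Format-Table -AutoSize
```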
                              Dashrender

                              Lol, all of us here talk about all of these HR policies but the reality is that most SMBs don't have the fortitude to actually back up any policies that they make. Instead they would rather use technology to force the issue and not have to worry about the personal confrontation.

                                momurda

                                That might be true, but there is no practical way to do what the OP wants and have happy and productive employees.
                                He wants his users to take home a brick every night, write some things in Word locally then bring it to work and connect it to their network. Like it's 1995.
                                Setting up a policy and scanning for violations is much easier to implement and enforce than what SW OP wants. It is that simple. Or, don't treat your employees like slaves or indentured servants.

                                  scottalanmiller

                                  Haven't read replies yet but... if IP addressing is their security mechanism they are screwed already.
