Cross Post - How to prevent a company laptop/device from working on external networks

DustinB3403

So what I'm seeing as the need is to try and prevent devices from accessing company resources while on anything but the work network.

Which this is exactly what VPN's are for.

You centralize all of your services behind the VPN, and force users to access them while connected to the network.

Redirecting the users My Documents folders etc back to a network share would mean none of the company data could ever be on the laptop.

Putting in a system policy to disable USB storage devices would add another layer of protection in that the data couldn't be copied off.

Of course that doesn't stop someone from using email to send out the files / information.

JaredBusch

This can be defeated by anyone simply by updating their home network settings to match the laptop.

Granted a lot of users would not know how to do this, but they would figure it out if they wanted.

Such stupid.

Dashrender

@JaredBusch said in Cross Post - How to prevent a company laptop/device from working on external networks:

This can be defeated by anyone simply by updating their home network settings to match the laptop.

Granted a lot of users would not know how to do this, but they would figure it out if they wanted.

Such stupid.

this requires that the users know the password for the wireless, assuming the wireless doesn't use a certificate based authentication like was presented at ML Con.

But this idea was the first that popped into my mind.

Dashrender

But I do have a question - how does forcing the use of static IPs affect their ability to get on other networks?

Let's assume they do know the password for the wireless network, now that person can go home and install a home network with the same IP range as at work, same SSID and password at work and ta da, they are online!

But if they Don't know the password, then DHCP does not provide the laptop any protection at all. If the users are prevented form joining another wireless network via GP, and you disable the onboard NIC, then DHCP doesn't matter.

JaredBusch

@Dashrender said in Cross Post - How to prevent a company laptop/device from working on external networks:

@JaredBusch said in Cross Post - How to prevent a company laptop/device from working on external networks:

This can be defeated by anyone simply by updating their home network settings to match the laptop.

Granted a lot of users would not know how to do this, but they would figure it out if they wanted.

Such stupid.

this requires that the users know the password for the wireless, assuming the wireless doesn't use a certificate based authentication like was presented at ML Con.

But this idea was the first that popped into my mind.

Who said anything about wireless?

Dashrender

@JaredBusch said in Cross Post - How to prevent a company laptop/device from working on external networks:

@Dashrender said in Cross Post - How to prevent a company laptop/device from working on external networks:

@JaredBusch said in Cross Post - How to prevent a company laptop/device from working on external networks:

This can be defeated by anyone simply by updating their home network settings to match the laptop.

Granted a lot of users would not know how to do this, but they would figure it out if they wanted.

Such stupid.

this requires that the users know the password for the wireless, assuming the wireless doesn't use a certificate based authentication like was presented at ML Con.

But this idea was the first that popped into my mind.

Who said anything about wireless?

Good point - I assumed, my bad.

Then static definitely does nothing to save you.

Does windows have a way to require the adapter to only join a network that has a given domain on it? If not, again, the aforementioned changing of the home network to use the IP of the office network completely bypasses this 'solution.' and portable routers like the one they guy had at ML (though it would need to be one with a wired port as well) would allow that user the ability to use it nearly anywhere.

Dashrender

@JaredBusch said in Cross Post - How to prevent a company laptop/device from working on external networks:

@Dashrender said in Cross Post - How to prevent a company laptop/device from working on external networks:

@JaredBusch said in Cross Post - How to prevent a company laptop/device from working on external networks:

This can be defeated by anyone simply by updating their home network settings to match the laptop.

Granted a lot of users would not know how to do this, but they would figure it out if they wanted.

Such stupid.

this requires that the users know the password for the wireless, assuming the wireless doesn't use a certificate based authentication like was presented at ML Con.

But this idea was the first that popped into my mind.

Who said anything about wireless?

But then now we'd be talking about laptops being on wires - this is a failure in so many ways!

momurda

The OP question is wrong. Their policy on laptops is wrong. Why would users be able to bypass their group policies at home on a domain joined laptop if they aren't admins? There would be no "insert whatever behavior here" that should affect users at home anymore than when at work. For example, their a/v solution would still work at work or at home. Their Windows firewall policies should work inside or outside the office.
The best solution is to make a policy of don't do "insert behavior here" on your company laptops. Then to check compliance when the device is on the corporate network and can be scanned. Then fire the people who break the policy.

edit TLDR Make a policy that bans bad behavior and enforce it.

Dashrender

Lol, all of us here talk about all of these HR policies but the reality is that most smbs don't have the fortitude to actually back up any policies that they make. Instead they would rather use technology to force the issue and not have to worry about the personal confrontation.

momurda

That might be true, but there is no practical way to do what the op wants and have happy and productive employees.
He wants his users to take home a brick every night, write some things in Word locally then bring it to work and connect it to their network. Like its 1995.
Setting up a policy and scanning for violations is much easier to implement and enforce than what SW OP wants. It is that simple. Or, don't treat your employees like slaves or indentured servants.

scottalanmiller

Haven't read replies yet but... if IP addressing is their security mechanism they are screwed already.