Hi Nicolas,
The first thing you will need to do is get some sort of formal policy
approved at senior management, without this whatever improvements you
want to put in place will be difficult, it not impossible to enforce.
As to specifics:
- we use whole disk encryption on all our laptops from a company
called Safeboot. It is pretty good, there is obviously some
performance impact, but this is not too bad, and the product really is
whole disk - e.g. you cannot get to any data or the O/S without first
entering your Safeboot credentials. Disclaimer - I have no ties to
this company what-so-ever, I'm just mentioning the product we use, I'm
sure there are various other products that perform as well.
- up to date AV, - set to update both from our servers and the web to
allow for people who may not connect to the office frequently.
- Local firewall and IDS - this is set to resist tampering to make
it very difficult to turn off, and also run different firewall configs
depending on your IP - e.g. fairly open in the office, but blocks all
connection attempts when on an IP not from our internal range.
- Wireless - this is set to only connect to a known list of wireless networks.
- VPN - set to not allow split tunneling so that when VPN'd into the
office the laptop cannot connect to any other networks.
- Local Admin - unfortunately due to most users needing to be able to
change network settings etc, and the usual issue of everyone having
had admin rights in the past most of our users do have local admin,
although we are looking at ways to remove this without stopping them
working as they need to.
- All machines are routinely scanned for patching etc when in the
office, but this does mean some laptops aren't scanned as frequently
as is ideal.
- Patches are all applied by WSUS or for non M$ stuff an alternative
deployment solution is used.
Patching, AV updates, and firewall / IDS updates all work over our VPN
as well as when in the office.
Other things you could consider - NAC - to enforce a certain level of
patching / AV etc before machines are allowed on your network, and if
there is a lot of budget data leakage products such as Digital
Guardian.
Various things you could have in your policy that may help with the
above include -
mandating laptops be connected to the office / VPN for a minimum
period each week to ensure they are kept up to date.
Never leave them unattended or in cars etc.
Mandate the use of Kensington locks at all times (even in the office).
Probably loads of other things, this is just off the top of my head,
but I hope it helps.
cheers
Kevin
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Nicolas Arias
Sent: 23 January 2007 13:12
To: security-basics@lists.securityfocus.com
Subject: Notebook policy (need advice)
Hi guys!, in my company we have a lot of notebooks, but theres no formal
security policy about them.
Can you tell me how do you handle this?
Do you give an local admin for the owner?, do you use full disk
encryption?, what about anti-virus and external scans?
Any idea is going to be really preciated.
Cheers!!
