We have users that have purchased their own laptops for VPN use at home. Now they are wanting to bring laptops in and have them on the network for printing etc. We use Panda antivirus and wanted to know if anyone else is dealing with a similar situation of having outside laptops on their network. Do you have the users bring them in to the office at certain intervals to do updates for antivirus? What kind of policies do you have in place for this? Thank you in advance!
If a user brings in a personal laptop at this point we mandate that they have up-to-date AV which they purchased on the system. We don’t supply any software on systems we didn’t buy. If they bring in a system that isn’t up to date we turn off their port.
For non-employees we have a separate VLAN segregated on our firewall that only allows Internet access and limited printing to keep guests away from our corporate data.
User laptops are not allowed here except for managers and certain pre-approved personnel. There are only 2 users allowed to connect to our internal network, that being the owner and the head of development, all others connect to our secured wireless and only have access to the internet.
I think as a rule most, like 99%, are against this, for a lot of reasons.
Most corp environments have decent GPOs to lock systems etc…
So if your coworker has a personal laptop and copies over say payroll info with SSNs or a Contract or RFP and it’s stolen, umm, you’re in deep doodoo.
The other problem is you have no way to enforce that rule on their systems or them, or make sure they keep a good and up-to-date AV.
We are implementing Deepfreeze soon so no data will exist on the hard drive, only mapped drives for the user.
No personal Machines on the domain network. Ever.
We set up a separate wifi on a DSL line for guests\customers\personal machines - I would never let a personal machine on the network as the risk is simply too high.
Hope this Helps
keith9935 (Soule0913)
This is a bad trend I am starting to see at businesses.
As above it is usually a bad idea.
Best case if it gets approved:
- setup a guest network
- Attach them to that
- Setup Internet printing (internal only) so they can print.
- Disable VPN connections from the guest subnet to the main network.
Realistically they shouldn’t allow personal computers to use VPN either. It’s awesome when the VP’s son has been browsing some mature sites and infects the whole company.
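The guest-network rules in the list above (print to an internal print server only, no path to the VPN gateway or the rest of the corporate address space, Internet otherwise) are easy to get wrong by ordering: the narrow print-server allow has to sit in front of the broad corporate deny or it never matches. The following is an added example, not code from this thread or from any product mentioned in it; it models that policy as a first-match, default-deny rule list so the ordering can be tested before it is typed into a firewall. Every subnet, host address and port in it is an assumed placeholder.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing for the example (placeholders, not from the thread).
GUEST_NET = ip_network("10.200.0.0/24")        # guest VLAN
PRINT_SERVER = ip_network("10.10.5.20/32")     # internal print server
VPN_GATEWAY = ip_network("10.10.1.1/32")       # VPN concentrator
CORP_NETS = (                                  # everything that counts as "inside"
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)
ANY = ip_network("0.0.0.0/0")
PRINT_PORTS = frozenset({631, 9100})           # IPP and raw JetDirect printing


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp" (kept for completeness, not matched on here)
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str     # "allow" or "deny"
    src_net: object
    dst_nets: tuple  # tuple of ip_network objects; empty tuple means any destination
    dports: frozenset  # empty set means any destination port

    def matches(self, flow: Flow) -> bool:
        src, dst = ip_address(flow.src), ip_address(flow.dst)
        if src not in self.src_net:
            return False
        if self.dst_nets and not any(dst in n for n in self.dst_nets):
            return False
        if self.dports and flow.dport not in self.dports:
            return False
        return True


# Order matters: the narrow allow for printing must precede the broad corporate deny,
# because the print server lives inside 10.0.0.0/8. The VPN deny is listed on its own
# so that hits on it stand out in logs, even though the corporate deny would also catch it.
GUEST_RULES = (
    Rule("guest-to-print-server", "allow", GUEST_NET, (PRINT_SERVER,), PRINT_PORTS),
    Rule("guest-to-vpn-gateway", "deny", GUEST_NET, (VPN_GATEWAY,), frozenset()),
    Rule("guest-to-corporate", "deny", GUEST_NET, CORP_NETS, frozenset()),
    Rule("guest-to-internet", "allow", GUEST_NET, (ANY,), frozenset()),
)


def evaluate(flow: Flow, rules=GUEST_RULES):
    """Return (action, rule_name) for the first matching rule, or default deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "default-deny"


if __name__ == "__main__":
    # Constructed sample flows from a guest laptop.
    for f in (
        Flow("10.200.0.15", "10.10.5.20", "tcp", 9100),   # printing: allowed
        Flow("10.200.0.15", "10.10.5.20", "tcp", 445),    # SMB to the print server: denied
        Flow("10.200.0.15", "10.10.1.1", "udp", 500),     # VPN gateway: denied
        Flow("10.200.0.15", "93.184.216.34", "tcp", 443), # Internet: allowed
    ):
        print(f, "->", evaluate(f))
```

Note that a flow from a non-guest source falls through to the default deny here, because this rule list models only the guest VLAN; on a real firewall the corporate rules would be a separate chain.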
If they already have VPN access, let them in on a separate VLAN and let them VPN in. If you cannot do a separate VLAN, consider bringing in a separate Internet connection (like a cable modem) and put it on its own wireless network. You may have to do some extra training and give them scripts to run to map the printers, but that is MUCH less work than having a malware infected device on the network.
You could also use some kind of Terminal Services implementation including MS, Citrix, or even VDI.
Short of that, you would want some kind of NAC (Network Access Control).
Devices on your network not under your control, especially PCs where the users have Admin rights, is bad juju.
bad idea altogether… bad juju bad mojo bad karma… you get the point… and for audit reasons… it gets a bit worse. if you have to conform to any HIPAA / SOX / PCI DSS / etc… then this could even be criminal… it’s just not a good thing to let employees do this type of activity.
For all intents and purposes the VPN you have is just a really long network cable. So unless you already have a VLAN set up for VPN users, they have been on your domain with their dirty non-compliant virus-laden laptops ;-). If keeping the network secure is under your purview, I would recommend making sure that these users have some sort of antivirus installed. Since when they log in they will have a local IP, you should include them on your scheduled Spiceworks scans so as to see if their antivirus is up to date. And since they are technically “personal” laptops, you can recommend one of the many free-for-personal-use virus programs, such as Microsoft Security Essentials.
Barring them from the network is another option, however you don’t want to be the network Nazi who impedes your employees’ ability to be more productive at home. (Unless you have a budget to provide them with company laptops.) Both options have their time and place. I would be comfortable with both depending on the size of your mobile VPN user group. If we are talking about any more than ten people, I would say no deal. At that point, it becomes too much to manage and option b would be the best.
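The suggestion above, to include the VPN laptops in scheduled scans and check whether their antivirus is current, needs a rule for what "current" means and a report that separates laptops with no AV at all from those with stale definitions or real-time protection switched off. The following is an added example, not part of the thread and not Spiceworks’ own export format; it reads a constructed CSV export of scan results (columns, hostnames and dates are all made up here) and returns the non-compliant hosts with the reasons, using a seven-day maximum definition age as an assumed threshold.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export; the column layout is an assumption for this example.
SCAN_EXPORT = """hostname,ip,av_product,definitions_date,realtime_enabled
LT-SMITH,10.200.0.15,Microsoft Security Essentials,2011-03-14,yes
LT-JONES,10.200.0.16,,,no
LT-LEE,10.200.0.17,Panda Antivirus,2011-02-01,yes
LT-PATEL,10.200.0.18,Avast Free,2011-03-16,no
"""

# Assumed policy threshold: definitions older than this count as stale.
MAX_DEFINITION_AGE = timedelta(days=7)


def assess(row: dict, today: date) -> list:
    """Return a list of compliance problems for one scanned host (empty if compliant)."""
    problems = []
    if not row["av_product"]:
        # Nothing reported at all; no point checking definitions or real-time state.
        problems.append("no antivirus reported")
        return problems
    if not row["definitions_date"]:
        problems.append("definitions date unknown")
    else:
        age = today - date.fromisoformat(row["definitions_date"])
        if age > MAX_DEFINITION_AGE:
            problems.append(f"definitions {age.days} days old")
    if row["realtime_enabled"].strip().lower() != "yes":
        problems.append("real-time protection off")
    return problems


def noncompliant_hosts(export_text: str, today: date) -> dict:
    """Map hostname -> list of problems for every host that fails the policy."""
    report = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        problems = assess(row, today)
        if problems:
            report[row["hostname"]] = problems
    return report


if __name__ == "__main__":
    # Fixed "today" so the constructed sample gives stable results.
    for host, problems in noncompliant_hosts(SCAN_EXPORT, date(2011, 3, 16)).items():
        print(f"{host}: {'; '.join(problems)}")
```

A laptop that never shows up in the export at all is the other case to watch for; the scan cannot vouch for a device it could not reach, so an absent host should be treated as unknown rather than compliant.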
I don’t let anyone connect to our network unless it is one of our work PCs / laptops. Even via VPN… it’s as bad as being directly connected to the network in the office.
tazking (Dave4113)
I agree with almost everything posted above.
Here I do not let any personal system on our network no matter who it is. We have a guest wireless network for them to get to the internet. There are so many things that could go wrong with this.
- Copyright issues
- viruses / spyware / other garbage
- Data theft
- HIPAA violations
- Exposed data
- Data loss
All of this can happen with a person with no bad intentions just not knowing better. Imagine if it was someone with bad intentions.
tazking (Dave4113)
Alex.Mahrou wrote:
For all intents and purposes the VPN you have is just a really long network cable. So unless you already have a VLAN set up for VPN users, they have been on your domain with their dirty non-compliant virus-laden laptops ;-). If keeping the network secure is under your purview, I would recommend making sure that these users have some sort of antivirus installed. Since when they log in they will have a local IP, you should include them on your scheduled Spiceworks scans so as to see if their antivirus is up to date. And since they are technically “personal” laptops, you can recommend one of the many free-for-personal-use virus programs, such as Microsoft Security Essentials.
Barring them from the network is another option, however you don’t want to be the network Nazi who impedes your employees’ ability to be more productive at home. (Unless you have a budget to provide them with company laptops.)
Network Fiend impedes productivity VS HIPAA Violation / Data leakage.
Buy new laptop: $2000 - HIPAA fine max penalty: 1.5 Mil
We have a separate VLAN for all external computers, wireless as well as wired access, with rules that only allow access to the internet. Giving a dirty VLAN access to any internal resources of any kind is a bad idea.
Would you be able to use System Center Configuration Manager or something similar to force the laptop to have a certain configuration before it joins the network?
We are not a health care provider, but I have experienced issues in the past when I have worked for one. It is something out of our control as IT, because if the higher-ups say it needs to be done, it has to be done. We don’t have wifi here either but do use a DMZ for internet access only, separated from the network. It’s not exactly the strictest environment either. We don’t block sites etc.
kcorbin wrote:
bad idea altogether… bad juju bad mojo bad karma… you get the point… and for audit reasons… it gets a bit worse. if you have to conform to any HIPAA / SOX / PCI DSS / etc… then this could even be criminal… it’s just not a good thing to let employees do this type of activity.
Yep, totally forgot about SOX compliance.
If your company ever goes BIG to the point of an IT audit this is a big no-no.
AEisen wrote:
Would you be able to use System Center Configuration Manager or something similar to force the laptop to have a certain configuration before it joins the network?
That would assume the laptop is on the domain, it’s a personal laptop.
This would require a hardware profile…
tazking (Dave4113)
LOL no implications were made Alex, just my take on it. Also you can substitute Data Loss for HIPAA and you still have the same possibilities.
Curtis3363 wrote:
AEisen wrote:
Would you be able to use System Center Configuration Manager or something similar to force the laptop to have a certain configuration before it joins the network?
That would assume the laptop is on the domain, it’s a personal laptop.
This would require a hardware profile…
Are you sure? I thought SCCM 2007 R2 was able to connect to clients over the Internet in Native mode using certificates