1

Hello folks,

I’m looking for a bit of a sanity check here.

My background is more of a DBA/Hosting position with only minor IT/Sysadmin stuff - software houses and the like in which my users were savvy programmers. As a result I never really had to worry about user education too much (oxymoron in the IT world perhaps) until now.

In my current role, I look after IT for a main office of about 100 users and two satellite offices - one of which is not logically connected to the main site in any way.

One common request I have had lately is users asking for paths to their home folders as well as shared folders, so that they can access files from home via Mac OS and Windows - from their home PCs rather than laptops which they had been allocated by the company. These users, despite having company laptops, refuse to bring them home and instead want to use their home computers for remote working.

Now, my opinion here is basically that giving users unc paths so that they can remote work from home PCs is a considerable security concern. I would rather they use VPN and RDP to their computers in the office, that way the files are more likely to remain inside the company LAN.

Who knows - a user’s home PC could be a Win XP machine with IE6, crawling with viruses like the monkeys from the movie ‘outbreak’.

What are your thoughts? How do you deal with requests like this?

Thanks,

Peter

12 Spice ups
2

The short answer is I say “no”.

I would never give someone direct UNC level access from a personal computer, with or without a VPN since you can’t legislate for the security state of that computer.

As you’ve said, VPN + RDP is as good as we’ll give to non-company machines.

If they have a corporate laptop but refuse to use it they need to be told to do so, involve management if necessary.

11 Spice ups
3

Tell them “VPN or RDP or nothing”. All of our users are cloud based anyway, but even if they weren’t it would be ridiculous to allow them direct access to the company network from an unsecured computer. Also, tell them to start using their freaking laptops issued by the company. IT shouldn’t be bending over backwards to accommodate the low-end complaints users have about wanting to work from home their own way.

If they want to work from home, they need to comply by company rules and use a VPN or RDP or their work laptops. Plenty of options there. Some users are just spoiled.

5 Spice ups
4

In a word: no.

Two words: hell, no!

As the device isn’t controlled by any kind of coherent IT policy, no one knows if the pc has decent AV, if it is current on patches and updates, or even if it is password protected. How many regular people don’t even bother to encrypt their wi-fi?

“Trust me, IT person, I know what I’m doing!”

5 Spice ups
5

No home computer can have vpn access to your network.

Yu can setup a terminal server with a secure connection, or a vpn solution where you can publish each user his own pc to connect to remotely, but “public” computer cannot have network access.

If your users refuse to carry out their laptops home, buy them desktops, save the money and invest it in a good VPN solution (Juniper SSL VPN is my personal recommendation).

5 Spice ups
6

Chaps - thanks for getting back to me.

I completely agree in particular with the comment ‘Some users are just spoiled’. The users who are stamping their feet in this area are the same one’s that management has bent over backwards for, i.e.: They dont just have company phones, they have iPhone 4s. They don’t just have a laptop, they have brand new Sony Vaios, and in a few cases a second laptop (not worth explaining why here). When they have a deadline they can’t meet because they leave things to the last minute, they find some way of blaming their failures on one IT issue or another (though I have ironed most of these out since I started last year).

Spoiled is right.

1 Spice up
7

Remote controlling their office machines is a great idea. However depending upon the capabilities of your VPN, you are also granting them access to your entire network.

I would recommend a using Citrix XenApp/MS Terminal Services/MS Remote Desktop Services that would allow them access your corporate resources using a web browser. The interface presented would then offer them the Remote Desktop Client which they use to connect to their own computer.s. The advantage of this approach over a full VPN is that you can control remote drive mapping and remote printing among others. The Citrix/MS gateway isolates internal and external traffic and prevents direct access to your resources. And it you go this route, you need to be conscious of the need for additional authentication security over username and password. Token systems such as RSA Secure ID/SafeWord/McAfee OTP address this. You also need to consider that with this type of capability, your people may be more inclined to access your resources from public terminal and locations.

Savvy users will always find a way to game the system. Or most of have friends in the know that can help. Playing the opposing side, I can think of many ways to circumvent the controls you are trying to implement. LogMeIn, GoToMyPC, and TeamViewer come to mind from a remote control perspective. Most have built-in file transfer capabilities. Box.net and DropBox come to mind as ways for them to share their own files online. You should consider a good firewall or web gateway that can control these applications. In the case of TeamViewer, it doesn’t even need administrative rights to be run and operates as a reverse http proxy making it difficult for most firewalls and web filters to catch.

1 Spice up
8

We issue laptops for a reason. They need to use what we issue them or work in the office. Even RDP from a home computer to a terminal server or office workstation is somewhat dangerous because if the home pc has a trojan/keylogger, then someone just got a username, password, remote address and full access to whatever the user has…

That said, we have a couple of users that we do allow remote access. But they are special cases and we pay for,install and maintain the security software on their home PC.

2 Spice ups
9

We do not allow personal computer on our corporate systems at all, be it VPN or otherwise. If it was determined that you need access to your files from home, you are given a laptop. End of story. Too many security issues with allowing personal computers to connect to the network. We have also had many people ask if they can just use their personal laptop instead the company issued one or company issued desktop. We deny that as well. Between licensing and security there are too many issues we would have to deal with.

2 Spice ups
10

I’d echo the comments on Juniper SSL VPNs. They’re what we use and they’re very flexible. You can control exactly which machines can access the VPN, and exactly which features each user gets.

It sounds like you have something in place already since you mention company laptops and remote working?

1 Spice up
11

If they refuse to use company supplied equipment the alert management and involve HR since you are doing nothing wrong. They are just lazy, needs to be documented in their file.

1 Spice up
12

Yes, but those things need to have a host on your network, yes? You can get the installed software/services/etc. list from Spiceworks to help spot and kill (KILL IT WITH FIRE!) those apps if they are not allowed.

Additionally, you can get rather creative with firewall rules, DHCP and VPN systems, etc. to make life REALLY hard for those that try to sneak around the company usage rules.

If users want to be sneaky about getting around the rules, I can be just as sneaky about enforcing the rules.

1 Spice up
13

I say no too. They were issued a laptop for a reason. You have no control over the personal stuff nor should you. To protect the network and the user’s files, no personal equipment on the network.

14

Errr… under no circumstances!!!

What is the point in having a company laptop if it doesn’t move??

A terminal services type connection is the safest but even that can be risky as mentioned before.

Is there a company security policy? If not get one sorted. This should cover such things as remote access and connections to the company network.

These users need to wake up to the real world and understand that they are wasting company money!

1 Spice up
15

In terms of what is already in place, its very minimal: sorry to say this but my predecessor was not very good at his job i.e.: servers went un-patched for well over a year in many cases, everyone was using Win XP when I took over last year, loads of IE6 users with every toolbar you can imagine (and a few you couldn’t), the antivirus licensing had expired 7 months before my first day of work so you can imagine the state the place was in - a real challenge to have things on an even keel.

Our VPN solution is a simple MS Forefront TMG setup.

I recently implemented Remote desktop services and published a few RemoteApp programs which has worked well for some pieces of obscure software my users rely on to do their jobs. I have never used it before so I’m just getting to grips with it’s capabilities. I’d like to explore further how I can utilize this to improve user experience of remote working as well as improve security for remote workers. Prior to this, my predecessor had over a half-dozen Win XP vms running on ESXi 3.5 on a Dell Poweredge - just so remote workers could use one program!

I won’t even waste time telling you about the member of lower-middle management who was killing our internet connection by seeding her illegally-downloaded Disney movies via uTorrent in the office. “sorry I forgot to tell uTorrent not to run when Windows starts”. I nearly lost the plot…

16

Tex and the others that say this is an HR issue are right.

For management to allow this behavior, there may be things at work that you need to not step into.

The reasons for tolerating this kind of behavior are:

1.) They bring in so much money that nothing else matter,

2.) They are family

3.) They are providing other benefits to managers that are not “official”

4.) Your managers are in the wrong jobs.

Bottom line is that I agree that you have your IT responsibilities in order, and the root problem is an HR issue.

3 Spice ups
17

The response is “NO”!

Only company equipment is allowed to connect to company resources, and it is checked on a regular basis to verify that all systems are working as installed. This limits the “home users” from claiming that our systems damaged his system. It also allows me to configure the laptop to limit data theft. I set the systems up to only allow specific programs to operate. I do not allow files to be saved locally, and I also restrict USB activity. Working from home is a privilege, but it is a huge security risk as well!

As a final fail-safe, in the event of loss or theft, the systems will self wipe in the event specific parameters are not met. Tamper with the software …system wipes. Tamper with the hardware…the system wipes, fail the log in challenge “too many” times … the system wipes, piss off the IT guys…the system wipes …lol.

VPN RDP Firewall Secure the laptop,

1 Spice up
18

You may also want to consider some sort of two-factor authentication to guard against keystroke loggers on the remote PC. I’m testing www.duosecurity.com now for this very reason.

1 Spice up
19

You have two things going on here. The first is a technical/policy issue: remote access to the network. The second is an HR issue: whiny users allowed to behave like Honey Boo Boo. (If you don’t already know who that is, for the love of all that’s good and right, don’t Google it. You will, of course, but don’t say I didn’t warn you.)

For the first, engage your leadership on a coherent set of policies to address the business need. “Business need” is the key here. Make sure your policies include proper request procedures and what positions (not people - never specify people in a policy!) have authority to authorize various permissions. Once you start pulling the policy thread, odds are you’ll find you need to redo to the entire suite of IT-related policies. This is not a bad thing.

One you have policies in place, configure your technical solutions. Only offer solutions to management that you are more than happy to support. NEVER - under any circumstances - offer a solution you don’t like. That will invariably be the one management selects. Make sure your solution covers security and data integrity.

From there, simply point people to the policies. If the HMFIC constantly overrides the policy in favor of the prima donna(s), express your concerns for business integrity and security in writing. If it doesn’t get better, walk. It’s your reputation and personal integrity on the line. You will have nothing to gain by continuing to poke holes in best practices to accommodate the whims of a few people with political clout. You do, however, have everything to lose. You’ve already indicated that A_Problem_User001 likes to blame IT for their inability to meet project deadlines. If the boss is listening to them, it’s only a matter of time before you’re out.

3 Spice ups
20

Hi Bryce,

Thank you for your input - one would almost imagine that you had first hand experience of the culture in my organization, particularly due to your use of the term ‘prima donna’ - I can assure you we have many.

Wise words