The same discussion is always going on at my workplace and customers that I work at. They all want to know, can they use their personal computer to VPN in to work AND/OR they are so frustrated because upper management will not buy new laptops so they want to bring in their own personal laptop and use it.

My personal opinion is a flat out NO. I don’t want the headache of supporting people’s personal computers. I know they will demand local admin access and install some virus or other malware and our entire network gets owned. I’ve been through that before when a corporate person brought in a personal computer that had a virus and it downed the entire network in less than 5 minutes because it was a 0-day exploit. NOT FUN!!!

Now I work for a company that says no to using personal computers, however we were bought by another company that says the exact opposite. In fact they demand that desktops are supplied by the company, but if you want a laptop you have to pay for it yourself.

What are your thoughts?


We have two ways of dealing with this (other than saying “no”)…

Option 1: They can use their laptop but using our build and under our management. We do the build by script, not image, so not a licensing issue. We install the software, the VPN, the remote management, the AV, etc. It acts just like a business machine but they own the hardware and can take it with them (sans software) if and when they go.

Option 2: SSL VPN.

That’s ridiculous. Your company is obviously run by tech-ignorant people. If you are the highest position in IT for that company, it is your responsibility to explain the pitfalls and dangers of such a scenario.

NO PERSONAL PCs.

NO LOCAL ADMINS.

period.

We do no local admins. Even the “local admin techs” who are local admins on everyone’s machines are explicitly not admins on their own machines.

There are no personal computers hooked into my network. I found one hooked to the network a long time ago. They are no longer with us.

J-159 you are right. And along with my boss we continually try to explain why we shouldn’t use personal computers. However they completely ignore us. (The owner of the company thinks email and anti-virus is the same thing; UGH!!!) And the users like I said before are so frustrated because the machines they have now are 5 to 6 years old. They can barely do their jobs.

What I don’t understand is no one wants to use their car for work or anything else they may have personally. BUT yet they want to use their personal computers. It makes no sense to me.

One manager I was speaking with I finally asked him why he thinks it’s all right to use his personal computer but yet if the company told him to start using his own personal forklift he would have a problem with that. His reply was that computers are simple machines that hardly require any work but a forklift requires maintenance.

That made me feel good.

I agree completely, there should be no personal computers plugged into the work network. Too much of a threat to introduce a virus into the network, etc. Too much of a headache to support personal computers. I strongly believe that a company’s IT department should never support employees’ personal computers. This is just asking for trouble, you would have everyone bringing in their personal computers to have them worked on for free, home visits, telephone support. What a nightmare…

The problem is you need everyone in the IT department to buy into this thought process, you get one person that lets it slide and it’s over. I have seen too many IT guys trying to do “side work” on employees’ home computers and it takes time away from the company dealing with “personal” computer issues. That is what the nerd herd or geek squad is for.

Think of it this way, if you work for a painting company should the company go paint your house for you just because they have the resources to do so?

The threat of bringing in a virus on a home computer is extremely real, I have seen one computer take down a national network of 3,000 plus computers.

VPN…from their personal computers to the work network, yes if they have proper approval. VPN can be filtered and then the network can be protected against their personal computer’s potential threats.

We are in a whole new dawn of time though… you can buy a netbook for $199, a lot of users have these, what’s stopping them from bringing them in to work? To play their MP3s, check their mail during lunch on their broadband wireless. At my current company they don’t allow anything more than a small radio, what happens when radio isn’t available anymore?

As these cheap personal computers come into play more, NAC will play a much larger role in any secure network.

In regards to the company not footing the bill for a laptop and they need to buy their own…this is an education issue. Buying and having control over the laptop is priceless. Management needs to understand that computers need to be owned or leased by the company, not the individual. There are legal issues, licensing issues, HR issues, all sorts of things that come into play when an employee is allowed to use a personal computer with personal items on it as their primary workstation. What about locking them out of admin rights on their own personal computer…this could get very sticky.

Our answer is “NO” to user owned machines having anything to do with the company network. Anyone who requires remote access gets a workstation and/or laptop for home and/or travel use. I, for example, have three machines of my own on my home network (along with all the machines belonging to other family members) but I have a company issued laptop and a company issued workstation that are connected to my router, but not through my LAN. All of the installed software on these two devices is owned and licensed by the company and no personal doo-dads are permitted.

We also do not provide remote access without a legitimate business need for accessing the network and servers. If you are asking for access just to keep up with your email on weekends, well, that’s why you have a Blackberry…

Strictly, unequivocally, and always NO! We have had users whine about not being allowed to do that in the past and our reasons are very similar to yours. We have been through the same scenario as you with a user and it just reinforces the support that we get on this policy.

Never-ever-ever and I don’t care what your boss said or who they are - no way, Jose!

RDP and SSL VPN only.

Nope, not on the wired network. We allow for personal laptops to be used on a “public” wireless VLAN that is segregated from the rest of the network. That means they cannot get to any network resources besides E-mail, and read only access to their home drive (through OWA 2007).

I like the comments so far on how strict your policies are, sharing these types of “best practices” with management may help a great deal. Along with some horror stories of potential issues with allowing these devices on their network.

I have seen a wide range of opinions by management on this subject over the years. One thing I have found is if it’s a company with one or two owners they tend to bend rules for certain employees and like to override IT. Public companies have to listen to IT and adhere to more strict controls and policies. I guess what I am saying is it really depends on the company.

I would suggest starting out with sharing best practices from your user groups like this community. Also give them some real world examples of what could happen if they don’t follow your advice.

We go with a VPN only standpoint and they sign an agreement to let me clean and make sure the computer isn’t infected and the proper AV/Firewall/AntiSpyware is installed.

When I first started, we allowed everyone to connect via just RDP from whatever computer, what a nightmare.

Now that everyone has a laptop for a work machine, you can only connect with your work laptop via VPN and RDP.

We have three things to say about using personal PCs at work: don’t even ask, No way, and no. I have better equipment at home than we have here at the company, but if I have to access something remotely, I still use the company issued laptop. I don’t want to accidentally mess my stuff up with special apps we use here, or be responsible for something getting loose that was on my stuff.

We’re in the process of looking into 802.1x to prevent people from connecting unauthorized to the network. As is, we have set DHCP to have no available addresses and are using reservations to do sticky addressing. Luckily we have a small enough company to do that, but anyone can set a static and get around that, hence the 802.1x investigation.

But yeah, my last response on an issue like that was when one of our customers asked to let them have full access to our network - in front of the president of the company and visiting corporate executives. I wasn’t aware that these were our corporate execs at the time so I got a few looks of shock when I commented “Hell no. We maintain confidential customer data from multiple customers and take that very seriously - the only access into our network is through company employees and company assets.”

Later I almost crapped myself when my boss told me that the other suits in the room were top executives from corporate. Figured I was gonna get fired, but last month I got an “Outstanding Performance and Dedication” award from corporate.

Stick to your guns is all I can say.
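The DHCP-reservations-only scheme in the post above keeps casual devices off the LAN, but as the poster notes a static address sidesteps it. Added example, not code from the poster or anyone in this thread: a Python audit that compares a constructed Linux `ip neigh` listing against a constructed reservation list and flags any host holding an address it was never reserved, a stop-gap check that stays useful until 802.1x is in place. All MACs and addresses are made up.

```python
"""Audit hosts seen on a LAN against the DHCP reservation list.
Added example, not code from any poster; all MACs/addresses are constructed."""
import ipaddress
import re

# Constructed reservation export: MAC -> reserved IP.
RESERVATIONS = {
    "00:11:22:33:44:55": "192.168.10.20",
    "00:11:22:33:44:66": "192.168.10.21",
}

# Constructed neighbour table in Linux `ip neigh` output style.
NEIGH_SAMPLE = """\
192.168.10.20 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.10.21 dev eth0 lladdr 00:11:22:33:44:66 STALE
192.168.10.99 dev eth0 lladdr aa:bb:cc:dd:ee:ff REACHABLE
192.168.10.21 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.10.7 dev eth0 FAILED
"""
NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-fA-F:]{17}) \S+$")

def parse_neigh(text):
    """Return (ip, mac) pairs; entries with no resolved MAC are skipped."""
    pairs = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs

def audit(pairs, reservations, subnet):
    """Flag every host in `subnet` not sitting at its reserved address."""
    net = ipaddress.ip_network(subnet)
    ip_of = {m.lower(): ip for m, ip in reservations.items()}   # MAC -> IP
    mac_of = {ip: m.lower() for m, ip in reservations.items()}  # IP -> MAC
    findings = []
    for ip, mac in pairs:
        if ipaddress.ip_address(ip) not in net or ip_of.get(mac) == ip:
            continue  # off-subnet, or a known host at its reserved address
        if mac not in ip_of and ip in mac_of:
            why = "reserved address claimed by unregistered MAC"
        elif mac not in ip_of:
            why = "unregistered MAC holding a static address"
        else:
            why = f"registered MAC off its reservation ({ip_of[mac]})"
        findings.append((ip, mac, why))
    return findings

if __name__ == "__main__":  # sample run over the constructed data
    print(*audit(parse_neigh(NEIGH_SAMPLE), RESERVATIONS, "192.168.10.0/24"), sep="\n")
```

On a real box, feed it the output of `ip neigh` (or the switch's MAC table) and a reservation export from the DHCP server; it only sees hosts that have talked on the segment recently, which is exactly the gap 802.1x closes.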

Since I go into businesses that do not have their own IT people and we get paid for every service call I like to see people bringing in their own laptops with virus protection that expired over a year previously. For me it is job security.

We have some businesses that we have to go into every 3 months to do complete cleanups. Often the worst offenders are the owners or senior people. If they ask why the antivirus protection that we installed on their business systems did not protect them I would ask them why they hooked up an infected computer to the network. It would invalidate any warranty claim.

Of course if I worked in those companies I would go ballistic if someone brought in an infected machine and it infected my network; I would not let them in the door with it unless they agreed to let me smash it with a sledge hammer if it ever affected my network (Yeah, great fun). Or I would install a shutdown script on it that had it reboot every 2 minutes and then it would be unusable and I would deny having any knowledge of what the problem was; also great fun.

Or maybe I could insist that they have a domain logon which would of course require XP Pro/Vista Business, etc which would rule out 99% of the personal computers.

But I really like the idea of putting a shutdown script on their system instead.

Personal computers are a definite 100% no-no on our network. We had a policy which said if anyone brought a laptop into work that we were allowed to take it off them and search the entire computer in case that person had tried to steal data and then not let them have it back until they had gone through an interview with senior management.

We stopped this because I don’t think it was legal.

Users can bring in their laptops here, but they are not allowed to work with them.

They only get Internet access (freelancers especially).

Personal computers are not brought to the AD, and they will not get the VPN access installed.

Nothing has to hook up to our AD that can not be controlled by us regarding AV signatures or preferences like local admins.

ImbaAdmin wrote:

Users can bring in their laptops here, but they are not allowed to work with them.

An even better policy would be:

“Users can bring in their laptops here, but they are not allowed to turn them on…”