
I was employed as the only system administrator by a company where half of the computers are portable ones that are taken away for work at home, business trips, visits to clients, etc., and that have access to practically everything while connected to the internal corporate networks.

And most users of computers, even desktops, are administrators. Everything is in Windows workgroup(s); there is no Active Directory/Domain Controller.

  • Update: 35+ Windows 7, XP and Vista workstations and two Windows 2003 servers, one running terminal services (serving all the accounting applications), the other for websites/portal and external access from the internet. The office (internal networks) is distributed over 2 main locations (one is the main office, the other is the production facility in another city), and the main office has 2 buildings communicating over WiFi.
    The employees (sellers, accountants, lawyers) plug portable computers into the internal cable network while at the office.
    See more information on my specific situation in my question How to make sure that previous sysadmin has not compromised corporate IT security? [closed]
    Update End

What are the most urgent first steps for securing/re-organizing such IT corporate infrastructure and arguments to convince the top management in their necessity?

6 Answers


Trust nothing. All mobile devices should be placed on their own network segment, which doesn't have access to the entire infrastructure. This untrusted network should be treated no differently than the open internet. Make sure you expose only the services that are needed to this untrusted network.

Make sure all mobile devices have anti-virus software. I am still skeptical of anti-virus software for phones. Make sure devices are updated regularly.

rook
  • This is a very good theoretical approach. I am here to understand how to (better) realize it practically. As long as a user is an employee, s/he is trusted with everything on the corporate network. Restrictions are through application security configuration (accounting applications are used through terminal services), though not realized practically. – Gennady Vanin Геннадий Ванин Mar 27 '12 at 20:08
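As an added illustration of "expose only the services that are needed" on the host that matters most here (the terminal server), the following PowerShell is not from rook's answer or the original page. It assumes the NetSecurity cmdlets of Windows Server 2012 / Windows 8 or later (the page's Windows 2003 servers do not have them), and the subnets 10.20.0.0/24 (laptop VLAN) and 10.10.0.0/24 (trusted wired LAN) are placeholders.

```powershell
# Added example: lock a terminal server's inbound exposure to what each segment needs.
# Assumes the NetSecurity module (Windows Server 2012 / Windows 8 or later); run elevated.
# Subnets are placeholders: replace with the real laptop VLAN and trusted LAN.
function Set-TerminalServerExposure {
    param(
        [string]$LaptopVlan = '10.20.0.0/24',   # untrusted: mobile devices
        [string]$TrustedLan = '10.10.0.0/24',   # wired desktops, admin workstation
        [string]$RulePrefix = 'TS-Exposure'
    )

    # Remove earlier copies of our rules so the function is idempotent.
    Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # Default-deny inbound on every profile and log what gets dropped;
    # nothing is reachable unless an Allow rule below says so.
    Set-NetFirewallProfile -All -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow `
        -LogBlocked True -LogMaxSizeKilobytes 32767 `
        -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

    # Laptops get exactly one thing: the terminal services port.
    New-NetFirewallRule -DisplayName "$RulePrefix RDP from laptop VLAN" `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $LaptopVlan -Profile Any | Out-Null

    # The trusted LAN gets RDP too, plus SMB for backups and admin file access.
    New-NetFirewallRule -DisplayName "$RulePrefix RDP from trusted LAN" `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $TrustedLan -Profile Any | Out-Null
    New-NetFirewallRule -DisplayName "$RulePrefix SMB from trusted LAN" `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort 445 `
        -RemoteAddress $TrustedLan -Profile Any | Out-Null

    # Explicit block of SMB/NetBIOS from the laptop VLAN. The default-deny already
    # drops it, but in Windows Firewall an explicit Block rule beats any Allow rule,
    # so a later "allow file sharing from anywhere" cannot silently re-expose it.
    New-NetFirewallRule -DisplayName "$RulePrefix block SMB from laptop VLAN" `
        -Direction Inbound -Action Block -Protocol TCP -LocalPort 139,445 `
        -RemoteAddress $LaptopVlan -Profile Any | Out-Null

    # Return the resulting rule set so the change can be reviewed.
    Get-NetFirewallRule -DisplayName "$RulePrefix*" |
        Select-Object DisplayName, Direction, Action, Enabled
}

Set-TerminalServerExposure
```

The explicit block rule is the part worth keeping even if the rest is tuned: because Windows Firewall evaluates Block rules ahead of Allow rules, it documents the segmentation decision in a way that survives someone later adding a broad Allow rule, and the blocked packets show up in pfirewall.log for the traffic inventory the later answers recommend.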

I would restrict based on what type of data they need access to.

Do they need to store any information locally? If so, what kind of data? You may need to force full disk encryption if dealing with sensitive data, i.e. SSNs, credit card numbers, etc. You may also have a legal requirement to do so, depending on your industry.

If they just need access to MS-Office type files, you could run terminal services application publishing and all of the work would be done on the server, OR, since you mentioned that everything is in a workgroup setting, you might be better off running a program called GO-Global by GraphOn. This is definitely cheaper than terminal services, and you could try out the trial to see if it will work for your application. Check out http://www.graphon.com/

How many systems are there and what are they? (XP workstation, win 7 laptop, win2k3 server that isn't running as a domain controller, etc.)

Was there a specific reason why the network is setup as a workgroup?

What kind of data are you looking to protect?

Brad
  • What kind of data do you need to protect? Are there any compliance requirements that need to be considered? E.g. PCI, HIPAA, HITECH compliance? – Brad Mar 27 '12 at 20:06
  • I updated the question. The networks are in workgroups because the company was extended chaotically by non-IT workers and had no IT staff at all (an external system administrator was called in to service specific problems as they arose). First of all, I am looking to protect the integrity of the system against eventual malfunctioning, a disgruntled insider, or the previous external system administrator, who mostly worked remotely. If the server (serving the accounting apps through terminal sessions) were broken, the whole company would cease to exist. No compliance. – Gennady Vanin Геннадий Ванин Mar 27 '12 at 20:22
  • 1
    Since there is no compliance to have to adhere to I would just put the place on lockdown. Force everyone to have to login to a domain controller, force all traffic to be trackable to help eliminate who caused what. Give the minimum required rights for each user. You may want to consider everyone running through terminal sessions and for sure enable loggong on everything, atleast until you know everything is locked down completely. I'd still keep it on provided that your hardware has the necessary horsepower. Lastly build/buy a lantap and sniff your own traffic 24/7 and identify everything. – Brad Mar 27 '12 at 20:41
  • 1
    Once everything is identified, remove and/or block traffic that is not needed since it's just extra network congestion. For external connections I would force ALL external connections by employees via VPN and don't allow split tunnels. Limit all they can do and since many are technical people I would also block stuff through DNS and HOSTS files. They still may be able to get around what you put in place but it will probably take a while. Also if you don't use IPV6, then disable it on the machines and block it on your corporate firewall/IDS, it's an overlooked loophole known by some ;-) – Brad Mar 27 '12 at 20:45

Most of this question is beyond my ken, but I have a small suggestion. When it comes to physical security (specifically, the recovery of lost or stolen devices), I'm generally a fan of these guys:

http://preyproject.com/

I've never misplaced any of my property before, but I'm generally a fan of their entire system. It strikes me as intuitive, powerful, customizable, scriptable, etc. I really can't think of anything I would change.

By way of disclosure, I have no affiliation with this company. I'm just a satisfied customer.

Chris Allen Lane
  • 1
    I almost forgot about preyproject, they offer a free service on a small scale / personal use as well. – Brad Mar 27 '12 at 23:31

One of the biggest must-haves for any portable device is LoJack. I've been installing the software on all my work devices for a few years now, and while I haven't had to see it in action, the software is very solid, with a 97% stolen-device return rate using Wi-Fi tracking; now that many laptops have GPS chips, the software includes that capability too, which increases the return speed.

Aside from that, full-disk encryption (Bitlocker or something similar) is a must, although if for some reason you only need to encrypt some files - TrueCrypt is a must.

Finally, if you can get fingerprint readers on your devices, that can be a nice added layer. Some devices have facial recognition, but I know that on Android a vulnerability was found where a picture of the device owner fooled the software; I'm not sure whether the same issue applies to laptop cameras.

theonlylos
  • Thanks, I shall look into this. But not only the computers are portable, their owners (employees) are too; some of them I have never seen, though this is my third week of working here. I have no clue how to install something on portable devices that are not reachable by me. – Gennady Vanin Геннадий Ванин Mar 27 '12 at 20:14

You should look at some of the large professional services firms which may have 100k mobile users with laptops.

  • do not allow administrator access
  • do not allow them to download files unless they are scanned first
  • patch regularly and update anti-virus
  • use a platform assessment stage on your VPN solution to prevent access if the laptop is not up to date
  • use a firewall configured to prevent split-tunneling
  • configure the browser to only connect via the VPN and whitelist websites

I will add a link once I find the similar question that was answered previously.

Rory Alsop
  • Generally these points are either already realized or, like not allowing administrator access, obvious and will be put in place ASAP. Can you be more specific, with references or examples of how to look at large professional services firms with mobile users? I am a developer, not a system administrator. – Gennady Vanin Геннадий Ванин Mar 27 '12 at 20:18
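The "platform assessment stage on your VPN solution" and "prevent split-tunneling" bullets above are the two that a laptop can check on itself before it is let in. The following PowerShell is an added example and is not Rory Alsop's or the original page's code; it is the kind of script a VPN client's posture hook would run and act on. It assumes Windows Vista/7 or later (Win32_NetworkAdapter.InterfaceIndex), and the VPN adapter name 'Corp VPN', the public probe address 8.8.8.8 and the 14-day patch window are placeholders. The split-tunnel test does a longest-prefix match over the IPv4 route table rather than just counting default routes, because full-tunnel clients commonly override the default route with 0.0.0.0/1 and 128.0.0.0/1 entries instead of replacing it.

```powershell
# Added example: a posture check for the VPN "platform assessment" step, plus a
# split-tunnel test done by longest-prefix matching the local IPv4 route table.
# Assumes Windows Vista/7+; adapter name, probe address and patch window are placeholders.

function ConvertTo-UInt32 ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()   # network byte order
    [Array]::Reverse($b)                                          # BitConverter is little-endian
    [BitConverter]::ToUInt32($b, 0)
}

# Pure function: the route a destination would use (longest mask wins, then lowest metric).
function Find-Route {
    param([string]$Destination, [object[]]$RouteTable)
    $d = ConvertTo-UInt32 $Destination
    $best = $null; $bestMask = -1
    foreach ($r in $RouteTable) {
        $mask = ConvertTo-UInt32 $r.Mask
        if (($d -band $mask) -ne (ConvertTo-UInt32 $r.Destination)) { continue }
        if ($mask -gt $bestMask -or ($mask -eq $bestMask -and $r.Metric1 -lt $best.Metric1)) {
            $best = $r; $bestMask = $mask
        }
    }
    $best
}

function Test-LaptopPosture {
    param([string]$VpnAdapterName = 'Corp VPN',
          [string]$ProbeAddress   = '8.8.8.8',
          [int]$MaxPatchAgeDays   = 14)

    # 1. Patch currency: age of the newest hotfix that has a parseable install date.
    $last = Get-HotFix | Where-Object { $_.InstalledOn } |
            Sort-Object InstalledOn -Descending | Select-Object -First 1
    $patchDays = if ($last) { [int]((Get-Date) - [datetime]$last.InstalledOn).TotalDays } else { $null }

    # 2. Host firewall on for the standard (non-domain) profile, read from the registry.
    $fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    $fwOn  = (Get-ItemProperty -Path $fwKey -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall -eq 1

    # 3. Is the interactive user running as a local administrator? (first bullet above)
    $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
               ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # 4. Split tunnel: traffic to a public address must leave through the VPN adapter.
    $vpn    = Get-WmiObject Win32_NetworkAdapter | Where-Object { $_.NetConnectionID -eq $VpnAdapterName }
    $routes = Get-WmiObject Win32_IP4RouteTable
    $route  = Find-Route -Destination $ProbeAddress -RouteTable $routes
    $viaVpn = ($null -ne $vpn) -and ($null -ne $route) -and ($route.InterfaceIndex -eq $vpn.InterfaceIndex)

    $compliant = $fwOn -and (-not $isAdmin) -and $viaVpn -and
                 ($null -ne $patchDays) -and ($patchDays -le $MaxPatchAgeDays)

    [PSCustomObject]@{
        PatchAgeDays    = $patchDays
        FirewallEnabled = $fwOn
        RunningAsAdmin  = $isAdmin
        InternetViaVpn  = $viaVpn
        Compliant       = $compliant
    }
}

Test-LaptopPosture | Format-List
```

Find-Route is kept separate from the WMI calls on purpose: it can be fed a captured route table from a laptop that is out of the office and will tell you which interface that machine's internet traffic really leaves on, which is the question "is split tunneling disabled?" actually reduces to.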

In a business, security is a business decision as much as anything else is. To be truly secure, you can't use equipment you can't control, and that includes mobile computers. But putting that kind of restriction on a business will probably not save as much money in security liability as it will cost in actual lost revenue.

So trying to change the behavior of the suits who bring in the money can be a little problematic. Even if you're right.

Instead, you may want to re-think where you draw your lines. Instead of being trusted, perhaps workstations should be considered hostile and be secured and managed individually, locally, independently of the network. "Central" data, whatever that might mean, would then be scanned and vetted on the way in from the workstations, based on the assumption that all workstations are attackers. Access to central resources is allowed only through properly secured and authenticated channels: no anonymous or passwordless access.

Also, it's a good idea to get into the habit of "cloud" storing all important documents (where "cloud" could be any sort of internet-delivered file synchronization tool; e.g. dropbox, sharepoint, etc.), and regularly wipe and re-provision all company-owned mobile computers.

For the user, it's liberating to be able to take any laptop and have your data simply populate onto it, and it makes hardware failure hardly even an inconvenience. And from your perspective, it hugely simplifies security; every 3 months you wipe it all and start clean on every device.

tylerl