
I have recently identified a security risk with some of the machines (primarily Windows 10 and macOS laptops) my company issues to users. Specifically, a small subset of the users are regularly placing their device "directly on the Internet" when working remotely.

I suspect that this is primarily caused by plugging the Ethernet of the machine directly into a cable/DSL modem provided by the ISP for their home Internet connection, and that ISP is issuing a public IP address to our machine when it makes a DHCP request. This has publicly exposed RDP, SSH, and other remote services only meant to be accessible from LAN networks.

The people/process solution to this problem will be user education, and I do intend to pursue this route. However, this will always be purely reactive: waiting for users to plug in to the Internet and chasing them down to ask them to stop doing so. I am currently only able to run periodic search queries to find these machines and would not seem to have a way to get automated, immediate alerting when it occurs.

I am wondering if there could be a more proactive, technical solution to this problem. I think that the ideal solution would be one that (a) prevents the configuration of a public IP address onto any of the NICs, especially via DHCP; (b) provides a pop-up message to the user informing them of what has occurred and whom to contact for assistance (i.e., our corporate help desk); and (c) immediately alerts our support staff that this has occurred, if possible.

The machines have various endpoint agents and technologies in place for management, including GPO policies, SCCM, and CrowdStrike. I do not have enough experience with any of these tools to know if it is feasible to create a technical solution using one of them, and I am not personally an administrator of any of these tools in my environment.

I have not yet attempted any particular implementation. It is within my skill set to create a Python script/executable that could check the configured IP addresses every X number of minutes; give the user a pop-up message; remove/change any public IP addresses; and/or possibly send back an alert. However, I'm highly doubtful that I could get approval to deploy this.

I certainly do not have the skill to create a full-time, inline monitoring/blocking agent, so the truly desired implementation would have to come from an existing tool. Is anybody aware of whether GPO, CrowdStrike, or other common endpoint management tools might be able to accomplish this technical solution?

Further, does anybody have any other guidance (people, process, or technology) that they feel might be useful in addressing this risk?
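As an added illustration of the detection half of points (a) through (c) above (example code written for this page, not the asker's script and not part of any of the tools named), the check below uses only the Python standard library: it classifies each configured address as globally routable or not via `ipaddress.is_global`, which already treats RFC 1918, loopback, link-local, CGNAT (100.64.0.0/10) and IPv6 ULA ranges as non-public, and builds the pop-up text and the help-desk alert record. The hostname, help-desk contact and address list are constructed sample values.

```python
# Added example: flag globally routable addresses on a managed endpoint and
# produce the user pop-up text and an alert record for support staff.
import ipaddress
import socket
from typing import Dict, Iterable, List, Optional

HELP_DESK = "helpdesk@example.invalid"  # constructed placeholder contact


def is_public(addr: str) -> bool:
    """True if addr is globally routable. Private, loopback, link-local,
    CGNAT and documentation ranges all return False via is_global."""
    try:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
    except ValueError:
        return False  # not an IP literal at all; ignore rather than crash
    return ip.is_global


def find_public_addresses(addrs: Iterable[str]) -> List[str]:
    """Return only the addresses that would expose the host to the Internet."""
    return [a for a in addrs if is_public(a)]


def local_addresses() -> List[str]:
    """Best-effort stdlib enumeration of this host's configured addresses.
    Returns an empty list when name resolution is unavailable."""
    try:
        infos = socket.getaddrinfo(socket.gethostname(), None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def user_message(public_addrs: List[str]) -> str:
    """Text for the pop-up the asker describes in point (b)."""
    return ("This computer has a public Internet address (%s). Please connect "
            "through your home router instead and contact %s for help."
            % (", ".join(public_addrs), HELP_DESK))


def check_once(hostname: str, addrs: Optional[Iterable[str]] = None) -> Optional[Dict]:
    """One polling cycle: None when nothing is exposed, else an alert record
    suitable for sending to support staff (point (c))."""
    public = find_public_addresses(local_addresses() if addrs is None else addrs)
    if not public:
        return None
    return {"host": hostname, "public_addresses": public,
            "severity": "high", "user_message": user_message(public)}
```

Run with `check_once(socket.gethostname())` on a schedule; a non-None result is the condition to alert on.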

  • [NAT is ***not*** a firewall](https://weberblog.net/why-nat-has-nothing-to-do-with-security/). Would a good solution be Windows firewall rules allowing incoming connections only on domain networks? – vidarlo May 12 '20 at 14:20
  • Let me paraphrase your question in a different light. “*My Company issues laptops with an insecure configuration with many unsecured open ports. These laptops have unsecured RDP, SSH, and other remote services. I am wondering if there could be a more proactive, technical solution to this problem.*” **Yes there is!** – user10216038 May 12 '20 at 23:20
  • No, NAT itself is not a firewall. Most SOHO router/firewall/AP devices, even in their default configuration, do provide firewall capabilities, in addition to only providing NATP on select ports, not a full one-to-one NAT. – khantext May 14 '20 at 13:50
  • > "Let me paraphrase your question in a different light. “My Company issues laptops with an insecure configuration..." Point taken. – khantext May 14 '20 at 13:51
  • I appreciate the idea of using Windows Domain recognition as part of the firewall policy. – khantext May 14 '20 at 13:52
