2

What would be the disadvantages of allowing a user to travel to China (business trip) using a domain-joined corporate Windows PC as opposed to a non-domain-joined PC?

SecureTrip

2 Answers

0

It's hard to find any reason why it would be advantageous to send someone with a non-domain-joined PC as opposed to a domain-joined PC.

Domain joining a PC has several distinct advantages:

  • Administrators can control update policies for software and anti-virus
  • Administrators can control firewall settings and VPN tunnels / routing
  • Policies of all sorts can be forced upon the machine easily and centrally administered (admittedly this can be done with some MDMs)
  • Full Disk Encryption can be enforced on the PC

I'm not sure why you would think there is any security disadvantage to this machine being domain joined.

SIDE NOTE: Simply working on the Internet in China poses no additional threat to your system than anywhere else in the world. I'm not sure why people have the misconception that as soon as your laptop hits the Internet in China it will be infected with malware. Keep your PC locked, don't hand it over to anyone without witnessing what they're doing to it and pay attention to certificate errors and you (or your employee) should be fine.

RoraΖ
DKNUCKLES
  • Small remark to your side note: Paying attention to certificate errors is a good point, but if your browser trusts Chinese CAs then you might have a problem (e.g. https://en.greatfire.org/blog/2014/oct/apple-and-microsoft-trust-chinese-government-protect-your-communication). The risk for a government-sponsored MITM attack is an additional threat that might happen in China. – Michael Dec 23 '14 at 16:15
  • Also, you make the assumption that you have a choice in whether or not you can witness what they do to your laptop. – RoraΖ Dec 23 '14 at 17:15
  • I non-concur with your "SIDE NOTE" assertion. What grounds do you base your statement that there is, effectively, a net-zero Internet-access risk differential between given geographical locations? – Nick Dec 23 '14 at 19:17
  • @Nick You've twisted my words. I said that the country of China does not introduce threats you wouldn't see elsewhere, *not* that the risk is exactly the same in each geographical area. That is, if you think that you're only going to face malice in China (even if it happens to be state sponsored) then you would be mistaken. – DKNUCKLES Dec 23 '14 at 20:55
  • @DKNUCKLES Your rebuttal is the same thing. There are different threats that are unique to connecting to the Internet in China than there are elsewhere in the world. Would you also say that (if it were even possible to do so) connecting your laptop to the Internet in North Korea would pose no difference in potential threats than elsewhere in the world? What about plugging into the Internet at a cyber cafe in Nigeria? Or connecting your laptop to the Internet at a cyber-security conference such as BlackHat? Your premise is fallacious, that's all I'm saying. – Nick Dec 23 '14 at 21:03
  • @Nick My rebuttal is not the same thing at all. I acknowledge that different geographical areas and networks will be higher risk than others, but anyone who is conscious about security should be prudent with operation security no matter where they reside, it should only be "high risk areas" that you describe. I would employ the same OpSec with my critical data and computers in Australia, Switzerland, Canada as I would in China, North Korea or Nigeria. My point is that you should always assume there is a risk and act accordingly. – DKNUCKLES Dec 23 '14 at 21:10
0

On a domain-member PC: There are cached credentials of one (or more) administrators on the device. There are also cached credentials of any users that have logged into the device. There may be other cached credentials such as mapped drives, etc. on the device. Contents of My Documents, etc. may contain sensitive corporate information that has accumulated over time. An insider (while unlikely) could cripple the organization and/or cause great harm (ahem, Snowden...). These credentials and data can be "confiscated" during a customs inspection or while the user is (for whatever reason) separated from their device.

On a stand-alone PC: A freshly-prepared laptop with only the required data contents will be immeasurably more prudent for a traveler to any foreign country (not just China) from the standpoint of possible corporate or government espionage. Additionally, if the user is an insider the content they can steal will be limited to that of what the administrators prepared during the provisioning process.

Nick
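
A read-only pre-travel check covering the items the two answers raise (full-disk encryption from the first; cached logons, stored credentials, mapped drives and accumulated profiles from the second), as an added example that is not part of either answer. The function name `Get-TravelLaptopExposure` and its output fields are assumptions; run it elevated on the laptop before deciding whether it travels.

```powershell
# Added example: pre-travel exposure audit of a Windows laptop. Read-only.
# Function name and output shape are hypothetical, not from the original thread.
function Get-TravelLaptopExposure {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Number of domain logons Windows caches for offline sign-in (REG_SZ, default "10").
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
        -ErrorAction SilentlyContinue).CachedLogonsCount

    # Every non-system profile is an account that has signed in and left data behind.
    $profiles = Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { -not $_.Special } |
        Select-Object -ExpandProperty LocalPath

    # Credential Manager entries for the current user (saved shares, RDP, web logons).
    # Matches the English "Target:" label; adjust on localized Windows builds.
    $stored = @(cmdkey /list | Select-String -Pattern 'Target:').Count

    # Persistent mapped drives for the current user live under HKCU:\Network.
    $drives = Get-ChildItem -Path 'HKCU:\Network' -ErrorAction SilentlyContinue |
        ForEach-Object {
            '{0}: -> {1}' -f $_.PSChildName, (Get-ItemProperty -Path $_.PSPath).RemotePath
        }

    # Full-disk encryption state of the OS volume (BitLocker module, needs elevation).
    $bde = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName       = $cs.Name
        DomainJoined       = $cs.PartOfDomain
        Domain             = $cs.Domain
        CachedLogonsCount  = $cached
        UserProfiles       = $profiles
        StoredCredentials  = $stored
        MappedDrives       = $drives
        OsVolumeProtection = if ($bde) {
            "$($bde.VolumeStatus) / $($bde.ProtectionStatus)"
        } else { 'unknown' }
    }
}

Get-TravelLaptopExposure | Format-List
```

A freshly provisioned travel laptop should report few profiles, no stored credentials or mapped drives, and a fully encrypted OS volume with protection on.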