
If you have got corporate PCs that aren't going to be networked, not going to be joined to the domain, what sort of controls do you need on them in terms of security, management, inventory? Or can you just purchase them and forget about them? I am pretty sure there must be risks and challenges to non-networked PCs, but I'm struggling to get my head around them to be honest. Also I am struggling to determine what sort of misuse people could do with machines not connected to the network, i.e. offline machines.

asked 11/21/2011 08:12


pma111 ♦♦


16 Answers:
The fact that the networked machines are going to be offline means your users will be using USB sticks, CD-ROMs etc. to transfer files onto and off of the machines. With this comes the risk of viruses. So, your first port of call must be antivirus. But how are you going to keep your definitions up to date without a network connection? Whatever antivirus solution you choose must have the ability to update offline using a definition file.

Alternatively you can introduce a process by which their USB keys are scanned before being plugged in; this is obviously more risky as people get lazy and computers do not

Where are these PCs going to go? In an office? In a home? With each comes their own challenges... home environments mean children, friends etc. may gain access... an office location would mean multiple user accounts or shared user accounts which may lead to loss of data

Ensure your user accounts are limited
Ensure UAC is left switched on
If you do not want the machines to join a network, remove the relevant hardware or disable it in BIOS and put a BIOS password on - people will figure out how to plug a cable in sooner or later

How will these users print?

answered


itinfserv

Excellent points - any more points from any others most welcome

Not familiar with this concept:

> Whatever anti virus solution you choose must have the ability to update offline using a definition file.

How will it work?

answered 2011-11-22 at 04:22:51


pma111

Some anti virus solutions allow you to download the latest "updates" from their website, put it on a USB key and then use that file to update the antivirus so it knows all about the latest viruses

answered 2011-11-22 at 04:30:51


itinfserv

Ok thanks. Also the point you make

> an office location would mean muliple user accounts or shared user accounts which may lead to loss of data

Where were you coming from with the offline machine having more user accounts? Is this as they will require local users as opposed to domain users?

answered 2011-11-22 at 04:32:56


pma111

You can also use BitLocker to encrypt the hard drive.... whilst this might not be directly useful to you, you can configure it to lock out the users should it detect a hardware change

By default Windows will allow you to install devices which Windows has a signed driver for... USB keys, printers etc... this can be turned off in the local policy

To edit the local policy .. Start, Run, gpedit.msc

There's lots of stuff in there you might want to look at.. particularly in Computer Settings, Local Settings, Security Settings

answered 2011-11-22 at 04:34:40


itinfserv
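The answer above lists the local-policy controls by name but not how to confirm they are actually in force on a given PC. The following script is an added example, not code from the thread or from any of the posters: a read-only audit, run in an elevated Windows PowerShell 5.1 session on Windows 8.1/10 or later, that reports on each of the points raised so far (UAC, limited local admins, device-installation and removable-storage restrictions, BitLocker on the system drive, disabled network adapters, and whether the box is still a domain member). The `$ExpectedAdmins` list is an assumption for the example; replace it with the accounts your build actually provisions.

```powershell
<#
Added example (not from the thread): read-only audit of the controls the
answers above suggest for a standalone Windows PC. Run elevated in Windows
PowerShell 5.1. Names marked "assumed" are choices made for this example.
#>

# Assumed: the only accounts that should be local administrators on the build.
$ExpectedAdmins = @("$env:COMPUTERNAME\Administrator", "$env:COMPUTERNAME\itadmin")

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Check, [bool]$Ok, [string]$Detail)
    $status = if ($Ok) { 'OK' } else { 'REVIEW' }
    $findings.Add([pscustomobject]@{ Check = $Check; Status = $status; Detail = $Detail })
}

function Get-RegValue {
    # Returns $null when the key or value does not exist (policy never set).
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. UAC left switched on (EnableLUA = 1).
$lua = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
Add-Finding 'UAC enabled' ($lua -eq 1) "EnableLUA=$lua"

# 2. Limited user accounts: flag any Administrators member outside the expected set.
$admins = (Get-LocalGroupMember -Group 'Administrators').Name
$extra  = $admins | Where-Object { $ExpectedAdmins -notcontains $_ }
Add-Finding 'Local administrators limited' (-not $extra) ('Members: ' + ($admins -join ', '))

# 3. Device installation restricted (gpedit.msc: Computer Configuration > Administrative
#    Templates > System > Device Installation > Device Installation Restrictions >
#    "Prevent installation of devices not described by other policy settings").
$denyUnspecified = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions' 'DenyUnspecified'
Add-Finding 'Unlisted device installation blocked' ($denyUnspecified -eq 1) "DenyUnspecified=$denyUnspecified"

# 4. Removable storage denied (System > Removable Storage Access >
#    "All Removable Storage classes: Deny all access").
$denyAll = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' 'Deny_All'
Add-Finding 'Removable storage denied' ($denyAll -eq 1) "Deny_All=$denyAll"

# 5. BitLocker protecting the system drive (BitLocker module; Pro/Enterprise editions).
try   { $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop }
catch { $bl = $null }
Add-Finding 'System drive BitLocker protection on' ($bl.ProtectionStatus -eq 'On') ('ProtectionStatus=' + $bl.ProtectionStatus)

# 6. Network adapters disabled, as the thread suggests for a box that must stay offline.
$liveNics = Get-NetAdapter | Where-Object { $_.Status -notin 'Disabled', 'Not Present' }
Add-Finding 'All network adapters disabled' (-not $liveNics) ('Not disabled: ' + (($liveNics.Name) -join ', '))

# 7. Domain membership: an offline domain member will still try to rotate its
#    machine-account password (Netlogon MaximumPasswordAge, default 30 days).
$cs = Get-CimInstance Win32_ComputerSystem
if ($cs.PartOfDomain) {
    $age = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' 'MaximumPasswordAge'
    Add-Finding 'Standalone (not domain-joined)' $false "Member of $($cs.Domain); MaximumPasswordAge=$age"
} else {
    Add-Finding 'Standalone (not domain-joined)' $true "Workgroup $($cs.Workgroup)"
}

$findings | Format-Table -AutoSize
```

Every check reads state only; nothing is changed, so the script can be run before a machine is handed over and again when it comes back for inventory. A `REVIEW` row for the NIC check is expected on a box that is only being kept off the domain rather than off every network.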

If the devices are going to have no network access at all, not even WiFi, and any data is going to be stored on an external device, then there are two things you could do.

1. Install Deep Freeze so that the device always reboots to a standard image and nothing can be saved to the device at all, or changes made.

2. Install DLP software prior to passing over the device that can operate offline. Provide them with a pre-authorised USB stick or hard drive, which is encrypted or password protected. The DLP policy needs to block all other USB devices, CDs, etc. except the one that you provide for them.

answered 2011-11-22 at 04:36:37


antony_kibble

You could also enable cached logon for a domain account, and ensure that they do not have access to the local accounts at all, forcing them to use an AD account to log on, albeit locally.

answered 2011-11-22 at 04:38:07


antony_kibble

That would mean it has to be a domain PC without domain access; the computer password would eventually expire, potentially causing issues. In my opinion there is more that could go wrong if it was a domain PC with cached credentials.

There's a lot you can do with locking machines down, booting into sandbox environments, even live environments... but only you know what your users' needs are and which solution will apply to them. You could provide the requirements and probably get a more precise answer.

answered 2011-11-22 at 04:39:52


itinfserv

If, say a machine was offline for 6 months:

> If you do not want the machines to join a network

And the user decides "I'll plug it into the LAN again" - will anything typically prevent it from doing so? I.e. the user does have a valid domain user account - plugs his old PC in - what, if anything, will stop him accessing the LAN with that PC? What's the main risk, out of date AV/security patches?

answered 2011-11-22 at 04:42:53


pma111

Out of date software, but also the fact that the computer password would have expired; it's unlikely he would be able to log in.. domain computers reset their passwords every 30 days or something like that; if it fails to do so it waits a period of time I cannot remember off the top of my head and eventually expires. This happens in the background without us knowing.

answered 2011-11-22 at 04:44:01


itinfserv

I was of the impression - if say your domain password expired but your account wasn't disabled in AD - if you come back, even say 100 days later, and enter your last password - if you get it right it prompts you for a new password twice and if you enter those it will let you log in. That's what I was told but I may be wrong.

answered 2011-11-22 at 04:45:51


pma111

Do you have any non-networked PCs in your place?

Is it overkill to have an HR-documented offline PC policy discussing the issues above?

Or does a network policy at your place cover issues for non-networked PCs?

answered 2011-11-22 at 04:56:06


pma111

I'm talking about computer passwords, not user passwords.

I have read up a bit and it seems that actually the password doesn't expire, even though it tries to change every 30 days. When the PC connects after 6 months it will initiate a password change.

This will rely on the time being accurate of course

Also if the user changes his/her password on the domain he/she will have to remember to use the old password on the disconnected machine

answered 2011-11-22 at 04:58:52


itinfserv

Is it overkill to have an HR-documented offline PC policy discussing the issues above?

Or does a network policy at your place cover issues for non-networked PCs?

answered 2011-11-22 at 05:03:10


pma111

Depends if your policies and restrictions for offline devices are considerably different from the network policy.

If there are big differences, including policies that are in direct opposition to the network policy, then it would make sense to have different policies. If the standards to be maintained are roughly the same then a single policy should suffice, outlining where there are differences between the two policies.

answered 2011-11-24 at 07:17:06


antony_kibble

Two different things: i) machines that were joined to the domain and are unplugged from the LAN for protracted periods. Security measure: a) in Active Directory remove the computer(s) from the domain, or b) restrict the hours allowed to log on to basically none
ii) machines that do not belong to the domain, so-called standalone workstations (and basically any laptop someone brings in on their own). On these machines someone who does have domain credentials can a) try connecting to shares on the network and, when prompted that credentials failed, try again; they can provide domain\user credentials with a password current on the server, b) use Connect As to connect that way in the first place with alternate (i.e. domain)

So basically, if someone has a domain username and domain password, they can use most any machine, unless you prevent such connections with policies.

The only way to prevent ii) would be to 1) have servers refuse connections from non-domain workstations even if domain user credentials are given (I expect you may want to do this), 2) use secure network switches whereby MAC addresses of NICs of any and all boxes being attached have to be explicitly added to the network/a whitelist (even MAC addresses can be spoofed/counterfeited though), 3) have separate subnets for guest machines that can "surf the web" but not access the corporate subnet, 4) implement IPSec.
IPSec encrypts all TCP/IP traffic corporately such that someone cannot just plug in their machine and start hacking away at your servers and computers, with the added bonus that if they packet sniff or capture or network monitor (spy on) your traffic it is all encrypted.
Any WiFi access points would have to be managed also.
And in keeping with the security concerns of transferring files via USB ports/sticks, burning DVDs/CDs, etc., there is also the possibility of WiFi (usually built-in on laptops) allowing peer-to-peer connections instead of only peer-to-access point.
To manage any possibility of those avenues of information thievery, so-called endpoint security software is installed everywhere corporately, such as Symantec Endpoint, CoSoSys Endpoint Protector (http://www.cososys.com/software/endpoint_protector.html), Microsoft Forefront Endpoint Protection, etc.

answered 2011-11-24 at 07:24:53


ocanada_techguy
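The thread's two threads of concern about domain members that go dark, the machine-account password rotation discussed by itinfserv and pma111 above and ocanada_techguy's measure a) of removing such computers from the domain, can both be handled from the AD side before anyone plugs an old PC back in. The script below is an added example, not code from the thread or from any of the posters: it lists enabled computer accounts whose machine password (pwdLastSet) is older than a threshold, writes them to a CSV for review, and shows how they would be disabled. It assumes the RSAT ActiveDirectory module, an account permitted to read and disable computer objects, a 90-day threshold and a report path under %TEMP%; those last two are choices for the example.

```powershell
<#
Added example (not from the thread): report, and optionally disable, domain
computer accounts that have not rotated their machine-account password for
a long time, i.e. PCs that have been off the LAN. Requires the RSAT
ActiveDirectory module. The threshold and report path are assumptions.
#>
Import-Module ActiveDirectory

$Days   = 90                                   # assumed threshold
$Report = "$env:TEMP\stale-computers.csv"      # assumed report location
$cutoff = (Get-Date).AddDays(-$Days)

# Enabled computer objects whose machine-account password predates the cutoff.
# A healthy domain member normally rotates it every 30 days (Netlogon default).
$stale = Get-ADComputer -Filter { Enabled -eq $true -and PasswordLastSet -lt $cutoff } `
             -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
         Select-Object Name, OperatingSystem, PasswordLastSet, LastLogonDate, DistinguishedName

$stale | Export-Csv -Path $Report -NoTypeInformation
Write-Host "$($stale.Count) computer account(s) with a machine password older than $Days days written to $Report"

# Disable rather than delete, so a machine that legitimately returns can be
# re-enabled by an administrator instead of re-joined. -WhatIf only reports
# what would happen; remove it once the CSV has been reviewed.
foreach ($c in $stale) {
    Disable-ADAccount -Identity $c.DistinguishedName -WhatIf
}

# Cross-check with the built-in inactivity search, which keys on
# lastLogonTimestamp rather than pwdLastSet; a machine that has genuinely
# been off the network should normally appear in both lists.
Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan (New-TimeSpan -Days $Days) |
    Select-Object Name, LastLogonDate
```

Disabling the computer object means the returning PC fails its secure-channel check and cannot authenticate as a domain member, regardless of whether the user's own password is still valid, which answers the "what will stop him" question for domain-joined boxes; standalone workstations carrying a valid domain user's credentials are a separate problem that only the server-side and network-side controls listed above address.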


Seen: 334 times

Last updated: 12/17/2011 06:39
