General discussion


Are your users' home machines secured when they connect to the office?

By jasonhiner Moderator
According to a recent survey by America Online and the National Cyber Security Alliance, 81 percent of home PC users lack at least one of three critical types of security, but the number of consumers using firewalls and updated antivirus software is improving. What percentage of your users do you think are protected when they connect to the corporate network? Have you taken any steps to help them or put policies in place?


Policies and Protection

by stevegrieshaber In reply to Are your users' home mach ...

We only allow Corporate equipment, i.e. laptops with approved Firewall and AV software, to connect via the corporate VPN. We also have policy in place governing the use of the VPN and corporate resources. Whilst this keeps us pretty secure, updating these can be a nightmare and we do miss some machines in our automated update process, which can pose a risk.

We are now finding that our users are increasingly being asked to work outside the office environment, whether from home or in the field and that we need to rethink the whole mobile/flexible working area.


I'm Scared

by SandyM In reply to Are your users' home mach ...

I am an outsourced sysadmin working for / with an in house IT Manager. He lets home users connect to the network and makes them agree to follow a comprehensive sheet of instructions.

I don't believe you can trust users to follow instructions even on something this fundamental and am just waiting for the first virus intrusion - or worse.

If people need to access the corporate network they should do it with corporate machines that have all necessary protection updated (as it is around here) automatically and without user choice.

BTW we do use webmail, that I think is a much lower level of risk.


Technically relatively simple, motivating people is the question here.

by pvdongen In reply to Are your users' home mach ...

The corporates I work with are all geared up to use simple means that perform the same checks for home PC's as for office PC's. I.e. Desktop FW, Virusscanning, policies, last scan data, virus definitions, spyware. After all that is satisfied, a connection to a Terminal Server is about as much as they're allowed to get.

Most tend to go even further with having managed desktops provided for the folks that work remotely, in which case the exact same rules are applied, but no-one other than the worker (so not his family) has access. Rather than selling this as a negative, people have been given a workstation for the purpose of working remote and were positively affirmed as being "special" enough to receive this "benefit in kind".

The effort here has specifically been on the people management side of the solution. Not raising the expectation that any home PC will be capable of connecting is crucial. Making sure people understand that what is suitable as a home PC is not necessarily the best fit for the corporate network does a lot to address this issue. Providing people with "corporate" remote workstations is seen as a nice incentive and also guards that you can legally put limits on the workstation (after all a home PC is not your property and therefore you can get into several issues). After 3 years writeoff you should be able to let them keep the things. If that doesn't suit you, get them a corporate laptop.

Weighed against costs for traffic jams and resulting lateness and the tendency that people work longer hours when working from home, this is a relatively cheap solution.

Again I would like to stress the technical solution is only a minor (if not substantial part) for the reinforcement of a corporate business policy. The big job is with getting people motivated to stick with it.


There are alternatives to direct VPN access

by AaronK In reply to Are your users' home mach ...

Something else that can be considered. There are alternative technologies available instead of the traditional VPN devices. There are SSL VPN devices that, when connected, can scan a client computer for specific executables (i.e., a virus scanner, a firewall, etc.) and if those executables aren't running, won't allow the connection. Or, you could use Citrix that provides access through an SSL web page. A user gets access to their applications as if they were in the office, but their computer isn't attached to your network.


We use all three

by Gedda_G In reply to There are alternatives to ...

We use VPN, SSL VPN and Citrix. The combo of all three allows for many different levels of access although it can be troublesome to manage all three. We hope to drop VPN within the next 6 months since SSL provides much of the same functionality and is far easier for our users to work with. And with SSL VPN a user's access to the network can be more finely controlled.


Citrix encryption without SSL

by TroyH In reply to There are alternatives to ...

Thanks for the suggestions. Concerning Citrix, is it a safe product to run without in a traditional setup where the home computer is running the Citrix client software to connect to the remote Metaframe server instead of it running it through a browser with SSL?


ensure security...

by vmwarez In reply to Are your users' home mach ...

VMWare has come out with a new product last year (or early this year, I don't remember) that lets you ensure that when your remote users come in, they are coming from an environment that is exactly what you have defined. It is called vmware ace. Basically, you create a vm for them to use, set a bunch of policies on it to keep it the way you like it and then, they run this virtual computer from their computer at home... when they enter your network, they are using their ace pc, not their home pc. So no matter how bad their home pc is, as long as it can run the ace player, they have a secure connection. Check them out...

a vmware nut...



by vmwarez In reply to insure security...

And let me say just one more thing. End users don't want their own computer to be "locked down" so that it can securely access the company network. If security isn't an inconvenience for them, they're ok with it... but don't expect them to let us come in and turn their home pc into a company pc.


The Real Problem

by Craig_B In reply to Are your users' home mach ...

I agree that most home computers are not up to corporate standards. Companies seem to want you to work from home. So what is the answer, the company should provide you with a computer\vpn access for business use only. However most companies don't want to pay for this equipment but still want you to do more work from home. So people use their home computers to connect and we have the current problem.


That is the real problem

by DemRoyer In reply to The Real Problem

I agree completely. In my company, the owner wants everyone to have access to anything on the network from home - however, the company does not want to pay for any home equipment. We recently put a Work From Home policy into effect, which encourages many users to access the network from their home PCs on the days they opt to work from home (not to mention all the management level people who have been regularly working from home during off hours for years). Basically the deal is "you can work from home occasionally as long as you provide all your own equipment". My team is trying to piece together appropriate security policies and "recommendations" for home PCs, but since HR launched the WFH policy before we had the IT policies in place we are playing catch-up. We are looking to implement a solution that will perform some level of scanning when a user establishes a VPN connection, and will disallow the connection if a firewall or virus scanner is not running on the remote box. Even so, I find myself crossing my fingers and praying that someone doesn't unleash some malevolent virus/malware from their home PC, despite the precautions we've already (and will continue to) put in place.

Given the Executive level position on this issue (it's better to let users have as much access as they need from wherever they happen to be), I don't think we'll ever be 100% secure - hopefully through education, technology, and policies though, we'll be able to maintain a reasonable level of protection while allowing a flexible environment.
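
The connect-time check described in several posts above (firewall and virus scanner running, definitions and last scan current, compliant home PCs limited to a Terminal Server session) can be sketched as follows. This is an added example, not part of any post in the thread; the JSON report format, field names and age thresholds are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Thresholds are assumptions for illustration; the thread gives no values.
MAX_DEFINITION_AGE = timedelta(days=3)
MAX_SCAN_AGE = timedelta(days=7)

def _age(report, key, now):
    """Age of a reported ISO-8601 timestamp, or None if absent or unusable."""
    try:
        return now - datetime.fromisoformat(report[key])
    except (KeyError, TypeError, ValueError):
        return None

def evaluate(report_json, now):
    """Return (decision, failures); decision is 'full', 'terminal-only' or 'deny'."""
    try:
        report = json.loads(report_json)
    except ValueError:
        return "deny", ["unreadable posture report"]
    if not isinstance(report, dict):
        return "deny", ["unreadable posture report"]
    failures = []
    # Fail closed: a missing or non-boolean field counts as a failed check.
    for key, label in (("firewall_running", "firewall"),
                       ("antivirus_running", "antivirus")):
        if report.get(key) is not True:
            failures.append(f"{label} not running")
    for key, limit, label in (
            ("definitions_updated", MAX_DEFINITION_AGE, "virus definitions"),
            ("last_scan", MAX_SCAN_AGE, "last scan")):
        age = _age(report, key, now)
        if age is None or age > limit:
            failures.append(f"{label} missing or stale")
    if failures:
        return "deny", failures
    # A compliant but unmanaged home PC only gets a published desktop session,
    # so the machine itself is never attached to the internal network.
    return ("full" if report.get("managed") is True else "terminal-only"), []

# Constructed sample reports from a hypothetical endpoint agent.
NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
HOME_OK = ('{"managed": false, "firewall_running": true, "antivirus_running": true,'
           ' "definitions_updated": "2024-01-14T09:00:00+00:00",'
           ' "last_scan": "2024-01-13T09:00:00+00:00"}')
HOME_NO_AV = ('{"managed": false, "firewall_running": true,'
              ' "definitions_updated": "2023-12-01T09:00:00+00:00",'
              ' "last_scan": "2024-01-13T09:00:00+00:00"}')
LAPTOP = HOME_OK.replace('"managed": false', '"managed": true')

if __name__ == "__main__":
    for name in ("HOME_OK", "HOME_NO_AV", "LAPTOP"):
        print(name, evaluate(globals()[name], NOW))
```

The report is produced on the connecting machine, so a gateway using a check like this should treat it as one input to the access decision and still restrict what a home PC can reach.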
