Securing Laptops using existing tools

By gopap

Security has been the buzzword in the IT industry for the last 4 years, but these days virtualization and cloud computing are making the news. I have met many companies that proposed endpoint security tools and data prevention tools to secure the devices. The fact is that no matter how sophisticated your tools are, unless the employees are aware of today's security challenges these tools will make no sense.

Security education is the toughest part of the overall security implementation. Moreover, investing in tools will not help unless the administrators or IT team use them efficiently. What is the point if the tool generates logs or reports and then nobody looks at them?

The point is we need "Proactive Security", not "Reactive Security", and in Proactive Security human involvement is greater; tools only help to improve the effectiveness of the proactive approach. One of my ex-CTOs taught me that whenever you have "a need", first you need to see whether the existing tools can achieve those goals; if the answer is no, then you should start looking for newer tools.

And he was right! My experience in securing the laptops was interesting. I did not ask the companies to invest in new tools, but rather optimized the usage of available technologies to achieve the objectives at an acceptable level. Here are some of the things I have done:

1. The first thing was to protect the laptops from normal threats like viruses, Trojans, spyware, etc. The antivirus program used by us was not very efficient. Moreover, the sudden surge in usage of internet datacards, USB devices, broadband, etc. created problems because they were "unfiltered" Internet. In a corporate environment you can use products like Websense or IronPort, but then what about data cards or USB devices? The only way is to put in client software like the one BlueCoat offers.

We did not want to add one more client, as the company has already invested in a centralized web filtering solution. So to address this threat the following steps were taken:

a. Lock down the laptops using Active Directory templates

The laptops were moved to a specific OU on which a customized policy was installed. Some of the policy configurations were: Internet Explorer security customization, Windows Firewall, etc.

b. Withdraw local administrator permissions to laptop user

Standardize programs, do a good one-time setup to ensure smooth operations, and then withdraw administrative permission. The fact is that if you surf the internet using a normal user account the chance of infection is much lower, because this way malicious programs can't write to system folders or the registry very easily. There is still a chance, for example if the virus escalates privileges or exploits an unpatched vulnerability.

Initially this move created a lot of uproar among the users, but we spent a lot of time educating them and addressing the issues arising from this move, and gradually everything settled down.

c. Implementing Windows Firewall through group policy

Using the built-in Windows Firewall we have locked down the traffic to only what is necessary; most importantly, we blocked most incoming traffic and file sharing. One of the main sources of virus propagation is through shares. This configuration ensures that there are no unprotected and vulnerable network shares.

d. Scripting for checking mis-configurations and fixing them

We have used VB scripts to ensure that the user is not part of the administrator group, or to make sure that the Windows Firewall or antivirus service is not disabled.

2. During the past few years the company has seen many instances of laptop theft. To address the data security issues arising from such cases, I asked for an evaluation of a suitable product which can encrypt the hard disc.

My team has evaluated all leading products and found that none of them was usable in our environment. We found that some products slowed down the system considerably, some crashed the laptops and some complicated the process. In short, none of the solutions offered a seamless user experience. We need security, but at the same time we can't compromise the very basic need of a good user experience. The leading products in this space definitely need improvement. Other people may have a different experience, but in my case we have extensively tried several tools and failed to find one.

Although we have not closed the requirement, we found an interim or temporary method.

My company uses Dell laptops and the BIOS offers a capability called Hard Disc password protection. This is different from BIOS protection because without entering the password you can't open the HDD. Even if you attach the HDD as a slave, you still can't open the hard disc. This may not be the best protection, but it at least offers basic protection without investing anything.

Many of these steps must have restricted some of the user capabilities; the most affected ones were the IT team, who need to install many tools constantly. They were given an alternate account to be used for installing software, or they were asked to use isolated test servers.

One can argue that Rights Management tools or Data Leak Prevention tools can do a better job. I don't deny that. But the main reasons for not going for specialized tools are:

1. The company is engaged in a business generating low margins. Unlike financial institutions and petroleum companies, we did not get high margins, and the recession added more pressure.
2. A laptop already has so many security-related clients (anti-virus, antispyware, backup, patching, etc.); installing a few more would slow down the system.
3. How many applications are the administrators going to manage? I haven't found a single product which has all the related features in a "usable form".
4. Every year the company is going to spend a lot of money on subscriptions and support.

I understand that specialized tools provide more, but there isn't a single one which addressed most of the needs; how many pieces of client software are we going to manage?

There are so many things you can achieve with the existing software in which you may already have invested. Well, it takes a lot of time and effort to understand and tweak them. In our case the results were amazing!

Your views and suggestions are welcome!
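
The misconfiguration check that step d of the post describes, written as an added PowerShell example (it is not the poster's VBScript, which the page does not show). The service names, the allowed-administrator SID pattern and the `-Fix` switch are assumptions for illustration.

```powershell
# Added example: startup audit for the three drifts named in step d.
# Assumptions: Windows PowerShell 5.1+, run elevated (e.g. as a GPO startup script).
param(
    # Assumed service names: MpsSvc = Windows Firewall, WinDefend = stand-in AV service.
    [string[]]$RequiredServices = @('MpsSvc', 'WinDefend'),
    [switch]$Fix   # report only unless -Fix is given
)
$AdminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators, independent of OS language
$findings  = @()

# 1. Only the built-in Administrator (RID 500) and Domain Admins (RID 512) may be
#    local admins; anything else is drift. Extend the pattern for other approved groups.
foreach ($m in Get-LocalGroupMember -SID $AdminsSid) {
    if ($m.SID.Value -notmatch '^S-1-5-21-.+-(500|512)$') {
        $findings += "Unexpected local administrator: $($m.Name)"
        if ($Fix) { Remove-LocalGroupMember -SID $AdminsSid -Member $m.SID.Value }
    }
}

# 2. Every firewall profile must be on. ActiveStore is the effective policy,
#    i.e. local settings merged with what Group Policy delivered.
foreach ($p in Get-NetFirewallProfile -PolicyStore ActiveStore) {
    if ($p.Enabled -ne 'True') {
        $findings += "Firewall profile disabled: $($p.Name)"
        if ($Fix) { Set-NetFirewallProfile -Name $p.Name -Enabled True }
    }
}

# 3. Firewall and antivirus services must exist, not be disabled, and be running.
foreach ($name in $RequiredServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        $findings += "Service missing: $name"
    } elseif ($svc.StartType -eq 'Disabled' -or $svc.Status -ne 'Running') {
        $findings += "Service $name is $($svc.Status), start type $($svc.StartType)"
        if ($Fix) {
            Set-Service -Name $name -StartupType Automatic
            Start-Service -Name $name
        }
    }
}

$findings | ForEach-Object { Write-Output "NONCOMPLIANT: $_" }
if ($findings.Count -gt 0) { exit 1 } else { exit 0 }
```

The non-zero exit code and the `NONCOMPLIANT:` lines give a central job something to collect, so the findings are reviewed rather than left on the laptop.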
