Those pesky mobile users.
They are all too often the bane of security folks everywhere as they regularly seem to be system 0 for malware infections, tend to be administrative users on their systems more frequently, can go months (or years) at a time between office visits and of course, can never be without their systems as no laptop = no productivity and since many times they are the ones who sell the goods and provide the services that provide for our (or at least my) paycheck ...
So how to let them do what they need to do while making sure their system is secure as is the corporate network they VPN into?
Unless you have great policies including enforceable HR policies that make users accountable for thier actions, and a defense in depth approach that ensures AV and patches are up to date and checked before connecting to the network, renamed administrative accounts, proper file system permissions etc... you are at some level at the mercy of the action(s) of your users.
If you find yourself short a few policies and technical controls, user education becomes key.
Message #1 - "With great power comes great responsibility". Sure, it's kind of corny and maybe being a local admin on your own system isn't "great power" but you get the idea. Educating your mobile users as to what is acceptable and allowed (policy or no policy) can bring a big return on a small investment assuming they actually do as you request.
Message #2 - "Just because you can, doesn't necessarily mean that you should." Yes mister user, I know you're an admin on your machine. Yes I understand you're experiencing poor performance but that doesn't mean you should uninstall your AV software, install every spyware remover, registry cleaner and any other widget guaranteed on some web page somewhere to do what you want. For the record, you can format your hard drive. I wouldn't suggest it though. ;)
Of course many of us are mobile users and we would never do anything insecure, right?
So what are your tips and tricks for keeping your mobile workforce working and not bringing down the rest of the network? If you have any good stories surrounding mobile users, send them in as well and we'll publish the best ones changing the names as needed to protect the innocent -and- the guilty.
Thanks to everyone who has written in so far. Most of the tips sent in so far were technical tips centering around user management. Creating regular users and then using various techniques (seperate account, runas, scripting ...) to allow them to do things like set up network from hotels, change power settings ...
Dave summed up those tips and also offers a tip on keeping users accountable.
"Here are some things I've found useful regarding mobile users who insist on having admin access.
First create a policy of n strikes and you're out as admin on the system. If the user is running as admin and his machine is compromised as the result of some action that didn't have a defined business need (i.e. installing some new game they downloaded or cute screen saver or reading some electronic postcard, etc.) that's one strike. If it happens n times, they have their admin access revoked for a period of m months or weeks."
I think I'll try that one myself. Thanks Dave!
Oct 4th 2007
Oct 4th 2007
1 decade ago