Securing laptops when outside of the office


I have a network with 500 users. They are all running Windows XP Pro in a Windows 2003 domain environment. About half of the laptops are out of the office 90% of the time. They connect to the office using Citrix/Terminal Server. What I would like to do is get some ideas on how to protect these machines. Some ideas I have are to make sure they have complex passwords, firewalls enabled, and EFS for the data on the computer. Can someone give me some more ideas on how to proceed?

Thanks, Jake

Have a look at Safeguard Easy:

Rich Rumble (Security Samurai) commented:
A firewall is probably first and foremost; the XP firewall does a great job of keeping people from connecting to the PC. Anti-virus is a must for any M$ computer, and scheduling updates and scans should also be done. Disabling any unnecessary services should also be done, such as turning off the Remote Registry and Messenger services. Citrix and TS are great measures for keeping your users from infecting others on your LAN, that is, if it's straight TS/Citrix, not VPN in and then use Citrix/TS. With a VPN a virus will typically spread via port 139 or port 445 to others on the LAN, or try to do so through email. Using TS/Citrix without a VPN will assure that the laptop, if infected, won't be able to spread over the connection.

Theft is a big problem with laptops, and M$ EFS doesn't offer you much protection, as it's trivial these days to reset the admin password and bypass the restrictions of an EFS file or folder. I'd recommend using a 3rd-party application such as PGP or Steganos for the file/folder encryption.

Passwords should be complex to be sure, but you may consider leaving the LM version of your passwords off these machines; this will force attackers or thieves to spend much more time trying to get the passwords. You can turn off LM hash storage with the registry key described in Microsoft KB article 299656.
And for AD you can set it here:

Also, LM is easily cracked when sniffed, so perhaps you can experiment with turning off LM hashes from being sent as well (Microsoft KB article 239869):
Level 2 - Send NTLM authentication only (should be most compatible with your LAN; anything else may affect users' ability to connect)

The LM hash of Windows is a case-insensitive one-way hash with a maximum password length of 14 chars. Those 14 possible chars are broken down into two seven-char halves.
"THIS_IS_MYPASS" would actually be "this_is" and "_mypass", which makes cracking go twice as fast (at least) as it would if they were whole.
There are now tools that can precompute all possible LM hashes, and even NTLM for that matter, and all one has to do is search through 64 GB of text to find them. For NTLM it's quite a bit more: the pass is case sensitive and can be up to 127 chars long...

Also, XP is able to automate Windows updates, so you should try to do that as well. You will also want to inform your users about phishing scams and what to do if they suspect such a scam. Spyware can be a big problem, and ActiveX in IE is one of the easiest ways for it to enter your systems. I recommend getting your users to do the following:
1) Use an alternate browser, such as Firefox, that doesn't support ActiveX and is currently less susceptible to phishing attacks.
2) Do not give your users admin rights to the PCs. When a virus gets on a PC, it's able to run in the same security context as the user, so if the user is an admin, so is the virus.
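As an added example, not code from the original thread: a PowerShell script that audits and then applies the settings from the post above (NoLMHash and LmCompatibilityLevel per Microsoft KB 299656 and KB 239869, Remote Registry and Messenger disabled, Windows Firewall and Automatic Updates on, a local password policy, and the daily-use account taken out of the local Administrators group). It assumes XP SP2/SP3 with PowerShell 2.0 and an elevated local session; the account name jsmith and the password-policy numbers are placeholders, not values from the post. One caveat: NoLMHash only stops new LM hashes from being written, so the old hash stays in the SAM until each user changes their password once.

```powershell
# Added example, not code from the original thread: audit and apply the XP
# laptop hardening settings discussed in the post above.
# Assumes an elevated local session on XP SP2/SP3 with PowerShell 2.0.
# 'jsmith' and the password-policy numbers are placeholders, not from the post.
#
# Usage:  .\Harden-Laptop.ps1 -Audit    # report only, change nothing
#         .\Harden-Laptop.ps1           # apply, then re-audit
param([switch]$Audit)

$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Au  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Values from KB 299656 (NoLMHash) and KB 239869 (LmCompatibilityLevel 2 =
# send NTLM responses only, never LM). NoLMHash only stops NEW LM hashes from
# being stored: every user must change their password once after it is set.
$RegistryWanted = @(
    @{ Path = $Lsa; Name = 'NoLMHash';             Value = 1 },
    @{ Path = $Lsa; Name = 'LmCompatibilityLevel'; Value = 2 },
    @{ Path = $Au;  Name = 'NoAutoUpdate';         Value = 0 },
    @{ Path = $Au;  Name = 'AUOptions';            Value = 4 }  # 4 = auto download and install
)
$ServicesToDisable = 'RemoteRegistry', 'Messenger'
$DailyUser = 'jsmith'   # placeholder: the account that must NOT be a local admin

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist yet.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Write-Check([bool]$Pass, [string]$Message) {
    # Prints an OK/FAIL line and hands the result back for the overall verdict.
    $tag = if ($Pass) { 'OK  ' } else { 'FAIL' }
    Write-Host "$tag $Message"
    return $Pass
}

function Test-LaptopHardening {
    # One line per check; returns $true only if every check passes.
    $allOk = $true
    foreach ($r in $RegistryWanted) {
        $cur = Get-RegDword $r.Path $r.Name
        $allOk = (Write-Check ($cur -eq $r.Value) "$($r.Path)\$($r.Name) = $cur (want $($r.Value))") -and $allOk
    }
    foreach ($s in $ServicesToDisable) {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$s'"
        $off = ($svc -eq $null) -or ($svc.StartMode -eq 'Disabled' -and $svc.State -ne 'Running')
        $allOk = (Write-Check $off "service $s is stopped and disabled") -and $allOk
    }
    # XP SP2 firewall: netsh reports 'Operational mode = Enable' when it is on.
    $fwLine = (netsh firewall show state | Select-String 'Operational mode') -join ''
    $allOk = (Write-Check ($fwLine -match 'Enable') "Windows Firewall enabled ($($fwLine.Trim()))") -and $allOk
    # The daily-use account must not appear in the local Administrators group.
    $admins = (net localgroup Administrators) -join "`n"
    $allOk = (Write-Check (-not ($admins -match "(?m)^$DailyUser\s*$")) "$DailyUser is not a local admin") -and $allOk
    return $allOk
}

function Set-LaptopHardening {
    foreach ($r in $RegistryWanted) {
        if (-not (Test-Path $r.Path)) { New-Item -Path $r.Path -Force | Out-Null }
        Set-ItemProperty -Path $r.Path -Name $r.Name -Value $r.Value -Type DWord
    }
    foreach ($s in $ServicesToDisable) {
        if (Get-Service -Name $s -ErrorAction SilentlyContinue) {
            Stop-Service -Name $s -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $s -StartupType Disabled
        }
    }
    netsh firewall set opmode mode=ENABLE | Out-Null
    # Local password policy: minimum length, maximum age and password history.
    # 8 chars / 30 days / 5 remembered are placeholder numbers.
    net accounts /minpwlen:8 /maxpwage:30 /uniquepw:5 | Out-Null
    # Drop the daily-use account from Administrators so malware it runs gets an
    # unprivileged token; the error if it is not a member is ignored.
    net localgroup Administrators $DailyUser /delete 2>$null | Out-Null
}

if (-not $Audit) { Set-LaptopHardening }
$compliant = Test-LaptopHardening
Write-Host ("Compliant: " + $compliant)
exit $(if ($compliant) { 0 } else { 1 })
```

Run it with -Audit first to see what a laptop looks like before touching anything; the non-zero exit code makes it usable from a logon script or a scheduled task that reports non-compliant machines.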
jacobb_2000 (Author) commented:
Thank you very much for your input.


My post will surely not be as long as Rich's post (he already told most things ;) ), but I still have something.
XP can have a minimum password length and a password expiry date. You can set, for example, a minimum length of 6 chars and a maximum usage of 30 days.

Also, there is software available that won't let your PC boot unless you have a USB stick with a code on it plugged into your PC. If the laptop were stolen, it can't be booted (not as easily).

I would add the Microsoft AntiSpyware tool.

It's the memory-resident part I really like.

It checks at all times whether some program wants to write to your registry (in certain parts, like autorun).

Being still beta, it helps to keep a lot of problems away.

So, as richrumble and FalconHawk have already mentioned:

(personal) firewall
no admin rights for users
remove LM hash
strong password
Firefox instead of IE

(It could be Spybot Search & Destroy -> TeaTimer too, of course)

Another thing that you might consider is keeping an eye on what your employees' behavior with their laptop is, or rather, what they use it for. Since they are most probably company laptops, I think you can demand that they are used properly, by which I mean work only. It doesn't mean that they may never visit a site on their own, but you want to prevent them from going to, let's say, cracks, warez and adult pages, because these are the main virus-carrying sites. And let's be honest, I doubt there is no one in your company who has caught a virus from an adult or similar site. And even one single virus can wreak havoc.

I know that this kind of protection is a bit..... hated by employees, since it's like someone is watching over their shoulder. Nevertheless, if you just use the laptop for what it is there for, there shouldn't be any trouble. For the monitoring part, there are several applications on the net. The one that seemed most interesting for a network was this one:

Of course 250 dollars is a lot, but a computer crash can cost you more. If you don't want to pay a lot for software, you can also randomly pick a few users who have to give their laptop back for a thorough check of whether it's used properly. Even if you only take in, let's say, 10-50 a month, it will still have the effect that users will watch out. What if you leave clear traces of bad usage and you have to hand your laptop in?