Securing laptops when outside of the office.

Posted on 2005-04-29
Last Modified: 2010-04-11

I have a network with 500 users. They are all running Windows XP Pro in a Windows 2003 domain environment. About half of the laptops are out of the office 90% of the time. They connect to the office using Citrix/Terminal Server. What I would like to do is get some ideas on how to protect these machines. Some ideas I have are to make sure they have complex passwords, firewalls enabled, and EFS for data on the computer. Can someone give me some more ideas on how to proceed?

Thanks, Jake
Question by:jacobb_2000
    LVL 38

    Expert Comment

    by:Rich Rumble
    A firewall is probably first and foremost; the XP firewall does a great job of keeping people from connecting to the PC. Anti-virus is a must for any M$ computer, and scheduling updates and scans should also be done. Disabling any unnecessary services should also be done, such as turning off the Remote Registry and Messenger services. Citrix and TS are great measures for keeping your users from infecting others on your LAN, that is, if it's straight TS/Citrix, not VPN in and then use Citrix/TS. With a VPN, a virus will typically spread via port 139 or port 445 to others on the LAN, or try to do so through email. Using TS/Citrix without a VPN will ensure that the laptop, if infected, won't be able to spread over the connection.

    Theft is a big problem with laptops, and M$ EFS doesn't offer you much protection, as it's trivial these days to reset the admin password and bypass the restrictions of an EFS file or folder. I'd recommend using a 3rd-party application such as PGP or Steganos for the file/folder encryption.

    Passwords should be complex, to be sure, but you may consider leaving the LM version of your passes off these machines; this will force attackers or thieves to spend much more time trying to get the passwords. You can turn off LM hash storage with the registry key described in Microsoft KB article Q299656.
    And for AD you can set it here:

    Also, LM is easily cracked when sniffed, so perhaps you can experiment with stopping LM hashes from being sent as well (see Microsoft KB article Q239869).
    Level 2 - Send NTLM authentication only (should be most compatible with your LAN; anything else may prevent users from being able to connect).

    The LM hash of Windows is a case-insensitive one-way hash with a maximum password length of 14 chars. Those 14 possible chars are broken down into two seven-char halves.
    "THIS_IS_MYPASS" would actually be "this_is" and "_mypass", which makes cracking go twice as fast (at least) as it would if they were whole.
    There are now tools that can precompute all possible LM hashes, and even NTLM for that matter, and all one has to do is search through 64 GB of text to find them. For NTLM it's quite a bit more: the pass is case sensitive and can be up to 127 chars long.

    Also, XP is able to automate Windows updates, so you should try to do that as well. You will also want to inform your users about phishing scams and what to do if they suspect such a scam. Spyware can be a big problem, and ActiveX in IE is one of the easiest ways for it to enter your systems. I recommend getting your users to do the following:
    1) Use an alternate browser, such as Firefox, that doesn't support ActiveX and is currently less susceptible to phishing attacks.
    2) Do not give your users admin rights to the PCs. When a virus gets on a PC, it's able to run in the same security context as the user, so if the user is an admin, so is the virus.

    Author Comment

    Thank you very much for your input.

    LVL 4

    Expert Comment

    My post will surely not be as long as Rich's post (he already told most things ;) ) but I still have something.
    XP can have a minimum password length and a password expiry date. You can set, for example, a minimum length of 6 chars and a maximum usage of 30 days.

    Also, there is software available that won't let your PC boot unless you have a USB stick with a code on it plugged into your PC. If the laptop were stolen, it can't be booted (not as easily).
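An added audit script, not written by any poster in this thread, that checks on the local host the settings recommended in the two posts above: LM hash storage and LM response level (the value names NoLMHash and LmCompatibilityLevel are those of the cited KB articles), the Remote Registry and Messenger services, the XP-style firewall policy key, and the 6-char/30-day password policy. It assumes PowerShell 3.0 or later for Get-CimInstance and that `net accounts` prints its English labels.

```powershell
# Added audit example (not from the thread). Checks the hardening points raised
# above on the local Windows host and prints each deviation. Registry value names
# are from the KB articles cited (Q299656: NoLMHash, Q239869: LmCompatibilityLevel)
# and from the XP SP2 firewall policy key; service names are the Windows names.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$fwStd = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$findings = @()

function Get-RegDword($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: report as unset rather than fail
}

# 1. Stop storing LM hashes (NoLMHash = 1). Existing LM hashes remain until
#    each user next changes their password, so force a change after enabling.
$noLm = Get-RegDword $lsa 'NoLMHash'
if ($noLm -ne 1) { $findings += "NoLMHash = '$noLm' (want 1): LM hashes still stored" }

# 2. Do not send LM responses on the wire (LmCompatibilityLevel >= 2, the thread's "Level 2")
$lmLevel = Get-RegDword $lsa 'LmCompatibilityLevel'
if ($null -eq $lmLevel -or $lmLevel -lt 2) { $findings += "LmCompatibilityLevel = '$lmLevel' (want >= 2)" }

# 3. Windows Firewall standard (non-domain) profile enabled, i.e. when the laptop is away
if ((Get-RegDword $fwStd 'EnableFirewall') -ne 1) { $findings += 'Firewall standard profile not enabled' }

# 4. Unnecessary services disabled and stopped
foreach ($name in 'RemoteRegistry', 'Messenger') {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) { continue }   # not installed (Messenger no longer ships)
    if ($svc.StartMode -ne 'Disabled' -or $svc.State -eq 'Running') {
        $findings += "Service $name is $($svc.State), start mode $($svc.StartMode) (want Disabled/Stopped)"
    }
}

# 5. Local account policy: minimum length 6 and maximum age 30 days, as suggested above
$acct   = (net accounts) -join "`n"
$minLen = [int][regex]::Match($acct, 'Minimum password length:\s+(\d+)').Groups[1].Value
$maxAge = [regex]::Match($acct, 'Maximum password age \(days\):\s+(\S+)').Groups[1].Value
if ($minLen -lt 6) { $findings += "Minimum password length = $minLen (want >= 6)" }
if ($maxAge -eq 'Unlimited' -or [int]$maxAge -gt 30) { $findings += "Maximum password age = $maxAge (want <= 30)" }

if ($findings.Count -eq 0) { 'No findings: all checked settings match the thread recommendations' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it from an elevated prompt; on a domain member the effective values may come from Group Policy, so a finding here means the local policy is not applied, not necessarily that the domain policy is wrong.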
    LVL 27

    Expert Comment

    I would add the Microsoft AntiSpyware tool.

    It's the memory-resident part I really like.

    It checks at all times whether some program wants to write to your registry (in certain parts, like autorun).

    Being still beta, it helps to keep a lot of problems away.

    So, as richrumble and FalconHawk have already mentioned:

    (personal) firewall
    no admin rights for users
    remove LM hash
    strong password
    firefox instead of IE

    (It could be Spybot Search & Destroy -> TeaTimer too, of course)

    LVL 4

    Expert Comment

    Another thing that you might consider is keeping an eye on what your employees' behavior with their laptop is, or rather, what they use it for. Since they are most probably company laptops, I think you can demand that they are used properly, by which I mean work only. It doesn't mean that they may never visit a site on their own, but to prevent them from going to, let's say, cracks, warez and adult pages. This is because these are the main virus-carrying sites. And let's be honest, I don't think you will find no one in your company who has caught a virus from an adult or similar site. And even 1 single virus can wreak havoc.

    I know that this kind of protection is a bit... hated by employees, since it's like someone's watching over their shoulder. Nevertheless, if you just use the laptop for what it is there for, there shouldn't be any trouble. For the monitoring part, there are several applications on the net. The one that seemed most interesting for a network was this one:

    Of course 250 dollars is a lot, but a computer crash can cost you more. If you don't want to pay a lot for software, you can also randomly pick a few users that have to give their laptop back for a thorough check of whether it's used properly. Even if you only take in, let's say, 10-50 a month, it will still have the effect that users will watch out. What if you leave clear traces of bad usage and you have to hand your laptop in?
    LVL 1

    Accepted Solution

    Have a look at Safeguard Easy:
