Brian

Local SecPol for remote users

What's the best way to set up the local security policy for remote users? Meaning, I have a few people getting laptops for use off-site. I'm looking for any tips/tricks in setting up the local security policies seeing as how these won't be on the domain the majority of the time. Thanks.

All are XP Pro SP2

Well, I manage about 200 remote users..  when I first got involved with this for our company, I wanted to put everyone on the domain so I could control these laptops, but I discovered that many would not come in for months at a time, and that caused real issues with initial logons (cached)... so, after many calls to our helpdesk, I NO LONGER join any laptops to my domain, and just deal with them individually..  I even gave up with limiting their security, and put every user into the Admin Group..  lol, eh?  There comes a time that we just have to trust that the user understands the 'do's and don'ts' of using a computer...

Of course, I do timely maintenance when the users come into the office, including checking AV, making sure their firewalls are on, cleaning for various things including Spyware, etc...
chrisandersoon

You could use SCAT, create a template, and as they come in implement your policies.  Then remove them from the admin group.  Now this will probably cause more headache for you than the security side of things.  You could also look at a tool like Deep Freeze, and this will not allow them to make any system modifications.  But that includes loading printers at home etc.  There really isn't a good solution.
Brian

ASKER

I was contemplating Fatal's way of doing things. This is how I have approached it in the past - I don't want to be woken up on Saturday b/c someone can't install iTunes. I typically establish a local profile and a domain profile - local for them, domain for me. I make sure they bring it in to me once a month for a cleaning/updates/etc. I'm leaning away from even establishing a domain profile and just making it stand alone (which is what prompted the post). The obvious policies\settings I have so far are Auto Updates\Disk Quotas\etc - obvious stuff. I was just curious to see if anyone had a common practice that appealed to me or suggestions.

Where my worry truly lies is when I implement a VPN in the coming weeks. Obviously I want my domain GPOs to apply but I'm not quite sure how that's going to pan out.

Also, what is SCAT? I'm not familiar with it....
Just so you know, every one of my remote users access our Domain via a VPN and we use Citrix for our applications...  never heard of SCAT, so will await the response..  :)
Brian

ASKER

I'll be doing something similar but just using TS - we really only have one application they need to access.
http://www.governmentsecurity.org/articles/Step-by-StepGuidetoUsingtheSecurityConfigurationToolSet.php

SCAT stands for Security Configuration and Analysis Tool

It is accessed by Start..Run..mmc, then add/remove snap-ins.

It is how you can configure some security settings.  Maybe not everything you really need but some.
Ah. never heard it called SCAT..  but have used the tool many times!  by using these snap-ins, you can configure custom templates for use in the domain...  

Thanks, Chris...
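
The template-then-apply workflow discussed above also has a command-line form, `secedit`, which ships with Windows XP. The script below is an added example, not part of the original thread; the `C:\SecPol` paths and every setting value in the template are illustrative assumptions.

```bat
@echo off
rem Added example: build a small security template and apply it to a
rem standalone (non-domain) XP Pro laptop with secedit.
rem ASSUMPTIONS: the C:\SecPol paths and all values below are illustrative.
setlocal
set WORK=C:\SecPol
set INF=%WORK%\laptop.inf
set SDB=%WORK%\laptop.sdb
if not exist "%WORK%" mkdir "%WORK%"
rem Start from a fresh database so an old import cannot mix in.
if exist "%SDB%" del "%SDB%"

rem 1. Write the template (same INF format the Security Templates snap-in saves).
> "%INF%" (
  echo [Version]
  echo signature="$CHICAGO$"
  echo Revision=1
  echo [System Access]
  echo MinimumPasswordLength = 8
  echo PasswordComplexity = 1
  echo MaximumPasswordAge = 90
  echo LockoutBadCount = 5
  echo EnableGuestAccount = 0
  echo [Event Audit]
  echo AuditLogonEvents = 3
  echo AuditAccountLogon = 3
)

rem 2. Analyze only: compare the machine against the template, change nothing.
secedit /analyze /db "%SDB%" /cfg "%INF%" /log "%WORK%\analyze.log" /quiet
echo Analyze finished, secedit exit code %errorlevel%
echo Review "%WORK%\analyze.log", then press a key to apply or Ctrl+C to stop.
pause >nul

rem 3. Apply account and audit policy only; file and registry ACLs are untouched.
secedit /configure /db "%SDB%" /cfg "%INF%" /overwrite /areas SECURITYPOLICY /log "%WORK%\configure.log" /quiet
echo Configure finished, secedit exit code %errorlevel%

rem 4. Optional follow-up from the thread: drop the user from local admins.
rem    Replace the placeholder before uncommenting.
rem net localgroup Administrators "PLACEHOLDER_USER" /delete
endlocal
```

The same database can be opened in the Security Configuration and Analysis snap-in to view the analysis results setting by setting.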
Brian

ASKER

Stupid question - the literature I've found on SCAT walks me through setting up a new policy - yet when I try to set up a new policy it requires a template - where would I find one? The folder it points to by default is empty.
Thanks, and hope we helped!

FE