
managed endpoints for remote admin access

pma111 asked
Last Modified: 2012-02-14
Just as a technology-neutral discussion: if you let your own employees (IT admins) remotely access the network to perform administrative tasks/systems administration when off site, do you let them use their own personal equipment to hook up to the network, or do you provide them with a "managed endpoint" for such access? If it's a managed endpoint, can you describe the endpoint and what controls you put on it? If you let them remote into the network from their home PC, do you have any additional controls over that kind of admin activity? I.e. what is the risk of letting them use their home PC as opposed to a "managed endpoint"? I've put it technology neutral, but by all means discuss the technology and controls you use.

Senior Consultant (CERTIFIED EXPERT) commented:

Author commented:
I guess one of the benefits of giving them a managed device is that you can ensure its security to some extent, whereas their own PC could have malware, keyloggers, etc. that could obtain their Citrix credentials? I am trying to see why companies give admins a company-configured/managed device as opposed to letting them log in using anything they like.

Author commented:
Is there a differentiation between a remote user and a remote admin in your place? I.e. do the rules for admins logging in for admin purposes differ from the rules for an employee just logging in to access Word documents or the intranet?
Ayman Bakr, Senior Consultant (CERTIFIED EXPERT) commented:
On the VPN layer we don't have rules to differentiate between a normal user and an IT admin. However, once you have passed the VPN, the user account credentials with all their rights and permissions apply. Thus a normal user will not be able to do more than use his/her own apps and save their own documents; on the other hand, an admin (depending also on his role) would be able to access his own consoles and tools to do the day-to-day tasks.

As for security concerns, we have the following security controls before a user can successfully connect to his published apps:
1. Juniper will detect the anti-virus on the user's PC, and if there is no AV or the AV available is not within the certified list, the connection will be rejected
2. Juniper sits in the DMZ behind a firewall, and the internal LAN is again behind a firewall
3. When connecting, double 'authentication' happens: the user's username/password and the user's hard token with PIN
4. Copy, cut, paste, drag, etc. are disabled between the user's session and his/her PC


Regarding the decision of managed endpoint devices versus using any own device:

I believe an organization would take the former decision for the following reasons:
   1. Ensure that the provided devices are up to date with respect to security patches
   2. Periodic screening to ensure that they are virus/malware free
   3. With standardized devices, support becomes easier
   4. Putting security rules in place to restrict use of personal data on those devices

On the other hand, I believe an organization taking the latter decision would do so to:
   1. Eliminate the administrative overhead of periodic checks on provided devices
   2. Eliminate the support overhead (one's own personal device would mean that the person is fully responsible for keeping it functional)
   3. Give their employees more freedom in using different technologies for connecting - tablet PCs, mobiles, etc.
   4. Align IT to business rather than forcing IT on business - that is, more flexibility implies more buy-in to your IT department and its services and a better image

The above is by no means comprehensive, and it is how I see it. Of course it is a tradeoff between security and flexibility. But with proper controls and security plans, more flexibility could be achieved while still having high security for your organization's data.
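The admission checks listed in the comment above, written out as an added example (this is not code from the original thread or from any Juniper product): a small policy that rejects a connection without a certified anti-virus or without both authentication factors, and disables clipboard and drive redirection for any session that is admitted. It goes beyond the comment in one respect, labelled as an assumption in the code: it also requires administrative sessions to come from a managed endpoint with recent patches and signatures, which is the trade-off the thread is debating rather than something the commenter's VPN enforces. The certified-AV list, the age thresholds and the endpoint records are all constructed for the example.

```python
"""Remote-access admission policy modelled on the controls described in the
thread: host check for a certified anti-virus, two-factor login (password plus
hard token with PIN), and clipboard/drive redirection disabled for the session.
The rule that admin sessions additionally need a managed, recently patched
endpoint is an assumption added for illustration; the commenter's VPN does not
differentiate users from admins at that layer."""

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Hypothetical certified anti-virus list; the real list is whatever the
# organisation's host checker is configured with.
CERTIFIED_AV = {"Symantec Endpoint Protection", "McAfee VirusScan Enterprise"}
MAX_AV_DEFINITION_AGE = timedelta(days=7)   # assumed thresholds, not from the thread
MAX_PATCH_AGE = timedelta(days=30)


@dataclass
class Endpoint:
    hostname: str
    managed: bool                        # company-built image under our control?
    av_product: Optional[str]            # None when the host check finds no AV
    av_definitions_date: Optional[date]  # None when unknown / not reported
    last_patch_date: Optional[date]      # None when unknown / not reported


@dataclass
class Login:
    username: str
    role: str            # "user" or "admin"
    password_ok: bool    # first factor: username/password
    token_ok: bool       # second factor: hard token + PIN


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)
    restrictions: Dict[str, bool] = field(default_factory=dict)


def evaluate(endpoint: Endpoint, login: Login, today: date) -> Decision:
    """Return whether the session is admitted, why not, and what is locked down."""
    reasons: List[str] = []

    # Control 3: both factors must succeed; the VPN never sees a single-factor login.
    if not (login.password_ok and login.token_ok):
        reasons.append("two-factor authentication incomplete")

    # Control 1: host check rejects a missing or uncertified anti-virus.
    if endpoint.av_product is None:
        reasons.append("no anti-virus detected on endpoint")
    elif endpoint.av_product not in CERTIFIED_AV:
        reasons.append(f"anti-virus {endpoint.av_product!r} is not on the certified list")

    # Added rule (assumption): administrative sessions only from a managed
    # endpoint, whose patch and signature dates we can actually trust. On a
    # personal PC the host check is self-reported by software we do not
    # control, so a compromised machine can simply claim to be clean.
    if login.role == "admin":
        if not endpoint.managed:
            reasons.append("administrative access requires a managed endpoint")
        else:
            if endpoint.last_patch_date is None or today - endpoint.last_patch_date > MAX_PATCH_AGE:
                reasons.append("managed endpoint is missing recent security patches")
            if endpoint.av_definitions_date is None or today - endpoint.av_definitions_date > MAX_AV_DEFINITION_AGE:
                reasons.append("anti-virus definitions are out of date")

    # Control 4: even an admitted session gets no clipboard or drive redirection
    # between the published app and the user's own PC.
    restrictions = {"clipboard_redirection": False, "drive_mapping": False}
    return Decision(allowed=not reasons, reasons=reasons, restrictions=restrictions)


if __name__ == "__main__":
    # Constructed sample endpoints: a company laptop and an admin's home PC.
    today = date(2012, 2, 14)
    laptop = Endpoint("adm-laptop-01", True, "Symantec Endpoint Protection",
                      date(2012, 2, 13), date(2012, 2, 1))
    home_pc = Endpoint("home-pc", False, "FreeAV Home", date(2011, 11, 1), None)
    admin = Login("jdoe", "admin", password_ok=True, token_ok=True)
    for ep in (laptop, home_pc):
        d = evaluate(ep, admin, today)
        print(ep.hostname, "allowed" if d.allowed else "denied", d.reasons)
```

The point of collecting every failed check into `reasons` rather than returning on the first one is operational: the admin sees everything the gateway objected to (uncertified AV and unmanaged device, say) in a single denied attempt, and the same list is what you would write to the gateway's audit log.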

Author commented:
I see - so it's more a case of you lease out the laptops to the admins for remote offsite work and then bring them back into the network for maintenance. Or can you manage the remote endpoints via a remote access tool, i.e. push out patches/AV/workstation lockdown policies to the workstation at its remote home office? Please excuse my ignorance.

Out of interest, what types of administrative work would admins need to do from home? Is it really for emergency issues as most normal admin activity I assume takes place at the HQ?
Ayman Bakr, Senior Consultant (CERTIFIED EXPERT) commented:
Yes, you are right, you will have to bring them back for maintenance. And you are again right: you can manage the endpoint devices remotely without the need to bring them to work, but you will need a solution which is capable of doing this. One of the excellent tools for pushing patches and software, in addition to vulnerability management, and ranked by Gartner No. 1 in its category (at least since 2008, as I remember) is Precision by Criston (actually now Numara - Criston was acquired by Numara; both are French companies). As for pushing lockdown policies, unfortunately that is outside my knowledge.

It will depend on the company. Some companies might make it very flexible for a group of admins/engineers to work all the time from home, thus opening all administrative work to them. Some other companies have consultants and support staff who will need to be out of HQ and roam to different clients; again, these types of engineers/admins will need to have all of their day-to-day admin roles available. In our company, we are of the type you mentioned. IT admins are provided with remote access to support other employees during weekends while at home, or during emergencies after hours - but as you said, most normal admin activity takes place at the HQ.
