Laptop Security

Our department has a thousand Microsoft Windows 7 laptops roaming outside the agency. They access the company via VPN. Many of these users are V.I.P. customers who log in only every several months or more.

We currently have a security policy in place that disables systems that have not communicated back within 30 days. Also, we rely on making sure all systems in the domain are patched and up-to-date to pass our accreditation.

My question is this:

What would you suggest as a solution to this problem? The requirement here is that we must pass our security standards and stay up to date on patches while still maintaining connectivity and access to our paying V.I.P. customers.

I would create an OU for the VIP computers and modify the policy for that container to not disable computer accounts.
As for the updates, set them to update themselves automatically straight from Microsoft as opposed to WSUS.
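A worked version of the answer above, added here as an example (not code from the original post). It assumes the ActiveDirectory module from RSAT, a hypothetical domain corp.example.com, a hypothetical OU named "VIP Laptops", and a stale-account job that uses Search-ADAccount; the computer names are constructed sample data.

```powershell
# Added example, not part of the original answer. Domain, OU and computer names are assumptions.
Import-Module ActiveDirectory

$domain = 'DC=corp,DC=example,DC=com'
$ouName = 'VIP Laptops'
$ouPath = "OU=$ouName,$domain"

# 1. Create the container for the VIP machines (idempotent).
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domain -ErrorAction SilentlyContinue)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain -ProtectedFromAccidentalDeletion $true
}

# 2. Move the VIP laptops into it (constructed list for the example).
$vipComputers = @('VIP-LT-001', 'VIP-LT-002')
foreach ($name in $vipComputers) {
    Get-ADComputer -Identity $name | Move-ADObject -TargetPath $ouPath
}

# 3. The job that disables accounts idle for 30 days must skip that container.
#    Shown here as a filter on the DN; drop -WhatIf once the output looks right.
$inactive = [TimeSpan]::FromDays(30)
Search-ADAccount -AccountInactive -TimeSpan $inactive -ComputersOnly |
    Where-Object { $_.Enabled -and $_.DistinguishedName -notlike "*,$ouPath" } |
    Disable-ADAccount -WhatIf

# 4. On the VIP laptops, take Windows Update off WSUS and let it pull from Microsoft.
#    These are the registry values written by the GPO settings
#    Windows Components > Windows Update > "Specify intranet Microsoft update service location" (Disabled)
#    and "Configure Automatic Updates" (Enabled, option 4 = auto download and schedule install).
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
New-Item -Path $au -Force | Out-Null
Set-ItemProperty -Path $au -Name UseWUServer  -Value 0 -Type DWord   # 0 = ignore WUServer, use Microsoft Update
Set-ItemProperty -Path $au -Name NoAutoUpdate -Value 0 -Type DWord   # 0 = automatic updates on
Set-ItemProperty -Path $au -Name AUOptions    -Value 4 -Type DWord
```

Step 4 is written against the local policy keys so the values are visible; in a domain the same settings belong in a GPO linked to the VIP OU, otherwise a domain-wide WSUS policy will overwrite them at the next refresh. Note also that a laptop updating straight from Microsoft no longer reports its patch state to WSUS, so the accreditation scan will have to get that evidence from the machine itself (for example over the VPN) rather than from the WSUS console.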

Bill Bach (President and Btrieve Guru) commented:
This is really not a technical problem, but a personnel problem.  If your security policy has an obvious raison d'être (HIPAA data, financial data, etc.), then this should be explained to the VIP's.  Explain that this is for their safety and security as well.  Then, set up an Email system that contacts any user who has not signed in within 21 days and reminds them of the policy, then send another message at 28 days, 29 days, and 30 days, with increasing urgency.  On the 31st day, send out a different message telling them the process for reactivating their system.

No matter what other technical solution you try to build, the simple fact is that there is no way to guarantee that these systems connect every month, so this process would at least serve as a gentle reminder.
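The reminder schedule described in the comment above, as an added example that is not part of the original post. The thresholds (21, 28, 29, 30, 31 days) are the ones the comment gives; the mailbox, SMTP host and the assumption that each computer's ManagedBy attribute points at its V.I.P. owner are hypothetical, and the sample computers are constructed so the logic can be exercised without AD or a mail server.

```powershell
# Added example, not from the original post. Mail addresses, SMTP host and the ManagedBy convention are assumptions.

# Map days since last logon to the reminder stage, following the schedule in the comment.
# Assumes the job runs once a day, so each exact day is hit once.
function Get-ReminderStage {
    param([Parameter(Mandatory)][int]$DaysSinceLogon)
    switch ($DaysSinceLogon) {
        21      { return 'Reminder: please connect to the VPN within 9 days' }
        28      { return 'Warning: your laptop will be disabled in 2 days' }
        29      { return 'Urgent: your laptop will be disabled tomorrow' }
        30      { return 'Final notice: your laptop is disabled after today' }
        31      { return 'Your laptop has been disabled; see the reactivation process below' }
        default { return $null }   # no message on other days
    }
}

# Send the stage message for every computer that is due one. Returns what was (or would be) sent.
function Send-StaleLaptopReminders {
    param(
        [Parameter(Mandatory)][object[]]$Computers,   # objects with Name, LastLogonDate, OwnerMail
        [switch]$WhatIf
    )
    $today = (Get-Date).Date
    $sent  = @()
    foreach ($c in $Computers) {
        $days  = ($today - $c.LastLogonDate.Date).Days
        $stage = Get-ReminderStage -DaysSinceLogon $days
        if (-not $stage) { continue }
        $subject = "Laptop $($c.Name): $stage"
        $body    = "Laptop $($c.Name) last connected $days days ago. Policy disables laptops that have not " +
                   "connected for 30 days; this protects your data as well as ours. $stage."
        if ($WhatIf) {
            Write-Host "Would mail $($c.OwnerMail): $subject"
        } else {
            Send-MailMessage -To $c.OwnerMail -From 'it-security@example.com' `
                             -SmtpServer 'smtp.example.com' -Subject $subject -Body $body
        }
        $sent += [pscustomobject]@{ Name = $c.Name; Days = $days; Stage = $stage }
    }
    return $sent
}

# Constructed sample input: one laptop at each interesting age.
$sample = @(
    [pscustomobject]@{ Name = 'VIP-LT-001'; LastLogonDate = (Get-Date).AddDays(-21); OwnerMail = 'vip1@example.com' },
    [pscustomobject]@{ Name = 'VIP-LT-002'; LastLogonDate = (Get-Date).AddDays(-30); OwnerMail = 'vip2@example.com' },
    [pscustomobject]@{ Name = 'VIP-LT-003'; LastLogonDate = (Get-Date).AddDays(-5);  OwnerMail = 'vip3@example.com' }
)
Send-StaleLaptopReminders -Computers $sample -WhatIf   # mails VIP-LT-001 and VIP-LT-002 only

# Production input (assumption: ManagedBy on the computer object is the owner's user account):
# Get-ADComputer -SearchBase 'OU=VIP Laptops,DC=corp,DC=example,DC=com' -Filter * -Properties LastLogonDate, ManagedBy |
#     ForEach-Object {
#         [pscustomobject]@{ Name = $_.Name; LastLogonDate = $_.LastLogonDate
#                            OwnerMail = (Get-ADUser $_.ManagedBy -Properties mail).mail }
#     } | Send-StaleLaptopReminders -Computers { $input }
```

One caveat worth checking before trusting the day counts: LastLogonDate is derived from lastLogonTimestamp, which Active Directory replicates only when it is more than about 14 days stale, so a laptop's recorded last logon can lag the real one by up to two weeks. If the 30-day disable job uses the same attribute the two stay consistent with each other, which is what matters for the reminders; just do not expect the numbers to match the VPN concentrator's logs exactly.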
Ess Kay (Entrepreneur) commented:
Looks like you will have to run all the security from your own agency, not on the laptops.

Unless you want to risk adding a program which forces an update on the laptops. As long as it doesn't update that second, it shouldn't be a problem, but they can be uninstalled. So your best bet is to keep the hive secure, and perhaps add a two-tier authentication.
HACKL1FE (Author) commented:
I am told we must not disable VIP laptops, but we still must remain secure and pass security scans. I like the idea of putting the systems into an external network hive. We just need to make sure Outlook and SharePoint works, which should be easy enough. Access to file servers that are scripted on log on... that may be an issue.

I appreciate the ideas coming in so far.
Ess Kay (Entrepreneur) commented:
The only solution I can think of is to have a hive, as you say, which has limited access to the internal network.

A two-part authentication: one part to log into the VPN,

and a second being a verification code emailed or text-messaged to the user.