Laptop Security

Our department has a thousand Microsoft Windows 7 laptops roaming outside the agency. They access the company via VPN. Many of these users are V.I.P. customers who log in only every several months or more.

We currently have a security policy in place that disables systems that have not communicated back within 30 days. Also, we rely on making sure all systems in the domain are patched and up-to-date to pass our accreditation.

My question is this:

What would you suggest as a solution to this problem? The requirement here is that we must pass our security standards and stay up to date on patches while still maintaining connectivity and access to our paying V.I.P. customers.
bcrosby007 commented:
I would create an OU for the VIP computers and modify the policy for that container to not disable computer accounts.
As for the updates, set them to update themselves automatically straight from Microsoft as opposed to WSUS.
Bill Bach (President) commented:
This is really not a technical problem, but a personnel problem. If your security policy has an obvious raison d'être (HIPAA data, financial data, etc.), then this should be explained to the VIPs. Explain that this is for their safety and security as well. Then, set up an email system that contacts any user who has not signed in within 21 days and reminds them of the policy, then send another message at 28 days, 29 days, and 30 days, with increasing urgency. On the 31st day, send out a different message telling them the process for reactivating their system.

No matter what other technical solution you try to build, the simple fact is that there is no way to guarantee that these systems connect every month, so this process would at least serve as a gentle reminder.
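The two answers above describe a process rather than code: exempt a VIP OU from the automatic disable, and send escalating reminders at 21, 28, 29 and 30 days, then reactivation instructions from day 31. The script below is an added example written for this page; it is not from any of the commenters. It assumes the RSAT ActiveDirectory module and an SMTP relay, and the OU path, mail addresses and the convention that a computer's Description attribute holds its user's e-mail address are all hypothetical placeholders. The disable step runs with -WhatIf so it reports rather than acts until you remove that switch.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory
# module (RSAT) and an SMTP relay. OU path, addresses and the use of the
# Description attribute for the user's mail address are hypothetical.
Import-Module ActiveDirectory

$VipOU      = 'OU=VIP Laptops,OU=Workstations,DC=example,DC=local'   # hypothetical OU
$SmtpServer = 'smtp.example.local'                                   # hypothetical relay
$From       = 'it-security@example.local'                            # hypothetical sender
$Now        = Get-Date

# Reminder schedule from the thread: 21, 28, 29, 30 days, reactivation text at 31+.
function Get-ReminderMessage {
    param([int]$DaysSilent)
    switch ($DaysSilent) {
        21 { return 'Reminder: please connect to the VPN within 9 days to keep your laptop active.' }
        28 { return 'Your laptop will be disabled in 2 days unless it connects to the VPN.' }
        29 { return 'URGENT: your laptop will be disabled tomorrow unless it connects to the VPN.' }
        30 { return 'FINAL NOTICE: your laptop will be disabled today unless it connects to the VPN.' }
        default {
            if ($DaysSilent -gt 30) {
                return 'Your laptop has been disabled. Reply to this message to start the reactivation process.'
            }
            return $null
        }
    }
}

# lastLogonTimestamp replicates domain-wide but is only refreshed when it is
# roughly two weeks stale, so treat it as a coarse last-contact indicator.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' `
    -Properties lastLogonTimestamp, Description

foreach ($c in $computers) {
    if (-not $c.lastLogonTimestamp) { continue }   # never logged on: handle separately
    $lastSeen   = [DateTime]::FromFileTime($c.lastLogonTimestamp)
    # Floor rather than [int]: PowerShell's [int] cast rounds, which would skip thresholds.
    $daysSilent = [int][Math]::Floor(($Now - $lastSeen).TotalDays)
    $message    = Get-ReminderMessage -DaysSilent $daysSilent
    if (-not $message) { continue }

    # VIP machines are identified by their OU; they get reminders but are never disabled.
    $isVip = $c.DistinguishedName -like "*,$VipOU"
    $to    = $c.Description   # hypothetical: Description holds the user's e-mail address

    if ($to) {
        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $to `
            -Subject "Laptop $($c.Name): $daysSilent days without VPN contact" -Body $message
    }

    # Enforce the 30-day policy only outside the VIP OU. -WhatIf makes this a dry run.
    if ($daysSilent -gt 30 -and -not $isVip) {
        Disable-ADAccount -Identity $c.DistinguishedName -WhatIf
    }
}
```

Run it once a day from a scheduled task on a management host; because thresholds are matched on whole days, a daily run hits each reminder exactly once. Keep the -WhatIf until the log output matches what the existing disable policy would have done, then remove it.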
Ess Kay (Entrepreneur) commented:
Looks like you will have to run all the security from your own agency, not on the laptops.

Unless you want to risk adding a program which forces an update on the laptops. As long as it doesn't update that second, it shouldn't be a problem, but they can be uninstalled. So your best bet is to keep the hive secure, and perhaps add a two-tier authentication.
HACKL1FE (Author) commented:
I am told we must not disable VIP laptops, but we still must remain secure and pass security scans. I like the idea of putting the systems into an external network hive. We just need to make sure Outlook and SharePoint works, which should be easy enough. Access to file servers that are scripted on log on... that may be an issue.

I appreciate the ideas coming in so far.
Ess Kay (Entrepreneur) commented:
The only solution I can think of is to have a hive as you say, which has limited access to the internal network.

A two-part authentication, one part to log into VPN,

a second one being a verification code emailed or text messaged to the user.