Solved

Locking down laptop security

Posted on 2014-04-11
4
438 Views
Last Modified: 2014-04-15
We have a corporate laptop that is used in different places. I’m looking to force different TCP/IP configurations based on where the laptop is used. Let me know if this is possible.
 
The network experienced hacking attempts every day and I’ve done my best to lock everything down. This laptop is a pain because it’s being used in different locations without my control.
Here are the specs:
 
1.      The laptop runs Win 7 Home premium
2.      If the wired network connection is used, it should default to 10.10.10.9, SM 255.255.255.248, DG 10.10.10.1,  dns 8.8.4.4, 4.4.2.2
3.      The user should be able to change the default into mentioned above if they are out of the office and need something different
4.      If it is changed, it should always default back to the TCP/IP info mentioned above.
5.      If wireless is used, then it can use dynamic TCP/IP but the wireless is normally disabled
6.      If the wireless is enabled, the wired connection should go into disable mode.
0
Comment
Question by:Tony Giangreco
  • 2
4 Comments
 
LVL 63

Accepted Solution

by:
btan earned 333 total points
ID: 39995693
looks like you will be better off with host intrusion protection type of s/w (assuming the infra is another layer though it cannot be rely on totally when you go for hotspots,                   usage acceptance still applies). In all case, VPN should be established prior to real internet surfing and etc, disable split tunneling as well so all go through your enterprise proxy for ingress and egress, lockdown the browser proxy setting via GPO, yes it is not foolproof but making it tougher..and layered with deterrence..

can check out Symantec SEP
-Laptops update definitions from internet directly when off-site
-Laptops have tighter firewall rules when off-site
-Source of LiveUpdate server / GUPs based on location in the corp LAN so that updates are not pulled across the WAN
-Differentiate between VPN & LAN connections
-Allow end users to manage SEP client on the end point, basically allow admin / nonadmin usage model for SEP client

Use Case of Location Awareness and Network Threat Protection with SEP (11/12)
http://www.symantec.com/connect/articles/use-case-location-awareness-and-network-threat-protection-sep-1112

Best Practices for Symantec Endpoint Protection Location Awareness
http://www.symantec.com/docs/TECH98211

How to Use Location Awareness as Fault Tolerance for Content Updates
http://www.symantec.com/docs/TECH94265

of course the control of device and application can be considered and balanced with the risk exposure - it is whitelisting approach (SPE also has this)

Symantec Endpoint Protection Application and Device Control
http://www.symantec.com/security_response/securityupdates/list.jsp?fid=adc

How to block or allow device's in Symantec Endpoint Protection
http://www.symantec.com/connect/articles/how-block-or-allow-devices-symantec-endpoint-protection
0
 
LVL 70

Assisted Solution

by:Merete
Merete earned 167 total points
ID: 39998197
The network experienced hacking attempts<< this actually quite normal attempts that is. So your being told an attempt was made but was not actually successful.
Zone Alarm is also very good, but can scare normal folks as it reports to you the ping attacks and hack attempts.
Unless they actually succeed we just have to deal with it by using our firewall
We will always get attempts, maybe disable alerts as they can be quite numerous especially with wireless..Not all are malicious just freeloaders looking free internet access with your wireless.
0
 
LVL 63

Assisted Solution

by:btan
btan earned 333 total points
ID: 39998241
I also do suggest switch to secure browser and maybe whitehat aviator that is stripping away ads and disabling autoplaying of media files, Aviator cuts off two main avenues for malware infection. Furthermore, it blocks tracking software used by online marketing tools such as Google Analytics, Omniture and DoubleClick.
Another is tinywall whitelist or unblock applications by different means. If you are using HIPS software, make sure not to restrict TinyWall in the HIPS software. This usually needs additional configuration in the HIPS software.
0
 
LVL 25

Author Closing Comment

by:Tony Giangreco
ID: 40002948
I will take all suggestions into account and work on locking the laptop down. Thanks!
0

Featured Post

Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
Resolve DNS query failed errors for Exchange
This Micro Tutorial will teach you how to change your appearance and customize your Windows 7 interface to your unique preference. This will be demonstrated using Windows 7 operating system.
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question