• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 455
  • Last Modified:

Locking down laptop security

We have a corporate laptop that is used in different places. I’m looking to force different TCP/IP configurations based on where the laptop is used. Let me know if this is possible.
 
The network experienced hacking attempts every day and I’ve done my best to lock everything down. This laptop is a pain because it’s being used in different locations without my control.
Here are the specs:
 
1.      The laptop runs Win 7 Home premium
2.      If the wired network connection is used, it should default to 10.10.10.9, SM 255.255.255.248, DG 10.10.10.1,  dns 8.8.4.4, 4.4.2.2
3.      The user should be able to change the default into mentioned above if they are out of the office and need something different
4.      If it is changed, it should always default back to the TCP/IP info mentioned above.
5.      If wireless is used, then it can use dynamic TCP/IP but the wireless is normally disabled
6.      If the wireless is enabled, the wired connection should go into disable mode.
0
Tony Giangreco
Asked:
Tony Giangreco
  • 2
3 Solutions
 
btanExec ConsultantCommented:
looks like you will be better off with host intrusion protection type of s/w (assuming the infra is another layer though it cannot be rely on totally when you go for hotspots,                   usage acceptance still applies). In all case, VPN should be established prior to real internet surfing and etc, disable split tunneling as well so all go through your enterprise proxy for ingress and egress, lockdown the browser proxy setting via GPO, yes it is not foolproof but making it tougher..and layered with deterrence..

can check out Symantec SEP
-Laptops update definitions from internet directly when off-site
-Laptops have tighter firewall rules when off-site
-Source of LiveUpdate server / GUPs based on location in the corp LAN so that updates are not pulled across the WAN
-Differentiate between VPN & LAN connections
-Allow end users to manage SEP client on the end point, basically allow admin / nonadmin usage model for SEP client

Use Case of Location Awareness and Network Threat Protection with SEP (11/12)
http://www.symantec.com/connect/articles/use-case-location-awareness-and-network-threat-protection-sep-1112

Best Practices for Symantec Endpoint Protection Location Awareness
http://www.symantec.com/docs/TECH98211

How to Use Location Awareness as Fault Tolerance for Content Updates
http://www.symantec.com/docs/TECH94265

of course the control of device and application can be considered and balanced with the risk exposure - it is whitelisting approach (SPE also has this)

Symantec Endpoint Protection Application and Device Control
http://www.symantec.com/security_response/securityupdates/list.jsp?fid=adc

How to block or allow device's in Symantec Endpoint Protection
http://www.symantec.com/connect/articles/how-block-or-allow-devices-symantec-endpoint-protection
0
 
MereteCommented:
The network experienced hacking attempts<< this actually quite normal attempts that is. So your being told an attempt was made but was not actually successful.
Zone Alarm is also very good, but can scare normal folks as it reports to you the ping attacks and hack attempts.
Unless they actually succeed we just have to deal with it by using our firewall
We will always get attempts, maybe disable alerts as they can be quite numerous especially with wireless..Not all are malicious just freeloaders looking free internet access with your wireless.
0
 
btanExec ConsultantCommented:
I also do suggest switch to secure browser and maybe whitehat aviator that is stripping away ads and disabling autoplaying of media files, Aviator cuts off two main avenues for malware infection. Furthermore, it blocks tracking software used by online marketing tools such as Google Analytics, Omniture and DoubleClick.
Another is tinywall whitelist or unblock applications by different means. If you are using HIPS software, make sure not to restrict TinyWall in the HIPS software. This usually needs additional configuration in the HIPS software.
0
 
Tony GiangrecoAuthor Commented:
I will take all suggestions into account and work on locking the laptop down. Thanks!
0

Featured Post

Choose an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now