Solved

Locking down laptop security

Posted on 2014-04-11
Last Modified: 2014-04-15
We have a corporate laptop that is used in different places. I’m looking to force different TCP/IP configurations based on where the laptop is used. Let me know if this is possible.

The network experienced hacking attempts every day and I’ve done my best to lock everything down. This laptop is a pain because it’s being used in different locations without my control.

Here are the specs:

1. The laptop runs Win 7 Home Premium.
2. If the wired network connection is used, it should default to 10.10.10.9, SM 255.255.255.248, DG 10.10.10.1, DNS 8.8.4.4, 4.4.2.2.
3. The user should be able to change the default info mentioned above if they are out of the office and need something different.
4. If it is changed, it should always default back to the TCP/IP info mentioned above.
5. If wireless is used, then it can use dynamic TCP/IP, but the wireless is normally disabled.
6. If the wireless is enabled, the wired connection should go into disabled mode.
Question by:Tony Giangreco
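
One way to script items 2, 4 and 6 of the spec above with the built-in `netsh` tool, as an added example that is not from any poster in this thread. The adapter names (Windows 7 defaults), English `netsh` output, and running it elevated at startup or logon are assumptions.

```powershell
# Added example, not from the thread. Run elevated on the laptop.
# Assumptions: default Windows 7 adapter names and English netsh output.
# Check the real names with: netsh interface show interface
$Wired    = 'Local Area Connection'
$Wireless = 'Wireless Network Connection'

# Office defaults for the wired adapter, copied from item 2 of the question.
$Address = '10.10.10.9'
$Mask    = '255.255.255.248'
$Gateway = '10.10.10.1'
$Dns1    = '8.8.4.4'
$Dns2    = '4.4.2.2'

function Test-AdapterEnabled([string]$Name) {
    # Rows look like: "Enabled   Connected   Dedicated   Local Area Connection"
    $pattern = '^\s*Enabled\s.*\s' + [regex]::Escape($Name) + '\s*$'
    return [bool](netsh interface show interface | Where-Object { $_ -match $pattern })
}

function Invoke-Netsh {
    # Run netsh with the given arguments; stop on a nonzero exit code so a
    # half-applied configuration does not go unnoticed.
    $out = & netsh $args
    if ($LASTEXITCODE -ne 0) { throw "netsh $args failed: $out" }
}

if (Test-AdapterEnabled $Wireless) {
    # Item 6: wireless is enabled, so the wired adapter is disabled.
    Invoke-Netsh interface set interface $Wired admin=disabled
} else {
    # Items 2 and 4: wired is the active path; put the office defaults back,
    # overwriting whatever the user set while out of the office (item 3).
    if (-not (Test-AdapterEnabled $Wired)) {
        Invoke-Netsh interface set interface $Wired admin=enabled
        Start-Sleep -Seconds 5   # give the adapter time to come up
    }
    Invoke-Netsh interface ip set address $Wired static $Address $Mask $Gateway 1
    Invoke-Netsh interface ip set dns $Wired static $Dns1 validate=no
    Invoke-Netsh interface ip add dns $Wired $Dns2 index=2 validate=no
}
```

Scheduled to run at each startup or logon, this reverts any manual change the user made on the previous trip; the wireless adapter is left on DHCP, as item 5 allows.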

Accepted Solution

by:
btan earned 333 total points
Looks like you will be better off with host intrusion protection type of s/w (assuming the infra is another layer, though it cannot be relied on totally when you go for hotspots; usage acceptance still applies). In all cases, VPN should be established prior to real internet surfing etc. Disable split tunneling as well so all goes through your enterprise proxy for ingress and egress, and lock down the browser proxy setting via GPO. Yes, it is not foolproof, but it makes it tougher, and layered with deterrence.

You can check out Symantec SEP:
- Laptops update definitions from internet directly when off-site
- Laptops have tighter firewall rules when off-site
- Source of LiveUpdate server / GUPs based on location in the corp LAN so that updates are not pulled across the WAN
- Differentiate between VPN & LAN connections
- Allow end users to manage SEP client on the end point, basically allow admin / nonadmin usage model for SEP client

Use Case of Location Awareness and Network Threat Protection with SEP (11/12)
http://www.symantec.com/connect/articles/use-case-location-awareness-and-network-threat-protection-sep-1112

Best Practices for Symantec Endpoint Protection Location Awareness
http://www.symantec.com/docs/TECH98211

How to Use Location Awareness as Fault Tolerance for Content Updates
http://www.symantec.com/docs/TECH94265

Of course, the control of devices and applications can be considered and balanced with the risk exposure; it is a whitelisting approach (SEP also has this).

Symantec Endpoint Protection Application and Device Control
http://www.symantec.com/security_response/securityupdates/list.jsp?fid=adc

How to block or allow device's in Symantec Endpoint Protection
http://www.symantec.com/connect/articles/how-block-or-allow-devices-symantec-endpoint-protection

Assisted Solution

by:Merete
Merete earned 167 total points
"The network experienced hacking attempts" << this is actually quite normal, attempts that is. So you're being told an attempt was made but was not actually successful.
Zone Alarm is also very good, but it can scare normal folks as it reports to you the ping attacks and hack attempts.
Unless they actually succeed, we just have to deal with it by using our firewall.
We will always get attempts; maybe disable alerts as they can be quite numerous, especially with wireless. Not all are malicious, just freeloaders looking for free internet access with your wireless.

Assisted Solution

by:btan
btan earned 333 total points
I also suggest switching to a secure browser, maybe WhiteHat Aviator. By stripping away ads and disabling autoplaying of media files, Aviator cuts off two main avenues for malware infection. Furthermore, it blocks tracking software used by online marketing tools such as Google Analytics, Omniture and DoubleClick.
Another is TinyWall, which can whitelist or unblock applications by different means. If you are using HIPS software, make sure not to restrict TinyWall in the HIPS software. This usually needs additional configuration in the HIPS software.

Author Closing Comment

by:Tony Giangreco
I will take all suggestions into account and work on locking the laptop down. Thanks!