Password management remote users

Cobra25 asked:
Hi guys,

We have a headquarters location with about 15 users and AD. Now we are going to have about 30 remote field users who use laptops. How can I manage their passwords in case they get fired and I need to lock them out of their machines?
McKnife commented:
If you have no network access, you can only use a "passive" protection: if the computer does not contact your network for, let's say, 4 weeks, it will change the encryption key via a scheduled task on the machine. Of course this assumes that you have disk encryption in use, which any laptop user should.
Miguel Angel Perez Muñoz commented:
You did not specify which OS you are using to deploy AD. Assuming you are using Windows Server Essentials, you can set up DirectAccess: https://technet.microsoft.com/en-us/library/jj204618.aspx
This gives you the ability to disable the computer account, the user account or even any kind of local account, as if the computer were on the local LAN, as soon as the computer has internet access.
McKnife commented:
Miguel, we cannot keep people who are offline from logging in to their machine that way.
Miguel Angel Perez Muñoz commented:
Miguel, we cannot keep people who are offline from logging in to their machine that way.

Sorry, but I don't find where it says the laptops have no internet access. As soon as a computer has internet access, it connects to AD and gets all GPOs and other stuff, like disabled user accounts or whatever.
McKnife commented:
It is a measure against people that are fired. You cannot expect those to be nice and connect to the company network so you can delete their user profiles, can you? And they should be kept from accessing the data - therefore, encryption is the only possible way. If the laptop changes the encryption key, it cannot boot anymore - problem solved.
Cobra25 (author) commented:
Miguel, that sounds like a very interesting solution. I've never heard of DirectAccess, but it looks like it syncs everything as if you were connected locally behind the LAN even though you are remote?
Miguel Angel Perez Muñoz commented:
Yes, it is like a VPN but does not require the user to launch it; it is automatic. When the computer detects internet access, it connects through the VPN by itself. This lets you keep all documents on a central server and secure them (using NTFS permissions, making backups) against loss.
McKnife commented:
DirectAccess is a good thing, but it cannot help if we would like to keep users from using their computers at some point in time.
Cobra25 (author) commented:
McKnife, so if I do a password lockout in AD and they tried to log back in, would they still be able to get in?
McKnife commented:
It depends; by default, yes. By default, people may log on without a network connection to AD (offline even) and will authenticate against the cached credentials, which will not care what you do at your AD, so they will get in and have access to local resources.

You can configure that it is impossible to log on to the machine if AD cannot be reached; then they will be locked out. But imagine their long faces if (before they are fired) they don't get in because something is wrong with their network connection. Who'll be blamed? You. They would need a stable VPN pre-logon connection.

I hope now you understand why I wrote what I think (and I am sure) is the only way to do a lockout: use encryption, use a task that every few days checks if AD can be reached and if it cannot be reached for a certain defined time, changes the encryption password, shuts down the machine and makes it inaccessible that way.
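As an added example, not code from the thread or from any of its participants, here is a PowerShell script implementing the scheduled-task idea above for a domain-joined, BitLocker-protected laptop: it records the last successful contact with a domain controller and, once the machine has been out of contact longer than the threshold, removes the TPM protector (instead of changing a password) so the drive only unlocks with the recovery password an admin escrowed earlier, then shuts down. The state-file path, the 28-day threshold, the mount point and the use of BitLocker are assumptions.

```powershell
# Added example, not from the thread. Run as SYSTEM from a daily scheduled task on a
# domain-joined laptop with BitLocker enabled. Paths and threshold below are assumptions.
$StateFile  = 'C:\ProgramData\LockoutCheck\last-contact.txt'   # assumed location
$MaxOffline = New-TimeSpan -Days 28                             # "let's say 4 weeks"
$MountPoint = 'C:'

function Test-DomainReachable {
    # A healthy secure channel proves a domain controller was actually reached;
    # a ping to the DC's address would not.
    try { return [bool](Test-ComputerSecureChannel -ErrorAction Stop) }
    catch { return $false }
}

function Save-Contact {
    New-Item -ItemType Directory -Path (Split-Path $StateFile) -Force | Out-Null
    (Get-Date).ToString('o') | Set-Content -Path $StateFile
}

function Get-LastContact {
    if (Test-Path $StateFile) {
        return [datetime]::Parse((Get-Content -Path $StateFile -Raw).Trim())
    }
    Save-Contact          # first run: start the clock, do not lock out immediately
    return Get-Date
}

function Invoke-Lockout {
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') { return }   # nothing to enforce without encryption
    # Only proceed if a recovery password protector exists; it should have been escrowed to
    # AD (Backup-BitLockerKeyProtector) while online, so an admin can still recover the disk.
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $recovery) { return }
    # Drop every TPM-based protector so the OS volume no longer unlocks automatically at
    # boot; without the recovery password the user is stuck at the recovery screen.
    $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -like 'Tpm*' } |
        ForEach-Object { Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId }
    Stop-Computer -Force
}

if (Test-DomainReachable) {
    Save-Contact
} elseif ((Get-Date) - (Get-LastContact) -gt $MaxOffline) {
    Invoke-Lockout
}
```

The script deliberately does nothing when no recovery password protector is present, so escrow one while the laptop is still on the company network; otherwise the lockout would also lock the admin out.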
Cobra25 (author) commented:
McKnife, what if we get a phone call and need to disable someone immediately? How would that work? Assume AD is no longer in play, since it doesn't seem like that would work.
McKnife commented:
Your only solution, as I told you, is to make it mandatory to log on to AD. No AD connection, no logon. That would mean network access needs to be available pre-logon whenever they would like to work. It also means that you risk that people from time to time cannot log on although they would like to and would be allowed to.

It's this policy: https://technet.microsoft.com/en-us/library/cc938139.aspx. Set it to 0. Only then can you do a central lockout.
Cobra25 (author) commented:
Is there any other way of doing it without setting up DirectAccess?
McKnife commented:
I am not sure if we understand what you want.
Do your workers save documents to their own laptops? If yes, would you like to be able to disallow access to these documents on their machines some day? If yes, you'll need to disable their accounts and forbid logging on with cached credentials, like I described before. If, in addition, their laptop is encrypted, they cannot circumvent it.
This does not need a DirectAccess setup.
Cobra25 (author) commented:
So the remote users have just office software on their PCs, and they will probably keep work-related documents on their PC.

Now say we need to fire them immediately. I would need to be able to disable them before they can get back into the machine and potentially delete documents, erase their emails and such.
McKnife commented:
See my last comment.
Cobra25 (author) commented:
So you are saying to go the encryption key route then? I am not going to use AD/DirectAccess.
McKnife commented:
No, what I described in my last comment was not about encryption alone. You need to forbid cached credentials.
Cobra25 (author) commented:
Again, I am NOT using AD on the remote machines, so the cached credentials are irrelevant.
McKnife commented:
We talked about using AD as it is the only way to do it. If you don't use AD, you cannot achieve it.
Without AD, using encryption and enforcing a key change from time to time is surely an alternate way, but that will not work immediately, only in defined time intervals, because this would be a pull mechanism initiated by the laptop, while AD logons would be a push mechanism initiated by you. I hope the problem is clear by now.

Cobra25 (author) commented:
So no options outside of AD is what you're saying.

Anyone else have any options that would work?
Miguel Angel Perez Muñoz commented:
Synchronizing local documents with a central server and DirectAccess may resolve your problem:

- All local documents are stored locally and synced with a folder on premises. You can back up these documents.
- Email is stored on an on-premises email server; you can do backups easily.

When an employee is fired, simply disable the AD account; the employee cannot log on to email or delete any synced document.
Cobra25 (author) commented:
Miguel, I don't think we will be going down the AD route.

Is there any other way to do this WITHOUT AD??
LeeTutor (retired) commented:
I've requested that this question be deleted for the following reason:

The question has either no comments or not enough useful information to be called an "answer".
McKnife commented:
Solutions have been shown and discussed. Why delete, Lee?
Miguel Angel Perez Muñoz commented:
Why not the DirectAccess solution? LeeTutor was very interested in: http://www.experts-exchange.com/questions/28737258/Password-management-remote-users.html#a41037210
McKnife commented:
It was emphasized that it needs to be a solution without AD.