Michael C

asked on

Work from home and contingency setup question

Hi Expert,

I was asked to set up a “work from home” and contingency project.

I am thinking of allowing staff to bring company laptops home and connect to their office PCs by remote desktop.

Some of my challenges:

1. How can I prevent the staff from relocating company data? They don’t have administrator rights and no USB, but use DHCP. I am thinking they can set up FTP to move out everything.

2. We are considering Citrix VDI, but it seems too expensive for this and not reliable?

Any good reference?

James Rankin

Citrix is pretty reliable if set up correctly. It also gives you a lot of security control over things like data exfiltration, cut and paste, printers, keyloggers on the remote client, etc. RemotePC is a Citrix feature which is very useful for connecting to office PCs. It can be expensive but depends what you use.

You need to control the applications on the desktops if you want to stop them setting up FTP. AppLocker would be your friend here.
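
One way to check the AppLocker point in the answer above, as an added example that is not part of the original thread: a PowerShell audit that asks the effective AppLocker policy whether the built-in ftp.exe and any executables in user-writable folders would be allowed to run. The `Everyone` account and the folder list are assumptions; adjust them to your environment.

```powershell
# Added example (not from the thread): audit what the effective AppLocker
# policy would let a standard user run. Assumed values are marked below.
Import-Module AppLocker

$user    = 'Everyone'                       # assumption: test against all users
$folders = @("$env:USERPROFILE\Downloads",  # assumption: user-writable folders
             "$env:USERPROFILE\Desktop",    # where a portable FTP tool could be
             $env:TEMP)                     # placed without admin rights

# AppLocker only enforces rules while the Application Identity service runs.
$svc = Get-Service -Name AppIDSvc
if ($svc.Status -ne 'Running') {
    Write-Warning "AppIDSvc is $($svc.Status): AppLocker rules are not being enforced."
}

$policy = Get-AppLockerPolicy -Effective

# A collection in AuditOnly or NotConfigured mode does not block anything.
$policy.RuleCollections |
    Select-Object RuleCollectionType, EnforcementMode |
    Format-Table -AutoSize

# Candidates: the built-in FTP client plus every .exe in the user-writable folders.
$candidates = @("$env:SystemRoot\System32\ftp.exe")
$candidates += Get-ChildItem -Path $folders -Filter *.exe -Recurse -File -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName
$candidates = @($candidates | Where-Object { $_ -and (Test-Path -LiteralPath $_) })

# Evaluates the rules only; it does not take enforcement mode into account.
$results = Test-AppLockerPolicy -PolicyObject $policy -Path $candidates -User $user

# Anything not denied (explicitly or by default) would be allowed to start.
$allowed = @($results | Where-Object { $_.PolicyDecision -notlike 'Denied*' })

$results | Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize

if ($allowed.Count -gt 0) {
    Write-Warning "$($allowed.Count) executable(s) would run for '$user'; review the rules above."
} else {
    Write-Output "All tested executables are denied for '$user'."
}
```
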
Michael C

ASKER

I checked; RemotePC is part of VDI, right? The main contingency concern is that once the server is down, every company PC is down.

AppLocker seems very good, though it seems I need more time to digest it. Many thanks for your recommendation.

Why not configure an always on VPN?

What do you mean, "once the server is down"? If you're building Citrix brokering infra, you build it redundant. Or use Citrix Cloud and then Citrix manage all the infrastructure.

Hi Alex, VPN is not secure enough. It only encrypts data transmission, but gives no data / system protection.

Hi James, yes, we can set up redundancy to fail over. That is the hardware side. For the system side, there is no redundancy. What we can try is to distribute the VDI across two VM servers. Only half of the users are affected if one of them is down.

For cloud, personally I find it less reliable. I don't like cloud services in that they keep updating security and features, and have lots of unexpected downtime.

I've been on Citrix Cloud for over two years and we have had two instances of downtime, both in the 4 hour region.

If you want to be able to tolerate failure of the target machines, then consider some virtual instances as well. If you have pooled machines you can fire them up as required.

1. How can prevent the staff from relocating company data? They don’t have administrator right and no USB, but use DHCP. I am thinking they can setup FTP to move out everything

Using a VPN to connect from the home network into the business network doesn't magically give the user more permissions to do things on the business network. When working at work, what is to prevent the user from simply copying the files to a USB drive or Dropbox, or emailing the files out of the network? Just because they are connecting in to the network differently doesn't change things. The user has the same permissions and access restrictions that they have when the laptop is at work.

My scenario is:

1. The staff download company files onto their laptop from the office
2. Then at home, staff connect to their home Wi-Fi for internet, but don't connect to the VPN
3. Then they can do anything they want, right?

So how can I prevent this situation?

In my office, all cloud uploading services and USB are blocked.
ASKER CERTIFIED SOLUTION
James Rankin
This solution is only available to members.
Yes, it is a good question and people often ask it.

My boss said our role is to try our best to prevent it from happening. In case there is data leakage, the legal liability will depend on how much we do to prevent it from happening.

So taking photos can never be avoided, but staff will rarely do it as it is difficult to take out a large volume of data.

For Citrix, it is good but very expensive. They have a feature for recording. It is good, even if not good for privacy, but it really can stop staff from taking out company data.

Set up role-based access controls, and sort your data by location, department, and job role. Then enable access accordingly.