    Cross Post - How to prevent a company laptop/device from working on external networks

    IT Discussion
    • DustinB3403
      last edited by DustinB3403

      From here:

      Good morning,

      We have a fleet of laptops we currently manage with Static IPs, to prevent them from being used outside of the company network. This is fine, but just another piece to manage and keep track of.

      I would prefer to set them to DHCP and reserve them, as we have infrastructure changes coming down the road and this will be much quicker to deploy the changes.

      However, setting them to DHCP will allow them to obtain an IP address from public places, employee homes, and potentially other risky places that don't scrutinize our traffic as our corporate firewalls do with all of that UTM. Even though we have A/V on every machine, we feel that we would be letting our guard down to allow these devices to leave the confines of our corporate network.

      So, with that being said, is there a technique to allow us to keep control of the laptops and what networks/subnets they join by using a DHCP reservation, but preventing DHCP from obtaining just "any old" IP address from any network?

      Our goal is to not infect or bring a problem from outside into the network by carrying it in. As you know, people are much more likely to do "leisurely" stuff at home with a corporate laptop, including -> "insert whatever here", essentially bypassing any web/content filter we have in place in the corporate setting.

      Thank you for taking a look - interested in thoughts of how it's "DONE".

      So before I go into what I think might work, or why not, etc., I'd say that using laptops in a corporation and restricting their access to anything but the corporate network is possible, albeit very difficult.

      Use case: you only want the office staff to be able to have a staff meeting while at the office. A leave-your-work-at-work mentality.

      • IRJ

        What is the point of having a laptop if it isn't portable?

        • RamblingBiped

          Seems like an issue that should be resolved with company policy, not some overly complicated overly engineered IT/IS solution.

          • RamblingBiped

            If they really distrust their employees THAT much why not just throw monitoring software on the system and reprimand/fire them for not following policy?

            • DustinB3403
              last edited by DustinB3403

              Now I have to ask is the business really not trusting their employees enough to allow the company laptops to connect to outside wireless?

              Certainly the business sees a need in the benefit of a laptop's portability.

              So why not enable encryption on the laptops, and then configure a VPN for the users to connect to while outside of the office?

              Encrypting the laptops would at least protect the data at rest from anyone who has the device but can't decrypt it, stopping unwanted people from accessing both the OS and the corporate network, while allowing the staff to access work from wherever.

              • DustinB3403 @RamblingBiped

                @RamblingBiped said in Cross Post - How to prevent a company laptop/device from working on external networks:

                If they really distrust their employees THAT much why not just throw monitoring software on the system and reprimand/fire them for not following policy?

                Well you'd have to have policy, and monitoring software often isn't cheap.

                Although I agree with the idea.

                • DustinB3403

                  So what I'm seeing as the need is to try and prevent devices from accessing company resources while on anything but the work network.

                  This is exactly what VPNs are for.

                  You centralize all of your services behind the VPN, and force users to access them while connected to the network.

                  Redirecting the users' My Documents folders, etc., back to a network share would mean none of the company data could ever be on the laptop.

                  Putting in a system policy to disable USB storage devices would add another layer of protection in that the data couldn't be copied off.

                  Of course that doesn't stop someone from using email to send out the files / information.

                  • JaredBusch

                    This can be defeated by anyone simply by updating their home network settings to match the laptop.

                    Granted a lot of users would not know how to do this, but they would figure it out if they wanted.

                    Such stupid.

                    • Dashrender @JaredBusch
                      last edited by Dashrender

                      @JaredBusch said in Cross Post - How to prevent a company laptop/device from working on external networks:

                      This can be defeated by anyone simply by updating their home network settings to match the laptop.

                      Granted a lot of users would not know how to do this, but they would figure it out if they wanted.

                      Such stupid.

                      This requires that the users know the password for the wireless, assuming the wireless doesn't use certificate-based authentication like was presented at ML Con.

                      But this idea was the first that popped into my mind.

                      • Dashrender

                        But I do have a question - how does forcing the use of static IPs affect their ability to get on other networks?

                        Let's assume they do know the password for the wireless network. Now that person can go home and install a home network with the same IP range as at work, the same SSID and password as at work, and ta-da, they are online!

                        But if they don't know the password, then DHCP does not provide the laptop any protection at all. If the users are prevented from joining another wireless network via GP, and you disable the onboard NIC, then DHCP doesn't matter.

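Two of the endpoint controls the thread mentions, the group policy that keeps the laptop off other wireless networks (above) and the USB storage block (DustinB3403's earlier reply), can be set and audited locally with the Windows tooling. The script below is an added example, not code from the thread or from any product it names; the SSID value is a constructed placeholder, and the parsing of `netsh wlan show filters` assumes the `SSID: "<name>"` line format that current Windows builds print.

```powershell
# Added example (not from the thread): Wi-Fi SSID allow-list via netsh wlan
# filters plus disabling the USB mass-storage driver. Run elevated.
$AllowedSsids = @('CORP-WIFI-PLACEHOLDER')   # constructed placeholder; use your corporate SSID(s)
$UsbStorKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Set-WlanAllowList {
    param([string[]]$Ssids)
    foreach ($ssid in $Ssids) {
        # Explicit allow entries take precedence over the denyall filter added below.
        netsh wlan add filter permission=allow ssid="$ssid" networktype=infrastructure | Out-Null
    }
    # Block every infrastructure and ad-hoc network that is not explicitly allowed.
    netsh wlan add filter permission=denyall networktype=infrastructure | Out-Null
    netsh wlan add filter permission=denyall networktype=adhoc | Out-Null
}

function Get-WlanAllowList {
    # Extract the SSID names from the allow-list section of 'netsh wlan show filters'.
    $lines = netsh wlan show filters permission=allow
    foreach ($line in $lines) {
        if ($line -match 'SSID:\s*"([^"]*)"') { $Matches[1] }
    }
}

function Disable-UsbStorage {
    # Start=4 marks the USBSTOR service as disabled, so USB mass-storage devices
    # never get a driver bound; Start=3 (manual) is the Windows default.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
}

function Test-LaptopLockdown {
    # Compliance check: every required SSID is allowed and USBSTOR is disabled.
    param([string[]]$Ssids)
    $allowed  = @(Get-WlanAllowList)
    $missing  = @($Ssids | Where-Object { $allowed -notcontains $_ })
    $usbStart = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    [pscustomobject]@{
        WlanAllowListOk = ($missing.Count -eq 0)
        MissingSsids    = $missing
        UsbStorageOff   = ($usbStart -eq 4)
    }
}

Set-WlanAllowList -Ssids $AllowedSsids
Disable-UsbStorage
Test-LaptopLockdown -Ssids $AllowedSsids | Format-List
```

Filters added this way are machine-local settings that a local administrator can delete again, so for a fleet the same allow/deny lists belong in the Wireless Network (IEEE 802.11) Policies GPO; neither control touches the wired NIC, which the next reply in the thread points out.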
                        • JaredBusch @Dashrender

                          @Dashrender said in Cross Post - How to prevent a company laptop/device from working on external networks:

                          @JaredBusch said in Cross Post - How to prevent a company laptop/device from working on external networks:

                          This can be defeated by anyone simply by updating their home network settings to match the laptop.

                          Granted a lot of users would not know how to do this, but they would figure it out if they wanted.

                          Such stupid.

                          This requires that the users know the password for the wireless, assuming the wireless doesn't use certificate-based authentication like was presented at ML Con.

                          But this idea was the first that popped into my mind.

                          Who said anything about wireless?

                          • Dashrender @JaredBusch

                            @JaredBusch said in Cross Post - How to prevent a company laptop/device from working on external networks:

                            @Dashrender said in Cross Post - How to prevent a company laptop/device from working on external networks:

                            @JaredBusch said in Cross Post - How to prevent a company laptop/device from working on external networks:

                            This can be defeated by anyone simply by updating their home network settings to match the laptop.

                            Granted a lot of users would not know how to do this, but they would figure it out if they wanted.

                            Such stupid.

                            This requires that the users know the password for the wireless, assuming the wireless doesn't use certificate-based authentication like was presented at ML Con.

                            But this idea was the first that popped into my mind.

                            Who said anything about wireless?

                            Good point - I assumed, my bad.

                            Then static definitely does nothing to save you.

                            Does Windows have a way to require the adapter to only join a network that has a given domain on it? If not, again, the aforementioned changing of the home network to use the IP of the office network completely bypasses this 'solution', and portable routers like the one the guy had at ML (though it would need to be one with a wired port as well) would allow that user the ability to use it nearly anywhere.

                            • Dashrender @JaredBusch

                              @JaredBusch said in Cross Post - How to prevent a company laptop/device from working on external networks:

                              @Dashrender said in Cross Post - How to prevent a company laptop/device from working on external networks:

                              @JaredBusch said in Cross Post - How to prevent a company laptop/device from working on external networks:

                              This can be defeated by anyone simply by updating their home network settings to match the laptop.

                              Granted a lot of users would not know how to do this, but they would figure it out if they wanted.

                              Such stupid.

                              This requires that the users know the password for the wireless, assuming the wireless doesn't use certificate-based authentication like was presented at ML Con.

                              But this idea was the first that popped into my mind.

                              Who said anything about wireless?

                              But then now we'd be talking about laptops being on wires - this is a failure in so many ways!

                              • momurda
                                last edited by momurda

                                The OP question is wrong. Their policy on laptops is wrong. Why would users be able to bypass their group policies at home on a domain-joined laptop if they aren't admins? There would be no "insert whatever behavior here" that should affect users at home any more than when at work. For example, their A/V solution would still work at work or at home. Their Windows firewall policies should work inside or outside the office.
                                The best solution is to make a policy of don't do "insert behavior here" on your company laptops. Then to check compliance when the device is on the corporate network and can be scanned. Then fire the people who break the policy.

                                Edit, TL;DR: Make a policy that bans bad behavior and enforce it.

                                • Dashrender

                                  Lol, all of us here talk about all of these HR policies, but the reality is that most SMBs don't have the fortitude to actually back up any policies that they make. Instead they would rather use technology to force the issue and not have to worry about the personal confrontation.

                                  • momurda

                                    That might be true, but there is no practical way to do what the op wants and have happy and productive employees.
                                    He wants his users to take home a brick every night, write some things in Word locally, then bring it to work and connect it to their network. Like it's 1995.
                                    Setting up a policy and scanning for violations is much easier to implement and enforce than what SW OP wants. It is that simple. Or, don't treat your employees like slaves or indentured servants.

                                    • scottalanmiller

                                      Haven't read replies yet but... if IP addressing is their security mechanism they are screwed already.
