Making your laptops traveling fortresses

MORE ON THIS TOPIC Featured Topic: Battening down Windows In this collection of stories, SearchWin2000.com takes a look at the locks on Windows. Are yours battened down against the dark side of IT? Featured topic: Bulletproof windows -- reining in users What network hasn't suffered because a user downloaded a game that turned out to be a Trojan horse? Check out the security resources in this Featured Topic to learn how to keep your users in line. Webcast: Top 10 XP security problems (and solutions) In this webcast, security expert Roberta Bragg separates the hype from the reality on Windows XP, distinguishes the good from the bad and delineates essential versus non-essential XP features.

When I was growing up, "locking down the notebook" meant doing your own work and not allowing your friends to copy your homework. We didn't know diddly about locking down a notebook computer; they didn't exist.

Today, people use notebook computers everywhere and for everything. Critical, sensitive corporate and private data goes with them, and it is as vulnerable to attack, theft and destruction as a small child's lunch money when the school bully comes around. And yet even those charged with maintaining notebooks for corporate users still don't know diddly about locking them down.

Let's you and I change that. Here are 13 things you need to do to lock down laptops.

While some suggestions are extreme -- and may be impossible to follow in some circumstances -- you can painlessly institute many of them on a Windows 2000/XP Professional system. Whether you're worried about your own machine, or you're pulling together a program for thousands of laptops, these steps will ensure better security.

1. Use a physical lock! All your defensive techniques will mean little if anyone can walk away with the box. Don't forget to ensure that laptop hard drives are protected, too. With many modern laptops, you can prevent removal of hard drives when the system is locked. Purchase laptops with this facility and use it, or remove hard drives and lock them in a safe when laptops must be left unattended.

2. Use encryption to protect sensitive files, and protect the encryption keys. Windows Encrypting File System (EFS) provides strong protection, but it requires two things. First, you must use strong passwords or other authentication factors (biometrics, smart cards and the like). If someone can log on as you, that person can decrypt and read your encrypted files. Likewise, prevent unauthorized access to the local Administrator account of a standalone Windows 2000 system. This account serves as the EFS Recovery Agent, so it can also decrypt your files. Second, export the keys to a floppy disk, delete the keys from the hard drive, and keep the floppy separate from the laptop while traveling. Re-import the keys when you need to access current files or encrypt new ones. Then export the keys before you shut the system down again. (No keys, no decryption.)

3. Develop, apply and audit the use of a security template. Security templates can include strong account policies, restrict user rights, apply auditing and set various security options. You can import security templates into Group Policy and then broadcast to thousands of computers, or use them locally. You can also audit them, which means you can confirm that your secure settings remain in place. If they've changed, reading audit logs will show who modified them.

4. Vet all applications before installing them, and rigorously remove all unapproved applications, or flash a new build of the system periodically. When laptops are periodically built from scratch, users give up on loading their own software or storing private data. Help desk calls are reduced as well.

5. Remove or disable vendor-installed phone-home utilities. Uncheck XP's automatic updating, unless this is your patching strategy (see below). Remove Media Player's ability to identify you and disable Universal Plug and Play. But also look elsewhere. Earthlink, Toshiba and others attempt to provide you with automatic update services.

6. Formally adopt an updating strategy -- the strategy you use will depend on the number of laptops you have to defend. Possibilities include Windows Update, Baseline Security Analyzer and Software Update Services.

7. Determine application and access rules for users of all types and implement using Group Policy. Here's where you can lock down IE, NetMeeting and Control Panel, clean up the desktop and regain administrative control. You can do it in an organized fashion and apply it mercilessly across kazillions of user machines.

8. Provide a hostile territory spare drive for users traveling to hostile territory. Pre-install this drive, or provide instructions on how to install it. Hostile-territory drives include no company data or software, and no way to connect back to the company. Users can surf the Internet, use chat and participate in third-party networks, but even if the computer is compromised, exposure is limited to recent user activity. Train users not to discuss confidential data while in hostile territory. And what's hostile territory? It includes public wireless networks, technical conference networks and other third-party, untrusted networks. Why do you think people flock to security conferences that focus on the vulnerabilities of wireless networks? Do you really believe all users of a public wireless network are innocent, well behaved and ethical?

9. Limit access to and use of wireless networking cards and access points. Don't allow just anyone to set up a wireless access point. Access points provide a huge hole in your corporate defense. Unscrupulous users may be able to connect to your network from outside the building, right around your firewall. But do set up firewalled wireless access points for employees. Consider every machine with a wireless card a potential access point for intruders. How do you know which wireless network they're joining?

10. Lock down Internet Explorer. With IE's numerous security configurations, you can stop the use of JavaScript or Active X controls, cookies and other activities. While this may severely restrict cruising the Net, does every user need to do so unrestricted? Use IE zones to define particular places, say the company intranet, partner sites and approved vendor sites, where fewer restrictions may apply.

11. Purchase laptop-tracking services. If you don't, when a laptop gets stolen or lost, you have little hope of reclaiming it. Laptop tracking services run in the background on the laptop and send their location to the tracking service. If your laptop is stolen, you alert the service company, and it starts looking for your laptop's message. When the thief or the new owner connects to the Internet, he's caught. Interestingly, when company laptops are reported stolen, the culprit is most commonly an employee who took the box for himself and lied about how it disappeared.

12. Provide and use antivirus software and keep it updated.

13. Train users in OPSEC. OPSEC is a military strategy that examines your fortress from the enemy's viewpoint. This enables you to apply defensive strategies. If you train your users in OPSEC, perhaps they'll realize how vulnerable their laptop computer and its data is and act to protect them.

About the author

Roberta Bragg, MCSE, CISSP, MCT, MCP, is a well-known Windows security consultant, columnist and speaker. Her publishing credits include "ISA Training Guide," "MCSE Windows 2000 Network Security Design" and "Windows 2000 Security."