We recently switched to allowing only Power User rights on notebook computers. We have a set of notebooks we loan...
out to employees with desktops when they need to travel. Currently, those users login with an account named "loaner" and use scripts and webmail to access the network. Discussion has come up that those accounts should have local admin rights in case a user is stuck at a remote location and needs the rights. Should we grant them local admin rights?
Unfortunately, the convenient and easy access you want to provide to your laptop users also provides the same convenience and accessibility to those with malicious intent. Also, a malicious user doesn't even have to hack into a laptop they just have to steal it. Once it's in their possession, they have access to any company information on the laptop, including sensitive customer and employee information, confidential company plans or a host of any other privileged information. A prospective laptop thief can also hang around an airport lounge or Starbucks, for example, and wait to steal an unattended laptop. Again, no hacking tools or fancy network tricks are required.
The other access control method you mention for your floating laptops -- a single user ID and password for all the laptops -- also creates opportunities for malicious access and use. While it may be a hassle to set up, each user -- not each laptop -- should have their own unique user ID and password for accessing their account on the laptop. Set up an access management system for this. Otherwise, from an information security perspective, you'll have a single point of failure. If one laptop is compromised, the thief can access any other laptop.
One popular enterprise tool is SafeBoot. It's available for many different types of mobile devices, not just laptops. If a laptop has SafeBoot, unless they have the right logon credentials, or user ID and password, all they'll get is an encrypted drive with useless scrambled data. PGP, another vendor, offers a similar product for disk encryption.
Also, before installing any encryption software, conduct a thorough risk analysis of the data that resides on the laptop, and ask yourself the following questions during this process:
- Who is using the laptop and why?
- What is the laptop being used for and what data is carried on it?
- Is the data sensitive customer data, or marketing presentations with publicly available information about the company? This will determine the risk level and whether disk encryption is even worth the cost.
- Can the laptop be used for accessing the corporate network from a remote location? If so, how much access is granted? Is it for accessing e-mail, or for going deeper into company file servers with sensitive information?
Visit our resource center for news, tips and expert advice on improving Web access control.
Dig Deeper on Web authentication and access control
Related Q&A from Joel Dubin
Learn about the purpose of CAPTCHA challenges that enable websites to differentiate bots from authentic users to stop spammers from hijacking forums ... Continue Reading
Proper planning is at the top of the list for single sign-on best practices, but it's important to get enterprise SSO implementations off to a good ... Continue Reading
After a server room door has been compromised, finding a more secure solution is of utmost importance. Learn how to choose a server room door that ... Continue Reading