Enforcing Remote User Policies

Printable View

January 3rd, 2005, 10:08 PM
AngelicKnight

Enforcing Remote User Policies

So I'm currently reading Kevin Mitnick's The Art of Deception, and one thing I'm learning is that a vast multitude of social engineering schemes take advantage of the fact that many companies allow their employees to use telnet or terminal services to remotely access their servers. To the information thief, this provides two potential strategies to unleash:

Social engineering, in which case the info thief learns enough about the firm to call in under the guise of an employee with a request such as "I forgot my password. Can you help?"

Malware in which a hacker or other kind of data thief could, perhaps using aforementioned social engineering techniques, have a trojan or keylogger installed on an employee's home computer, then sit back and gather all the information necessary to remotely connect to a server and have a field day with unlimited data access.

So, personally, I'm not too worried about the first scenario, since I'm the guy you'd have to social engineer to pull that off, and our company's small enough that I know everyone's voices over the phone. However, it's the second possibility that troubles me. The only way to prevent the second scenario (that I can think of) would be to set up a policy that would require employees who connect to our servers from their homes to make use of antivirus, firewalls, and constant updates. However, how could I enforce such a policy? It's not like I can follow them home and inspect their computers. How would/do you deal with this?
January 3rd, 2005, 10:14 PM
MrLinus

This article I did on Senforce might be helpful. Their small business product could be what you're looking for.

Additionally, you might want to look into the Security Configuration Editor for Windows products. If you're dealing with Linux/Unix products, I haven't run into anything that specifically will limit control over the system (then again, issues like AV and other malware isn't the same as Windows).
January 3rd, 2005, 10:21 PM
dinowuff

The only remote access to my LAN is via CISCO VPN. Group policy that all lusers are in requires an active firewall and antivirus prior to connecting. If the kiddies have disabled the antivirus, the VPN connection will terminate at the gateway. Also, I do not allow split tunneling so once a tunnel is initiated, all internet traffic goes through my gateway. At this point IDS, Web filtering and stateful packet filtering takes place.

Doen't matter how or where they connect, If they don't follow the policy they can't log on. Also when I first set the VPN restrictions I had to kind of lie. Said that the firewall and antivirus requirements were part of the latest IOS and couldn't be disabled.

Just a tip to get past teh managers that think they know how stuff works.
January 3rd, 2005, 10:25 PM
MrLinus

Quote:

Doen't matter how or where they connect, If they don't follow the policy they can't log on.

You mean log on to your network? But what if they are using the "work laptop" for personal home surfing (and let's be real here -- it is done). How does your setup prevent them from turning off/disabling their AV, ensuring their AV is up-to-date, ensuring that they have spyware protection, and have appropriate firewall protection on those laptops?
January 3rd, 2005, 10:31 PM
nihil

Well there are two issues:

1. Stuff picked up on the home PC via e-mail/the internet.

2. Stuff inserted via physical access to the machine.

BUT there is also security at the other end:

1. Mac Address

2. Dial into local server rather than via ISP, it will only accept the telephone number of the valid address.

3. Direct telephone line (similar to above, but a dedicated, anonymous line, a bit like burglar and robbery alarm systems)

4. Virtual private networking?

Just a few thoughts :)
January 4th, 2005, 01:58 PM
dinowuff

Ms Mittens. You're correct about logging on to my network.

The work laptops have remote update clients for AV and without the password, disabling would be difficult. Spyware protection and firewall launch at startup and regedit /regedt32 are not available to users. Actually the people who use their work laptop to surf at home are not the issue. (for Me) It's the people who work form home using their personal PC. Here is an example. User logs onto my LAN (using Cisco VPN) from their home - personal PC. I get paged because antivirus at the gateway is doing it's job. Then I get a page saying that one of the latest Trojans is trying to do it's thing. I have the mac address and ip of the offending client. I end the VPN session and disable the user account until I've had a face to face with the user. Only once have I had to set up a null route from an employee's home ip. Should I say former employee.
January 4th, 2005, 03:50 PM
cacosapo

checkpoint has also a feature called like "integrity security client" (cant remember exactly) that allow some checking before establish the vpn tunnel. You can check, for example, if A/V is up and updated, if some enforces are present, if a specific service/program is up, etc...

a good feature on a vpn client is also disallowing the access the internet during the vpn session. I mean, when you are connect to the company thru vpn, all allowed traffic should be thru the tunnel, avoinding some trojan horse to use your home pc as a bridge to enter on company' lan.
January 4th, 2005, 05:49 PM
VanEck

i am not sure about remotely enforcing, but here we make all the users with deployed laptops bring them in at least once a month. from there, we plug them into the lan, make sure they receive all the latest sms pushes and patches, as well as the symantec update from our server. we have a 'laptop' farm where we can do this... it is a big box that can hold multiple laptops, each with their own lan port and power connection. we plug them in batches over the weekend.