How can i stop work laptops being used on home routers for internet?


manikm

Technical User
Mar 29, 2001
147
GB
Hi there,

We'd like to lockdown our office laptops, so that they cannot be used to browse the internet.

They are currently plugging them into their own routers at home to surf the net.

Which of course is a big security risk from our (IT) point of view.

Is it possible to do this?

Thanks!
 
If you take them off of DHCP and set their IP config manually then they won't be able to "see" their home routers (wrong subnet).

Problem is if they know enough to set the connection back to DHCP.

There may be some policy settings you could use to lock down the IP config, depends on the OS version.
 
LOL i knew what he meant.

we need dhcp on the corporate LAN.
 
It's really not so much a technology issue, as a policy issue.

You need to talk to upper management, and get a policy in place that says that it is now allowed.

OR, don't allow them to take their laptops home.



Just my 2¢
"Life gets mighty precious when there's less of it to waste." -Bonnie Raitt "Nick of Time"
--Greg
 
we already have a policy in place.

but in the real world - are you really going to sack a good member of staff that's pulling in a lot of fees for the company? no.


 
The solution is rather simple. In simple terms, you have a caching proxy at the workplace (content filter or whatever you want); obviously they will be unable to access it at home. The only issue you may come across is the ability of the users to install something like Firefox. The reason it is an issue is that you can force the proxy and security on LAN connections for IE via GPO, but I have not found a way to do it for other browsers.

I haven't tried this either, but I am assuming most of the gateways are all the same, so you can simply static the gateways or possibly all the DNS servers. So even if they took it home and pulled an IP from the router, the system will still attempt to use your company's DNS servers, which won't allow the connections.

 
If you make sure they don't have "local" admin rights, you won't have to worry about them installing firefox or any other 3rd-party browser.

Then you can apply IE's built-in content filter for no access. Follow the steps here:

~cdogg
"Insanity: doing the same thing over and over again and expecting different results." - Albert Einstein
 
cdogg said:
If you make sure they don't have "local" admin rights, you won't have to worry about them installing firefox or any other 3rd-party browser.

...unless they have Portable Firefox on a USB key...

:)
 
we have device control software - so they cannot use any devices unless approved - and they certainly DON'T have admin rights.

i think forcing DNS or Gateway entries static to our company's ISP's should do the trick

i will have a look at that IE thing - thanks cdogg
 
On further investigation, the IE thing is out of the question - that has to be for very small companies, or for parents controlling their kids' machines.

I think our best option is to force DNS or GATEWAY addresses to our IPs.

BUT it's NIC dependent - so every NIC card has a different windows SID.

Reg key found here:

HKLM\SYSTEM\ControlSet001\Services\{DA65900E-XXXX-XXXX-XXXXXXXXXXXX}\Parameters\Tcpip
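
The per-NIC problem raised in this post can be handled by enumerating the interface subkeys instead of naming one GUID. The script below is an added example, not part of the original post: it assumes the `Tcpip\Parameters\Interfaces` registry layout of current Windows versions rather than the ControlSet001 key quoted above, and the DNS addresses are placeholders from the documentation range.

```powershell
# Added example (not from the thread). $CorpDns holds placeholder addresses
# from 192.0.2.0/24; replace them with the company's real resolvers.
param(
    [string[]]$CorpDns = @('192.0.2.10', '192.0.2.11'),
    [switch]$Enforce    # without this switch the script only reports
)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
$want = $CorpDns -join ','

# There is one subkey per interface, named by that interface's GUID, so
# enumerate the subkeys instead of hard-coding a GUID that differs per laptop.
$report = foreach ($key in Get-ChildItem -Path $base) {
    $props  = Get-ItemProperty -Path $key.PSPath
    $static = [string]$props.NameServer      # empty: DNS comes from DHCP
    $dhcp   = [string]$props.DhcpNameServer  # what the last DHCP lease supplied

    # Exact string match: a list stored with spaces or in another order
    # is reported as non-compliant and rewritten when -Enforce is given.
    $ok = ($static -eq $want)
    if (-not $ok -and $Enforce) {
        # A static NameServer value takes precedence over DhcpNameServer,
        # so the address and gateway can still come from DHCP.
        Set-ItemProperty -Path $key.PSPath -Name NameServer -Value $want
        $ok = $true
    }

    [pscustomobject]@{
        InterfaceGuid = $key.PSChildName
        StaticDns     = $static
        DhcpDns       = $dhcp
        Compliant     = $ok
    }
}

$report | Format-Table -AutoSize
```

Run it from an elevated prompt; without `-Enforce` it changes nothing. It controls name resolution only, so it complements rather than replaces the proxy and no-admin-rights controls discussed in the thread.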


 
Do you go through a proxy at work? This isn't my area, but what we have is the proxy LAN settings set in IE (also uses port 8080) and then access to this page is locked out. This prevents non-admins changing the settings so it doesn't work. It's all done via Group Policies.

Stu.

Only the truly stupid believe they know everything.
Stu.. 2004
 
Hmmmm.. Is it possible to rename iexplorer.exe to something else???

What you might think about is this:

1) Write a script that renames and moves iexplorer.exe. I would also include code to move/rename firefox and all other browsers. IF company policy states that other browsers aren't allowed, I'd delete them instead of rename/move.

2) After you rename/move IE6/IE7 I would also change the attributes to read-only and hidden.

3) Deny all permissions to IE6/IE7.

The above should frustrate the user. Esp. if you change the name of iexplorer and hide it. You might also consider disabling the Administrator Account on each laptop. This way the user's chances of changing things are reduced.

Just some thoughts.
 
Why have a laptop if you can't use it anywhere but the office? Might as well have a desktop. I use mine on the road in hotels and that's what I have it for.
 
I would actually hard code the IP address on a whacked out VLAN subnet (like 172.19.66.48 255.255.255.240, which would be good for 14 users...) and deny permission in the registry for them to be able to change the tcp/ip properties...or, MAC address cloning or something like that.

Burt
 
Since this is a hardware forum how about a hardware solution? ....chain them to their desks (the laptops not the workers)

The answer is "42"
 