Security

  • Helpdesk as local admin


    Hi Guys
    So what's the defined best practice regarding HelpDesk personnel being
    given/told local admin account names and passwords on users' PCs/workstations
    in order to undertake routine fault finding and application installation?
    Help Desk techies also regularly insert new workstations into the domain,
    hence they need certain privileges to be able to make new workstations join
    the domain. What could be the most secure way, given the fact that servers
    are running Win 2k3 and client machines are a combination of WinXP and Win2k?
  • No.1 | 2600 bytes

    WALI,

    By default all users have the right to add 10 machines to the domain.
    You can modify the default domain controller policy (not default domain
    policy) to change this.

    I routinely create a group for adding machines, and delegate the right
    to add machines to this group and domain admins, removing authenticating
    users. Sometimes office managers need to add machines such as at a
    remote site without local help desk staff, and I could add them to this
    group without giving them any other help desk level privilege.

    In my experience, the help desk staff needs access to the local admin
    accounts. So, I cut and pasted a script together that would change the
    local admin passwords and would run the script after any IT personnel
    left.

    Local admin passwords on the laptops/desktops should certainly be
    different than the local admin passwords on your servers.

    Walking around the building, I would sometimes hear the users mention
    the local admin password and use it to do something they otherwise
    couldn't.

    I would have to review with the help desk staff the importance of
    keeping this password known only to their group, but invariably the help
    desk staff would give the password out to users who had run into an
    issue while out of the office. Usually, this was the screen saver
    lockout coming on during a PowerPoint presentation.

    So, periodically, I would change the local admin password even if no-one
    had left. Also, I created a group that wouldn't apply the screen saver
    lockout and asked secretaries to let me know if an exec was traveling so
    I could drop them in that group.

    Kind Regards,
    Scott Ramsdell

    Message
    From: listbounce (AT) securityfocus (DOT) com [mailto:listbounce (AT) securityfocus (DOT) com]
    Behalf WALI
    Sent: Saturday, February 03, 2007 7:59 AM
    To: security-basics (AT) securityfocus (DOT) com
    Subject: Helpdesk as local admin

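Scott's approach above (a script that rotates the local admin passwords after staff leave, and never the same password on workstations as on servers) can be done in PowerShell against the WinNT ADSI provider. The following is an added example and not Scott's script or any code from this thread; the OU path, the output path and the domain name are constructed placeholders, and it assumes the operator account is a local administrator on every target and can reach them over SMB/RPC. It goes one step beyond the thread by giving every machine its own random password, so a password that leaks the way Scott describes exposes only one workstation.

```powershell
# Added example, not code from the original thread: rotate the local Administrator
# password on workstations, one random password per machine, and record the result.
# Assumptions (constructed, not from the thread): the account running this is a
# local admin on every target, the targets are reachable over SMB/RPC for the
# WinNT ADSI provider, and the OU path / output path below are placeholders.

param(
    # Placeholder: scope to the workstation OU only, so servers keep their own passwords
    [string]$WorkstationOU = 'OU=Workstations,DC=example,DC=local',
    [string]$LocalAccount  = 'Administrator',
    [string]$OutputCsv     = 'C:\secure\local-admin-rotation.csv'   # placeholder path
)

function New-RandomPassword {
    # Cryptographically random password; rejection sampling avoids modulo bias.
    param([int]$Length = 20)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%&*+-=?@'
    $n     = $alphabet.Length
    $limit = 256 - (256 % $n)            # bytes at or above this are discarded
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $n]) }
    }
    $sb.ToString()
}

function Set-LocalAdminPassword {
    # Sets the local account password on one remote machine via the WinNT provider.
    param([string]$Computer, [string]$Account, [string]$Password)
    $user = [ADSI]"WinNT://$Computer/$Account,user"
    $user.SetPassword($Password)
    $user.SetInfo()
}

Import-Module ActiveDirectory
$targets = Get-ADComputer -Filter * -SearchBase $WorkstationOU |
           Select-Object -ExpandProperty Name

$results = foreach ($c in $targets) {
    $pw = New-RandomPassword
    try {
        Set-LocalAdminPassword -Computer $c -Account $LocalAccount -Password $pw
        [pscustomobject]@{ Computer = $c; Account = $LocalAccount; Password = $pw
                           RotatedAt = (Get-Date).ToString('s'); Status = 'OK' }
    } catch {
        # Unreachable or access denied: record it so the machine is retried, not forgotten
        [pscustomobject]@{ Computer = $c; Account = $LocalAccount; Password = $null
                           RotatedAt = (Get-Date).ToString('s'); Status = "FAILED: $($_.Exception.Message)" }
    }
}

# Write the escrow file and restrict it to the operator who ran the rotation.
$results | Export-Csv -Path $OutputCsv -NoTypeInformation
icacls $OutputCsv /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):(F)" | Out-Null

$results | Select-Object Computer, Status | Format-Table -AutoSize
```

The CSV is the weak point of this design: icacls limits it to the operator, but it is still a plaintext escrow file that has to be guarded and purged. Microsoft's Local Administrator Password Solution (LAPS) does the same job with each password stored on the computer object in AD, protected by ACLs and rotated on expiry, and is the better choice on current domains.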
  • No.2 | 1153 bytes

    If you're worried about your HelpDesk people I'd look into RIS. It comes with Win2k3 Server and allows diskless installation of OSes (network boot). The people installing don't even need admin rights if you configure RIS just so. RIS can also take care of automatically naming the systems for you too.

    Geoff
    Sent from my BlackBerry wireless handheld.

    Message
    From: WALI <hkhasgiwale (AT) gmail (DOT) com>
    Date: Sat, 03 Feb 2007 17:58:34
    To:security-basics (AT) securityfocus (DOT) com
    Subject: Helpdesk as local admin

  • No.3 | 1192 bytes

    I think the best practice would be to create a helpdesk group with stripped
    down admin privileges that are finely tuned to what they require and nothing
    more. So in your case only allow them to install applications and add
    machines to the domain but things like account creation and modifying
    policies should not be available to them.

    Message
    From: listbounce (AT) securityfocus (DOT) com [mailto:listbounce (AT) securityfocus (DOT) com]
    Behalf WALI
    Sent: Saturday, February 03, 2007 8:59 AM
    To: security-basics (AT) securityfocus (DOT) com
    Subject: Helpdesk as local admin

  • No.4 | 529 bytes

    Hi Guys,

    I want to create an administrator account on the domain for my
    helpdesk personnel. I basically want them to only add machines to the
    domain and add user accounts for new employees, with the option to
    change their passwords. Basically, I do not want to give them the
    administrator's password, and I want to control what can be done, potentially
    and accidentally. Can someone assist and let me know how I can do that, and
    provide me the procedures? Any guidance would be great!

    Regards,
    Sohail
  • No.5 | 896 bytes

    Best Practices for Delegating Active Directory Administration

    Regards,

    jq
    Message
    From: listbounce (AT) securityfocus (DOT) com [mailto:listbounce (AT) securityfocus (DOT) com]
    Behalf Sohail Sarwar
    Sent: Tuesday, March 06, 2007 1:33 PM
    To: WALI; security-basics (AT) securityfocus (DOT) com
    Subject: local admin/ domain admin

  • No.6 | 1232 bytes

    Hi Sohail,

    Based off the brief description of what you are trying to accomplish,
    you can do this via Delegation. Basically create a group and stuff all
    of your helpdesk personnel into that group, then delegate the OU that has
    all of your users and/or machine accounts to the group that you created
    for your helpdesk. For a more detailed answer take a look at the
    following link:

    HTH,

    Ryan

    Message
    From: listbounce (AT) securityfocus (DOT) com [mailto:listbounce (AT) securityfocus (DOT) com]
    Behalf Sohail Sarwar
    Sent: Tuesday, March 06, 2007 1:33 PM
    To: WALI; security-basics (AT) securityfocus (DOT) com
    Subject: local admin/ domain admin

  • No.7 | 2102 bytes

    Sohail,

    You will want to use "delegation", one of the options is something along
    the lines of "perform common helpdesk tasks".

    By default, all users can add 10 machines to the domain. You can change
    that in the Default Domain Controller Policy, note that is different
    than the Default Domain Policy.

    In my Windows environments, I created a group "CanAddMachines" and
    dropped the Helpdesk group in there (W00t! nested groups in 2003). Then
    I removed "Everyone" and added "CanAddMachines" in the Default Domain
    Controller Policy (right-click the DC OU).

    What you can delegate is granular, so I never had a need for the built
    in options. I created groups CanChangePasswords, and CanCreateUsers,
    and delegated rights accordingly. This allowed me to control who on the
    Helpdesk could do what. Noobs weren't given the right to change
    passwords, for instance.

    So, check out "delegation" in AD.

    You'll also want to drop the admin accounts, service accounts, etc. into
    an OU above where you delegate rights to the Helpdesk so they can't
    change those passwords. I also dropped CanChangePasswords,
    CanCreateUsers and CanAddMachines outside the reach of the Helpdesk.

    Kind Regards,
    Scott Ramsdell

    Message
    From: listbounce (AT) securityfocus (DOT) com [mailto:listbounce (AT) securityfocus (DOT) com]
    Behalf Sohail Sarwar
    Sent: Tuesday, March 06, 2007 12:33 PM
    To: WALI; security-basics (AT) securityfocus (DOT) com
    Subject: local admin/ domain admin

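Scott's layout above can be scripted. The following is an added example, not code from the thread: it creates the OUs and the CanAddMachines / CanChangePasswords / CanCreateUsers groups with the ActiveDirectory module and applies the delegation with dsacls.exe. Domain name, OU names and group names are constructed placeholders. Two steps go beyond what the thread describes and are marked as such in the code: the OU-scoped permission to create computer objects, and zeroing ms-DS-MachineAccountQuota, the attribute behind the "10 machines" default Scott mentions. The "Add workstations to domain" user right that Scott edits in the Default Domain Controllers Policy is still set in Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment), not by this script.

```powershell
# Added example, not code from the thread: the delegation layout Scott describes,
# built with the ActiveDirectory module and dsacls.exe (both ship with RSAT / the DC).
# Assumptions (constructed): domain EXAMPLE / DC=example,DC=local, run as a Domain
# Admin on a DC or RSAT host; OU and group names are placeholders.

Import-Module ActiveDirectory

$DomainDN = 'DC=example,DC=local'          # constructed
$NetBios  = 'EXAMPLE'                      # constructed
$StaffOU  = "OU=Staff,$DomainDN"           # users the helpdesk may manage
$WksOU    = "OU=Workstations,$StaffOU"     # computer objects the helpdesk may create
$PrivOU   = "OU=Privileged,$DomainDN"      # admins, service accounts and the task groups: not delegated

# 1. Two trees: one the helpdesk is delegated on, one it is not.
$ouSpecs = @(
    @{ Name = 'Staff';        Path = $DomainDN },
    @{ Name = 'Workstations'; Path = $StaffOU  },
    @{ Name = 'Privileged';   Path = $DomainDN }
)
foreach ($ou in $ouSpecs) {
    if (-not [adsi]::Exists("LDAP://OU=$($ou.Name),$($ou.Path)")) {
        New-ADOrganizationalUnit -Name $ou.Name -Path $ou.Path -ProtectedFromAccidentalDeletion $true
    }
}

# 2. Task groups, created inside the privileged OU so helpdesk delegation cannot touch them.
foreach ($g in 'Helpdesk', 'CanAddMachines', 'CanChangePasswords', 'CanCreateUsers') {
    if (-not (Get-ADGroup -Filter "sAMAccountName -eq '$g'")) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Global -GroupCategory Security -Path $PrivOU
    }
}
Add-ADGroupMember -Identity 'CanAddMachines' -Members 'Helpdesk'   # nested group, as in the thread

# 3. Delegate on the Staff tree only. /I:T = this object and everything below;
#    /I:S = sub-objects only. Object type after the ';' limits the ACE to that class.
#    CanCreateUsers: create and delete user objects under Staff
& dsacls.exe $StaffOU /I:T /G "${NetBios}\CanCreateUsers:CCDC;user"
#    CanChangePasswords: the "Reset Password" control right, plus write access to
#    pwdLastSet ("must change at next logon") and lockoutTime (unlock)
& dsacls.exe $StaffOU /I:S /G "${NetBios}\CanChangePasswords:CA;Reset Password;user"
& dsacls.exe $StaffOU /I:S /G "${NetBios}\CanChangePasswords:RPWP;pwdLastSet;user"
& dsacls.exe $StaffOU /I:S /G "${NetBios}\CanChangePasswords:RPWP;lockoutTime;user"
#    CanAddMachines: create computer objects in the Workstations OU. This is an
#    OU-scoped complement (not in the thread) to the "Add workstations to domain"
#    user right Scott grants in the Default Domain Controllers Policy.
& dsacls.exe $WksOU /I:T /G "${NetBios}\CanAddMachines:CCDC;computer"

# 4. Not in the thread: remove the default that lets any authenticated user join
#    10 machines, so joins only work through the explicit grant above.
Set-ADDomain -Identity $DomainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 5. Show the resulting ACEs for review.
& dsacls.exe $StaffOU | Select-String 'CanCreateUsers|CanChangePasswords'
& dsacls.exe $WksOU   | Select-String 'CanAddMachines'
```

Because the groups themselves live in the Privileged OU, a helpdesk member who can reset passwords under Staff cannot reset the password of a Domain Admin or add someone to CanChangePasswords, which is the point Scott makes in his last paragraph.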
  • No.8 | 960 bytes

    You can use the Windows admin kit and install the ADUC snap-in on an XP machine; that way you won't have to give away the admin pwd.
    Sent via BlackBerry from T-Mobile

    Message
    From: "Sohail Sarwar" <ssarwar (AT) ecredit (DOT) com>
    Date: Tue, 6 Mar 2007 13:33:05
    To:"WALI" <hkhasgiwale (AT) gmail (DOT) com>,<security-basics (AT) securityfocus (DOT) com>
    Subject: local admin/ domain admin

  • No.9 | 1366 bytes

    I want to create an administrator account on the domain for my
    helpdesk persons. I basically want them to only add machines to the
    domain, and add user accounts for new employees with the option to
    change their passwords. Basically, I want do not want to give them the
    administrators password and control what be done potentially and
    accidentally Can some one assist and let me know how I can do that?
    provide me the procedures. Any guidance would be great!

    There is a built in group called Account that approximates
    the privileges you wish to grant -- creating (etc) low level users and
    adding computers to the domain.

    Make them a member of this or create a group with similar privileges.

    For delegating on a more granular level you can use the "Delegation
    of Control" Wizard to grant privileges JUST to an OU (or OU tree):
    use AD Users/Computers and right click on the parent OU.

    You can use windows admin kit and install the aduc snap in on an XP
    machine that way you won't have to give away admin pwd

    That won't help by itself since the user will still need to be
    given the privileges to perform the tasks.

    The AdminPak.msi (System32 directory of every DC) can be installed
    on workstations (e.g., XP) to provide the tools, but you still need
    to grant the privileges.
  • No.10 | 708 bytes

    Hi All,

    I do have a question. I wanted to put out a general
    disclaimer like the following in Exchange, so that if any employee
    sends out email to the world outside of the company email, this would be
    at the bottom. Can someone direct me on how to do this and implement
    this on Exchange 2003?

    This message (including any attachments) contains confidential
    information intended for a specific individual and purpose and is
    protected by law. If you are not the intended recipient, you should
    delete this message. Any disclosure, copying, or distribution of this
    message, or the taking of any action based on it, is strictly
    prohibited.

    Thanks!
    Sohail
  • No.11 | 1264 bytes

    Exchange does not allow you to do this; you can only set this up via Outlook for each individual user. You need to purchase third party software in order to do this.
    Sent via BlackBerry from T-Mobile

    Message
    From: "Sohail Sarwar" <ssarwar (AT) ecredit (DOT) com>
    Date: Mon, 2 Apr 2007 21:00:30
    To:"Scott Ramsdell" <Scott.Ramsdell (AT) cellnet (DOT) com>,"WALI" <hkhasgiwale (AT) gmail (DOT) com>, <security-basics (AT) securityfocus (DOT) com>
    Subject: how to setup a global disclaimer in exchange 2003

  • No.12 | 1250 bytes

    Most gateway (outbound relay) content filtering solutions have this ability. Some of the Exchange level antivirus solutions also have this. I would look into the products (I hope you're using one) you are using on your outbound mail relay that does your email content filtering.

    Message
    From: listbounce (AT) securityfocus (DOT) com on behalf of Sohail Sarwar
    Sent: Mon 4/2/2007 9:00 PM
    To: Scott Ramsdell; WALI; security-basics (AT) securityfocus (DOT) com
    Subject: how to setup a global disclaimer in exchange 2003

  • No.13 | 1894 bytes

    You can do this by writing your own VBScript and plugging it into Exchange
    as a transport agent; try Google for more specific info. I think there are
    even a few example scripts, the last I checked.

    Lee

    Message
    From: listbounce (AT) securityfocus (DOT) com [mailto:listbounce (AT) securityfocus (DOT) com]
    Behalf shaheedpak (AT) gmail (DOT) com
    Sent: Monday, April 02, 2007 9:33 PM
    To: Sohail Sarwar; listbounce (AT) securityfocus (DOT) com; Scott Ramsdell; WALI;
    security-basics (AT) securityfocus (DOT) com
    Subject: Re: how to setup a global disclaimer in exchange 2003

  • No.14 | 1829 bytes

    You could try this

    Message
    From: listbounce (AT) securityfocus (DOT) com [mailto:listbounce (AT) securityfocus (DOT) com]
    Behalf Sohail Sarwar
    Sent: Tuesday, April 03, 2007 6:31 AM
    To: Scott Ramsdell; WALI; security-basics (AT) securityfocus (DOT) com
    Subject: how to setup a global disclaimer in exchange 2003



  • No.15 | 1770 bytes

    Hi there,

    If Exchange 2003 cannot do this, can Exchange 2007? And if
    not, do you recommend any third party software?

    Regards,
    Sohail

    Message
    From: shaheedpak (AT) gmail (DOT) com [mailto:shaheedpak (AT) gmail (DOT) com]
    Sent: Monday, April 02, 2007 9:33 PM
    To: Sohail Sarwar; listbounce (AT) securityfocus (DOT) com; Scott Ramsdell; WALI;
    security-basics (AT) securityfocus (DOT) com
    Subject: Re: how to setup a global disclaimer in exchange 2003

  • No.16 | 2820 bytes

    Hi All,

    Try this; we've used it in several sites already.

    Thank you and have a great day,

    Bravo

    Message
    From: listbounce (AT) securityfocus (DOT) com [mailto:listbounce (AT) securityfocus (DOT) com]
    Behalf Sohail Sarwar
    Sent: Monday, April 02, 2007 9:27 PM
    To: shaheedpak (AT) gmail (DOT) com; listbounce (AT) securityfocus (DOT) com; Scott Ramsdell;
    WALI; security-basics (AT) securityfocus (DOT) com
    Subject: RE: how to setup a global disclaimer in exchange 2003


  • No.17 | 1018 bytes

    Tuesday 03 April 2007 13:00, Sohail Sarwar wrote:
    Hi All,

    I do have a question. I wanted to put out a general
    disclaimer like the following in Exchange, so that if any employee
    sends out email to the world outside of the company email, this would be
    at the bottom. Can someone direct me on how to do this and implement
    this on Exchange 2003?
    --
    This message (including any attachments) contains confidential
    information intended for a specific individual and purpose and is
    protected by law. If you are not the intended recipient, you should
    delete this message. Any disclosure, copying, or distribution of this
    message, or the taking of any action based on it, is strictly
    prohibited.

    You realise this has absolutely no legal grounding. (Google for case history)

    Essentially you are just irritating everyone by clogging up message bodies. If
    you want to protect privacy etc, then get clued up on using gpg
    (http://winpt.sf.net)
    --
    Thanks!
    Sohail
  • No.18 | 2065 bytes

    I just wanted to put this out there. How secure is VPN?
    Meaning, if my users take home the client and install it on their
    desktop at home, and connect to the corporate network and production
    network, what are we really looking at? Are they secure or not?

    VPNs are only as secure as you make and maintain them. From your
    questions it is evident that you do not have the basic understanding
    of the technologies behind it. Try googling for "VPN", paying special
    attention to RFCs. You have some homework to do, so go do them.

    Two factor authentication would only help the authentication
    purpose and to protect the user name and password ?

    I am not certain what you mean by "only". The basic tenets of
    security suggest that good security can be achieved when you
    authenticate potential clients with "something they have, something
    they are, and something they do". If you require more than just the
    username and password in order to get in (like a smart card or
    biometrics), you reduce the chance that an intruder could compromise
    the authentication process. Exactly what are you trying to do?

    How about restricting them to access, and how about worrying
    <snip>

    The rest of your questions are valid concerns, and there are many
    products out there that will control exactly what corporate resources
    the user can access (and the time of day when the user can access
    them), and verify that the client machine the user is using meets
    pre-determined security criteria (i.e. updated anti-virus definitions,
    no spyware found, up-to-date operating system patches, etc.). As
    part of your planning, you must also consider the risks of letting
    users use their home machines versus requiring them to use *only*
    authorized machines. Again, you need to do some homework and define
    more precisely what you are attempting to consider. Once you have
    done so, please post back on the list again with specific questions,
    and we'd be glad to help.

    SC
  • No.19 | 2133 bytes

    VPN is as secure as how well it is implemented and used. Also, the various
    encryption algorithms used determine how secure it is. Like everything, it
    is as strong as the weakest link and usually in this scenario that means the
    home user or their PC.

    You're right about the two factor authentication. What were you thinking of
    using: smart cards or similar?

    Giving home users the list of things they must have in place (AV for example)
    is a good idea. Will you allow them to split tunnel from their home
    connections, or will they have to come through the VPN connection to be able
    to browse, so that they can still go through your firewall/proxy etc.?
    The second option is safer but prob slower. And how would you control them when
    they're not on a VPN?
    Depending on how far you want to go, you could specify that they only use
    their laptop for the VPN and have no split, and then they can use their home
    PC for their own use.

    Message
    From: listbounce (AT) securityfocus (DOT) com [mailto:listbounce (AT) securityfocus (DOT) com]
    Behalf Sohail Sarwar
    Sent: Monday, June 18, 2007 11:08 PM
    To: Scott Ramsdell; WALI; security-basics (AT) securityfocus (DOT) com
    Subject: VPN and Security

    Hi there,

    I just wanted to put this out there. How secure is VPN?
    Meaning, if my users take home the client and install it on their
    desktop at home, and connect to the corporate network and production
    network, what are we really looking at? Are they secure or not?

    Two factor authentication would only help the authentication
    purpose and to protect the user name and password?

    How about restricting them to access, and how about worrying
    about their home computer that can be affected?

    Has anyone been through this? Anyone give home users a list of
    requirements that they must have before VPN can be offered to them?

    Should there be some type of desktop policy installed on their
    home computer, just to protect the company network? Any help and
    guidance would be great.

    Regards,
    Sohail
  • No.20 | 2804 bytes

    There are also technologies like Cisco NAC (among others) that can check and
    enforce endpoint compliance with your standards (patch levels, antivirus,
    etc.). That should help on the user side if you can't force them to use a
    company configured and maintained PC from outside the office.
    -Mike

    Message
    From: listbounce (AT) securityfocus (DOT) com
    [mailto:listbounce (AT) securityfocus (DOT) com] Behalf Murda Mcloud
    Sent: Monday, June 18, 2007 9:00 PM
    To: 'Sohail Sarwar'; 'Scott Ramsdell'; 'WALI';
    security-basics (AT) securityfocus (DOT) com
    Subject: RE: VPN and Security


    Message
    From: listbounce (AT) securityfocus (DOT) com
    [mailto:listbounce (AT) securityfocus (DOT) com] Behalf Sohail Sarwar
    Sent: Monday, June 18, 2007 11:08 PM
    To: Scott Ramsdell; WALI; security-basics (AT) securityfocus (DOT) com
    Subject: VPN and Security


  • No.21 | | 4360 bytes | |

    Mike refers to CCA (Cisco Clean Access), CAS and CAM. A great solution
    that we just implemented. You can write checks/rules and roles based on
    anything you want from a client PC. You can check registry, files,
    folders, services, installed apps, updates, even write your own custom
    stuff that enforces that end users agree to your VPN/AUP. It gets set up to
    automate the process so non-technical VPN users just have to click a
    button to remediate the issue.

    It's costly, but ensures that whatever requirements you set are met before
    access is granted.
    - Nick

    Message
    From: listbounce (AT) securityfocus (DOT) com [mailto:listbounce (AT) securityfocus (DOT) com]
    Behalf Michael J. Benedetto
    Sent: Tuesday, June 19, 2007 12:07 PM
    To: 'Murda Mcloud'; 'Sohail Sarwar'; 'Scott Ramsdell'; 'WALI';
    security-basics (AT) securityfocus (DOT) com
    Subject: RE: VPN and Security

    There are also technologies like Cisco NAC (among others) that can check and
    enforce endpoint compliance with your standards (patch levels, antivirus,
    etc.). That should help on the user side if you can't force them to use a
    company configured and maintained PC from outside the office.
    -Mike

    Confidentiality note
    The information in this email and any attachment may contain confidential and proprietary information of VistaPrint and/or its affiliates and may be privileged or otherwise protected from disclosure. If you are not the intended recipient, you are hereby notified that any review, reliance or distribution by others or forwarding without express permission is strictly prohibited and may cause liability. In case you have received this message due to an error in transmission, please notify the sender immediately and delete this email and any attachment from your system.
  • No.22 | | 5009 bytes | |

    the user logs onto a pre-defined approved host through the VPN
    connection, how are you guaranteeing the user only accesses the
    resources that were set up? Meaning, how are you preventing the user
    from 'hop hosting' or having free access to the intranet?

    Message
    From: listbounce (AT) securityfocus (DOT) com [mailto:listbounce (AT) securityfocus (DOT) com]
    Behalf Nick Duda
    Sent: Tuesday, June 19, 2007 11:44 AM
    To: mbenedetto (AT) amnh (DOT) org; Murda Mcloud; Sohail Sarwar; Scott Ramsdell;
    WALI; security-basics (AT) securityfocus (DOT) com
    Subject: RE: VPN and Security

    Mike refers to CCA (Cisco Clean Access), CAS and CAM. A great solution
    that we just implemented. You can write checks/rules and roles based on
    anything you want from a client PC. You can check registry, files,
    folders, services, installed apps, updates, even write your own custom
    stuff that enforces that end users agree to your VPN/AUP. It gets set up to
    automate the process so non-technical VPN users just have to click a
    button to remediate the issue.

    It's costly, but ensures that whatever requirements you set are met before
    access is granted.
    - Nick

  • No.23 | | 4536 bytes | |

    Aside from what everyone else has said you need to consider the legal
    impacts as well. If the home machine is owned by the employee then you have
    few options. Legally you cannot install or force someone to comply with
    your standards if you do not own the equipment. You can of course deny them
    access to the network, but for example, you can't tell the user that they
    have to have xyz software/updates on their machine. Since you don't know
    what software is installed on their home computer you are pretty much
    opening yourself to a big potential bag of worms here.

    If you go down this route I would also suggest you do split tunneling. An
    employee cannot get in trouble for surfing adult sites on their home
    computer if you force all their internet traffic through your Internet pipe
    & filters/logging.

    Having employees work from home is a great idea. There are some big
    technical "what-ifs" as well as legal "what-ifs" that need to be thought
    out before going down this road.

    Easiest solution is to do something like a web-based Citrix or similar.
    Then you don't have to worry about the NAC side or legal side.

    I didn't even touch on the licensing issues either, so if you're a Microsoft
    shop you need to look at the impact of this as well.

  • No.24 | | 6372 bytes | |

    Not sure I understand what you exactly mean, but we don't split tunnel.
    Based on the login name that user is configured to a specific "role".
    This role is configured with certain trusted routes and ACL's through
    the VPN and CCA combo. Basically, when you're on the VPN and CCA server
    you can only do what we want, including access to limited
    websites, etc. If the user wants functionality back, they disconnect
    from the VPN.
    - Nick

    Message
    From: Cruse, Kevin [mailto:k-cruse (AT) ti (DOT) com]
    Sent: Tuesday, June 19, 2007 2:02 PM
    To: Nick Duda; mbenedetto (AT) amnh (DOT) org; Murda Mcloud; Sohail Sarwar; Scott
    Ramsdell; WALI; security-basics (AT) securityfocus (DOT) com
    Subject: RE: VPN and Security

    the user logs onto a pre-defined approved host through the VPN
    connection, how are you guaranteeing the user only accesses the
    resources that were set up? Meaning, how are you preventing the user
    from 'hop hosting' or having free access to the intranet?

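The thread describes two mechanisms without showing how they fit together: Nick's posture checks (registry, services, installed apps, updates, AUP acceptance) that gate access in No.21, and the per-login "role" with trusted routes and ACLs that answers Kevin's "hop hosting" question in No.24. The following is an added example, not Cisco Clean Access configuration or anyone's code from this thread. It models that flow in Python: a client posture record is evaluated against a policy, a non-compliant client is forced into a quarantine role that can only reach a remediation server, and a compliant client gets the ACL of its login's role with default deny for anything unlisted. All policy values, service names, networks, ports and user names are constructed for the example.

```python
"""Posture check -> role assignment -> per-role ACL with default deny.
Added example modelling the NAC flow described in the thread; every
threshold, network, port, service and user name below is constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed posture policy: what a client must show before it gets a working role.
MIN_AV_ENGINE = (7, 1)                         # hypothetical minimum AV engine version
MAX_SIGNATURE_AGE_DAYS = 7
REQUIRED_SERVICES = {"wuauserv", "MpsSvc"}     # Windows Update and Windows Firewall services
MAX_DAYS_SINCE_PATCH = 30


@dataclass
class Posture:
    """Facts the client-side agent reports about the PC (constructed record)."""
    av_engine: tuple
    av_signatures_days_old: int
    running_services: set
    days_since_last_patch: int
    aup_accepted: bool


def posture_failures(p: Posture) -> list:
    """Return the list of failed checks; an empty list means the client is compliant."""
    failures = []
    if p.av_engine < MIN_AV_ENGINE:
        failures.append("antivirus engine too old")
    if p.av_signatures_days_old > MAX_SIGNATURE_AGE_DAYS:
        failures.append("antivirus signatures stale")
    missing = REQUIRED_SERVICES - p.running_services
    if missing:
        failures.append("required services not running: " + ", ".join(sorted(missing)))
    if p.days_since_last_patch > MAX_DAYS_SINCE_PATCH:
        failures.append("patch level too old")
    if not p.aup_accepted:
        failures.append("AUP not accepted")
    return failures


# Constructed role ACLs: ordered (destination network, port or None for any, action).
# First match wins; a destination matched by no rule is denied.
ROLE_ACLS = {
    "quarantine": [                                               # remediation only
        (ipaddress.ip_network("10.0.9.0/24"), 443, "allow"),      # remediation web server
    ],
    "staff": [
        (ipaddress.ip_network("10.0.1.0/24"), 445, "allow"),      # file server shares
        (ipaddress.ip_network("10.0.2.0/24"), 9100, "allow"),     # network printers
        (ipaddress.ip_network("10.0.3.10/32"), 443, "allow"),     # intranet web
        (ipaddress.ip_network("10.0.0.0/8"), None, "deny"),       # no hopping to other hosts
    ],
    "helpdesk": [
        (ipaddress.ip_network("10.0.0.0/8"), 3389, "allow"),      # RDP to any internal host
        (ipaddress.ip_network("10.0.0.0/8"), 445, "allow"),
    ],
}

USER_ROLES = {"alice": "staff", "bob": "helpdesk"}                # constructed login -> role map


def assign_role(user: str, p: Posture) -> str:
    """A non-compliant client lands in 'quarantine' whatever its login's role;
    an unknown login also gets quarantine rather than a working role."""
    if posture_failures(p):
        return "quarantine"
    return USER_ROLES.get(user, "quarantine")


def acl_permits(role: str, dst_ip: str, dst_port: int) -> bool:
    """Evaluate the role's ACL top to bottom; unmatched traffic is denied."""
    dst = ipaddress.ip_address(dst_ip)
    for net, port, action in ROLE_ACLS.get(role, []):
        if dst in net and (port is None or port == dst_port):
            return action == "allow"
    return False


def vpn_decision(user: str, p: Posture, dst_ip: str, dst_port: int):
    """Return (role, permitted) for one connection attempt from a VPN client."""
    role = assign_role(user, p)
    return role, acl_permits(role, dst_ip, dst_port)


if __name__ == "__main__":
    ok = Posture((7, 3), 1, {"wuauserv", "MpsSvc"}, 10, True)
    print(vpn_decision("alice", ok, "10.0.1.5", 445))   # staff may reach the file server
    print(vpn_decision("alice", ok, "10.0.5.5", 22))    # staff may not hop to other hosts
```

The explicit `deny` covering the whole internal range at the end of the staff role is redundant with the default deny, but it is worth keeping: it documents the intent, and it keeps a later `allow` appended below it from silently widening what staff can reach.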
  • No.25 | | 7633 bytes | |

    > Aside from what everyone else has said you need to consider the legal
    > impacts as well. If the home machine is owned by the employee then you have
    > few options. Legally you cannot install or force someone to comply with
    > your standards if you do not own the equipment. You can of course deny them
    > access to the network, but for example, you can't tell the user that they
    > have to have xyz software/updates on their machine. Since you don't know
    > what software is installed on their home computer you are pretty much
    > opening yourself to a big potential bag of worms here.

    If they are connecting to "your" VPN you "CAN" tell them what they need
    to run. If they deny, no access, period. We tend to present VPN access
    as a "perk" rather than a "requirement". If you want to work from home on
    your own equipment then you "WILL" follow our rules; if not, get a
    company issued laptop/workstation.

    With something like CCA, you don't have to worry so much about what the
    user has installed but rather what they don't have installed or what
    they are not doing. Good VPN ACLs and firewall filters will help
    protect against the majority of malware that is on people's home systems
    and likes to "phone home" and spread.

    > If you go down this route I would also suggest you do split tunneling. An
    > employee cannot get in trouble for surfing adult sites on their home
    > computer if you force all their internet traffic through your Internet pipe
    > & filters/logging.

    With content filtering proxy servers you can enforce your corporate
    infosec policies (which should detail acceptable use) via VPN. Again, if
    you're on my VPN you follow company infosec rules. Having something like
    CCA, firewalls and content filtering proxies without using split
    tunneling helps achieve this. When you're done doing "work stuff"
    disconnect from the VPN and go on with your porn browsing habits.

    I don't think there are many legal what-ifs at all with VPN use. The
    employee consents to the company's terms, and so long as those terms are
    not illegal in themselves then all is fair game.

    Message
    From: listbounce (AT) securityfocus (DOT) com [mailto:listbounce (AT) securityfocus (DOT) com]
    Behalf Herb Steck
    Sent: Tuesday, June 19, 2007 3:33 PM
    To: security-basics (AT) securityfocus (DOT) com
    Subject: RE: VPN and Security

    Aside from what everyone else has said you need to consider the legal
    impacts as well. If the home machine is owned by the employee then you have
    few options. Legally you cannot install or force someone to comply with
    your standards if you do not own the equipment. You can of course deny them
    access to the network, but for example, you can't tell the user that they
    have to have xyz software/updates on their machine. Since you don't know
    what software is installed on their home computer you are pretty much
    opening yourself to a big potential bag of worms here.

    If you go down this route I would also suggest you do split tunneling. An
    employee cannot get in trouble for surfing adult sites on their home
    computer if you force all their internet traffic through your Internet pipe
    & filters/logging.

    Having employees work from home is a great idea. There are some big
    technical "what-ifs" as well as legal "what-ifs" that need to be thought
    out before going down this road.

    Easiest solution is to do something like a web-based Citrix or similar.
    Then you don't have to worry about the NAC side or legal side.

    I didn't even touch on the licensing issues either, so if you're a Microsoft
    shop you need to look at the impact of this as well.

  • No.26 | | 5297 bytes | |

    >>If you go down this route I would also suggest you do split tunneling.

    Do you mean for a more secure setup he should split tunnel? Do you mean
    for less legal hassle he should split tunnel? (Like Hopper's brother said: I
    got confused.)
    As I said, the split tunneling makes me think 'less secure' precisely
    because the user can be surfing pr0n/bearshare etc. whilst printing to a
    network printer or accessing a share on the file server at the office.


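Herb's suggestion to split tunnel (No.25) and Murda's objection (No.26) turn on one routing fact: with a split tunnel the client's corporate traffic leaves via the VPN interface while its default route still points at the home connection, so the corporate network and the untrusted home LAN/Internet are reachable at the same time through different paths. The following is an added example, not code from any poster or VPN product, that makes the distinction concrete: it does longest-prefix matching over a simplified routing table, classifies it as full-tunnel, split-tunnel or not connected, and flags the simultaneous exposure Murda describes. The route tables, interface names (`tun0`, `eth0`), corporate range and probe addresses are all constructed for the example; the table is a plain list of (destination, interface) pairs, not the output of any OS tool.

```python
"""Classify a VPN client's routing table as full-tunnel, split-tunnel or
not connected, and report which zones it can reach simultaneously.
Added example; route tables, interface names and addresses are constructed."""
import ipaddress

VPN_IFACE = "tun0"     # assumed name of the VPN tunnel interface
HOME_IFACE = "eth0"    # assumed name of the home LAN interface

# Constructed probe destinations, one per zone of interest.
PROBES = {
    "corporate": "10.0.1.5",      # constructed corporate file server
    "home_lan": "192.168.1.50",   # constructed neighbour on the home LAN
    "internet": "203.0.113.7",    # TEST-NET-3 address standing in for the Internet
}


def egress_iface(routes, dst_ip):
    """Longest-prefix match over (network, interface) pairs, as a kernel would do it.
    Returns None when no route covers the destination."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_iface = None, None
    for net_str, iface in routes:
        net = ipaddress.ip_network(net_str)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def exposure(routes):
    """Map each probe zone to the interface its traffic would leave on."""
    return {zone: egress_iface(routes, ip) for zone, ip in PROBES.items()}


def tunnel_mode(routes):
    """'full'  : corporate and Internet traffic both go through the VPN
       'split' : corporate via the VPN, Internet directly from the home connection
       'none'  : the corporate network is not reachable through the VPN at all"""
    e = exposure(routes)
    if e["corporate"] != VPN_IFACE:
        return "none"
    return "full" if e["internet"] == VPN_IFACE else "split"


def bridges_networks(routes):
    """True when the client reaches the corporate network over the VPN while an
    untrusted zone (home LAN or Internet) is reachable over another interface,
    which is the split-tunnel exposure discussed in the thread."""
    e = exposure(routes)
    untrusted_direct = any(e[z] not in (VPN_IFACE, None) for z in ("home_lan", "internet"))
    return e["corporate"] == VPN_IFACE and untrusted_direct


# Constructed route tables.  The full-tunnel table keeps only a host route to
# the VPN gateway's public address (TEST-NET-2) on the home interface, which is
# what a client that disables local LAN access leaves behind.
FULL_TUNNEL = [("0.0.0.0/0", "tun0"), ("198.51.100.1/32", "eth0")]
SPLIT_TUNNEL = [("0.0.0.0/0", "eth0"), ("10.0.0.0/8", "tun0"), ("192.168.1.0/24", "eth0")]
NO_VPN = [("0.0.0.0/0", "eth0"), ("192.168.1.0/24", "eth0")]


if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL), ("none", NO_VPN)):
        print(name, tunnel_mode(table), exposure(table), bridges_networks(table))
```

A compliance check like the CCA rules Nick describes can use the same logic against a real client's routing table: a table that reports `split` while a no-split policy is in force is a misconfigured or tampered client, and with the gateway's own /32 excluded from the untrusted set the check does not false-positive on the host route every full-tunnel client needs.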