Any tips on how to maintain security for mobile and home users?

[TechnoPro]

I work with a company where almost everyone works from home on their PCs or laptops. There are no hardware standards other than being able to run XP, nor can I realistically impose software restrictions since some of these units are family computers. The company is rapidly growing and I am looking for an effective approach to ensuring some baseline of security.

Right now, my loose protocol is as follows:

* PC must run XP with SP2 and all updates
* Broadband users must be behind a router
* Auto updates and Windows Firewall both on (I disable the latter only if a better product is installed)
* Antivirus software must be current (any vendor)

What, if anything, should I add to the list? How often should I audit these machines? By audit, I mean connect via VNC and give a quick checkup for both security and ensure that the critical business apps (Groove, Outlook, etc.) are functioning.

 

[RebateMonger]

You didn't mention any anti-spyware application. I've seen PCs reduced to total insecurity in two or three clicks with spyware/trojan installations. One of the users at a client's office installed something on a Friday evening that:
1) Redirected his DNS to a Russian DNS server
2) Installed BackOrifice
3) Installed a couple of trojan applications
4) Disabled his anti-virus

The SAFEST thing to do would be to bite the bullet and have the company provide PCs and applications. Apply software restriction policies that only lets an Administrator install software. Make the users run in non-Administrative mode (and not "Power User", either). Instruct users to not let family members use the company's PC.

Practically speaking, you have no guarantee of security with user-owned PCs and spouses and children logging onto the PCs. Detection and removal of malware is difficult and expensive and is getting more so all the time. Prevention by education, limitation of user rights, control of user logons, and appropriate software is the best course, but you'll never get it when users own their own computers.

 

[Goosemaster]

Originally posted by: RebateMonger
You didn't mention any anti-spyware application. I've seen PCs reduced to total insecurity in two or three clicks with spyware/trojan installations. One of the users at a client's office installed something on a Friday evening that:
1) Redirected his DNS to a Russian DNS server
2) Installed BackOrifice
3) Installed a couple of trojan applications
4) Disabled his anti-virus

The SAFEST thing to do would be to bite the bullet and have the company provide PCs and applications.

I agree wholeheartledly. Ownership will give you dominion over users' rights and will make life much easier for you. In addition, users can be held accountable for their actions..and misactions.