If you tell enough stories, perhaps the moral will show up.

2009-11-06

The non-Build Build

From time to time we issue non-build laptops to people who want to use the SSL VPN but don't have a suitable personal machine . It's not a practice that gives me much pleasure, as the temptation will always be to assume that it's OK to put firms data on one of these. And it's not.

So I've been developing a little list: what we should do to a standard manufacturer's XP install so that it can be placed in the permanent, unmanaged care of a regular user. Here's what I have:

  • Truecrypt set up for the system partition. (If there's and I386 on d: or e:, leave that in clear.) Why encryption? 1) because I don't trust them not to put firms data on it, and 2) it's an immediate downer for a thief.
  • The MVPS hosts file. It doesn't auto update, but it's a good start.
  • Default Browser: Chrome. It's not IE so it's under attacker's radar, but it does auto update even if you never run as admin
  • Microsoft AV -- seems to have difficulty with non-admin updates, but better than nothing.
  • The default log in takes you to a non-admin account.
  • Default settings on the Windows firewall, and Windows update.
It's not much -- in particular you can't make Adobe and Java auto update on a non-admin machine, but it is better than nothing.

No comments: