securing mobile users at hotspots

djc

so far I have only had 'remote' users. By 'remote' I mean I have been in
control of the machine they are using *and* the network (home) they are
connecting from. I securely configure their home router, I supply them with
a company laptop that picks up our group policy before leaving, has our
company AV software, and is configured with a VPN connection to our network.
After connecting to VPN, users RDP to their desktops.

I realize the setup I'm using now would not work for 'mobile' users
connecting from public wi-fi hotspots and such since I don't have control of
those networks. Is it just a matter of adding a good host-based personal
firewall into the mix? (if so, any recommendations on what's currently a good
one would be appreciated, it seems to change every time I check)

any input on this in general would be greatly appreciated.
 
Miha Pihler [MVP]

Hi,

I can recommend you a firewall that comes with Windows XP SP2. You can even
use group policy to configure it.
 
djc

Ya, I'm aware of it, but I was under the impression it would not suffice.
Not as robust as third party packages and too easily manipulated by
malicious code. That's what I'm told anyway. I guess you disagree with that?
Using GPOs is certainly a bonus, but would changes in GPOs be picked up
over VPN?
 
Miha Pihler [MVP]

Hi,

Malware will need administrative privileges to e.g. disable Windows
Firewall. As long as your users are local administrators on their computers,
malware will be able to do just about anything and it doesn't matter what
firewall you install on the computer. So, first step in securing your
clients is to make sure that users are not local administrators.
Updating Group Policies over VPN depends mostly on VPN configuration and
Group Policy settings. If you set it up correctly (be careful about filters
between clients and domain controllers) they will be able to update group
policy settings over VPN.
 
djc

yep yep on the local admin thing. None of my users run with admin
privileges.

on the gpo thing. You mentioning being careful about filters between client
and DC brought up some questions:
1) would the windows firewall, by default, also apply to the 'vpn'
connection?

2) if the answer to 1 is no, can you make it apply to the vpn connection?

3) can you configure windows firewall rules separately for different network
adapters, including vpn?
 
Miha Pihler [MVP]

Hi,

If you select "Protect all network connections" it will also raise a
firewall on VPN connection.

All policies apply to all inbound connections regardless of adapter. In
general you could try using IPSec Filters -- but they can be quite hard to
manage.
 
djc

ok, thanks

Miha Pihler said:
Hi,

If you select "Protect all network connections" it will also raise a
firewall on VPN connection.

All policies apply to all inbound connections regardless of adapter. In
general you could try using IPSec Filters -- but they can be quite hard
to manage.
 
