2

One of my responsibilities is to manage my mobile users: Sales, Support, Exec, etc. For those out there who do the same, how do you do it? I know it's a very broad question, but how do you keep them up to date with the latest patches, virus defs, etc., and retain their data in the event of a stolen/lost laptop?

TechGuyTJ

2 Answers

2

So based on the lack of response, and the fact that I feel badly that your question got shut down by an answer that doesn't really answer it, this is how we manage our remote users.

So the biggest piece is that we use Windows Terminal Server 2003 for everyone. The advantages include:

Less support time for me (I only have one place to install patches and applications).

The users can have their "work" desktop at home.

If we want the computers to run faster, we don't spend money or time upgrading individual machines, we put more memory or hard drives in the server.

If a remote user's laptop is stolen, while we do lose the hardware, we lose none of our information, unless a user has that info on the flash drive with the laptop. But his email and these things are still safe back at the main office. Also, irate employees cannot "delete" everything when they walk out the door, assuming you are running regular backups on your server that is in a locked closet.

So now to address your questions about security and patches. The truth is I don't worry about them. Before you tar and feather me, here is why. Each machine that is the "dumb terminal" back to the main server runs Windows SteadyState, a free application from Microsoft that resets the machine upon restart. They use the remote desktop application to see their desktop (which is encrypted by default, and the encryption can be turned up as well). If the computer gets infected, the user restarts and life is great.

A problem does now occur. You will always need internet access to be able to get their desktop. True, and so there is some user education needed on this point, and in addition I have basic applications (Word, Excel, PowerPoint) installed on the laptop locally so that they can plug flash drives in to show their presentations or save documents to the flash drive when they are on the plane. They bring the flash drive back to the office and we move the files over.

This (like any solution) does not work perfectly, but for us it has been solid, and I don't see that scaling would be much of an issue. Hope this helps.

Matt
  • I was with you until you said you didn't patch. Using steady state is a fine idea, but only if implemented with a patching policy. Do you not patch AT ALL? Any malicious web site can, at least for a limited time, hijack and control the system. This may not affect your server directly, other than a little extra CPU overhead. But the user is now accessing websites, email, etc from a compromised host. – Joseph Kern Jun 12 '09 at 18:03
  • The laptops themselves are not patched, no, but the main server is. If lack of patching makes you uncomfortable (which I can understand), put that on the list of things to do as well. However, the user, in my scenario, won't be accessing all of those things with the compromised machine. Their data is held on the server, besides the data they would have on their thumb drives, of course. – Matt Jun 12 '09 at 21:39
1

I would take a serious look at VMware ACE, which sounds like a good fit: an encrypted virtual machine that can be controlled from afar.

Now, the previous poster's comments about WSS and Terminal Server are valid. I just don't agree about his patching policy, or lack thereof. Patching is incredibly important on systems you think are secure. Otherwise you build a false confidence in a system that never worked.

If a network connection isn't a consideration, Terminal Server would work well. If your users have intermittent network access, use something like ACE.

Joseph Kern