securing an office with laptops

I would appreciate advice on securing an office ~ 20 computers - at least 2
are laptops (which of course leave the office at times).
Windows 2000/XP.
Naturally networked environment.

This is one small department of a large company (2000+desktops/laptops).

The solution I would like would prevent anyone who stole a laptop from
accessing the network, or the data on the laptop.
Similarly if someone was to try to logon from a desktop in the office
without authority they would need to have more than the computer pswd.

Encryption of the hard drives is not a solution as the department manager
would not accept that as a solution. Also any solution needs
to be at least duplicated so time would not be lost if a logon device/pswd
is not available (media safe on site for storage of a second access device).
Additionally some of the desktops need to be available for up to 5 users who
would need to be able to sign on independent of other users.

Everything in the department is secured behind a secure keycard door.

Is there a simple device that would allow for extra security on all the
computers in the department.

This department is subject to HIPPA rules.

TIA for all input

someone

someone wrote:

> I would appreciate advice on securing an office ~ 20 computers - at least 2
> are laptops (which of course leave the office at times).
> Windows 2000/XP.
> Naturally networked environment.
>
> This is one small department of a large company (2000+desktops/laptops).
>
> The solution I would like would prevent anyone who stole a laptop from
> accessing the network, or the data on the laptop.
> Similarly if someone was to try to logon from a desktop in the office
> without authority they would need to have more than the computer pswd.
>
> Encryption of the hard drives is not a solution as the department manager
> would not accept that as a solution. Also any solution needs
> to be at least duplicated so time would not be lost if a logon device/pswd
> is not available (media safe on site for storage of a second access device).
> Additionally some of the desktops need to be available for up to 5 users who
> would need to be able to sign on independent of other users.
>
> Everything in the department is secured behind a secure keycard door.
>
> Is there a simple device that would allow for extra security on all the
> computers in the department.
>
> This department is subject to HIPPA rules.
>
> TIA for all input
>
>

And what software is the server(s) running? Win 2003 Server has some
ability to set policies on outside connections and if the user does not
meet the policy requirements they cannot logon.

Also, the newer USB keys can be used for certain purposes so maybe those
could provide another layer of security and contain the connection
program, no key and the laptop has no connection information I believe.

There are also keycard readers for added security (used by everyone at
Microsoft) which may also require a PIN so you get two layers of security.


g-w

zz

"someone" <> wrote in message news:<a_6tc.48946$Md.12407@lakeread05>...

> The solution I would like would prevent anyone who stole a laptop from
> accessing the network, or the data on the laptop.
> Similarly if someone was to try to logon from a desktop in the office
> without authority they would need to have more than the computer pswd.

Our network is locked down in that one must authenticate to the PDC
before any other servers are available. From outside the network,
two-factor authentication is required to access, and access is either
via VPN on a hardline or Citrix.

The Dell laptops we use offer a HDD password. This password must be
used in order to access the hard drive and cannot be reset or wiped
out. The computer can be booted from floppy or CD but the HDD is
powered down and unavailable. And we use the same password for each
laptop to keep support simple. This only prevents access to the drive
at boot-up.

Data Security policies keep sensitive data off the laptop drives, and
we continually monitor for compliance.

As for LAN access from internal workstations, we don't worry too much
about that because we are a physically secure facility, so one needs
to know how to access the building before they can access a
workstation. We limit the hours an account can be used and how many
consecutive sessions. In some cases, we also limit the workstations
that the account can be used from, usually for our high turnover
positions, temporary staff, and new hires on probation.

N1POP

>
>Data Security policies keep sensitive data off the laptop drives, and
>we continually monitor for compliance.
>

This is the key element, keeping data off the drives where the
Administrator loses control of it when the laptops go portable. Our
organizations used networked "P" drives (P for personal) for all
critical files and these are only accessible only at network logon and
via a password.

It pays to study why laptops are needed for your organization. If it
is for Sales Demos and Power Point Presentations, then only those
files should be transported using some of the techniques mentioned
earlier. Employees should be trained in the rudements of computer
security.

If employees are demanding convenience and are doing work at home or
at remote locations, they should be logging into your network via a
secure encrypted VPN program.

Beachcomber

Beachcomber

> This is one small department of a large company (2000+desktops/laptops).

No way. Fraud Triagle:

AINSLEY: ( West Wing ) ... "80% of violators are white. Fraudulent
employees are 3 times more likely to be married. They're 4 times more
likely to be men. 16 times more likely to be managers and executives.
And guess what professor .. They are 5 times more likely to have
post graduate degrees. .... and 85% of them will commit fraud given
the right circumstances .. "

You are just kidding yourself if you think some form of academic
security measures will prevent theft of critical company data.
The only solution(s) .. and you need to go take a series of
courses in business ethics .. are to refuse to generate so-called
"critical" data that will liable you in a court of law. When some
CEO calls you in and requests that you "make book" on a group
of employees, realize that it is that man who you should be
keeping track of instead. Most times, "critical data" is just
another word for "White Collar Crime".

johns

johns

www.safeboot.com

Simon.

"someone" <> wrote in message
news:a_6tc.48946$Md.12407@lakeread05...
> I would appreciate advice on securing an office ~ 20 computers - at least
2
> are laptops (which of course leave the office at times).
> Windows 2000/XP.
> Naturally networked environment.
>
> This is one small department of a large company (2000+desktops/laptops).
>
> The solution I would like would prevent anyone who stole a laptop from
> accessing the network, or the data on the laptop.
> Similarly if someone was to try to logon from a desktop in the office
> without authority they would need to have more than the computer pswd.
>
> Encryption of the hard drives is not a solution as the department manager
> would not accept that as a solution. Also any solution needs
> to be at least duplicated so time would not be lost if a logon device/pswd
> is not available (media safe on site for storage of a second access
device).
> Additionally some of the desktops need to be available for up to 5 users
who
> would need to be able to sign on independent of other users.
>
> Everything in the department is secured behind a secure keycard door.
>
> Is there a simple device that would allow for extra security on all the
> computers in the department.
>
> This department is subject to HIPPA rules.
>
> TIA for all input
>
>

Simon Hunt