Wireless Networking - securing mobile users at hotspots

 
Old 10-05-2006, 01:45 PM   #1
Default securing mobile users at hotspots


so far I have only had 'remote' users. By 'remote' I mean I have been in
control of the machine they are using *and* the network (home) they are
connecting from. I securely configure their home router, I supply them with
a company laptop that picks up our group policy before leaving, has our
company AV software, and is configured with a VPN connection to our network.
After connecting to VPN, users RDP to their desktops.

I realize the setup I'm using now would not work for 'mobile' users
connecting from public wi-fi hotspots and such since I don't have control of
those networks. Is it just a matter of adding a good host-based personal
firewall into the mix? (if so, any recommendations on what's currently a good
one would be appreciated, it seems to change every time I check)

any input on this in general would be greatly appreciated.




djc
Old 10-05-2006, 02:01 PM   #2
Miha Pihler [MVP]
 
Default Re: securing mobile users at hotspots

Hi,

I can recommend you a firewall that comes with Windows XP SP2. You can even
use group policy to configure it.

--
Mike
Microsoft MVP - Windows Security

Old 10-05-2006, 02:13 PM   #3
djc
 
Default Re: securing mobile users at hotspots

Ya, I'm aware of it, but I was under the impression it would not suffice.
Not as robust as third party packages and too easily manipulated by
malicious code. That's what I'm told anyway. I guess you disagree with that?
Using GPO's is certainly a bonus, but would changes in GPO's be picked up
over VPN?

Old 10-05-2006, 02:42 PM   #4
Miha Pihler [MVP]
 
Default Re: securing mobile users at hotspots

Hi,

Malware will need administrative privileges to e.g. disable Windows
Firewall. As long as your users are local administrators on their computers,
malware will be able to do just about anything and it doesn't matter what
firewall you install on the computer. So, first step in securing your
clients is to make sure that users are not local administrators.
Updating Group Policies over VPN depends mostly on VPN configuration and
Group Policy settings. If you set it up correctly (be careful about filters
between clients and domain controllers) they will be able to update group
policy settings over VPN.

--
Mike
Microsoft MVP - Windows Security

Old 10-05-2006, 04:01 PM   #5
djc
 
Default Re: securing mobile users at hotspots

yep yep on the local admin thing. None of my users run with admin
privileges.

on the gpo thing. You mentioning being careful about filters between client
and DC brought up some questions:
1) would the windows firewall, by default, also apply to the 'vpn'
connection?

2) if the answer to 1 is no, can you make it apply to the vpn connection?

3) can you configure windows firewall rules separately for different network
adapters, including vpn?


Old 10-10-2006, 07:31 PM   #6
Miha Pihler [MVP]
 
Default Re: securing mobile users at hotspots

Hi,

If you select "Protect all network connections" it will also raise a
firewall on VPN connection.

All policies apply to all inbound connections regardless of adapter. In
general you could try using IPSec Filters -- but they can be quite hard to
manage.

--
Mike
Microsoft MVP - Windows Security
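
An audit of the two points made in posts #4 and #6 (no unexpected local administrators, and Windows Firewall enabled with Group Policy taking precedence), as an added example that is not part of the original thread. It assumes Windows PowerShell on an English-language system where the group is named "Administrators"; `$allowedAdmins` and `Get-FirewallState` are hypothetical names chosen for illustration.

```powershell
# Added example, not from the thread. Assumption: English-language Windows.
# $allowedAdmins is a hypothetical allow-list; adjust it for your environment.
$allowedAdmins = @('Administrator', 'Domain Admins')

# 1. Enumerate the local Administrators group through the WinNT ADSI provider.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
$unexpected = @($members | Where-Object { $allowedAdmins -notcontains $_ })

# 2. Read the firewall state per profile. The Group Policy key (set by
#    "Windows Firewall: Protect all network connections") overrides the
#    local setting, so it is checked first.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$localRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

function Get-FirewallState([string]$profileName) {
    foreach ($root in $policyRoot, $localRoot) {
        $key  = Join-Path $root $profileName
        $prop = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($prop -and $null -ne $prop.EnableFirewall) {
            $source = 'local setting'
            if ($root -eq $policyRoot) { $source = 'Group Policy' }
            return @{ Enabled = ($prop.EnableFirewall -eq 1); Source = $source }
        }
    }
    return @{ Enabled = $false; Source = 'not configured' }
}

$findings = 0
foreach ($name in $unexpected) {
    Write-Output "FINDING: '$name' is a member of local Administrators"
    $findings++
}
foreach ($profileName in 'DomainProfile', 'StandardProfile') {
    $state = Get-FirewallState $profileName
    if ($state.Enabled) {
        Write-Output "OK: firewall on for $profileName ($($state.Source))"
    } else {
        Write-Output "FINDING: firewall off for $profileName ($($state.Source))"
        $findings++
    }
}
# A non-zero exit code lets a logon script or management agent flag the laptop.
exit $findings
```

StandardProfile is the profile in effect when the laptop is away from the domain network, which is the hotspot case discussed in this thread.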

Old 10-12-2006, 09:07 PM   #7
djc
 
Default Re: securing mobile users at hotspots

ok, thanks
