This might be a good application for Windows Terminal Server or Citrix. As you suggest, keep all the data on the corporate server. You still may have the potential for the user copying and saving data or printing confidential information but you could at least have a policy that says this is not allowed.
Not strong enough in my opinion but maybe legally sufficient. John Christiansen, what do you say concerning the legal sufficiency of a policy to that effect?
>>> John E Jewkes-AAA0OR <aar0mi@private> 11/30/01 08:10PM >>>
OR, as we did at ThrustMaster (Now CenterSpan Communications) when I
was there, We set up two separate dial-in accounts for those folks who
did
work from home. One which allowed them ONLY access to the Intranet for
at home work, and one that allowed ONLY access to the Internet. All their
secure information was kept on a Server at work, not in the home PC, and
'Auto-Login' was NOT allowed. For example, when dialing up for the
Intranet,
all their secure data was on 'Network Drive 'I:', but the dial-in access
automatic
redirected their data to Drive U:. Anyone attempting to log-in using a
direct link
to Drive I: was assumed to be a hacker, and was locked out. It took a
request
via person to the IT manager, Paul, to get the connect autority reset.
When dialing up for the Internet, All login was redirected by
script to Drive
W: again, anyone trying to go directly to Drive X: would be blocked.
Pretty good
set-up in my opinion. (IMO)... ;-)
hope this info gives someone a thought.
73 de John Jewkes W6HNC/AAA0OR
US Army MARS State Director, Oregon
On Fri, 30 Nov 2001 18:33:48 -0800 jradke@private writes:
Heidi,
Strictly my opinion but take into consideration:
Users VPN to corporate via the Internet so what should they be able to
access? You want them to follow the same security policy that you have to
protect your users at work! FREQUENTLY users connect to the Internet,
startup their VPN tunnel to work and leave it up all day (while they also
surf the net) all the while their home PC has a very tasty connection to
corporates network! What's easier to hack? A home PC running 98,ME, or
your corporate firewall?
Enforce the security policy by preventing the users from accessing the
Internet through their local ISP connection. Most VPN solutions can setup
the user profile to use the secured tunnel as the default gateway not the
Internet. This means if the user wants to access the Internet they must
do so through the tunnel using the rules setup on your firewall. You can
also disallow the user from accessing the Internet through the tunnel at
all! Understand that the purpose of the tunnel is to gain access to
network resources securely, remotely and for work purposes. If the user
needs to access the net then they need to do it when not connected to
corporate.
In brief, do not allow users access to the Internet except through the
corporate firewall, if at all.
-JGR
-----Original Message-----
From: Heidi [mailto:mcps@private]
Sent: Friday, November 30, 2001 2:56 PM
To: CRIME
Subject: Re: CRIME secure mail programs/internet
Thank you to all who have responded to my questions. All your
suggestions are very much appreciated and will help me greatly with
trying to point out these security/confidentiality issues to this
organization. I am always open to more suggestions and recommendations.
Thank you. Heidi
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:36:36 PDT