This might be a good application for Windows Terminal Server or Citrix. As you suggest, keep all the data on the corporate server. You still may have the potential for the user copying and saving data or printing confidential information, but you could at least have a policy that says this is not allowed. Not strong enough in my opinion but maybe legally sufficient.

John Christiansen, what do you say concerning the legal sufficiency of a policy to that effect?

>>> John E Jewkes-AAA0OR <aar0mi@private> 11/30/01 08:10PM >>>

OR, as we did at ThrustMaster (now CenterSpan Communications) when I was there, we set up two separate dial-in accounts for those folks who did work from home. One which allowed them ONLY access to the Intranet for at-home work, and one that allowed ONLY access to the Internet. All their secure information was kept on a server at work, not in the home PC, and 'Auto-Login' was NOT allowed.

For example, when dialing up for the Intranet, all their secure data was on Network Drive 'I:', but the dial-in access automatically redirected their data to Drive U:. Anyone attempting to log in using a direct link to Drive I: was assumed to be a hacker, and was locked out. It took a request in person to the IT manager, Paul, to get the connect authority reset.

When dialing up for the Internet, all login was redirected by script to Drive W:. Again, anyone trying to go directly to Drive X: would be blocked.

Pretty good set-up in my opinion. (IMO)... ;-)

Hope this info gives someone a thought.

73 de John Jewkes W6HNC/AAA0OR
US Army MARS State Director, Oregon

On Fri, 30 Nov 2001 18:33:48 -0800 jradke@private writes:

Heidi,

Strictly my opinion but take into consideration:

Users VPN to corporate via the Internet, so what should they be able to access? You want them to follow the same security policy that you have to protect your users at work!

FREQUENTLY users connect to the Internet, start up their VPN tunnel to work and leave it up all day (while they also surf the net), all the while their home PC has a very tasty connection to corporate's network! What's easier to hack? A home PC running 98, ME, or your corporate firewall?

Enforce the security policy by preventing the users from accessing the Internet through their local ISP connection. Most VPN solutions can set up the user profile to use the secured tunnel as the default gateway, not the Internet. This means if the user wants to access the Internet they must do so through the tunnel using the rules set up on your firewall. You can also disallow the user from accessing the Internet through the tunnel at all!

Understand that the purpose of the tunnel is to gain access to network resources securely, remotely and for work purposes. If the user needs to access the net then they need to do it when not connected to corporate.

In brief, do not allow users access to the Internet except through the corporate firewall, if at all.

-JGR

-----Original Message-----
From: Heidi [mailto:mcps@private]
Sent: Friday, November 30, 2001 2:56 PM
To: CRIME
Subject: Re: CRIME secure mail programs/internet

Thank you to all who have responded to my questions. All your suggestions are very much appreciated and will help me greatly with trying to point out these security/confidentiality issues to this organization. I am always open to more suggestions and recommendations.

Thank you.

Heidi
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:36:36 PDT