By Manfred Grisebach, July 2017
IST Workstation Services has recognized that laptops typically used off campus for six months or more need to be treated differently from laptops that come and go. This document identifies the concerns managers need to take into account for these PCs.
On campus or off, it is important that clients do NOT routinely log on with an administrative account, one with permission to make significant local changes. When such a change is required, Windows (through User Account Control) lets the logged-on client elevate for that one task, and only that task, and then carry on with their regular logged-on credentials. For PCs away from campus this is even more critical, because a PC that is logged on administratively:
· is left in a vulnerable state when unattended, and
· is far too easy to compromise inadvertently.
Join all PCs and laptops to Nexus, whether or not they stay on campus. Have the client who will use the laptop log on with Nexus credentials while the laptop is still on campus, so that the account and profile are created while a domain controller can be reached.
PLEASE NOTE: These credentials continue to work while the laptop is away, even if it never contacts UW or its domain controllers, because Windows caches them locally on the PC. Only accounts that have logged on at least once while a domain controller was reachable are cached, and the number of such accounts is limited by the "Interactive logon: Number of previous logons to cache" security setting, which is why the first logon must happen on campus.
The biggest advantage is that the security policies defined in Nexus, by the campus and also by individual departments and faculties, are applied before the laptop leaves. Another advantage is that if Offline Files settings are applied (as they are in Academic Support areas), then whenever the laptop returns to campus (physically, or virtually via VPN) the local copies of home-drive files are synchronized to campus servers, where they are backed up, without any client intervention.
Joining Nexus is only a problem if the policies that apply there were not first vetted for use on a laptop that will be away from campus.
Joining Nexus (above) usually gets an SCCM client installed as well. This is of immense value on campus, but (at the moment) of only limited value away from campus. Again, there is no harm in having this client installed; it is small and innocuous.
The advantages of having an SCCM client installed apply only while the PC is physically on campus. Because the SCCM site boundaries include only the campus intranet and registered Eduroam clients, the advantages of SCCM cannot be fully leveraged over VPN or other remote network access.
These are the same as the Pros mentioned above.
Group Policy Objects (GPOs) remain the main tool used to keep PCs secure. By enforcing password requirements and enabling appropriate operating system settings, the client and PC stay protected using campus-proven techniques that we know will not interfere with the use of a laptop away from campus. That is the key: identifying and applying only GPOs that keep a laptop safe while it is away. NOTE: Important policies stay "tattooed" on a PC even when it cannot reach a domain controller: the settings from the last successful policy refresh remain in effect, and they are only re-evaluated once a domain controller is reachable again. That is why choosing them carefully matters.
This section does NOT list all of the GPOs applied to all PCs, as that information is available elsewhere. It focuses on the ones that are important on campus but not so good if applied to laptops that are away from campus too long, and on GPOs that help while the PC is away.
- Local Administrator Password Solution (LAPS) – changes the password of the default administrator account after a fixed period and stores the password and its expiry time in Active Directory. The LAPS client checks that expiry time during Group Policy refresh and must write the new password to AD before changing it locally, so once the laptop stops checking in with Nexus the expiry date passes unnoticed and the local password remains the same. The next time the laptop appears on campus, the change happens. NOTE: Having it changed at all is still better than never having it changed.
- Drive mapping GPOs – These are of benefit on campus but obviously cannot connect the drives while away from campus. Again, not harmful to leave as is.
- Offline Files – Nexus policies work to make a PC as close to an easily replaceable appliance as possible by storing as much personal data as possible on campus servers, usually in the client's home drive (N: drive). Offline Files keeps a local copy of this home drive on the PC, so when the PC is off campus it appears that the N: drive is still available. Changes are synchronized with campus servers every time the PC appears on campus (physically, or virtually via VPN), which is ideal for the client because on-campus server data is backed up and can be restored if required. Provided the "Encrypt the Offline Files cache" policy is enabled (it is not on by default, and it encrypts the cache with EFS), the data on the PC is protected, which makes this a much better model than keeping the PC out of the domain and storing all files locally.
- User Experience Virtualization (UE-V) saves application customizations to the client's home drive (N: drive). This still works when Offline Files is applied; the combination backs up to campus servers every time the PC ends up on campus (so, good).
- Folder Redirection – saves documents to the home drive, so like UE-V, it works when Offline Files is enabled.
- Blocking of Updates:
o Turn off access to all Windows Update features: When a PC is on campus, updates are managed by IT, but when a laptop is away it is not wise to block its access to the Windows Update service.
o Disable Automatic Updates: Same with this. If Automatic Updates is re-enabled for remote laptops, at least Microsoft is trying to keep them up to date.
- Firewall Rules
o One has to be careful when limiting who or what can reach a PC, and how. Tight inbound rules work well on campus, but may leave off-campus clients in a bind when remote assistance is required.
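The LAPS behaviour described above (no check-in, no rotation) can be seen from Active Directory: a laptop whose stored expiry time is already in the past has not refreshed policy against a domain controller since that time. The following PowerShell is an added example, not part of the IST document. It assumes the LAPS management tools (the AdmPwd.PS module) and the RSAT ActiveDirectory module are installed on the admin workstation, that the caller has been delegated LAPS read and reset rights on the laptops' OU, and that WinRM is reachable for the optional policy refresh; the OU distinguished name is a placeholder.

```powershell
# Added example, not from the IST document. Assumes the AdmPwd.PS (LAPS) and
# ActiveDirectory modules are available and the caller has LAPS read/reset
# rights on the OU. The SearchBase below is a placeholder.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

# List laptops in the OU whose LAPS expiry time has already passed. The LAPS
# client only rotates the password during a Group Policy refresh that reaches
# a domain controller, so an expired timestamp means the laptop has not
# checked in since the expiry and its local admin password is unchanged.
function Get-LapsOverdue {
    param(
        [string]$SearchBase = 'OU=Laptops,OU=Academic Support,DC=nexus,DC=example'  # placeholder
    )
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties LastLogonDate |
        ForEach-Object {
            $laps = Get-AdmPwdPassword -ComputerName $_.Name
            [pscustomobject]@{
                Computer      = $_.Name
                LastLogonDate = $_.LastLogonDate
                LapsExpires   = $laps.ExpirationTimestamp
                Overdue       = ($null -ne $laps.ExpirationTimestamp) -and
                                ($laps.ExpirationTimestamp -lt (Get-Date))
            }
        } | Where-Object Overdue
}

# When an overdue laptop returns (physically or via VPN), force a rotation at
# its next policy refresh by setting the AD expiry to "now", then trigger the
# refresh on the laptop so the change does not wait for the next 90-minute
# background refresh.
function Reset-LapsOnReturn {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        Reset-AdmPwdPassword -ComputerName $c
        Invoke-Command -ComputerName $c -ErrorAction Continue -ScriptBlock {
            gpupdate /target:computer /force
        }
    }
}

Get-LapsOverdue | Format-Table -AutoSize
```

The Overdue column is the useful signal for a fleet of long-absent laptops: it separates "password is current" from "password has not been rotated because the laptop never reached a domain controller", and the LastLogonDate column shows how long that has been the case.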
Please note that the policies listed below are designed to work with the update GPOs already tattooed from the domain, so this is not a complete list of all policies that need to be applied.
- Windows Update for Business (to be confirmed)
- Enable Windows Update Power Management to automatically wake up the system (from hibernation) to install scheduled updates. Note: it will not install updates if the system is on battery power.
- (Optional) Turn off auto-restart for updates during active hours (NOTE: active hours may need to be set explicitly)
- No auto-restart with logged on users for scheduled automatic updates installations: If enabled, Automatic Updates will not restart the computer automatically during a scheduled installation while a user is logged on. Instead, it will notify the user to restart the computer.
- Select when feature updates are received: Corporate applications on campus are tested before IT decides to move to the next version of Windows 10. By setting this value, feature updates can be deferred by up to 365 days, keeping the laptop's version more in line with PCs on campus.
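Every GPO in the two update lists above (the on-campus blocking settings that must not follow the laptop off campus, and the off-campus settings listed here) is written to the same policy registry key on the PC, so a laptop can be checked before it leaves. The following PowerShell is an added example, not part of the IST document: it reads those values and compares them with an off-campus profile. The registry paths and value names are the standard locations those policies write to; the "wanted" values, and the 180-day minimum deferral, are this example's own assumptions and should be adjusted to the department's GPO.

```powershell
# Added example, not from the IST document. Audits the Windows Update policy
# values set by the GPOs discussed above against the values wanted on a laptop
# that will be off campus. Wanted values (and Min) are assumptions.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

# Name = registry value the GPO writes; Want = desired value off campus;
# Min = when present, any value >= Min is acceptable instead of an exact match.
$OffCampusUpdatePolicy = @(
    @{ Gpo = 'Turn off access to all Windows Update features'; Path = $wu; Name = 'DisableWindowsUpdateAccess';      Want = 0 }
    @{ Gpo = 'Configure Automatic Updates (must not be Disabled)'; Path = $au; Name = 'NoAutoUpdate';                Want = 0 }
    @{ Gpo = 'Enabling Windows Update Power Management';       Path = $au; Name = 'AUPowerManagement';               Want = 1 }
    @{ Gpo = 'No auto-restart with logged on users';           Path = $au; Name = 'NoAutoRebootWithLoggedOnUsers';   Want = 1 }
    @{ Gpo = 'Turn off auto-restart during active hours';      Path = $wu; Name = 'SetActiveHours';                  Want = 1 }
    @{ Gpo = 'Select when feature updates are received';       Path = $wu; Name = 'DeferFeatureUpdates';             Want = 1 }
    @{ Gpo = 'Feature update deferral period (days)';          Path = $wu; Name = 'DeferFeatureUpdatesPeriodInDays'; Want = 365; Min = 180 }
)

function Test-OffCampusUpdatePolicy {
    param([hashtable[]]$Policy = $OffCampusUpdatePolicy)
    foreach ($s in $Policy) {
        $item   = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($s.Name) } else { $null }
        # An absent value means "Not Configured". That is acceptable only when
        # the feature is to be left alone (Want = 0); a setting that must be on
        # (Want = 1) fails if the GPO never wrote it.
        if ($null -eq $actual)            { $ok = ($s.Want -eq 0) }
        elseif ($s.ContainsKey('Min'))    { $ok = ($actual -ge $s.Min) }
        else                              { $ok = ($actual -eq $s.Want) }
        $shown = if ($null -eq $actual) { '(not set)' } else { $actual }
        [pscustomobject]@{
            GPO    = $s.Gpo
            Value  = $s.Name
            Actual = $shown
            Wanted = $s.Want
            OK     = $ok
        }
    }
}

# Run on the laptop while it is still on campus; any row with OK = False is a
# setting that the GPO scoped to the off-campus laptops still needs to change.
Test-OffCampusUpdatePolicy | Format-Table -AutoSize
```

These keys live under HKLM\SOFTWARE\Policies and are rewritten at every policy refresh, so a failing row is fixed in a GPO linked to the OU (or WMI-filtered group) that holds the long-absent laptops, not by editing the registry on the PC, where the change would be reverted the next time the laptop reaches a domain controller. `gpresult /h report.html` on the laptop shows which GPO is responsible for each value.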