Cyber Security Awareness Tip #4: Enabling the Road Warrior
Those pesky mobile users.
Message #1 - "With great power comes great responsibility". Sure, it's kind of corny and maybe being a local admin on your own system isn't "great power" but you get the idea. Educating your mobile users as to what is acceptable and allowed (policy or no policy) can bring a big return on a small investment assuming they actually do as you request.
-Christopher Carboni
Update #1:
Thanks to everyone who has written in so far. Most of the tips sent in so far were technical tips centering around user management: creating regular users and then using various techniques (separate account, runas, scripting ...) to allow them to do things like set up networking from hotels, change power settings ...
Dave summed up those tips and also offers a tip on keeping users accountable.
"Here are some things I've found useful regarding mobile users who insist on having admin access.
First create a policy of n strikes and you're out as admin on the system. If the user is running as admin and his machine is compromised as the result of some action that didn't have a defined business need (i.e. installing some new game they downloaded or cute screen saver or reading some electronic postcard, etc.) that's one strike. If it happens n times, they have their admin access revoked for a period of m months or weeks."
I think I'll try that one myself. Thanks Dave!
Update #2:
We received more responses. Here is a little update on how some of you deal with the mobile user.
Nick voiced what most of us think, but are sometimes too scared to say: reduce the number of laptops. Many people see a laptop as a status symbol, but most probably do not need one at all, or no longer need one. Make users justify on a regular basis why they need a laptop.
Other ways of reducing the numbers (Thanks Nick):
- Have a decent pool of loaner laptops, and manage & maintain it properly. If users can borrow a decent & reliable laptop at short notice, they are less likely to want one for themselves.
- Only for Citrix shops...but we have a solution where users who just need to do a little work from home use their own home PCs with the Citrix web client installed and hit our Citrix presentation server in the DMZ - has reduced laptop purchases by about 60%.
Another reader suggests that mobile users
“always use VPN to connect; even when they are in the office. We don't even allow the mobile computers to be attached to the corporate LAN. We run a completely separate wifi network with its own internet connection in our office for visitors and mobile users”
Jason (thanks) provides some config tips
“All of my mobile users are on Windows XP Pro. I have come up with a set of configurations that allow me to set a user without admin privileges on their laptops.”
- Tip 1: Place the user in the Network Configuration Operators group. This allows them to connect and setup their network connections while on the road and in hotels if needed.
- Tip 2: Edit the registry so users can adjust their power settings. Nothing can be more frustrating than someone giving a presentation and their laptop going into sleep mode. This MSDN blog provides details: http://blogs.msdn.com/aaron_margosis/archive/2005/02/09/370263.aspx
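One way to apply and verify Tip 1 on a single laptop, as an added example that is not from Jason or the original diary: it reports the account's membership in the three relevant local groups and, with `-Apply`, moves the account out of Administrators. Assumptions: PowerShell is installed, the script runs elevated, the account is local, and the built-in groups have their English names; the script's parameter and function names are hypothetical.

```powershell
# Added example: replace local admin rights with Network Configuration Operators.
# Without -Apply the script only reports what it would change.
param(
    [Parameter(Mandatory = $true)][string]$UserName,  # local account name (assumption)
    [switch]$Apply
)

$computer = $env:COMPUTERNAME
$userPath = "WinNT://$computer/$UserName,user"

# List member names of a local group through the ADSI WinNT provider.
function Get-GroupMemberNames([string]$GroupName) {
    $group = [ADSI]"WinNT://$computer/$GroupName,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

# Desired end state. Additions come first so the account always keeps a group.
$plan = @(
    @{ Group = 'Network Configuration Operators'; Want = $true  },
    @{ Group = 'Users';                           Want = $true  },
    @{ Group = 'Administrators';                  Want = $false }
)

foreach ($step in $plan) {
    $isMember = (Get-GroupMemberNames $step.Group) -contains $UserName
    if ($isMember -eq $step.Want) {
        Write-Output ("OK      {0}: member={1}" -f $step.Group, $isMember)
        continue
    }
    $action = if ($step.Want) { 'Add' } else { 'Remove' }
    if ($Apply) {
        $group = [ADSI]"WinNT://$computer/$($step.Group),group"
        $group.psbase.Invoke($action, $userPath)
        Write-Output ("CHANGED {0}: {1} {2}" -f $step.Group, $action, $UserName)
    } else {
        Write-Output ("PENDING {0}: would {1} {2}" -f $step.Group, $action, $UserName)
    }
}
```

Running it again after `-Apply` should print three `OK` lines, which doubles as a periodic check that nobody has been quietly re-added to Administrators.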