Personal computers on a corporate network?!!??!?!

Do you think a corporation should allow personal computers on its network?


I work for a retail jewelry store with 175+ employees in the store. We recently (past two weeks) added Wireless Access to the network for one laptop. A certain group needed a roaming PC that they could place orders for jewelry on.

After only two weeks, my company is now allowing employees to bring in their personal laptops to use on the corporate network and also allowing them to receive corporate and personal emails with those PCs. I'm now responsible for these personal computers.

I'm totally in disagreement with this new rule. For years, the company has always had a very wary approach to having a lot (10 or more) of computers connected to the Internet (a directive from one of the Presidents of the company), and now the General Manager is allowing personal laptops on the network. I can't go above his head and inform the President because that will only create political stress.

To make the situation worse, the very first personal laptop that was brought to me had a ton of spyware and two viruses on it. The risk of a corporate computer being infected went through the roof!

The poll is quite simple: Should a company allow personal computers on the network?

-MacG467
 
Nope. For a few reasons:

1) Too much risk from:
  • Malware on the user's personal PC infecting other corporate computers
  • A user downloading sensitive material, trade secrets, or other corporate information to the personal laptop. The laptop could then get stolen, or said employee gets terminated and uses the material against the company.
  • The user has some kind of server setup on their laptop. I witnessed a situation at another company once where an employee brought their personal laptop to the office and plugged it in. It was a Linux laptop, with a DHCP and DNS server running. It was pretty bad to say the least.
2) Like you said, you too often become "responsible" for these personal laptops. I refused to become responsible for them at my previous job. I would not support the users' personal computers. If you do that, you start becoming everyone's own personal "Geek Squad."
3) It creates a lot of legal liability. Suppose you don't have a network device that filters out P2P apps, but you rely on GPOs or other client software to do it. Now you've got devices on your network that are not included in this policy. But if the user does illegal things on your network and gets caught, it's you who has to do the explaining.
4) In my experience, users who bring their personal laptops to work do nothing but goof off on the laptop all day and get very little work done.

I may have missed some reasons, but in general it's a very bad idea to allow this to happen.

EDIT: The user can also get you put onto a Blacklist too if they have malware which sends out SPAM. I don't know if you've ever had a company you were working for get put onto a blacklist or not, but it really really sucks.
 
Categorically ... no.

They may as well fly in a group of hackers to rob them blind and destroy their servers.
 
I know at my school they let students bring in laptops from home; I know a few that did. They basically would surf all day in class and mess around/try to find proxies/etc...
So in my opinion it's not good for a school's network/systems to have foreign equipment...
I guess in a corporate environment, it depends how much it can be monitored. Truthfully I don't see a real need for someone to bring in their own computer; a lot of businesses have damn good computers...
 
It's pretty easy to set up enough policies to shoo away careless users.

Set up a domain, for example, and require domain credentials in order to use any network resources (including the proxy). That small hurdle will keep much of the riff-raff away.

If it doesn't work, start requiring virus software. Use SMS or a login script to enforce the requirement. If the user doesn't have a current version of the corporate standard installed, boot 'em.
 
I voted yes but...

I would only do it if port security were enabled, all PCs were approved individually and they were on their own restricted VLAN.
 
No.

Never,

don't do it.

Close down the wireless to only allow the MAC addresses of the laptops for the company, and explain the MASSIVE security risk to those in charge.

Inform them you WILL NOT support these computers or be held responsible for any damage they may cause.

Otherwise it is your ass on the block for anyone's stupidity.
 
End users can sometimes be the biggest pain in the ass, especially when they start asking questions about personal home PC issues....
 
Hell no. Unless they are willing to turn these into corporate machines, with all that entails ( limited users, restrictive proxy, me with admin access ), I would absolutely refuse to admin these machines.

In fact, I would refuse to let them access the network.

I would stake my job on it, btw. As far as I'm concerned, I'd rather find another job where they respect my opinion instead of supporting them.
 
Maybe require wireless internet service, like the one Verizon, Sprint, and a few other mobile providers offer. Perhaps they offer a multi user plan (kinda like shared family plans but x100 users). That way they can still go on the net and fuck around, while not going through your corporate network, and maybe make a web based file storage service, making personal directories and files accessible from the inside and out. As far as other web based corporate applications, well, I don't know. Still a limited option and if it's for web surfing, it's pretty much for fucking around. Maybe if they just prefer to do work on their personal laptop.... yeah right. Although, this would be a good option for those actually requiring network access on the road, off-site, ones that have to travel.
 
My first question is why is there any kind of need for them to bring their personal laptops into the office to access the network? Does the company not provide them with adequate PCs/access on the job?

Another question... and please bear with me because it's been a few years since I've even had the need, but... say laptops are standard issue because employees are occasionally required to travel, but you usually work in the office and have no need to lug home a laptop every night so instead it gets locked away securely at work when you leave.

Next morning you're sick as a dog, didn't bring your laptop home, and know you need to respond to some important emails from within the company. Isn't there a way to make it so you can use a personal PC at home to access a company network without jeopardizing it? VPN or such?
 
I dropped out of college after 3 1/2 yr.
I am now a roofer.
Computers are my hobby.
EVEN I KNOW YOU CAN'T LET PERSONAL PC'S ON A CORPORATE NETWORK.
I can think of a lot of nightmare scenarios, and I really don't know s##t. :p
You may want to sell any stock you have in that company....
 
People can bring them in all they want to my site, plug them in, and get jack crap. That's a no go on allowing personal computers on the corporate network. All the laptops I have as well, will not get on the internet away from my site either. Employees can take them home, logon using cached credentials and work but no internet.
 
Where is your Yes, but with adequate network hardware? All my jobs have been in either universities or boarding schools. I wish I had to deal with only 175+ employees, my last job had 3,500 students who all had personal computers on the school's network. You can easily keep personal computers isolated from the corporate, you just need to get the right hardware. Here is what you need to do:

1) Set-up a separate V-Lan for the personal computers as a bare minimum. Only open the ports that they have to have to function. If possible also make it more difficult for them to access work and the internet from their personal computer. Make them use webmail instead of setting up Outlook, restrict their internet speeds. This will make them much more likely to go back to using the work computers after the "coolness factor" wears off.

2) Secure the wireless and make them come to you to have it set-up. If they bring it to you with viruses or spyware they have to clean it up first. This also makes #3 and #4 easy. If they have access to wired connections, make sure they don't get access. We have it set up so all they get is a website that says they have to register their computer with us.

3) Write up a user agreement that they have to sign. You must insist on this, no matter what you boss says. Include punishments that really affect the employees; such as you bring down the network or surf porn, you get nice unpaid vacation. Over the last school year we expelled/suspended over 12 students, and fired 1 teacher for these problems.

4) Monitor, monitor, monitor. We keep logs of every site every person visits. Our hardware generates weekly reports of who visits inappropriate sites (I am at a high school/middle school and we have to protect the children!!) and automatically emails it to us and the administration each Monday. We also gave them a printout that has which person has each IP address, so we know who is doing what. It will be a good wake-up call when your boss finds out that half of his employees are spending 20+ hours a week at myspace and youtube, personal computer or not.

Schedule a nice long meeting with him and go over everything. Once he sees how much work and money it will be and the fact that he will also have to deal with the problems it causes, it probably won't seem like such a good idea anymore. If he doesn't want to do it properly and demands that you give access; put your foot down and say no. If something happens and you can't find who did it and show evidence, your ass is the one going down!!
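A worked version of the weekly report described in step 4, added here as an example and not code from the post or from any filtering product: it parses constructed proxy log lines (assumed "timestamp client_ip url" format), joins them to a constructed IP-to-person printout, and counts hits per person on flagged site categories; IPs missing from the printout are reported separately so unregistered hosts stand out.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample log in an assumed "timestamp client_ip url" format,
# one request per line (a real proxy log would carry more fields).
SAMPLE_LOG = """\
2007-03-05T09:12:01 10.1.20.14 http://www.myspace.com/home
2007-03-05T09:12:09 10.1.20.14 http://www.myspace.com/friends
2007-03-05T09:15:44 10.1.20.22 http://www.youtube.com/watch?v=abc
2007-03-05T10:01:03 10.1.20.31 http://supplier.example.com/orders
2007-03-06T11:40:12 10.1.20.14 http://www.youtube.com/watch?v=def
2007-03-06T11:41:00 10.1.20.99 http://www.myspace.com/home
2007-03-13T08:00:00 10.1.20.14 http://www.myspace.com/home
"""

# Constructed "who has which IP address" printout.
IP_TO_PERSON = {"10.1.20.14": "alice", "10.1.20.22": "bob", "10.1.20.31": "carol"}

# Constructed category list: domain suffix -> category that gets reported.
FLAGGED = {"myspace.com": "social", "youtube.com": "video"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def categorize(url):
    """Return the flagged category for a URL, or None if it is not flagged."""
    host = (urlparse(url).hostname or "").lower()
    for domain, category in FLAGGED.items():
        if host == domain or host.endswith("." + domain):
            return category
    return None


def parse_line(line):
    """Parse one log line into (datetime, ip, url); None for malformed lines."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    stamp, ip, url = match.groups()
    try:
        return datetime.fromisoformat(stamp), ip, url
    except ValueError:
        return None


def weekly_report(log_text, ip_to_person, week_start, week_end):
    """Count flagged hits per person for requests in [week_start, week_end).

    week_start/week_end are ISO dates. IPs missing from the printout are keyed
    as 'unknown:<ip>' rather than dropped: an unmapped host is what you want
    to notice first.
    """
    start, end = datetime.fromisoformat(week_start), datetime.fromisoformat(week_end)
    report = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        stamp, ip, url = parsed
        if not start <= stamp < end:
            continue
        category = categorize(url)
        if category is None:
            continue
        person = ip_to_person.get(ip, f"unknown:{ip}")
        report[person][category] += 1
    return dict(report)


def format_report(report):
    """Render the report as one line per person, highest total first."""
    rows = sorted(report.items(), key=lambda kv: (-sum(kv[1].values()), kv[0]))
    lines = []
    for person, counts in rows:
        detail = ", ".join(f"{c}={n}" for c, n in sorted(counts.items()))
        lines.append(f"{person}: {sum(counts.values())} flagged hits ({detail})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(weekly_report(SAMPLE_LOG, IP_TO_PERSON,
                                      "2007-03-05", "2007-03-12")))
```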
 
I did leave some important information out of the whole equation.

1. The GM is best friends with the co-worker's husband, who is the #2 salesperson in the store. The co-worker is using the friendship to get what she wants.

2. The network is not run by any Windows-based NOS. It's an AS/400, and even that is on a completely separate internal network with all its 5250 terminals. The Internet is only protected with a Sonicwall TZ170 series unit and any other third-party anti-virus (Symantec Anti-Virus v9.0 Corporate Edition) and anti-spyware (Microsoft, Webroot, Lavasoft) I provide.

3. The Internet connected PCs were only for business use, and there's only three PCs that are for any employee to use. The rest include the three owners and two in the advertising department. All together, we have 10 Internet Connected PCs...well 11 now. :\

Oh yeah, and the #2 salesperson wanted to use iTunes on the laptop to download some songs. If that's what the laptop is being used for, then I'm just going to block the ports.

-MacG467
 
Brom, I really wish I could do the things you explained in your post, but:

1. We lack the hardware
2. We lack the funding to acquire the hardware
3. We will never receive the funding to purchase said hardware
4. I do not have enough rank (nor does my manager, who works under the GM) to force users to sign an agreement
5. Myspace and Youtube are blocked by default. :)

I do, however have security enabled to keep wardrivers out, which also keeps employees from hooking up without my intervention.

-MacG467
 
MacGyver467 said:
I did leave some important information out of the whole equation.

1. The GM is best friends with the co-worker's husband, who is the #2 salesperson in the store. The co-worker is using the friendship to get what she wants.

2. The network is not run by any Windows-based NOS. It's an AS/400, and even that is on a completely separate internal network with all its 5250 terminals. The Internet is only protected with a Sonicwall TZ170 series unit and any other third-party anti-virus (Symantec Anti-Virus v9.0 Corporate Edition) and anti-spyware (Microsoft, Webroot, Lavasoft) I provide.

3. The Internet connected PCs were only for business use, and there's only three PCs that are for any employee to use. The rest include the three owners and two in the advertising department. All together, we have 10 Internet Connected PCs...well 11 now. :\

Oh yeah, and the #2 salesperson wanted to use iTunes on the laptop to download some songs. If that's what the laptop is being used for, then I'm just going to block the ports.

-MacG467

Just start blocking ports and IPs of services this person is attempting to use.
 
Man I feel sorry for you.

We have a guest network at work because we have a lot of international consultants so they can VPN to their corporate networks. It's totally VLAN'ed off though.
 
Keetha said:
I voted yes but...

all PCs were approved individually and they were on their own restricted VLAN.

I agree with the above..."approved individually". I need to sit down and inspect/clean/install necessary software to bring them up to compliance. This really isn't any different (in my perspective)...than allowing people to VPN in from home to do remote work. And I do the same thing for my clients here...if they wish to VPN in from home, and do Remote Desktop work to their workstation...I always go setup their home. Make sure they're behind a router, make sure their home PC is clean, all windows/office updates, anti-ad/spyware software installed and scanned, and include their antivirus on their corporate server..setup their AV client to report into the main antivirus server.

And quite a few places that want non-office PCs to have access to their network....you can get routers now that are very inexpensive..and can VLAN the wireless networks...even run several unique SSID wireless networks at the same time. The Linksys wrv200 supports 4x SSIDs, each can be VLAN'd. Under 85 bucks! That way some wireless clients can have internet access only, no access to the main network. And others can be on a different VLAN that has access to both.

Jewelry store? Lack of funding? I'm in disbelief there...but even so...again, there's a router where for only 85 bucks can solve your issues. Heck...shop hard...I bet you can find it for under 75 bucks.
 
Well, consider college networks... 5000+ personal computers for a pretty small campus.

At my college we have to install a Cisco Clean Access agent which checks for current anti-virus software as well as windows updates. If you are missing either or both you are instantly put into a quarantine where you have no access to the normal network and you are dropped down to a level where you can only access a certain site where they have free antivirus and windows updates available for local download.

It seems to keep things running pretty smoothly. They also use the Clean Access software to monitor bandwidth usage, both for internet and from computer to computer over the network (say you are sending a friend your music collection over the network etc.). If your net traffic reaches 10GB for the day they drop your net speed down to about 56k speeds, and if your computer to computer traffic exceeds 35GB in a day they completely disable your network jack in your room for 24 hours (I only did that once until I learned my lesson ;) )

maybe something like that could help you lock down your connection.
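To make the Clean Access behaviour described above concrete, here is an added example of the same admission and usage policy as a small stateful controller (my own illustration, not Cisco's software; the remediation hostname and MAC addresses are constructed): hosts failing the anti-virus or update check are quarantined to the remediation site only, 10GB of internet traffic in a day throttles to 56k, and more than 35GB of host-to-host traffic disables the port for 24 hours.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

REMEDIATION_HOST = "remediate.campus.example"  # constructed hostname
INTERNET_THROTTLE_GB = 10.0   # daily internet volume that triggers throttling
THROTTLE_KBPS = 56            # "56k speeds"
PEER_DISABLE_GB = 35.0        # daily host-to-host volume that disables the jack
DISABLE_PERIOD = timedelta(hours=24)


def at(stamp):
    """Small helper so callers can pass ISO timestamps as strings."""
    return datetime.fromisoformat(stamp)


@dataclass
class HostState:
    av_current: bool
    updates_current: bool
    day: Optional[date] = None          # the day the counters below belong to
    internet_gb: float = 0.0
    peer_gb: float = 0.0
    disabled_until: Optional[datetime] = None


class AccessController:
    def __init__(self):
        self.hosts = {}   # MAC address -> HostState

    def admit(self, mac, av_current, updates_current, now):
        """Posture check at connect time, as reported by the agent."""
        state = self.hosts.setdefault(mac, HostState(av_current, updates_current))
        state.av_current, state.updates_current = av_current, updates_current
        return self.status(mac, now)

    def record_traffic(self, mac, now, internet_gb=0.0, peer_gb=0.0):
        """Add traffic to today's counters; counters reset on a new day."""
        state = self.hosts[mac]
        if state.day != now.date():
            state.day, state.internet_gb, state.peer_gb = now.date(), 0.0, 0.0
        state.internet_gb += internet_gb
        state.peer_gb += peer_gb
        if state.peer_gb > PEER_DISABLE_GB and state.disabled_until is None:
            state.disabled_until = now + DISABLE_PERIOD
        return self.status(mac, now)

    def status(self, mac, now):
        """Return (mode, detail); the strongest restriction wins."""
        state = self.hosts[mac]
        if state.disabled_until is not None:
            if now < state.disabled_until:
                return "disabled", {"until": state.disabled_until}
            state.disabled_until = None           # the 24 hours are up
        if not (state.av_current and state.updates_current):
            return "quarantine", {"allowed_hosts": [REMEDIATION_HOST]}
        if state.day == now.date() and state.internet_gb >= INTERNET_THROTTLE_GB:
            return "throttled", {"kbps": THROTTLE_KBPS}
        return "allowed", {}

    def permits(self, mac, dest_host, now):
        """Per-flow decision: quarantined hosts reach only the remediation site."""
        mode, detail = self.status(mac, now)
        if mode == "disabled":
            return False
        if mode == "quarantine":
            return dest_host in detail["allowed_hosts"]
        return True
```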
 
I chose yes and not "Yes, but it must have adequate anti-virus and anti-spam software" because....what kind of stupid corporate network runs without AntiVirus? :rolleyes: puhhleeeze man! give meh a br34k. common sense anyone? :rolleyes:
 
MaXimus666 said:
.what kind of stupid corporate network runs without AntiVirus? :rolleyes: puhhleeeze man! give meh a br34k. common sense anyone? :rolleyes:

Heh..oh trust me...there's a lot. Some of us here who travel to different networks to do "whatever"...well, I've stumbled across quite a few that are just...well..a nightmare.
 
MaXimus666 said:
I chose yes and not "Yes, but it must have adequate anti-virus and anti-spam software" because....what kind of stupid corporate network runs without AntiVirus? :rolleyes: puhhleeeze man! give meh a br34k. common sense anyone? :rolleyes:

And anti-virus software never breaks, and a single machine in a remote office can saturate their WAN link back to the Corporate network to the point where you can't even remote into the router to turn off their port without resorting to dialing straight into the router.

I believe the second yes answer means that the AV and anti-spyware on the personal machine being brought in has to be up to date before it is attached to the corporate network, not the corporate machines' software.

Personally, I'd connect personal machines to a SOHO router with its WAN connection to the corporate network with an allowed access list of web sites only. Cheap and effective.
 
I am no admin, but I voted "no" nonetheless. I think that in most cases it's a really, really bad idea. Not only do you not have much control over them, it'll make supporting them a nightmare.
 
Lethal said:
Next morning you're sick as a dog, didn't bring your laptop home, and know you need to respond to some important emails from within the company. Isn't there a way to make it so you can use a personal PC at home to access a company network without jeopardizing it? VPN or such?

Sure, you can setup something like OWA, a web-based interface that gives you a client that looks exactly like Microsoft Outlook. You could even implement an SSL-based VPN solution and provide remote access to a lot of stuff, or provide remote-desktop access via a VPN client. There's a lot of ways you can tackle this.

I still completely disagree with allowing them any form of access. In a business, the network is there to be used for business purposes, and not for personal use. If you start allowing people onto your corporate network, even in a private VLAN, you still have increased legal liability, you end up having more users to monitor with your filtering software (if you choose to) which may result in you spending more money for a bigger license, and then you have to deal with the personal users sapping your bandwidth. If you're going to throttle their bandwidth back to say, 15kbps, then what is the point? One download with iTunes would take all of that, and keep it for quite a while.

If you really, really want to have guest access, bring in a business-class cable modem connection and create a completely separate network for them to access. You could have wireless access, and wired access in the reception area and the break rooms.
 
Lethal said:
Next morning you're sick as a dog, didn't bring your laptop home, and know you need to respond to some important emails from within the company. Isn't there a way to make it so you can use a personal PC at home to access a company network without jeopardizing it? VPN or such?
Apart from the fact that there certainly are many options to log in remotely without allowing home PCs on the business LAN, I think that this comes down to a risk-management choice:

is Pr{your situation happening} * C{loss of business due to that situation} greater than Pr{Virus infection due to personal PCs on the company LAN} * C{cost of that virus}?

Pr{statement} = probability of an event occurring
C{statement} = cost of the event
 
I can't really think of any good reason why employees would *need* to bring in their own computers. Every place with that many employees that I've been around... If you need to be on a PC, they will give you one to use while at work. Some companies have strict policies about working off the clock, but then again the school district here handed out new Gateway laptops to most of the teachers, and they take them all home when they grade papers.

Answer to the question : NO

No good reason for employees to bring their own PCs.
 
you give them an inch, and they take a fucking mile.

they don't need wireless computing to begin with, and I really wonder if that "group" really needed it.

I say HELL NO to bringing personal laptops to work, and a NO to wireless network access.
 
I work on the PCs at my old high school. I will put it to you like this. My office computer is not on the domain, due to the fact that our school system went crazy and started to block everything. But I have an admin account, but I don't like the fact of being watched. If you have just a user account you can't use the run command along with a lot more stuff. Hard on the teachers and students because they can't install network printers. Also if the .exe or .com is not on the domain's set list of programs, the program will not work.

But to make a long story short,
If your pc is up to date, has no spyware then it's ok.
 
RocketFast321 said:
I work on the PCs at my old high school. I will put it to you like this. My office computer is not on the domain, due to the fact that our school system went crazy and started to block everything. But I have an admin account, but I don't like the fact of being watched. If you have just a user account you can't use the run command along with a lot more stuff. Hard on the teachers and students because they can't install network printers. Also if the .exe or .com is not on the domain's set list of programs, the program will not work.

But to make a long story short,
If your pc is up to date, has no spyware then it's ok.

From working in a District and setting things up like that, that's the way it should be in a school. The teachers should have some more access but students should only be able to run what they need not what they want. If it's an AD installation, which it sounds like, teachers shouldn't need to add printers like that. Just give them all networked printers and put them in the domain. Then they just run the Add Printer wizard and pick the one they want. Or, you can assign them via GP with R2 or write a script to pick the correct one based off the computer name. But, for the most part, sounds like that school is doing what it should to make their jobs easier and stop kids from doing the crap they shouldn't.
 
Get their decision to allow them in writing, print it, frame it, don't care and go along with it and of course wait for the inevitable disaster that is bound to hit that intranet.

I might even say to go as far as help the disaster along a bit ;) Just make sure you have all the proof to show that you disagreed with their decision, explained WHY you disagree, received a response from the general manager on the matter and then followed his request to the dot. ALL THIS IN IRREFUTABLE WRITING!!!

I can't stress that enough.

Also, starting from day 1 document every extra minute spent cleaning up that spyware and viruses that people drag in on their home laptops or worse...

you're not out to screw anyone, especially not the owner/president/general manager, but they will try to throw it on your head when stuff happens.

I've been there, done that and survived thanks to that above mentioned proof...
 
zrac said:
Get their decision to allow them in writing, print it, frame it, don't care and go along with it and of course wait for the inevitable disaster that is bound to hit that intranet.

I might even say to go as far as help the disaster along a bit ;) Just make sure you have all the proof to show that you disagreed with their decision, explained WHY you disagree, received a response from the general manager on the matter and then followed his request to the dot. ALL THIS IN IRREFUTABLE WRITING!!!

I can't stress that enough.

Also, starting from day 1 document every extra minute spent cleaning up that spyware and viruses that people drag in on their home laptops or worse...

you're not out to screw anyone, especially not the owner/president/general manager, but they will try to throw it on your head when stuff happens.

I've been there, done that and survived thanks to that above mentioned proof...


QFT.

I had this happen to me as well, except that I had a written letter of disagreement with new policy expunging me from all consequences...I even had it notarized after I signed and had my boss notarize as well.
 
Hell no.

If you're forced to do this, definitely set up a VLAN for all the home PCs. Don't allow crosstalk between the two networks. If you can't do VLANs, set up IPsec isolation for the business PCs. Do whatever you can to keep them isolated and LOG, LOG, LOG.

Determine the bare minimum the personal laptops need to access. While others have mentioned that providing VPN access is the same thing as allowing personal computers on the network, I beg to differ. If you only allow DHCP/DNS & RDP from the VPN to the internal network, it's extremely unlikely that the personal computer is going to infect the rest of the network.
 
Blitzrommel said:
Man I feel sorry for you.

We have a guest network at work because we have a lot of international consultants so they can VPN to their corporate networks. It's totally VLAN'ed off though.

QFT
 
As a network administrator, I dislike allowing foreign machines on my network.
If I don't have direct control over it, I don't want to take responsibility for its actions.
 
I work for a very large company. I used to be infrastructure support for remote access. I have seen my fair share of home PC's. The only time we allow non company assets on our network is if they are properly outfitted with virus software and are being used for company business. Our company adapted the policy of providing a laptop for anyone who requires one for their job. Most of the non company assets that are being utilized on our network are outside vendors. If it is found that the machine is infected it is immediately removed from the network and that user is responsible to get proper protection before allowing it to be put back on the network.

If it is not part of the job duties currently, it is a huge responsibility and amount of work put on to a support group. Here support for just the home network setups that allow people to use their work laptop's are on a "best effort" basis. It's not priority.

This reminds me of the first BIG merger our company went through. We were bought out by a bigger company (hostile takeover). We always had the question of how to handle home PC's and where the line was drawn, and so did the company we merged with. The corporate decision was made to not support home PC's with the new remote access infrastructure. We had people currently with remote access on their Home PC's. Their support had always been "best effort" and now officially it was going away. My boss called me down to his office and basically said we were going to still support them and that it was my job. He had this idea that we were going to create this E-mail account and when I had time "like when I was sitting at my desk eating lunch" I would casually answer questions sent to this E-mail address. I basically told him he might as well not even create it because I already had a full schedule and none of them would get answered. This is the ONLY time in my entire life when I refused to do something at work, and after our "discussion" he went back to the director of our department and told him it wasn’t going to happen.

The same reasons people have mentioned above are why we went to this policy.

Legal exposure
Virus exposure
Added work responsibilities without added resources.


Aside from all of that and even if they did sign a waiver before you allowed their PC on your network and worked on it. I always have this creepy feeling when working on someone's home PC at work, even if it is for work use. If you F it up so bad you have to do a re-image, and we know that can happen when you anti spy/virus a machine, now you are stuck with the person's PC that you have to restore with unknown licensing and software. So now before you do ANYTHING to a non company PC you have to back it up. With a corporate PC and image you just need to backup user data, and not have to worry as much about little Jimmy's 1-year pictures you just lost, or that pirated version of Office you are now expected to replace. It doesn't matter if it was legal, the people will still want it back, and this also goes back to the "legal exposure" issue.
 
Put it this way. My organization is considering getting into using Control-F1 so we can help fix users home computers. I flat out refused to have anything to do with it. Go to Best Buy or I'll do it on the side for extra cash. But you are NOT going to make me do it so YOU get the money for it. Fuck you.
 