Concern: One of the senior managers bought a laptop for herself to use as a home PC, as well as to bring into the office regularly for convenience.
Problem: The problem was that, aside from the obvious security issues involved with doing that, domain-level GPOs restrict users from accessing the command prompt, from opening certain applications from within the Help application, and from quite a few other Windows utilities that could potentially be harmful; these restrictions have been blocked and enforced. The problem related particularly to the restrictive GPO applying to the user account when logging into the desktop, as opposed to logging into the laptop. Instead of having 2 separate user profiles and confusing the user as to which user profile should be used and where, I did this:
Solution:
1. Created a domain-wide GPO that applies to a specific security group in AD to reverse certain restrictions if certain conditions are met.
2. Assigned the computer and user permissions to the group (to be sure that the GPO is controlled and only applies for a specific user on a specific computer).
3. Wrote a simple WMI filter to only apply to computers with a PCMCIA controller (to prevent the policy from applying on the desktop).
And of course I "bulletproofed" the laptop as best I could to make sure that it's not going to become a mobile virus hive... However, I do not expect that the user will become infected, as the only email she receives is from Verizon and from the company network, and she is not prone to visiting obscure websites or opening any suspicious attachments.
The reason for doing this was mainly that the same solution can be used for more than a single user with minimal configuration on the same laptop or on separate laptops, without any issues and with minimal security concerns.
I am wondering if there may be a better way of doing this?
Thanks in advance!
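The three-step setup in the post (security-group filtering plus a WMI filter on the computer), written out as an added PowerShell example. This is not the poster's script; the GPO name, group name and domain DN are assumptions, and the WMI filter itself is still created and attached in GPMC (the GroupPolicy module has no cmdlet for that), so the script only provisions the GPO and lets you check on a given machine whether the WQL would match. It also goes a little beyond the post by including a chassis-type check as an alternative laptop test, since a PCMCIA controller is one specific piece of hardware.

```powershell
#Requires -Modules GroupPolicy
# Added example, not the original poster's code. Names below are assumptions.
$GpoName   = 'Laptop-Relax-Restrictions'   # assumed GPO name
$GroupName = 'GPO-LaptopExceptions'        # assumed AD group holding BOTH the user and the computer account
$DomainDN  = 'DC=corp,DC=example,DC=com'   # assumed domain

# The WQL from the post: apply only on computers that report a PCMCIA controller.
$WqlPcmcia = 'SELECT * FROM Win32_PCMCIAController'

# Alternative WQL (beyond the post): a portable battery is present on laptops only.
$WqlBattery = 'SELECT * FROM Win32_PortableBattery'

# Run a WMI-filter WQL query on this machine the way the GP engine would:
# a non-empty result means the filter passes and the GPO would apply here.
function Test-WmiFilterMatch {
    param([Parameter(Mandatory)][string]$Wql)
    $hits = Get-CimInstance -Namespace 'root\cimv2' -Query $Wql -ErrorAction SilentlyContinue
    return [bool]$hits
}

# Chassis-type check (SMBIOS) for comparison; evaluated in PowerShell because
# ChassisTypes is an array. 8/9/10/14 = portable/laptop/notebook/sub-notebook,
# 30/31/32 = tablet/convertible/detachable.
function Test-IsPortableChassis {
    $portable = 8, 9, 10, 14, 30, 31, 32
    $types = (Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes
    return [bool]($types | Where-Object { $portable -contains $_ })
}

# Provision the exception GPO: security filtering to one group, one user-side
# setting that reverses a lockdown, and a domain link that outranks the restrictive GPOs.
function New-LaptopExceptionGpo {
    param(
        [string]$Name       = $GpoName,
        [string]$Group      = $GroupName,
        [string]$LinkTarget = $DomainDN
    )
    $gpo = New-GPO -Name $Name -Comment 'Reverses selected lockdown settings on WMI-filtered laptops only'

    # Security filtering: drop Authenticated Users to Read so the computer account can
    # still read the GPO (required since MS16-072) without it applying domain-wide,
    # then grant Apply only to the exception group (which holds user AND computer).
    Set-GPPermission -Name $Name -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $Name -TargetName $Group -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # Example of a reversed restriction: the registry value behind
    # "Prevent access to the command prompt". 0 = cmd.exe allowed.
    Set-GPRegistryValue -Name $Name `
        -Key 'HKCU\Software\Policies\Microsoft\Windows\System' `
        -ValueName 'DisableCMD' -Type DWord -Value 0 | Out-Null

    # Link order 1 is processed last, so this GPO wins over the restrictive domain
    # GPOs it overrides. Attach the WMI filter to this GPO in GPMC afterwards.
    New-GPLink -Name $Name -Target $LinkTarget -LinkEnabled Yes -Order 1 | Out-Null
    return $gpo
}

# Usage on a workstation to see which filter would pass there:
"PCMCIA filter matches:  $(Test-WmiFilterMatch -Wql $WqlPcmcia)"
"Battery filter matches: $(Test-WmiFilterMatch -Wql $WqlBattery)"
"Portable chassis:       $(Test-IsPortableChassis)"
# On a DC or a box with RSAT, as a domain admin: New-LaptopExceptionGpo
```

Two points worth checking when reproducing this: the WMI filter is evaluated on the computer during both computer and user policy processing, so the user-side setting above really does apply only on machines that pass the filter; and after the link is created, run `gpresult /r` (or `Get-GPResultantSetOfPolicy`) on both the laptop and the desktop to confirm the exception GPO shows as applied on one and "filtered out (WMI)" on the other.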
