badwhitevision
Disciple
I'm hoping at least a few members of this forum are sysadmins or have had experience in this field and can help me with this.
Before going forward, I am not a sys-admin. I don't even have a college education in computer science. Everything I have learnt is by experience and the internet, so I may well be wrong. This is not my profession. I'm doing this simply out of interest and passion.
I have a relative who has a business and as a part of this business, issues office owned laptops to employees. I would like to incorporate/harden security for these laptops and also monitor their network traffic/installed applications, any changes to system configuration etc.
Most of these are home use laptops that are repurposed for office usage (so Windows 10/11 Home) and aren't specifically meant for corporate usage (think like a ThinkPad).
I can install a fresh Windows Enterprise edition, should that give me better features.
I have divided this into a few sections. Please give me your inputs on how stupid I am.
1. BIOS -
Employ an admin password. If the BIOS supports it, something like Computrace or Absolute. (Highly doubtful, since these were never intended for Business usage)
Why? - A few tech-savvy employees mess up the BIOS and then hand in their laptops stating something is wrong. I am all for learning by experimenting, but would prefer if they did it on their own equipment instead of the office equipment.
2. Network Monitoring -
Currently, I use a PiHole with certain sites blocked out. By virtue of the PiHole, I am able to see which devices access which sites. I am looking to make this easier/simpler/better/more invasive.
The fallacy here is that I cannot control applications which use inbuilt DNS.
For remote monitoring, I use Tailscale to pass all DNS queries to the PiHole. This also allows remote access of the SMB File share that contains documents.
Should I consider invasive monitoring like DPI (Deep Packet Inspection) or are there easier methods available? If DPI, how do I go about it? Any leads would be appreciated.
There is also another fallacy that Tailscale has a quick access button that allows you to stop using the VPN. I would prefer that the VPN remained always on.
I have read about Nagios and LibreNMS, but have never deployed them in my homelab because there was never a need to, so I don't know much about this software. I have also read about SNMP monitoring, but again no idea how useful these will be.
Why? - Access to social media is fine. (I am not going ballistic over someone using Snapchat/Instagram) But a few decide to use the office equipment and network for NSFW activities, or even worse, download games to play.
3. Device Monitoring -
This is for device stats, such as disk space, CPU/RAM temperatures/usage, SMART status, WiFi/LAN connectivity.
In my current HomeLab setup, I use Telegraf with InfluxDB and Grafana for the UI. I'm planning to scale this setup and implement as-is.
Why? - Very often, any issue that arises is attributed to the laptop being old and very slow. However, I do not have enough data to counteract these claims, despite knowing that they are utterly rubbish. Also would help in pre-emptive maintenance.
4. Software Install/ Lock configuration -
This is where I am blank and unable to draw any ideas and this is important.
Some kind of admin password needs to be provided before attempting to install any application or change any significant configuration.
This also applies when attempting to uninstall an application.
One way I can think of is to use 2 accounts, an admin and a limited user and require admin access for the above. Is this feasible?
A nice-to-have feature would be a notification that such an event has occurred.
Why?
Prevent unauthorised installs. Most of the employees are proficient in internet usage, but end up downloading bloatware/spyware and then complain that the system is slow. Half of my troubles would be stopped if only they stuck to the software that has already been installed. Even when downloading required software, they tend to use non official sites and I am dreading the day they decide to install a RAT along with the software.
Configuration changes - Stop the above mentioned tech-savvy employees from messing up the Windows install.
-----Edit------
Adding the following 2 points based on post #3 below. Thank you for pointing these out @calvin1719
5. Dealing with updates -
Access via TeamViewer/anydesk. But if the employee only has access to limited user actions, how can I perform admin actions?
6. Recovery plan -
All projects undergo failures during implementation and a robust recovery plan is a requirement.
My current and only idea is to have a few extra SSDs with fresh windows installs and the required software and when any major issue arises, replace the SSDs. Obviously, this does not cover issues arising when the employee is at a remote location.
------End of Edit-----
I have seen friends who work in larger organisations (proper corporates) who have laptops that are restricted from even using USB sticks (I guess this is a BIOS lock?). I suspect they do use some kind of software too, but I have no idea what that is.
I am trying to use FOSS for all this, but am open to considering paid enterprise versions if they are worth it. As every other middle-class Indian, I'm trying to keep this as cheap as possible, but I do understand that sometimes only a paid solution will work.
A reason for preferring FOSS is the hands on work it brings with it. Like I said, I am doing this out of passion and sitting and breaking my head over something that doesn't work, gives me a sense of satisfaction. (I'm weird, I know)
Thank you for reading through this wall of text and for your suggestions.
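The two-account setup asked about in section 4, plus the install/uninstall notification and the USB-stick lock from the end of the post, can all be done on Windows 10/11 Home without Group Policy. The script below is an added example and is not the poster's own code; the account names (laptop-admin, employee), the log directory (C:\ProgramData\LaptopAudit) and the task name are assumptions chosen for the example.

```powershell
# Added example, not from the original post: account split, UAC credential prompt,
# install/uninstall notification and USB mass-storage block for a Windows 10/11 Home laptop.
# Everything is registry/CIM based, so it needs no Group Policy (absent on Home).
# Assumed names (all made up): admin account 'laptop-admin', employee account 'employee',
# log directory C:\ProgramData\LaptopAudit. Run once per laptop from an elevated prompt.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
$AdminName = 'laptop-admin'
$UserName  = 'employee'
$LogDir    = 'C:\ProgramData\LaptopAudit'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
# Only SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544) may read or edit the log.
icacls $LogDir /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null

# 1. Two accounts. The employee is in Users only, so every per-machine install,
#    uninstall or system-wide setting change raises a UAC prompt for the admin's password.
function New-SplitAccounts {
    param([string]$Admin, [string]$User)
    $wanted = @{ $Admin = 'Administrators'; $User = 'Users' }
    foreach ($entry in $wanted.GetEnumerator()) {
        if (-not (Get-LocalUser -Name $entry.Key -ErrorAction SilentlyContinue)) {
            $pw = Read-Host -AsSecureString "Password for $($entry.Key)"
            New-LocalUser -Name $entry.Key -Password $pw -PasswordNeverExpires | Out-Null
            Add-LocalGroupMember -Group $entry.Value -Member $entry.Key
        }
    }
    # Demote every other local account from Administrators: the repurposed home laptops
    # usually still have the employee's original account there. The built-in Administrator
    # (RID 500) cannot be removed from the group and is skipped.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.SID.Value -notlike '*-500' -and
                       $_.Name -notlike "*\$Admin" } |
        ForEach-Object { Remove-LocalGroupMember -Group 'Administrators' -Member $_.Name }
}
New-SplitAccounts -Admin $AdminName -User $UserName

# 2. UAC: standard users get a credential prompt on the secure desktop (1) instead of a
#    flat denial (0); admins get a consent prompt on the secure desktop (2) rather than the
#    default "only for non-Windows binaries" (5). PromptOnSecureDesktop stops a remote
#    support tool from clicking the prompt unless it is installed as a service.
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $uac -Name 'EnableLUA'                  -Value 1 -Type DWord
Set-ItemProperty -Path $uac -Name 'ConsentPromptBehaviorUser'  -Value 1 -Type DWord
Set-ItemProperty -Path $uac -Name 'ConsentPromptBehaviorAdmin' -Value 2 -Type DWord
Set-ItemProperty -Path $uac -Name 'PromptOnSecureDesktop'      -Value 1 -Type DWord

# 3. Notification: a scheduled task fires on MsiInstaller event 11707 (install completed)
#    or 11724 (removal completed) and appends one line to the audit log. Caveat: only
#    Windows Installer packages raise these events; setup.exe-style installers do not.
$handler = @'
$e = Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='MsiInstaller'; Id=11707,11724} -MaxEvents 1
$kind = if ($e.Id -eq 11707) { 'INSTALL' } else { 'UNINSTALL' }
$line = '{0} {1} sid={2} {3}' -f $e.TimeCreated.ToString('s'), $kind, $e.UserId, ($e.Message -replace '\s+', ' ')
Add-Content -Path 'C:\ProgramData\LaptopAudit\installs.log' -Value $line
'@
Set-Content -Path "$LogDir\Write-InstallEvent.ps1" -Value $handler

$query = "<QueryList><Query Id='0' Path='Application'><Select Path='Application'>" +
         "*[System[Provider[@Name='MsiInstaller'] and (EventID=11707 or EventID=11724)]]" +
         "</Select></Query></QueryList>"
$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Subscription = $query
$trigger.Enabled = $true
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$LogDir\Write-InstallEvent.ps1`""
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'LaptopAudit-InstallEvent' -Trigger $trigger -Action $action `
    -Principal $principal -Force | Out-Null

# 4. USB mass storage off: disable the USBSTOR driver (Start=4). Keyboards and mice use
#    other drivers and keep working; set Start back to 3 to re-enable.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name 'Start' -Value 4 -Type DWord
```

Two practical notes. For the TeamViewer/AnyDesk question under point 5: once the employee is a standard user, admin work in a remote session is done by typing the laptop-admin password into the UAC prompt, and with PromptOnSecureDesktop set the support tool has to be installed as a service (not run in its portable mode) or the prompt will not be visible remotely. The installs.log file can be shipped into the existing Telegraf/InfluxDB/Grafana stack with Telegraf's tail input plugin, which gives the "notification" for free as a Grafana alert. The MSI-only caveat matters: per-user installers that unpack into %LOCALAPPDATA% need no elevation and log no 11707 event, and stopping those is what AppLocker in the Enterprise edition mentioned in the post is for.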
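For the section 2 problem of applications that bring their own resolver: on the laptop itself, a Windows Firewall egress rule can refuse port 53 to anything except the PiHole, which is cheaper and less invasive than DPI and also makes the Tailscale "disconnect" button far less useful, since off the office LAN the only permitted resolver is then only reachable through the tunnel. The script below is an added example, not the poster's configuration; the PiHole addresses 100.64.0.5 (Tailscale) and 192.168.1.5 (office LAN) are made up, and the rule names are assumptions.

```powershell
# Added example, not from the original post: force every DNS query leaving the laptop to
# go to the PiHole. Windows Firewall gives block rules priority over allow rules, so instead
# of "allow PiHole, block the rest" we build one block rule whose remote-address list covers
# every IPv4 address EXCEPT the allowed resolvers. Assumed (made-up) addresses: the PiHole
# is 100.64.0.5 over Tailscale and 192.168.1.5 on the office LAN.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
$AllowedResolvers = @('100.64.0.5', '192.168.1.5')

# Turn a list of allowed IPv4 addresses into the address ranges that exclude them,
# e.g. 10.0.0.5 -> "0.0.0.0-10.0.0.4", "10.0.0.6-255.255.255.255".
function Get-RangesExcluding {
    param([string[]]$Allowed)
    $toInt = { param([string]$ip)
        $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
        if ($b.Length -ne 4) { throw "IPv4 only: $ip" }
        [Array]::Reverse($b)                     # network order -> little-endian for BitConverter
        [BitConverter]::ToUInt32($b, 0) }
    $toIp = { param([uint32]$v)
        $b = [BitConverter]::GetBytes($v); [Array]::Reverse($b)
        [System.Net.IPAddress]::new($b).ToString() }
    $ranges = @()
    [uint32]$next = 0                            # first address not yet covered by a range
    foreach ($n in ($Allowed | ForEach-Object { & $toInt $_ } | Sort-Object -Unique)) {
        if ($n -gt $next) { $ranges += '{0}-{1}' -f (& $toIp $next), (& $toIp ($n - 1)) }
        if ($n -eq [uint32]::MaxValue) { return $ranges }   # nothing above 255.255.255.255
        $next = $n + 1
    }
    $ranges += '{0}-255.255.255.255' -f (& $toIp $next)
    return $ranges
}

$blocked = Get-RangesExcluding -Allowed $AllowedResolvers

# Remove earlier copies so the script can be re-run after changing $AllowedResolvers.
Get-NetFirewallRule -DisplayName 'LaptopDNS-*' -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Plain DNS: block UDP and TCP 53 to everything that is not the PiHole, on every profile.
foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule -DisplayName "LaptopDNS-Block53-$proto" -Direction Outbound -Action Block `
        -Protocol $proto -RemotePort 53 -RemoteAddress $blocked -Profile Any | Out-Null
}
# DNS-over-TLS has its own port and can be blocked outright. DNS-over-HTTPS hides inside
# 443 and needs a block list of resolver IPs (not shown), so keep watching the PiHole log
# for devices that suddenly go quiet: that is the sign of a DoH bypass.
New-NetFirewallRule -DisplayName 'LaptopDNS-Block853' -Direction Outbound -Action Block `
    -Protocol TCP -RemotePort 853 -Profile Any | Out-Null

# Quick check: the first lookup answers, the second must fail/time out.
Resolve-DnsName example.com -Server $AllowedResolvers[0] -ErrorAction SilentlyContinue | Select-Object -First 1
Resolve-DnsName example.com -Server 8.8.8.8 -ErrorAction SilentlyContinue
```

The DHCP-assigned resolver on the office network has to be the PiHole's LAN address (or be added to $AllowedResolvers), otherwise Windows' own lookups are dropped too; outside the office, name resolution only works while Tailscale is up, which is the fail-closed behaviour wanted for an always-on VPN. The rules need to be re-applied if an employee with admin rights removes them, which is one more reason to make the account split in section 4 first.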