Endpoint Protection

  • 1.  Laptop Lockdown: Endpoint MR4 MP1 XP Client with Windows Steadystate 2.5?

    Posted Mar 12, 2009 09:53 PM

    We are going to be giving out laptops to employees who need to use them for remote access.

    They will use the laptop to connect to Outlook Web Access, Cisco VPN and Remote Desktop. They have no direct access to the LAN for file transfer over the VPN. The only connection open is the RDP port, so all they can do is connect to the VPN, launch Remote Desktop and use the remote machine to do their work. The laptop is only to be used as an RDP terminal and for access to OWA mail. Because only the RDP port is open, the remote laptops cannot communicate with the SEPM server, so they need to get their definition updates via LiveUpdate when away from the office.

    We want to lock down these laptops as much as possible so they can't download or install anything and/or any changes they do are undone at reboot with Windows SteadyState.  We need to be able to reassign the laptops easily without having to reimage them between each user to clean up junk that the employee or their kids installed at home.

    Is there anything special we need to do to make Endpoint Client and the definition updates work properly with SteadyState so they don't have to repeatedly redownload the same definition updates between every reboot?

    Are there any features built into Endpoint that can restrict changes to the laptop enough so that we don't need to install SteadyState at all?




  • 2.  RE: Laptop Lockdown: Endpoint MR4 MP1 XP Client with Windows Steadystate 2.5?

    Posted Mar 13, 2009 07:44 AM

    If you open Symantec Endpoint Manager, go to "Clients" and open the "Policies" tab, you can choose "System Lockdown".

    Make sure you only apply this policy to a special group so that you can test it thoroughly before deploying.




  • 3.  RE: Laptop Lockdown: Endpoint MR4 MP1 XP Client with Windows Steadystate 2.5?

    Posted Mar 13, 2009 09:20 AM

    I just looked at the Endpoint Lockdown and it seems too inflexible because it won't even allow security updates to be pushed or pulled to the machine or allow the IT staff to make one-off exceptions to allow installing a special app only for one of these shared machines.




  • 4.  RE: Laptop Lockdown: Endpoint MR4 MP1 XP Client with Windows Steadystate 2.5?

    Posted Mar 13, 2009 10:24 AM

    One of the interesting things to consider here though... if you have your endpoints locked down to this extent, do you need to patch?

    If the machine is physically prevented from running unknown applications and processes, then how can a machine be compromised?

    We have customers who run System Lockdown without AV, they haven't had any infections for many years now.

    Admittedly, the installation thing is a bit harder to manage, but you can checksum the installer and all associated files with the install before providing it to the machine, and load multiple fingerprint lists onto the same group, so it is possible.

     

     



  • 5.  RE: Laptop Lockdown: Endpoint MR4 MP1 XP Client with Windows Steadystate 2.5?

    Posted Mar 16, 2009 09:15 AM

    I totally agree with Paul.

    If you lockdown your machine you are no longer vulnerable to any:

    1. Malware, Spyware

    2. Viruses

    3. Vulnerabilities (Fixes, Patches)

    You only need updates/fixes/patches if you want new functionality/features but not to maintain your security level!

    A possible way to make upgrades/updates possible is to disable lockdown temporarily, do the upgrade, and make a new lockdown signature based on the upgraded/updated software. Then enable lockdown again.
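The two replies above describe the same workflow from two angles: checksum an installer and its files into a fingerprint list that an application whitelist enforces (reply 4), and, when something must change, disable lockdown, apply the update, re-fingerprint and re-enable (reply 5). The script below is an added example written for this thread, not Symantec's checksum.exe or any SEPM code. It fingerprints a directory tree with MD5 (the digest System Lockdown lists use), renders and parses a one-line-per-file list, makes the allow/deny decision a whitelist makes, and diffs two fingerprint runs so the post-update re-baseline only adds what actually changed. The "md5 path" line layout is an assumption about checksum.exe's output; compare a real checksum.exe list before importing anything into SEPM. The sample files are constructed in a temp directory and stand in for an installer.

```python
"""Fingerprint-list tooling for an application whitelist (added example)."""
import hashlib
import os
import tempfile


def md5_of_file(path, chunk_size=1 << 16):
    """MD5 of a file's contents, read in chunks so large installers fit in memory.
    MD5 is used only because that is the digest the lockdown fingerprint lists
    carry; treat it as a whitelist identity, not as a tamper-proof signature."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint_tree(root):
    """Walk an extracted installer (or a whole image) and return {path: md5}."""
    fingerprints = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            fingerprints[full] = md5_of_file(full)
    return fingerprints


def render_fingerprint_list(fingerprints):
    """One 'md5 path' line per file, sorted so two runs diff cleanly.
    Assumption: this mirrors checksum.exe's layout; verify before importing."""
    lines = [f"{digest} {path}" for path, digest in sorted(fingerprints.items())]
    return "\n".join(lines) + "\n"


def parse_fingerprint_list(text):
    """Inverse of render_fingerprint_list: the set of approved digests.
    Windows paths often contain spaces, so split only on the first space."""
    approved = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _sep, _path = line.partition(" ")
        approved.add(digest.lower())
    return approved


def lockdown_decision(path, approved):
    """Whitelist semantics: a file may run only if its digest is approved.
    Anything unknown (a fresh download, a game installed at home) is denied."""
    return md5_of_file(path) in approved


def fingerprint_diff(before, after):
    """Digests that appeared / disappeared between two runs, e.g. before and
    after a patch applied with lockdown temporarily disabled. 'added' is what
    must join the list before lockdown is switched back on."""
    before_set, after_set = set(before.values()), set(after.values())
    return after_set - before_set, before_set - after_set


def demo():
    """Constructed sample data (not a real installer): one approved binary and
    one the user dropped on the machine, to exercise whitelist and re-baseline."""
    root = tempfile.mkdtemp(prefix="lockdown-demo-")
    approved_path = os.path.join(root, "approved app.exe")
    rogue_path = os.path.join(root, "kids game.exe")
    with open(approved_path, "wb") as f:
        f.write(b"MZ approved installer payload")      # constructed
    with open(rogue_path, "wb") as f:
        f.write(b"MZ something the user downloaded")  # constructed

    baseline = {approved_path: md5_of_file(approved_path)}
    approved = parse_fingerprint_list(render_fingerprint_list(baseline))
    after_update = fingerprint_tree(root)             # tree as found at re-baseline
    added, removed = fingerprint_diff(baseline, after_update)
    return {
        "approved_allowed": lockdown_decision(approved_path, approved),
        "rogue_allowed": lockdown_decision(rogue_path, approved),
        "added_count": len(added),
        "removed_count": len(removed),
        "roundtrip_ok": approved == set(baseline.values()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The diff step is what keeps the re-baseline honest: instead of blindly re-fingerprinting the whole machine after an update (which would also bless whatever else landed while lockdown was off), only the digests in `added` are reviewed and appended, and anything in `removed` tells you which old entries are now dead weight.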