Practicing (Annoying) Better Security

  • Comments posted to this topic are about the item Practicing (Annoying) Better Security

  • One of the presenters at SQLSaturday Boston had a similar 2-minute auto-lock on his corporate laptop. It was amusing to see as it kept popping out of PowerPoint every minute or two and locking itself because he'd gone "inactive."

  • 2 minutes is too few in my opinion - it happens regularly that I do something else than typing / moving the mouse (even seeing a training video could theoretical trigger that timeout).

    When you set the security bar too high / annoying, people will find a (unwanted) way to bypass it (e.g. by using some software / hardware that moves the mouse a pixel every x seconds)

    IF you really work in a high confidential area, better use either biometric for a quick unlock or a RFID token that you have to wear somewhere on your body, which locks the PC, when you leave the range and unlocks it, when you reenter it.

    • This reply was modified 1 year, 2 months ago by  Thomas Franz.

    God is real, unless declared integer.

  • I would disagree this is better security, security measures should be designed to prevent attackers not annoy the users.  If they become to obnoxious which a 2 minute lockout certainly is it just encourages users to find ways to circumvent them themselves.

  • Brent Ozar wrote:

    One of the presenters at SQLSaturday Boston had a similar 2-minute auto-lock on his corporate laptop. It was amusing to see as it kept popping out of PowerPoint every minute or two and locking itself because he'd gone "inactive."

    I haven't had that happen on a call yet.

    Either I have some weird OCD need to move the mouse or Zoom doesn't let it lock 😉

  • Thomas Franz wrote:

    2 minutes is too few in my opinion - it happens regularly that I do something else than typing / moving the mouse (even seeing a training video could theoretical trigger that timeout).

    When you set the security bar too high / annoying, people will find a (unwanted) way to bypass it (e.g. by using some software / hardware that moves the mouse a pixel every x seconds)

    IF you really work in a high confidential area, better use either biometric for a quick unlock or a RFID token that you have to wear somewhere on your body, which locks the PC, when you leave the range and unlocks it, when you reenter it.

    I haven't had a problem with 2 minutes. I've learned that I will likely need to log in again if I get coffee, move laundry, etc.

    The annoyance is often I am hurrying for a call with lunch or somethign and I need to get things set down and then log in before I can join a call. Maybe this will be a wake up call to clean off more of my desk 😉

  • ZZartin wrote:

    I would disagree this is better security, security measures should be designed to prevent attackers not annoy the users.  If they become to obnoxious which a 2 minute lockout certainly is it just encourages users to find ways to circumvent them themselves.

    It's better security in an insecure environment. I have this on my laptop, though I try to always lock it if I move away.

    At home, kids, partners, etc. should not see Redgate info. Not that they'd disclose it, but it is potentially something that a company is concerned about.

    At one place, we weren't high security, but we were privileged users, so it was a big deal to lock our machines. Other admins had a game of messing with your background, colors, etc. if you didn't to try and remind you to lock your desktop

  • All this talk of a personal PC containing company info, and being shared by other member of the family, is horrifying to me.

    Our strategy is this:

    • Personal devices are not allowed. Working from home is only via a a company supplied laptop, which is authorised to connect to the company VPN. No other devices are able to connect to the VPN.
    • The laptop has nothing stored locally, it is essentially a dumb terminal for remote access. It is powerful enough however to allow three 4K monitors to be connected via a dock, so user experience is not compromised.
    • All developers have a desktop at the office on which they do their work (via RDP). Eventually we will replace these with VDIs.
    • Other users are all working via web browsers, or will use RDP to a common server for other work.
    • Lock is set at 10 minutes on all devices. This may seem long, but all the other security measures allow it to be this long.
  • Keeping corporate data on your laptop or phone is an accident waiting to happen. Aside from the creeps who lurk around food courts waiting for you to refill your drink, police or airport / customs agents can confiscate your device for a variety of reasons. I think virtualized desktops are the path forward. Yes, is you lose internet connectivity, then a device used as a RDP client is useless, but that's basically how it is with a fat client anyhow since the database, Azure, Git, Slack, and all the other stuff we need to get things done are all in the cloud.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Eric M Russell wrote:

    I think virtualized desktops are the path forward. Yes, is you lose internet connectivity, then a device used as a RDP client is useless, but that's basically how it is with a fat client anyhow since the database, Azure, Git, Slack, and all the other stuff we need to get things done are all in the cloud.

    They're only the future when you have 24/7 Internet connectivity. Here are just a few examples of places I've worked while disconnected from the Internet:

    • Planes and cruise ships - because often the Internet connection drops for minutes at a time, or the firewalls block useful services. (Drives me crazy that several airlines block Github.com, for example.) I can do my work offline, and then upload & sync when the Internet returns or when I'm back on dry land.
    • Client sites - I've had clients where I was given access to their network, and only their network, and not allowed to connect to the public Internet. In those cases, I had to have Github locally with the First Responder Kit, and could make new branches with code changes for their specific environment.
    • Conferences - because sometimes the conference organizers don't have dedicated Ethernet cables for presenters, or the conference WiFi is overwhelmed, and I can't get good cell phone signal in the venue.

    I do have hope that in the future, we'll have good 24/7 high-speed Internet connectivity everywhere. That's just a hope for the future though - today, I still gotta work offline.

  • Eric M Russell wrote:

    Keeping corporate data on your laptop or phone is an accident waiting to happen. Aside from the creeps who lurk around food courts waiting for you to refill your drink, police or airport / customs agents can confiscate your device for a variety of reasons. I think virtualized desktops are the path forward. Yes, is you lose internet connectivity, then a device used as a RDP client is useless, but that's basically how it is with a fat client anyhow since the database, Azure, Git, Slack, and all the other stuff we need to get things done are all in the cloud.

    I disagree. This why you have disk encryption and MFA or strong auth for users.

    Plus, often your RDP system could still have credentials on it, or a keylogger gets what you type. This isn't quite the security system you think it is.

  • Brent Ozar wrote:

    Eric M Russell wrote:

    I think virtualized desktops are the path forward. Yes, is you lose internet connectivity, then a device used as a RDP client is useless, but that's basically how it is with a fat client anyhow ...

    They're only the future when you have 24/7 Internet connectivity. Here are just a few examples of places I've worked while disconnected from the Internet:

    ...

    I agree here, especially in the era of remote work, or flexible work where people may work in many places or many hours.

    Even if we have great connectivity in most places, there are plenty of places I transit where I don't have good connectivity. For me, here are some issues I've had this year:

    • Colorado outside of the front range - connectivity in mountains is hit/miss.
    • Wyoming - Almost anywhere can be hit or miss
    • Downtown Boston - I've had the local area overloaded and been unable to work in a hotel. Worked one day, didn't the next.
    • All the places Brent mentioned, but airplanes and airports are common places to work where connectivity is problematic
    • Lots of third parties have issues with VPNs, and connectivity is broken. Could be a client site, or could be a coffee shop/restaurant/etc.

      There's also lots of corporate work that isn't privileged.  I might be writing a report or doing a non confidential memo to someone, and I want to work. Not having the ability to do that without an RDP client isnt' great.

      Plus someone is going to screw up an remote desktop upgrade and then what? Everyone is down? I dislike single points of failure and RDP desktops often become these.

    Or we might need to hire someone that walks around an office rebooting desktops that have frozen. I see those messages in slack all the time.

  • we have a ton of stuff local saved (as developer), but the disks of our notebooks are encrypted. Of course this is not 100% secure, if the police storms my flat while the PC is on or someone stoles it on the train / train station, while the laptop is turned on or only in standby some specialists can read disks from the disk without unlocking my Windows, but this are very special cases

    God is real, unless declared integer.

  • If I'm on an airplane or Zenning out in the middle of nature without internet connectivity, then it's either a weekend or I'm on PTO, in which case I'm not even thinking about getting some work done. Occasionally, on a work day my home internet service will go offline for a few hours, but I can just drive a few blocks to the library and finish from there. Broadly speaking, there is no excuse for having a copy of a corporate database with protected data sitting on one's personal laptop, and RDP provides all the access I need.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • That's a you thing. There are lots of others that don't have that luxury.

    However, plenty of people can work, and have code, without having protected data on a laptop. That is a separate things from having an RDP dumb terminal with you as opposed to a machine that can do work. There are plenty of solutions to get useful, but safe data onto a laptop.

Viewing 15 posts - 1 through 14 (of 14 total)

You must be logged in to reply to this topic. Login to reply