How to provide a laptop and protect the data on it from being copied?

I want to hire an employee in another city and provide him with a workstation, but protect the information on the device from being copied (the device itself will be at the employee's disposal). The disks should be encrypted, connecting external devices should be disallowed, and network access should be allowed only through the company server (where only specific IPs will be reachable). Has anyone done something like this? By what means can it be implemented (paid ones included)? The OS does not matter, as long as the solution is cross-platform.
If we're talking about the same gateway for Internet access, it should be possible to spoof the server by manipulating the routing.
June 26th 19 at 14:03
11 answers
June 26th 19 at 14:05
>> at the disposal of the employee

No way.
Why? From the point of view of logic I don't see any problems; the only question is the availability of ready-made solutions. Potential privilege-elevation vulnerabilities in the OS can be neglected. - Tyshawn11 commented on June 26th 19 at 14:08
: I have already said why: because "the offender" has full access to the device.
I can pull the hard drive and copy its contents byte-by-byte to another machine, I can put a sniffer between your laptop and the server and intercept all traffic, I can photograph the screen and recognize the text from the pictures. Are you not sure what you mean by FULL access? - Anabel.Donnelly commented on June 26th 19 at 14:11
: All your "from the point of view of logic" collapses at a banal 3 megapixels from a lousy phone. - logan66 commented on June 26th 19 at 14:14
Yes, you are right, but in our case it can be neglected. Defending against that kind of copying is not part of the task. - Tyshawn11 commented on June 26th 19 at 14:17
and don't forget about MITM - Ferne_Hil commented on June 26th 19 at 14:20
Encryption and trusted certificates - Tyshawn11 commented on June 26th 19 at 14:23
The employee can boot from a Live image and dump all your information himself. - Gussie_Hansen commented on June 26th 19 at 14:26
Even standard BitLocker will protect against that - Tyshawn11 commented on June 26th 19 at 14:29
Then the key should be stored in the hardware TPM.
But if copying from the screen is not the problem, then why doesn't terminal access satisfy you? With it you get full control over activity. And loss of the device is not a disaster for you or for the employee. Otherwise you will not believe him that the computer was stolen or taken from him. - Garland.Aufderhar22 commented on June 26th 19 at 14:32
June 26th 19 at 14:07
Have the employee sign an NDA, or whatever the document is called, on non-disclosure, and you'll be happy; and if you suspect a leak, go to court and be done with it.
An NDA, sure, but this alone is not enough (it is virtually impossible to prove anything in case of a leak) - Tyshawn11 commented on June 26th 19 at 14:10
So neither you nor anyone else will give a 100% workable solution. Another thing is that you yourself are part of the law that will protect you. And an NDA without a DLP system deployed in the organization's network is money down the drain - Anabel.Donnelly commented on June 26th 19 at 14:13
Read about DLP solutions; there are open source ones and paid ones - logan66 commented on June 26th 19 at 14:16
>> if you suspect a leak, go to court and be done with it

Mere suspicion is not enough. You need proof. If you sue me on the basis of "suspicion", I will file a counter-claim for protection of business reputation. Moreover, the damage to my reputation will be obvious (easy to prove), while how you will prove your suspicions is unclear. - Tyshawn11 commented on June 26th 19 at 14:19
: you have probably never sued anyone in Russia - Ferne_Hil commented on June 26th 19 at 14:22
June 26th 19 at 14:09
Technically, no way.

The only competent way is to pick people who value their reputation and have a high level of professional ethics. The only thing is that many such people will not go to your sharaga if it does not have an equally excellent reputation. Protect your honor from youth, as they say.
June 26th 19 at 14:11
No.

Although you did not specify: from copying or from a leak? A leak is arranged by trivially rewriting things on a piece of paper :) Theoretically it can be prevented only by using SMP with webcam monitoring on the laptop, and that will be useless without Internet.
Making a copy of the files on removable media, preserving their structure so that it is more convenient to work with, is also possible. Even with all the imaginable bells and whistles. No administrative rights? So take Hiren's boot CD, reset the local admin password, raise privileges, without using any vulnerabilities! Once you have the permissions, you can disable any guards and register any device as trusted. You can even make a plain copy of the drive by other means, for example Acronis. And then dig through the copy of the drive as much as necessary.
Yes, SMP can notify you about the leak after the fact, when the laptop goes out to the Internet, if the buffer does not overflow. But it cannot prevent the fact of the leak, especially if it's not a DB but some kind of photo :)

Full access is full access. This is the danger of every "cloud" service provider, and they know it, and so they try to get your data...
Hiren's won't see a BitLocker-encrypted drive if the password is baked into something hard to dig out and configured with UEFI SecureBoot. But the principle is correct. Ideally, not to prohibit, if the device is handed over for use. - Tyshawn11 commented on June 26th 19 at 14:14
If the value is in the way the information is organized, and not in the information itself (such as a database with thousands of customers with phone numbers and volumes, valuable not so much for the phone numbers as for the fact that all this is together), then yes, it is difficult to copy; if the value is exactly the information itself, it won't work, because the employee still has to work with it :) But there is another category of information, where the mere fact of its existence is very interesting to others; for example, one staff member took a photo of another employee, without anything... - Anabel.Donnelly commented on June 26th 19 at 14:17
June 26th 19 at 14:13
The displayed information can be trivially written down, photographed, or recorded on video.
Yes, you are right, but in our case it can be neglected. Defending against that kind of copying is not part of the task. - Tyshawn11 commented on June 26th 19 at 14:16
: Then it's much easier. Deploy the system and give the employee remote access. - Anabel.Donnelly commented on June 26th 19 at 14:19
: Offline access is also required - logan66 commented on June 26th 19 at 14:22
: Then almost nothing. If you have full physical access to the computer, all the protection is easily removed; it is enough to obtain administrative rights. - Tyshawn11 commented on June 26th 19 at 14:25
: And if we assume that the user runs with restricted rights and privilege escalation is not possible (vulnerabilities do not exist)? It is a reasonable assumption. - Ferne_Hil commented on June 26th 19 at 14:28
: vulnerabilities are everywhere. The only question is how valuable the information is relative to the cost of the time required to find a vulnerability that gives access to it. - Tyshawn11 commented on June 26th 19 at 14:31
:
>> and escalation of privileges is not possible (vulnerabilities do not exist). It is a reasonable assumption.
Take a full image and wait; a vulnerability will still turn up. A privilege-escalation vulnerability is found at almost every hacking contest. - Gussie_Hansen commented on June 26th 19 at 14:34
: Full access and escalation are not even necessary; it is sufficient to reset the admin password, which is possible on *NIX and on Windows.
If the drive is encrypted, then either the user knows the password, or the password is stored in an unencrypted area, on a separate hardware token, or is computed from the computer's data. In any case, you can take an image and decrypt it. - Tyshawn11 commented on June 26th 19 at 14:37
: just today on Habr there was news about a hole in a Windows antivirus through which you can obtain administrator rights - Garland.Aufderhar22 commented on June 26th 19 at 14:40
June 26th 19 at 14:15
To answer this question, you will have to tell a lot more:
1. What to protect
2. The threat model (the "model of the offender")
...because protecting everything from everyone will not work. Even if you don't need offline, a sniffer can be opened. Encrypt? OK, there is the admin. The admin is deaf, blind and god-fearing? OK, there is a cleaner who will leave a camera at the admin's place. There is no cleaner? OK, there are special services that will plant a micro-camera...

There will always be a limit beyond which overcoming it is unprofitable, and that limit separates your intruder model from infinity. And this limit depends on item 1, what you protect.

So what and from whom do you want to protect?
Model of the offender? Yes, the author's "intruder" is already sitting at the PC and has FULL access to it. - Tyshawn11 commented on June 26th 19 at 14:18
: don't speak for the author. Even so, he is certainly not the only offender. - Anabel.Donnelly commented on June 26th 19 at 14:21
: Read the topic, the author has said everything himself. I agree that the hired worker is not the only threat. - logan66 commented on June 26th 19 at 14:24
In the current formulation the question is an impossible task, right. But I'm asking the author to separate the flies from the cutlets. Who knows whom he actually wants to protect against. - Tyshawn11 commented on June 26th 19 at 14:27
June 26th 19 at 14:17
Why recruit people who want to leak everything and run? No technical means will save you from such an employee once he can get access to the information.

But if the employees are loyal, and you are protecting against unintentional deletion or theft of information by third parties, then something can be done:
1. Sign a non-disclosure document.
2. Install and configure: a system of protection against unauthorized access, DLP, firewall, anti-virus.
3. Centrally collect and monitor logs.
4. Full encryption of all disks, including the boot disk.
5. Seal the case and the disk compartment.
6. Strong login: tokens, smart cards, etc.
7. A decent salary for the employee, for the suffering endured in the course of performing his duties.
8. Prohibit Internet access.
And the user should not have admin rights, of course. - Tyshawn11 commented on June 26th 19 at 14:20
In principle, the checklist for the author turned out great :) Something to think about: is this information even a fact? - Anabel.Donnelly commented on June 26th 19 at 14:23
To the above I would add:
The user must acknowledge in writing all the protection tools working on his laptop; he needs to be told what exactly each kind of protection does and what it protects.
The employee must give consent to remote control.
Such employees need regular training and testing in information security. - logan66 commented on June 26th 19 at 14:26
Here, as always, it's the fight between sword and shield, i.e. a risk calculation. Is the money spent on security worth the money a leak may cost?
Maybe it's not worth shooting sparrows with a cannon?
And most importantly: have him sign for acquaintance with all documents on non-disclosure, commercial and official secrets, computer/document handling, information security orders... - Tyshawn11 commented on June 26th 19 at 14:29
June 26th 19 at 14:19
Give terminal access to your resources with the relevant safety regulations. Although in this case the employee can simply take a picture of the screen with the information of interest.
Offline access is also required - Tyshawn11 commented on June 26th 19 at 14:22
June 26th 19 at 14:21
I support Windows Remote Desktop.
But there are solutions for the laptop too:
- Encrypting the laptop is possible and even necessary: VeraCrypt will help, and you can configure a hardware USB key (something like ruToken with a PIN code) so that the person does not know and does not use the password, but inserts the key and enters the PIN for the laptop to boot. Because a complex password he will write down on paper.
- Device control: paid software, Kidlogger: blocks the connection of other devices, Bluetooth, DVD, bans downloads from the Internet (and uninstalling it as well), sending files to the network including LAN/FTP, and will monitor user activity, screenshots and so on.
- As for networking, I can't think of a solution at the moment.
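As an added example that is not from this thread, here is a minimal Windows baseline for the controls the question and this answer describe: full-disk encryption with the key sealed in the TPM plus a pre-boot PIN (as one comment above suggests), outbound traffic allowed only to the company gateway, and USB mass storage disabled. The gateway address is a placeholder I made up; the cmdlets and the USBSTOR registry value are standard Windows.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the laptop.
# 203.0.113.10 is a placeholder for the company VPN/gateway address (assumption).
$Gateway = '203.0.113.10'

# 1. BitLocker with TPM + PIN. The TPM alone unlocks the disk at boot, so a
#    stolen laptop would still reach the logon screen decrypted; the PIN is
#    the protector that actually matters when the device is out of your hands.
$Pin = Read-Host -AsSecureString 'Pre-boot PIN'
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 `
    -TpmAndPinProtector -Pin $Pin -SkipHardwareTest
# Add a recovery password and escrow it centrally; it must not stay on the device.
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -ExpandProperty RecoveryPassword

# 2. Egress only to the company gateway: block all outbound by default,
#    then allow the gateway and DHCP (so the laptop can still get an address).
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
New-NetFirewallRule -DisplayName 'Allow company gateway' -Direction Outbound `
    -RemoteAddress $Gateway -Action Allow -Profile Any | Out-Null
New-NetFirewallRule -DisplayName 'Allow DHCP' -Direction Outbound `
    -Protocol UDP -RemotePort 67 -Action Allow -Profile Any | Out-Null

# 3. Disable the USB mass-storage driver (Start=4 means "disabled").
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
    -Name Start -Value 4

# 4. Verify what was applied.
Get-BitLockerVolume -MountPoint 'C:' | Select-Object VolumeStatus, ProtectionStatus
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
```

This raises the cost of copying rather than making it impossible: as the thread points out, a user with the PIN and physical access can still image the disk, so the firewall and device rules need a non-admin user account to mean anything.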
June 26th 19 at 14:23
Set up round-the-clock video surveillance of his workplace and post a guard as an observer.
Why hand the computer over to him at all? It is possible to have him work remotely with resources that are physically in another city, and to limit his rights to copy.
June 26th 19 at 14:25
I am also for access via RDP. If you give him a laptop, it is better to provide a weak laptop with no mobile Internet and RDP to the workstation than to fool around with a task that cannot be implemented in principle. I implemented access for several employees this way. (Though I have full access and no NDA; no one signed anything with me, but I'm a decent person and the kind of employee you'd wish for.)
