Keep users in line even when they're on the road
Many of the messages I receive from readers are about problems managing the ever-growing force of mobile users. Your mobile users require special handling: Common tasks such as implementing security or upgrade procedures can become a challenge, and you must deal with chores such as configuring dial-up connections and providing a way for your mobile users to connect to the network during onsite visits. To further complicate matters, you often need to rely on mobile users to carry out tasks that you typically handle.
You urgently need to develop administrative procedures to effectively manage these road warriors. Your policy should be to perform most configuration steps on your company's mobile machines before you distribute them to users, and to recall those machines to perform upgrades or other major configuration changes. At the same time, you need to provide mobile users with clear, detailed instructions for performing tasks such as using Encrypting File System (EFS), configuring dial-up connections, requesting certificates, using Offline Files, and installing hotfixes. Clear communication about what you expect of your mobile users is key to successful administration of their computers.
Using NTFS and EFS
Your top priority in administering mobile users should be security. Laptops are more likely than desktop machines to be lost or stolen, putting data at greater risk. One way to reduce such risk is to take advantage of Windows 2000's data-encryption technology.
Every Win2K laptop that your company owns should run NTFS, and you should enable EFS, a built-in Win2K facility for encrypting NTFS files, on them all before you turn them over to users. Provide users with documentation about the way EFS works and with a list of must-do procedures to protect all documents, temporary folders, and other important files (e.g., company databases). Instructions with a "do this or your job isn't worth anything" spin should help users understand that they can never be lax about laptop security. You might also point out some of the many available articles about users who've lost (frequently to thieves) laptops that contained secret or sensitive company information. (I don't have enough room to cover EFS in detail, so for information about what EFS is, how it works, and what precautions it requires, see "Related Articles in Previous Issues," page 74.)
Configuring Dial-Up Connections
If your laptop users log on to your network through a dial-up connection, your best bet is to create the connection before you turn over the laptop to the user. If you can't do so, be sure to provide users with clear, detailed instructions that cover the following steps. (These steps assume that your users dial in to a RAS or RRAS server on your network, a common setup. For more information about RAS and RRAS, see "Related Articles in Previous Issues.")
Select Settings, Network and Dial-up Connections, then double-click Make New Connection to open the Network Connection Wizard. Select the appropriate option (usually Dial-up to private network) and click Next. Enter the phone number of the network that users will connect to. This screen also contains a Use dialing rules option. These rules provide supplemental dialing information, such as area code or an additional digit that users must dial to reach an outside line from a hotel or corporate location. Depending on users' locations, they might need to use or change the rules as they travel, so be sure to include an explanation of dialing rules in any instructions you give laptop users.
The wizard also prompts you to specify whether to make the connection available For all users of the computer or Only for myself (i.e., for only the currently logged-on user). If you're creating the connection for a mobile user, you obviously need to make the connection available to all users, not only yourself. Also, many laptops have a way of circulating through a group of users, so if you're providing instructions to mobile users who are creating connections, be sure they also choose the For all users option.
Finally, the wizard prompts you to enter a name for the connection. You can use your company name, a name such as HomeOffice, or any name that indicates that the connection dials in to the company network. The wizard also gives you the option to Add a shortcut to my desktop. Selecting this check box is a good idea because Win2K puts the new connection object in the Network and Dial-up Connections folder, a subfolder under the Control Panel object in My Computer and Windows Explorer. Users who migrated to Win2K from Windows 9x are accustomed to finding the connection object in the Dial-Up Networking folder in My Computer, so they frequently have trouble finding the connection in Win2K.
When you click Finish, Win2K automatically opens the new connection so that you can test it or configure its properties. If you're providing users with instructions for creating the connection, instruct them to clear the Save Password option that appears in the connection dialog box. This option is too dangerous for mobile machines, which users often take into unsecured areas and which are always vulnerable to theft. As an added precaution, you can tweak the registry to disable the Save Password option (in relation to phonebook entries) on mobile machines before you distribute them to users. To do so, open a registry editor and go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters subkey. Add the value entry DisableSavePassword (of type REG_DWORD) and set it to 1.
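The registry setting described above can be checked and applied across a batch of laptops before they are handed out. The following is an added example, not part of the original article: it assumes an administrator's workstation that has PowerShell (which is not part of Windows 2000), that the Remote Registry service is reachable on each laptop, and that the computer names and the function name Confirm-DisableSavePassword are placeholders invented for illustration.

```powershell
# Added example: audit and enforce DisableSavePassword on laptops being staged.
# Assumptions: run from an admin workstation with PowerShell, Remote Registry is
# reachable on each laptop, and the computer names below are constructed placeholders.
$Laptops = @('LAPTOP-EXAMPLE-01', 'LAPTOP-EXAMPLE-02')
$SubKey  = 'SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
$Name    = 'DisableSavePassword'

# Hypothetical helper: returns KeyMissing, Compliant, NonCompliant or Fixed.
function Confirm-DisableSavePassword {
    param([string]$Computer, [switch]$Enforce)

    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    try {
        # Open the key writable only when a change is intended.
        $key = $hive.OpenSubKey($SubKey, [bool]$Enforce)
        if ($null -eq $key) { return 'KeyMissing' }
        try {
            $current = $key.GetValue($Name, $null)
            $kind = if ($null -ne $current) { $key.GetValueKind($Name) }
            # Compliant only if the entry is a REG_DWORD set to 1.
            if ($kind -eq 'DWord' -and $current -eq 1) { return 'Compliant' }
            if (-not $Enforce) { return 'NonCompliant' }
            # Overwrites a missing, zero or wrongly typed entry.
            $key.SetValue($Name, 1, [Microsoft.Win32.RegistryValueKind]::DWord)
            return 'Fixed'
        } finally { $key.Close() }
    } finally { $hive.Close() }
}

foreach ($pc in $Laptops) {
    try   { $state = Confirm-DisableSavePassword -Computer $pc -Enforce }
    catch { $state = "Error: $($_.Exception.Message)" }
    '{0,-20} {1}' -f $pc, $state
}
```

Omit -Enforce to report the current state without changing anything, which is useful when a recalled laptop comes back for an upgrade.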
To refine the configuration, click Properties in the connection dialog box to open the connection's Properties dialog box. The options you should select depend on your network setup (e.g., its security settings) and also reflect user-specific and location-specific information. The most important configuration options are those that appear on the Security tab.