Increasing security for Windows laptops in a mostly Linux organization

Hi,

I’m interested in increasing the security of Windows laptops in an organization which is mostly Linux (R&D, product) but has Windows machines (laptops), from which engineers connect to Linux dev machines and do their work (either in the office or remotely using VNC).

One approach that I heard is to create a Windows domain controller on top of a Windows Server and, with group policies, have better control over the Windows laptops. This would require having Pro licenses (most laptops are Home edition), and sounds quite expensive, both in time/labor to set it up correctly and in cost of licenses. We have no other use case for Windows Server or an Active Directory domain controller.

I saw a tool in one of the videos called Solarwinds RMM. Since in “securing a Windows machine” my intentions are to ensure patching and have control over what users install on their laptops, it looks like a better fit. I don’t know if this kind of tool is complementary to, or replaces the need for, Pro licenses and/or an Active Directory domain controller.

I’m not an expert when it comes to the Microsoft environment, and would love to hear any ideas or thoughts about this issue.

Solarwinds is also a bit pricey to use just for that, and it is complementary to having a Windows Domain. You might want to look at moving these systems to Pro and using something like Azure AD to manage them.

1 Like

If they are work laptops, why don’t you just wipe them and put a Linux distro on and manage them like the rest of your environment?

If not, I would probably use an antivirus that allows application control, and then use a service like https://www.manageengine.com/patch-management/ (free for less than 20 machines) or PatchMyPc.

I use TrendMicro and deploy local security policies for non-domain-joined systems via PS. I create a local admin account for each system and use it for authentication. I HIGHLY recommend you use a different password for each system.

Hi Fred,
What do you use to push out the scripts?

PowerShell directly from a Windows box. Look for Windows PowerShell ISE.

1 Like
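
The per-machine local admin account with a different password on each system, mentioned in the replies above, could be set up with a script like the following. This is an added example, not code posted by anyone in the thread. It assumes Windows PowerShell 5.1 with the built-in LocalAccounts cmdlets, an elevated session on the laptop itself, and a hypothetical account name `corp-admin`.

```powershell
#Requires -RunAsAdministrator
# Added example: run locally on each non-domain-joined laptop.
# 'corp-admin' is a hypothetical account name, not one from the thread.
param(
    [string]$AccountName = 'corp-admin',
    [int]$Length = 24
)

function New-RandomPassword {
    param([int]$Length = 24)
    # Alphabet leaves out look-alike characters (I, O, l, 0, 1)
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+=?@'.ToCharArray()
    # Cryptographic RNG, so passwords cannot be predicted from one another
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 4
    $chars = for ($i = 0; $i -lt $Length; $i++) {
        $rng.GetBytes($bytes)
        $alphabet[[BitConverter]::ToUInt32($bytes, 0) % $alphabet.Length]
    }
    $rng.Dispose()
    -join $chars
}

# A fresh password is generated on every run, so no two machines share one
$plain  = New-RandomPassword -Length $Length
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

if (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue) {
    # Account already exists: rotate its password
    Set-LocalUser -Name $AccountName -Password $secure
} else {
    # Create the account, then add it to the built-in Administrators group.
    # The well-known SID is used so the script works on any display language.
    New-LocalUser -Name $AccountName -Password $secure `
        -Description 'Per-machine management account' | Out-Null
    Add-LocalGroupMember -SID 'S-1-5-32-544' -Member $AccountName
}

# Emitted once to the console for recording in a password manager;
# the plaintext is never written to disk by this script.
[pscustomobject]@{
    Computer = $env:COMPUTERNAME
    Account  = $AccountName
    Password = $plain
}
```

Running it again on the same laptop rotates the existing account's password rather than creating a second account.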