Anti-Employee Monitoring & Laptop Security

Hi all! I'm thinking there is quite a lot more intrusion / security / spyware expertise here than the little that lies inside my head. Advice please!

I work for myself as a one-man contractor. Due to business (and basic privacy) reasons, my mission today is to lock-out any corporate employee monitoring / spyware I can from my laptop - which is my own company's machine, NOT my client's - and future monitoring software from getting a foothold.


Background and What I've done so far:
- i access two different networks: a home wi-fi router (that is actually the client's corporate apartment and their router) and the network domain at their office
- setup the router myself with password protection on its config, the default firewall protection (whatever THAT is), and wireless WPA encryption with 128-bit security key
- Installed ZoneAlarm Security Suite and updated it
- configured it to be pretty aggressive and to also notify me of EVERYthing (to help me to I.D. and track and destroy potential threats)
- purged / cleaned every stored cache I could think of (via ZoneAlarm's Cache Cleaner utility)
- been using A.I.'s RoboForm forever for storage and encryption of passwords and IDs for the sites i visit regularly
- I've consolidated all my data (which I store under docs & settings on my hard drive) under a single logon on my laptop. That logon ID is resident on the client's domain. I have MAJOR questions about what kind of vulnerabilities that I've set up for myself on that one . . .
- also, I believe that me logging onto their network gives the domain's administrators admin priveleges into my machine . . . ?
- I have a mapped connection to a network drive on my client's server
- I no longer have my email client configured for POP access to my private email accounts (i.e. accounts that may have any sensitive info coming through them) and must check the mail from those on their websites (at least while within the client's network domain)



Here's what I'm considering doing:
- getting http://www.ccleaner.com to *further* empty my histories on stuff on my laptop
- getting one of the many anti-key logging utilities out there (does anyone have any recommendations? is this even necessary now that I have ZoneAlarm running?)
- encrypting my hard drive, or at least my /documents & settings (i'm a little scared of this one for some reason. any thoughts?)
- using PGP to/from those of my email contacts where sensitive information is exchanged (is this any good now that it's commercial? any others out there I may consider?).
- adding "Essential NetTools" to my laptop to give me a larger window into how the processes on my machine are accessing networks
- changing the data structure and logon IDs on my laptop <yet again> BECAUSE: Isn't my password for my domain account resident on the client's domain server? I guess this means that they could log onto my laptop as *me* anytime they want!?! Ugggh. Maybe I shouldn't have consolidated all my personal data under my client's domain's user name. Wondering if it's possible to set things up so that I could both log onto their domain to access the files and such I need on their server *AND* prevent anyone but me from accessing my files on the hard drive . . . ? Maybe have to use two different logons to the laptop, and deny privileges to my domain logon ID from accessing my files and settings? ENCRYPT the doc's & settings?



Any comments on the above? On how I can add to the protection? On anything mentioned that's absolutely worthless? On any Windows & Windows networking configuration changes I need to make? On any ZoneAlarm Security Suite configurations I should definitely have in-place? (On basic paranoia? lol)

Many Thanks!

Pan

 

Hello,
The only way you can 100% be sure there's nothing there is a format and fresh installation.
Mrk

 

WPA doesn't have 128 bit encryption . For the maximum security setting, I would set the encryption to WPA2 which is the latest and greatest. Make a completely random 63 letter and number key by opening up Notepad and randomnly banging on the keys. Then save this .txt file on a usb drive and copy and paste it into the router's config and the laptops config. Keep the SSID broadcasting and disable MAC filtering because these are worthless security measures and only hamper connection efforts between your laptop and the router

Set ZoneAlarm to put your networks in the "Internet" zone to prevent intrusions.

ZoneAlarm will catch most keyloggers since you have the Pro version.

You might want to replace the ZoneAlarm av with a more robust av since it isn't very strong.

Read this part of my "clean speech" I give to people whose computers I fix to get some more ideas:

Ewido Anti-Malware 3.5 from Here http://www.ewido.net/en/download/
A-Squared Anti-Malware from Here http://www.emsisoft.com/en/
Spybot Search and Destroy from Here http://www.safer-networking.org/en/download/index.html
Ad-Aware SE Personal from Here http://www.lavasoft.de/software/adaware/

4) Spyware/Malware Prevention
Use these to help secure your browser and prevent malware from installing
Javacool’s Spyware Blaster: Prevents the installation of spyware and other unwanted software
Available Here http://www.javacoolsoftware.com/spywareblaster.html

IE-SPYAD which blocks bad sites from harming your computer, it is available here http://www.spywarewarrior.com/uiuc/resource.htm#IESPYAD_ZO

5) Secure Internet Explore by:

1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.

a. Change the Download signed ActiveX controls to Prompt
b. Change the Download unsigned ActiveX controls to Disable
c. Change the Initialize and script ActiveX controls not marked as safe to Disable
d. Change the Installation of desktop items to Prompt
e. Change the Launching programs and files in an IFRAME to Prompt
f. Change the Navigate sub-frames across different domains to Prompt
g. When all these settings have been made, click on the OK button.
h. If it prompts you as to whether or not you want to save the settings, press the Yes button.
5. Next press the Apply button and then the OK to exit the Internet Properties page.


6) A Secure alternative browser from Internet Explorer (these two are free)

I recommend using Firefox available Here http://www.mozilla.com/firefox/ with the AdBlock Plus, AdBlock Filterset.G Updater, NoScript, SiteAdvisor, and Spoofstick extensions (a lot I know, but it takes security to a new level)

Or

Opera from Here http://www.opera.com/

7) Keep your Windows’ Operating System up to date, to do so visit Windows Update at least once a month Here http://www.windowsupdate.com (must be visited in Internet Explorer)

Also, activate Automatic Windows Update by

1) On the Desktop, right-click My Computer.
2) Click Properties.
3) Click on Automatic Updates
4) Check the option of choice (I use Automatic (Recommended)). If you use dial-up I would recommend using the
Notify Me option so that you can download when you can afford the time and bandwidth overheads.
5) Select the Day/Time of choice
6) Click Apply
7) Click OK

Safe Computing,

Alphalutra1

 

Thanks Mrk and Alpha!

Mrk - I'm comfortable not having "full 100% sureness" if it means that I do not have to reformat and reinstall everything! "90% sureness" is fine!

Alpha - I'm looking into the specific differences between ZoneAlarm's different components vs. the ones you recommend below.


I suppose that my more "general" questions in my original post concern me:

* any software SPECIFIC to anti-employee monitoring? that is - made to work against others WITHIN the same network that would normally be a "trusted" environment?

* should I rearrange my data structure under a different user name, not on the client's domain?

* should I try to remove admin privileges from the domain admin's from EVERYthing on my laptop? is this even POSSIBLE?

* would ZoneAlarm notify me of employee monitoring components? vs. "traditional malware" like trojans, viruses, worms, etc.

* any boon to "Essential Nettools," or other products like it, to give me more information on connections into/out of my laptop?

* and what about encryption to prevent domain admins from accessing my personal data?

Cheers!

Pan

 

Employee Monitoring Software = "Malware"

I've pretty much posted the same original post in four different online forums centered around spyware and network security and privacy and such. I would've thought that I would have received more replies by now, but then it hit me: my subject line says it all.

Technically, isn't "employee monitoring software" the same thing as "spy-ware?" And isn't "spy-ware" a subcategory of "malware?"

I'll bet that the reason you can't find much information on-line, even after the intensive (& fruitless) research I've been doing on employee monitoring software the past two days, is because it's big business! And wouldn't you lose a buck or two if people actually KNEW how to defeat your product? There isn't even a single product that I can find even MARKETED to defeat employee monitoring software! That's amazing, considering that I can BET you it would sell like hotcakes.

AN ASIDE:
Would any "spyware / malware" programmers out there who are trying to clean their act up and "go legit" care to meet to discuss a business idea I have? I bet you can actually earn big $$$ with your knowledge of spyware, instead of just pissing countless people off!

Not wishing to bring up the philosophical implications, but incapable of preventing myself: Because it's my machine and not my client's, I believe that I am within my rights to prevent them from placing spyware on my laptop even if I *AM* within their domain.

I should do one of those poll things . . . lemme see if I can initiate one . . .

but, ummm, in the meantime can someone tell me why my C drive has a hidden share on it? C$ scares me and when I try to take the permissions away (even as administrator login on the local laptop's "domain"), it says that even if I did it, upon reboot or logout it'll simply be "re-enabled for administrative purposes" or some such.

Could this be because the client's domain administrators are included in the laptop's local administrators group?

Peace,

Pan

. . . dammit can't find the "poll option" anywhere

 

Alphalutra, could you list a few AV programs that are, IYO, more robust than Zone Alarm's AV component ??
ETA: (well, from your sig, I would anticipate NOD32, but any others ?)

How you don't mind the supplemental question here, Panoramic.

 

Perhaps the info provided by the topic poster has confused me...if so please ignor this post.........


My confusion comes into play simply by wondering why the person's Client is being allowed access to the laptop............when there are numerous programs that will provide storage of files.., etc., ......the poster would simply access the storage program which is located on the client's server.....copy or enter copies of whatever files are needed....an move on down the Pike............one such program would be COLUMBUS......but there are many more.........CAD files can be stored.....financial data.....much more.........an no one has access to the other person's personal data...

 

To give you an idea of what I am mentioning...here is a link to Columbus for info purposes only




http://www.oasys-software.com/products/dm/columbus/

 

Domains, Domains, Domains

That person, being me, sits in the client's offices much of the time and use their servers not only for the data that's on them, but also for printer access and I POP mail through them as well (although I'm stopping that as of my "security crackdown" this weekend). So not only would I have to persuade the client to purchase additional software and install and maintain it on their server (i.e. Columbus and such like) just for me, but I believe that I would lose print access if I left their domain. Neither thing is very viable in my circumstances, but I do thank you for the suggestion, Snow.

Now, back to the persistent question. Since the client's domain administrators group is listed in my laptop's local domain administration group, shouldn't I remove that? And couldn't they have been the one to set up the share on my C: drive? Because I sure didn't do it! (Has anyone else noticed that their C$ shared and unchangeable due to "administrative reasons?")

Pan