Physically Locate Laptop
Posted by caribbeanjon@reddit | sysadmin | 36 comments
We are required by certain government agencies not to do business in or with certain "hostile powers" and are also required to follow tax law in countries in which we do operate. Occasionally we'll hire someone and, despite plenty of warning, they will try and work from somewhere they are not supposed to, or take their work laptop or phone (with work apps) on vacation to one of these forbidden countries, and then all sorts of holy hell gets raised. But increasingly we are seeing "smarter" users who use VPNs and other methods to hide their physical location. Thankfully, we have had luck logging their real IPs when the VPN is down, and usually when they figure out they are blocked from logging in, they remember to connect to the VPN.
How is everyone dealing with physical location tracking? IP addresses can only take you so far and even our security software seems to get it wrong. Is there something foolproof we can put on Windows/Mac/Linux clients to definitively identify their physical location? German Works Council be damned, I want to know my asset's location.
VermicelliHot6161@reddit
How are your users installing unapproved software or modifying networking connections in order to use a VPN?
caribbeanjon@reddit (OP)
I know where you are coming from, but we don't have our PCs locked down yet, and we allow 3rd parties to use their clients on our VPN. The goal is to address all of this, but it takes time.
ZAFJB@reddit
This job should be a number one priority!
Pusibule@reddit
They can just use a router to do the VPN.
DogDeadByRaven@reddit
First off conditional access and we turn blocks for unapproved countries. That's for both computers and phones. Automatic uninstall of unapproved VPN apps. Users don't have rights to install most software on their systems.
caribbeanjon@reddit (OP)
What are you using to automatically uninstall VPN apps? We get notifications from CrowdStrike, but I don't think we can uninstall. Are you using something like AppLocker to only allow approved applications?
ZAFJB@reddit
Block installation of VPN apps in the first place.
DogDeadByRaven@reddit
We have auto remediation scripts to check for the most common VPN apps. If they are found they get uninstalled. Our security team does weekly audits of all apps installed and any found that shouldn't be there get uninstalled. We haven't gotten to Applocker yet as we have a wide range of apps we're still going through.
softConspiracy_@reddit
This is the correct answer.
mcmron@reddit
You can evaluate the IP2Proxy database at https://www.ip2location.com to detect VPN IP addresses. It also offers an API at https://www.ip2location.io
kogun@reddit
ITAR violations are pretty darn serious when done "innocently". Using a VPN while violating ITAR shows a level of awareness of wrongdoing that will likely result in much more serious fines for the company involved. I'd be considering obtaining some level of signed documentation explicitly spelling out individual penalties (acknowledging personal liability and the likelihood of seeking compensation) for knowingly violating ITAR.
Background: the company I worked for faced serious fines and was nearly blackballed by the US gov't for ITAR violations.
Ssakaa@reddit
Since ITAR pretty quickly gets into CMMC/800-171/800-53 territory, there's a good bit on required controls and required awareness and training, which would include that acknowledgement pretty explicitly.
AkkerKid@reddit
I found one of my client's Mac laptops by getting a terminal on it via our RMM and having it look for the nearby SSIDs. Then I put those into a few wardriving websites and found the laptop in Pakistan.
airforceteacher@reddit
Wigle!
caribbeanjon@reddit (OP)
That's pretty gangster.
PolarBill@reddit
I second this method. Computrace is the more industrial answer. But you can have your RMM tool run a script that will save all local SSIDs and then upload it back. I've only done this with "lost/stolen" laptops, so I did not automate the last part of the geolocation.
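The collection step AkkerKid and PolarBill describe (an RMM job that dumps nearby access points and ships them back), as an added example that is not from any commenter: it parses the output of `netsh wlan show networks mode=bssid` on Windows into BSSID records, strongest first, ready for upload to whatever lookup the helpdesk uses. The sample output, the hostname and the `signal_pct`/`channel` field names are constructed for the example.

```python
import re
# Constructed sample of `netsh wlan show networks mode=bssid` output (not a real capture).
SAMPLE_NETSH = """\
Interface name : Wi-Fi

SSID 1 : OfficeGuest
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 82%
         Channel            : 36
    BSSID 2                 : 00:11:22:33:44:56
         Signal             : 41%
         Channel            : 6

SSID 2 :
    BSSID 1                 : 66:77:88:99:aa:bb
         Signal             : 23%
         Channel            : 11
"""
SSID_RE = re.compile(r"^SSID \d+ :\s?(.*)$")
BSSID_RE = re.compile(r"^\s+BSSID \d+\s+: ([0-9a-fA-F:]{17})$")
SIGNAL_RE = re.compile(r"^\s+Signal\s+: (\d+)%$")
CHANNEL_RE = re.compile(r"^\s+Channel\s+: (\d+)$")

def parse_netsh_bssids(text):
    """One dict per BSSID: {ssid, bssid, signal_pct, channel}. Hidden SSIDs come back as ''."""
    aps, ssid, cur = [], None, None
    for line in text.splitlines():
        m = SSID_RE.match(line)
        if m:                       # new SSID block; following BSSID lines belong to it
            ssid = m.group(1).strip()
            continue
        m = BSSID_RE.match(line)
        if m:                       # one SSID is often served by several BSSIDs (radios/bands)
            cur = {"ssid": ssid, "bssid": m.group(1).lower(), "signal_pct": None, "channel": None}
            aps.append(cur)
            continue
        if cur is not None:
            m = SIGNAL_RE.match(line)
            if m:
                cur["signal_pct"] = int(m.group(1))
            m = CHANNEL_RE.match(line)
            if m:
                cur["channel"] = int(m.group(1))
    return aps

def build_report(text, hostname):
    """Strongest access points first; this is the payload the RMM job would upload for lookup."""
    aps = sorted(parse_netsh_bssids(text), key=lambda a: a["signal_pct"] or 0, reverse=True)
    return {"host": hostname, "access_points": aps}
```

On a live Windows host, feed `subprocess.run(["netsh", "wlan", "show", "networks", "mode=bssid"], capture_output=True, text=True).stdout` into `build_report` instead of the sample; the BSSIDs with the strongest signal are the ones worth looking up first.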
adonaa30@reddit
We track our assets. Computrace works alright
kg7qin@reddit
Run the IP through https://ipinfo.io. Those guys seem to know just about everything on an address, and it'll get you a general location of it as well, if not the city. The flags it has are pretty interesting too.
I posted about this before and one of their engineers chimed in about their service.
caribbeanjon@reddit (OP)
I recently found ipinfo.io and their information seems the most accurate of any that I have found.
reincdr@reddit
Thank you for the recommendation. In this case, OP can go with two approaches. Going beyond our location data, our privacy detection data can identify VPN and residential proxies as well. OP has two options: preventative measures and investigative measures.
They can use our data in their firewall system by specifying the ranges of particular countries. It is relatively easy to do and can be done for free using our IP to Country ASN database. To prevent VPN based accesses to their system, they can buy the privacy detection database and get ranges that are used in VPNs, proxies, data centers, etc. and block them in the firewall.
For investigative measures, they can paste their log data into a plaintext file. Use our CLI grepIP tool to extract the IP addresses, then do a bulk enrichment or summary report to get the location and ASN/ISP of these IP addresses. They can see location information of those IP addresses. I think since they do not need granular information and only need to know if the user has used a VPN address, they can just stick with our summarization service, which is also free.
https://ipinfo.io/tools/summarize-ips
If OP or anyone wants to share their log data with me and wants a summary report, I am happy to help. My DMs are always open.
ArsenalITTwo@reddit
Absolute Resilience. Aka Computrace.
Helpjuice@reddit
Computrace, and disallow them from running unauthorized software through Intel TME for hardware attacks and AppLocker for all the software. Only allowlist what you have authorized and disable everything else. This should allow you to prevent installing custom browsers, disable network setting changes that allow a VPN, block running VPN software, etc. by locking down network settings, only allowing your authorized DNS providers, etc. If you find them logging in from an unauthorized location, treat the device as compromised and start your regular procedures, to include notifying HR and Legal.
The employee knows what they are doing, knows it violates policy, and they should be locked out and their device untrusted until they can return to an authorized location and talk with legal, HR, security, and IT about the matter, along with the incident being logged.
madlyalive@reddit
This is the way.
And it really is the only way. It’s the most reliable solution I’ve ever found. My only gripe is the data wipe feature doesn’t always work.
patmorgan235@reddit
Absolute is goat
rootofallworlds@reddit
There’s plenty of laptop tracking software around, Absolute are the market leader I believe. It works off a big database of wifi APs, so based on the BSSIDs the laptop can see it can triangulate the position. Works well in cities, maybe not so well in remote rural areas.
Laptops which support a mobile data SIM usually also have a GPS receiver and the tracking software can use that too. But it’s hard to find mid and high performance business laptops with SIM slots, sadly they tend to only be in tablet/chromebook grade stuff.
IMHO the tracking needs backing up by 1, explaining to staff why overseas working without permission is such a big deal at your company, 2, treating it as gross misconduct (ie potential for dismissal with immediate effect) and treating attempts to sabotage the tracking likewise, and 3, making reasonable effort to give permission when the company can legally do so, instead of just giving a blanket no because payroll doesn’t want to sort out the paperwork. And possibly 4, make new employees work from the office for their first x months, gives them long enough to see or hear about people getting sacked for being dumb enough to try working from Embargoedland.
But all that’s HR and Management stuff.
bindermichi@reddit
Blocking access from commercial VPN access addresses completely will solve one issue. You can also block access from datacenter locations. This is usually a good giveaway they are connecting directly.
If it's your device I would block it from using anything but the corporate VPN to access corporate applications and data.
For international corporate networks I worked with network providers that would offer VPN access in every country, so we could automatically route users to the closest access gateway. That would be one way to know exactly where they are without getting into trouble with labor laws prohibiting you from installing tracking software.
TopArgument2225@reddit
Residential 10G proxy providers charge $1-$5 per IP. Looks absolutely real. Absolute Software is the correct answer.
softConspiracy_@reddit
I would isolate any device that connects to a commercial VPN. Let your user come to you and explain where they are.
caribbeanjon@reddit (OP)
We do have alerts that notify us if 3rd party VPN software is installed, but that's not going to stop the "smart ones".
softConspiracy_@reddit
Updated my comment. Not sure if you saw the rest.
caribbeanjon@reddit (OP)
We do have CAPs that block access from certain locations, but just today we had a pretty sneaky sneaky VPN user that appeared to be in London 99% of the time, and the only reason we eventually got alerted is because their VPN dropped long enough for us to capture (and block) a login attempt from their real location.
Does Intune provide location data? I suppose a CAP applied to the Authenticator app could block some authentication attempts from the phone, but that's not going to stop TOTP or SMS.
SpiceIslander2001@reddit
If you're blocking by public IPs, run a script via scheduled task to capture the public IP as soon as a network change is detected. Once you have that information, you can use the same script to have the PC take certain steps if it detects that the IP is in a restricted list (or not in an unrestricted list). "Using your PC from here, are you? Well, let's just log you out immediately and restart the PC, and if this happens more than three times, it's time for an OS reset ..." :-).
And how do you get the PC's public IP programmatically? Some ideas here. ...
How to Find Your IP Address From CMD (Command Prompt) (howtogeek.com)
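The lookup both reincdr (country ranges from an IP-to-country database for the firewall) and SpiceIslander2001 (a scheduled task checking the captured public IP against a restricted list) rely on, as an added example that is none of the commenters' code: an offline range table with a binary-search lookup, a fail-closed allow/block decision for the task to act on, and the same table collapsed to CIDR blocks for a firewall deny rule. The CSV rows, the `XX` country code and the `EMBARGOED` set are constructed placeholders, not real allocations or real policy.

```python
import bisect
import ipaddress

# Constructed sample in the "ip_from,ip_to,country_code" shape of an IP-to-country CSV.
# These ranges are made up for the example and are NOT real allocations.
SAMPLE_RANGES_CSV = """\
ip_from,ip_to,country_code
203.0.113.0,203.0.113.255,GB
198.51.100.0,198.51.100.127,DE
198.51.100.128,198.51.100.255,XX
192.0.2.0,192.0.2.255,US
"""
# Placeholder for the countries the business may not operate in (not a real policy list).
EMBARGOED = {"XX"}

def load_ranges(csv_text):
    """Parse the CSV (IPv4 only here) into a sorted table so each lookup is a binary search."""
    rows = []
    for line in csv_text.splitlines()[1:]:      # skip the header row
        if line.strip():
            lo, hi, cc = line.split(",")
            rows.append((int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi)), cc))
    rows.sort()
    return [r[0] for r in rows], rows

def country_for(ip, table):
    """Country code of the range covering ip, or None when no range matches."""
    starts, rows = table
    n = int(ipaddress.ip_address(ip))
    i = bisect.bisect_right(starts, n) - 1      # last range that starts at or before ip
    if i >= 0 and rows[i][0] <= n <= rows[i][1]:
        return rows[i][2]
    return None

def classify(ip, table, embargoed=EMBARGOED):
    """What the scheduled task acts on: 'block' for embargoed or unknown, otherwise 'allow'."""
    cc = country_for(ip, table)
    if cc is None or cc in embargoed:
        return "block"                          # unknown ranges fail closed
    return "allow"

def firewall_blocklist(table, embargoed=EMBARGOED):
    """Embargoed ranges collapsed to CIDR blocks for a firewall deny rule (the preventative side)."""
    _, rows = table
    cidrs = []
    for lo, hi, cc in rows:
        if cc in embargoed:
            cidrs += ipaddress.summarize_address_range(ipaddress.ip_address(lo), ipaddress.ip_address(hi))
    return [str(c) for c in cidrs]
```

Swap `SAMPLE_RANGES_CSV` for the real database file and `EMBARGOED` for the list Legal gives you; the fail-closed branch in `classify` is what stops a VPN exit in an unlisted range from silently passing.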
softConspiracy_@reddit
We have revoked SMS and the rest everywhere. Mandatory Authenticator app that narcs users out.
Note that I’m in security rather than admin, but we work in parallel.
We just don’t let people use commercial VPNs and quickly restrict usage if it pops up.
We have data laws internally and customer contracts that mandate data be kept within US shores, so we’re pretty hot on it.
SpiceIslander2001@reddit
Wow, this led me down a rabbit hole....
There *might* be mini-PCIe GPS receivers that can be installed to replace the WLAN card in laptops (of course, those with removable WLAN cards). Once you can get a GPS receiver into the laptop, then there should be a way to track its physical location. A Google search on GPS tracking should turn up a few software solutions.
kryptekgfx@reddit
Intune can do this with some config
caribbeanjon@reddit (OP)
Thank you, I'm going to check this out.