I have recently identified a security risk with some of the machines (primarily Windows 10 and MacOS laptops) my company issues to users. Specifically, a small subset of the users are regularly placing their device “directly on the Internet” when working remotely.
I suspect that this is primarily caused by plugging the Ethernet of the machine directly into a cable/DSL modem provided by the ISP for their home Internet connection. And that ISP is issuing a public IP address to our machine when it makes a DHCP request. This has publicly exposed RDP, SSH, and other remote services only meant to be accessible from LAN networks.
The people/process solution to this problem will be user education, and I do intend to pursue this route. However, this will always be purely reactive: waiting for users to plug in to the Internet and chasing them down to ask them to stop doing so. I am currently only able to run periodic search queries to find these machines and would not seem to have a way to get automated, immediate alerting when it occurs.
I am wondering if there could be a more proactive, technical solution to this problem. I think that the ideal solution would be one that (a) prevents the configuration of a public IP address onto any of the NICs, especially via DHCP; (b) provides a pop-up message to the user informing them of what has occurred and whom to contact for assistance (i.e., our corporate help desk); and (c) immediately alerts our support staff that this has occurred, if possible.
The machines have various endpoint agents and technologies in place for management, including GPO policies, SCCM, and CrowdStrike. I do not have enough experience with any of these tools to know if it is feasible to create a technical solution using one of them, and I am not personally an administrator of any of these tools in my environment.
I have not yet attempted any particular implementation. It is within my skill set to create a Python script/executable that could check the configured IP addresses every X number of minutes; give the user a pop-up message; remove/change any public IP addresses; and/or possibly send back an alert. However, I’m highly doubtful that I could get approval to deploy this.
I certainly do not have the skill to create a full-time, inline monitoring/blocking agent, so the truly desired implementation would have to come from an existing tool. Is anybody aware of whether GPO, CrowdStrike, or other common endpoint management tools might be able to accomplish this technical solution?
Further, does anybody have any other guidance (people, process, or technology) that they feel might be useful in addressing this risk?
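For reference, the detection half of the periodic script the question describes (check the configured addresses, decide which are public) can be done with the standard library alone. The block below is an added example, not code from the original post or from any of the tools named in it: it parses the text output of `ipconfig` (Windows) or `ifconfig` (macOS) and classifies every interface address with `ipaddress`. It goes slightly beyond the question by also classifying IPv6 addresses. All sample output, interface names and addresses are constructed; `8.8.8.8` and `2606:4700:4700::1111` merely stand in for whatever public address an ISP's DHCP server might lease.

```python
"""Flag public (globally routable) addresses configured on a laptop's NICs.

Added example, not code from the original post.  It parses the text output
of `ipconfig` (Windows) or `ifconfig` (macOS) and classifies each interface
address with the standard-library ipaddress module.  The sample outputs
below are constructed; interface names and addresses are made up.
"""
import ipaddress
import platform
import subprocess


def extract_addresses(text):
    """Return the interface addresses found in ipconfig or ifconfig output.

    Only lines that carry an interface address are considered, so gateway,
    DNS-server and DHCP-server entries never leak into the result.
    """
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("inet ", "inet6 ")):        # macOS / Linux ifconfig
            value = line.split()[1]
        elif "Address" in line and " : " in line:       # Windows ipconfig labels
            value = line.partition(" : ")[2]
        else:
            continue
        # Drop Windows' "(Preferred)" suffix and any IPv6 zone id ("%12", "%en0").
        value = value.split("(")[0].split("%")[0].strip()
        try:
            found.append(ipaddress.ip_address(value))
        except ValueError:                               # e.g. a MAC "Physical Address"
            continue
    return found


def public_addresses(addresses):
    """Keep only addresses that are routable on the public Internet.

    ipaddress.is_global is False for RFC 1918 space, loopback, link-local,
    IPv6 ULA (fc00::/7) and the CGNAT block 100.64.0.0/10, so a laptop behind
    a carrier-grade NAT is not flagged.  Caveat: the RFC 5737/3849
    documentation ranges (192.0.2.0/24, 203.0.113.0/24, 2001:db8::/32) are
    also reported as non-global, so they cannot serve as test "public" values.
    """
    return [a for a in addresses if a.is_global and not a.is_multicast]


def check_output(text):
    """Return the public addresses in `text` as strings (empty when none)."""
    return [str(a) for a in public_addresses(extract_addresses(text))]


# Constructed sample: a Windows laptop plugged straight into a cable modem.
# 8.8.8.8 stands in for whatever public address the ISP's DHCP server leased.
SAMPLE_IPCONFIG = """
Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : isp.example
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   Link-local IPv6 Address . . . . . : fe80::1c2d:3e4f:5a6b:7c8d%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 8.8.8.8(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 8.8.8.1
   DHCP Server . . . . . . . . . . . : 8.8.8.1
   DNS Servers . . . . . . . . . . . : 1.1.1.1
"""

# Constructed sample: a macOS laptop behind a home router that NATs IPv4 but
# hands out a globally routed IPv6 address (common with many ISPs).
SAMPLE_IFCONFIG = """
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet 127.0.0.1 netmask 0xff000000
	inet6 ::1 prefixlen 128
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet6 fe80::1c2d:3e4f:5a6b:7c8d%en0 prefixlen 64 secured scopeid 0x6
	inet 192.168.1.23 netmask 0xffffff00 broadcast 192.168.1.255
	inet6 2606:4700:4700::1111 prefixlen 64 autoconf secured
"""


def collect_from_system():
    """Run the platform's address-listing command and return its text."""
    cmd = ["ipconfig"] if platform.system() == "Windows" else ["ifconfig"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    hits = check_output(collect_from_system())
    if hits:
        print("Public address(es) configured on this host:", ", ".join(hits))
    else:
        print("No public addresses found.")
```

Two things worth deciding before wiring something like this into a pop-up or an alert: a globally routed IPv6 address behind a home router is normal and is still protected by that router's stateful firewall, so the second sample would fire unless IPv6 hits get a separate policy, and the CGNAT block `100.64.0.0/10` is deliberately treated as non-public because a host there is not directly reachable from the Internet.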