As the mobile workforce has continued to grow, it has become a major headache for organisations to ensure laptops have been patched and are not carrying malware when they reconnect to the corporate network. You are right to be concerned about the cost and complexity of full-blown network access control (NAC) systems; a significant investment in time and money will be required to implement any such enterprise-wide technology (as is the case for intrusion prevention systems [IPS] and security information and event management [SIEM] systems as well).
If you are concerned about rogue devices connecting to your network as well as enforcing patch management, NAC may be the best choice. However, if your primary focus is to ensure legitimate computers are patched correctly and malware-free, then there are less costly alternatives.
Assuming we're looking at Windows devices in an Active Directory environment (the standard architecture in contemporary enterprises), careful use of Group Policy Objects (GPOs) combined with well-configured antivirus, personal firewalls and full disk encryption can prevent malware and patching problems from arising in the first place. GPOs can prevent the laptop user from running with local administrator privilege or installing applications. Antivirus and personal firewalls can be configured such that the user cannot turn them off. Full disk encryption can prevent the user from using free tools to obtain local administrator privileges. Combining these controls significantly reduces the likelihood of malware infection or hacking of the laptop whilst off site. GPOs can also enforce patch updates once the laptop is reconnected to the corporate network.
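One way to verify those controls when a laptop reconnects, as an added example that is not part of the original article: a PowerShell posture check for a domain-joined Windows laptop. It assumes Windows 10/11 with the built-in LocalAccounts, BitLocker, Defender and NetSecurity modules, and the allowed-admin list, signature age and patch-window thresholds are assumptions to adjust for your environment.

```powershell
# Added example (not from the original article). Run elevated on the laptop,
# e.g. from a GPO logon script; each function returns $true when the control
# described in the answer is actually in place.

function Test-NoExtraLocalAdmins {
    # Only the built-in Administrator and the domain admin group may be members
    # (allowed list is an assumption; extend it for your environment).
    $allowed = @('Administrator', 'Domain Admins')
    $members = Get-LocalGroupMember -Group 'Administrators'
    $extra = $members | Where-Object { ($_.Name -split '\\')[-1] -notin $allowed }
    return (@($extra).Count -eq 0)
}

function Test-FullDiskEncryption {
    # System drive must be fully encrypted with BitLocker protection switched on.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    return ($vol.ProtectionStatus -eq 'On' -and $vol.VolumeStatus -eq 'FullyEncrypted')
}

function Test-AntivirusEnforced {
    # Real-time protection on and signatures fresh (7-day threshold is an assumption).
    $mp = Get-MpComputerStatus
    return ($mp.RealTimeProtectionEnabled -and $mp.AntivirusSignatureAge -le 7)
}

function Test-FirewallAllProfiles {
    # Domain, Private and Public firewall profiles must all be enabled.
    $off = Get-NetFirewallProfile | Where-Object { -not $_.Enabled }
    return (@($off).Count -eq 0)
}

function Test-RecentlyPatched {
    # Newest installed update must fall inside the patch window (45 days assumed).
    $latest = Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    return ($null -ne $latest -and ((Get-Date) - $latest.InstalledOn).Days -le 45)
}

$results = [ordered]@{
    'No extra local admins'    = Test-NoExtraLocalAdmins
    'Full disk encryption'     = Test-FullDiskEncryption
    'Antivirus enforced'       = Test-AntivirusEnforced
    'Firewall on all profiles' = Test-FirewallAllProfiles
    'Recently patched'         = Test-RecentlyPatched
}
$results.GetEnumerator() | ForEach-Object {
    '{0,-26} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
# Non-zero exit code lets the calling script flag the device for remediation.
exit [int]($results.Values -contains $false)
```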
This was first published in May 2010