Keep users in line even when they're on the road

Many of the messages I receive from readers are about problems managing the ever-growing force of mobile users. Your mobile users require special handling: Common tasks such as implementing security or upgrade procedures can become a challenge, and you must deal with chores such as configuring dial-up connections and providing a way for your mobile users to connect to the network during onsite visits. To further complicate matters, you often need to rely on mobile users to carry out tasks that you typically handle.

You urgently need to develop administrative procedures to effectively manage these road warriors. Your policy should be to perform most configuration steps on your company's mobile machines before you distribute them to users, and to recall those machines to perform upgrades or other major configuration changes. At the same time, you need to provide mobile users with clear, detailed instructions for performing tasks such as using Encrypting File System (EFS), configuring dial-up connections, requesting certificates, using Offline Files, and installing hotfixes. Clear communication about what you expect of your mobile users is key to successful administration of their computers.

Using NTFS and EFS
Your top priority in administering mobile users should be security. Laptops are more likely than desktop machines to be lost or stolen, putting data at greater risk. One way to reduce such risk is to take advantage of Windows 2000's data-encryption technology.

Every Win2K laptop that your company owns should run NTFS, and you should enable EFS—a built-in Win2K facility for encrypting NTFS files—on them all before you turn them over to users. Provide users with documentation about the way EFS works and with a list of must-do procedures to protect all documents, temporary folders, and other important files (e.g., company databases). Instructions with a "do this or your job isn't worth anything" spin should help users understand that they can never be lax about laptop security. You might also point out some of the many available articles about users who've lost (frequently to thieves) laptops that contained secret or sensitive company information. (I don't have enough room to cover EFS in detail, so for information about EFS—what it is, how it works, and what precautions it requires—see "Related Articles in Previous Issues," page 74.)

Configuring Dial-Up Connections
If your laptop users log on to your network through a dial-up connection, your best bet is to create the connection before you turn over the laptop to the user. If you can't do so, be sure to provide users with clear, detailed instructions that cover the following steps. (These steps assume that your users dial in to a RAS or RRAS server on your network—a common setup. For more information about RAS and RRAS, see "Related Articles in Previous Issues.")

Select Settings, Network and Dial-up Connections, then double-click Make New Connection to open the Network Connection Wizard. Select the appropriate option (usually Dial-up to private network) and click Next. Enter the phone number of the network that users will connect to. This screen also contains a Use dialing rules option. These rules provide supplemental dialing information, such as area code or an additional digit that users must dial to reach an outside line from a hotel or corporate location. Depending on users' locations, they might need to use or change the rules as they travel, so be sure to include an explanation of dialing rules in any instructions you give laptop users.

The wizard also prompts you to specify whether to make the connection available For all users of the computer or Only for myself (i.e., for only the currently logged-on user). If you're creating the connection for a mobile user, you obviously need to make the connection available to all users, not only yourself. Also, many laptops have a way of circulating through a group of users, so if you're providing instructions to mobile users who are creating connections, be sure they also choose the For all users option.

Finally, the wizard prompts you to enter a name for the connection. You can use your company name, a name such as HomeOffice, or any name that indicates that the connection dials in to the company network. The wizard also gives you the option to Add a shortcut to my desktop. Selecting this check box is a good idea because Win2K puts the new connection object in the Network and Dial-up Connections folder, a subfolder under the Control Panel object in My Computer and Windows Explorer. Users who migrated to Win2K from Windows 9x are accustomed to finding the connection object in the Dial-Up Networking folder in My Computer, so they frequently have trouble finding the connection in Win2K.

When you click Finish, Win2K automatically opens the new connection so that you can test it or configure its properties. If you're providing users with instructions for creating the connection, instruct them to clear the Save Password option that appears in the connection dialog box. This option is too dangerous for mobile machines, which users often take into unsecured areas and which are always vulnerable to theft. As an added precaution, you can tweak the registry to disable the Save Password option (in relation to phonebook entries) on mobile machines before you distribute them to users. To do so, open a registry editor and go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters subkey. Add the subkey DisableSavePassword (of type REG_DWORD) with a value of 1.

To refine the configuration, click Properties in the connection dialog box to open the connection's Properties dialog box. The options you should select depend on your network setup (e.g., its security settings) and also reflect user-specific and location-specific information. The most important configuration options are those that appear on the Security tab.

If your company uses certificates for authentication, secure data exchanges, or both, be sure to configure the connection appropriately. If you're providing instructions to a user who is creating a dial-up connection, you need to explain how to use the Microsoft Management Console (MMC) Certificates snap-in's Certificate Request Wizard to request a certificate the first time the user logs on through the new connection. The user will also need instructions about how to create a new dial-up connection to use the new certificate.

To make life easier for these users, preload the Certificates snap-in on all corporate laptops before you turn them over to users. To do so, choose Run from the Start menu and type


This action opens a new console. Select Console, Add/Remove Snap-in from the console's menu bar (or press Ctrl+M), then click Add in the Add/Remove Snap-in dialog box. In the Add Standalone Snap-in dialog box, select Certificates, then click Add. The resulting Certificates snap-in dialog box offers three options for the entity this snap-in will manage: My user account, Service account, and Computer account. Depending on your company security policies, select My user account or Computer account, then click Finish. Click Close in the Add Standalone Snap-in dialog box, then click OK in the Add/Remove Snap-in dialog box. The Certificates snap-in is now loaded in MMC.

Next, expand the Certificates object and select the appropriate certificate category in the console (i.e., left) pane. Double-click the necessary certificate in the right pane to see detailed information, to configure Properties, or to copy the certificate to a file. Depending on the certificate type you've selected and the available configuration options, finish configuring the console to match your company requirements, then save the console.

Incidentally, if high-level security is important for your mobile users, I suggest you consider using smart cards. (For more information about using certificates, see "Related Articles in Previous Issues." For information about security in wireless environments, see Steve Milroy, "Wireless Security Considerations, Part 1,", InstantDoc ID 21226, and "Wireless Security Considerations, Part 2,", InstantDoc ID 21377.)

Upgrading Mobile Computers
In addition to completing configuration tasks when your company's mobile systems first go into action, you need to develop intelligent methods for including portable computers in companywide OS, service pack, or application upgrades. You might use network share points for desktop-client upgrades, but that method doesn't work well for remote users. Even with a high-bandwidth connection, performing such an installation is risky. (I've seen connection problems at both server and client ends, inappropriate client actions—which are difficult to diagnose and fix in long-distance mode—and other problems that seem to haunt such long-distance procedures.)

The best (and safest) practice is to recall laptops and perform inhouse upgrades. That way, you can use a CD-ROM or the network share point. The second-best practice is to create a set of custom installation files, burn them on a CD-ROM, then ship the CD-ROM to the mobile user. In this case, use the appropriate Win2K installation procedures to preload as much information as possible on the CD-ROM, thus minimizing user interaction. Provide a README file with simple, specific instructions. Be sure your Help desk personnel are trained to interact with users who might seek help with the upgrades, and make available to your Help desk folks a database with detailed information (e.g., components, software) about every portable computer.

Hotfixes tend to be small files that rarely require users to answer questions or make decisions, so you can let mobile users download and install those files through the company VPN, FTP site, or network share point. Provide users specific instructions through email or through a README file on the FTP site or share point. Many users require a lot of hand-holding for these types of processes, but you can send more confident users an email message specifying which hotfix you want them to install and where to find it on the Microsoft Web site. In all events, be sure to give users the hotfix's exact filename, not some vague instruction to "download the hotfix that covers that ugly green icon bug thingy."

Using Offline Files
Another tool that you can encourage mobile users to use is Win2K's Offline Files feature, which ensures that users are working with the latest versions of any files that reside on the company network. Mobile users can use this feature to download a file or folder and configure it as an offline object. When the user reconnects to the network, he or she can synchronize the offline copy (which includes any changes the user has made) with the network-based copy.

Win2K provides a wizard to help users set up and configure the Offline Files feature. Give mobile users well-written instructions about using the wizard, and tell them which network folders hold files that they can—or can't—work with offline. For example, network folders that hold your research department's plans and designs aren't good candidates for offline access. To be on the safe side, you can configure such a folder to be inaccessible for offline work. To do so, open the folder's Properties dialog box, go to the Sharing tab, click Caching, then clear the option that permits caching of files. Or simply prevent access to the folder by changing permissions to exclude mobile users or by locating the folder in a protected network location.

Supporting Onsite Visits
Even the most widely traveled mobile users sometimes show up at the office. You have several options for letting visiting mobile users connect directly to the network. The most common choices are docking stations, PC Card network adapters, and wireless adapters.

Docking stations contain NICs and other components that let users easily work with a direct connection to a full-size monitor, keyboard, and mouse. A user simply attaches the laptop to a docking station through a cable connection, then boots the laptop. Using a docking station once required multiple hardware profiles on portable computers, and administrators needed to teach users how to load the right profile when they booted their laptops. Because Win2K's Plug and Play (PnP) feature automatically senses the presence of the docking station, most Win2K computers don't require this step. However, a legacy laptop might require a user to load a hardware profile. To create a profile, right-click My Computer and choose Properties from the context menu. Go to the Hardware tab and click Hardware Profiles. Click Copy to copy the current profile, and name the new profile Docking (or a similarly self-explanatory name). Then, enable or disable devices as necessary for the new profile. (For information about creating hardware profiles on Windows NT systems, see Michael D. Reilly, "Configuring Hardware Profiles," September 1997, InstantDoc ID 660.)

PC Card network adapters for portable computers are often handy because users can simply plug their systems into any available RJ-45 jack and log on. However, PC Cards are expensive, and the number of cards that end up lost is amazing. In my office, I've attached the cards to the end of the cable that comes from the jack, so the cards stay in the office rather than in the portable's slot. I use duct tape to keep each card with its cable. (I love duct tape—it's useful for so many things.)

Wireless network connections are becoming extremely popular and cost about the same as a PC Card. The best technology is radio frequency (RF), which is usually more powerful and more reliable than infrared (IR). Install an access point to act as a bridge between the wireless and wired network nodes. Then, provide a wireless connector to mobile users who visit the office.

Keeping Communication Flowing
Your rate of success when managing mobile users depends on two important factors: information and communication. Keep detailed records for every laptop that your company owns. This data should include obvious information such as the system's model and serial number, as well as detailed information about components and installed software. Also provide detailed instructions to your mobile users. Make sure those users know which procedures you insist on (e.g., security precautions) and which procedures are forbidden (e.g., which files are prohibited for offline use). Keep these two factors in mind whenever you deal with mobile users, and a good portion of your administrative headaches will hit the road.

Related Articles in Previous Issues
You can obtain the following articles from Windows & .NET Magazine's Web site at

"PKI and Windows 2000," March 2001 Web Exclusive, InstantDoc ID 20425

"Windows 2000's Encrypting File System," January 2001 Web Exclusive,
InstantDoc ID 19721
Inside Out, "Decrypting EFS," Winter 2000, InstantDoc ID 15907
NT Internals, "Inside Encrypting File System,
Part 2," July 1999, InstantDoc ID 5592
NT Internals, "Inside Encrypting File System,
Part 1," June 1999, InstantDoc ID 5387
"Top 10 Security Tools in the Win2K Server Resource Kit," December 2000,
InstantDoc ID 15969

"The Ins and Outs of Offline Files," May 2001, InstantDoc ID 20373
Inside Out, "More About Offline Files,"
January 2000, InstantDoc ID 7789
Inside Out, "Offline Files," December 1999, InstantDoc ID 7609

"What's New in Routing and Remote Access," June 2001, InstantDoc ID 20710
Remote Possibilities, "Radical RAS Solutions," March 2001, InstantDoc ID 19702

"Group Policy for Mobile Users," October 2000 Web Exclusive, InstantDoc ID 9752