Visitor connections

  • 15 April 2015
  • 2 replies

I'm new to Webroot; 3 days into a 30-day, 40-seat trial of Endpoint Protection, and pretty happy/impressed so far. However, my boss has asked a few questions I have not been able to find the answers to.
If a guest or visitor wants to use our wireless LAN to connect to the web, does Webroot automatically install the minute our server accepts the connection? I'm using the MSI installer with a Group Policy for fixed machines, which is working well, and if a Windows laptop with a wireless connection starts from cold, I'm reasonably sure it would be installed ok. What worries me is if a visitor brings an infected laptop from outside in hibernation mode, then wakes it, will we be vulnerable? When will the server become aware of the need to install from the GPO? And how does the GPO enforce installation if it's an Apple laptop? I know there's an installation file, but can that be forced onto Apple clients from a Windows server in a similar way?
Even if the answer is that GPO/MSI installs only work from restarts, that's fine, as we can institute a visitor policy that they have to do a full restart when connecting to our network. And maybe have the Apple installer on a flash USB drive - would that be sensible? More of a Windows Group Policy question, I know, but hopefully someone can give me an update.

Best answer by nic 15 April 2015, 17:36


Hi Julian,
I'm fairly new to Webroot myself (I was here posting another question), but have been working as an IT system administrator for a long time now, so thought I'd reply to your post with my thoughts.
If this were me, I would treat visitors as a completely separate entity, with zero access into your network. Create a separate VLAN that only has internet access. No access into your internal network at all. Then have your wireless access points broadcast an SSID for this new VLAN.
You then wouldn't have to worry about installing software onto visitors' computers.
I know this may not be possible (depending on equipment, firewalls etc), but hopefully it's helpful.
How do you have the policy set up? You could test it with a new laptop to see if it requires the reboot or not to force the installation.
Either way, I agree with @ that you probably want visitors on a separate network - like a guest wireless. We have that here at Webroot. Anyone from the outside goes on there instead of on our corporate LAN.
The other factor is if that machine might be infected already, just installing Webroot might not remove that infection if it's burrowed in deep. Webroot works best as a pre-installed AV, and isn't at its best when used as a remediation tool. If you're trying to vet an unprotected computer then you might want to run some other scans like Malwarebytes as well.
As to the Mac installation, it looks like Apple used to have a remote install function but deprecated it. You could do an installation using a script or using Apple Remote Desktop:
Even so, will the Mac coming on to your network even be already set up for you to manage it? If not, you might as well just have them bring it to you and allow you to install Webroot on it before you let them on the network.