Headlines across several business news services this week read something like "Laptops prove weak point in computer security" that's not an actual headline, because I don't like getting flame e-mail from attorneys, but it's similar to several.
The articles were prompted by Fidelity's announcement that it suffered a single laptop theft, and in that misfortune exposed 200,000 customer records to the prying eyes of identity thieves, or whomever. But laptops are only a security threat if you allow them to be. There are a number of ways to mitigate laptop security problems, and most are dependent on what kind of business you're handling. When you've identified who should access sensitive information, where, and when, you can start putting policies in place to enforce that.
The limits are bound only by your workaround imagination. How about grabbing every MAC address associated with every laptop your company owns? These could then be barred from storing certain kinds of data -- such as, say, any records from the database handling credit card numbers. In fact, maybe only those MACs associated with desktops are even allowed to see that store.
Is all this part of Windows 2003? Not quite. The policy-based stuff you can manage; but drilling down to MAC-level access may require a workaround using a higher-level desktop management tool such as the ones from Altiris. Keeping data secure to desktops might require shutting down certain hardware functions, such as USB ports, so data can't get transferred via thumb drives -- and that might require third-party solutions such as FullArmor IntelliPolicy.
This is quite a bit of work, and if security really is this much of a concern to you, then a full-scale desktop redesign might be another way to go. There are turnkey desktop systems available with this kind of management built in. My favorite has always been ClearCube's blade workstation system.
These are blade-based PCs that use existing Cat5 cabling to channel KVM traffic and basically move the rest of the network into the data centre. Users get KVM equipment plugged in to a small desktop box, called a C-Port, that also has a couple of built-in USB ports. You can disable these or simply configure them to recognize only certain peripherals such as printers but not storage volumes.
Sure it's a bit more work and the folks upstairs may not like it; the day that laptop gets left in a taxi, they'll undoubtedly be in a much better mood.