Skip to comments.Keep Yer Paws Off Your PC: Preventing End-Users from Installing Applications
Posted on 08/29/2006 10:44:08 AM PDT by ShadowAce
Recently, I overheard an IT professional complaining about her users. Veronica's company has 300 employees, many of whom would have been called "paper pushers" in an earlier era. Some of those employees download software and install it on their computers, and it often causes havoc for the support staff. Veronica's specific rant was about screensavers (some of which carry a payload of spyware, making it a security issue as well as a support problem), but it could have been any sort of application.
Veronica had looked at a $10,000 hardware solution, but even that required 10 hours a week for system maintenance, to keep up with permissions and such. That didn't sound like a great option. But she didn't know what else to do.
Veronica isn't alone. Other IT administrators have to make choices like this every day. How much should you control? And how do you control it?
On the one hand, you may believe, a company's computers are its assets, and employees have no business changing the way the equipment works. On the other hand, the last thing an IT department wants to do is to prevent people from being productive on the job. Computers are tools that are supposed to enable those employees to get work done, which may occasionally include the use of a not-yet-blessed application.
And then there's the human element of corporate life, and the resentment of apparently arbitrary rules. They wonder: why is it more important to prevent people from customizing their computers than it is to personalize their cubicles?
After corresponding with a few hundred professional IT workers and managers, I found that the philosophical and management questions are harder to answer than the technological solutions. We'll get to suggested tech answers in a bitfor Windows, Linux, and Macintoshbut any IT administrator who wants to create a computing environment that's both fair and secure needs to first address the... well, let's call them the emotional and ethical issues.
Whom Do You Trust?
Long before an IT manager decides on a technology or administrative approach, she has to decide how much autonomy users ought to have. Or, specifically, how much autonomy each kind of user ought to have; university students are presumably less trustworthy and tech-savvy than are engineers, and salespeople appear to be at the bottom of the heap. (Dire experiments have been hatched by a bored sales person in a hotel room when he has nothing else to do.) Another issue is the business environment; you'd expect a bank to be more security- paranoid than a chain of dry cleaning stores.
As you might expect, opinions vary widely on this subject, depending on the respondent's own personal stance and the requirements of the business.
"[B]usiness needs to get done and people need software to accomplish that business. Once the 'us versus them' wall of 'can't have badge and gun' mentality is thrown up then you have lost the support of the business," says Michael Schiebel, the Lead Investigator at a Midwest Fortune 100 financial services company. "Our job is to help the business succeed efficiently and safely. So all software must be viewed in the light of business use; if it increases productivity then our job is to make it a standard."
Whose PC Is It Anyway?
One important consideration is that the computer is not the employee's PC. It isn't. Says Schiebel, "The PC is company equipment the same as pencils, paper, chairs, desks, buildings etc. The employee has no right to privacy while using that equipment and should treat it with the same respect they would give if they borrowed their friend's car. The level of respect the employee shows the PC and other company equipment speaks entire paragraphs about their morals and ethics. The business should use this information to decide what kinds of people it wants representing the company to its customers."
For many IT shops, the hand controlling permissible user installations has a light touch. They're happy to trust the users to do the right thingand then the IT department copes with the consequences.
Most users really don't need more applications than the company provides, say some administrators. According to one, "Most people either don't install outside software or are satisfied with the normal low-profile stuff that doesn't attract a manager's attention, and the ones who install a lot of stuff (e.g., developers and QA staff) mostly know enough not to cause any problems."
However, users who do install applications may not be aware of software licensing issues. That's not merely a matter of conscious piracy. Some applications are free for personal use but require paid registration when used in a corporate environment. Will every user know the difference?
That's not a minor concern. Ian is a security specialist who works in the transportation industry; he was involved in his company's development of the global client and server loads for a decade. As Ian points out, "Companies forget that freeware is normally free for personal usenot for use inside a companyand they are required to have some sort of license (users are too aware of freeware products for home use and bring them in with out telling people). With the litigious nature of the world, companies should be covering their exposure by making it clear that only company-issued and -approved software should be used on company machines, and that the user is responsible if litigation starts."
Also, it's now common for employees to take the company laptop home in order to telecommute or to respond to work needs while on the road, far beyond the old-fashioned 40-hour work week. If your firm enables Internet access for only certain approved sites, then the employeewho's working on your behalf for the rest of the weekendwon't be able to do things like home banking, paying credit card bills or placing an Amazon order, which, in the past, they had to take time off work to do. Whatever solution you come up with, it will have to acknowledge and deal with these complications.
Will They Revolt?
A technically easy answer is for IT to control all computers in the organization, and allow for no exceptions. That sounds good on paper, but it rarely works in reality. First, it doesn't work, because some users are indeed exceptional (particularly technical staff such as programmers). Plus, employees can be resentful that the company doesn't trust them. And it's time consuming.
For one administrator, company restrictions definitely get in the way of getting the work done. In her company, every time you need to change the font or install something for work purposes, you have to phone the helpdesk to log a call which is passed to desktop support. They phone you back within 48 hours, spend time looking at the software required, and eventually install it on the machine if it passes their security checks. Says the admin, "This may sound like a secure way to do things, however the time it takes to get an application approvedor worse, rejectedyou've probably missed the deadline for the work you needed to do. You've cost who-knows-how-many man hours running around getting all the I's dotted and T's crossed on the forms to make an exception, not to mention the testing and signatures required by desktops. Ultimately it can take weeks to have a new application installed."
This administrator got around the issue by stating she needed to use
traceroute among other things as part of her daily work supporting Linux servers, and at the very least needed to run
cmd.exe. "I now have full administrator access to my PC, and have therefore negated the security in place. I have also managed to obtain domain administrator access in very much the same way." So, let's take a look at some of the ways that IT staff address the problem.
For every stupid user story, there is a stupid administrator story.
My last employer solved the problem (sort of). We were simply disconnected from access to the Internet. From then on employees were limited to only intranet access within the agency.
Not necessarily to prevent the downloading of mischief from the Internet, but to prevent the UPLOADING of some sensitive material, which was used in malicious ways against the interests of the agency I was with.
Life can be hard when the people with whom you work every day are not politically reliable.
Not entirely true. The fewer the helpdesk calls, the fewer employees are sitting around waiting for their computer to get fixed and not producing.
For every stupid user story, there is a stupid administrator story.
I agree wholeheartedly.
Just use security groups, and group policy applied to Active Directory Organizational Units.
I think the real problem is managers wanting technology to do their jobs for them. They don't want to personally hold their people accountable for what they do and/or install, so they want the IT department to get that responsibility. But, as the article mentions, then everyone hates IT for the restrictions. Voila! The managers have successfully avoided doing their jobs and avoided the heat as well.
My solution is this: Every user who has a workstation for which they are the exclusive (or nearly so) user should be made an administrator for that machine and be held responsible for everything they install. Any machines that are "community use" should have no administrator accounts except for IT.
The "zero-tolerance" idea of IT-only administration is what we live under at the moment. It's a disaster, as the article so ably describes. Restoring personal accountability would go a long way toward solving the issue.
IT departments are just too understaffed to test each and every application an organization needs before installing. The ethernet paradigm is more appropriate. "Get it out there fast and if it breaks, fix it." Just make sure your virus scanner is kept up to date. :-)
But then it's harder to justify expanding your budget and therefore your own importance...
If a desktop goes bad it can be reimaged in about an hour.
Acquiring an unlocked machine requires and act of God.
Ah yes. The almighty helpdesk.
Here's a little stupidity from both ends:
Have each user log into a thin client that looks and feels like a real machine. If something goes wrong, simply restore the machine image on the server.
This has been done using a *nix-based OS on the clients, running a VM from the server. If the virtual client goes bad, merely copy that machine's image from a backup file.
Usually, the users don't even know they're on a thin client.
I've had several jobs and placements with restrictive computer policies, and nothing makes me feel more like a faceless grunt than when they make me use the system setup they think is best for me.
Meanwhile, I worked at a company that didn't give a crap what you did on your desktop as long as you got the job done and I got more work done there than at my last two gigs combined.
One place I was at used a Windows setup that wouldn't let you change your date/time settings. That was a real sharp one, especially when the clock got out of sync and was wrong all the time.
I agree wholeheartedly.
I can give you a few of those, but we won't get into it here. =)
As for the article, on Windows 2000/2003 networks using Active Directory, there are good mechanisms in place for being able to micro-manage user permissions. You can delegate authority to chosen users, and or use group policy. I believe there's equivalent ways of doing things in the Linux world.
| If I were running
a business, I'd consider
using thin clients
and just take away
general purpose PCs.
Keep workers focused
on specific jobs.
Let them click around the net
on their home machine.
I do some work for a huge Fortune 500 company and their IT is 1950's at best. Most employees used shared workstations which are secured by a user ID of "administrator" and a blank password. As a result everyone can and does install junk, junk, junk including instant messaging software, and their bank and eBay accounts all with their IDs and passwords saved. Since several of the employees are rather unsavory, I wouldn't put it past them to install keycatchers, so I won't use those PCs for anything secure.
"Acquiring an unlocked machine requires and act of God.
Or maybe a quick perusal of a couple of articles from 2600.
It is really very difficult to stop a privilege escalation attack if the user has an account on a box, particularly a Windows box.
NET TIME \\timeservername /SET /YES
In the login script will fix that. =)