Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

Keep Yer Paws Off Your PC: Preventing End-Users from Installing Applications
ITBusinessnet ^ | 28 August 2006 | Esther Schindler

Posted on 08/29/2006 10:44:08 AM PDT by ShadowAce

Recently, I overheard an IT professional complaining about her users. Veronica's company has 300 employees, many of whom would have been called "paper pushers" in an earlier era. Some of those employees download software and install it on their computers, and it often causes havoc for the support staff. Veronica's specific rant was about screensavers (some of which carry a payload of spyware, making it a security issue as well as a support problem), but it could have been any sort of application.

Veronica had looked at a $10,000 hardware solution, but even that required 10 hours a week for system maintenance, to keep up with permissions and such. That didn't sound like a great option. But she didn't know what else to do.

Veronica isn't alone. Other IT administrators have to make choices like this every day. How much should you control? And how do you control it?

On the one hand, you may believe, a company's computers are its assets, and employees have no business changing the way the equipment works. On the other hand, the last thing an IT department wants to do is to prevent people from being productive on the job. Computers are tools that are supposed to enable those employees to get work done, which may occasionally include the use of a not-yet-blessed application.

And then there's the human element of corporate life, and the resentment of apparently arbitrary rules. They wonder: why is it more important to prevent people from customizing their computers than it is to personalize their cubicles?

After corresponding with a few hundred professional IT workers and managers, I found that the philosophical and management questions are harder to answer than the technological solutions. We'll get to suggested tech answers in a bit—for Windows, Linux, and Macintosh—but any IT administrator who wants to create a computing environment that's both fair and secure needs to first address the... well, let's call them the emotional and ethical issues.

Whom Do You Trust?

Long before an IT manager decides on a technology or administrative approach, she has to decide how much autonomy users ought to have. Or, specifically, how much autonomy each kind of user ought to have; university students are presumably less trustworthy and tech-savvy than are engineers, and salespeople appear to be at the bottom of the heap. (Dire experiments have been hatched by a bored sales person in a hotel room when he has nothing else to do.) Another issue is the business environment; you'd expect a bank to be more security- paranoid than a chain of dry cleaning stores.

As you might expect, opinions vary widely on this subject, depending on the respondent's own personal stance and the requirements of the business.

"[B]usiness needs to get done and people need software to accomplish that business. Once the 'us versus them' wall of 'can't have badge and gun' mentality is thrown up then you have lost the support of the business," says Michael Schiebel, the Lead Investigator at a Midwest Fortune 100 financial services company. "Our job is to help the business succeed efficiently and safely. So all software must be viewed in the light of business use; if it increases productivity then our job is to make it a standard."

Whose PC Is It Anyway?

One important consideration is that the computer is not the employee's PC. It isn't. Says Schiebel, "The PC is company equipment the same as pencils, paper, chairs, desks, buildings etc. The employee has no right to privacy while using that equipment and should treat it with the same respect they would give if they borrowed their friend's car. The level of respect the employee shows the PC and other company equipment speaks entire paragraphs about their morals and ethics. The business should use this information to decide what kinds of people it wants representing the company to its customers."

For many IT shops, the hand controlling permissible user installations has a light touch. They're happy to trust the users to do the right thing—and then the IT department copes with the consequences.

Most users really don't need more applications than the company provides, say some administrators. According to one, "Most people either don't install outside software or are satisfied with the normal low-profile stuff that doesn't attract a manager's attention, and the ones who install a lot of stuff (e.g., developers and QA staff) mostly know enough not to cause any problems."

However, users who do install applications may not be aware of software licensing issues. That's not merely a matter of conscious piracy. Some applications are free for personal use but require paid registration when used in a corporate environment. Will every user know the difference?

That's not a minor concern. Ian is a security specialist who works in the transportation industry; he was involved in his company's development of the global client and server loads for a decade. As Ian points out, "Companies forget that freeware is normally free for personal use—not for use inside a company—and they are required to have some sort of license (users are too aware of freeware products for home use and bring them in with out telling people). With the litigious nature of the world, companies should be covering their exposure by making it clear that only company-issued and -approved software should be used on company machines, and that the user is responsible if litigation starts."

Also, it's now common for employees to take the company laptop home in order to telecommute or to respond to work needs while on the road, far beyond the old-fashioned 40-hour work week. If your firm enables Internet access for only certain approved sites, then the employee—who's working on your behalf for the rest of the weekend—won't be able to do things like home banking, paying credit card bills or placing an Amazon order, which, in the past, they had to take time off work to do. Whatever solution you come up with, it will have to acknowledge and deal with these complications.

Will They Revolt?

A technically easy answer is for IT to control all computers in the organization, and allow for no exceptions. That sounds good on paper, but it rarely works in reality. First, it doesn't work, because some users are indeed exceptional (particularly technical staff such as programmers). Plus, employees can be resentful that the company doesn't trust them. And it's time consuming.

For one administrator, company restrictions definitely get in the way of getting the work done. In her company, every time you need to change the font or install something for work purposes, you have to phone the helpdesk to log a call which is passed to desktop support. They phone you back within 48 hours, spend time looking at the software required, and eventually install it on the machine if it passes their security checks. Says the admin, "This may sound like a secure way to do things, however the time it takes to get an application approved—or worse, rejected—you've probably missed the deadline for the work you needed to do. You've cost who-knows-how-many man hours running around getting all the I's dotted and T's crossed on the forms to make an exception, not to mention the testing and signatures required by desktops. Ultimately it can take weeks to have a new application installed."

This administrator got around the issue by stating she needed to use ping and traceroute among other things as part of her daily work supporting Linux servers, and at the very least needed to run cmd.exe. "I now have full administrator access to my PC, and have therefore negated the security in place. I have also managed to obtain domain administrator access in very much the same way." So, let's take a look at some of the ways that IT staff address the problem.


TOPICS: Business/Economy; Technical
KEYWORDS: apple; applications; downloading; it; macintosh; mcafee; microsoft; norton; security; support; symantec; technology
Navigation: use the links below to view more comments.
first 1-5051-100101 next last
This is only the first of 6 pages on the original site. I didn't want to post such a huge article, but it is an interesting read.
1 posted on 08/29/2006 10:44:10 AM PDT by ShadowAce
[ Post Reply | Private Reply | View Replies]

To: rdb3; chance33_98; Calvinist_Dark_Lord; Bush2000; PenguinWry; GodGunsandGuts; CyberCowboy777; ...

2 posted on 08/29/2006 10:44:25 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce
Meh. The company I work for severely restricts end-user installation of applications in a number of ways, chiefly by giving very few people admin privileges. When I complained, I was told the policy had reduced helpdesk calls by X percent (I forget how much. What difference does it make? The company isn't in the business of reducing helpdesk calls. If they didn't allow us to have computers, the calls would be reduced to zero and I don't see how we'd benefit).

For every stupid user story, there is a stupid administrator story.

3 posted on 08/29/2006 10:49:30 AM PDT by prion (Yes, as a matter of fact, I AM the spelling police)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

My last employer solved the problem (sort of). We were simply disconnected from access to the Internet. From then on employees were limited to only intranet access within the agency.

Not necessarily to prevent the downloading of mischief from the Internet, but to prevent the UPLOADING of some sensitive material, which was used in malicious ways against the interests of the agency I was with.

Life can be hard when the people with whom you work every day are not politically reliable.


4 posted on 08/29/2006 10:51:20 AM PDT by alloysteel (When in doubt, forge ahead anyway. To outsiders, it looks the same as boldness. Or plain crazy.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: prion
The company isn't in the business of reducing helpdesk calls.

Not entirely true. The fewer the helpdesk calls, the fewer employees are sitting around waiting for their computer to get fixed and not producing.

For every stupid user story, there is a stupid administrator story.

I agree wholeheartedly.

5 posted on 08/29/2006 10:51:42 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 3 | View Replies]

To: ShadowAce
...Veronica had looked at a $10,000 hardware solution,...

Just use security groups, and group policy applied to Active Directory Organizational Units.

6 posted on 08/29/2006 10:51:59 AM PDT by FReepaholic (This tagline could indicate global warming.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce
This article exactly describes the problems our IT overseers want to fix. However, it isn't the root problem.

I think the real problem is managers wanting technology to do their jobs for them. They don't want to personally hold their people accountable for what they do and/or install, so they want the IT department to get that responsibility. But, as the article mentions, then everyone hates IT for the restrictions. Voila! The managers have successfully avoided doing their jobs and avoided the heat as well.

My solution is this: Every user who has a workstation for which they are the exclusive (or nearly so) user should be made an administrator for that machine and be held responsible for everything they install. Any machines that are "community use" should have no administrator accounts except for IT.

The "zero-tolerance" idea of IT-only administration is what we live under at the moment. It's a disaster, as the article so ably describes. Restoring personal accountability would go a long way toward solving the issue.

IT departments are just too understaffed to test each and every application an organization needs before installing. The ethernet paradigm is more appropriate. "Get it out there fast and if it breaks, fix it." Just make sure your virus scanner is kept up to date. :-)

7 posted on 08/29/2006 10:56:59 AM PDT by TChris (Banning DDT wasn't about birds. It was about power.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: prion

BUMP!


8 posted on 08/29/2006 10:59:14 AM PDT by Publius6961 (MSM: Israelis are killed by rockets; Lebanese are killed by Israelis.)
[ Post Reply | Private Reply | To 3 | View Replies]

To: FReepaholic

But then it's harder to justify expanding your budget and therefore your own importance...


9 posted on 08/29/2006 10:59:44 AM PDT by farlander (Strategery - sure beats liberalism!)
[ Post Reply | Private Reply | To 6 | View Replies]

To: ShadowAce
Here at the BIG International PetroChemical Company ® over 90% of the users have locked machines. They can't even create a text file on their C drive unless it's in a folder unlocked by a software installation script.

If a desktop goes bad it can be reimaged in about an hour.

Acquiring an unlocked machine requires and act of God.

10 posted on 08/29/2006 11:02:53 AM PDT by tx_eggman (The people who work for me wear the dog collars. It's good to be king. - ccmay)
[ Post Reply | Private Reply | To 1 | View Replies]

To: prion
For every stupid user story, there is a stupid administrator story.

Ah yes. The almighty helpdesk.

Here's a little stupidity from both ends:

The Chronicles of George

11 posted on 08/29/2006 11:03:58 AM PDT by Bloody Sam Roberts (Winning shows strength. Winning without fighting shows brilliance.)
[ Post Reply | Private Reply | To 3 | View Replies]

To: tx_eggman
There is a way of allowing users to have unlocked machines and still be able to fix their mistakes.

Have each user log into a thin client that looks and feels like a real machine. If something goes wrong, simply restore the machine image on the server.

This has been done using a *nix-based OS on the clients, running a VM from the server. If the virtual client goes bad, merely copy that machine's image from a backup file.

Usually, the users don't even know they're on a thin client.

12 posted on 08/29/2006 11:06:49 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 10 | View Replies]

To: ShadowAce

I've had several jobs and placements with restrictive computer policies, and nothing makes me feel more like a faceless grunt than when they make me use the system setup they think is best for me.

Meanwhile, I worked at a company that didn't give a crap what you did on your desktop as long as you got the job done and I got more work done there than at my last two gigs combined.


13 posted on 08/29/2006 11:07:12 AM PDT by MIT-Elephant ("Armed with what? Spitballs?")
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

One place I was at used a Windows setup that wouldn't let you change your date/time settings. That was a real sharp one, especially when the clock got out of sync and was wrong all the time.


14 posted on 08/29/2006 11:08:18 AM PDT by MIT-Elephant ("Armed with what? Spitballs?")
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce
"For every stupid user story, there is a stupid administrator story.

I agree wholeheartedly.

I can give you a few of those, but we won't get into it here. =)

As for the article, on Windows 2000/2003 networks using Active Directory, there are good mechanisms in place for being able to micro-manage user permissions. You can delegate authority to chosen users, and or use group policy. I believe there's equivalent ways of doing things in the Linux world.

15 posted on 08/29/2006 11:08:40 AM PDT by KoRn
[ Post Reply | Private Reply | To 5 | View Replies]

To: ShadowAce
>Keep Yer Paws Off Your PC: Preventing End-Users from Installing Applications

If I were running
a business, I'd consider
using thin clients

and just take away
general purpose PCs.
Keep workers focused

on specific jobs.
Let them click around the net
on their home machine.

16 posted on 08/29/2006 11:08:43 AM PDT by theFIRMbss
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

I do some work for a huge Fortune 500 company and their IT is 1950's at best. Most employees used shared workstations which are secured by a user ID of "administrator" and a blank password. As a result everyone can and does install junk, junk, junk including instant messaging software, and their bank and eBay accounts all with their IDs and passwords saved. Since several of the employees are rather unsavory, I wouldn't put it past them to install keycatchers, so I won't use those PCs for anything secure.


17 posted on 08/29/2006 11:09:34 AM PDT by JayNorth
[ Post Reply | Private Reply | To 1 | View Replies]

To: tx_eggman

"Acquiring an unlocked machine requires and act of God.

Or maybe a quick perusal of a couple of articles from 2600.

It is really very difficult to stop a privilege escalation attack if the user has an account on a box, particularly a Windows box.


18 posted on 08/29/2006 11:09:46 AM PDT by proxy_user
[ Post Reply | Private Reply | To 10 | View Replies]

To: TChris
We have a situation where all rights are granted to the administrator and nothing to the user. With the limitations that Windows causes things such as updating plug-ins and patches, changing basic functions like time before monitor goes to sleep are restricted. I do not put fault the company it lies squarely with Windows. It's either all or nothing.
19 posted on 08/29/2006 11:09:47 AM PDT by reagandemo (The battle is near are you ready for the sacrifice?)
[ Post Reply | Private Reply | To 7 | View Replies]

To: MIT-Elephant

NET TIME \\timeservername /SET /YES

In the login script will fix that. =)


20 posted on 08/29/2006 11:09:54 AM PDT by KoRn
[ Post Reply | Private Reply | To 14 | View Replies]

To: prion
Meh. The company I work for severely restricts end-user installation of applications in a number of ways, chiefly by giving very few people admin privileges.

This is why a lot of corporations will, over time, upgrade to Vista.

Personally I share the MS haters skepticism of new Microsoft releases, but a year from now, all new computers will be shipping with Vista, and corporations will be upgrading.

The most significnt change in Vista is the ability to install programs on user accounts without screwing up the admin account.

21 posted on 08/29/2006 11:12:10 AM PDT by js1138 (Well I say there are some things we don't want to know! Important things!")
[ Post Reply | Private Reply | To 3 | View Replies]

To: ShadowAce

I've worked in IT support for over a decade and my current employer (a college) has by far the best policy on this. We give staff full admin rights to their XP workstations and reimage when they mess it up. Staff do not like having their PC's reimaged so they are naturally careful with what they install. Needless to say, there are only a handful of "problem" staff members that require extra attention. The vast majority are just fine and require little assistance as they learned to support themselves.


22 posted on 08/29/2006 11:14:49 AM PDT by Teflonic
[ Post Reply | Private Reply | To 1 | View Replies]

To: proxy_user
It is really very difficult to stop a privilege escalation attack if the user has an account on a box, particularly a Windows box.

No, actually it's very easy ... they just fire the first two or three that exercise their "freedom" and the problem goes away.

23 posted on 08/29/2006 11:19:05 AM PDT by tx_eggman (The people who work for me wear the dog collars. It's good to be king. - ccmay)
[ Post Reply | Private Reply | To 18 | View Replies]

To: reagandemo
We have a situation where all rights are granted to the administrator and nothing to the user. With the limitations that Windows causes things such as updating plug-ins and patches, changing basic functions like time before monitor goes to sleep are restricted. I do not put fault the company it lies squarely with Windows. It's either all or nothing.

Yeah, I agree. Redmond seems to have no feel at all for what is admin stuff and what is not. A user can't even defrag their own hard disk. :-/

My point is, either you can trust an employee or you can't. If you can't, then fire him. If you can, then give him the tools to do his job!

If the user is just an annoyance, who regularly screws up his computer because he's been playing around, then address that user, rather than handcuffing everyone for it.

24 posted on 08/29/2006 11:21:36 AM PDT by TChris (Banning DDT wasn't about birds. It was about power.)
[ Post Reply | Private Reply | To 19 | View Replies]

To: ShadowAce
Typical once a month:

ring, ring

me:hello

idiot user:It says my account is disabled

me:Yeah, I disabled it because of the 'bad' sites you've been visiting.

IU:Turn it back on!

me:'warez' sites piss me off, have your boss call me.

IU:What? turn it back on now!

me:Have you boss call me...click

25 posted on 08/29/2006 11:22:16 AM PDT by gilor (Pull the wool over your own eyes!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce
I solved the problem for my own purposes. I own all the computers except the company laptop. That was provided with the standard company image of Windows XP and some MS Office applications. It was shipped to me. I take care of all the administration and installation. I never call the "help desk" because they are anything but "helpful".

The pin stripe wizards just decreed that all laptop and desktop disk drives running Windows must have full disk encryption. My colleague bent over and complied immediately. This weekend, his Windows OS is giving him a bluescreen. Too bad. The standard Windows boot/repair disk can't handle an encrypted image. He can't see his files anymore with Knoppix either. Brilliant. My laptop still isn't encrypted. It may never be based on the observed consequences. I'm watching with interest to see if the "help desk" has some kind of magic recovery tools for encrypted images. The encryption breaks disk defragmentation immediately upon installation. A hard disk used for compiling large projects gets fragmented rapidly. The "management" has traded "security" for functionality. I expect the loss of lots of critical project data to disk crashes instead of stolen laptops.

26 posted on 08/29/2006 11:25:17 AM PDT by Myrddin
[ Post Reply | Private Reply | To 1 | View Replies]

To: Myrddin

Wow! Someone here proposed hard disk encryption, and I shot them down immediately. My solution was for NO sensitive data to be stored on workstations. All sensitive data, and we have ALLOT of it is to be stored and used from servers. The data on 'the wire' between the workstations servers is encrypted using IPSEC. Of course this solution may not work for everyone, but it worked in our case.


27 posted on 08/29/2006 11:35:42 AM PDT by KoRn
[ Post Reply | Private Reply | To 26 | View Replies]

To: Bloody Sam Roberts

Dude, that was really bad. I feel sorry for everyone involved.


28 posted on 08/29/2006 11:35:51 AM PDT by dljordan
[ Post Reply | Private Reply | To 11 | View Replies]

To: TChris
...give him the tools to do his job!

That is exactly the attitude my company has. My company laptop was stolen from my office back in June. Since then I've been using my personal laptop for work. Rather than requiring me to have certain apps, etc on my machine, they have been very helpful in helping me get my machine to work with them.

As a result, I have the only linux workstation in the company, but I get just as much work done and I don't have to run all sorts of helper apps for virii, etc. The only thing I don't have is access to the VSS database. To get to that, I just start up Windows in a VM, and I can run VSS from there, checking out code into shared folders that my Linux box can access.

29 posted on 08/29/2006 11:37:24 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 24 | View Replies]

To: TChris
Every user who has a workstation for which they are the exclusive (or nearly so) user should be made an administrator for that machine and be held responsible for everything they install.

Gasp! You're talking about...personal accountability!

Well, I agree wholeheartedly. Sign an acceptable use policy and don't dick around with your system.

Basically, here's the only alternative offered around the office these days:

If you FUBAR your system, it's a 30-minute Ghost reload of a baseline system...complete with Winders XP, Orifice, Visi-slow, and FileBreaker Pro 8.

Sorry about your pictures, sorry about your favorites, sorry about that Palm-pilot software, and sorry about your shortcuts.

30 posted on 08/29/2006 11:37:46 AM PDT by Recovering Hermit (Apparently, most who protest for peace do so at the expense of hygiene.)
[ Post Reply | Private Reply | To 7 | View Replies]

To: TChris
My solution is this: Every user who has a workstation for which they are the exclusive (or nearly so) user should be made an administrator for that machine and be held responsible for everything they install

Suppose the user unleashes a virus that compromises company data. What does "held responsible" really mean? [Fix it themselves? Demotion? Termination?] How does this relieve the burden for the IT administrator when something goes wrong and the user cannot fix it? Most users are not as technically adept as they think they are and cannot see the "big picture" of a total computer and network environment, as well as the administrator can. I say drive the car but leave the mechanics to us!

31 posted on 08/29/2006 11:38:17 AM PDT by TexasRepublic (Afghan protest - "Death to Dog Washers!")
[ Post Reply | Private Reply | To 7 | View Replies]

To: ShadowAce
why is it more important to prevent people from customizing their computers than it is to personalize their cubicles? Because personalizing your cubicle may offend your neighbors, but some of the pc downloads can bring down the whole network. And all those cute holiday attachments can sure clog up a mail server!
32 posted on 08/29/2006 11:39:06 AM PDT by knittnmom (...surrounded by reality)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bloody Sam Roberts
Ah yes. The almighty helpdesk.

Here's a good example from The IT Crowd.

33 posted on 08/29/2006 11:39:09 AM PDT by 6SJ7
[ Post Reply | Private Reply | To 11 | View Replies]

To: theFIRMbss
Your "users" must be limited to very simple tasks. I do lots of software development in C++/C/C#/PIC assembler for embedded systems and signal processing. My tool vendors are on the internet. That's how they support me with tools, patches, sample code, bug tracking. The tools are Windows and Linux based. Target hardware includes specialized PIC microcontrollers. A thin client won't hack it for anything more trivial web "applications" and a few select X Windows applications that run on a remote server.
34 posted on 08/29/2006 11:39:46 AM PDT by Myrddin
[ Post Reply | Private Reply | To 16 | View Replies]

To: alloysteel
Not necessarily to prevent the downloading of mischief from the Internet, but to prevent the UPLOADING of some sensitive material, which was used in malicious ways against the interests of the agency I was with.

Did they also cut your phone lines and remove the floppy/ cd burners and usb ports too? Why not remove the pens and paper while they were at it?
35 posted on 08/29/2006 11:42:32 AM PDT by Kozak (Anti Shahada: " There is no God named Allah, and Muhammed is his False Prophet")
[ Post Reply | Private Reply | To 4 | View Replies]

To: Bloody Sam Roberts
The Chronicles of George

I thought nobody else remembered that one. I loved watching the story unfold way back when.

36 posted on 08/29/2006 11:42:45 AM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 11 | View Replies]

To: gilor

Very nice. Hamper user productivity because the user does something that happens to "piss you off."

Do you provide a list of Sites That Piss Off Gilor so users can avoid having their accounts suspended?


37 posted on 08/29/2006 11:43:34 AM PDT by Xenalyte (No movie shall triumph over "Snakes on a Plane.")
[ Post Reply | Private Reply | To 25 | View Replies]

To: ShadowAce

This article tells a telling tale of the incompetence in the IT industry. Security is a breeze under Windows XP. Preventing installation of software is one of the easiest things to do. Both the file system and the registry can be locked down to prevent installation of programs. Even the OS can be locked down to prevent the executing of applications except those application that are authorized.

This can all be done via the group policy editor. Simple, but most "administrators" don't even know the capability exists.


38 posted on 08/29/2006 11:44:22 AM PDT by CodeToad
[ Post Reply | Private Reply | To 1 | View Replies]

To: KoRn
Systems with "sensitive" data on some of my projects use an external USB hard disk that is stored in a safe at night. No internal hard disks. No crippling encryption software. No external network access. The Dell laptops that use the internal hard disks have them removed to a safe upon completion of the work.
39 posted on 08/29/2006 11:45:00 AM PDT by Myrddin
[ Post Reply | Private Reply | To 27 | View Replies]

bttt for later


40 posted on 08/29/2006 11:45:36 AM PDT by RadioAstronomer (Senior member of Darwin Central)
[ Post Reply | Private Reply | To 2 | View Replies]

To: Xenalyte

Our solution was a signed contract to employees if they fubar the system we wipe it out no questions asked and don't save any data. And like someone else said it takes 10 minutes to ghost it back to how it was when they got it.


41 posted on 08/29/2006 11:46:03 AM PDT by lancium
[ Post Reply | Private Reply | To 37 | View Replies]

To: ShadowAce
One of my projects has to build on both Windows and Linux. The company VPN only works on Windows. I have to do a CVS or SVN checkout, zip the files and transfer the zip with sftp to Linux. Feeding back fixes to the repository from problems observed/fixed in Linux is a pain because of the VPN. A Linux box on the intranet with direct access to CVS/SVN has no limitations. Working remotely has its challenges.
42 posted on 08/29/2006 11:49:49 AM PDT by Myrddin
[ Post Reply | Private Reply | To 29 | View Replies]

To: ShadowAce
why is it more important to prevent people from customizing their computers than it is to personalize their cubicles?

It's pretty tough to infect office furniture with a malicious product which can steal hundreds of man hours for which the company has paid or steal company owned data or expose the company infrastructure to attack.

43 posted on 08/29/2006 11:51:35 AM PDT by Still Thinking (Quis custodiet ipsos custodes?)
[ Post Reply | Private Reply | To 1 | View Replies]

To: lancium

I gotta say, I like your solution better than the arbitrary "I don't like ESPN.com so everyone who visits that site will be suspended" approach.


44 posted on 08/29/2006 11:51:51 AM PDT by Xenalyte (No movie shall triumph over "Snakes on a Plane.")
[ Post Reply | Private Reply | To 41 | View Replies]

To: antiRepublicrat
I loved watching the story unfold way back when.

It's always good for a laugh now and then.

45 posted on 08/29/2006 11:53:07 AM PDT by Bloody Sam Roberts (Winning shows strength. Winning without fighting shows brilliance.)
[ Post Reply | Private Reply | To 36 | View Replies]

To: TexasRepublic
Suppose the user unleashes a virus that compromises company data. What does "held responsible" really mean? [Fix it themselves? Demotion? Termination?] How does this relieve the burden for the IT administrator when something goes wrong and the user cannot fix it? Most users are not as technically adept as they think they are and cannot see the "big picture" of a total computer and network environment, as well as the administrator can. I say drive the car but leave the mechanics to us!

The potential is there, but in reality it just doesn't happen very often. With mandatory real-time virus scanning and anti-spyware, independent of local administrator status, that isn't very likely.

In practice, users breaking things outside of their own machine is very rare under this arrangement--remember, they're only administrators on their own machines--and doesn't justify the company-wide slowdown of IT-only administration for all Windows machines.

This frees the admins from having to do everything so they can focus on stuff that really need their attention. Users who aren't capable/comfortable installing their own mouse can always call an admin to do it, just like always. They just aren't forced to call him when they are able to handle it.

46 posted on 08/29/2006 11:53:43 AM PDT by TChris (Banning DDT wasn't about birds. It was about power.)
[ Post Reply | Private Reply | To 31 | View Replies]

To: Ramius; ecurbh; FrogInABlender

Interesting company IT consideration article :~)


47 posted on 08/29/2006 11:57:01 AM PDT by HairOfTheDog (Head On. Apply directly to the forehead!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: lancium
Our solution was a signed contract to employees if they fubar the system we wipe it out no questions asked and don't save any data. And like someone else said it takes 10 minutes to ghost it back to how it was when they got it.

I would require the IT group to repay the development hours destroyed by an indiscriminate act of "ghosting" a new image without any attempt to recover development files from the hard disk. The bill would be at customer billing rates for the value of the employee's labor that was destroyed. Help desk labor hours are about 10x lower than most of the software developers in my organization. Any late penalties for schedules misses caused would also be assessed to the IT organization that destroys the valuable data as an expedient use of their time. Loaded developer rates run $170 to $250 per hour.

48 posted on 08/29/2006 11:57:08 AM PDT by Myrddin
[ Post Reply | Private Reply | To 41 | View Replies]

To: 6SJ7
Too foony.

"Ahlow? Oitee."

49 posted on 08/29/2006 11:57:19 AM PDT by Bloody Sam Roberts (Winning shows strength. Winning without fighting shows brilliance.)
[ Post Reply | Private Reply | To 33 | View Replies]

To: ShadowAce

What's funny is that if the problems are solved by the new policies/software, the company will be able to get rid of some of the IT people who solved the problem. lol


50 posted on 08/29/2006 12:06:13 PM PDT by mysterio
[ Post Reply | Private Reply | To 1 | View Replies]


Navigation: use the links below to view more comments.
first 1-5051-100101 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson