Keep Yer Paws Off Your PC: Preventing End-Users from Installing Applications

ITBusinessnet ^ | 28 August 2006 | Esther Schindler

[lancium]

Our solution was a signed contract to employees if they fubar the system we wipe it out no questions asked and don't save any data. And like someone else said it takes 10 minutes to ghost it back to how it was when they got it.

[Myrddin]

One of my projects has to build on both Windows and Linux. The company VPN only works on Windows. I have to do a CVS or SVN checkout, zip the files and transfer the zip with sftp to Linux. Feeding back fixes to the repository from problems observed/fixed in Linux is a pain because of the VPN. A Linux box on the intranet with direct access to CVS/SVN has no limitations. Working remotely has its challenges.

[Still Thinking]

why is it more important to prevent people from customizing their computers than it is to personalize their cubicles?

It's pretty tough to infect office furniture with a malicious product which can steal hundreds of man hours for which the company has paid or steal company owned data or expose the company infrastructure to attack.

[Xenalyte]

I gotta say, I like your solution better than the arbitrary "I don't like ESPN.com so everyone who visits that site will be suspended" approach.

[Bloody Sam Roberts]

I loved watching the story unfold way back when.

It's always good for a laugh now and then.

[TChris]

Suppose the user unleashes a virus that compromises company data. What does "held responsible" really mean? [Fix it themselves? Demotion? Termination?] How does this relieve the burden for the IT administrator when something goes wrong and the user cannot fix it? Most users are not as technically adept as they think they are and cannot see the "big picture" of a total computer and network environment, as well as the administrator can. I say drive the car but leave the mechanics to us!

The potential is there, but in reality it just doesn't happen very often. With mandatory real-time virus scanning and anti-spyware, independent of local administrator status, that isn't very likely.

In practice, users breaking things outside of their own machine is very rare under this arrangement--remember, they're only administrators on their own machines--and doesn't justify the company-wide slowdown of IT-only administration for all Windows machines.

This frees the admins from having to do everything so they can focus on stuff that really need their attention. Users who aren't capable/comfortable installing their own mouse can always call an admin to do it, just like always. They just aren't forced to call him when they are able to handle it.

[HairOfTheDog]

Interesting company IT consideration article :~)

[Myrddin]

Our solution was a signed contract to employees if they fubar the system we wipe it out no questions asked and don't save any data. And like someone else said it takes 10 minutes to ghost it back to how it was when they got it.

I would require the IT group to repay the development hours destroyed by an indiscriminate act of "ghosting" a new image without any attempt to recover development files from the hard disk. The bill would be at customer billing rates for the value of the employee's labor that was destroyed. Help desk labor hours are about 10x lower than most of the software developers in my organization. Any late penalties for schedules misses caused would also be assessed to the IT organization that destroys the valuable data as an expedient use of their time. Loaded developer rates run $170 to $250 per hour.

[Bloody Sam Roberts]

Too foony.

"Ahlow? Oitee."

[mysterio]

What's funny is that if the problems are solved by the new policies/software, the company will be able to get rid of some of the IT people who solved the problem. lol

[HairOfTheDog]

I would require the IT group to repay the development hours destroyed by an indiscriminate act of "ghosting" a new image without any attempt to recover development files from the hard disk.

No kidding! I couldn't believe I read that. If the employee doesn't "own" the computers or the work product on them, IT doesn't either. That work product belongs to the company and is not IT's to delete.

[Still Thinking]

Remember "Mordak, Preventer of Information Services"?

[Myrddin]

I have all my e-mail directed to my personal ISP account. I have 200 MB of storage backing my mailbox and my ISP doesn't strip out all the attachments. My antivirus software scans all the inbound traffic and is updated daily. The only time a virus has landed on my computer is when I maintained a mailbox on the company MS Exchange server. Their virus scanning is sloppy, they strip attachments, have far more downtime than my ISP and less total storage. The computers harmed when they fail are MY property.

[AFreeBird]

For every stupid user story, there is a stupid administrator story.

Trust me, relatively speaking; stupid users FAR outnumber stupid admins everyday of the week, and twice on Sunday.

And it IS the company's computer, if you have a need for expanded permissions, make your case, and live with the decision.

The company isn't in the business of reducing helpdesk calls.

And most likely, you company isn't in the business of answering helpdesk calls either, unless it's from a customer for a particular product or service.

I can't tell you the number of times I've had to clean computers from competing utilities, spyware, botware, malware, virus' you name it. All because windows defaulted to admin privledges for the enduser and the enduser wanted to load whatever flashing application, tool, screensaver or what have you that tickled their fancy.

Sorry, if I were your admin, you'd have to make a strong case for an application or expanded provledges, and then, if I granted such, you would be watched like a hawk.

[Turbopilot]

I would say that a user visiting illegal sites from his work computer that open both the user and the company up to significant legal liability if caught outweighs hampering his "productivity".

If I had an employee visit those sites with my company's computer over my company's internet connection, I would want IT to kill his account until I were notified. Second time would be termination. I've seen how much IP violations can cost a company even if those violations were unintentional and were rectified before they were caught. Getting sued by Microsoft or Adobe for intentional piracy would put us out of business.

[AFreeBird]

Do you provide a list of Sites That Piss Off Gilor so users can avoid having their accounts suspended?

Better yet, add them to your proxy filter and bar them from even going there and redirect to a nice warning page.

NO p0rn, No Warez no iTunes, No FReeping... (opps!)

Get back to work!

[Xenalyte]

If I had an employee visit those sites with my company's computer over my company's internet connection, I would want IT to kill his account until I were notified. Second time would be termination. I've seen how much IP violations can cost a company even if those violations were unintentional and were rectified before they were caught. Getting sued by Microsoft or Adobe for intentional piracy would put us out of business.

I gotta be honest . . . I've never heard of Microsoft or Adobe suing anyone for piracy as a result of browsing non-work sites. I'm not sure how the first part of your paragraph ends up where it ends up.

[Bobalu]

This one is a hoot..

[EricT.]

I have a girl in my office that uses a 2.7ghz Celeron with 512 MB ram, it runs slower than the Pentium 266mhz with 128MB in the next room (Both run WinXP). The difference? She keeps downloading all kinds of crap. I'm about to take her off the network.

[Bloody Sam Roberts]

I'm kinda glad MY hole area doesn't send external emails either. Ouch.