Posted on 08/29/2006 10:44:08 AM PDT by ShadowAce
For every stupid user story, there is a stupid administrator story.
My last employer solved the problem (sort of). We were simply disconnected from access to the Internet. From then on employees were limited to only intranet access within the agency.
Not necessarily to prevent the downloading of mischief from the Internet, but to prevent the UPLOADING of some sensitive material, which was used in malicious ways against the interests of the agency I was with.
Life can be hard when the people with whom you work every day are not politically reliable.
Not entirely true. The fewer the helpdesk calls, the fewer employees are sitting around waiting for their computer to get fixed and not producing.
For every stupid user story, there is a stupid administrator story.
I agree wholeheartedly.
Just use security groups, and group policy applied to Active Directory Organizational Units.
I think the real problem is managers wanting technology to do their jobs for them. They don't want to personally hold their people accountable for what they do and/or install, so they want the IT department to get that responsibility. But, as the article mentions, then everyone hates IT for the restrictions. Voila! The managers have successfully avoided doing their jobs and avoided the heat as well.
My solution is this: Every user who has a workstation for which they are the exclusive (or nearly so) user should be made an administrator for that machine and be held responsible for everything they install. Any machines that are "community use" should have no administrator accounts except for IT.
The "zero-tolerance" idea of IT-only administration is what we live under at the moment. It's a disaster, as the article so ably describes. Restoring personal accountability would go a long way toward solving the issue.
IT departments are just too understaffed to test each and every application an organization needs before installing. The ethernet paradigm is more appropriate. "Get it out there fast and if it breaks, fix it." Just make sure your virus scanner is kept up to date. :-)
BUMP!
But then it's harder to justify expanding your budget and therefore your own importance...
If a desktop goes bad it can be reimaged in about an hour.
Acquiring an unlocked machine requires an act of God.
Ah yes. The almighty helpdesk.
Here's a little stupidity from both ends:
Have each user log into a thin client that looks and feels like a real machine. If something goes wrong, simply restore the machine image on the server.
This has been done using a *nix-based OS on the clients, running a VM from the server. If the virtual client goes bad, merely copy that machine's image from a backup file.
Usually, the users don't even know they're on a thin client.
I've had several jobs and placements with restrictive computer policies, and nothing makes me feel more like a faceless grunt than when they make me use the system setup they think is best for me.
Meanwhile, I worked at a company that didn't give a crap what you did on your desktop as long as you got the job done and I got more work done there than at my last two gigs combined.
One place I was at used a Windows setup that wouldn't let you change your date/time settings. That was a real sharp one, especially when the clock got out of sync and was wrong all the time.
I agree wholeheartedly.
I can give you a few of those, but we won't get into it here. =)
As for the article, on Windows 2000/2003 networks using Active Directory, there are good mechanisms in place for being able to micro-manage user permissions. You can delegate authority to chosen users, and/or use group policy. I believe there are equivalent ways of doing things in the Linux world.
If I were running a business, I'd consider using thin clients and just take away general purpose PCs. Keep workers focused on specific jobs. Let them click around the net on their home machine.
I do some work for a huge Fortune 500 company and their IT is 1950's at best. Most employees used shared workstations which are secured by a user ID of "administrator" and a blank password. As a result everyone can and does install junk, junk, junk including instant messaging software, and their bank and eBay accounts all with their IDs and passwords saved. Since several of the employees are rather unsavory, I wouldn't put it past them to install keycatchers, so I won't use those PCs for anything secure.
"Acquiring an unlocked machine requires an act of God."
Or maybe a quick perusal of a couple of articles from 2600.
It is really very difficult to stop a privilege escalation attack if the user has an account on a box, particularly a Windows box.
NET TIME \\timeservername /SET /YES
In the login script will fix that. =)