Posted on 08/29/2006 10:44:08 AM PDT by ShadowAce
Recently, I overheard an IT professional complaining about her users. Veronica's company has 300 employees, many of whom would have been called "paper pushers" in an earlier era. Some of those employees download software and install it on their computers, and it often causes havoc for the support staff. Veronica's specific rant was about screensavers (some of which carry a payload of spyware, making it a security issue as well as a support problem), but it could have been any sort of application.
Veronica had looked at a $10,000 hardware solution, but even that required 10 hours a week for system maintenance, to keep up with permissions and such. That didn't sound like a great option. But she didn't know what else to do.
Veronica isn't alone. Other IT administrators have to make choices like this every day. How much should you control? And how do you control it?
On the one hand, you may believe, a company's computers are its assets, and employees have no business changing the way the equipment works. On the other hand, the last thing an IT department wants to do is to prevent people from being productive on the job. Computers are tools that are supposed to enable those employees to get work done, which may occasionally include the use of a not-yet-blessed application.
And then there's the human element of corporate life, and the resentment of apparently arbitrary rules. They wonder: why is it more important to prevent people from customizing their computers than it is to personalize their cubicles?
After corresponding with a few hundred professional IT workers and managers, I found that the philosophical and management questions are harder to answer than the technological solutions. We'll get to suggested tech answers in a bit—for Windows, Linux, and Macintosh—but any IT administrator who wants to create a computing environment that's both fair and secure needs to first address the... well, let's call them the emotional and ethical issues.
Whom Do You Trust?
Long before an IT manager decides on a technology or administrative approach, she has to decide how much autonomy users ought to have. Or, specifically, how much autonomy each kind of user ought to have; university students are presumably less trustworthy and tech-savvy than are engineers, and salespeople appear to be at the bottom of the heap. (Dire experiments have been hatched by a bored sales person in a hotel room when he has nothing else to do.) Another issue is the business environment; you'd expect a bank to be more security- paranoid than a chain of dry cleaning stores.
As you might expect, opinions vary widely on this subject, depending on the respondent's own personal stance and the requirements of the business.
"[B]usiness needs to get done and people need software to accomplish that business. Once the 'us versus them' wall of 'can't have badge and gun' mentality is thrown up then you have lost the support of the business," says Michael Schiebel, the Lead Investigator at a Midwest Fortune 100 financial services company. "Our job is to help the business succeed efficiently and safely. So all software must be viewed in the light of business use; if it increases productivity then our job is to make it a standard."
Whose PC Is It Anyway?
One important consideration is that the computer is not the employee's PC. It isn't. Says Schiebel, "The PC is company equipment the same as pencils, paper, chairs, desks, buildings etc. The employee has no right to privacy while using that equipment and should treat it with the same respect they would give if they borrowed their friend's car. The level of respect the employee shows the PC and other company equipment speaks entire paragraphs about their morals and ethics. The business should use this information to decide what kinds of people it wants representing the company to its customers."
For many IT shops, the hand controlling permissible user installations has a light touch. They're happy to trust the users to do the right thing—and then the IT department copes with the consequences.
Most users really don't need more applications than the company provides, say some administrators. According to one, "Most people either don't install outside software or are satisfied with the normal low-profile stuff that doesn't attract a manager's attention, and the ones who install a lot of stuff (e.g., developers and QA staff) mostly know enough not to cause any problems."
However, users who do install applications may not be aware of software licensing issues. That's not merely a matter of conscious piracy. Some applications are free for personal use but require paid registration when used in a corporate environment. Will every user know the difference?
That's not a minor concern. Ian is a security specialist who works in the transportation industry; he was involved in his company's development of the global client and server loads for a decade. As Ian points out, "Companies forget that freeware is normally free for personal use—not for use inside a company—and they are required to have some sort of license (users are too aware of freeware products for home use and bring them in with out telling people). With the litigious nature of the world, companies should be covering their exposure by making it clear that only company-issued and -approved software should be used on company machines, and that the user is responsible if litigation starts."
Also, it's now common for employees to take the company laptop home in order to telecommute or to respond to work needs while on the road, far beyond the old-fashioned 40-hour work week. If your firm enables Internet access for only certain approved sites, then the employee—who's working on your behalf for the rest of the weekend—won't be able to do things like home banking, paying credit card bills or placing an Amazon order, which, in the past, they had to take time off work to do. Whatever solution you come up with, it will have to acknowledge and deal with these complications.
Will They Revolt?
A technically easy answer is for IT to control all computers in the organization, and allow for no exceptions. That sounds good on paper, but it rarely works in reality. First, it doesn't work, because some users are indeed exceptional (particularly technical staff such as programmers). Plus, employees can be resentful that the company doesn't trust them. And it's time consuming.
For one administrator, company restrictions definitely get in the way of getting the work done. In her company, every time you need to change the font or install something for work purposes, you have to phone the helpdesk to log a call which is passed to desktop support. They phone you back within 48 hours, spend time looking at the software required, and eventually install it on the machine if it passes their security checks. Says the admin, "This may sound like a secure way to do things, however the time it takes to get an application approved—or worse, rejected—you've probably missed the deadline for the work you needed to do. You've cost who-knows-how-many man hours running around getting all the I's dotted and T's crossed on the forms to make an exception, not to mention the testing and signatures required by desktops. Ultimately it can take weeks to have a new application installed."
This administrator got around the issue by stating she needed to use ping and traceroute among other things as part of her daily work supporting Linux servers, and at the very least needed to run cmd.exe. "I now have full administrator access to my PC, and have therefore negated the security in place. I have also managed to obtain domain administrator access in very much the same way." So, let's take a look at some of the ways that IT staff address the problem.
Seriously, XP blocked me from installing it on a 350.
I would say that the former is incomplete--why does it piss him off? Probably because of the latter.
We cannot install software on the computers at work. Only those with admin privilige can do so. This seems to be a very sensible solution. It is their computer and their choice about what software to install.
I know some think that it is harsh for the employer to restrict their computers but it is thier computer.
However, you would be amazed what you can run from a thumbdrive installation.
< grin >
Not here. My work laptop was stolen from my office in June. I've been usng my personal laptop ever since.
There are two interesting anecdotes from where I work. It's a materials R&D facility. We needed access to SciFinder, the largest on-line database of peer reviewed science journals in the world. But our IT guys didn;t like the fact that it had to write to a specific port that they wanted closed on our firewall (I'm not an IT guy so please forgive any mis-diescriptions on my part). So for 2 years, over 100 researchers had to use a dial up modem on a PC separate from the network. All because some IT guy in corporate HQ on the other side of the country knew how to do R&D.
The second story comes from dealing with the same IT masterminds. We have a lot of scientific instruments that are computer driven. Our IT guys installed all kinds of management software that disrupted the operation of the instruments. We were told that if the instrument could not run with the management software, then the computer couldn't be used. Moreover, in order to avoid conflicts with the management software, IT would review our instrument requirements and specify what scientific instruments we could use based strictly on their conformity to network policy. So somoe IT guy is going to make descisions that only a qualified PhD researcher should be making!
Well, when our international HQ, where our R&D results go, hear about the stuff the IT department was pulling on us with the blessing of the U.S. HQ, the matter was resolved. The IT guy was told off and all of his restrictions lifted, management software pulled, aside from anti-virus standardization, and we could actually do research.
THey didn't care if it would cost us almost $1 million to upgrade electron microscope lab from Windows NT to XP just for the sake of U.S. software standardization. At least they didn't care until they were told they would have to pay for it out of their budget.
233MHz is the minimum for XP.
I worked at a company that restricted internet access by controlling IE settings from the domain. I was required to research new controls for use by the programmers. Google, and just about any site I wanted to visit was “Off Limits” I wrote my own browser (it took 15 min to a half an hour depending on how complex I wanted to make it (I couldn’t save it and use it later as they had rules about that too.) I was researching a control one day and my boss walked in. He took a look at my screen and said, WOW, how’d you get to that site, so I told him, He walked away shaking his head.
Later, at another company, I was doing a lot of “Time intensive work” (Things that had to run overnight). They had tightened security down so no one could access their machine from home, but we had to be able to use Net meeting to support our customers, and we had to have email. I wrote a program that would check an e-mail address and respond to specific emails by doing things for me. One email would open up net meeting and place a call to my Static IP at home, then hand me the desktop. I was very productive. My boss called me on night and apologized for asking me to drive 45 minutes just to give him a file he needed, while we were on the phone, I had my work computer contact me and emailed him the file from my work computer. He hounded me for a week before I told him how I did it. IT wanted to talk to me (Great). At the end of our little chat, the IT director said well, that is pretty secure (since it could only access my static IP, and only responded to emails containing a daily cipher.) He said “I don’t think there is a way I can stop you without killing our business” Can I have a copy? And how do I get the cipher, and set the email address?” A new “Approved” product was born…
Moral? You can’t stop and employee with technology they understand better than you do.
Or they could save all work files to a server, and have very little on their desktops/laptops.
I lost count of the number of times our Helpless Desk said to me, "if you figure out what the problem is, will you get back to us?" Our original IS staff from a decade and a half ago prided themselves that they didn't own personal computers (because they were world-weary, sophisticated professionals, don'tcha know). They couldn't troubleshoot a typo.
I recently had a C: drive crash. I begged my field tech not to try to fix it, but he did. He showed up one morning when I had a doctor's appointment, took away the drive, brought it back and reported it was totally dead and none of the data was recoverable. He was right. Unfortunately, the drive he carted off had been the perfectly healthy D: drive. I managed to recover all my data from the C: drive.
They instituted new online rules a few months ago. They took away all unauthorized browsers and made us use IE. There goes my Opera. At the same time, they disabled any program that "phones home" for updates. There goes my Ad-Aware.
Shall I go on...?
That strategy is fine if the network is stable and the parties responsible for server backup are doing their jobs. The problem is that the "admin" task is treated as a collateral duty. It's not billable time to a customer. If the responsible party has a full plate of billable work, the collateral tasks never get done. Nobody cares until the server crashes.
Having lived in this environment for quite a while, I invested in DVD+/-R/RW DL drives on each local computer. I use Ghost to back them up on a regular interval.
Do you provide a list of Sites That Piss Off Gilor so users can avoid having their accounts suspended?
So downloading 'warez' (illegal software) is ok?
My company hired me to not only run their networks, but to protect them.
I could have had the Idiot User fired, but I'm a nice guy.
Better yet, add them to your proxy filter and bar them from even going there and redirect to a nice warning page. NO p0rn, No Warez no iTunes, No FReeping... (opps!) Get back to work!
Getting them 'reminded' to go back to work is their bosses job.
Find the George link in this thread. Those people exist.
Great examples. The Mordak character in the Dilbert cartoons should be popular with your group.
For every 20 stupid user stories, there is a stupid administrator story. For every 20 stupid users completely botching their machines up several times a year, there is a stupid administrator halfway botching up multiple departments for months to years.
As you can see in my earlier post, George is NOT an IT administrator, he's a helpdesk lackey. They are not qualified to administer a network.
If an administrator is botching up multiple departments for months to years, he won't be an administrator for long. The employee who screws up his machine, however, is rarely held accountable.
I agreed. There are far more stupid users, and the stories about them are far easier to understand.
If an administrator is botching up multiple departments for months to years, he won't be an administrator for long.
Well, unfortunately that is not true at all. Because their effects are near universal, unless they actually bring down the system entirely or large parts of it, if their acts continuously degrade everyones ability to work it is unlikely that their mis-steps will be noticed - especially as there is no "better" to compare performance with.
We just took away their admin rights and that fixed a lot of problems. They were only ready to drop the gloves over silly little phone-home email icons. Everyone tries to outcute one another. Geez.....
When we hire a new employee, we have a standard speech about rules. One of the big rules is "No matter how important the incoming email looks, do not forward it to the dept email list. Even if it says to send it to all your friends."
Wow. That would definitely get annoying after about 2 weeks.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.