For every stupid user story, there is a stupid administrator story.
My last employer solved the problem (sort of). We were simply disconnected from access to the Internet. From then on employees were limited to only intranet access within the agency.
Not necessarily to prevent the downloading of mischief from the Internet, but to prevent the UPLOADING of some sensitive material, which was used in malicious ways against the interests of the agency I was with.
Life can be hard when the people with whom you work every day are not politically reliable.
Just use security groups, and group policy applied to Active Directory Organizational Units.
I think the real problem is managers wanting technology to do their jobs for them. They don't want to personally hold their people accountable for what they do and/or install, so they want the IT department to get that responsibility. But, as the article mentions, then everyone hates IT for the restrictions. Voila! The managers have successfully avoided doing their jobs and avoided the heat as well.
My solution is this: Every user who has a workstation for which they are the exclusive (or nearly so) user should be made an administrator for that machine and be held responsible for everything they install. Any machines that are "community use" should have no administrator accounts except for IT.
The "zero-tolerance" idea of IT-only administration is what we live under at the moment. It's a disaster, as the article so ably describes. Restoring personal accountability would go a long way toward solving the issue.
IT departments are just too understaffed to test each and every application an organization needs before installing. The ethernet paradigm is more appropriate. "Get it out there fast and if it breaks, fix it." Just make sure your virus scanner is kept up to date. :-)
If a desktop goes bad it can be reimaged in about an hour.
Acquiring an unlocked machine requires and act of God.
I've had several jobs and placements with restrictive computer policies, and nothing makes me feel more like a faceless grunt than when they make me use the system setup they think is best for me.
Meanwhile, I worked at a company that didn't give a crap what you did on your desktop as long as you got the job done and I got more work done there than at my last two gigs combined.
One place I was at used a Windows setup that wouldn't let you change your date/time settings. That was a real sharp one, especially when the clock got out of sync and was wrong all the time.
 |
If I were running a business, I'd consider using thin clients and just take away general purpose PCs. Keep workers focused on specific jobs. Let them click around the net on their home machine. |
I do some work for a huge Fortune 500 company and their IT is 1950's at best. Most employees used shared workstations which are secured by a user ID of "administrator" and a blank password. As a result everyone can and does install junk, junk, junk including instant messaging software, and their bank and eBay accounts all with their IDs and passwords saved. Since several of the employees are rather unsavory, I wouldn't put it past them to install keycatchers, so I won't use those PCs for anything secure.
I've worked in IT support for over a decade and my current employer (a college) has by far the best policy on this. We give staff full admin rights to their XP workstations and reimage when they mess it up. Staff do not like having their PC's reimaged so they are naturally careful with what they install. Needless to say, there are only a handful of "problem" staff members that require extra attention. The vast majority are just fine and require little assistance as they learned to support themselves.
ring, ring
me:hello
idiot user:It says my account is disabled
me:Yeah, I disabled it because of the 'bad' sites you've been visiting.
IU:Turn it back on!
me:'warez' sites piss me off, have your boss call me.
IU:What? turn it back on now!
me:Have you boss call me...click
The pin stripe wizards just decreed that all laptop and desktop disk drives running Windows must have full disk encryption. My colleague bent over and complied immediately. This weekend, his Windows OS is giving him a bluescreen. Too bad. The standard Windows boot/repair disk can't handle an encrypted image. He can't see his files anymore with Knoppix either. Brilliant. My laptop still isn't encrypted. It may never be based on the observed consequences. I'm watching with interest to see if the "help desk" has some kind of magic recovery tools for encrypted images. The encryption breaks disk defragmentation immediately upon installation. A hard disk used for compiling large projects gets fragmented rapidly. The "management" has traded "security" for functionality. I expect the loss of lots of critical project data to disk crashes instead of stolen laptops.
This article tells a telling tale of the incompetence in the IT industry. Security is a breeze under Windows XP. Preventing installation of software is one of the easiest things to do. Both the file system and the registry can be locked down to prevent installation of programs. Even the OS can be locked down to prevent the executing of applications except those application that are authorized.
This can all be done via the group policy editor. Simple, but most "administrators" don't even know the capability exists.
It's pretty tough to infect office furniture with a malicious product which can steal hundreds of man hours for which the company has paid or steal company owned data or expose the company infrastructure to attack.
Interesting company IT consideration article :~)
What's funny is that if the problems are solved by the new policies/software, the company will be able to get rid of some of the IT people who solved the problem. lol
I have a girl in my office that uses a 2.7ghz Celeron with 512 MB ram, it runs slower than the Pentium 266mhz with 128MB in the next room (Both run WinXP). The difference? She keeps downloading all kinds of crap. I'm about to take her off the network.
BTTT