GROKLAW
How does your company keep employees from loading apps on their PCs?
Tuesday, August 22 2006 @ 12:01 PM EDT

I got a request from a journalist to pick your brains, if you are willing. Esther Schindler of IT Business Network is working on an article about how companies handle employees downloading applications on to their PCs. She'd like to ask you about strategies. I hope some of you will explain about GNU/Linux systems being designed so you can disable/remove applications and functionality so that in that wonderful operating system, an employer really can decide what he will and won't let employees do. Please be specific for her, will you? Lots of businesses may not know of the advantages they could be benefiting from if they switched to a GNU/Linux system, where your browser and media player are not viewed as integral and indivisible parts of your OS.

With that, here's her question:

*******************************************

How does your company keep employees from loading apps on their PCs?

Howdy, folks. I'm senior writer and editor at the IT Business Network. I've decided to write a "real world" story about the way that companies (large and small) control their employees' desktop computers.

I'd like your input about what your firm does... and perhaps about what you wish it would do. I might call this a "best practices" article, except that I'm not sure there's any "best" here, just what works for a given company. My aim, however, is to collect enough data to give other IT professionals a sense of the tradeoffs among the varying choices.

This all started because I overheard an IT person complain about her users. The company has 300 employees, many of whom would have been called "paper pushers" in an earlier era. Some of those employees decide to download software and install it on their computers. The specific example was screensavers (some of which carry a payload of spyware, making it a security issue as well as a support problem), but it could have been anything else. The IT pro whom I overheard had looked at a $10,000 hardware solution, but even that required 10 hours a week to keep up with permissions and such. But that didn't sound like a great option.

So I'm curious -- and I dare say, so are a lot of other people.

How does YOUR company deal with employees installing apps on the company computers? My guess is that the answer breaks down in these rough categories.

1. We let them do whatever they want. And then we cope with the consequences.

2. They can install what they want, but we'll only support the apps we install. If they break the computer or get a virus... THEY get to fix it.

3. We control their installations by administrative policy (i.e. "if you install unapproved software, you're fired").

4. We control their installations using technology. What technology would that be?

5. Something else?

Which of these best fits your company's choices? Which option do you wish the company chose?

If you use some sort of technology, please tell me about it. How well does it work? Was it expensive, in financial or other terms? How annoying is it?

Similarly, how well does administrative policy work? Do employees follow the rules, or do they imagine that gosh, installing a screensaver doesn't qualify as an *app*, does it?

I'm hoping to get the article written by the end of the week. So I'd appreciate hearing from you sooner, rather than later.

Also: if I quote you in the article, I'll need some way to refer to you. The usual format is &name, &title, &company, &location ("Esther Schindler, an IT manager at the Groovy Corporation in Scottsdale, AZ, says..."). If you can't be identified specifically without company approval, let me know privately and we'll work out an alternative ("Esther Schindler is an IT professional at a southwest financial firm"). And, of course, you're welcome to contact me privately at esther at bitranch.com, if you prefer not to answer here. (Though I think it could be an interesting discussion!)

Thanks in advance for your help!

Esther Schindler
IT Business Network




402 comments
Corrections Here
Authored by: feldegast on Tuesday, August 22 2006 @ 12:05 PM EDT
So PJ can fix them

---
IANAL
The above post is ©2006 and released under the Creative Commons License
Attribution-Noncommercial 2.0
P.J. has permission for commercial use.

[ Reply to This | # ]

We use Unix/Linux/Mac and we set permissions
Authored by: clark_kent on Tuesday, August 22 2006 @ 12:07 PM EDT
First of all, if we use Winblows, it is administrated as a separate system,
either in a Virtual Machine (VMware or Parallels) so Winblows runs as an
application (that it is) or in terminal server form. I give user level accounts
to all users. Myself and trusted admins have administrative accounts that can
modify the system. I also protect my systems with a FreeBSD bridged firewall,
and only need to run Anti-virus software on Winblows. I run my Solaris, Linux,
and Mac OS X uninhibited by security-adding software because the security is
already built in!

[ Reply to This | # ]

How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Tuesday, August 22 2006 @ 12:12 PM EDT
First of all, I manage the apps that are installed on my work computer as well
as my home computer (both running Windows XP) much more strictly than the IT
department actually requires.

To answer your question, however, the IT department where I work restricts app
installations to those installed by Microsoft's built-in installer (the one that
uses files that end with .msi). I guess they feel that no self respecting
cracker would be caught dead using Microsoft's installer.

Heh.

[ Reply to This | # ]

Off Topic
Authored by: feldegast on Tuesday, August 22 2006 @ 12:17 PM EDT
Please make links clickable (submit as HTML)

---
IANAL
The above post is ©2006 and released under the Creative Commons License
Attribution-Noncommercial 2.0
P.J. has permission for commercial use.

[ Reply to This | # ]

Simple, they don't
Authored by: Nivuahc on Tuesday, August 22 2006 @ 12:17 PM EDT
I mean, they want to... but it's nearly impossible. We use Windows XP on a Windows network and the IT staff can't seem to get a fair grip on the problem. When restrictions are put in place by some sort of administrative policy, it keeps some software from working properly (i.e. AutoCAD).

Either way, I carry around an encrypted 2GB USB drive with everything I really want/need on it. I have a slew of portable applications like Firefox, Gimp and Thunderbird. I don't need to install anything on my work computer, really, to do whatever I want. Plus I get the added bonus of my private information staying somewhat private.

---
My Doctor says I have A.D.D... He just doesn't understand. It's not like... Hey! Look at that chicken!

[ Reply to This | # ]

Mixed policy
Authored by: janolder on Tuesday, August 22 2006 @ 12:21 PM EDT
[2] for engineers, [1] for everybody else.

[4] can be achieved with domain policies, but those aren't used here as people
need to get work done.

[ Reply to This | # ]

  • A question - Authored by: Anonymous on Tuesday, August 22 2006 @ 04:37 PM EDT
How does your company keep employees from loading apps on their PCs?
Authored by: rsmith on Tuesday, August 22 2006 @ 12:22 PM EDT
In our company (which is windows-only, unfortunately), users don't have
administrator privileges on their machines, and the permissions on the
directories of the local hard drive are set so that for a normal user the
hard disk is read-only, except for the C:\temp directory.

The users' home directories are shares mounted from a server, as are department
or company wide shared directories.

This means that users can't install software nor mess up the standard software.
The helpdesk installs apps.

Automatic backups are made every hour for the last two hours, and every day at
night for the last two weeks.

---
Intellectual Property is an oxymoron.

[ Reply to This | # ]

How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Tuesday, August 22 2006 @ 12:24 PM EDT
We have a mixed Windows/Mac client situation. On both machines, users only have
user-level accounts.
Only developers may have admin accounts (since they're supposed to know what
they're doing).

Attempts to handle this by contractual obligations had to be squashed as the
regulations were so restrictive that even going to a page with Javascript
enabled would have violated the agreement (which plainly ruled out "running
programs downloaded from the Internet" which obviously includes Javascript,
Java applets and Flash being executed in the browser).

[ Reply to This | # ]

How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Tuesday, August 22 2006 @ 12:26 PM EDT
I work for a university bookstore with 50-100 computers in use depending on the
season.
When we were looking at upgrading our firewalls, we came across an interesting
feature of one of them. Tiny Personal Firewall version 5 (the one we tried out,
there are newer versions now) had the capability to 'firewall' use of
applications. You can have it allow specific programs and disallow execution of
anything else. It also does a ton of other things such as registry access rules
and filesystem access rules along with the standard firewall port/ip blocking
ability. We didn't end up going with this (we were looking for a firewall)
because it was too complex for our application. But for someone looking to
restrict general access to a computer I think it would work well if a competent
sysadmin configured and maintained it. They were so confident in their program
that when one of the big worms hit, they recommended that system administrators
run the worm and watch what it does to learn more about it. It would tell you
every file and registry entry it touched, so you could reverse the damage when
you were done playing with it.

Anyway, my 2 cents on protecting windows machines.

Orson Jones

[ Reply to This | # ]

How does your company keep employees from loading apps on their PCs?
Authored by: alisonken1 on Tuesday, August 22 2006 @ 12:32 PM EDT
Ken Roberts, Abletronics (small business, 4 employee retail store)

Our systems are based on:

1 - Linux server
3 - Full GNOME Linux desktops (with 1 dual-boot Win98SE)
2 - POS terminals (no desktop, just CLI)
1 - Apple OSX desktop

Typically, only the root account can install software, and there's only 1 person
(me) that has ready access to the root account. In case of bus, the computers
are documented (with usernames/passwords) in a place accessible to the owner.

For the most part, users can attempt to install software, but they do not have
the technical expertise to install software into their home directory and make
the changes necessary to run from their home directory.

For other software (i.e., booting into Win98 on the dual boot machine), the only
other person that has need of a Windows environment usually asks me to help him
with the software that he needs to run (remote video client on a security DVR -
occasional use to show customers).

In essence, our company has a "don't care" policy, but due to
technical expertise it's effectively "users can't install anyway".


---
- Ken -
import std_disclaimer.py
Registered Linux user^W^WJohn Doe #296561
Slackin' since 1993
http://www.slackware.com
http://www.mutagenix.org

[ Reply to This | # ]

How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Tuesday, August 22 2006 @ 12:32 PM EDT
You can't, and if you waste your time trying, the expense you have spent on trying would be better justified hiring 2 more employees to take up lost productivity.

I'm serious, it's like our sysadmin, he claims his layer 7 firewall will keep anything out he wants, but it has caused a 30% loss in productivity from development for all the things that worked before, and are now broke. He refuses to believe that it's the firewall config.

At the same time I showed him how an SSL tunnel to an outside proxy answering up on 443 can circumvent everything he has done, at which point he backtracks saying nothing is 100% if someone really wants through.

Herein lies the problem, I have actually seen people load a second OS on systems for a Dual Boot of their stuff vs Corporate, etc, etc, hell Linux isn't going to help, I've run stuff under wine after a week of tinkering no one said would run.

EASIEST, is a company policy, find someone you're going to fire, oust them and make a big stink after they leave (Rumor Mill) about how they were fired for repeatedly violating this policy. NOTHING is more effective than FEAR when working with morons who won't listen and think that for some reason for some justification they are OUTSIDE the rules.

Have RANDOM company Audits, have the Sysadmins show up EARLY but not too early and when someone walks in to their own office or cube have the sysadmins make a generic statement like "We're doing an Audit on unauthorized software", I can promise you never even have to log in and tomorrow EVERYTHING they installed will be gone.

[ Reply to This | # ]

Simple: GPL is allowed, proprietary must be run by SysAdm
Authored by: Anonymous on Tuesday, August 22 2006 @ 12:46 PM EDT
Since I haven't seen this method above, I may as well chime in. We're a
relatively small company, consisting mainly of technically oriented people,
with a mixed mac/linux environment.

1. Each employee gets their own mac Mini, which mounts their user directory
from our server: just about everything that gets installed, gets installed to
the user's directory.

2. Users can install any GPL or similar software to their local hard drive,
knowing that the minis are replaceable, and they may lose their locally
installed software if their machine has problems.

3. We do our development on Linux boxes: nothing gets installed on them
without the SysAdm's approval. These are our workhorse boxes.

4. We have a couple of Linux "Sandbox" machines, which are communally
available for testing software, running 3rd party software and otherwise.
Often the SysAdm helps with installs to these boxes, and periodically, we
migrate successful apps to the development environment, once we know they
are safe and that users generally would like access to them.

So far, so good. Uninformed users generally install to the hard drive on their
mini, or directly to their accounts, mounted on the minis, so it significantly
minimizes any damage - and the minis are all interchangeable, so if there's a
problem, just re-image, and remount the user's network drive, and it's back
to being stable again. Tada!

[ Reply to This | # ]

How does your company keep employees from loading apps on their PCs?
Authored by: gbl on Tuesday, August 22 2006 @ 12:50 PM EDT
If it is considered that important, the obvious solution is a central server and thin clients. Unix-like operating systems make this cheap to implement and it can provide a huge reduction in support costs in suitable situations.

Giving everybody the equivalent of a 1970s supercomputer on their desk just to read email and run solitaire is both expensive and an invitation to hackers and viruses.

---
If you love some code, set it free.

[ Reply to This | # ]

  • Or use terminals - Authored by: Anonymous on Tuesday, August 22 2006 @ 01:13 PM EDT
How does your company keep employees from loading apps on their PCs?
Authored by: Arker on Tuesday, August 22 2006 @ 12:57 PM EDT
A place I used to work had already laid out a rather large chunk of money for
one of those so-called 'hardware solutions.' It was more trouble than it was
worth. First, it wasn't a 'hardware solution' as claimed, in reality it relied
on drivers, and the 'hardware' was simply a dongle which had to be present to
enable the functionality in the software. Probably cost about 20 cents to make,
but you can bet we paid a lot more than that for it. It was a PCI card with a
'lock' exposed at the back of the computer - the card had to be installed and
the 'lock' turned the right way or the software wouldn't do its job. (This was
presented as a benefit to the customer, but it wasn't - it was actually a
copy-protection scheme, and it didn't work very well at that either.) The cards
were so flimsy it was hard to install them without damaging them, and any damage
resulted in the software not working. The 'lock' on the cards was rather
worthless as well, there were so many ways to circumvent it it happened
constantly, but the easiest was simply to grab an unused key from the filing
cabinets in every room. Yeah, the 'lock' was that bad. A hairpin would work too.


After all that, this very expensive 'hardware solution' was, in reality, a
software solution, with all the problems that entails. So the weaknesses in the
dongle system were just icing on the cake. It caused an amazing amount of
incompatibility problems with other apps. It introduced just enough control that
people were constantly calling for help because it was blocking them from doing
legitimate work, without being difficult enough to circumvent to prevent people
doing other things from disabling it quickly and quietly. When I'd find one
where this had been disabled, I would have to completely reinstall the machine
from scratch if I wanted to make sure it hadn't been compromised. This took far
too long (partly because policy prevented me from installing the software I
needed on the server, admittedly) so I was told simply to turn it back on
instead. So then we had machines with spyware and junk installed on them, and it
wouldn't go away, when the user tried to remove it this 'solution' would then
prevent it. I'm getting a headache just remembering that thing.

[ Reply to This | # ]

How does your company keep employees from loading apps on their PCs?
Authored by: ppentz on Tuesday, August 22 2006 @ 01:00 PM EDT
Northwest Airlines:
I worked at NWA in the mid 90s to early 2000s (I was laid off not long after
911) in a department that used Macs. Our policy was to 'try' to prohibit
downloading of software, but people still did it. If they requested help with
an app they downloaded, we would just shrug and tell them they were on their
own. Thankfully, at that time there were very few nasties for Macs so people
downloading Malware really wasn't much of a problem. We would use a network
scanning tool to periodically scan each Mac for 'illegal' software. The main
reason was to get rid of improperly licensed versions rather than support
issues.

Allina:
I currently work at Allina, which uses Unix for the patient database and WinXP
for the users. The average user does not have Admin rights on XP, and the C:
and Program Files directories are locked down. It's still possible to download
and run some apps, such as OpenOffice, but it's pretty limited. Unfortunately
pigs will probably fly before this company switches to Linux.

Paul

[ Reply to This | # ]

How does your company keep employees from loading apps on their PCs?
Authored by: tknarr on Tuesday, August 22 2006 @ 01:00 PM EDT

Where I work it's a mixture of 2 and 3. The company makes sure users understand why installing random stuff from unknown sources is a problem. IT does its best to make sure the software the users do need is installed and supported. Installing unapproved software that causes problems for the network or other systems, or that breaches security, can be and is grounds for firing. Unapproved software that messes your own machine up bad enough you can't get your work done, that's treated as a performance issue and handled exactly the way any other failure to get your work done would be. And the final deterrent is IT's repair policy: if there's any problem with your machine and there's any difficulty fixing it, they'll simply wipe and reimage your machine with the approved software that's on their list of what you're supposed to have installed. Since all important stuff's supposed to be stored on the automatically-mounted network shares, there shouldn't be anything that needs preserving on your local drive (and if there is, its loss is your fault, not IT's). A few things, like the anti-virus software, are forcibly installed by IT with permission settings that prevent users from removing or disabling them.

There are a few restrictions imposed by Windows group policies, but mostly it's controlled by company policies and not technology. By and large it works well. Most people either don't install outside software or are satisfied with the normal low-profile stuff that doesn't attract a manager's attention, and the ones who install a lot of stuff (e.g. developers and QA staff) mostly know enough not to cause any problems.

[ Reply to This | # ]

We run OS/2, as does one of our largest clients.
Authored by: AJG on Tuesday, August 22 2006 @ 01:03 PM EDT
The desktops are set up in a standard way with the needed business functions and
they stay that way. The users haven't a clue how to change anything.

[ Reply to This | # ]

BSA Horror Story
Authored by: Anonymous on Tuesday, August 22 2006 @ 01:04 PM EDT
A friend of mine owns a small software development company. A few years ago,
he had an employee who turned out to be an employee from Hell. Stole stuff,
lied, padded his hours, parked in the boss's parking space, and never finished a
project he was ever put on.

Needless to say, he finally got fired. But for being fired, he called the BSA
(among other things) and told them my friend's company had massive amounts of
pirated software and was misusing the software they did have licences for.

The investigation was painful. He spent about a month in day-to-day interaction
with the BSA reps, who were uncooperative and hostile. The investigation
completely interrupted business, and the company's reputation was damaged from
having the BSA call and confirm software purchases, making his vendors question
whether they had an irresponsible customer or not.

In the end, he was fined $2000 for use of a piece of software that was free
for home use, but pay for commercial use (he didn't pay for it), and being one
windows2000 license short. They did tell him they were surprised the infraction
was so small considering what their source had told them. He also had paid
about $60,000 in lawyer and investigator fees.

The horror of this is any company can have a disgruntled employee sic the BSA on
them and it will cost money.

[ Reply to This | # ]

How does your company keep employees from loading apps on their PCs?
Authored by: shiptar on Tuesday, August 22 2006 @ 01:05 PM EDT
To give you a simple answer, stop letting people have unrestricted access to the
Internet. Use white lists. Sit down with your users, find out the sites they
have a _business need_ to use, and run them through a proxy.

That will solve your immediate problem, then you can go do research about a real
solution. Good starting points would be Active Directory if you are windows
based, or LDAP for just about everything else.

[ Reply to This | # ]

How we manage what people have on their desktop/laptop systems.
Authored by: Anonymous on Tuesday, August 22 2006 @ 01:07 PM EDT
We use a layered system, depending on where users work in the organization and what the IT Services people think of the user's sophistication.

We have Windows, Mac OSX, Linux and Solaris systems. We have both nontechnical users and very sophisticated researchers and software developers. We also have managers, some of whom think they are technical, and probably were in the 80s.

Some things are flatly off limits. Traffic is monitored at the router for certain sites, and certain kinds of traffic will get scrutiny, and will get your system audited by an admin. Violations of the acceptable use policy, either by the content you're downloading or by installation of explicitly forbidden acts gets you one warning, followed by termination. In some cases (kiddie porn) you get no warnings.

HR cooperates well with IT Services because the IT guys are good about logs and an evidence chain, and the IT Services technical leadership has done an excellent job of explaining things in non-technical terms that a lawyer can handle. HR helped write the current policy, after several failed attempts by the IT Services group.

Nontechnical users don't get admin privileges. This is true across all platforms. I'm always slightly amazed that most Windows users seem to have admin privs, and that many organizations don't seem to realize that you can have Windows accounts without admin privs. Mac users seem more likely to know you can have a non-admin account, but no more likely to use the ability. On the other hand, we started as a purely Solaris shop, and everybody understood the notion of root (and groups, and ACLs) and when we moved into a mixed Linux/Solaris/Windows environment, the Unix "style" of privilege management came along.

Technical users rarely get root access, but most technical users don't use Windows. Instead, they use sudo or install things inside their own account, where the damage can be managed. All apps have to be used for some business reason, though since we are something of a research organization, we are pretty loose about what's an acceptable business reason. Technical users are subject to the same rules about acceptable apps and acceptable content, and know in advance that an "I didn't know it was spyware" defense is as likely to get them fired for incompetence as for breaking the rules.

The few technical users with Windows have admin privs.

There is a simple process for getting new software 'vetted' for addition to the standard installation list, and for getting it on your system. We have remote desktop capabilities on Windows and MacOS, and remote access to the Linux and Solaris systems, using VPN when users are remote when necessary, so that IT Services can install things remotely. They also do audits on occasion, mostly to make sure updates have been applied, but as long as they are auditing they look for malware of various sorts.

Purely technical solutions, in my experience, don't work. Purely policy solutions are prone to either being loose enough to drive a truck through, or so restrictive that developers can't get their work done. Mixed solutions, and the ability of IT Services people to communicate in colloquial American English, are essential.

And finally, make it clear that these are business computers, for business purposes. As I always tell my staff, if you want to surf for porn, do what I do: keep it on your personal iBook, at home.

[ Reply to This | # ]

How does your company keep employees from loading apps on their PCs?
Authored by: philc on Tuesday, August 22 2006 @ 01:08 PM EDT
First off, I am a Linux development engineer. I have little need for or desire
to use Windows.

I have recently been in a small company. They permitted each employee to install
whatever Linux distro they liked and self administer. IT provides instructions
on how to connect to the network services and general help the few times it's
needed. For the Windows users, the computer comes with XP-pro and IT configures
it. There is a share with "approved" software including instructions
on how to install and use it. They have an internal website to get licenced
software so they can track usage. If someone wants additional software they talk
with IT and, if approved, it goes up on the share. This, overall, works very
well.

In my current company, IT rules the Windows desktops. All IT services are
Windows only and everything is done through trouble tickets. This is very
inefficient and annoying. Linux is not permitted on the corp net, so your Linux PC
is on a lab net and I do as I like. IT's behavior comes from having to keep the
Windows systems up in the face of viruses, bugs, bad software, etc. There is
apparently a lot of support required for each Windows desktop.

I far and away like the small company approach. They really support people in
the best sense of the word.

I don't see much of a value proposition for Windows. About all it has going for
it is it's everywhere. Look beyond that and you find some proprietary software
that is Windows only. Its laundry list of problems and limitations is legend.
People that only know Windows don't appreciate what they are missing.

[ Reply to This | # ]

How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Tuesday, August 22 2006 @ 01:08 PM EDT
The intrinsic problem to my answering this question is that we (most
employees at my company) are software engineers; that is, we have to write,
install, and use applications that we helped build (or built by ourselves) with
some frequency, often on/for desktops. Because of this, it is difficult to
institute anything other than #1.

As an example, in the last Linux project I was on, my job was to modify
a Linux driver to get a specific device to work on a specific version of Linux.
Frankly, any limitations on my local permissions would have hindered my ability
to do my job.

If you want to lock a Linux distribution down, I'd suggest looking at
SE Linux (http://www.nsa.gov/selinux/). In any case, depending on the skill of
the presumed attacker, you'll also want to password-protect the BIOS, and make
the internal hardware of the computer difficult to access.

Zimbel

[ Reply to This | # ]

My company?
Authored by: Anonymous on Tuesday, August 22 2006 @ 01:08 PM EDT
Alas, we're pretty laissez-faire, but most people don't even know how to install
apps (and most have no access to the internet). That said, I did have to remove
a game of porno-solitaire (with bundled spyware, of course) from a machine once,
as well as a few odd viruses (it helps a lot when you can remove them
manually--Symantec AV was worthless).

Of course, this is a Windows (and DOS) shop, because of the applications we have
to run. Incidentally, DOS is about a thousand times easier to administer.
Nearly everything running under DOS I have automated and down to a science. Of
course, *no one* knows how to mess around with it, so that's a plus. And I have
automated backups (via a custom script I made myself) in case they ever do. I
can't manage even half of that for Windows.

Now, if we ran Linux or BSD, the simplest option would be to restrict who can
access the compilers and/or a few judicious noexec bits. Then they'd only be
able to use shell scripts and such. Definitely a lot easier to lock down if you
put your mind to it and have good admins. And it would not have required
mastering the weird tricks you have to pull to get DOS batch files to do
something even modestly complex. I mean, they only give you GOTO, not even an
else for your if statements. Ugh!


trust your employees
Authored by: Anonymous on Tuesday, August 22 2006 @ 01:17 PM EDT
For the most part, installing applications isn't nearly as big an issue as
Wasting Time at most companies.

A solution a former employer had:

They had a list of supported applications. Anything else was "not
supported" by IT.
IT controlled the machines with master copies of corporate data.
They gave root/admin to users who by virtue of their jobs needed it, plus
developers who by virtue of their jobs would work elsewhere if they were told
"no, you can't have that."
They controlled the firewalls. Yes, you can defeat firewalls but you'd get
fired when you got caught.

Company policy and loyalty did the rest. With rare exceptions, you didn't have
people trying to sneak sensitive data past the firewall or out in their pocket.
You didn't have people abusing the network. You didn't have people deliberately
creating viruses on their company-owned PCs, though no doubt some had the skill
and programming tools to do so. You didn't have people turning off firewalls
and antivirus programs.

Needless to say, we were well-compensated. I know of only 1 person, out of
several thousand over several years, that got into serious trouble over doing
what he wasn't supposed to do with his PC.


How does your company keep employees from loading apps on their PCs?
Authored by: Griffin3 on Tuesday, August 22 2006 @ 01:17 PM EDT
Pretty much by threatening their lives ... but I have to say that explaining to
them how the adware/spyware works has kept a bunch of the minor-league stuff
off. So, education, I suppose, in combination with #3, administrative policy.

They also know that the moment I get tired of chasing down goofy bits of
software, I will cheerfully come out and change them all over to Ubuntu Linux
over the weekend. Not only will this immunize us against any future BSA
extortion*, but by setting them up as non-administrative users, I will be able
to solve the entire problem without effort or cost.

[*Every single computer here has a legitimate Windows installation on it, except
for one WinXP machine that I upgraded to Win2000 because I got tired of the
retarded behavior of the WinXP networking stack. But, according to every
account I have read, the BSA won't accept CoAs, or CDs, or the little
hologrammic stickers on the computer. Only the original sales receipts will do;
if you can't lay your hands on those, you have to pay again for all the
software, plus whatever attorney's fees the BSA decides to throw at you (plus, I
imagine, you have to upgrade all your poor struggling 98 machines to an
impossible-to-run WinXP). So how's THAT for a reason to upgrade to Linux?]


HOWTO and bad news
Authored by: overshoot on Tuesday, August 22 2006 @ 01:18 PM EDT
First off, as far as I'm aware there's nothing that can prevent a file from executing on a Microsoft system. You may not be able, as a user, to install stuff on the system but foo.exe in your "MyWarez" directory is going to run when you double-click it.

On the other hand, it's been a loooooong time since I messed around with MSWindows and maybe they've got ways since then.

On a Linux system, you have rather coarse control over execution. Basically, you can refuse users any write access to directories other than /home and /tmp, then mount them with noexec. If you do this, the users' ~/.bashrc and other necessary scripts will have to be symlinked to the system masters, but that's actually a good practice anyway.

However, no matter what you do, you're not going to get around scripting languages on either system. VBA, for instance, is going to be there on the MS system and if you point it at a vanilla user file with a VBA script it'll run.

Likewise, as long as I can edit a text file and have some sort of console access (pretty hard to remove without b0rking the system) I can always run bash foo.sh and whatever mischief is there in that script file will run. Considering the number and power of scripting languages (think PERL) on a basic Linux system, there's not much that a determined user can't do. I've seen full-up webservers written in awk, which may be masochistic but proves the point.

In the end, your best bet is that the users who can bypass the lockdown are also the ones least likely to do monumentally stupid things. Lay down the law, let the clued ones run without leg irons, and occasionally make a Horrible Example of the ones who violate the trust.


How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Tuesday, August 22 2006 @ 01:19 PM EDT
I work in the high-end computer aided design field.

85% roughly, of our staff are very computer literate.

Our CIO has to give his blessing to install software.

For the people in our technical division (programming, delivery, support), this
is pretty much a "Hey, I am going to install _____ software, 'cause I
needed it. O.K.?" And the blessing is given.

For others, our CIO looks a lot more closely, etc.

We also have a policy related to viruses whereby each computer user is
responsible A) to ensure their anti-virus software is running and B) not to click
on any e-mail attachments unless the user was expecting the attachments and
the sender actually sent them. There are a few other steps to the procedure but
it boils down to this: if your actions cause your system or our network to get
infected with a virus, it is your behind. This could include docked pay to
handle the cost of removal and recovery of data. Additionally, if it is
determined that company procedures were disregarded, it could be outright
dismissal.

So, people are very protective of their systems and, if there is any question
about an attachment, etc., they get with the CIO and get it checked out,
following the steps in our existing policies.

I believe we have had only one virus get onto our network in the past six years,
but it was caught almost immediately and things were shifted to a backup server
while the infected one was taken off all lines and cleaned.


How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Tuesday, August 22 2006 @ 01:20 PM EDT
Where I work we use Mac OS X, which allows permissions to be set as to what a
user can do in Finder, what applications they can run, which ones they can not
run. Anything that is downloaded can't be run since it is not approved. This has
worked very well for us in that we have no problems with rogue software, and
we provide Messaging applications to contact the major networks (Proteus).
Screen savers are the standard flurry ones that come with Mac OS X, and those
are preferences that can't be changed at all.


I read an article about the CIA & we have done the same for years too.
Authored by: Anonymous on Tuesday, August 22 2006 @ 01:23 PM EDT
I read where the CIA uses 2 LANS - one that never sees the internet and is
secure... and one that can touch the internet and is secured as much as is
possible! The CIA I read uses KVM switches at desktops to access from one
keyboard, one mouse, one monitor, to be able to access BOTH systems (2 computers
or 2 dumb terminals) easily, and one you know is safe (if it does not touch the
internet then it can be safe... also, no floppy drive, no cdrom drive, no usb
ports, serial port disabled, etc...)! Sorry- I don't have the link to the
article handy or remember where I read it.

First rule of Computer Security is: DON'T GET A COMPUTER.
Second rule is: If you gotta have one, don't turn it on!

Have done the same as the CIA it seems, for years before I read this article
written about the CIA! Have other things have done as well, but that is
currently prior art and is one reason why everyone should reject the US Senate
bill proposed by Sen Hatch and Sen Leahy to change the patent system to one
where you gotta register your ideas in a FIRST TO FILE PATENT system (their
proposal is to do away with first to invent, and destroy trade secret 1st
invented with a requirement that to avoid being second you gotta file if you are
doing something as if you don't your idea you have been using for decades (in
house) could be FILED as an invention by someone else and they would have rights
to deny your use as an infringer on your idea if you were the first to invent
but due to security reasons did not want to FILE a PATENT.

Ben Franklin, an inventor, and party to the start of the country and most
likely a father to its patent system (like fellow inventor Thomas Jefferson)
... well, all these fathers of the country, for some reason, that COULD BE SEEN
AS INTENT, wanted first to invent to rule, not first to patent. If first to
file becomes law then every little idea will have to be filed with the patent
system JUST TO USE IT YOURSELF...! How is one to require invention minded
disabled folks who might not be able to read, to be NOT discriminated against
with such a system? Such a system benefits only large companies with patent
filing legal staffs. The little company, that modifies a machine to do this or
that 50 times over until they get it right will not be able to afford the labor
cost of swamping the USPTO with every little documentation of a weld here or a
cutting torch modification there... ! I don't think a lawyer could understand
that as they can move words around and get courts in different jurisdictions to
jump thru hoops with ease it seems.... WELL, working folks who are just
figuring stuff out as they go will not be able to keep up... when that happens
you have an INDUSTRIAL, LAWYER employed, FEUDAL SYSTEM that does not favor those
that have not the means, the money, the time, the will, the health, or the
desire, to play in the Patent game. Just say NO to Sen Hatchet and Sen
Leahy's FIRST TO FILE bill in the Senate, and leave prior art and the historical
and intended by our founding fathers' FIRST TO INVENT alone!

If gotta run Windows for an application needed, it runs on a network that never
sees the internet (plus can run on Windows side with Windows Terminal Services
or Citrix and ICA protocol, but still nothing never goes on the internet,
because it is still Windows)!

Everything else runs on LINUX, and when can use various Linux based terminal
server technologies and users never get a chance to get close to being root, the
only access to that is from more secured admin location (LTSP and NoMachine, or
FreeNX, are samples of terminal services for LINUX technologies)!

USE DUMB TERMINALS EVERYWHERE (RDP, ICA, LTSP, etc) as dumb terminals don't have
local hard disk drives (so no problem taking a good part of a day to fix HD
crashes), no Floppy drives, no CDROM drives, and no usable USB ports for
introduction of files that way to any system.

Have been experimenting with Flash Drive as regular Hard Disk replacements that
do ECC and Wearleveling with FLASH. AND when I posted a question about this
somewhere on Groklaw or elsewhere someone responded that if someone were to do
this and run a regular OS on it that the Flash would last only 2 hours (well,
this has been running for a few months since then and is still running), I am
waiting still for his prediction of failure to ring true (but the MTBF for such
ECC and Wear leveling drives as rated in white papers by their manufacturing
folks is well over 10 years up to 1,000,000 hours of use)! Fast LAN is key for
running applications over the LAN to such machines with Flash drives in a FAT
CLIENT scenario where someone needs to do graphics (and thin clients too).

Hey folks, so far, small FLASH (ECC and wearleveling) drive and a very fast
network seem to be fine for IF YOU GOTTA RUN some more graphical local apps that
maybe your THIN CLIENT will not support. Hey, this flash can even do thin
client local bit map cache duties just fine as well!


Software Patents and Business Method Patents should die and be banished from
existence for the betterment of all mankind.


How does your company keep employees from loading apps on their PCs?
Authored by: belad on Tuesday, August 22 2006 @ 01:25 PM EDT
The company I currently work for allows any software you want as long as it
comes from a qualified vendor (M$).

The company I used to work for had two night-time IT employees whose only
function was to check every PC in the company each night for unapproved
software. If they found any, they would reload your computer and document it. If
you had more than two documented infractions, you were either dismissed or you
had your PC taken away, a really draconian policy.


How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Tuesday, August 22 2006 @ 01:28 PM EDT
On Linux: no can do. Most software uses 'tar' for its installer and can live
anywhere. You take it out of /usr/bin; they put it back in ~/bin or run it off
a USB pen drive.

On Windows: we mostly don't. Some of our Windows boxes have a specific policy
to prevent running the installer for a certain P2P application that's infamous
for installing bucketloads of spyware. That's about it. We fight unwanted
apps mostly by wiping the affected machine and pouring in a standard image to
repair it. Users must take with them any files they value; they can't rely on
finding them where they left them on the workstation.

We also run a metering application (KeyServer) that monitors application
launches and can tell us what is being run and let us set specific things
not-runnable. But that's a neverending game of catch-up and we don't often take
that route.


How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Tuesday, August 22 2006 @ 01:29 PM EDT
We use a two-tier system.
Level 1. Corporate LAN PCs, running WinXP, Virus scanners, standard Company
software loads. These use Company licenses for MS Word, Autocad, PVCS, and other
software that the company pays for. These PC's can see the global internet. Most
users are not admins, so what they can load is filtered. (IT Controlled). A
Corporate scan program runs now and then and if the scan finds non-approved
software, IT generates a List and your Boss comes looking for you.

Level 2. Engineering computers. These can run anything, including linux, Qnix,
WinNT.... These are used by the Engineers to simulate customer installations.
These are on an Engineering network that is visible to (some) computers at level
1, but have NO access to the global internet. Engineers can load anything they
wish. Viruses are quickly noted and peer pressure and Red-faced Bosses take care
of that.

This basically separates the users into sheep and geeks. You can tell sheep what
to do, and they will (mostly) follow. Tell a geek not to, and she quickly
figures out how to bypass whatever controls you have. The Geeks get to play with
and use the latest cool stuff and the sheep are just as happy.


I don't think it's really possible to lock down Linux
Authored by: Anonymous on Tuesday, August 22 2006 @ 01:30 PM EDT
What you can do to Linux is, you can (and probably should) keep people from
installing stuff into the main directories, where other people can use it. But
you can't keep them from installing stuff into their own areas.

To prevent them from running anything unauthorized, you would have to:
- not let them save e-mail attachments, or else not let them chmod their own
files (which would prevent them from creating shell scripts)
- not let them copy or execute files from CDs or floppies
- not let them compile source code (or not let them save text files from the
net, CD, or floppy).

Yes, you could lock down the system this tight - but you want them to actually
be able to do some work, right?

The other possible way to do this would be with really strict quotas on the user
accounts, so that they simply would not have space to install anything (much).
But this also makes it harder to use for real work.

So much as I hate to disagree with PJ, I don't think you can lock Linux down in
the real world. Not if you want your employees to be able to do anything.

But what you can do on Linux, fairly easily, is make sure that an employee who
does something dumb (or malicious) can't hurt other people on the same machine.

MSS2


How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Tuesday, August 22 2006 @ 01:37 PM EDT
I am a seasonal employee for a national tax preparation firm. I am not
authorized to represent the company, but neither am I forbidden to talk about
the company.

Every tax professional works at a Windows based PC workstation. Company policy
disallows loading or off-loading any software or data to or from a company
computer. I have never seen anyone bring in a laptop. If they did, company
policy disallows them from connecting it to the office network or using it at
the office. Most computers have no floppy or USB connectors, although some do.
All PCs are hooked up to a local to office internal network, used primarily for
print services. One or two special "servers" can communicate outside
the office. These are used to download updates to the company-provided tax
preparation related programs and to upload client tax data to remote company
servers. I have never seen nor heard of anyone trying to violate the company's
policy in regards to no loading of software and/or no offloading of company
software or data.


How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Tuesday, August 22 2006 @ 01:38 PM EDT
Simple. Trust.

The company (very large) I work for gives employees machines and a base image
that is loaded on that machine (typically Windows, but Linux is becoming more
and more used). You have administrative rights to your own machine, meaning you
can install anything from anywhere. The company provides firewall and
anti-virus software in their base image, and provides a security tool that runs
in the background to make sure that you are running your firewall and anti-virus
tools. This security tool also makes sure that your email databases are
encrypted (so anything that gets sent by some rogue's unknown worm or virus is
not useful on the receiving end). There are also processes that push out
updates to software (like the Windoze security patches). Support of
applications is done simply, the company will support applications that they
provide within their environment for installation. Anything else you install,
you are on your own.

Of course there are administrative policies about abiding by EULAs and such as
well.

While that may not sound like "trust" to some, I really think it is.
I am responsible for my own machine. If I break a EULA, install malware, view
porn sites, etc. it is my butt on the line. I would not say that is
"fear" like others have, but dismissal is always an option of an
employer. They are paying you for your time.


IT Policy, Active Directory 2003 GPO over a given group, and SMS based updating
Authored by: Anonymous on Tuesday, August 22 2006 @ 01:50 PM EDT
Yeah, I think the title says it all.

Use GPOs to modify which users are allowed to install software.

IT AUP and Security policy to modify the appropriate allowed applications and
the circumstances under which we are allowed to install new ones.

Use SMS 2003 to manage and deploy updates to approved and supported
applications.

---
Clocks
"Ita erat quando hic adveni."


How does your company keep employees from loading apps on their PCs?
Authored by: The_Pirate on Tuesday, August 22 2006 @ 01:51 PM EDT
Hm. It's a bit mixed.

I work in a place that used to have 175 employees - heavy layoffs now.

There are several approaches.

The Linux desktop boxes are simple: Do what you like. You can only ruin your own
directory. And there is a /home/username size limit.

Test boxes run without web browser, FTP and mail clients etc. There is only a
SSH client, that only the maintainer has access to. So you can't really do
something naughty with those machines.

The WinCans are worse.

The laptops of the salespeople are the worst: they do strange things, when bored
in hotels... So, there is a firewall against the laptops when they hook them on
our net. Extensive virus/malware scanning. And regular threats that they will be
the subject of our BOFH's anger, if they download ANYTHING!

The rest of the WinCans are not so bad: The company policy is
"Don't", but if something is badly needed (like my latest Linux
distro), the BOFH and PFY will check the website in question, make sure the
stuff is kosher, download and hand it over.
Most people respect the workload of our IT people and stick to the rules: those
who don't get a severe telling off from their co-workers. We have a
well-functioning system, why let a few id=10T's ruin it?

To back up against accidents, there is an individual 'Ghost' image of all the
WinCans. If one breaks down, the harddisk is wiped or scrapped, and the image is
transferred. This way it's rare to have a box down for more than half an hour.

We do not have any Macs in the house, but they would probably be treated
roughly like the Linux boxes.

So far, nearly all the trouble is with the WinCans - which is about 4 of 5 boxes
now - and of those, nearly all the trouble is from the salesmen's laptops.


My experiences
Authored by: Anonymous on Tuesday, August 22 2006 @ 01:53 PM EDT
Hi Groklawers,

While I am fairly new to the work force I thought I would write down my
experience.

Case 1:

The first I would describe is a managed windows network. Large with a few
hundred users. It is windows XP only environment with three tiers of support.
Machines are "rented" from a central IT organisation by each
department.

The three tiers are as follows: managed client a minimum of Microsoft office
components. A pro managed client with more office and added utilities, some
in house software. And a managed client which allows one to install software,
this is more expensive for the department running into 1500 euros a year for
support.

However, some software that requires some more privileges cannot be
installed on this "install yourself" version and when this happens
central IT
will not assist.

In this system there is one full time IT member of staff per 25-27 members of
staff.

The system uses windows roaming profiles which allow us to log in on any
system with the same results except for the installed applications which are
hard disk dependant.

Case 2:

My second experience is with a much smaller linux deployment. It started as
a small company four years ago and at that time we made the conscious
decision to utilise linux. At first it was red hat (v7, I believe) but later we
moved to Debian. This system has run for four years with only one outage (a RAID
card failure) and has operated at all other times with remarkable resilience.

Software is normally installed once a week on the day that our part time sys
admin is at work. This is software believed to be of general use to the wider
user population.

We use KDE 3.+ and desktops are completely personalised. Themes, layout,
background, it is all very personal. The screen saver is centrally administered
and is a slide show of our logo as well as press photos.

If a user wishes to install software for themselves this is possible but much
more limited. But to be honest, besides the aMSN client there does not seem
to be much demand for this and when required is actually quite simple.

The benefit of the Linux system is that if a user does install a piece of
software on his own account that is mis-behaving it is extremely easy for our
support to fix this without damaging work files.

The added benefit is that all systems are equal. Of the 43 computers at this
place I can log in on any single system with the same results. I can even log in
on the same computer as some one else to quickly compare some work. And
unlike the roaming profiles all my personal applications work on any of the
machines.

Case 3:

The third experience as an intern. This is a strange company as it is a
research institute. Software development is a large part of the work here and
else it is biological database curation / maintenance.

Here there are three choices. System Windows 2000, System Linux CentOS, or
your own thing. When you choose for your own thing you get no support at
all.

Windows 2000 does not allow any software to be installed by the user.
However, admin accounts are available on many of these machines on request
to install software but to make sure that you don't actually use these accounts
to work they somehow limit you to 8 hours a week on this account. Normally
more than enough as these machines arrive well provisioned by IT with a wide
variety of Software needed to do the job.

The Linux CentOS, is actually the most widely used of the systems. Software
is installed by systems but one can install software on the local machines /
scratch. As these systems come with such a wide variety of software few
requests are made. As CentOS has the enterprise software upgrade cycle the
most common request is for early upgrades to new Gnome or KDE versions.

This scratch location is used by the developers but no one else. I can't
remember questions from people wishing to install anything. Quake 3 is
actually installed on these machines, and if you hand in a legal copy of the
disk to systems they will allow your account to access this between 12 and
13:00 and after 18:00 before 7:00.

If you go the self admin route you can install whatever has your fancy, but
you clean up the mess of your own mistakes and this is too time consuming
for anybody but interns ;)

Summary

Case 1: Central IT decides or you pay extra and then you are location bound.
Case 2: Sys admin implements depending on demand else install into home
directory.
Case 3: Mix of case 1 & 2 with self admin machines.

I hope this is legible and is useful.


How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Tuesday, August 22 2006 @ 01:54 PM EDT
I am the only full-time IT employee at a Third-Party Administrator of health
insurance in the Midwest employing about 70 people. That makes me a very busy
person. At one time, this was a significant problem for the company, but
administrative policies and procedures for desktop users, proper selection of
server technologies, and ongoing user training have resulted in two years of
almost no major problems.

The policies are very simple. No unauthorized software is allowed to be
installed on company computers. If such software is found, it is removed
without discussion. If it was the cause of a malfunction, security violation,
or virus incident, it is removed, and the individual is referred to their manager
with a description of the impact on productivity, and the situation is treated
as we would any other willful act that resulted in lost time for the company.

By handling things in this manner, the user is able to see exactly why it is a
problem. When I'm dealing with issues they create, I'm unable to put that effort
into resolving real business problems. We may be in a unique situation, but I
find that our employees take their jobs seriously, and there is a mutual respect
between the employees and the company, as well as respect between myself and my
users. It seems that the understanding and respect of the users is more
powerful than overblown, strict policies or obtrusive, complicated technology.

I do consulting work for a few businesses employing under a dozen people, and
the same policies and procedure have done well for them. I've also seen it work
before in other small businesses where I've worked and, although I'm sure it won't
work in bigger organizations, it does seem to be effective in organizations with
less than 150 users.


This obscured, temporary e-mail address can be used to respond. It will be
available for about a month.

glresp at systuff dot com

Charles Bushong


How does your company keep employees from loading apps on their PCs?
Authored by: NemesisNL on Tuesday, August 22 2006 @ 01:56 PM EDT
Basically nobody can install software. There are some exceptions of course. In
my department (ict) some, like me, have administrator rights for their own pc's.
I am a developer so I regularly hunt the internet for new software. If I find
something I ask our system administrator to download it and he puts it on a
network disk I can access so I can install it. I can also download stuff at home
and take it in to work on a USB stick. I then upload it to the network disk so
all software is kept in one place making it easier to keep track of licence
issues. We work on a good faith basis meaning we share responsibility with the
system administrator to keep hacked software from our systems.

Since we work with windows we reinstall every 6 months or so, so keeping all
software in one place is good practice for all of us and makes life easier on
all of us.


How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Tuesday, August 22 2006 @ 01:58 PM EDT
This is an excellent question to ask on slashdot.


How does your company keep employees from loading apps on their PCs?
Authored by: FamilyManFirst on Tuesday, August 22 2006 @ 02:01 PM EDT
We're a small company of about 150 users or so. It's an all-Windows XP shop at the front end. We use a mix of methods 1 and 3 with a twist.

We have one or two mission-critical apps that won't run without local admin privileges so users have that level of control. However, we pay for Ghost Enterprise for the company and we have made it clear that anything local is subject to loss. If it takes longer than 15 - 30 minutes to try and solve a local workstation problem we stop and re-image the workstation. Of course, once we've done that, all user-installed apps, and any local user data, disappear. We do run Roaming Profiles so that some user settings are kept, but even those are subject to erasure and return to default if they get corrupted.

After a user has their apps and settings wiped a time or two they mostly get tired of re-installing and quit. For those few who don't, we revert to method 1: we deal with it.


How does your company keep employees from loading apps on their PCs?
Authored by: hdw on Tuesday, August 22 2006 @ 02:14 PM EDT
1. Company policies forbid installations not OK'd by IT.
2. All workstations are preloaded with our base build
3. Extra packs with software are installed on demand, after being cleared by
line manager, and logged (so when user X's machine is rebuilt it gets what it
had).
4. All machines are scanned for patch status, virus def status and installed
software every 24 hours. Odd results are mailed to IT.

We have gone over the policy with every user, explaining the carnage that can
occur if someone installs malware inside the firewalls.
We've also made it clear that breaking that policy can rank from stupid to
sabotage and the result can be anything from being giggled at to fired and sued.

It works, but only because:
1. we really implement the policy
2. we have easy routines for anyone who needs an OK for a piece of software or
needs to access a blocked site.

And forget about external drives.
Connecting any form of non company equipment to a company computer is regarded
as sabotage.
(All cellphones and pdas are company issued or granted on individual basis).

Connecting company PC to a non-company net is the same.
(Home and travel workstations have special firewall and VPN software
installed).

And of course, connecting a non-company PC to the company LAN is equal to
industrial spionage.

"policy"
Authored by: Anonymous on Tuesday, August 22 2006 @ 02:15 PM EDT
Theoretically, with us, control is via firm policy. In practice, it is almost never enforced. We run Windows exclusively, and nothing prevents staff from downloading & installing apps from anywhere.

In my case, it means I download & install "non-approved" FOSS tools that keep me productive: Firefox (a web browser with tabs, vs. IE 6, no contest!), GIMP & Inkscape (I work in the intellectual property division of a largeish law firm, and occasionally I'm called on to clean up drawings for patent applications), Vim, and so forth. Unfortunately, it also means that the blinking 12:00 users around me run tons of malware/spyware from all the wonderful screensavers they're always downloading.

How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Tuesday, August 22 2006 @ 02:16 PM EDT
Closer to [2] than anything else, I guess.

I'm in software, and the companies I've worked for have to be a bit more
liberal about such things, I guess. Certainly my computers were never locked
down in any realistic sense. Company current-2 was largely a Windows shop,
but I ran Linux/Solaris/MacOS, and only Windows because the only VPN client
available was for Windows. Since then I've been a Windows-free zone and to
a large extent the question is moot.

I don't actually know what the official policy is at my current employer. In
practice, you can run whatever you need to run to get the job done. If
someone were to introduce a virus or something into the local net, there
would be consequences; depending on the degree of culpability, it might
range from a public shaming, to being held over the side of the roof by one
little toe.

How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Tuesday, August 22 2006 @ 02:18 PM EDT
I guess a combination of 3 and 5.
In the Windows world, everyone is an ordinary user; in other words, the user accounts created in the PC domain are non-administrative types. In the Unix domain only sysadmins have access to root accounts; everyone else is a standard user.
There are of course exceptions to these general rules: application development and technical staff are allowed root/administrative accounts on their local workstations if they can provide a sufficient business reason and demonstrate an appropriate level of competence.
As far as hosing your workstation is concerned, a backup system takes care that your work is backed off to tape on a daily basis, so if your machine goes belly up nothing of paramount importance is lost permanently, and if you do find yourself in the embarrassing position of having to admit that you've made a small "faux pas" your machine is then reloaded with a bog standard o/s load, which means that all your carefully selected "pet" apps like say Firefox or perhaps Ethereal have to be re-installed - by you! This is normally sufficient reason for you to think carefully about what you get up to on your w/s.
The only time I got into trouble (a little unfairly I thought!) was when I left "John The Ripper" running on my workstation trying to crack a passwd file because the sysadmin had gone on holiday and not seen fit to leave the server password list in the firesafe! - the turkey!

CPW

Emphasis on training, support, and not having admin rights
Authored by: hardmath on Tuesday, August 22 2006 @ 02:29 PM EDT

I guess my short answer is mainly administrative policy (you can get fired for
violating it, though it focuses on security as the key goal) and MS technology
(in the narrow sense of not giving users Administrator role on their desktops
and limiting registry edits through system policies enforced at the network).

There is annual required computer security training for all staff, in the form
of online tutorials. If you can install an app yourself, it's fine (assuming no
harm), but you are equally on your own for support. If you request support for
an application, unless there's a cost involved (which means a certain amount of
paperwork and authorization), you generally get it promptly from the tech
support folks.

Among the developers it has to be pretty common to install software applications
yourself, e.g. code editors and in-house applications.

regards, hm


---
Please be honest with us as trust is our watchword in this transaction. (a
Senior Credit Officer, sharing vast sums of money owed to a deceased client)

Citrix, thin clients and separate internet
Authored by: Anonymous on Tuesday, August 22 2006 @ 02:33 PM EDT
I work in a government branch in Norway. We've got about 6000 employees, every one using a Citrix client. Hard to install apps there.

The internal network is isolated from the Internet. Even people with laptops or developer PCs have no way of downloading screen savers and MS malware. IT professionals who need to access Internet sites have separate computers connected to a separate network. So, if anyone catches anything, we only need to install a new image on the PC.

"Paper pushers" browse the net through a Citrix gateway.

Hope this was a bit helpful, though sorry, no Linux as of yet, PJ!

How does your company keep employees from loading apps on their PCs?
Authored by: cventers on Tuesday, August 22 2006 @ 02:34 PM EDT
Our company does not restrict what applications users can
install. It's around 20 people so it tends to work out
fairly well. We in Engineering are Linux users, the test
group is Windows, and most of the execs use Macs.

One thing I would like to suggest as an open-source
solution to software management is the K Desktop
Environment's "kiosk" mode. I confess that I've never used
it, but I have heard many good things about it. Here's an
article that talks about it some:

http://www.linuxjournal.com/article/7718

We charge them when it goes wrong
Authored by: Anonymous on Tuesday, August 22 2006 @ 02:37 PM EDT
I work in Local Government in the UK. All PCs we support are covered by an SLA
and Computer Use Policy. If we have a problem reported with a PC and it's
caused by software installed by the user without our permission we charge the
user for the callout, usually between £200 and £500 and send the bill to their
boss. It usually stops them doing it again.

Our Software Controls
Authored by: rsteinmetz70112 on Tuesday, August 22 2006 @ 02:45 PM EDT
This applies to all software, including Free. We are concerned about having a
consistent environment and being able to exchange information freely within the
Office.

1) We don't allow most employees administrator access.
2) We have a list of approved/standard applications.
3) We require any new applications be cleared first.
4) We remove without warning any violations.
5) We execute the violators.

---
Rsteinmetz - IANAL therefore my opinions are illegal.

"I could be wrong now, but I don't think so."
Randy Newman - The Title Theme from Monk

With Linux and UNIX-like systems, it doesn't matter so much
Authored by: Anonymous on Tuesday, August 22 2006 @ 02:47 PM EDT
If you have your machines set up with a separate account for each user, and you
don't give the users the root (superuser/administrator) password, then:

Users *can* load software of their own onto the company machines -- but the
software can basically only affect the user's own account. The user is in a
sort of "sandbox", where the worst he can do is to screw himself up.
Want to remove the unwanted software? Just clean out the person's account.

Contrast Windows.

We encourage employees installing applications
Authored by: Anonymous on Tuesday, August 22 2006 @ 03:02 PM EDT
We encourage employees to install apps on their PCs.

Within Engineering, we have three places where we encourage employees installing applications.

  • Under their home directories (/home/[username]) people are welcome to install whatever they want. This automounted directory is visible regardless of which computer they log in to. Obviously no other user has write access there; so if someone messes up their environment that way, it only hurts themselves.
  • Each department has a directory as well (/home/[departmentname]) and it's up to the department policy whether all users in the department or just selected ones have write access to that directory. Most users' PATH is set to have "/home/[username]/bin:/home/[department]/bin" before the standard parts of the path. That way a department can install specific versions of software that they may need.
  • Windows PCs. People who have these have admin access (because otherwise the darn things are mostly useless) and can install what they need on them. Of course these machines do not have a lot of access to the rest of our servers (you can scp to and from them; but they're effectively firewalled off on their own subnet). The extent that we support them is that we'll wipe the image if they get messed up.
Outside of those places, software's pretty much locked down - the servers are running Debian stable (yes, stable - if you need newer, you install it under your department's space) - the desktops are Red Hat but probably moving to Ubuntu.

Outside of engineering, the non-engineering people have Windows machines without admin access and just the apps they need installed. If one of those gets hosed (not often, since without admin access they can't do much but run selected apps), again, we just wipe the image and replace it.

How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Tuesday, August 22 2006 @ 03:06 PM EDT
We use GNU/Linux on desktops; we don't care what apps get installed by users because we don't worry about having to license the software. If you think it might benefit you and it's freely available, run it in your home directory or contact a systems admin to install it. Most of the company is composed of scientists and software engineers. What they install is usually up to the user. We don't hire children and won't babysit. We could care less if you're seen playing solitaire while eating your lunch. You have a job to do. If you don't perform well, adios. It's as simple as that, and that is why people almost never leave. Morale is high.

Most people never install anything ever. A Linux distro (Fedora) is pretty full. We do add the repository for gstreamer-plugin-mp3 and will enable it only if asked for. P2P apps are blocked by the network, but you're free to rip your own CDs and listen to music while you work. We don't check your browser cache or monitor your online activities. As long as you're professional you aren't monitored. Maybe one in twenty will install Google Earth or some SuperKaramba widget.

We have licensed CodeWeavers and install plugins to browsers, and the system admins control what proprietary apps get installed; the norm is MS Project, MathCad and Illustrator. We control this by user permissions: the software is located in a read/execute area and cannot be written to by users. The system admins keep an audit of what is installed on which machines and we ensure that proprietary apps all have the correct licenses. We also have many employees with Apple & some Linux laptops owned by the company. We set them up and do an initial audit and install needed apps, but after that they become the responsibility of the user. They take them home and use them like any personal property. When returned, they get wiped clean and reissued.

In addition we have a few Windows XP desktops in our admin/accounting dept. Those are audited quarterly but only to verify license compliance issues and ensure that users are using MS Update and have current virus definitions. The user is responsible for keeping their machine updated and help / instruction is always readily available. We are extremely liberal; if you really believe you need a $5k software app (IDL licenses or specialized science/accounting software etc.) you'll most likely get it.

I am one of the systems administrators part-time, as we don't need a full time systems admin, so we have two part time admins. I also do database administration and develop online simulation software and science data management apps. It's the best job I've ever had, hands down.

I used to be a software developer for Computer Sciences Corp., which had the most draconian policies possible, mandated Windows on desktops even though the apps developed ran on Solaris or Irix, which meant 2 computers on your desk. They monitored everything; they also had a huge personnel turnover. This was wholly due to management trust issues. This high turnover rate caused them millions in business. They couldn't maintain the expertise needed to fill the contract and lost it. They spent more on software licenses a month than we have in 5 years and were completely shut down by viruses at least 3 times in the 1 1/2 years I worked for them. The department was only about four times larger yet they had 8 full time administrators, 4 Windows, 4 for Unix. And two full-time security people! They also had a huge problem with spyware/malware. So much for the effectiveness of monitoring! We haven't experienced one crippling virus in the 6 years I have worked here. In any operating system, we have had a couple of isolated issues on one or two Windows machines. But nothing that shut down all operations like my previous employer. Empowering users to be actively involved in security is the smartest move any organisation can make. It takes initial hand holding and a lot of communication but the outcome is well worth the effort.

tone and content is way down on the norm for Groklaw :(
Authored by: Anonymous on Tuesday, August 22 2006 @ 03:06 PM EDT
Wow... a few good well reasoned posts...
but the tone and content is way down on the norm for Groklaw :(

I believe that one reason for this could be that most people who could make a valid
contribution are barred by their employment contract from commenting.

We respect our workers
Authored by: Anonymous on Tuesday, August 22 2006 @ 03:08 PM EDT
At my workplace we have Linux servers and Windows XP workstations. Windowsen are protected by individual antivirus and a firewall in the gateway; the Windowsen are to be upgraded to Linux rather than Vista, basically eliminating the need to tune the PC security after initial install. I do not restrict the users much because of:
1. Motivation suffers if the users feel too restricted. You should trust that your employees do not seek harm. Remember the presumption of innocence? Malicious users are to be detected rather than presumed by the sysadmin.
2. The days of slavery are over, you cannot expect people to work all day. If people can relax once in a while using the software of their choice, they are more satisfied with their jobs, increasing productivity. If you deny them the relaxation, they will spend more time doin' nothin' feelin' dull.
3. Regardless of the policies on PCs, the network has to be secured & backed up from both inside and outside attacks. If a user compromises his computer, only he will suffer from it. If someone/something is to attack you from inside, the restrictions on the Windows PC aren't going to help squat. Any attempt to compromise the network will have to be detected and dealt with by the admin anyway.
4. Malicious software that gets to the PC through firewall, antivirus and the alternative web browser / mailer / office suite is rare enough. You can fix these problems with ease, using clone images from the server. After all, everything important is on the server and also backed up periodically.
5. If the user really wants to install something, he/she will. You would be amazed by the genius of the dumbuser. If the program will not function satisfactorily, he/she will be annoyed with you, decreasing productivity.
6. If every action requires the admin password, you need more admins running around doing stuff everybody is able to handle.
7. Restricting the environment too much will also cause problems to all rather than only user-installed programs, requiring more support.

How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Tuesday, August 22 2006 @ 03:11 PM EDT
I volunteered for a small library who received a Bill and Melinda Gates grant of hardware and software. The PCs came from Gateway and were protected by a hardware locking device called CenturionGuard from Centurion Technologies. We also used a software program called Driveshield from the same company for existing computers. Both programs wrote all hard drive changes to a temporary space that was wiped out on reboot. I don't know how this would work if you needed to save files or if you could write to certain drives if needed, etc.

How does your company keep employees from loading apps on their PCs?
Authored by: Sunny Penguin on Tuesday, August 22 2006 @ 03:25 PM EDT
Users can install to local PC as Admin.
There is a list of banned applications.

Do not install the banned applications or receive a pink box to put your things
into when you leave.

Then again: I work at helpdesk and need to test software packages daily.

---
"Numerical superiority is of no consequence. In battle, victory will go to the
best tactician."
~ George Custer (1839-1876)

How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Tuesday, August 22 2006 @ 03:27 PM EDT
Don't bother posting about spelling errors, there's tons. :)

I'm the Network Manager at a public library in Indiana (I'm a computer guy, not
a library guy pressed into service). We have one location (no branches),
approx. 115 PCs, 8 servers, 1 mainframe. Servers are a mix of WinServer2k, 2k3,
Fedora, RH9 (still), and HP Unix. Desktops have Win2k, XP, and Fedora.
85% staff are very PC illiterate, and can do just enough to do their jobs and
screw things up (you know, normal users).
Interestingly, out of 46 employees, only 9 are men, and most of the rest are
women over 40 (not uncommon in this field).

As for staff, we control install through a mix of policy and tech. Policy:
Staff may install software beyond standard install only with explicit permission
from the network manager (me) under penalty of having it removed, their system
locked down completely, speakers taken away, and formal disciplinary action.
This includes all media players, most browser plugins, drivers, and stand alone
software. Staff are REQUIRED to use Firefox only. IE is allowed ONLY with
network manager approval, and ONLY because of website functionality loss. Even
then the site is first evaluated for risks and actual work related use (sorry,
no pogo.com).
Tech: We use Windows' Active Directory Group Policy for some controls (ex.
rolls out win and other software updates daily for all win systems in the
building while restricting specific services [Messenger, etc.] from being
started/stopped)
We also use permissions at server and desktop level to restrict access to most
software, ex. all staff are no greater than power user, which can stop software
installs and plugins.
These usually work pretty well.

The big issue we have, however, is not staff, but the 48 publicly available PCs
in the building. Only 20 of those are allowed Internet access for the public,
and are considered the most critical to have locked down and secure in the
entire building besides our servers.
When they were win boxes we were doing weekly maintenance of at least 6hrs and
at least 2 were down at any given time due to software issues alone (virus,
malware, rogue installed programs, etc.).
We replaced them all with Fedora through a company called Userful.com. I spend
(maybe) 10 min. a week dealing with them with almost no down time. The only
issues we have are hardware because of overuse. The public transitioned to
OOo.org and Epiphany in two days with no issues (except website compatibility,
but the public is understanding about developers not following standards, those
MSFP morons...).
The others are Win2k boxes/laptops with heavy group policy lockdowns, no HDD
access (rwe), no Internet access, and program run restrictions. I read a post
earlier, and yes, you can lock windows down w/GP to the point they can only run
specific executables. Time consuming, but definitely possible.
You can also (mostly) prevent iexplore.exe and wmplayer.exe from running. For
when they can get a browser on those PCs, we have backup security through
Websense running "no Internet allowed" on those PCs based on station
login profiles.
BTW, patrons are also restricted from installing ANY software on ANY PC by
profile policy, or they are suspended from the library. Repeat offenses can
incur 1-month to lifetime banning from the library. Legal action is also
possible for all staff or public depending on severity of offense.

For questions or other, I'll keep checking my post, and I'm also at
groklibrarytech@warsawlibrary.org
(I'll shutdown the email address in about a week.)

PS: PJ (and everyone else), you rock, I've been following since the beginning
and appreciate what you've done for all of us.

Community College in Florida: What we use.
Authored by: coffeelover on Tuesday, August 22 2006 @ 03:31 PM EDT
I have used a program called DeepFreeze with very good results at several
sites. The college I work at only has a couple of labs protected with this due
to incompatibilities with our main solution. Most of the campus labs and remote
sites (1000+ PCs) use a newer solution from www.persystent.com ... this is used
for both deploying (ghost like) and protection. Latest version is 4.0 and has
been working better since we deployed last spring. The students have full access
to the PC (windows), when it's rebooted, it is automatically repaired/reset back
and all changes/additions are undone.

Our faculty have full access to their desktops with nothing to protect them so
we get to reimage them when spyware removal efforts fail ... not a lot of fun
either!
-Patrick-

Limit admin rights and block executable downloads
Authored by: Anonymous on Tuesday, August 22 2006 @ 03:37 PM EDT
We have around 30 win2k or xp clients and 2 win2003
servers. Users don't have admin rights on their desktops
which limits what can be installed. More importantly, all
internet access is through a linux firewall running a
squid proxy server. The proxy server blocks all
executable file types, including exe, pif, scr (even zip,
just in case) from being downloaded.

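As an added illustration, not the poster's own configuration, here is how an extension block of that kind is expressed in squid.conf, extended with a check on the Content-Type of the reply, since matching the request path alone does not see what the server actually returns. The ACL names and the internal network range are assumptions.

```conf
# Added example, not the poster's squid.conf. Assumed internal client range.
acl localnet src 192.168.1.0/24

# What the post describes: refuse requests whose path ends in an executable
# extension (exe, pif, scr) or zip. Case-insensitive match on the URL path.
acl exec_ext urlpath_regex -i \.(exe|pif|scr|zip)$

# Response-side check: also refuse replies by the Content-Type the origin
# server sends, regardless of the file name in the URL. Each line extends
# the same ACL. application/octet-stream is included as a trade-off: it
# catches unlabelled binaries but will also stop some legitimate downloads.
acl exec_mime rep_mime_type -i ^application/x-msdownload
acl exec_mime rep_mime_type -i ^application/x-msdos-program
acl exec_mime rep_mime_type -i ^application/zip
acl exec_mime rep_mime_type -i ^application/octet-stream

# http_access rules are evaluated in order at request time, so the deny
# must come before the allow for the internal network.
http_access deny exec_ext
http_access allow localnet
http_access deny all

# http_reply_access is evaluated on the reply headers after the fetch.
http_reply_access deny exec_mime
http_reply_access allow all
```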

How does your company keep employees from loading apps on their PCs?
Authored by: BsAtHome on Tuesday, August 22 2006 @ 03:57 PM EDT
By being a BOFH and using indoctrination. I've "educated" the users
that I have no pity for their woes if self-inflicted. They have a job and the
computers are only tools and not toys. It took making an example out of one's
misbehaviour and the whole department (70 employees) knew that it was wrong to
meddle with this stuff.


---
SCOop of the day

How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Tuesday, August 22 2006 @ 04:05 PM EDT
I'm not sure - some installers seem to work for me. Others don't. I have
installed quite a bit of free software to my 2nd partition of my hard drive -
emacs, Latex, bibtex, bibtex2html, bibutils etc just so I can do my job better.
Officially I'm not allowed to install software, yet my job description requires
that I seek better ways and the best tools to do my job. The time delay (and
expense) of getting software approved means I just do it anyway. Although
nothing I'm not sure of where it came from, that I haven't scanned and haven't
already tried at home.

Mostly number 1
Authored by: Mecha on Tuesday, August 22 2006 @ 04:16 PM EDT
A lot of the smaller companies that I have had to work with I was forced to allow
them to have Local Admin rights on their windows boxes and complete access to
the internet. Mainly because the owners/bosses didn't like to hear their
employees complain about the restrictions I put into place. I even worked at
one place where pornography was fine to look up and store on your hard drive. I
was able to put my foot down on allowing them to save it to a network share
however. Also, whenever they had an issue (i.e. running like crap), I always
blamed the apps (screen savers, hot bars, and weather watchers) they downloaded.
Eventually people (i.e. me) got a clue and quit doing that (i.e. left to do
another job that had the same lax rules as before!!!). All in all, it is a
hopeless situation if upper management will not stand behind network security
and job productivity because they don't want to upset their employees.

---
** This is my signature and I happen to like it **

How does your company keep employees from loading apps on their PCs?
Authored by: GuyllFyre on Tuesday, August 22 2006 @ 04:24 PM EDT
Good afternoon, I'm Sean Smith, IT Manager for Hometown Health Centers, a not
for profit health center in Schenectady, NY, USA. I currently am the only IT
person for this company as I have been brought in to create the IT department as
it's needed to serve the business goals.

We have a primary location and three remote sites connected via VPN WAN. I have
a total of about 120 users, 90 computers, seven servers, the fax machines and
fax server, and about 15 network print devices, some being
printer/copier/scanner devices, and the ShoreTel VoIP phone system to keep track
of (about 90 phones, three phone switches, two T1 switches, and a voicemail
server).

We have a Windows population. All of the servers are Server 2003 or Server 2000
and all of the workstations are Windows 2000 Professional or Windows XP
Professional. Limitations of the software the business is running prevent the
use of Linux as a workstation. My training and knowledge of Linux are also not
good enough to support it currently in my workplace.

The primary method I use to prevent users from installing software is to not
have anyone with access above a standard user account.

My PCs are duplicated with all of the standard applications with Symantec Ghost
Corporate Edition. If a user requires a particular application, I install it,
then switch to the user and check its operation. If it requires more access, I
assign permissions using NTFS permissions on the appropriate files and folders.

I protect them from viruses with Symantec Antivirus Enterprise 10.1, in addition
to Symantec for Exchange on the Exchange 2003 mail server.

I filter all of my incoming e-mail through a Barracuda Spam Firewall. This has
made a huge difference in our quality of life as it blocks 90% of the Spam,
requiring about 30 minutes a day total to administer quarantined items.

I deploy the Windows Updates using WSUS, the Antivirus updates are mostly
automatic using scheduled liveupdate to the local liveupdate primary server.

None of my servers and PCs are allowed on the public internet. Absolutely all
of them are kept behind the firewall on private IP address ranges and the NAT
rules and firewall access rules are set on the (non Windows) edge device(s) to
direct the packets where they need to go. I also use standard site blocking
rules to prevent access to particular domains and web sites. The firewall rules
do not allow PCs to access anything but certain ports out of the system required
for doing their work. Only the servers are allowed port 25 access and only a
certain couple.

To avoid problems with local printers, very few people are allowed to have them.
All printing is done via network printing from a Windows server and use
"Internet Printing" to give the users an easy way to add a printer to
their PC.

I know what I have done isn't perfect but I've made an effort to prevent
requiring that I give people full access to the computers. This, along with
group policies that redirect folders and logon scripts which assign network
shares, requires that the user have very little access to their PC to actually
be able to do their work.

A big advantage of this is ease of replacement. If a PC fails, the user only
needs to log on to the next one and set a printer and answer "OK" to
Outlook to get their e-mail, and their "My Documents" folder is
automatically redirected.

There's probably multitudes of other things I can do to also prevent further
access but I have found that since I implemented these practices, I have had no
more problems with viruses and spyware on the systems and users have everything
they need to do their jobs, more, actually.

-S

How does your company keep employees from loading apps on their PCs?
Authored by: lordshipmayhem on Tuesday, August 22 2006 @ 04:36 PM EDT
The company, to which I'm a very recent hire, is a smallish property manager
with between 30-40 users. It's a Windows-only and closed-source shop, which as
the accounting manager in charge of I.T. I intend to start changing over the
next year or so, if I can work around the accounting system (an
industry-standard commercial product that insists on using Windows on your
servers and on your desktop, and Internet Explorer's ActiveX).

All users beneath the level of Manager are not running as Administrator on their
machines. Presumably we can trust the manager level not to install stupid or
malicious software on their machines. There are no explicitly written policies
at the moment.

How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Tuesday, August 22 2006 @ 04:45 PM EDT
I work as an intern for a medium-sized embedded system developer. We have
Windows 2000 and Novell Linux Desktop 9 installed on our users' computers,
typically giving the engineers linux and the tech writers Windows.

Under Linux, we are pretty much trusted to do as we wish, with some limited
super-user access privileges as administration provides. Windows isn't allowed
to install anything.

I also attend a wireless university, supporting well over 3000 laptops running
Windows XP Pro. University policy permits installation of most applications,
though they are unsupported. In the case of maintenance required on the laptop,
bad programs are removed, or the computer gets re-imaged. Antivirus and policies
are automatically pushed onto computers on the domain (all laptops). Updates are
not supposedly controllable by the user. However, since they make every user
Computer Administrator, it is but a step to change the master Administrator
password and gain full access control to the machine. Although the domain will
eventually push the policies back onto any "compromised" machines.

Also, the laptops run a theft-protection software, which "calls home"
back to the University every so often. Should a laptop fail to "call
home", it is automatically called in for service at IT.

How does your company keep employees from loading apps on their PCs?
Authored by: RichardR on Tuesday, August 22 2006 @ 04:52 PM EDT
I manage several small networks (consisting of 6 - 14 desktops each), mostly in
studio buildings for groups of artists and the likes. Now this isn't really
anything like a corporate environment, but all the same, several desktop
machines are for common use, and that's where Linux (Mandriva) shows its true
power - much like other people have already explained:

- Only the sysadm (the root, i.e. usually me) can install applications. Other
users don't have the root password, so they can't install anything.
- Users have their own home directories on these machines, each of which is
inaccessible to other users.
- The home directories are stored on a noexec partition, so even tech-savvy
users can't execute anything other than what's installed on the machine.
- If someone really needs a new application, I can install and configure it over
the Internet, from halfway across the globe if need be, within minutes.
- Both Linux and most installed applications are automatically kept updated.

And because we're talking Linux here, viruses and other malware are no threat in
any practical sense. What little risk of hacker attacks there is, is mostly
taken care of by the noexec homedirs and the automatic updates. IOW: it's
virtually impossible to run anything on those machines except what was installed
by the root user.

The only drawback: I'm paid by the hour - and with each of those networks
requiring on average perhaps a few minutes of my attention per week, the money
isn't exactly rolling in - to the greater joy of the (poor) artists I mentioned
:-/

Richard Rasker

[ Reply to This | # ]

We vary Method 2.
Authored by: Anonymous on Tuesday, August 22 2006 @ 04:54 PM EDT
They can install what they want. If they break it, we fix it,
by re-imaging with the corporate install. They lose their
installs & anything that was saved only to local disk.
The second time it happens we don't move so fast,
and that machine goes to the bottom of the priority list.

Our security team tracks malware through the firewall;
internal machines can be individually blacklisted in seconds,
but usually a warning is sent to the user and local IT,
so the perpetrator knows their transgression has been observed.

[ Reply to This | # ]

FLOSS no Panacea
Authored by: darkonc on Tuesday, August 22 2006 @ 05:09 PM EDT
Having users running Linux or *BSD won't make this problem magically go away.

Unless you lock down what a user can do so tightly that (s)he is completely unable to execute arbitrary commands (i.e. no shell access, no access to commands that can run a command, and locking down things like Konqueror so that it can't execute stuff), you end up with a system that is just as open as Windows is to having random software installed -- in fact it may be even worse, because a user can always recompile FLOSS software so that it installs in his/her home directory, so there is no need for admin access.

One thing that you do get from moving to the likes of Linux is that most of the software is FLOSS itself, so you don't have to worry about license counts. FLOSS also means that you have access to the source code, so things like trojans, backdoors and adware are more easily caught and removed.

---
Powerful, committed communication. Touching the jewel within each person and bringing it to life..

[ Reply to This | # ]

Partnerships and an additional broad category for your list, I think
Authored by: Anonymous on Tuesday, August 22 2006 @ 05:12 PM EDT
The company I work for is migrating to Active Directory and taking the
opportunity to make some use of Group Policies to exert more control over users'
desktops.

However, since it's a partnership (a legal firm as it happens), we don't have
the same authority over users as in a normal company.

While there's an IT Committee that sets standards, ultimately you can't tell a
senior partner in the firm that they are not *allowed* to do something - no
matter how crazy.

The most you can do is sell them on it being a Very Bad Idea!

The partial way round this, which mostly works and is mostly accepted, is that
we've got a rock-solid standard HD image that includes the OS (WinXP), Office
and every single corporate-approved app.

If they scupper their PC in some way, and it isn't fixable in half an hour, then
we format the hard drive and Ghost a new image onto it.

Any data/files they've foolishly stored locally instead of on the fileservers or
the document management system is rescued on a best-endeavours basis.

This works because we make it very difficult to save anything to the PC's
hard-drive - all Office apps have startup macros to force saving to the document
management system for example.

It's a sort of poor-man's dumb terminal - we don't care what you do to your PC
because it'll be Gone in 1800 Seconds (half an hour).

[ Reply to This | # ]

How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Tuesday, August 22 2006 @ 05:30 PM EDT
Burlington Coat Factory is a Linux house that
has faced this problem. Here is a CW article about it:

http://www.computerworld.com/softwaretopics/os/linux/story/0,10801,88191,00.html


[ Reply to This | # ]

Let them install any free software
Authored by: Anonymous on Tuesday, August 22 2006 @ 05:37 PM EDT

The last place I worked was mixed Linux/Windows.

The Windows boxes were someone else's problem - frequently and annoyingly for them and the users.

The Linux boxes were used by software engineers and a secretary (who also had a Windows box). All but the secretary had root access. The policy was you could install any free software you wanted. Any software you used should be reported to me so I could remotely install it on all the other computers.

I never had any virus/malware problems with the Linux boxes, but there were some precautions: e.g. / mounted read-only most of the time.

The secretary preferred Linux - more responsive and a much more advanced GUI.

The Windows-only employees were jealous of my CAD software (QCAD) and the Gerber viewer (Gerber is the file format for printed circuit boards).

Now that I am in a Linux-only place, I miss the regular shouting and swearing I used to hear when MS Word failed to read an MS Word file. ;-)

[ Reply to This | # ]

How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Tuesday, August 22 2006 @ 05:38 PM EDT
If you run Windows, there is little you can do. I found that even with extreme
security measures, I can still load from a USB key; two USB ports are reserved
for keyboard and mouse on Windows systems and if you use these USB ports, they
aren't checked.

Personally I run Linux (Kubuntu) and if it were my company, I'd have
non-essential personnel running Linux from a 'dumb terminal' or thin client and
limit access to the user. This alone stops 99.9% of users who are only familiar
with Windows. And being on a thin client without root privileges, there is only
so much a knowledgeable user can do. Even so, they can only run apps as
themselves and only have the privileges that you gave to that user, effectively
sandboxing them.


[ Reply to This | # ]

How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Tuesday, August 22 2006 @ 06:05 PM EDT
I work at a large university and maintain over 200 workstations, most of which
run Microsoft Windows (2000 or XP). The most effective solution so far has been
to "lock-down" the end-users to the "User"-level privileges
(vs. Power User or Administrator). Each machine is built from a standardised
image and the same baseline of applications is available on every PC across the
environment. Some PCs have a few more applications that may be department
specific.

These practices combined with a good anti-virus package and a good anti-spyware
package have resulted in reducing (*virtually* eliminating) the risk for the
end-user in picking up a virus. We also scan for viruses at the border, scan for
viruses at the e-mail gateway, and also scan for viruses whenever the end-user is
reading/writing files to the file server(s).

Occasionally, a user may whine about not being able to install the latest
whiz-bang app. New applications are handled and judged on a
business-case/business-justifiable basis. Only the IT staff have access to
install most applications.

Of the many applications we run, only five so far have needed additional access,
and these we worked around by granting specific read/write access to particular
directories/files/registry keys to a "local group" on the machine.
Within the "local group" on the machine, the "global group"
for the logon domain is the only member, and then the end-users who need to run
that particular application are members of the "global group". This
makes it very easy to manage, adding or removing users from the global group
grants (or revokes) access to run the application.

Cheers!

Simba
Engineering

[ Reply to This | # ]

How does your company keep employees from loading apps on their PCs?
Authored by: josmith42 on Tuesday, August 22 2006 @ 06:26 PM EDT
Answer: my company does no sort of control whatsoever. Being a small company
(less than 50 employees), we haven't had any problems with people getting
viruses or spyware on their computers, at least none that I am aware of. And I
think I would have heard about them, because I sit next to the company's IT
administrator.

---
This comment was typed using the Dvorak keyboard layout. :-)

[ Reply to This | # ]

Information, Trust and Technology
Authored by: elhaard on Tuesday, August 22 2006 @ 06:30 PM EDT
I have two setups that might be of interest for you:


In my spare time, I volunteer as the sysadm for University Radio of Copenhagen.
We have about 200 users working with our servers from home and on our 12 work
stations at the office/studio.

The servers are not a problem in this regard, as most users only have access to
web pages and the mail server.

The workstations, on the other hand, are another story. Due to some proprietary
applications, we have to run Windows 98!
This means that the OS offers few or no real options for technology-based
control. But even so, it works all right.

First of all, information plays a large role. Users are informed that
installation of applications is only to be done by me, and that unauthorized
installations are the main reason for computer malfunctions. As I only
volunteer, a downed workstation might be down for a while. This does not
prohibit people from working, as they can just use another workstation. But they
notice the dead workstation with the sign "down due to unauthorized
installation".

Secondly, I try to find the right balance between friendly and BOFH. On one
hand, if users are asking for a piece of software, I look into it and either
install it system wide, point to an already installed application with the same
functionality, or explain why it can not be installed. To the extent time
permits it, I always take the users' request seriously.

On the other hand, I do use technology to prevent the most common problems: The
mail server simply throws away potentially dangerous file types (such as .exe,
.bat, .com).
The VBA engine is removed from desktops. I recoded the "Internet
Explorer" icon on desktops to open Firefox instead. And since MSN Messenger
is one of the applications that users ask for, but will not get due to security
reasons, the firewall is set up to block traffic from the MSN download and
Messenger servers.

Together, these solutions are surprisingly effective, considering how easy it is
to install on Windows 98. I think this is mainly due to the understanding the
users have that unauthorized installations will probably impede their ability
to work. That, and building the organisation-wide conscience that such
installations are just not something you do, because it might mean problems for
your co-workers.

Technology measures are fine to prevent accidental or careless installation of
software. But if users really want to install software, they will always find a
way. So the key is making them not want to :-)


Right now, I am evaluating replacements for those proprietary applications that
will only run under Windows 98. When I find the right software, we will switch
to Linux.


----------


In my professional life, I have my own company where I work as a consultant. I
recently did a setup for one of my customers.

That setup is based on Debian GNU/Linux on both servers and work stations.
Users' home directories are mounted not-executable as described by others here,
as are any USB drives.

Of course, this does not prevent users from running scripts, but scripts are
filtered away by the mail server, thus preventing accidental installation.

I have tried to install all software that the users might reasonably need/want,
and I am open to suggestions. Again, users are regularly being informed about
the negative consequences of unauthorized installation - not by threatening
unemployment, but by demonstrating the problems it yields for the user and his
or her co-workers.

Of course, the permission management in Linux can prevent a user from damaging
others directly, but malware can still be a security hazard for the company, as
it can sniff keypresses and read any information the user has access to.


So, the bottom line is: Keep your users happy and informed - but do not forget
to have a lock on the door.





Jørgen Elgaard Larsen
System Admin at University Radio of Copenhagen (volunteer)
CTO and senior consultant at Elgaard Data
Copenhagen, Denmark

For more info email j e l at e l g a a r d dot n e t


---
This comment is licensed under a Creative Commons License (Attribution 2.0).
Share & enjoy!

[ Reply to This | # ]
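
Both RichardR's and Jørgen's posts above rely on home directories (and, in Jørgen's case, USB drives) being mounted noexec. As an added example that is not code from either poster, here is a small audit script that parses a /proc/mounts-style listing and reports user-writable mount points that lack the noexec/nosuid/nodev options; the mount-point prefixes and the sample listing are constructed assumptions, not taken from any real host.

```python
"""Audit a /proc/mounts listing for user-writable mounts missing hardening.

Added illustration of the "noexec home directories and removable media"
control discussed in the thread. All sample data below is constructed.
"""
import os
import re

# Options expected on storage that users can write to:
#   noexec - the kernel refuses to execute binaries stored there
#   nosuid - setuid/setgid bits on files there are ignored
#   nodev  - device nodes there are not honoured
HARDENING = frozenset({"noexec", "nosuid", "nodev"})

# Where user-writable data lives. /media and /run/media are where desktop
# distributions typically mount removable drives (assumption for this example).
USER_WRITABLE_PREFIXES = ("/home", "/media", "/run/media", "/tmp", "/var/tmp")

# /proc/mounts encodes space, tab, newline and backslash as \ooo octal escapes,
# so a USB stick labelled "USB STICK" shows up as /media/alice/USB\040STICK.
_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def unescape_mount_field(field):
    """Decode the octal escapes used in /proc/mounts device and mount fields."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Parse the six-column /proc/mounts format into a list of dicts.

    Columns: device, mount point, fs type, options, dump, pass. Options are a
    comma-separated mix of flags (rw, noexec) and key=value pairs (uid=1000).
    """
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        device, mountpoint, fstype, options = parts[:4]
        mounts.append({
            "device": unescape_mount_field(device),
            "mountpoint": unescape_mount_field(mountpoint),
            "fstype": fstype,
            "options": frozenset(options.split(",")),
        })
    return mounts


def is_user_writable(mountpoint):
    """True if the mount point is, or lies under, a user-writable location."""
    return any(mountpoint == p or mountpoint.startswith(p + "/")
               for p in USER_WRITABLE_PREFIXES)


def audit_mounts(text):
    """Return {mount point: sorted list of missing hardening options}.

    Note the caveat Jørgen raises: noexec only blocks direct execution of
    binaries; an interpreter can still run a script read from such a mount,
    so this check covers one layer, not the whole control.
    """
    findings = {}
    for m in parse_mounts(text):
        if not is_user_writable(m["mountpoint"]):
            continue
        missing = HARDENING - m["options"]
        if missing:
            findings[m["mountpoint"]] = sorted(missing)
    return findings


# Constructed sample listing: /home and a backup drive are fully hardened,
# /tmp and a USB stick with a space in its label are missing noexec.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sdb1 /media/alice/USB\\040STICK vfat rw,nosuid,nodev,relatime,uid=1000,gid=1000 0 0
/dev/sdc1 /run/media/bob/backup ext4 rw,noexec,nosuid,nodev,relatime 0 0
"""

if __name__ == "__main__":
    # Audit the live system when run on Linux, otherwise the sample listing.
    if os.path.exists("/proc/mounts"):
        with open("/proc/mounts") as fh:
            listing = fh.read()
    else:
        listing = SAMPLE_MOUNTS
    for mountpoint, missing in audit_mounts(listing).items():
        print("%s is missing: %s" % (mountpoint, ", ".join(missing)))
```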

How does your company keep employees from loading apps on their PCs?
Authored by: treed on Tuesday, August 22 2006 @ 06:32 PM EDT
My company (an online clothing retailer) is all Linux based. We have 30+ LTSP
workstations for customer service and warehouse and are rolling out more. It is
nirvana. We very rarely hear about problems with them. Have never had a virus or
spyware. It all runs off of one single server (soon to be a Xen/AoE cluster for
scalability and redundancy, this is built but still undergoing testing) which
only a select few have root on. The users run on LTSP Term 150 machines from
disklessworkstations.com. There is practically nothing to go wrong with them and
they use minimal power. The fact that they boot and run off of our LTSP server
means they have zero software administrative costs themselves. We have been
running with them for over a year and just put in an order for a bunch more.

[ Reply to This | # ]

How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Tuesday, August 22 2006 @ 06:37 PM EDT
Very simple. You have to have the role of Local Administrator to load
applications on the machine under XP.

Nobody has that role for their computer.

You are forced to call the help desk for almost everything; Defrag the hard
drive, remove applications, install applications, etc. Like I said, everything.

It works, there are no spyware apps, viruses, or spam.

[ Reply to This | # ]

How does your company keep employees from loading apps on their PCs?
Authored by: sparkeyjames on Tuesday, August 22 2006 @ 06:38 PM EDT
I am the IT tech. for a small business. We have Macs and WinXP PCs and a
Slackware GNU/Linux server guarding the door. The solution was quite simple.
****If you install software or surf to a website using IE and it trashes the
machine and it's your 2nd time doing so, you're fired****. Firefox or Mozilla is
installed on ALL PCs and Macs and users are told to use it or else. So far this
has worked really well; we have not had to fire anyone so far.
This policy was put into effect after someone installed something on a WinNT
server box and all the old apps that had been set up years earlier (before I was
there) got trashed. Resetting everything on that box was a total B#$%h.
Management still does not believe in total backups (the Linux box is, though :).
I have not had to reinstall any of the WinXP boxes and so far zero viruses and
NO spyware for 2 1/2 years and counting. The people who use the Macs don't use
anything but commercially available software. If it is not approved by management
or myself it does not get used.

[ Reply to This | # ]

How does your company keep employees from loading apps on their PCs?
Authored by: ceolson on Tuesday, August 22 2006 @ 07:05 PM EDT
My company (Midwestern agricultural bank - 220 employees, some technical, most
not) builds standard images for different hardware platforms (all Windows). Then
they lock down almost all administrative privileges, so that users can not
install anything that needs admin rights. Category 4.

This keeps the support to the minimum (they have a hard enough time trying to
get all the supported applications working together on one PC in the first
place, without users messing something up).

They use MS SMS to push our software updates and new versions of some programs.
Some programs they still install manually.

Overall, it works pretty well, but some users (techie) complain a lot.

Craig Olson
Security Manager

[ Reply to This | # ]

How does your company keep employees from loading apps on their PCs?
Authored by: Tufty on Tuesday, August 22 2006 @ 07:08 PM EDT
For Windows

1/ DON'T give users Admin, Guest or anything other than User access.

2/ Remove Windows/Office updates

3/ Remove autorun

4/ Remove as many shortcuts/icons as I can get away with

5/ Severe application of a Tools app to curtail access to control panel and
anything else that may get in the way


For a fully tied down Windows desktop

1/ Novell Netware Zen

2/ see 1/


If possible run the desktop via a remote KVM with the machines locked up. ALWAYS
lock the computer/server room and don't let users gain access for ANYTHING. (BTW
the local Sam's Club has a fancy computer room that people just wander in and
out of - wonder how long that will last before someone nukes something?)

Back up all options with threat of severe repercussions, dismemberment, mayhem,
plague etc. Carry out the threats at the very first attempt to get around
security no matter how minor.


Final step

Be prepared to clear up the mess as no plan survives contact with the enemy.

After years of front line support work, at many levels, you can make anything
idiot proof but you cannot make anything (non-PJ word) idiot proof. Believe me,
you will always find one luser who will find a new way to get around your best
efforts.


Tufty


---
There has to be a rabbit down this rabbit hole somewhere!
Now I want its hide.

[ Reply to This | # ]

How does your company keep employees from loading apps on their PCs?
Authored by: markus on Tuesday, August 22 2006 @ 07:11 PM EDT

I'm working for the bigger of the two litigants in the biggest lawsuit we are following here.

The PCs (mostly Laptops) come preinstalled with the operating system (Windows is the default, Linux is available) and a base set of applications. There is an internal software download and install site where users can add more software if they need it.

Besides this each user can install whatever software they need (and have approval/budget/a license for). There is no support for it on the internal helpdesk, but freedom for everyone to install and support himself.

There is a blacklist of forbidden software (mostly p2p stuff) which we are not allowed to have installed. An agent runs regular checks on the machine to check for compliance with the internal guidelines. Things checked are that the firewall and antivirus are up to date and active, no p2p software is installed, passwords are set, etc.

Personally I find the policies reasonable and the enforcement procedure OK.

Markus

---
Markus Baertschi, Switzerland

[ Reply to This | # ]

Diffident but disruptive suggestion.. use vm's for "official" content
Authored by: Anonymous on Tuesday, August 22 2006 @ 07:28 PM EDT
I've built a number of SOE (Standard Operating Environment) installations using
the Microsoft platform over the years, and I'd like to offer a couple of
observations and a fairly disruptive suggestion.

Microsoft SOEs work quite well, and that's a part of the corporate love-fest
with this otherwise egregious near-monopoly. The SOEs (basically locked-down
user profiles and packaged apps) are also rather universally despised by any
user who's ever encountered a flying clue-brick.

SOEs have their roots in the bad old OS/2 days when users could conveniently
change their text and background to navy blue because they liked the Navy, which
configs could not be recovered unless the sysadmin had touch-typing skills and
an excellent memory (most do, but it's annoying nonetheless). Then someone did
their sums with the costs incurred by this annoyance, and we've been living with
the fallout ever since.

What I'd like to suggest is to turn the concept on its head -- allow people to
control their desktops utterly, subject to two rules:

o They must permit appropriate firewall and antivirus configurations on their
network connection, and;

o They must keep an "Official" VMware image on their systems with a
read-only backup copy on their C: drive, and an application sitting on their
desktop named "Revert".

Keep your standard software build as a VMware drive.

The idea is to let the PC become "Personal" again, with all that mucky
"work stuff" on a crafted virtual disk that can be easily recovered at
the press of a button.

A bit of an inversion on normal practice, but one that would be greeted warmly
by most peeps. What do you think?

Regards,
Nefarious Wheel <-- Ancient geek with MCSE & a few SOE builds under his
belt.

[ Reply to This | # ]

Well - not exactly
Authored by: Duster on Tuesday, August 22 2006 @ 08:16 PM EDT
The "policy" is not to load anything without permission. However,
there are exceptions - well one anyway. The shop is an XP and Office
establishment - but, well the policy is set because most of the staff are more
or less at the typewriter level. The owner does his own legwork and software
updating but some of us, me for example, need computer capability that MS Office
doesn't provide, or you maybe shouldn't trust, Excel for example. Also, I seem
to have become the emergency back-up computer tech. So there is some latitude,
but no official stance.



[ Reply to This | # ]

How does your company keep employees from loading apps on their PCs?
Authored by: Alex on Tuesday, August 22 2006 @ 09:31 PM EDT
I use the IceWM window manager, which is a light, small window manager that
resembles Windows. I remove all terminal apps (applications which resemble the
DOS box) from the menu, then go into the .icewm directory, which contains the
configuration files for IceWM, change the ownership to root, and make the
configuration files read only.

Now the user is unable to use any application that's not on the menu. I use
Idesk for icon management. Unlike Nautilus, Roxio, or xfm, Idesk only launches
the icon. It will not give the user access to any information. A better file
manager or terminal access is available for trusted users.

Obviously an experienced Linux user can type "ctrl, alt, F1-6," but
those users aren't usually the problem.

---
Hey Darl!! Did Ross Perot draw your chart?

[ Reply to This | # ]

Multiple Methods
Authored by: Tsu Dho Nimh on Tuesday, August 22 2006 @ 09:32 PM EDT
Company A, my previous employer, had several methods in use:
- Problems with unofficial software were not the IT department's
problem. If you hosed your install with some downloaded crap, they would fix
it, but bill the time back to the department.
- Some scanning software ran periodically and ratted out unofficial
software. If the software was a known spyware problem or was unlicensed
commercial stuff, you got a warning popup and were ordered to delete it
immediately. If it was unofficial, but the licensing was GPL or other freeware,
you could explain why you had it and they would add it to their list.
- They had a cache of neat screensaver photos to use, and a page that
linked to official sites for some popular FOSS and utilities.
- FORCED virus scanning on startup or connection to the company network.

[ Reply to This | # ]

How does your company keep employees from loading apps on their PCs?
Authored by: Solarisguy on Tuesday, August 22 2006 @ 09:35 PM EDT
Fear.

I'm serious. I run a small network and I simply tell employees that if they
download any apps or install any apps without my express permission, they will
no longer have their own computer.

I hate it. I'd much rather migrate to Linux/Unix but we have so many state apps
that only run on Windows and do not work in Wine. My boss is a tech luddite and
trying things like VMware or dual boot is just something I cannot get across to
her or the Board.

[ Reply to This | # ]

If I can't install software, I can't do my job
Authored by: Anonymous on Tuesday, August 22 2006 @ 10:18 PM EDT
Stuff I need to do my job is stuff that isn't on corporate approved lists.

Eclipse
MyEclipseIDE
TortoiseSVN/Subclipse
Java5
Tomcat latest
Proxomitron
Firefox and Opera
Dozens of Firefox extensions: firebug, web developer, tamper data, etc.
MySQL
MySQL migration tools.
Selenium.

I don't know what I'm going to need far enough beforehand to get approval
through corporate red tape. Fortunately where I work developers have admin
rights on their boxes. If they didn't, nothing would get done.


[ Reply to This | # ]

How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Tuesday, August 22 2006 @ 11:12 PM EDT
My company does a lot of R&D and is rather tolerant of technically savvy
users (like -ahem- me) but they also have a lot of support personnel with no
special IT skills. I just ordered a laptop through the official channels (an HP
nc8230). The subcontractor that handles PC provisioning was going to schedule an
"installation", during which they install and strengthen Windows as
well as they can. I called and said that they were welcome to do that but I was
going to wipe out the disk and put Linux Fedora Core 5 on it. They told me to
sign a couple of "installation refusal" (TM) forms, which I did, but
they let me do what I wanted! The only restriction is that I have to agree to
install (as de facto administrator of my laptop) corporate s/w that checks for
installed s/w; I also have to abide by general administrator guidelines.

All in all I am very happy about this arrangement. With drivers from ATI and
Intel, my laptop runs Linux like a champ; yet I try to be a responsible
administrator and comply with corporate guidelines about security and s/w
installation.

Bottom line: I love my laptop, I am productive, and my employer stays out of the
way.

[ Reply to This | # ]

How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Tuesday, August 22 2006 @ 11:14 PM EDT
First of all, employees should be made aware of the company policy. For my
company this meant having explicit rules that any commercial applications that
required a paid license must be properly purchased before installation.
Installing pirated software was a firing offence.

Open source software licensed under an OSI-approved license could be installed
without explicit permission, and since we were a Linux shop we didn't have too
much concern about viruses. This meant that there was very little paid software;
in fact the only one we had was Kylix - and even that is retired technology now.
That is a solution for developers.

For systems used by users who have specific jobs to do you can set up Linux thin
clients or duplicated machines which are essentially identical. All data is
stored on central servers, and all applications installed centrally. This isn't
appropriate for all users, but it can be a useful approach for POS terminals,
factory floor terminals, and in many other sites where the core applications are
all the same.

The downside is flexibility sadly - users are more restricted in what they can
do, and cannot simply load the software they want. It is therefore a balance
between flexibility and ease of administration.

Typical commercial software adds an additional issue; that of licensing audits
and tracking. Even a restricted system can violate licenses if the tracking is
not kept up to date. That is a problem I didn't have, as developers used Linux
and looked after their own boxes, or users had machines that were locked down on
Linux thin clients. Either way there were no ongoing license costs.

[ Reply to This | # ]

How does your company keep employees from loading apps on their PCs?
Authored by: sappha58 on Tuesday, August 22 2006 @ 11:16 PM EDT
They keep our PCs locked down. All Windows users are set to being
"ordinary" users. I can hardly do anything on my PC - I cannot
install software, I cannot remove icons from the desktop, I cannot even change
settings in various programs (such as Lotus Notes.) Oh, and they lock out so
many sites from the Internets that the Internets are effectively broken.

I had more freedom with my work PC when I worked for a bank.

[ Reply to This | # ]

How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Tuesday, August 22 2006 @ 11:20 PM EDT
Hi Esther,

We run about 3,000 desktop PCs using Linux. I can't tell you who or
where as I've not been through our media training.

Let's start with some history. Unix system administration practices
grew up in universities' student computing labs. These were typically
30 to 300 machines used by irresponsible but bright computer science
students. So the operating system was designed with the thought that
users may be hostile to the aims of the system administrator. A single
system administrator would be assigned to the lab, so the goal of
minimising the per-machine cost of system administration was also
present.

Unix, and Linux, has a strong distinction between 'user' and 'root'
(superuser) accounts. The 'root' account is only used for system
administration tasks -- the system administrator will have a normal
account for reading e-mail and other non-administrative tasks.

This differs from the 'Administrator' power in Microsoft Windows,
which accompanies a user whatever they are doing. This vastly
increases the odds that faulty software will gain unfettered access
to the system. Worse still, since so many people have 'Administrator'
powers a lot of ordinary software will not run without those powers.

Both Unix and Windows won't allow people without 'root' or
'Administrator' access to install software for use by other users. But
you can already see that too many Windows users need 'Administrator'
powers, allowing them to install software. Worse still, they have that
'Administrator' access all the time, which means a flawed program can
be exploited to install malicious software.

This isn't to say that worms can't occur in Linux. A lot of system
processes run with unfettered access and a flaw in one of those can be
exploited. [To be fair, SELinux was developed to counter this problem,
by limiting these system processes to be able to do only the actions
that are expected of them.] Furthermore it's not always needed to get
superuser access to do the things that intruders want to do (such as a
spammer sending e-mails). But a major hole simply doesn't exist.

Getting back to the cost of ownership, that computing lab system
administrator doesn't want to run an "installer" on each machine which
only installs one program and certainly doesn't want to sit in front
of each machine to install the software.

So Linux distributions have a "package manager" -- this is simply an
installer provided by the operating system rather than an installer
provided by the software provider (as is the usual case with Windows
software). This brings a lot of benefits: removing software is sure
and certain, getting an inventory of software is simple, installing
from a network drive is simple, and installing a package can
automatically install all the other software that the package needs.

Linux distributions also have a package called "Secure Shell". This
gives a command line on a distant machine. So a system administrator
seeking to install a PDF reader on remote machine 123 could do

ssh root@r123.example.com 'yum install evince'

Being open source software, you can build your own packages. A common
technique is to describe the standard operating environment in a
package. This contains no software, just a list of all the other
software which is needed for the SOE.

ssh root@r123.example.com 'yum install soe-example'

In this environment only the 'root' user can install software. But
let's say that a user wants software installed -- do they have to wait
for a system administrator to become available?

One of the advantages of Linux's shell is that everything can be done
from the command line. So you can build an application which is a web
page listing all the software beyond the SOE that the IT department
supports. The user can log into the web page, tick the additional
software they want and a simple automated program (called a 'script')
can do this if the user has ticked the R statistical analysis package:

ssh software@r123.example.com 'yum install R'

The web page can also update a database of all software which has been
installed. So auditing the machine is simple -- compare that database
to the output of

yum list installed

Maintaining software is simple -- "yum update" is automatically run
every evening by every machine (we set the BIOS so the machine comes
on to do this even if it is off and then powers down again).

A lot of housekeeping can be done in these 'cron' jobs. For example,
every week we drop the average desktop machine into a special
maintenance mode and scan it for viruses, root kits and other malware;
purge any 'temporary' files; test the RAM and hard disk; and so on.
Again the aim is never to have a system administrator to touch any
individual computer and to hopefully become aware of any failure
before the user, and in any case no later than five minutes after
they've noticed.

The other major system administration task is configuration. We use
cfengine for that. Every machine belongs to classes and we give a
configuration which applies to the entire class of machines. So we
have a class for every non-server -- this does things like make them
update their software from the local software repository, points their
e-mail system to the corporate e-mail server and so on.

Using cfengine is more work than configuring one machine, probably the
same amount of work as configuring five machines by hand. So it pays
its way very quickly in a large site.

And Linux's computing lab Unix heritage helps it in many other
ways. Almost everything works as well across the network as on the
local machine. As a trivial example system log records can be sent to
a central log server, where they are easily automatically scanned for
messages indicating pending hard drive failures, excessive password
failures and the like. System monitoring is as easy to do remotely as
locally. For example the amount of CPU usage can be recorded and if it
runs at near 100% for a few minutes then an alarm can be raised and
the system administrator have a look for runaway processes. The fan
RPM and power supply voltages are tracked and an alert raised if they
are out of range for that model of computer. That is, problems with
the Linux desktops are usually fixed before the user calls the help
desk.

The amount of memory used can be recorded and used for capacity
planning and alerting software developers to bloat or memory
leaks. That is, Unix's midrange emphasis on tracking resource use pays
off even today in allowing accurate purchasing. Whereas Windows system
administrators have to buy 2GB of RAM, we know how much memory is
needed for the machine's proposed role and why. This allows us to
effectively recycle used machines through the organisation.

We also pay for a lot less of unusual software. We don't want USB
memory keys to be used on most machines, but we do want other USB
devices like printers to be able to be used. And for machines where it
is permitted we only want particular keys to be used. That can all be
done using the standard system administration tools. Whereas the
Windows system administrators are discussing glueing up the USB ports.

All of this is built with standard components. The central software
repository is nothing more than a web server. Copying software to it
is done using WebDAV, like publishing any other web server file. We
track changes to machine configurations in cfengine using Subversion,
the same configuration control tool used by our programming
staff. That sends a mail message every time a change is made -- that
e-mail list is maintained by Mailman, the same mailing list manager
used for all other mailing lists.

That's very different to Windows, where the centralised system
administration tools don't leverage off existing tools and have a huge
learning curve.

----

In terms of support we offer a "standard operating environment" which
can be supplemented with a list of approved software. Generally the
approval process is to force people to choose the software which our
training department support. So the OpenOffice application is approved
and other spreadsheet programs are not. We offer full support and
training for SOE users. Approval is not needed to install software
(that can be done automatically as described above), only to add new
software to the list. One of the advantages of free software is that
we needn't worry if someone requests unnecessary software
installation.

An SOE can never suit specialist users, such as our graphics,
engineering and science staff. So we offer the "non SOE". This
consists of a small set of required programs and configurations for
each operating system. Just enough to secure the machine and tie it
into our corporate authentication.

We also offer "non SOE" users a stable list of protocols and servers
for accessing corporate services. So e-mail will always be accepted
to the mail submission port at the name smtp.proto.example.com and can
always be collected from the IMAPS port at the name
imaps.proto.example.com. So the non SOE users configure these into
their applications.

Finally, non SOE users have a list of don'ts. Generally these force
the use of network services like DHCP rather than allowing people to
hard code IP addresses; prevent the creation of accounts for people
outside of the company and the like.

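The audit step the post above describes (comparing the IT department's database of installed software with the output of `yum list installed`), written out as an added POSIX sh example that is not part of the original comment; the database contents, the yum output and the host name are constructed sample data, and the wrapped-line form of real yum output is not handled.

```sh
#!/bin/sh
# Added example, not from the original post: reconcile the IT department's
# database of installed software with what `yum list installed` reports,
# so a machine that has drifted from its record is flagged.
# All inputs below are constructed sample data.
set -eu
export LC_ALL=C   # one collation order for sort(1) and comm(1)

# Constructed: what the web application's database records for host r123
# (the SOE meta-package from the post plus two user-ticked packages).
EXPECTED_DB='soe-example
evince
R'

# Constructed, abbreviated `yum list installed` output for the same host.
# Real output has a header line and "name.arch  version  repo" columns
# (long names may wrap onto two lines; that case is not handled here).
YUM_OUTPUT='Installed Packages
R.x86_64                     2.3.1-1.el5          installed
evince.x86_64                0.6.0-8.el5          installed
soe-example.noarch           1.0-1                installed
nmap.x86_64                  4.11-1.el5           installed'

# installed_names: reduce yum output to bare package names, one per line,
# sorted: skip the header and strip the trailing ".arch" from column 1.
installed_names() {
    printf '%s\n' "$1" | awk 'NR > 1 { sub(/\.[^.]+$/, "", $1); print $1 }' | sort -u
}

# expected_names: the database list, sorted the same way for comm(1).
expected_names() {
    printf '%s\n' "$1" | sort -u
}

# compare: run comm(1) with the given flag over the two name lists.
# $1 comm flag, $2 database list, $3 yum output.
compare() {
    expf=$(mktemp) && instf=$(mktemp)
    expected_names "$2"  > "$expf"
    installed_names "$3" > "$instf"
    comm "$1" "$expf" "$instf"
    rm -f "$expf" "$instf"
}

# unauthorized: on the machine but not in the database (installed outside
# the web application, or the database was not updated).
unauthorized() { compare -13 "$1" "$2"; }

# missing: in the database but not on the machine (install failed or the
# package was removed by hand).
missing() { compare -23 "$1" "$2"; }

# audit_report: human-readable summary for one host; returns 1 on any drift
# so the nightly cron job that runs it can raise an alarm.
audit_report() {
    host=$1; db=$2; yum=$3; drift=0
    for p in $(unauthorized "$db" "$yum"); do
        echo "$host: not in database: $p"; drift=1
    done
    for p in $(missing "$db" "$yum"); do
        echo "$host: recorded but not installed: $p"; drift=1
    done
    [ "$drift" -eq 0 ] && echo "$host: matches database"
    return "$drift"
}

audit_report r123.example.com "$EXPECTED_DB" "$YUM_OUTPUT" || echo "drift detected"
```

In the constructed data the machine carries nmap, which the database never recorded, so the report flags it and exits non-zero.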

How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Wednesday, August 23 2006 @ 12:20 AM EDT
All of my customers are using Novell ZENworks to accomplish this. Have a look at
Novell's website: http://www.novell.com/products/zenworks/desktops/


How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Wednesday, August 23 2006 @ 02:39 AM EDT
First one should note that if all staff have access to the processor box (the max box of a PC) then it is all but impossible to prevent unauthorised installation of software.

One of my clients has trouble with people installing unauthorised and often unlicensed software despite everything management do. All desktop machines have the normal user accounts set to low privilege and the admin grade accounts have all been password protected, so far without success. Someone has obtained a special boot CD and is using that to circumvent the protection (we know who it is, we just haven't got proof that would stand up against a tribunal - they have been warned that if they are caught it will be instant dismissal).

Currently the two server boxes are safe, primarily because they are not Windows.

We would like to move to thin-client desktops but this is not easy with Windows (something one group are tied to through the CAD package they use), hence we and management are being very cautious about the step.


How does your company keep employees from loading apps on their PCs?
Authored by: Tsela on Wednesday, August 23 2006 @ 03:16 AM EDT

The company I work for has Windows (2000, nobody here wants the crap that is Windows XP) and Linux workstations. I don't know how the Linux workstations get controlled, as I don't use one here, but the Windows workstations are controlled via a so-called "scripted desktop". Basically, tightened security by making most of the C: drive read-only, the Home a network drive, etc... Applications can be installed by requesting them via a form. If you get authorisation for such an app, a script adds it to the list of apps you are allowed to install (a special programme allows you to do so). The advantage is that installing applications that way never fails: they are adapted to your desktop in advance, and you can usually install them without having to stop other programmes or restart the computer. The inconvenience is that you can only install approved programmes. However, if you can make a good business case for it, you can request applications that are normally not on the list. It will take some time, but it's possible. This whole "scripted desktop" thing has been developed in-house, and is thus under tight control of the IT department.

Of course, applications that don't write to the registry can be installed in your home or in the few places that are writable to you (or on a USB stick). In practice the firewall and anti-virus seem to prevent any problem from propagating (it *is* possible to break your own computer, but no system is fool-proof anyway). Also, if you can make a good case for it you can also get administrator rights on your workstation (but if a problem on your computer is identified as coming from an application you installed yourself, the helpdesk will stop helping you. It's your own responsibility). In any case, people just seem to be careful with what they do and hardly ever install anything themselves on their computers (I have a few apps on a USB stick for when I really need something else). The company has an extensive teaching programme to raise awareness of computer issues, and it seems to work relatively well. Also, a very tight firewall neatly separates the Intranet from the Internet, and things that have contact with the outside world (like the websites) don't run on Windows (they currently run on AIX AFAIK).

Of course, I believe Linux should become more pervasive here (right now it's mostly used on high-end machines for running simulations and such - or for the wonderful Virtual Reality systems that I wish I could use more (unfortunately they are mostly for geologists and other subsurface people. Working as I do as a process engineer, I don't get to use them :( ) -), but this company is quite conservative when it comes to IT, and tests everything thoroughly before deploying it.

To give you an idea of the company I work for, it's in the top 5 of the Fortune Global 500 (but not the Fortune 500, as it is not a US company).

---
Christophe Grandsire


Fantastic resource!
Authored by: Anonymous on Wednesday, August 23 2006 @ 03:23 AM EDT
I'd just like to say that this little thread appears to have turned into an extremely useful seminal resource. It's probably given a large number of sys admin types some extremely useful insight into various system protection methods. I know this probably wasn't the intention, but perhaps a "thanks" to all the contributors is in order.

CPW


How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Wednesday, August 23 2006 @ 03:31 AM EDT
My company is me, so I get to install whatever I want after asking the CEO
(me).

More seriously, I've generally worked in unix environments; what has been most
common is that, on your workstation, you have user rights only. /usr/local (or
/opt, or whatever, depending on variant) is generally shared between all
workstations, getting software installed there is a question of getting
agreement from the sysadmins; home directories (also, generally, remotely
mounted) are pretty much fair game, so if you absolutely _need_ a particular
piece of software you can install it locally after modifying paths etc, and,
assuming a remotely mounted home directory, you'll have that software on
whatever machine you're logged into. If you're installing massive software,
it's generally better to get it installed for everyone, that way you don't blow
your disk quota.

Works very well for fixed workstations, not so good for laptops.

Simon


How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Wednesday, August 23 2006 @ 03:57 AM EDT
Ok, here's my 2c on this.

We're a 100% windows house, with all the problems that entails, however we have
a relaxed corporate attitude with no formal rules on what staff can and can't
install on their computers.

That said, all users run with normal user permissions so cannot install most
software. We also disable CD-ROM and floppy drives, and our internet access and
e-mails are heavily filtered so staff cannot download programs (only limited
file types are allowed to be downloaded, zip and executable files are explicitly
blocked). We use ISA 2004 to filter downloads, and policy settings to prevent
users accessing .exe files from Outlook.

This means that without any real pain to the users, and without any draconian
management, the average user has no way to get software onto his pc. They can
all get on with their jobs, all the computers work and we've not had any
complaints about this approach.

Of course, this wouldn't stop a determined user finding ways around this, but
we've only had one or two instances of this happening (people heard about google
earth...), and we've never had a serious problem with unwanted software being
installed on the computers.

That said, we're keeping an eye on protection manager from winternals.com. This
would stop any unauthorised software from running, and looks like it would do it
in a painless and relatively cost-effective way. It would prevent employees
installing software, but we're not yet convinced it would block the 0-day word
and powerpoint exploits so are waiting to see if a better solution can be found
before committing ourselves.


It is and will ever be impossible!
Authored by: q.kontinuum on Wednesday, August 23 2006 @ 04:24 AM EDT
Many programs are written in scripting languages such as perl, shell script, visual
basic (if it must be windows), star basic, ... ... ...

Those programs run even without an executable flag (by calling the interpreter
and giving the path to the script as a parameter). Once started, they can still
modify the .bashrc (Linux) or the Startup folder (Windows) to be started
whenever the user logs in. The only way to prevent those programs from being
installed is to disallow the user the usage of any Interpreter or the reception
/ creation of any document. That means: No Word document (could employ VB), no
OpenOffice (could employ Star Basic), no HTML (Javascript), nothing. No Word, No
Excel, No OpenOffice, No browser.

That would render the computer quite useless. And please notice: Trusted
Computing does not change a bit of this, in spite of the marketing lies spread
by MS and content industry! To the operating system, scripts are data, not code.
Therefore the OS can not prevent script execution, since in the eyes of the OS
the Script is never executed, but only the interpreter. Trusted computing just
helps the DRM case, not user security.

The only way to achieve a little bit of security is to accept, that a trojan can
reach the access level of the careless user and therefore restrict the rights of
the user to no more than he needs. Role based accounts can help a bit as well:
When the user has a desktop computer and a remote account, it is more likely
that he will install his own applications to the desktop than to the remote
account. And while it is possible that the trojan could take over a shell
session from the local host to the remote account, it is unlikely that this can
be automated easily.

Other chances are a background program monitoring system calls by user space
applications and running a statistic to identify changes in the behaviour.

Or (since trojans are dangerous in the first case because of the internet
connection / the possibility to steal data) to monitor the network for unusual
activities, like outgoing connections other than port 80, connections on port
80 which are not http (problem: sanity checks for https can not be performed),
outgoing connections while there is no keyboard activity, etc.

Additional security could be provided by allowing only certain applications (e.g.
firefox) to connect to the internet. But careful: Standard Linux does not
provide this feature (although there are add-ons available) and in Windows it's
partly useless because evil programs can use the API of the IE to do nearly
whatever they want.

In short: Disable system features the user does not need, so the trojan can't
have it either. Monitor system features the user is unlikely to need. Monitor
unlikely combinations of features (like network connection while screen saver is
on).
Use different operating systems, so one trojan can not affect all machines.
Educate the user. Make the responsibility clear to the user. Make him liable for
grossly negligent misconduct. (Not actually to get a refund in case of damage,
but to strengthen his feeling of responsibility.)

Kind regards
q.kontinuum


How does your company keep employees from loading apps on their PCs?
Authored by: fempisces on Wednesday, August 23 2006 @ 05:00 AM EDT
I work for a large global car manufacturer who runs
Windows desktops and uses Active Directory to set domain permissions as well as
setting local administrator permissions. The company's IT policy states that you
can send personal email & browse the web so long as it does not interfere
with your work.

As you would expect the default policy for a new user
is they only have user permissions & while they can install things locally
as has been mentioned elsewhere they are unable to install anything that
requires registry access or dlls in the main system paths.

Every time you need to change the font or install
something for work purposes you have to phone the helpdesk to log a call which
is passed to desktop support. They phone you back within 48hrs of your logging
the call, spend time looking at the software required & eventually install
it on the machine if it passes their security checks. This may sound like a
secure way to do things, however, in the time it takes to get an application
approved, or worse rejected, you've probably missed the deadline for the work
you needed to do. You've cost who knows how many man hours running around
getting all the i's dotted & t's crossed on the forms to make an exception
not to mention the testing & signatures required by desktops. Ultimately it
can take weeks to have a new application installed.

I got around this particular issue by stating I needed
to use ping & traceroute among other things as part of my daily work
supporting linux servers (Windows is such a bad system for supporting linux, but
they won't let me have a linux machine) and therefore needed to be able to run
cmd at the very least. I now have full administrator access to my PC and have
therefore negated the security in place.

I have also managed to obtain domain administrator
access in very much the same way. I am not part of the core systems
administrators here; I only look after a few servers and only one windows server
on the domain to which I have administrator access.

Ideally I would like a linux machine. For a start I
could interact more easily with the linux servers, but from a security point of
view I would not need administrator access to my local machine under linux, not
even sudo access providing the machine was set up correctly so I could run the
debugging tools necessary. I could download & install anything I wanted,
however, I would not be able to damage the machine to a point where it would no
longer function. Not to mention the scarcity of linux viruses & therefore
how unlikely it is I would ever infect the network with something capable of
bringing the entire company to a halt. (I have seen this happen when someone has
opened an attachment in windows from an email & it hasn't been caught in
time to stop it from spreading).

The other obvious advantage to having linux is the cost
of licensing windows software. We have at least one PC per person in the company
plus a lot of people have company laptops as well, then there is the cost of
office for every machine & the server applications like exchange, IIS. I
shudder to think what the actual cost of all that really is & while I
realise most major companies like the one I work for would pay for linux and
that there would be a certain amount of re-training for all staff I would be
stunned if it cost anywhere near what they are paying for now.

It also occurs to me that I have been getting memory
errors on my PC recently & when I look at the processes running to find out
what is eating the memory it is the operating system itself, something linux is
famous for not doing. With the system resources I have available I could run
linux happily & the PC would not need to be upgraded. I usually run 2-3
instances of ie, outlook, 2-3 instances of putty, MS communicator & gaim,
which with MS's OS consumes all of my 248MB of memory until it crashes & I
have to reboot.

---
What if life was for free & work was for fun?


Even with its undeniably powerful and flexible ACL Windows falls flat.
Authored by: Anonymous on Wednesday, August 23 2006 @ 06:49 AM EDT
Alas too many programs rely on high privileges to run correctly.
Even worse in Windows there is "runas" to run programs with different
privileges, but its usefulness is gravely hampered by the sad fact that there
isn't a practical way to access files and directories of another user, if
protected, so, for example, the administrator cannot routinely log with a low
privileges account and access his directories without logging out and relogging
as administrator, unless he sets his directories to grant access to low
privileges users (HORROR!).
There are less than obvious ways or 3rd parties more powerful shells to bypass
the obstacle, but they are easy for professional administrators, but not so
easy, or often simply unknown, for simple power user forced to log as
administrators by the overall bad design.


Laptops are an even bigger Problem
Authored by: Anonymous on Wednesday, August 23 2006 @ 07:35 AM EDT
With PCs at least the IT can be the only Admin and maybe even control the
Installation of apps by rights management (users are only allowed write-access
on storage where no execution is allowed).

But with Laptops there are two things: (i) there's not always an admin just a
phonecall away, which means that situations might occur when a user has to have
admin rights to fix things when he's someplace else; but more important is (ii)
that there's a mindset that the laptop is somehow the user's computer, not just
for work but also for private use and maybe even the kids' games.


How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Wednesday, August 23 2006 @ 07:49 AM EDT
Currently, we use ZENworks. ZENworks has a desktop policy piece that allows the
administrator to select which rights the user has to the desktop (ie,
Administrator, User, Power User, etc...). ZENworks is powerful in the fact that
we can configure it to create the local user account on the fly. We can also
configure it to keep or delete the local user account after the user logs-off
the computer.

And that's just one little piece of ZENworks. ZENworks also allows us (if we
decide to enable/configure it) to remote control desktops (great for helpdesk),
configure user account that can only log into a specific workstation, or a
workstation that will only allow a specific user id (or id's) to login to that
workstation, distribute applications (like office, email software, updates,
etc...), modify the registry, install printers (automagically), and workstation
inventory.


Frank E. Friedman
Network Services Technician IV
Ohio Industrial Commission
Columbus, Ohio


Are you ready for your patent AUDIT? & that security salesperson who sold security with EULA?
Authored by: Anonymous on Wednesday, August 23 2006 @ 08:19 AM EDT

As I posted above, but reconsidered and am now posting in the main...

1st - For those of you who bought and paid for security toys... well, you better read a bit.

Are you aware of experts say that computer security is an oxymoron (here is who says this)? - Authored by: Anonymous on Friday, July 28 2006 @ 08:40 AM EDT

http://www.groklaw.net/comment.php?mode=display&sid=20060725152958389&title=Are+you+aware+of+experts+say+that+computer+security+is+an+oxymoron+%28here+is+who+says+this%29%3F&type=article&order=&hideanonymous=0&pid=465924#c465928

2nd, - HAVE YOU EVER SAID YES AND CLICKED THRU A EULA FOR ANY SOFTWARE PRODUCT?

IF SO, then you better be ready for your 1st Patent Infringement BSA AUDIT (how many of Microsoft's FILED or awarded, patents do you use and are infringing on with software that you have used for years that you developed in-house or bought from a company that did not patent this FIRST as well)? IF congress passes First to File and it becomes part of their next patent reform actions... WELL, you can bet that the BSA, will see that as a profit center in their work for getting for Microsoft every infringer that exists under every stone. THEY WILL FIND YOU. At some point in time you used Microsoft software and you clicked on an EULA and when you tell the judge that, then the judge will let the BSA into your company and you will be audited for license (infringement) and use of Microsoft software and business method patents (security can be a business method as well).

In fact you don't even have to be a US company to have this threat become real... Those in the EU and elsewhere that approve of software patents and business method patents (where some kind of software is involved and they have clicked thru a EULA to install any software where they agree to be audited in the EULA) are at risk for a software patent infringement shakedown by ANY software patent or related business method patent holder.

AND with Microsoft's book of patents on software.. you will be given the choice of paying up... or going to court and also paying Microsoft's legal bills (or the BSA's legal costs) and all other costs OUT OF YOUR POCKET... because you are an infringer.... THE ORGANIZED CRIME BOSSES WILL BE REALLY JEALOUS OF MICROSOFT's ability with such a law in effect to have folks just throw money at them.

In fact, they don't even need First to File in some cases where JUST HAVING A PATENT GRANTED to them by the USPTO, even if it is a bogus patent, to RAID YOUR COMPANY and DEMAND PAYMENT.

When the First to File Patent bill by Sen Hatch and Sen Leahy (and its almost exact twin that also supports FIRST TO FILE PATENTS, that has been endorsed by the House of Representatives' committee that does this type of legislation) is approved by congress (who are clueless, as ever). AND the fact that when this bill becomes law.... there will come a day, for OPEN SOURCE USERS, where Steve, chair throwing BALLMER will want the BSA to enforce Microsoft's patent portfolio against all users of open source, against all who have invented in-house software that does what Microsoft has patented, or filed for a patent first for, and for your own secret in-house computer and facility security designs...! YES – all facility security designs will be examined by a BSA audit as they all use some sort of computer software to do this!

ARE YOU READY FOR YOUR AUDIT... ?

HOW MUCH ARE YOU READY TO PAY OUT?

OR – ARE YOU READY NOW TO OPPOSE FIRST TO FILE PATENTS – and are you ready NOW to oppose all software patents and business method patents (as they too will be excuses for BSA raids on your company and its internal operations and your entire company and its internal and comprehensive security designs will be examined for infringement of not only illegal software use, but illegal patent infringement and use as well)! AND this action by the BSA may not even be on behalf of Microsoft, it may be done for some other company that holds some hard to read and understand, but granted by the patent office, piece of paper where if you are in their sights, you are a dead, software using, patent infringing, duck! AND YOU WILL PAY!




How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Wednesday, August 23 2006 @ 08:30 AM EDT
I'm a one person IT dept at a local branch of a national company. I have about
100 people who work in the office plus another 100 sales people who work
remotely.

All of our systems are Windows based; servers, desktops, laptops, tablets and
pdas. There are probably about ten people total who have administrative rights
on their systems. All of the rest are locked down using a program called Security
Administrator.
Security Administrator, once set up, can do everything from disabling
right-click on the desktop, to limiting the programs shown on the Start Menu,
only showing certain buttons in IE to locking down privileges and access to
folders.


How does your company keep employees from loading apps on their PCs?
Authored by: kberrien on Wednesday, August 23 2006 @ 09:00 AM EDT
Someone may have duplicated this in a previous post, I didn't check them all.

On our XP workstations (we have no Win2k), we use Active Directory group
policies, and users don't run with elevated privileges. Of course, there are
some poorly written apps which are not "microsoft security model"
compliant, and the users have to run as power users, or even admin's sometimes.
There are the oddities, about .5 % of the user population.

Group Policies are used to lock down the user from changing, or accessing
anything that's not necessary. We do allow the changing of windows built in
screen savers, background screens, font sizes & colors so users can
customize a bit, and be happy. Our users have found that they basically can't
install anything, and have to call on tech support.

Our spyware, and user self installed issues have dropped to near zero.

Our legacy 95/98 workstations, many in our schools rely on older versions of
Winlock (www.visionsoft.com), which also has a network version as well.
Basically, winlock takes the older policy settings for 95/98 and implements it
better than NT server ever did. Users have a specific set of applications that
they are allowed to run, all others are blocked. They can download till the
cows come home, but can't install regardless of the lack of user level security
in win9x.

The system does have some obvious backdoors, some which can be blocked, others
not. However, most students don't pick up on it, and those that do are silenced
in other ways...


Regular HD partition re-imaging or User owned laptops
Authored by: NZheretic on Wednesday, August 23 2006 @ 10:22 AM EDT
From Linux on the Desktop at work and worth it
Some individuals like to download and install software, either in the local filesystem or home directories, and get annoyed when the installed software is erased or overwritten. Unauthorized software installs remain a major problem in terms of both security and licensing. For those users we offered a choice, either stop installing software or buy and provision their own laptop with a loan from the organization. The individual owns the laptop but can only access the internal network if they allow the IT department to inspect the laptop on a regular basis.

Remove Admin Rights
Authored by: Anonymous on Wednesday, August 23 2006 @ 10:43 AM EDT
Run Windows XP with NTFS, remove Admin rights from the standard user via Group
Policy, and use SMS 2003 to push updates for sanctioned software.

How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Wednesday, August 23 2006 @ 11:27 AM EDT
1)Good anti-virus software on all machines.
2)Anti-spyware software on all machines.
3)Don't open crap that comes with emails.
4)Provide good support. (If someone organizes the license and comes to install the
software, why do it ourselves?)
5)Encourage the use of Firefox.
6)Use OpenOffice as that is all most users need and the license terms are
great.
7)Use Linux for servers.
8)Install a firewall.

Most people have got the message: Windows is not safe; be careful.

In other words have faith in your users.

It works.


How does your company keep employees from loading apps on their PCs?
Authored by: theMutant on Wednesday, August 23 2006 @ 11:47 AM EDT
At present, we use DeepFreeze. The main problem with that is that we also use
ZENworks and, while you CAN get the two to play nicely, it's still extra work.
This year, we are going to do some testing of just using ZENworks policies. An
additional method is to periodically check the applications list in the
workstation inventory database.

Although we don't have the policy with my current employer, with a previous one
we had a policy that if your workstation got fouled up, the technician would
spend 10 minutes trying to fix it. If it couldn't be fixed by that time it got
re-imaged.

---
David W. Cooney, CNB (Certified Novell Bigot)
IANAL

How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Wednesday, August 23 2006 @ 11:58 AM EDT
- For Windows machines used by admin staff -- no admin rights; and
strict policy forbidding the use of any apps except the approved ones (Word,
PowerPoint, Excel, our CRM and Accounting apps).
- For Windows machines used by technical people, such as for software
development and testing -- the machines basically exist
*Outside* our corporate firewall that protects sensitive data.
When they get messed up, we re-install the entire PC.
- For Linux machines -- the standard Unix user/group permissions control
this well, by enforcing exactly where any given user can and cannot install
applications.

How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Wednesday, August 23 2006 @ 12:23 PM EDT
We fire them - instantly.

While some companies may have more relaxed policies regarding the use of company
computers, at financial institutions it is made very clear that the workstation is
the company's workstation, not the employee's workstation, and that ONLY approved
applications are installed. All workstations are wiped clean and reinstalled
with the official image nightly. NO information is stored locally. If you so
much as download a screensaver, much less install it, you will be fired.

Of course, permissions are set that make installing any software virtually
impossible.

How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Wednesday, August 23 2006 @ 12:35 PM EDT
Form follows function around here.

Some users, the IT guys themselves for example, they're allowed to do whatever
they want with the understanding that only corporate-approved apps are
supported.

At the opposite extreme, some users don't get "PCs", they get Citrix
boxes, and can install and configure nothing.

Most users are somewhere in the middle ground, where they're allowed to
configure their desktops to an extent, but not to install applications.

Also, internet access is heavily filtered, and all downloaded files are scanned
for viruses and known spyware, so spyware and malware can't take root.

Of course, we're a larger shop, so have a group of people doing all the admin
work around this.

Linux = Easy, Windows = Hard
Authored by: kitterma on Wednesday, August 23 2006 @ 12:58 PM EDT
We are a very small company with a mix of Windows and Linux desktops.

With Linux it's very easy: software installation rights aren't given to end
users. They can't install anything. No matter what they do, the worst they can
do is mess up their own user account area, which is trivial to regenerate if
necessary.

On Windows, it's a matter of education in smart computing practices. While
similar results could be achieved in theory by restricting administrator access,
in practice it causes too much extra work. Additionally, there are anti-virus and
anti-spyware programs that need to be installed, updated and run that aren't
necessary for Linux.

15 months ago we were 100% Windows on the desktop. Today it's 50/50. I
anticipate being Windows free within 6 months. We'll just use CrossoverOffice
to run Windows applications we have to have.

How does your company keep employees from loading apps on their PCs?
Authored by: Benanov on Wednesday, August 23 2006 @ 02:13 PM EDT
Windows. Certain things are disabled via Group Policy (such as changing the
screen saver, which is the real default Win XP logo/black screen one).

You can pretty much install anything else you want, it's hardly monitored.
(There's usually someone every week or so who needs all of the spyware ripped
off of their box.)

I have tons of (L)GPL'd apps--GIMP, FireFox, OpenOffice, GAIM, WinMerge, 7-Zip.
I use the FLOSS alternatives as a cost-saving measure, because I don't need a
photoshop license for what I'd do with an image.

My company seems to not even recognize that other operating systems besides
Windows exist, as far as official policy goes. (In fact, my using rdesktop to
remote in from my Ubuntu box is officially unsupported, but it's not like I need
support.) We might have a few Linux servers, but they're in commercial firewall
boxes and the like.

I have admin access to my personal workstation. We developers, it is understood,
can be left to our own devices once the basic server security is up to snuff.
Most other people do not run as admin. (This is good!)

I think the organization looked at OpenOffice simply due to the fact that they
were originally out of compliance on MS Office licenses. That's no longer the
case (three more years...)

No, you don't get to know where I work.

---
That popping sound you hear is just a paradigm shifting without a clutch.

Why would you want employees that can't follow the rules?
Authored by: Anonymous on Wednesday, August 23 2006 @ 02:15 PM EDT
First offense, remove it and warn them.
Second offense, fire them?

Diskless workstations and terminal servers reduce installation needs
Authored by: pbakker on Wednesday, August 23 2006 @ 02:26 PM EDT

Our site has up to 20 users in a specialized manufacturing environment. Since 2001 about 80% of day-to-day computer usage is covered by standard applications in a standard environment. For all standard office functionality we built a system using diskless workstations which use PXE, etherboot, and LTSP to boot to a Linux KDE desktop. For standard Windows and DOS applications that we still use we have installed a Windows terminal server with Citrix so that each user can also have a Windows desktop available, loaded as a window on the KDE desktop.

There are many advantages to this approach, starting with the diskless workstations. These small boxes were configured with an EPIA Mini-ITX motherboard. There is no hard disk and there are no moving parts, resulting in a silent box which needs virtually no administration. If a box fails for whatever reason we simply swap it with a replacement and the user is good to go again in a few minutes. The absence of a hard disk, CD ROM, and floppy drive means that there are no issues with local storage, installation, or file copying. USB is not enabled in LTSP. The absence of a local storage device at the diskless workstations means there are no local files to back up or upgrade.

Users do not have administrative rights to either the Linux box or the Windows terminal server. The administrator installs and maintains the standard applications. Since this is done once centrally for all users regardless of the number of users on the system, maintaining a terminal server is not much more work than doing administration for a single actively-used fat client.

The remainder of users' needs for specialized software and hardware is covered by fat workstations, typically Windows, on an as-needed basis. For a number of users this means they have both the diskless workstation as well as a regular computer in their office. Other computers in the manufacturing area are dedicated to specific functions. Software installation is controlled through a combination of trust, policy, and disk ghosting.

Off-site remote usage of office applications also benefits from the use of a terminal server. For example, using a Citrix client with Windows TSE the off-site user remotely accesses the same environment as used inside the office. There is no need to install the same software a second time on the off-site computer.

Observation
Authored by: Anonymous on Wednesday, August 23 2006 @ 02:54 PM EDT
Interesting ideas, even if I don't particularly agree - fear and respect are
interesting creatures, and rarely found in the same place.

Here's how we do it
Authored by: Anonymous on Wednesday, August 23 2006 @ 03:37 PM EDT
We are a huge corporate Windows house.
Only approved systems are allowed to connect to the network,
and only systems with the approved corporate image can connect.
All non-approved systems are blocked.

We use "MAC" address filters.
Only one machine is allowed to connect to a port. You can't use a hub or
anything, the network switches will lock out the port if it sees that. We use
port security. etc.

PCs are locked down pretty much. Even in special cases where users have admin
access because they need it (network reconfig for onsite support, etc)
everything is monitored.

Any non-approved commercial software installed means immediate termination,
regardless of circumstance.

Open source software is allowed to a certain point.
"Servers" and sharing software are forbidden and cannot be installed.
Even MSN messenger cannot be installed.
The security policies on the machines (even those with local admin) won't allow
it.

All access ports are blocked. All access to internet must go through an
automatic proxy which monitors and records ALL activity, regardless of
position.

All email and other communications are monitored and recorded. Essentially
everything is keylogged.

Even an approved system, if installed with Linux or another OS, will not be able to
connect to the network; the system uses Windows AD, LDAP and other security
measures to ensure this.
Non-Windows systems will never be able to connect to the domain, regardless.

In short, we own you. You do something we don't like, you're canned. And no,
this is not a joke.

Have a nice day.

How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Wednesday, August 23 2006 @ 05:07 PM EDT
Server Linux Slackware with kernel 2.4.31 vanilla,
uptime today non-stop 373 days
Users only DEC VT510 monochrome terminals (RS-232)
Programs only [n]curses[3x] based, no internet
All users privately only M$ dependent/habitues,
so no idea what UNIX/Linux is (or can)
Two standalone M$ machines, frequent virus/trojan etc.,
connection to server via telnet or similar,
but never caused problem(s) on server
Main machines since AT&T SVR2 (1986): AT&T 3B2,
Intel 486DX50, Intel PIII500 and Intel XEON28000HT
never problems in 20 years

Mario Vanoni from Switzerland
don't remember my account, too lazy to remember ...

How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Wednesday, August 23 2006 @ 05:12 PM EDT
Everyone is a restricted user. Users cannot install software. Local machine
admin accounts are randomized by a custom agent, alternate boot methods are
disabled in the BIOS, which is also locked out by password. In addition, only
whitelisted applications get network access at the client level. That
effectively blocks most unauthorized apps, and a lot of the spyware that users
tend to collect. Group Policy keeps them out of anything else they could break.

Many IT shops can't take the pain of making all users restricted, since there
are so many poorly written applications out there that assume all users are
admins. In the vast majority of cases a little time in regmon & filemon can
get the offenders running.

Now we prescreen applications prior to purchase to ensure they run under a
restricted user account. If the vendor can't make the software comply, we don't
buy the software.

How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Wednesday, August 23 2006 @ 06:25 PM EDT
How does YOUR company deal with employees installing apps on the company computers?

Very easily: They can't.

4. We control their installations using technology. What technology would that be?

This is what we do.
Here's a description of our setup at work:
All office computers work as thin clients running off a central server. The local workstations don't even have a harddrive. They simply netboot from the server - so that's where all apps reside and we can easily manage what's available to each user.
This has several advantages:
1) When someone needs an application we simply install one copy on the server and it's instantly available to everyone (if we permit it).
2) If a desktop machine blows a fuse it's a simple matter to replace it with a new one - no installation needed, just plug it into the network and boot it and the user instantly has his machine back.
3) A user can log on to any PC at the office and get his own personalized environment. Since there's *nothing* stored on the individual machines (no harddrive, remember?) it doesn't matter what machine a user uses.
4) The work environment is nice and quiet since there are no noisy harddrives spinning everywhere and we use low power machines that can run with fanless power supplies, so the machines make zero noise.

Preventing people from installing applications was very, very simple. The setup is such that the operating system and applications area are provided (via NFS) from the server to the clients and are read-only from the client machines, and then each user has a personal home directory (home folder), also made available from the server, where they can store and retrieve files. Now you probably think that users will then just install apps in their home directories, but they can't. The home directories are mounted "noexec" - that is, non-executable, so they can read and write files, but the operating system won't let them execute any programs stored in this area.
Very simple setup with lots of advantages, and we are completely free of the problem of users installing their own apps.
If someone needs an application we don't currently provide, they contact an administrator (like me) who then makes sure the app is OK, installs it on the server and makes it available to either a single user or a group of users.

There's really nothing special about a setup like this. All the client machines and the server runs Linux and any Linux distribution contains the tools needed for a setup like this out of the box. It's not even very complicated to set up, quite the opposite, it's extremely simple.
To make things easy on ourselves we used LTSP (The Linux Terminal Server Project) for the Thin Client setup and on the desktop we provide users with a nice graphical environment (KDE) to work in. For ordinary office stuff we use Open Office and Evolution (for email and calendar stuff) and for browsing we use Firefox. And then we also provide a bunch of other different apps for special needs.

Another option would be to use SELinux (Security Enhanced Linux). I've worked at one place where SELinux was used to setup policies for each user defining what apps they could run, what areas of the disk they could access and what they could do there etc etc. It's a more flexible option than what we use where I work now, but it's also a bit more complex to setup (although it's not rocket science). And now that SELinux is a standard part of the Linux kernel it's even simpler.

Another option, that I haven't used myself but have heard good things about, is KDE's KIOSK mode.

And the best thing is that all of this is done using only Open Source software, so we have no license fees, there's a *ton* of documentation available and huge user communities to draw on for support - much more than I've ever gotten from a commercial company.
And when we encounter a problem we have the source code available so we can go in and fix it ourselves rather than have to wait for a vendor to do so. That's something our users have often appreciated since it provides quick turnaround times when they report a problem - either we can fix it ourselves (and of course submit our fix upstream) or we report the bug and someone else usually comes up with a fix within a day or two.

If you use some sort of technology, please tell me about it. How well does it work?

See description above.

Was it expensive, in financial or other terms?

In financial terms it was free. We even saved a bunch on hardware since the client machines don't have to be very powerful - everything runs on the server - a server (well, actually 3) capable of handling 20+ clients cost us a bit, but far from what 20+ full-powered desktops would have.
The biggest cost was retraining people who were used to working on Windows and using Microsoft applications, but that really was not that big a deal. Most people felt comfortable after a few days.

How annoying is it?

Not at all, from an administrator's point of view, quite the opposite. It's a breeze and really cuts down on the time we have to spend on broken desktops since people simply can't break them.
We also don't have to spend a lot of time installing apps on 20+ different PCs, we simply install an app once on the server and it's instantly available to everyone. Makes updating software, installing security fixes, installing new apps etc. a walk in the park.

Similarly, how well does administrative policy work? Do employees follow the rules, or do they imagine that gosh, installing a screensaver doesn't qualify as an *app*, does it?

They *have* to follow the rules, they can't install anything themselves, so they are forced to ask the admins to install stuff for them if they need something.

Use VMWare GSX environment
Authored by: rharvey46 on Wednesday, August 23 2006 @ 06:37 PM EDT
Our company does not presently do this, I wish it did.

In the case of VMware GSX Server, one could have a server (or server farm) where
one or more VMware images were stored on SAN (multiple for certain
product sets that may not agree with others). These images can be shared in a
read-only fashion (making backups easier and improving performance by using
multiple machines). Configure the VMware instances such that all changes are
lost when the machine boots up. This means that (unless an administrator) any
data stored, and any programs installed, would be lost unless done by the
administrator or using a home drive or shared drive.
Thinking of Windows, if the user has no administrator rights, he may not be able
to install programs, but he may also not be able to develop using certain tools
(Microsoft Visual Studio for example). Amazing, a virus does not need as many
privileges as a developer! However, by providing a temporary store - and
informing the user that it is temporary - any damage done is also temporary. At
work, very few people have any administrative rights - but this also frequently
means that, for some development tools, they need to use an administrator
(account) to do any development. I find this absurd.

Another method (in the case of Linux) would be to configure the directory
structures in such a way that most directories are read-only and only specific
directories are writable using bind or mount points to SAN storage. IBM has a
redbook at http://www.redbooks.ibm.com/redpapers/pdfs/redp0222.pdf

In the end, any user changes to his 'local' image would be temporary only -
unless he saves them to network locations.
This does require remote access somehow to the GSX image from the user
workstation (not sure of the products here), but these could be standardized to
the point where everything is read-only. Kind of strange, we would be back to
the day of 'dumb' (but graphical) terminals connecting to one (or more) servers.
Not a surprise to me... I work in the mainframe world to a large degree.

Another VMWare solution may be VMware Enterprise Desktop, but I have not read up
on it much. In addition, some products may now have been renamed or fit better.
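
The two posts above rely on the same Linux control: the shared OS/application tree is exported read-only, and the only writable areas (home directories, scratch space) are mounted so nothing in them can be executed. The audit script below is an added example, not code from either poster or from LTSP; it reads lines in /proc/mounts format (the sample lines are constructed here, the server name and export paths are assumptions) and reports any home-directory mount that lacks noexec/nosuid/nodev and any application-tree mount that is not read-only. noexec only stops the kernel from executing files stored on that filesystem, so it is one layer alongside the read-only application tree and the absence of local admin rights, not a complete control on its own.

```shell
#!/bin/sh
# Audit mount options for the noexec-home / read-only-apps design.
# Input lines use /proc/mounts format:
#   <source> <mountpoint> <fstype> <options> <dump> <pass>
# Home directories (under /home) must carry noexec, nosuid and nodev;
# the shared application tree (/usr, /opt) must be mounted ro.

# has_opt LIST OPT: succeed if OPT appears in the comma-separated LIST.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_mounts: read mount lines on stdin, print one FINDING line per
# problem, and return the number of findings (0 means the policy holds).
audit_mounts() {
    findings=0
    while read -r src mnt fstype opts rest; do
        [ -z "$src" ] && continue
        case "$mnt" in
            /home|/home/*)
                for want in noexec nosuid nodev; do
                    if ! has_opt "$opts" "$want"; then
                        echo "FINDING: $mnt ($src) lacks $want"
                        findings=$((findings + 1))
                    fi
                done
                ;;
            /usr|/usr/*|/opt|/opt/*)
                if ! has_opt "$opts" ro; then
                    echo "FINDING: $mnt ($src) is writable; expected ro"
                    findings=$((findings + 1))
                fi
                ;;
        esac
    done
    return "$findings"
}

# Constructed sample: two compliant application exports, one compliant
# home export, one home export missing noexec/nosuid, and a writable
# scratch area mounted inside the application tree.
SAMPLE_MOUNTS='server:/export/ltsp /usr nfs ro,nosuid,addr=10.0.0.1 0 0
server:/export/opt /opt nfs ro,nosuid 0 0
server:/export/home /home nfs rw,noexec,nosuid,nodev 0 0
server:/export/home/dev /home/dev nfs rw,nodev 0 0
server:/export/scratch /opt/scratch nfs rw 0 0'

# run_sample: audit the constructed sample; returns the finding count.
run_sample() {
    printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
}

# audit_live: audit this machine's real mount table (not used by the sample).
audit_live() {
    audit_mounts < /proc/mounts
}

run_sample
echo "findings: $?"
```

On a real LTSP server the same function runs as `audit_live`, and a nonzero return is the signal to inspect /etc/exports and the client fstab before anyone can drop a binary into a writable, executable path.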

How do you enable Windows users to install software for everyone to use?
Authored by: Anonymous on Wednesday, August 23 2006 @ 06:45 PM EDT
One thing I notice is that a lot of the Unix environments enable people to
install software into a place where everyone in the department or even company
can use it.

For example, if I install a newer version of Perl on the server for our
department, everyone who has my department's "bin" directory in the
path can access it. This ability vastly increases the usefulness of letting end
users install software; and perhaps that's why it's more prevalent in the Unix
world? This results in a pretty consistent shared environment that is easier
to maintain than disallowing installs.

In contrast, on Windows it seems when I install software, it affects that machine
only -- so when Windows users install software it leads to a bunch of differently
configured machines that sound like a maintenance nightmare.

Is there a way to get those benefits on Windows? If so, perhaps installing
software won't be seen as such a bad thing.

How does your company keep employees from loading apps on their PCs?
Authored by: CraigRinger on Wednesday, August 23 2006 @ 10:44 PM EDT
We have three classes of client machines:

- Mac OS 9 machines with QuarkXPress 4 for desktop publishing. If they can FIND
software for these, they can install it - but most are too computer illiterate
to do so. These will soon be replaced with WinXP clients - which will be locked
down to some extent with group policy and limited user accounts, but beyond that
simply reimaged from a safe sysprep image if any problems arise.

- WinXP clients for selected other users. While nothing much is being done to
prevent software installs on these, that needs to change after a few prominent
instances of "clueless user clicks on 'system alert' from website"
spyware installs. Using Firefox. I'm probably going to apply Group Policy here;
so long as software installs are not trivial they will not happen, the users
aren't computer literate or determined enough to get around initial prevention
measures. The users currently run as local admins (thanks for the crapware,
Adobe) but I'm looking at the required registry and file system permission
changes required to permit users to run without local admin and still use
Photoshop and friends now. A stored sysprep image is used to reimage any clients
that become compromised.

- For users with basic needs an LTSP thin client deployment is operated. There
are problems (Firefox and Thunderbird need to handle X server disconnects
reliably and properly, rather than occasionally entering a zombie-like running
but not responsive and blocking new launches state; OO.o has the same issue) but
overall it works extremely well. It's simple to use, the apps do the job, and
while users can install software it's not easy (Linux without root) and
extremely unlikely to be harmful.

The main downside with LTSP is clunky-to-nonexistent support for client-side
sound, video playback, and local media such as CD-ROMs and USB memory keys.
Without these limitations it'd be deployed across the whole company (except
where incompatible apps such as accounting packages and desktop publishing
software prevent it).

Student labs use turn-back
Authored by: jmhill on Thursday, August 24 2006 @ 01:27 AM EDT
Hello;

I teach in the College of Engineering at the University of Hartford, located in
Connecticut, USA. We used to have a major headache with student labs.
Everything that you can think of with regards to Windows made the PCs hard to
maintain.

The problem changed overnight when we installed software that we refer to as
"turn-back." The idea is that our sysadmin controls what the reboot
disk image looks like. Any time a PC is rebooted, the PC hard-drive reverts
back to the reboot image. Any software installed locally by a user is wiped
away when the PC reboots.

To save student work, we have a department RAID file server that we encourage
students to use. The moment a student logs in, the file share on the server is
mapped to a generic drive letter. We also encourage students to use USB flash
memory.

Yes, turn-back is a pain and costs, but our students depend on having usable lab
computers and have come to appreciate that when a PC starts acting flakey, just
reboot and continue working. I make a point to ask students to not attempt to
remove the turn-back software, as PC labs are a resource that the University
provides to benefit students.

Jonathan

Complete non-question
Authored by: Anonymous on Thursday, August 24 2006 @ 03:12 AM EDT
As far as I know, all recent OS's allow blocking of installations. Similarly,
they'll all let you do a copy&paste "install" of binaries in your
local directories.

Actually, the technical questions in the article can all be answered by simply
reading the manual of whatever OS you're using; they all have these features.

Only an idiot would choose an OS based on this topic, since it essentially makes
no difference.

Use VMware ACE - Assured Computing Environment
Authored by: jcasares on Thursday, August 24 2006 @ 04:15 AM EDT
You can use VMware ACE. It lets you run a secure, centrally controlled virtual machine. Users can do and download what they want in their physical machine. But only the virtual machine can access the company network.
See more in the ACE information page. -Juan

Thin clients and remote servers.
Authored by: Anonymous on Thursday, August 24 2006 @ 05:03 AM EDT
Can't install locally, can't physically get to server.

How does your company keep employees from loading apps on their PCs?
Authored by: Mario_Vanoni on Thursday, August 24 2006 @ 11:54 AM EDT
Hi Pamela

You are right, I beg your pardon.

It was an unforgivable typo in my nym,
shame for an old (age group == DMR) UNIX sysadm,
I remembered the password.

Many thanks and ... sorry.
Kind regards

Mario Vanoni

Speaking locally
Authored by: Anonymous on Thursday, August 24 2006 @ 02:33 PM EDT
The University I work at doesn't enforce a central policy. Locally in my department, I do it by varying support.

Standard applications (Office, the local network storage app, etc) I install and are fully supported. Use of the corporate anti-virus product (SAV) is mandatory.

Users normally don't have Administrator or Power User status, but can if they ask and sit through the associated "don't shoot your foot off" lectures; at that point, they may be able to install software. Software they install I will also generally support, but I reserve the right to determine "it's crap", at which point my "support" reduces to helping uninstall it and helping look for something else that isn't crap. It usually takes about eight hours, plus possibly a phone call to the software maker's helldesk line.

If they install something DANGEROUSLY stupid, such as spyware, a virus, or something illegal, I also reserve the right to say "that's TOXIC". At that point, I will help them back up what they think they need short term to external media (max 5GB), and place it (after a virus scan) in a folder on the hard drive of a "loaner" laptop, heavily-locked down via "Deep Freeze". I then remove the offending machine, back up their data, wipe and reinstall the machine, and restore their data. On Windows systems, I also recreate the default installation folder of the offending software and remove all permissions from that folder except an explicit "deny all" for the user in question. Turnaround time is promised as under three business days, but I make sure it usually takes one full business day.

The inconvenience of the temporary loss of access and computing power (the loaner laptops are slightly older but serviceable models) is sufficient risk that my users ask before installing something potentially toxic. I warn of this policy in the Power User/Administrator lecture, have only needed to do this three times total, and have never (yet) had to do this to anyone twice. I've justified the resulting loss of user productivity as being marked off to "mandatory security education".

One exception is kiddie porn, or anything that is electronic evidence of a felony. By company wide policy, that's an immediate call to the police; in practice, I would first take my leatherman and cut the video, keyboard, mouse, and network cords, and then call the police right afterwards.

In short, I'm relatively flexible... until you hit the point where I abruptly go rigid.

How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Thursday, August 24 2006 @ 07:56 PM EDT
Windows XP environment
We have three groups of users:
Most staff - locked down so they can't install software, via GPO. If they need
an approved product the IT service group will install it as long as they have a
licence. If it isn't approved, our group ensures they have a valid business case
and, if more than a couple of folk will use it, checks whether there are any conflicts with the
standard install.

Some staff are granted local admin rights for a specific PC, either because they use
broken software that must have local admin to run or because they repeatedly
install software for development or testing. They get NO SUPPORT apart from a
wipe and re-install of the standard environment unless they pay for it at
T&M rates (the IT service function is outsourced).

A very limited number of staff have admin rights on all machines - usually to
support specific internally developed applications.

Mostly works well.

Linux/ Solaris users just get sudo access as needed.

Mixed environment
Authored by: Anonymous on Friday, August 25 2006 @ 03:30 AM EDT
We are a company with a mixed environment. First IRIX, then HPUX, now Windows
and Linux on the Desktop, HPUX and Linux on the Server.

The Linux Desktops have access to a Windows environment with MS Terminal Servers
which are completely locked down (we can only write to the mounted network
disks).

All the UNIXoid systems had a setup like this: software was installed on
NFS servers so admins had to install only once; we users had read-only access to
that. We had write access to our home directories on our local disks, and we had
write access to our separate (local) data hard disk as well as to some server
shares.

We could have installed software on the UNIXoid computers in the home directory,
but we somehow never needed to (and most people could not - not enough
knowledge).

Now most of us are on Windows boxes, which also have most Software installed on
a server disk. This does not work well, because lots of software requires admin
rights at the system disk. Also, the standard Windows environment is lacking some
applications (like a decent editor) we need for our work. We HAVE to install
some programs ourselves to get the work done we have to do. Linux does not have
these shortcomings, because all these peripheral applications (editor, graphic
program, screenshot tools, ...) come along with the distribution.

Don't get me wrong, I think Windows CAN be locked down, so that users no longer
are able to install anything, but it is not easy to accomplish.
Most important would be to get a picture of what users really need, by looking
through what they already have installed on their (not locked) boxes. One would
likely find 20 or 30 small helper applications (mostly demo versions which are
begging you to buy a license). Most of them will have to be installed and
maintained by the admins if the users are expected to remain productive after
the lock-down.

I know this because currently we are being locked down, and because of licensing
costs not all apps are installed anymore. Productivity has sunk.

I hope this helps


The real question is: how do you keep IT from installing software on your computer?
Authored by: Anonymous on Friday, August 25 2006 @ 11:36 AM EDT
And the answer is: don't let them near it. Reinstall as soon as the machine is
delivered to avoid any issues with remote control software, etc.

God I'd hate to work in a real "normal" corporate work environment...


How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Sunday, August 27 2006 @ 08:14 PM EDT
How I block employees/users of my intranet from installing programs is blocking
the downloads for the installs. I have a Linksys router that allows me to block
URLs; I just put in *.exe, *.zip and *.msi, so if people try to download files
and the URL bar has that in it, it gets blocked. So no files get downloaded to get
installed. The only way people can install files is to bring a floppy or disk
and put it in the machine.


How does your company keep employees from loading apps on their PCs?
Authored by: Anonymous on Wednesday, August 30 2006 @ 01:41 AM EDT
I work for a software development/open source media company, and I can tell you
how we do things around here. Essentially, employees break down into four
groups:

1.) Developers/Support - Get hardware and internet connectivity. What they do
from there is their own deal. They come with an XP image pre-installed,
however, most of the time, it's blown away before the employee's gone through
his new-hire paperwork/manual. Their desktop systems are good to go, and their
laptops are their responsibility. They have Corporate Virus Control software,
but, that's about it. Developers are firewalled, Support is not.

2.) Sales - Get hardware (of their choosing) and a Power User account. They
get VMware Desktop with an XP image for everything else they'll want to
install.

3.) Marketing/Graphics People: Get Macs and have to go through the proxy, and
aren't allowed to install any software by Technology/HR policy.

4.) Everyone else: Locked down user accounts, all software has to be approved
by IT.

IT is actually really good at giving you what you need, as long as you can
justify it to them.


Groklaw © Copyright 2003-2013 Pamela Jones.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are owned by the individual posters.

PJ's articles are licensed under a Creative Commons License. ( Details )