Slashdot Mirror
Securing Your Internal Network from Windows?
acacord asks: "I am the Network Admin for a medium-sized law firm (hold the flames, please). We are one of the few Macintosh-based firms left. All of our workstations (near 150) will have been migrated to Mac OS X 10.2.2 by the end of the year. We have a couple users who think that they know more than the IT department and therefore insist that they maintain WinXP boxes on their desks. How should I configure a segment of my network for them, and them only, to make sure that the remainder of my networks are not susceptible to any of their natural security 'features' . Any and all ideas are welcome."
Users who think they know more than the IT department, who run a Mac network, insisting that they maintain Windows boxes? I keep reading that sentence over and over and alternating between laughing my ass off and getting mildly furious.
You: "MacOSX is built on UNIX technology, and is more stable, sports a superior IP stack, and new users will find it much easier to use, thanks to the greatest GUI ever designed"
Them: "No thanks, I use a real computer, and that starts with a PC running Windows."
I feel for you man...
Slashdot: Where people pretend to be twice as smart as they really are by behaving like children.
Ssshh....we have a near monopoly. Let's say we keep this quiet, k?
Just stick a firewall in front of them (filtering out ALL inbound not originating from the box) and let them share a hub. That way they can do all thier little active directory stuff with each other and won't have to worry about hackers hacking in. In fact, filter out all traffic coming OUT too and use a proxy for web browsing and mail and you won't have to worry about emailed code-red type things clogging up your network when they look at them in outlook.
"Your superior intellect is no match for our puny weapons!"
What threat does a couple of XP boxes pose to 150 MacOSX boxes?
Is there a known trojan/worm/virus that infects XP and then attacks MacOSX ?
Could this entire story be blatant MS bashing, because it's a slow news day?
Frankly, I think it's bad juu-juu to let users define policy unless it is already mandated by corporate policy. If you have the mandate to nix the installation of Windows boxes on the network, then just do it.
I guess that's the first question then. Can you say no to the request? If so, get 'em running with the standard plan. If not, then firewall them onto their own segment and be very, very tight about what gets in and out from their segment.
While I'm sure that someone with a clue could manage to run a WinXP computer just as securely and stable as any Linux, OSX, ... machine out there... ...i doubt that someone who insists of having a stupid PC when he could have a Power-MAC instead has any useable brain left...
It's probably your job to keep the network running, stable and secure and therefore I would do nothing... just check for open ports/running services about once a day (that can be automated) and whenever you note something that is against the acceptable use policy of your network disconnect them until it's fixed. That's the way it's done in many places: if you use something that's not approved and managed by IT you will have to care for it yourself.
They want to create work for you (not having a homogeneous{sp?} network increases the workload!)... you will delegate this back to them.
Fire them now before it's too late.
Then LART the idiot who hired them.
Failure to stop this sickness while
you can will result in major pains later.
You are being MICROattacked, from various angles, in a SOFT manner.
youre right. he need to think about the storys he posts to slashdot.
format c: it works everytime! garenteed to protect your macs from the pc's and it does wunders for the pc's uptime as well
dybia felly dwi a hampster (i think therefore i am a hampster)
Given the number of computers involved I am assuming you are using switches. One option you have is to configure VLANS - I'm not very clued up on these, but iirc you should be able to construct a logical separate LAN from a group or port or MAC addresses. Then you need a gateway between the Windows VLAN and the Mac VLAN, with a firewall which can protect them from each other.
This can be a bit nasty to manage though. If its a port-based VLAN you have to make sure the boxes are plugged into the right network sockets, or they'll be on the wrong VLAN. If believe MAC-based VLANs are possible (but I could be wrong); in which case you have to have a list of MACs and whether they are Windows or Mac machines, and assign them ... tedious.
A simpler solution could be to insist that all Windows boxes use DHCP, and assign them addresses in a particular subnet. If you want the Mac boxes to use DHCP too, you'll have to do MAC reservations for the Windows network cards to make sure they go onto the right subnet. Then have a gateway/firewall. This doesn't protect against lusers who give their computer a static IP on the logical Mac subnet ... but it gives you some ability to manage the situation.
To detect troublecausers, you could automate a security scanning tool to check the Mac network for computers which appear to be Windows boxes.
i-name =twylite [http://public.xdi.org/=twylite], see idcommons.net
At least your question here suggests that they might be. Nothing worse than an overzealous, clueless sysadmin.
Jilles
Imagine a story where the opposite is true: a Windows Network Admin who asks how to secure a few Macs from the rest of the Win network. Be honest, the bloke would be flamed to a cinder, and rightly so, because securing a network should be part of a Network Admin's daily job!
So why is the majority of the reactions like, "Oh, poor Mac Network Admin, those Win users deserve any shit they get!" Why not subtly reminding him what the fsck his job is in the first place?
Oh wait, I see: he needs to maintain a few WinXP boxes in a *nix environ, so when he bitches he must be right. Because it's Microsoft. Right?
Funny as this is (IT department demands users use MacOS, users refuse and want to use Windows), there's a simple fix. If these folks are so computer-centric that they can handle this themselves, let them run (as an alternate...I'd put a normal, supported computer on their desk so that they're never in a situation where they can say "hey, I can't do X and the IT department won't help") Windows. Make them admin the box themselves too, and state very clearly at the outset that connecting a nonstandard box to the network is a privilege, not a right, and at the first onset of problems, the box goes permanently.
A lot of Windows networks have Linux boxes creeping on to them via this route -- the users have to admin them, and are fully responsible if anything goes wrong.
I'd also put a few hard rules on the users -- if they break them, they're in violation. First, SMB/CIFS goes. Windows file sharing causes more problems than anything else on earth. Second, it's probably not a bad idea to budget to get them antivirus programs. Third, I wouldn't let them run their own servers (IIS or whatnot) unless this is already a normal policy (users running servers is kosher) and you have them blocked from the outside world -- users simply do not reasonably have the time if they're doing their work to keep servers up to date.
That being said, your job is to allow the users to get their work done as efficiently as possible. If they're uncomfortable in a non-Windows environment, don't make yourself disliked by trying to impose a different environment on them. Make reasonable restrictions, as I noted above, but don't axe their desires just because they're Windows-based.
I'd try this approach regardless of the OS being used, if it's an unsupported OS, as a matter or fact.
Oh, and the last item: you may (I feel reasonably) ban the use of Outlook on your network. People can argue as much as they want about whose fault Outlook issues are and whether Outlook is simply targeted because it's popular, but there have been enough nasty worms and problems coming from Outlook that I don't think I'd want to administer a network with it on it.
May we never see th
Put them on different subnets and stick 2 NICs into the server. this will expose only the server to the Win XP machines.
For extra paranoia, put the Windows XP on a different switch.
For super paranoia, pull the blue cables out.
There are several ways you can do this (why, I don't know, but thats your call). Any Network Administrator should already know this stuff, however.
You could VLAN the XP boxes onto thier own segment, then use Access Control Lists to only let the traffic through that you want. Or, alternately, a firewall.
You could publish desktop standards (with management approval, of course), and simply turn of the switch ports of the XP boxes until they get a Mac.
Or, you can leave them on the same networks as the Macs. Just dont let them install 2000 Server or whatnot with ADS, and you should have no problem. Is there a specific cross platform virus you are worried about, or are you just a chest thumping over-zealous sysadmin?
"The natural progress of things is for liberty to yield and government to gain ground." - Thomas Jefferson
Er, they have Win XP already..
...and he grinned, like a fox eating shit out of a wire brush.
No, it's because of the fact that he's working in an OS X shop, and some users insist on running XP. Hey, when I can replace my XP box with OS X at a Microsoft shop, and *still* force the IT depertment to support it, I'll be happy.
But the reverse is not true sadly. I don't know of one IT department that would continue to support you if you'd replace an XP box with any other OS.
-BrentKeep those boxes under seperate virtual lans, and put a firewall in between the two.
How should I configure a segment of my network for them, and them only, to make sure that the remainder of my networks are not susceptible to any of their natural security 'features' . Any and all ideas are welcome."
SOCKS proxy.
If you have to ask, you are unqualified to do your job, and should resign immediately.
Read the EULA carefully. Especialy the part regarding auditing any and all computers in the building. Let your staff know the building can not support the liabiality risk of the other OS.
Please do not give the BSA a free ticket in the front door.
The truth shall set you free!
...the reason he's griping about his WinXP boxes is that he doesn't want any viruses banging on his network, crackers hijacking these machines, etc.--Windows IS more susceptible to this stuff, if for no other reason (and there may be other reasons) than it is so popular right now, and it is not exactly set up by default to be secure. So get off your high and mighty standards-compliance horse (no matter that I agree with you--I think you have a good point about what _should_ be the case) and remember this guy has to deal with a real-world situation.
Plus, MS is not really into standards-compliance last I heard, and that also kinda puts a crimp in your ideology...
We have a couple users who think that they know more than the IT department
If you have to ask such a simple question, may be your users DO know more then IT department.
Let them keep their Windows machines. Just don't help them. Sure, you can turn on the Windows services available on your OSX Server, but tell them that beyond that, it is their problem. There might be one snag, however. Does any sensitive information sit on these Windows machines? If so, they shouldn't be allowed "for security reasons". If not, just leave them until the first viral attack or r00ting, and then unplug them due to their danger to each other and the network in general.
A network can be set up easily for you in this manner:
I will assume that your 150 mac workstations are all connected to hubs located around your building. Those hubs are probably connected to a larger hub closer to your router.
If that is the case, simply ask you pc users to plug in to the closest hub.
The pcs are so deep in the network that they should not get attacked by inbound worms. Your router and firewall should handle that.
As a requirement that you get to set.. force them to install something like Norton AntiVirus/Internet Security. Assign the pc users IP addresses. dont let them automatically assign using DHCP. when they get fussy with you about AntiVirus. simply kill their IP address and tell them when they meet requirements they get turned back on.
But know you will have to add to your routine a few steps.
make sure they have all incoming email getting scanned. Set their computer to only let you be the admin and them the user. Set windows update to automatically install updates. Set Norton to check for updates everyday. Do not let them have the ability to install software unless you do it.
this should put things back into control for a while.
pcs and mac os x actually work fine together as long as the IT guy is a tyrant!
pretzel_logic
Add the windows boxes MAC addresses to their own VLANs and have the rest of the computers assigned to the open segment. Or just set up a named ACL to deny known 'security features' of windows, assuming it's a switched network.
I didn't know there was a version of Word Perfect for OSX!!
:)
(Moderators - if you don't see the humor here you need to go talk to a lawyer or an IT consultant who's handled law firms...
In the past, I have handled this question in a number of ways. First, you need to establish how necessary it is to their jobs to work on a platform different from the rest of the company. This doesn't have to be a platform war. There are plenty of reasons for them to want a different platform, pick your battles carefully. If it is still necessary that the Windows boxes remain, establish who the admins are for the boxes. If your endusers insist they can administer the boxes,I would refuse to allow them to attach it to the network. It's all very well and good for them to be technically savvy, but the network is still your responsiblity.
However if you administer the machine, and I realize it's probably not your first choice, you need to start reading up on Windows. Yes, there's a lot to keep up with, however their can be some advantages to understanding different platforms and being able to administer and secure them in the same environment. And regardless of how any one feels about it, Window is still the most common business environment.
Additionally, I see several post that seem to question the legitimacy of the original question. This *is* a legitimate question, as any one who has had samba and appletalk on the same network can tell you. Discussing security concerns when integrating two very different platforms with different vulnerabilities is more than reasonable for any Administrator, especially in a small business environment where the only other "collegues" they may have access to are the very same users insisting on the installing their own boxes.
Can you blame him with windows' security reputation? Who wants some freaking winblowz network worm hurting their beautiful mac network?
reech bee-yond ur clip-0n
They're lawyers, right? Don't deal with them as tech wannabes. Deal with them as lawyers. For a change like this, one of the very top PHBs must have either okay'ed this, or instigated it. Go up the ladder to the highest lawyer in the firm that was behind this switch. Have him help you prepare a form that says something like, "Since Windows XP has been shown to have the following security vulnerabilities...yada yada yada...and the Macintosh OSX has been shown to be a more secure system...yada yada yada...I understand that in insisting that I use Windows XP as my desktop operating system, I am increasing the risk of having not only my computer, but the entire corporate network either infected or damaged by viral programs, as well as the risk of my computer or the entire network being accessed illegally by unauthorized persons. I fully understand it is my choice to use this software and I take full legal and financial responsibility for any damage done to my desktop system or the company network as a result of my choice of running an OS with these known high risks."
Be sure to include in the paper (where the first set of yadas is) lists of vulnerabilities of WinXP, including the recend IE/Outlook flaws for which there is (as of yet) no sure fix. In place of the 2nd set of yadas, put in documentation that shows OSX is more stable and less vulnerable.
The point is to take the issue to them on their grounds and show them that their choice can have serious implications for them and the entire law firm and that they could be the idiot responsible for the whole system going down. If they are talked to in their language and made to see their choice as a real action with real (and possibly disasterous) consequences, it could open their eyes. You might still have to deal with WInXP, but it'll certainly get them thinking about it.
No, the majority of the reactions here are "WTF is your problem with letting them run XP? Are you some kind of IT nazi?! No Windows for you!"
IT should ABSOLUTELY be dictating policy on their LAN. Assuming COMPETENT IT personnel, they are responsible for ensuring the security of their LAN. It is going to be IT's ass on the line when some Windows box spews Klez emails all over the web.
Remember that worm that infected Samba shares? What if a file gets infected by a Windows machine, but noone knows until they email it out to some unwitting client? Instead of giving everyone who expresses some dislike for Microsoft products a hard time, how about offering a suggestion to help this guy?
To be honest, it shouldnt take much to keep those XP boxen secure. If they won't be using Outlook, that is a big first step =). After that, keep IIS off the machines, install Microsoft's automagic update feature, and you should be good to go. If possible, make user accounts for the users of the machine and keep them in the users or power users group, to keep them from installing any other software. If they can justify having a Windows box on your company's LAN, you can justify some conditions.
You're the network and hardware administrator. You don't support Windows. Regardless of whether you know Win or not, the company that pays your salary does so in order to keep you maintaining the Mac network, not some secretary's WinXP box so she can use ICQ or whatever.
The computers aren't there for their convenience and entertainment, they are there so that they can do the work they are paid to do. Since you're running over 100 of these systems, I'm making a fairly safe assumption that everything that needs done in day-to-day business can be done on the Macs that the company provides?
There is no reason to introduce unsupported hardware and software into your environment. Maybe the handful of people should be made aware that if Windows boxes were to come into play, they'd have to fund a new employee to manage those computers, which would drop $100K or so from the anual budget; that's a lot of company-expenses dinners and parties that won't happen, jsut so they can play Age of Empires or whatever while they're working.
This space for rent. Call 1-800-STEAK4U
IT's job is to make sure the lan is up, not to police it, if users need winxp for whatever reason, tough for IT, if one of the guys needed a dos box because that's the only thing that runs his software, then thats what the user gets, IT can make suggestions, but they shouldn't be dictating commands to people like gods
You're there to support their needs, not vice versa. It sounds like you don't have veto power over their decision to use XP, so do everything in your power to make their experience positive and productive. It never hurts to have more friends. And if their experience with XP is NOT going to be good, then don't set yourself up as the scapegoat. Enemies are bad, especially if they are lawyers.
It never hurts to know more. This is a good chance to learn more about how most of the world lives, and how to support them. It may be the camel's nose in the tent, but in a installation like yours it will take years to make a transition, if it it ever happens. Nobody knows what the future will bring. Apple may (finally) go out of business -- it happened to Wang and DEC, after all. Or something new may come along. If you are flexible, your skill set will never become obsolete.
Threats cannot be dealt with in the abstract. Security is not a monolithic property that can be measured in a system. Instead, deal with concrete issues and make your plans from them. Take a legal pad, and draw a line down the middle. On the left, put your concerns: viruses, trojans, spyware, license audits. On the right, ways you can deal wtih them: anti-virus software, supervising software installation, reading and understanding your licenses and keeping your license documentation in a safe place. Getting your ducks in a row is what makes you a professional, not some whining fan-boy.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
EXACTLY! They have to make sure the LAN is up! This we can agree on. Part of that is making sure you KNOW what is on your network, and are aware of the possible vulnerablilities. And the only way to do so is to spell out exactly what IS and ISN'T allowed on your LAN.
I work for a company composed largely of engineers, who are working on a networking product. Yet these same engineers don't think twice of plugging a box into our core LAN, and running a piece of software designed to do funky things with IP they can't predict the results of. I had my core LAN going down once or twice a week because some engineer's machine was spewing bogus ARP packets on the network. I do my best to accomodate these guys and not inconvenience them, but when they start taking down the LAN and interrupting everyone else's work I had to draw the line.
IT shouldn't act like a bunch of Nazis, but part of keeping a LAN secure and functional is dictating a policy of what is and isn't allowed on a network. This is where the management side of MIS comes in. There is more to MIS than being a tech. Maybe I'm confusing MIS and IT? Perhaps, but then a lot of people here are too. Do any of the idiots bashing this guy have any experience at all?
"I am Mordac, the Preventer of Information Systems! Your request for a non-standard computer is DENIED!" -- misquoted from Dilbert
Use this as cost justification to get yourself a windows box and learn to use, admin, and defend it, and how to integrate it cleanly with your Macs.
If that doesn't sound like interesting, lucrative work to you, you might consider switching careers.
OS zealotry is for the weak and cowardly. Learn the strengths and weaknesses of all of them and use them all to their best advantages. If you are talented, your salary will come to reflect this decision in a very positive way.
C'mon, relax. You can handle this. Be strong and stop standing in the users' way.
I would put them behind a firewall or NAT box and turn off every inbound port to them. Enable outbound ports one-by-one, as needed. (POP3 and IMAP internally, WWW to the outside world, whatever). Proxy the heck out of their WWW access, and require credentials.
Alternatively, run them under VMware hosted on a linux box. You can limit what XP can do fairly well that way. Good luck!
Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
I would just ban them from the network. There is no reason that they need an XP box if you have OS X, Unless there is legacy software that they use for HR or something that they need to run like that. I would personally not have those machine on the network and I would suggest win2k if possible. If they need these machines I would want to know why.
Only 'flamers' flame!
Every attorney is a PHB, complete with their own dictates and whims. Some attorneys are cool, some aren't. Going "by the book" is a great way to tick off someone who can get you fired.
Yes, it should be a stated/printed IT policy that only Macs are supported, but you've still gotta help the Windows users. But do it slowly, begrudgingly, and occasionally mention that it's just a favor, and how lucky they were that someone was around who could do it.
Failure to support their PCs can get you fired, or at least make your life rough. Supporting them too well will subvert your goal and make your job harder in the long run. You want to get across the point that it's the PC that's making their job harder, not you. If you can rig the network to drop a fair percent of their packets or throttle their bandwidth on days you're in the mood, then do it to slow things down a little. When their coworkers and secretaries are getting lower pings and faster downloads than they are, they'll figure it's the PC and come to your side.
So what if they want to use XP. Let 'em, unless they are asking you to maintain the machines for them. Then you hit them with the standard Windows administrator line. Overtime. Since it adds to your normal management duties, and since security is critical, you will need to spend extra time maintaining these machines. And since they are no your network and you are the network admin, you should be responsible for the machines on your network. So make sure they only have a standard user account in XP, and be sure to use a good secure password scheme so they can't admin the machine and install any applications without authorization. In fact, I'm sure you have a Mac OS X server on your network (right?) so set it up as a primary domain controller and make thier user accounts be roaming profiles. That way, thier user accounts are easily managed on the server and not on the desktop machine. Essentially, you've then taken away all thier control of these machines. They can use them to run the software you deem safe on your network, and it's a PC running Windows XP Professional. If they have any issues after that, they can suck on it because you have bent over backwards to give them what they wanted. A corporate envionrment, where the machine is an asset of the company and therefor, belongs to the company and is maintained by the company. If you need help in setting up these systems, there are tons of resources on the web, or you could even hire a consultant (whoo-hoo, more IT spending, even in a recession!!!). And the best thing is, you with charging overtime, you can afford to save up for a new Tibook running at 1Ghz (sweet machines). Heh. If that doesn't get them, then the other option would be to do what someone else suggested and make them sign a waiver of resposibility for any risks.
Don't Ask Questions. I don't know the answers and even if I did I wouldn't tell you.
You can run palmOS on the network for all i care as long as it's not in the demilitarized zone. There are no security holes in any OS that is behind a firewall; this is the "safe" environment. It could me intentionally comprimized by a user on the inside (tcp over http would be a fun way ;) but it's as safe as your firewall from outside attacks.
What's that song: Tum, ta, tee tum! You gotta keep 'em separated...
Use a sidecutter - snip - to give them a private network with their own Samba server and their own connection to the internet, so they can have their own private viruses.
Securing your internal network from windows?
I'd start off by putting all the Windoze boxen on a physically different subnet. Then I'd firewall off the Windoze subnet from the rest of the corporate network. Take a look at OpenBSD as a suitable firewall. This should provide adequate protection from those pesky Windoze systems.
Remember, logical security is only half the battle. Think physical security too. Maybe everyone using a Windoze box should sit at one end of your office space. Then you can put a OmniLock on the door to keep them from getting into the rest of the office.
While you're at it, you might also want to think about implementing a virus-filtering mail gateway in between your Windoze subnet and the rest of the known world.
I certainly see and understand your statement, but I believe this may be slightly different than what you're saying.
For the legal profession, I doubt there are many killer apps that are Windows only. If these few outcasts are using programs that only run on Windows, then the IT department would have its best interests in mind if it supports the Windows boxen. However, if the ones using the Windows boxen are using it just because they're familiar with it, then I believe it is time for the IT departmant to mandate a change. Be friendly about it, and show those people ways that OS X will improve their productivity while minimizing their personal liability (definitely appreciated in a legal environment), but be firm in the desktop standart.
You zap the moderators with a wand of humor! The moderators resist!
I feel for him and the lack of support he is getting from the high-mucky-mucks. Regardless of how well rounded everyone is they will all have some field that they truly shine in. In his environment, I can bet that every IT professional is a Macintosh guru. I can also just about guarantee that most of the XP users are not Windows XP gurus.
Who is going to support the XP in that situation? The IT Department.
How long is it going to take for someone in the IT department to support the XP system in comparison to the Mac sitting next to it when the user can't get their e-mail? At least double the time. So, he isn't productive and neither is the guy that is sitting around waiting to get his e-mail. That costs money.
One solution: Train the IT department to support any computer. Great, that costs money too. In our economy it ain't going to happen.
Another solution: Hire some guy to support the XP boxes as his primary job. Most companies won't say it is worth it unless there are a LARGE percentage of the "non-standard" systems.
Ok, so let's say we get past all those costs. Lets get to everything else.
Volume licensing works where the more you buy of the same thing the cheaper it is. If I have 400 Macs and 10 Winxp systems, the XP systems (on a per system basis) will cost more to purchase software for than the Macintosh.
The real world solution (only available with backing from above) is to have a single platform and support it very well. Training people to use a Macintosh is a one-time expense that can be handled by the guy sitting next to them. In the long run it will be a lot cheaper.
"Look! There! Evil, pure and simple from the Eighth Dimension!" --Buckaroo Banzai
What are the guys with the windows boxes writing your paycheck or actually generating the cash which is why you come here to whine like a complete fool on Slashdot rather than take it up with them.
Unlike mac losers, developers who have a perogative for an OS [generally *nix+emacs] and people who actually do work rather than fuck with i-pod and i-tunes, and other i-crippled crap don't use Macintosh.
If I was being billed by your firm I would be *fucking* pissed. I gave OS X a chance, and I am so glad I dont own a power pc. Pieces of shit, and a fake half assed "unix" with a primitive userland, a deprecated kernel and a propritary and SYSTEM RESOURCE HOGGING gay INEFFICIENT power-puff fag UI.
Mac OS is built on Mach, a deprecated Kernel.
Mac OS is built on FreeBSD 3.X userland, when 5.0 is about to come out and 4.X deprecated 3.X, Severely.
Mac OS has a horrible oversimplified, inefficient and closed gui. If you think you can be efficient on OS X, you are deluded. I'd rather use any other UI. Fucking zealot.
And people who have work to do cant be bothered to fuck around with weird OSs, with weird UIs, and no decent software availability. They want what they have at home, they want it to be cheap and familiar. Sorry, Mac Fucks, OS X is only being used by 25% of the Mac users to date. Thats a niche of a niche.
Coders use VI, Emacs, generally *nix or another commercial compiler/debugger/ide suite. I have rarely met coders who need IT. Leave them alone, AppleBoi.
Professionals, like Executives, Officers, lawyers, etc, use whatever they want to make it easy. Generally they dont need a computer very much - they do work. Let them do it so your money comes from somewhere, AppleBoi.
You are a little fucking IT bitch, telling your bosses they are foold behind your back. I would have listened to you if I was your boss if you came to my face with this. If I was your boss and saw you airing your gripes and dirty laundry to a place like this you would be summarily FIRED with CAUSE. You fucking little unappreciative BITCH.
What a gay lamer. FreeBSD or die, sluts.
Obligatory Brockovich quote "I hate lawyers. I just work for them."
I see even classic Slashdot is now pretty much unusable on dial up anymore.
Filter out everything. Better still, disconnect them from the network entirely :)...
Make even shorter URLs - 8LN.org
Mostly Mac, eh? GOOD FOR YOU. Unfortunately, for me, we're just now migrating AWAY from Windows. Thankfully they've never touched *MY* datacenter -- and *I* certainly have refused to use it myself.
... but Windows? Please. Mickey-MouseSoft is a joke of a system.
My statement to my users: The computer we provide is a tool. You can negotiate the make/model as much as you'd like, but like the printers, copiers, fax machines, and phones you'll use what is provided. IT IS A TOOL.
If they don't like it I'd suggest you let them know to start looking for work elseware. If they can't/won't learn to use the tool, OS X, then obviously they'll be unable to complete their job.
Personally inside work and outside I have REFUSED to diagnose, use, touch, learn, anything XP. NOTHING gets plugged into my network without my knowledge (arpwatch). XP is completely UNSUPPORTED.
Here, Windows 2000 "Professional" is being supported only until it is completely REMOVED. Anybody that wants to talk Linux or BSD with me is also VERY welcome. I do like the Unix's
Who's in charge there? There's no reason you couldn't take the OS X only stance. If it the PARTNERS wanting XP, well, then, they OWN the business. Do what THEY want. If it is some secretary or trouser trout then I have to question: do they make their own decision on what they should be paid too? Can I work there?
Fortunately, for me here, the "IT Department" (me) owns the largest chunk of company stock as well (non computer related business -- they're just TOOLS we happen to use in our job). Heheh. I make my own rules, and well, Windows had it's chance. I see the light now. It is Unix.
Of course I _started_ on AT&T SysVr2 TRUE "Unix" and have missed those days only briefly. Loved Coherent, drooled over the NeXT, settled on Linux, and can say I like tight and fast BSD. OS X is the GUI of choice today for the GNU generation.
Microwho? Fire the idiots...
Unless someone has castrated you, why don't you decide on a policy and do it instead of letting your users tell you how to run your network. If the bottom of the food chain always decided how things happen, do you think anything would ever get done?
"Oh wait, I see: he needs to maintain a few WinXP boxes in a *nix environ, so when he bitches he must be right. Because it's Microsoft. Right?"
Exactly right. Microsoft makes the most insecure, crash-happy operating system known to man. No IT admnin should have to put up with that kind of Bullshit.