Slashdot Mirror


Spyware/Adware Prevention In Large Deployments?

foQ writes "I work in the IS department for a ~2000 networked computer environment across 10 locations. As with most people, we have experienced serious problems with spyware/adware. We have SpyBot and Ad-Aware installed on most computers, but this doesn't prevent the computers from getting these programs and only sometimes properly removes all of them. Is there a tool that we could push out to all the PCs to basically do what anti-virus programs do and block these programs from running and clean them from the computer?"

36 of 782 comments

  1. Windows XP and Service Pack 2 by Anonymous Coward · · Score: 2, Interesting

    Seriously. I am not trolling. It works for me.

    Ever since I have installed SP2, Ad-Aware from Lavasoft has not found one spyware program -- even after installing the worst offending sites - porn sites.

  2. Actually by apoplectic · · Score: 3, Interesting

    but this doesn't prevent the computers from getting these programs

    I believe Spybot does protect you ("immunize") from around 2000 different pieces of software, if you let it.

  3. Software Restriction Policy (Windows XP) by yiangouk · · Score: 5, Interesting

    You can apply what is known as a Software Restriction Policy and enforce it strictly so that only approved software is installed on system computers

  4. FFox by MadEmperor · · Score: 3, Interesting

    I love how all the FFox/Mozilla comments get a score of 1.

    The truth of the matter is Mozilla does indeed prevent quite a bit of malware from entering your computer.

    Oh well, I'm sure this will be modded 1 - Redundant

  5. Re:Easy solution by Frogbert · · Score: 2, Interesting

    Yes actually it does. You see 9 out of 10 "Your computer is not optimised" ads are popups. Therefore Mozilla does a lot for it.

    There are however more issues than this. For example Firefox's cache is stored in the wrong directory in your user profile so if you have the standard 50 meg cache and log onto another computer you have to wait whilst it copies across.

  6. Re:Easy solution by civilizedINTENSITY · · Score: 4, Interesting

    I am so sick of hearing that "once [fill in the blank] reaches critical mass, it will have the same problems." That sidesteps the issue of design, as though all designs are created equal. This viewpoint only works if you view your computer as a magic (black) box with no discernable internal structure or parts.

    Methinks it says much more about the people who utter the phrase than it does about the systems they suggest are inherently equal.

  7. Lock 'em Down by MBCook · · Score: 2, Interesting
    Yes, you can run ad-aware and whatnot, but there is a better way.

    Do all the computers (or even most) really need to be able to install applications and such? Is that really necessary? Lock them down! Lock them down TIGHT so the users can't install stuff. Lock out all internet access (through a proxy or something) for any computer/user that doesn't need it for their job. Use something like Ghost or DeepFreeze to restore computers nightly/weekly/whenever there is a problem. That way, even if something DOES get installed, it will be gone when the computer is re-imaged over the LAN (overnight, perhaps).

    And don't forget the users. Not only do they need to be educated, but put some kind of penalties on them for getting spyware installed. Give them one "warning", then after that start doing things. They lose internet (if possible), they get docked a little pay/vacation time/sick days, something. You'd obviously have to talk to a lawyer to make sure it's legal and such, but when it becomes the user's problem too, they'll care a lot more. Another great suggestion is this. Is there some kind of message of the day or bulletin board or something? Post the names of repeat offenders on it for a few days after each incident. That kind of publicity can work too (again, make sure it's worded in a way that can't get you in trouble, check with the law guys).

    Through removing unnecessary permissions, restoring the OS, and just plain old humiliation... you can make your spyware life easier.

    --
    Comment forecast: Bits of genius surrounded by a sea of mediocrity.
    1. Re:Lock 'em Down by Anonymous Coward · · Score: 1, Interesting

      Ah yes, the lock it down tighter than a duck's *ss, the typical refuge of the less-than-competent sys admins (hey, that's how my XP box at home is, I can't be bothered to learn all that crap).

      The only way it works is if it is easy to get functionality added/changed. Trust me in a corporate environment it isn't. I've clocked up many an hour (and had the mother of all fights with a clueless set of techs & a CIO for back-billing them for that) waiting for the "IT guy" to get over and install some stupid piece of software, or flip a permission bit.

      As many people have pointed out, there are good ways to get 98% protection and still let the users actually *use* the computers. When something goes wrong? rip it off the net and image the computer (and if you're doing that more than once every 3 months, review the above protections, and look at user education).

  8. Securing insecure systems? by cpghost · · Score: 2, Interesting

    You can't a posteriori secure systems that have never been designed with security in mind. It's a lost battle, no matter what ingenious ideas you or your AV vendors may come up with. Get over it.

    Or at least move the more sensitive systems to a heavily firewalled environment within your net. This means: blocking ALL incoming (obvious) AND outgoing (spyware wants to phone, mail, ... home) traffic; effectively isolating the subnets from the rest of the net. It's not always necessary to be hooked to the outside world. If departments can connect to your data center or servers, that's all they need. Nothing more, nothing less.

    ... or switch to more secure operating systems, be they MacOS, *BSD/Linux, Solaris, ..., or whatever else can provide a decent desktop and office apps for your company.

    Good luck!

    --
    cpghost at Cordula's Web.
  9. Re:DeepFreeze = best. prog. EVER. by hazem · · Score: 4, Interesting

    I once set up a similar system using a small linux installation.

    1) set up windows on half the drive
    2) install a small version of linux on the other partition
    3) make an image of the windows drive that is stored on the linux side
    4) I set up some rudimentary scripting that worked with lilo boot options.

    Normal operation is to boot to Linux, then extract the windows image over the windows partition. It then reboots. You can feed lilo an option to override its default boot option and go directly into windows. On next reboot, you go back into linux.

    I even set flags where you can turn off the auto-rebuilding, set it for daily rebuilding only (first boot of the day), or make it strictly manual "your computer is goofy? Okay, reboot, and select rebuild. Get some coffee and come back".

    As another poster said, you do have to turn off all the auto-updates because they'll continually trigger. But it is so nice to not have to tend to the machines until you want to do those updates.

    I don't have the setup on a website, but if you're interested, send an e-mail to username dfrakes at the new google email service. I'd be glad to send my scripts along.

    We had a lab of win98 boxes - all PII-300's or less that would rebuild their 1.5GB windows image in about 11 minutes. I used tar/gzip for the image, but it can work just as well with dd/gzip and may even go faster. In that case, the smaller your windows drive, the better your performance will be.

    It was great in an academic computer lab where the users shouldn't be messing with things!
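
The boot-time rebuild logic described in the comment above, as an added example (not the poster's scripts), using the dd/gzip variant the comment mentions. The device name, file paths, mode names and the LILO label `windows` are assumptions; `lilo -R` sets a one-time command line for the next boot only.

```shell
#!/bin/sh
# Added example: restore a Windows partition from an image at boot.
# Every path, device and mode name below is an assumption.

WIN_PART="${WIN_PART:-/dev/hda1}"                  # assumed Windows partition
IMAGE="${IMAGE:-/images/windows.img.gz}"           # assumed gzip-compressed dd image
MODE_FILE="${MODE_FILE:-/etc/rebuild.mode}"        # contains: always | daily | manual
STAMP_FILE="${STAMP_FILE:-/var/lib/rebuild.last}"  # date of the last good rebuild
LILO_LABEL="${LILO_LABEL:-windows}"                # assumed image label in lilo.conf

# rebuild_decision MODE LAST_DATE TODAY [REQUESTED]
# Prints "rebuild" or "skip". REQUESTED=yes means the user chose the
# rebuild entry at the boot prompt.
rebuild_decision() {
    mode=$1; last=$2; today=$3; requested=${4:-no}
    case "$mode" in
        daily)   # first boot of the day only, unless explicitly requested
            if [ "$last" = "$today" ] && [ "$requested" != yes ]; then
                echo skip
            else
                echo rebuild
            fi ;;
        manual)  # auto-rebuilding turned off
            if [ "$requested" = yes ]; then echo rebuild; else echo skip; fi ;;
        *)       # "always", or a missing/unknown mode: fail towards a clean image
            echo rebuild ;;
    esac
}

# restore_image IMAGE TARGET
# Verifies the archive first, so a damaged image never overwrites the
# partition. Returns 2 (missing) or 3 (corrupt) without touching TARGET.
restore_image() {
    img=$1; target=$2
    [ -r "$img" ] || { echo "missing image: $img" >&2; return 2; }
    gzip -t "$img" 2>/dev/null || { echo "corrupt image: $img" >&2; return 3; }
    gzip -dc "$img" | dd of="$target" bs=64k 2>/dev/null
}

main() {
    mode=$(cat "$MODE_FILE" 2>/dev/null || echo always)
    last=$(cat "$STAMP_FILE" 2>/dev/null || echo never)
    today=$(date +%Y-%m-%d)
    if [ "$(rebuild_decision "$mode" "$last" "$today" "${1:-no}")" = rebuild ]; then
        restore_image "$IMAGE" "$WIN_PART" || exit 1   # stay in Linux on failure
        echo "$today" > "$STAMP_FILE"
    fi
    lilo -R "$LILO_LABEL"   # one-time override: the next boot goes to Windows
    reboot
}

# Only act when called from the boot script as "rebuild.sh --run [yes]".
if [ "${1:-}" = "--run" ]; then
    shift
    main "$@"
fi
```

Auto-updates inside the imaged Windows install will be rolled back on every restore, which is why the comment advises turning them off and refreshing the image on a schedule instead.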

  10. A combined approach works best by davidwr · · Score: 2, Interesting

    Rather than answer your question, I'll address the problem.

    You need to attack spyware and unwanted adware from multiple angles.

    Before you begin: If possible, remove the IE icon and remove Outlook and Outlook Express and install alternative products that are less of a target. Keep the Windows Update icon or automate this process.

    Next, you need to educate your users. No, this won't stop them, but they'll at least have a clue when your anti-spyware software keeps their favorite new spyware-infested app from running.

    Once your users are educated, you need prevention. This means perimeter firewalls that scan all traffic for known spyware. This might make for unacceptable performance, so this needs to be looked at carefully.
    You need firewall software on each machine that will whitelist or blacklist certain activity, or raise alarms or lock the machine if things look suspicious.
    You need network monitors that monitor internal traffic and raise alarms or isolate computers that are acting suspiciously.
    If your network is of any size, partition it by department or other logical unit so if one person gets infected and it gets past the PC's firewall, the damage is contained to a department or group.

    On each machine, run a realtime spyware-blocker program alongside your antivirus program.

    Now for the cure. Sweep all your machines, particularly user-writable areas of servers, for infections on a regular basis. For volatile areas of servers and write-enabled network shares on workstations, hourly isn't too much, for other areas of servers and for workstations, daily or weekly may be enough. Have a ready-response plan in place in case anyone's computer is acting funky. Be ready to disconnect them from the network remotely or make sure they know how to pull the plug. Even better, if your routers and firewalls can do it, isolate the machine on its own "network" that just has access to "emergency tools" including all the software they need to disinfect their system and/or rebuild it.

    Optionally, get legal involved and have a plan for collecting forensic data that you can turn over to the police. This is NOT optional if you are a bank, gambling site, or other likely target of organized criminals who will blackmail you.

    Now, if you have a relatively small network behind a NAT firewall and block all unneeded external ports, and your users are well educated and don't use IE or Outlook or Outlook Express, these are probably overkill.

    I didn't mention wireless networks and securing parts of networks used by guest users plugging in their laptops. If these apply to you, treat them as "outside the network" and make them come in through a VPN or something similar unless you are ABSOLUTELY certain no unfriendly users can connect. Speaking of VPNs, anyone coming in through a VPN is probably NOT running a box you manage, so they may already be infected. Treat them as such. Worse, they may be clean but be connected to other networks, and may become infected AFTER you've scanned them and found them clean.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  11. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by erick99 · · Score: 2, Interesting

    I agree. When I worked at CellularOne every user was issued a W2K workstation that was locked down squeaky tight. You had to make a very good case to get access to the web and, even then, there was a hellish long list of sites that were blocked. I didn't see any spyware/malware ever. Users were not allowed to install software nor even printers. You got the application suite that your job required and you were mapped to a printer or two. It worked well and nobody was being deprived with the possible exception of folks that like to use their computer to screw off all day.

    --
    http://www.busyweather.com/
  12. and back again to... by Phucilage · · Score: 2, Interesting

    some kind of proxy helps prevent a lot. Proxomitron is an easily configured proxy that helps cut down a LOT of the crap you run into.

    that coupled with something like ad-aware + spybot + spysweeper (yes all three) works relatively well to keep most crap out. I recommend all three specifically because, having to remove spyware from 30ish computers a day as a Geek Squad Agent at Best Buy, I've discovered of the three, with the -1 day definition updates, you still find things in each one that the other does not.

    You might try finding some other spyware detection apps, NAV 2004/2005 detects and removes SOME (but to be quite honest, not as much as they claim), but the more the merrier. Easier? Less time consuming? Of course not, but removing as much as possible once a week usually leads to having to remove less daily (even in a corporate environment, this could be every 3 days instead of every single day, depending on how many porn/gambling addicts you guys have on your payroll ;>).

    just my two scratched up green pennies.

  13. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by Saeed+al-Sahaf · · Score: 2, Interesting
    You know, I still don't understand why large-scale deployments like this guy need ANY spyware checks. At my company, the first thing we did when we migrated to XP (from 98) was set every user's permission to limited. We haven't had a *single* noteworthy case of spyware, or viruses, because nothing can really get into the meat of the system (Windows\System32 directory, Program Files directory, etc). If anyone has a complaint, tough. They go through us if they want to install X program.

    This is so true. I work for the Air Force, and I have to agree. Very few spyware / virus issues. Most normal users simply don't need higher permissions, and really should not be installing their own software anyway. These are work machines for doing work. Whatever software that is on them has to be supported by IT. If they really need or want it, we look at it, and if they do get it, we install it. Everything. As yet in 5 years, no major spyware or virus issues.

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
  14. Re:the newer AV's do by IoN_PuLse · · Score: 2, Interesting

    And it's not very good. The open-source antivirus for windows (Clamwin) seems to detect more viruses and mal/spyware for me, recently.

  15. EnCase Enterprise by funk49 · · Score: 3, Interesting

    Depending on your budget, try EnCase Enterprise by Guidance Software. EnCase is the forensic program/application used by the US Govt and also by most of local and foreign law enforcement investigators as well.

    The Enterprise version takes forensics a step further, utilizing a client listener app which runs on the desktop and after establishing a baseline of permitted apps, can be used to detect and counter malicious apps running on the LAN and WAN as well as imaging drives realtime for investigative purposes.

    Investigations have been performed from halfway around the world with the click of a button. Another selling point to the PHB's is that it can be used for HR investigations as well, making it an easy ROI for most companies.

    http://www.encase.com/

  16. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by WoodstockJeff · · Score: 3, Interesting
    At my company, the first thing we did when we migrated to XP (from 98) was set every user's permission to limited.

    Works great, until you run into something like Palm software, which won't cooperate with permissions. I've tried several methods to make it possible to sync a Palm Pilot with Outlook, and none work, if the user doesn't have administrator privileges on the computer. Apparently, some of the Palm conduits try to write to directories that aren't available to mere users, and I haven't been able to track all of them down.

    And it's the executives that have the Palms, so not letting them work isn't a viable option...

  17. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by plierhead · · Score: 5, Interesting
    I agree. When I worked at CellularOne every user was issued a W2K workstation that was locked down squeaky tight. You had to make a very good case to get access to the web and, even then, there was a hellish long list of sites that were blocked. I didn't see any spyware/malware ever. Users were not allowed to install software nor even printers. You got the application suite that your job required and you were mapped to a printer or two. It worked well and nobody was being deprived with the possible exception of folks that like to use their computer to screw off all day.

    I hear completely where you're coming from, but you're only talking about the side that you see.

    Locking people down, while it may well be a desirable solution because of the shite that is MS, very often leads directly to lost productivity that affects many more than just "folks that like to use their computer to screw off all day". In many cases, the problem is made worse by unresponsive IT departments who have an inbuilt superiority complex and think all users are jerks. Well, many users are jerks, but guess what - if they can't do their jobs, they cost their employer money, normally in a way that IS is utterly unaware of (and probably couldn't give a shit anyway).

    Recent examples at our clients (we provide our system as an ASP, not least to avoid the claws of those freaking MS bastards, but as you can see we are still the victims):

    1. Customer A needs to scan and OCR hard copy documents to upload them into our system. Of course they are not allowed to go down and buy a $200 HP scanner with this ability - instead they must wait for IS. IS has set up a $20,000 multi-function scanner, but of course it does not do OCR. Of course there is an OCR program, but of course it is not certified for the current system image. 6 months on, over $30,000 in additional costs incurred - because IS can't provide OCR capability and won't allow a "renegade" install of a $200 HP scanner.
    2. Customer B wants to use our system - it's an ASP after all, no software to install - but their procedures for gaining web access are so cumbersome that it is simply impractical to give wide access throughout the business. More lost $$$, to us and them.
    3. Customer C has their image locked down to Office 97 because of various (no doubt valid) MS problems. Users are unable to handle incoming documents written in later versions of Word. IS has no solution apart from waiting until 2006 for a company-wide upgrade. (Yet, strangely enough, the IT dude has Office 2003 on his OWN desktop)
    --

    [x] auto-moderate all posts by this user as insightful

  18. More Prevention than detection? by gofugu · · Score: 2, Interesting

    The best way is always prevention.

    1. If they have to use IE, we make the default ZONE setting for Internet High, and Medium for everything else, including local zone and trusted. We have yet to find (business) applications that this breaks. Yet no pop-ups, no spyware - works as well as Firefox minus tabs. They will have to add banking and other ActiveX/Java/download type application sites to the trusted zone. On any MS box I use, this is the first thing I set up (assuming I can't install Firefox).
    2. Patch management. (Many spyware and trojans use exploits to install.) PatchLink is a good multi-platform choice (www.patchlink.com), but there are many others.
    3. Web scanning solution (e.g., ISS, McAfee, others?). Scan for ActiveX and Java exploits on web traffic.
    4. PestPatrol now has a solution that does not require a client. I assume others will have similar solutions soon if they already don't.

  19. All this talk of locking down users... by Anonymous Coward · · Score: 1, Interesting

    Maybe I'm just new to this game, but we tried locking down users and ran into so many problems going to users' machines to fix issues and having to log out and back in as Admin, fix a simple issue, log out of Admin and back into the user that it became more of a hassle than dealing with the spyware.

    Why doesn't Windows have a quick "root" solution? Why can't you quickly and easily elevate a user to admin to fix problems and then demote them back to normal users. Am I missing something?

    P.S. I know people are going to ask...give us an example. Well, I had a user we locked down (because this user LOVES smiley face cursors) and we had nothing but problems with her printer. We tried regular user (which locks down printer adjustments) and we even tried Power User which allows a user to manage their printers, both created a lot of issues with printing. Sometimes it would print just one page, other times it wouldn't print anything. When we gave the user full admin rights, all the printing problems went away. We've had similar experiences with network issues and troubleshooting. And quite frankly, regardless of the problem, not being able to go into control panel, or internet explorer options or the registry to make adjustments, or remote control a user's machine, all make our job more of a headache than leaving them with admin rights. Correct me where I'm wrong here folks. If there was a "root" option where we could just elevate to admin, make changes and fixes, and demote I could handle working through all the various problems we have had with locking down machines.

  20. Squid-Patches and ban of Internet-Explorer by Anonymous Coward · · Score: 1, Interesting
    I work at a medium sized company in Europe (<50 users) and after three incidents of adware we decided to:
    • ban the internet explorer
    • enforce proxy usage (transparent proxy)
    • forbid download of (exe, zip, ...)

    by patches on the squid proxy to work as a content filter (some existing patches with some custom filter modules). By disallowing the User-Agent "MSIE" we could very easily identify evil traffic (hiding behind that browser). By forbidding downloads of problematic content we could find one remaining gator instance. Some perl scripts crawl over the filter logs and pipe caught traffic to a virus scanner for threat analysis. Since then we did not have any further incident nor any left network anomaly.

    If a user has to make downloads that the filter rejects he can ssh/telnet to a box and use wget to manually download stuff.

    Some domains (windowsupdate...) are not filtered to allow online updates.

    If anybody is interested I can make the patches publicly available (but it's working on top of existing patches, I only inserted the exe/zip filters).

    Cheers
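
The log-crawling step described in the comment above, as an added example in shell and awk (not the poster's Perl scripts or Squid patches). It assumes the filter's rejections show up as `TCP_DENIED` entries in Squid's native `access.log` layout; the function names are hypothetical and every log line is constructed.

```shell
#!/bin/sh
# Added example: find workstations that keep requesting blocked downloads.
# Assumed input: Squid native access.log, one request per line:
#   time elapsed client action/status bytes method URL ident hier/peer type

# denied_downloads THRESHOLD   (log on stdin)
# Prints "client host count" for every client/host pair with at least
# THRESHOLD denied requests for a blocked file type, busiest first.
# A single hit is usually a user clicking a link; the same host asked for
# again and again by one machine suggests software installed on it.
denied_downloads() {
    awk -v min="$1" '
        $4 ~ /^TCP_DENIED\// {
            url = $7
            sub(/[?#].*$/, "", url)                # ignore query string and fragment
            if (tolower(url) !~ /\.(exe|zip)$/)    # the two types named in the post
                next
            host = url
            sub(/^[a-zA-Z]+:\/\//, "", host)       # strip the scheme
            sub(/[\/:].*$/, "", host)              # strip path and port
            hits[$3 " " tolower(host)]++
        }
        END {
            for (k in hits)
                if (hits[k] >= min)
                    print k, hits[k]
        }
    ' | sort -k3,3nr -k1,1 -k2,2
}

# Constructed sample lines; addresses and host names are made up.
sample_log() {
    cat <<'EOF'
1097000001.101      8 10.0.1.15 TCP_DENIED/403 1412 GET http://updates.adserver.example/client/patch.exe - NONE/- text/html
1097000301.224      7 10.0.1.15 TCP_DENIED/403 1412 GET http://updates.adserver.example/client/patch.exe - NONE/- text/html
1097000601.310      9 10.0.1.15 TCP_DENIED/403 1412 GET http://updates.adserver.example/client/patch.exe?v=2 - NONE/- text/html
1097000702.005    412 10.0.1.22 TCP_MISS/200 48211 GET http://www.example.org/index.html - DIRECT/192.0.2.10 text/html
1097000710.870      6 10.0.1.22 TCP_DENIED/403 1398 GET http://files.example.org/tools/viewer.ZIP - NONE/- text/html
1097000800.450      5 10.0.1.31 TCP_DENIED/403 1377 GET http://www.example.com/banner.gif - NONE/- text/html
EOF
}

# "--demo" prints the report for the sample; for real use, feed the proxy log:
#   denied_downloads 3 < /var/log/squid/access.log
if [ "${1:-}" = "--demo" ]; then
    sample_log | denied_downloads 3
fi
```

With a threshold of 3 the sample reports only 10.0.1.15, the machine that retries the same blocked executable on a fixed interval.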

  21. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by Dimensio · · Score: 2, Interesting

    Works great, until you run into something like Palm software, which won't cooperate with permissions.

    This came up in a /. discussion months ago, and I asked my boyfriend -- who administrates WinXP and 2000 machines where he works -- if he had found a solution.

    I'll look through my replies and repost it. He said that it's a bit tricky, but it can be done.

  22. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by erick99 · · Score: 2, Interesting

    I didn't work in the IS department, I worked in marketing. I was one of the users that got locked down. I am sorry if my post conveyed otherwise. The IS people were in Colorado and I was in a remote office in Frederick, MD. However, I am always curious about IS so I learned what I could by talking to them over the phone.

    --
    http://www.busyweather.com/
  23. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by irg1231491 · · Score: 2, Interesting

    One of the things that honestly worries me these days is the fact that IT in general, and sysops in particular, have a tendency to assume their users are total bottom-feeding dumbass idiot morons, and do not give the user any credit for a working brain.

    I agree that the default, starting account on most systems should be pretty locked down --- however, once you've been around for a while and you've proved to the world that you're not a complete dipshit, you should be allowed certain freedoms.

    Example: On my Windows PC at home, I use LiteStep. As a shell, it pwns Explorer by an incredible margin. It's been a great boost to my productivity, especially with applications like Rainlendar to help with scheduling and planning.

    However, if I were to ask any sysop with this type of mindset toward users, I would be shot down almost immediately. I understand that ITs have to deal with tons of idiots every day, but it is important to make the distinction that IT is there to aid the users in getting the job done. That's the reason the computers are there, that's the reason the sysops are there, that's the reason everyone is there.

    Another reason that this is a bad idea is because, in large part, the default install at most workplaces sucks. IE for browsing, Microsoft Office for everything else. Period. I understand the necessity of using Microsoft Office, but there is absolutely no reason to force me to use IE on the job (excepting, of course, IE-dependent applications on-job). There are also a myriad of helper and (somewhat) luxury applications, like WinAmp, which could easily be allowed without hurting anything.

    Ultimately, I guess, the ITs need to get off their damn high horse. It's time to stop assuming that every worker is going to take every possible chance to slack off, or screw up the equipment, or whatever else you're afraid of. Seriously. ITs need to remember that, regardless of their personal opinion of the worker in question, they and the users are equals, and need to act accordingly. I have found that using a little respect and guidance works much better than trying to reduce the computer to a meaningless black box.

  24. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by Anonymous Coward · · Score: 1, Interesting

    User F downloads Bonzi Buddy with a fancy distributed DOSing system that takes down the entire network for 3 days, or worse, puts critically private information on a public server hosted by hax0rz.jp . Lost money due to network destruction? Usually greater than the overhead to make decisions at an IS level.

    Both decisions have problems. It depends on the intelligence and vigilance of your users, which is the best one.

  25. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by omb · · Score: 2, Interesting

    I have also worked in a company set up like this.

    The results were:
    (a) a Project Plan needed by the CEO blocked

    (b) An urgent software upgrade blocked

    (c) A senior developer fired, then necessarily re-hired as a contractor

    (d) a new CIO

  26. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by Kleedrac2 · · Score: 3, Interesting

    1. Customer A needs to scan and OCR hard copy documents to upload them into our system. Of course they are not allowed to go down and buy a $200 HP scanner with this ability - instead they must wait for IS. IS has set up a $20,000 multi-function scanner, but of course it does not do OCR. Of course there is an OCR program, but of course it is not certified for the current system image. 6 months on, over $30,000 in additional costs incurred - because IS can't provide OCR capability and won't allow a "renegade" install of a $200 HP scanner.

    This problem is just lazy IT. If they can't take 5 minutes to add an HP scanner then you've got the wrong guys in IT.

    2. Customer B wants to use our system - it's an ASP after all, no software to install - but their procedures for gaining web access are so cumbersome that it is simply impractical to give wide access throughout the business. More lost $$$, to us and them.

    Again bad IT practise ... think of an IT department run by intelligent IT guys not lazy management types like you're describing.

    3. Customer C has their image locked down to Office 97 because of various (no doubt valid) MS problems. Users are unable to handle incoming documents written in later versions of Word. IS has no solution apart from waiting until 2006 for a company-wide upgrade. (Yet, strangely enough, the IT dude has Office 2003 on his OWN desktop)

    And again, if there's a valid reason to upgrade office and it's showing up multiple times perhaps IT should either distribute a newer image w/ Office 2003 or perhaps OO.o, alternatively they could just have a copy of Acrobat on the IT network so any incoming Word documents can be sent to them for conversion to something that can be read by the current image.

    I've administered networks as well as used rather locked-down networks. The problem with locked down networks in my experience happens only when the IT guys are too lazy or stupid to make changes. Any idiot can lock down windows. It takes someone with more intelligence to actually allow the useful while blocking the harmful. As long as the IT department is large/trained well enough for the number of seats it really shouldn't be a problem.

    Kleedrac

    --
    Sure we wang, can.
  27. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by estes_grover · · Score: 4, Interesting

    This problem is just lazy IT. If they can't take 5 minutes to add an HP scanner then you've got the wrong guys in IT...Again bad IT practise ... think of an IT department run by intelligent IT guys not lazy management types like you're describing.

    These would be true statements should the company in question be small - several hundred employees. It's a whole different deal in a large company. In a large company (thousands or 10's of thousands of employees) IT policy is often designed such that the (inadvertent) end result is: slow. The overriding concerns in large-company shops are things like security, audit, documentation, repeatability. In an IT shop supporting a large user base, the CIO is often more of a business type than an IT type. Hence lots of compromises, negotiation, changes in direction. Couple that with in-house development efforts and one often gets re-work and that translates into slow.

    It's darn near impossible to be large and nimble.

  28. Re:Unfortunately it's not always possible by nosfucious · · Score: 2, Interesting

    It's gotta be said here: but programmers love to operate, program, debug and test as QSECOFR/admin. I'm a network admin, and I don't run as root on my linux box, have limited domain admin rights on XP normally (like password reset) and use a remote desktop to a domain controller for necessary tasks (about 10 minutes a day).

    First thing that happens when we hire a new developer ... "What's the qsecofr password, what's the Administrator password, I need ALLOBJ access, I've written the program using Active-X that needs to be run as an administrator on the local machine" (Pick one or all).

    I'll quite happily give them admin on their own machine if they need it, but they had better test their damn program on a lockdown machine before they submit it for deployment.

    Hell, some clueless developer said he was a web developer. The entire page was one giant Active-X control with about three lines of html.

    I'm lucky that the culture of my organisation is slowly waking up to these idiot developers. (We do have some good ones too). Now they actually have to have a development plan that includes testing outside their own machine. Many times a program doesn't need Admin access to run, but a few specific registry keys or folders need to be opened up, they just don't know or don't document them.

    I'm not surprised that Microsoft has trouble with security, the programmer culture that Microsoft has supported does not lend itself to thinking about it. Where's their new talent pool? Predominately developers that grew up with the MS programming monoculture!

    --
    Q:I was listening to a CD in Grip and it sounded horrible! What's up? A:Perhaps you are listening to country music

  29. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by shyster · · Score: 3, Interesting

    Customer A needs to scan and OCR hard copy documents to upload them into our system. Of course they are not allowed to go down and buy a $200 HP scanner with this ability - instead they must wait for IS. IS has set up a $20,000 multi-function scanner, but of course it does not do OCR. Of course there is an OCR program, but of course it is not certified for the current system image. 6 months on, over $30,000 in additional costs incurred - because IS can't provide OCR capability and won't allow a "renegade" install of a $200 HP scanner.

    Why wasn't IT involved in the requirements discussion of your ASP solution? Who did you think was going to be implementing the client side of the solution? A lot of issues could be solved easier if IT was asked for advice before a problem arises. Instead, departments make (sometimes) dumb IT-related decisions, and expect IT to implement them.

    Customer B wants to use our system - it's an ASP after all, no software to install - but their procedures for gaining web access are so cumbersome that it is simply impractical to give wide access throughout the business. More lost $$$, to us and them.

    Sounds like a department or group of people within Customer B wanted to use your system. Once again, it doesn't sound like IT was involved at all. Nor does it sound like the company as a whole wanted it - or they would've worked with IT to get access to it.

    Customer C has their image locked down to Office 97 because of various (no doubt valid) MS problems. Users are unable to handle incoming documents written in later versions of Word. IS has no solution apart from waiting until 2006 for a company-wide upgrade. (Yet, strangely enough, the IT dude has Office 2003 on his OWN desktop)

    AFAIK, Word 97-2003 have the same file format. Excepting some possible formatting issues, reading the documents shouldn't be a problem. However, realize that an Office upgrade is a huge expense in terms of both time and money. Expecting IT to jump to fulfill your requirements on their existing budget is a bit unfair.

    Just because you, understandably, see your solution as the greatest thing since sliced bread doesn't mean IT or the company as a whole does. It would seem that IT, and the executive management, were either not made aware of the business need of your solution, or felt it was not worth the impact on IT's budget and responsibilities. Perhaps involving IT in your next client discussion could point out these issues before the ink is dry.

  30. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by shyster · · Score: 2, Interesting

    Can you say, clueless!? There are incompatibilities between the paragraph and character styles and the numbering mechanisms among the versions of Word you talk about (97/2000/XP), and going back and forth among them is a sure way to almost-irremediable document corruption. As a corporate-law attorney, my wife runs into this problem all the time.

    I admit to being somewhat clueless, being that Office 2003 is covered under our site license (which is dirt cheap, due to gov't status) and I don't use Word very often. However, the official line is exactly what I stated. Which is that, formatting issues aside, file formats shouldn't be a problem. If it is, then I think that qualifies as a bug - ask PSS about fixing it.

    Of course, most law offices I've worked with use WordPerfect (and have for ages), so I suspect that may be part of your wife's problem.

  31. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by WoodstockJeff · · Score: 2, Interesting

    I've tried this in the past - as soon as I remove the users from the admin group, they stop being able to hotsync to Outlook.

    This isn't to say they can't hotsync - Anything they put into the Palm software application works just fine, and the data they grabbed from Outlook on the earlier sync will be backed up, but they can no longer attach to their Outlook data, once their privilege level is reduced to "power user".

    Note that even this proposed solution isn't that great - what if the user has something in their "run once" registry that installs malware, just waiting for them to be elevated to the point where it can do real damage? If you have to make someone an administrator for ANY reason after they've wandered into the wrong sites, you're still very much at risk.
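
The "run once" concern in comment 31, as an added example that is not part of any poster's comment: a PowerShell audit of the Run and RunOnce autostart keys, meant to be run in the affected user's own session before that account is given administrator rights. The function name `Get-AutostartEntry` and the "user-writable path" pattern are assumptions made for this illustration.

```powershell
# Added example: list autostart entries that would fire at the user's next logon,
# so they can be reviewed BEFORE the account is made an administrator.
# HKCU is the hive of whoever runs the script, so run it as the user being elevated.
$autostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption: commands launched from user-writable locations deserve a manual look.
$reviewPattern = '\\(AppData|Temp|Temporary Internet Files)\\|%TEMP%|%APPDATA%'

function Get-AutostartEntry {
    param([string[]]$Path)

    foreach ($key in $Path) {
        # A missing key simply means nothing is registered there.
        if (-not (Test-Path -Path $key)) { continue }

        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            # Read the raw string so %VARIABLES% are shown as stored, not expanded.
            $command = [string]$regKey.GetValue($name, $null, 'DoNotExpandEnvironmentNames')

            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = $command
                Review  = ($command -match $reviewPattern)
            }
        }
    }
}

# Flagged entries first; an empty result means no autostart values were found.
Get-AutostartEntry -Path $autostartKeys |
    Sort-Object -Property Review -Descending |
    Format-Table -AutoSize -Wrap
```

A clean listing only covers these four keys; it does not show that the profile is free of other autostart locations.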

  32. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by Billly+Gates · · Score: 2, Interesting

    Problem is many spyware and ad programs use buffer overflows to install themselves.

    I found out I got my system reinfected just from watching an mpeg of porn.

    The stream was infected and using buffer overflows to execute and install itself in the system registry.

    No problem under FreeBSD since its mpeg libraries are safer with some of the holes fixed.

    It's just insane what these applets using javascript use to get themselves installed without the user knowing.

    A policy will not prevent the overflows since they bypass NT security.

  33. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by GreyPoopon · · Score: 3, Interesting

    I don't think you are completely aware of what the budgeting process and political playing field are like for IT resources at most companies. It's generally not a question of laziness, but rather that management wants to reduce IT headcount while at the same time getting even more work out of the department. On the other hand, if you are directing your complaints against upper management (not IT), I'm all with you.

    This problem is just lazy IT. If they can't take 5 minutes to add an HP scanner then you've got the wrong guys in IT.

    Interesting. You attribute following policy to laziness. Since there aren't enough resources to go around installing HP scanners for everyone and supporting the associated software, the department has made the decision to support a single centralized scanning infrastructure. Unfortunately, they made this decision at a time when OCR wasn't an issue. Generally, the $200 HP scanner isn't going to be an isolated case. Once one is deployed, there need to be others. Now the IT department is forced to support several additional devices and new software. Oh, and while they are providing this additional support, the CFO is busy taking three more people out of their headcount. In a situation like this, the proper solution is for the IT department to follow policy and request that the person who has the need escalate through their management. If it's important enough, it will reach the CEO, who will tell IT they need to provide this service. At that point, they can force the CFO and the CEO to sit at the same table and decide whether it's more important to provide this piece of hardware or to reduce the IT budget. Now, if IT hadn't locked down the system and employed this practice in the first place, guess what would have happened. The requesting department would go around IT to buy and install the scanner, and IT would have still ended up supporting the thing.

    Again bad IT practise ... think of an IT department run by intelligent IT guys not lazy management types like you're describing.

    Again, you've attributed draconic procedures for gaining web access to laziness. What you are missing is that such decisions rarely come directly from IT, and are instead a direct response to a requirement from the CEO. Just like the previous situation, the issue would have to be escalated. The CEO will either approve, deny, or realize that he needs to change his requirements for IT.

    And again, if there's a valid reason to upgrade office and it's showing up multiple times perhaps IT should either distribute a newer image w/ Office 2003 or perhaps OO.o, alternatively they could just have a copy of Acrobat on the IT network so any incoming Word documents can be sent to them for conversion to something that can be read by the current image.

    Again, somebody has to support this, and most IT budgets are yielding their dollars up to the Marketing budget. Although, I like the idea of a copy of Acrobat because it would then possibly require only one resource within the IT department.

    The problem with locked down networks in my experience happens only when the IT guys are too lazy or stupid to make changes.

    No, most locked down networks happen when the IT department is afraid to make changes. Usually this is because the CEO or CFO puts very heavy restrictions on them. Remember that 80s and 90s buzzword, empowerment? Well, we all laughed back then because we knew it wasn't true. It's obviously not true today either.

    --

    GreyPoopon
    --
    Why is it I can write insightful comments but can't come up with a clever signature?

  34. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by ananke · · Score: 2, Interesting

    If you have the power to hire an IT admin, you also have the power to fire this person. You do, right? If so, what's the problem? Hire somebody who will do the job as you would like them to. If not, then you can safely drop the 'I will not hire you' song. Nobody cares, seriously.

    --
    --- d'oh

  35. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by TurboStar · · Score: 2, Interesting

    "This problem is just lazy IT. If they can't take 5 minutes to add an HP scanner then you've got the wrong guys in IT."

    You seem to have a problem with ignorance and stupidity. I'm tired of hearing about lazy IT from the same assholes that think they can install anything on their computer in five minutes and everything will be just fine.

    Here's a clue for you in the scenario of a 5000+ workstation network across several buildings.

    1. User calls IT with need for OCR. Dispatcher enters a ticket. (10 mins)
    2. IT contacts user and says they have a secure and approved solution but the research needs to be finished for OCR. (15 mins)
    3. User says he needs it right away. IT rolls eyes and wonders if user's keyboard is broken. I mean, if it's that important user should be typing and not trying to convince IT his OCR problem is most important. (15 mins)
    4. IT spends an hour with user finding a suitable, though insecure solution. Warns user that $99 OCR is nothing like the full solution they have in the works. (60 mins)
    5. Fill out PO request (and double check everything, because accounting doesn't like mistakes) for HP scanner. (5 mins)
    6. Receiving scanner and dispatching IT installer. (5 mins)
    7. Installation of scanner, including 10 mins walking/travel time. Don't try and play off 5 mins here, you can't even unbox most stuff in less than 5 mins especially with an excited user nipping at your heels. Hell, if you need to reboot that's 5 mins in itself. And yes, many USB devices (especially HP's) seem to need a reboot for some reason. Plus you need to scan at least one page to make sure it works. (30 mins)
    8. Training the end user how to use the scanner and OCR software. Because "IT is here, why should I RTFM?" (30-90 mins)
    9. Documenting the one-off install. (5 mins)
    10. Future support of scanner. Moving, helping new employees with it, repair, etc. (0-999 mins)

    So realistically, we're talking two+ hours of work just for a relatively insecure install. That's more in labor than you can buy most scanners for. If there are firewall ports to unblock for updates or workstation permissions that need to be configured it'll take even longer.

    Running an IT department is not like supporting your Mom's computer she uses for looking up recipes. If things in a business stop working the company loses money and potentially people lose jobs. If your Mom's PC goes down you get mac&cheese for dinner instead of lasagna. Big difference. IT needs to plan on keeping everything working at once, not most things most of the time.

    When you get tired of IT people treating you like crap, stop the attitude and give them the respect they deserve. Maybe then you'll get your needs looked after instead of being tossed into the "he's a little shit" pile.

    -turbo (who runs "four nines" -- trying for five)