Reducing The Negative Impact of Laptops
Mark Brunelli wrote to mention a SearchEnterpriseLinux column about reducing the negative impact laptops can have on a network's security. From the article: "Portable computers often become an extension of the person using them. It is no surprise that laptop users are inclined to be rather autonomously minded. Many users don't realize that the power they have to install software and change settings is risk prone. Fortunately, larger corporations that install Microsoft Windows XP Professional usually don't grant the laptop user full administrative rights. The same cannot be said of smaller businesses, many of which simply purchase laptops from the local store -- laptops pre-installed with Windows XP Home Edition. "
Better still, use the truly secure Linux operating system. Six months after making the change, you will not use Windows again. The cost of Linux is also much less than the cost of upgrading Windows XP Home Edition to Windows XP Professional.
Unfortunately Linux isn't as easy to use for most people. How about suggesting that they use a Mac? Macs are secure and are easy to use.
Bradley Holt
It's very true that laptops are a higher risk than desktops.
1) Most laptops now have wireless cards. If this is the case, use an encrypted connection to an AP.
2) Even then, use as many encrypted streams as you can (ssh, https, pop3s/imaps, etc.).
3) Physical security. It's easy for anyone to run off with your computer. So keep track of it... don't leave it on the table at the library.
This is moronic. If I have to carry a laptop to which I don't have admin rights, I'd quit.
In fact, I got my employer to unlock my desktop box (so, you know, one can configure it to make it comfortable to use...)
to install XP Pro on any business machine? Seems silly to let the user install his/her software on the COMPANY laptop.
Muzik.4.Machines
Until recently I was involved in administering a Linux server on a network of Windows workstations. The server primarily operated as a gateway to the internet.
Every now and then some horrible worm would get loose on the network and fill the internet connection with crap. I would get the blame for it of course (internet not working).
Outbreaks were correlated with a particular individual coming back to the office with his laptop after working elsewhere. I think it must be something about the way he uses that system; what sites he goes to, probably; which causes it to be so riddled with viruses.
I am not managing that system any more. Good riddance. The versatility of laptops is letting them down in this instance. If the owner is a bit of an idiot no amount of management will keep them out of trouble.
http://michaelsmith.id.au
How many people have struggled with the problem of free will. I know I have. The idea of free will is ages old and unresolved until now. Now we know laptop users have free will. Tyranny got you down? Buy a laptop.
The GPL does state that any changes made to the kernel have to be open source, but if you did everything as a module (does not touch the kernel source, just lets the kernel load this to extend the kernel) you could have kept it closed source and stuck with Linux. Many companies do this, such as nvidia and ati. You should have done some research before spending time and money and planned to do this as a module.
Why are business networks so fragile in the first place? There should be automatic checks in place so that if a computer starts sending out too much traffic, it gets cut off (in addition to the usual other AV countermeasures). Why is this not enough?
Any network that fails when one node is compromised does not seem very robust to me.
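The automatic check the post asks for, as an added example that is not part of the thread: a per-host sliding-window fan-out detector run over a constructed flow log. A host that suddenly opens connections to far more distinct destinations than usual (the fingerprint of a scanning worm) is flagged for cut-off, while a legitimately busy host that spreads its connections out over time stays under the threshold. Addresses, thresholds and the flow records are all constructed sample values.

```python
"""Outbound fan-out detector over constructed flow records.

Added example, not code from the thread: it implements the automatic check
the post asks for, flagging a host that suddenly talks to far more
distinct destinations than normal (the fingerprint of a scanning worm)
so it can be cut off. Thresholds, addresses and the flow log are all
constructed sample values.
"""
from collections import defaultdict, deque

# Constructed flow log: (timestamp_s, src_ip, dst_ip, dst_port), one row per new
# outbound connection attempt, as a gateway or NetFlow collector would record it.
SAMPLE_FLOWS = (
    # a normal desktop: DNS, then a couple of HTTPS sessions
    [(0, "10.0.5.20", "10.0.5.1", 53),
     (1, "10.0.5.20", "192.0.2.10", 443),
     (2, "10.0.5.20", "192.0.2.11", 443)]
    # a busy but legitimate host: 50 distinct HTTPS peers, one every 2 seconds
    + [(2 * k, "10.0.5.30", f"198.51.100.{k}", 443) for k in range(1, 51)]
    # a returning laptop that starts sweeping TCP/445 across another subnet
    + [(3 + i // 10, "10.0.5.77", f"10.0.6.{i}", 445) for i in range(1, 60)]
)


def detect_fanout(flows, window_s=10, max_dests=30):
    """Return [(src_ip, first_alert_ts, distinct_dests)] for every host that
    contacts more than max_dests distinct destinations within window_s seconds.

    A sliding window per source keeps the legitimate host below threshold
    (it never has more than about 6 peers in any 10-second span) while the
    scanner crosses it within a few seconds.
    """
    recent = defaultdict(deque)  # src_ip -> deque of (ts, dst_ip), oldest first
    alerts = {}
    for ts, src, dst, _dport in sorted(flows):
        q = recent[src]
        q.append((ts, dst))
        while q and q[0][0] < ts - window_s:  # drop entries outside the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct > max_dests and src not in alerts:
            alerts[src] = (ts, distinct)
    return [(src, ts, n) for src, (ts, n) in alerts.items()]


def quarantine_set(flows, **thresholds):
    """Hosts that should be moved to a quarantine VLAN or blocked at the gateway."""
    return sorted(src for src, _ts, _n in detect_fanout(flows, **thresholds))


if __name__ == "__main__":
    for src, ts, n in detect_fanout(SAMPLE_FLOWS):
        print(f"t={ts}s  {src} reached {n} distinct hosts in 10s -> cut off")
    print("quarantine:", quarantine_set(SAMPLE_FLOWS))
```

The threshold is the whole game: with `max_dests=30` only the sweeping laptop is caught, but lowering it to 5 would also quarantine the busy-but-legitimate host, which is why this kind of check is tuned per network segment rather than applied with one global number.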
As a small business IT support guy, I see this all the time. Lawyer X or Dentist Y grabs the latest laptop deal from Dell, brings it to work, and finds out he can't connect to the 'server', which either leads to some kind of limited workaround or an overpriced 'upgrade' to Pro, both costing them money (my time or a sticker, registry fix + more of my time). I'm always telling clients to ASK ME FIRST before buying something but as anyone in the same business will know, that can be rare.
Please stop APK.. you're only hurting yourself.
From the top of the article: In any network setting, laptop and notebook PCs can pose special security risks, particularly those running Microsoft Windows XP Home Edition...
Like I mentioned once before, the default setting for users on Windows is always administrator, which automatically lowers your armour. After that, using Internet Explorer, you visit a Greek jokes website that installs an ActiveX control on your system. The ActiveX then downloads its friendly spyware and adware, and they in turn continue feeding on your bandwidth and CPU power by repeating the process. While they are doing this, these programs discover they are able to modify the registry and are also able to change settings so they run as soon as Windows boots up!! How exciting. You are fucked, my friend!
From usenet: The primary shortcoming in Linux is that it retains the concept of a "superuser". If someone can manage to get themselves logged on as "root", then they have the keys to the kingdom. Now imagine what a malicious demon will feel when it finds itself running under Administrator inside a Windows machine!!!
I'm involved in a 'new technology' pilot for the IT department in my company, a Fortune 100 presence, and they're looking to force this down our throats. I'm a consulting network engineer, and I have a distinct need to be able to install a very large suite of custom applications, as well as make changes to network settings, etc. as part of my daily work. I can understand the potential security risks, but if it makes me unable to do my job producing revenue for the company, it's an unacceptable change.
I will fight this, because users need rights too.
"Just install Linux"
Blah blah....
Being funny is my sig nature.
Laptops that are permitted out of the office have to be set up as untrusted devices. Run separate cables, or make the user log in wirelessly, allowing limited, if any, local network access, but allowing full Internet access.
/*
Basically, you have your primary LAN of machines that never leave the office, and your wireless lan of laptops that are blocked from the primary lan. Both networks should be able to connect to the Internet, and laptop users would be required to connect to network services just as if they were out of the office.
Good wireless AP's should be able to block laptop to laptop communications, so that all the wireless network provides is internet access. Your network services should be hardened from Internet attacks already, and if they are not that should be addressed before any laptop related issue.
This has worked relatively well for me, might have a huge hole I don't see
*/
You don't make the poor richer by making the rich poorer. - Winston Churchill
If you want XP Home machines to be able to authenticate on the domain, just force them to connect to an internal VPN - their VPN credentials will be used for connections to local services (exchange, file servers, etc...)
And it isn't Solaris in the background, it is the desktop from which you control the machine.
Have the people working with it got any problems with using a real OS instead of the pretty-button Windows/KDE/Gnome crap? No. In fact when some outsiders come in and ask why they don't insist on Windows XP for the controlling software, the general attitude is "what the fuck for?"
People will learn to work with the tools they are given. Long before XP, long before KDE, yes even long before Gnome, even way way before Xerox itself came up with the idea of the modern desktop, people have used computers and machines which were far more difficult to use.
Frankly I think that when someone is incapable of learning to deal with another OS you should seriously question whether that person is capable at all. Would you hire a truck driver who can only drive DAF trucks? A forklift operator who instantly crashes when he is put on a machine which uses different pedals instead of a switch to choose direction?
If you ever switch between companies you are likely going to switch a lot of software tools. It is rare to see the same solution in 2 companies; how come people somehow seem able to cope with learning an entire new warehouse management system but are unable to learn a new login screen?
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
It's how you use it.
In the real world, WEP is much better than free access, in that in this real world most people don't bother once they see that WEP is active.
Transcend Humanity. Please.
I just finished reading the "Stolen U.C. Berkeley Laptop Recovered" posting. I'd agree that the biggest threat to and of laptops for corporate use is loss/theft. If it's lost, chances are someone's going to try to access the contents. There needs to be required encryption of the HDD; the data is probably worth far more than the cost of a replacement. Also restriction of what data can be copied to a company laptop. Over the last day there have been postings on the U of Miami at Ohio and U.C. Berkeley student information getting where it shouldn't be.
F7 doesn't work, ignore spelling and grammar
I work for a company with 80,000+ employees. And better than that a defense company. I'm willing to bet that more than one fortune 1xx company still gives laptop users administrative rights. There are far too many applications to support on the road without giving the users the necessary permissions to get the problem fixed. If I didn't know better I would call this flame bait. Then again slashdot has a pretty poor track record lately with s/n...
This should read...
d itorial/0,289131,sid39,00.html
Mark Brunelli, News Editor of searchEnterpriseLinux.com wrote to mention a SearchEnterpriseLinux column about reducing the negative impact laptops can have on a network's security. From the article: "Portable computers often become an extension of the person using them. It is no surprise that laptop users are inclined to be rather autonomously minded. Many users don't realize that the power they have to install software and change set
I don't mind plugging articles for your own site, but at least practice full disclosure.
http://searchenterpriselinux.techtarget.com/meetE
Wow, so far this discussion is heading in about 6 different directions, none of which pertain to the topic. While the article may be a simple anti-Windows piece, it brings up some real issues. As a sysadmin for a medium-size business, I have faced this issue (not with XP Home, but 2000 Pro and XP Pro) many times. I was hoping to see some insightful posts with approaches I had yet to try. Oh wait, forgot what site I was on for a sec.....
Oh, that's not even a result of it being a laptop, that's just XP Pro...
Slash-for-Thought
Get a freakin' help system in place so that I don't have to waste time clicking at stuff, getting annoyed, and then decide to give up altogether because it didn't work.
Well, for an Ubuntu end user there is always just paying for real tech support. I know Red Hat can help out with getting Wine to work (saw it happen); don't know about Canonical.
For a business I would never even consider using a specific distro unless there was a live person on the other end of a phone line. It just wouldn't happen otherwise.
Red Hat, Canonical, and Novell all offer excellent support for Linux; you can't go wrong.
Remember folks, slashdot doesn't have a -1 "disagree" moderation!
I'm just curious.
We have XP Prof. with Active Directory logins at our school, but I (Teacher ZZZAlpha) often bring my iBook in with me to play MP3s, audiobooks, or show Simpsons episodes that are not out on DVD (I'm a teacher, so I can't afford an iPod). I can login to the shared directories fine. The admin doesn't care, although he's not in a hurry to get the print server to allow me to print.
try it.
Just by adding a second account in the control panel, and changing the (default) administrator account to have a relatively secure password.
;)
:) why do small businesses need to buy XP pro when XP home has enough of the features to do everything that is 'easier' to do in XP Pro?
Since when does having Windows XP Home Edition prevent you from adding multiple users, some of them restricted users who can't install software? Is it because you only know how to use XP Pro's tools to manage security? You don't know how to lock down IE with the help of a few simple freeware utilities you can download off the internet?
I don't get it.
If I'm missing some big reason please tell me, other than XP Pro costs at least $120 more (OEM pricing), why someone needs to run Pro to do something I did on XP Home just last weekend...
https://www.gnu.org/philosophy/free-sw.html
What really helps for this sort of use is a DMZ configuration. Laptops get put on dedicated network ports on a separate VLAN (if your switch doesn't support 'em, time to get one that does, or build parallel infrastructure), or even on a wireless network. Either way, all laptops go onto a network that arrives at a single dedicated port (physical or vlan'd virtual) on the firewall. The firewall treats that as untrusted as it would a DMZ, and only offers public external services to it.
If your laptop users want to get at internal network services, they use their IMAP+TLS, TLS-secured authenticated SMTP, etc - same as they do on the road. File access - WebDAV with SSL and client certificates.
If you must, then expose some "internal" services - but only the sort, such as TCP/IP database access ports, that won't be affected by most win32 worms.
If you isolate laptops from your network core even when they're on site, you'll be a lot better off. With half decent switches you can even configure things so that laptops *can't* be used on the "standard" ports by MAC-locking each port to its appropriate host. If a user knows enough to change the MAC address on their laptop to match their desktop, then change the plugs, you're probably beyond technical solutions (and into "fire them if they don't understand how to follow rules") anyway.
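The DMZ-style design in this post, as an added example that is not the poster's own configuration: a small policy engine that encodes the rules (laptop VLAN treated as untrusted, only the road-warrior services published to it, laptop-to-laptop blocked, standard wired ports MAC-locked to their desktop) so they can be checked against sample connections before being translated into real firewall and switch syntax. Zone ranges, service addresses, switch port names and MACs are constructed; connection tracking for reply traffic is assumed to be the firewall's job and is not modelled.

```python
"""Zone policy for an isolated laptop VLAN plus MAC-locked wired ports.

Added example, not the poster's configuration: it models the design in the
post as a small policy engine so the rules can be tested against sample
connections. Zones, service addresses, switch port names and MACs are
constructed. Reply traffic (connection tracking) is assumed to be handled
by the firewall and is not modelled here.
"""
import ipaddress

ZONES = {
    "desktop": ipaddress.ip_network("10.0.1.0/24"),  # trusted core LAN
    "servers": ipaddress.ip_network("10.0.2.0/24"),  # internal service hosts
    "laptop": ipaddress.ip_network("10.0.9.0/24"),   # laptop VLAN, treated like a DMZ
}

# Services the firewall publishes to untrusted zones: exactly what a road
# warrior gets from outside (IMAP over TLS, submission with TLS, WebDAV over HTTPS).
PUBLIC_SERVICES = {
    ("10.0.2.10", 993),
    ("10.0.2.10", 587),
    ("10.0.2.20", 443),
}

# Switch port -> MAC of the desktop allowed on that "standard" port.
PORT_BINDINGS = {
    "Gi1/0/1": "00:11:22:33:44:01",
    "Gi1/0/2": "00:11:22:33:44:02",
}


def zone_of(ip):
    """Map an address to its zone; anything outside the known ranges is the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def decide(src_ip, dst_ip, dst_port):
    """Return 'ACCEPT' or 'DROP' for a new connection, following the post's rules."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == "laptop" and dst == "laptop":
        return "DROP"                 # AP client isolation: no laptop-to-laptop traffic
    if src in ("laptop", "internet"):
        if dst == "internet":
            return "ACCEPT" if src == "laptop" else "DROP"   # laptops get Internet; no transit
        return "ACCEPT" if (dst_ip, dst_port) in PUBLIC_SERVICES else "DROP"
    if src == "desktop" and dst in ("desktop", "servers", "internet"):
        return "ACCEPT"               # the trusted core LAN keeps its access
    return "DROP"                     # everything unlisted, including reaching into the laptop VLAN


def port_security(port, seen_mac):
    """'forward' if the frame's source MAC is the desktop bound to that port, else 'shutdown'."""
    expected = PORT_BINDINGS.get(port)
    if expected is None or seen_mac.lower() != expected:
        return "shutdown"             # unprovisioned port or a foreign MAC (a laptop plugged in)
    return "forward"


if __name__ == "__main__":
    samples = [
        ("10.0.9.5", "10.0.2.10", 993),   # laptop -> IMAP/TLS: allowed
        ("10.0.9.5", "10.0.2.10", 445),   # laptop -> SMB on the mail host: blocked
        ("10.0.9.5", "10.0.9.6", 22),     # laptop -> laptop: blocked
        ("10.0.9.5", "203.0.113.8", 443), # laptop -> Internet: allowed
        ("10.0.1.5", "10.0.2.10", 445),   # desktop -> internal SMB: allowed
    ]
    for s, d, p in samples:
        print(f"{s} -> {d}:{p}  {decide(s, d, p)}")
    print("Gi1/0/1 foreign MAC:", port_security("Gi1/0/1", "00:11:22:33:44:02"))
```

Because the laptop zone and the Internet zone share one rule branch, adding a service for road warriors automatically exposes it to on-site laptops too, which is the property the post relies on: the services those laptops can reach are exactly the ones already hardened for Internet exposure.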
Most computer users are not qualified administrators, in fact many of them are borderline computer illiterate. This isn't to say these people are dumb, they're just not very computer savvy. Such users tend to be able to use software they've been trained on or are familiar with but aren't likely to know exactly how it works. They click an icon, type in some values, and things happen. They don't need to know or care that the app is just a VB SOAP client talking to a web service via SSL hosted on the company's server farm. The guy down the hall in accounting needs to know how to do stuff in Excel, not how to write Excel.
That being said, these people aren't necessarily qualified to administer their own equipment. Some might have a bit of technical prowess but a majority of normal users are just that. So why are they put in charge of managing their own equipment and why are they able to take company information and property with them to get stolen or dropped down a flight of stairs? If they've got light communication needs how about Blackberries or Treos or some other connected devices. Quite a bit can be done through secured web interfaces or through web services with lightweight front ends. A little bit of well designed caching and users would be hard pressed to notice the company's database didn't exist on their little handheld device.
This approach isn't going to solve everyone's problems but it works for some in two major ways. The first is any single field employee can't take the sum of a company's data with them somewhere to have it hijacked by either action or omission. They're also not terribly likely to plug into an office machine and infect the whole network with some new Windows worm. A lost PDA might mean the company is out a few hundred dollars worth of equipment and maybe some confidential documents. A PDA that runs only application/web service front end software is really only out the value of the lost hardware.
If you've got responsible users you can probably trust them with full-fledged laptops. For those that are almost more trouble than they're worth, give them cool gadgets they can work on but do limited amounts of damage with. This is of course in addition to better network security in and out of the office. If you're giving even advanced users a laptop to take home, let them only take with them the data they absolutely need to get their job done. You don't want a laptop with 98,000 personal records on it stolen or something.
I'm a loner Dottie, a Rebel.
Don't you dare lock down the one fucking machine I have access to that isn't crippled by office manager paranoia. Every time I want to install something I have to explain it to our office manager. "ActivePerl...huh?" "Why the fuck you need Java?" Sure, maybe if you're IT laptops suck, but I'm the lone nerd in a company that does mostly net-based research. For me having access to the unlocked travel laptops is the difference between weeks of data entry and spending a couple hours surfing /. while a script does all the work.
As an aside, our laptops have XP Home, but our desktops have 2000. I have to ssh into my home computer (Mac), ftp the data file, process, and then ftp the results back. F..kin pain in the ass. 'Nough rambling.
Mainly because XP Home cannot directly join a Windows domain.
hello dear sirs my name is jamesh i are india (bihar) can u guide me install red had linux 9?
I work at a DoE National Lab, and many of the people there (including myself) have a laptop as their primary work machine. These machines are generally set up to give us full administrative access -- i.e., we can do whatever we want with them. Furthermore, we are allowed to take these machines home with us when we leave the office, and many of us (again, including myself) do so. I often work from home, and if I ever went on business trips I'm sure I would make frequent use of network access in hotels or other locations -- many other employees do this on a regular basis.
In spite of all of these facts, which I am sure are enough to curdle the blood of many IT managers, our site has had very few cases of intrusion by malicious software. And when it has happened, it has been dealt with swiftly.
I'm not sure how the IT guys here run their shop -- that's not my specialty. But clearly they're doing something right, and they would seem to disprove any claim that strict lockdowns on company laptops are necessary to keep the network secure.
I offer to take your company's garbage out for free!
My understanding is that XP Home sucks when it comes to networking. I used it for a short while and it locked up every single time I tried to access another machine via LAN.
Actually, the last large corporation I worked for caught Code Red from a salesman's laptop. This salesman was in Australia, far away from the IT Department.
Even better: It was a security company.
Best of all: It was the Mac team that brought it to the IT Department's attention.
Make your checklist and go through it with any Notebook that is introduced to the Company.
# Encrypted /home (I don't remember what it is called on Windows) prevents a lot of ugly things we see from stolen Notebooks nowadays.
# /home (he did it again) must be mirrored (possibly unencrypted) on a server (I think you've got to check for the term "server-side profiles").
# No administrative rights! I mean absolutely no administrative rights on the standard working user!
# The Notebook needs to go back to the IT department on sporadic calls once or twice a year to check if the user breached the security rules of the Company (...pr0n, fun tools...)
# Automatic Windows updates, ASAP! (Hell yea I know we like to know what is being installed, but this notebook is not always available for the Admin.)
# Centralized AV updates (this puts the power back to the Admin, we like that).
# All connections to the LAN from anywhere go through a VPN, even WLAN.
# Once you have done the whole setup, you may want to use dd (or Ghost or ...) to take an image of the notebook's hard drive, so you never need to do this for this Notebook again.
# YES, please document what you did, so the next Notebook will not be such a pain. This also gives you the possibility to review the security every now and then.
I surely forgot something, but this is a starter! Feel free to put more on the list.
But that's because we don't use that "Windows" software on our notebooks.
It is my first Mac (and certainly won't be my last); I've had it for two years... PCs and Windows just can't compare.
The space unintentionally left unblank.
I am a web developer; I use Eclipse+phpeclipse, also SciTE, ssh, sftp and can work well with Gimp. I was a happy Windows 2000 user but I have finally switched to Gnome and I am really happy here. Maybe you should switch to Linux too.
-Woof woof woof!
I'm a sysadmin. All Mac OS X and Windows notebooks I deploy are preconfigured, tested, verified, and locked down. Even Classic.
If any special apps or hardware is needed, it has to be dropped off during the "preconfigured" part of the process.
The truth here is you are being furnished with a portable workstation, not a personal surfboard.
Nine times out of ten, when some one pages/calls their IT department at 2am because their laptop broke, it's because they were doing something they weren't supposed to do, like install personal software and hardware.
I'm sorry, but if you call me at 2am because installing Flight Simulator broke your machine, and now you can't do your PowerPoint presentation (the work task at hand) I'm going to laugh at you, hang up, and report you to my boss.
Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
Hey, I :heart: linux as much as the next guy but it's still a bitch on laptops because either shit doesn't work or you need to hack for a week to get it to work. IBM has thrown quite a lot of support at linux and there are still problems running it on thinkpads. I have a T30 and even with 2.6 kernels, it's better to use APM than ACPI... even then, it doesn't work consistently.
Also, I use my lappy for audio/midi tracking and recording live gigs for various local bands. Rosegarden isn't Cubase. Audacity isn't Soundforge. Yes, linux has come a long way (especially in support of audio interfaces). Yes, I'm excited to see where it is going. That doesn't mean it's a viable solution to me now.
When 2k-tan has finally outlived her usefulness, which may not be for quite some time, I'll be deciding between linux and osx/x86. I hate to say it but unless Steinberg ports Cubase to linux, I'll probably be sucking Steve's co...er... choosing Mac.
--- Do you believe in the day?
IT boss to employee: "you have two choices:
1) A laptop with admin rights, that has no direct access to our LAN, but only a connection to a special quarantine server, which we will use to check everything you upload before letting it out onto our LAN, or...
2) A laptop with no admin rights, locked down so tight you can't even change your own wallpaper, but which is a full peer on the LAN.
You get to pick whichever suits your working style best."
... on the successful deployment of a well-crafted stealth troll. Judging from the response you got, it didn't show up on the radars of many of the resident Linux users.
That being said I agree with you (despite the troll factor). For the average user OS X is definitely easier to install and use on a laptop than Linux. I know a number of Linux laptop users and I shudder to think what Joe User would do when confronted with some of the flaming hoops these guys had to jump through, for example, to get their Wifi to work. Contrast that with my PowerBook where the Wifi... well... it just worked out of the box. You can flame me endlessly with how your Wifi card on your specific laptop running distro X also worked out of the box, but for one such example there are plenty of horror stories about some piece of hardware either not working at all on a Linux laptop or only being persuaded to work after major digital surgery on the OS, and those stories definitely outnumber similar stories about OS X.
Only to idiots, are orders laws.
-- Henning von Tresckow
XP Pro has a lot going on under the hood that makes it a lot better for businesses than home. There's a good run down here that goes into details about it.
For me as a sysadmin of 500+ machines, I'd have to say that the ability to join a domain, group policies, roaming profiles and remote desktop are probably the four major XP Pro differences that benefit me.
These aren't in the Home version simply because they're not needed, unless you are running some kind of domain at home. Incidentally, XP Home's security subset is greatly crippled compared to Pro's which means less fine tuning of network resource access - we're talking network security and user policies here, not just browser holes. You'd probably expect a small company to have a server, and while XP Home will do this just fine, it's not the best utilisation of what you have and can't be centrally managed.
What I'd suggest you do is have a look at XP Pro and look at how the additional features benefit small businesses. XP Home may make things easier on one or two machines, but the more machines you deal with, the more XP Pro comes into its own - even with as few as four or five.
It's slow when accessing other shares using netbios addressing; stick a linux box on the network and it speeds up dramatically (or a win2k / 2k3 server, or anything running wins or netbios naming). XP Home can't connect to Active Directory, making it useless for companies who implement this; if you're not running Active Directory, you might as well just use Linux and save yourself money and hassle.
"If he were a plant, people would roll him up and smoke him."
Of course not. As a developer you have different needs.
BUT, in doing so you have even more responsibility to keep your house in order: it would be you hanging on a thread if a virus/worm/whatever infects your machine, net, or ultimate product.
I'd have to say that in terms of preventing war driving and the like, MAC address filtering is the best thing since... well actually it's really the only thing going to keep unwanted devices off your network. WEP is useless, and WPA is unsupported by most devices.
The ability to only allow specific devices to operate on a network is very attractive (hopefully it actually works on most routers). Lazy sysadmins might complain that it entails extra workloads, but honestly lazy admins are half the reason for all this war driving nonsense anyway!
May the Maths Be with you!
I too had this problem with my parents' Dell machine. It could read files off my Linux box, my old Win98 machine, and my Mac; but it locked up during any file transfer and had to be rebooted.
He who lights his taper at mine, receives light without darkening me.
Windows and viruses have been around long enough that the network folks should have figured out how to protect themselves by now. Those that get their laptops screwed up can get them fixed over and over and over until they learn not to screw them up. Corporate images suck. The P in PC stands for personal, and each employee should be able to configure their PC with the OS and tools that make them a productive citizen. I'm not talking about shared workstations like you find in a call center - but the system that YOU use to do YOUR job. My IT department would not allow me to have Google Desktop or the DeLorme map utility, or my screen capture utility, or Skype. We are not supposed to use AOL/IM while inside the firewall. Fark em. I wiped my corporate image clean within an hour after they gave it to me. Yes, it's my responsibility to not screw up their network, but it's also their responsibility to protect themselves from the likes of me. Those who run the hotels and other public access points have a lot to teach the corporate IT folks who spend more time making up rules than figuring out how to deploy something that works. There, I feel better... -aggles
This is no longer a true statement. You can now pop in a CD and install linux just as easily as you could windows. My proof: My wife who used to be a mac user, converted to windows in the last 10 years (Mostly because I am a PC user). I installed CentOS on her desktop and she still had no issue. She's not a programmer and isn't that technical (she asks for help plugging in her scanner). Yet she was able to use linux with wifi, firefox, thunderbird, gimp, etc.
SearchIRC - Now with live chat directory!
I was recently involved in an international procurement where 10,000 laptops were supplied with XP Home. The mission-critical application on the laptops was highly secure - all data was encrypted to a high degree but the laptops themselves were wide open to attack or, more likely, inadvertent denial of service by ignorant or curious users.
By the time I flagged this appalling oversight, the procurement process was too far advanced. So, a US$44 million procurement went ahead using XP Home on the kits.
The application? Electronic Voter Registration in a large sub-saharan country in Africa.
So it's not just small businesses who drop the ball.
The budget will never be there to upgrade to XP Pro. And they simply don't have the skills to replace XP with a Linux distro and port the application (which is proprietary anyway).
Does anyone have thoughts on what can be done to improve the security of XP Home?
Backward compatibility is over-rated
I'm the admin at a K-12. Basically my policy for laptops is that if you want to use one, you have to give it to me first and let me lock it down. I treat it just like I would any other workstation: I take away their admin rights, install Firefox and disable IE, install our centrally-managed AV, enable auto updates, make sure the firewall is up and running, etc. Any extra programs you want to install, you have to ask me first. It still makes me nervous though, and we have definitely had our share of laptops causing trouble on the network. And yes we have had laptops stolen which is never much fun. I make sure any important data gets backed up to a server.
The other day I was at a client's site removing spyware and adware from yet-another-windows computer and wondering why companies put up with this. I can imagine hundreds - if not thousands - of IT guys all wasting their education and talent removing shit from an OS that should never have allowed it on there in the first place. This must be costing the economy billions of dollars. Yet companies continue to buy XP (Pro or Home... both vulnerable) and will almost certainly line up to pay $400 to upgrade to Vista.
Meanwhile I use an iBook on the road (for its Unix network capabilities) and Linux on the desktop. And an old Win98 box ONLY for Quickbooks Pro. And I wouldn't be doing that if I could find a similarly-priced Linux accounting solution that does everything for $800.
No one ever had to evacuate a city because the solar panels broke!
I remember working at a place where they confiscated floppies in the lobby but I (outside contractor) was carrying back and forth my laptop with some 10 million records on it. A lot of people are issued a laptop when they don't really need it.
The General automaker issues laptops like said with XP, no admin rights at all. I don't have one. But I sit in front of a zippy desktop when there, and have been told that I cannot access the web at all, to look at Slashdot for my daily dose of news, not even on my lunch break! Talk about being tied down. For anyone who depends on the internet for his daily fix of news, email, newsgroups, etc, it is truly stifling, and the stress on my family when I get home runs high. Lots of activities on the web at work will put you at risk for your job!!!!
It's a fundamental rule of systems engineering that workstations are part of the user, not part of the system. This is especially true of laptops.
Any sysadmin that thinks limiting user privileges on the workstation is solving a security problem is fooling herself. System security needs to be set up on the assumption that all workstations are hostile.
I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
The risks of not being able to do something when you need to, of losing time due to not being able to install the right tool for a task without a prolonged wait, of requiring a large staff of people working on overhead budgets to maintain machines in ways that reduce a user's flexibility to better their processes, etc. are not only extremely high but usually realized risks on a frequent basis for those who work with locked-down machines and rely on IT departments for installation. For laptop users who may be out of the region supported by their IT department when a need hits, these risks are increased. Too many times, I've seen those with the centralized IT religion justify the placement of large monetary and time burdens on those trying to do the business of a company without adequate risk / benefit analysis, and usually by trumpeting a worst-case scenario that has little chance of actually happening or that, if it happened, would not equal the true impact of their "solution".
An interesting example was the early effects of antivirus tools. In the 90s, when antivirus tools started to be deployed en masse in the big corporations, the tools were immature, interfered with the operation of many programs, and consumed about 1/3 of the machine's bandwidth. It was very simple to show that the average time lost across an engineering organization was around 2 to 3 man-weeks per year per individual. There was also the loss of paying for and deploying the antivirus software and the loss of earlier-than-necessary upgrades to hardware because of the impact of the antivirus software on the performance of every program you ran. And yet, few of us had ever been hit by a virus. Accepting a hit that took down a large portion of the company for a couple of days a year would have been far more cost effective. And actually, at least in my case, it would likely have had no real impact since it would have just replaced one of my periodic system-wide rebuilds anyway. Many companies could stand to benefit hugely from a periodic shutdown and cleanup of their systems anyway. Often, this is just what is needed to purge legacy issues that one can't get permission to fix due to the impact of a downtime on users.
Ah - no. They buy them from Dell. Just because it's a smaller business doesn't mean that the people who run it are stoopid.
I don't know what the author's smokin', but in my corporate environment, we can recover a virus-infected laptop in 10 minutes by slapping a new Ghost image on it. Of course, all data is lost, but that was going to happen anyway if you throw it out.
.... and started handing out these MobiBook PROs. It's basically a thin client running a customized version of WinCE .Net with RSA security. I use it to connect to my desktop computer (as well as my home computer) and work as if I'm in front of my desktop. The cool part is that my organization keeps all of its data behind the firewall and corporate policies are still enforced.
As far as they are concerned, problem solved.
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
A company I used to work for, a fair-size place with 6 offices and about 500 employees, didn't care much for me bringing my laptop into work. About every four months my manager would start grumbling that I really shouldn't do that. By some random chance, however, each time things were getting desperate, some special need would come up that necessitated my laptop. (There were no company laptops.) My machine also had a good hunk of HD space free, SCSI with disk recovery tools, and lots of other handy things. Being a Mac, it could also convert obscure file formats we would occasionally receive from a client. And that would reset my harassment level back to normal, and the cycle would start over. This went on for the better part of two years.
Ironically, the company was technologically in the dark ages. My laptop was hands-down the fastest machine in the building, and had more storage space on its built-in drive than any single fileserver we owned. (Heh, though my lappy didn't have RAID...)
The biggest problem we actually had was the Windows users bringing in floppies. No, not the regular employees... the IT staff. We used floppies for data backup of stats files, and on at least three occasions I had to go on a "NYB hunt" and flush NYB off probably 1/3 of our stats floppies (about 100). I suspect the same person on each event. Fortunately that one had a very obvious side effect that made it easy to spot - a system with NYB resident could not format floppies. (It survives Ctrl-Alt-Delete too, irritating bugger; you must cold boot.)
PCs may have a death grip on the business scene, but they could do a world of good toward solving the security issue by using PowerBooks for their portables. Almost zero risk of getting a virus into the company from it even with the most reckless behavior, and arguably a better portable in any event. (Call me a troll if you simply just hate Macs, but you must admit I have a valid point!)
I work for the Department of Redundancy Department.
XP Home cannot join domains. If you have more than a handful of computers, you're going to want a domain.
At our company I tried removing administrator access for all users except network admin staff, but had to change all users back since lots of Windows software doesn't work unless run by an administrator.
Our CAD application, accounting application, and PDF creation software, just to name a few apps, either don't work at all or exhibit very strange behaviour when run as non-admin.
As far as I have been able to find, there is no practical way to set advanced file permissions on an XP Home OS -- e.g., removing all permissions from a troublesome file to preclude "accidental" execution OR reinstallation. And, yes, this is really useful in many security situations.
//Information does not want to be free; it wants to breed.
XP Home doesn't support domain authentication. Your average MCSE doesn't know how to handle that and insists on the user buying XP Pro for $500. There are some workarounds, but they are not pretty since they all require the installation of a second authentication system, which basically negates the whole purpose of the domain system.
Oh well, what the hell...
Anyone should be able to put any device on your network with all the authentication they can muster and not damage your network. This is security 101. Treat your users as hostile because sometimes, they are!
Let them use what they can but don't let them break anything that you couldn't fix. Not letting people use the tools you give them is a braindead solution to the problem. Granted, it may be a temporary necessity because your servers and services are next to impossible to secure any other way but long term, this is not the solution.
set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
Dear Prof/Dr/Mr/Mrs/Other Coward, Thank you for your insightful comment. It has been safely filed in /dev/null for later review.
Regards,
Cowboy Neal.
Oh well, what the hell...
The best solution is to dump windows. For applications without a replacement, use wine. The sooner you do this, the less trouble you will have. As M$ branches out, finally, into networking services it will be harder and harder to interoperate.
Friends don't help friends install M$ junk.
All this does is make it difficult to connect alternate OSs to your network. The user still gets owned through email, web or a full-auto worm. Once owned, the laptop can access anything the user could.
2) Even then, use as many encrypted streams as you can (ssh, https, pop3s/imaps, etc.).
Now you're cooking with gas. Still the holes in the OS defeat the better applications. What good is ssh when a key logger has been installed?
3) Physical security.
Yes, this is a problem but a secondary one. The one or two thieves you are liable to meet in a year of visiting the library are dwarfed by the number of worms, crackers and other baddies 250,000,000 network users will throw at you in the same time. Most physical thieves just want the money from selling the laptop. They have no use for data and generally lack the skills required to retrieve it, especially when confronted by an OS they have never seen down at the crack house. The pros can get through anything on the net, but a Windoze setup makes industrial espionage much easier. The top causes of data loss are going to be software failure caused by worms, spyware and all of that. Loss through physical theft is rare.
Friends don't help friends install M$ junk.
I'm posting this so that you (the moderator) have some context to consider twitter and not mod him up whenever he posts his filler preformatted rants about installing Knoppix or Mepis or whatever that unfortunately get him karma every single time and allow him to continue posting his trademark toxic crap (read on) day in and day out. You may consider this a troll - I consider it community service. And I ain't kidding.
If you're a /. subscriber, I invite you to look through some of his posting history. I guarantee that you'll be hard pressed to find someone that is more "out there" than twitter. You'll also probably notice he's got quite an AC following. Don't just read his posts, make sure you go through the replies.
To get an idea of what I'm talking about, check this post out. This is an article about email disclaimers. The parent of the post is complaining about the ads in the linked page and so on, and twitter actually goes off on a rant to blame it on Microsoft and recommend Lynx, because "is teh free".
Here's another. In this post twitter not only calls the OP a troll but attempts to "tell it like it is" while making some vague argument about "GNU". Yes, if you're confused, you're not alone. The reply (modded +4) proceeds to simply destroy his bogus argument. You will notice he did not reply. This is what some people call "drive-by advocacy". A sort of I'll just leave you with my thoughts here and move on to the next flamebait kind of deal. In fact, he almost never replies because he knows that his fanatical arguments simply do not hold up to any sort of discussion. It's not that he's chosen the wrong cause - he's just going at it in a completely wrong way.
Here's that drive-by advocacy and FUD in motion: twitter goes on about some topic and then drops the usual "oh and M$ is teh evil" because "WMP phones home" or some such. Called on his FUD, he then claims that WMP stores every song and movie you've ever played in a file, somewhere. Pressed further, he just sort of slithers out of sight, his FUD-spreading complete. This is not about some Microsoft technology that nobody likes anyway; it's about lying for the sake of lying. Way too many of his posts are exactly like this one.
More? Just read through this post and the subsequent replies. I guess this stands on its own. Or these two. Or this one. Or this one.
Still not convinced? This is what twitter considers "humour" while going about his daily "M$" routine.
M
That is how it sounded to me too!! Group hug everybody!!!
Maybe Slashdot should have a "poster is a crackpot" moderation? We can't be bothered to challenge or falsify all those "interesting but probably untrue" postings, can we? Of course, we accept lots of dubious claims from people we trust or like, but that's a totally different story, right?
The anonymous stalker has become a part of the problem that he seeks to remedy.
Why in the hell would a normal user be an Admin in a domain? Crap like this is what makes Winsores so bad. With Winsores everybody has to be an Administrator. Hell, I am the Admin and I never run under Administrator except to fix something.
I'm so glad I switched to Linux
Sorry if this has been posted before (I don't have time to read it all), but you can get the advanced user settings in WinXP Home that you get by default in XP Prof: Start > Run > "control userpasswords2". Enjoy :D