Slashdot Mirror


Do You Allow Webmail Use on Your Network?

rtobyr asks: "I don't allow users at my organization to use any third party e-mail. When users complain, I point out that we can't control the security policies of outside systems. End users tend to think that big business will of course have good security; so I ran a test of the 'Big Four': Hotmail, Yahoo Mail, AOL/AIM Mail, and GMail. Yahoo Mail was the only webmail provider to allow delivery of a VBS script. GMail was the only provider to block a zipped VBS script. End users also tend to think that a big business would never pull security features out from under their customers. Of course, we know that AOL and Microsoft have both compromised the security of their customers. I don't know of any security related bad press for Yahoo or Google. Three of my Big Four either allow VBS attachments or have poor security track records. So, if you are a network administrator, do you limit your users' ability to use third party e-mail, and if so, do you allow for GMail or other providers that you've deemed to have secure systems and reputations?"

487 comments

  1. How? by ellem · · Score: 2, Informative

    Besides the obvious Content Filters how are you blocking them? A moderately bright young chap could proxify their way around that.

    --
    This .sig is fake but accurate.
    1. Re:How? by Seumas · · Score: 4, Insightful

      Not to mention, who cares what the webmail services allow? Just because they allow a user to receive - say - a VBS file doesn't mean that you have to allow that onto your network or that you can't block such an attachment and allow the webmail.

    2. Re:How? by rikkards · · Score: 1

      Besides the obvious Content Filters how are you blocking them? A moderately bright young chap could proxify their way around that
      Two fold method:
      1. Content Filter
      2. By an acceptable use policy stating the equipment is for work only and any deviance could lead to dismissal.

      Maybe a bit draconian but we do have separate machines that are sandboxed that they can use for surfing "work-unfriendly" sites.

    3. Re:How? by fistfullast33l · · Score: 3, Informative

      Our company uses a proxy server that redirects you to a warning page. I think most large organizations do that nowadays if they want to block something. I doubt you can proxy your way around it since you need the proxy to get out of the firewall, so basically you can't connect through port 80 at all. Of course, attempting to go around the proxy will probably get you fired anyways, so I don't try it.

      Another reason, that isn't documented here, that people would want to block external communications (AIM, GMail, whatever) would be legal requirements to document any communication with a client. This would especially include banks, security companies, etc. I know that financial institutions are required to archive all email communication forever, literally. Morgan Stanley got into huge trouble because they didn't. In order to control the flow of information, most banks just block external email services so the content is easier to control.

    4. re: how? by ed.han · · Score: 1

      monkeying w/ proxy servers is likely a violation of the acceptable usage policy as well, i should point out.

      ed

    5. Re:How? by rizzo320 · · Score: 2, Insightful

      Another reason, that isn't documented here, that people would want to block external communications (AIM, GMail, whatever) would be legal requirements to document any communication with a client. This would especially include banks, security companies, etc. I know that financial institutions are required to archive all email communication forever, literally. Morgan Stanley got into huge trouble because they didn't. In order to control the flow of information, most banks just block external email services so the content is easier to control.

      What stops an employee from doing this outside business hours? They could easily contact them at home with their personal account, or even using a blackberry or other smartphone, if they have that device configured to check mail.

      I'm not sure how much this new legislation will prevent communication from being "lost" in the future any more than in the past. There have been laws on the books for several decades in regards to record keeping and keeping "paper trails" yet, there are always missing documents when some type of scandal or investigation causes the s$%t to hit the fan.

      If someone's goal is to communicate in a secretive or malicious manner, it's going to be done regardless of whether you can access gmail.com at work or not.
    6. Re:How? by Seumas · · Score: 2, Insightful

      Sure, they may be required to archive information forever. I don't think that includes personal emails and personal phone calls. And if you work somewhere that you can't send a note to your wife or make a phone call to say you're going to be home late or ask how your spouse's doctor visit went, then it's time to get out. And I don't see how any private communications need to be archived.

      That said, there are simple workarounds. If your employer has some sort of SOCKS proxy, that's very simple to SSH through. One connect.c file and a line in a config file will get you working on OSX for example. Then you can use SSH, IMAP, HTTP and whatever else you want.

      Or you could just have a Treo with unlimited internet service and do whatever you want.

      That they have to archive communications or control business communications does not seem relevant. Simply have a policy that states "email services outside of the control of this company are not to be used for business correspondence". Seems simple enough.

      Also, I know that at my company there have been times when the email has gone down and I've needed to send a small file to a client or request some information and I've had to do so through a non-business webmail account. Has saved much hassle and additional time that simply waiting around for email to return would have caused.

      I think I would go insane if I had to work in the environment a lot of you describe being stuck in. :(

    7. Re:How? by BunnyClaws · · Score: 1

      We do block the major web mail websites with content filtering.
      Yes, a moderately bright young chap could proxy his way around the content filtering. We have had those moderately bright chaps get fired for doing it as well.

      --
      "Anything tastes good if you deep fry it."
    8. Re:How? by prothid · · Score: 1

      The smart ones are also likely not to fall victim to running a vbs script in their webmail. It's a pity that they either can't follow company policy or can't find a job that lets them do a personal task here or there.

    9. Re:How? by AKAImBatman · · Score: 3, Insightful

      Yes, A moderately bright young chap could proxy his way around the content filtering. We have had those moderately bright chaps get fired for doing it as well.

      Way to remove your best talent there, chief.

      And drive away the possibility of any new talent.
    10. Re:How? by Prof.Phreak · · Score: 1

      Indeed. We constantly get requests to rename our distribution .exe file to .txt, put it in a .zip file, and send it as attachment... since plain .exe are rejected, as well as .zip files are rejected. But -then- we have to deal with angry users who cannot run our program.

      Now, isn't that silly? If you don't think so, imagine explaining how to unzip and rename files to business folks... especially if their Windows is setup to hide file extensions (many have no idea what a file extension is!).

      In my opinion, corps shouldn't concentrate on -filtering- things (nor blocking webmail), they should concentrate on educating users. In my opinion, anyone who doesn't know what a "Command Prompt" is, or how to rename files, or zip/unzip shouldn't be allowed to touch a computer.

      --

      "If anything can go wrong, it will." - Murphy

    11. Re:How? by celardore · · Score: 1

      we do have separate machines that are sandboxed that they can use for surfing "work-unfriendly" sites.

      So long as pr0n is kept to lunchbreaks?

    12. Re:How? by bzipitidoo · · Score: 1

      If you can afford to fire someone for using a proxy, must be quite a supply of unemployed moderately bright chaps out there, eager for any work. Not suffering any shortages or problems finding qualified people to hire, are you?

      --
      Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
    13. Re:How? by Drakin020 · · Score: 0

      That's why you block it at the PIX, or whatever kind of firewall you might be using. You can't "proxify" your way out of that.

      --
      The greatest revenge in life is massive success.
    14. Re:How? by Dancindan84 · · Score: 1

      Typically someone smart enough to get around it would also be smart enough to not open potentially hazardous attachments. My work doesn't block anything, but keeps images of the computers that can be rolled back to in the case of issues/infections.

      --
      "Always forgive your enemies; nothing annoys them so much." - Oscar Wilde
    15. Re:How? by racermd · · Score: 0

      If I'm not mistaken (and I very well could be), one of the SOX requirements is that all external communications be logged and retained for a certain period of time.

      By running *all* external traffic through a proxy, a company *can* effectively do this. Whether or not they do is really up to the company's security/IT folks.

      --
      My sources are unreliable, but their information is fascinating. -- Ashleigh Brilliant
    16. Re:How? by hazem · · Score: 3, Interesting

      Simply have a policy that states "email services outside of the control of this company are not to be used for business correspondence". Seems simple enough.

      Except some people may NEED to do just that because of the stupid rules set up on the company mail servers.

      For my work, I deal with a developer in another state and we have to exchange large files. From inside our network, I have no way to ftp/ssh into his company servers to transfer the files. So, e-mailing is the only option. Our e-mail servers won't allow attachments that large.

      So, we use gmail. It's not elegant, but we can easily send the files we need back and forth and actually get our work done.

      Oh yes... our IT people are the same totalitarians you find everywhere (I used to be an admin, and back then, we actually tried to help our people do their jobs, not inhibit their work). So, they won't adjust the rules of our mail servers, or provide a way for me to connect to the other company's computers and transfer the files.

      So there it is... IT's motto is "IT at the speed of business", but the reality is "business crawling at the bureaucratic speed of IT". It's like they believe that they are the revenue generating portion of the company and that the rest of the company exists to serve IT.

      Sadly, that view is all too common.

    17. Re:How? by BunnyClaws · · Score: 1

      How would that be the best talent if the company is a Bio-Medical company? Oh, right because people with a moderate amount of knowledge are usually the top talent in most companies.

      --
      "Anything tastes good if you deep fry it."
    18. Re:How? by 0100010001010011 · · Score: 4, Insightful

      I am one such "Moderately Bright Chap".

      I have putty on my computer and I run everything through a SOCKS proxy. I have Firefox, Thunderbird (no webmail for me) and iTunes all going through one of my few shells.

      I occasionally surf between 0 and 3 hours a day: fark, slashdot, ebay, etc. Last year I received the highest rating that someone of my salary level could. My boss, my coworkers think I'm a magic man, when I'm asked to get something done I get it done as fast as possible. Techno &/or 80's music tends to set a rhythm for my coding, despite internet radio being frowned on (not officially banned). My parents are going through a divorce. I like to e-mail both of them and my siblings during the day, but I like to keep that off of corporate mail. Sometimes I want to win an auction during work and sometimes I just need a detox.

      With all due respect, you and your company can go fuck themselves. If I got the lowest rating, then yes, there's a problem. But you and your company are automatically removing people like me because we get stuff done AND we have personal lives.

      Content filter the secretary not the MSMEs.

    19. Re:How? by AKAImBatman · · Score: 1

      You're telling me that your top talent is not computer literate enough to make child's play out of your proxy blocks? I would think you'd be hiring the smart people. You know, the ones who use computers (and even some custom programs) to do much of their research, simulation, and experiment tracking?

      Computer knowledge is pretty pervasive in the sciences these days. It needs to be, otherwise the research doesn't get done. So as I said, way to rid yourself of talent.

    20. Re:How? by aardvarkjoe · · Score: 1

      Wow. Right now, I really wish there was a moderation option for "-1, Way Too Full of Himself."

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    21. Re:How? by 0100010001010011 · · Score: 1

      Actually, we are.

      I'm a "mechanical engineer," at least that's what my degree says. I'm considered top talent in my diesel engines company because I can get stuff done. Computer knowledge isn't that difficult to obtain. "ssh -D 1080" (and the putty equivalent). I've written VB scripts and matlab scripts to analyze data that people used to do by hand. To me it's trivial but to my managers it's considered 'best talent'. You'd think that at a biomedical company there would be one or two 'top talent' individuals who were really good with computers that could help analyze results.

      Maybe you guys still do it all by hand?

    22. Re:How? by tx_kanuck · · Score: 1

      OK, so you're special. Good for you that you can set up a SOCKS proxy and ignore any and all IT policies that you feel shouldn't apply to you. Wow, I'm impressed.

      Do you seriously think IT puts these policies in place just for the fun of it? If you accidentally brought down the network and cost the company $10,000, who do you think would get in trouble? You? Nope, the IT guy who let you bypass their security and ignore the policy. You might get a slap on the wrist, but chances are the IT guy is now looking for a new job.

      And as for a personal life.....if the company culture/policy is that at work you work, then keep it out of the workplace. You are paid to work, not play. Don't like that idea? Then leave.

      And yes, I am posting from work, and yes I am allowed to do it. Chances are my boss will probably see this comment (Hi Jon!!) as he surfs slashdot as well.

      --
      Now, if that makes sense to anyone, could you please explain it to me? I think I've confused myself.
    23. Re:How? by BunnyClaws · · Score: 1

      The really smart people that are talented and do research are usually given a setup that allows them to do the work they need in a separate environment from the rest of the company. This would be done for a biochemist doing research. If you are just a business programmer you don't get this because you can probably be replaced by someone with an H-1B visa.

      --
      "Anything tastes good if you deep fry it."
    24. Re:How? by gratemyl · · Score: 2, Insightful

      The employer is only required to document communication which has occurred "related to" the business. If an employee chooses to contact a client from outside of the work place, outside of their working hours, this is not official communication by the bank and thus is unrelated. The employee is then at fault, but the employer is protected legally.

      --
      hackerkey://v4sw5/7BCHJMPRUY$hw3ln3pr6/7FOP$ck6ma8+9u6L$w4/7CGUXm0l6DLRi82NCe3+9t5Sb7HMOPRen5a17s0DSr1/2p-3.62/-5.23g3/5
    25. Re:How? by 0spf · · Score: 1

      Access Denied

      I work very hard to keep the garbage out of my network and off my email server. I will not let it waltz in via somebody's home email account.

      All ports blocked at the firewall for outbound traffic. You must connect to a server that is permitted to access the service you need. This access is logged.

      For web traffic three proxy servers are allowed past this block for ports 80 and 443. This access is logged.

      Proxy servers monitored by NetSpective web filter that is set to block web based email and known public proxies amongst other things. This access is logged. My users continually help me find new sites to block.

      If you are persistent in trying to circumvent my protection I find creative ways to make your life miserable. If you are a good user and have an emergency situation a temporary exception can be granted with proper supervision.

    26. Re:How? by BunnyClaws · · Score: 1

      I agree that computer knowledge isn't that hard to obtain. That's why I don't think someone getting past content filtering would be considered top talent. A high school intern could do this but would that make him top talent?

      --
      "Anything tastes good if you deep fry it."
    27. Re:How? by Rob+the+Bold · · Score: 2, Insightful

      If you are just a business programmer you don't get this because you can probably be replaced by someone with an H-1B visa.

      And that, my friends, pretty much summarizes the arguments for and against expanding H-1B caps.

      --
      I am not a crackpot.
    28. Re:How? by zero1101 · · Score: 1, Insightful

      For my work, I deal with a developer in another state and we have to exchange large files. From inside our network, I have way to ftp/ssh into his company servers to transfer the files. So, e-mailing is the only option. Our e-mail servers won't allow attachments that large.

      So, we use gmail. It's not elegant, but we can easily send the files we need back and forth and actually get our work done.

      So who's to blame when your gmail account gets cracked and your company's IP gets stolen? Your sysadmins for "forcing" you to use gmail?
    29. Re:How? by davester666 · · Score: 1

      Indeed. We constantly get requests to rename our distribution .exe file to .txt, put it in a .zip file, and send it as attachment... since plain .exe are rejected, as well as .zip files are rejected. But -then- we have to deal with angry users who cannot run our program.

      That's what I always thought was retarded about communicating with Adobe. If you need to send them a file of any size, they want you to 'zip' the file, but to get the file through their firewall, you need to rename the file with a different postfix. And it's not just a private workaround that individuals use, it's documented on their web site for communicating with Adobe.

      It's like "we have this policy, we know it's stupid, but we don't want to change it, so here's how to work around it".

      --
      Sleep your way to a whiter smile...date a dentist!
    30. Re:How? by Anonymous Coward · · Score: 0

      That's just pathetic.

      You're supposed to enable the people that use your infrastructure, not sabotage them because it's easier for you.
      But of course that takes effort and talent.

      I'm sure you're the smartest guy in your company by now because anyone smarter than you would not have put up with this kind of paternalizing IT bullcrap.

    31. Re:How? by mr_matticus · · Score: 1

      Why should secretaries be treated with any less freedom and respect than you are? They have an even more irregular schedule with lots of brief periods of idle time and should be permitted those pockets to look at shoes or refrigerators or radial arm saws online or email their kids.

    32. Re:How? by shadow349 · · Score: 1

      You do realize that touching pictures of a "Big Mac" and "Large Drink" is NOT considered "coding", right?

    33. Re:How? by 0100010001010011 · · Score: 1

      Secretaries are more likely to open that "Hey look at these kids pictures.jpg.vbs.exe" file than engineers.
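
      Seumas's point earlier in the thread (allow the webmail, block the attachment), Prof.Phreak's ".exe renamed to .txt inside a .zip" workaround and the "kids pictures.jpg.vbs.exe" file name above all come down to the same gateway check: look at every dotted segment of the name, look at the content rather than trusting the name, and look inside archives. The following is an added example of that check, not code from the thread or from any filtering product; the extension list, the nesting limit and the size cap are assumptions for illustration, and the sample attachments are constructed here rather than taken from a real mailbox.

```python
"""Attachment gate of the kind a web proxy or mail gateway would apply (added example)."""
import io
import zipfile

# Extensions Windows runs on double-click. Shortened for the example (assumption:
# a production list would also cover .lnk, .msi, macro-enabled Office types, etc.).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta"}
MAX_DEPTH = 3                 # archive levels we are willing to open (assumption)
MAX_MEMBER_BYTES = 50 << 20   # refuse to inflate a member larger than this (zip-bomb guard)


def risky_extension(name):
    """Return the first dangerous extension in a file name, or None.

    Every dotted segment after the first is checked, so 'kids pictures.jpg.vbs.exe'
    is caught on 'vbs' even though a naive splitext() would only see 'exe'.
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    for ext in base.split(".")[1:]:
        if ext in EXECUTABLE_EXTS:
            return ext
    return None


def is_pe_image(data):
    """Windows executables start with the 'MZ' DOS stub whatever they are called,
    which is how a .exe renamed to .txt is still recognised."""
    return data[:2] == b"MZ"


def inspect(name, data, depth=0):
    """Return a list of (path, reason) findings; an empty list means 'pass'."""
    findings = []
    ext = risky_extension(name)
    if ext:
        findings.append((name, "executable extension ." + ext))
    if is_pe_image(data):
        findings.append((name, "PE executable content (MZ header)"))

    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            findings.append((name, "nesting limit (%d) reached; not inflated" % MAX_DEPTH))
            return findings
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = name + "!" + info.filename
                if info.flag_bits & 0x1:          # encrypted member: cannot be scanned
                    findings.append((member, "encrypted archive member"))
                    continue
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append((member, "member too large to inflate"))
                    continue
                findings.extend(inspect(member, zf.read(info), depth + 1))
    return findings


def allow(name, data):
    """True when the attachment may pass."""
    return not inspect(name, data)


def build_zip(members):
    """Helper for the constructed samples below: members is {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, payload in members.items():
            zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed sample attachments (not real files, not malware).
SAMPLES = {
    "invite.vbs": b'MsgBox "hello"\r\n',
    "invite.zip": build_zip({"invite.vbs": b'MsgBox "hello"\r\n'}),
    "setup.txt": b"MZ\x90\x00" + b"\x00" * 60,                 # .exe renamed to .txt
    "kids pictures.jpg.vbs.exe": b"\xff\xd8\xff\xe0 not a jpeg",
    "report.zip": build_zip({"report.pdf": b"%PDF-1.4\n%fake\n"}),
    "outer.zip": build_zip({"inner.zip": build_zip({"run.vbs": b"WScript.Echo 1"})}),
    "deep.zip": build_zip({"l1.zip": build_zip({"l2.zip": build_zip(
        {"l3.zip": build_zip({"x.txt": b"hi"})})})}),
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        verdict = "ALLOW" if allow(fname, blob) else "BLOCK"
        print("%-28s %s %s" % (fname, verdict, inspect(fname, blob)))
```

      Python's zipfile module cannot write password-protected archives, so the encrypted-member branch is only exercised on input; it is there because an encrypted zip (the trick one poster used to get a file past Adobe's gateway) is exactly the case a scanner cannot vouch for and should therefore not wave through.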

    34. Re:How? by Penguinisto · · Score: 1

      So who's to blame when your gmail account gets cracked and your company's IP gets stolen? Your sysadmins for "forcing" you to use gmail?

      Ditto on that one... I found it much, much easier to simply up the limits (courier has something like a 10MB limit by default I think; others are similar - but they're drop-easy to lift). Disk space? No prob. If it started to look like it would get tight, I'd ask for more from the Array, pointing to the increased usage as justification.

      'course, it would be easier to just fix the source of the problem and allow some ssh love to come in from the remote user's host to a specific server or jail set up in the DMZ, then have scp do the heavy lifting from there ('doze users have cygwin and PuTTY, so what's the prob?)... This leads me to wonder why something like that hadn't been done already.

      /P

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    35. Re:How? by Noexit · · Score: 1

      Jeez, why is everyone assuming that the "end users" in the write up are computer jocks, programmers, admins or the like? The dude is probably talking about the secretaries, the clerks, the CEO, the CPA, the lawyers, etc. If you're the data entry clerk and you're spending your time Farking around and setting up proxies then you're screaming to be fired.

      --

      Never argue with a man carrying a water buffalo

    36. Re:How? by jslater25 · · Score: 3, Insightful

      I have been using the same arguments about webmail to my network admin. Questions that receive no answers:
      Why is webmail blocked but USB ports allow anyone to plug and play a thumb drive? Couldn't someone bring a virus in the same way?
      Why do we block webmail but no other websites/services are blocked? Shouldn't we worry about someone surfing for pr0n or possibly looking for warez?

      Often, I have heard the argument that IT doesn't want to let information get leaked via webmail and IM's. But all computers at my location have a CD-RW, plus 8 USB ports, a printer at each desk, etc. I would think it's easier to track a file getting sent via webmail than it is to track a user who prints the document and walks out the front door.

    37. Re:How? by ucblockhead · · Score: 1

      Can I get the name of your company? I want to make sure I don't accidentally apply for a job there.

      --
      The cake is a pie
    38. Re:How? by Anonymous Coward · · Score: 0

      You had to do that too? Getting a file FROM them through my work mail system was a bitch. I eventually had to have the adobe support person rename the file, zip it encrypted, and send it to gmail.

    39. Re:How? by secolactico · · Score: 1

      Actually, he said "moderately bright". As in, "bright enough to find a way to bypass company policies, but not bright enough to keep from getting caught."

      Maybe GP is "thinning the herd" of the less talented individuals. And if his darwinian method of HR management doesn't work out, maybe his position (or even his company) will darwin itself out.

      --
      No sig
    40. Re:How? by ChadAmberg · · Score: 3, Insightful

      That's not really a good argument. Just because security isn't perfect doesn't mean it's useless. You might as well be arguing about removing all antivirus and firewalls, because someone has a USB port in their system.

    41. Re:How? by Genevish · · Score: 2

      How often have GMail accounts been cracked and a company's IP been stolen because of that crack?

      The problem with most security policies is they look at any potential angle of attack and block it, without regard to how likely that attack is versus the inconvenience/disruption of that block.

      You might say that blocking third party email doesn't disrupt the function of the business, so it's no big deal. However, if you treat people like untrustworthy idiots, they're going to be less likely to want to go the extra mile for the company.

    42. Re:How? by stryc9 · · Score: 1

      Escalate through the proper channels the need to do this. If there is a business case for it then IT should be told to supply something to meet your needs. You're not helping anything by using gmail. Also, I am a totalitarian admin. Why? Because I have to stop users like you from doing anything that could potentially damage the company or my paycheck like sending corporate data through a public service like gmail. We do it because there is a right way to do things and if the company doesn't want to spend the money or resources then it is not our problem. Remember, it's not our fault you don't have a decent safe way to send this data, go complain to manglement.

      --
      www.madeofwinandawesome.com
    43. Re:How? by OptimusPaul · · Score: 1

      I'm going to have to agree here. The top talent are the folks that get the rules changed for them, or do their f'ing job and don't putz around with personal emails.

    44. Re:How? by Anonymous Coward · · Score: 0

      If only there was a "Common Sense" mod...

    45. Re:How? by AKAImBatman · · Score: 2, Insightful

      The really smart people that are talented and do research are usually given a setup that allows them to do the work they need in a separate environment from the rest of the company.

      Oh, so you do let them past the restrictions? Officially sanctioned and everything, I see? So basically you're telling me that your best talent would have no trouble defeating your measures (as I surmised) so you don't even try to put them in place for them? Why don't you try putting those measures in place for the researchers, and see how long your company has top talent in that area?

      If you are just a business programmer you don't get this because you can probably be replaced by someone with an H-1B visa.

      I think that right there sums up your attitude nicely. You treat your researchers like royalty (as you should), but apparently have no problems firing any of the support staff that might be critical to the researcher's work. Because, you know, they're not smart. They're just duh codeded minkeys. Anyone who shows a smidge of ingenuity and talent by getting past your firewall restrictions must, by definition, be stupider than the rest. Weed 'em out!

      Remind me never to work for your company. Or hire you.
    46. Re:How? by BytePusher · · Score: 1

      Somehow... I've never worked at a business where the IT department makes final decisions on hiring or firing. So... somehow... I doubt you've had anyone fired... but if you have it shouldn't have been for working around your proxy but rather what they were doing once around it.

    47. Re:How? by bushki3 · · Score: 3, Interesting

      You are absolutely right about that view being too common.

      I have extremely strict rules set up on my network. I am pretty sure that the only one that hasn't been broken (with my authorization) is the pr0n rule.

      I constantly take shit from other admins who pride themselves on being an ass about their rules, but I have found that the best way to get business done is for every rule to have an exception.

      All webmail is banned, blocked, filtered, and otherwise prohibited on my network. However, there have been times when it was "necessary" and has been allowed. Times like family medical situations, when one of our employees' mother-in-law was near death and the only information he was receiving was via webmail. I could have been a dick and said "sorry that's against company policy", but I pushed authorization through management channels and got him his webmail so he could focus on work, knowing that he wouldn't miss the important email about his family. This particular gentleman is now the General Manager of the office, and I am still just as mean to him as I am to everyone, with his full support, because he knows first hand that I am aware of when the exception should be invoked.

      So, my response to the question at hand would be Yes, and No. Hope that helps clear things up for some of the young admins who are teetering on the decision of allowing exceptions, or not. You don't make the company money, you make it possible for the company to make MORE money in LESS time. Do your job and increase user efficiency, don't be an ass.

      Speaking of efficiency, I feel refreshed after this brief visit to /. so I think I'll go find some websites to block from my users!!!!!

      --
      011100110110100101100111
    48. Re:How? by twistedsymphony · · Score: 1

      Interesting points.. though not all IT departments are as one-sided on their security. In addition to blocking webmail and a plethora of other sites on the web (including but not limited to porn, 3rd party proxies, social networks, and blogs), they also strip all PCs of DVD writers and USB ports, and monitor all I/O traffic to mass storage devices. If you need to burn something you have to make an IT request.

      Unless you were a really crafty and well versed PC user (and 99.9% of our employees are not) the only way to get data out of the building is to print it out and stuff it down your pants... and hope nobody sees you (which might be difficult considering we don't have cubicles). Even then all printers are on a network and every print job gets logged.

      Of course our security wasn't half this good until an employee got pissed... quit... took loads of company data with him and sent it to our competitors. One of them played the good Samaritan and told us about their care package... if they didn't we wouldn't have ever known, but since then the place has been locked up tight.

    49. Re:How? by AKAImBatman · · Score: 1

      As in, "bright enough to find a way to bypass company policies, but not bright enough to keep from getting caught."

      He's already said that they don't prune the researchers like that. Which already makes his argument specious. It seems to me that someone who's not in your top talent who's managed to pull off a trick like this at least shows promise. So you're going to cut off any new talent or support talent you might have.

      It's like saying, "I need my hand to drive, but it won't hurt anything if I cut off my fingers."
    50. Re:How? by tx_kanuck · · Score: 1

      Then you should read http://worsethanfailure.com/ to see the stupid things engineers do. Just because someone is educated in one field doesn't mean they know another. My dad is an engineer, and has been since he got his PhD at 25. Does that mean he's a computer wizard? Nope. Nor is my Godfather who is also an engineer and ends up calling his company's helpdesk for things.

      --
      Now, if that makes sense to anyone, could you please explain it to me? I think I've confused myself.
    51. Re:How? by rainman_bc · · Score: 1

      We have had those moderately bright chaps get fired for doing it as well.

      Yeah, like that's a great reason to can a person... Violating the ego of the IT department...

      Blocking third party email sites is a superficial solution that sounds good on paper but in reality the only benefit is that company time isn't wasted checking hotmail/gmail/etc... All those mail providers already filter out bad content. Hell Yahoo is quite vocal about their use of Norton to scan attachments.

      And the BS about people being able to email off company data - that's bullshit too... Unless you block all http/post requests any data can be sent off your network anyway...

      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    52. Re:How? by SealBeater · · Score: 1

      All ports blocked at the firewall for outbound traffic. You must connect to a server that is permitted to access the service you need. This access is logged.

      For web traffic three proxy servers are allowed past this block for ports 80 and 443. This access is logged.

      You seem to enjoy saying the word "logged". All this tells me is that you don't check those logs. Just for your info smart guy, I've gotten past setups like this with ease. It's called a home server and stunnel. Honestly, I've met admins like you and you sound just like an ass. Being a good admin is not laying down rules and then enforcing them like a tyrant, it's making your network usable to your users. If your network or email system is so fragile that it can't handle what could be called normal usage, perhaps you are in the wrong field. I make my networks so that the users CAN'T damage them.

      SealBeater

      --
      -- It's survival of the fittest...and we got the fucking guns!!!
    53. Re:How? by rainman_bc · · Score: 2, Insightful

      Wow. Right now, I really wish there was a moderation option for "-1, Way Too Full of Himself."

      Not really - he has a point... If you're considered a good employee that gets his work done, why should anyone care if you slack once in a while? I sometimes find myself slacking off on /. (irony here?).

      Doesn't make me a bad employee unless I miss targets for stuff. GP is bang on. If I get stuff done, why should IT care if I waste some time checking my personal email?

      And no, the whole "it can bring vbs files to us" is crap because those can just as easily be downloaded off any site, and on top of that these email providers do some pretty good scans on their own too, and furthermore why do you, as a sysadmin, not run good antivirus on your LAN anyway?

      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    54. Re:How? by rainman_bc · · Score: 1

      Do you seriously think IT puts these policies in place just for the fun of it?

      Sometimes yes. It justifies their presence although there's no proof that blocking that site really benefited your company.

      If you accidentally brought down the network and cost the company $10,000

      If your entire network is so pathetically weak that a file from a third party email company ( who does their own virus checking btw ) can bring down your whole LAN, then there are bigger issues than that user checking their email. You're directing blame at the wrong person. You're a shitty sysadmin, and blocking yahoo mail is simply a knee-jerk reaction by an IT person to save face when in reality there's security issues on the LAN that need to be resolved first.

      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    55. Re:How? by Anonymous Coward · · Score: 1, Insightful

      Of course our security wasn't half this good until an employee got pissed... quit... took loads of company data with him and sent it to our competitors. One of them played the good Samaritan and told us about their care package... if they didn't we wouldn't have ever known, but since then the place has been locked up tight.

      I think it's great that your company is doing this. However, it reminds me of our government here in the USA and you could say across the world, in its over-reaction to security threats.

      For example, one crazy suicide bomber tries to light a shoe bomb on a flight, and for months, millions of people had to take their shoes off before they were allowed on a commercial flight. That is a little over the top in my opinion.

      So, if you take all of these security measures, but keep pissing off the people you're trying to protect yourself from, then they will eventually get around your security. A better approach may be to protect yourself, and try not to piss off any people in the process.

    56. Re:How? by SynMonger · · Score: 0

      Don't forget WinSCP.

    57. Re:How? by groslyunderpaid · · Score: 1

      I know that financial institutions are required to archive all email communication forever, literally
      I'm not entirely sure that is accurate. I work for an insurance company (financial institution), and being the one who runs the backups, I can tell you for a fact they aren't kept forever. 3 years, tops. Now maybe if you have to abide by SOX, which we don't, because we aren't publicly traded (being a mutual company), but that I cannot speak on.
    58. Re:How? by tx_kanuck · · Score: 1

      ( who does their own virus checking btw )
      Couple points on that.
      1) I don't know how recently they updated their virus scanners.
      2) I have yet to see a virus scanner that can guarantee that 100% (not 99.999%, but 100%) of viruses, including ones that have not had their signatures pushed out to the scanners yet, will be caught and stopped.
      3) Trust but verify is an expression I use a lot. I will trust that they do virus scanning, but until I can verify it to where I am happy, I won't trust them out of a sandboxed area.
      As for a network being weak...
      Are you seriously trying to tell me that every company that got hit hard by Sasser, Blaster, and other major viruses were staffed by shitty sysadmins? Come on, let's be realistic here. I cannot stop every bad thing from happening on my network. It's impossible, but I'm not going to lock the front door and just leave the garage door open.
      Now, if you could please tell me how I can, without blocking any sites, and with virus scanners that we know cannot block everything, secure my network in such a way that a virus will not propagate to multiple computers and cost lots of money (after all, time is money) for me to clean up, I would love to hear it. Keep in mind that if even a single network segment goes down (each department is segmented from the others and the only place they touch each other is through servers), then the exercise is considered a failure. So, just to be clear..... no server may go down at all. Multiple machines in a department may not go down. No blocking of sites.... I'm listening.

      --
      Now, if that makes sense to anyone, could you please explain it to me? I think I've confused myself.
    59. Re:How? by nostrad · · Score: 1

      How is a talent good if he then fails to adhere to company policies?

      Want to promote him and get into trouble for breaking a policy a bit more important than this one? There's a matter of trust between employer and employee that needs to be maintained.

      (Do note that at the same time as policies need to be followed, there should be a good reason for those policies as well, such as the security aspect in TFA.)

    60. Re:How? by Kjella · · Score: 1

      Way to remove your best talent there, chief.

      That depends a lot on the type of filtering, and the kinds of people that put so much work into avoiding work. Yes, some places really have a bug up their ass about security. Some of those have a really good reason for it, and some of them don't. Some of these might be annoyed workers frustrated by being denied reasonable Internet access. Others are just your immature slackers who, believe it or not, aren't the best employees and aren't going to be.

      If you're avoiding the content blocking to surf porn or to waste all day on the Internet, it's not ok. If your company has really sensitive data you might expose, it's not ok. If and only if they have anal security and not very sensitive data and you use it reasonably, you're looking at good talent you shouldn't throw away. Primadonnas who think the corporate network is their personal playground are usually more trouble than they're worth, just like the artist kind.

      --
      Live today, because you never know what tomorrow brings
    61. Re:How? by Anonymous Coward · · Score: 0

      They added a wonderful feature to Windows XP, it's called "Windows Firewall". Use it, not just on your servers, desktops too. Not using Windows? Most operating systems either have a built in firewall, or you can get an add-on one. Restrict access to anything unless it's necessary.

      Having trouble with making sure all computers on your domain have virus scan? Check out McAfee ePO. As long as you are draconian in making sure every computer is forced to get virus scan with its rules and use the auto-deployment, virus issues are dramatically reduced (to an almost non-existent state). Also make sure you update virus definitions once a day (or any time the definitions come out).

      If you do these things, the number of times you'll have to deal with virus problems will drop to a point where the occasional 0-day virus will seem like a dream compared to dealing with the old issues.

      BTW - I hope you don't have laptops on your network, because websites aren't restricted when the people are at home. So they can get all loaded up with viruses when they're away from your network. Not saying get rid of laptops, just shooting holes in the fact that restricting sites will solve all your problems.

    62. Re:How? by Anonymous Coward · · Score: 0

      Someone needs to mod this up. Your users will figure out a way to get around your blockers/filters. Try not to piss them off too much.

    63. Re:How? by iamacat · · Score: 1

      Translation of your comment: "resign or get fired from a big company". If you go through proper channels, it will take months for someone to get to your request and reject it - because they don't understand your work and why you need this functionality. In the meantime, your boss will see that you have done nothing and dismiss you. Your management sees the results, not how you achieved them, and couldn't care less about complaints from an IT guy.

      As a totalitarian admin, what secure method of sending corporate data to a customer behind another firewall do you support?

    64. Re:How? by gbjbaanb · · Score: 1

      ah, but you are forgetting something (even with your infinite geek intelligence, how can that be?!). Most of these policies are not put into place to stop the malware, or even to stop employees' 'fun'. Most of them, especially nowadays, are there for regulatory reasons.

      Even if we ignore Sarbanes Oxley (sure, you want to deliberately evade the company's audit systems - it's possible jail time for you, my young, arrogant, potential terrorist; instant dismissal at best once you're caught).

      Then there's misuse of company property. That bandwidth and pc you're using doesn't belong to you at all. It's provided so you can do your job, not for your amusement. However, I'm sure most companies don't give a damn if you email your family within reason, if it makes you more productive or they consider it acceptable personal use; they will, though, be very suspicious if you try to get around their systems.

      Then you have to consider the much more serious misuse of these communications - eg. surfing for porn, hate emails etc. The company wants to track all your emails, not so they can spy on you, but so they have something that will later be used in a disciplinary or court action.

      In short, why do you bother trying to hide your tracks when they are so innocent?

    65. Re:How? by Anonymous Coward · · Score: 0

      Leave your personal problems at home. 1st rule of keeping a job. Chap.

    66. Re:How? by Penguinisto · · Score: 1

      Depends on if the man's home computer (or worse, a laptop) gets stolen, an exploit comes out, etc...

      "However, if you treat people like untrustworthy idiots, they're going to be less likely to want to go the extra mile for the company."

      If you explain it in those terms, yes. OTOH, if you explain that you're simply wanting to limit avenues of possible infection that would otherwise be beyond your ability to prevent (which is what you're doing w/ such a policy), then it makes sense, and the users don't get slighted by any implications.

      /P

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    67. Re:How? by swilver · · Score: 1

      I work for a company that does that. Solution, I installed cgiproxy at home and browse whatever I like.

    68. Re:How? by Anonymous Coward · · Score: 1, Insightful

      So who's to blame when your gmail account gets cracked and your company's IP gets stolen? Your sysadmins for "forcing" you to use gmail? Yes.
    69. Re:How? by BrokenHalo · · Score: 1

      2. By an acceptable use policy stating the equipment is for work only and any deviance could lead to dismissal.

      If an employee can be dismissed for using a corporate phone or computer to ask his wife to pick up the kids, the company shouldn't be too surprised if he takes any opportunity to shaft them.

      Trust has to work both ways.

    70. Re:How? by shaitand · · Score: 1

      'If an employee chooses to contact a client from outside of the work place, outside of their working hours'

      With ya.

      'this is not official communication by the bank and thus is unrelated'

      Who says? If I am a client and a bank employee contacts me about something related to my account while catching up work from home after hours I certainly consider that to be both 'related to' the business AND official communication from the bank.

      Just because communication is outside of normal business hours doesn't mean it isn't work.

    71. Re:How? by vux984 · · Score: 0

      Not at all. An employee that doesn't respect company policy isn't an employee worth having.

      Moreover, in 'light security scenarios' the proxy server is not the 'bullet proof firewall with which to draw out the company's finest hackers' -- it's a light support of the rules.

      If I lock the server room and put a sign on it saying "contact IT admin for access", the idea isn't that it's now a Fort Knox vault. The door is simply locked because it's not a room most employees need to be in. If they are curious and try the door, it won't open, and they'll move on with their lives. And that's as secure as it really needs to be.

      Sure anyone with a paper-clip could probably get it open, and if they do that without a damn good reason they probably deserve to be fired, or at least reprimanded.

      Same goes for a basic web-proxy-filter. The point is to support a policy to keep people off sites they don't need to go. If they get 'curious', or have a silly impulse to check myspace or something, they get a gentle reminder that the site is blocked, equivalent to the locked server room door. If they decide to get clever and go around the proxy they're demonstrating the same level of ethics that the guy breaking into the server room did... with the same results.

    72. Re:How? by ishmaelflood · · Score: 1

      Our IT group set up a secure data exchange. I haven't got the foggiest idea how it works, and don't care. To us it just looks like an ftp site.

      If there is a business case for it make it their problem, not yours. Just cc your supervisor/manager whenever you can't do your job due to IT's laziness.

      So far as not using third party email at work, just tell everyone it is a sackable offence. You don't need any software to implement that solution. Works in our office.

    73. Re:How? by 0spf · · Score: 1

      You seem to enjoy saying the word "logged". All this tells me is that you don't check those logs.

      My emphasis on logging was exactly because they need to be regularly checked. Many of my users love to figure out how to get around the protections I have in place. I know there are many people out there smarter than me but I am very determined, so I have that going for me....

      Just for your info smart guy, I've gotten past setups like this with ease. It's called a home server and stunnel.

      I think I would catch you with the report that looks for large amounts of traffic going to home IP blocks used by broadband ISPs in my region of the country. You do have broadband right?

      Honestly, I've meet admins like you and you sound just like an ass.

      I may also find you with the report that looks to see what users are regularly visiting asshat.com.

      I get resumes from admins like you all the time and I throw them in the trash.

      Being a good admin is not laying down rules and then enforcing them like a tyrant, it's making your network be usable to your users.

      I would like to see how you would keep a city wide network running for 20,000 users without laying down rules and enforcing them.

      I try to be a benevolent tyrant and were you in my place with your outlook you would soon be unemployed or back in the bush leagues where you belong.

      And forgive me for staying on point but the question was about denying access to home email with a thread of How?. It did not ask what we do to make our networks more usable or did you not RTFA. Attention to detail and remain on task, nope. There goes the resume in the trash again.

      If your network or email system is so fragile that it can't handle what could be called normal usage, perhaps you are in the wrong field. I make my networks so that the users CAN'T damage them.

      I have over 8,000 High School students who disagree and many would love to test your theory.

      I am sure you work in some magical place with unlimited budgets, lots of help, users who never do anything stupid and get to upgrade to the latest hardware every quarter but I live in the real world and that is how we have to do it just to keep the trains running on time.

      I am sure you have special insight into what new threats are coming down the pipe and have full confidence that Microsoft, Cisco and your leet hacker skills will keep you bullet proof. I will hedge my bets and play it safe thank you very much.
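
      One way to build the "large amounts of traffic to home IP blocks" report mentioned in this reply, as an added example rather than the poster's own report: it parses constructed Squid-style proxy log lines, keeps only destinations that are literal IPs inside constructed residential CIDR blocks, and lists users whose byte totals to one such address exceed a threshold.

```python
"""Proxy-log report that flags clients pushing large volumes of traffic to
residential broadband address ranges.  Added example; the ranges and the
log lines below are constructed, not taken from any real network."""
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed placeholders for the address blocks a regional broadband ISP
# assigns to home subscribers.  A real report would load a maintained list.
RESIDENTIAL_BLOCKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Bytes per (user, destination) pair above which the pair is reported.
THRESHOLD_BYTES = 50 * 1024 * 1024

# Constructed lines in a Squid-like native format:
# time elapsed-ms client result/status bytes method url user
SAMPLE_LOG = """\
1180000001 120 10.1.5.23 TCP_MISS/200 2048 GET http://www.example.com/index.html jsmith
1180000002 900000 10.1.5.23 TCP_TUNNEL/200 41943040 CONNECT 203.0.113.45:443 jsmith
1180000003 850000 10.1.5.23 TCP_TUNNEL/200 20971520 CONNECT 203.0.113.45:443 jsmith
1180000004 30 10.1.7.9 TCP_MISS/200 512 GET http://mail.example.net/inbox bjones
1180000005 4000 10.1.7.9 TCP_TUNNEL/200 1048576 CONNECT 198.51.100.7:443 bjones
1180000006 60 10.1.2.2 TCP_MISS/200 10240 GET http://198.51.100.200/ -
garbage line that does not parse
"""


def is_residential(ip):
    """True if the address falls inside one of the configured home-user ranges."""
    return any(ip in block for block in RESIDENTIAL_BLOCKS)


def dest_ip(method, url):
    """Literal destination address of a request, or None for hostnames.

    CONNECT targets are bare host:port pairs (how a TLS tunnel to a home
    box shows up through an HTTP proxy); other methods carry a full URL.
    Hostnames are skipped because this runs offline; a production report
    would resolve them or use the address the proxy itself logged.
    """
    host = urlsplit("//" + url if method == "CONNECT" else url).hostname
    if host is None:
        return None
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def parse_line(line):
    """Pull the fields the report needs from one log line; None if malformed."""
    fields = line.split()
    if len(fields) < 8:
        return None
    try:
        size = int(fields[4])
    except ValueError:
        return None
    client, method, url, user = fields[2], fields[5], fields[6], fields[7]
    # Fall back to the client address when the proxy recorded no username.
    return {"who": user if user != "-" else client,
            "method": method, "url": url, "bytes": size}


def aggregate_residential(log_text):
    """Sum bytes per (who, destination) for destinations in residential blocks."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip = dest_ip(rec["method"], rec["url"])
        if ip is None or not is_residential(ip):
            continue
        totals[(rec["who"], str(ip))] += rec["bytes"]
    return dict(totals)


def flag_heavy_talkers(totals, threshold=THRESHOLD_BYTES):
    """Return (who, ip, bytes) tuples at or over the threshold, largest first."""
    hits = [(who, ip, b) for (who, ip), b in totals.items() if b >= threshold]
    return sorted(hits, key=lambda t: -t[2])


if __name__ == "__main__":
    for who, ip, b in flag_heavy_talkers(aggregate_residential(SAMPLE_LOG)):
        print(f"{who} -> {ip}: {b / 2**20:.1f} MiB to a residential block")
```

      Only jsmith is reported on the sample: two long CONNECT sessions to one residential address add up past the 50 MiB line, while bjones and the unauthenticated client stay well under it.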

    74. Re:How? by rikkards · · Score: 1

      Should mention that I work for a government agency that takes security seriously enough to the point that criminal proceedings could take place if something was leaked, i.e. treason. They are reasonable where you don't get jackboots and truncheons across the back of the head if you send personal emails within reason, but privacy is questionable and there is filtering going on with incoming and outgoing emails, and if certain trigger words were picked up in outgoing external email, I wouldn't be surprised if someone ended up reviewing your email.

    75. Re:How? by vux984 · · Score: 4, Insightful

      No site is ever 100% secure. IT/management generally shoot for the most bang for the buck, to get where the risk/cost ratio of a problem balances with the needs of their business objectives.

      Why is webmail blocked but USB ports allow anyone to plug and play a thumb drive? Couldn't someone bring a virus in the same way?

      And if they blocked up the usb ports, someone could come in with a SATA drive and a screw driver. Couldn't someone bring in a virus that way too? So why not install intrusion detection systems in all the cases...?? And on it goes.

      The answer: risk/cost analysis indicates that email is by FAR the number 1 transport for viruses. Yes other vectors exist, but if you only deal with email you address the lion's share of the risk.

      Additionally, removing webmail usually aligns with management's objectives, so blocking it generally gets immediate management support.

      Why do we block webmail but no other websites/services are blocked? Shouldn't we worry about someone surfing for pr0n or possibly looking for warez?

      The answer: risk/cost analysis again. You address the big problems before the little ones, and the little ones before the ones you don't even have (yet). i.e. knock out MSN/Yahoo/Gmail and you remove a huge chunk of the useless sites that staff ARE spending hours on. If it's worth it, you could keep going after every porn or warez site too, but the returns rapidly diminish while the cost keeps going higher.

      If surfing porn/warez was a rampant problem then you could expect management to address it with technology. But for most companies a policy against warez and porn is usually enough to keep the problem at minimal levels. (Hell, most of the time you don't even need formal policy, in my experience most people just 'know better' and don't have to be told that surfing porn at work is against policy and grounds to be fired.)

      Weaning webmail addicts off their personal accounts, on the other hand, sometimes requires a little help from technology.

    76. Re:How? by SanityInAnarchy · · Score: 1

      Are you seriously trying to tell me that every company that got hit hard by Sasser, Blaster, and other major viruses were staffed by shitty sysadmins?

      I'd say a tentative "maybe". Are you seriously going to tell me that blocking web access will do anything to slow down Sasser, Blaster, or any of the other major worms?

      Now, if you could please tell me how I can, without blocking any sites, and with virus scanners that we know cannot block everything,

      Simple: Run a secure system. Firewalls on individual machines if they're vulnerable, or run systems that generally aren't, like Linux or another Unix. Even if you can only convert your servers, that's a win -- it means if a virus wipes out a segment (which it shouldn't -- remember those firewalls?), the server is still up.

      Also, keep backups. Disk images of working machines, tape/DVD/network backups of your servers. If you can repair a machine and make it usable and productive for the user again in 10 seconds of your time and maybe 15 minutes of machine time, then you can pretty much let users screw it up as much as they want.

      And what you're doing is actually very much equivalent to locking the front door, but leaving the garage door open -- you try to keep stuff from getting into your network, but you have no way of dealing with it once it's there.

      --
      Don't thank God, thank a doctor!
    77. Re:How? by Anonymous+Brave+Guy · · Score: 1

      So who's to blame when your gmail account gets cracked and your company's IP gets stolen? Your sysadmins for "forcing" you to use gmail?

      Well, since it sounds like they really did force the use of an outside service in order for someone to get their job done, despite requests being made through the appropriate channels for a "legitimate" alternative... Yes, the IT idiots in this case should carry 100% of the liability for the damage.

      I always wonder at the idiocy of senior IT people in these discussions. Our lot are little better. The local IT guys are fine, but the senior, "worldwide" level guys are morons. They mandate aggressive e-mail blocking be used at a system level, and officially they ban all webmail services too. Those aggressive e-mail blocking policies are not documented in any way accessible to the mere code monkeys like me. As a direct result, we have lost everything from scripts going across the office (I work in a software development organisation, so we share these things with colleagues all the time) to urgent messages to paying customers.

      There is simply no excuse for the IT group to impose such draconian measures. Before we were eaten by a US megacorp, we ran as a small, privately-owned UK company, with a level of security problems tending to 0%. Since the US morons got to run the show, we've had virus outbreaks, losses in connectivity to just about every system we depend on (even stuff that should be entirely local within our physical office building, because it's all routed through "centralised" IT systems outside), a huge rise in spam e-mail that makes it through the filters (which, trust me, has very little to do with the recent waves of increased spam activity, and much more to do with poorly configured filters), and so on. A cynic (or a realist) might reasonably conclude that the IT policies do not, in fact, increase the security of our office at all, yet they demonstrably do damage our legitimate business use of the IT systems.

      You know what our local, sensible IT guys say?

      Nothing, officially, of course, but unofficially, they just say use what works and make sure you take the appropriate precautions. So we circumvent the various "safety" features when they get in the way, and since the central IT morons are too stupid to understand why their own policies are messed up, they're also too stupid to even notice we're doing it. And if they did notice one day and moan about it, basically our entire office would quit, so perhaps that's for the best.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    78. Re:How? by Anonymous+Brave+Guy · · Score: 1

      You assume too much. There are, in fact, two possibilities here:

      1. The GP poster is way too full of himself.
      2. The GP poster really is that good, and is making a valid point.

      Then again, I'm writing this as someone in a somewhat similar position to the GP poster, so presumably I'm way too full of myself as well, and the objectively measurable targets I've hit over the past year are less important than the fact that I take a break for a few minutes and read random web sites several times during the typical working day?

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    79. Re:How? by PPH · · Score: 1

      Why do we block webmail but no other websites/services are blocked? Shouldn't we worry about someone surfing for pr0n or possibly looking for warez?

      Because blocking webmail is intended to stop corporate systems from being infected by malware that might piggyback in on incoming messages. That is something that the most responsible employee may not intend to have happen, but (for the average user) it may happen despite their best intentions.

      Accessing porn or warez requires intent on the part of the employee and the company might feel that, by treating employees as adults, all they need to do is publish a policy forbidding it.

      Consider yourself lucky to work for a company that allows you to make judgements about things you can control (which sites you visit at work, what you download) as an adult. Even if they take steps to protect you from risks that they can't detect.

      --
      Have gnu, will travel.
    80. Re:How? by onescomplement · · Score: 2, Insightful

      This has been a fascinating string. Thanks for all the interesting, and not so interesting responses. I like this fellow's attitude. It's too bad he had to waste time fiddling around with this. I woulda hooked him up. I've set up corporate networks for the allegedly clueful (software engineers) and the notoriously clueless (social agencies.) Both did great work. Both had different needs. In terms of the software folks, the technology of the day (and with VLANs and all the other stuff out there, easier now) made us simply set up a "red" network and a "blue" network. The "red" network was engineering's - period. We assigned a senior tech to it to keep working and fed it hardware. The senior tech ended up being a pretty good engineer. It was all good. His work got boring after a few weeks. New career. It turned out the software execs did not mind a bit spending extra $$$ for a separate T1 line, network gear and an extra workstation or two for EACH engineer because time to market is expensive and failure to market, extraordinarily expensive. Cheap stuff. But we had to ask the question and be aware of the business. The curmudgeons who refused to understand the business and operated out of personal pique and IT-think got the door - to a person. It turned out to be a cheap solution to an embedded organizational problem. My habit these days, for folks who want personal and business access is to invoke virtualization. Build a personal environment, as segregated as can be made from the business and let clients do their worst within it stating that "we're not responsible for whatever you do inside this sandbox". If it ends up getting trashed, we just re-image it. If the person is irresponsible, breaks this membrane and acts in a stupid and selfish fashion (morality cannot be legislated), well that's just grist for HR action against the goals of the organization. And probably another cheap lesson. 

      According to the surveys I'm seeing, IT is hauling its sorry ass out of the financial hole it dug itself into for Y2K, dealing with SOX and other mandates and now ready for a little innovation and fun. It's about time. In any case, I recommend the embattled policy-enforcers get out of nimnod-land and into a place where you have some business cluefulness and stop calling the executives names. Maybe buy them a beer. Buy your clients a beer. If you have any kind of self-confidence you might find them interesting and mutually helpful. It's been known to happen. Otherwise, you will be treated like folks who believe wood weighs less than the witch. And that's a self-inflicted problem I see in business over and over and over again.

    81. Re:How? by jthill · · Score: 1

      In short, why do you bother trying to hide your tracks when they are so innocent?

      Because some people would quote Richelieu from admiration?

      The fact of innocence is useless as a political defense. Nobody with two functioning neurons and any experience of office politics is unaware of this. Perhaps you've lived your life solely in the company of competent, honest people who have neither time nor desire for ignorant posturing?

      Nope, I see that's not the explanation.

      --
      As always, all IMO. Insert "I think" everywhere grammatically possible.
    82. Re:How? by gratemyl · · Score: 1

      The bank is not responsible for such communication if it specifically forbids it - which I would expect any financial institution to do - but then again, I haven't worked at a bank before.

      --
      hackerkey://v4sw5/7BCHJMPRUY$hw3ln3pr6/7FOP$ck6ma8+9u6L$w4/7CGUXm0l6DLRi82NCe3+9t5Sb7HMOPRen5a17s0DSr1/2p-3.62/-5.23g3/5
    83. Re:How? by Anonymous Coward · · Score: 0

      Good slave. Have a peanut.

      If your network can be "accidentally brought down" then you have bigger things to worry about, dude.

      I've worked in many places and have yet to see a place where you could not get out to places you want, without asking the IT guys at all. All you need is one connection to outside being allowed (like port 80) and whammo, the whole world opens.

      The only way to be secure from the cold outside world is to be disconnected from the outside completely. Take scissors and protect your network for good. Obviously this is undesirable. As you go further away from the total disconnection you allow more entry and exit points. It's that simple. Besides, the IT guys don't make the policy. They implement it. If the policy fails due to non-technical reasons, then it's the fault of whoever wrote the policy (the management).

    84. Re:How? by Elbow+Macaroni · · Score: 1

      The next step, to ramp up your security, is to remove all computers from the workers desks. This method has been tested by me, and I find a 100% reduction in spam in email.

      --
      -------------------------------------
      Technically, we are beyond survival.
    85. Re:How? by Anonymous Coward · · Score: 0

      I work for an investment bank, and we have to abide by the SEC and SOX. I'm pretty sure it's forever because we need to have both paper and electronic copies of all transactions and emails.

    86. Re:How? by iamacat · · Score: 1

      Our IT group has not set up a secure data exchange. They also don't report to my boss. They report to a high level VP 5 levels removed, to whom my request will not register on the radar; if it does, it will be a new service with a half year deployment schedule. In the meantime, if I don't get a new build to the customer and screw up a $10M deal, it WILL be noticed by high level management, who will promptly fire me and reprimand my boss. In the end, if you are given a job, you will be held responsible for its success.

    87. Re:How? by dodobh · · Score: 1

      So why can't your IT department simply set up a website which will allow you to share files securely?

      Your IT department isn't incompetent for not allowing the transfer of large files via email (email should NOT be used for such purposes), but they are incompetent by dint of not considering alternative methods of file transfer. They could also set up an FTP dropbox on your network, or give said developer a shell.

      --
      I can throw myself at the ground, and miss.
    88. Re:How? by SealBeater · · Score: 1
      I don't normally check slashdot but I did see your reply and I can only hope that this gets to you.


      I think I would catch you with the report that looks for large amounts of traffic going to home IP blocks used by broadband ISPs in my region of the country. You do have broadband right?


      Sure you could. It's easy to argue hypotheticals but if the best and the brightest of oh say, Sprint (just to name one) couldn't catch me, I have very high doubts as to your ability to. But then again, I haven't worked in environments that have that sort of draconian policies and if I were unfortunate enough to land such a position, you wouldn't have to worry, I would soon be gone on my own initiative.

      FYI, I have broadband and colospace on both sides of the country. That's not even counting the help of my friends' boxes.

      I get resumes from admins like you all the time and I throw them in the trash.

      Trust me, you've never gotten a resume from an admin like me and I would in all likelihood either be above you from sheer experience or soon to take your job. It's happened before.


      I would like to see how you would keep a city wide network running for 20,000 users without laying down rules and enforcing them.


      If you are going to quote me, quote me fully. I said "Being a good admin is not laying down rules and then enforcing them like a tyrant". Nowhere did I say not to enforce rules, but your

      "All ports blocked at the firewall for outbound traffic. You must connect to a server that is permitted to access the service you need. This access is logged.

      For web traffic three proxy servers are allowed past this block for ports 80 and 443. This access is logged."

      makes you look like an asshole admin, not a guru. Stop powertripping.


      try to be a benevolent tyrant and were you in my place with your outlook you would soon be unemployed or back in the bush leagues where you belong.


      And yet, here I am gainfully employed, doing work I love and probably making more than you in a better atmosphere.


      And forgive me for staying on point but the question was about denying access to home email with a thread of How?. It did not ask what we do to make our networks more usable or did you not RTFA. Attention to detail and remain on task, nope. There goes the resume in the trash again.


      It's obvious to anyone with a brain (I know that that excludes you) that my comments were addressed to your comments, not to the general tone of the thread, whatever it may have been. If that's the smartest comment you have, I suspect the reason you throw resumes away is because you can't read them.


      I have over 8,000 High School students who disagree and many would love to test your theory.


      Ah, a school admin. That explains it. I'm sorry but you are not a big dog.


      I am sure you work in some magical place with unlimited budgets, lots of help, users who never do anything stupid and get to upgrade to the latest hardware every quarter but I live in the real world and that is how we have to do it just to keep the trains running on time.


      No, I'm actually just smart. I probably know more than you do too.

      I am sure you have special insight into what new threats are coming down the pipe and have full confidence that Microsoft, Cisco and your leet hacker skills will keep you bullet proof. I will hedge my bets and play it safe thank you very much.

      Microsoft? Wow, that really does explain it. I've actually left Cisco behind, I got tired of the routing world a long time ago. My leet hacker skills do keep me bulletproof tho, or as near as can be. You hedge your bets and play it safe. That attitude will take you far. Just not that far.

      SealBeater

      --
      -- Its survival of the fittest...and we got the fucking guns!!!
    89. Re:How? by hazem · · Score: 1

      I agree with you on almost everything you said. I'd even say our front-line tech support people are top-notch.

      Unless your IT need has a multi-$100K budget (to be dedicated to IT, of course), it simply won't get addressed because it's considered by IT to be low priority. There is a huge committee of people who get to review these projects.

      In my case, however, since my project is less than $30k, my needs are totally ignored. In fact, the reason we're doing this with an outside vendor is because our internal IT wanted it to be a $250K project - and that would be with an end product that is missing vital features. We're doing it on the outside for much much less - and our version 1 of the project has been a huge success. It's saving 100's of man-hours every month around the globe.

      But again, because it's not a quarter of a million dollar project, my desire to share files with my contractor is being ignored. And by the time I could try to push through one of these committees, the time-frame of the project would have passed and we could have been done sooner by snail-mailing the files.

      I'd love to be able to scp the files around (you're right, e-mail is not the best way to handle this). But, I'm just too low priority to be bothered with. The problem is there are countless small issues like this that our IT people should be handling - there would be huge savings across the company. But they only want to be focused on huge-dollar projects that require years to finish. I hope we survive it.

    90. Re:How? by 0spf · · Score: 1

      Very well then, you are a bulletproof hacker and I am a lowly school admin with technical and power issues. I stand corrected......

      Thanks for reminding me why I quit reading slashdot.

  2. Stupidity! by cashman73 · · Score: 1, Flamebait

    These days, anybody that opens ANYTHING with a .vbs extension deserves whatever happens to their computer! Are users really that dumb?

    1. Re:Stupidity! by 0racle · · Score: 1

      He's talking about organizations. The end users do not own the desktop or the data it has access to and often treat it that way. On top of that they know it's someone else's problem so they don't care what happens.

      --
      "I use a Mac because I'm just better than you are."
    2. Re:Stupidity! by benbean · · Score: 1

      Yes, yes they are.

      --
      It's a Unix system - I know this.
    3. Re:Stupidity! by xerxesVII · · Score: 1

      Are users really that dumb? Are you really asking that question? Just this morning I had a user who was whispering to herself "Clear, Alt, Delete" when giving the three-finger salute. I could not bring myself to ask how she got "clear" out of "ctrl".
      --
      "We shall grapple with the ineffable, and see if we may not eff it after all." - Douglas Adams
    4. Re:Stupidity! by Edward+Kmett · · Score: 1

      Well, news flash, .js files can do the same thing through Windows Scripting Host, and it's not that unreasonable to try to open one to edit and view it and accidentally launch it through WSH instead because your browser has nicely decided to execute it locally.

      Not a huge stretch for someone to make that malicious. I find myself more annoyed than not that you can't configure browsers these days to intelligently handle things that you just want to be able to view like .js/.cpp/.h files etc. I don't want it launching WSH. I don't want it opening Visual Studio. I don't even want it to open !@&*#( Notepad. I just want to view it in the browser, click the back arrow and move on.

      --
      Sanity is a sandbox. I prefer the swings.
    5. Re:Stupidity! by TheSHAD0W · · Score: 1

      Subby is talking about a business environment, where a security failure like a user running a malicious script can have ramifications on the whole network. As a result he has the responsibility to keep users from having the opportunity to be stupid.

    6. Re:Stupidity! by Anonymous Coward · · Score: 0

      Best I've heard is "central" for "ctrl"

    7. Re:Stupidity! by ronanbear · · Score: 1

      Sure, they're easily that dumb. Most can't tell the difference between a .vcf and .vbs

      --
      the more they over-think the plumbing the easier it is to stop up the pipe
    8. Re:Stupidity! by AZScotsman · · Score: 2, Insightful

      Short Answer: Yes! Longer Answer: Oooooohhhhh Yeaaaaaaa! Anyone that doubts the collective idiocy of a user base most likely has never had to staff a corporate HelpDesk....

    9. Re:Stupidity! by russ1337 · · Score: 2, Informative

      >>> Are users really that dumb?

      Yes, and in this order

      Think about it.

    10. Re:Stupidity! by russ1337 · · Score: 1

      I really should have used this map

    11. Re:Stupidity! by eMbry00s · · Score: 1

      Yes, they are. You'll shit bricks when you find out that most users don't even disable "hide extensions for known file formats," and wouldn't be able to tell a .bmp from a .jpg
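The "hide extensions" point above (a `photo.jpg.vbs` shows up as `photo.jpg`) and the earlier remark that users can't tell a .vcf from a .vbs are exactly what an attachment filter at the mail gateway has to catch, and a script inside a zip has to be caught as well. The following is an added example, not code from this thread or from any of the webmail providers discussed; the extension list, size and nesting limits, and the sample archive are all constructed for the example:

```python
"""Mail-gateway attachment check (added example, not the thread's own code).

Flags attachments that Windows would execute on double-click, including names
hidden behind a double extension (which 'Hide extensions for known file types'
turns into an innocent-looking 'photo.jpg') and scripts packed inside a zip.
"""
import io
import zipfile

# Extensions handled by Windows Scripting Host or the shell as programs.
# Constructed for this example; a real gateway would use its own policy list.
EXECUTABLE_EXTENSIONS = {
    "vbs", "vbe", "js", "jse", "wsf", "wsh", "hta",
    "bat", "cmd", "exe", "scr", "pif", "com",
}
ARCHIVE_EXTENSIONS = {"zip"}
MAX_MEMBER_BYTES = 5 * 1024 * 1024   # refuse to inflate huge members (zip bombs)
MAX_NESTING = 3                      # refuse to descend into endlessly nested zips


def extensions_of(filename):
    """Every dotted suffix, lowercased: 'invoice.pdf.vbs' -> ['pdf', 'vbs']."""
    parts = filename.strip().lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_name(filename):
    """Return a reason string if the name alone should be blocked, else None."""
    exts = extensions_of(filename)
    if not exts or exts[-1] not in EXECUTABLE_EXTENSIONS:
        return None
    # Two or more suffixes ending in a script type is the classic disguise.
    return "disguised script" if len(exts) >= 2 else "script attachment"


def scan_attachment(filename, data, depth=0):
    """Return a list of (path, reason) findings for one attachment.

    Zip members are inspected recursively so that a zipped script is caught;
    members that cannot be inspected (encrypted, oversized, too deeply nested)
    are reported as findings rather than silently passed.
    """
    findings = []
    reason = classify_name(filename)
    if reason:
        findings.append((filename, reason))
    exts = extensions_of(filename)
    if not exts or exts[-1] not in ARCHIVE_EXTENSIONS:
        return findings
    if depth >= MAX_NESTING:
        findings.append((filename, "archive nested too deeply to inspect"))
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = f"{filename}/{info.filename}"
                if info.flag_bits & 0x1:
                    # Password-protected: the scanner cannot see inside, so
                    # treat it as a finding instead of letting it through.
                    findings.append((member, "encrypted archive member"))
                    continue
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append((member, "archive member too large to inspect"))
                    continue
                for path, why in scan_attachment(info.filename, zf.read(info), depth + 1):
                    findings.append((f"{filename}/{path}", why))
    except zipfile.BadZipFile:
        findings.append((filename, "corrupt or non-zip archive"))
    return findings


def build_zip(members):
    """Build an in-memory zip from {name: bytes}; used to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo():
    """Constructed sample: a zip holding a double-extension script and a nested zip."""
    inner = build_zip({"notes.txt": b"plain text", "update.js": b"// placeholder"})
    outer = build_zip({
        "invoice.pdf.vbs": b"' placeholder",
        "readme.txt": b"harmless",
        "more.zip": inner,
    })
    return scan_attachment("files.zip", outer)


if __name__ == "__main__":
    for path, why in demo():
        print(f"BLOCK {path}: {why}")
```

The design choice worth noting is that anything the scanner cannot look inside (an encrypted member, an oversized member, a zip nested past the limit) is reported as a finding rather than passed through; a filter that only blocks what it can positively identify is trivially bypassed by a password-protected archive.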

    12. Re:Stupidity! by lazarusdishwasher · · Score: 1

      I like the first one better; the United States managed to place 2nd and 7th.

    13. Re:Stupidity! by toadlife · · Score: 1

      Thanks a lot. Getting out the credit card now.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    14. Re:Stupidity! by Ilgaz · · Score: 1

      An organisation should already have their own proactive security measures (those dedicated boxes). If that guy can't get his "precious" VBS script, he will also double-click it when he receives it from a friend (!).

      I can provide one example since it is the only one I heard/know:

      http://www.esafe.com/esafe/default.asp

      An organisation should also run a Jabber server internally and limit the capabilities of proxies for other services (if they exist) on purpose, e.g. nobody should send/receive a file from the outside world.

      http://www.jabber.org/software/servers.shtml

    15. Re:Stupidity! by kaizenfury7 · · Score: 3, Funny

      Hi 'cashman', this is your mom. As you know, it's a great chore being a mom and a housewife, I have to take your sister to soccer practice, your brother to basketball practice, and you to your chess practice. And when I drop everyone off, I go home, grab the Pine sol and my trusty swiffer to clean up the pig sty that you and I call home. During Oprah and the View commercials, I check my e-mail to remind Grandma to take her medications and your Uncle Leeeroy to stop 'using' Grandma's medications. I hope you don't mind that today I may have accidentally clicked on one of those 'Vbs' extensions, because I don't know much about computers, but I know what type of chemicals can (mostly) get those curious stains out of your favorite superman underwear. I don't think it was a virus or anything, because it did a good job of cleaning up the desktop, although I no longer see Clockwork_orgy_[dvdrip].avi and I can't find it anywhere, even in My Documents\school\biology\tmp32\fun_stuff where you seem to keep most of your other videos, so unfortunately, you may have to repurchase the Kubrick flick. Sorry, honey... anyways, Oprah is back on, I will see you when you get home.

      Love,
      Mom

      PS - Remember to buy some more laundry detergent, I want to wash your sheets because they seem a bit starchy.

    16. Re:Stupidity! by Richy_T · · Score: 1

      Hey, the US came in 2nd and 7th. That's just greedy.

      Rich

  3. For business or personal use? by Anonymous Coward · · Score: 0

    Are you just not letting people use third party emails for business use or for personal use?

    Not allowing it for business use is a no-brainer. Anything internal and private should never be on a public network.

    If people are wanting to check email over their breaks or over personal time, then less restriction might make more sense, so long as people know to not use their Yahoo! account for work communication.

    1. Re:For business or personal use? by dheera · · Score: 4, Insightful

      Exactly; in the name of freedom and promoting a healthy living culture in which employees are able to enjoy their life at work so they are more active and enthusiastic in being productive and creative when they need to, I feel it is extremely important to not impose restrictions (and especially IT restrictions) on the way employees work. In particular, other than offensive, insulting, dangerous, or pornographic content (which I understand), corporations should not block or attempt to control the websites their employees can access at work. An employee who can check his/her personal mail whenever he/she feels like will be much happier at the workplace than one who isn't.

      Simply installing and updating the latest virus scanner on all corporate machines should be relatively simple.

      Also, employees should be permitted to bring their own computers to use on the corporate network. How do you stop viruses?
      1. Demand a periodic inspection of all Windows computers to ensure that the user is using an approved virus scanner that is set to automatically update.
      2. Freely allow Linux machines to be plugged into the workplace. They are highly unlikely to cause any problems.
      This is how at least two places I've worked at ran it, and employees were extremely happy.

      Also, may I point out that my university (MIT) network has nearly no restrictions whatsoever on what you can plug in, what you can serve, and what you can run. I can run a mail server in the office if I want. I can run a web server in my dorm room. I can do essentially anything. The IS&T department here just has it structured pretty well so that nothing bad happens. Solid Unix/Linux servers, and automatic shut down of network drops that are spreading viruses or of Windows machines that appear vulnerable. It's great. I get freedom to do anything I want, and the network is very solid and reliable at the same time. I wish companies could do this too.

    2. Re:For business or personal use? by Knara · · Score: 4, Interesting

      background: I've worked IT full/part time for about 10 years now (geez) from desktop to network admin to site managing

      Statement: In my experience the number of network admins that have the ability to adequately and competently run a network that both allows computing freedom (in reference to how you are saying) and is secure is very small.

      I'd also note that I've seen this setup work a lot better with Universities than with corporate environments. Mostly because, insofar as I can tell personally, the network/systems admins/engineers are more concerned with enabling safe but wide-ranging activities in the university environment, as opposed to the corporate environment, where anything not expressly allowed is forbidden.

    3. Re:For business or personal use? by mlewan · · Score: 1
      "Freely allow Linux machines to be plugged into the workplace. They are highly unlikely to cause any problems."

      I genuinely do not know Linux well enough to be able to tell from my own experience, but I thought it was one of those flexible OSes you could misconfigure so completely that it explodes.

      Of course, a well configured system is as safe as any other box out there. But who knows if all your users are configuring their systems well?

    4. Re:For business or personal use? by dheera · · Score: 1

      "the network/systems admins/engineers are more concerned with enabling safe but wide-ranging activities in the university environment, as opposed to the corporate environment, where anything not expressly allowed is forbidden." Exactly, I believe the corporate environment should change to the former. I realize that it's harder for the IT department to keep up, but you'll have a hundred times happier employees, and those employees will be more willing to contribute more to the company than they are required to if they are happy.

    5. Re:For business or personal use? by dheera · · Score: 1

      "but I thought it was one of those flexible OSes you could misconfigure so completely that explodes."

      If ever, it explodes on you, not on other people, in general. Those sorts of misconfigurations are like you accidentally wiping your hard drive or deleting something important. There are very few if any viruses and worms for Linux, and an honest employee with a Linux machine is extremely unlikely to do damage beyond their own personal machine, even in the world of Linux vulnerabilities.

    6. Re:For business or personal use? by nine-times · · Score: 2, Insightful

      I see what you're saying, but there's a difference in needs and motivations between a university and most companies. Universities specifically need freedom because they're largely interested in education (ok, maybe not really, but at least supposedly). Education requires freedom. Plus, the constant re-evaluation of the setup is educational. When you have a whole bunch of aspiring CS majors and academics without a whole lot of real work to do, you have a free workforce to constantly address the ever-changing threats to network security.

      With most companies, there are very limited and specific goals. They can be summed up, like, "we have e-mail so our employees can communicate with customers," or "we have web access so our employees can research [whatever]." Once you've established those needs, the key thing is to enable those services in ways that are as simple and fool-proof as is humanly possible. "Fool-proof" almost always requires that you limit the number of activities that could happen to the activities you expect to happen, that you plan for, and that you would like to happen.

      And often that's the real culprit here: opening the network to additional unplanned possibilities also opens it to possible unknown security failures. It's not fool-proof, and it doesn't offer the company any advantage, so there's a motive to block it but no motive for them to allow it.

    7. Re:For business or personal use? by dheera · · Score: 1

      I see what you're saying as well, but I also feel that more successful companies also highly correlate with companies that have goals that aren't set in stone.

      For example, an employee of Google assigned to a particular task (say, to code something) may spark an idea in their own time about a new project that may be really cool for Google as a company. They will be *far* more inclined to make it a part of the company if the work environment is enjoyable and fun for them; that includes being able to communicate with their family/kids over other e-mail, being able to do things that aren't related to work during work time for creativity's sake (as long as they get their work done), etc.

      Also, I think this extends beyond research and development. Seriously, suppose you give Taco Bell cashiers the opportunity to surf the net when they aren't serving customers, as long as they will unconditionally appear and serve customers immediately when they arrive. I guarantee you they will be much happier people, and will be much more polite and happy with the customers, will enjoy working at the company, will consider continuing to work at the company, and most of all, will be inclined to do their best at their job, rather than just do their job.

    8. Re:For business or personal use? by Anonymous Coward · · Score: 0

      What ever happened to due diligence?

    9. Re:For business or personal use? by brainee28 · · Score: 1
      Unfortunately, you kept bringing in the one thing that companies aren't very interested in: employee morale.

      The prime goal of a company is to make money and its main responsibility is to its shareholders. Restrictions are put in place for a variety of reasons: legal, technical, security, financial, and procedural.

      The company I work for is a security company; webmail is a bad idea because files such as drawings, designs, and specifications could be leaked if individuals had access to webmail.

      Personal laptops are just that; they're personal. When you bring in a personal item, the company's liability insurance may or may not cover any damages sustained while in the office. Also, again with security; it's a lot harder to secure a device that needs connectivity on multiple systems than if it only needs to connect to one system.

      Your example of your university doesn't apply to businesses; the criteria are much different.

      Your ideas work in an academic environment, but aren't really plausible in the real world.

    10. Re:For business or personal use? by PitaBred · · Score: 1

      You're right, you don't know Linux that well. You can configure it to explode as easily as you can do with Windows, possibly even easier.

    11. Re:For business or personal use? by nine-times · · Score: 1

      Sometimes it works this way, but honestly, I could imagine it backfiring. Give Taco Bell cashiers internet access, and I could easily imagine that leading to them telling customers, "Hold on a second..." while they finish reading some MySpace page. If you fired them over that, you'd just fire a bunch of people all the time, because people would do it anyway.

      Web usage probably, overall, is a net loss of productivity, but it isn't practical for me to ban myself from port 80, even if I didn't need it for my job (which I do).

      I guess I'm just not of the belief that happier employees are necessarily more productive employees. There's a limit on each side. If people are too unhappy, they aren't productive, but if you give them everything they want and let them do what they want when they want to, they aren't productive then either.

      It depends on the job/company. Working for Google, it's better that you know about whatever is happening on the Internet. If you're a data-entry drone for some boring company, then not so much.

      But also, none of this is really what I was talking about. I'm not talking about maximizing productivity of general employees, but minimizing IT costs and security risks. If your network is running like the wild west, you're going to have to hire more technicians who will spend all day straightening out problems. Restricting the services offered and allowed will cut downtime and the number of trouble calls, which will allow a company to function with a smaller IT staff.

      Maybe your mindset changes when you work in support for a couple years. For example, most of your users will complain at some point that they don't have admin rights on their computers, and you'll hear some people with computer experience say, "If someone knows enough about computers, then why not?" But if you give users admin rights, their computers will break much more often. Honestly, I don't even really know why. There's not always a clear cause-- it might have nothing to do with viruses or spyware or anything particularly horrible, but you find out that the fewer configuration changes people can make, the less downtime they have. It's just some sort of wacky mystical rule.

      Maybe there's a good theory to explain this, but I just know it as a truth I've learned through experience. If you want your computer to function without trouble, install only the applications you need, and don't operate it as an admin. Only log in as an admin (or root) to do those rare things that require it. Don't install then uninstall things you don't need, and don't screw with settings you don't need to, or else your computer will slowly go to hell.

      It's similar with networks. When it comes to networks, don't let protocols travel through firewalls that you don't explicitly intend on using. Don't enable services on servers without a clear concept of what you're going to use that service for. Plan ahead, and be a minimalist. Keep things simple and restricted to what you want to use.

      All this runs contrary to the idea of "education", but if you're focussed on easy and efficient network/systems management, be restrictive.

    12. Re:For business or personal use? by dheera · · Score: 1

      Yes, I know many companies aren't too interested in morale and employee happiness, but I feel like even though it is not necessarily profitable, that ought not to be 100% of the game.

      There should be a human aspect to being a company -- that is, promoting good culture and true employee happiness is something I would morally/ethically expect out of a company, much in the same way that I would expect help from a friend or love from a parent.

      I say this because a company is a bunch of human beings that in some cases perhaps ought to be a little more human. Driving straight for profit only, while killing happiness, extending work hours, or expecting too much out of an employee, is, IMHO, a bit immoral.

      I suppose I take a somewhat slightly more European stance on work ethics, but I do consider life beyond work extremely important, and think that promoting happiness is very important for a country, perhaps in some cases more important than trying to inch your profits from $1 billion to $1.2 billion.

    13. Re:For business or personal use? by dheera · · Score: 1

      Sorry for the comment abuse in replying to myself, but I guess I may not have been clear in my last sentence:

      Yes, if I were designing a company, I _would_ sacrifice some company profits to promote happiness, as a human being. If this means a larger hiring department so that automated resume-readers can stop being used, great. If this means a larger IT department that can attack and kill all vulnerabilities while providing freedom, I'd do that too. If it means providing more vacation time to employees, I think that's very important, too. I would also, as an employer, firmly believe in 40-hour weeks and hire a larger work force if it turned out that any employees were spending 80-hour weeks regularly to get their jobs done.

      I realize that all this decreases profits. But if I ran a company, making sure my employees and customers were happy, creative, and able to pursue other things in life for some time would be my #1 goal. If I could stay profitable keeping that goal, great (many, many companies do this really well, from what I've seen). If I couldn't keep up happiness and profits, I don't think it would be too ethical to stay in business, for I certainly wouldn't be too proud of it.

    14. Re:For business or personal use? by Knara · · Score: 1

      Sometimes it works this way, but honestly, I could imagine it backfiring. Give Taco Bell cashiers internet access, and I could easily imagine that leading to them telling customers, "Hold on a second..." while they finish reading some MySpace page. If you fired them over that, you'd just fire a bunch of people all the time, because people would do it anyway.

      You're probably correct, but I don't see what the problem is there. People fire employees who aren't doing their jobs for a lot less.

      Web usage probably, overall, has a net-loss of productivity, but it isn't practical for me to ban myself from port 80, even if I didn't need it for my job (which I do).

      Perhaps but without non-BS metrics for measuring productivity (which very few industries have outside of manufacturing), there's no way to prove the claim.

      I guess I'm just not of the belief that happier employees are necessarily more productive employees. There's a limit on each side. If people are too unhappy, they aren't productive, but if you give them everything they want and let them do what they want when they want to, they aren't productive then either.

      *Good* employees that are happier are better than bad employees that are happier. The problem with your line of thought so far is that you assume everyone in every job needs to be constantly supervised and externally motivated in some parental fashion in order to do their jobs. While it's true that this segment is not insignificant in the workforce, wouldn't you rather keep sorting through people (firing and hiring) until you get good ones, than try and slave-drive the lazy stupid ones?

      But also, none of this is really what I was talking about. I'm not talking about maximizing productivity of general employees, but minimizing IT costs and security risks. If your network is running like the wild west, you're going to have to hire more technicians who will spend all day straightening out problems. Restricting the services offered and allowed will cut downtime and the number of trouble calls, which will allow a company to function with a smaller IT staff.

      The number of trouble calls due to "network security" from general users is very, very low. I've done user support in several places now, and *by*far* the greatest number of trouble tickets can be attributed to user error resulting in a desktop configuration problem. Restricting services does nothing to alleviate that issue (and I'm convinced that it won't decrease significantly until the 40+ age group leaves the workforce).

      Maybe your mindset changes when you work in support for a couple years. For example, most of your users will complain at some point that they don't have admin rights on their computers, and you'll hear some people with computer experience say, "If someone knows enough about computers, then why not?" But if you give users admin rights, their computers will break much more often. Honestly, I don't even really know why. There's not always a clear cause-- it might have nothing to do with viruses or spyware or anything particularly horrible, but you find out that the fewer configuration changes people can make, the less downtime they have. It's just some sort of whacky mystical rule.

      In the Windows world, "after you work in support for a couple years", you'll realize that for everything through Windows XP, making the users local admins and then restricting by group policy the things they can do is the *only* way you can maintain security, retain your sanity, *and* not have the users calling you for help every time some odd-ass thing requires admin access.

      Maybe there's a good theory to explain this, but I just know it as a truth I've learned through experience. If you want your computer to function without trouble, install only the applications you need, and don't operate

    15. Re:For business or personal use? by nine-times · · Score: 1

      It is a good theory, but only that. In the Real Windows World unless you like remote controlling users and doing "Run As..." any time their Java needs to be updated or Adobe Reader needs to be updated, or a developer needs to add a tool to their environment, or change an ENV variable, users need to be in the local administrator group. Again, this is where a good GPO scheme will do wonders. Maybe for an office of a dozen or two users it's okay, but anything of size will become problematic quickly.

      To be blunt, I doubt your experience. I've worked on a site of a multi-national corporation with 250 users (including programmers and engineers) with a support staff of 3 (including me, doing all desktop and network support). The only way to do this was to have those 3 people all be good at their job, be hard workers, develop a good imaging system, and to drop admin-access from user accounts.

      Before that, it was hard to get anything done because the Windows machines would just fall apart after a couple weeks. You'd set it up, get it working silky-smooth, and 5 weeks later, we'd be getting complaints every day because the machine "sucked". Sure enough, we'd check it out and it would be slow, unresponsive, buggy, and it would crash every 5 minutes. It wasn't clear what people were doing, but sure enough, the machine wouldn't really get working properly again until we reinstalled Windows from scratch. We couldn't manage it all, didn't fix things quickly, and it looked like we'd have to double our staff (at least). Management wasn't happy about all this.

      Now, when we removed the admin rights, you'd better believe that some of the programmers lost their shit. They'd complain and complain about all the things that they needed to do for their jobs. They'd complain, "You know I can't do my job like this, right?!" At first, we'd give those couple of people admin rights again, and guess what? Those machines would have spyware installed the next day, or start being buggy after a few weeks, just like before. The machines that stayed locked-down continued to work great.

      So we re-imaged the bad machines again, and said, "Ok, if you need something for your work, e-mail IT and we'll do it immediately." The programmer would get flustered and spit out, "Well you know that means you're going to be here all the time, right?! I do stuff all the time that requires admin rights, so you'll just be here all the time!" We said that was fine, if need be, we'd be there all the time. And can you guess what happened?

      What happened was that we got a couple stupid requests for spyware to be installed, which we refused. They wanted us to help them do things that violated the corporate policy (e.g. attaching personal hardware to their corporate machines), and every now and then we'd get a couple of valid requests. The valid requests mostly were things that were either a one-time fix, or things that we could enable just that single capability in an otherwise user-level account. After a couple weeks of checking up, refining the image to make sure everything worked, etc., no more complaints from the programmers. In reality, there weren't so many things they needed administrative rights for. There just weren't. And their systems would run and run for months, maybe years, without incident.

      Yeah, there were some people who still bitched about not having control of their systems. But we had management support because we had tamed the chaos. Their underlings used to complain, "I can't do my work because this stupid computer is broken!" and they weren't hearing those complaints anymore. Everyone, even the complainers, had to admit that there were far fewer problems.

    16. Re:For business or personal use? by Knara · · Score: 1

      Other than my first job out of college and a short stint as a one-man-show, 250 is far fewer than the minimum number of users my team has had to support at any given location. And, no, the teams were not massive in number.

      Here's the thing, you're operating under the assumption that just because someone is a local administrator, you can't restrict what happens on their machine. You certainly can by properly maintaining a domain-based security system. Granted, this requires expertise that is often not available at a smaller shop, but it's very possible to implement.

      Centralized anti-virus and anti-spyware systems that update, monitor, report, scan, prevent infections, and auto-clean infected machines can alleviate a lot of the work (not all of it, but a significant amount). Even in situations where we have people out on the other side of the planet who rarely hit a bona fide corporate office, we don't see machines go down in 5 weeks if they're a known model that got a known good .gho on them. We have people who are out in the "wild" for months at a time, but so long as you have your systems set up to poll a corporate patch/antivirus server (any reasonably sized office has their wandering people using a VPN solution that enables this), you can keep things up to date and generate notices when things are wrong. Once in a while we get problems after a .gho is updated and put on a machine, but not often (annoying as hell when it happens though).

      In short, "removing local admin" for windows machines can be one approach, I suppose, but I've never found it to be a practical one.

  4. Isn't webmail safer for VBS? by joeflies · · Score: 1

    with webmail, you still have to download the file in order for it to cause problems, whereas if you force your users to POP it, it will be on their computer for sure.

    1. Re:Isn't webmail safer for VBS? by truesaer · · Score: 1

      I'm sure they're blocking the corresponding pop servers for free email services as well.

    2. Re:Isn't webmail safer for VBS? by guruevi · · Score: 1

      You still have to open it before it works (except if you have an older version of Outlook Express), doesn't matter where it comes from. And Windows machines should have virus scanners anyway (Mac, Linux and other Unices which send things to Windows should have at least an e-mail scanner in a company), so either way it would get blocked.

      As for the poster's question: I wouldn't block webmail access, heck I wouldn't block POP3 or IMAP either. People only get pissed off about it and will find a way around, which might compromise your security more than just allowing webmail.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
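
    The question's attachment test (Yahoo passing a bare .vbs, Gmail blocking a zipped one) and Seumas's point above that you can block the attachment type at your own perimeter while still allowing the webmail both come down to one filter: look inside what the user is about to download. The following Python is an added example, not code from the article or from any of the providers named; the blocked-extension list, the nesting and size limits, the helper names and the sample message are all assumptions constructed for the demonstration.

```python
"""Attachment filter for mail or for webmail downloads passing through a proxy.
Flags script/executable attachments whether bare or hidden inside (nested) zips.
Added example; the extension list and limits below are assumptions, not any
provider's policy."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows executes on double-click (assumed list; extend as needed)
BLOCKED_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".exe",
               ".scr", ".pif", ".bat", ".cmd", ".com", ".hta"}
MAX_ZIP_DEPTH = 3                     # deeper nesting is refused outright
MAX_UNCOMPRESSED = 50 * 1024 * 1024   # refuse to inflate more than this (zip-bomb guard)
ZIP_MAGIC = b"PK\x03\x04"             # local file header; catches a zip renamed to .dat


def file_ext(name):
    """Lower-cased final extension; trailing dots/spaces are stripped because
    Windows drops them, so 'evil.vbs.' still runs as a .vbs."""
    name = name.lower().rstrip(". ")
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def scan_zip(data, prefix, depth=0):
    """Return [(path, reason)] for blocked members, recursing into nested zips."""
    if depth > MAX_ZIP_DEPTH:
        return [(prefix, "archive nesting too deep")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix, "corrupt or non-zip archive")]
    if sum(i.file_size for i in zf.infolist()) > MAX_UNCOMPRESSED:
        return [(prefix, "uncompressed size exceeds limit")]
    findings = []
    for info in zf.infolist():
        if info.is_dir():
            continue
        path = f"{prefix}/{info.filename}"
        ext = file_ext(info.filename)
        if ext in BLOCKED_EXT:
            findings.append((path, f"blocked extension {ext}"))
        elif ext == ".zip":
            try:
                findings.extend(scan_zip(zf.read(info), path, depth + 1))
            except RuntimeError:   # encrypted member: names checked, contents not
                findings.append((path, "encrypted nested archive"))
    return findings


def scan_message(raw):
    """Parse an RFC 5322 message and return the blocked attachments in it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext = file_ext(name)
        if ext in BLOCKED_EXT:
            findings.append((name, f"blocked extension {ext}"))
        elif ext == ".zip" or data[:4] == ZIP_MAGIC:
            findings.extend(scan_zip(data, name))
    return findings


def build_sample():
    """Constructed test message (not real mail): a bare .vbs, a zip hiding a
    .vbs, a renamed zip nesting another zip with a .vbs, and a benign zip."""
    def make_zip(members):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for member_name, content in members.items():
                zf.writestr(member_name, content)
        return buf.getvalue()

    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "docs"
    msg.set_content("see attached")
    msg.add_attachment(b'MsgBox "hi"', maintype="application",
                       subtype="octet-stream", filename="invoice.vbs")
    msg.add_attachment(make_zip({"invoice.vbs": b'MsgBox "hi"'}),
                       maintype="application", subtype="zip", filename="invoice.zip")
    inner = make_zip({"payload.vbs": b"x"})
    msg.add_attachment(make_zip({"inner.zip": inner, "readme.txt": b"ok"}),
                       maintype="application", subtype="octet-stream", filename="archive.dat")
    msg.add_attachment(make_zip({"notes.txt": b"ok"}),
                       maintype="application", subtype="zip", filename="notes.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for path, reason in scan_message(build_sample()):
        print(f"BLOCK {path}: {reason}")
```

    The magic-byte check matters because a zip renamed to .dat still opens in Explorer, and the size cap stops a small archive from inflating into gigabytes on the filter host. What this does not catch: a script renamed to a harmless extension (the user would have to rename it back before it runs) and the contents of password-protected archives, whose member names are still checked but whose bytes cannot be inflated. Those gaps are why Seumas's answer (filter at your perimeter) and guruevi's (a scanner on the Windows box regardless of where the file came from) are complements, not alternatives.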
  5. what do they save by mastershake_phd · · Score: 1

    don't know of any security related bad press for Yahoo or Google.

    Google is suspected of saving and data mining users' Gmail. It may sound paranoid, but if you are worried about corporate info/secrets being leaked, it might be wise to avoid. http://en.wikipedia.org/wiki/Gmail#Criticisms

    1. Re:what do they save by DDLKermit007 · · Score: 1

      And I suspect you of being an ass-monkey too. Doesn't necessarily make it true however. It's on Wikipedia so it should be largely ignored. Conspiracy theorists, and tin foil hatters are the ones posting that bs.

    2. Re:what do they save by Ilgaz · · Score: 1

      don't know of any security related bad press for Yahoo or Google.

      Google is suspected of saving and data mining users' Gmail. It may sound paranoid, but if you are worried about corporate info/secrets being leaked, it might be wise to avoid.

      http://en.wikipedia.org/wiki/Gmail#Criticisms http://www.google.com/mail/help/privacy.html

      Google maintains and processes your Gmail account and its contents to provide the Gmail service to you and to improve our services. The Gmail service includes relevant advertising and related links based on the IP address, content of messages and other information related to your use of Gmail

      You may organize or delete your messages through your Gmail account or terminate your account through the Google Account section of Gmail settings. Such deletions or terminations will take immediate effect in your account view. Residual copies of deleted messages and accounts may take up to 60 days to be deleted from our active servers and may remain in our offline backup systems.

      (Instead of commenting, I give a secondary URL which already has comments in better English than mine)

      http://www.google-watch.org/gmail.html

  6. Squirrelmail by FreakyGeeky · · Score: 3, Interesting

    Where do you work? I'd like to know so that I do not inadvertently apply for work at your company.

    Then again, I'm sure you've addressed all of your company's really important network concerns first before moving on to this. Or, maybe you were sure to restrict all of the workstations such that no one can change their desktop wallpaper and things like that.

    Which webmail system do I use while at work? I use my own squirrelmail installation. I bet you'd really hate that!

    1. Re:Squirrelmail by slayermet420 · · Score: 1

      Be glad you don't have the network restrictions I have at work. I know very few people have heard of the infamous Navy/Marine Corps Intranet (NMCI), but they are infamous for blocking everything they possibly can. The majority of proxy servers are blocked, as well as anything they deem "unproductive" while at work (MySpace, webmail, etc.). They basically block anything they don't want us looking at.

      The good thing is that they give us about 10 Mbps downloads.

      --
      Geeks strike again 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    2. Re:Squirrelmail by brobak · · Score: 5, Insightful

      You know, it's not always as sarcastically simple as you want to make it out to be. The fact of the matter is, things like GLBA and SOX force IT departments to take these kinds of drastic measures whether we like it or not. They REQUIRE that you inventory 'customer sensitive data' and control the flow of that data. The CEO literally signs on the bottom line that the reports you give to the auditors are true. Not to the best of his knowledge or any cop outs like that.

      So, when the big guns come down from their gilded offices, and demand to know for a 'fact' that you have control over data, it doesn't matter that the steps you have to take might have little to no real world effect. You just have to take them. Yes, as a security professional, *I* understand that if I wanted to get customer sensitive data out of the network, I could write it on my own ass, and press it up against a window for the guy in the next building over to read. But my board of directors doesn't find that amusing. They know they are legally responsible now, and they must be seen to be doing *everything* possible to secure the data. This does include doing our best to block things like mail apps, IM apps, USB drives and the like.

      Personally, I can see MANY ways in which each of those things would streamline the business process, and provide actual performance and productivity increases for the business, but that doesn't matter because GLBA demands that if we were to use those things, we keep logs of ALL of the ways they were used for 3 years, that are indexed and searchable and online, and another 4 after that in archive format. So when you go to the accounting dept with your new budget with all these new equipment costs, and software costs, and you have to GUARANTEE legally that they can't be used in ways other than intended...guess what the simpler solution is? That's right, they go away.

      And let's be honest, for every valid business purpose, there's an equal number of time wasting BS purposes for that stuff that expose the company to legal liability. And the fact of the matter is, if we have policies against it, procedures in place to prevent it, and you still manage to get it done, then we have a pretty damn good case in court to hang YOU out to dry and not the company. CYA for the big wigs, and frankly, for myself.

      I know as geeks and nerds we think we know best, but if you play hard enough, stuff does break. I know I've had my own little personal web host 'pwned' before, and that's being decently careful to lock things down. I can't imagine my 'lusers' having more access than they already do, and what they might 'accomplish' with that access. For my own sanity, our regulatory requirements, the CEO's CYAs, and to be able to support the secured environment that we do, things like you refer to so sarcastically would get you fired. We own that machine, we own the network it's on, we own the bandwidth you use to connect to the outside world, and therefore, we get to say exactly what you get to do with it. If you don't like that, that's fine, I totally understand, leave. But sometimes, even though I personally don't like it, I 'get it'.

      --
      --Brian
    3. Re:Squirrelmail by DavidpFitz · · Score: 2, Insightful

      The fact of the matter is, things like GLBA and SOX force IT departments to take these kinds of drastic measures whether we like it or not.

      [Disclaimer: I do risk and reg for a living]

      Bull. Sarbanes Oxley says nothing of the sort. If you think it does, go read the regs. I don't believe you are intentionally lying, I just think you are misinformed and have no idea what you are talking about.
    4. Re:Squirrelmail by Anonymous Coward · · Score: 0

      My thoughts exactly. The original poster is a putz.

      I wish IT staff would start doing the job they are supposed to do - support users so they can do their jobs, rather than do what they typically do which is try to make their own jobs easier.

    5. Re:Squirrelmail by twbecker · · Score: 4, Funny

      Congrats, you just pwnt the GP with the GIANT WALL OF TEXT!!.

      Seriously man, paragraphs.

      --
      "The problem with internet quotations is that many are not genuine" -Abraham Lincoln
    6. Re:Squirrelmail by brobak · · Score: 2, Insightful

      I listed both SOX and GLBA. And you are correct, section 404 says nothing of the sort. It's the fact that it is so vague, that our regulators and auditors have expanded on its requirements just to 'be safe'. Go ahead and look up some of the recent commentary by Mr. Oxley himself. They realize they've created a monster by being so damn vague. GLBA is the same way. I'm paraphrasing, but the language says basically 'put into place a system of controls, and document those controls'. Then my conversations with my regulators go like this: Great, wtf does that mean? How about I just document what we currently do, and call that the controls...no? That's not good enough? Ok fine, tell me what's good enough...you can't? Well how about some guidance...no you can't do that either? Ok fine. We'll just go whole hog to protect ourselves. And then they are happy.

      --
      --Brian
    7. Re:Squirrelmail by Anonymous Coward · · Score: 0

      There is a thing called the return key. If you did use it, make sure to use "Plain Old Text" rather than "HTML Formatted".

      This will create paragraphs.

      Even when you select "Plain Old Text", you can still use formatting and anchors. Strange isn't it.

    8. Re:Squirrelmail by Stonent1 · · Score: 1

      The last place that I worked restricted webmail access from regular PCs but set up a locked down Citrix server that could go to the major webmail sites. So you just go to the URL for the .ICA file and it would open a IE6 window that you could use to get some outside mail. Downloading anything or whatnot was restricted and cookies were purged after you logged off.

    9. Re:Squirrelmail by BunnyClaws · · Score: 1

      Good reply. I don't think most of the clowns out here sometimes realize that I.S. Security has to deal with a lot of IT Controls that are mandated such as SOX, HIPAA, FDA, PCI, etc... Yes, we know there are ways around content filtering and there are legitimate uses for Skype or Instant Messengers but in order to be compliant with certain regulations we have to take certain measures. So, if you work for a publicly traded company, or a company in banking or health care accept the restrictions that are set in the company. There isn't a need to prove how smart you are by trying to get around security restrictions that are put in place by the company that owns the equipment you are using. If you were that smart you would be the one running the company and not a low level employee with limited access rights.

      --
      "Anything tastes good if you deep fry it."
    10. Re:Squirrelmail by Jherek+Carnelian · · Score: 1

      I'm paraphrasing, but the language says basically 'put into place a system of controls, and document those controls'.

      Replace "controls" with "processes" and that sounds like every ISO certification I've ever seen.

    11. Re:Squirrelmail by PilotDvr · · Score: 1

      You must have the same auditors as we do. I just went through the hell of a SAS70 audit that was more invasive than my last rectal exam.

      I am in total agreement with both of your posts in this thread.

    12. Re:Squirrelmail by jay2003 · · Score: 1

      Did you ban all laptops? If customer data is on a laptop and it leaves the building, you do not have control over it. That laptop could get stolen and you've lost the data. The problem *might* be solved if the data was stored encrypted but we know from the data compromise incidents, that's rarely the case.

    13. Re:Squirrelmail by Punto · · Score: 1

      It's useless anyway. The guy is running computers that can execute Visual Basic; he already got pwnt a long time ago.

      --
      Stay tuned for some shock and awe coming right up after this messages!

    14. Re:Squirrelmail by BunnyClaws · · Score: 1

      Since you are in Risk Management you probably deal with 3rd party auditors who may interpret the regulations differently than you do. In my opinion SOX is very vague on a lot of issues and this can become a major pain when you are dealing with some auditors who had grandparents who worked for the Third Reich.

      --
      "Anything tastes good if you deep fry it."
    15. Re:Squirrelmail by brobak · · Score: 1

      Actually we have PGP whole disk encryption on all laptops. Look, as a geek, and a security professional, I know that nothing is 100%. I can't say it enough. I get it. But that doesn't matter. The regulators don't... So we do what we can to the maximum extent that we can in order to please the regulators (they can shut you down you know). And we do the max because we have no specific guidance. So, when it comes to the business...better safe than sorry.

      --
      --Brian
    16. Re:Squirrelmail by PilotDvr · · Score: 1

      The thing that pisses me off about /. is that should you have a security lapse (ie CitiBank, VA, etc) then the same people who are telling you that your security controls are draconian will be saying 'how in the hell could they let that happen? Didn't that moron SysOp know to lock down webmail?' Pisses me off royal...

    17. Re:Squirrelmail by brobak · · Score: 1

      I think it's one of those things where people are book smart, but haven't really operated in the real world. I know it's stupid, I know it sucks, and I know it's not ideal, but the fact of the matter is, it's gotta be done because someone said so.

      People just don't seem to get that. And like I said, if you don't like it, and you can afford to leave, then more power to you bro, leave. But some of us have a job to do, and it's just gotta get done, even if it hurts our nerd-feelings. :)

      --
      --Brian
    18. Re:Squirrelmail by pegr · · Score: 1

      I just went through the hell of a SAS70 audit that was more invasive than my last rectal exam.
       
      Then you've never had a true audit. SAS70's aren't worth the paper they're printed on. Type 1 SAS70s don't even require control testing. The only point to a SAS70 is to get a check-in-the-box when the IT auditor asks if you have a SAS70 for each of your external service providers.
       
      Wait, I'm mistaken... The only point to a SAS70 is to enrich your CPA...

    19. Re:Squirrelmail by sgtrock · · Score: 1

      The FFIEC guideline letters that supposedly cover GLBA and SOX sure put auditors in a tizzy. OP is right. If we don't do all this stuff, we also face fines from the OCC. Think I'm kidding? We already ponied up something like $12 million once.

    20. Re:Squirrelmail by lastchance_000 · · Score: 1

      So you can download practically nothing at 10Mbps. Nice!

    21. Re:Squirrelmail by FreakyGeeky · · Score: 2, Insightful

      I know SOX quite well, as internal SOX auditing is part of my job. Nice try. It seems like you're misinformed about SOX. SOX doesn't force IT departments to do anything, let alone "drastic measures."

      Like I said in my original post, it's a good thing you're focused on the important activities of, "blocking mail apps, IM apps, USB drives and the like." You better ban laptops too! While you're at it, kill your users. They might *speak*. Well, you could rip out their vocal cords so they can't do that, but then they might use semaphores. Better ban flags too!

      What you fail to realize is that your data is only as secure as your users. I would say that you do not "get it" at all.

    22. Re:Squirrelmail by Rob+the+Bold · · Score: 1

      The fact of the matter is, things like GLBA and SOX force IT departments to take these kinds of drastic measures whether we like it or not.

      Why the hell would the Gay Lesbian Bisexual Alliance give a damn about your customer data?

      --
      I am not a crackpot.
    23. Re:Squirrelmail by FreakyGeeky · · Score: 1

      I am approaching this argument as someone involved in the definition, auditing, and enforcement of my company's security restrictions. I am not trying to demonstrate how smart I am by circumventing security restrictions, but instead am demonstrating how smart I am by not wasting time on creating useless security restrictions such as disabling USB, IM, and other things.

    24. Re:Squirrelmail by Achromatic1978 · · Score: 1

      very few people have heard of the infamous

      Infamous is not 'not famous'.

      Which is it? 'Infamous' or 'very few people have heard of'?

    25. Re:Squirrelmail by brobak · · Score: 2, Insightful

      You misunderstood my entire post. I stated quite clearly that I know for a fact that these measures most likely do not offer 'real world' security.

      What I am saying is that none of that matters in the face of vague sets of regulatory requirements.

      I see also that you chose to ignore the fact that I also listed GLBA as a requirement, as did a few others who responded.

      I go through four to five audits per year. I have had to beg for specific guidelines, and have yet to receive any. And so, the safe thing to do is to appear to be trying as hard as possible.

      The other thing that I *do* get is that as a self proclaimed geek (you are here arguing on the internets with me) that you might be naturally averse to a situation like the one we have here. That's OK. And if you have the ability to pull up and leave for more open pastures, by all means, go. Go take a job where you aren't under this kind of insane scrutiny. Really. I envy you that mobility.

      However, the fact remains that this hardware belongs to the company. And if my boss says that after the latest audit, we're going to lock you down as tight as is possible, even if in real world terms it means nothing, then that's what I'm going to do. That's what they PAY me for.

      And what's more, actions like that do in fact, please regulators. And at the end of the day, if the regulators are happy, we get to continue to make money, rather than being fined or possibly even shut down. And when the business makes money, I make money. And that makes me happy.

      --
      --Brian
    26. Re:Squirrelmail by jrumney · · Score: 1

      'put into place a system of controls, and document those controls'. Then my conversations with my regulators go like this: Great, wtf does that mean?

      It means exactly what it says. It's ISO-9000 for the finance department.

    27. Re:Squirrelmail by Ilgaz · · Score: 1

      Those poor users and company will likely be the victim of a custom coded trojan, impossible to detect without advanced heuristics, which claims it can pass the evil webmail filters.

      Depends on size/secrets/wealth of company of course. Too much hassle you say? Well, if you make living from stealing company secrets, it isn't.

    28. Re:Squirrelmail by brobak · · Score: 0, Flamebait

      It's not useless if it gets the auditors off your back, and keeps the regulators from shutting down your company.

      I know that the real world security gained by these actions is almost (though not quite) nil. That's not really the point, is it? I thought I made that clear in my original reply.

      --
      --Brian
    29. Re:Squirrelmail by ankarbass · · Score: 1

      I've blocked wallpaper and color changes before. This was back in the windows 3.1 days. People would spend hours mucking with their colors and would regularly set them such that the background matched the foreground for some text and it would, of course, not be visible. They'd then want me to come fix it. Or inevitably they would choose a wallpaper which would offend someone. We went to a nice company logo wallpaper and the standard colors for everyone.

      --
      Wanted: Clever sig, top $ paid, all offers considered.
    30. Re:Squirrelmail by fraudrogic · · Score: 1

      "The infamous El Guapo."

      What does that mean? "In-famous"?

      In-famous is when you're more than famous.

      This man El Guapo is not just famous, he's in-famous.

      --
      I only mod up parents of "mod parent up" posts...
    31. Re:Squirrelmail by Achromatic1978 · · Score: 1

      I think you missed my point, where I was querying the GP's use of language, in mentioning how "not very many people know of the infamous xxx"

    32. Re:Squirrelmail by bearave · · Score: 1

      "We own that machine, we own the network its on, we own the bandwidth you use to connect to the outside world, and therefore, we get to say exactly what you get to do with it. If you don't like that, thats fine, I totally understand, leave" Hell yeah. You own that paper, you own that desk, and you own that telephone I use to connect to the outside world, and therefore you get to say exactly what I get to do with it? Seeing that you'll tell me exactly what to do, I won't be getting to do anything innovative. In fact, it could be very dangerous for me not to park my brain at the door when entering your office. You might think you know exactly what your workers should be doing with their IT, or any other part of the company infrastructure. But your competitors will soon find where you are not half so smart as you think you are. And really, your workers would have to be pretty brain dead to be working for a company that takes the view that paying wages buys ownership. Unless you're talking about a business that is doing idiot-simple work like flippin' burgers at Maccas, you'll go belly-up just for that reason alone.

      --
      plurality should not be posited without necessity. - William of Occam
    33. Re:Squirrelmail by statemachine · · Score: 1

      I run my own domains and my own squirrelmail installation as well. The company I work for does not filter it out, nor do I think they filter much of anything out or have any plans in the near future. I would like to think that my company trusts its employees' intelligence somewhat. There are of course network firewalls, virus scanners, and spam filters, for example. IT here are just not completely BOfH.

      My personal e-mail is sent via my personal e-mail server, and corporate e-mail is over the corporate e-mail server. I don't mix the two, and I nudge my friends into doing the same. As far as my privacy, my personal e-mail is read and sent via SSL. (Oh, I know, someone might say "but smtp is transmitted in the clear." And I say, right, but my inbox in aggregate is encrypted between my server and my web browser, which I consider a far easier and more desirable target for any snooping -- not to mention that my MTA will encrypt its smtp sessions (and does frequently) with any other MTA that supports this.)

      I keep my corporate and personal lives separated and don't abuse the network. Maybe, just maybe, my company's IT sees wisdom in this and will continue to allow this to happen.

      (message captcha: paranoia)

    34. Re:Squirrelmail by Anonymous Coward · · Score: 0

      And what you don't 'get', is that anything I create, including an email on a computer belongs to me, the creator of that email. Copyright and all that other stuff that you idiots who come up with all sorts of excuses/laws to prevent people from communicating, etc. like to throw around at everybody else except yourself. Fine, you don't want me to use your network, I'll do it by hand, and expect everything to take MUCH, MUCH longer, and I guess you'll have to hire a few more people to keep up with demand, etc. And I haven't even started on invasion of my privacy issues, etc.

      Idiots who lock down everything so much that the computers, etc. become unusable are the problem, not the 'lusers'.

    35. Re:Squirrelmail by NoOneInParticular · · Score: 1

      Getting auditors off your back is one thing. Get different auditors. Regulators will not shut down your company as long as you take good care of your financial systems. If you allow any nut-job in your company access to your financial systems, you have to lock down every employee. If you however have locked down your financial systems, no regulator will shut down your company for allowing your (non-financial) employees to read webmail.

      And yes, I do work at a SOX regulated company, we're compliant, and I can read web-mail, ssh to the outside world, use POP to different servers and do whatever I need to do to get my job done while still having a (semblance of a) life. I do have to fill in more paperwork than I'd like, and that takes time. But that's the cost of doing business for the USA.

    36. Re:Squirrelmail by FreakyGeeky · · Score: 1

      I chose to ignore GLBA because it doesn't apply to my company. Imagine that!

      Though it may apply to your company, I'm sure it doesn't demand draconian IT practices.

    37. Re:Squirrelmail by FreakyGeeky · · Score: 1

      My point exactly. I also work in a very large SOX-regulated company, and have webmail, ssh, and pretty much open Internet access. Our financial and HR systems, however, are very tightly controlled and monitored.

    38. Re:Squirrelmail by DavidpFitz · · Score: 1

      Since, you are in Risk Management you probably deal with 3rd party auditors who may interpret the regulations differently then you do.

      I do - and who pays the auditors? Reality of business is that if your auditor wants repeat business, they need to understand how you operate - and that means you choose auditors who think the same as you. SOX is vague, indeed - so a decent Risk practitioner will use this to their advantage to do less, and argue they didn't need to do more. A bad practitioner will try to cover every base, and fail... or if they manage to succeed, they're spending far too much doing it!
    39. Re:Squirrelmail by fraudrogic · · Score: 1

      I understood your point. The reference to amigos was for the most part an attempt at humor (since it wasn't modded so, I guess the attempt was in vain), for the next to the most part a jab at the GP for being contradictory in his language, in essence agreeing with your point without really saying so since it's really off topic. Since you're off topic I guess I am now REALLY off topic.

      Mods be kind.

      --
      I only mod up parents of "mod parent up" posts...
  7. Of course I do by Anonymous Coward · · Score: 0

    Every person is responsible for their own actions while using the network. If they end up compromising data or causing network wide issues, they know it's their ass on the line. Teach your users to be good users. If you want content blocking, you'll have to cover ALL of your bases, which is impossible to do. Eliminating the problem by having informed users is better than putting all of your users in a box with airholes that aren't big enough for them to breathe.

    1. Re:Of course I do by sjwest · · Score: 1

      Yes - but stop them using Internet Explorer. Most 'issues' then go away.

  8. I am guessing that this will be fixed very quickly by Anonymous Coward · · Score: 0

    At this moment, the MS lobbyists are busy reading this and saying to bill, "why don't you have better protection?" Sadly, yahoo and AOL are busy saying "what just happened?".

  9. Seems more effective to have a good anti-virus by stratjakt · · Score: 1

    Shit's going to get through, one way or another. Even through your preferred e-mail system, or through a web browser exploit, or through something else.

    I use hotmail and gmail every day, mainly as spam-cisterns. They've taken pretty much every worm, scam and spam the 'net has seen, and I've never been infected from either service. Nor has my local AV software ever kicked in to protect me from anything. YMMV.

    I like the write up. You didn't find problems with hotmail, but hate MSFT, so you put it on the same list as Yahoo, who forwards .vbs scripts. Lol. I know better than to bite a troll like that.

    So, what are your favorite Apple products? Me, I'm excited about the iPhone.

    --
    I don't need no instructions to know how to rock!!!!
    1. Re:Seems more effective to have a good anti-virus by cyberbob2351 · · Score: 1

      So, what are your favorite Apple products? Me, I'm excited about the iPhone.

      I thought Cisco manufactured that wonderfully useful device?
      --
      for sale
      I'm a self-modifying sig virus
  10. Given Google's Push to the corporate desktop by Earl+The+Squirrel · · Score: 1, Interesting

    I've been part of the Google Beta testing for hosted e-mail (for my own domain) and also been part of the testing for the Google Apps for businesses. During that time, I've not had any issues with spam nor malware mail. Given Google's intent to host small businesses, I strongly suspect that they will pay close attention to security issues, esp. on their e-mail service. I've been pleasantly surprised as to how good their spam filtering works. My wife also has noticed that spam has pretty much gone away. You can access your e-mail both on the hosted site, and at least via a pop client, so you could possibly insert additional security on the pop client, but give folks access to a web version of the e-mail as well.

  11. One thing for sure... by Anonymous Coward · · Score: 4, Insightful

    I'm glad I don't work at your organization!

    Seriously, webmail has so much use that blocking it is ultimately counterproductive -- the only equivalent "security" would be totally blocking net access.

    If you are worried about productivity loss, well, I often use webmail so I can stay at work longer. Really, it's not hard to imagine that allowing people to use light net access for personal communication means that they do not have to physically leave work to do these things. It's a bonus for all.

    If you are worried about security, any net access that allows submission of forms or uploading of files is an equivalent security breach. As stated before, any moderately skilled hacker can configure a proxy to get data off your network.

    You're crippling your users and kidding yourself.

    1. Re:One thing for sure... by Anonymous Coward · · Score: 0

      I find the whole concept hilarious.

      What possible reason other than stupidity would you block access to AOL/Gmail from work?

      If I am working for 40+ hours a week on a computer, and I need time to email my contacts for anything from advice on a specific issue to our hockey pool, how is this unreasonable? If you had this policy, I would have the policy to certainly block your emails/phone calls from home and probably not work there in the first place.

    2. Re:One thing for sure... by paeanblack · · Score: 1

      If you are worried about productivity loss, well, I often use webmail so I can stay at work longer. Really, it's not hard to imagine that allowing people to use light net access for personal communication means that they do not have to physically leave work to do these things. It's a bonus for all.

      This is where the smart company compromises. A few workstations scattered about that are designated for random personal uses like email will go a long way to bridging the compliance/convenience gap.

    3. Re:One thing for sure... by Randseed · · Score: 1

      When the hospital I worked at last pulled this kind of crap on us doctors, I just set up an SSL proxy on one of my off-site machines and started pumping traffic through that (for myself, not anyone else). They never even noticed. Nor is it specifically forbidden by their Internet access policy, so about all they could have done was tell me, "uh, don't do that anymore." The reality is that they have little idea (short of desktop spyware) what that proxy URL actually corresponds to, and considering that one of the things I do is use web-based calendar and appointment software that runs on my machines off-site...

    4. Re:One thing for sure... by Anonymous Coward · · Score: 0

      I have attempted to argue this point exactly to our management. It fails.

      Some background: I work for a medium-sized SAAS company with 14 other developers, an IT department consisting of 3 people, 30-something project relation managers (sales department), and 6 helpdesk/testing (they do both) people. *All* of our upper management (CEO, VP, ... 4 others) are salespeople. One of them made a sale to a large client and as part of their contract, they agreed to make everyone at the company not access webmail (yes, it is in the SLA that we will not use web based email). The sole reason given for why we will not access email is: If you don't have web based email, you can't email yourself client data.

      For the 3 months that SLA was in draft form I argued *every single day* to have the webmail portion removed for the following reasons:

      Almost none of the sales department would ever be affected by it, because they almost exclusively work outside the office, off their own machines.

      The people who would be affected are the testers, who use external email systems to ensure that mail is properly being sent from our system, the developers, who use external email for mailing lists that they need to read (another IT policy forbids using your company email on a mailing list), and the H1Bs, who use email to keep in touch with family outside the states and to keep abreast of their legal stuff like becoming citizens (yet another IT policy says you can't use your company email for anything that isn't strictly for the company).

      It does absolutely nothing to stop anyone from distributing client data. Every employee has the ability to log into any of the client sites and can run any of the reports from their home computers. Half the company can directly access the databases and run queries, and all of them have access to the webservers and ftp sites where they can put database dumps to download for themselves. Everyone in the main office has access to automatically created Access databases, created from the client databases every hour and uploaded to a fileshare on the network that also happens to be the ftp site for client access.

  12. Yes by Ngarrang · · Score: 5, Insightful

    Simply put, yes.

    We would prefer that the work e-mail not be used for personal mailings. One of the reasons is file storage space.

    We are willing to acknowledge that the parents are going to communicate with their kids, and other folks with friends and family. It makes for better employee morale when they are permitted access to web mail for such things, leading to less abuse of work systems. It is better to use e-mail than the phone, which needs to be left free for actual business calls with clients.

    Are there security concerns? Though the poster found some concerns, those concerns are easily disarmed by a good anti-virus/anti-spyware program.

    Sure, we could be rather draconian and put the kibosh on all of it, but it comes back to employee morale. A happy worker is a productive worker. Our workers are given the task of being responsible and are rewarded for their success.

    --
    Bearded Dragon
    1. Re:Yes by Aadain2001 · · Score: 5, Insightful

      I just wanted to respond to this post by saying that is exactly how it should be! People's lives do not cease to exist when they walk in their employer's front door. It is much better to allow people to keep their work and personal lives separate by allowing webmail systems for personal emails and cell phones for personal calls. Kudos to your company for recognizing that employees are people and if you treat them as such they will have a much better perception of their work place and be happier about working for you.

      --
      Space for rent, inquire within
    2. Re:Yes by Angostura · · Score: 1

      I just want to respond by saying that the original poster *does* have valid security concerns, however. One possible solution, albeit a bit heavily engineered and expensive, might be to use virtual machines - one for work with restrictions, one that allows access to Gmail/whatever. Hmmm.

    3. Re:Yes by rizzo320 · · Score: 1

      Mod parent up!!! Amen, brother. User education can prevent many of these problems. A combination of AntiVirus/Malware, and a good network configuration can prevent the rest.

      Limiting usage like this just makes an employee dislike their job that much more, and just as you said, unhappy workers are not nearly as productive as happy ones.

    4. Re:Yes by BrookHarty · · Score: 1

      Morale to do one's job. I hate it when IT security thinks they have to protect me from myself, that I can't even do my job and have to get special (aka normal) engineer access to our own laptops.

      I was blocked from using altavista, and couldn't translate some emails, and couldn't get approval to buy the software. IT security tends to treat engineers as call centers, and lock them down. Those engineers tend to leave the company due to crappy office politics. Morale is important.

    5. Re:Yes by BobPaul · · Score: 1

      This is exactly how it should be, and has been everywhere I've worked, including the couple of places where I was part of the IT group. I've seen sites like youtube, metacafe, et al blocked, but never webmail.

      Blocking webmail just means you'll have more company signatures attached to forwards urging a boycott of Starbucks for being un-American, grass roots campaigning for politicians, or a number of other things your company doesn't officially support. Once that signature goes on there, someone's going to attribute it to the company, and you just don't want that.

      Unless you read their e-mail, too, in which case I would
      a) never work for your company
      b) never do personal business with your company
      c) be leery of recommending your company's products or services to my employer. How can you trust an organization that doesn't trust their own employees? Obviously price, performance, etc. are important, but so is reputation, and knowing about things like this doesn't help your company's reputation.

    6. Re:Yes by zCyl · · Score: 1

      Precisely. It's one thing if a company wants to mandate (by policy, not by technology) that its employees use only internal email accounts for all business related communications, but security does not seem to be a legitimate reason to block webmail. Allowing limited personal use of the internet from work equipment is productive for employee morale, and it can provide short breaks which reduce stress, boost overall efficiency, and can increase creative solutions.

      If you have to setup a non-networked computer or an isolated LAN with no internet access for special security situations, fine. But the mainstream webmail providers yield no more security problems than the rest of the internet.

    7. Re:Yes by the_womble · · Score: 1

      Ah, a rational admin!

      One company I worked for had a policy on the use of work email, the stated reason being that emails from a work address could be associated with the company, fair enough.

      However, they also blocked access to web mail, to prevent people avoiding these same rules. Logic?

      I always thought that your policy, for your reasons, was the sensible thing to do. I wish more IT departments could follow the logic.

    8. Re:Yes by argStyopa · · Score: 1

      Kudos to your company for recognizing that employees are people

      Read his post again. His company doesn't 'recognize' the employees are people, they concede that treating them like humans is the best way to get work out of the animals.

      As he said - they'd rather totally lock everything down.

      So I say to him: F*ck you, Mr SysAdmin. You have it totally backwards, and only have it "right" by accident. Maybe you should think of your employees as humans FIRST, instead of as trouble-causing drones? Perhaps you should be the advocate saying "gee, you know, happy people like to come to work, they like to be here, and they're probably spending too much of their life here ANYWAY - what's wrong with opening everything up as much as possible (within the limits of security) and letting people control themselves, only stepping in to discipline people that can't seem to keep their focus on work while they're here?"

      No, it's SysNazis like you that make stupid ass DRACONIAN policies that are so much fun to break. The more you tighten your grip, the more systems will slip through your fingers.

      --
      -Styopa
  13. Google Apps by Penguin's+Advocate · · Score: 1

    We use Google Apps for our company email. We were using an internal service until we switched in February. Apart from IMAP support, using Gmail for company email has been a great improvement over our previous system. The majority of our employees prefer Gmail's web interface to a standalone mail client. That said, we obviously allow webmail use on our network.

    --
    Frag 'em all...
    1. Re:Google Apps by Short+Circuit · · Score: 1

      In the past couple weeks, I switched both of my high-traffic mailing lists away from Google Groups, because it was taking 15 hours for an email/reply to make a round trip.

      Does Google Apps have a similar service, and was that service seeing similar issues?

    2. Re:Google Apps by Penguin's+Advocate · · Score: 1

      The mailing lists available in Google Apps are currently lacking in features; they have enough for our purposes, but there are many things they don't do (appending headers to subjects, reply to list, automatic subscriptions, mass user add, mass user delete, to name but a few). That said, emails to and from the lists happen near instantly and we have had zero problems with delays in either message forwarding or user adding.

      --
      Frag 'em all...
  14. Re:You forgot MySpace by Joe+U · · Score: 1

    it's too big of a business for this to be excusable.

    Seriously, why is this considered horrible? Someone might sniff a MySpace password? It's MySpace; EverQuest ranks higher in the security list.

  15. Where I work... by DRAGONWEEZEL · · Score: 2, Interesting

    The big Net Admins in the sky tried to block web based e-mail from Comcast, Aol, G-mail, Hotmail, Yahoo, etc... then all the physicians freaked out and got pissed enough for them to change it back. Or at least that is the story I was told...

    --
    How much is your data worth? Back it up now.
  16. Shooting the messenger by Jeremi · · Score: 5, Insightful

    Translation: my organization's computers are not secure enough to safely access the Internet. This is somehow Google/Yahoo/MSN's fault.

    --
    I don't care if it's 90,000 hectares. That lake was not my doing.
    1. Re:Shooting the messenger by glwtta · · Score: 3, Insightful

      The only thing left to add is: ... and I'm a dick about it.

      --
      sic transit gloria mundi
    2. Re:Shooting the messenger by lewp · · Score: 1

      True that. We prefer securing our computers, network, and user account as opposed to treating our coworkers like children -- though, admittedly, sometimes they ask for it.

      --
      Game... blouses.
    3. Re:Shooting the messenger by Anonymous Coward · · Score: 0

      my organizations' computers are not secure enough to safely access the Internet.

      [sarcasm][translation]
      You must be running Windows then.
      [/translation][/sarcasm]
  17. Users are a pain! by ImperfectTommy · · Score: 2, Funny

    It's safest when the users can't run any scripts or executables. With Vista, you can easily configure the UAC to stop such user nonsense.

    1. Re:Users are a pain! by walt-sjc · · Score: 4, Funny

      Hah! With Linux, it's so much easier. I just don't give them a login for the system at all! Those pesky users just get to look at a pristine monitor and keyboard, but are not allowed to touch... Can't have them fucking up my nice clean install now can I?

      Muahahaha!

    2. Re:Users are a pain! by pe1chl · · Score: 1

      Install and configure TrustNoExe and your users cannot run programs they have downloaded, no matter if via webmail, internet, usb sticks, ...

    3. Re:Users are a pain! by Anonymous Coward · · Score: 0

      I can see it now...

      Your web browser is about to access the web page mail.yahoo.com. It's not as good as MSN Hotmail. Are you sure you want to continue? [continue]

      MSN Hotmail is A LOT better. Are you sure you want to continue? [continue]
    4. Re:Users are a pain! by jbrandv · · Score: 2, Insightful

      If the user has physical access to the computer you are fooling yourself if you think you can stop them with UAC.

    5. Re:Users are a pain! by mlewan · · Score: 1

      "It's safest when the users can't run any scripts or executables."

      Isn't it safer when their only communication device is a pencil and a piece of paper?

    6. Re:Users are a pain! by Anonymous Coward · · Score: 0

      Haha, with a dry cool wit like that, you should write Mac commercials!

      I bet you'd have no problem penning words for an elitist metrosexual douchebag.

    7. Re:Users are a pain! by nine-times · · Score: 1

      Yes, but people who understand the idea "physical access = compromised security" and know enough to crack a Windows box are probably also knowledgeable enough to know, at least, not to run a script received through e-mail. Most virus infections I've seen in the corporate world are an employee's act of stupidity, not maliciousness.

    8. Re:Users are a pain! by tepples · · Score: 1

      Install and configure TrustNoExe and your users cannot run programs they have downloaded, no matter if via webmail, internet, usb sticks, ...

      But how long until home versions of Windows ship with a program like this pre-installed? Another Microsoft platform already does.

    9. Re:Users are a pain! by archen · · Score: 1

      Hope you remembered to lock down grub or you'll be eating those words when that punk kid who knows linux starts working there =)

    10. Re:Users are a pain! by Anonymous+Brave+Guy · · Score: 1

      The irony of your post, funny as it is, is that what you describe would pretty much be the result in real life if all these posters from Draco's School of System Administration took their arguments about regulation, liability, and the like to their logical conclusions.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    11. Re:Users are a pain! by Anonymous Coward · · Score: 0

      So what are you saying? It's easy to work around not having a Windows logon?

  18. Stupid by dedazo · · Score: 4, Interesting

    I work at a very large company that allows unrestricted access to any webmail provider. Let me repeat that: You can use any webmail provider you want from within their network. So long as you use their proxy (obviously).

    What's their secret? They take care of preventing stupid users from downloading crap themselves, meaning they scan at their proxy and/or firewall boundaries (I'm not a network admin here so I don't know exactly how it works).

    This has been the policy for at least five years and they've never had a single problem. Never.

    If a large financial services company can do it, I don't know why everyone else can't either. So you're asking the wrong question - instead, ask "how can I provide a better service to my users by allowing them to access their webmail and also maintain my network security?"

    I've worked at companies that either completely or selectively block webmail access. Nothing personal, but you and other network admins like you suck rocks as far as I'm concerned. Trusting or distrusting the webmail provider because they do X or Y is supremely stupid because you're basically bending over for them and waiting for the inevitable vulnerability to show up. What, are you going to go to your CTO and say "well, I didn't trust Microsoft and AOL, but I thought Yahoo was OK! It's not my fault!"?

    You should know better and you should do better. If you can't, just block all webmail and stop complaining about what other companies do or fail to do. It's your network and your responsibility.

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
    1. Re:Stupid by drinkypoo · · Score: 2, Informative

      I work at a very large company that allows unrestricted access to any webmail provider. Let me repeat that: You can use any webmail provider you want from within their network. So long as you use their proxy (obviously). What's their secret? They take care of preventing stupid users from downloading crap themselves, meaning they scan at their proxy and/or firewall boundaries (I'm not a network admin here so I don't know exactly how it works).

      We do the same thing at my place of work. We have a Cisco security appliance that uses Trend Micro's antivirus to scan any file that it can identify as such. It's annoying because it has to fetch enough of the file to scan it before it lets you have any part of it, but it works on ftp, http, smtp (with mime attachments), and probably some other protocols.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Stupid by CTilluma · · Score: 1

      That is a far preferable, less intrusive method. Strip out unwanted extensions and MIME types, and you can allow users to read and write mail without the risk of a problem file coming across. If the issue is with confidential data leaving the organization rather than the risk of malware then restrict which HTTP commands are allowed and then you can have users able to read their mail but not post any new mail.

      It just depends on what risk the user is and what level of data they have access to.

    3. Re:Stupid by adrenalinekick · · Score: 1

      I work in a large professional services firm where they give every employee a laptop. Because of the nature of our work, where we are often traveling and working at various client sites, my company would be hard pressed to effectively restrict access to webmail, so they don't even try. My company finds it is more productive to allow its employees to be able to use any available internet connection (e.g. wireless at the local coffee shop, a client's network, hotel modem, etc.) so unless you choose to VPN into the internal network, they have little or no control over what you access on your laptop.

      Presumably you are concerned about one or both of two issues with webmail: 1.) files coming IN to your network and bypassing security controls you have in place or 2.) files going OUT of your network that you have no control over, no record of, and no ability to monitor.

      I would suggest that #2 should be a greater concern than #1. Files leaving your network is indeed a concern - confidential information needs to remain confidential for a host of reasons (lawsuits, regulatory requirements, company image/brand destruction to name a few). But as has been stated... unless you duplicate the Great Firewall of China - which may be appropriate depending on what industry and company you are working with - you have little or no prayer of actually stopping a determined user from leaving with company secrets.

      sidenote: if this is a concern, I would recommend looking into Vontu - I have used it and it is a great product for monitoring and/or stopping outgoing data...although it still can't deal with https and it is expensive as all hell. I am in no way affiliated with Vontu, I just highly recommend it to a company with this problem.

      If you are more concerned with files coming IN to the network... well you have larger issues that should be dealt with first. Webmail is only one of MANY areas to worry about. Have you taken similar measures against USB drives? CDs? The entire downloadable inter-pipe-tubes? My point is - if VBS files are at the top of your list of concerns, it might be time to re-think your approach to security.

    4. Re:Stupid by tepples · · Score: 1

      If the issue is with confidential data leaving the organization rather than the risk of malware then restrict which HTTP commands are allowed and then you can have users able to read their mail but not post any new mail.

      But can your proxy tell the difference between a POST of the username and password used to obtain an authorization cookie and a POST of classified information used to leak trade secrets?

    5. Re:Stupid by CTilluma · · Score: 1

      Some proxies can do some interesting things - depends on how granular they can (and you want to) get. You could for instance allow a POST to the authentication URL, while not allowing a POST elsewhere, or you could do a regex search for something common to each message post and deny based on that. You could even go into enough detail to validate the presence of the authentication cookie, and allow a POST while the cookie isn't present and deny if they have already authenticated. More than one way to skin a cat - depends on how granular the proxy will let you get.
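
The two proxy controls described in this sub-thread (allow a POST only to the authentication URL or only while no session cookie is present, and strip downloads by extension or MIME type, as suggested a few replies up) as an added example in Python; this is not code from any poster or product on the page. The login path `/login`, the cookie name `SESSID`, the deny lists and the sample requests are all constructed assumptions.

```python
"""
Illustrative policy for a filtering proxy in front of webmail (constructed example).

Request side: GET/HEAD are allowed, POST is allowed only to the login
endpoint or while no session cookie exists yet, and any other POST is
denied so users can read mail but not submit messages or uploads.
Response side: a download is denied when its MIME type or the filename
in Content-Disposition (falling back to the URL path) is on a deny list,
so a script attachment never reaches the desktop.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Hypothetical login endpoints and session cookie name for the webmail site.
LOGIN_PATHS = {"/login", "/auth"}
SESSION_COOKIE = "SESSID"

# Illustrative deny lists. A zip is denied outright because this proxy
# does not look inside archives, so a zipped script would otherwise pass.
BLOCKED_EXTENSIONS = {".vbs", ".vbe", ".js", ".wsf", ".scr", ".exe", ".zip"}
BLOCKED_MIME_TYPES = {"text/vbscript", "application/x-msdownload", "application/zip"}

_FILENAME_RE = re.compile(r'filename\*?=(?:UTF-8\'\')?"?([^";]+)"?', re.I)


@dataclass
class Request:
    method: str
    url: str
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; empty string when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def decide_request(req: Request) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for an outbound client request."""
    path = urlsplit(req.url).path
    if req.method in ("GET", "HEAD"):
        return "allow", "read-only method"
    if req.method == "POST":
        if path in LOGIN_PATHS:
            return "allow", "POST to login endpoint"
        if SESSION_COOKIE not in req.cookies:
            return "allow", "POST before a session exists (pre-auth)"
        return "deny", "authenticated POST outside login: could submit mail or upload"
    return "deny", f"method {req.method} not permitted"


def decide_response(url: str, resp: Response) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for a response body about to reach the client."""
    ctype = _header(resp.headers, "Content-Type").split(";")[0].strip().lower()
    if ctype in BLOCKED_MIME_TYPES:
        return "deny", f"blocked MIME type {ctype}"
    match = _FILENAME_RE.search(_header(resp.headers, "Content-Disposition"))
    name = match.group(1).strip() if match else ""
    candidate = (name or urlsplit(url).path).lower()
    for ext in BLOCKED_EXTENSIONS:
        if candidate.endswith(ext):
            return "deny", f"blocked extension {ext}"
    return "allow", "no policy match"


if __name__ == "__main__":
    # Constructed sample traffic against the hypothetical site.
    samples = [
        Request("GET", "https://mail.example.test/inbox", {"SESSID": "abc"}),
        Request("POST", "https://mail.example.test/login"),
        Request("POST", "https://mail.example.test/compose", {"SESSID": "abc"}),
    ]
    for r in samples:
        print(r.method, urlsplit(r.url).path, decide_request(r))
    attachment = Response(200, {"Content-Type": "application/octet-stream",
                                "Content-Disposition": 'attachment; filename="invoice.vbs"'})
    print(decide_response("https://mail.example.test/attach?id=7", attachment))
```

The cookie-presence rule answers the question above only for a site whose session is a cookie the proxy can actually see and whose login URL is stable; as the Vontu remark later in the thread notes, none of this is visible over HTTPS unless the proxy terminates TLS, so the policy degrades to host-level allow or deny on encrypted sessions.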

  19. At my company... by truesaer · · Score: 4, Insightful

    They've blocked both webmail and instant messaging, but the reasoning is "document retention." i.e., in case there's a lawsuit they want to guarantee they have all our communications archived. And since I work at a Fortune 500 there's always a lawsuit.

    I guess I understand that, but the bummer is that for a lot of us we don't work just your basic 9-5. If you work a lot it's nice to be able to take care of a little personal business, in fact I think it probably increases productivity by making people more willing to hang around at work a little longer. So in that regard these bans are counterproductive.

    I don't think IT people really think about stuff like that much...the ideal situation for IT isn't necessarily what's best for the enterprise. That said I can see how security and document retention are valuable goals...maybe webmail could provide some kind of mechanism to allow companies to hook into it and archive messages read or sent using corporate machines. Same for instant messengers. Then everyone's happy (except privacy advocates...)

    1. Re:At my company... by Anonymous Coward · · Score: 0

      It's not just for Fortune 500 companies, any listed company (in the US) is regulated by Sarbanes-Oxley, so if the auditors find out you can send emails outside the company without having an archived 'paper trail', then they're in trouble.

      Don't forget that, while you are at work, using the company-provided hardware, software and bandwidth they do get to say what you use those things for. 99% of companies will understand if it's used for some personal communications, so you needn't worry as long as you're not spending all day using IM for pornographic titillation. But if you don't like using their gear on their terms, quit and use your own.

    2. Re:At my company... by apt142 · · Score: 1

      The funny thing is, your company obviously can't stop a slashdot post.

      If they can't stop that, what's to stop you from posting documents to your journal? Blog? Total retention/archival is impossible.

    3. Re:At my company... by Prof.Phreak · · Score: 1

      I don't think IT people really think about stuff like that much...

      I think the sole purpose of IT is to make things easy to use/access, and get out of the way. Unfortunately, in many corps, IT exists for IT's sake, and many procedures are in place primarily to get in the way between users and their job. After all, IT must appear to be actively doing something---instead of just passively allowing for everyone to use IT resources.

      Daylight savings: Someone at my place applied a few patches, and time got changed -twice-. 2 hours forward. Nobody in the -whole- place could change their system time (they're not -allowed- to do it). For 2 days, everyone's time was off by an hour. I thought that was rather stupid.

      Anything that deals with email, etc., is best handled by educating users (and firing those who don't learn). If a user works with a computer for a few weeks, and doesn't know what a ``Command Prompt'' is, or doesn't know how to rename a file, or change file's extension, or the difference between a text file and a word document, fire them. The organization will be better without such `users' (I don't care if they're business folk, if they use a computer, they must be computer literate---otherwise don't let'em use a computer, or fire'em).

      --
      "If anything can go wrong, it will." - Murphy

    4. Re:At my company... by Jherek+Carnelian · · Score: 1

      They've blocked both webmail and instant messaging, but the reasoning is "document retention." ie, in case there's a lawsuit they want to guarantee they have all our communications archived.

      Sounds like they need to ban cell phones and record every phone call too.

    5. Re:At my company... by hb253 · · Score: 1

      I wouldn't be so quick to blame IT. Many of the blocking policies being discussed here are required/imposed by corporate legal/management types.

      --
      Self awareness - try it!
    6. Re:At my company... by CTilluma · · Score: 1

      I'm not sure how many facilities I've been to that take my cell phone at the door. Camera phones will get taken even quicker. Of course, they have to know you have it on you, but some places are able to determine the location of the phone the moment it is turned on.

      Who needs to record every phone call when there is CALEA?

    7. Re:At my company... by jguthrie · · Score: 1

      Sarbanes-Oxley? I suppose that a law could mandate that I have the capability to jump to the moon, too. However, I don't think Sarbanes-Oxley says what you think it says, at least about the general retention of general. I've skimmed over it and if there was anything in there that talked about anything other than the handling of financial data, I didn't see it. Perhaps you could point it out to me.


      As for your point that the company has a right to control the use to which company resources are put, well, there's an old saying to the effect that just because you have a right to do something, that doesn't make it right for you to do it. Many companies (most companies? certainly all the companies I've ever worked for or owned) cannot function unless their employees do things that aren't strictly part of that worker's job description. Things like engineers working occasional (or even not-so-occasional) evenings and weekends. It is generally best for morale if those companies don't try to be strict with their resources. After all, if the people are giving up their time and resources on behalf of the company, the company should reciprocate. To do otherwise fosters a "workers vs owners" mentality when what is best is for everyone to be on the same page and working for the common good.

    8. Re:At my company... by imemyself · · Score: 1

      Daylight savings: Someone at my place applied a few patches, and time got changed -twice-. 2 hours forward. Nobody in the -whole- place could change their system time (they're not -allowed- to do it). For 2 days, everyone's time was off by an hour. I thought that was rather stupid.

      So, what would you do? Give users admin rights on their computers so that they can change the time? Great, now they can install malware (but I really like WeatherBug!), as well as fsck up their entire install, as opposed to just their profile. Now, they should have probably prepared a bit more - I'm not sure how on earth they could have managed to have the time rolled two hours forward, short of applying a patch and then maybe manually changing the time via a script or something, but giving everyone local admin rights is not a good solution.

      Anything that deals with email, etc., is best handled by educating users (and firing those who don't learn). If a user works with a computer for a few weeks, and doesn't know what a ``Command Prompt'' is, or doesn't know how to rename a file, or change a file's extension, or the difference between a text file and a Word document, fire them. The organization will be better without such `users' (I don't care if they're business folk, if they use a computer, they must be computer literate---otherwise don't let'em use a computer, or fire'em).

      While I would personally agree with that, try running that by a group of executives (who probably don't even know what half of the stuff you're talking about is) and see where that gets you. Short of killing off large numbers of people, there will always be stupid people. It's our job to protect networks and computers from fscking stupid people, and limit the damage they can do. Personally, I think the best solution would be to let users use their company email account for personal use. With limits on the size/type of attachments, and possible content filtering, etc. That way, they can still send their little stupid jokes to all their little stupid friends, and the company can easily monitor and secure what they're doing.

      --
      Every time you post an article on Slashdot, I kill a server. Think of the servers!
    9. Re:At my company... by Anonymous Coward · · Score: 0

      >Give users admin rights on their computers so that they can change the time?

      I would not hire someone who was not responsible enough, knowledgeable enough, and sufficiently trustworthy to have "admin rights" on their computers. Of course, I do work in a research environment where pretty much everybody on the staff has a Ph.D. and is actively doing research, and is responsible for their own infrastructure and budget.

    10. Re:At my company... by imemyself · · Score: 1

      Again, I would agree with that. *I* personally wouldn't hire someone who I didn't feel was responsible enough to do that. But IT departments generally aren't going to be able to overrule HR in most companies and have much of a say in who is hired outside IT.

      --
      Every time you post an article on Slashdot, I kill a server. Think of the servers!
    11. Re:At my company... by trawg · · Score: 1

      I worked at a company that did something similar, though for different reasons. Their solution was to have a separate computer (or computers, can't remember how many) that was completely separated off the corporate network, plugged into its own Internet link.

      People could get up and use this at any time to do pretty much whatever they want. It was reimaged regularly to stop viruses, etc., from being a problem, just in case some newb downloaded something stupid.

      From the company's point of view, this had a few advantages:

      - employees could get up and check their mail and do other internet stuff whenever they wanted without compromising the office network
      - employees would peer review other employees (if not overtly, then at least the pressure was there that when you were sitting at this other PC doing personal stuff, you weren't working and everyone knew it)

    12. Re:At my company... by gbjbaanb · · Score: 1

      It's not so much about stopping you posting, it's about being able to find out what you did after they have reason to investigate, and then using it to take action against you.

      I'm sure they don't really care about this post, but if I was libelling my CEO or posting racist hate statements, they would.

    13. Re:At my company... by mpe · · Score: 1

      So, what would you do? Give users admin rights on their computers so that they can change the time? Great, now they can install malware (but I really like WeatherBug!), as well as fsck up their entire install, as opposed to just their profile. Now, they should have probably prepared a bit more - I'm not sure how on earth they could have managed to have the time rolled two hours forward, short of applying a patch and then maybe manually changing the time via a script or something, but giving everyone local admin rights is not a good solution.

      A much easier solution would be to have workstations find out about what time it is from a server...

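The reply above suggests having workstations take their time from a server rather than letting users (or patches) set the clock by hand. As an added illustration, not from the thread or any poster, here is how that is done on a Windows workstation with the built-in Windows Time service; it assumes an elevated prompt and either a domain-joined machine or an internal NTP server whose name (`time.example.internal`) is a placeholder.

```powershell
# Added example (not from the thread): make a Windows workstation take its clock from
# a server instead of leaving it to local users or to whatever a patch sets.
# Run from an elevated prompt.

# Domain-joined machine: follow the domain hierarchy (the PDC emulator is authoritative).
w32tm /config /syncfromflags:domhier /update

# Stand-alone machine: point at an internal NTP server instead.
# "time.example.internal" is a placeholder name, not a real host.
# w32tm /config /manualpeerlist:"time.example.internal" /syncfromflags:manual /update

# Force an immediate resync and verify which source the clock is actually using.
w32tm /resync
w32tm /query /source
w32tm /query /status
```

Note that time synchronisation only corrects the underlying UTC clock. Local time is still derived from the operating system's time-zone and daylight-saving rule tables, so a workstation with stale DST rules will display the wrong local hour even when it is perfectly synchronised; correcting the rule tables is a patching job, not a clock job. Correct time matters beyond user convenience: Kerberos authentication tolerates only a few minutes of skew, and log correlation during an incident depends on consistent timestamps across machines.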
  20. May as well prohibit all web-browsing... by mi · · Score: 4, Insightful

    Making a non-webmail page with links to nasty VBS scripts, etc. is just as easy as sending an e-mail, so you are not really protecting your network by these annoying limitations... An attacker can send your charges an e-mail (at the corporate address) with a link to his script. And if you check all browsing (via scanning proxies), then you may as well leave webmails alone, for they'll be checked too, along with all other HTML pages.

    You are not alone, unfortunately. I found, that whenever admins (pompously) argue for strict banishment of a particular "attack vector", they almost always ignore another vector for the same attack.

    There could be one justification for banning external (non-corporate) means of communications, while at work — compliance and legal issues. A big bank, for example, does not want a broker to be able to claim, that a bank's trader ordered a (bad) trade via GMail or cell-phone. But this only makes sense, when your official (corporate) communications get recorded and archived (unlike private webmail accounts and personal cell-phones), and can be played back.

    In short, you have to remember, that you (an administrator) exist for the benefit and convenience of these people, not the other way around. So if they want to be able to access their webmail, you must have a much better reason than "you may get a virus" to deny it to them.

    I bet, more productivity is lost, when an employee brings in flu and half the office gets sick. But no one is advocating forcing people to take vitamin C and wear scarves, right?..

    --
    In Soviet Washington the swamp drains you.
    1. Re:May as well prohibit all web-browsing... by Hatta · · Score: 1

      In short, you have to remember, that you (an administrator) exist for the benefit and convenience of these people, not the other way around.

      You BOFH's especially need to remember this.

      --
      Give me Classic Slashdot or give me death!
    2. Re:May as well prohibit all web-browsing... by drinkypoo · · Score: 1

      In short, you have to remember, that you (an administrator) exist for the benefit and convenience of these people, not the other way around. So if they want to be able to access their webmail, you must have a much better reason than "you may get a virus" to deny it to them.

      What? If they don't need it to do their job, that argument falls apart, and you must step back and fall on the argument that it's bad for morale if they don't get webmail.

      I bet, more productivity is lost, when an employee brings in flu and half the office gets sick. But no one is advocating forcing people to take vitamin C and wear scarves, right?..

      Any competent boss I've ever had wants people to stay home when they're sick, so they don't make other people sick.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:May as well prohibit all web-browsing... by Anonymous Coward · · Score: 0

      traders can't enter orders via email, it's against the law and isn't legally binding

    4. Re:May as well prohibit all web-browsing... by adriansd · · Score: 1

      Who decides what someone needs to do their job? I think this is one serious problem often over-looked in all of these sorts of discussions. It appears that, more and more, IT security gets to apparently make this determination -- or anyone that wants to that goes unchallenged, for that matter. The real truth, though, is that, at best, an employees' boss should get to. But, honestly, a world where employees' jobs are these well-defined things that managers can casually glance at and know what is or is not entailed is some sort of HR fantasy land. So, in practice, "Is this in your job description," is really just some sort of lawyerly tactic to shut down someone else's innovative and clever work-around simply because it is outside of the mainstream and using up bandwidth somewhere that probably should belong to the very employee using it, in the first place.

    5. Re:May as well prohibit all web-browsing... by drinkypoo · · Score: 1

      I agree that this is a valid point, but let's face it, there is no reason for users to have access to webmail to do their work if your internal email is working correctly.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re:May as well prohibit all web-browsing... by mi · · Score: 1

      What? If they don't need it to do their job, that argument falls apart, and you must step back and fall on the argument that it's bad for morale if they don't get webmail.

      That's not for a system- or net-admin to decide. Whether or not employees are doing their jobs is up to their manager(s). And they — the managers — have mostly (wisely) decided, that enforcing "work-related only at work" policies is foolish. Phone calls are not limited to be "business only" either, so don't pull this "work-related only" card. It is not relevant.

      Any competent boss I've ever had wants people to stay home when they're sick, so they don't make other people sick.

      Of course. But people come in to work anyway — they may not realize they are sick, or they may not want to use up "sick days" (so as to attach them to vacation later), etc. Why they come to work is irrelevant. It is not even relevant, whether they come — productivity suffers anyway (from their staying home and from their infecting others).

      But no one seems to mandate vitamin C, warm clothing, and other flu-preventive steps...

      Don't bother replying, drinkypoo. I remember your nick from previous fruitless conversations and see, that you have not become any brighter... Both of your points are not irrelevant to mine; you seem to post for the sake of posting.

      I wish, there was "killfile" on /.... *Plonk*

      --
      In Soviet Washington the swamp drains you.
    7. Re:May as well prohibit all web-browsing... by drinkypoo · · Score: 1

      I'll only reply long enough to say that you are an ass - I won't debate the point that I am one too. But let's face it, I said in so many words that you've got to fall back to the argument of "good for morale". I didn't say it was a bad argument, but you feel free to assume anything you want about what I said, ignoring the words that I actually used. As such, I have foe'd you (hint: setting foe modifier nice and low and foe'ing someone is your killfile equivalent, HTH, HAND) and will be pleased not to see your ignorant ass again. It's hard to believe that you utterly neglected my point #1, and agreed with my point #2, and then had the gall to claim that I'm the dim bulb in this transaction - but of course, this is slashdot. Come back and talk to me again when you find a clue.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    8. Re:May as well prohibit all web-browsing... by Anonymous Coward · · Score: 0

      I call BS.

      I used to mostly use the corporate email for everything, personal, business, whatever. Then, in a 'long planned change in corporate focus' I am cut loose. Of course, there's no way IT will provide me with backups of my personal information, correspondence or contact information.

      Thanks, I'll keep my personal life off the company's servers and some place more transferable, and I'll keep my business life someplace where it's all backed up and available for the company's lawyers.

      The most telling thing about IT was a conversation at the holiday party, where the IT manager kept saying "if it wasn't for IT, you couldn't work." In his drunken state he couldn't understand my reply "And if it wasn't for facilities, you couldn't take a dump." What part of Service Group didn't he understand?

    9. Re:May as well prohibit all web-browsing... by drinkypoo · · Score: 1

      Thanks, I'll keep my personal life off the company's servers and some place more transferable, and I'll keep my business life someplace where it's all backed up and available for the company's lawyers.

      I think you're missing the point entirely. You do not need to do any of your personal shit in order to work. It's bad for morale to take all this stuff away, but that is a separate argument.

      In order to do their work, 99.44% of employees out there don't need access to IM, to their personal email, to myspace, or any of the other time-wasting shit that they spend their time on. Most people don't even need access to the internet at all, although some will benefit from it. Some absolutely need it, for instance people who actually work in IT. But they don't need personal email to do their jobs either. Your employer pays you to work, not to fuck off.

      Now again, it is bad for morale to not let your employees fuck off while on the clock. But it's bad for the bottom line to let them fuck off, too. The ideal situation would be one in which the employees worked while they were at work, and they were actually paid for their efforts so they were willing to do so... But we live in an imperfect world.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    10. Re:May as well prohibit all web-browsing... by adriansd · · Score: 1

      In order to do their work, 99.44% of employees out there don't need access to IM, to their personal email, to myspace, or any of the other time-wasting shit that they spend their time on. Most people don't even need access to the internet at all, although some will benefit from it. Some absolutely need it, for instance people who actually work in IT. But they don't need personal email to do their jobs either. Your employer pays you to work, not to fuck off.

      But, at least at my particular company, IT tends to systematically remove all the options, and how does this happen? Because somehow the burden gets shifted from them showing that something really must be prohibited to us showing that we really need it right now to do our job. And so, that's what the real problem is -- that IT is out there making all these management decisions for the managers in the company with unilateral security policies such as banning web-based email.

      I think you just lack imagination. In fact, this particular policy reduces productivity, policies like these always do, and this very way of making policy is a broken process of circumventing the proper channel of management that will lead to widespread loss of productivity. And, I am not talking about the morale issue or whether or not these employees ought to be allowed to waste time -- I am not talking about any of that even a little bit. I am talking purely, here, about the opportunity cost of people not even being able to use what would otherwise be widely available resources to them. You cannot measure that in the terms you are trying to -- by simple volume of use or some such thing. It is a matter of being available when they need it.

      And, the real issue is when everything else is banned (because the general policy is that unless someone can prove they need it, it gets banned), you have a situation where they wouldn't need X except for the fact that Y was banned. Now that X and Y are banned they need Z, but that is banned, too.... When it is all strung so tight, it becomes more than just a drain on productivity but even an insurmountable obstacle to getting something done altogether. I might finally note that I am speaking from direct experience on this matter -- it happens to me, personally, all the time. But, then again, I am largely paid by my employer to be a "Shadow IT" guy.

      Also, with regard to the morale issue, that issue is not just about being able to waste time at work. There is also the matter of having control over the manner and environment the employee works in. For instance, if they allowed me to install linux on my desktop, or if I had a linux option, complete with Perl, BASH scripting, MySQL on my desktop, and so on, then I would be a lot happier doing the work. (And, not just on a personal level, but on a professional one of not having to spend all this time knowing Visual Basic, for instance, which is my only option in a microsoft world and with an IT department that would never let me install something like Perl.)

      So, there are some specifics for you on both the productivity issue, specifically, as well as maybe some more meaningful points on the morale issue.
    11. Re:May as well prohibit all web-browsing... by drinkypoo · · Score: 1

      But, at least at my particular company, IT tends to systematically remove all the options, and how does this happen? Because somehow the burden gets shifted from them showing that something really must be prohibited to us showing that we really need it right now to do our job.

      This is of course because they are responsible for security. If I know you can get owned by doing something, and I get shitcanned if you get owned, well, I'm going to take that away from you. My continuing to have a job is more important to me than your amusement.

      And so, that's what the real problem is -- that IT is out there making all these management decisions for the managers in the company with unilateral security policies such as banning web-based email.

      No, they're making a management decision that management is unwilling to make. Management says "heads will roll if these computers are taken over". IT, lacking the ability to determine who will fuck up and who will not, is forced to implement blanket policies, because the managers are not doing THEIR jobs. Don't be mad at IT. Be mad at whoever is threatening them and forcing their hand.

      I think you just lack imagination. In fact, this particular policy reduces productivity, policies like these always do, and this very way of making policy is a broken process of circumventing the proper channel of management that will lead to widespread loss of productivity.

      I lack imagination? I can imagine a world in which I come to work and I am motivated to work, so I do not feel a need to have battles of wits with the unarmed on slashdot. You're busy imagining ways to justify fucking off. Which of us is further from the mainstream?

      Here I had to skim two paragraphs where there were lots of words but no content, then we come to the meat.

      But, then again, I am largely paid by my employer to be a "Shadow IT" guy.

      Ah, now here is the rub. Your employer has instituted an inefficient model. There is no reason why there should be any IT work being done by anyone outside of IT. If such a thing is going on then it points to a problem elsewhere in the model. The solution is not to compromise security, but to solve the problem.

      There is also the matter of having control over the manner and environment the employee works in. For instance, if they allowed me to install linux on my desktop, or if I had a linux option, complete with Perl, BASH scripting, MySQL on my desktop, and so on, then I would be a lot happier doing the work. (And, not just on a personal level, but on a professional one of not having to spend all this time knowing Visual Basic, for instance, which is my only option in a microsoft world and with an IT department that would never let me install something like Perl.)

      So what you're saying is that you took a Windows job, but you really wanted a Linux job, and now you want to whine about it and complain?

      I think the solution is to go get a job you want (I'm a big one to talk, since I don't actually like my job, but anyway) and stop complaining that the Microsoft shop you work for won't let you do things the Linux way. Most people are too much the coward to step out of the Microsoft box and learn something new, so you can only accomplish so much by telling people how much better Linux is.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    12. Re:May as well prohibit all web-browsing... by adriansd · · Score: 1

      This is of course because they are responsible for security.

      Well of course! Prohibiting everything is good for the security professional not the business units. The company is not hiring the security professional to "do whatever it takes to prevent an intrusion". They hire the security professional to prevent intrusions in the most unobtrusive way possible.

      You're busy imagining ways to justify fucking off.

      That's just false. That you think that web-based email is just fucking off is -- and let me be perfectly clear here -- wrong, as in mistaken or "you have uttered a false statement". I'm not saying that "well, sometimes it's used to not fuck off, ya know." I'm not saying that "it doesn't really hurt productivity that much but it really boosts morale!" I am saying that, specifically with regard to web-based email, you will only hurt productivity by disallowing it because while everyone spends a microscopic amount of time emailing their friends with it, other people use it to transfer files to and from home and stuff like that (which is often also a security violation, but that is another issue). The people that fuck around with it will just do the same with the company email (as has no doubt already been pointed out), and in any case the net amount of fucking around that you have stopped is nothing compared to the shot in the nuts you have just delivered to some of your best producers.

      If you were speaking from the standpoint of some particular business perspective it would be one thing. But, you are trying to justify this from some general IT perspective. Do not presume to know anything when it comes to business unit productivity if all you are is the IT guy and not a business unit person, yourself.

      You haven't even begun to prove yourself in their field.

      You have no idea what a day in the life of a rank-n-file employee is like or what it takes to do their job.

      You certainly have no idea what it takes to be successful at what they do nor do you know the first thing about how a business is successful in their industry.

      But, then again, I am largely paid by my employer to be a "Shadow IT" guy.

      Ah, now here is the rub. Your employer has instituted an inefficient model. There is no reason why there should be any IT work being done by anyone outside of IT. If such a thing is going on then it points to a problem elsewhere in the model. The solution is not to compromise security, but to solve the problem.

      Have you ever actually worked out here in the real world? Well, forgive us if we don't hold our breath while you devise the perfect IT department all built around security of all things. Here in the real world IT routinely falls ridiculously short of what is really required at the end of the day. So, while you're off making IT perfect, why don't you leave a little room for work arounds so we can try and turn a profit this quarter. Mmmmmkaaayyyy....

      So what you're saying is that you took a Windows job, but you really wanted a Linux job, and now you want to whine about it and complain?

      Not even close. What I am saying is that I took an actuarial job instead of an IT job because I was never particularly interested in the first place. But, since everywhere I go, the needs left behind by IT are so great, I have practically ended up becoming a programmer, after all. I would have been totally content doing my business unit job from 9 to 5 in a windows world and pursuing my largely non-computer-related hobbies in my spare time. Instead, technical procedural issues have dominated my job and most of my peers' jobs, as well. Because I was less squeamish about IT work than my peers, I have over the years become so totally immersed in it that I have taken up linux in my spare time for practical work-related reasons. Now, I am not saying that they should, in fact, let me install linux on

    13. Re:May as well prohibit all web-browsing... by drinkypoo · · Score: 1

      I'm not saying that "it doesn't really hurt productivity that much but it really boosts morale!" I am saying that, specifically with regard to web-based email, you will only hurt productivity by disallowing it because while everyone spends a microscopic amount of time emailing their friends with it, other people use it to transfer files to and from home and stuff like that (which is often also a security violation, but that is another issue).

      No, that is the same issue. We are talking about two sides of the same coin. But beyond that, why should you need to transfer files to/from home? Why is that part of your work? If your work requires you to use personal data, then your work is flawed, and they should examine the issues that cause you to need it and resolve them so that you can use work resources to do work.

      If your work does not require you to be able to transfer files to and from home, then why should you be permitted to do so? Permitting you to do so, in fact, is itself a security risk, and it is precisely what we are already talking about.

      If you were speaking from the standpoint of some particular business perspective it would be one thing. But, you are trying to justify this from some general IT perspective. Do not presume to know anything when it comes to business unit productivity if all you are is the IT guy and not a business unit person, yourself.

      I'm sorry, what does "business unit person" mean? Some kind of Manager? I think we can all agree that most managers don't know their ass from... hey, what's that over there in the ground with the roof over it?

      You haven't even begun to prove yourself in their field.

      I don't even know what their field is, because "business unit person" doesn't mean anything. Hey, I'm a person, and I work within a business unit. I must be a business unit person!

      And no, I'm not just being obtuse. Speak English.

      You have no idea what a day in the life of a rank-n-file employee is like or what it takes to do their job.

      Uh, what? I have a job, therefore I am a member of the rank and file. I work for the IT department but only because I got shuffled over there from the marketing department because everything I do is computer related - I don't make IT decisions at this job, and I'm not responsible for security either.

      However, in the past I have also worked as an IT peon, as an IT intern, as an IT random-guy, as the head of MIS and PC support, and as a tech lead. I've never had a management job because I don't want one - who wants to deal with employees? I'd rather just go work for myself. I've also done tech support. Whoopee.

      At all of those jobs I have had unfettered access to the internet, including at this one; but when I did support I worked for Tivoli before there even was a level 1 support and every single person in support came from a systems administration background, so we could be counted on to do our own technical support. And we did.

      Have you ever actually worked out here in the real world? Well, forgive us if we don't hold our breath while you devise the perfect IT department all built around security of all things. Here in the real world IT routinely falls ridiculously short of what is really required at the end of the day. So, while you're off making IT perfect, why don't you leave a little room for work arounds so we can try and turn a profit this quarter. Mmmmmkaaayyyy....

      I'm still waiting for you to provide an example of someone actually needing internet access to do their job, and not having it. You have yet to do so. Put up, or shut up.

      What I am saying is that I took an actuarial job instead of an IT job because I was never particularly interested in the first place. But, since every where I go, the needs left behind by IT are so great, I have practically ended up

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    14. Re:May as well prohibit all web-browsing... by adriansd · · Score: 1

      No, that is the same issue. We are talking about two sides of the same coin. But beyond that, why should you need to transfer files to/from home? Why is that part of your work? If your work requires you to use personal data, then your work is flawed, and they should examine the issues that cause you to need it and resolve them so that you can use work resources to do work.

      No -- you're wrong. Maybe that's true about marketing. That's not true about my business. So, now what are you going to say? That it really is true about actuarial science? Why? Because you're an actuary? Because IT security would like that to be the case? Not even IT should revolve around IT security. Certainly, the pricing unit for an insurance company shouldn't have to. And, they certainly should not have to justify their habits to a bunch of people that couldn't possibly, and in any case, simply refuse to, understand them, either. I doubt the other business areas feel any differently about it than I do.

      Banning web-based email and other such initiatives have simply stopped a number of good things from happening that otherwise would have. I know because I was the one that was no longer able to do it. Now, you can continue to say, "Your work is flawed," but you really don't know anything about what I do or what makes an insurance company profitable, do you? Even if you did, what about financial analysis for an investment bank or accounting for a reinsurer or financial reporting for an automobile company or quality assurance for a fast food chain? You simply cannot say on the basis of IT security, of all things (!), how everyone is to go about their business, for crying out loud!
    15. Re:May as well prohibit all web-browsing... by drinkypoo · · Score: 1

      You simply cannot say on the basis of IT security, of all things (!), how everyone is to go about their business, for crying out loud!

      You're acting like security is not important to you. It is clear that it is important to most of us. We do not want our records spread across the internet so that someone can read their email.

      Again, if you want to provide a specific example of why you would need access to the internet to do your job, then I'm interested. As long as you make vague pronouncements about good things not being able to happen that otherwise could if you had access to your home email, I'm going to have to continue to assume that you're talking about personal good things, and fucking off.

      If you want me to take you seriously, you're going to have to give me a reason to do so. So far all you've done is a lot of handwaving and saying "but of course it is obvious that"... when it is the opposite of obvious.

      One thing we DO know is that security is important. Or at least, I know it. You can be held liable for breaches of security. If I'm the one being held liable, and I'm working in IT, then you bloody well are going to have to justify your need for that access to me, because I am not going to get in trouble for no reason. Capiche? I don't care if you're the fucking pope.

      By the way, I like the way you ignored the majority of my points in this response. I will take that to mean that you have no argument to refute those points.

      By the way, making an insurance company profitable might be a complex thing to do, but the concept is not complicated. You need to evaluate the risks and charge people enough so that the money going out, plus your expenses, is less than the money coming in. This requires access to certain data, as in, what are the odds of having to pay out? I'm willing to accept that you need internet access. But you haven't managed to explain to me why on earth you would need access to your personal email, and so I can only believe that you are making up bullshit because you are sad that you can't check your email any more. Again, if you want me to take you seriously, you're going to have to give me a reason to do so.

      And of course, this is no different from the people who work in your IT department, who are trying to make responsible decisions, for which they are accountable.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  21. Security makes me sad. by rizzo320 · · Score: 1

    There are talks at my employer as well of limiting 3rd party mail usage (along with IM and other services) not just because of security, but because they want (or "need") to monitor all outgoing/incoming messages.

    It's really depressing how limited our access to the Internet has become. Its mostly done to "boost" productivity or "prevent" litigation. Security concerns are now adding to that situation. I see a point in the not-so-distant future where businesses and corporations will be so worried about authorized usage and security issues that there will be not be any user desktops/laptops even connected with Internet access, just back end servers (such as Exchange).

    Sad. Just sad. And there isn't much that can be done to reverse the trend.

    1. Re:Security makes me sad. by Anonymous Coward · · Score: 0

      The job market's pretty strong right now. I wouldn't hesitate to leave a company that blocked or even filtered my Internet access. There are just too many other places to work where I'll be treated like a responsible adult.

    2. Re:Security makes me sad. by tepples · · Score: 2, Insightful

      The job market's pretty strong right now.

      Locally, or just nationwide? Some people have to live close to family. And would you recommend that somebody who is relatively new to the workforce look for another job?

    3. Re:Security makes me sad. by Anonymous Coward · · Score: 1, Interesting

      And would you recommend that somebody who is relatively new to the workforce look for another job?

      Yep. If you begin your career under the misapprehension that your employer owns your soul, your heart, your mind, or anything other than the work you're being paid to do for them, it's very likely that your career will end the same way. Not something I want to look back at from my golden years.

  22. Corporate email users are adults by cryfreedomlove · · Score: 1

    If there is a corporate policy on outside email usage then it sounds like a place I would not want to work. Please expect me to be an adult and I will act like one.

  23. We made our own.... by Mechagodzilla · · Score: 1

    We created our own web access to our server.

    I also agreed with the "no third party" rule...

    --
    Fast, cheap, correct. You get to pick two.
  24. People do this? by Procyon101 · · Score: 4, Funny

    Do people really chmod +x email attachments?!? I'd say your problem is in user education. Hell, any user knowledgeable enough to know how to set the executable flag should KNOW better!

    1. Re:People do this? by Anonymous Coward · · Score: 0

      Hey, just in time! I need to run a Visual Basic script that I downloaded to my Windows XP computer. Where do I find this "chmod +x" you speak of?

    2. Re:People do this? by Anonymous Coward · · Score: 0

      are you for real?

      Most users use windows, there is no need to do chmod..!

    3. Re:People do this? by Locklin · · Score: 1

      I'm pretty sure that "chmod +x attachment" is not required on systems that are vulnerable to .vbs attachments.

      --
      "Knowledge is the only instrument of production that is not subject to diminishing returns" -Journal of Political Econom
    4. Re:People do this? by drinkypoo · · Score: 1

      In Windows NT, Read and Execute are the same permission until you use the advanced view which separates "execute/traverse directory" and "read". Most people don't even know what's in the advanced dialog. In order to keep things simple, Windows normally sets all new files to read/execute.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:People do this? by nine-times · · Score: 3, Insightful

      Insightful? I thought this person was trying to be funny.

    6. Re:People do this? by Procyon101 · · Score: 1

      I was trying to be humorously insightful. Actually, I half expected to get modded to oblivion if people didn't get the joke.

      The insightful theme is the fact that incoming email is ACL'd owner|Full Control, when it should be ACL'd owner|Read. The MS justification is "What if our users WANT to hose their system and bring the network to a crawl? We should make it easy for them, so they don't have to understand ACLs to be able to do stupid things." Hence, MS chmod +x's the file *for* the user, even though they have a perfectly adequate system for blocking such problems. This forces the poor Ask Slashdot poster to block incoming files at the server level because the OS is too insecure to be able to trust the users with it.

      And no, a "You are trying to hose your company's network, cancel or allow?" is not sufficient. If the user can't turn on the execute flag on the script to be able to run it due to lack of knowledge of security ACLs, then he obviously is not knowledgeable enough to know if the script comes from a reliable source.

    7. Re:People do this? by nine-times · · Score: 1

      Yeah, I got the joke, but I thought it was obvious you weren't actually suggesting that people were changing permissions on these scripts, but taking a dig at Microsoft for not requiring people to mark it as "executable" in order to run it.

    8. Re:People do this? by Procyon101 · · Score: 1

      in Windows click-speak (hehe.. that sounds like an African tribal language):

      Right click, properties, security tab, click edit, select [you], check execute allow, click apply.

      As you can see, MS checked this box already for you. Apparently they foresaw the fact that their users enjoy hosing their systems, and saved you some steps in order to make it easier for you to do it.

    9. Re:People do this? by Anonymous Coward · · Score: 0

      It's been a long time since I used Windows, but I believe it was xcacls.exe evil.vbs /E /G user_or_group:x

  25. IT Tough Guy by Anonymous Coward · · Score: 3, Insightful

    This sounds less like a real Ask Slashdot question and more like "Hey look at me. I'm an IT fascist!"
    Blocking webmail is pointless and serves only for you to needlessly flex your authority in the only part of the world you have authority: your company's network.
    Seriously, if you are so paranoid about webmail, why allow internet to the desktop at all? Since you are so afraid of VBS, why don't you just lock out VBS execution at the desktop and keep your enterprise AV up2date?
    Grow up, have kids, and annoy them with your stupid restrictions. Leave the people at work alone.

    1. Re:IT Tough Guy by BRUTICUS · · Score: 1

      Agreed, where's my mod points when I need to give them out?

  26. Much better solution by codepunk · · Score: 4, Insightful

    Long, long ago we just disabled VBS execution across the whole enterprise. We allow access to any of these services.

    --
    Got Code?
    1. Re:Much better solution by Uncle_Meataxe · · Score: 1

      Awhile back, we just disallowed the use of Windows across the entire enterprise and now we worry a lot less about our users getting into trouble. Sometimes it's good to examine the assumptions...

  27. Your users are tunneling over HTTPS by Anonymous Coward · · Score: 0

    If your users can run java applets locally, using an SSL Explorer installation, they're hitting their webmail accounts already - straight out port 443 of your firewall.

    Disclaimer: I don't work for 3SP, but I use their product every day at work to evade the corporate firewall.

  28. A great topic and question! by rindeee · · Score: 5, Informative

    Man, was this ever timely. I just finished setting up a very complete solution for my current location (forward deployed military in the M.E.). Yes, of course I allow Webmail access. Everyone relies on it for 'reach-back' capability. What I do in an attempt to secure things is to set up a very complete firewall/filtering/etc. box. Is it perfect? No, but it's very effective. I'm running a Linux box with a slew of services (HAVP, P3Scan, ProxSMTP, HAVP, Privoxy, frox, ClamAV, RenAttach, Rules Du Jour and of course IPTables plus a bunch of others) and have had outstanding success. I recommend just using IPCop + BOT + CopFilter if you need something quick and relatively painless. I also do regular automated Nessus scans, etc. Man I love my job!

    1. Re:A great topic and question! by Anonymous Coward · · Score: 0

      And from the renattach website:

      WARNING: THIS SOFTWARE HAS BEEN DISCONTINUED. IT IS NO LONGER MAINTAINED.

      The author recommends that you do not depend upon renattach to filter emails for dangerous content. As of 2006, renattach used on its own is not enough to filter potentially harmful emails. Dangerous attachments, or other attacks, may pass through the filter undetected. Please switch from renattach to some other actively developed security system. [2006-03-19]

    2. Re:A great topic and question! by rindeee · · Score: 1

      Duly noted. Got a suggestion? At this point, I must add in fairness, I simply block offending attachments rather than renaming them. ;)

  29. Various Other Methods by i_ate_god · · Score: 1

    GMail supports POP. So you could just set up an account in your mail client at work. I use IMAP for my personal email at work. Barring that, I can VNC / Remote Desktop to my Windows machine and use the mail client there. Barring that, I can SSH into my server and check my IMAP server there.

    --
    I'm god, but it's a bit of a drag really...
  30. Gmail by Ruvim · · Score: 1

    Only allowing Gmail access on the corporate network, for the same reasons as the submitter.

  31. Quit Worrying by asphaltjesus · · Score: 1

    As other posts will/have pointed out, your current thinking is a little misguided.

    Here's some suggestions:

    1. Corporate has a policy of "acceptable use" for their computers and networks right?
    2. I'm running a small network, I log packets passing through the firewall and then filter for certified time wasters like fark.com and report usage by individual to their superiors. Waste of disk space? Waste of time setting up? yes to both. But you get an idea who's abusing and it's up to the manager to decide their fate.
    3. I'm not perfectly familiar with DansGuardian, but maybe it's another way?

    Unless management wants the approach you describe, I'd go at it a different way.

    --
    Got Trader Joe's? friendwich.com RSS feeds work now!
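    Point 2 above describes logging firewall traffic and summarizing hits on a watchlist per user. The following is an added example of what that summary step can look like, not the poster's own setup: it parses a few constructed lines in Squid's native access.log layout (the hosts, client addresses, user names and the watchlist itself are all made up here) and counts webmail and time-waster hits per authenticated user, falling back to the client IP when the proxy recorded no identity.

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log layout; the hosts,
# client addresses and user names are made up for this example.
SAMPLE_LOG = """\
1180000001.123    120 10.0.0.5 TCP_MISS/200 5120 GET http://mail.yahoo.com/inbox alice DIRECT/203.0.113.10 text/html
1180000002.456     80 10.0.0.5 TCP_MISS/200 2048 GET http://www.fark.com/ alice DIRECT/203.0.113.20 text/html
1180000003.789     60 10.0.0.7 TCP_HIT/200 1024 GET http://intranet.example.com/wiki bob NONE/- text/html
1180000004.012    200 10.0.0.7 TCP_MISS/200 8192 CONNECT mail.google.com:443 bob DIRECT/203.0.113.30 -
1180000005.345     90 10.0.0.9 TCP_MISS/200 3000 GET http://www.hotmail.com/login - DIRECT/203.0.113.40 text/html
1180000006.678     40 10.0.0.5 TCP_MISS/200 1500 GET http://m.fark.com/ alice DIRECT/203.0.113.20 text/html
"""

# Hypothetical watchlist; an entry matches the host itself and any subdomain.
WATCHLIST = {
    "webmail": {"mail.yahoo.com", "mail.google.com", "hotmail.com", "aol.com"},
    "timewaster": {"fark.com"},
}


def host_of(url):
    """Extract the bare host name from a Squid URL field.

    GET/POST lines carry a full URL; CONNECT lines carry host:port only.
    """
    if "://" in url:
        url = url.split("://", 1)[1]
    host = url.split("/", 1)[0]
    if ":" in host:          # strip a port suffix such as :443
        host = host.rsplit(":", 1)[0]
    return host.lower()


def parse_line(line):
    """Split one native-format Squid access.log line into a dict, or None."""
    fields = line.split()
    if len(fields) != 10:
        return None
    ts, elapsed, client, status, size, method, url, user, hier, ctype = fields
    return {
        "client": client,
        "method": method,
        "host": host_of(url),
        # Squid writes '-' when no proxy-auth identity was available
        "user": None if user == "-" else user,
    }


def categorize(host):
    """Return the watchlist category a host falls under, or None."""
    for category, domains in WATCHLIST.items():
        for d in domains:
            if host == d or host.endswith("." + d):
                return category
    return None


def summarize(log_text):
    """Count watchlist hits per identity.

    Returns (report, unattributed): report maps a user name, or the client
    IP when the line carries no authenticated user, to {category: hits};
    unattributed counts matched lines that had no user name at all.
    """
    report = defaultdict(lambda: defaultdict(int))
    unattributed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        category = categorize(rec["host"])
        if category is None:
            continue
        if rec["user"] is None:
            unattributed += 1
            report[rec["client"]][category] += 1
        else:
            report[rec["user"]][category] += 1
    return {who: dict(counts) for who, counts in report.items()}, unattributed


if __name__ == "__main__":
    report, unattributed = summarize(SAMPLE_LOG)
    for who, counts in sorted(report.items()):
        print(who, counts)
    print("hits without a proxy-auth identity:", unattributed)
```

    The unattributed count is the part worth watching: a report "by individual" is only as good as the proxy's authentication, and a line keyed by IP alone says which machine, not which person, was browsing.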
    1. Re:Quit Worrying by Anonymous Coward · · Score: 0

      I don't like your thought #2. If you *never* want it, then filter it out. Simply block access to porn sites, fark.com, etc. Use your discretion for other stuff like MSN and Yahoo.

      Reporting users that view them is exactly like that annoying tattletale kid on the playground. How do you know the employee looking at it is coming in on his day off, waiting for something to compile (for work) and just killing time? What about after 6 PM on a weekday when doing the same thing, or waiting on a coworker to finish?

      Tell the user, and only if that fails, complain to superiors.

    2. Re:Quit Worrying by Anonymous Coward · · Score: 0

      Is slashdot on the timewasters list?

      You fucking hypocrite.

    3. Re:Quit Worrying by Anonymous Coward · · Score: 0

      No -- I'm on call, don't have to be here at work, and can go home any time I want to. I'm not on an hourly salary right now, but being paid to be on call all night, which has already started. I can do whatever I want as long as I'm within 20 minutes of the company and its servers.

      Don't make unnecessary accusations...

  32. moronic by decuser · · Score: 1

    unbelievable - "I don't allow users at my organization to use any third party e-mail." What about public phones, cell phones, flash drives, uh... Why not just curtail any network use? Oh, and I'm sure you "don't allow" folks to use tunnels either, right? Go back to cisco class, bozo, there's a big bad world out there that you're clueless about.

    --
    -decuser
  33. It's my job... by Anonymous Coward · · Score: 1, Interesting

    ...like it or not to help protect my users from themselves. In that spirit, as part of my security practices, I run heavy antivirus and antispyware on the firewalls in order to facilitate safer webmail usage by my users. Sure, I could (legitimately) mandate no web mail as policy or simply be a jerk and disallow it, but I *try* to see technology as an enabler. It's a better situation: users get home/private mail access and I get a reasonably secure network. A bonus is that users see IT as helpful instead of "those jerks who won't let me at my Gmail account." This may not work for others for technical, political, or ideological reasons, but it's pretty good for us...

  34. I allow it by nine-times · · Score: 1

    Honestly, I've always allowed webmail (and encouraged it) as a way to side-step a certain amount of responsibility for reporting users for things. It may sound crazy, but in my experience you can't stop users from e-mailing their friends, spouses, mistresses, and drug-dealers during the course of the work day.

    I've had it happen where e-mails about an employee's drug habit get stuck in our spam filter, which means I saw them when I went through looking for false-positives. Suddenly, I'm in my own personal game of "Scruples", trying to figure out whether I need to report the guy or if I can just ignore it. You might think, "Of course, you report it!" However, after seeing a whole ton of these things, reporting them all is a scary prospect. Do you want to be the company tattle-tale? Do you want to report half of the company for sketchy behavior they've committed on their own time? It's a scary truth: pretty much everyone has skeletons in their closet, and far too many people are sending those skeletons around via e-mail.

    So rather than having to report new transgressions every day, I started telling my users, "Get yourself a web mail account (hotmail, yahoo, gmail, etc). If you want to e-mail your mistress about all the coke you did last weekend, send it through your web mail account instead of your company account. If you send it through your work account, assume I will read it. Assume your boss will read it."

    Yes, I suppose that means they might misuse the hotmail account somehow, but you just can't keep people from doing completely stupid things. All you can do is make those stupid things someone else's problem.

  35. I'd figure out a way to allow it by Todd+Knarr · · Score: 1

    Speaking purely as a sysadmin, I'd block those sites utterly. Web-browser components are the biggest target of malware out there, it's bad enough when targeted at an e-mail client that can lock down scripting and such but Web-mail sites let that stuff through to a browser that has to allow scripting in a corporate environment. And if you're a business you've got your own e-mail system, no company e-mail should be going through a Web-mail system in the first place.

    As a techie, no decision would affect me. I deal with my personal e-mail by SSHing to my home machine and reading my personal mail there via mutt. Call me a bigot, but the only protocols a mail client should be using are IMAP (for reading) and SMTP (for sending) and the only acceptable interpretation of the message body is as plain text. Anything else just ends in tears these days.

    OTOH, as an employee I'd have to think you've an obligation to provide that access at least for some employees. Think about your IT staff, for example. They're probably expected to work extended or odd hours, usually without extra compensation since they're salaried. In effect the company's asking the employees to give it a big chunk of their personal, outside-of-work, "I have a life" time, for the company's benefit, for free. To me it's then only fair that the company has some obligation to let employees take a certain amount of company time, for free, to deal with all the things they'd've otherwise dealt with during that time the company's wanting from them. If you don't find some way to accommodate them, you're likely to end up with employees who're dissatisfied, frustrated and actively looking to ways to get access to those services. They'll succeed eventually and then you'll have the worst of both worlds. At least if you provide some authorized way to access those services you've got some ability to control the situation, eg. adding specialty filters on the Web proxy for the worst problems.

    1. Re:I'd figure out a way to allow it by Todd+Knarr · · Score: 1

      Oh, and on follow-up, those outside e-mail addresses benefit the company too. When I'm travelling, I often can't reach the company mail system because it's not accessible outside the company network and the local firewalls and access setup at hotels often won't permit the VPN to connect properly. But almost always I can manage to get an SSH connection to my home machine through, and when I can't I can still use a Web browser to get at Web-mail, which means my bosses can reach me via my personal e-mail even if I can't be reached through company e-mail. So that Web-mail may not be without any benefit to the company.

  36. Secure Perceptions? by Anonymous Coward · · Score: 0

    FTA:

    "...do you allow for GMail or other providers that you've deemed to have secure systems and reputations"

    Sorry to tell you this, but no bad security PR, perceiving something is secure or placing your blessing on a provider != secure.

  37. Using Webmail at work machine is NOT the issue by GIL_Dude · · Score: 1

    Really there are much more important things to block when it comes to any external mail account. For example, can your users set up a server rule (easy in Outlook/Exchange, probably in others too) to auto-forward their mail to an external service (whether a web mail or not)? If they can, then THERE is your bigger problem. External mail services don't make users abide by your strong password or Smart Card requirements. Their password is probably easily discoverable. They go on vacation and forward all their mail. It's probably trivial now for an attacker to access that CORPORATE DATA that may be in that mail. Worrying about VBS scripts isn't anywhere near as important (since any competent AV will stop the majority of bulk-mailed nasties). It's about the DATA. Not just email either. Are any of your users using one of the web based backup services (or even GMail) to backup their documents? Whoops! Data exposure there too. Anyway, I just wanted to call out that today it really isn't the random script in email that is all you need to worry about.
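
    The auto-forward rule above is something an administrator can audit rather than just worry about. The following is an added example, not the poster's procedure: it takes a constructed export of inbox rules (the field names are modelled loosely on what Exchange's Get-InboxRule cmdlet reports, but every mailbox, rule and address here is made up) and flags any rule that forwards, redirects or forwards-as-attachment to an address outside the assumed corporate domain. The corporate domain and the rule list are assumptions for the example.

```python
# Assumed corporate domains; a target in one of these, or a subdomain of
# one, counts as internal.
CORPORATE_DOMAINS = {"example.com"}

# Constructed rule export, modelled loosely on the fields Exchange's
# Get-InboxRule cmdlet reports. Mailboxes, names and addresses are made up.
SAMPLE_RULES = [
    {"Mailbox": "alice@example.com", "Name": "Vacation copy", "Enabled": True,
     "ForwardTo": ["alice.home@hotmail.com"], "RedirectTo": [],
     "ForwardAsAttachmentTo": []},
    {"Mailbox": "bob@example.com", "Name": "To assistant", "Enabled": True,
     "ForwardTo": ["carol@corp.example.com"], "RedirectTo": [],
     "ForwardAsAttachmentTo": []},
    {"Mailbox": "dave@example.com", "Name": "Old rule", "Enabled": False,
     "ForwardTo": [], "RedirectTo": ["dave@mail.yahoo.com"],
     "ForwardAsAttachmentTo": []},
    {"Mailbox": "erin@example.com", "Name": "Archive", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [],
     "ForwardAsAttachmentTo": ["erin.backup@gmail.com"]},
    {"Mailbox": "frank@example.com", "Name": "Move newsletters", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": []},
    {"Mailbox": "grace@example.com", "Name": "Team and home", "Enabled": True,
     "ForwardTo": ["team@example.com", "grace.p@aol.com"], "RedirectTo": [],
     "ForwardAsAttachmentTo": []},
]


def is_external(address):
    """True when the address's domain is not a corporate domain or subdomain."""
    domain = address.rsplit("@", 1)[-1].lower()
    return not any(domain == d or domain.endswith("." + d)
                   for d in CORPORATE_DOMAINS)


def forwarding_targets(rule):
    """All addresses a rule sends mail to, across the three forwarding actions."""
    return (list(rule.get("ForwardTo", []))
            + list(rule.get("RedirectTo", []))
            + list(rule.get("ForwardAsAttachmentTo", [])))


def find_external_forwards(rules, include_disabled=False):
    """Return one finding per rule that sends mail to an external address.

    Disabled rules are skipped unless include_disabled is set; a disabled
    rule is still worth a look, since re-enabling it is one click away.
    """
    findings = []
    for rule in rules:
        if not rule.get("Enabled", False) and not include_disabled:
            continue
        external = sorted({t for t in forwarding_targets(rule) if is_external(t)})
        if external:
            findings.append({
                "mailbox": rule["Mailbox"],
                "rule": rule["Name"],
                "enabled": bool(rule.get("Enabled", False)),
                "external_targets": external,
            })
    return findings


if __name__ == "__main__":
    for f in find_external_forwards(SAMPLE_RULES, include_disabled=True):
        state = "enabled" if f["enabled"] else "disabled"
        print(f"{f['mailbox']}: rule '{f['rule']}' ({state}) -> "
              + ", ".join(f["external_targets"]))
```

    In a real deployment the rule list comes from the mail system (for Exchange, a Get-InboxRule query per mailbox), and the check is the same. It is a point-in-time audit; catching a forward the moment a user creates one needs an alert on rule-creation events rather than a periodic sweep.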

  38. It's a short term issue by Raccroc · · Score: 1

    Methods such as content filters and blocked domains are only going to be useful against the bigger, more prominent webmail sites. This still allows a lot of webmail into your network. A basic "no webmail" policy is difficult to enforce without resorting to some fairly invasive and harsh tactics.

    The better method is to enforce good network and system security practices. Do things like setting policies such that users cannot execute VBS on the local system, and early warning detection/isolation on the network.

    Regardless, this is one of those things which I believe is going to become less and less of a problem on its own. With web-enabled cell phones and PDAs becoming more and more common, I figure we are a short time away from the bulk of a user's mail just going there.

  39. we block everything except for IT people by alen · · Score: 1

    no webmail, no pop3 and no smtp relay unless you are on the golden list. not so much for information security, but for anti-virus purposes. we have antivirus on our exchange server and each PC that is updated hourly or daily. no one really knows the quality of the antivirus system of internet email or how often they update definitions

  40. Comment removed by account_deleted · · Score: 4, Interesting

    Comment removed based on user account deletion

  41. You Have Your Answer Already: Replace the OS. by twitter · · Score: 0, Offtopic

    It's amazing how people can tell you the root of their problem without seeing it. The submitter asks about "webmail security" like this:

    ... Of course, we know that AOL and Microsoft have both compromised the security of their customers. ... Three of my Big Four either allow VBS attachments or have a poor security track records. ...

    The issues raised are not "webmail" problems, they are problems of the underlying OS from a company that has "compromised the security of their customers." If you are using a decent OS, these security issues vanish.

    --
    Friends don't help friends install M$ junk.

  42. In a free-wheeling educational environment by abb3w · · Score: 1

    ...we allow it, but discourage it heavily. It's useful as a fallback measure; the local disaster plan admits we're going to use GMail as an interim step if central IT feels a burning need to clusterfsck the mail server while leaving the main network intact. However, as part of the annual data security lecture, we remind faculty and staff that sending FERPA-protected data over insecure network methods is a big no-no, that email is inherently insecure, and that web mail is doubly so. (Well, mostly; the local webmail app is on an https: server, meaning it's no worse than regular email checks via ssh to a mail server unix shell, so it's just "insecure".) A basic "any competent geek can forge an email" demonstration is included in the lecture, so local users are properly skeptical about email origins, and I also remind users of the basic insecurity any time I notice them using webmail.

    If you're in a HIPAA environment, on the other hand, I'd give it some strong thought.

    --
    //Information does not want to be free; it wants to breed.
  43. Monopoly blames the user again! by twitter · · Score: 0, Troll

    anybody that opens ANYTHING with a .vbs extension deserves whatever happens to their computer! Are users really that dumb?

    It's funny, but nothing bad happens to me when I vi random.vbs

    --
    Friends don't help friends install M$ junk.

    1. Re:Monopoly blames the user again! by Aladrin · · Score: 2, Funny

      And you deserve what happened to you when you opened it!

      (Yes, nothing happened. And you SO deserved it.)

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    2. Re:Monopoly blames the user again! by dedazo · · Score: 3, Informative

      It's funny, but nothing happens to me when I notepad random.vbs

      Your point?

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
    3. Re:Monopoly blames the user again! by BunnyClaws · · Score: 1

      HAHA I was thinking the same thing. Wow, nothing happens when you open a .vbs file with an editor? Impressive.

      --
      "Anything tastes good if you deep fry it."
    4. Re:Monopoly blames the user again! by toadlife · · Score: 1

      To both of you, I would check to make sure your respective text editors are working properly. When you open a (non-empty) .vbs file in vi or notepad, some text should be displayed on the screen. The fact that nothing is happening might indicate a problem with your systems.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    5. Re:Monopoly blames the user again! by dedazo · · Score: 1

      Well, other than being forced to see BASIC code, nothing bad happened =)

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
    6. Re:Monopoly blames the user again! by Anonymous+Brave+Guy · · Score: 1

      Oh, man. Working with VBS files is pretty bad, but you use notepad? Your life is teh sux0r. :-)

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    7. Re:Monopoly blames the user again! by twitter · · Score: 1

      Dedicated twitter attack troll, Dedazo states and asks:

      It's funny, but nothing happens to me when I notepad random.vbs Your point?

      What happens when someone plays an extension or embedded icon trick on you and you double click it? Those tricks don't work on my system and again nothing happens even if they would because no gnu/linux email client makes attachments executable by default. Even Dedazo should understand the point here: With GNU/Linux, the user has to work hard to get hosed. To get hosed with Windoze, all you have to do is use it.

      And I'll use this post to update the massive trolling I get from Dedazo. 13 of the 24 visible posts on your page are harassment for Twitter. What's not harassment for Twitter is mostly the same for others advocating free software.

      There's more, of course, like this quickly refuted beauty, where you pretend M$ has never broken their own file formats, but there are only so many hours in a day to show up astroturfers like you.

      --
      Friends don't help friends install M$ junk.

    8. Re:Monopoly blames the user again! by Anonymous Coward · · Score: 0

      The point is in a Unix-like system, the user has to chmod a file before it becomes executable.

    9. Re:Monopoly blames the user again! by Anonymous Coward · · Score: 0

      Keep your personal feud away from Slashdot. From what I see here, you're the foolish troll while he is actually making sense.

    10. Re:Monopoly blames the user again! by jb.hl.com · · Score: 1

      What happens when someone plays an extension or embedded icon trick on you and you double click it? Those tricks don't work on my system

      #!/bin/sh
      rm -rf ~/*

      As far as I recall, KDE and GNOME run shell scripts when you double click them. Have fun. ...your employer...

      Well, dangit, I think it's time to come clean. Yes, I do work for Microsoft, posting here to disrupt communications from someone who hasn't done anything of note for the F/OSS community other than make it look like a bunch of lunatics and has no kind of leadership role within it. This applies to dedazo as well, seeing as he's my sockpuppet, along with the other million or so users of Slashdot (or is it the other way around? I forget.) Look, I even have a letter of employment as proof.

      --
      By summer it was all gone...now shesmovedon. --
    11. Re:Monopoly blames the user again! by dedazo · · Score: 1

      Wow twit, talk about flying off the handle.

      What happens when someone plays an extension or embedded icon trick on you and you double click it?

      Nothing. My email client does not make attachments "executable" by default, nor am I actually stupid enough to execute an attachment from some random fuck on teh interwebs. This is a concept that escapes you, isn't it?

      In this thread

      I've yet to understand what it is about all those links that excites you? Or do you figure anyone who clicks on them will read what you want from them? Maybe they'll suddenly realize that Bill Gates himself hired me to "stalk" you on Slashdot? You are truly demented.

      But as the Scorpions once said, there's no one like you.

      Keep it up, BTW. At this rate Microsoft will probably contact you to negotiate some sort of compensation for your indefatigable efforts to completely discredit the free software community.

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
    12. Re:Monopoly blames the user again! by dedazo · · Score: 1

      This applies to dedazo as well, seeing as he's my sockpuppet

      Hey! I thought you were my sockpuppet! When did this happen??

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
    13. Re:Monopoly blames the user again! by jb.hl.com · · Score: 1

      Well one night, me and my other sockpuppet Keith Russell were very drunk back at my place and...actually, you don't need to hear this.

      Point is, everyone's a sockpuppet. Difference is, twitter's the only one with a hand up his ass. ;)

      --
      By summer it was all gone...now shesmovedon. --
  44. security by Anonymous Coward · · Score: 0

    The question I would raise is: if you allow 3rd party email, then the business will need to accept the responsibility that someone could send any file (including your client list, price list, etc.) using the 3rd party email with no real tracking abilities. Just my 2 cents.

    1. Re:security by HikingStick · · Score: 1

      If it was sent from a client on our network, we have ways of finding it. Nothing that passes through a PC goes without a trace.

      --
      I use irony whenever I can, but my shirts are still wrinkled...
  45. Webmail != insecure by MobyDisk · · Score: 1

    My experience is that the companies that do this type of blocking do it because the workstations are inherently insecure. Security is not in the sites someone can visit or the specific file extensions that are allowed. It is in the setup of the network and the access the user has on their workstation. It's like making the kitchen safe by removing the sharpest knife from the drawer.

    1. Re:Webmail != insecure by Overzeetop · · Score: 1

      You are correct. The truly secure kitchen would be no kitchen at all. Alternately, you could go with an "all spoon" kitchen. But producing sliced apples for your customers might be a little more difficult than in the kitchen with knives.

      --
      Is it just my observation, or are there way too many stupid people in the world?
    2. Re:Webmail != insecure by Anonymous Coward · · Score: 0

      No, that is not why most companies do that. Most places that enable this type of blocking have to due to regulatory requirements, such as needing to track client communications, data flow, etc. I don't care how locked down you have the workstation - if the auditor says you need to block webmail, you block webmail.

      Other places do it because it is a good security practice to cut down on the number of attack vectors on your network. Since these webmail services are not typically needed for business operations, they are an easy one to cut out.

      The blocking is never 100%, all good security people know this already, but it's better than nothing.

  46. Gmail is more usable! by EastCoastSurfer · · Score: 2, Insightful

    My company hasn't flat out blocked web mail yet, but I'm sure they are on the way. IM was blocked a while ago and a coworker got an email today from IT that she shouldn't check Gmail anymore (she would just leave it up all day, which would let Gmail do its auto-refresh). The problem I have is that here at work we have 100MB of email space that gets backed up. On Gmail I have 3-4GB. So while this one person got the email to quit using Gmail, the rest of the office is continuing to use Gmail not just for personal mails, but also for work. Gmail is better than the IT solution, and users are smart enough to realize this. So as long as we have draconian, "I know what's best for you" IT people, we'll have users who do what they have to to get the job done.

    Here's an idea! How about IT look to the users as customers and treat them that way.

    1. Re:Gmail is more usable! by Anonymous Coward · · Score: 0

      There are good reasons for limiting your mailbox to 100MB. Most email clients have an option to archive your mail offline; use it. If you can't figure out how to archive your mail, ask IT to help.

    2. Re:Gmail is more usable! by Lehk228 · · Score: 1

      ...that is HORRIBLE

      Internal email should be done as an internal web mail solution with storage and backups centralized, not shifted out to whatever desktop an employee happens to be at right now. What if an important email is downloaded right before a power failure or the magic smoke comes out of the user's computer?

      --
      Snowden and Manning are heroes.
    3. Re:Gmail is more usable! by EastCoastSurfer · · Score: 1

      I know how to archive email offline. So how do I now get it backed up? I am now responsible for doing my own backups? The issue is that IT has limited boxes to 100 MB and given no method to go over that limit, either with offline folders which still get backed up in the corporate strategy or with bigger email boxes.

    4. Re:Gmail is more usable! by sash · · Score: 1

      So you let users access their mail archive on their PC via Remote Desktop when they are away?
      That really would improve your network security... and explains why you post AC.

  47. How about this question by old-lady-whispering- · · Score: 1, Insightful

    Do you allow jackasses to post to slashdot at work?

    --
    The truth suffers more from convictions than from lies.
  48. Security.... for what? by Quixadhal · · Score: 4, Insightful

    My question is... what exactly are you trying to secure? If you're talking about ensuring that sensitive corporate data isn't leaked outside the company, I hate to say it but, you really shouldn't be using unencrypted email in the first place. If you don't allow VPNs or other ways for people to access their email outside the building (I'm sure the salespeople LOVE you), then you may as well force your employees to use paper, or a custom client that only talks to other people on the LAN.

    If you're worried about virus/malware/etc... web based email is no more or less safe than any other modern graphical pop3/imap client. All of them these days are HTML enabled, and unless you personally watch everyone click their messages, some will still run winbig.exe or whatever.

    Personally, I'm getting a bit tired of people tossing the "security" word around as a reason to make things more difficult or expensive, without ever justifying what it is that needs the added security, and why.

    1. Re:Security.... for what? by Tomfrh · · Score: 1

      My question is... what exactly are you trying to secure?

      His sense of being a big strong man.

  49. It should be a matter of give and take by thesandbender · · Score: 1

    I was the IT administrator at my old company of about 500 consultants. After many discussions with the upper management I successfully argued for an open webmail policy because we had employees who regularly worked long and odd hours to accomplish our projects and it seemed only fair that we give them a method of private communications during their _overtime_. Quid pro quo. We were especially lenient with consultants who traveled all the time... except for a few areas those laptops were considered their property and as long as they didn't jack with the security settings we didn't call them on anything. With that said:
    1. We were running squid and clam on any incoming data (yes this is intensive but $8-10k of equipment will garner you many times that in employee good will).
    2. We had a very aggressive AV policy.
    3. We had consultants that were governed by stricter SEC and DoD rules that were kept on a separate subnet and different AD that was more restrictive... because laws required it.
    Seriously though... Unless you tell your salaried employees to work no more than 40-45 hours a week (and give them comp time to balance that out) it is asinine not to let them use the company system for personal activities when the company itself is encroaching into their personal time.

  50. paranoid by Anonymous Coward · · Score: 0

    Agreed. We allow webmail where I work. Like someone else mentioned, a file has to be downloaded to infect your machine anyway and our antivirus takes care of that reasonably well.

    If I worked at a company with a draconian policy like yours, I'd just find a way around that with a proxy or something (at least until I could find a better company to work for ;).

  51. Shhh...don't tell him by Atario · · Score: 1

    If you can get to the internet, you can get to whatever you want. Just set up your own Squid proxy at home, get at it over SSH (tunneled via HTTP if you must...), et voila. Freedom from the self-appointed corporate mommies.

    --
    "A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
    1. Re:Shhh...don't tell him by CTilluma · · Score: 1

      Except that most proxy servers are going to validate the HTTP traffic over port 80 and the SSH connection will get dropped for failure to comply with the RFC. In addition, quite a number of organizations use list-based filtering that will restrict access to websites that are not categorized or fall into a category that is unacceptable to the powers that be. Some installations I've come across are even more restrictive. They whitelist all available web sites and if you don't have a legitimate business need for a site that isn't whitelisted then you won't get an exemption for it. But in some cases running a proxy at home will provide a workaround for most issues.
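
An added illustration of the check the comment above describes (the editor's example, not code from CTilluma or from anything else in this thread): a filtering proxy reads the first bytes of a connection arriving on the HTTP port and forwards it only if they form a request line of the shape the HTTP/1.x RFCs define. An SSH banner, a raw TLS record, an unknown method or a CONNECT to a port other than 443 is dropped with a reason that can be logged. The request-line pattern, the permitted method set, the "443 only" CONNECT rule and the sample payloads are all assumptions made for this example and are not taken from any particular proxy product.

```python
"""
Classify the first bytes of a connection on the HTTP port so that a
filtering proxy can drop anything that is not a well-formed HTTP request
(an SSH banner, a raw TLS record, a CONNECT to a port other than 443).
The request-line pattern, the method set and the sample payloads are
assumptions made for this example; no real capture is used.
"""
import re

# Request-line shape from the HTTP/1.x RFCs: method SP target SP version CRLF.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(1\.[01])\r\n")

# Methods this (hypothetical) proxy is willing to forward.
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT"}

# CONNECT is only honoured towards port 443 (the usual "SSL ports" style rule),
# so a tunnel cannot be opened to an arbitrary service such as an SSH server.
CONNECT_TARGET = re.compile(rb"^[A-Za-z0-9.-]+:443$")


def classify_stream(first_bytes: bytes) -> str:
    """Return 'http' for a forwardable request, otherwise a 'drop: ...' reason to log."""
    if first_bytes.startswith(b"SSH-"):
        return "drop: ssh banner on http port"
    if first_bytes[:1] == b"\x16":           # TLS handshake record type
        return "drop: raw tls record on http port"
    m = REQUEST_LINE.match(first_bytes)
    if not m:
        return "drop: not an http request line"
    method, target, _version = m.groups()
    if method not in ALLOWED_METHODS:
        return f"drop: method {method.decode()} not permitted"
    if method == b"CONNECT" and not CONNECT_TARGET.match(target):
        return "drop: CONNECT only permitted to port 443"
    return "http"


# Constructed sample payloads, one per case the check is meant to separate.
SAMPLES = {
    "plain get":   b"GET /inbox HTTP/1.1\r\nHost: mail.example.test\r\n\r\n",
    "ssh banner":  b"SSH-2.0-OpenSSH_7.4\r\n",
    "tls hello":   b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",
    "connect 443": b"CONNECT mail.example.test:443 HTTP/1.1\r\n\r\n",
    "connect 22":  b"CONNECT home.example.test:22 HTTP/1.1\r\n\r\n",
    "garbage":     b"hello world\r\n",
}


def classify_samples() -> dict:
    """Run every constructed sample through the check and return the verdicts."""
    return {label: classify_stream(payload) for label, payload in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in classify_samples().items():
        print(f"{label:12} -> {verdict}")
```

The check only rejects what does not look like HTTP; the bytes inside a permitted CONNECT tunnel are opaque to it, which is why the list-based filtering the same comment mentions is normally layered on top rather than relied on alone.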

  52. Not in my office (small business) by sco_robinso · · Score: 4, Insightful

    I'm a network admin for a small-medium sized company, about 40 - 50 people. We are pretty liberal about our IT security policies. We're still at the size where we can place a great deal of trust in our staff, and they don't abuse it. For the most part, we don't block virtually any content. We've never had problems, but we're at a growth stage where we're needing to tighten up security a bit.

    My girlfriend's company, which is a larger energy company of about 250 people, does however block some webmail content, as they recently had an employee download material that caused a security concern.

    Personally, I don't think it's unreasonable to block web-based mail. However, since email is such a commonplace part of daily life now, if I was to do that, I would make sure there were a few computers in a staff room where people could freely check their email, outside the company's proxies and firewalls.

  53. VBS Script? by TPJ-Basin · · Score: 1

    VBS Script? Is that anything like a GUI Interface or a NIC Card?

    --
    TPJ - Founder, The Amazon Basin
  54. ISP/Telco - No Webmail by Anonymous Coward · · Score: 0

    I used to work for a Telco that is also a major ISP. Our internal .com users were not allowed to access our own .net webmail accounts PROVIDED BY OUR COMPANY!!! It was claimed to be for security reasons.

    Bad files are going to get inside regardless of what you do to prevent them coming in - unless you disable all USB ports, floppy drives and external networking like DoD does. Your network and each system needs to be able to protect itself even when "inside." Blocking at a firewall is just 1 of many layers that are needed in any network environment.

    Don't be a fool, your PC is never safe. Learn it, know it, get over it, protect it.
    http://www.checkpoint.com/products/internal_security/articles/rr_elements.html

  55. Educating users by lilrowdy18 · · Score: 1

    Whatever happened to educating users and enforcing software policies? Instead of calling users stupid and locking down desktops like a prison, how about you actually take the time to hold a class. Teach them and show examples of what happens when they treat a computer like a toy. If they still don't listen, then enforce the company's software policy. (If there is one.)

    I am a junior admin at our firm. Our motto here is that if a computer has a problem then it is IT's fault, not the user's. If a user doesn't understand how to use a computer then it is our fault for not teaching them.

  56. VBS and Firefox by 140Mandak262Jamuna · · Score: 1

    Firefox and many other browsers are immune to VBScript. The very same idiots who ban webmail citing security concerns blithely allow IE to run rampage in their internal networks. What gives? If data leaks through a hole in IE, the brass will claim, "We followed the industry standard practices. We are not responsible. We are actually irresponsible. Go chase Microsoft". If they want to ban IE, they can't because MSFT has woven IE into the fabric of the OS. Even if they say only Firefox can be used, still they are not off the hook. What a mess.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:VBS and Firefox by baggins2001 · · Score: 1

      I replied to this email because I agreed with this problem and wanted to step into the overall discussion. From my point of view this has been a lopsided discussion. My reply is not directed at or towards this previous post. This is more of a generic reply to a lot of the posts made.

      Yes I am the internet fascist, hitler, nazi, and everything else that security admins can be called.

      I have a budget and limited resources to stop the multiple attack vectors which our network is susceptible to.

      I am in charge of/responsible for computer uptime and the personnel time that IT spends cleaning up messes that users make. So I have been accused of all sorts of draconian practices. One is banning use of IE. Even people in my IT department disagree with it, but since we've done it computer downtime has decreased significantly (3%).

      Educating users only goes so far. At some point you have to say this is where we have to stop or pour more money into solutions to prevent the problem from happening.

      To those jr admins who are spouting all of these solutions, how about we take it out of your budget (your paycheck) to supply all of these things? Cisco firewalls with Trend Micro and other solutions only go so far. I'm not saying they don't work or we don't use them, but totally relying on them is not really a good idea, especially against targeted attacks. [Oh by the way, it pretty much did come out of your paycheck, unless you are working for gov.]

      Oh, but if you just keep all your patches up to date. You know how many applications we would break regularly? But if you just do QC on the patches. Yeah, well, the junior guys aren't very good at it and the senior guys really don't want to be bothered with it. Maybe if I could give bonuses to the people who do a good job at it... oh wait, I spent it on Cisco firewalls and Trend Micro solutions.

      What do you think would happen in the IT department if one day we came back and found all the systems down and had to do a major number of reinstalls and a large amount of data recovery? How do you think it would benefit the company? [I was the jr admin when that happened, about 35% down, another company]. How high do you think the morale is going to be in the IT department when I tell them they can't leave until this is all back up? Oh, yeah, you server admins and developers in your little comfy cubby holes, I'm going to pull your asses out here working on client computers until this is fixed. Overtime? You don't get overtime because the CEO won't give me the money to cover it. It's much more cost effective to give you comp time. You don't like it? Neither do I. Because you get pissed and leave and then I have to go get another dimwit (remember you 2 years ago) and train them.

      Why don't we just deploy the endless number of solutions that would have prevented all of this? 1) Money 2) Time (see 1 for definition). BOD and investors want to see the largest amount they can, my boss wants to show it to them, because then they get off his back.

      How do I get away with these draconian tactics? Usually because the biggest bitchers have the departments with the worst problems and the BOD has actually thought it was a good idea if I just started charging the departments for the extra time IT has to spend on their computers [actually what they said was take it out of the paycheck of the employee like they do at his company. I checked and, no shit, they charge them $200 for the second occurrence (no, I don't think it is a good idea, because that doesn't really seem like a good idea morale-wise. Seems to have some moral and ethical problems also)]. So now the department managers know I haven't gone as far as I am authorized to, so they blame all this badness on me.

      Oh yeah, I'd just go to another company where there are more forward thinkers and people who would let me have all the internet access I wanted. Well good luck.

      You think we really like it and get some kind of charge out of pissing people off? Maybe some do. Most

      --
      He who said 1,000,000 monkeys on 1,000,000 typewriters would eventually type the great novel, never saw an AOL chat room
  57. General policy by HikingStick · · Score: 1

    The general policy is that the company's assets are for company business. That said, policy also allows for limited personal use, as long as it does not interfere with the primary business use of the company. This leaves enough room for most employees to be happy, and it gives us the iron hammer if we ever need it (and we rarely have). We can block things outright at the perimeter if we need to do so (e.g. when there is a new virus propagating via email), but we generally trust our employees to be professionals. We train them heavily on security awareness, and we keep our network and client defenses current.

    --
    I use irony whenever I can, but my shirts are still wrinkled...
  58. Agreed by asphaltjesus · · Score: 1

    I actually automated the process so I don't know who's doing what because it's way outside my job scope. I don't want to know. _Really_ don't want to know.

    But the company policy is clear, our computers, our network don't waste time on them.

    Fortunately, your use cases lie outside the application's capabilities and the employee types it follows.

    --
    Got Trader Joe's? friendwich.com RSS feeds work now!
  59. I guess you could block the use of webmail... by BRUTICUS · · Score: 1

    If you want to be regarded as a tool and hated around the office even more than most "admins"

  60. Worry About Yourself More Than User Rights by Anonymous Coward · · Score: 0

    I would just block these sites; then you have less of a security issue. Most of the time people like sending around useless jokes with PowerPoint and other attachments or links to e-cards and other spyware-laden sites. Unless you have made sure you patch for every jpg and office exploit you are putting yourself at risk by allowing them access. It's not just the VBS scripts that you need to worry about. Like the person said before, work systems are for work. If they want to surf the web and check their personal email they can do this at home. What I learnt from my experience as a sysadmin is that if you give a user an inch they will take a mile. The nice approach of saying "please don't" and here is why never works, and then the users believe they have the right to do as they wish. God help you if they get an infection of some sort because it will be turned around on you for "not having adequate protections" in place. Also if you have the right type of firewall in place you can block access to most public proxies and track the remaining attempts at access in your firewall.

  61. Yes, we do for personal stuff by kosmosik · · Score: 1

    I work in a small company (~30 employees). We do allow use of webmail, but only for your private stuff. You are not allowed (and it is clearly stated in contract and rules) to use your private email for company related stuff (your work). Besides that you can use your private webmail as you wish.

    It has to be said that we do not have any monitoring or censoring policies. It is OK for somebody to write personal email at work from time to time as long as that person does her job right.

    But you have certainly flawed reasoning. *Any* website can load your browser with a VBS script. If the user clicks it then it does not matter whether it is from webmail or another site. In general if you fear webmail that means that you are not safe from the Web as a whole (and there are loads of threats on the web).

    The solution would be to use some filtering proxy that would cut down such traffic. Right now we just use AV software on client machines (that tends to work blocking obvious web threats). We also have a proxy server that blacklists known phishing/malware/evil addresses (not for content filtering - for protection from known threats).

  62. another point to note by Taelron · · Score: 1

    A point that has come up in the past but lately glossed over is that by using third party mail services such as Yahoo, Hotmail, Gmail, etc... their Terms of Use and Service state that you give them rights and ownership of your data to do with as they wish. In a corporate environment that means any trade secrets or concepts you mail to or from someone via one of the third party mail systems gives the system's owner license to use your data as they wish. If they want to develop it into a product and market it themselves, they in effect could without paying any royalties as your use of their service granted them consent.

    As a rule at all my client offices it's stated that all business related correspondence must happen via company owned services. IT doctrine at each site states the computer resources are property of the company and use provided to aid the users in corporate business only. Any personal use can result in disciplinary action, to include firing.

    Many of these rules came about when users started clicking on random pop-ups or installing their favorite screen savers, weatherbug, mail programs, and chat programs. Many of these were found to contain malware that cost the companies lots of money to have cleaned up and slowed down productivity. While users' company mail is scanned for viruses, third party mail products and chat programs proved more problematic and became the primary source for infection of the corporate networks.

    We've also caught employees suspected of corporate espionage using third party mail services to transmit company information in an effort to side step IT monitoring their mail. That alone was enough for the Board of Directors to decree no employee may ever access such services from their offices.

    We've enacted proxies at some sites, others content filtering, and others simply requiring the employees to sign a usage agreement that if caught in an audit means they can be terminated without severance.

  63. Re:You forgot MySpace and this one too by bobbonomo · · Score: 1

    How do you block them all? Almost every ISP has a webmail client. OK, so it might be very simple to zoom in on all that start with webmail.xxx.com or have the word mail in it. What about other languages? In French it would be courriel.xxx.ca.

    How about a mom and pop webmail called GrannyMayApplePie.com (does not exist)? Or myrealbox.com?

    People will just find others if you block the BIG 4.
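
An added example serving two posts at once, kosmosik's blacklisting proxy a few comments up and the naming problem bobbonomo raises here (the editor's code, not anything from the thread or from any proxy product): a hostname policy check of the kind a filtering proxy applies before forwarding. It combines a suffix-matched blocklist of known-bad domains, a suffix-matched list of named webmail providers, and a name heuristic that flags hosts carrying a mail-related label in several languages for review rather than blocking them outright, since a name-based guess is neither complete nor always right. The verdicts are then tallied over a handful of Squid-style access.log lines. The blocklist entries, the extra webmail domains, the label set and every log line are constructed for the example and are not real indicators.

```python
"""
Hostname policy check of the kind a filtering proxy applies before
forwarding: suffix-matched blocklist of known-bad domains, suffix-matched
list of named webmail providers, and a label heuristic for the rest.
All domains below ending in .test and all log lines are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from urllib.parse import urlsplit

# Constructed "known bad" domains (placeholders, not real indicators).
BLOCKED_DOMAINS = {"malware-example.test", "phish-example.test"}

# Webmail providers named in the thread plus constructed ones; suffix match
# means login.mail.google.com is caught by the mail.google.com entry.
WEBMAIL_DOMAINS = {"mail.yahoo.com", "hotmail.com", "mail.google.com",
                   "aim.com", "myrealbox.com"}

# Host labels that usually mean "webmail" (English, French, Spanish).
WEBMAIL_LABELS = {"mail", "webmail", "courriel", "email", "correo"}


def _labels(host: str) -> list[str]:
    return host.lower().rstrip(".").split(".")


def matches_suffix(host: str, domains: set[str]) -> bool:
    """True if host equals, or is a subdomain of, any entry in domains."""
    labels = _labels(host)
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def classify_host(host: str) -> str:
    """Policy verdict for one hostname."""
    if matches_suffix(host, BLOCKED_DOMAINS):
        return "block:malware"
    if matches_suffix(host, WEBMAIL_DOMAINS):
        return "block:webmail"
    # Heuristic: a mail-ish label left of the registrable domain
    # (mail.example.test, courriel.example.test, webmail2.example.test).
    # Flagged for review, not blocked: the guess is neither complete nor always right.
    if any(label in WEBMAIL_LABELS or label.startswith("webmail")
           for label in _labels(host)[:-2]):
        return "review:webmail-heuristic"
    return "allow"


def host_of(url: str) -> str | None:
    """Hostname from a logged URL; CONNECT lines carry bare host:port."""
    if "://" not in url:
        url = "//" + url
    return urlsplit(url).hostname


def scan_log(lines) -> dict[str, list[str]]:
    """Map each verdict to the hosts that received it, from Squid-style access.log lines."""
    verdicts: dict[str, list[str]] = defaultdict(list)
    for line in lines:
        fields = line.split()          # time elapsed client code bytes method url ...
        if len(fields) < 7:
            continue
        host = host_of(fields[6])
        if host:
            verdicts[classify_host(host)].append(host)
    return dict(verdicts)


# Constructed Squid-style access.log lines (no real traffic).
SAMPLE_LOG = """\
1142889200.101 245 10.0.0.12 TCP_MISS/200 1024 GET http://mail.yahoo.com/ - DIRECT/192.0.2.10 text/html
1142889201.202 120 10.0.0.12 TCP_MISS/200 2048 GET http://www.example.test/news - DIRECT/192.0.2.11 text/html
1142889202.303 310 10.0.0.21 TCP_MISS/200 512 GET http://courriel.fournisseur.test/login - DIRECT/192.0.2.12 text/html
1142889203.404 90 10.0.0.21 TCP_MISS/200 4096 GET http://cdn.malware-example.test/payload.vbs - DIRECT/192.0.2.13 text/plain
1142889204.505 600 10.0.0.30 TCP_TUNNEL/200 9000 CONNECT login.mail.google.com:443 - DIRECT/192.0.2.14 -
1142889205.606 80 10.0.0.30 TCP_MISS/200 300 GET http://grannymayapplepie.test/ - DIRECT/192.0.2.15 text/html
""".splitlines()


if __name__ == "__main__":
    for verdict, hosts in sorted(scan_log(SAMPLE_LOG).items()):
        print(f"{verdict:26} {hosts}")
```

The last sample line is the point bobbonomo makes: a webmail host whose name carries no mail-like label and is on no list comes back as "allow", so a name-based policy catches the well-known providers and little else unless the list is maintained.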

  64. Re:When users complain by Anonymous Coward · · Score: 0

    Are you sure playing golf during the day is in line with your company's employment policy?

    The above was typed without a smirk nor attitude.

  65. Find a Nicer Company. by twitter · · Score: 1

    ... they have all our communications archived. ... I work at a fortune 500 there's always a lawsuit. ... we don't work just your basic 9-5 ...

    No privacy. Unreasonable work hours, without ability to take care of personal business. Everyone is suing them. A company that mistreats its employees and customers. I'll bet they treat their investors just as well.

    --
    Friends don't help friends install M$ junk.

    1. Re:Find a Nicer Company. by truesaer · · Score: 1

      You don't have privacy at any company. Simple fact, regardless of what they say they can invade your privacy at will. I'm not aware of any specific lawsuit against us, though I'm sure there are some. Find me a large company not involved in any lawsuit and I'll give you a cookie. I don't know how you determined they "mistreat customers". Or investors. And in the career world when a product launch deadline approaches, you do what is necessary to get your piece of the puzzle done.

  66. webmail is not the most important problem by Freggy · · Score: 1

    If you are really worried about your users downloading viruses by webmail, I think there are much more fundamental problems with your setup. There are many other ways your users can get infected than by webmail. What about malicious web sites? What about non-malicious websites which have been compromised? What if your user brings along an infected file on a USB memory key? Etc...

    Get a good virus scanner (a really good one, not Norton or McAfee, but Kaspersky or F-Secure or something like that), get some virus filtering and firewalling done on your gateway. Make them use an alternative web browser and e-mail client, which are much less the target of attacks than Internet Explorer and Outlook. And most of all: teach your users about potential dangers. Explain how they can recognise suspicious files and web sites. Explain to them that they should be careful with their passwords. Explain to them that they should do so not only at work, but also at home.

    1. Re:webmail is not the most important problem by triso · · Score: 1

      ... Explain how they can recognise suspicious files and web sites. Explain to them that they should be careful with their passwords. Explain to them that they should do so not only at work, but also at home.

      You can explain all you want but they will still click on "OK" when the message, "Do you want to download a free gift." comes up.

  67. common denominator by mjolnir_ · · Score: 1

    Maybe if you tried blocking computers on your own network that run software that's vulnerable to something like a VBS script.

    I allow all those websites; I don't allow Windows.

  68. IN SOVIET RUSSIA by EvilSporkMan · · Score: 1

    WEBMAIL USES YOU!

    --
    -insert a witty something-
  69. dns hacking to prevent hotmail... by Anonymous Coward · · Score: 0

    I changed our DNS to send hotmail users to the IP address for the local unemployment office's website. They get the message pretty fast.

  70. Just another control freak by Anonymous Coward · · Score: 0

    Obviously not serious about making money at this company.

  71. Stupidity? or Ignorance != loss of rights by DRAGONWEEZEL · · Score: 1

    Just as ignorance of the law is not an excuse to commit a crime.
    Ignorance of a scam doesn't mean you SHOULD be violated.

    If we don't protect the innocent, & weak, why protect anyone?

    I am so sick of hearing this argument. And by sick, I mean sick to my stomach that there are people out there who have this mentality of "they are weak, they deserve to perish".

    It's true that you have to save the people w/ greatest potential to survive, and sometimes even sacrifice those who might not last long if they were saved. Be it a Natural disaster, fire, battle, theft, or computer security.

    While it's true that if you know what a *.vbs is capable of, then you should also know how to open it as a text file and see what's in it.

    But what if it comes from your boss? What if some top lvl guy is ignorant of scripting, and unknowingly mails something to his subordinates?

    While I know the risks, and if I was on top of it, I might ask what it was. I'll be damned if most people wouldn't automatically open an attachment from their boss regardless of their knowledge lvl.

    Sorry if your statement was jokingly put out, but as the victim of a recent scam, I am unthrilled w/ that response.

    --
    How much is your data worth? Back it up now.
  72. Re:You forgot MySpace by Anonymous Coward · · Score: 0

    Assuming you can and do sniff someone's Myspace password, you can then try the same password on other accounts. Chances are, you'll find at least one that it works on.

  73. Posting from work? by iceperson · · Score: 1

    My boss sounds a lot like you. He even went so far as to have a DSL line run straight to his office and uses a switch to use it instead of the corporate LAN to do stuff that he's had banned/blocked. Generally I have no problem with the rules, just when the guys in "IT" seem to have a different set of them.

    1. Re:Posting from work? by Lehk228 · · Score: 1

      If the machine hooked up to that DSL line wasn't ever connected to company property or networks I don't see the problem.

      --
      Snowden and Manning are heroes.
  74. Re:When users complain by Anonymous Coward · · Score: 0

    Certainly, an abacus network will never get any problems at all. Maintenance free.

    Those policies you describe make the job a jail. Nothing comes in, nothing goes out. I would think that people are as happy as Peter Gibbons!

  75. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  76. Death to Mordac !! by onkelonkel · · Score: 1

    Mordac the Preventer strikes again.

    I can understand that if you have a regulatory requirement to archive all communications, or maybe you handle sensitive financial or medical data, then you need to block webmail. These, however, are special cases. Otherwise, you are just being a dick, and for no good reason.

    There are perfectly legitimate business uses for webmail, such as a backup when the regular mail is down or as a throwaway or spam trap when you need to subscribe to trade mags. On a more philosophical level, I would argue that if you ever expect your employees to take work home, then you must be prepared for some aspects of their home life (including personal email) to sometimes show up at work.

    To even ask this question is a symptom of "IT Manager Lockdown Disease", whose main symptom is setting policies to make IT's life easier no matter what negative impact they may have on the users' ability to get work done.

    We have an unspoken agreement here: IT doesn't lock us down, and we in turn try to avoid doing stupid things to make more work for them. Caveat - I work at what you might call a "boutique" engineering firm and we don't hire morons. If your population of users contains more of the "energetically stupid" sort this arrangement may cause you a lot more grief than it does here.

    --
    None of them can see the clouds; The polished wings don't care.
  77. I know I am kinda late and this is redundant but.. by nomad63 · · Score: 1

    You wouldn't make it to your second week in my organization. By enforcing "no web mail" policy, you are pushing the users to use the company email system to send and receive personal messages. And god forbid, your infrastructure is MS Exchange, you are more vulnerable than the webmail systems that you are afraid of, let alone opening up your company to be liable to what people say in their personal email messages.

    Time to reevaluate the policies in my opinion.

    --
    The more I know people, the more I love animals
  78. Not by default by Mechamse · · Score: 1

    The company I work for uses an "as needed" rule to allow this. We, IT, have set up the environment (mostly XP) so users are users, not admins, and removed the VBS extensions as well. This, coupled with several web filters and our proxy, keeps us rather safe from 99% of what is out there. Our main entry point now is USB drives coming from home, but even they are very limited since users are users and the antivirus software we use catches these rather quickly.

    All that is needed is a request to the supervisor and we grant them the access.
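
An added example (the editor's, not Mechamse's setup or any code from the thread) of the attachment triage that sits behind the web filters, proxy and antivirus mentioned above, and that the original question's VBS and zipped-VBS test was probing: flag Windows Script Host and executable files by extension, including double extensions such as invoice.pdf.vbs, look inside zip archives for the same, and check file magic so a renamed executable is not waved through on the strength of its name. It also handles two failure modes a gateway meets in practice: archive members too large to inflate safely and archives nested inside archives. The extension list, the size and nesting limits, and every sample file are assumptions constructed for the example.

```python
"""
Attachment triage of the kind a mail gateway or removable-media scanner
applies: blocked extensions (including double extensions), the same check
inside zip archives, and PE file magic regardless of name. The extension
list, limits and sample files are assumptions constructed for this example;
everything lives in memory and nothing is written to disk.
"""
from __future__ import annotations

import io
import zipfile

# Extensions Windows hands to the script host or loader (assumed gateway policy).
DANGEROUS_EXT = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "hta",
                 "exe", "scr", "pif", "com", "bat", "cmd"}
EXECUTABLE_EXT = {"exe", "scr", "com", "pif"}   # names under which 'MZ' is expected
MAX_MEMBER_BYTES = 5_000_000   # refuse to inflate archive members larger than this
MAX_NESTING = 2                # archives inside archives beyond this are not opened


def risky_extension(name: str) -> str | None:
    """Last extension of the base name if it is blocked; catches report.pdf.vbs too."""
    base = name.lower().rsplit("/", 1)[-1]
    ext = base.rsplit(".", 1)[-1] if "." in base else ""
    return ext if ext in DANGEROUS_EXT else None


def looks_like_pe(data: bytes) -> bool:
    """DOS/PE executables start with the 'MZ' magic whatever the file is called."""
    return data[:2] == b"MZ"


def inspect_attachment(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Findings for one file and, recursively, its zip members; [] means clean."""
    findings: list[str] = []
    ext = risky_extension(name)
    if ext:
        findings.append(f"{name}: blocked extension .{ext}")
    if looks_like_pe(data) and ext not in EXECUTABLE_EXT:
        findings.append(f"{name}: PE header under a non-executable name")
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_NESTING:
            findings.append(f"{name}: archive nested too deep, not inspected")
            return findings
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = f"{name}/{info.filename}"
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append(f"{member}: member too large to inflate, not inspected")
                    continue
                findings += inspect_attachment(member, zf.read(info), depth + 1)
    return findings


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build a zip archive in memory (used only to construct the samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def scan_samples() -> dict[str, list[str]]:
    """Constructed attachments covering each case, mapped to their findings."""
    script = b"' constructed placeholder, no real script body\r\n"
    samples = {
        "notes.txt": b"just text",
        "invoice.pdf.vbs": script,
        "docs.zip": make_zip({"invoice.pdf.vbs": script, "readme.txt": b"ok"}),
        "photo.jpg": b"MZ" + b"\x00" * 62,
        "outer.zip": make_zip({"mid.zip": make_zip({"inner.zip": make_zip({"a.vbs": script})})}),
    }
    return {name: inspect_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name:16} {findings or 'clean'}")
```

The nesting and size limits are what keep the scanner itself from becoming the problem: a gateway that inflates every member of every archive is a denial-of-service target, so anything it declines to open is reported as a finding rather than silently passed.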

  79. Re:When users complain by skoda · · Score: 3, Insightful

    The important thing is that you manage your corporate IT policies to make your job easier, and not to actually serve your customers: the employees who struggle to get their work done in spite of your draconian rules.

    I work with similar issues: it can be interesting finding ways to get work done in spite of IT's (un)support and (un)help.

  80. Re:When users complain by 99BottlesOfBeerInMyF · · Score: 5, Insightful

    Sure folks complain and I'm avoided like the plague at times. But let's see, what non-maintenance downtime have I needed? Zero. For me and my team the lines are clear cut and boundaries well established.

    Thank you very much. Companies like yours are the reason companies like mine can hire brilliant and talented people away from bureaucratic nightmares and pay them 20% less while getting a significant amount more productivity from them. We have internal Web, IRC, chat, etc. servers. If your AOL IM is not working and it is stopping you from chatting with your girlfriend, IT is happy to help. They'll even grab you a beer from the fridge on the way to your desk. For smart people who know they'll spend a significant portion of their life at work, but who chose their work because they love it... there are companies like mine. You're treated like a real person instead of a cog. If you need to go home for the rest of the day while waiting for the plumber to come to your house, go ahead. Don't bother filling out paperwork or logging your time. So long as your work gets done, it's all to the good. If a friend is in town and stops by the office, go ahead and take a few hours to have a beer and play a video game with them in the lounge. Introduce them to your boss and coworkers.

    We don't lock down Web access to any type of external site. We track everything, but the tracking system is open to all employees so if you want to see what your boss is doing, just log on and look. We don't seem to have a lot of IT emergencies either. Some of our old and out of date servers overheat or fall over now and again and we power cycle them. No big deal.

    Every day I'm thankful I realized early in life that I did not want to take the top dollar offer for my work if it meant I had to put up with nonsense like you advocate. IT's job is not supposed to be to minimize the amount of work they need to do or even to prevent problems. It is supposed to be to facilitate the rest of the company getting work done. Happy employees work harder for the company and stay late to work on something or even come in on a weekend for some project. Happy employees do not quit and move to another company with no notice leaving the company in the lurch. Happy employees are not the largest and hardest to stop threat to the security of your network as they feel it is "wrong" to screw over the company and boss and people who treat them well and with understanding and who are their friends.

    But by all means, keep making yourself hated and keep thinking your employees' lives should stop and they should act like machines for 8 hours a day. We'll keep hiring away the smartest people you have.

  81. Re:When users complain by Anonymous Coward · · Score: 0

    As others have said, you are kidding yourself. First, the no personal usage of network policy is total bullshit. You want your employees bitchy and with high turnover, then institute this policy. Of course, I am sure none of your IT staff is sitting around surfing the net and *ahem* posting to slashdot right now. (Yeah, no "personal duties" my ass.)

    No information on public networks, with 3rd party e-mail? Hmm, does your corporate e-mail travel along some mystical secure pipeline where only you and your customers see it? I really doubt it. So, travelling from point-to-point your e-mail is on some VERY PUBLIC networks and probably a few private ones as well. Have you thought they might need webmail access because your system is blocking certain outgoing extensions, or perhaps it is limiting attachment size too much? These could be good reasons why someone might need to send corporate e-mail beyond the bounds of your limited domain of false security.

    I personally cannot fault you for no devices on the corporate network, so long as the no PDA rule doesn't mean they cannot even hook them to their desktop for syncing. If that is the case, congratulations on convincing someone to allow you to make policy that is complete BS and totally restrictive. Did I mention high turnover rates before? Are you sure you are not my old boss?

    You are avoided like the plague and hated even more. You have no friends where you work, except for a few naive staff people that work for you, who are probably just kissing your ass so they can keep their special access that IT surely has. I always hated the preventing fires line. It ranks up there with arresting someone because of what they might do, not what they did. If you really just secured your systems with proper firewall, antivirus, and spyware protections, you would not need to worry about the 3rd party e-mail and the user devices.

    Coming from a company that had a loose network policy my pager went off all the time. Now I can actually take time off and play golf or take the day off. Like today. Best advice is to rule the network with an iron fist but with a gentle voice.

    You see, this is the sort of thing that doesn't work. You didn't make this policy for the others' benefit, or even for the company's. It is for your own personal gain and that is truly the wrong motivation for setting up policies like this. May you be struck by lightning on that golf course.

  82. VBS: it's a Microsoft problem by feranick · · Score: 1

    You blame AOL/Yahoo/Hotmail/Gmail for your security. At the end you seem to be really worried about the VBS. As far as I know if you use Macs or Linux or any other non-Microsoft products, you can be sure to be safe from those script attacks. I know it's easier to blame the email providers instead of Microsoft for its poor security, which allows scripts to be executed system-wide. So, again, look for the cause of your security concerns, not the consequences!

  83. Right Choice, Wrong Reasons by Anonymous Coward · · Score: 5, Insightful

    The lad has made the correct decision, but for the wrong reasons. The number one reason is because you want all of your "business traffic" to go thru your corporate email system.

    He should be asking himself, "Why do the people who work here feel they need to use the non-corporate system for business work?"

    All my work email goes from my work account, personal goes thru gmail.

    Also, if he doesn't allow people to use personal accounts for personal email, they'll just use the company email for that. Does he want that to happen?

    1. Re:Right Choice, Wrong Reasons by BrokenHalo · · Score: 1

      He should be asking himself, "Why do the people who work here feel they need to use the non-corporate system for business work?"
      ...and probably 9 times out of 10, the honest answer will be that it's a matter of trust. Many (most?) employees feel they need some level of insulation from corporate intrusion into their private lives. Whether or not webmail actually gives them that is another matter, but it doesn't change the perception.

    2. Re:Right Choice, Wrong Reasons by shaitand · · Score: 3, Interesting

      But there it is, if it is work related email then it is not part of your private life. If it is not work related then you shouldn't be sending or receiving it while at work.

    3. Re:Right Choice, Wrong Reasons by BrokenHalo · · Score: 3, Insightful

      If it is not work related then you shouldn't be sending or receiving it while at work.

      If you insist on adopting this kind of totalitarian approach, don't be surprised if your employees screw you. As I said elsewhere, trust has to work both ways.

    4. Re:Right Choice, Wrong Reasons by susanwg · · Score: 1

      That's a pretty unrealistic attitude and one that's bound to lead to resentment and all of its associated problems. Most modern managers realize that allowing workers to handle personal tasks at work usually makes them more productive and more loyal. Besides, much of the time it isn't strictly personal. Many of my colleagues and co-workers use gmail or yahoo mail for their professional mailing lists because it's easier to handle the high volume, thread-based correspondence and it's accessible from anywhere.

    5. Re:Right Choice, Wrong Reasons by Anonymous+Brave+Guy · · Score: 4, Insightful

      If it is not work related then you shouldn't be sending or receiving it while at work.

      Hey, you could try banning personal phone calls at work, too. Let us know how that works out for you in a couple of years... if you're still in business.

      Seriously, employees do not cease to become human when they walk through the office door. It is unreasonable (and indeed illegal, in some places) to expect them to work like machines, denied access to private communication with anyone outside the business during office hours, denied time off when they're sick or for medical check-ups, and so on.

      Fortunately for all of us, it's rarely necessary to invoke such laws. Companies that abuse their staff (and that's exactly what this sort of thing is) will simply see all their staff walk, starting with the really good people, who find it easiest to find more pleasant conditions elsewhere. Meanwhile, companies with more enlightened, employee-friendly policies eat up good people for very modest costs and wonder what the problem is all about.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    6. Re:Right Choice, Wrong Reasons by fallungus · · Score: 1

      Additionally, a lot of jobs these days require commitment from employees that extends beyond the office, in the way of blackberries, VPN access, etc. It would not be consistent to require them to keep up with work email at home but not allow them to keep up with personal email at work. The line between work time and personal time is a lot more blurry than it used to be.

      --
      You call this a sig?
    7. Re:Right Choice, Wrong Reasons by vertinox · · Score: 1

      Seriously, employees do not cease to become human when they walk through the office door. It is unreasonable (and indeed illegal, in some places) to expect them to work like machines, denied access to private communication with anyone outside the business during office hours

      Hey... You just described one of my former employers right before they brought in the consultants and laid everyone off.

      I'm not going to name names, but I used to work for a major ISP... And lo and behold some policies started to change such as:

      1. Making you work like machines by requiring you to be clocked in and taking support calls at all times. You couldn't even go to the bathroom when you pleased or the manager would breathe down your neck.
      2. Denial of surfing the web, AIM (they said it was because they feared AOL eavesdropping), and of course making outside phone calls on company phones.

      To be fair... You could technically surf the web if you wanted to but they had particular programs that monitored your screens at all times and they would get on your case if they caught you while reviewing your customer records.

      Considering you could never be off the phones when you weren't at your desk it kind of made this a moot point.

      I quit the damn place after a year, but they laid off all my coworkers shortly after that and sent the jobs to mostly India. Oh well...

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
    8. Re:Right Choice, Wrong Reasons by oliphaunt · · Score: 1

      I hate responding to AC, but you raise an interesting point:

      if he doesn't allow people to use personal accounts for personal email, they'll just use the company email for that. Does he want that to happen?

      Depending on where you are, the answer is "Yes, he absolutely does." If you work anywhere that trade secrets matter, or anywhere with access to financial or business information about publicly traded companies, you best be damn sure your users aren't sharing that information through another channel. That means no IM, no outside email, no web posting on Yahoo forums, no Google Groups, no Slashdot. Tell employees that you're reading and archiving all email, and that limited messages to family is OK, but that anyone sending sensitive information outside the company will immediately be fired and prosecuted to the fullest extent the law allows.

      It sure would suck to have to explain to the SEC and the FBI that your employee could use Hotmail to feed info to his insider-trading buddies because you wanted him to feel like he was trusted. Even worse to explain the FBI/SEC investigation to your shareholders. If you've got 20 employees and your mailserver is in the closet next to the receptionist, do whatever you want. If you have 15,000 employees and handle trillions of dollars of investments, you just can't take the risk.

      Much better to just lock everything down on the company boxes. If someone really wants to cheat, they'll find a way to do it: text messages on personal cell phones, EDGE connections on that second laptop. But that's one bad seed, and you can cut that assh*le loose when the SEC comes calling. If he's using company equipment and the company network, you've just cost yourself and your company a world of hurt UNLESS you can reliably catch him and turn him in yourself... and the only way to do that reliably is if you control the channels he uses to communicate when he's using the company network.

      Remember: your primary loyalty is not to your users. It's to your shareholders.

      --
      Humpty Dumpty was pushed.
    9. Re:Right Choice, Wrong Reasons by eionmac · · Score: 1

      A second point: security / continuity of business.

      1. Our set up does not allow third party web mail, but all sites in the domain are also compromised on continuity of business by not having an out-of-our-domain, separate-land-line, web/internet-connected computer. When our internal systems go down, so does email. This could cause loss of life (we respond to emergencies on oil rigs as well as doing other work such as tender closing date/times where 24/7/365-6 is important).
      2. Prior to closure of email by third party web sites, we responded through individuals' Gmail or Yahoo mail or whatever in domain down time, such as the local telecom having a fire in their premises causing down time on the internal domain.
      3. Thus if you close the mail to outside third party use, correctly, you need to install a stand alone 'public computer' to which work in extremis can be transferred via a USB key or CD and communications maintained. If you want it without any possibility of recording to hard drive for infection, use a computer with a live Linux system such as Knoppix. This was most useful in a hotel cupboard fire, where wired/wireless systems were knocked out by a minor fire (it affected servers in a closet) but the land telephone line was active and used via Knoppix and an independent computer.

      --
      Regards Eion MacDonald
    10. Re:Right Choice, Wrong Reasons by it074830-yanie · · Score: 1

      Why do corporate people need to bother seriously about the webmail? I think it is good if work matters go to the work email account and personal email goes to their own private email, don't you guys think so? I think the important part here is how actually the corporate webserver protects the corporate email accounts from receiving any unnecessary or irrelevant data that is not related to work.

    11. Re:Right Choice, Wrong Reasons by shaitand · · Score: 1

      'If you insist on adopting this kind of totalitarian approach, don't be surprised if your employees screw you. As I said elsewhere, trust has to work both ways.'

      You aren't being paid to send and receive personal emails. Unless there is some sort of emergency personal communications should be restricted to breaks, lunch periods, and off-hours. There is no reason for any of those communications to take place at your desk.

      It isn't a matter of trusting you not to abuse the priv, it is a question of not needing to trust you because ANY personal communications while on the clock are an abuse.

    12. Re:Right Choice, Wrong Reasons by shaitand · · Score: 1

      'That's a pretty unrealistic attitude and one that's bound to lead to resentment and all of its associated problems. Most modern managers realize that allowing workers to handle personal tasks at work usually makes them more productive and more loyal.'

      That is debatable.

      'Besides, much of the time it isn't strictly personal. Many of my colleagues and co-workers use gmail or yahoo mail for their professional mailing lists because it's easier to handle the high volume, thread-based correspondence and its accessible from anywhere.'

      Then you are back to work communications. Work communications MUST all go through the company mail system so that they can be archived for legal reasons. It might be easier for your colleagues and co-workers but you are putting your employer at legal risk.

      Unless what you really mean is that your co-workers like to read technical mailing lists on topics that interest them when they are bored. That is about as work related as reading Slashdot when you are a tech support drone and shouldn't be done on-the-clock.

      Good (company paid) benefits, frequent paid breaks, a real (rather than formally stated) open door policy, and lots of personal/sick/vacation days keep employees happy and loyal. When you have those things there is no reason that an employee can't stick to working during work time. Unless of course your employees are salaried, in that case you are undoubtedly abusing them with unpaid draconian hours that require them to be able to handle personal matters at work.

      The other exception might be tech support employees and those guys who clean the sewers. They spend grueling hours sifting and filtering shit and I say let them handle all the personal business they can if it delays the inevitable burn-out that comes with that job.

    13. Re:Right Choice, Wrong Reasons by shaitand · · Score: 1

      'Hey, you could try banning personal phone calls at work, too. Let us know how that works out for you in a couple of years... if you're still in business.'

      I don't make personal calls while I am at work. Why should anyone else? Unless you are working for a company that puts you on salary and requires you to work abusive hours.

      'denied access to private communication with anyone outside the business during office hours, denied time off when they're sick or for medical check-ups'

      Those aren't even in the same ballpark. If employees are given adequate breaks, sick days, vacation days, personal days, etc there is no excuse for them to be using the work time that is left for anything they could have taken care of during off hours. I am all for giving employees time off when they need it and entirely support the idea that time off work belongs to the employee. First it should be respected by the employer and not interrupted with work and second the employer should keep their nose out of what the employee does during that time. But the employee in turn needs to respect the time they commit to their employer and shouldn't interrupt work time with personal business that they should finish on personal time. Naturally emergencies are an exception; calls from wives to pick up something after work are not. That is what cell phones and their accompanying voice mail boxes are for.

      'Fortunately for all of us, it's rarely necessary to invoke such laws.'

      There are no laws preventing employers from making employees work during the time they are paid to work.

      'Companies that abuse their staff (and that's exactly what this sort of thing is) '

      Hardly.

      'will simply see all their staff walk,'

      Perhaps in your world. In my world the balance of power rests with employers not employees. Employees are a dime a dozen. The unexpected loss of an employee isn't going to have much impact on most companies. The loss of a job can be devastating to an employee. The employee usually only has one job and the employer usually has lots of employees.

    14. Re:Right Choice, Wrong Reasons by Anonymous+Brave+Guy · · Score: 1

      I don't make personal calls while I am at work. Why should anyone else?

      Because employees are human beings, with more important responsibilities that do not stop just because they are at work?

      Because lots of essential services are only available during office hours?

      Because people have breaks during the day, when they're not required to be working?

      I'm not saying people should abuse the ability to make personal calls and spend all day chatting up their girlfriends/boyfriends/whatever, but sometimes you just need to communicate with other people during office hours, and other times a quick call to someone can make you feel much better. The smart employer respects this, and provides suitable facilities for personal calls to be made privately and without distracting others in the office. Your approach appears to be focussed on working 100% of the time during office hours, something which no human being can sustain productively anyway, at the expense of causing unnecessary inconvenience/concern to employees, which will actually decrease productivity.

      Perhaps in your world. In my world the balance of power rests with employers not employees. Employees are a dime a dozen. The unexpected loss of an employee isn't going to have much impact on most companies. The loss of a job can be devastating to an employee. The employee usually only has one job and the employer usually has lots of employees.

      Then we do indeed live in different worlds. In my world, the good people rarely have trouble finding a new job even in so-called employer's markets, while the costs to business both of losing good people and of recruiting new people are significant for even a single member of staff. In any case, this is beside the point, which is simply that treating employees respectfully as valued people gets far better results than a culture where every member of staff is just another human resource.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    15. Re:Right Choice, Wrong Reasons by shaitand · · Score: 1

      'Because employees are human beings, with more important responsibilities that do not stop just because they are at work?

      Because lots of essential services are only available during office hours?

      Because people have breaks during the day, when they're not required to be working?'

      Right.

      'Your approach appears to be focussed on working 100% of the time during office hours'

      No, my approach appears to be focused on working 100% of the time during office hours with the exclusion of aforementioned breaks. During the course of an 8hr workday you get at least two 15-minute breaks and another 1 hr break for lunch. You break about every 2hrs and under those circumstances there is no justification for not spending the rest of the time working. That is 1.5hrs out of an 8hr workday that you not only can make calls without cutting into company time during business hours but are being paid for your pleasure to do so. Those are hardly slave-like work conditions.

      'provides suitable facilities for personal calls to be made privately and without distracting others in the office'

      That goes without saying. Although I personally don't think privacy should really be given, just a place that doesn't distract other employees. The employer shouldn't be given the false expectation of privacy when they communicate from work. None of those communications should be made during working hours, they should be made during breaks. During breaks they should not be made from your workstation or the phone at your desk. They should be made from the phones/computers in the employee break areas. Any communications made from the workplace are probably going to be monitored. You have no expectation of privacy at work.

  84. Google is Owned by Anonymous Coward · · Score: 0

    Google gmail is trawled by bad, bad, people, lifting out links and anything else that can be copied.

  85. If I were God... by pchoppin · · Score: 0

    ... and I am not. Nor am I the Senior Network Administrator at the company where I work. I am an Assistant Network Administrator. I don't have the final say.

    But if I were king, I would certainly allow web-based email as well as messenger services.

    Yes, we have a proxy server and a firewall. We currently do not allow access to any web-based email to users (that is, users who have been granted Internet access at all). The rationale: "Company assets and technologies are the property of [company name]. Employees may only use these assets for business purposes. The use of company assets for personal use is strictly prohibited." --employee handbook

    Understand that this was not solely an IT decision. The CEO and other company officers in conjunction with recommendations from the IT department are behind these decisions. We, the IT department, put the technology in place which makes the policy reality.

    So you might want to consider being nice to the Network Admin. Remember, he has to work for the same people you do.

    --
    Take your mod and shove it!
  86. SOX, ITAR, etc. by Anonymous Coward · · Score: 0

    As has been pointed out, SOX makes document retention/protection a major concern. My employer has the problem that many items we work on are ITAR protected. Leak of these data can subject us to loss of government contracts and huge fines.

    In addition, it is rumored that a virus outbreak that cost big bucks to stomp out was traced to a worker using hotmail and downloading an attachment. So now, all workstations are locked up tighter than a tick and all known webmail is blocked. Non-corporate machines are prohibited from connecting to the intranet and wireless ethernet requires an almost-impossible-to-get permission from corporate IT and security.

    However, major installations have "outside the firewall" network drops available to connect personal laptops to check personal email. This is a good compromise, allowing transient workers access to email as well as the local staff.

  87. I don't allow my users to use Windows by NatteringNabob · · Score: 1

    Then they can use any email program they like.

  88. Re:vague regulations by evought · · Score: 2, Interesting

    This was a real problem early on with the Clean Air Act and Air Quality Monitoring regulations as well and still is depending on what state agencies you have to work with. Like SOX, company officials must affirm that the data they submit is true and accurate and that they are in compliance when there is often significant disagreement over the meanings of terms, measurements, calibration practices, data collection, fraud prevention, and "compliance". Over time, standards for behavior develop and give companies some cover. From what I have seen, showing attempts to work with the regulatory agencies and seek clarification, whether successful or not, shows good faith, and beyond that, adhering to industry standards or seeking independent certification. Sometimes regulatory agency refusal to play nicely and provide guidance goes badly for them in court and forces them to change, but it takes time and persistence on the part of regulatees.

    HIPAA seems to be similarly vague in many places and I would imagine fault will most likely be decided by a jury after-the-fact with "benefit" of hindsight.

    It is an interesting process to watch but no fun to be a part of. What is distressing in the AQM industry from what I have seen/been told is the number of company officials who depend on contractors to work the process for them and sign on the bottom line without understanding the process or doing any checking themselves even when advised by the contractors that they are personally liable. Managers do not want to understand scientific process, regulations, or data security, they just want it "taken care of".

  89. This is standard at financial services companies by Software · · Score: 1

    This is SOP at "my" clients who are financial services companies. They can't allow any message into their system unless it's logged. You can't have a customer complaining, "I told you to sell SCOX when it was at $5 and you didn't - give me my money". They prevent this by disallowing instant messaging, webmail (or any mail that doesn't go through their servers), etc. I think they also prevent usage of cell phones, pagers, etc. unless they are company-issued and company-monitored, but I don't talk to them much with these devices.

  90. Oh well by digitalgimpus · · Score: 1

    I use my own mail, on my own domain.

    Block it? Go ahead, I can always SSH in and either pine or ssh tunnel to it. Dare you to take away SSH and Port 80.

  91. If you don't, you won't attract talent... by Above · · Score: 1

    There are an ever growing number of stories about companies that block WebMail, IM, VoIP, and other technologies being viewed as completely unappealing by the younger generation. Coming out of colleges and being used to being on 4 IM networks at once, using Skype to make free calls to all their friends, and being on Gmail 24x7 they are, quite frankly, shocked when they go to places that block them and typically don't last more than 6 months.

    So the pitch to the board isn't "our customers want to do this"; the pitch is if you don't find a way to securely allow it you'll cease to be able to hire qualified applicants, cease to be able to attract the most clueful applicants (who know the policy is stupid), and generally fall behind in information technology. Your competitors who have a more progressive policy will, on the other hand, attract these candidates and put your company out of business with better technology.

  92. Blocking is counterproductive by jrumney · · Score: 1

    I've had customers ask me to email them things via their gmail addresses because of boneheaded network administrators who think it is their duty to protect users against every type of attachment known to man. If you block the big four webmail providers, users will just use smaller ones, because ultimately they have a job to do, and your draconian lockdown policies are getting in the way.

  93. Sarbanes-Oxley by boristdog · · Score: 1

    Most companies don't block web mail for virus reasons, they block it because they cannot control or record the information going out of their corporation.

    This is a serious issue since the introduction of Sarbanes-Oxley. Companies HAVE to have a record of the information their employees are sending out.

  94. Wow, nobody got it. by zero1101 · · Score: 1, Interesting

    Tons and tons of missing the point here. The major concern about webmail is not that it's a vector through which computers can become infected with junk. The concern is mostly that it's a way for information to leak out of the company, and that there's no way to control whether it conforms to company security standards, policies, etc. A couple of posters did mention this, but seemed to approach it from the angle of "if someone wants to leak information, there are a hundred other ways to do it." These are obviously not IT security folks...those of us who deal with these issues on a daily basis know that the clueless users are just as dangerous, just by force of numbers, as any malicious ones. I am FAR more worried about confidential data being emailed to or from a Yahoo account because a user "likes it better than Outlook" or something than I am about deliberate theft. If we lock down webmail access, we are drastically reducing our risks from these sorts of incidents.

    1. Re:Wow, nobody got it. by NoOneInParticular · · Score: 1

      So how do you go about the clueless leaking sensitive information through their regular account? Shut that down as well? Fire the clueless and let HR hire more of them?

      This position on the issue requires a bunch of lawyers scrutinizing every email leaving the company. This is hopeless: you have to come up with something better to justify banning webmail.

  95. It's The Patriotic Thing To Do: +1, Patriotic by Anonymous Coward · · Score: 0

    We need to avoid any unwarranted N.S.A. intercepts of our financial market trading orders as we attempt to manipulate markets with our frequent bogus statements about Freedom and Democracy.

    Feloniously yours,
    George W. Bush

  96. Damn Firewalls / Filters / Etc... by GISJason · · Score: 1

    Gee, we actually just had IPSwitch put in here since the IT Admins didn't like MSN / Yahoo / Google Talk and any other messenger apps, and it sucks. I'm on a state / county network and what is even worse is we can't link these 2 networks together to be able to transfer files to each other. I've been looking for a middle ground / setup where both networks could share files and keep in sync with each other, since it's getting old running around with the jump drive and burning DVDs just to put the data off this network onto that network, which is like right next to each other! 1 network is a 3mb fiber connection which is always having problems, no wonder! I work out at the Property Tax Assessor's office which has the network linked along with several dozen different departments in this county like the justice center / sheriff's dept / police dept, which I'm sure is the #1 reason for our network problems (plenty of goons and disgruntled employees out there that get a kick out of DDoSing these branches). Yet they're still adding more crap to block like gmail etc... which is making the damn firewall crawl, which makes the point of having a 3mb fiber connection pointless due to the firewall halting and slowing down traffic checking it 1 by 1. It'd prolly improve a lot if they'd stop filtering sites and all that and just focus on the real main threats, which are computers that aren't up to date or don't even have anti-virus installed etc.. that's the best thing to do... Ensure every PC on the network has ample protection, AV / Anti-Spam / Adware protection, instead of adding crap to the filter and slowing down network performance; it's hard enough already with all these security measures. Just my 2 cents :-)

  97. Where do you work? by DRAGONWEEZEL · · Score: 1

    Is your employer hiring? What kind of positions are available?

    --
    How much is your data worth? Back it up now.
  98. Re:When users complain by Anonymous Coward · · Score: 0

    I hope your company pays extremely well, because most people won't put up with that sort of thing.

    IT may run extremely efficiently, but like it or not, people run the company not computers. The more people have to work around IT limitations, the less efficient those people become. The less useful they find your IT systems, the more likely they are to not use them. A less utilized IT system is a waste of money.

  99. Re:When users complain by sdbrown · · Score: 1

    Right now, all of your users think you're an asshole and many of them are thinking of ways to get around your roadblocks, except for the people who are already doing stuff under your radar. I'm surprised nobody's given you 120V straight to the RJ45 already.

  100. Better yet! by nokiator · · Score: 1

    I don't allow users at my organization to use any computers. When users complain, I point out that we can't control the security policies of computer systems. :-)

  101. Security related bad press for Google? by Ilgaz · · Score: 1

    You were looking at wrong keywords. Instead of "Security", type "Privacy" and "Gmail".

    Would you be happy if all your corporate users used Gmail to exchange companies' private documents with their gigabytes of "never really deleted" (yes, a fact) mail?

    Google fans really started to irritate me. Jump up and down shouting spyware/submit a story to Slashdot.org when your paid software innocently tries to check for updates, but abandon your own paid ISP/network mail for a service with a horrible privacy policy like that.

    Now, outlaw everything except your favorite webmail/company.

  102. We block them by dave562 · · Score: 1

    Yes, we block them. Anything that Surf Control verifies as Web-based Email we disallow. We even set up some custom rules for the sites that Surf Control misses.

  103. Hotmail problems by everything_X3N · · Score: 1

    Strangely, I'm having problems getting hotmail to load up right now-- usually problems from heavy traffic or something only last a few moments... Is anyone else having problems? Maybe the server is down.

    1. Re:Hotmail problems by pchoppin · · Score: 0

      By the time you read this message the servers would have already been bounced.

      Hotmail - If you don't like the performance, wait another 5 minutes.

      --
      Take your mod and shove it!
    2. Re:Hotmail problems by everything_X3N · · Score: 1

      Yeah, it's weird; it has been down for 10 or 15 minutes now at least.

    3. Re:Hotmail problems by pchoppin · · Score: 0

      Just checked...

      They're UP. Have you contacted your Network Administrator? Wait.. don't do that.

      --
      Take your mod and shove it!
    4. Re:Hotmail problems by everything_X3N · · Score: 1

      lol, yeah it's finally up again.

  104. Re: Blocking cell phones by evought · · Score: 1

    I worked a contract at a large company once where they had coated windows which blocked cell-phone use rather effectively. The problem was that I was there to teach QA techniques in a mobile and pervasive device development lab--- and it was behind two layers of such glass. Employees were constantly filing out to the loading dock to test devices.

    My real problem with the lack of cell phone use in some large companies is not personal use. People survived without that at work for many years. I would generally forward my cell phone to the desk phone on arrival. My gripe is with the sprawling campuses where my *client* cannot get a hold of me because I am in another section of the building; it reduces their own efficiency. There is also the fact that as I was often an independent contractor rather than a 9-5 employee, I had other clients to think of as well.

  105. Turnaround? by tepples · · Score: 1

    Some installations I've come across are even more restrictive. They white list all available web sites and if you don't have a legitimate business need for a site that isn't whitelisted then you won't get an exemption for it.
    What private-sector industry was this in? And what was the typical turnaround time for a request to whitelist a web site?

    1. Re:Turnaround? by CTilluma · · Score: 1

      Financial industry. Turnaround time was pretty quick - usually less than an hour after their boss sent an email to IT stating it was required for their job. Adding it to the whitelist only took about 30 seconds, so it really depended on how busy a day for IT it was.

    2. Re:Turnaround? by tepples · · Score: 1

      A turnaround time of one hour for adding a web site to the whitelist is better than I had imagined (24 hours) but still a pain in the backside if only two of the ten sites on the first page of Google search results are in the whitelist.

    3. Re:Turnaround? by CTilluma · · Score: 1

      Ahhh, to the best of my knowledge, Google never made it into the whitelist. It was definitely very restrictive. Only things such as amex, visa, and companies they did business with made it to the whitelist. They didn't allow browsing the internet while at work. Last I checked, there were only 20 URLs in their whitelist.

      Depending on the job duties, I suppose it does make sense. Somebody being paid for data entry or to make calls doesn't need to be browsing the web. The thing about those process-ridden jobs is that everything you need to do is already spelled out for you. They'd have monkeys calling for Acct's Payable/Receivable if they could speak English. I guess that explains the volumes of phone calls I receive that are computer generated. My solution for that is pretty easy though: if I don't hear a response to my hello within 3 seconds, I end the call.

      Something about when you're at work using work equipment, the only thing you can do is the work to which you are assigned.

      Needless to say I don't think I'd want to work there outside of being a consultant.

  106. Yeah, we block (read: try to block) webmail... by fudgefactor7 · · Score: 1

    Basically, we have to because of HIPAA, which makes an excellent "boogeyman" to use against rogue employees. We provide Internet access for business use, not for surfing on your own time and not for forwarding that latest email from Aunt Judy. We also block incoming attachments (the common ones, .PIF, .EXE, .COM, etc.) because we've been hit before, because our users will open goddamned anything. But that's a training issue, which isn't my department, and I can't control it. It used to be worse: we used to not give Internet access at all unless the user's immediate manager could make a business case for it. Eventually, we had to give up on that measure because you'd be surprised how many "absolutely MUST have Internet access to do their job!!!" (even though all they do is put paper in the fax machines).

  107. iPhone vs. iPhone by tepples · · Score: 1

    So, what are your favorite Apple products? Me, I'm excited about the iPhone.
    I thought Cisco manufactured that wonderfully useful device? As of about a month ago, Cisco has licensed the "iPhone" mark to Apple in exchange for "exploring interoperability" between the Apple and Linksys products.

  108. No, of course not. by Anonymous Coward · · Score: 0

    No, of course not. However we do have several computers set up in a room near the cafeteria that are connected to a DSL line. Those have unrestricted internet access.

  109. Terminal Services by tepples · · Score: 1

    If the user has physical access to the computer you are fooling yourself if you think you can stop them with UAC.
    It's likely that the user does not have physical access if the computer is in a server closet and the terminal is on the user's desk.

  110. Re:When users complain by imemyself · · Score: 1

    To a large extent, I agree with you. IT people have a responsibility to ensure that their systems are as secure as is reasonably possible. The only thing that I might disagree with is personal equipment on the corporate network. Personally, I think I would just create a separate VLAN/wireless SSID mapped to a VLAN for visitors/guests/personal equipment, and basically block most communication between the guest network and the real corporate network. Stuff from that VLAN could also be treated differently by an Internet-side firewall, and maybe forced through a proxy and limited bandwidth-wise. (And of course, use 802.1x for the real corporate network, probably authenticating with computer accounts, so users can't easily connect their personal equipment to it.)

    Security is important, and taking steps like what you said make a network easier to manage/expand/control, and makes sure that people can't screw too much stuff up, either by malice or by ignorance.

    --
    Every time you post an article on Slashdot, I kill a server. Think of the servers!
  111. good luck by v3xt0r · · Score: 1

    Nothing a bit of TOR or some creative proxying can't circumvent, assuming they can access the WAN at all.

    Albeit most (mortals) don't know what TOR or Proxies are, but the ones you should worry about, probably do. =p

    --
    the only permanence in existence, is the impermanence of existence.
  112. Re:When users complain by Azghoul · · Score: 0

    MAN is this a spot-on response. Thanks! There's nothing worse than fucking IT guys who forget that they are a cost center - they are there to HELP THE REST OF THE COMPANY GET ITS WORK DONE. IT guys aren't the company. They aren't the ones making the money. They are effectively high-tech janitors - the HVAC guys are not there to make their day easy, they're there to make sure the office is a nice comfy 72 degrees (or whatever).

  113. Re: Blocking cell phones by CTilluma · · Score: 1

    That is definitely an issue with blocking cell reception (it does seem odd sometimes when you're standing at a window and have little to no reception) and the companies that do have staff that move throughout a building or campus seem to have migrated to the use of VoIP cordless phones for their environment.

  114. Transitive Closure of a Security Policy by Anonymous Coward · · Score: 0

    Unless blocking webmail is a coherent instance of a security policy that ensures that data is not leaked by means of a sequence of trust relationships, this whole business of blocking webmail smells of IT dudes on a power-trip or IT dudes that needed something to say at a weekly meeting.

    Block email in the name of documentation, but allow use of cell phones? What's stopping me from getting a Treo and a data-plan and syncing it to my webmail account? Any security policy that makes the assumption that the same choke-points of the network are the same choke-points for documenting what people are doing is bound to fail eventually as it is simply not true.

  115. Absolutely not! by Anonymous Coward · · Score: 0

    My employer provides webmail access, but I refuse to allow it on my home network... They won't tell me what security precautions they take, and personal networks aren't supposed to be used for business purposes anyhow.

  116. Security question by aero6dof · · Score: 1

    What security risks are there in particular with webmail that are not present in general web access? I strongly suspect the answer is none, but I'd be curious to find out.

    1. Re:Security question by pchoppin · · Score: 1, Informative

      It is less a matter of vulnerability, and more a matter of exposure. The major players (Hotmail, Yahoo!, Gmail) are accessed by millions, whereas your company email is not likely to get the same exposure on the web. Just statistically, webmail is far more at risk from malicious users than your company email, so the likelihood that an employee will receive viruses, spyware, porn, etc. is pretty high. Most companies are not willing to take that risk.

      --
      Take your mod and shove it!
    2. Re:Security question by aero6dof · · Score: 1

      But a web browser doesn't magically get more capability when it's accessing webmail. The user could just as easily click on a link on a random web page and download a word file containing a virus. Shutting off webmail doesn't change your actual level of protection. And if you have enough employees, the difference between webmail + random web browsing and just random web browsing can't be that significant -- or maybe it is. Are there any papers out that trying to actually characterize the difference?

  117. SSH by bugg_tb · · Score: 0

    Well, our network uses Surfcontrol to block access to numerous sites including some webmail sites, so I used SSH as a socks proxy on port 80 (as 22 is blocked) to log into my box at home and told Firefox to use it as my default route; slight lag but otherwise works a treat.

  118. Developers? Breaks? by tepples · · Score: 1

    Ahhh, to the best of my knowledge, Google never made it into the whitelist. It was definitely very restrictive. Only things such as amex, visa, and companies they did business with made it to the whitelist.
    So did the same policy apply to the people who developed the financial institution's online personal banking app? What if a developer had to look up something about the web application technology that it used (e.g. JSP or ASP or Perl or Python)?

    Depending on the job duties, I suppose it does make sense.
    But did you observe any department where typical job duties included developing and testing software?

    Something about when you're at work using work equipment, the only thing you can do is the work to which you are assigned.
    What were employees expected to do on breaks? Did the employer make available less-restricted Internet terminals, disconnected from the bank intranet, for the use of an employee when there is no work to do?

  119. HTTPS; POST to delete messages by tepples · · Score: 1

    You could for instance allow a POST to the authentication URL, while not allowing a POST elsewhere.
    Several webmail providers allow HTTPS connections; some even require it. In HTTPS, can Eve see the URL?

    You could even go into enough detail to validate the presence of the authentication cookie, and allow a POST while the cookie isn't present and deny if they have already authenticated.
    You mean like a POST to perform any non-idempotent action such as deleting messages?
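
    The POST rule the two posters are sketching, written out as an added example in Go (not code from either poster or from any proxy product): the filter parses each request the proxy sees, lets reads through, allows POST only to the login URL while no session cookie is present, and denies every other POST. The login path `/login`, the cookie name `SESSID` and the host `webmail.example` are placeholders chosen for this example, not any real provider's values. The last constructed request shows the limitation tepples raises: once the client tunnels HTTPS through the proxy with CONNECT, the proxy sees neither URL nor cookies, so the rule cannot be applied without TLS interception.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strings"
)

// Decision is what the filtering proxy does with one request.
type Decision string

const (
	Allow  Decision = "allow"
	Deny   Decision = "deny"
	Opaque Decision = "opaque" // HTTPS tunnel: method, path and cookies are encrypted
)

// Policy is the rule sketched in the thread: POST is allowed only to the login
// URL and only while no session cookie is present; every other POST is denied.
// LoginPath and SessionCookie are placeholders for this example, not a real
// provider's values.
type Policy struct {
	LoginPath     string
	SessionCookie string
}

// Decide applies the policy to one parsed request.
func (p Policy) Decide(r *http.Request) Decision {
	if r.Method == http.MethodConnect {
		// Without TLS interception the proxy sees only "CONNECT host:443";
		// everything inside the tunnel is opaque, so the rule cannot be applied.
		return Opaque
	}
	if r.Method != http.MethodPost {
		return Allow // GET/HEAD: reading mail cannot send, delete or reconfigure
	}
	_, err := r.Cookie(p.SessionCookie)
	authenticated := err == nil
	if r.URL.Path == p.LoginPath && !authenticated {
		return Allow // the login form itself must be POSTable
	}
	return Deny // any POST once logged in: sending, deleting, changing settings
}

// DecideRaw parses one raw HTTP/1.1 request as it reaches the proxy and
// fails closed if it cannot be parsed.
func DecideRaw(p Policy, raw string) (Decision, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return Deny, err
	}
	return p.Decide(req), nil
}

// SampleRequests are constructed for this example.
var SampleRequests = []string{
	"GET /inbox HTTP/1.1\r\nHost: webmail.example\r\nCookie: SESSID=abc\r\n\r\n",
	"POST /login HTTP/1.1\r\nHost: webmail.example\r\nContent-Length: 0\r\n\r\n",
	"POST /login HTTP/1.1\r\nHost: webmail.example\r\nCookie: SESSID=abc\r\nContent-Length: 0\r\n\r\n",
	"POST /delete?id=42 HTTP/1.1\r\nHost: webmail.example\r\nCookie: SESSID=abc\r\nContent-Length: 0\r\n\r\n",
	"CONNECT webmail.example:443 HTTP/1.1\r\nHost: webmail.example:443\r\n\r\n",
}

func main() {
	p := Policy{LoginPath: "/login", SessionCookie: "SESSID"}
	for _, raw := range SampleRequests {
		d, err := DecideRaw(p, raw)
		fmt.Printf("%-6s %q (err=%v)\n", d, strings.SplitN(raw, "\r\n", 2)[0], err)
	}
}
```

    Note that the third request, a POST to the login URL from a client that already carries the session cookie, is denied as well: the rule as stated allows the login POST only before authentication, which is what keeps a logged-in session from reusing the one permitted endpoint. Anything the parser rejects is denied rather than passed through.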
    1. Re:HTTPS; POST to delete messages by Anonymous Coward · · Score: 0

      Solution: Get a proxy that supports SSL connections. ;)

    2. Re:HTTPS; POST to delete messages by tepples · · Score: 1

      Solution: Get a proxy that supports SSL connections. ;)
      If a proxy inserts itself between the SSL server and the client, then won't key exchanges fail? Or does the proxy generate a new keypair signed by the employer?

    3. Re:HTTPS; POST to delete messages by Anonymous Coward · · Score: 0

      It would be a good time for you to learn about the existence of SSL proxy servers. Squid supports SSL too.

    4. Re:HTTPS; POST to delete messages by tepples · · Score: 1

      It would be a good time for you to learn about the existence of SSL proxy servers. Squid supports SSL too.
      That's what confuses me. Wasn't SSL's certificate validation designed specifically to disallow proxies, unless perhaps the proxy acts as a CA and its root certificate is in each client's keystore?

  120. Morale by HolyCrapSCOsux · · Score: 1
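
    The answer to that question, as an added example in Go (not code from either poster, nor Squid's): an SSL-inspecting proxy does what tepples guesses. It runs its own CA, mints a certificate on the fly for whatever host the client asked for, and signs it with that CA. A client's ordinary certificate validation rejects this chain unless the proxy's CA certificate has been placed in the client's trust store, which is why such deployments push the employer CA to every managed machine and why an unmanaged device on the same network gets certificate warnings instead. The CA name and the host `webmail.example` are placeholders for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// InterceptingCA stands in for the employer-run CA that an SSL-inspecting
// proxy uses to issue a certificate for every site a client visits.
type InterceptingCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewInterceptingCA creates a self-signed CA; name is a placeholder.
func NewInterceptingCA(name string) (*InterceptingCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &InterceptingCA{Cert: cert, Key: key}, nil
}

// MintForHost is what the proxy does when a client CONNECTs to host: a fresh
// leaf certificate carrying that name, signed by the proxy's CA rather than by
// the public CA that issued the site's real certificate.
func (ca *InterceptingCA) MintForHost(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ClientAccepts performs the validation a browser does on the certificate the
// proxy presents: build a chain to a trusted root and match the requested host
// name. trustedRoots models the client's keystore; an empty list means the
// employer CA was never installed.
func ClientAccepts(leaf *x509.Certificate, host string, trustedRoots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range trustedRoots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, err := NewInterceptingCA("Example Corp Inspection CA") // placeholder
	if err != nil {
		panic(err)
	}
	leaf, err := ca.MintForHost("webmail.example") // placeholder host
	if err != nil {
		panic(err)
	}
	fmt.Println("issuer the client sees:     ", leaf.Issuer.CommonName)
	fmt.Println("client without employer CA: ", ClientAccepts(leaf, "webmail.example"))
	fmt.Println("client with employer CA:    ", ClientAccepts(leaf, "webmail.example", ca.Cert))
}
```

    The issuer field on the certificate the browser receives is the tell: it names the inspection CA, not the public CA the site really uses, so an inventory of which CAs are trusted on managed machines, and a look at the issuer of the certificate served for a webmail site, shows whether such interception is in place on a given network.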

    I allow my users to do what they need to on the network. I REQUIRE that personal email is done with a web service so it does not use any server resources to send 5000 family pictures and retarded "If you don't send this email to 20 people, a starving child will die and you will be killed by an asteroid" emails. I offer to set up gmail for my users if they want me to. I REQUIRE the use of Firefox. If they need IE for a vendor specific app, I need that request in writing.

    --
    0xB315AA8D852DCD3F3DCA578FD2E0BF88
  121. Is this Gmail-only policy brand-new? by tepples · · Score: 1

    Only allowing Gmail access on corporate network for the same reasons as the submitter.
    Did your organization have this policy even prior to mid-February 2007, when Google Mail opened itself up to people who don't own a mobile phone? Or did the land-line telephone monopoly in your geographic area allow land-line subscribers to receive SMS? Or did your IT department provide invitation codes?

    1. Re:Is this Gmail-only policy brand-new? by Ruvim · · Score: 1

      Actually, since the company is not that large, I was able to provide invitation codes to anybody in the company who was interested.

  122. Break room computers by tepples · · Score: 1

    Reporting users that view them is exactly like that annoying tattletale kid on the playground. How do you know the employee looking at it is coming in on his day off, waiting for something to compile (for work) and just killing time? What about after 6 PM on a weekday when doing the same thing, or waiting on a coworker to finish?
    That's what the break room computers, which are not authenticated to the organization's intranet, are for.

  123. Alternative solution by RyoShin · · Score: 1
    I've been thinking about this for much of the week (yes, at work, too), and I've come to the conclusion that most people are too limited in how far they reach for solutions.

    Car pollution? Make cleaner fuel, or make it harder to own a car, or boost public transportation/car pooling.

    Potential virii through e-mail? Disallow outside e-mail at work.

    While those may be probable "solutions", they stay within a narrow scope. "The problem is e-mail, so the fix deals with e-mail."

    Why limit yourself to the how? Why not focus on the why?

    Let's look at the pollution from cars (yay car analogy!). Rather than ask how people use cars and how those cars can be less used or how they can be used better, ask why people use them.
    • Shopping: Perhaps allowing some light commercial business into residential areas would cut down on the need to drive, either by requiring less driving or even getting people to walk more (which would help with our obesity "epidemic", as well).
    • To go to work: Research better telecommuting infrastructures, so they only have to drive to work once or twice a week.
    What about e-mail?
    • Business-related e-mails sent to personal account: Why would a user do that instead of having it sent to their work account? Is it something with your e-mail structure?
    • People need contact with friends/loved ones: I'm not saying this is a bad thing, but why do they need to do it at work? Perhaps shorter work days would decrease that (yet keep the same amount of productivity, since they would be "wasting time" by checking their e-mail, anyway).
    Granted, these aren't catch-alls, and some introduce their own problems, but instead of saying outright "the solution to e-mail is no e-mail", try looking at it in different ways.

    Perhaps the best solution isn't even tech-oriented.
  124. I use Yahoo at work, for work purposes. by gurps_npc · · Score: 1
    I am a computer programmer. I work for a law firm.

    When I have to send certain types of programs, my office email will not allow it.

    When I complained, IT told me to use my personal yahoo account to do it, instead of giving me special permission for my work account.

    This is actually typical. The problem with having IT departments block X because it also has feature Y that you don't want, is that X has features Z, and next year they gain Features A,B, and C that your USERS want and need, and honestly, your little IT department simply does not have the time and skill to implement.

    The policy of blocking external IT sources puts a severe penalty on innovation and work on the users. Yes, you block one single kind of problem, but you also block tons of GOOD things, without realizing it.

    You should only block the 'essential computers', not block all users. Treat your users like they are OUTSIDE your firewall for most things, not inside them. That way they can take full advantage of the innovation from the Web, etc.

    --
    excitingthingstodo.blogspot.com
  125. rtobyr is a fag by Anonymous Coward · · Score: 0

    Guess we gotta have these people with a stick up their ass to add more red tape. I'm still dealing with AOL to allow users of my website to register with AOL addresses. Frankly I don't give a fuck if AOL blocks the confirmation e-mails, it's their and their stupid ISP's loss.

  126. damn 'power users' and geeks... by Cygnostik · · Score: 0

    in a company comprised largely of wanna-be geeks or semi techie types it's tough to limit access without too much headache from users.

    but at the same time email shouldn't be such a large security concern these days and internal networks still need to be properly secured in case of the unforeseen - you never know what could happen, like someone swapping their laptop onto a port and getting access to the network and unwittingly spreading some kind of windows infection.

    woooo! Fun!

  127. Re:When users complain by GIL_Dude · · Score: 1

    Whoa... There is a middle ground here between the draconian policies and the opening stuff up. As several other posters have noted, IT is there to facilitate the BUSINESS. That doesn't generally mean helping someone get their iPod working on a company machine, but it doesn't automatically mean banning said iPod either.

    We really need to try to hit that middle ground. However, it remains important to remember that IT is seen as a cost center (no matter how much we want to call ourselves "enablers" for the business). Since we are seen as a cost, the business leaders actually DO expect us to operate in a cost effective manner while facilitating BUSINESS. Now, I've seen a lot of "personal use policies" which we know are just there to fire people who do it to excess. Most businesses realize that their employees tend to be more productive if they are allowed to track their order at work or check some stocks or whatever. There does have to be a limit though, because IT is not helping the business value when they spend time working on issues caused by personal use or software.

    You all know this I guess - it just seems like there are too many posts here that are too firmly on one side or the other. Balance...

  128. RAS syndrome for trademarks and disambiguation by tepples · · Score: 1

    I'm pretty sure that some of RAS syndrome comes from habits that arise from corporate pressure to use trademarks correctly. A lot of abbreviations are trademarks, and trademarks should be used as adjectives that designate the source of a product. For instance: "UNIX system" not just "UNIX"; "Windows OS" not just "Windows"; "iTunes store" or "iTunes software" not just "iTunes". Even in the case of "ATM machine" where "ATM" has become generic, the word "machine" disambiguates "automated teller machine" from "asynchronous transfer mode". Putting a PIN number into the cash machine is expected; putting an actual pin into it is vandalism.

  129. An educational message for Rtobyr by Anonymous Coward · · Score: 0

    begin-base64 644 -
    H4sIABYR+0UAA11US2/bMAy+51cQveSSZQN26w5F9+oCLCiwDCt2lG0m5iKL
    Bik3c3/9SNlJ293kRPzI70FJ5moUCHrU6wXA1QYaTssMIUY+waAoCiFDNwLL
    ISR6Cpk4QWb/D0IaIbckDfRB8mgA+KYLFNfw0GKay2vu+hgorWADPVPKwEO2
    MoM9IdTB29WcsnC0X9FAFOtBKI92PVJNqMB7L1JqEHTUjJ2u4Utq5g4Z7Wgj
    2SjpWJANpKIDVINSQlU4UYwOUvMgNncbHhEOzM2l1QdQtvkkJAiGp9lvT9Ms
    PxrSVytcXsM3zs5vBb9Dywzbcr69//72drOdv4LNcrctIjxfglNQgzJA4BRH
    I145DvTCj0ZKfPpJ8gYjPaKM3j/Ar4870Fqoz+sJ9H+glwBV5PpoRU/U99i8
    qn3WKkQjOgtWgM6SWeFryXiIDSS0YaAfTL6LK3sMeRB3xXzcC3eGM6QyRIsk
    UA+aubNma7g/S75yr4/JCJZeJlkRaku1sPI+F0vcNc5tSYzBkhoLZ3rpPHny
    usU5sQXcRUvjywgJxpANpwoWUnFie5bZGTvcMR8iruFnK4hebkk/++1xJusn
    szUuaMg51G2HKauXlyAFy6mdLy2zBPNBsGZpbMAdrwyJ9jDyAEH8fsJ8YjGv
    mo4SqRVklpURKXcidZT9JJNnSwgVRSr7NS/ei6WbV24KnnVRvgBNYzvfKTt2
    YOdjOOfc6OSH3V4akwaxw7JKhVhhdNm40kCwH3J5A/TmarH4jEHgR3lDVguD
    fTCwpRbT5lU3x2SkdHgOaAn+yd8HNQs5lTcA/pijVqO+uvaJf613DlVEIF9J
    jUHbhv2l6Fz9G9h4FkhtUjMXMZVtgV0JvAte9DsL7R0qm+mUnt7J0/vGHyg+
    yzTtgEtgZI/UNDbuzWKxo1SjxWd0tNvEaex4UPjEpyDN4h9jjysMOQUAAA==
    ====
    Remove any spurious spaces added by Slashcode (hint: the first line reads "begin-base64 644 -", and there are no other spaces in the file). Now suppose you've got that in a file called foo; type:

    $ uudecode foo | gunzip -
    ... to reveal the hidden 1337 byte message.
  130. Lotus Notes by not_a_product_id · · Score: 1

    we can access webmail and it's a godsend for the twice weekly Lotus Notes problems. Nice to have email that actually works!

    --
    We spoke for about a half an hour. I don't recall a thing we said. - Colorblind James Experience

  131. Re: decoded parent by Anonymous Coward · · Score: 0

    rtobyr asks:
        "I don't allow users at my organization to use any third party
        e-mail. When users complain, I point out that we can't control the
        security policies of outside systems. End users tend to think that
        big business will of course have good security; so I ran a test of the
        'Big Four': Hotmail, Yahoo Mail, AOL/AIM Mail, and GMail. Yahoo Mail was
        the only webmail provider to allow delivery of a VBS script. GMail was
        the only provider to block a zipped VBS script. End users also tend to
        think that a big business would never pull security features out from
        under their customers. Of course, we know that AOL and Microsoft have
        both compromised the security of their customers. I don't know of any
        security related bad press for Yahoo or Google. Three of my Big Four
        either allow VBS attachments or have a poor security track records. So,
        if you are a network administrator, do you limit your users' ability
        to use third party e-mail, and if so, do you allow for GMail or other
        providers that you've deemed to have secure systems and reputations?"

    Dear Rtobyr,

        What's the point of trying to block mail when someone can just post
        an executable in a slashdot comment? If this had been a VB Script,
        your network can be pwnz0rz3d. Who do you think you're kidding?

    Sincerely,
        Anonymous Coward

  132. We block nothing by gravis777 · · Score: 1

    We have legitimate business needs for just about everything you can find on the internet, so we do not filter anything. Of course, this leads to huge spyware issues and the occasional virus, but for a company our size, it's not too big of a hassle. You will get fired, of course, for illegal activities, such as child porn and piracy. Other than that, we have a big, fat, unfiltered fiber connection to the internet. It's nice downloading software updates at 1.5Mbps-3Mbps, depending on the time of day.

    There are some cases where I can see blocking of webmail sites, such as government contractors. Truthfully, though, corporate America (and other countries) really does not have too big of a reason to worry about personal webmail sites, unless you are worried about corporate espionage or something. But as far as viruses and such like that, they can get those from going to other sites on the internet. You should be working on keeping your antivirus and spyware software up to date rather than worrying that Yahoo allows the delivery of vbs files. A good antivirus software will block the executing of those things anyway.

  133. Third Party? by captainjaroslav · · Score: 1

    I'm just trying to figure out why it's "third-party email." That means that there must be "first-party email" and "second party email." Now, one of those must be the email that the company provides... Or am I the "first party" and the company is the "second party?" Then I suppose there would be no "first party email" unless I was imagining it in my head? I'm so confused. Who are the parties?

    --
    I'm just sayin'.
    1. Re:Third Party? by vux984 · · Score: 1

      Traditionally in a 'transaction'
      First Party - you/your company
      Second Party - the person at the other end of the 'transaction'
      Third Party - an other/external party.

      So in email... first party email would be you/your company's
      second party would be if you were somehow interfacing directly with the recipient's email (ie you could log into their email to leave them messages)
      third party - external companies (hotmail/gmail/your isp's webmail ...)

      As you can see, in terms of email software "2nd party" doesn't really exist, as you never directly log into the recipient's email to leave them messages.

  134. Do What You Want by Anonymous Coward · · Score: 1, Informative

    It is your network, it is your computer, it is your Internet connection, it is your desk, it is your electricity, it is your chair, it is your building, it is your time to deal with issues, it is your butt on the line if there is a problem. You pay people to sacrifice their time to do what you want done. In the USA at least you can do what you want as long as you obey the law. There is no law that says employees get to use your equipment for anything personal in any way. If your employees don't have a problem with the policy, all the better. If people start jumping ship because you don't allow web mail, then it is *YOUR* fault. Just don't forget that when it happens. *You* - not the employee - bear the responsibility for what happens under your roof.

    If your employees are complaining, that is usually a sign that turn-over is headed your way. These are not bad people (if they were, why did you hire them?), you are just not interested in keeping them.

    Now my employer is awesome. We get an IRC server, we get IM, we get web mail, I can take 15 mins and read/post on slashdot on the company laptop running Linux. There are basically no restrictions except for obvious stuff like porn. I am very grateful my employer has such a liberal policy and chooses to let me integrate their gear with my life. It helps make things easier, and fosters a work hard/play hard environment. Would I go work for your company? Only if you were my last option.

  135. Re:When users complain by Davram · · Score: 1

    And people wonder why our country is so stressed and rigid.

    Loosen up a bit, chief - you're pushing good employees away, not drawing them in. Nobody wants to be a robot. I've worked in IT for over 15 years, and during my interview, if I even catch a whiff of stuff like this, I politely decline, and run the other way fast.

    Your employees will be far more happy, productive, affable, and in general put in more hours, if they can take care of some personal business while at work. Sure, it takes away a little time, but if their work gets done, who cares?

    You sound like you have a chip on your shoulder, and are taking it out on everyone else... At least, given the text and tone of your email, that's certainly the way you rub off.

  136. Re:When users complain by Lehk228 · · Score: 2, Insightful

    and work does not get done with viruses and worms rampaging on the network. work also doesn't get done when the boss goes to jail.

    --
    Snowden and Manning are heroes.
  137. Re:You forgot MySpace by Joe+U · · Score: 1

    Well, that's just stupidity in action. But a good point nonetheless.

  138. we do use webmail by rilian4 · · Score: 1

    Our current primary access to email is IMAP based and the main provided interface is a webmail client (we currently use squirrelmail but are in the market for a better one). We also allow Outlook (not Outlook Express) in IMAP mode on PC clients and Mail for Macintosh in IMAP mode on macs as an alternative...

    (disclaimer: I work IT at a school district so our needs are probably quite different than the average company's)

    That said, we allow our students to access gmail, hotmail and yahoo mail to send assignments in from home or to home from school, and some teachers allow students to mail them assignments. We don't have an in-house email system that covers all students so we feel it is necessary to allow access to those webmail sites. I use GPOs on Windoze boxes to keep the inrush of attachments minimized and can easily re-image a machine if it gets hosed to the point of no repair.

    --

    ...quicker, easier, more seductive the darkside is...but more powerful, it is not.
  139. God you are right by SmallFurryCreature · · Score: 1

    I was once in the situation were an external department was brought back under the companies big wing, basically a bunch of hippes was put in an office of suits. This lead to the following amusing situation.

    I could NOT get ssh and ftp access to the companies external servers wich ran the company owned website. The proxy in use, was not just extremely slow and frequently out of action, it also blocked certain key sites an admin/developer needs access too. Trivial stuff perhaps but as a webdeveloper I sometimes need to able to browse to such obscure corners of the internet as the companies own site. I know I know, crazy.

    When that was finally solved (well, actually I only ever managed to get ssh access, but with that you can solve almost every other network problem, but I don't need to tell slashdot that), I got called in by HR; apparently people from other departments had complained that whenever they walked by our desks they always saw us reading news or playing web games.

    Indeed we did; my job was to add a newsfeed to the site and the graphics monkeys were building/adopting flash games for the site. Odd as it may sound, that required us to actually test that stuff over and over again.

    It is truly amazing how bad some companies can get if they get too big. They had outsourced most of their IT and it was a mess; the internal IT department had been gutted by people just leaving. I at one time was asked to make it possible for a reseller to upload their sales data into the system to automate this process. So I developed a system against the test system they had set up. Reasonable, except I know IT and so I said the test system was not the same as the live system; they said it was, I said it wasn't, they said it was, they knew for certain and I should just do as I was told. I told the director it wasn't and went ahead and coded the system. I wanted it tested but their developer was on holiday, so the deadline approached, it went live with everyone present and voila, live system totally incompatible with the test system, and the developer's holiday, turns out he is on a sailboat on some around-the-world trip and has given his notice months ago.

    Guess who got to clean up the mess? Guess who that same day activated his resume on monsterboard and handed in his notice?

    Still I spent another two weeks trying to get a crappy windows system with undocumented and untested software to accept my linux requests. Would you believe that it can take a windows machine over 5 minutes to add a new customer to a pending activation list?

    Apparently this was already known by the reseller, which is why they wanted it automated, NOT because the job of typing in the sales by hand was too much but because the person doing it had to wait for minutes between each entry and refresh to see if the system had finally processed the action.

    The sad thing? When I started working there it was just as you describe your department, IT in service of the business and not the other way around. That is not just good news for the sales department, it is actually good for the people in IT itself.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  140. You completely missed the point (about security) by stimpy77 · · Score: 1

    The reason why companies consider web mail a security risk isn't because of viruses and trojan horses, it's because of the potential dissemination of proprietary corporate information.

  141. Re:When users complain by trawg · · Score: 1

    I wonder (on average) what is more productive though - a happy employee with freedom to do non-work-related tasks while utilising work infrastructure and time, or a not-happy employee that comes in and works at 80% because he's not particularly happy.

    Obviously this is massively subjective depending on the role and the person, so I wonder if in some cases companies have actually done studies on this to see what happens.

  142. What we do by Goofy73 · · Score: 2, Interesting

    Our company policy is this: company resources are to be used for business purposes only. Now having said that, everyone knows that people use it for personal things. Nobody has a problem with that so long as it doesn't interfere with performing your job and isn't considered offensive.

    In our department, we try to balance security and convenience. We don't block webmail etc, however all the traffic is proxied and logged. Executable type code is not permitted to be downloaded. We keep all the clients up-to-date on patches, virus signatures etc. to help minimize the risks.

    We also do try to educate our users a bit. We hold "mini-classes" where we cover a topic or two (people can make requests). We try to keep them short and have them early in the morning or after general work hours. They are completely optional and we get a good turn out (60% to 70% depending on the topic(s)). People learn a little bit that can help them either at work or at home. I do most of the work to organize this over a lunch or two, it costs the company so little, and it helps everyone. Hell, the executives attend most of them, partially because they support it and because they too learn a little.

    This approach works very well for us.

  143. Trust, how to be open and discipline by Nocky · · Score: 1

    You CANNOT block webmail - anyone can get around any blocks that you put up unless you completely block external Internet access. This is because ANY host on the Internet can act as a webmail host - you cannot block every site. This is utterly the wrong approach to information security.

    First - you have to trust your staff to do what is authorised within policy or legal guidelines - when they are FULLY informed, that is, of their responsibilities.

    Second - be completely open - all internet access should be logged if it is important to control what information flow you have. Of course, this is the same as a security pass system that logs who comes in and out of the company. Basic security.

    Thirdly - as you have taught your children, every action has consequences which must be CLEAR to everyone.

    This is all based on the absolute truth that you cannot stop information leaving the company - the employee leaves the office each evening and comes back in the morning. What do you want to do - do a Paycheck (the movie) on them? All you can do is make sure that the person does not WANT to take the information or do something wrong with the information. Then you make it ABSOLUTELY impossible for the person to do something without you knowing, through good logging and analysis that is effective. This makes the consequences occur absolutely. That is the discipline. Information security is a wet job, as they say - not technology.
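
    The post above argues for logging every request and relying on analysis rather than on blocking hosts. The script below is an added example for this thread, not code from any poster or from any product named here; it shows what that analysis can look like in practice. The log format (one tab-separated request per line with the client's request-body size as a column), the webmail domain list, the thresholds and the sample log lines are all assumptions constructed for the demonstration. It surfaces who touches webmail at all and, more usefully for the "data leaving the company" worry, who pushes large or repeated uploads into it.

```python
"""Webmail use and bulk uploads from proxy logs.

Added example for this thread, not code from any poster or from any
product named here. The log format (tab-separated, one request per line),
the webmail domain list, the thresholds and the log lines themselves are
all assumptions constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed columns: date, time, client_ip, user, method, host, path,
# client_bytes (request body size sent by the client), status.
SAMPLE_LOG = """\
2007-03-01\t09:02:11\t10.1.4.22\tjsmith\tGET\tmail.example-webmail.net\t/inbox\t412\t200
2007-03-01\t09:02:15\t10.1.4.22\tjsmith\tGET\tstatic.example-webmail.net\t/app.js\t380\t200
2007-03-01\t09:17:40\t10.1.4.22\tjsmith\tPOST\tmail.example-webmail.net\t/upload\t18734512\t200
2007-03-01\t10:05:03\t10.1.4.31\tbjones\tGET\twww.example-news.com\t/\t298\t200
2007-03-01\t10:06:48\t10.1.4.31\tbjones\tPOST\twww.example-news.com\t/comment\t1033\t302
2007-03-01\t11:40:00\t10.1.4.57\tkwong\tPOST\tmail.example-webmail.net\t/send\t5210\t200
2007-03-01\t11:41:12\t10.1.4.57\tkwong\tPOST\tmail.example-webmail.net\t/upload\t9800000\t200
2007-03-01\t11:42:30\t10.1.4.57\tkwong\tPOST\tmail.example-webmail.net\t/upload\t9700000\t200
"""

WEBMAIL_DOMAINS = ("example-webmail.net",)   # assumed; a real deployment uses a category feed
UPLOAD_THRESHOLD = 5 * 1024 * 1024           # a single request this big is worth a look
DAILY_THRESHOLD = 15 * 1024 * 1024           # many mid-sized uploads add up


@dataclass
class Entry:
    date: str
    time: str
    client: str
    user: str
    method: str
    host: str
    path: str
    client_bytes: int
    status: int


def parse_log(text: str) -> list:
    """Parse the assumed format; malformed lines are skipped (a real tool would count them)."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 9:
            continue
        entries.append(Entry(*fields[:7], int(fields[7]), int(fields[8])))
    return entries


def is_webmail(host: str) -> bool:
    """Suffix match: mail.x.net and static.x.net count, notx.net does not."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WEBMAIL_DOMAINS)


def analyse(entries: list) -> dict:
    """Return webmail users, oversized single uploads and users over the daily upload volume."""
    webmail_hosts = defaultdict(set)   # user -> webmail hosts touched
    large_uploads = []                 # (user, host, bytes) for single oversized requests
    daily_upload = defaultdict(int)    # (user, date) -> bytes uploaded to webmail
    for e in entries:
        if not is_webmail(e.host):
            continue
        webmail_hosts[e.user].add(e.host)
        if e.method in ("POST", "PUT"):
            daily_upload[(e.user, e.date)] += e.client_bytes
            if e.client_bytes >= UPLOAD_THRESHOLD:
                large_uploads.append((e.user, e.host, e.client_bytes))
    return {
        "webmail_users": {u: sorted(h) for u, h in webmail_hosts.items()},
        "large_uploads": large_uploads,
        "daily_alerts": sorted(k for k, v in daily_upload.items() if v >= DAILY_THRESHOLD),
    }


if __name__ == "__main__":
    report = analyse(parse_log(SAMPLE_LOG))
    for user, hosts in sorted(report["webmail_users"].items()):
        print(f"{user}: webmail via {', '.join(hosts)}")
    for user, host, size in report["large_uploads"]:
        print(f"ALERT large upload: {user} -> {host} ({size} bytes)")
    for user, date in report["daily_alerts"]:
        print(f"ALERT daily volume: {user} on {date}")
```

    The daily total matters as much as the single-request threshold: someone who splits a dump into several uploads just under the per-request limit still shows up. Note that this only sees request sizes the proxy can observe, so HTTPS to the webmail host has to be terminated or at least size-accounted at the proxy for the upload columns to mean anything.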

  144. Grrrr by Anonymous Coward · · Score: 0

    As a consultant, it is you and people like you that I find annoying. Typically every client-site blocks OWA, which means that I cannot access my company e-mail during working hours. Since I not only bill, but am also a senior resource within the company, this typically means that both my manager and the people who report to me need to wait 24 hours to receive a response. This is highly annoying.

  145. To paranoid sys admins: bite my ass. by Anonymous Coward · · Score: 0

    I use Circumventor to get around this kind of crap. Sorry to invalidate your "one size fits everybody" BS, but I'm not an idiot, and I'm able to filter out malicious email just fine, thanks very much.

    To reiterate: It's my email, and I'm going to read it whether you like it or not, and if you don't like it, bite my ass.

  146. Re:When users complain by Anonymous Coward · · Score: 0

    I often think the answer is most places should have two physically separated networks. One for strictly work, on for outside mail/web,etc. Keep the corporate/client/patient data safe on one. Allow workers to spend any free/needed time to take care of personal business on the non-work machine/network.

  147. Reasons by DaMattster · · Score: 1

    I can appreciate the security implications of blocking personal web email. However, I think most other organizations do it because they are concerned that employee use of personal web mail will cut into productivity or violate some other HR rule or regulation. I am a network administrator for a small manufacturing company and we trust our employees to be judicious and discreet. I only block P2P and chat stuff because they are gaping security wounds. Plus, I have taken a layering approach to security so it is fairly safe; we also do not do any hosting of our own. Thus far, knock on wood, no problems have arisen. I hope never to have to implement any kind of content filtering because I think we all like to be able to enjoy surfing. That said, if it does become a problem, I will use DansGuardian.

  148. I didn't know BOFH was a slashdot reader... by Anonymous Coward · · Score: 0

    I like that "When users complain...." I'm no doubt the most hated person in the company....

    Sure folks complain and I'm avoided like the plague at times. But let's see, what non-maintenance downtime have I needed? Zero....

    Now I can actually take time off and play golf or take the day off. Like today. Best advice is to rule the network with an iron fist but with a gentle voice.
  149. our IT by mikerubin · · Score: 1

    does not allow the usual "bad" attachments - .exe, .bat and the like - but some of our equipment is 2000- or XP-based (no *nix - the German division decided against it) and we often need to send such files about to and from the engineers. We are forced to use webmail or upload to a site and send the download link along. It would be much easier if we had a secure mail client that would just deliver the attachments without trying to read them to us.

    --
    I sat down to write a new sig tonight and all I did was make the chair warm.
  150. It's net nazis like you who waste my time. by Anonymous Coward · · Score: 0

    It's people like you who've made me into an absolute expert in IP tunneling. If you lock me out of web mail, you'd better lock me out of admin privileges and httpd too or I'll walk right around your webmail blocks.

    And don't think you can hide your rootkit keystroke loggers and remote control software from me either.

    If you do figure out a way to keep me from tunneling through port 80, I'll plug my blackberry in and dial up to get to my personal email.

    And I always use https for my gmail account and skype for instant messages just to keep your nose out of my business.

    So what was your obstructionist rationalization again? Policies you can't control? That's nonsense. It's management thinking that their engineering staff is wasting company time on the internet. Anything else is a big fat lie.

  151. We block webmail by 4g1vn · · Score: 1

    via SurfControl on an ISA2004 array. SC does a good job keeping the database up-to-date. 2000+ users fwiw.

  152. Compromise -- Terminal Server by narf501 · · Score: 3, Insightful

    Due to being a thrall subject to corporate regs like SOX and others, I have to lock down user PCs, and restrict them behind a Draconian firewall, allowing access to only what they need to work.

    However with Terminal Services clients, I enable it to be used in a client window, and make sure that "Turn off clipboard redirection" is off in group policy. All employees can connect to a cluster of Terminal Servers which is securely in a DMZ, isolated from the rest of the network. Only a few people have administrative rights to these machines, and the only connection the Terminal Server machines have to the internal network is a port to a dedicated domain controller. To further separate the employee "free for all" TS machines from the corporate network, they are even connected to the Internet on a different link. Of course, the TS machines have a few outgoing ports blocked at the router (port 25, duh), but it's nowhere near as locked down as the internal corporate network.

    Now, desktops can be locked down, but users can do pretty much what they want on their account on the terminal server (Webmail, IM, etc.) If a user gets malware, it can only affect their user accounts (assuming the malware gets past the AV scanner resident on the machine.) There is no known way the internal PCs can be infected by a compromised terminal server (if by chance something like this occurs), and confidential corporate material can't get out by accident via the clipboard (if someone wanted to get it out, they could manually type it, but that is a different story altogether.)

  153. let them have webmail by Anonymous Coward · · Score: 1, Informative

    I have been in IT for a little while now, and been a victim and an enforcer of these draconian security templates, and, in all honesty, they don't work well at all. If you are going to block webmail, you should just block it all really. Webmail is not the only source of viruses and the like. There are a million and one other ways for these files to make it onto your network, from being embedded in jpeg files to ftp downloads, to being built right into a webpage's code. You are just making more headaches for yourself and the people who use your network; in fact, I would actually consider the network functionality as being crippled, as instead of helping to promote a positive work environment, you are doing the exact opposite. A network should improve the work environment, not shackle people down. Not to say that a stringent security policy is a bad idea, quite the opposite actually, it is a good thing. But there is such a thing as going too far and being blinded by one potential security leak, causing you to ignore a lot of other leaks.

    Personally, I say give them their webmail, just make sure your av software is current and that your firewalls are up to date.

  154. Re:When users complain by mjeffers · · Score: 1

    Limiting your users to the point that they avoid you like the plague so that the IT guy can relax and play golf makes as much sense as telling them to shit in their trashcan so the janitor can go fishing. Run the business to run the business, not make the support staff's lives easier.

  155. .vbs scripts... by pppppppman · · Score: 1

    What bugs me the most is Hotmail/GMail etc stopping legit use of VBScripts and Executables.

    In the last job I had, 90% of the work that was done was through .vbs scripts. Why can't Hotmail/GMail have a checkbox in the options that says "[ ] I am not a dumbass" so that I can receive any file sent through e-mail? Hell, sometimes I even want to download the latest virus through e-mail to have a look at it under IDA Pro. I also develop programs, and when I try to send one over MSN Messenger, I have to jump through hoops to get it to anyone (usually rename .exe's to .sexe or .rar files to .roar)
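
    The post above mentions renaming .exe files to .sexe (and .rar to .roar) to get past filters, and several posts in this thread describe blocking "bad" attachment types by extension. The script below is an added example for this thread, not code from any poster or from any mail product or webmail provider named here. It shows the two checks an attachment or download filter needs if its policy is "no executable content": look inside zip archives (recursively, with a nesting limit and a size cap so a zip bomb cannot exhaust the scanner) instead of trusting the outer file name, and recognise a Windows executable by its leading bytes so a rename does not defeat the check. The extension list, the size caps and the sample attachments are assumptions constructed for the demonstration; the "executable" sample is only a header stub, not a real program.

```python
"""Attachment filter that looks past the file name.

Added example for this thread; it is not code from any poster or from any
mail product mentioned here. The extension list, size caps and sample
files below are assumptions constructed for the demonstration.
"""
import io
import zipfile

# Assumed policy: final extensions treated as executable content.
BLOCKED_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
}
MAX_NESTING = 3                       # zips inside zips: stop descending here
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # refuse to inflate anything larger (zip-bomb guard)


def final_extension(name: str) -> str:
    """Last extension, lower-cased: "report.txt.vbs" -> ".vbs", "README" -> ""."""
    base = name.rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return "." + base.rsplit(".", 1)[-1].lower()


def looks_like_pe(data: bytes) -> bool:
    """Every Windows .exe/.dll/.scr starts with the DOS 'MZ' signature,
    whatever it is called on disk. Coarse, but it defeats a plain rename."""
    return data[:2] == b"MZ"


def find_blocked(name: str, data: bytes, depth: int = 0) -> list:
    """Return the reasons this attachment should be blocked; empty means allow."""
    reasons = []
    ext = final_extension(name)
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"{name}: blocked extension {ext}")
    if looks_like_pe(data):
        reasons.append(f"{name}: PE executable by header (named {ext or 'no extension'})")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return reasons
    if depth >= MAX_NESTING:
        reasons.append(f"{name}: archive nested deeper than {MAX_NESTING}, not inspected")
        return reasons
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member_name = f"{name}/{info.filename}"
            if info.flag_bits & 0x1:  # encrypted member: contents cannot be inspected
                reasons.append(f"{member_name}: encrypted archive member, cannot be inspected")
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                reasons.append(f"{member_name}: {info.file_size} bytes exceeds inspection cap")
                continue
            reasons.extend(find_blocked(member_name, zf.read(info), depth + 1))
    return reasons


def build_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed stand-in for an executable: only the 'MZ' header matters here.
SAMPLE_PE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56 + b"PE\x00\x00"


def demo() -> dict:
    """Run the filter over constructed attachments and return name -> reasons."""
    samples = {
        "notes.txt": b"plain text, nothing to see",
        "tool.sexe": SAMPLE_PE,                                    # renamed .exe
        "invoice.zip": build_zip({"invoice.vbs": b"WScript.Echo 1"}),
        "outer.zip": build_zip({"inner.zip": build_zip({"setup.roar": SAMPLE_PE})}),
        "docs.zip": build_zip({"readme.md": b"# fine", "data.csv": b"a,b\n1,2\n"}),
    }
    return {n: find_blocked(n, d) for n, d in samples.items()}


if __name__ == "__main__":
    for attachment, reasons in demo().items():
        print(attachment, "->", "ALLOW" if not reasons else "; ".join(reasons))
```

    Two caveats worth keeping in mind with a filter like this: an encrypted zip cannot be inspected at all, so the only safe policy is to treat it as blocked (which is exactly why malware is mailed that way), and the 'MZ' check catches renamed Windows binaries but says nothing about scripts, which is why the extension list still has to cover .vbs and friends.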

  156. Idiot by bryan1945 · · Score: 1

    Look above

    --
    Vote monkeys into Congress. They are cheaper and more trustworthy.
  157. Re:When users complain by uctechdude · · Score: 1

    I wonder...could this be a googler??? oh no...can't be...they pay 20% less

    --
    Linux fixes all the cracked Windows.
  158. Re:When users complain by multimed · · Score: 1

    Actually I'm absolutely certain I would get much more work done with the boss in jail. And I'm betting there are millions like me - Office Space, like Dilbert, is funny (when it's not downright depressing) because it's so true.

    --
    Vote Quimby.
  159. Re:When users complain by Anonymous Coward · · Score: 0

    Google lets you drink beer at work?

  160. Don't Do This In The UK by mikeplokta · · Score: 1

    In the UK, it has been established that employees have the right to privacy in their personal phone calls and emails while at work. So if you don't give employees a private way to send and receive personal email that doesn't use their corporate email account, you cannot access their corporate mailbox for any purpose, even if they leave the company or die.

  161. Lack Of Security by Seb+Hughes · · Score: 1

    At the school I go to, I must admit the security is pretty poor. Firstly one can use a USB stick, which you can pretty much bring a virus on, some hacking tools, you name it. They block saving of .vbs, .bat and stuff like that for home drives, but I could save these files anywhere else on the network and it would allow me to run it, which then could cause a DDoS attack or something to the network. Also net send is not blocked, so if somebody wanted to, they could probably send thousands of net sends or do some kind of attack that way. Also they don't monitor network traffic, so if somebody changed the cables to make a loop, causing thousands of packets to be sent, it would take them at least a day or so to fix it. Also the firewall is a piece of crap; all you have to do is do https:/// or visit a proxy server like snoopblocker.com. Also they don't record logins, so if somebody did something at a computer they wouldn't know, because they don't record logins. Also lots of teachers keep programs open which hold information about students etc., which anybody could easily access if they left their room. Also on the teachers' PCs there is extra software for them, but if any student were to log on to that PC, they would be able to access these tools. One being able to watch every PC screen in the school and take control of them, so if the admins left their office, they leave the PCs open and running, one could connect to their PC and do some destruction. One could easily plug their laptop into the network, and do all sorts of attacks such as ARP poisoning to get passwords etc. etc. The list goes on and on.

  162. blimey by Anonymous Coward · · Score: 0

    talk about being spaced out

    there are many many points to debate on, yet you choose
    typography.

    subtle.

    very,
    very

    subtle.

  163. Re:When users complain by Anonymous Coward · · Score: 0

    i hate you, too

  164. Fitter.. by boldie · · Score: 1

    happier, more productive,
    comfortable,
    not drinking too much,
    regular exercise at the gym
    (3 days a week),
    getting on better with your associate employee contemporaries,
    at ease,
    eating well
    (no more microwave dinners and saturated fats),
    ...
    sleeping well
    (no bad dreams),
    no paranoia,
    ...
    fond but not in love,
    ...
    no chance of escape,
    ...
    concerned (but powerless),
    an empowered and informed member of society
    (pragmatism not idealism),
    ...
    no longer empty and frantic like a cat tied to a stick,
    that's driven into frozen winter shit
    (the ability to laugh at weakness),
    calm,
    healthier and more productive
    a pig in a cage on antibiotics.

  165. Re:How? - VNC Server by Anonymous Coward · · Score: 0

    Set up a 'personal server' running VNC Server, completely isolated from the internal network.
    Allow people to VNC to it and access a limited account with small temporary space with the sole purpose of accessing personal webmail. No other internal box is allowed to access webmail, keeping personal and company stuff completely separated. The amount of time spent accessing the VNC server can be accounted for. No virus will jump from the VNC server to the internal network or vice versa.

  166. Slashdot success story by Anonymous Coward · · Score: 0

    Ever since we purged Windows from the machines at work receiving VBS has not been a problem. People who don't need a web browser don't have one and nobody is bothered by Outlook. Really, why does every computer need to run a system packed with non-business related software and all that multimedia junk or a system filled with programs and files that are without any documentation? If someone has a good reason to run Windows he's got it but it better be a good (business) reason. If we were switching to Vista instead we would have been forced to buy a lot of new computers and still have the original problem.

  167. Webmail blocking by Sobrique · · Score: 1

    Actually, there's another reason to disallow web mail.

    Compliance.

    Ugly word, but one that means that a _lot_ of regulated industries need to be keeping records of email and the like. Which makes messaging and external emails a problem.

  168. And this is why the industry will fragment soon by Anonymous+Brave+Guy · · Score: 1

    Additionally, a lot of jobs these days require commitment from employees that extends beyond the office, in the way of blackberries, VPN access, etc.

    But do they, really? Or is it just easier to try the old "you're on salary, you work undefined hours" cop out rather than hiring enough people to actually provide the necessary cover at all times when it's required?

    This is another trend that should be stomped on, hard, by workers. Being legitimately on call, and compensated fairly for it, is one thing. Indeed, it's a necessary part of certain jobs. But for most people, being connected with work 24/7, checking mail from home, getting calls on your spare time, is all just another abuse.

    Some time pretty soon, I think the mainstream software industry is going to start fragmenting into much smaller, more dynamic businesses. The simple fact is that good people could write the same code for themselves or a small company that they part-owned as they write for a faceless megacorp, and it would be worth just as much to customers.

    In other industries, with more physical products, there is a need for some centralisation of resources to produce products efficiently. However, this is not the case in a knowledge-based industry like software development.

    Moreover, it used to be the case that working for a larger company provided some degree of security and relieved some of the burdens that the self-employed contractor would have to deal with. These days, large companies attempt to impose increasingly one-sided employment contracts that stretch well outside normal office hours, and fire people at the drop of a hat if a product isn't selling.

    There simply isn't a compelling reason for good people to work for anyone but themselves, or a partnership with valued colleagues, any more. In that environment, they don't get bossed around by ignorant managers, aren't subject to large company bureaucracy and overheads, get to do what they really think is the best thing, and most important of all, take home all of the profits instead of giving most of them to an employer that does precious little to justify that privilege.

    Consider that other knowledge/skill-based industries have worked this way for a long time: think about lawyers and accountants. There isn't really much need for huge, monolithic software companies any more, and if you're going to get something bespoke done to improve your business, there's more benefit in getting a small, customer-friendly, and highly skilled team to do it for you than there is in buying some off-the-shelf ERP system or something and then wasting countless hours of employee time across your whole business because of the inefficiencies of using a generic product that isn't written very well, and comes complete with many bugs, little user friendliness, and often even less support from the vendor. In a more distributed, localised industry, everyone wins... except the big software companies who like to abuse good people and take most of the profits, whose free lunch is well and truly over.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  169. I'll bet it's a school... by mtec · · Score: 1

    ...that your grammar didn't go to for a spell.

    Spend less time thinking of how to break things and more time on your education.

    ---
    oh and... get off my lawn! (damn kids.)

    --
    Cake or Death? Cake Please!
  170. What about your contractors/consultants/vendors? by ogren · · Score: 2, Insightful

    A lot of times consultants/contractors/vendors are going to be using webmail to communicate.

    So if you are taking away webmail, you are effectively taking away email for these users. Which, needless to say, won't help their productivity. I once had to go back to my hotel during a workday just to collaborate with some experts within my own organization. After which I came back with a memory stick full of code we had built together offsite. The company wasn't any safer. (Actually they were less so, since the firewall never got to see or inspect my code). And the company was out several billable hours of time that I wasted trying to get the needed information and traveling offsite to get it.

  171. Re:life happens... by Anonymous Coward · · Score: 0

    But there it is, if it is work related email then it is not part of your private life. If it is not work related then you shouldn't be sending or receiving it while at work.

    At least the trains...err, the system updates are on time.

  172. Jobs aren't rocket science... by athloi · · Score: 1

    Have any of you encountered a job that required more than four hours of actual working time a day?

  173. V-L-A-N by Slashdot+Parent · · Score: 1

    The most requested demand is to allow employees' personal laptops or PDAs onto the corporate network. Each year this comes up, I make my pitch in front of the board and the policy stays in place. No personal electronic equipment allowed on the corporate network.
    Next time you make your pitch, be sure to use the word VLAN.

    I mean, seriously. Most clients of mine allow personal devices, but they VLAN them the heck away from the corporate network. Seems pretty sane to me.
    --
    They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
  174. With all due respect by Slashdot+Parent · · Score: 1

    With all due respect, your boss is not doing his job. His job is to make sure that you can do your job, and you can't do your job without violating company policy. You could lose your job over this, and your boss can't/won't do anything to fix it.

    You need to do the following:
    1. Talk to IT and say, "I need to exchange large files with [insert important client here] in order to [insert good reason here]. How would I best accomplish this in accordance with IT policies?"
    2. Talk to your boss and say, "In order to do my job, I need to exchange large files with [insert important client here] in order to [insert good reason here]. I spoke with IT, and they couldn't come up with a good solution. Can you please escalate this to the appropriate level that it gets worked out? This project is worth [insert large number here] dollars to the company, and we will all look like [insert stupid-sounding animal here] if we lose that client over this. Perhaps our VP needs to talk to the IT VP and get this figured out."
    Blatantly violating company policy is dangerous to your career.
    --
    They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
    1. Re:With all due respect by hazem · · Score: 1

      My boss faces the same bureaucracy I do. And our VP IS the IT VP...

      Our clients are internal and if we don't keep this project going, we're still expected to deliver our normal results. The project simply enables us to do it accurately and in a timely manner while reducing impact on other people in the company.

      There's already a process in place to get large projects approved and rejected. We're not a large project, so we are ignored. That's simply the fact of it.

      What we basically have is: Our IT pretends to provide us the service we need, and we pretend to follow their rules.

      Getting the job done is my top priority. Following IT rules is a lower priority. If someone gets their knickers in a wad then I'll just start Fedexing CDs back and forth - I'll just make sure to use their department's account.

      The only ones who suffer directly without this project are people in my office and my counterparts around the globe. We are low-level people and would otherwise just be stuck with working extra long hours. Being on salary, there's no overtime to cause concern.

      Just because the bureaucracy is stupid doesn't mean I have to blindly follow along.

  175. WTF? by Anonymous Coward · · Score: 0
    > despite admitting that you "scan" every file coming and going
    > from your network to protect your fragile windoze boxes

    Are you really serious? Did you actually read that comment, or are you just retarded?

  176. Re:When users complain by Azghoul · · Score: 1

    Hmmm, funny, our office and network have been virus free for years, and we don't have to adopt shitty attitudes about it. What's your problem?

  177. Re:When users complain by Lehk228 · · Score: 1

    i'm not saying you have to be the third reich of network administration, just that you can't be allowing users to do whatever the fuck they want.

    IMO the best network security is the network security your users don't even realize is there. but we don't live in a perfect world, and when there are strict laws regarding business data and accountability you need to make sure those laws are followed, using both social and technical measures.

    --
    Snowden and Manning are heroes.