Managing Personal Electronics and Software In the Workplace
darien writes "Last night Symantec hosted a round-table discussion on the topic of consumer devices in the workplace. John Brigden, Symantec's senior VP for EMEA, pointed out that regardless of the policies businesses may lay down, individuals will always try to use their favorite gadgets and websites at work. Reminds me of when I worked in IT support: no matter how many times we told users they weren't allowed to install ICQ, or to connect their personal laptops to the corporate network, they insisted on doing it. Frequently they even asked us to help them do it."
If they won't follow policy, you fire them! What's the problem? In this day and age, IT folks are easy to replace.
Think you can't? I beg to differ - I don't care who you are.
You have to shore these up with human controls: enforced policies, employee agreements, and the like.
This is a human problem caused by our adaptation to technology in our entire lives. Should the computer have been a device you only run into at work, the draconian idea of 'you may only do what we say' may have stuck. But since people get to experience life outside this kind of control, they're going to crave it everywhere.
And resisting it is mostly just frustrating everyone.
Now, I'm not saying you have to support every oddball app on the planet. I would recommend you have an 'approved software' list, and back that software up with support. Saying 'that is not supported, use this' is far better than locking things down, from my experience.
Focus on the wetware, not the software and hardware...
No matter how many times we told users they weren't allowed to install ICQ
Ahhh, 1998 was a great year, wasn't it?
On the Oregon Coast born and raised, on the beach is where I spent most of my days
Companies need to start looking at WHY their employees want to connect personal devices to corporate systems. If it's just so that they can import calendars, contact lists, etc. into their PDA or calendar at home, then set up systems to allow it. If it's to take confidential materials out of the office to work on at home (since how many people actually work a 40 hour week anymore), then set up proper encryption protocols to allow this but at the same time minimize the risks associated with data being lost.
Remember the best way to get somebody to do something is to tell them they are not allowed to.
Technology is most abused by the very people it was created to help
We block certain website groups (adult, gambling, games, etc) by default and everyone must go through our proxy to the outside world. Web logs are checked throughout the day and those who try 30 different ways to get to boobsgonewild.com are reported.
Most people have only User permissions so they can't install something and we regularly do sweeps of unapproved software on those people who do have admin privileges. I'm the one who generally gets the call to remove the software. We also check for firewalls on PCs and other software which can potentially bypass our firewall or hide the user.
As far as electronics are concerned, the worst we have are people using fans or heaters, depending on the season.
Not sure what the big deal is. These are just basic network security measures which any decent admin should do and have set up.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
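The log review described in the comment above (spotting the user who tries "30 different ways" to reach a blocked site), as an added example that is not a commenter's code. It assumes a Squid-style access.log where blocked requests carry TCP_DENIED and the username field is filled by proxy authentication; the log lines are constructed for the example.

```python
"""Flag users whose blocked web requests look like deliberate evasion rather than a stray click.

Added example, not code from the thread. Assumes Squid native log format:
  <ts> <elapsed> <client> <code>/<status> <bytes> <method> <url> <user> <hier> <type>
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample log (hostnames use the reserved .example TLD).
SAMPLE_LOG = """\
1222776000.123 2 10.1.2.3 TCP_DENIED/403 1200 GET http://boobsgonewild.example/ jsmith HIER_NONE/- text/html
1222776001.456 5 10.1.2.3 TCP_DENIED/403 1200 GET http://www.boobsgonewild.example/ jsmith HIER_NONE/- text/html
1222776002.789 3 10.1.2.3 TCP_DENIED/403 1200 GET https://boobsgonewild.example:443/ jsmith HIER_NONE/- text/html
1222776003.000 4 10.1.2.3 TCP_DENIED/403 1200 GET http://proxy-anon.example/?u=boobsgonewild.example jsmith HIER_NONE/- text/html
1222776004.000 120 10.1.2.4 TCP_MISS/200 5400 GET http://slashdot.org/ adoe HIER_DIRECT/198.51.100.7 text/html
1222776005.000 1 10.1.2.4 TCP_DENIED/403 1200 GET http://casino.example/ adoe HIER_NONE/- text/html
1222776006.000 90 10.1.2.3 TCP_MISS/200 8800 GET http://intranet.example/ jsmith HIER_DIRECT/10.9.9.9 text/html
"""


@dataclass
class UserStats:
    denied: int = 0
    allowed: int = 0
    denied_hosts: set = field(default_factory=set)


def parse_line(line: str) -> Optional[dict]:
    """Split one Squid native-format line into the fields the review needs."""
    parts = line.split()
    if len(parts) < 8:
        return None
    ts, _elapsed, client, code_status, _bytes, _method, url, user = parts[:8]
    code, _, _status = code_status.partition("/")
    # Normalise the URL to a hostname so http://, https:// and :443 variants
    # of the same site count as one blocked host.
    host = urlsplit(url).hostname or url
    return {"ts": float(ts), "client": client, "user": user,
            "host": host, "denied": code == "TCP_DENIED"}


def summarize(log_text: str) -> Dict[str, UserStats]:
    stats: Dict[str, UserStats] = defaultdict(UserStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["user"]]
        if rec["denied"]:
            s.denied += 1
            s.denied_hosts.add(rec["host"])
        else:
            s.allowed += 1
    return dict(stats)


def flag_users(log_text: str, min_denied: int = 3,
               min_distinct_hosts: int = 2) -> Dict[str, Tuple[int, List[str]]]:
    """Report users with many denials spread over more than one blocked host.

    A single denial is a mis-click; repeated denials against several hosts
    (www. variant, https variant, an anonymising proxy) is someone probing
    the filter, which is what the comment above reports to management.
    """
    flagged = {}
    for user, s in summarize(log_text).items():
        if s.denied >= min_denied and len(s.denied_hosts) >= min_distinct_hosts:
            flagged[user] = (s.denied, sorted(s.denied_hosts))
    return flagged


if __name__ == "__main__":
    for user, (count, hosts) in flag_users(SAMPLE_LOG).items():
        print(f"{user}: {count} blocked requests across {hosts}")
```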
Looking around my desk I see the following electronic widgets that are mine rather than the companies:
A pair of DEC Shark computers.
A Sparc based luggable.
Coffee percolator.
Blender.
As long as I got them checked out for electrical safety the system support people here were fine with it, and this is nothing as compared to some of the stuff I saw at a big dot.com that likes exclamation marks. One guy had a pinball machine in his cube, and another had a large tropical fish bubbling away while percolators were everywhere.
To solve the issue of personal laptops being connected to the corporate network, there needs to be some kind of server software where every approved device's MAC address is registered. When a non-approved device is connected, it will not be assigned an IP address by the DHCP server. This will cut 90% of the devices from ever being connected, since most lusers have no idea about MAC addresses, IP addresses, DHCP, and the fact that they can manually assign an IP address if they know the proper range. This does leave a rather gaping hole, though, so another layer of security is needed. It's not coming to me just yet...
On the other issue of people installing ICQ and whatnot, you set up all computers used by lusers to boot from a fresh image every time they boot. You'll have to set the darn thing up exactly the way it needs to be and then use VMware or some other solution that causes the computer to start from a known image each time. They'll install ICQ, but the next time they boot, it won't be there. They'll install it again. It'll be gone again. After five or six iterations, they'll get tired of reinstalling it. I would say that by properly setting up permissions, the issue of ICQ or any other software being installed in the first place will disappear, but given the way permissions work in Windows (and the way most software ceases to work unless you have Administrator privileges), that isn't a very good answer. The advantage of the approach where the system boots from a known image each time is that your lusers can get all the viruses, spyware, adware, etc., installed on their machine, but it won't be there for more than a few hours. Like the previous paragraph, not a perfect solution, but one that cuts down on your headache by 90%.
McCain/Palin '08. Now THAT's hope and change!
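The MAC allowlist at the DHCP server described above, together with a check for the "gaping hole" the comment leaves open (a device given a manual address in the right range), as an added example that is not a commenter's code. It assumes the leases and the ARP table have been reduced to "ip mac" lines; all sample data is constructed.

```python
"""DHCP MAC allowlist plus an ARP-table audit for devices that bypassed DHCP.

Added example, not code from the thread. Inputs are simplified 'ip mac' lines
(as one could extract from dhcpd.leases and from `arp -an` or a switch's table).
"""
from typing import Dict, Iterable, List, Tuple

# Constructed allowlist of registered company devices.
APPROVED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66", "aa:bb:cc:dd:ee:01"}

# Constructed current DHCP leases: "ip mac".
SAMPLE_LEASES = """\
10.0.0.20 00:11:22:33:44:55
10.0.0.21 00:11:22:33:44:66
"""

# Constructed ARP table: every host actually talking on the segment.
SAMPLE_ARP = """\
# ip mac
10.0.0.1  aa:bb:cc:dd:ee:01
10.0.0.20 00:11:22:33:44:55
10.0.0.21 00:11:22:33:44:99
10.0.0.77 de:ad:be:ef:00:01
"""


def normalize_mac(mac: str) -> str:
    """Accept 00-11-22-33-44-55 or 00:11:22:33:44:55 in any case."""
    return mac.strip().lower().replace("-", ":")


def parse_pairs(text: str) -> List[Tuple[str, str]]:
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac = line.split()[:2]
        pairs.append((ip, normalize_mac(mac)))
    return pairs


def should_offer_lease(mac: str, approved: Iterable[str]) -> bool:
    """The DHCP-side gate from the comment: only registered MACs get an address."""
    return normalize_mac(mac) in {normalize_mac(m) for m in approved}


def audit_network(leases_text: str, arp_text: str,
                  approved: Iterable[str]) -> Dict[str, list]:
    """Classify every host seen in the ARP table against leases and the allowlist.

    unregistered_static: on the wire, no lease, MAC unknown -> manual IP, the hole
    lease_mismatch:      IP is leased to someone else -> squatting a leased address
    approved_no_lease:   registered device with a static address (gateway, printer)
    leased:              registered device using its DHCP lease as intended
    """
    approved_set = {normalize_mac(m) for m in approved}
    leases: Dict[str, str] = dict(parse_pairs(leases_text))
    report: Dict[str, list] = {"leased": [], "approved_no_lease": [],
                               "lease_mismatch": [], "unregistered_static": []}
    for ip, mac in parse_pairs(arp_text):
        if leases.get(ip) == mac:
            report["leased"].append((ip, mac))
        elif ip in leases:
            report["lease_mismatch"].append((ip, mac, leases[ip]))
        elif mac in approved_set:
            report["approved_no_lease"].append((ip, mac))
        else:
            report["unregistered_static"].append((ip, mac))
    return report


if __name__ == "__main__":
    for bucket, hosts in audit_network(SAMPLE_LEASES, SAMPLE_ARP, APPROVED_MACS).items():
        print(bucket, hosts)
```

The two "unregistered_static" and "lease_mismatch" buckets are the devices the DHCP allowlist alone never sees, which is the second layer the comment says is still needed.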
I know when I am at work, I am supposed to be working. Nevertheless, there really doesn't need to be an all or nothing policy as it improves employee morale to allow some personal flexibility in the workplace. I know my company tries very hard to lock things down, and yet does allow some off-topic internet browsing (Slashdot, right now for example) and the occasional personal telephone call. They are, however, quick to remind us that the electronic networks to which we connect are a) company property and b) exposed as a security risk anytime we try and connect a personal electronic device. Thumb drives, iPods, PDAs, cell phones etc. are all blocked from connecting to the network.
It is all a balancing act, and a tough one at that. In the end, and no matter how much I might dislike it at times, however, they are right to restrict my access to these devices. In a funny way, they are helping me with my addiction problem - getting me off the Web.
This post brought to you by your friendly neighborhood MBA.
Problem solved. I thought this was standard operating procedure in most corporate IT shops by now anyway.
Ten years ago it was a topic, has anything changed recently that makes this a less exhausted subject? Whoever thought up this "round table" idea doesn't have enough to do I guess.
Samsung took back my unlocked bootloader because Google wants me to rent movies. They're both evil.
Wouldn't it be a good idea if companies bought licences of AV/security software for their employees to use at home? It would generally be in the companies' interest and would work for the good of all Internet users if more people had better protection. If a company knew that the home/personal PC was protected to the same level as the work PCs, the security risk would be reduced and the chance of a user bringing in a virus from home would be reduced.
Many institutions can have a more open IT policy than they think that they can have. Excluding external devices and software is often arbitrarily enforced & is of questionable benefit, as insider devices/software can be just as bad or external tools/software from those that have carte blanche to ignore policy (upper management) will be just as bad. Why not just open things up? Companies can win, as employees use technology that they are most comfortable with, and so are more productive (and it doesn't cost the company a dime). Small startups and poor educational institutions sometimes require personally owned electronic devices!
If you want to keep support costs down, refuse to service outside software & hardware. Or suggest that a policy be put in place where the users would have to pay out of pocket for such support. Caveat emptor.
If you need to exclude devices due to contracts (often due to security), you need to change the way you enforce policy. Do random checks of people entering and leaving work. Suspend or terminate employees that violate the rules.
"Reminds me of when I worked in IT support: no matter how many times we told users they weren't allowed to install ICQ, or to connect their personal laptops to the corporate network, they insisted on doing it. Frequently they even asked us to help them do it."
1. Users WILL attempt to install stuff
2. If they can't, they will eventually give up
However, if they manage, then they will push for more and more stuff, and demand support for stuff they never should have installed in the first place.
Surely they should never actually be able to install anything? Is it really THAT hard to lock a system down? My university never seems to have any problems unless people bring in external drives with stuff installed on them (someone managed to get WoW running... but then the uni stopped it somehow) and they could stop this easily enough by stopping USB.
- http://www.milkme.co.uk
Netbook (MSI Wind): EUR400
3G Modem (O2): EUR19.00 + EUR20.00 per month
Problem solved.
If I had a nickel for every time I absolutely had to install Real Player or get someone's personal camera to work with their work computer and it was a "life or death" situation, I would have enough money to buy lunch at London New York.
The game.
Good luck with that.
Since you seem to believe that setting one limit is unenforceable, why do you believe that setting a different limit is enforceable?
You cannot use IM app X because:
a. You are not allowed to use IM at work.
b. You are only allowed to use IM app Y (which does not connect to the service you want to use).
And, from TFA:
Why do so many people see "No" as "reactive"? You can evaluate new technology and new products and determine that they present security issues that outweigh their benefits.
In just about every other aspect of business this would be a non-issue. You don't allow people to replace the phone system with their own phone that is incompatible with your PBX but it's okay because they can just call the phone company and run a POTS line to their cubicle.
While they wait for that, they'll fire up a deep fryer in their cubicle and make up a batch of donuts for everyone.
Damn, your userid is old too.
This issue is a bit more complicated than you think.
To quote Einstein: "The prestige of government has undoubtedly been lowered considerably by the Prohibition law. For nothing is more destructive of respect for the government and the law of the land than passing laws which cannot be enforced. It is an open secret that the dangerous increase of crime in this country is closely connected with this."
The same kind of thing applies in a corporation. You don't want to lower morale, and you especially don't want employees to lose respect for your policies. That certainly poses more risk to the success of an organization than connecting your iPhone to the wifi network.
Maybe a better solution would be investing in IT infrastructure.
When IT doesn't serve the users, the users have to be their own IT. Users are bad at it and it causes problems.
The answer is to stop saying NO when users ask for reasonable (non-harmful) things. Help the users instead of trying to make your own job easier.
The problem with depending upon anti-virus packages is that they are reactive. And there is a delay in them.
It is a LOT easier (and verifiable) to identify what SHOULD be on a machine and then remove everything else.
Which is why most decent IT shops lock down the machines so that new apps cannot be installed on them.
Symantec would be happy to sell you some sort of "proactive compliance solution" to address this deep and serious problem that they were nice enough to convene a roundtable about.
Yeah, try locking down the computers in a software R&D department. If you succeed, you'll most likely have trouble keeping them around. IMHO there has to be a balance between security and freedom. Some security risks need to be a cost of doing business in order to keep your employees happy. I know if I couldn't read Slashdot I'd have a serious morale problem.
I used a computer I brought from home loaded with my favorite software to get off network work done at work. No different from bringing my own slide rule to work back in the day.
You have a blender at work? Wow, and I thought people who talk on the phone all day were annoying!
The nice thing about us having an all-Mac office (even better would be Linux) is that users generally don't have compatible software, so employee installations are at a minimum.
On a few of our networks we have a wifi outside of the internal network which could be connected, though we provide enough computers so they should not require that.
I think part of the thing admins should look into is why are they wanting to connect their stuff or install software. If there is a valid unfilled need, then that should be addressed instead of throwing more roadblocks on them trying to do their jobs.
"Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
May I point you to surfcontrol?
http://www.websense.com/global/en/scwelcome/
I used this for a LONG time. You can have it set up to where it just blocks packets, blocks packets based upon a BUNCH of different rulesets, block packets based upon authentication (I had a private company that the owner HAD to be able to look at porn. I created a custom container for him, and no logging, reports, etc. came through).
It will block based upon port, protocol or keywords it finds in the packets.
Best product I ever found, at least for WinTel environments (It will integrate seamlessly with domains, etc). I prefer it over MS Proxy for web based content filtering at work.
Nothing better, in my opinion.
--Toll_Free
I'm afraid you have it wrong. They WILL attempt to install stuff and one of these will happen
a) They will succeed
b) They will fail but break something serious in the process (by booting from a special CD from a friend or something like that)
c) They will fail but find some decent workaround
d) They will tell you to fuck off and find a better place to work
e) If they are incompetent enough to do a, c or d they will give up but find another hobby.
So instead of frustrating yourself and your employees, you could just demand a level of productivity in return for a pleasant workplace where having an IM client is not a crime.
I have to disagree with the people here stating that "many of these applications are harmless".
No, they are very harmful, and even if some of them are harmless right now does not mean things may not be harmful in the future.
When the business relies on IT, you cannot allow one person to be able to cause all the headaches for the network.
If a person visits a compromised website with a 0-day exploit that attacks the browser you have installed, and then proceeds to install a worm that traverses the network and attacks all of your machines, soon enough turning your whole network into a giant malware infested spamming machine.
The lockdowns are not because of "known" dangers, it's the unknowns.
You could have the most competent, updated anti-virus in the world, a rigorous patch scheme with Network Access Control implemented (mind you, NAC/NAP is a fairly new thing) that prevents people from connecting to the LAN without certain requirements being met, and a 0-day vulnerability could render all of that useless in an instant.
You have no choice but to lock down your machines and prevent users from doing things that are "harmless".
Using 802.1X with machine-based authentication, requiring a certificate issued from your company CA, you can control which devices access your network. For anything that doesn't support 802.1X natively (printers, net cams, etc.), you can whitelist the MAC on a port.
At work right now so I guess I'm a bit of a hypocrite, but anyways...
You'd be surprised the crap people try to get away with at work. I work at a college and we have several computers on mobile carts with projectors for class lectures. I do the immediate repair and updates to the systems and I've found registry scrubbers, online gambling software, chat programs, itunes downloads, and all sorts of shady things that shouldn't be on the systems. They aren't even the professor's office systems. These are only used during class. What could they possibly be doing while students are there in front of them? Boggles the mind. Thankfully I recently got the systems swapped out since they were old as shit. I had computer support set up a limited login for the professors and give me the admin so I can keep the stuff up to date and keep their paws off the important things. But man, there's some shady characters that have been on those computers over the years.
Just give them VMPlayer and a XP/SP3 image that is only like 5 gigs and they can install whatever they want.
Then lock down the company machine.
If something goes wrong with the VM, just give them a new one. Sorry, but there is no support other than that. If they lose stuff in the VM, then that's not your problem.
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
...when they stop calling me at home.
Most personal devices have simply become ubiquitous in our daily lives. Most times I see Draconian measures by business taken on by lazy little control freaks who are too fat or whiny to be a beat cop. Companies where staff actually patrol the web logs have WAY too damn much time on their hands. These are obviously the same people that enforce having passwords like "1#$rf12aB$Qzx" that needs to change every 30 days - which mean everyone has their password on a post-it next to their monitors.
Put a wireless node in the dropped ceiling with an SSID broadcast with WPA-PSK. Hook it to a power box and just leave it. Watch the admins hunt around like busy little piss-ants trying to find it. Do this in the CEO suite - preferably in the CEO's office ceiling. The network gargoyles will look like retards.
Shore up your applications and let users do what they will. It's a losing battle to lock down personal systems, especially for those with tech experience. Do YOU use a restricted system image? Most IT professionals do what they want, yet try to get others to follow their stupid rules. I'm fighting my IT department now because I've disabled all their crap except anti-virus and now my machine runs MUCH faster. I had zero tech support calls till they made me enable specialized spyware detectors, software installers and firewall software. With it running, blue-screens, hung applications and performance sucked. Now their crap is disabled again. I'll take care of my own machine, thank you very much. Stay the fark out of my machine! I use my work PC for personal reasons and work during personal time. I'll fight them till they fire me.
so dumping them for minor things like this is unwise.
In any case, if the tech support crew actually offer some guidance rather than a blanket prohibition, it's possible that they can forestall some of the more flagrantly insecure or unsafe idiocies that some users are apt to come up with.
Contrary to popular belief, not all users are criminals [gasp!] or even idiots [heresy!] and they will more often than not respond well if you take the trouble to explain *why* you don't want them running p2p on corporate machines.
We're already there in the UK Financial Services industry. Earlier this year, the FSA (our financial regulator) issued a report on best practice that, amongst other things, recommends that
If you're in the industry and doing less, expect regulatory sanctions if anything goes wrong. It's time to get tough on slack security.
The reason given around here why that is not permitted is that the IT department cannot verify that your personal machine is virus free. Their stated fear is that a personal machine will come in with some virus and it will spread uncontrolled behind our firewall, infecting hundreds of machines before it is noticed. We've had this happen and it was a real mess! Of course, we also allow people to VPN into the network from their personal machines. A bit of an inconsistency there!
Because once you allow people to connect personal items to the network your security model is non-existent. And connecting them to the workstations counts as having them on the network in this instance.
If they want to play music or whatever, they can bring radios / players / etc in. But they cannot use the company's workstations to load iTunes and fill up their iPod. That just creates another potential issue that IT has to deal with.
Now, if they'd be willing to take a pay cut so IT could afford a few more employees who would handle iTunes problems and such ... say ... $100 a month ... each.
The problem is that already taxed desktop support teams are going out to fix problems that would have never been caused if the application had never been installed. If there is a bona-fide need for a particular piece of software, IT should acquire, test, and support it.
As a state institution, we had employees go out and buy various smart devices, all of which ran proprietary "push" clients; some of which worked well, others not, others securely, others non-securely. The issue was we had literally hundreds of configurations to support, and when it worked, the users (mostly middle managers) flat-out expected the entry level techs to get their personally owned piece of equipment to work. I argued it was illegal to use state time to fix personally owned equipment and refused, but other techs weren't so lucky and hundreds of man hours for a small support group were spent supporting devices we'd never touch if management would have enforced a simple guideline of what devices and vendors we'd support. (e.g. we had no coverage on campus for Sprint, period).
At the same college, someone installed some app similar to Picasa that caused major issues with some proprietary (approved) scanning software used to record transcripts. We lost almost 2 days of productivity on that station after a full wipe and reconfigure, while the employee didn't catch any flack over it. I argued the employee violated the policy, the business suffered downtime, and she should have been sent home without pay. It was no different than breaking a copy machine by feeding stapled documents into it saying "I don't care what IT says, it SHOULD work!"
Forgive my spelling from time to time. I'm often posting during short breaks.
>> Is it really THAT hard to lock a system down?
It's impossible to lock a system down.
Impossible. Worst case, they would just open the case and reset the BIOS password. Then they would boot with another drive they brought from home that has Windows installed, copy the program to the directory of a legitimate program on the original and rename the .exe.
IT will always be perceived as not serving the users' interest since it's their job to provide a secure environment for the business. I've caught flak from day one in suggesting (successfully) that DBAs and Developers didn't need to be Domain Admins or even local administrators of database servers, of which 13 accounts were demoted. I caught flak when I suggested (successfully) strong password policies because people couldn't remember their password. The idea of letting every Tom, Dick, and Harry carry their personal laptop, thumb drive, PDA, digital camera, iPod, cell phone, and wireless device around and connect into our network scares the $hit out of me. However, it's done because the senior management want it and don't see a problem with letting the guys in the trenches do it too. That being said, we don't support any personal device and will reset workstations to standard configurations if there's a problem. Luckily I'm not the person that supports that side of our network. Now, I've got to get back to downloading some podcasts to my iPod and syncing my calendar to my PDA while I'm waiting for this torrent to download on my laptop. It's good to be king.
Then companies must institute the converse policy too: "the company cannot contact you using an electronic device outside of regular work hours." No phoning, email, computers ...
The last two places I've worked they had a wireless "guest" network. It's not connected to the corporate network in any way so there is no security problem. I connect my iPod touch to guestnet right now so I can use all my favorite apps on it.
"Politicians always tell the truth, when they're calling each other liars."
I mean, we do not allow people to send email using any Outlook client, but that's for obvious and technical reasons. We first tried to enforce this by policy since I sort of expect people to obey policy. We had one guy who insisted on using it no matter how many times I told him not to. So we explicitly disallow it at the server. Along with this we disallowed common non-encrypted services like Windows shares and the like.
However, what's the hatred of IM services? I mean, this sort of thing is a social problem, not a technical one. The only reason you would usually try to keep a lid on it is if you supposed employees were wasting their time, and this is a problem for HR or management, not the IT department. If it's simply a matter of installing unauthorized software then you have two choices from a technical point of view: authorize it, or disallow users installing software using a technical solution. If your platform does not let you have this kind of control then you're using the wrong platform for the kind of control you seek.
As far as users plugging in unauthorized devices, use managed switches, and explicitly allow the hardware you approve of. Those users found circumventing this are obviously not innocent, as they have actively circumvented your meager security, so shut them down and let HR know about it so they can decide what to do.
If you REALLY MUST keep users from using software, then shut down UDP and do explicit allows for IPs and ports after the user proves need. Force everything through a transparent proxy and do explicit allows for sites after the user proves need.
You now have control over everything on your network. If this seems draconian it's because it is; welcome to 1984(+24).
The gist is twofold: first, the IT department should try to stay out of the HR management game and stick with technical issues. Second, you can have as much control as you wish (if you think it's a good idea), so quit your crying.
I think you underestimate just how much I just don't care.
The answer is, you really have to design your systems in a secure way so that some new kid can plug in his iPhone and not cause havoc. It's a totally new world and I'm even trying to get used to it. Feeling like a fuddy-duddy in your early 30s is scary sometimes.
I work in the client-side computing world, taking care of standards-setting for client systems in a large company. For the most part, gone are the days of an IT department absolutely mandating configurations and software choices. Even if you try, people will work around the mandates.
The flip side? A lot of productivity is lost, especially if you don't protect your client PCs. University campuses are probably the worst, but I'm sure there's a bunch of medium-to-large businesses out there who let their users have full control of their machines.
The things that work for us so far are:
I'll repeat a sentiment that I posted previously -- the new generation of workers understands technology. That doesn't mean they know exactly how computers work, but the support emphasis has definitely shifted from "I know nothing. Help me figure this out." to "My machine is busted" or "I've gotten myself in a bad spot. Help!" Growing up with easy-to-use computers and the web makes for a different mindset.
Coming down on this group of tech-savvy workers is just going to make your company look like a stick-in-the-mud, 1960s style authoritarian workplace. You won't get them to stay very long. I really think the only solution is to protect the network the best you can, and only limit behaviors that have clear potential dangers.
I have three networks inside my house. One for guests and family members, one for my work computers, and one for my web servers, with firewalls between them.
Every time my employers tried to enforce some policy like that, they lost money! How? Simply I spent many hours trying to work around the restriction.
;-)
Years ago when ICQ worked only on some non-standard ports, it was easy to cut all connections other than 80 and 8080 at the gateway, for example. Then I spent hours and days playing with HTTP tunnels, proxies, etc. This was time lost for my employer but I do not regret it. The reason: I don't think that restricting ICQ will improve the security of the system or drop the productivity of the employees.
And this does not mean that I like to break policies just for the sake of it. Nothing like that, in fact. I follow all the policies that make sense to me. And I trust my common sense because I have years of experience. But I cannot agree with policies that follow Stalin's principle: "There is man, there is problem. There is no man, there is no problem". Heck, in the past (and even now in some places) having Internet at work was considered dangerous
There's a discussion like this every few months on /., and it almost always boils down to the same argument:
"I can be trusted to do anything I like on a PC, therefore everyone in the company can be trusted to do anything they like on a PC, therefore locking them down achieves absolutely nothing and it pisses everyone off. Hell, don't even bother putting any software on them - just hand them out as they left the factory and let end-users do that. Much easier than having to wait for someone from IT to come down and click next next next...."
People like me clear up the mess that comes out of doing that. What you wind up with is:
IME, a large percentage of these locked-down systems have been locked down because person or persons in the past couldn't be trusted. Now, part of the job of the IT department is keep the lockdown at a reasonable level such that it prevents the most boneheaded of errors while still allowing people to work. If they're not doing this, then you haven't got a very good IT department.
You seriously don't see anything wrong with the "boot a fresh image every time on your PC"? Wow - I'm glad you don't work for me!
What you're advocating is called the "Network Terminal" approach. This is much cheaper and easier to maintain than a PC. Honestly, why would you give people a PC at all? You've just wasted at least ~$150 on a local hard disk. And probably wasted much more money. Multiply that by a reasonable number of users, and you've just wasted your annual salary.
If you're going with PC's, have policies and procedures for that. If you're going with Network Terminals, do so, and don't waste money.
You might also want to note that there's a reason why the thin-client approach has consistently failed. But it comes back into vogue for a brief period every once in a while.
A company can experiment with different levels of restrictions, the problem is, that at the end of the day IT is on the hook, if ANYTHING undesired happens. You know... the "how come this was done?", "how come this was not done?", "how come you did not warn us that this could happen?", etc, etc.
I'm glad to see this discussion, it's quite informative on both sides:
1) IT Hubris: "luser", "lockdown", "policy"
2) User Tragedy: "don't block", "circumvent", "I want"
I own my own company, and this has been a particularly bitter issue since we've grown to triple digit employee numbers. On one hand, we're a chemical engineering firm staffed with PEs, physicists and a few odd biologists - ostensibly, reasonably intelligent people. The small support staff primarily services large scale model/sim hardware.
While those two groups get along just fine on incredibly complicated and demanding projects, for some reason it's impossible to agree on the little things: Exchange quotas, IM, web filters and - it almost gives me a migraine thinking about it right now - wifi/wireless access.
It's like the two camps can't even talk without spittle and insults - I've ordered two networks, one for production, one for quality of life. I favor the IT camp for the production and the technical staff for the other; while I realise I could save considerable money, it has been worth the expense to just end the bickering.
However, what's the hatred of IM services? I mean, this sort of thing is a social problem, not a technical one. The only reason you would usually try to keep a lid on it is if you supposed employees were wasting their time, and this is a problem for HR or management, not the IT department. If it's simply a matter of installing unauthorized software then you have two choices from a technical point of view: authorize it, or disallow users installing software using a technical solution. If your platform does not let you have this kind of control then you're using the wrong platform for the kind of control you seek.
Your homework assignment for tonight: set up a Yahoo Messenger account, set up Pidgin on a machine that's on 24/7, walk away for 24 hours.
If you can count the number of virus-wielding chatterbots that have messaged you on one hand, then please see a doctor about the extra twenty digits you've somehow acquired. Internal IM is nice, but even then it can quickly become a productivity drain.
There are some people that if they don't know, you can't tell 'em.
To echo others as well...we admin 6 offices, totalling about 60 some odd users, including remote users with home offices. We set up and configure everything from their Blackberries, to their laptops / desktops, sometimes cell phones. Nearly everyone gets admin on their workstation. That's right, nearly everyone.
In our office, we're adults...we treat each other like adults, and respect each other like adults. Only once have we had to keep an eye on someone and build a bit of a case against them...and that was initiated by management. We, as IT, know who the slackers are...but it's not our place to try to control what people do with their time. It's up to management to evaluate performance and motivate the employee(s).
With this formula, we've had zero security breaches, no lost equipment, only two viruses (over achievers who don't read email enough to recognize that zip file is NOT actually from UPS) - but even those were quickly contained and didn't spread at all.
It can be tempting for IT to become power-mongers and control freaks...but really, leave that in the hands it belongs in...and it's one less thing for you to worry about. More than one thing, actually - it's one less thing multiplied by the number of users you have.
MAC tag all of the corporate machines (should be easy if you're asset tagging systems already). Set up all corporate machines in VLANs assigned by MAC addresses. Set up user groups in your filtering system based on job title, machine type, etc and strictly limit inside access to the web via white lists and proxies.
Now, create a separate VLAN, and automatically put all systems in that VLAN that are not on your tagged, approved, MAC address listing. Let those machines access the net through a secondary method of access (cheap, high speed corporate cable service instead of the T1 etc lines). Place only simple, but secure filtering measures on that connection (blacklist instead of white list, and still incorporate inline file type and virus filtering).
Now your network is secure, and personal devices can still be used, to a limited extent, at work. Lock each active thread down to say 128 or 64K to prevent bandwidth abuse.
We allow VPN from home as well, but for any user issued a VPN account, we issue corporate versions of AV and spyware, and the VPN has strict port and application access limitations. We also quarantine the system if it does not pass certain AV definition and Windows patch revisions before it gains access to the VPN.
Yes, setting this up was complicated and expensive. If it prevented even a single virus outbreak or security breach, it paid for itself twice over, especially considering the cost of federal red flag legislation, and notifying and paying for ID theft assurance for our customer base if a leak occurred and we even suspected a breach.
There is no contest in life for which the unprepared have the advantage.
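An added example, not code from the original thread or from any product, that simulates the MAC-tagged VLAN assignment and VPN posture check the post above describes, run over constructed switch log lines. The log format, roles, VLAN numbers, MACs and thresholds are all assumptions; it also flags the failure mode a MAC-keyed scheme has to watch for, a registered MAC appearing on two switch ports at once.

```python
"""Toy model of MAC-tagged VLAN assignment plus a VPN posture check.

Registered corporate MACs land in a per-role VLAN behind a whitelist proxy,
unknown devices land in a guest VLAN behind a blacklist, and VPN clients are
quarantined until AV definitions and patch level meet a minimum. Because a
MAC address is an unauthenticated identifier that can be cloned, a registered
MAC learned on more than one port is raised as an alert. All data is constructed.
"""
import re
from collections import defaultdict
from datetime import date

# Constructed VLAN plan and asset register (normalised MAC -> job role).
CORP_VLAN_BY_ROLE = {"engineering": 10, "callcenter": 20, "it": 30}
GUEST_VLAN = 99
ASSET_REGISTER = {
    "00:11:22:33:44:55": "engineering",
    "aa:bb:cc:dd:ee:01": "callcenter",
}

# Constructed switch log: one MAC-learn event per line, in the mixed MAC
# spellings (dashes, Cisco dotted, colons) that real switch logs produce.
SAMPLE_LOG = """\
switch1 port Gi0/1 learned 00-11-22-33-44-55
switch1 port Gi0/2 learned aabb.ccdd.ee01
switch1 port Gi0/3 learned de:ad:be:ef:00:01
switch2 port Gi0/7 learned 00:11:22:33:44:55
"""

LOG_RE = re.compile(r"^(?P<switch>\S+) port (?P<port>\S+) learned (?P<mac>\S+)$")
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Canonicalise any MAC spelling to lower-case colon form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def assign_vlan(mac: str) -> int:
    """Registered (tagged) machines get their role VLAN; everything else is a guest."""
    role = ASSET_REGISTER.get(normalize_mac(mac))
    return CORP_VLAN_BY_ROLE[role] if role else GUEST_VLAN


def process_log(text: str):
    """Return ({(switch, port): vlan}, [alert strings]) for a block of log lines."""
    assignments = {}
    seen_on = defaultdict(set)
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines in a format we do not understand
        mac = normalize_mac(m["mac"])
        location = (m["switch"], m["port"])
        assignments[location] = assign_vlan(mac)
        seen_on[mac].add(location)
    # A registered MAC on two ports at once is either a cabling mistake or a clone.
    alerts = [
        f"registered MAC {mac} seen on {len(locs)} ports: {sorted(locs)}"
        for mac, locs in seen_on.items()
        if mac in ASSET_REGISTER and len(locs) > 1
    ]
    return assignments, alerts


def vpn_decision(av_definitions: date, patch_level: int, today: date,
                 max_av_age_days: int = 3, min_patch: int = 42) -> str:
    """Quarantine unless AV definitions are fresh and the (constructed) patch revision is met."""
    stale = (today - av_definitions).days > max_av_age_days
    if stale or patch_level < min_patch:
        return "quarantine"
    return "admit"


if __name__ == "__main__":
    vlans, alerts = process_log(SAMPLE_LOG)
    for loc, vlan in sorted(vlans.items()):
        print(f"{loc[0]} {loc[1]} -> VLAN {vlan}")
    for a in alerts:
        print("ALERT:", a)
    print(vpn_decision(date(2008, 6, 1), 42, date(2008, 6, 3)))
```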
I think this is probably a corollary to my "Fly Naked" proposal to the NTSC. If your security really needs to be that tight, then everyone leaves everything they were not born with, but possibly excepting medically necessary devices like contacts and pacemakers, at the door. Bar code tattoos, shaved heads, firehose showers, and latex glove searches optional.
But your productivity would be higher, wouldn't it? ;)
Just think: 50% of all people are below average.
I'm old enough to remember the workplace before internet, smart phones, pagers, gameboys, etc.
I mean, there was no pretense that use of a gadget was anything other than goofing off. You were supposed to be working: ringing up customers, moving inventory, filling out forms, maybe even entering PURELY BUSINESS RELATED DATA into a computer. If your boss caught you playing LED football or watching a 1.5'' portable TV he'd confiscate the item and yell at you to get back to work and stop wasting time.
These days, it's the bosses that have the gadgets and it seems to me like it's still a waste of time, only now they try to make their underlings and IT departments into co-dependent timewasters just to get the things to work.
RND, test labs, pre-production, software QA, software dev systems, etc should use separate user credentials, and be on separate VLANs. Part of security is limiting physical and logical access, not just permissions and filtering.
Who's the most likely user in your network to get you infected: The CEO. Seen it dozens of times. The one who refuses to accept the same security as other users is the biggest risk in the building, and he's also typically the one with the least work to actually keep him busy (if he's delegating properly).
As far as employee morale, provided it can be monitored for abuse of productivity, access to known secure sites like iGoogle, MSN, etc is not beyond permissible, but open access to the internet through anything other than personally maintained white lists in a large corporate environment is just suicide.
IT personnel should simply have a different white list than call center employees. I'm not saying everyone needs the same restrictions, but restrictions do need to be in place, and routinely analyzed for necessary changes to policy.
There is no contest in life for which the unprepared have the advantage.
Damn SlutsRUS.com is down. Musta got slashdotted...
White list? Well I know what companies I'd never work at. Wasting days of time because I can't search for a solution to a problem in what I'm doing does not make me happy. The same goes for wasting days because I can't install software I need to use.
As for productivity? That's between my manager and me. If he thinks I'm being productive then why the hell should IT or HR presume to know better?
I'm afraid you have it wrong. They WILL attempt to install stuff and one of these will happen:
a) They will succeed
b) They will fail but break something serious in the process (by booting from a special CD from a friend or something like that)
c) They will fail but find some decent-work around
d) They will tell you to fuck off and find a better place to work
e) If they are incompetent enough to do a, c or d they will give up but find another hobby.
So instead of frustrating yourself and your employees, you could just demand a level of productivity in return for a pleasant workplace where having an IM client is not a crime.
A) if IT is doing the job right, it should be impossible for a user to launch an exe. Period. This is simple and cannot be overcome by a user who does not have an admin password. If a user has an admin password, fire the admin and the user both.
B) change the BIOS to not be able to boot from CD, USB, or any device other than the primary HDD. Enable BIOS passwords. Use business class systems that have firmware monitoring software, and cases that have physical access alarms or keys. Employees that try to get around this get more than fired, they get prosecuted for tampering with company property or attempting to circumvent a security system, and could face 5-20 years in prison.
C) if you can't install software, and you can't boot from external media (and plug and play is disabled preventing other options) then they can't succeed. If they do, I say it's you who should be fired, unless the user found some zero day exploit you could not prevent; it's highly unlikely someone is so desperate to use AIM that they'll risk federal prison for hacking.
D) let them go. There's a stack of resumes down in HR waiting for people who are here to work 8 hour days and who won't fuck around on the job and waste productivity, let alone become security risks. Fire a couple and the rest stand up and work.
E) If that hobby keeps them from sitting in their seats, logged into the productivity system except when on breaks and logged out as permitted by a floor manager(ie when not getting paid), or if they bother other employees, floor managers will learn about it quick, and we'll need yet another resume from HR.
F) if an application that's not approved IS installed (because someone got access to a password they should not have), automatically terminate the user, then bill them for the HR resources required to clean the infected computer of said application. ENSURE they are aware this will be deducted from their last pay check before they accept the job. Remind them occasionally by firing an employee for trying. Network scanning software makes it real easy to detect these kinds of changes, within minutes of it happening.
G) If there's a web site they feel they need to access, business OR personal, and they feel it's a secure site, let them submit a helpdesk request to get it added to the white list. Worst that will happen is they get told NO. Even allow the submissions to be anonymous if they feel the site is questionable. As for applications, same thing goes. There will be an approved music and video player on your machine already, and chat IS permitted, provided it's logged to the servers and the chat program security prevents file transfers. Webmail is right out, but if you feel you really need to get personal e-mail in your in box, we'll add your POP credentials to your Exchange account so you can get those messages, and at least they're filtered for spam, virus, and phishing.
You're here to work. People in this country have become too complacent. 20 years ago you got fired for standing at the water cooler too long, now people think it's their right to blow 3 hours a day blogging, that somehow that's all their salary justifies they should work for.
We accommodate some leniency in allowing you 3
There is no contest in life for which the unprepared have the advantage.
I work for a fairly large company - we have 2 Class As. All the computers on our administrative LAN run a standard image. Users are just that - users, no admin rights. Field IT has limited admin rights. Why? It is pretty simple. The company cannot afford a roll-your-own environment. The workstations have to do many specific tasks that keep the company in business. Part of my regular workday involves RDPing into workstations and whacking unauthorized software. I know where it is because the system performs a hardware and software audit on a regular basis. The rules are all up front. You are told what is expected when you start the job. We do allow proxied internet access in general unless abuse is detected. We are in the process of pulling back about 1/3 of our laptops. They are no longer a perk; the user has to show a need that exceeds the security risk.
Profanity - The sign of a small mind trying to express itself.
no matter how many times we told users they weren't allowed to install ICQ, or to connect their personal laptops to the corporate network, they insisted on doing it.
We're not assholes about IT like you are apparently. We tell them "sure, bring in your personal laptops". The switches run 802.1x. If your computer hasn't been issued a certificate, you get an internet-only connection which blocks outbound SMTP, and monitors your traffic with Snort. If it appears you have a virus or are passing bad traffic, you get blocked.
There's no place like
This was solved 20+ years ago. You give the employees Xterms. They can plug whatever crap they like into them. Unless they log into the server, it won't matter. And bringing a computer from home? No big deal either, since the only program that can actually interface to the company network is X.
Issue resolved. Of course, nobody wants to do this, because this means no Windows and generally no Mac. And (some) more work.
I bring in my laptop and set it right next to my work computer. In between projects I play world of warcraft.
Ain't that the truth! Speak it brother!
LOL. I know that was a joke, but I'd just like to point out that it wouldn't. I only go over to slashdot when I'm stuck on a problem. The process of reading and responding to articles helps me think. I almost always think of the solution mid-post. After all, if you're in software you've got to tackle some pretty abstract problems. If you get stuck on something, sometimes the best thing to do is walk away from the problem for a while. Slashdot helps me do that - I consider it an essential tool.
But http://boobsgonewild.com/ is only giving me a bunch of ads. What is the right way to get to the boobs?
What are you, a Microsoft salesman?
Other than influenza or rhinovirus, slide rules aren't known to be vectors for viruses, worms, trojans, malware, spambots, etc. Even if you run anti-virus and anti-spyware, you can't guarantee that nothing will slip past the filters. Therefore, the first line of security on the networks I manage is: if I (well, the company) don't own it, you don't get to attach it to the network.
MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
Last I checked, our whitelist had over 400,000 sites. I've never gone to a commercial site, help forum, or community solution forum that was blocked unless it was associated with warez distribution or something... We get few whitelist requests since almost anywhere the sheep want to go, except MySpace and Facebook, is actually in the white list... The white list primarily stops links people click on from e-mails, and misspelled URLs that link to phishing sites.
Productivity is measured in many ways. Managers can't always look over your shoulder. Honestly, I could care less (and most of the managers with me feel the same) if you get your expected allotment of work done in half the time as another guy getting paid the same rate. I'm personally far more concerned with having to track down stupid issues because someone screwed up their machine trying to install some crap media player or website plug-in. ...and I've more than once had my own job on the chopping block because of a system outage or security breach that could have been prevented (and I always saved my ass by pointing to policy I suggested that got turned down that would have prevented the issue).
Mostly, it's about DOD STIG and SOX though. No choice, have to implement compatible policy.
There is no contest in life for which the unprepared have the advantage.
Mac, Linux, Unix, Windows, matters not. Executable files should be restricted to root/admin permissions only. Line-level employees have no purpose installing software or modifying predetermined OS settings. They want it changed, they submit a help ticket. Even admins should not be logged in as admin unless performing a task that requires admin permissions, and one that can't be done by using a Run As, or SU to root to accomplish. It's just bad, lazy, sloppy, whatever you want to call it to do otherwise.
There is no contest in life for which the unprepared have the advantage.
They are already out. Those are the idiot IT people who think that it's OK to block internet access to people who spend 10 hours a day at work and only have 10 days or fewer vacation per year.
They are the idiots who want to prohibit everything to cover up for their own incompetence and/or bad choices (can you say Microsoft products?) in case something goes wrong.
Pathetic.
Yeah, try locking down the computer in a software RND department.
I hate to sound elitist, but there *is* a difference between the physical plant guy or the customer service rep and an IT employee. Give the employees the tools and access they need to do their jobs. An employee who needs a computer just to receive corporate e-mail, visit the intranet and open/close service tickets might not (in fact, probably doesn't) need admin rights or the right to install and delete software.
On the other hand, a developer, a sys admin or a help desk tech probably does.
MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
Sensible companies see this as a bit of give and take and are flexible.
Why not provide two networks? The "dirty net" and the "clean net". On the dirty net you can plug in your personal stuff, chat, etc. On the clean net you can only use corporate sanitized equipment.
Engineering is the art of compromise.
While the IT department is "in charge of the network" and exists largely to make sure that the company's computing resources are both safe and effective, it really is not the IT department (or the people working in it) who should decide just exactly what should and should not be allowed on the network. That is a decision that should come from the top levels of management with input from the IT staff, lawyers, and the affected business units.
The reason for this is that every business is unique and what is right for one company isn't right for another. As IT staff we are here to serve the company, the management, and ultimately the shareholders.
However, whats the hatred of IM services?
In some cases, there are laws that mandate retention of electronic communications in and out of a business (SOX, HIPAA, etc.). If your employees are connecting to any and every IM service imaginable and you are following the required retention policies, the company can end up in a lot of hot water. In other cases, companies are simply worried about proprietary or confidential information leaking out. Finally, any network service or client could potentially be a vector for malware.
MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
And get sacked...
I work in a shop selling computer games, whoop-de-do, even we have a small sticker which says "do not remove this blah blah employee handbook".
Refer to the employee handbook: "If you do anything to anything, without being told to, we reserve the right to fire your ass outta the door".
In fact, recently I was asked to help change the ADSL filter on the phone line simply because something wasn't working right and no one else knew what they were looking at. I asked for it to be confirmed in writing (only took 5 minutes anyway) before I actually did anything. I didn't want them coming back with that as a random excuse to get rid of me somewhere down the line.
- http://www.milkme.co.uk
TFA tells us that people not only try to use ICQ and personal laptops on the LAN, they expect IT to support it for them. This is not a problem, boys and girls! Every time IT gets a request for such support, it's forwarded to an appropriate department so that the person requesting the support can be disciplined for their failure to follow company policy. No, it won't stop people from doing such things. It will, however, weed out those who can't manage on their own and are too stupid to learn from what happened the first time they asked for help.
Good, inexpensive web hosting
The answer is to provide the employee with the tools that they need to do their job. This means the corporate approved and tested hardware and applications to perform their jobs. The workstations are then locked down and the employees are given User level access. This negates their ability to make improper changes to the system, install software of any kind, mount iPods and dodgy phones or even visit websites deemed inappropriate for their job function.
If the employee is not satisfied with what is provided, they must present a business case that justifies why their desire is a job requirement.
The employee can then set to doing what they were hired to do and IT can concentrate on the document imaging system integration project or what have you rather than fixing yet another workstation that was hosed by iTunes or a virus infected USB picture frame.
Finally, if the employee feels that being required to perform their job rather than post to Slashdot or chat on Facebook is too much to ask without 'crushing their morale', then they can take it up with HR on their way out.
As somebody who's done tech support, I can assure you that most of the time we'd rather do exactly that. Alas, tech support doesn't write the rules it just enforces them or gets punished if they don't.
Good, inexpensive web hosting
You have no idea of user discipline do you?
I do not allow anyone but IT staff to install anything. We have not had a virus or malware for 3 years, and zero downtime due to software faults. Can you say the same?
Doing your job in IT means offending some people.
It's called Function Segregation & Visibility As A Means Of Control
( by inducing Self-Control! )
1. 2-Logins:
Work & Lunchtime.
2. Client-Server = Cloud-Computing Done Right
( YOU keep YOUR data, in YOUR datacentre )
Make it *impossible* for them to be simultaneously logged-in to both
Work & Lunchtime/Personal logins.
Log & restrict *completely*, what goes into the Work desktop-environment.
Log & sanely-restrict, but not nazi-sysadmin, the Lunchtime/Personal login.
Provide 'em with weekly reports of their use, including the websites they spent time on, & their downloads & program-use time.
That way they *understand* that their action is quite visible.
Often there are better tools available to get a job done than the ones some asshat from the desktop team thinks a user will need. Frankly a lot of IT teams are full of douche bags who don't understand the jobs of other departments. No. No. No. No. It's like a mantra of the stupid. Old out of touch IT heads and other people who have fooled their employers into thinking they add value to the organization while at every turn making it harder to get even basic shit done.
IM clients for one. I have no idea how a normal office would function without IM ability. Multitasking; on the phone with vendors while IMing different people in a group working to resolve an issue. IMing from a site without phones and cell phone dead zones. The ability to copy and paste configs, errors, misc output, urls... It even allows the 'water cooler talk' without much interruption of your tasks at hand.
Like rants can be made on a variety of other software or devices.
That article is pretty lacking in substance in general.
With IM (Skype or Yahoo on computer or phone) dev engineering and support engineering can be in touch instantly. I think that makes our company more responsive to our customers.
Our IT head said that we shouldn't use Skype or Yahoo because they weren't 'Enterprise Ready' but didn't suggest anything that was 'Enterprise Ready'. Finally, when pressed, he came up with a couple, but so far we haven't changed to them.
One thing that works to a degree in a medium sized organisation is just telling everyone (including new employees when they start) that all internet traffic is logged and that bandwidth hogs need a pretty good excuse when things get congested. After wandering about the office informing all that the net will be faster now that employee X has agreed to stop downloading a porn DVD you usually get less unneeded traffic.
I imagine that the IT staff at places like Google and eBay probably do not lock down their internet in a draconian manner as they need the internet to do their jobs.
Other types of jobs, like oh say cell phone company support, where they block everything but the company website (lucky you, you get to see their website without all the piles of ads!) and intranet sites on all 2000 ways they get to keep the early termination fee.
I'm really not offended if "the company policy" was to restrict the internet to business needs. I am offended if "the IT department" says we can't do X. Period. I'm not offended if they say why.
So the corporate policy may be to NOT allow the use of chat applications to connect to outside the company. That's fine. The company policy may also limit you to only accessing websites for business needs. You know how you solve that? You run a separate connection to "the break room" that has a default 'accept' policy for internet sites, but denies installing applications by blocking writing to the machine's hard drive. That I found worked well. If I really needed information from X website, even out of boredom, I would save the page to the network drive (which was available) and then load it on my workstation when there was no work to do.
What is frustrating, if not irritating, is when the company hardware's performance is substandard all over the premises.
Say the computer you work at is an old P3, but the boss's computer is a high end Core Duo. Boss sends you every email as a PowerPoint attachment; it takes your computer 3 minutes to download and load it. It would have been faster to walk over to the boss's computer and have him show it to you.
Another issue, on the USB drives. Some machines have USB ports that are enabled (mostly newer machines or machines that were supervisor stations at some point.) Others let you hotswap HID devices only. So by virtue of being able to write to the USB device, any data on the machine can be stolen, including any data on the network. That's why it's dangerous. Let alone bringing in any foreign data (reminiscent of floppy drives). And yet the CD/DVD drives allow anything to be put in them. If you are trying to prevent theft of data, you are doing it wrong.
Instead of disabling the port, monitor to see what is being transferred to 'foreign drives'. If someone keeps transferring a lot of files TO the drive, and never from it, then someone is probably stealing data. If you see that someone is bringing the same files back changed/unchanged, maybe they have a legitimate business reason for it.
In one place I worked, they solved the USB issue by physically locking the computers in the cubicle, so you physically couldn't even hit the power switch (good thing) or turn it off. Clever idea, but when the machine goes Blaster-worm, you want to unplug it, not let it wreak havoc.
I typically state that if they want to use their devices then they must sign a fictional "Disclosure Policy" which the Virus Scanners on the network must scan their device and reports a list of every file that they have on the device to me for inspection.
Most users say, "Ah, no that's fine, I won't use it" simply because they have porn or something similar they don't want me to know about!
I usually tell them (if I think they're going to plug it in anyway) that the Scanners automatically detect the presence of new devices and scan it anyway.
Sort of like a Police Radar Detector, their existence is enough to scare people into doing the right thing!
http://www.gibby.net.au
Most of the medical "professionals" & "financial genius" types I've had to deal with start out by demanding that the company I work for cater to their whims as to which software, personal printer, laptop, PC or large display from home gets installed or set up for them. In the rare instances someone would hesitate to bow before their brilliance, they would then begin to vary tactics to include:
1. Screaming obscenities.
2. I'm going to report you to...
3. I'm going to the board on this! (not joking)
4. I'm calling your boss at home!
5. I had this at the last place I worked for & I was promised it here! (not lying)
6. My husband has that software where he works & doesn't like it, I'm not having it here!
ALL of these tactics work. 2x heads of our IT area so far, the 1st started the bad habit of being utterly spineless & the 2nd has realized the futility of fighting the losing battle since the higher powers of the 4k+ employee company think...Ummm...In less than endearing terms of our "little" department/division.
How does one fix such a mess? Prayer, the damage has already been done.
I think the key is getting the Rules Set In Stone From The Beginning, not from "those computer people", but from the highest possible level of the organization. (insert prayer here)
Failing that, lock down what'ere can be & weather the storm as best ye can.
At my current place of employment we have a similar problem. Those damn Windows programs play havoc with our networks, letting viruses loose, attracting ad ware and other malware. Every day employees attempt to use personal Windows machines on our pristine net. Jeez, now some folks have personal phones that run Windows so we had to ban them as well.
Finally we laid down the law: No Windows machines in the head office or any satellite offices. No Windows CE, ME, NT, XP or Vista. Everything was going great until the CEO's trophy-wife tried to connect her Windows Mobile smart phone to our net. It seems she was still in his office when he came back from a very long lunch with his "important client", AKA his large-breasted secretary. Divorce proceedings are underway.
We use tools like smart phones and irc to DO our jobs where I work.