Managing Personal Electronics and Software In the Workplace
darien writes "Last night Symantec hosted a round-table discussion on the topic of consumer devices in the workplace. John Brigden, Symantec's senior VP for EMEA, pointed out that regardless of the policies businesses may lay down, individuals will always try to use their favorite gadgets and websites at work. Reminds me of when I worked in IT support: no matter how many times we told users they weren't allowed to install ICQ, or to connect their personal laptops to the corporate network, they insisted on doing it. Frequently they even asked us to help them do it."
You have to shore these up with human controls: enforced policies, employee agreements, and the like.
This is a human problem caused by our adaptation to technology in our entire lives. Should the computer have been a device you only run into at work, the draconian idea of 'you may only do what we say' may have stuck. But since people get to experience life outside this kind of control, they're going to crave it everywhere.
And resisting it is mostly just frustrating everyone.
Now, I'm not saying you have to support every oddball app on the planet. I would recommend you have an 'approved software' list, and back that software up with support. Saying 'that is not supported, use this' is far better than locking things down, from my experience.
Focus on the wetware, not the software and hardware...
No matter how many times we told users they weren't allowed to install ICQ
Ahhh, 1998 was a great year, wasn't it?
On the Oregon Coast born and raised, On the beach is where I spent most of my days
Companies need to start looking at WHY their employees want to connect personal devices to corporate systems. If it's just so that they can import calendars, contact lists, etc. into their PDA or calendar at home, then set up systems to allow it. If it's to take confidential materials out of the office to work on at home (since how many people actually work a 40 hour week anymore), then set up proper encryption protocols to allow this but at the same time minimize the risks associated with data being lost.
Remember the best way to get somebody to do something is to tell them they are not allowed to.
Technology is most abused by the very people it was created to help
We block certain website groups (adult, gambling, games, etc) by default and everyone must go through our proxy to the outside world. Web logs are checked throughout the day and those who try 30 different ways to get to boobsgonewild.com are reported.
Most people have only User permissions so they can't install something and we regularly do sweeps of unapproved software on those people who do have admin privileges. I'm the one who generally gets the call to remove the software. We also check for firewalls on PCs and other software which can potentially bypass our firewall or hide the user.
As far as electronics are concerned, the worst we have are people using fans or heaters, depending on the season.
Not sure what the big deal is. These are just basic network security measures which any decent admin should do and have set up.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
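A small reviewer for the kind of proxy log check the post above describes (denied requests checked through the day, repeat offenders reported). This is an added example, not code from the post or from any product mentioned in the thread; the log lines are constructed in Squid's native access.log layout, and the user names, hostnames and the reporting threshold are assumptions. It counts TCP_DENIED requests per authenticated user and lists the distinct hosts each one aimed at, so the person who goes for a blocked site by hostname, by www. prefix, by raw IP, by CONNECT and through a web-based proxy shows up as one user with five denials rather than five unrelated lines.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout (not real traffic):
# timestamp elapsed client result/status bytes method url user hierarchy type
SAMPLE_LOG = """\
1222200001.123    0 10.1.2.50 TCP_DENIED/403 3652 GET http://boobsgonewild.com/ jsmith NONE/- text/html
1222200002.456    0 10.1.2.50 TCP_DENIED/403 3652 GET http://www.boobsgonewild.com/ jsmith NONE/- text/html
1222200003.789    0 10.1.2.50 TCP_DENIED/403 3652 CONNECT boobsgonewild.com:443 jsmith NONE/- -
1222200004.012    0 10.1.2.50 TCP_DENIED/403 3652 GET http://198.51.100.7/ jsmith NONE/- text/html
1222200005.345  120 10.1.2.51 TCP_MISS/200 12034 GET http://slashdot.org/ alee DIRECT/203.0.113.10 text/html
1222200006.678    0 10.1.2.51 TCP_DENIED/403 3652 GET http://pokeronline.example/ alee NONE/- text/html
1222200007.901    0 10.1.2.50 TCP_DENIED/403 3652 GET http://anonproxy.example/browse.php?u=boobsgonewild.com jsmith NONE/- text/html
"""

# One regex per field of the native format; anything that does not match is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)


def parse_line(line):
    """Return the log fields as a dict, or None for a line that is not in the expected layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def target_host(method, url):
    """Normalise a request to the host it was aimed at.

    CONNECT (HTTPS tunnelling) logs host:port instead of a URL, so the two
    forms have to be handled separately to land on the same hostname.
    """
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    host = urlsplit(url).hostname
    return (host or url).lower()


def review(log_text, threshold=3):
    """Group denied requests by user and report users at or above the threshold.

    Returns {user: {"denied": count, "targets": sorted distinct hosts}} so the
    reviewer sees both how often and how many different ways someone tried.
    """
    denied = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["result"].startswith("TCP_DENIED"):
            continue
        denied[rec["user"]].append(target_host(rec["method"], rec["url"]))

    report = {}
    for user, hosts in denied.items():
        if len(hosts) >= threshold:
            report[user] = {"denied": len(hosts), "targets": sorted(set(hosts))}
    return report


if __name__ == "__main__":
    for user, info in review(SAMPLE_LOG).items():
        print(f"{user}: {info['denied']} denied requests to {', '.join(info['targets'])}")
```

Note what the normalisation buys: the raw-IP attempt and the CONNECT attempt are the ones a grep for the site name would miss, and the request routed through anonproxy.example is only visible because the proxy denied the proxy, not because the filter recognised the destination. That last case is the argument for reviewing the log rather than trusting the category list alone.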
Looking around my desk I see the following electronic widgets that are mine rather than the company's:
A pair of DEC Shark computers.
A Sparc based luggable.
Coffee percolator.
Blender.
As long as I got them checked out for electrical safety the system support people here were fine with it, and this is nothing as compared to some of the stuff I saw at a big dot.com that likes exclamation marks. One guy had a pinball machine in his cube, and another had a large tropical fish bubbling away while percolators were everywhere.
To solve the issue of personal laptops being connected to the corporate network, there needs to be some kind of server software where every approved device's MAC address is registered. When a non-approved device is connected, it will not be assigned an IP address by the DHCP server. This will cut 90% of the devices from ever being connected, since most lusers have no idea about MAC addresses, IP addresses, DHCP, and the fact that they can manually assign an IP address if they know the proper range. This does leave a rather gaping hole, though, so another layer of security is needed. It's not coming to me just yet...
On the other issue of people installing ICQ and whatnot, you set up all computers used by lusers to boot from a fresh image every time they boot. You'll have to set the darn thing up exactly the way it needs to be and then use VMware or some other solution that causes the computer to start from a known image each time. They'll install ICQ, but the next time they boot, it won't be there. They'll install it again. It'll be gone again. After five or six iterations, they'll get tired of reinstalling it. I would say that by properly setting up permissions, the issue of ICQ or any other software being installed in the first place will disappear, but given the way permissions work in Windows (and the way most software ceases to work unless you have Administrator privileges), that isn't a very good answer. The advantage of the approach where the system boots from a known image each time is that your lusers can get all the viruses, spyware, adware, etc., installed on their machine, but it won't be there for more than a few hours. Like the previous paragraph, not a perfect solution, but one that cuts down on your headache by 90%.
McCain/Palin '08. Now THAT's hope and change!
I know when I am at work, I am supposed to be working. Nevertheless, there really doesn't need to be an all or nothing policy as it improves employee morale to allow some personal flexibility in the workplace. I know my company tries very hard to lock things down, and yet does allow some off-topic internet browsing (Slashdot, right now for example) and the occasional personal telephone call. They are, however, quick to remind us that the electronic networks to which we connect are a) company property and b) exposed as a security risk anytime we try and connect a personal electronic device. Thumb drives, iPods, PDAs, cell phones etc. are all blocked from connecting to the network.
It is all a balancing act, and a tough one at that. In the end, and no matter how much I might dislike it at times, however, they are right to restrict my access to these devices. In a funny way, they are helping me with my addiction problem - getting me off the Web.
This post brought to you by your friendly neighborhood MBA.
Problem solved. I thought this was standard operating procedure in most corporate IT shops by now anyway.
Ten years ago it was a topic, has anything changed recently that makes this a less exhausted subject? Whoever thought up this "round table" idea doesn't have enough to do I guess.
Samsung took back my unlocked bootloader because Google wants me to rent movies. They're both evil.
Wouldn't it be a good idea if companies bought licences of AV/security software for their employees to use at home? It would generally be in the company's interest and would work for the good of all Internet users if more people had better protection. If a company knew that the home/personal PC was protected to the same level as the work PCs, the security risk would be reduced and the chance of a user bringing in a virus from home would be reduced.
"Reminds me of when I worked in IT support: no matter how many times we told users they weren't allowed to install ICQ, or to connect their personal laptops to the corporate network, they insisted on doing it. Frequently they even asked us to help them do it."
1. Users WILL attempt to install stuff
2. If they can't, they will eventually give up
However, if they manage, then they will push for more and more stuff, and demand support for stuff they never should have installed in the first place.
Surely they should never actually be able to install anything? Is it really THAT hard to lock a system down? My university never seems to have any problems unless people bring in external drives with stuff installed on them (someone managed to get WoW running... but then the uni stopped it somehow) and they could stop this easily enough by stopping USB.
- http://www.milkme.co.uk
Netbook (MSI Wind): EUR400
3G Modem (O2): EUR19.00 + EUR20.00 per month
Problem solved.
If I had a nickel for every time I absolutely had to install Real Player or get someone's personal camera to work with their work computer and it was a "life or death" situation, I would have enough money to buy lunch at London New York.
The game.
Good luck with that.
Since you seem to believe that setting one limit is unenforceable, why do you believe that setting a different limit is enforceable?
You cannot use IM app X because:
a. You are not allowed to use IM at work.
b. You are only allowed to use IM app Y (which does not connect to the service you want to use).
And, from TFA:
Why do so many people see "No" as "reactive"? You can evaluate new technology and new products and determine that they present security issues that outweigh their benefits.
In just about every other aspect of business this would be a non-issue. You don't allow people to replace the phone system with their own phone that is incompatible with your PBX but it's okay because they can just call the phone company and run a POTS line to their cubicle.
While they wait for that, they'll fire up a deep fryer in their cubicle and make up a batch of donuts for everyone.
Damn, your userid is old too.
This issue is a bit more complicated than you think.
To quote Einstein: "The prestige of government has undoubtedly been lowered considerably by the Prohibition law. For nothing is more destructive of respect for the government and the law of the land than passing laws which cannot be enforced. It is an open secret that the dangerous increase of crime in this country is closely connected with this."
The same kind of thing applies in a corporation. You don't want to lower morale, and you especially don't want employees to lose respect for your policies. That certainly poses more risk to the success of an organization than connecting your iPhone to the wifi network.
Maybe a better solution would be investing in IT infrastructure.
If they won't follow policy, you fire them! What's the problem? In this day and age, IT folks are easy to replace.
Think you can't? I beg to differ - I don't care who you are.
I think you need to meet somewhere in the middle. Employees expect some flexibility with their equipment, and yes there should be limitations on what you can or can not use on that equipment, but a blanket statement like "Don't follow the policy-fired" isn't what is really being asked here.
How do you find a good position for where the policy and employee desires meet? I certainly wouldn't work for a company that refused to even consider installing certain programs or the use of certain 'gadgets'.
An example of this is how certain 'closed' or camera-restricted areas are modifying their policies and training so that people can carry their cell phones with them, since nearly all have built-in cameras. I.e., in areas where you are already allowed to carry a cell phone, you take a special training course and then are allowed to use a cell phone that has a built-in camera. There are still restrictions, but it recognizes that it is hard to find a phone w/o a camera.
The result was that you ended up with VPs and such who couldn't pick the cell phone they wanted because the stores didn't carry them without cameras. And if you don't care that a VP wants to pick a certain phone, and the only rationale you can come up with is "It's policy", then perhaps it is you that should be worried that IT folks are easy to replace.
Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
When IT doesn't serve the users, the users have to be their own IT. Users are bad at it and it causes problems.
The answer is to stop saying NO when users ask for reasonable (non-harmful) things. Help the users instead of trying to make your own job easier.
The problem with depending upon anti-virus packages is that they are reactive. And there is a delay in them.
It is a LOT easier (and verifiable) to identify what SHOULD be on a machine and then remove everything else.
Which is why most decent IT shops lock down the machines so that new apps cannot be installed on them.
Symantec would be happy to sell you some sort of "proactive compliance solution" to address this deep and serious problem that they were nice enough to convene a roundtable about.
Yeah, try locking down the computer in a software R&D department. If you succeed, you'll most likely have trouble keeping them around. IMHO there has to be a balance between security and freedom. Some security risks need to be a cost of doing business in order to keep your employees happy. I know if I couldn't read Slashdot I'd have a serious morale problem.
That's a nice theory, but unless you work in fast food high turnover is not a good thing. It's very expensive to find and train qualified people, so dumping them for minor things like this is unwise.
You have a blender at work? Wow, and I thought people who talk on the phone all day were annoying!
Nice thing about us having an all-Mac office (even better would be Linux) is that users generally don't have compatible software, so employee installations are at a minimum.
On a few of our networks we have a wifi outside of the internal network which could be connected, though we provide enough computers so they should not require that.
I think part of the thing admins should look into is why are they wanting to connect their stuff or install software. If there is a valid unfilled need, then that should be addressed instead of throwing more roadblocks on them trying to do their jobs.
"Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
May I point you to surfcontrol?
http://www.websense.com/global/en/scwelcome/
I used this for a LONG time. You can have it set up to where it just blocks packets, blocks packets based upon a BUNCH of different rulesets, block packets based upon authentication (I had a private company that the owner HAD to be able to look at porn. I created a custom container for him, and no logging, reports, etc. came through).
It will block based upon port, protocol or keywords it finds in the packets.
Best product I ever found, at least for WinTel environments (It will integrate seamlessly with domains, etc). I prefer it over MS Proxy for web based content filtering at work.
Nothing better, in my opinion.
--Toll_Free
I'm afraid you have it wrong. They WILL attempt to install stuff and one of these will happen
a) They will succeed
b) They will fail but break something serious in the process (by booting from a special CD from a friend or something like that)
c) They will fail but find some decent-work around
d) They will tell you to fuck off and find a better place to work
e) If they are incompetent enough to do a, c or d they will give up but find another hobby.
So instead of frustrating yourself and your employees, you could just demand a level of productivity in return for a pleasant workplace where having an IM client is not a crime.
I have to disagree with the people here stating that "many of these applications are harmless".
No, they are very harmful, and even if some of them are harmless right now, that does not mean they may not be harmful in the future.
When the business relies on IT, you cannot allow one person to be able to cause all the headaches for the network.
If a person visits a compromised website with a 0-day exploit that attacks the browser you have installed, it can proceed to install a worm that traverses the network and attacks all of your machines, soon enough turning your whole network into a giant malware-infested spamming machine.
The lockdowns are not because of "known" dangers, it's the unknowns.
You could have the most competent, updated anti-virus in the world, a rigorous patch scheme with Network Access Control implemented (mind you, NAC/NAP is a fairly new thing) that prevents people from connecting to the LAN without certain requirements being met, and a 0-day vulnerability could render all of that useless in an instant.
You have no choice but to lock down your machines and prevent users from doing things that are "harmless".
Using 802.1X with machine-based authentication, requiring a certificate issued from your company CA, you can control which devices access your network. For anything that doesn't support 802.1X natively (printers, net cams, etc.), you can whitelist the MAC on a port.
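An added example for the earlier post on registering approved MAC addresses with the DHCP server (which admits its hole for anyone who sets a static IP) and the post above on 802.1X with per-port MAC whitelisting for printers. It is not code from either post. It cross-references who is actually on the wire (a constructed `ip neigh` listing from the gateway) against who was admitted (a constructed ISC dhcpd.leases excerpt) and a hypothetical device register; every MAC, hostname and address in it is made up. The point it demonstrates is that the neighbour table, not the lease file, is the ground truth: a device that skipped DHCP still shows up there, and an approved MAC appearing at an address DHCP never handed out is either a static configuration or a cloned MAC, the case MAC filtering cannot tell apart and certificate-based 802.1X can.

```python
import re

# Hypothetical device register: MAC -> (name, mab). mab=True marks the
# printers/cameras that cannot do 802.1X and are admitted per-port by MAC
# (MAC Authentication Bypass); they are expected to have no DHCP lease.
APPROVED = {
    "00:0c:29:4a:1b:22": ("ws-finance-01", False),
    "00:0c:29:9f:0e:81": ("ws-eng-07", False),
    "00:80:77:31:a2:c4": ("printer-2f", True),
}

# Constructed excerpt in ISC dhcpd.leases syntax (not from a real server).
SAMPLE_LEASES = """\
lease 10.10.0.21 {
  starts 4 2008/10/16 08:01:12;
  ends 4 2008/10/16 20:01:12;
  binding state active;
  hardware ethernet 00:0c:29:4a:1b:22;
}
lease 10.10.0.22 {
  starts 4 2008/10/16 08:03:40;
  ends 4 2008/10/16 20:03:40;
  binding state active;
  hardware ethernet 00:0c:29:9f:0e:81;
}
"""

# Constructed `ip neigh show` output from the gateway: who is actually talking.
# 10.10.0.77 reuses an approved MAC at an address DHCP never issued;
# 10.10.0.99 is a MAC nobody registered and that never asked DHCP for anything.
SAMPLE_NEIGH = """\
10.10.0.21 dev eth1 lladdr 00:0c:29:4a:1b:22 REACHABLE
10.10.0.22 dev eth1 lladdr 00:0c:29:9f:0e:81 STALE
10.10.0.77 dev eth1 lladdr 00:0c:29:9f:0e:81 REACHABLE
10.10.0.50 dev eth1 lladdr 00:80:77:31:a2:c4 REACHABLE
10.10.0.99 dev eth1 lladdr 00:1b:63:7d:e2:90 REACHABLE
10.10.0.130 dev eth1 FAILED
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
HW_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]{17});")
STATE_RE = re.compile(r"binding state\s+(\w+);")


def parse_leases(text):
    """Return {mac: ip} for leases in state 'active'; expired/free ones are ignored."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        hw, state = HW_RE.search(body), STATE_RE.search(body)
        if hw and state and state.group(1) == "active":
            leases[hw.group(1).lower()] = ip
    return leases


def parse_neigh(text):
    """Return {mac: set(ips)} from `ip neigh` output; entries without lladdr (FAILED) are skipped."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if "lladdr" in parts:
            mac = parts[parts.index("lladdr") + 1].lower()
            seen.setdefault(mac, set()).add(parts[0])
    return seen


def audit(approved, leases, neigh):
    """Compare what is on the wire with what was admitted and what is approved.

    Returns {mac: [reasons]} for every MAC that needs a human to look at it.
    """
    findings = {}
    for mac, ips in sorted(neigh.items()):
        reasons = []
        if mac not in approved:
            reasons.append("not in device register")
            if mac not in leases:
                reasons.append("no DHCP lease: static IP defeats DHCP-only MAC filtering")
        else:
            name, mab = approved[mac]
            # A MAB device is expected to be static; a workstation is not.
            unleased = sorted(ips - {leases.get(mac)}) if not mab else []
            if unleased:
                reasons.append(
                    f"{name} seen at {', '.join(unleased)} without a lease: "
                    "static config or cloned MAC; only 802.1X can tell which"
                )
        if reasons:
            findings[mac] = reasons
    return findings


if __name__ == "__main__":
    for mac, reasons in audit(APPROVED, parse_leases(SAMPLE_LEASES), parse_neigh(SAMPLE_NEIGH)).items():
        print(mac, "->", "; ".join(reasons))
```

Run against the samples it flags 00:1b:63:7d:e2:90 twice (unregistered, and on the LAN without ever touching DHCP) and ws-eng-07's MAC once for the extra address 10.10.0.77, while the printer on its MAB port and the two properly leased workstations stay quiet. That second finding is the one to act on when you only have MAC filtering: a MAC is a setting, not a secret, and a register of approved MACs tells you nothing about who typed it into their laptop.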
At work right now so I guess I'm a bit of a hypocrite, but anyways...
You'd be surprised the crap people try to get away with at work. I work at a college and we have several computers on mobile carts with projectors for class lectures. I do the immediate repair and updates to the systems and I've found registry scrubbers, online gambling software, chat programs, itunes downloads, and all sorts of shady things that shouldn't be on the systems. They aren't even the professor's office systems. These are only used during class. What could they possibly be doing while students are there in front of them? Boggles the mind. Thankfully I recently got the systems swapped out since they were old as shit. I had computer support set up a limited login for the professors and give me the admin so I can keep the stuff up to date and keep their paws off the important things. But man, there's some shady characters that have been on those computers over the years.
Just give them VMPlayer and an XP/SP3 image that is only like 5 gigs and they can install whatever they want.
Then lock down the company machine.
If something goes wrong with the VM, just give them a new one. Sorry, but there is no support other than that. If they lose stuff in the VM, then that's not your problem.
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
That's a nice theory, but unless you work in fast food high turnover is not a good thing. It's very expensive to find and train qualified people, so dumping them for minor things like this is unwise.
Pretty much.
It is much easier (and cheaper) to restrict things, but give employees the ability to request certain features, programs, or support for gadgets. It does take time to evaluate those requests, but it is certainly cheaper than replacing an unhappy employee or one that needs to get around the blocks because there is no method to request access. When you make the decision, it is also helpful to explain in a dept or company wide letter why the program or gadget is blocked. Do not install "XYZ" will only get you so far. Do not install "XYZ" because it has a known security flaw that we cannot allow on our system, will give you a much better response.
Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
I've lost count of how many times I've been forced to circumvent stupid policies to be able to actually do my job. Cos neither my boss nor myself want to go through the nightmare of calling the stupid IT guys (I work in IT too, it's not an attack against the whole group, only against the ones that are stupid) to tell them let me download the latest winscp executable, latest linux ISO, latest spring framework release, etc.
Cos yes, the bright minds at my working place have a blanket ban that prevents downloading every damn .zip, .iso, .exe file.
And of course they also ban every IM program available, even if using it actually would save time and improve productivity, cos we won't have to send a freaking internal email (slow as hell, btw) to just give the other a job related url, a block of code, or whatever.
Yes, I know I should just tell my boss "hey, can't do it, go and tell IT their policy sucks bigtime". But my boss answer is "download it at home and bring it back in your usb". And since I'm not going to spend my free time downloading things for my job, I just circumvent their stupid policies.
So before blindly defending a strict IT policy, make sure it actually makes sense.
so dumping them for minor things like this is unwise.
In any case, if the tech support crew actually offer some guidance rather than a blanket prohibition, it's possible that they can forestall some of the more flagrantly insecure or unsafe idiocies that some users are apt to come up with.
Contrary to popular belief, not all users are criminals [gasp!] or even idiots [heresy!] and they will more often than not respond well if you take the trouble to explain *why* you don't want them running p2p on corporate machines.
We're already there in the UK Financial Services industry. Earlier this year, the FSA (our financial regulator) issued a report on best practice that, amongst other things, recommends that
If you're in the industry and doing less, expect regulatory sanctions if anything goes wrong. It's time to get tough on slack security.
The reason given around here why that is not permitted is that the IT department cannot verify that your personal machine is virus free. Their stated fear is that a personal machine will come in with some virus and it will spread uncontrolled behind our firewall, infecting hundreds of machines before it is noticed. We've had this happen and it was a real mess! Of course, we also allow people to VPN into the network from their personal machines. A bit of an inconsistency there!
Because once you allow people to connect personal items to the network your security model is non-existent. And connecting them to the workstations counts as having them on the network in this instance.
If they want to play music or whatever, they can bring radios / players / etc in. But they cannot use the company's workstations to load iTunes and fill up their iPod. That just creates another potential issue that IT has to deal with.
Now, if they'd be willing to take a pay cut so IT could afford a few more employees who would handle iTunes problems and such ... say ... $100 a month ... each.
The problem is that already taxed desktop support teams are going out to fix problems that would have never been caused if the application had never been installed. If there is a bona-fide need for a particular piece of software, IT should acquire, test, and support it.
As a state institution, we had employees go out and buy various smart devices, all of which ran proprietary "push" clients; some of which worked well, others not, others securely, others non-securely. The issue was we had literally hundreds of configurations to support, and when it worked, the users (mostly middle managers) flat-out expected the entry level techs to get their personally owned piece of equipment to work. I argued it was illegal to use state time to fix personally owned equipment and refused, but other techs weren't so lucky and hundreds of man hours for a small support group were spent supporting devices we'd never touch if management would have enforced a simple guideline of what devices and vendors we'd support. (e.g. we had no coverage on campus for Sprint, period).
At the same college, someone installed some app similar to Picasa that caused major issues with some proprietary (approved) scanning software used to record transcripts. We lost almost 2 days of productivity on that station after a full wipe and reconfigure, while the employee didn't catch any flack over it. I argued the employee violated the policy, the business suffered downtime, and she should have been sent home without pay. It was no different than breaking a copy machine by feeding stapled documents into it saying "I don't care what IT says, it SHOULD work!"
Forgive my spelling from time to time. I'm often posting during short breaks.
Then companies must institute the converse policy too: "the company cannot contact you using an electronic device outside of regular work hours." No phoning, email, computers ...
The last two places I've worked they had a wireless "guest" network. It's not connected to the corporate network in any way so there is no security problem. I connect my iPod touch to guestnet right now so I can use all my favorite apps on it.
"Politicians always tell the truth, when they're calling each other liars."
Like you, I agree - if there is a policy against having music on your work machine - fire the people with music on their work machines. Don't ask me to find or craft a solution to delete music files from work machines.
Of course, it could be those accounting/marketing/sales folks aren't so easily replaced and, like you said, it's just us techno weenies that are a dime a dozen.
I mean, we do not allow people to send email using any Outlook client, but that's for obvious and technical reasons. We first tried to enforce this by policy since I sort of expect people to obey policy. We had one guy who insisted on using it no matter how many times I told him not to. So we explicitly disallow it at the server. Along with this we disallowed common non-encrypted services like Windows shares and the like.
However, what's the hatred of IM services? I mean, this sort of thing is a social problem, not a technical one. The only reason you would usually try to keep a lid on it is if you supposed employees were wasting their time, and this is a problem for HR or management, not the IT department. If it's simply a matter of installing unauthorized software then you have two choices from a technical point of view: authorize it, or disallow users installing software using a technical solution. If your platform does not let you have this kind of control then you're using the wrong platform for the kind of control you seek.
As far as users plugging in unauthorized devices, use managed switches, and explicitly allow the hardware you approve of. Those users found circumventing this are obviously not innocent, as they have actively circumvented your meager security, so shut them down and let HR know about it so they can decide what to do.
If you REALLY MUST keep users from using software, then shut down UDP and do explicit allows for IPs and ports after the user proves need. Force everything through a transparent proxy and do explicit allows for sites after the user proves need.
You now have control over everything on your network. If this seems draconian it's because it is, welcome to 1984(+24).
The gist is twofold; first, the IT department should try to stay out of the HR management game and stick with technical issues. Second, you can have as much control as you wish (if you think it's a good idea) so quit your crying.
I think you underestimate just how much I just don't care.
I don't think anyone would question IT's value - just that when they get all self-indulgent like the obviously trolling grandparent... well, then.
You don't fire a guy for installing software - unless he's being malicious. And then you still don't fire him for installing software - you fire him for being malicious.
We used proxies to do our football pools while at work... after 10 years of doing it they suddenly installed a blocker. Did our manager know? Um, yeah, he was in the pool. Sure, we could have done the pool from home - but shouldn't work want me there? Old lab machines running Windows 95 suddenly stop working because some IT guy decides to put some policy enforcement agent on them that uses up the entire 32MB of RAM... doesn't put in RAM of course. We disable the program, computer fixed. As a result, the helpdesk guys refer people over to me when someone complains about a really slow ancient computer. IT one day caps our outgoing email size - tells us that "email is not suitable for large file transfer". Of course, they don't give us outward-facing FTP or anything else that is "suitable". Nice. So we buy space on a godaddy FTP server and use that until they get their act together.
IT is great - except when they aren't. Not everyone breaking the rules is someone you'd want to fire.
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
The answer is, you really have to design your systems in a secure way so that some new kid can plug in his iPhone and not cause havoc. It's a totally new world and I'm even trying to get used to it. Feeling like a fuddy-duddy in your early 30s is scary sometimes.
I work in the client-side computing world, taking care of standards-setting for client systems in a large company. For the most part, gone are the days of an IT department absolutely mandating configurations and software choices. Even if you try, people will work around the mandates.
The flip side? A lot of productivity is lost, especially if you don't protect your client PCs. University campuses are probably the worst, but I'm sure there's a bunch of medium-to-large businesses out there who let their users have full control of their machines.
The things that work for us so far are:
I'll repeat a sentiment that I posted previously -- the new generation of workers understands technology. That doesn't mean they know exactly how computers work, but the support emphasis has definitely shifted from "I know nothing. Help me figure this out." to "My machine is busted" or "I've gotten myself in a bad spot. Help!" Growing up with easy-to-use computers and the web makes for a different mindset.
Coming down on this group of tech-savvy workers is just going to make your company look like a stick-in-the-mud, 1960s style authoritarian workplace. You won't get them to stay very long. I really think the only solution is to protect the network the best you can, and only limit behaviors that have clear potential dangers.
I have three networks inside my house. One for guests and family members, one for my work computers, and one for my web servers, with firewalls between them.
Every time my employers tried to enforce some policy like that, they lost money! How? Simply I spent many hours trying to work around the restriction.
;-)
Years ago when ICQ worked only on some non-standard ports, it was easy to cut all connections other than 80 and 8080 at the gateway, for example. Then I spent hours and days playing with HTTP tunnels, proxies, etc. This was time lost for my employer but I do not regret it. The reason: I don't think that restricting ICQ will improve the security of the system or drop the productivity of the employees.
And this does not mean that I like to break policies just for the sake of it. Nothing like that, in fact. I follow all the policies that make sense to me. And I trust my common sense because I have years of experience. But I cannot agree with policies that follow Stalin's principle: "There is man, there is problem. There is no man, there is no problem". Heck, in the past (and even now in some places) having Internet at work was considered dangerous.
For what it's worth, the machines would probably be faster if the guys with the money listened to IT.
It's not IT's fault that you are using a crappy computer. Let me assure you, if the IT nerds had an unlimited money supply everyone in the building would be using quad processor machines with 24" LCDs just so they could brag to their IT nerd buddies about how awesome their network is.
There's a discussion like this every few months on /., and it almost always boils down to the same argument:
"I can be trusted to do anything I like on a PC, therefore everyone in the company can be trusted to do anything they like on a PC, therefore locking them down achieves absolutely nothing and it pisses everyone off. Hell, don't even bother putting any software on them - just hand them out as they left the factory and let end-users do that. Much easier than having to wait for someone from IT to come down and click next next next...."
People like me clear up the mess that comes out of doing that. What you wind up with is:
IME, a large percentage of these locked-down systems have been locked down because a person or persons in the past couldn't be trusted. Now, part of the job of the IT department is to keep the lockdown at a reasonable level such that it prevents the most boneheaded of errors while still allowing people to work. If they're not doing this, then you haven't got a very good IT department.
100% correct. My PC at work is currently running 42 processes. 19 of those processes are IT department Altiris/Symantec crapola. Even on my brand new PC with a dual core CPU and 4 GB of RAM it sometimes bogs my machine down to a crawl. This is all about the lazy self-serving gits making their own jobs easier at the expense of making my job more difficult.
None of them can see the clouds; The polished wings don't care.
However, what's the hatred of IM services? I mean, this sort of thing is a social problem, not a technical one. The only reason you would usually try to keep a lid on it is if you supposed employees were wasting their time, and this is a problem for HR or management, not the IT department. If it's simply a matter of installing unauthorized software then you have two choices from a technical point of view: authorize it, or disallow users installing software using a technical solution. If your platform does not let you have this kind of control then you're using the wrong platform for the kind of control you seek.
Your homework assignment for tonight: set up a Yahoo Messenger account, set up Pidgin on a machine that's on 24/7, walk away for 24 hours.
If you can count the number of virus-wielding chatterbots that have messaged you on one hand, then please see a doctor about the extra twenty digits you've somehow acquired. Internal IM is nice, but even then it can quickly become a productivity drain.
There are some people that if they don't know, you can't tell 'em.
To echo others as well...we admin 6 offices, totalling about 60 some odd users, including remote users with home offices. We set up and configure everything from their Blackberries, to their laptops / desktops, sometimes cell phones. Nearly everyone gets admin on their workstation. That's right, nearly everyone.
In our office, we're adults...we treat each other like adults, and respect each other like adults. Only once have we had to keep an eye on someone and build a bit of a case against them...and that was initiated by management. We, as IT, know who the slackers are...but it's not our place to try to control what ppl do with their time. It's up to management to evaluate performance and motivate the employee(s).
With this formula, we've had zero security breaches, no lost equipment, only two viruses (over achievers who don't read email enough to recognize that zip file is NOT actually from UPS) - but even those were quickly contained and didn't spread at all.
It can be tempting for IT to become power-mongers and control freaks...but really, leave that in the hands it belongs in...and it's one less thing for you to worry about. More than one thing, actually - it's one less thing multiplied by the number of users you have.
In general I agree with you - I've seen some strong & stupid policies in my time. But this I have to call out:
"And of course they also ban every IM program available, even if using it actually would save time and improve productivity..."
They do this because the vast, vast majority of people use it for chatting when they should be working. Even people who do use it productively often *also* use it for chatting.
If I owned a company, I would ban chat in a heartbeat.
-Jeff
Please learn the difference between a dissenting opinion and a troll before you moderate.
MAC tag all of the corporate machines (should be easy if you're asset tagging systems already). Set up all corporate machines in VLANs assigned by MAC addresses. Set up user groups in your filtering system based on job title, machine type, etc., and strictly limit inside access to the web via white lists and proxies.
Now, create a separate VLAN, and automatically put all systems in that VLAN that are not on your tagged, approved, MAC address listing. Let those machines access the net through a secondary method of access (cheap, high speed corporate cable service instead of the T1 etc. lines). Place only simple, but secure, filtering measures on that connection (blacklist instead of white list, and still incorporate inline file type and virus filtering).
Now your network is secure, and personal devices can still be used, to a limited extent, at work. Lock each active thread down to say 128 or 64K to prevent bandwidth abuse.
We allow VPN from home as well, but for any user issued a VPN account, we issue corporate versions of AV and spyware, and the VPN has strict port and application access limitations. We also quarantine the system if it does not pass certain AV definition and Windows patch revisions before it gains access to the VPN.
Yes, setting this up was complicated and expensive. If it prevented even a single virus outbreak or security breach, it paid for itself twice over, especially considering the cost of federal red flag legislation, and notifying and paying for ID theft assurance for our customer base if a leak occurred and we even suspected a breach.
There is no contest in life for which the unprepared have the advantage.
I think this is probably a corollary to my "Fly Naked" proposal to the NTSC. If your security really needs to be that tight, then everyone leaves everything they were not born with, but possibly excepting medically necessary devices like contacts and pacemakers, at the door. Bar code tattoos, shaved heads, firehose showers, and latex glove searches optional.
But your productivity would be higher, wouldn't it? ;)
Just think: 50% of all people are below average.
If your IT staff members are a bunch of jackholes, then they need to be replaced. I am an IT manager (worked my way up through the IT ranks) and I simply do not tolerate my staff acting the way you describe in your post. The people we support are the reason we are here and they need to be treated with dignity. I also do not tolerate people we support berating my staff. There is absolutely no reason that IT workers and the people they support need to be at odds. One cause of this that I have personally witnessed is, for example, many IT workers cannot understand why the marketing guy needs to have ICQ. Well, you know what? That is between the marketing guy and his boss. If the software has been approved by a user's manager, then install the software and support it as best you can. We have processed requests from managers asking that their reports have access to gaming sites over lunch. The boss wants you to be able to play games? No problem. Here's your access. If you have any problems, let me know and I will try to fix it.
There doesn't need to be this rift between IT staff and the people they support; the two groups need to work together. At least, that's what my group does.
"I'm just here to regulate funkiness."
I'm old enough to remember the workplace before internet, smart phones, pagers, gameboys, etc.
I mean, there was no pretense that use of a gadget was anything other than goofing off. You were supposed to be working: ringing up customers, moving inventory, filling out forms, maybe even entering PURELY BUSINESS RELATED DATA into a computer. If your boss caught you playing LED football or watching a 1.5'' portable TV he'd confiscate the item and yell at you to get back to work and stop wasting time.
These days, it's the bosses that have the gadgets and it seems to me like it's still a waste of time, only now they try to make their underlings and IT departments into co-dependent timewasters just to get the things to work.
RND, test labs, pre-production, software QA, software dev systems, etc. should use separate user credentials, and be on separate VLANs. Part of security is limiting physical and logical access, not just permissions and filtering.
Who's the most likely user in your network to get you infected: The CEO. Seen it dozens of times. The one who refuses to accept the same security as other users is the biggest risk in the building, and he's also typically the one with the least work to actually keep him busy (if he's delegating properly).
As far as employee morale, provided it can be monitored for abuse of productivity, access to known secure sites like iGoogle, MSN, etc. is not beyond permissible, but open access to the internet through anything other than personally maintained white lists in a large corporate environment is just suicide.
IT personnel should simply have a different white list than call center employees. I'm not saying everyone needs the same restrictions, but restrictions do need to be in place, and routinely analyzed for necessary changes to policy.
There is no contest in life for which the unprepared have the advantage.
You're assuming that if you ban IM, people will be more productive. I don't think that's true: they'll just find something else to be unproductive with.
Workers need time off besides lunch and coffee breaks. Either way you'll get the unproductiveness, either through sloppy work at the end of the day or by them having their mini breaks. If that time is spent chatting to their girlfriends, that's fine.
On the other hand, when they are being productive, they can easily save time by sending bits of code or whatever through IM. This increases their productivity.
I don't see the problem, except for if I would find myself working for a person who is this restrictive about my life, I'd quit in a heartbeat.
Intent doesn't matter. Effects do. Installing a potential attack vector like ICQ when you were asked not to should be grounds for firing. Nobody produces enough revenue to make that kind of risk worthwhile. Then again, why does IT let these people even have the ability to install software of any kind?
You're right. Everyone uses USB flash drives, so let's rework our policy of not allowing any storage device to connect to our network to only allowing flash drives. We'll "train" our users not to pirate software from our networks. Not to copy lil' Jimmie's screensaver to our desktop. Not to keep a copy of employees' SSN records on the flash drive.
Oops, someone forgot about that silly training course and, after being fired for allowing a virus to ravage your network (and the overtime in IT labor), the flash drive turns up on eBay complete with your employees' medical data and a copy of the software used to read the records.
Are you sure that middle ground is necessary?
White list? Well I know what companies I'd never work at. Wasting days of time because I can't search for a solution to a problem in what I'm doing does not make me happy. The same goes for wasting days because I can't install software I need to use.
As for productivity? That's between my manager and me. If he thinks I'm being productive then why the hell should IT or HR presume to know better?
Sorry if I came across as making them sound like imbeciles - they weren't. Fact is, some were my good friends and I was pretty open about what I was doing.
A lot of the time their hands were tied, though. Things need approval, initiatives don't really get run by the people that they will affect, disk space and server space were always short, etc. For instance, getting a site whitelisted was sort of a big deal. The CEO got pissed off when they blocked ebay and some other sites he visited, and so those were quickly unblocked. When I asked them to unblock yahoo sports or whatever it was, they told me to make a business case and have it approved by my manager... not unreasonable, but it was far easier to set up a proxy (a solution some of the IT guys used to see their all-important gaming sites). So that's what happened. I think there was a generational thing there - older folks couldn't understand spending your lunch hour surfing gaming reviews/strategies and so it stayed blocked. Whatever.
Anyway, I wouldn't say there was much of a "rift" where I worked - it was all friendly. I was just pointing out how suggesting that all rule breakers get fired is asinine.
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
Actually, for any given Windows XP SP3 machine or Windows Vista box, 42 processes is an extremely low number.
And I find it extremely hard to believe, even in that scenario, that almost half of them (19 processes) are related to software that the IT department had installed on there.
Either way, sounds like a troll to me.
I'm afraid you have it wrong. They WILL attempt to install stuff and one of these will happen:
a) They will succeed
b) They will fail but break something serious in the process (by booting from a special CD from a friend or something like that)
c) They will fail but find some decent-work around
d) They will tell you to fuck off and find a better place to work
e) If they are incompetent enough to do a, c or d they will give up but find another hobby.
So instead of frustrating yourself and your employees, you could just demand a level of productivity in return for a pleasant workplace where having an IM client is not a crime.
A) If IT is doing the job right, it should be impossible for a user to launch an exe. Period. This is simple and cannot be overcome by a user who does not have an admin password. If a user has an admin password, fire the admin and the user both.
B) change bios to not be able to boot from CD, USB, or any device other than primary HDD. Enable BIOS passwords. Use business class systems that have firmware monitoring software, and cases that have physical access alarms or keys. Employees that try to get around this get more than fired, they get prosecuted for tampering with company property or attempting to circumvent a security system, and could face 5-20 years in prison.
C) If you can't install software, and you can't boot from external media (and plug and play is disabled, preventing other options) then they can't succeed. If they do, I say it's you who should be fired, unless the user found some zero day exploit you could not prevent; highly unlikely someone is so desperate to use AIM that they'll risk federal prison for hacking.
D) let them go. There's a stack of resumes down in HR waiting for people who are here to work 8 hour days and who won't fuck around on the job and waste productivity, let alone become security risks. Fire a couple and the rest stand up and work.
E) If that hobby keeps them from sitting in their seats, logged into the productivity system except when on breaks and logged out as permitted by a floor manager(ie when not getting paid), or if they bother other employees, floor managers will learn about it quick, and we'll need yet another resume from HR.
F) If an application that's not approved IS installed (because someone got access to a password they should not have), automatically terminate the user, then bill them for the HR resources required to clean the infected computer of said application. ENSURE they are aware this will be deducted from their last pay check before they accept the job. Remind them occasionally by firing an employee for trying. Network scanning software makes it real easy to detect these kinds of changes, within minutes of it happening.
G) If there's a web site they feel they need to access, business OR personal, and they feel it's a secure site, let them submit a helpdesk request to get it added to the white list. Worst that will happen is they get told NO. Even allow the submissions to be anonymous if they feel the site is questionable. As for applications, same thing goes. There will be an approved music and video player on your machine already, and chat IS permitted, provided it's logged to the servers and the chat program security prevents file transfers. Webmail is right out, but if you feel you really need to get personal e-mail in your in box, we'll add your POP credentials to your Exchange account so you can get those messages, and at least they're filtered for spam, virus, and phishing.
You're here to work. People in this country have become too complacent. 20 years ago you got fired for standing at the water cooler too long; now people think it's their right to blow 3 hours a day blogging, that somehow that's all their salary justifies they should work for.
We accommodate some leniency in allowing you 3
There is no contest in life for which the unprepared have the advantage.
I work for a fairly large company - we have 2 Class As. All the computers on our administrative LAN run a standard image. Users are just that - users, no admin rights. Field IT has limited admin rights. Why? It is pretty simple. The company cannot afford a roll your own environment. The workstations have to do many specific tasks that keep the company in business. Part of my regular workday involves RDPing into workstations and whacking unauthorized software. I know where it is because the system performs a hardware and software audit on a regular basis. The rules are all up front. You are told what is expected when you start the job. We do allow proxied internet access in general unless abuse is detected. We are in the process of pulling back about 1/3 of our laptops. They are no longer a perk; the user has to show a need that exceeds the security risk.
Profanity - The sign of a small mind trying to express itself.
Installing a potential attack vector like ICQ when you were asked not to should be grounds for firing.
No, it shouldn't.
Then again, why does IT let these people even have the ability to install software of any kind?
Exactly. The only reason we have IT is because the average person can't keep up with all of this stuff. If security and networking were easy, there wouldn't be an IT department. If IT wants all potential attack vectors ruled out, then they should do it by locking down the PC. If an otherwise good secretary clicks on an ICQ installer at some point, she sure as hell should NOT be fired.
Let me ask you - if you lose your ID badge, maybe leave it on the bus... should you be fired? After all, someone could use it to enter the building - it's a security risk that is all your fault, regardless of intent.
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
Problem is: you're dealing with real actual people that have real actual lives and interests. Your job is to secure IT infrastructure AND support your users. If you care only about your holy sanctified security, you're only doing one half of your job and if they manage to install software, you don't even perform that half properly.
People use ICQ at home all the time and somehow many of them manage to not get rootkitted and that's not out of sheer luck. So where's the problem in reproducing the same guidelines for your workplace that sane home users follow when using ICQ? There are peer-reviewed GPL'ed ICQ clients, remember?
And why is IT security on desktop machines so important? You control their web access, you control your servers and your data center is behind many layers of firewalling. The worst that could happen is a w32.Blaster outbreak among your workstations and that's going to happen only if you skimp on updates, scanners and internal firewalling.
So what? You have images to reinstall one machine in less than ten minutes. The poor little user who wrecked his machine by installing ICQ will be ashamed for weeks among his coworkers. You can BOFH them into oblivion later on, so why should anyone be fired then?
And then again this is not only about revenue-risk-tradeoffs but also because of company attitudes, company loyalty, trust between departments and an environment worth working in. After all, we all do 10 hour workdays sometimes and God help our office staff if they were confined to Word and Excel only then. We want them to actually like going to work, because that saves a ton of wage raises in the long run and reduces turnover by extreme percentages. If you annoy your users, you cost your company brownie points and raise turnover. And high turnover costs more than all ICQ disasters combined.
It's only idiots who think that workers are robots and can work in top form non-stop with no means of relaxation. You're perfectly free to believe that and I'm perfectly free to not work for you. Granted you'll likely only get idiots and the desperate working for you so don't complain when they keep acting like idiots.
I'm also salaried. I get paid to get things done, not for my warm body to fill a chair for 8 hours. If I waste time then that just means that I need to make up for it later. If I don't get my work done then that's my manager's job to do something about, not IT's.
no matter how many times we told users they weren't allowed to install ICQ, or to connect their personal laptops to the corporate network, they insisted on doing it.
We're not assholes about IT like you are apparently. We tell them "sure, bring in your personal laptops". The switches run 802.1x. If your computer hasn't been issued a certificate, you get an internet-only connection which blocks outbound SMTP, and monitors your traffic with SNORT. If it appears you have a virus or are passing bad traffic, you get blocked.
There's no place like
I bring in my laptop and set it right next to my work computer. In between projects I play World of Warcraft.
Ain't that the truth! Speak it, brother!
LOL. I know that was a joke, but I'd just like to point out that it wouldn't. I only go over to slashdot when I'm stuck on a problem. The process of reading and responding to articles helps me think. I almost always think of the solution mid-post. After all, if you're in software you've got to tackle some pretty abstract problems. If you get stuck on something, sometimes the best thing to do is walk away from the problem for a while. Slashdot helps me do that - I consider it an essential tool.
There are two sides to every opinion, and you do a good job of explaining the working stiff's side of IT policies.
However, having been on both sides of the fence, here is the IT side.
When Joe User installs software on his computer that introduces a virus in the network after you've told him over and over again to stop installing crapware on his machine, you get a little frustrated and wish he would just find employment elsewhere. After rebuilding Jane User's computer for the third time this month after she mucked around with policy settings that she didn't understand (again) and her supervisor insists (again) that she absolutely must have admin access to do her job, you begin to consider giving her an etch-a-sketch instead of another laptop. I've had employees wonder why they can't e-mail a 150MB autocad file to another employee in a remote location, and that's why IT puts caps on outgoing e-mail size. I worked with one guy in particular who constantly badmouthed IT because he thought he knew more than the senior admin (he didn't) and he was hoping to get enough people griping to force IT to do things the way he wanted (we didn't).
However, you are, of course, correct. There are some real dumb***** in IT who aren't qualified to work a cash register at Best Buy (no offense to Best Buy cashiers intended), and they often make some really boneheaded rules. There *are* IT admins who are on a power trip and enjoy keeping non-IT staff under their thumbs. But there are *also* very competent IT administrators who simply want to provide a stable and reasonably secure network.
MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
I have both a restricted use system and an unrestricted one on a separate VLAN. One is used for business, the other for research. I am bound by the same security I impose on my users. I do not log in as Admin unless strictly necessary (and often Run As works just as well).
There's no real "crap" on the PCs in our network. Each runs only the services required to do their job, and those required by HIPAA, Sarbanes Oxley, Federal regulations, DOD STIG, and company security policies which comply with those. AV, AS, and hardware monitoring tools are all that's on them aside from Office where necessary, the IP phone connector, the company chat system (which doubles as the time clock), and the CRM or accounting apps, again as necessary. There's not a bunch of bloat. The images are job specific and easily deployable. If you need an app, in most cases I make a quick change to your system image in the software distro app, and in 15 minutes or less it's auto installed. We give users a media player and a few other programs to occupy them at work and on breaks.
If a user wanted to, they have no access to the shell, no control panels, no way to make system level changes. The computer BIOS is locked out, there's no booting from CD or USB, and with plug n play disabled, and the C: and D: drives hidden, and only the home folder and workgroup folders accessible, there is no way for them to mount a volume with which to install a program or infect the machine, and no way to change settings other than wallpaper, font size, and a few ergonomic settings we're required by law to allow you access to.
Anyone needing to take files home is approved to do so, and has a shared web accessible, encrypted system to access to get those files, and all activity is logged. Moving a file to CD, DVD, thumb drive, etc. is grounds for termination, as is the attempt to mount any unapproved device. Need to load something from a disk? You bring it to IT for scanning and loading to your home folder.
I don't keep them from their favorite, proven safe news sites, or the occasional blog (we do prevent MySpace, Facebook, etc., but mostly due to HR rules about content accessibility and to help limit bandwidth utilization, not so much for security). They're allowed a whitelist of places to go when they're taking personal time at their desks. We're not inhuman, we just expect certain levels of security, HR accountability, and productivity from our well paid (above regional average) employees.
If you were on my network, and disabled any of the security software on the machine, you'd not only be immediately terminated without exception, but the IT department, through terms in your employee contract, would deduct from your last paycheck consulting time for which to re-image the infected machine (about an hour and a half). If you really pissed us off, you'd be terminated without prejudice and sacrifice your severance pay, potential for unemployment compensation, possibly matching funds in your 401K, and if you'd been here long enough, your pension too. We're bound by regulation to have a minimum security level. Not firing you would get other people fired when the audit comes through. If there's credit card info, SSNs, medical insurance info, or other personal info in your systems anywhere (almost guaranteed HR has them), and if you do business in more than 1 state (or some specific states like NY), then your IT department is bound by these laws, whether they explained that to you or not.
If your image is blue-screening, it is NOT a software issue, but a hardware conflict or more likely a failing HDD or RAM. If you knew shit-one about IT, you'd know that application software does not cause blue screens, only kernel level events. If your system was so sluggish, or routinely failing, it would have been pulled to the helpdesk for a hardware scan to confirm, or re-imaged to eliminate the potential of a corrupt driver. Likely you would have had your system swapped with another while it was being tested. If multiple machines like
There is no contest in life for which the unprepared have the advantage.
While you're at it, train everyone of your employees not to be stupid.
Has anyone yet considered
- admin rights and alcotests in every company operated vehicle, so no one with a hint of alcohol can start the engine, because driving under the influence kills workers and costs the company thousands?
- admin access only to knives, scissors, screwdrivers, lawnmowers, chainsaws, drills and hammers because otherwise they could be misused and cause injuries or death among the workers?
- locks on doors and windows so no employee can open them without admin rights and fall to their death?
- tight-fitting gas masks that cannot be removed without admin rights for workers in a chemical plant so no one can accidentally breathe in fumes?
- admin rights for bathroom door locks so employees can not spend too much time in unauthorized potty breaks?
- admin rights on company stationery, stamps, pens and ink so no employee can write unauthorized company letters that management cannot review nor censor?
- mandatory security mumbo-jumbo and admin-only-everything anywhere except information technology?
I don't think so. After countless hours of trying to get online on unsecured wifi during business trips, trying to use a coworker's internet access to review train schedules or trying to get one lousy presentation or spreadsheet to another business partner's computer, I'm totally fed up with ridiculous IT policy.
Nowhere in the corporate world will you find access or usage restrictions even remotely as silly and obscene as in IT. I mean, you can use and take out construction vehicles or machinery worth several hundred thousand bucks without more than showing your license and signing a slip of paper - in the same company that forbids using USB thumbdrives under the death penalty.
Sooo ridiculous. People are expected to acknowledge and avoid tremendously complex failure modes on heavy, expensive and dangerous machinery while we forbid them to install a screensaver on their workstation "for safety reasons". Some engineers have rotating control-station- and office-duty shifts: in the control room, they are trusted to manage nuclear reactors, but in their office shifts we restrict them from installing screensavers without a second thought.
Yeah, I know exactly what you mean. Honestly, I don't know why IT doesn't just lock down PCs as the default. None of this "make a business case" stuff to install something new - just have a half-competent IT guy okay the install and let the user's supervisor know that it's going on.
And sometimes people who fancy themselves competent make some mistakes (ahem, me, ahem). Like one time I was testing QNX (we used it on an embedded system) and I plugged it into the network with a fixed IP and it crashed a bunch of boxes... something to do with ARP tables... whoops! So please be patient with us lusers :)
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
What are you, a Microsoft salesman?
I wish my mod points hadn't just expired. I used to sit next to a woman who would chat on the phone with people from all over the country. About everything. Intimate encounters, medical information, shopping sprees, trips to Prague. You name it.
She would log her personal chat time under one of her most active projects in our time tracking software. She was recently promoted to some higher echelon position.
Technical restrictions are stupid. People will find ways around them.
That said, these restrictions are sometimes necessary from a legal compliance standpoint for auditing purposes, such as blocking personal e-mail at a government agency (HA HA HA HA HA *gasp* HA HA HA HA HA HA HA!!!!!!) or a bank.
From a memo sent to all employees at my workplace about a year and a half ago:
As all of you are aware, financial services firms continue to be under heightened regulatory scrutiny relating to compliance generally. One of the regulatory requirements that has been in place for some time at Initech Financial Services and across the industry is that all email communication by individuals at IFS must be archived and reviewed from a compliance perspective.
A recent regulatory review advised Initech Financial Services to investigate industry practices relating to access of third party email providers (Google mail, AOL mail, etc.) and third party instant messaging from IFS desktop computers. The regulatory report recommended that we prohibit employee access at IFS to all such third party email and instant messaging providers as these emails and messages cannot be archived and monitored by compliance.
Gotta love iGDS.
Have you driven a fnord... lately?
Other than influenza or rhino virus, slide rules aren't known to be vectors for viruses, worms, trojans, malware, spambots, etc. Even if you run anti-virus and anti-spyware, you can't guarantee that nothing will slip past the filters. Therefore, the first line of security on the networks I manage is if I (well, the company) doesn't own it, you don't get to attach it to the network.
MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
Last I checked, our whitelist had over 400,000 sites. I've never gone to a commercial site, help forum, or community solution forum that was blocked unless it was associated with warez distribution or something... We get few whitelist requests since almost anywhere the sheep want to go, except myspace and facebook, are actually in the white list... The white list primarily stops links people click on from e-mails, and misspelled URLs that link to phishing sites.
Productivity is measured in many ways. Managers can't always look over your shoulder. Honestly, I could care less (and most of the managers with me feel the same) if you get your expected allotment of work done in half the time as another guy getting paid the same rate. I'm personally far more concerned with having to track down stupid issues because someone screwed up their machine trying to install some crap media player or website plug-in. ...and I've more than once had my own job on the chopping block because of a system outage or security breach that could have been prevented (and I always saved my ass by pointing to policy I suggested that got turned down that would have prevented the issue).
Mostly, it's about DOD STIG and SOX though. No choice, have to implement compatible policy.
There is no contest in life for which the unprepared have the advantage.
We are struggling with many of the same issues you raise where I work. One of the things I am looking at is having the costs associated with cleaning up the mess created by bad user behavior charged back to their department. Someone else pointed out earlier in this thread that IT staff are not generally revenue producers, and this is correct. But the revenue generated by your star producer won't mean much if he is a huge drain on resources.
It's no different than a project manager who doesn't manage effectively, and whose job costs end up exceeding the revenue they produce. Or a salesperson whose margins don't cover all of the costs associated with generating his sales (including his expenses, car allowance and the overhead of the people needed to support him). Or, for that matter, someone who is stealing office supplies, or driving a company vehicle in to the ground. Costs associated with bad employee behavior need to be contained, whether that bad behavior is being wasteful and inefficient or violating the acceptable use policy for company-owned equipment.
If IT is treated as just another overhead like the lights and the heat, abuses will always occur because there is really no way of knowing what those abuses cost the company on a per-incident basis. If IT actually bills departments for the work they do, and that information ends up in the relevant employee's personnel file, these costs can be considered when evaluating that employee's performance for the purpose of determining raises, bonuses and promotions.
I don't care why you're posting AC
Mac, Linux, unix, Windows, matters not. Executable files should be restricted to root/admin permissions only. Line level employees have no purpose installing software or modifying predetermined OS settings. They want it changed, they submit a help ticket. Even admins should not be logged in as admin unless performing a task that requires admin permissions, and one that can't be done by using a Run As, or SU to root to accomplish. It's just bad, lazy, sloppy, whatever you want to call it to do otherwise.
Were you a member of the Audrey team at 3Com (we had that same type of event happen (QNX was the core OS for the (complete failure) Audrey) several times)?
How's THAT for some nesting (you'd think I was a Pascal programmer or something)?!?!
"I'm just here to regulate funkiness."
Yea, try locking down the computer in a software RND department.
I hate to sound elitist, but there *is* a difference between the physical plant guy or the customer service rep and an IT employee. Give the employees the tools and access they need to do their jobs. An employee who needs a computer just to receive corporate e-mail, visit the intranet and open/close service tickets might not (in fact, probably doesn't) need admin rights or the right to install and delete software.
On the other hand, a developer, a sys admin or a help desk tech probably does.
The nice thing about IT people is that there are plenty of good ones, and you can afford to hire them and fire the idiots.
The joys of having linux administered for me by someone else:-)
93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
If your employees are that stupid, you have bigger problems.
Everywhere I've worked it's been; we support this. Stray from it + fuck up = major fireage. I brought my own laptop and USB keys and remote controlled by work desktop with ssh. No complaints.
Of course I did have to spoof some things to get wireless... ...maybe I'm just an awful employee...
when I worked in a organization, their incompetent IT people closed my account early. So the local sysadmin built a back door in so I could do my job.
If idiots manage competents, you end up with security holes. Better to allow much and document all.
1) has nothing to do with embezzling. You're absolutely right, we're looking for a scapegoat, and if the logs point to you as the one who caused the breach in security, after IT and HR insisted you not and documented it, congratulations, you win the prize.
2) Blue screen = hardware or kernel issue. An application in user space cannot cause XP or Vista to blue screen... No, not all shops service well, but unless employees file tickets, there's no reliable tracking system for issues. Moreover, allowing employees to enact changes makes the cause of the issue harder to diagnose. This is a double edged sword. The IT departments doing a better job have tighter controls, and that's most of the reason they're doing so well. All of us have relatively similar diagnostic skills at the enterprise level... (most of us).
3) corporate models have case access triggers. If the case has been opened, as soon as the OS is booted, IT is alerted it has been through a monitoring utility, provided by the manufacturer. Many systems actually have case locks. This is why IT pros prefer IBM systems and HP business workstations. Dell is far behind in corporate system utilities and system security. Of course, replacing the screws on the case with ones that cannot be removed with a common tool also goes a long way. Sure, anyone determined is going to get in, but explain how to do that in a cube without getting noticed, and without leaving physical damage...
Most users actually resent us. We make policy, we enforce policy, mostly policy they don't understand and feel is restrictive (mostly because it is, but SOX and STIG don't give me much of a choice!), and most importantly they know we get paid a lot more.
Dev machines in our network are segregated, and have far less restriction. They can't access the databases or other company information, but they don't need to (and when they need to test data, they're working on mock-up databases, or copies not originals).
I can't guarantee I'll catch you, but I'm pretty sure of it. Between the protections in place, continual packet inspection, and system status monitoring, I usually know there's an issue with a machine before the user does (crashes obviously excluded). It's pretty damned hard for anyone less than fully determined to bypass the controls. Those who do don't typically know about network level monitoring on top of that security and as soon as they find a way to bypass some protection, the packet inspector or proxy picks it up and red flags the machine.
As far as someone else doing something on another employee's unlocked workstation: first of all, it's an open cube floor, no high walls. Second, leaving your system unlocked only works for 60 seconds, and even that is grounds for a write up. Any system that has access to protected data uses a webcam auto-logoff. (if your face moves away from the screen, lockout happens in about 2 seconds).
Someone would have to very maliciously plan to infest the network. I can't prevent that. I can't pretend to. I don't really care to try. I'm interested in protecting the network from the stupid users (those who open attachments without question, etc). HR honestly weeds out their own productivity problems, I just have the data to back it up with so there are no fights about it when they do get fired for wasting time. I never provide reports to HR about who's using what when (They asked, so I gave them a 700 page print out that looked more like code than a report and they never asked again). I'm not cold hearted, just reasonable, and trying to keep my network operational. If it goes down on my watch, it's probably my ass.
But, really, what's the per-incident cost of a bunch of people that you're paying anyway. It would all be funny-money, and funny-money charges are calculated based on friendship with the guy who does the calculating, and similar politics.
In most of the shops I've worked in, the minimum acceptable revenue for a software group was 1 million per head. IT costs were a few thousand per head, at worst. If some guy's bad habits doubled or tripled that every year, it would still be noise.
Socialism: a lie told by totalitarians and believed by fools.
Sensible companies see this as a bit of give and take and are flexible.
Why not provide two networks? The "dirty net" and the "clean net". On the dirty net you can plug in your personal stuff, chat, etc. On the clean net you can only use corporate sanitized equipment.
Engineering is the art of compromise.
While the IT department is "in charge of the network" and exists largely to make sure that the company's computing resources are both safe and effective it really is not the IT department (or the people working in it) who should decide just exactly what should and should not be allowed on the network. That is a decision that should come from the top levels of management with input from the IT staff, lawyers, and the affected business units.
The reason for this is because every business is unique and what is right for one company isn't right for another. As IT staff we are here to serve the company, the management, and ultimately the shareholders.
This is all about the lazy self-serving gits making their own jobs easier at the expense of making my job more difficult.
That's very easy to say when you aren't the IT admin getting the phone call at 9:30 on Friday evening when a virus is running rampant on the network because some self-proclaimed computer expert thought he knew more about computer security than IT did. You aren't the guy getting called on the carpet when the network is down for two days while you clean up the mess.
If it was up to the admins where I work now, everyone would be using a Linux machine with *no* anti-virus software, and we'd all be FOSS nerdvana. Unfortunately, business requirements often mean we have to use Windows, and consequently, you have to run A/V (although I would never, ever recommend anything from Symantec).
However, whats the hatred of IM services?
In some cases, there are laws that mandate retention of electronic communications in and out of a business (SOX, HIPAA, etc.). If your employees are connecting to any and every IM service imaginable and you are following the required retention policies, the company can end up in a lot of hot water. In other cases, companies are simply worried about proprietary or confidential information leaking out. Finally, any network service or client could potentially be a vector for malware.
In many companies, operating a company vehicle under the influence of drugs or alcohol is grounds for dismissal.
It's not uncommon to require employees to be trained and certified before operating equipment or using tools.
If there is a likelihood of the employee falling out of the door or window, it would be irresponsible to not take action to prevent that.
If the terms of your employment state that you get a fixed amount of time for breaks during the day to go potty, or have a smoke, or get a coffee or eat your lunch, it's really no different than your employer requiring you to start and end your day at a given time. It's his time; he's paying for it.
Naturally. Our staff often work on sites where air quality is an issue, and yes, they wear respirators when it's prescribed by the Safety Officer. Do you not have a Safety Committee where you work? Where I live, we could have a job site shut down for failing to comply with Occupational Health and Safety standards.
If I use the company's postage meter to mail a letter, I drop 52 cents in the jar just like anyone else. No different with other office supplies, they're not mine and I don't take them for personal use.
The computer I work on and the network it connects to are also not my property, so I abide by the policies my company has established, even when it would be more convenient for me to simply do as I please. Just like that engineer at the nuclear reactor wouldn't tolerate me poking around the controls at his work station, IT staff shouldn't tolerate people disregarding company policy with regard to more mundane parts of the infrastructure.
And get sacked...
I work in a shop selling computer games, whoop-de-do, even we have a small sticker which says "do no remove this blah blah employee handbook".
Refer to the employee handbook : "If you do anything to anything, without being told to, we reserve the right to fire your ass outta the door".
In fact, recently I was asked to help change the ADSL filter on the phoneline simply because something wasn't working right and no one else knew what they were looking at. I asked for it to be confirmed in writing (only took 5 minutes anyway) before I actually did anything. I didn't want them coming back with that as a random excuse to get rid of me somewhere down the line.
- http://www.milkme.co.uk
TFA tells us that people not only try to use ICQ and personal laptops on the LAN, they expect IT to support it for them. This is not a problem, boys and girls! Every time IT gets a request for such support, it's forwarded to an appropriate department so that the person requesting the support can be disciplined for their failure to follow company policy. No, it won't stop people from doing such things. It will, however, weed out those who can't manage on their own and are too stupid to learn from what happened the first time they asked for help.
Good, inexpensive web hosting
Troll? If only.
ACLIENT.EXE; AClntUsr.EXE; AeXNSAgent.exe; alertsvc.exe ; ccApp.exe; CCSRVC.exe; ccSvcHst.exe; Client.exe; jusched.exe; lucoms~1.exe; MNMSrvc.exe; nisserv.exe; Rtvscan.exe; Semsvc.exe; SescLU.exe; Smc.exe; SmcGui.exe; SymCorpUI.exe; symlcsvc.exe; Wmiprvse.exe
There were a few more that turned out to be nvidia and a sound driver. My XP box at home will run on 18 processes. I assume that a networked corporate PC might have a few more, but good lord this is ridiculous. I wouldn't mind so much if it all sat quietly in the background, but when it slows my PC down to the point where it's unusable 2 or 3 times a day I start to get pissed.
None of them can see the clouds; The polished wings don't care.
And that's great, if the only people you are supporting are high-volume revenue-generating top performers. But if you are also supporting dozens of "entry level" type people for every one of those high-earners, it eats away at your margins pretty quickly.
And my point was that you need to identify where you are spending your IT resources, and determine if the benefits of giving someone more leeway outweigh the costs. I might be more tolerant of a top earner who just can't seem to stop losing cel phones, or putting dents in his Lexus, than I am of an entry-level clerk who will open any attachment or install any piece of rogue software just because he doesn't give a shit.
You might very well find that with some people it makes sense to keep fixing their fuck-ups, but if you are not actually tracking each incident and what it cost to correct it, you just don't know.
I feel your pain. My comment you quoted was directed more at the corporate IT managers at head office. I actually get along fine with the local IT people. The big problem is that there aren't enough of them here, and also they have no say in what "the company" decrees we are going to use. It's all decided by the bosses at corporate HQ. They decide that decide they need 3 different remote control programs running at the same time to admin our PCs. This is why we get the mountain of suck that is Symantec EndPoint on our PCs. They decide to put all our AutoCAD licenses on a server in New Jersey, when our WAN was losing connection 2 or 3 times a week for 2 hours at a crack. Centralize everything, because it's easier for the bosses. Too bad the engineers who actually _Bring_ Money_In_ can't work because they can't get a AutoCad licence.
Well, it seems like the useful number here is "how many IT guys could I fire if people followed the rules a little better". Are you sure you want management to have that number? I'd expect them to announce a policy, fire half the IT staff, and consider it a win. People wouldn't actually change their habits, of course, so it would be unpleasant all around.
Don't tell me what I assume.
I can see people talking around the water cooler, taking more time for lunch, calling home, and so on. I agree that a bit of that is expected and likely healthy.
But IM is different - I'll never find out how much they are chatting. Humans are selfish, lazy creatures - if you give them an out, they will take it. So I don't advocate giving them an out.
Again, don't put words in my mouth - I'm not aiming for 8 hours of unbroken productivity. I've never seen that from anybody. But I think IM is too much in the other direction.
-Jeff
Please learn the difference between a dissenting opinion and a troll before you moderate.
As somebody who's done tech support, I can assure you that most of the time we'd rather do exactly that. Alas, tech support doesn't write the rules it just enforces them or gets punished if they don't.
Take an example: First you have a policy of not allowing general unskilled office staff to install software. You then have someone install something to give them smiley icons for their email (wish I was making it up) which turns out to be a particularly nasty bit of malware. You also let things inside the network send things out on port 25 to allow a very badly designed bit of antivirus software to check for updates. Next thing you are on a dozen spam blacklists due to sending out hundreds of spam a minute. Now you might not fire the person that broke the rules and was stupid and you might not fire the guy that set up that PC without antivirus software or the guy that chose the broken antivirus software on the other machines - but you certainly don't want to have a recurring series of similar mistakes.
The poster above had some good points and they come down to poor communication with the IT staff, which can result in some pretty poor rules put in place.
With IM (Skype or Yahoo on computer or phone) dev engineering and support engineering can be in touch instantly. I think that makes our company more responsive to our customers.
Our IT head said that we shouldn't use Skype or Yahoo because they weren't 'Enterprise Ready' but didn't suggest anything that was 'Enterprise Ready'. Finally, when pressed, he came up with a couple, but so far we haven't changed to them.
One thing that works to a degree in a medium sized organisation is just telling everyone (including new employees when they start) that all internet traffic is logged and that bandwidth hogs need a pretty good excuse when things get congested. After wandering about the office informing all that the net will be faster now that employee X has agreed to stop downloading a porn DVD you usually get less unneeded traffic.
Were you a member of the Audrey team at 3Com
Nope! Sorry... love the nested parenthesis, though. :)
Next thing you are on a dozen spam blacklists due to sending out hundreds of spam a minute.
Yikes! I'd think you'd only let 25 go out to a limited IP range to get the antivirus updates :)
I understand the need to have IT rules, and I understand how destructive lusers can be... hell, I've been the source of a headache or two before (yeah, that linux box I plugged in DID have a DHCP server running... ooops!). I just don't understand the mentality of guys like in the top of the thread... firing the smiley face girl in your example will just bring on a replacement who is just as likely to adorn her computer with malware.
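Two of the comments above describe the same network-level safety net from different angles: the admin earlier in the thread whose packet inspector or proxy red-flags a machine as soon as it bypasses a control, and the reply here that would only let port 25 out to the limited address range the antivirus client needs for updates. The following is an added Python example, not code from any poster, showing what that egress review looks like over firewall log lines. The log format, the LAN range, the host roles (mail relay, web proxy, AV update host) and every address are constructed assumptions.

```python
"""Egress-log review: flag workstations that speak SMTP directly or reach the
web without the proxy. Added illustration; the log format, roles and
addresses are constructed assumptions, not anything from the thread."""
import re
from collections import defaultdict

# Constructed network roles (assumptions for this example).
MAIL_RELAY = "10.0.0.25"            # the only host meant to send SMTP outbound
WEB_PROXY = "10.0.0.8"              # all workstation web traffic should go via here
AV_UPDATE_HOSTS = {"203.0.113.10"}  # the narrow port-25 exception for AV updates
SMTP_BURST = 5                      # direct SMTP connections per host before "burst"

# Constructed egress record format, one flow per line, e.g.
#   "src=10.0.1.23 dst=198.51.100.7 proto=tcp dport=25 bytes=4120"
LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+proto=(?P<proto>\w+)\s+"
    r"dport=(?P<dport>\d+)\s+bytes=(?P<bytes>\d+)"
)


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_internal(ip):
    # Constructed assumption: the LAN is 10.0.0.0/8.
    return ip.startswith("10.")


def review(lines):
    """Scan egress records and return (alerts, bytes_per_host).

    alerts is a sorted list of (kind, src, count) tuples:
      direct-smtp   a workstation sent SMTP to something other than the AV host
      smtp-burst    it did so SMTP_BURST or more times (the spam-bot pattern)
      proxy-bypass  a workstation reached port 80/443 without using the proxy
    bytes_per_host totals outbound bytes per LAN host, for the bandwidth-hog
    conversation the thread also mentions.
    """
    direct_smtp = defaultdict(int)
    bypass = defaultdict(int)
    bytes_per_host = defaultdict(int)

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport = rec["src"], rec["dst"], rec["dport"]
        if not is_internal(src) or is_internal(dst):
            continue  # only LAN -> Internet flows are reviewed here
        bytes_per_host[src] += rec["bytes"]

        if dport == 25 and src != MAIL_RELAY and dst not in AV_UPDATE_HOSTS:
            direct_smtp[src] += 1
        elif dport in (80, 443) and src != WEB_PROXY:
            bypass[src] += 1

    alerts = []
    for src, n in direct_smtp.items():
        alerts.append(("direct-smtp", src, n))
        if n >= SMTP_BURST:
            alerts.append(("smtp-burst", src, n))
    for src, n in bypass.items():
        alerts.append(("proxy-bypass", src, n))
    return sorted(alerts), dict(bytes_per_host)


# Constructed sample log: a relay, an AV update, proxy traffic, one proxy
# bypass, one workstation spraying SMTP, one inbound flow and one junk line.
SAMPLE_LOG = [
    "src=10.0.0.25 dst=198.51.100.7 proto=tcp dport=25 bytes=4120",
    "src=10.0.1.40 dst=203.0.113.10 proto=tcp dport=25 bytes=900",
    "src=10.0.0.8 dst=198.51.100.20 proto=tcp dport=443 bytes=88000",
    "src=10.0.1.23 dst=198.51.100.30 proto=tcp dport=443 bytes=5000",
    "src=10.0.1.77 dst=198.51.100.11 proto=tcp dport=25 bytes=1500",
    "src=10.0.1.77 dst=198.51.100.12 proto=tcp dport=25 bytes=1500",
    "src=10.0.1.77 dst=198.51.100.13 proto=tcp dport=25 bytes=1500",
    "src=10.0.1.77 dst=198.51.100.14 proto=tcp dport=25 bytes=1500",
    "src=10.0.1.77 dst=198.51.100.15 proto=tcp dport=25 bytes=1500",
    "src=198.51.100.50 dst=10.0.0.25 proto=tcp dport=25 bytes=300",
    "not a flow record at all",
]

if __name__ == "__main__":
    found, totals = review(SAMPLE_LOG)
    for kind, src, n in found:
        print(f"{kind:13} {src:12} x{n}")
    for src, b in sorted(totals.items(), key=lambda kv: -kv[1])[:3]:
        print(f"top talker {src:12} {b} bytes")
```

The AV update host is the only destination a workstation may reach on port 25; the relay is the only source allowed to reach anything else, which is exactly the "limited IP range" carve-out the reply suggests. A box that suddenly opens SMTP to several outside hosts trips the burst rule long before a blacklist notices, and the proxy-bypass rule is the hook the earlier admin describes for red-flagging a machine that has wriggled around a control.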
I typically state that if they want to use their devices then they must sign a fictional "Disclosure Policy" which the Virus Scanners on the network must scan their device and reports a list of every file that they have on the device to me for inspection.
Most users say, "Ah, no that's fine, I won't use it" simply because they have porn or something similar they don't want me to know about!
I usually tell them (if I think they're going to plug it in anyway) that the Scanners automatically detect the presence of new devices and scan it anyway.
Sort of like a Police Radar Detector, their existence is enough to scare people into doing the right thing!
http://www.gibby.net.au
Most of the medical "professionals" & "financial genius" types I've had to deal with start out as demanding that the company I work for cater to their whims as to which software, personal printer, laptop, PC or large display from home gets installed or setup for them. In the rare instances someone would hesitate to bow before their brilliance, they would then begin to vary tactics to include:
1. Screaming obscenities.
2. I'm going to report you to...
3. I'm going to the board on this! (not joking)
4. I'm calling your boss at home!
5. I had this at the last place I worked for & I was promised it here! (not lying)
6. My husband has that software where he works & doesn't like it, I'm not having it here!
ALL of these tactics work. 2x heads of our IT area so far, the 1st started the bad habit of being utterly spineless & the 2nd has realized the futility of fighting the losing battle since the higher powers of the 4k+ employee company think...Ummm...In less than endearing terms of our "little" department/division.
How does one fix such a mess? Prayer, the damage has already been done.
I think the key is getting the Rules Set In Stone From The Beginning, not from "those computer people", but from the highest possible level of the organization. (insert prayer here)
Failing that, lock down what'ere can be & weather the storm as best ye can.
That's a really good analogy.
I find the prevalence of "If an employee is suboptimal in any way, fire them and start over" to be really creepy and upsetting.
For instance, what about that person who's slow picking up workplace policies and rhythms, but once they're caught up, phenomenal at their job? I mean, do they get to have valuable work and money for food and shelter? Or does a minor setback mean "Whoops, no job for you! Go live in a gutter!"
Any system that's going to be dealing with people needs to understand and deal with the mistakes we can't help but make.
(lisp (were (you (think (I'd)))))
Exactly.
A good plan might be to set up an intranet site listing all allowed (and specifically banned) extra-company software, with a web form for submitting suggestions. Every (increment of time), IT reviews the suggestions, and updates the banned/allowed list.
Now you still have the issue of employees working to get around bans, but if you're banning primarily malware (and have this listed next to the entry on the banned page), I don't think that will be a problem except from the genuinely malicious (who would be a problem anyway).
Also, if a company uses systems that are based off of a network image or are routinely refreshed from disk images (except the home/user directories), you could lock the computers down, and have IT update the images based on the suggestions with the most popular/requested software. The users are happy, because their programs get installed and they have agency in the process, and IT is happy because there's less room for users to destroy the systems.
As an IT guy, I could care less if Fredd Dagg office worker installs a picture of wife, kids and dog on his PC as a wallpaper.
However, the 18 year old office temp, wants pop star de jour on the desktop, downloads PussycatDolls-nekkid-screensaver-install.exe and kills the local system, puts virus infected files on the network shares, deleting or changing files they have access to and starts eating LAN and WAN bandwidth as fast possible.
Risks and issues to the company:
- IT staff time cleaning computer, network.
- IT staff time restoring backups of files.
- Possible copyright infringement exposure.
- Office temp downtime as moving resource to new PC is not "cost free". Time is money.
Do you have time to run around and personally vet each and every screensaver installation? The most cost-efficient way here to make a corporate standard, and enforce with whatever vendor supplied tools are available.
Change the above to "Photoshop", that the user downloaded from a P2P service. Anyone with a business need will have this installed by a competent administrator, license paid for and the application will be supported.
And let's not forget about the various pieces of phoney-baloney compliance legislation out there. (Sarbanes-Oxley, et al). Every year, we have to prove that the corporate information is safe, and is providing an accurate picture to our corporate overlords, who are in turn providing accurate information to the market.
An IT departments biggest threat is the person that might know a thing or two about a PC, but nothing about how to run a network. An IT department that isn't responsive to users legitimate needs will end up having more problems than it solves as users find a way to "get things done". Users aren't the enemy, nor is IT.
Q:I was listening to a CD in Grip and it sounded horrible! What's up? A:Perhaps you are listening to country music
Sorry but policy is generally in place for a reason, and in the case of things like bans on ICQ it's generally due to legislation. You might not have heard of things like Sarbanes Oxley, but IT is now legally required to make damn sure ALL company correspondence is captured and logged. If we allow just anything to be installed we are putting ourselves and the directors of the company in personal danger of criminal prosecution. Your need to have ICQ despite it being against policy is NOT worth me going to jail, no matter HOW much better you like it.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
Your need to have ICQ despite it being against policy is NOT worth me going to jail, no matter HOW much better you like it.
If users could send me to jail by installing arbitrary software, I'd sure as hell have their computers locked down. If you think that all of your users will read and memorize all of your policies, you are smoking something... you have to enforce them. And no, that does not mean firing employees to make some kind of an example of them.
It must be very sad for you that your idea of doing your job includes offending people. I do not subscribe to that belief. All this time I thought the concept of finding ways to make things work for the users was a good thing.
Trust me, I DO have them locked down. It's more the attitude that it's all the big, bad, uncooperative IT department's fault that I can't have my shiny toy that gets me. We don't do things to piss users off (at least most of us don't), we do it because it's our job to enforce company policy and the law.
Well, on the other hand - if a marketing guy comes to you and says, "I need ICQ for an online campaign we're doing." What do you do? You need to support his business needs. If necessary give him a virtual machine with keyboard logger or what have you so that you have a SarbOx record.
If he's shooting the shit with his college buddies, then yeah I agree with you.
Most likely I would suggest an alternative that we control with enterprise logging built in. If he insisted on that specific tool for a good business reason then yes, I would come up with a technology solution to meet his needs and the businesses needs. But, the business would have to realize that the more complex solution comes at a cost and would need to weigh the costs of implementing the solution vs the business benefit.
At my current place of employment we have a similar problem. Those damn Windows programs play havoc with our networks, letting viruses loose, attracting ad ware and other malware. Every day employees attempt to use personal Windows machines on our pristine net. Jeez, now some folks have personal phones that run Windows so we had to ban them as well.
Finally we laid down the law: No Windows machines in the head office or any satellite offices. No Windows CE, ME, NT, XP or Vista. Everything was going great until the CEO's trophy-wife tried to connect her Windows Mobile smart phone to our net. It seems she was still in his office when he came back from a very long lunch with his "important client", AKA his large-breasted secretary. Divorce proceedings are underway.
We use tools like smart phones and irc to DO our jobs where I work.