And yes, you can enable scripting per site. Or rather, on IE you have "zones". And you can set different security levels for each zone. You have your "Internet" Zone, "Trusted Sites", and even "Restricted Sites".
You can add sites and change security settings for each one of these. Trusted sites typically have less security requirements because you trust them. And that would be the proper solution to this question.
all of this made me cringe from a security point of view.
Why would this make you cringe from a security standpoint? Security is only a problem with nefarious things are intended. The act of allowing these specific ActiveX controls to run within the context of the training courses has no bearing on whether or not you are permitting other ActiveX controls to run. If the prompts annoy you, rather than simply completely turning off ActiveX security features, you should add this site to your list of Trusted Sites.
There's nothing inherently wrong with enabling IE, using IE, or using ActiveX. And within the context of this single site there's not likely to be a problem. After all, if they were using their software for malicious deeds you surely have legal rights on your side.
Active Directory and Group Policies aren't bad for simple installations, but really turn into a mess quickly depending on your setup. <<< Incorrect. If you set it up properly then it's not as messy.
In old school NT4 environments where the Administrators built their Windows 2000 domains around their NT4 domains, yes, it can be hell. But these days you find less and less of that.
The only other mess that can be had is usually related to merging businesses and merging users into one centrally managed domain. Though this is much easier now with Windows Server 2003 Forest Trusts and forest renaming.
Do you not implement a password policy just because it's possible to brute force passwords?
Just because a particular policy is "easy to work around" does not mean you do not implement it.
See, here's the deal. If you implement a security policy at work, it implies to the end user "you should not be doing this." With that knowledge in mind, you can very easily use that information to help fire a user that bypasses security mechanisms.
But not all policy settings have to do with "preventing" users from doing anything. A lot of it has to do with providing a unified environment for the user to work in.
For example, adding various internal application websites to trusted sites so active x controls (or various other scripts) can run unimpeded. Perhaps different departments need a separate group of trusted sites? You can move the computer between departments logically and not have to take your time out of the day to re-image a corporate machine.
There is a gray between "root access" and "dumb terminal" mode. Windows allows you to mess around with that gray area.
Also, even for the policies that have to do with security--it will stop at least most of the rudimentary "attacks" that people will try. Sure, you can bypass a lot of security. A few weeks ago some guy released a tool that MITM attacks HTTP in order to grab what should be HTTPS data. Does that mean we just throw our hands up in the air and not use HTTPS?
In fact, I would argue that "dumb terminal" mode is not in line with corporate work policies. You want users to be able to install some software, but you need to be able to manage their machines. I have yet to work in an environment that was so locked down that a dumb terminal would achieve the same thing.
You have groups of people all requiring different things. Some that use business laptops for personal use on business trips, etc. And in most cases there's no problems with allowing that. But you still need to be able to manage it when it joins your company network.
Computers, at least those running Linux, should only rarely need to be physically moved. As I pointed out, Linux package managers are mature and flexible enough to completely redefine a given computer's role without physically moving it.
"you push through a change to/etc" means setting up some sort of delivery system to do so, with the computer on, and either SSH'ing into each machine that's required and running the required download function or setting up a script to do it from the server side while the computers are on.
In group policy, you drag and drop these machines to a new OU. Drag and drop the users in AD to a new OU.
They turn on computers and log in the next time and they get the policy.
It's finished, done. There's no trying to figure out HOW to get the changes to the machine, that's taken care of for you.
Unfortunately what the OP asked for has very little to do with "security" i.e. viruses, worms, trojans--and a whole lot to do with corporate policy.
Group Policy can be used for a multitude of things, not the least of which is application rollout, application settings rollout (hello server 2008), and so forth and so forth.
You can very quickly and easily add trusted sites to your environment with a few mouse clicks and having users relog/reboot will update accordingly.
All of this completely regardless of having to setup individual scripts to manage it, nor without understanding the core of what goes behind it.
All of these functions are doable in a linux environment, but are all separate from each other. And on top of that, you need to understand a lot of the applications in far more depth than you do on the Windows environment.
Take that for what you will, but computers are tools. Like other tools, the operator does not necessarily have to be the architect. Though the architect will know more about the tool than the operator and can probably operate it in a much more efficient manner, it's not necessary.
Except you aren't quite getting what it does. It actually does solve a lot of problems and does it on the cheap.
There is a reason why Windows is popular. It is significantly cheaper and far more proven than anything any single person could come up and say works.
Your few scripts that you wrote that require you to support it when things break here or there in no way can compete with the proven Windows domain infrastructure.
You kids still think that what the OP is asking for has anything to do with "preventing users from doing something harmful to the computer".
Get it out of your heads. Many of the things group policy can do has nothing to do with "security" or "preventing users" from doing anything. It has a lot to do with quickly standardizing departments, offices, rooms, or whatever your business structure is.
When you move a computer to a different department you simply drag the computer in AD to the different OU and BAM! That computer now gets everything new with its policies. There's no bringing the computer in to the IT department and reloading its configuration with "Configuration A for Department B".
Want to make a change to how a whole department does things? There's no pushing a script out later on to the whole department. You simply change it in group policy and the entire thing gets taken care of automatically.
You can spend more time focusing on actually getting shit done than fussing around with HOW to solve the problem with roundabout tool sets.
Multiply this by about 500 machines, and then the ability to later on down the road be able to change it without having to completely redo them or find some screwed up roundabout way to push out to every machine via scripts...
You'll quickly turn to the Windows way of doing it.
But this doesn't stop Comcast from entering a price war in certain areas against Verizon to help stave off defection.
Also, there's no real way for you to compete in the "free market" when it's dominated by only big players.
"Free market" works in small town scenarios. You setup a store, I setup a competing store. And we go at it to try and get as many customers as we can.
As soon as one of those sides becomes "huge multinational corporation", you quickly run into some problems.
You setup a hotdog stand, they setup a hotdog stand. Their hotdog stand is 1 of 30,000 hotdog stands. My hotdog stand is just my own.
They can discount their hotdogs, offer sweet deals, invest more money in larger advertising. Give away t-shirts, have a website, sign up sports deals, TV commercials.
Best you can do is a sign out front saying "GREAT HOTDOGS!" and word of mouth.
Before you know it, your business is dried up as you operate at a loss--they go on, and their hotdog stand becomes the monopoly.
We all know monopolies are a problem. They have proven to be. They have proven to be such a problem that we have laws against it.
There is a reason we have such regulation. Just read a little bit of history.
I know you may have some weird views about some sort of utopian view about "free market capitalism" with no government intervention...but just look back at history..Bayer invented heroin...Coca Cola used to actually have Coca in it...And these are just two of who thousands of examples of what people were doing to themselves and others during that time.
How? "give them multiple choices". How exactly do you propose this?
If the existing companies make the barrier to entry artificially high and in favor of them, how do you "enter" that market?
Even if you tried to start small and work your way up (like any normal company), the dominant utility could shove you out before you even made a profit.
Your right to freedom of speech has long been taken away, long before "governments" ever got involved.
Your right of freedom to absorb whichever information you or your family chooses has long been taken away, long before governments got involved.
Did you know the movie rating system has 0 government intervention? Furthermore, it's completely "voluntary" on the part of movie companies whether or not they want their movie rated. I placed voluntary in quotes because there's the catch all that movie theaters don't actually play unrated movies.
Your right to allow yourself or your child to certain information (whether it be a movie, a video game, or book) is nearly completely taken away from you by people that have nothing to do with the government.
In fact, the only reason they're allowed to do this is because it has not been tested by law (that I know of).
Now, you could argue that you can wait for more available copies to be produced, such as home video content, or a streaming version--but then there's this huge change in what it means for teenagers to be social.
No, I'm not a child. I do have one, however. And she's going to be getting older and these are issues I'm surely going to have to deal with.
Also of note: Most movie theaters do not give you as a parent the option of providing a "pass" for your child to attend a movie. But they have tons of systems in place to prevent them from doing so.
It would work until the 2 suppliers abuse the pricing system and fix pricing to keep themselves profitable. Particularly if the barrier to entry on new competition is very high and regulated by said companies.
The "splitting" didn't really work for the phone companies either. Not 20 years later "Ma Bell" is almost back together again, having gobbled up all of the smaller phone providers.
Other than instituting caps to help stifle competing services, not really.
It's become a hot issue lately as bandwidth usage across the board is on the rise particularly due to streaming video.
Youtube takes up a vast majority of the internet's available bandwidth and ISPs are complaining about that.
Many of these doubling as both phone and cable tv operators, they're worried about the internet dipping into their profits on those services.
Right now, a cable operator can charge you a separate fee for both internet, tv, and phone. But since the internet has become powerful enough to be a reasonable phone and a reasonable TV mechanism, they lose out on this extra revenue stream as people switch off their cable service to go exclusively to internet service.
The only reason they haven't tried it just yet is they're afraid of the backlash.
How do you go from "plenty of democrats are opposed to net neutrality" and then turn and say "it's a very liberal agenda"?
I'm not quite sure how you are able to make that statement.
I'm a very liberal person, and I 100% support network neutrality. The idea of networks not being neutral has far reaching implications to our information structure that isn't just about piracy.
We are already seeing the "market" trying to cap internet growth. With recent caps instituted by Comcast and other cable operators, we're seeing competition (in the form of internet streaming services) being held down.
If Comcast could get away with it, they would just charge you extra money for "high bandwidth use" (internet streaming). This cap is their way of instituting this functionality without actually coming out and saying it directly.
Furthermore, what they really want to do is charge the providers of these services. So while Comcast charges its customers, and say, AT&T charges its customers. Comcast wants to charge AT&T's customers to have "priority" bandwidth on their network. And that's where the idea of "network neutrality" comes into play. That all data should be treated equally, rather than separately on tiers.
So this way, Comcast would charge netflix to deliver "priority" packets to Comcast's customers. Netflix's ISP would charge Netflix to have any access to the internet at all. Comcast would charge its users for access to the internet, and then again charge its users for "priority" access to netflix.
Slashdot Mirror
His comments regarding the perception of performance of the computer have no bearing on whether he should or should not allow the site to use IE.
Completely terrible analogy to make.
And yes, you can enable scripting per site. Or rather, on IE you have "zones". And you can set different security levels for each zone. You have your "Internet" Zone, "Trusted Sites", and even "Restricted Sites".
You can add sites and change security settings for each one of these. Trusted sites typically have less security requirements because you trust them. And that would be the proper solution to this question.
Why would this make you cringe from a security standpoint? Security is only a problem with nefarious things are intended. The act of allowing these specific ActiveX controls to run within the context of the training courses has no bearing on whether or not you are permitting other ActiveX controls to run. If the prompts annoy you, rather than simply completely turning off ActiveX security features, you should add this site to your list of Trusted Sites.
There's nothing inherently wrong with enabling IE, using IE, or using ActiveX. And within the context of this single site there's not likely to be a problem. After all, if they were using their software for malicious deeds you surely have legal rights on your side.
Key points on your post:
It was hell to set up <<< Yes, yes it is.
Active Directory and Group Policies aren't bad for simple installations, but really turn into a mess quickly depending on your setup. <<< Incorrect. If you set it up properly then it's not as messy.
In old school NT4 environments where the Administrators built their Windows 2000 domains around their NT4 domains, yes, it can be hell. But these days you find less and less of that.
The only other mess that can be had is usually related to merging businesses and merging users into one centrally managed domain. Though this is much easier now with Windows Server 2003 Forest Trusts and forest renaming.
Do you not implement a password policy just because it's possible to brute force passwords?
Just because a particular policy is "easy to work around" does not mean you do not implement it.
See, here's the deal. If you implement a security policy at work, it implies to the end user "you should not be doing this." With that knowledge in mind, you can very easily use that information to help fire a user that bypasses security mechanisms.
But not all policy settings have to do with "preventing" users from doing anything. A lot of it has to do with providing a unified environment for the user to work in.
For example, adding various internal application websites to trusted sites so active x controls (or various other scripts) can run unimpeded. Perhaps different departments need a separate group of trusted sites? You can move the computer between departments logically and not have to take your time out of the day to re-image a corporate machine.
There is a gray between "root access" and "dumb terminal" mode. Windows allows you to mess around with that gray area.
Also, even for the policies that have to do with security--it will stop at least most of the rudimentary "attacks" that people will try. Sure, you can bypass a lot of security. A few weeks ago some guy released a tool that MITM attacks HTTP in order to grab what should be HTTPS data. Does that mean we just throw our hands up in the air and not use HTTPS?
In fact, I would argue that "dumb terminal" mode is not in line with corporate work policies. You want users to be able to install some software, but you need to be able to manage their machines. I have yet to work in an environment that was so locked down that a dumb terminal would achieve the same thing.
You have groups of people all requiring different things. Some that use business laptops for personal use on business trips, etc. And in most cases there's no problems with allowing that. But you still need to be able to manage it when it joins your company network.
Computers, at least those running Linux, should only rarely need to be physically moved. As I pointed out, Linux package managers are mature and flexible enough to completely redefine a given computer's role without physically moving it.
Hello laptops...
jbolden:
/etc" means setting up some sort of delivery system to do so, with the computer on, and either SSH'ing into each machine that's required and running the required download function or setting up a script to do it from the server side while the computers are on.
"you push through a change to
In group policy, you drag and drop these machines to a new OU. Drag and drop the users in AD to a new OU.
They turn on computers and log in the next time and they get the policy.
It's finished, done. There's no trying to figure out HOW to get the changes to the machine, that's taken care of for you.
And with Group Policy Preferences you can configure that for virtually any application that uses the registry.
Mikedawg:
Unfortunately what the OP asked for has very little to do with "security" i.e. viruses, worms, trojans--and a whole lot to do with corporate policy.
Group Policy can be used for a multitude of things, not the least of which is application rollout, application settings rollout (hello server 2008), and so forth and so forth.
You can very quickly and easily add trusted sites to your environment with a few mouse clicks and having users relog/reboot will update accordingly.
All of this completely regardless of having to setup individual scripts to manage it, nor without understanding the core of what goes behind it.
All of these functions are doable in a linux environment, but are all separate from each other. And on top of that, you need to understand a lot of the applications in far more depth than you do on the Windows environment.
Take that for what you will, but computers are tools. Like other tools, the operator does not necessarily have to be the architect. Though the architect will know more about the tool than the operator and can probably operate it in a much more efficient manner, it's not necessary.
Except you aren't quite getting what it does. It actually does solve a lot of problems and does it on the cheap.
There is a reason why Windows is popular. It is significantly cheaper and far more proven than anything any single person could come up and say works.
Your few scripts that you wrote that require you to support it when things break here or there in no way can compete with the proven Windows domain infrastructure.
You kids still think that what the OP is asking for has anything to do with "preventing users from doing something harmful to the computer".
Get it out of your heads. Many of the things group policy can do has nothing to do with "security" or "preventing users" from doing anything. It has a lot to do with quickly standardizing departments, offices, rooms, or whatever your business structure is.
When you move a computer to a different department you simply drag the computer in AD to the different OU and BAM! That computer now gets everything new with its policies. There's no bringing the computer in to the IT department and reloading its configuration with "Configuration A for Department B".
Want to make a change to how a whole department does things? There's no pushing a script out later on to the whole department. You simply change it in group policy and the entire thing gets taken care of automatically.
You can spend more time focusing on actually getting shit done than fussing around with HOW to solve the problem with roundabout tool sets.
Multiply this by about 500 machines, and then the ability to later on down the road be able to change it without having to completely redo them or find some screwed up roundabout way to push out to every machine via scripts...
You'll quickly turn to the Windows way of doing it.
mod parent up. ding ding ding.
bugs2squash:
The question isn't whether or not it's possible, it surely is. The question is whether or not it has been done, tested, and proven.
It has not.
To protect the users from themselves...PXE booting is not the answer.
He wants to enforce things such as proxy settings, desktop settings, auditing, etc.
SELinux is not what he's looking for.
And now you know why Windows dominates the enterprise market.
Good luck.
how many OEMS are going to go out of their way to load Firefox or an alternative browser as the default?
Just like the amazing uptake of Windows N, right?
But this doesn't stop Comcast from entering a price war in certain areas against Verizon to help stave off defection.
Also, there's no real way for you to compete in the "free market" when it's dominated by only big players.
"Free market" works in small town scenarios. You setup a store, I setup a competing store. And we go at it to try and get as many customers as we can.
As soon as one of those sides becomes "huge multinational corporation", you quickly run into some problems.
You setup a hotdog stand, they setup a hotdog stand. Their hotdog stand is 1 of 30,000 hotdog stands. My hotdog stand is just my own.
They can discount their hotdogs, offer sweet deals, invest more money in larger advertising. Give away t-shirts, have a website, sign up sports deals, TV commercials.
Best you can do is a sign out front saying "GREAT HOTDOGS!" and word of mouth.
Before you know it, your business is dried up as you operate at a loss--they go on, and their hotdog stand becomes the monopoly.
We all know monopolies are a problem. They have proven to be. They have proven to be such a problem that we have laws against it.
There is a reason we have such regulation. Just read a little bit of history.
I know you may have some weird views about some sort of utopian view about "free market capitalism" with no government intervention...but just look back at history..Bayer invented heroin...Coca Cola used to actually have Coca in it...And these are just two of who thousands of examples of what people were doing to themselves and others during that time.
How? "give them multiple choices". How exactly do you propose this?
If the existing companies make the barrier to entry artificially high and in favor of them, how do you "enter" that market?
Even if you tried to start small and work your way up (like any normal company), the dominant utility could shove you out before you even made a profit.
Your right to freedom of speech has long been taken away, long before "governments" ever got involved.
Your right of freedom to absorb whichever information you or your family chooses has long been taken away, long before governments got involved.
Did you know the movie rating system has 0 government intervention? Furthermore, it's completely "voluntary" on the part of movie companies whether or not they want their movie rated. I placed voluntary in quotes because there's the catch all that movie theaters don't actually play unrated movies.
Your right to allow yourself or your child to certain information (whether it be a movie, a video game, or book) is nearly completely taken away from you by people that have nothing to do with the government.
In fact, the only reason they're allowed to do this is because it has not been tested by law (that I know of).
Now, you could argue that you can wait for more available copies to be produced, such as home video content, or a streaming version--but then there's this huge change in what it means for teenagers to be social.
No, I'm not a child. I do have one, however. And she's going to be getting older and these are issues I'm surely going to have to deal with.
Also of note: Most movie theaters do not give you as a parent the option of providing a "pass" for your child to attend a movie. But they have tons of systems in place to prevent them from doing so.
N1AK:
It would work until the 2 suppliers abuse the pricing system and fix pricing to keep themselves profitable. Particularly if the barrier to entry on new competition is very high and regulated by said companies.
The "splitting" didn't really work for the phone companies either. Not 20 years later "Ma Bell" is almost back together again, having gobbled up all of the smaller phone providers.
Or we could regulate areas that require regulation and prevent pricing from being abnormally inflated due to a lack of competition in the market.
Other than instituting caps to help stifle competing services, not really.
It's become a hot issue lately as bandwidth usage across the board is on the rise particularly due to streaming video.
Youtube takes up a vast majority of the internet's available bandwidth and ISPs are complaining about that.
Many of these doubling as both phone and cable tv operators, they're worried about the internet dipping into their profits on those services.
Right now, a cable operator can charge you a separate fee for both internet, tv, and phone. But since the internet has become powerful enough to be a reasonable phone and a reasonable TV mechanism, they lose out on this extra revenue stream as people switch off their cable service to go exclusively to internet service.
The only reason they haven't tried it just yet is they're afraid of the backlash.
How do you go from "plenty of democrats are opposed to net neutrality" and then turn and say "it's a very liberal agenda"?
I'm not quite sure how you are able to make that statement.
I'm a very liberal person, and I 100% support network neutrality. The idea of networks not being neutral has far reaching implications to our information structure that isn't just about piracy.
We are already seeing the "market" trying to cap internet growth. With recent caps instituted by Comcast and other cable operators, we're seeing competition (in the form of internet streaming services) being held down.
If Comcast could get away with it, they would just charge you extra money for "high bandwidth use" (internet streaming). This cap is their way of instituting this functionality without actually coming out and saying it directly.
Furthermore, what they really want to do is charge the providers of these services. So while Comcast charges its customers, and say, AT&T charges its customers. Comcast wants to charge AT&T's customers to have "priority" bandwidth on their network. And that's where the idea of "network neutrality" comes into play. That all data should be treated equally, rather than separately on tiers.
So this way, Comcast would charge netflix to deliver "priority" packets to Comcast's customers. Netflix's ISP would charge Netflix to have any access to the internet at all. Comcast would charge its users for access to the internet, and then again charge its users for "priority" access to netflix.