Oh, and another thing...most employees operate with impunity when it comes to getting their PCs all spyware'd out. If you can change that, it will help drastically.
If you find that you're wasting a lot of time removing spyware and cleaning up the mess from webshots and all the other crapware employees like to download, I think you'll find that your spyware volume will fall off sharply if you can get management approval to start charging your spyware cleanup time back to the employee's department. Once the department head has a talk with their employee about how they don't want to see another 5 hour charge for removing Troj.Vundo, the employee will be much more careful about what he/she chooses to download at work.
It's the same as any other department in your organization. If you have one sales guy and he's working 60 hour weeks every week to maintain the status quo, then maybe you should look at hiring another sales guy. Same thing for IT. A lot of it will depend on how much can be centrally managed/fixed from your desk/PDA and how much time you actually have to go and spend helping users one on one. We have about 90 users and 25 servers with one network guy (me) that also handles user support, one dba/app developer, and one manager that interfaces with the rest of the org to allocate our resources. If we were able to hire someone else, it would probably be another developer because that's where our shop sees the biggest backlog of work. Our developer spends most of his time maintaining existing apps, so he has very little time to develop new apps.
I think the biggest factors that affect the answer to your question are 1) user skill levels 2) your power users' willingness to help their coworkers 3) having a centralized helpdesk/issue tracking software where users report problems and you keep track of everything that needs fixing and prioritize, and 4) your ability to fix problems from wherever you happen to be (office, home, Blackberry, iPhone, etc).
One thing I've found helpful is interns...many times you can call down to your local community college or university and get setup with their work study program. Most of the time the interns they send you will work for free, and they're perfectly able to Ghost systems and remove spyware, freeing you up to do more important tasks.
If you can educate them to avoid malware and viruses, that's great, but usually people want to click on every popup and answer yes to every prompt, so that hasn't worked too well in my experience.
Next time you have to reinstall their computer, just create an image of the OS in its pristine newly-installed state and show them how to reimage the computer. If you wanted to make it foolproof, you could create a second partition on the hard drive that doesn't show up in Windows and store the image and imaging software there, and add a selection list that appears when they boot: 1) boot Windows 2) reimage computer. Then all you have to teach them is how to back up their bookmarks, saved passwords, e-mail, etc. You could write a script that would copy all that stuff over to a network share and another script that would automatically run upon reimaging that would copy it all back. Or, you could just set something up where all that stuff is backed up on a regular basis (which you really should do anyway), so they can just nuke it and then restore all their data afterwards.
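One way to implement the backup and restore scripts the poster describes, as an added example in PowerShell (not the poster's own script): the same script runs as the user before the reimage with `-Mode Backup` and after it with `-Mode Restore`. The share name `\\fileserver\userbackup$` and the Windows XP-era profile paths are assumptions; adjust them for your environment.

```powershell
# Added example: copy a user's profile data to a network share before a reimage,
# or copy it back afterwards. Run as the user whose data is being preserved.
# Assumptions: \\fileserver\userbackup$ exists and the user can write to it;
# Outlook PST files sit in the XP-style Local Settings path.
param(
    [ValidateSet('Backup', 'Restore')]
    [string]$Mode = 'Backup',
    [string]$Share = '\\fileserver\userbackup$'   # assumed share name
)

$user = $env:USERNAME
$dest = Join-Path $Share $user
# Per-user folder on the share; -Force makes this a no-op if it already exists.
New-Item -ItemType Directory -Force -Path $dest | Out-Null

# Profile folders worth preserving across a reimage (XP-style paths).
$folders = @{
    'Favorites'   = Join-Path $env:USERPROFILE 'Favorites'
    'MyDocuments' = [Environment]::GetFolderPath('MyDocuments')
    'Desktop'     = [Environment]::GetFolderPath('Desktop')
    'Outlook'     = Join-Path $env:USERPROFILE 'Local Settings\Application Data\Microsoft\Outlook'
    'Firefox'     = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
}

foreach ($name in $folders.Keys) {
    $local  = $folders[$name]
    $remote = Join-Path $dest $name

    # Backup copies local -> share; Restore copies share -> local.
    if ($Mode -eq 'Backup') { $src = $local;  $dst = $remote }
    else                    { $src = $remote; $dst = $local  }

    if (-not (Test-Path $src)) {
        Write-Host "Skipping $name (nothing at $src)"
        continue
    }

    # /E copies subfolders including empty ones, /XJ skips junctions so we do not
    # loop, /R:1 /W:1 keeps locked files (e.g. an open PST) from stalling the run.
    robocopy $src $dst /E /XJ /R:1 /W:1 /LOG+:"$dest\$Mode.log" | Out-Null

    # robocopy exit codes 8 and above mean at least one file failed to copy.
    if ($LASTEXITCODE -ge 8) {
        Write-Warning "robocopy reported errors for $name (exit code $LASTEXITCODE)"
    }
}
Write-Host "$Mode finished; see $dest\$Mode.log for details."
```

Close Outlook and Firefox before running the backup so their data files are not locked; the log on the share shows which files, if any, were skipped.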
This does sound very similar to what VMware implemented in vSphere 4.0 as far as nearly real-time failover where the HA mechanism is application agnostic. It sounds like with Remus you can use a single box as a failover target for multiple physical hosts, (i.e. a single failover box can protect the web server, db server and mail server assuming it is sized appropriately). Does Remus only work with physical to virtual or can you also keep two VMs in lockstep?
Try using a password vaulting app such as KeyPass, and encrypting the password database on your laptop. I'd suggest not trusting the encryption built-in to the password vaulting app and using multiple layers of encryption such as a TrueCrypt volume, whole disk encryption, etc. You can determine the level of security/usability that's right for you. You could also look at hosting the password database online so you can access it from anywhere. You could use an online backup/file hosting service for that purpose.
Keep in mind that security is inversely proportional to usability, so you'll have to make some sacrifices in terms of usability for good security. If you're not willing to make those trade-offs, then this whole exercise is probably pointless.
Instead of trying to get people to use a LiveCD, why not simply package a LiveCD as a VMware Player (or similar) appliance? Speaking from a support perspective, I think the feasibility of getting your average user to comprehend downloading and burning an ISO, figuring out how to select the CD as the boot drive, getting networking up and running, and understanding that there's no "Big Blue E" to click on in Linux is significantly less than what the author of the article thinks it is. An appliance with a hardened OS would eliminate three out of those four problems, and if banks would customize appliances for their users, then the operating system could be configured to automatically open Firefox and direct them to the online banking site.
This guy is obviously a class act douchebag. He's sued enough people previously, he must certainly be aware of the safe harbors provision of the CDA, so all this can really amount to is a publicity stunt (which, unfortunately is working...here at least). Don't the courts have some sort of method available to them to deal with people that abuse the court systems by filing frivolous lawsuits without any legal merit? Maybe if they threw him in the lockup for a few months he wouldn't be so trigger happy on the retarded lawsuit machine gun.
While I agree with others that an online mirror at a remote location or copying the data to whatever the current preferred medium is every 3-5 years are good ideas, I think you're reading too much into this. Once you've delivered the information to them, it's their job to safeguard it. Any institution that already has digital media in their collection probably already has an existing plan in place to ensure the safety of that data. I think a better approach would be to choose a good, economical archival-grade medium to deliver the information and let them decide how they want to handle it from there. If you're really worried about it, provide recommendations, but don't force a particular solution on them.
We do configure internal DNS servers on the VPN profile (obviously), but we also split-tunnel since we don't want to push all traffic over the VPN (only traffic destined for the internal LAN). If you do an ipconfig /all, it lists both the ISP and internal DNS servers. Normally this works fine because the ISP's DNS server will return an invalid hostname response and the client will query the internal DNS server.
Picard: Mr. Data, do we have a tomographic imaging scanner onboard? Data: Yes, sir.
"How'd that get in there?"
Google is your friend.