Slashdot Mirror


User: SatanicPuppy

SatanicPuppy's activity in the archive.

Stories: 0
Comments: 5,385

Comments · 5,385

  1. Re:What about the other half? on Young Employees Pose Increasing Risk to Networks · Score: 1

    I'm a decision maker locally, but not nationally, and nationally is where the policy is set. I went to bat for IM once before and it bit me in the ass, and I'm not doing it again. Comparing lack of IM to slavery is just a tiny bit of a fallacy.

    Security isn't why anyone uses windows, but it is why people like me have to lock down third party applications. The more crap you run on a windows machine, the less secure it is, and that goes double for any application that connects to the internet.

    Low UID means nothing. I got my first paying tech job in 1992, 10 years before I signed up for a /. account, which means I've got a decent amount of experience. One of the first things I did was networking, which back then, meant Novell. Even so, I've never seen a decent-sized business without a windows machine, and I haven't had someone who had a lot of experience come up to me and say, "Well you're using Windows so you must not care about security" since about 1997, when MS Office dominated the world. In 1999 I was working my way through post grad, and didn't have time to surf newsgroups, so you can feel free to lord that extra 18 months of no doubt enlightening /. experience over me.

  2. Re:Ug. Terrible article. on Young Employees Pose Increasing Risk to Networks · Score: 1

    Fired eh? For treating a secure network like a secure network, and not like a kiddie pool for helpless users?

    People wonder why there are constant security problems, and the reason is because everyone assumes that anyone who is on the inside is friendly. But social engineering and incompetence can bring your network down in a second, can expose customer data, cause corporate nightmares, everything.

    The way to prevent that is to trust NO ONE, not to be all happy and nice and just assume you'll never get hit.

    Talk to any programmer; user submitted data must be treated like it's straight from a hacker, EVERY TIME. Networking is just the same. Don't fill your systems with tons of directories that belong to "Everyone"; don't ever chmod 777...In a well secured system that last digit should almost always be 0 anyway. If someone doesn't need access to a resource as part of their job, they shouldn't have it.

    These days the problems keep increasing, while the number of people around to deal with them keeps shrinking. To be safe, you have to minimize the places where things can go wrong and that means approved software, locked down systems, aggressive firewalling and network monitoring, and all kinds of crap that chafes users.

    People who put user comfort above security deserve what they get.

  3. Re:Funny that on Young Employees Pose Increasing Risk to Networks · Score: 1

    It honestly took me a minute to work out whether you were being serious or being humorous. The 10:00 curfew line is pretty funny, and being sued for downloading music? Classic. And private schools? You went to private school and you're complaining about money?

    I did eventually decide you were being serious though, and that makes me sad.

    You're in the same boat everyone is in. I know people my age who still have 50k in college loans, and I know people my age who left school with 100k in college loans. So your family doesn't make little enough money to qualify for financial aid? That's not breaking my heart.

    Everyone has all their rules forced on them by the older generation, that's been true forever. Politicians don't listen to anyone outside of voting season, and if you don't vote, as many young people DON'T vote, you can't complain that they don't care about you. Why should they?

    It's not that you shouldn't complain. Everyone should complain. What's annoying as fuck is when you say, "Everyone else had it soooo easy."

  4. Re:What about the other half? on Young Employees Pose Increasing Risk to Networks · Score: 1

    Ooooo, you've got a lower /. ID than me. Truly, that doth add weight to your argument.

    Making a dig on Windows is amazingly pointless. Who has a choice in this market, especially in the context of an article about a survey by symantec? No one. So why throw down on someone who is dealing with the crap? Just for fun?

    This activity is, in fact, acceptable, according to the good old "employee code of conduct". Instant Messenger is not.

    I'm sure you're productive every instant you're at work...With such a low UID, you surely MUST be.

  5. Re:And old People... on Young Employees Pose Increasing Risk to Networks · Score: 1

    Yep. I get around the tendency of my superiors to ask for my password by making my password so long and torturous that they give up halfway through and ask me to set them up a user account.

    The only exception is, of course, the superuser account. It's ironic that that is the only password that usually has to be known by more than one person, and it is the one that could cause the most problems in the wrong hands.

  6. Re:What about the other half? on Young Employees Pose Increasing Risk to Networks · Score: 1

    We just block the ports. Saves arguments down the line. I've not yet had anyone (besides me ;) want to use BitTorrent, but given the nature of the business I can't imagine a situation where that would be acceptable...No files that they need are too big for FTP, and we have decent bandwidth.

  7. Re:What about the other half? on Young Employees Pose Increasing Risk to Networks · Score: 1

    Lot of people are bitter about all the MCSEs, because a lot of them get hired just because they have an MCSE, and not because of any skill. It's especially irritating when you have the experience and you're passed over because you lack the cert.

    I've known both types. I work with a Windows guy right now. He's just got the cert, and no formal CS/IT education. He's diligent, and windows-knowledgeable; his AD is set up correctly, and "clean". The admin stuff he does well. He's capable of reading the book, and learning new things. He and I butt heads over the places where our areas of responsibility collide, but that's normal.

    So I don't immediately decide that MCSE == incompetent, but it doesn't have any weight with me in the other direction either. Certifications don't mean much really; I've hardly ever learned anything in a Cert class, and I've never gone into one with any other goal than just to get the piece of paper to prove I know what I already knew.

  8. Re:Ug. Terrible article. on Young Employees Pose Increasing Risk to Networks · Score: 1

    Generally those decisions aren't made by knowledgeable people...They're made by policy wonks who don't really know what they're talking about. A good rule is firm, but allows for exceptions. When I first got here, they were psycho about the web browsers, which is one of my pet peeves...The LEAST secure browser is the one everyone already has to use: IE. So if people want to use something else, that should be encouraged, and we let people choose within reason.

    I sympathize with you with regards to the ancient equipment and the OSS. I had an uphill battle with linux, initially, until I realized belatedly that all the magic boxes that were admined by corporate were linux, and that the corporate guys were delighted to turn it over to me. That placated my bosses, and made it easier for me to install more of the stuff in the name of "standardization". Not much you can do though if the people in charge are uninformed (like my bosses who were afraid to use linux even though some of the most critical machines in the building already WERE linux) and unwilling to inform themselves.

  9. Re:What about the other half? on Young Employees Pose Increasing Risk to Networks · Score: 2, Interesting

    Don't get me started. Bunch of damn photographers didn't want to have to keep plugging their laptops in. We set up wireless for all the salespeople, but the photo people were too far away to get it (and didn't have the budget clout to get the corporate-mandated cisco hardware), so they try to set up their own without telling anyone.

    First thing I know of it, I come in and see that there is another DHCP server on my network, and that it's running a 192 subnet, AND that there are damn 15 users...The router was sitting on a window ledge and the people at the coffee shop three doors down were logging on to it because the bandwidth was better.

    To say I lost my shit would be an understatement. I'd locked down all the "public" ports, so someone couldn't just sneak into the building and plug something in in a conference room, but I hadn't locked them all down because it was too much of a p.i.t.a. After that I had to, and register every MAC address, which pisses people off of course, because it adds a big headache for everyone who brings a laptop into the building and just needs internet access, but if you can't trust people to obey the rules...

    I tout it as a proactive security measure, but it's really just another headache with little benefit. I tried setting up an internet only subnet for all the ports that people only used occasionally, but it was more trouble than it was worth.

  10. Re:What about the other half? on Young Employees Pose Increasing Risk to Networks · Score: 1

    Oh absolutely! I see it more in applications, a lot of the time...People who don't understand the application are terrified of doing anything in a way different from what they were taught, because if they break it, they can't fix it.

    On the other hand, someone who understands it, someone who knows how to fix the problems, and who can adapt if the situation changes, they're fine with things changing. They aren't afraid of it, so they're more relaxed.

    If you really understand the worst case scenario, it's not so scary. If you only know that there IS a worst case scenario, it's terrifying. If you have no knowledge of the worst case scenario, you're fearless.

  11. Re:What about the other half? on Young Employees Pose Increasing Risk to Networks · Score: 1

    Eh. As you can probably imagine, I'm not allowed to talk to the users very often. My primary specialties are Unix, Code, and Databases (all about the same level, though "databases" isn't much of a specialty). The sysadmin thing is just a little something extra that you sort of get foisted off on you these days as a booby prize, if you can do the work. I don't have any current certs ATM...I was linux certified at one point, .Net at one point, and Cisco at two points. Mostly I'm self-taught, though I've a degree from a reputable 4 year institution.

    I know what you mean, certainly. I dealt with a guy on Friday, IT in another part of the corporation, who spent all day telling me that I was wrong about the problems on his network. The fact that he had three machines that (together) did more bandwidth than all the rest of their machines and all of OUR machines COMBINED, he dismissed as "people visit a lot of high bandwidth websites with those." WTF? The damn machine had used almost 5gigs by 9:00am...I didn't think they had enough external bandwidth to ALLOW that, and I know damn well they didn't get that by WEBSURFING. The problem had been widely known through their company; they'd added more bandwidth, rewired the inside of the building, but nobody ever looked at the goddamn logs! Amateur hour.

    I don't often give people the benefit of the doubt any more...I just had to walk a guy with an IT degree (who doesn't work in IT) through the process of figuring out what his IP was. But if someone proves to me that they're competent and they can hack it, and they prove to their boss they can be trusted with the extra privileges, I'll do whatever I can to make their job easier.

  12. Re:What about the other half? on Young Employees Pose Increasing Risk to Networks · Score: 1

    Spare me the Windows crap. Hardly anyone has the authority to make that sort of choice in the IT world, and your dig concerning it does little but show inexperience. If I did have a choice, I'd probably have more Macs. Having gone through Linux-on-the-desktop a few times, I'm not prepared to go through it again right now, though I've exponentiated Linux-in-the-server-room since I got here.

    Shrug. I could be doing a lot of things. Mostly what I'm doing right now is working on a goddamn automated data transfer, and it takes about 1 post to run, and it keeps kicking out errors. Since I'm working through lunch, I doubt anyone will complain. And I'm real nice about people's web usage.

    I do occasionally feel guilty smacking down people who would use the extra access for good stuff, and I've been known to make exceptions (with occasional dire warnings about what I'll do to 'em if they misuse it). But mostly I'm dealing with arrogant liberal arts majors who get really pissy whenever someone has the audacity to trump their will, and I tend to not be willing to make exceptions in that case. Thankfully I don't have to do as much of it these days (I make the windows guy deal with 'em ;)

  13. Re:What about the other half? on Young Employees Pose Increasing Risk to Networks · Score: 2, Insightful

    The first school I went to was a joke. Terrible network policies, crappy equipment, mediocre connections in the dorms. The systems were weak and poorly secured...The servers were hilarious; you could take 'em down with any resource-hogging program, just as a lark. The admins were clueless and therefore rigid and authoritarian.

    The next school I went to was the exact opposite: huge network, sexy unix mainframes, fibre to the dorms, effectively unlimited bandwidth. I still managed to crash a mainframe every now and then, but it took a lot more work (stupidity), and it always got a response from the admins...Not a bad response either; I got access to the code-test mainframes my freshman year. A quick and easy approval for a privilege I didn't even know existed, and one which they were not required to offer me. The admins were well paid; they were there to support the student systems and to support the research labs from which the grant money flowed like wine.

    I always try to be more like the latter than the former. You should always try and help well-intentioned people whenever possible, especially when they're working toward a goal that you're supposed to support. But there is a limit.

  14. Re:What about the other half? on Young Employees Pose Increasing Risk to Networks · Score: 1

    If they DO need that access, then more power to 'em. My biggest problem with that type of user is their attempts to subvert the standard development environment.

    I did a guy a favor once and installed a bunch of compilers and libraries for him to "play with" and it snowballed into a shit storm because he immediately stopped working with the stuff he was supposed to be working with and started using the stuff I'd foolishly installed. Lesson learned.

    Most of the time the sort of "tech user" I'm talking about doesn't have a tech job...They're in marketing or some crap.

  15. Re:What about the other half? on Young Employees Pose Increasing Risk to Networks · Score: 1

    The reason people complain about IT so much is that there really are places out there who think it is their entire job to prohibit users from doing anything.

    If someone really needs that access, what would you suggest I do? Give it to them right there inside the protected network? Or put them out where I put everything that needs unusual access? And once they're there, their extra access is noted on the monthly security audits, and any problems that come down on them would come down on them the same as if they'd lost a laptop containing the same information.

    Not much of a risk anyway. My DMZ is more restricted than the rest of the network, in many respects.

  16. Re:What about the other half? on Young Employees Pose Increasing Risk to Networks · Score: 1

    Oh an impact; sounds like you work in advertising.

    It's my problem when I open up something that causes a meltdown because someone wants a service that has no practical benefit to the company. That is an impact. Not allowing a tool that someone is in love with because I feel like it offers no benefit that outweighs the risk...That's sound security practice.

    We opened up IM for a while a few years back. Unfortunately for the users it was during the height of SoX, so we logged everything...We were getting bought out, so it was the law. Lot of users had made a big stink over the "impact" of no IM, so I took a certain amount of satisfaction when the corporate auditors went over the IM logs. Now we're back to no IM, because obviously no one uses the internal stuff.

  17. Re:Unauthorized software on Young Employees Pose Increasing Risk to Networks · Score: 2, Informative

    Yea, the government. 'Nuff said.

    Restricting browsers and stuff is amateur hour. I'll let anyone install pretty much any professional-grade software they can convince someone to pay for. I'm OSS friendly, but I'd prefer a heads up, or at least I'd prefer to know that the guy installing the software gets a good binary and checks the hash.

    I restrict all my subnets pretty tightly, so I'm not worried about a lot of stuff leaking out if someone installs something bad. We don't really have problems with email viruses. I lock down the network mainly for convenience; most business environments only need a handful of ports available to the outside, and even fewer inbound.

  18. Re:What about the other half? on Young Employees Pose Increasing Risk to Networks · Score: 0

    So you think that you should be trusted with more access because you're running password crackers on your coworker's machine?

    It's exactly that sort of script-kiddie crap that worries me about the guy who "knows more than the IT people do."

    Put yourself in my shoes: what would you do if it came to your attention that someone in one of the departments you support was cracking passwords for people? I'm trying to come up with a security issue on the same level. Cloning access cards? Copying keys? If I report it to management on any level, you'd be fired because managers live in fear that you'll read their seeecret files.

    You can't do that kind of crap in a business environment. It's like the guy who sets up the unauthorized wireless router on the network, just by plugging it into the wall and getting an address through dhcp...Now I've gotta turn fucking DHCP off because of dumbasses who are perfectly willing to plug a wireless router into a secure network, and then I've got to lock the IPs to mac addresses, and THEN I have to lock it to mac address and hardware signature because of bright boys like you who are willing to compromise the entire system to make things easier for themselves.

  19. Re:What about the other half? on Young Employees Pose Increasing Risk to Networks · Score: 2, Insightful

    It's not my job to convince you, it's your job to convince me. If you can't convince me, that's not my problem.

    Case in point, Instant Messenger. I get people trying to sell me on instant messenger all day long...They want to use it for inter-departmental discussion. Okay. So I set up an internal IM server, and gave everyone access. No, it's not enough. We need to talk to people in other business units. Ok. Fine. I set it up corporate wide, and route all the traffic through secure tunnels. No, it's not enough, we need to talk to customers. Too bad, use email.

    Really, people want to talk to their friends in other locations. So I should open up my network to the sort of vulnerabilities that come with AIM and the other big services, just so they can goof off? I bend over backwards to provide the functionality they say they need, until it becomes obvious that they just want a toy. Not my responsibility to provide this. Learn to use email.

    I know a lot of places are run by paranoid morons who are afraid of web browsers and Open Office; I get it. But that doesn't mean that there are no real security concerns, and it doesn't mean that all rules are arbitrary.

  20. Re:What about the other half? on Young Employees Pose Increasing Risk to Networks · Score: 1

    No, see I do work in IT, so it's justified. ;)

  21. Re:Funny that on Young Employees Pose Increasing Risk to Networks · Score: 3, Insightful

    One of my first jobs out of college was being hired into a situation where they had downsized everyone who had 10+ years of experience and replaced them all with kids straight out of college. You can imagine how the managers and supervisors, all of whose friends we were replacing, treated us.

    It definitely goes both ways. Sucks for him that he took it in the ass, but it happens. I remember showing up for work during the dot bomb and finding the doors chained shut. Yee haw. Had my 20 months of "freelancing" (e.g. scrabbling for consulting gigs and contract work in an economy saturated with out of work professionals). Tons of fun.

    Now I'm in my 30's and am probably one of the "middle aged" bastards he was talking about since he's a gen y kid and "middle age" can usually be calculated by adding 10 years to your current age. I remember being a know-it-all kid, and thinking I was better than people who'd worked their way up. Sometimes I was, but that doesn't change the fact that not everyone gets to start at the top.

  22. Re:Unauthorized software on Young Employees Pose Increasing Risk to Networks · Score: 1

    In answer to your questions, yes, it's all unauthorized. I think your company is run by a bunch of goobers though.

    Here we block most everything at the firewall. You can have whatever browser you want. We allow iTunes and similar. You need something else, let us know, and if there is a valid work reason for it, we allow it.

    Any company that doesn't remove regedit or similar is asking for pain.

  23. Re:What about the other half? on Young Employees Pose Increasing Risk to Networks · Score: 3, Insightful

    Firefox: If places don't allow multiple browsers, that's their own fault. Just stupid.

    VNC: If it's needed for the job, I'd have it installed, or some other similar remote management program...VNC isn't all that feature rich. You'd probably need NAT for that as well, and you ought to run it through a tunnel. Otherwise, I am the firewall gestapo. I open ports for no one, and if you try to local proxy all your traffic out through 80 I will notice.

    SSH: See above, except for the tunnel part.

    The worst type of user is the tech guy who doesn't work in IT. They always think they know better, they have a massive attitude, and a huge superiority complex. If you can prove to me you know your shit, I'll give you some leeway, but that leeway is probably just having your box dumped out into the DMZ, and you screw it up, you fix it.

  24. Re:they need to protect their networks on Young Employees Pose Increasing Risk to Networks · Score: 5, Insightful

    Having a company adequately secure their network would cut into symantec's bottom line, so, from their perspective, no.

  25. Ug. Terrible article. on Young Employees Pose Increasing Risk to Networks · Score: 3, Insightful

    First off: Worst article ever. Not just one paragraph per page...1 statistic per page? Jesus. Content to page ratio is like .001:11. And what content there is is vapid and uninteresting.

    If you're an admin tasked with security, you have to assume all users are evil, so the question should be more along the lines of, "What is the problem with your process that you are allowing these users to install unapproved software?" Symantec obviously has a big stake in convincing people that they need better security (assuming that this will drive business for their crappy products), but the simple truth is that these sorts of problems shouldn't BE problems in an adequately secured network...Even your basic windows AD setup on XP is capable of restricting software installs and such.

    If you're a big believer in allowing users to install whatever crap that they think they need to do their jobs, then you'll need to invest in some solid networking gear because you're inevitably going to have more problems. Otherwise, just lock it down, set up an approval process, and be prepared to deal with a zillion complaints from people who think they're experts because they did their own myspace page.