This sounds like the kind of crap we were fed when the web first "appeared" in the public eye. The media made it out as if you could open up your web browser and all of a sudden naked pictures of children would just start popping up out of nowhere, and you could do nothing to prevent it!!! Ignorance breeds fear breeds knee-jerk style legislation. What an interesting situation this would put The Freenet Project in. So we'd have an anonymous system that the owner of the P2P network would have to keep track of everyone on. The thing I always come back to is that the internet itself is a peer-to-peer network. Start suing everyone with an ISP, that'll solve the problem, that'll make us all go out and buy CDs.
I don't know what radio stations they are sampling, but after a few minutes of listening it sounded like a bunch of "pop-tart" music strewn together being blasted over AM radio... I used to always joke that you could take all of the Spear Britney albums and--if mixed properly--you could make one long song that didn't change themes, tones or melody once...I'm thinking this is one step closer to proving that theory.... Maybe it was just the time I tuned in--who knows? There is one thing I find curious though, when I pick from 20 stations in my area, they are all playing the same 9 songs... I hope they have a better selection to choose from than I do!
I understand the "usability" issue, having just recently started using Linux. But at the same time, the beauty of having a choice of multiple distributions lends itself to customizing a distribution that is "right" for each type of user. I, personally, like the choice, but I'm a geek. My mother probably would be confused with all of these options...she wants an icon on her desktop that says "e-mail" and "word processor"... and she doesn't want to login to her PC, either. But just because she doesn't want to, why should I not be able to? So while I choose a distribution that gives me a great deal of choice and options out-of-the-iso, I would expect--if she were to run Linux--she'd purchase a PC running a flavour with the usability of Lindows or something to that effect.
What are the chances that this was someone within a network administration role that was trying to find a creative way to patch all of their systems? While unconventional, it would be able to handle workstations of differing configurations (except for the TFTPD item) eliminating the vulnerability/virus from their network. I mean, the worm even kills itself after 1 January 2004. This doesn't seem like the typical "virus writer's" M.O.
Just a thought, might be unlikely, but I've personally done less conventional things in times of an emergency. This will very likely spawn a discussion about the ethics of doing such a thing. If they catch the guy who wrote this virus, would it be appropriate to jail him just like the rest? What if it was entirely an accident?
There seems to be an interesting parallel between SCO's activities and common activities that cause criminals to ultimately get caught. Had they simply decided to just sue IBM, chances are somewhat good that IBM would have settled the lawsuit, SCO would have made some money through extortion and while we wouldn't have been happy about it, much of the rest of the world would have shrugged it off and continued business as usual. Instead, they start with IBM, then begin threatening people, and ultimately attempt to extort money out of anyone who has ever looked at a device running Linux. It's reminiscent of the kid who starts out stealing candy from the corner store and gets away with it... later graduates to bigger things until he's ultimately being chased down a freeway in a truck he stole from a police officer's driveway.
They got too cocky and too greedy for reasonable people to put up with. It will be nice if they go down hard.
I used to use Password Safe at work so that I could have randomized passwords and a system to retrieve them from, but it was very inconvenient because I wouldn't have the changes I made at home.
I now store my password safe database on my pen drive and just plug it into a USB slot when I need it--since I'm one of those geeks with a keychain equivalent to George's Wallet (Seinfeld)--it's always with me wherever I am. I also store various utilities that I use from day-to-day, and made it bootable so that I can boot from it on ailing workstations when I need to.
As I've watched this play out a few things have always sat in my mind. I never believed, for a second, that any lawsuit with SCO vs. IBM would have ever truly materialized. When the word about this new "licensing program" where you would buy a copy of SCO's software and SCO would quietly put you on a "safe" list of those who would not be sued surfaced, this kinda solidified that hypothesis. They'd run a large scale FUD campaign (which we've been watching for weeks) and *frightened* corporate CIOs would either pay up or migrate from Linux to something else.
Someone finally coming out and suing them in a campaign to end this mess seems to be the only way out. Hopefully there are some damages involved. Corporations and others alike need to stop using our legal system as a money-making scam. If part of one's business model is to hire a bunch of lawyers and extort money out of individuals, as SCO, DirecTV, the RIAA and others are attempting, they need to be sued and have their bottom lines burned to a crisp.
I don't know about the rest of you but I'm putting my money where my mouth is. It won't be a million bucks, but they'll get a donation. I'm not a personal fan of Red Hat Linux, but this is starting to persuade me.
This is why I now attend class online. Who cares what everyone else is doing? Their odd habits of slurping their soup or clacking their keyboards or asking idiotic questions that slow down the pace of class so that those of us who can learn have to learn at their pace rather than our own don't happen online. Sure, the idiot questions go on, but you don't have to read them or the responses to them, you can focus on your own problems.
I've personally found the learning experience to be far less distracting, and much more effective (not to mention usually a hell of a lot more work). And they don't care if I IM my classmates, or play Quake with them:-). You can even bring beer to class, and the professor doesn't care...or know for that matter. But I'd refrain from doing any work while intoxicated, it tends to result in lower grades.
It's been a while since I've attended college in the traditional lecture sense... so my comments may be dated, but that doesn't stop me from making them:-)
Way back when--prior to the abundance of wireless networks on the campus, people always found other ways to screw off that were probably more distracting. I always brought my laptop to class and I was always typing away notes. It didn't seem to bother anyone. If the professors are bothered by the fact that people might be "Chatting about them behind their backs", that's really their problem. I look at it this way. I paid for the class, you are grading the class. You tell me how well I did based on my performance. How I achieve that performance, or whether I achieve that performance is up to me provided that I'm not being a total distraction for other folks who are spending their wages trying to learn.
I wonder what types of classes are the most affected by people "screwing around" and distracting others. Way back when, it was always those classes where attendance was mandatory. You'd get a bunch of people who didn't need to show up every day, showing up and making class difficult for those of us who didn't have such a great grasp of the subject matter.
I can completely see how IM would be very useful in a learning environment. It's very useful in my work environment, but there are many in IT who would ban it--not because of security risks, or snooping risks (our e-mail system is just as prone to snooping)--but because they're concerned about how much time people who don't appreciate the importance of their paycheck are wasting.
It's unfortunate that whenever a new *something* comes our way that has positive benefits, the attention is always paid to those individuals who misuse it. It's another example of making rules (or Laws) based on the Least Common Denominator elements of society.
After you get the software update for your cable box, you'll have to dial an 800 number, read off a 700 digit code and they'll give you an activation sequence. Then, once you decide to replace your television, you'll have to pay for all of the movies you watched on the previous one all over again.
Or no, better yet. Someone will write a virus that takes advantage of a security hole in the software resulting in your cable box being a participant in a DDoS attack... All this while my Tivo hums along unaffected because it's running Linux:-).
Welcome to the new Microsoft Bob Network! Did you forget your parental block password? Here, have a new one!
I think you'll find we're quite crazy about a lot of things. We take our civil liberties very seriously. Case in point, in our country (unlike many others) racist hate speech is not outlawed. Even though it is evil and wrong, it is not illegal. Our rights are being withered away by political correctness and "government will solve my problems" kind of attitudes. Filter mandates, attempts to make the internet child-safe rather than parents child-responsible, and other attacks to our freedoms are in our midst right now. I personally don't care about Gun Rights ideologically, and I'm against abortion. But the reality is, the last thing we need is more laws to take away more rights.
Not to mention that if the flow of ammunition was stopped, most criminals would not be able to fire their guns.
I almost didn't reply to this because it's really not an issue that is near or dear to my heart. But how do you propose "stopping the flow of ammunition?" I mean, you could pass a law to ban them, but then the natural ebb and flow (that is the subject of so many... many endless flamewars) goes "Now the criminals are safe...they can still get guns, but the law abiding citizens cannot." You could not simply pass a law and make the problem of "Criminals Using Guns" go away. Last I checked, Marijuana, crack, (insert name of illegal drug here) was outlawed. In the US we have even gone to extreme measures, like declaring "war on drugs" to attempt to stop the distribution of said substances. But yet at any given time it would not be very difficult to get my hands on these substances (not to mention currently outlawed firearms).
As far as holding those responsible for their gun being stolen, etc. As much as I hate the car/gun analogy, the reality is, would you hold a car owner responsible for leaving their doors unlocked in their driveway if the end result was that someone stole that vehicle and hit a few pedestrians in the street? I have two friends at work who have had their vehicles stolen. In both cases the vehicle was recovered...at the scene of an accident. I don't know if there were any deaths involved, but either of these people being held responsible because someone stole their property and misused it seems kinda backward to me. If punishing the criminals isn't working, punishing the innocent is not how you fix it.
Don't get me wrong. I sympathise with those who have been victims of gun violence that could have been prevented if a law abiding gun owner had taken his responsibility a little more seriously. But if we write every law to handle the least-common-denominator type of person, we're going to have an internet that resembles Sesame Street, cars made out of Nerf that don't actually drive, and quite possibly a consortium of Microsoft, the RIAA and MPAA deciding what we can and cannot install on our computers (not to mention the requirement to validate a license for every CD, DVD, or piece of software prior to our equipment allowing their usage). It never ends.
Any attempt to remove a right that we presently enjoy today you will always find me on the other side of.
Normally I'd read something like this and say "Geez! Everywhere a Conspiracy!". But, we are talking about the cable companies. These are the same guys that nearly every year--while EVERY OTHER kind of communications services' prices are going DOWN, their bills are rising. And rising..and rising..and rising. I recently moved from one city in a Comcast area to another city. Found out that my $121 cable bill (service/internet) from the place I used to live is only $65 here for identical services. Turns out they offer many discounted prices here because the office I'm serviced by has areas within it that have a choice between them and Wide Open West. So this idea that "once the competition is gone" the prices will go up (and services down) is their current operating procedure when dealing with competing cable companies.
The reality is...I work in that environment. And I think more than a few of the Slashdot readers do as well. You have to know your enemy (read: Gates) before you can defeat him. Truly the only reason I *HATE* Microsoft is because of their license agreements, and their corporate tactics. I don't *hate* Windows XP, but I won't sell my soul in a license agreement to Microsoft so that they can feel warm and cuddly that I have not stolen their software. I can't stand a company that just blatantly assumes that everyone running their product is stealing it, so they need to put some kind of "IRS" style auditable protection into their applications.
I believe that many people resort to piracy because when you buy many applications, music, movies, etc, you're so limited as to what you are "allowed" to do with them that it doesn't seem worth the cost. ...My two Canadian pennies.
--User Profiles: First off, I'm assuming you're using roaming profiles. That's where most profile issues stem from. I can't offer much help for you here. We don't use them corporate wide. It was attempted at first, but after we realized it would take a technical staff roughly the size of our user base to make everything run properly even *most* of the time, we opted away from this configuration for 90% of our workstations. (Limited only to our "kiosk" style machines that multiple users will access).
-- Propagation of configuration: Your best bet is to do some of this through a GPO on your domain and the remainder through Startup or Login Scripts. And make absolutely sure you have fully tested any GPO changes before you update your production environment. (Again, since you didn't state your exact configuration, I am assuming you are in a domain environment--I work in an AD domain, and it's been a long time since I've screwed around with NT 4 domain architecture, so I only can hope that this is relevant to you). The general rule that I have used is that if you are trying to add to something (i.e., add domain groups to the Local Administrators group), you want to do it through one of the scripts. If you require elevated privileges for the activity (again, adding groups to the local admin group), you must use the startup script. It executes as local system. The problem with the startup script is that it fires off prior to user login, so access to network resources is *somewhat* limited. Get familiar with ADSI and WMI (search on Google on these items and there are hundreds of example VBS scripts (yes, I know...VBS *bleaugh!*)). They will solve many of your config problems.
-- User Rights: Unfortunately, locking down the desktop is very difficult if not impossible to do when you're dealing with Windows desktops. Even using the "Users" group, we found that out of 20 or so attempts to install different applications that included spyware, 4 of them installed completely, and 12 of them crashed just *after* the spyware was successfully installed. (The more disturbing part was that none of them would let you uninstall if you weren't an administrator). The problem is, if you let the user write to the drive or any part of the registry, you can still install many applications. If you don't let the user write to the drive or the registry... you can imagine how useful the workstation may be. If you want to even give the users a *challenge* at unlocking the workstation, you will have to get far more granular than the defaults. You can go so far as to lock down the system by enforcing that only select executables can run, but even that is far from fool-proof and has a huge overhead if you have a frequently evolving environment. In the end, no matter how hard you try, a simple floppy disk or any number of exploits exist to break local "security". In doing all of this, bear in mind that legitimate software, such as printer drivers, will not install in a locked down environment. (We've had HP inkjet drivers that won't even print if the user is not an administrator.)
The short of it is: DO the following
1. Set up a group for your techs' accounts and add that group to the local admin group on all workstations (see ADSI and Startup Scripts)--(This shouldn't need to be said, but Don't give your techs the domain admin account!).
2. Rename the local administrator account to a random set of characters through a script. Reset the password to that account in the same manner. Again--It's not *perfect* but it's going to ward off some of the less vigilant amongst your users.
3. Have a CLEAR and DEFINED Acceptable Use Policy. It's even a good idea to make your users sign it directly (Yes, pen and paper in a bit driven world). And ENFORCE the darn thing occasionally. I mean, if you really care what your users are doing with their workstations, this is an absolute must. They will be able to get past the "security", and
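Steps 1 and 2 of the comment above, sketched as a PowerShell computer startup script that uses the built-in LocalAccounts cmdlets in place of the VBS/ADSI scripts the comment mentions. This is an added example, not the commenter's script; the group name `CONTOSO\Workstation-Techs` is a placeholder, and it assumes Windows PowerShell 5.1 and a GPO that runs it at startup as Local System.

```powershell
#Requires -RunAsAdministrator
# Added example: computer startup script, deployed through a GPO, runs as Local System.
param(
    # Placeholder domain group holding the technicians' accounts (assumption).
    [string]$TechGroup = 'CONTOSO\Workstation-Techs'
)

Set-StrictMode -Version Latest
# Any failure aborts the script, so the built-in account is never locked away
# unless the technicians' group was added (or already present) first.
$ErrorActionPreference = 'Stop'

function New-RandomString {
    param(
        [Parameter(Mandatory)][int]$Length,
        [Parameter(Mandatory)][string]$Alphabet
    )
    # Alphabet length must divide 256 so that byte % length is unbiased.
    if (256 % $Alphabet.Length -ne 0) { throw 'Alphabet length must divide 256.' }
    $bytes = [byte[]]::new($Length)
    # CSPRNG; Get-Random is not intended for generating secrets.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    -join ($bytes | ForEach-Object { $Alphabet[$_ % $Alphabet.Length] })
}

# Step 1: add the technicians' group to the local Administrators group.
# S-1-5-32-544 is the well-known SID, so this works on localized Windows too.
# Resolving the domain group needs a domain controller; if the network is not
# up yet at startup, the cmdlet fails and the script stops here.
try {
    Add-LocalGroupMember -SID 'S-1-5-32-544' -Member $TechGroup
} catch {
    # Startup scripts run at every boot, so "already a member" is the normal case.
    if ($_.Exception.GetType().Name -ne 'MemberExistsException') { throw }
}

# Step 2: find the built-in Administrator by RID 500 rather than by name,
# because the name changes every time this script runs.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $builtin) { throw 'Built-in Administrator account (RID 500) not found.' }

$nameAlphabet = 'abcdefghijklmnopqrstuvwxyz234567'                                  # 32 characters
$passAlphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'  # 64 characters

# Regenerate until the password has upper case, lower case and a digit, so a
# default complexity policy does not reject an unlucky draw.
do {
    $plain = New-RandomString -Length 24 -Alphabet $passAlphabet
} until ($plain -cmatch '[A-Z]' -and $plain -cmatch '[a-z]' -and $plain -match '[0-9]')

# The password is never written to disk or to a log: after this point the
# technicians' group is the only administrative path onto the workstation.
Set-LocalUser -SID $builtin.SID -Password (ConvertTo-SecureString $plain -AsPlainText -Force)
Remove-Variable plain

# Local account names are limited to 20 characters; 16 leaves headroom.
Rename-LocalUser -SID $builtin.SID -NewName (New-RandomString -Length 16 -Alphabet $nameAlphabet)
```

Because the account is located by its RID, renaming hides the name from casual users but not from anyone who enumerates local accounts, which matches the comment's own "not *perfect*" caveat.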
I have to say that I agree. I mean, I type very fast and my hand-writing is nearly illegible (even to me). I'm not an artist with a pen, I'm an artist with a keyboard and a mouse. (OK, maybe not an artist)
I don't know about that...usually I'm swearing at my computer because it WON'T log in, boot up, or because it just blue screened. If swearing caused it to log me in, what would I do when it failed? Praise it?
OK. That is not only unbelievable but absolutely frightening.
At the same time, I'm afraid it's also not too surprising based on recent history.
Sorry guys, I had to get it all out.
I think you'll find we're quite crazy about a lot of things.
We take our civil liberties very seriously. Case in point, in our country (unlike many others) racist hate speech is not outlawed. Even though it is evil and wrong, it is not illegal.
Our rights are being withered away by political correctness and "government will solve my problems" kind of attitudes. Filter mandates, attempts to make the internet child-safe rather than parents child-responsible, and other attacks to our freedoms are in our midst right now.
I personally don't care about Gun Rights ideologically, and I'm against abortion. But the reality is, the last thing we need is more laws to take away more rights.
Not to mention that if the flow of ammunition was stopped, most criminals would not be able to fire their guns.
... many endless flamewars) goes "Now the criminals are safe...they can still get guns, but the law abiding citizens cannot." You could not simply pass a law and make the problem of "Criminals Using Guns" go away. Last I checked, Marijuana, crack, (insert name of illegal drug here) was outlawed. In the US we have even gone to extreme measures, like declaring "war on drugs" to attempt to stop the distribution of said substances. But yet at any given time it would not be very difficult to get my hands on these substances (not to mention currently outlawed firearms).
I almost didn't reply to this because it's really not an issue that is near or dear to my heart. But how do you propose "stopping the flow of ammunition?"
I mean, you could pass a law to ban them, but then the natural ebb and flow (that is the subjet of so many
As far as holding those responsible for their gun being stolen, etc. As much as I hate the car/gun analogy, the reality is, would you hold a car owner responsible for leaving theirs doors unlocked in their drive-way if the end result was that someone stole that vehicle and hit a few pedestrians in the street. I have two friends at work who have had their vehicles stolen. In both cases the vehicle was recovered...at the scene of an accident. I don't know if there were any deaths involved, but either of these people being held responsible because someone stole their property and misused it seems kinda backward to me. If punishing the criminals isn't working, punishing the innocent is not how you fix it.
Don't get me wrong. I sympathise with those who have been victims of gun violence that could have been prevented if a law abiding gun owner had taken his responsibility a little more seriously. But if we write every law to handle the least-common-denomenator type of person, we're going to have an internet that resembles sesame street, cars made out of nerf that don't actually drive, and quite possibly a consortium of Microsoft, the RIAA and MPAA deciding what we can and cannot install on our computers (not to mention the requirement to validate a license for every CD, DVD, or piece of software prior to our equipment allowing their usage). It never ends.
Any attempt to remove a right that we presently enjoy today you will always find me on the other side of.
Normally I'd read something like this and say "Geez! Everywhere a Conspiracy!". But, we are talking about the cable companies. These are the same guys that nearly every year--while EVERY OTHER kind of communications services' prices are going DOWN, their bills are rising. And rising..and rising..and rising.
I recently moved from one city in a Comcast area to another city. Found out that my $121 cable bill (service/internet) from the place I used to live is only $65 here for identical services. Turns out they offer many discounted prices here because the office I'm servied by has areas within it that have a choice between them and Wide Open West. So this idea that "once the competition is gone" the prices will go up (and services down) is their current operating procedure when dealing with competing cable companies.
The reality is...I work in that environment. And I think more than a few of the Slashdot readers do as well.
You have to know your enemy (read: Gates) before you can defeat him. Truly the only reason I *HATE* Microsoft is because of their license agreements, and their corporate tactics. I don't *hate* Windows XP, but I won't sell my soul in a license agreement to Microsoft so that they can feel warm and cuddly that I have not stolen their software.
I can't stand a company that just blatently assumes that everyone running their product is stealing it, so they need to put some kind of "IRS" style auditable protection into their applications.
I believe that many people resort to piracy because when you buy many applications, music, movies, etc, you're so limited as to what you are "allowed" to do with them that it doesn't seem worth the cost.
...My two Canadian pennies.
I empathise with you. Let me see if I can assist.
--User Profiles: First off, I'm assuming you're using roaming profiles. That's where most profile issues stem from. I can't offer much help for you here. We don't use them corporate wide. It was attempted at first, but after we realized it would take a technical staff roughly the size of our user base to make everything run properly even *most* of the time, we opted away from this configuration for 90% of our workstations. (Limited only to our "kiosk" style machines that multiple users will access).
-- Propagation of configuration: Your best bet is to do some of this through a GPO on your domain and the remainder through Startup or Login Scripts. And make absolutely sure you have fully tested any GPO changes before you update your production environment. (Again, since you didn't state your exact configuration, I am assuming you are in a domain environment--I work in an AD domain, and it's been a long time since I've screwed around with NT 4 domain architecture, so I only can hope that this is relevant to you.) The general rule that I have used is that if you are trying to add to something (i.e., add domain groups to the Local Administrators group), you want to do it through one of the scripts. If you require elevated privileges for the activity (again, adding groups to the local admin group), you must use the startup script. It executes as local system. The problem with the startup script is that it fires off prior to user login, so access to network resources is *somewhat* limited. Get familiar with ADSI and WMI (search on Google on these items and there are hundreds of example VBS scripts (yes, I know...VBS *bleaugh!*) They will solve many of your config problems).
-- User Rights: Unfortunately, locking down the desktop is very difficult if not impossible to do when you're dealing with Windows desktops. Even using the "Users" group, we found that out of 20 or so attempts to install different applications that included spyware, 4 of them installed completely, and 12 of them crashed just *after* the spyware was successfully installed. (The more disturbing part was that none of them would let you uninstall if you weren't an administrator).
The problem is, if you let the user write to the drive or any part of the registry, you can still install many applications. If you don't let the user write to the drive or the registry... you can imagine how useful the workstation may be. If you want to even give the users a *challenge* at unlocking the workstation, you will have to get far more granular than the defaults. You can go so far as to lock down the system by enforcing that only select executables can run, but even that is far from fool-proof and has a huge overhead if you have a frequently evolving environment. In the end, no matter how hard you try, a simple floppy disk or any number of exploits exist to break local "security".
In doing all of this, bear in mind that legitimate software, such as printer drivers, will not install in a locked down environment. (We've had HP inkjet drivers that won't even print if the user is not an administrator.)
The short of it is: DO the following
1. Set up a group for your techs' accounts and add that group to the local admin group on all workstations (see ADSI and Startup Scripts)--(This shouldn't need to be said, but don't give your techs the domain admin account!).
2. Rename the local administrator account to a random set of characters through a script. Reset the password to that account in the same manner. Again--It's not *perfect* but it's going to ward off some of the less vigilant amongst your users.
3. Have a CLEAR and DEFINED Acceptable Use Policy. It's even a good idea to make your users sign it directly (Yes, pen and paper in a bit driven world). And ENFORCE the darn thing occasionally. I mean, if you really care what your users are doing with their workstations, this is an absolute must. They will be able to get past the "security", and
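The two scripted steps in the list above (tech group into the local admin group, local administrator account renamed and its password reset), as an added example that is not part of the original post: a PowerShell startup script using the built-in LocalAccounts cmdlets in place of the ADSI/VBS scripts the post mentions. `CORP\Workstation-Techs` is a placeholder group name and `New-RandomString` is a helper defined here.

```powershell
#Requires -Version 5.1
# Added example: GPO computer startup script, runs as LocalSystem before logon.
$ErrorActionPreference = 'Stop'          # any failure aborts before step 2 runs
$TechGroup = 'CORP\Workstation-Techs'    # placeholder, not from the original post

function New-RandomString([int]$Length, [string]$Alphabet) {
    # Alphabet lengths of 32 or 64 divide 256 evenly, so the modulo adds no bias.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $bytes = New-Object byte[] $Length
        $rng.GetBytes($bytes)
    } finally { $rng.Dispose() }
    -join ($bytes | ForEach-Object { $Alphabet[$_ % $Alphabet.Length] })
}

# Well-known SIDs still match after a rename or on localized Windows builds.
$adminGroup   = Get-LocalGroup -SID 'S-1-5-32-544'
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

# Step 1: tech group into local Administrators (safe to repeat at every boot).
try {
    Add-LocalGroupMember -Group $adminGroup -Member $TechGroup
} catch [Microsoft.PowerShell.Commands.MemberExistsException] {
    # Already a member: nothing to do.
}

# Step 2: random name and password for the built-in administrator account.
# The password is never stored, so the tech group from step 1 is the remaining
# admin path. If step 1 fails (for example, no domain controller reachable this
# early in boot), the script has already stopped and the account is untouched.
$name = New-RandomString 12 'abcdefghijklmnopqrstuvwxyz234567'
$pass = New-RandomString 32 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
Rename-LocalUser -SID $builtinAdmin.SID -NewName $name
Set-LocalUser -SID $builtinAdmin.SID -Password (ConvertTo-SecureString $pass -AsPlainText -Force)
```

Because it runs at every startup, the account name and password change on each boot; test it against a single workstation before linking the GPO more widely.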
I have to say that I agree. I mean, I type very fast and my hand-writing is nearly illegible (even to me). I'm not an artist with a pen, I'm an artist with a keyboard and a mouse. (OK, maybe not an artist)
...My two Canadian pennies worth.
I don't know about that...usually I'm swearing at my computer because it WON'T log in, boot up, or because it just blue screened. If swearing caused it to log me in, what would I do when it failed? Praise it?
We should get the whole album for 99 cents. :-)