Have you pestered those vendors about Windows 7 support?
When the Beta was out back in January 2009, i tested all our corporate software on it. All those that didn't work, i opened a support case with the vendors, asking them about when they will support Windows 7.
The reactions varied - some just closed the ticket saying that they do not support unreleased operating systems, others promised to look into it, and especially the small ones responded that they were actually testing it themselves and hoped to release a compatible version when the RC was out.
A month after the RC was public, i started another round of these tickets. Some vendors still refused to do anything, others sent me beta versions of compatible software.
Of course, as a Microsoft partner we really have a reason to do all this, since our partner licenses only give us half a year to upgrade (and stay on free licensing).
Well, first of, Microsoft wants to make money. Purchasing SA to an existing Windows 7 Professional OEM license is pretty cheap for corporate standards (around 100$). This will net you Windows 7 Enterprise (and a bunch of other goodies, like reimaging rights which you NEED if you have more than 5 computers).
Also, there's the whole "shoot yourself in the foot" thing. If Bitlocker was in HP/Pro, there'd be countless people "trying" it out, then losing their USB key (for non-TPM machines) or changing the hardware configuration (for TPM machines), without having the recovery key handy.
I can only agree. I work for a small ISV and Microsoft partner. Under the partner program, we've rolled out the Windows 7 RC to 75% of our laptops/desktops. Roughly a month after we were able to get our hands on RTM (i think that was around August 5th), we've upgraded 100% of our machines.
Now, roughly two months after GA, we have several smaller customers (10-20 machines) that are running Windows 7 only.
Only issue we had was laptop-hangs-on-shutdown-because-of-bitlocker. While annoying, it didn't prevent it from doing anything. In the meantime, there's a hotfix for this issue.
There's no need to wait for SP1, if you're a small, agile company. If you're a big corporation, these will likely finish there Windows XP rollouts somewhen past April 2014;)
Censorship in Germany and many other European countries is done under the guise of "protecting the children" ("Jugendschutz").
Germany hasn't really learned from it's past and is heavily promoting censorship as a solution to all issues. For example, it is illegal to deny that the holocaust happened.
Actually, all the crapware on machines is allowing is to make good money reimaging machines.
Assume we have a small customer, that orders 20 or so computers. Then we additionally sell him Software Assurance (to get reimaging rights and MAK keys), and then reimage all the machines to a company baseline. That's about 8-16 hours for creating the image doing QA on it, plus another 8 hours to do the image rollout.
This way, selling computers actually still makes sense for us as a company.
I am a sysadmin, if you're willing to call someone who works with Windows that.
I like my job and i like what i do - but i have no illusions about it. Yes, there is lots of interesting stuff to do, but unless you work in a large corporation, people will still call you up if they can't fix a paper jam themselves.
"Never touch a running system" is what usually leads to the spectacular failures that make it into the press.
If you know and understand something, patching and upgrading it is no big deal - but it helps you to stay familiar with whatever you're dealing with. Also, planned outages and planned upgrades ensure that everyone is familiar with the system and documentation stays current.
Not touching your systems is a very, very bad practice.
Look at how a HTTP proxy works. The client will communicate with the proxy, telling him to GET / for slashdot.org - and the proxy will then deliver that content. The client will never know what IP address slashdot.org has, because it does not need to know.
The client will also not be able to open "custom" TCP/IP connections to the internet, but this is quite normal in secured networks. Only applications that are HTTP proxy aware will be able to communicate with the Internet. No need to rewrite anything.
Yes - but by that time, you'll have enough in your hands to get that guy fired immediately. And, of course, if someone is willing to spend that much time on breaking company security policies, he deserves to get fired.
And trying to circumvent such a setup will trigger many IPS/IDS systems, as you're trying to find out what works and what doesn't.
Of course there is no silver bullet - if you allow some form of internet access, there will be ways to tunnel under.
That much is clear. And (complete) data extrusion protection is essentially impossible if you want people to still get work done.
Your IT department must be a bunch of jackasses in a larger corporation.
I work for a small company. Productivity is key. My job (and that of my department) is to allow other departments to be more productive.
I will try to do everything REASONABLE to fulfill those wishes. Using your Macbook at work is not reasonable, but wishing to have a mailbox quota of 5GB mails instead of 500MB is reasonable, and will be fulfilled as soon as possible. However, more space means more cost - and upper management might not want to give me more money to buy an LTO4 drive, more space for D2D backups and more space in the Exchange servers themselves. This is something that users sometimes don't want to understand.
Now that's easy. Don't allow resolution of external names. Make the proxy resolve the IP address of external websites. That's even the default, i believe.
Of course the whole "in a properly managed network" shtick is a myth. I'll still try to get it as right as possible.
As for developers, i'm currently working for an ISV. All our developers are in a separate VLAN and they all have local admin rights. I don't see much wrong with that, as i also have local admin rights on my work laptop and my work desktop. I, of course, expect our developers to actually turn on their brain and don't install fancy games on their machines. This works - mostly.
As i said in another thread, we don't filter the web for anything except malware (and that for all users - from IT to execs to administrative staff). I very much like this approach - but it's only feasible in smaller companies without a legal department that's hell bent on releasing new policies every week.
For the certificates - you're looking at this from the wrong perspective. I'm aware that self-signed certificates (or certificates by self-made CAs for that matter) aren't in any way less secure.
However, teaching users to ignore security warnings and click "continue anyway" will have them click-through the warning even in case of sites that normally have a certificate signed by a well-known CA.
Of course it's possible. This is not an extrusion protection setup, as you seem to imply.
It just exists to ensure that all traffic from non-malicious users is clean and that there's no easy way to circumvent the filter.
Of course, circumventing them is possible, though you need significant effort to do so. This significant effort is also a proof of maliciousness, providing grounds for immediate termination.
You've never dealt with one of these proxies before, have you?
The connection is encrypted from the client to the proxy, and from the proxy to the server with the proper certificate. So it will spot that you're not talking HTTP and terminate the connection.
No, this would probably work on most of the networks i've dealt with.
Though you'd have a hard time on actually getting OpenVPN and all the tools installed (something along the lines of booting a desktop PC with an ntpasswd CD, resetting the local admin password, etc.). We still have customers with machines without AMT or intrusion detection, so resetting the BIOS password et all would probably work out.
Of course, if you get ever caught at doing something like this will get you fired.
Asking IT nicely to unlock a site for you usually won't. And i've never had any issues unrestricting sites if the user could give me an even slightly reasonable explanation why.
Porn (especially kiddie porn), torture videos, etc. (the really nasty stuff) etc. should be blocked in most businesses. If you don't, it's a sexual harassment lawsuit waiting to happen.
I know, i know, i might not get all the fine points of American culture, but how exactly can someone sue the company over this? They're just acting as an internet provider.
Warez sites and P2P networks actually fall into both the security and legal bins.
P2P networks are automatically blocked, since you don't allow direct internet connections. Rapidshare and such? I don't see why i should care.
Get a separate ADSL line for the IT pros. A friend of mine did exactly that. He works in a large bureaucracy and in the end their installed a separate, unfiltered ADSL line that's not under the administrative control from over-the-pond.
Of course, being in IT, they were smart enough to keep this all on a separate network.
I've always seen management wanting exceptions to those rules.
As long as they're not security relevant (for example, installing random software on their machines) and just for their leisure time (turning off the porn filter), i really don't care.
There's two ways you can interpret that - either your network management team is incompetent, or they don't really mind you using SSH. Decide which one is the case.
In a properly managed network, you won't get a direct connection to the internet AND you won't able to run any kind of SSH tunneling software.
I know most of the proxy software i use will tear down SSH sessions established through a HTTPS proxy, if you even get that far - i usually configure them to reject self signed certificates (as those would only provide a false sense of security).
Slashdot Mirror
Have you pestered those vendors about Windows 7 support?
When the Beta was out back in January 2009, i tested all our corporate software on it. All those that didn't work, i opened a support case with the vendors, asking them about when they will support Windows 7.
The reactions varied - some just closed the ticket saying that they do not support unreleased operating systems, others promised to look into it, and especially the small ones responded that they were actually testing it themselves and hoped to release a compatible version when the RC was out.
A month after the RC was public, i started another round of these tickets. Some vendors still refused to do anything, others sent me beta versions of compatible software.
Of course, as a Microsoft partner we really have a reason to do all this, since our partner licenses only give us half a year to upgrade (and stay on free licensing).
See my remark about large corporations.
That's what you get for buying shoddy products.
Well, first of, Microsoft wants to make money. Purchasing SA to an existing Windows 7 Professional OEM license is pretty cheap for corporate standards (around 100$). This will net you Windows 7 Enterprise (and a bunch of other goodies, like reimaging rights which you NEED if you have more than 5 computers).
Also, there's the whole "shoot yourself in the foot" thing. If Bitlocker was in HP/Pro, there'd be countless people "trying" it out, then losing their USB key (for non-TPM machines) or changing the hardware configuration (for TPM machines), without having the recovery key handy.
I can only agree. I work for a small ISV and Microsoft partner. Under the partner program, we've rolled out the Windows 7 RC to 75% of our laptops/desktops. Roughly a month after we were able to get our hands on RTM (i think that was around August 5th), we've upgraded 100% of our machines.
Now, roughly two months after GA, we have several smaller customers (10-20 machines) that are running Windows 7 only.
Only issue we had was laptop-hangs-on-shutdown-because-of-bitlocker. While annoying, it didn't prevent it from doing anything. In the meantime, there's a hotfix for this issue.
There's no need to wait for SP1, if you're a small, agile company. If you're a big corporation, these will likely finish there Windows XP rollouts somewhen past April 2014 ;)
Censorship in Germany and many other European countries is done under the guise of "protecting the children" ("Jugendschutz").
Germany hasn't really learned from it's past and is heavily promoting censorship as a solution to all issues. For example, it is illegal to deny that the holocaust happened.
Actually, all the crapware on machines is allowing is to make good money reimaging machines.
Assume we have a small customer, that orders 20 or so computers. Then we additionally sell him Software Assurance (to get reimaging rights and MAK keys), and then reimage all the machines to a company baseline. That's about 8-16 hours for creating the image doing QA on it, plus another 8 hours to do the image rollout.
This way, selling computers actually still makes sense for us as a company.
I am a sysadmin, if you're willing to call someone who works with Windows that.
I like my job and i like what i do - but i have no illusions about it. Yes, there is lots of interesting stuff to do, but unless you work in a large corporation, people will still call you up if they can't fix a paper jam themselves.
Just like no university has classes on being a Janitor.
I really don't see why someone with an university degree would want to work as a system administrator.
"Never touch a running system" is what usually leads to the spectacular failures that make it into the press.
If you know and understand something, patching and upgrading it is no big deal - but it helps you to stay familiar with whatever you're dealing with. Also, planned outages and planned upgrades ensure that everyone is familiar with the system and documentation stays current.
Not touching your systems is a very, very bad practice.
Look at how a HTTP proxy works. The client will communicate with the proxy, telling him to GET / for slashdot.org - and the proxy will then deliver that content. The client will never know what IP address slashdot.org has, because it does not need to know.
The client will also not be able to open "custom" TCP/IP connections to the internet, but this is quite normal in secured networks. Only applications that are HTTP proxy aware will be able to communicate with the Internet. No need to rewrite anything.
Did you even read what this thread was about?
This isn't about a someone reading Fark, it's about someone who tries to undermine every effort the IT dept has put into providing security.
Yep. It's called a "Firewall Client".
Yes - but by that time, you'll have enough in your hands to get that guy fired immediately. And, of course, if someone is willing to spend that much time on breaking company security policies, he deserves to get fired.
And trying to circumvent such a setup will trigger many IPS/IDS systems, as you're trying to find out what works and what doesn't.
Of course there is no silver bullet - if you allow some form of internet access, there will be ways to tunnel under.
That much is clear. And (complete) data extrusion protection is essentially impossible if you want people to still get work done.
Your IT department must be a bunch of jackasses in a larger corporation.
I work for a small company. Productivity is key. My job (and that of my department) is to allow other departments to be more productive.
I will try to do everything REASONABLE to fulfill those wishes. Using your Macbook at work is not reasonable, but wishing to have a mailbox quota of 5GB mails instead of 500MB is reasonable, and will be fulfilled as soon as possible.
However, more space means more cost - and upper management might not want to give me more money to buy an LTO4 drive, more space for D2D backups and more space in the Exchange servers themselves. This is something that users sometimes don't want to understand.
Look at what the Forefront TMG Firewall client can do.
http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-installing-configuring-Forefront-TMG-client.html
Now that's easy. Don't allow resolution of external names. Make the proxy resolve the IP address of external websites. That's even the default, i believe.
Of course the whole "in a properly managed network" shtick is a myth. I'll still try to get it as right as possible.
As for developers, i'm currently working for an ISV. All our developers are in a separate VLAN and they all have local admin rights. I don't see much wrong with that, as i also have local admin rights on my work laptop and my work desktop. I, of course, expect our developers to actually turn on their brain and don't install fancy games on their machines. This works - mostly.
As i said in another thread, we don't filter the web for anything except malware (and that for all users - from IT to execs to administrative staff). I very much like this approach - but it's only feasible in smaller companies without a legal department that's hell bent on releasing new policies every week.
For the certificates - you're looking at this from the wrong perspective. I'm aware that self-signed certificates (or certificates by self-made CAs for that matter) aren't in any way less secure.
However, teaching users to ignore security warnings and click "continue anyway" will have them click-through the warning even in case of sites that normally have a certificate signed by a well-known CA.
Of course it's possible. This is not an extrusion protection setup, as you seem to imply.
It just exists to ensure that all traffic from non-malicious users is clean and that there's no easy way to circumvent the filter.
Of course, circumventing them is possible, though you need significant effort to do so. This significant effort is also a proof of maliciousness, providing grounds for immediate termination.
You've never dealt with one of these proxies before, have you?
The connection is encrypted from the client to the proxy, and from the proxy to the server with the proper certificate. So it will spot that you're not talking HTTP and terminate the connection.
No, this would probably work on most of the networks i've dealt with.
Though you'd have a hard time on actually getting OpenVPN and all the tools installed (something along the lines of booting a desktop PC with an ntpasswd CD, resetting the local admin password, etc.). We still have customers with machines without AMT or intrusion detection, so resetting the BIOS password et all would probably work out.
Of course, if you get ever caught at doing something like this will get you fired.
Asking IT nicely to unlock a site for you usually won't. And i've never had any issues unrestricting sites if the user could give me an even slightly reasonable explanation why.
I know, i know, i might not get all the fine points of American culture, but how exactly can someone sue the company over this? They're just acting as an internet provider.
P2P networks are automatically blocked, since you don't allow direct internet connections. Rapidshare and such? I don't see why i should care.
Get a separate ADSL line for the IT pros. A friend of mine did exactly that. He works in a large bureaucracy and in the end their installed a separate, unfiltered ADSL line that's not under the administrative control from over-the-pond.
Of course, being in IT, they were smart enough to keep this all on a separate network.
I've always seen management wanting exceptions to those rules.
As long as they're not security relevant (for example, installing random software on their machines) and just for their leisure time (turning off the porn filter), i really don't care.
There's two ways you can interpret that - either your network management team is incompetent, or they don't really mind you using SSH. Decide which one is the case.
In a properly managed network, you won't get a direct connection to the internet AND you won't able to run any kind of SSH tunneling software.
I know most of the proxy software i use will tear down SSH sessions established through a HTTPS proxy, if you even get that far - i usually configure them to reject self signed certificates (as those would only provide a false sense of security).