Time For IT Guys To Unshackle Corporate Computers
from the can't-do-that dept
This one ought to infuriate some of the IT folks, but Farhad Manjoo, over at Slate, is making the case for why corporate IT folks should give up trying to control everyone's computers. He says it's silly for them to dictate which apps you can and cannot use, what websites you can and cannot visit and what mobile devices you can and cannot use. He argues that doing so only restricts employees from actually doing useful and innovative stuff and also can make employees significantly less productive.
The response from IT folks will always be about the cost of maintaining all of this -- noting (perhaps correctly) that any time there are any problems, people will call up IT folks who will have to try to service all sorts of things, rather than having a standard list. And, of course, they'll say that users are often dumb, and prone to doing things that put computers and networks at risk. Thus, locking stuff down isn't only cost-effective, but it's prudent to protect the company.
In the end, though, if that prevents important work from getting done (or done quickly), that seems like a problem. In the past, we've pointed out study after study after study suggesting that those who are actually allowed to do personal surfing at work are happier and more productive. Manjoo makes that point as well, mentioning recent studies that have shown the same thing and suggesting that companies that trust their workers on these sorts of things tend to get much more out of those employees.
Filed Under: it, limitations, personal surfing, security
Reader Comments
About ten years ago when we put in the first network monitoring tools we discovered that two-thirds to three-quarters of our network bandwidth was being taken up by users streaming audio using RealPlayer.
Bottom line is you give users full control over their PCs and the next morning everybody will be running iTunes and streaming music and be downloading videos from Pirate Bay and saying "well if they didn't want us to do this stuff they shouldn't have let us in the first place."
[ link to this | view in thread ]
I'm an IT Pro
First and foremost the business is there to make money. IT is a tool used to make employees' tasks easier and we should be doing everything possible to make this happen.
Security is obviously still a priority and end users must be educated but with a properly secured network, there should be no reason for IT people to restrict others from using their computer to its potential.
[ link to this | view in thread ]
Re:
Why were the ports on the Firewall open? Maybe ten years ago there weren't the corporate tools to properly manage this but there are now.
[ link to this | view in thread ]
Re: Re:
Now yes, it technically is an education issue that the users of the network do not know how to keep themselves safe, and merely getting people to switch from IE to another browser would probably fix most of the problems. But the fact is you can't fix stupid. I've spent years trying to convince people that the web doesn't really know "you have a virus" and that you "MUST click this link to scan your computer."
I am all for an open and unrestricted user experience, I finally am able to mostly deliver this as I now work at a company of only 15 people. Education is a lot easier with a small crowd. But I can understand the "damage control" that Universities and larger companies take to minimize their down-time.
Also a working image of people's machines can change your entire day to about 20 minutes of your time, Click go and walk away. 2 hours later, machines up and running again.
[ link to this | view in thread ]
Fun isn't it.
TRY it.
TRY setting up a multi level/multi protection system. And keep the CRAP out.
The hardest question I have is.."CAN YOU TEACH ME how this works.".
I tell people I USED older programs and learned the hard way HOW to make things, 15-20 years ago. And I know a lot and how to DO THINGS MY WAY. But, learning the NEW CRAP, isn't worth my time.
If I learned Every program out there, I wouldn't be running IT. I would be selling my service to EVERYONE for A LOT more than I would be making.
Teaching nubes HOW to run more than 1-2 programs at a time, isn't worth the time.
TRYING to teach MS how STANDARD practices of protecting the OS/programming language...is NOT going to happen.
[ link to this | view in thread ]
End Users
One of the better solutions I've run into was a company that would let end users manage their own computer the way they want, but they must give up corporate desktop support; if they call with a computer problem, their only choice is to get a standard image applied.
[ link to this | view in thread ]
Many of my colleagues have no idea. They know how to do some things because they have been specifically taught but they don't have a clue how to work things out for themselves. Several times they have asked for help and I've spent a couple of minutes flicking through menus trying to find the right tool and they've then accused me of not knowing what I was doing and have reached for the phone to call IT. It's exasperating.
We're also still using Internet Explorer 6 in the office, quite the most cumbersome browser in existence. There were mutterings about upgrading but apparently we won't be because the older members of staff know how to use it and don't want to have to relearn.
So in conclusion: users are often idiots. If I was IT I would be loath to let them mess around because they will undoubtedly break something and be unable to fix it themselves.
So for now we just have a minority of computer savvy workers who are frustrated all the time with their restrictive system.
[ link to this | view in thread ]
Re:
then you suck. you should have a stock image (ghost, drive image xml, etc.) or a slip streamed install disk (drivers, office, applications, etc.) to save time on rebuilds.
it shouldn't take you more than an hour to rebuild a box, including the restoration of data and settings. you use roaming profiles or folder redirection for user profiles, right?
half of the system security game is disaster recovery. you should be able to recover from the worst catastrophe in a short amount of time. if you don't know how to do that then do your company a favor and quit.
[ link to this | view in thread ]
Re: Re: Re:
Make your employees responsible for their own stupidity.
[ link to this | view in thread ]
Off topic - the Ad on this page...
"Copyright Infringement
With Training session and workshops We can help you succeed! "
I didn't know it was that hard that you needed a course to do it!
[ link to this | view in thread ]
Re: I'm an IT Pro
preach it brother!
also, if your company's data and whatever is so sensitive (banks, gov't, military, etc.), then put your "sensitive" stuff on a separate network and only allow locked down machines to access it (virtual machine, thin client, etc.) via encrypted connections.
then give your users unrestricted machines that they can use for whatever they need to.
[ link to this | view in thread ]
Sorta
You're mixing two things, here, Mike, as is the Slate author: content filtering and client management. Content filtering (aside from where kids are involved) is relatively stupid and I agree that it often does little to further the cause of the business. A little bit of personal surfing is fine, though the cost of bandwidth (and please don't just consider carrier costs, but all the components that protect and support that path to the internet) can be material and is not to be brushed off as trivial.
Another matter entirely is how client desktops and laptops are managed. It is certainly not just a cost consideration, but security and protection of corporate information assets. Anyone who thinks this is minor has never sweated 24 hours trying to get a multi-billion dollar company's network to settle back down after some jackass installed trojan-carrying software in the form of a stupid photo retouch application. Eh hem. Unmanaged and user-managed systems can carry real risks for business, especially at scale, which can wipe out completely any incidental benefits found along the way.
That said, when the company's business demands that kind of flexibility (say, a news or consumer service organization that needs to test new software or consumer electronics devices and review them, etc) there are plenty of ways around the challenge, whether it be in the form of physical or virtual labs, parallel secured and unsecured networks, etc. I agree that IT policy can't run counter to the aim of the business. But, typically, end user griping doesn't factor in the dim, unglamorous, cave-dwelling reality of keeping networks and systems up, secure and performing well on a 24x7 basis.
[ link to this | view in thread ]
Necessities
We do not filter websites, although we do block ActiveX for non-trusted sites.
In some cases I can see how leaving a computer wide open to the user makes sense, but secretaries need a word processor and a groupware application and that really is about it.
We do occasionally have senior management say that they demand full access, usually after a couple weeks and a very sluggish computer, they request to have the standard locks again.
[ link to this | view in thread ]
Yes, I agree absolutely that hundreds of millions of dollars are being lost in the industry due to this practice, but you have to balance that against the literally billions of dollars saved by the practice.
[ link to this | view in thread ]
Re: Re: Re: Re:
"Make your employees responsible for their own stupidity."
no one is responsible for their own actions in a corporation so that is never going to happen.
you have to give the children exactly what they want and then come to the rescue when they have gotten themselves in trouble. it's your fault they are in that mess, so it's your responsibility to save the day. that's your job and if you don't like it then quit.
the problem isn't that end users are stupid. they are, and everyone knows it. the problem is the attitude of IT support types who think they can engineer stupidity to a manageable level.
IT is about fixing things that stupid people do. low level IT guys fix stupid desktop problems, high level IT guys fix stupid executive decisions that threaten the infrastructure for the entire enterprise.
at the end of the day, if you can't handle fixing stupid mistakes, then you have no business being in IT.
[ link to this | view in thread ]
Re: Re: Re:
responsibility? in a business? what planet are you from?
no one anywhere at any time is responsible for anything that they do. it's been that way for a long, long time.
[ link to this | view in thread ]
If a user needs something all they have to do is justify it and they can have it, but not the great $9.99 deal they can get the latest release of Autocad for.
[ link to this | view in thread ]
Why not a VM sandbox?
Done. And done. People at work are bringing in their own laptops and launching their daily reads on the corporate network... there's little to stop them from crossing the domain barrier and infecting the corporate network. With a VM, at least you can build images that won't ever do that.
-C
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
Did I miss the sarcasm tag in this one? Or is this a serious post?
[ link to this | view in thread ]
Re: Why not a VM sandbox?
And yeah, I know, all they need to do is an ipconfig, get the IP scheme, and keep entering static IPs until they find one that works, but, when most people plug into the network if they can't get on the internet they stop there.
[ link to this | view in thread ]
Riiiighhht
This would wreak havoc, so many times at my last civilian post where the internet was not restricted, we found porn, viruses, spyware.
It was ridiculous how fast computers could be made unusable.
For most of us on this site and similar sites we are either in the IT business or at least know enough about computers not to be stupid with software, however most computer users are not like this. They have a few things they are tasked to do and that is all they know, the minute you allow them heightened privileges of any kind is the minute bad things happen.
[ link to this | view in thread ]
Re: Re:
But when a company has 100 users and only 1 part-time IT person(who is not a professional IT person, the norm for a lot of companies today) it's almost impossible to find the resources so locking everything down is the only possible solution. Lost productivity for an individual user is nothing compared to the lost productivity when documents are lost, machines crippled, etc.
Sad, but just the plain fact. Since windows dominates, learn group policies, learn security and lock them down will make your overall users more productive.
But you must be open to every new advance and listen to your users' needs (not just requests)... if they ask to do something they cannot do, then make a business case for it and implement it if there is a reason to. Our job here is to listen to the users and give them what they need, not what they think they want. We have to make sure we understand what they want to accomplish and work with them to provide that capability. That doesn't mean deny them every thing, just make sure it will provide a benefit, embrace the technology to make the company more efficient, responsive, etc.
IT staffs get into a rut of not learning and not growing like everyone else and it's even more deadly, but still you don't do things just because they are cool, they have to have a solid business reason behind them.
Just remember change is inevitable, but growth has always been optional.
[ link to this | view in thread ]
Re: Re: Re: I'm an IT Pro
banks have wire transfer terminals in separate rooms specifically for this reason. you have to do what is necessary to both protect the company AND provide useful services to end users. these are not mutually exclusive objectives. they are two very distinct and very important responsibilities.
fixing these sorts of things is the purpose of IT. that's exactly why you are there. after 12 years of IT, i can confidently say that malware and spyware have made our jobs significantly more difficult, but that doesn't change anything.
i remember the old days when i mostly installed new gear and helped people learn to use it. it was great, i made decent money for just knowing how to operate a computer. the job was easy in those days, but those days are long gone.
the job is a lot harder now that everyone is expected to know how to operate a computer (even when they don't) and so now i fight the chinese and the russians on an almost daily basis for control of my company's computers. the game has changed, but the objective hasn't: protect the company *AND* serve its users.
[ link to this | view in thread ]
I agree, but it doesn't work ...
NOW, I run IT at a different company. When I joined, it was a free-for-all; unstable, no security, full of viruses, porn on the servers (yeah, really) and "entitled" senior users.
Now, we're locked down (mostly). You want software that IT doesn't provide, get your boss to pay for it out of HIS budget. (If you can't convince him, you can't do it).
Surfing for the professional is monitored, but not terribly restricted. We encourage people to do things like their banking. (We had somebody running a business on eBay - goodbye!) The author's point would be true if ALL people were honest and focussed on the company's success, but in a company with 5000 employees that's NOT the case.
And there are people not in IT with special privileges (this drives my network manager NUTS!), but they went through their boss and are monitored to ensure they don't break anything.
So, while I agree that in a "perfect" world this would be true, there will always be people who abuse privileges.
[ link to this | view in thread ]
Re: Re:
Have an image. Buy a Checkpoint firewall (and the expensive expertise to run it). Money doesn't grow on trees, moron.
Do yourself a favor and take Finance for Dummies.
[ link to this | view in thread ]
Somebody is wrong on the internet!
I fight hard at my company to convince management NOT to hurt productivity by blocking access to non-work sites like youtube and facebook (and somehow these sites may have just *happened* to fall off the blacklist a few times, heh) but that doesn't mean I'm in favor of giving all users full control. One extreme is just as absurd as the other. Opening up the systems would mean that a single honest mistake by any employee could create a security hole that would expose all of our customers' financial information.
Imagine: your company has a serious data breach. It comes out that your policies were so lax that a single mistake by any one of your employees is all it would take to blow *everything* wide open. Do you really think you'd stand a chance in that lawsuit? You would lose, and you *should* lose, because that's an irresponsible way to treat sensitive information.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re:
depends on how strong your department's leadership is.
a good leader, or at least one with significant political power can make your job fairly proactive. since IT costs money and doesn't make money (saving money doesn't count), there aren't many strong leaders in IT departments. the decent ones usually end up somewhere else.
weak leaders, or ones with no support from the company, will make your job just about purely reactionary.
being reactionary doesn't make the job any less important, nor does it allow you to be less than professional.
[ link to this | view in thread ]
give him EXACTLY what he asks for... verbatim.
(obviously they can't break security policy or support policy, but in all other cases... don't deviate from my recommendation... at all)
[ link to this | view in thread ]
This is not an IT problem
IT should understand the job functions throughout the company better than just about anyone else in the company, they work in every area. If they don't they aren't doing their jobs.
This is what you get when a person who doesn't understand IT policy, corporate culture, management policies, etc.. writes an article about something he doesn't have a clue about. This is where IT should be responsive to his issues, work with him to define his needs and provide for them in a secure productive manner, if he worked someplace that has sound management and properly implemented IT policies. Not surprised it's SLATE...
[ link to this | view in thread ]
What are you people, 9 years old?
[ link to this | view in thread ]
Dammit
I'll give users unfettered access when I get the promise that I will not have to come in early, stay late, or get a call in the middle of the night that requires me to reload a computer. I have a life. I have a very special person in my life. I refuse to give up my personal time because users are too stupid to live.
[ link to this | view in thread ]
Good points and bad points
Yes, it's possible to lock that down too but only to a certain extent. No one backs up their information, or if they do, they use their email account to do so and then freak out if they are told, quite correctly, that they need to knock it off if they want their email to be more responsive. There's a hard limit for a reason - we don't run an email server just to store your kids' 10 MP resolution PNG files.
There's always the exceptions to the rule, the idiots who happen to be louder than the IT department and insist on using non-standard storage and obtaining admin rights through illicit means (coercion, manipulation, outright lying, etc.), and the supervisors who are just too pissed off and worrying about other things to be concerned with them.
And let's not forget the asshats who will bitch and moan until the cows come home if you forget to back up that random hidden folder with their personal items in it, despite their having signed, at their orientation, a form basically telling them in no uncertain terms that work systems belonged to the company and they could be fired for using company resources for personal use.
It's great to talk about how companies need to take a lighter approach to employee treatment and allow them to do whatever it is that they want, but no one understands just how much more of a burden that is for IT to deal with. No one gets that just being able to see this one joke site or this one girl's myspace page full of poorly coded HTML and possibly dangerous SQL injections can cause damage, not just to their computer (resulting in ALL of their pictures / music / work emails / etc.) but to the servers passing the information along, to their co-workers' computers, and any devices connected to their computer as well (iPod, thumbdrives, etc.).
Oh, and let's not forget the risk to corporate secrets when you open up a buttload of corporate computers to the public internet. Wave goodbye to any hope of keeping embarrassing secrets from going public immediately. Watch the stock price plunge faster than Gates McFadden's career post-Star Trek: TNG.
Opening everything up to the public is a great ideal but so is communism.
[ link to this | view in thread ]
Re: Dammit
I think Mike just puts up these articles to expose the mindless sycophants.
[ link to this | view in thread ]
The trick is to identify where the value is
Sure, some users can use their computers effectively, but will require a higher level of cooperation from the IT department.
But what is the IT department's incentive to provide higher service to these users? The IT guy isn't going to be the one getting the bonus/raise/promotion when the user invents a new process.
Meanwhile, for every power user that generates value for the company, you've got five more that have absorbed IT resources that could have been used elsewhere.
[ link to this | view in thread ]
Re: Re: Re:
Feel free to lock down a PC, but why the hell would you prevent them from adding printers for example?
Like others (Schneier) have argued, there is such a thing as being "over secure" to the point where the security gets in the way of the daily user experience.
Sometimes less is more.
[ link to this | view in thread ]
First thing they always do
I don't care what you people say. If the software police come knocking on your company's door and you have illegal software on a system, they are going to hold the COMPANY responsible no matter what your policy says. After your company gets fined thousands of dollars (happened to a buddy of mine) I doubt you'll still have a job.
[ link to this | view in thread ]
Re: Re: Re:
no it's not. if you don't want to use images then you can slipstream drivers into your install disc. the technology is free you just have to learn how to do it and take ownership of the process.
i have worked in IT support (doing it now) and i have worked in software development. so i have been on the IT side trying to keep people from wrecking stuff, but i have also been on the development side, being prevented from doing my job by draconian IT policies.
i always found a way around, but it made me the enemy. that is the problem: working against the people inside the firewall, when you should be working against the people outside the firewall.
"But when a company has 100 users and only 1 part-time IT person(who is not a professional IT person, the norm for a lot of companies today) it's almost impossible to find the resources so locking everything down is the only possible solution."
no, it means the IT department sucks, which was my original point.
"Lost productivity for an individual user is nothing compared to the lost productivity when documents are lost, machines crippled, etc."
yeah, it's called disaster recovery. i do it everyday, and if your IT guys can't help you recover from a disaster, they suck, also my original point.
"Sad, but just the plain fact. Since windows dominates, learn group policies, learn security and lock them down will make your overall users more productive."
i used to think that 10 years ago, but i don't anymore. after being on the other side of IT, i understand the frustration that people feel when they can't do their jobs. IT support is also about supporting people, not just servers and applications.
"Our job here is to listen to the users and give them what they need, not what they think they want. We have to make sure we understand what they want to accomplish and work with them to provide that capability. That doesn't mean deny them every thing, just make sure it will provide a benefit, embrace the technology to make the company more efficient, responsive, etc."
yeah, and 6 month approval processes for everything just hold people back. change is not just inevitable, it's accelerating and that will be what separates successful companies from roadkill.
so you can sit on your hands and hide behind policies and other bureaucracy as an excuse for not getting things done, or you can move the envelope back a little and be part of the solution.
[ link to this | view in thread ]
Re: The trick is to identify where the value is
One problem is that it can be either; it entirely depends on the skills and training of the IT department.
The other problem is the difficulty in how to measure the revenue generated by IT. The old adage is that saving a dollar is the same as making a dollar, but those dollars that get made are a lot easier to find in the financial reports.
[ link to this | view in thread ]
Actually Mike, I think it is time for you to get your nose out of other people's business. Companies do this stuff for a reason, if you actually ran an IT department for a while you would realize. The amounts of money wasted by companies fixing computers "broken" by people piling on useless software, surfing porn, installing spyware toolbars, and the like is insane.
This is really one of those posts where you aren't thinking past your own biases. Not everything needs to be open and free.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re:
that is the problem that IT departments should be worried about: creating subversive users.
i know how to crack the local admin password on a windows box to get admin privileges, and how to tunnel traffic to get around network filters and sniffers. at that point i am directly connected to the internet and running as root... the whole reason workstations and networks are locked down and firewalled in the first place.
this is why restrictive IT policies are a bad idea and why you should be working with the people inside the firewall instead of against them.
[ link to this | view in thread ]
Not 5 minutes ago, I was getting a cup of coffee and overheard two people complaining because they had to remember a 12 character password.
These are the sort of people who you want to give unrestricted access to. The same people who, in their own words, *don't care*.
Someone has to care about security. Someone has to care that crapware, viruses, and similar crap doesn't get put on the network.
Oh, and let's not forget licensing! Regardless of how anyone feels about it, the way things are, if we're not controlling what gets put on the computers, I guaran-damn-tee we'll get hit with software licensing violations.
No. Sorry. As long as the user base remains WILLFULLY ignorant and self-interested, the controls and lockdowns need to stay in place. They prove the need for this on a DAILY basis.
[ link to this | view in thread ]
Re: Re: Dammit
On another note, I just realized that I was so pissed off after reading the actual article that I couldn't make a coherent response. Everyone could tell I was angry, but even I'm not entirely sure what I was talking about. All I could think at that moment is that I hope Mr. Manjoo gets kneecapped by thugs.
[ link to this | view in thread ]
Re: Re: Re:
secure the network: use intrusion detection and prevention systems to prevent and/or log malicious bits on the wire. use a firewall that allows most outbound connections, but prevents most/all inbound connections that are not a response to a request from an internal host. log connections (not packets) so you can spot suspicious trends in network traffic.
secure the OS: use AV/anti-malware software with realtime file system protection and use a firewall that allows most outbound connections, but prevents most/all inbound connections that are not a response to a request from the host.
user gets control (add hardware, software, access websites) but is protected from malicious activity.
[ link to this | view in thread ]
Re: Re: Re:
http://www.runtime.org/driveimage-xml.htm the commercial version of drive imageXML for 100 users is 5 bucks per user for a year. there's also free solutions like partimage and dribbl.
"Buy a Checkpoint firewall (and the expensive expertise to run it). Money doesn't grow on trees, moron."
modern versions of windows come with a passable firewall built in.
if you want to firewall network segments, iptables and PF are now and will always be free :-)
[ link to this | view in thread ]
You are an idiot, Mikey
(not even talking about raises)
If users are allowed to destroy their comps companies will have to pay more to existing staff and to hire more IT folks
The more the merrier
The ideal situation is if all comps in US burn down - then we (IT folks) can all make a killing, like some folks did back in 1999
[ link to this | view in thread ]
Waaa Waaa Waaa Blaaa Blaaa Blaaa
They are all a bunch of over empowered geeks on a power trip because even the accountants beat them up in school and this is their chance to get back....
IT's FUNCTION is to be a support tool for the USERS which MAKE the company run, NOT an interference or a problem. If users need to go to IT to get PERMISSION to do their jobs then IT has failed and wasted money....
The crying about insecure and itunes and streaming video is nothing more than an EXCUSE to not work and do their JOBS.
Get over it and learn your place pocket protectors
[ link to this | view in thread ]
Re: Waaa Waaa Waaa Blaaa Blaaa Blaaa
The crying because you can't do your jobs due to restrictions is nothing more than an excuse because you want to have the latest version of desktop strippers installed on your computer.
get over it, do your job and stop worrying about what toys you can't play with.
[ link to this | view in thread ]
Re: Re:
'I once had to give a user elevated privileges to allow him to test some software. '
or
'because the user downloaded some "tools" he needed to test the software, none of which were approved for use'
I, as a developer, sometimes need to go out and 'find' tools to accomplish things that we are not prepared for. When I do that I use a different UID that has elevated privileges, and sometimes I do hose my system. I ALWAYS take responsibility for that (my IT guy still has to fix it though!).
[ link to this | view in thread ]
Re: Re:
'Maybe ten years ago there weren't the corporate tools to properly manage this but there are now.' -- fool, he WAS talking about ten years ago.
[ link to this | view in thread ]
The Attack of Nat Burns, Your Company's Computer Guy
In the REAL Big Corporate World - like Fortune 5 - trying to manage tens of thousands of users who operate in disparate spheres (i.e. the needs of engineers are not those of marketing or financial people) and their machines is a constant pooch screw. That some applications from suppliers like PeopleSoft are coded to run in IE6 thus preventing upgrades to something more usable and secure and leaving open XSS and SQL attack vectors (don't get me started on McAfee AV!) doesn't help. That GPO doesn't prevent all software installations (hello, Google Earth) while locking people out of defragging their drives is fun.
Also, the nerd snobs forget that the users aren't there to be PC experts, they're there to do their work! The PC is just the tool they're handed to do their jobs. Is a carpenter supposed to know how the windings of their circular saw's motor were spun? Does a taxi driver have to know how the meter is integrated with the odometer? No to both; they just need to know how to cut wood and drive safely. The d-bags sneering upthread seem to think unless that cabbie changed the oil before his shift, he is just lazy and stupid. Get over yourselves!
[ link to this | view in thread ]
that is what this article is, and that is why there is so much heated response
that said, the article is simply ignorant of the situation: it's not 1992, there is an internet, there are REAL security threats, pci/pabp compliance, jail time for piracy, and finite labor pools
if you want unrestricted access go buy a $200 netbook and a data card i am sure your IT person will be glad to help you uninfect it off the clock at $85/hr
[ link to this | view in thread ]
Re: The Attack of Nat Burns, Your Company's Computer Guy
Exactly - it isn't there to look at desktop strippers, it isn't there to download music, it isn't there to go on IRC, it isn't there to surf porn.
It's there for work. The users don't need to know how the computer works, they just need to use it for the JOB they have, not for their own personal joy.
[ link to this | view in thread ]
Re: Waaa Waaa Waaa Blaaa Blaaa Blaaa
[ link to this | view in thread ]
Re: Re:
AKA...... Locking the user down.
[ link to this | view in thread ]
Re: Re: Re:
And a Checkpoint firewall? You have to be kidding right? Checkpoint is arse in a handbasket. If you can't afford a real firewall then your best bet is a *nix box of some sort running the firewall with a nice web interface for changing/adding rules.
I think my solutions are more cost effective than yours. And don't bother telling me they won't work in corporate America I have installed them in small to mid size shops for years. The large shops use real firewalls and can afford Ghost. Strangely enough where I work now is a very large shop and Ghost used to be standard for images until someone pointed out clonezilla. We don't do many images and use OSS tools for our OS installs worldwide. And while I can't tell you who I work for I can safely say it's one of the largest shops around.
[ link to this | view in thread ]
Never in my life
[ link to this | view in thread ]
Always educate users, put in security systems, but giving users root? I think not...
[ link to this | view in thread ]
Re: What are you people, 9 years old?
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
no it solves one specific problem.
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
damn right. IT is two functions: protect the company's infrastructure AND help people use the company's infrastructure to do their jobs.
if you can't help, then get out of the field because if your users can't do their jobs, then you aren't doing yours.
user gets control (downloads latest malware from random emails/websites) IT gets to clean up the mess.
that is what IT is *for*. fixing the stupid things that people do with computers, software and networks is your function.
sometimes you can fix things with education, sometimes you can fix them with software tools, and sometimes you have to roll up your sleeves and do actual work.
i'm sure the thought of sitting around doing nothing and letting restrictive policy and bureaucracy shield you from actual work is very appealing, but it never happens.
The company I work for is pretty lax and I do end up dealing with a lot of spyware and viruses.
and dealing with spyware and viruses is part of what the job entails. the job changed about 8 years ago with the advent of spyware and it's not going to change back.
you used to be able to passively deal with most threats, but the bad guys move quickly now and are way more hands on nowadays, which means that you should be too.
people make mistakes and things get hacked; it's a fact of life with computers.
in the old days, viruses were a highly automated problem that you could use a highly automated solution to fix (AV software). an automated solution only works for old and well understood threats.
today, malware is the product of dedicated teams of skilled and motivated individuals with tons of tools and tactics at their disposal. how do you deal with that? by using teams of skilled and motivated individuals to play defense.
you are either skilled and motivated enough to make a difference, or you're not. if you're not then move out of the way and let someone else take a shot at it.
the behavior of the user is key to preventing the malware issue and you just can't depend on users to always make the best decision.
no it's not. the behavior of the user will not change, ever. when it comes to you vs. your users, you are outgunned and outnumbered and that will never change.
the only thing that has the possibility of changing is your attitude about the user and your understanding of your responsibilities as an IT professional.
if people cleaned up after themselves there wouldn't be janitors in this world. if you don't like cleaning up messes, then you shouldn't work as a janitor. IT is the same way. Technology progresses faster than the average worker can keep pace with, that's why companies hire IT people, to keep pace on behalf of their workers.
[ link to this | view in thread ]
Re: Waaa Waaa Waaa Blaaa Blaaa Blaaa
I'm guessing that the IT shop where you work is full of men, or women, that are all what you consider nerds? Right? Or is there a vast pool of employees that work there? I've worked with IT guys that are bodybuilders, musicians, carpenters, mechanics, navy chiefs, marines, shit, they come from all walks of life and have all types of hobbies. I would love for you to use your attitude with the one Network admin I knew that was a recently retired Navy Chief. I would love it. Or the Gunny that is 250lbs of pure muscle and stands 6'3". Would love to see it.
[ link to this | view in thread ]
So long as you use a good firewall, external email proxy to filter spam and viruses, and good antivirus on the local network, the most users do is browse with Internet Explorer and install some minor crapware like Weatherbug.
Let managers worry about people surfing the internet, IT can have the security in place to prevent all but willful damage to the computer while balancing the need of users to have some freedom, which they should have to be happier and more productive.
[ link to this | view in thread ]
This is a stupid article. It's entirely wrong.
Where I work I am the sysadmin for about 65 users. That isn't very many people. Most work locally, but we do have several remote branches. I try to keep access as open as I can, but there must be some limitations. Why? Because despite educating users, and re-educating them, over and over, some of them simply will not listen, or do not care to listen.
Now take such people and amplify the number of them, say in a network with 3000 users. Or in a high school with 1500 students. Now imagine that some of these people are in management positions, or are mission-critical people to the company, or are teachers, etc. They are much less likely to be reprimanded for abusing an open computer policy - thus the problems snowball out of control for the sysadmins.
Now let's take a moment to talk about "Proper Security".
I run a fully updated anti-virus program on EVERY user machine. It not only updates daily and has real-time protection, but it is also set to scan each user's machine daily. Every machine is also equipped with a software tool-set to remove and help block spyware, updated frequently. Our e-mail server does a sufficient job at weeding out most of the spam. With all this being said, I have at least one user a week with a spyware problem - and that is with many lock downs in place. If all users had complete control over their machines, this problem would be rampant in no time.
Now before someone says it... This isn't a matter of me not doing my job "well enough". You can go to hell if you think that. :) The fact is that even with safeguards, security problems still arise. By giving complete control to end users however, that only makes the risk skyrocket. There NEEDS to be some limitations. By locking down what can be installed, you help mitigate the risk of spyware, malware, viruses, pirated software, and so on - being installed. It makes SENSE to do this.
This is just the tip of the iceberg, too. Web surfing, downloading, and streaming, are all other things that bring great risks. It's not to say users shouldn't be able to surf the web, but there needs to be a line between what is safe and what is not - and thus, some lock down policies need to be in place. I don't limit my end users from surfing the web - but I do limit them from using a site like Myspace. This is because I had problems with spyware / malware stemming from that site. When an end user proves to me a site is safe, they can browse it all they want. The minute I have to fix their computer because of said site, is the minute that site gets blocked - effectively saving the company time and money by protecting from future infestations. Like I said, at least once a week this happens.
If you want a piece of software on your computer, and you cannot install it, then call I.T. Get it approved, and get their assistance. It is what they are being paid for. If they tell you no, then ask your manager. If I.T. tells your manager no, then there is probably a pretty good reason for it. Either that or your IT staff is lazy. As an end user, you shouldn't be taking this control into your own hands. I'm sorry, but you're not a computer expert, guru, ninja, or otherwise. You are an end user, for a company, and your job is to get things done. If you *need* select software or web access for that, then make your case and I am sure I.T. will be HAPPY to assist you with it.
In short: Don't be an arrogant bastard. I am happy that my users and I get along. There is no hate for the I.T. department where I work, despite limited access policies. They know why they're in place, and we have a mutual respect going. If they need software, or a certain filter lifted, we approach it together and find a solution that fits.
...Openly giving complete control is not a solution that fits. It's an implementation that will likely fail miserably in most environments. Particularly the large ones.
[ link to this | view in thread ]
Re: This is a stupid article. It's entirely wrong.
[ link to this | view in thread ]
Re: Re: This is a stupid article. It's entirely wrong.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re:
[ link to this | view in thread ]
Re: This is a stupid article. It's entirely wrong.
Well said sir.
[ link to this | view in thread ]
um labs much
This whole thing contrasts hilariously with the federal don't be a stupid douche bag security presentation featured today as well. People are just that dumb with their computers an alarming amount of the time.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re:
So you think the IT people in the world are nothing but technical janitors?
You are either an IT guy that cannot get a leg up in the profession or just an ignorant user.
[ link to this | view in thread ]
Re: Re: I'm an IT Pro
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re:
Not hooey. Tripe.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Re:
Toe-MAE-toe toe-MAH-toe...
;-)
[ link to this | view in thread ]
Complicated
I am a relaxed admin, and I will be the first to admit some admins are out of control with restrictions, but the users on our network enjoy an immense amount of freedom.
However, this and the other article are just trolls getting you all to rant about a very complicated issue because neither of the writers knows what it is like to be an IT admin.
[ link to this | view in thread ]
Re: Re:
Disk space is getting cheaper so having a snapshot of each computer on your lan is becoming more feasible but your arrogance that everyone can afford an imaging solution or have the space to manage a FOG server or whatnot is astounding.
[ link to this | view in thread ]
Re: Re: Re: Re:
Most firewalls come out of the box the way you refer, but do you really need access to the full 65535 ports? Does your IT staff really have the time to pore through IDS logs and set them up?
[ link to this | view in thread ]
Re: Re:
Actually, instead of making nonsensical claims like this you should develop an actual DR policy that prioritizes high-value systems and de-emphasizes less critical systems. Then you define RPOs and RTOs for your recovery. Then you design a plan that implements it. If their DR plan doesn't care about restoring desktops, that's fine. It's not your choice.
[ link to this | view in thread ]
Re: Re: I'm an IT Pro
Yeah, because that's easy and cheap to implement and users won't throw a fit about having to jump through hoops "just to do their jobs" with the sensitive info.
Seriously, we all know that there is a balance between good security and usability. The most secure computer in the world is one that can't be used, and the most usable is likely unsecured. You just have to find a balance that works for you. In my case, I would never let a user run with full admin rights on any PC or server. The risk just isn't worth it, whether it's the risk of system compromise, malware infection, espionage, or even unlicensed software. And that's before you even run into the issues of supportability.
Think about it...most users today don't like IT because they're not getting the level of support that they need. If IT were to open the systems and let people run with full admin rights the number of systems that need to be whacked and rebuilt on a regular basis would skyrocket. That would cause support costs to go up, resolution time to go down, and people would just be even more unhappy with the level of support that they get.
The reality is that we lock down the systems for a reason. Usually the only people who complain about having their systems locked down are the people who would do the most damage if their systems weren't locked down, usually without even realizing it.
[ link to this | view in thread ]
Re: Re: Re: Re:
I would argue that BSD and *nix firewalls are more like a real firewall than the shiny boxes you buy for significantly more.
But remember, most admins aren't that familiar with open source projects and even though the solutions are free, they are more difficult to manage, that is how the expensive products make their money.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re:
[ link to this | view in thread ]
Re: Complicated
[ link to this | view in thread ]
Grow up people, not everything is free and open and without restriction in life. Mom may give you an unlimited amount of money to spend on WoW and Mountain Dew, but it doesn't mean the rest of the world works that way.
This thread more than anything really makes it clear why so many people here appear to support illegal downloading, talk about clueless!
[ link to this | view in thread ]
There is a balance and that balance is defined in part by the business type and the risk to the company or its clients presented by exposure to the internet.
[ link to this | view in thread ]
It depends...
Shackling corporate assets is as much of a CYA game as it is a security issue.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Re: Re:
[ link to this | view in thread ]
Re: Dammit
Funny... I know a number of people with home computers. Only one ever had a non-trivial malware problem — one of the fake anti-virus scams, which took me a couple hours with Remote Assistance to clear up for him. Most folks I know seem to be able to run a computer that they administer entirely themselves, with no externally imposed restrictions at all, without screwing it up.
My point being that perhaps the problem isn’t that users treat work computers like their home computers, but that they don’t treat them like their home computers, because they don’t feel like they’re theirs.
[ link to this | view in thread ]
Changing environment, changing expectations
Day by day, more and more members of the workforce are already familiar with the same computer technologies they are using in their jobs. Telling them they can’t check their favorite social networking site or customize their desktop environment with the tools to which they are accustomed at home is as insulting and demeaning as telling an office worker twenty years ago that the phone on the desk could not be used to call home to find out what to pick up at the grocery or to resolve a banking problem during banking hours.
This very real matter of morale competes with the problems of security and maintainability, which are also very real. If the article cited displays only one point of view, we should remember that this is how it will appear initially to most workers. It’s up to IT departments to strike a balance, constraining their users only where the benefits outweigh the costs in ease of use, rapid response to change, flexibility and morale. Some of that means explaining to users why the restrictions in place really are needed — and recognizing that a restriction that can’t be explained clearly might just be an easy way out instead of a real necessity. If all you can say is, “It’s because you’re stupid, stupid!”... that’s not a workable business attitude anywhere, even if your “customers” are others within the same company.
[ link to this | view in thread ]
Re: It depends...
Oh, and yes, your bikini girl background at work is not only offensive but entirely tasteless. For those out there that don't see a problem with this, get a clue. :)
P.S. Surprisingly the unshackling of corporate assets is often pushed for, because users and management are too lazy to deal with proper security protocol.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: Dammit
[ link to this | view in thread ]
There went my morale.
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
[ link to this | view in thread ]
Life in my world
My site of 100+ users has less issues per person ratio than the other sites.
When IT and users understand each others concerns then a mutual respect can be had and the world can be your oyster.
I've had many IT visitors that I simply tell to check their attitude at the door and watch. My site has an attitude of learning, not master/servant. With this open minded environment I'm able to share what I've learned with my users as well as them showing me a trick or two.
Only when IT workers stop being overlords and users learn that they can go to their IT workers with concerns/issues without recourse, will a cooperative work environment exist.
Take it or leave it, I really care less. But, the IT world I live in is a very happy place!
[ link to this | view in thread ]
Only if you have 25 or less systems
Idle Employees cost the company $$$, Product is delayed, Invoices don't get sent, Sales Calls are not taken, catalogs not mailed, Checks are not mailed.
It really reflects poorly on the company when Customer Service has to say sorry customer, my computer is a POS and Crashed. Then IT is blamed for the outage. Management wants to know how this could have been prevented. About that time you want to scream, "I ALREADY F%%K'N TOLD YOU, REMOVE USERS FULL ACCESS"
When I started working at this company we were running 95. I was one of the two front line PPL working the line and you were always running all day from one Dept to next. I kept telling management PPL to stop installing stupid programs. Magically when NT4 got somewhat stable and, we could actually start locking down a workstation. 1 month after installing NT, removing rights and using a SOP for approved Software, we didn't have to run all day fixing software issues. Then we were actually able to plan projects and do equipment upgrades/Maint.
Now 10yrs later some Depts I rarely have to visit and most of the time it is usually for small training issues or a user at company X can't send me an E-mail. Most of my computers I maintain have been running completely stable for Five years and still going. The only PPL that I have to re-image more frequently are the ones that have Full control over their systems. Sure that may only be 20min of down time. But that is only my time. What about how long the users spent trying to put every little setting back where they were B4, that they forgot how to do and you get a call back to do it for them.
As for filtering Inet. it's a must in a large office. Everyone shares the same Pipe to the internet. You can’t tell me it's good for business if your websites or E-Mails are slow for the customer, because you want PPL to be able to access Youtube, EBay, FaceBook, etc. All those little perks programs that run in your systray accessing internet chew up your bandwidth. We put a Deep Packet Inspection Firewall in place, and now our Inet reports have a curve in them.
The company spends thousands a year for the internet pipe just so someone can watch YouTube or have IM, so they are happy. Come on PPL; are you that stupid to really think that increases productivity?
IT Departments are expected to do More with Less $$$ and time these days. I don't have time to run around updating computers with updates. That's why most software is updated from a central point. I have a lot of Viewers that are updated automatically on the next system reboot. Sure, the user has to wait a couple mins, but it saves IT 10-15 min for every computer that is centrally updated via Corp. policy. That means for every update that is needed it would take a week before I completed them all, and then I would just have to repeat the steps Next week.
Also a SOP for computers gives you consistency across the board. When there's a problem you don't have to remember that Bill uses this program and Jane uses that. It's not that you're Lazy; there's never enough time to sit down for 2hrs at every user's computer to figure out which program is giving you a BSOD.
WOW did a preview, man is that message long
[ link to this | view in thread ]
Make users responsible for their own systems
The commenter worked for a company that required a certain level of computer savvy to get the job. This is because they were looking to lower IT support costs. Each applicant had to prove a certain level of competence by building a computer and installing the OS; if the applicant was hired, the computer they built became his office system.
Employees had the opportunity to take the company supplied parts or they could purchase their own parts for the computers. They could also choose which OS they wanted to use. Employees who weren't technical, e.g. admin assistants or other "office" type people, could either build their own systems or use a Mac purchased by the company.
The benefits of this were significant. Since Linux, Windows, and OS X were used, a single virus or other malware infection couldn't take down the entire company. Because each work computer was an employee's "own", they were expected to maintain them; no IT support was given except to people who chose the standard corporate computer (Macs). If a virus was found on the network, the person responsible for it was canned because everyone was responsible for their systems and behavior.
Since all the tech workers had a minimum level of computer knowledge, they were expected to know about computer security and maintenance. IT costs were nearly non-existent because people maintained their own systems. Even if a problem did occur in the office, there were many people who could help out, reducing the number of dedicated IT employees. And because Windows wasn't the standard OS, there were fewer problems with malware and support issues.
If I'm ever in a position to make IT policies, this is almost exactly what I will advocate implementing.
[ link to this | view in thread ]
Yes
[ link to this | view in thread ]
Yes and no
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re:
Exactly and don't forget to mention that most companies DO view IT as a cost center and not a revenue stream. Who here works in an IT environment that isn't overworked primarily due to lack of personnel?
I suspect ol' Chris here is an end user who 'knows enough' to think he knows better and has never actually worked in an IT department. Perhaps just started working in IT and hasn't lost his Blue Skies vision of reality.
Gems like.. Give the user local admin but run AV/AM/FW on their PCs to protect them is a very strong indicator that he has never actually had to support more than 10 users if any.
The final point I would like to make is this. There are MANY if not most fortune 500 companies, not to mention DoD/gov/DoE though they do go too far, that utilize a managed desktop environment of some sort. Levels of restrictions and implementation obviously vary. These are companies that can afford to and do hire the best and the brightest. To say they are all wrong is a very bold statement. What do you know that they don't? It is possible that you are simply ahead of your times if you will, but I find it to be more likely that you simply have little experience.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re:
that's great if what you want to prevent can actually be prevented, or that an ounce of prevention is a real substitute for a pound of cure. i have worked for large IT groups (big insulation manufacturer, large metropolitan hospital, large mortgage company, large publisher) and small startups, and i have worked outside of IT in software development shops and a lot of times, the ratio is something more like two pounds of prevention being worth a pound of cure.
i have worked in draconian shops where no one is authorized to do anything, and i have worked in concierge type shops where the prevailing attitude is "do what you have to do and we will help you do it." the job is still the same: fix broken stuff, undo stupid mistakes, try to keep the ship from sinking, but one job produces a working relationship with users, and one produces an adversarial one.
when i help people do their jobs, they are more inclined to help me do mine. when i prevent people from doing their jobs they do what they can to prevent me from doing mine. i guess the axiom would be "you can catch more flies with honey than you can with vinegar".
Agreed. Which is why the controls are put in place. I'd rather deal with them before they propagate on the network by limiting the opportunities to get on in the first place.
that's great when the threats are highly automated and mostly static (like viruses were in the 90's) and you can just lock stuff down to keep it out. today's threats route around locks because they are being driven by teams of skilled and motivated professionals.
so, if the locks aren't working, why punish users with them? if you are being actively thwarted by one group why take steps to alienate another?
Not entirely true, but close enough. So again, since you have established that the users are the problem, why is it that the controls and restrictions should be relaxed?
because the user isn't going to change. no one is going to stand up and say "i'm stupid and i take responsibility for that stupidity". no manager is ever going to say, "IT is right, i'll tell my people to stop doing that."
so you are faced with a group of people who will not change how they operate (your users) and a group of people who will adapt to every change you make to protect your infrastructure, and you have management that will not spend the money to give you the tools and personnel you need to be productive. in that situation you need to make friends.
if the primary responsibility is to ensure that the user base has the resources to do their job, we have to make sure that the same user base cannot engage in activities that may deny those resources to the other users.
yes, you have to protect the company's infrastructure, but there is a universe of difference between taking reasonable measures to protect that infrastructure, and using the infrastructure as an excuse to be a petty tyrant.
so as you lock things down for the greater good, ask yourself, am i doing this to protect everyone, or am i just being (or acting on the behalf of) a petty tyrant?
[ link to this | view in thread ]
they are sitting in their office with their feet up reading a magazine while everyone else is working. Good IT staff are not running round like a chicken with their heads cut off cleaning up viruses, enacting Disaster Recovery plans every second day or constantly rebuilding computers.
Installing anti virus software does not mean you will not get a virus and installing anti spyware software does not mean you will not get spyware.
I worked for a company who liked to cave in to particularly loud users and give them admin rights on their computers until one day one of them installed a virus on his computer that he thought was a key generator for a copy of Creative suite that he downloaded via bit torrent. This wonderful virus systematically went through modifying all picture files, word and excel document and html files on his computer and all share drives he had access to. It was not picked up till the next day and took a lot of people hours to restore all the data, which in turn meant that the entire company lost 2 days of work. I still have a copy of that virus and to this day I still have not found a scanner that picks it up. However if he had not been allowed to install anything on his computer it would not have happened.
Not only does locking down a computer stop threats that you know about, it also stops many, many more that you have never heard of yet. It has nothing to do with being a petty tyrant. IT staff have a lot of pressure put on them. We have to protect data for the entire company from constantly evolving threats. If something goes wrong we have our heads on the chopping blocks not the users who act dumb when something they have done causes major problems. And because of that we will employ any method we can that helps. There is a hell of a lot more to it than can be seen from the users side so please do not make stupid judgements when you obviously have no idea what you are talking about.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Re:
Why do you need to give the user local admin access? Give them an account that can install applications, but don't give them admin. That way the user can install and run applications locally, while the admin accounts can run AV, firewalls, etc that the user cannot fiddle with.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Re: Re:
[ link to this | view in thread ]