Time For IT Guys To Unshackle Corporate Computers

from the can't-do-that dept

This one ought to infuriate some of the IT folks, but Farhad Manjoo, over at Slate, is making the case for why corporate IT folks should give up trying to control everyone’s computers. He says it’s silly for them to dictate which apps you can and cannot use, what websites you can and cannot visit and what mobile devices you can and cannot use. He argues that doing so only restricts employees from actually doing useful and innovative stuff and also can make employees significantly less productive.

The response from IT folks will always be about the cost of maintaining all of this — noting (perhaps correctly) that any time there are any problems, people will call up IT folks who will have to try to service all sorts of things, rather than having a standard list. And, of course, they’ll say that users are often dumb, and prone to doing things that put computers and networks at risk. Thus, locking stuff down isn’t only cost effective, but it’s prudent to protect the company.

In the end, though, if that prevents important work from getting done (or done quickly), that seems like a problem. In the past, we’ve pointed out study after study after study suggesting that those who are actually allowed to do personal surfing at work are happier and more productive. Manjoo makes that point as well, mentioning recent studies that have shown the same thing and suggesting that companies that trust their workers on these sorts of things tend to get much more out of those employees.


Comments on “Time For IT Guys To Unshackle Corporate Computers”

125 Comments
Anonymous Coward says:

There’s a big difference between allowing web surfing and giving total control to users. I once had to give a user elevated privileges to allow him to test some software. A few days later his computer was infected with spyware that forced a rebuild of the system. This was because the user downloaded some “tools” he needed to test the software, none of which were approved for use. So it was a lost day for me rebuilding his PC and for him because he had to sit and twiddle his thumbs all day.

About ten years ago when we put in the first network monitoring tools we discovered that two-thirds to three-quarters of our network bandwidth was being taken up by users streaming audio using RealPlayer.

Bottom line is you give users full control over their PCs and the next morning everybody will be running iTunes and streaming music and be downloading videos from Pirate Bay and saying “well if they didn’t want us to do this stuff they shouldn’t have let us in the first place.”

Matt says:

Re: Re: Re:

It’s kind of hard to secure the OS when you are allowing users to download and install anything they come across on the web. Sure, if this guy was downloading a video driver from ATI.com it’s probably pretty safe, but when users branch out and start downloading everything that appears in a pop-up ad it’s nearly impossible to “give up control” and ensure you’re not going to be spending a few days a month reloading machines.

Now yes, it technically is an education issue that the users of the network do not know how to keep themselves safe, and merely getting people to switch from IE to another browser would probably fix most of the problems. But the fact is you can’t fix stupid. I’ve spent years trying to convince people that the web doesn’t really know “you have a virus” and that you “MUST click this link to scan your computer.”

I am all for an open and unrestricted user experience, I finally am able to mostly deliver this as I now work at a company of only 15 people. Education is a lot easier with a small crowd. But I can understand the “damage control” that Universities and larger companies take to minimize their down-time.

Also a working image of people’s machines can change your entire day to about 20 minutes of your time, Click go and walk away. 2 hours later, machines up and running again.

Lisae Boucher (profile) says:

Re: Re: Re: Re:

You can’t fix stupid, but you sure as hell can fire stupid, replacing it with smart! Users who get their system infected should be held responsible for this mess they’ve caused! First time? Educate them. Second time? Warn them! Third time, give them the boot!!!

Make your employees responsible for their own stupidity.

chris (profile) says:

Re: Re: Re:2 Re:

You can’t fix stupid, but you sure as hell can fire stupid, replacing it with smart! Users who get their system infected should be held responsible for this mess they’ve caused! First time? Educate them. Second time? Warn them! Third time, give them the boot!!!

Make your employees responsible for their own stupidity.

no one is responsible for their own actions in a corporation so that is never going to happen.

you have to give the children exactly what they want and then come to the rescue when they have gotten themselves in trouble. it’s your fault they are in that mess, so it’s your responsibility to save the day. that’s your job and if you don’t like it then quit.

the problem isn’t that end users are stupid. they are, and everyone knows it. the problem is the attitude of IT support types who think they can engineer stupidity to a manageable level.

IT is about fixing things that stupid people do. low level IT guys fix stupid desktop problems, high level IT guys fix stupid executive decisions that threaten the infrastructure for the entire enterprise.

at the end of the day, if you can’t handle fixing stupid mistakes, then you have no business being in IT.

chris (profile) says:

Re: Re: Re:4 Re:

So IT is a reactionary profession and should in no way be proactive? Because it is only about fixing things after the fact right?

depends on how strong your department’s leadership is.

a good leader, or at least one with significant political power can make your job fairly proactive. since IT costs money and doesn’t make money (saving money doesn’t count), there aren’t many strong leaders in IT departments. the decent ones usually end up somewhere else.

weak leaders, or ones with no support from the company, will make your job just about purely reactionary.

being reactionary doesn’t make the job any less important, nor does it allow you to be less than professional.

brent (profile) says:

Re: Re: Re:3 Re:

IT…i laugh at IT people, wannabe execs trying to make sure that their precious network is secure along with everything else on it. please….whenever i get a new machine from IT i always have to figure a way around the rules so that i can perform my job correctly without going through all the procedures an IT department wants me to do to make sure it goes through their system correctly which could take months. Hell last time i tried to do something with IT correctly it took 2 years for them to unregister a router i was using to test my 802.11 designs from the work network that i had taken down right away. I kept getting emails and phone calls, and of course IT is outsourced so hardly any of them speak engrish, telling me to fill out form so and so which i already had and did again and again. I don’t think that router’ll ever leave their system.

chris (profile) says:

Re: Re: Re:4 Re:

whenever i get a new machine from IT i always have to figure a way around the rules so that i can perform my job correctly without going through all the procedures an IT department wants me to do to make sure it goes through their system correctly which could take months.

that is the problem that IT departments should be worried about: creating subversive users.

i know how to crack the local admin password on a windows box to get admin privileges, and how to tunnel traffic to get around network filters and sniffers. at that point i am directly connected to the internet and running as root… the whole reason workstations and networks are locked down and firewalled in the first place.

this is why restrictive IT policies are a bad idea and why you should be working with the people inside the firewall instead of against them.

Anonymous Coward says:

Re: Re: Re: Re:

No it isn’t Matt. And no one said users should be given unfettered control. But the majority of risks can be handled by proper network management and making sure your AV and other Anti-Malware apps are working right.

Feel free to lock down a PC, but why the hell would you prevent them from adding printers for example?

Like others (Schneier) have argued, there is such a thing as being “over secure” to the point where the security gets in the way of the daily user experience.

Sometimes less is more.

chris (profile) says:

Re: Re: Re: Re:

What you are suggesting is that the user is not at all responsible for their own actions? it’s the standard mantra, everyone else is responsible for my mistakes, right?

responsibility? in a business? what planet are you from?

no one anywhere at any time is responsible for anything that they do. it’s been that way for a long, long time.

chris (profile) says:

Re: Re: Re: Re:

Your reply makes absolutely no sense at all… How can he secure the network and OS but give the user full control?

secure the network: use intrusion detection and prevention systems to prevent and/or log malicious bits on the wire. use a firewall that allows most outbound connections, but prevents most/all inbound connections that are not a response to a request from an internal host. log connections (not packets) so you can spot suspicious trends in network traffic.

secure the OS: use AV/anti-malware software with realtime file system protection and use a firewall that allows most outbound connections, but prevents most/all inbound connections that are not a response to a request from the host.

user gets control (add hardware, software, access websites) but is protected from malicious activity.
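
An added example, not part of the comment thread: the network policy described in the comment above (allow most outbound, drop inbound that is not a reply, log connections rather than packets) written as an iptables-restore ruleset for a LAN gateway. The interface names eth0 (Internet) and eth1 (LAN), the SSH management rule and the outbound SMTP block are assumptions chosen for illustration.

```iptables
# Stateful gateway policy in iptables-restore format (added example).
# Assumed interfaces: eth0 = Internet-facing, eth1 = internal LAN.
# NAT, if needed, lives in the *nat table and is not shown here.
*filter

# Default policies: nothing gets in or through unless a rule allows it.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# ---- Traffic addressed to the gateway itself ----
-A INPUT -i lo -j ACCEPT
# Replies to connections the gateway opened.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Management access from the LAN side only (assumption: SSH on tcp/22).
-A INPUT -i eth1 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

# ---- Traffic passing through the gateway ----
# Packets that belong to no known connection are never legitimate replies.
-A FORWARD -m conntrack --ctstate INVALID -j DROP

# "Inbound only if it is a response to an internal host": conntrack
# matches return traffic for connections that started on the LAN.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# "Most" outbound, not all: direct SMTP from workstations is refused
# (assumption; a mail relay would get its own ACCEPT above this rule).
-A FORWARD -i eth1 -o eth0 -p tcp --dport 25 -j REJECT --reject-with tcp-reset

# "Log connections, not packets": only the first packet of each flow is
# in state NEW, so this writes one log line per outbound connection.
-A FORWARD -i eth1 -o eth0 -m conntrack --ctstate NEW -j LOG --log-prefix "fw-out-new: " --log-level info
-A FORWARD -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT

# Unsolicited inbound falls through to the DROP policy. Log a
# rate-limited sample so scans show up without flooding the log.
-A FORWARD -i eth0 -o eth1 -m limit --limit 10/minute --limit-burst 20 -j LOG --log-prefix "fw-in-drop: " --log-level warning

COMMIT
```

`iptables-restore --test < ruleset` parses the file without committing it; the `fw-out-new:` lines in the kernel log are the per-connection records to aggregate when looking for trends.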

Anonymous Coward says:

Re: Re: Re:2 Re:

You make it sound like if only IT would do their jobs right everything would be hunky dory. That last point you have is the problem, let me correct it for you. user gets control (downloads latest malware from random emails/websites) IT gets to clean up the mess. The company I work for is pretty lax and I do end up dealing with a lot of spyware and viruses. the behavior of the user is key to preventing the malware issue and you just can’t depend on users to always make the best decision.

chris (profile) says:

Re: Re: Re:3 Re:

You make it sound like if only IT would do their jobs right everything would be hunky dory.

damn right. IT is two functions: protect the company’s infrastructure AND help people use the company’s infrastructure to do their jobs.

if you can’t help, then get out of the field because if your users can’t do their jobs, then you aren’t doing yours.

user gets control (downloads latest malware from random emails/websites) IT gets to clean up the mess.

that is what IT is *for*. fixing the stupid things that people do with computers, software and networks is your function.

sometimes you can fix things with education, sometimes you can fix them with software tools, and sometimes you have to roll up your sleeves and do actual work.

i’m sure the thought of sitting around doing nothing and letting restrictive policy and bureaucracy shield you from actual work is very appealing, but it never happens.

The company I work for is pretty lax and I do end up dealing with a lot of spyware and viruses.

and dealing with spyware and viruses is part of what the job entails. the job changed about 8 years ago with the advent of spyware and it’s not going to change back.

you used to be able to passively deal with most threats, but the bad guys move quickly now and are way more hands on nowadays, which means that you should be too.

people make mistakes and things get hacked; it’s a fact of life with computers.

in the old days, viruses were a highly automated problem that you could use a highly automated solution to fix (AV software). an automated solution only works for old and well understood threats.

today, malware is the product of dedicated teams of skilled and motivated individuals with tons of tools and tactics at their disposal. how do you deal with that? by using teams of skilled and motivated individuals to play defense.

you are either skilled and motivated enough to make a difference, or you’re not. if you’re not then move out of the way and let someone else take a shot at it.

the behavior of the user is key to preventing the malware issue and you just can’t depend on users to always make the best decision.

no it’s not. the behavior of the user will not change, ever. when it comes to you vs. your users, you are outgunned and outnumbered and that will never change.

the only thing that has the possibility of changing is your attitude about the user and your understanding of your responsibilities as an IT professional.

if people cleaned up after themselves there wouldn’t be janitors in this world. if you don’t like cleaning up messes, then you shouldn’t work as a janitor. IT is the same way. Technology progresses faster than the average worker can keep pace with, that’s why companies hire IT people, to keep pace on behalf of their workers.

FHuminski (profile) says:

Re: Re: Re:4 Re:

I have to say, Chris, that you’re doing a damn good job of making the case for the restrictive policies to stay in place.

that is what IT is *for*. fixing the stupid things that people do with computers, software and networks is your function.

While true, that is a reactive response to the job responsibilities. Far better to be proactive and have the policies in place that limit the opportunities for people to do stupid things.

Or would you disagree with the axiom “An ounce of prevention is worth a pound of cure”?

and dealing with spyware and viruses is part of what the job entails.

Agreed. Which is why the controls are put in place. I’d rather deal with them before they propagate on the network by limiting the opportunities to get on in the first place.

no it’s not. the behavior of the user will not change, ever. when it comes to you vs. your users, you are outgunned and outnumbered and that will never change.

Not entirely true, but close enough. So again, since you have established that the users are the problem, why is it that the controls and restrictions should be relaxed?

if people cleaned up after themselves there wouldn’t be janitors in this world. if you don’t like cleaning up messes, then you shouldn’t work as a janitor. IT is the same way

Again – you seem to be advocating a reactive approach (Clean up the mess). I (and countless other IT Professionals) would rather take the step to prevent the mess in the first place. And sometimes, that means the user doesn’t get to do whatever they want.

So thank you, sir, for helping to show that the premise of the article is still a bunch of hooey.

After all, if the primary responsibility is to ensure that the user base has the resources to do their job, we have to make sure that the same user base cannot engage in activities that may deny those resources to the other users.

Have a great day!

chris (profile) says:

Re: Re: Re:5 Re:

While true, that is a reactive response to the job responsibilities. Far better to be proactive and have the policies in place that limit the opportunities for people to do stupid things. Or would you disagree with the axiom “An ounce of prevention is worth a pound of cure”

that’s great if what you want to prevent can actually be prevented, or that an ounce of prevention is a real substitute for a pound of cure. i have worked for large IT groups (big insulation manufacturer, large metropolitan hospital, large mortgage company, large publisher) and small startups, and i have worked outside of IT in software development shops and a lot of times, the ratio is something more like two pounds of prevention being worth a pound of cure.

i have worked in draconian shops where no one is authorized to do anything, and i have worked in concierge type shops where the prevailing attitude is “do what you have to do and we will help you do it.” the job is still the same: fix broken stuff, undo stupid mistakes, try to keep the ship from sinking, but one job produces a working relationship with users, and one produces an adversarial one.

when i help people do their jobs, they are more inclined to help me do mine. when i prevent people from doing their jobs they do what they can to prevent me from doing mine. i guess the axiom would be “you can catch more flies with honey than you can with vinegar”.

Agreed. Which is why the controls are put in place. I’d rather deal with them before they propagate on the network by limiting the opportunities to get on in the first place.

that’s great when the threats are highly automated and mostly static (like viruses were in the 90’s) and you can just lock stuff down to keep it out. today’s threats route around locks because they are being driven by teams of skilled and motivated professionals.

so, if the locks aren’t working, why punish users with them? if you are being actively thwarted by one group why take steps to alienate another?

Not entirely true, but close enough. So again, since you have established that the users are the problem, why is it that the controls and restrictions should be relaxed?

because the user isn’t going to change. no one is going to stand up and say “i’m stupid and i take responsibility for that stupidity”. no manager is ever going to say, “IT is right, i’ll tell my people to stop doing that.”

so you are faced with a group of people who will not change how they operate (your users) and a group of people who will adapt to every change you make to protect your infrastructure, and you have management that will not spend the money to give you the tools and personnel you need to be productive. in that situation you need to make friends.

if the primary responsibility is to ensure that the user base has the resources to do their job, we have to make sure that the same user base cannot engage in activities that may deny those resources to the other users.

yes, you have to protect the company’s infrastructure, but there is a universe of difference between taking reasonable measures to protect that infrastructure, and using the infrastructure as an excuse to be a petty tyrant.

so as you lock things down for the greater good, ask yourself, am i doing this to protect everyone, or am i just being (or acting on the behalf of) a petty tyrant?

Anonymous Coward says:

Re: Re: Re:4 Re:

Dude, you have a really messed up view of what the role of IT is. There is more than enough to keep the IT crew busy without making daily spyware rounds. Letting people put whatever they want on the company’s computers is not an answer to anything. If it has a business need they should get the opportunity to try it, but they can use iTunes at home, or they can bring in their iPod pre loaded with the music.

So you think the IT people in the world are nothing but technical janitors?

You are either an IT guy that cannot get a leg up in the profession or just an ignorant user.

Jon Bane (profile) says:

Re: Re: Re:5 Re:

“Dude, you have a really messed up view of what the role of IT is. There is more than enough to keep the IT crew busy without making daily spyware rounds.”

Exactly and don’t forget to mention that most companies DO view IT as a cost center and not a revenue stream. Who here works in an IT environment that isn’t overworked primarily due to lack of personnel?

I suspect ol’ Chris here is an end user who ‘knows enough’ to think he knows better and has never actually worked in an IT department. Perhaps just started working in IT and hasn’t lost his Blue Skies vision of reality.

Gems like.. Give the user local admin but run AV/AM/FW on their PCs to protect them is a very strong indicator that he has never actually had to support more than 10 users if any.

The final point I would like to make is this. There are MANY if not most fortune 500 companies, not to mention DoD/gov/DoE though they do go too far, that utilize a managed desktop environment of some sort. Levels of restrictions and implementation obviously vary. These are companies that can afford to and do hire the best and the brightest. To say they are all wrong is a very bold statement. What do you know that they don’t? It is possible that you are simply ahead of your times if you will, but I find it to be more likely that you simply have little experience.

Eldakka says:

Re: Re: Re:6 Re:

Gems like.. Give the user local admin but run AV/AM/FW on their PCs to protect them is a very strong indicator that he has never actually had to support more than 10 users if any.

Why do you need to give the user local admin access? Give them an account that can install applications, but don’t give them admin. That way user can install and run applications locally, while the admin accounts can run AV, firewalls, etc that the user cannot fiddle with.

Cody Jackson (profile) says:

Re: Re: Re:7 Re:

I am a firm advocate of this. Granted, creating a sudo account with this type of limited abilities is much easier using *nix or even Macs than trying to configure Windows this way. Windows prefers to make users Admins, limited users, or guests, by default. It’s possible to create a limited user with install rights but it is such a pain that most people simply don’t bother.

Anonymous Coward the second says:

Re: Re: Re:2 Re:

Ummmm….ya, if I had unlimited cash or time that would be a great idea…as it is we don’t so we have to do crappy things to emulate the security that an IDS box or proxy would allow.
Most firewalls come out of the box the way you refer, but do you really need access to the full 65535 ports? Does your IT staff really have the time to pore through IDS logs and set them up?

Anonymous Coward says:

Re: Re: Re:

Jesus…how stupid are you. didn’t you read the part about-

‘I once had to give a user elevated privileges to allow him to test some software. ‘

or

‘because the user downloaded some “tools” he needed to test the software, none of which were approved for use’

I, as a developer sometimes need to go out ‘find’ tools to accomplish things that we are not prepared for, when I do that I use a different UID that has elevated privileges, and some times I do hose my system. I ALWAYS take responsibility for that (my IT guy still has to fix it though!).

Anonymous Coward says:

Re: Re:

“About ten years ago when we put in the first network monitoring tools we discovered that two-third to three-quarters of our network bandwidth was being taken up by users streaming audio using RealPlayer.”

Why were the ports on the Firewall open? Maybe ten years ago there weren’t the corporate tools to properly manage this but there are now.

chris (profile) says:

Re: Re:

So it was a lost day for me rebuilding his PC and for him because he had to sit and twiddle his thumbs all day.

then you suck. you should have a stock image (ghost, drive image xml, etc.) or a slip streamed install disk (drivers, office, applications, etc.) to save time on rebuilds.

it shouldn’t take you more than an hour to rebuild a box, including the restoration of data and settings. you use roaming profiles or folder redirection for user profiles, right?

half of the system security game is disaster recovery. you should be able to recover from the worst catastrophe in a short amount of time. if you don’t know how to do that then do your company a favor and quit.

MikeC (profile) says:

Re: Re: Re:

Obviously Chris you are not an IT support person. I’ve been doing real support since 1987 … in today’s world with every manf putting the cheapest handiest part in every machine keeping proper images of all machines and possible configs is a daunting proposition. Not to mention keeping those images up-to-date is almost impossible. I work for an integrator (after 15 years in corporate support) and my advice (often ignored) is to store all real data on the network, keep machines generic, keep your protection programs up-to-date with a centrally managed tool, lock down your firewall/content scan, and scan your email with an outside service (incoming & outgoing).

But when a company has 100 users and only 1 part-time IT person(who is not a professional IT person, the norm for a lot of companies today) it’s almost impossible to find the resources so locking everything down is the only possible solution. Lost productivity for an individual user is nothing compared to the lost productivity when documents are lost, machines crippled, etc.

Sad, but just the plain fact. Since windows dominates, learn group policies, learn security and lock them down will make your overall users more productive.

But you must be open to every new advance and listen to your users needs (not just requests)… if they ask to do something they cannot do, then make a business case for it and implement it if there is a reason to. Our job here is to listen to the users and give them what they need, not what they think they want. We have to make sure we understand what they want to accomplish and work with them to provide that capability. That doesn’t mean deny them every thing, just make sure it will provide a benefit, embrace the technology to make the company more efficient, responsive, etc.

IT staffs get into a rut of not learning and not growing like everyone else and it’s even more deadly, but still you don’t do things just because they are cool, they have to have a solid business reason behind them.

Just remember change is inevitable, but growth has always been optional.

chris (profile) says:

Re: Re: Re: Re:

Obviously Chris you are not an IT support person. I’ve been doing real support since 1987 … in today’s world with every manf putting the cheapest handiest part in every machine keeping proper images of all machines and possible configs is a daunting proposition.

no it’s not. if you don’t want to use images then you can slipstream drivers into your install disc. the technology is free you just have to learn how to do it and take ownership of the process.

i have worked in IT support (doing it now) and i have worked in software development. so i have been on the IT side trying to keep people from wrecking stuff, but i have also been on the development side, being prevented from doing my job by draconian IT policies.

i always found a way around, but it made me the enemy. that is the problem: working against the people inside the firewall, when you should be working against the people outside the firewall.

But when a company has 100 users and only 1 part-time IT person(who is not a professional IT person, the norm for a lot of companies today) it’s almost impossible to find the resources so locking everything down is the only possible solution.

no, it means the IT department sucks, which was my original point.

Lost productivity for an individual user is nothing compared to the lost productivity when documents are lost, machines crippled, etc.

yeah, it’s called disaster recovery. i do it everyday, and if your IT guys can’t help you recover from a disaster, they suck, also my original point.

Sad, but just the plain fact. Since windows dominates, learn group policies, learn security and lock them down will make your overall users more productive.

i used to think that 10 years ago, but i don’t anymore. after being on the other side of IT, i understand the frustration that people feel when they can’t do their jobs. IT support is also about supporting people, not just servers and applications.

Our job here is to listen to the users and give them what they need, not what they think they want. We have to make sure we understand what they want to accomplish and work with them to provide that capability. That doesn’t mean deny them every thing, just make sure it will provide a benefit, embrace the technology to make the company more efficient, responsive, etc.

yeah, and 6 month approval processes for everything just hold people back. change is not just inevitable, it’s accelerating and that will be what separates successful companies from roadkill.

so you can sit on your hands and hide behind policies and other bureaucracy as an excuse for not getting things done, or you can move the envelope back a little and be part of the solution.

chris (profile) says:

Re: Re: Re: Re:

Hey dummy! Ghost is EXPENSIVE. (Unless you don’t have a license). So many of you DON’T understand economics

http://www.runtime.org/driveimage-xml.htm the commercial version of drive imageXML for 100 users is 5 bucks per user for a year. there’s also free solutions like partimage and dribbl.

Buy a Checkpoint firewall (and the expensive expertise to run it). Money doesn’t grow on trees, moron.

modern versions of windows come with a passable firewall built in.

if you want to firewall network segments, iptables and PF are now and will always be free 🙂

romeosidvicious (profile) says:

Re: Re: Re: Re:

Hey dummy! Clonezilla is free (http://clonezilla.org/) and even has a server edition. On top of that there are plenty of free deployment tools that are not image based and will work for Microsoft products such as: Unattended (http://unattended.sourceforge.net/)

And a Checkpoint firewall? You have to be kidding right? Checkpoint is arse in a handbasket. If you can’t afford a real firewall then your best bet is a *nix box of some sort running the firewall with a nice web interface for changing/adding rules.

I think my solutions are more cost effective than yours. And don’t bother telling me they won’t work in corporate America I have installed them in small to mid size shops for years. The large shops use real firewalls and can afford Ghost. Strangely enough where I work now is a very large shop and Ghost used to be standard for images until someone pointed out clonezilla. We don’t do many images and use OSS tools for our OS installs worldwide. And while I can’t tell you who I work for I can safely say it’s one of the largest shops around.

Anonymous Coward the second says:

Re: Re: Re:2 Re:

Clonezilla, don’t make me laugh…go for FOG 😉 Free and enterprise level 😉
I would argue that BSD and *nix firewalls are more like a real firewall than the shiny boxes you buy for significantly more.
But remember, most admins aren’t that familiar with open source projects and even though the solutions are free, they are more difficult to manage, that is how the expensive products make their money.

Anonymous Coward the second says:

Re: Re: Re:

Ummm, he doesn’t suck, some PCs don’t have stock images because they deviate from the norm. You must be a very inexperienced tech. I am considered by many to be an imaging expert, I cut my teeth in the late 90s doing mass imaging deployments and have only gotten better since then. Some programs take an hour alone to install…try installing SAS sometime…
Disk space is getting cheaper so having a snapshot of each computer on your LAN is becoming more feasible but your arrogance that everyone can afford an imaging solution or have the space to manage a FOG server or whatnot is astounding.

Kevin says:

Re: Re: Re:


half of the system security game is disaster recovery. you should be able to recover from the worst catastrophe in a short amount of time. if you don’t know how to do that then do your company a favor and quit.

Actually, instead of making nonsensical claims like this you should develop an actual DR policy that prioritizes high-value systems and de-emphasizes less critical systems. Then you define RPOs and RTOs for your recovery. Then you design a plan that implements it. If their DR plan doesn’t care about restoring desktops, that’s fine. It’s not your choice.

Doug (profile) says:

Re: Re:

Having been a user and an IT person I think I can understand both sides of the coin. Was it ever explained to the users why it was a problem using iTunes and other bandwidth-intensive apps? And can’t the IT dept. track and see who it is doing that and speak to them directly to solve the problem? There has to be some other solution or compromise that can be worked out…

Anonymous Coward says:

I'm an IT Pro

I used to believe the mantra that it was our job to lock down and restrict people but it’s nonsense and an ‘old school’ attitude.

First and foremost the business is there to make money. IT is a tool used to make employees’ tasks easier and we should be doing everything possible to make this happen.

Security is obviously still a priority and end users must be educated but with a properly secured network, there should be no reason for IT people to restrict others from using their computer to its potential.

chris (profile) says:

Re: I'm an IT Pro

I used to believe the mantra that it was our job to lock down and restrict people but it’s nonsense and an ‘old school’ attitude.

preach it brother!

also, if your company’s data and whatever is so sensitive (banks, gov’t, military, etc.), then put your “sensitive” stuff on a separate network and only allow locked down machines to access it (virtual machine, thin client, etc.) via encrypted connections.

then give your users unrestricted machines that they can use for whatever they need to.

Big Al says:

Re: Re: I'm an IT Pro

One of the places I worked at had four ‘unlocked’ machines in the canteen so that users could surf all they wanted (within reason), play games and so on. The rest of the system was locked up tight (a financial company). However, we found that if we restricted the machines enough to stop the malware getting through (removed IE, set up a reasonable AV system) the users complained that ‘they couldn’t do what they wanted’ – PopCap springs to mind. So the upshot was that the machines were removed since maintenance, if the users had their way, would have been an expensive nightmare.

chris (profile) says:

Re: Re: Re: I'm an IT Pro

One of the places I worked at had four ‘unlocked’ machines in the canteen so that users could surf all they wanted (within reason), play games and so on. The rest of the system was locked up tight (a financial company). However, we found that if we restricted the machines enough to stop the malware getting through (removed IE, set up a reasonable AV system) the users complained that ‘they couldn’t do what they wanted’ – PopCap springs to mind. So the upshot was that the machines were removed since maintenance, if the users had their way, would have been an expensive nightmare.

banks have wire transfer terminals in separate rooms specifically for this reason. you have to do what is necessary to both protect the company AND provide useful services to end users. these are not mutually exclusive objectives. they are two very distinct and very important responsibilities.

fixing these sorts of things is the purpose of IT. that’s exactly why you are there. after 12 years of IT, i can confidently say that malware and spyware have made our jobs significantly more difficult, but that doesn’t change anything.

i remember the old days when i mostly installed new gear and helped people learn to use it. it was great, i made decent money for just knowing how to operate a computer. the job was easy in those days, but those days are long gone.

the job is a lot harder now that everyone is expected to know how to operate a computer (even when they don’t) and so now i fight the chinese and the russians on an almost daily basis for control of my company’s computers. the game has changed, but the objective hasn’t: protect the company *AND* serve its users.

Kevin says:

Re: Re: I'm an IT Pro

also, if your company’s data and whatever is so sensitive (banks, gov’t, military, etc.), then put your “sensitive” stuff on a separate network and only allow locked down machines to access it (virtual machine, thin client, etc.) via encrypted connections.

Yeah, because that’s easy and cheap to implement and users won’t throw a fit about having to jump through hoops “just to do their jobs” with the sensitive info.

Seriously, we all know that there is a balance between good security and usability. The most secure computer in the world is one that can’t be used, and the most usable is likely unsecured. You just have to find a balance that works for you. In my case, I would never let a user run with full admin rights on any PC or server. The risk just isn’t worth it, whether it’s the risk of system compromise, malware infection, espionage, or even unlicensed software. And that’s before you even run into the issues of supportability.

Think about it…most users today don’t like IT because they’re not getting the level of support that they need. If IT were to open the systems and let people run with full admin rights the number of systems that need to be whacked and rebuilt on a regular basis would skyrocket. That would cause support costs to go up, resolution time to go down, and people would just be even more unhappy with the level of support that they get.

The reality is that we lock down the systems for a reason. Usually the only people who complain about having their systems locked down are the people who would do the most damage if their systems weren’t locked down, usually without even realizing it.

ECA (profile) says:

Fun isn’t it.

Running a secondary FULLY protected system running through another computer/system to monitor for BOTS and Virus…really SLOWS everything down.
TRY it.

TRY setting up a multi level/multi protection system. And keep the CRAP out.

The hardest question I have is… “CAN YOU TEACH ME how this works.”
I tell people I USED older programs and learned the hard way HOW to make things, 15-20 years ago. And I know a lot and how to DO THINGS MY WAY. But learning the NEW CRAP isn’t worth my time.
If I learned Every program out there, I wouldn’t be running IT. I would be selling my service to EVERYONE for A LOT more than I would be making.
Teaching nubes HOW to run more than 1-2 programs at a time isn’t worth the time.
TRYING to teach MS how STANDARD practices of protecting the OS/programming language…is NOT going to happen.

Joseph Durnal (user link) says:

End Users

There are just too many end users that don’t have good computing common sense. The larger the company, the bigger this problem tends to be, and let’s not even talk about federal, state, and local government 🙂

One of the better solutions I’ve run into was a company that would let end users manage their own computer the way they want, but they must give up corporate desktop support; if they call with a computer problem, their only choice is to get a standard image applied.

Call me Al says:

I’ve been using computers for years, practically grew up with them. I don’t have a huge amount of knowledge but I do have an idea about how different programs work. So if I don’t know how to do something I at least know where to start to work it out.

Many of my colleagues have no idea. They know how to do some things because they have been specifically taught but they don’t have a clue how to work things out for themselves. Several times they have asked for help and I’ve spent a couple of minutes flicking through menus trying to find the right tool and they’ve then accused me of not knowing what I was doing and have reached for the phone to call IT. It’s exasperating.

We’re also still using Internet Explorer 6 in the office, quite the most cumbersome browser in existence. There were mutterings about upgrading but apparently we won’t be because the older members of staff know how to use it and don’t want to have to relearn.

So in conclusion: users are often idiots. If I was IT I would be loath to let them mess around because they will undoubtedly break something and be unable to fix it themselves.

So for now we just have a minority of computer savvy workers who are frustrated all the time with their restrictive system.

BobinBaltimore (profile) says:

Sorta

The most surprising thing in the article is the fact that Slate, a news and opinion operation, is content-restricted in terms of web surfing. That is truly silly and can obviously impact their news gathering and fact checking. But opening up the client image to be modified at-will by end users is a whole other matter.

You’re mixing two things, here, Mike, as is the Slate author: content filtering and client management. Content filtering (aside from where kids are involved) is relatively stupid and I agree that it often does little to further the cause of the business. A little bit of personal surfing is fine, though the cost of bandwidth (and please don’t just consider carrier costs, but all the components that protect and support that path to the internet) can be material and is not to be brushed off as trivial.

Another matter entirely is how client desktops and laptops are managed. It is certainly not just a cost consideration, but security and protection of corporate information assets. Anyone who thinks this is minor has never sweated 24 hours trying to get a multi-billion dollar company’s network to settle back down after some jackass installed trojan-carrying software in the form of a stupid photo retouch application. Eh hem. Unmanaged and user-managed systems can carry real risks for business, especially at scale, which can wipe out completely any incidental benefits found along the way.

That said, when the company’s business demands that kind of flexibility (say, a news or consumer service organization that needs to test new software or consumer electronics devices and review them, etc) there are plenty of ways around the challenge, whether it be in the form of physical or virtual labs, parallel secured and unsecured networks, etc. I agree that IT policy can’t run counter to the aim of the business. But, typically, end user griping doesn’t factor in the dim, unglamorous, cave-dwelling reality of keeping networks and systems up, secure and performing well on a 24×7 basis.

Another AC says:

Necessities

People should have only what they need to do their job on the company’s computers. I am more than happy to review, install and allow them to test whatever software they think may boost their productivity.

We do not filter websites, although we do block ActiveX for non-trusted sites.

In some cases I can see how leaving a computer wide open to the user makes sense, but secretaries need a word processor and a groupware application and that really is about it.

We do occasionally have senior management say that they demand full access; usually after a couple weeks and a very sluggish computer, they request to have the standard locks again.

Christopher (profile) says:

Why not a VM sandbox?

You give the users a locked-down PC, replete with onerous Pointsec whole-disk encryption so that your stupid email announcements are safe from prying eyes, and no one can repair the HDD in case Windows doesn’t shut down properly. Right, you do that, but then you also allow users to run a VM image of a standard WinXP build. They can do whatever they want in the VM, blow it up, infect it, whatever. The VM has no access to anything internal to the corp. Also, the VM isn’t backed up, so if it gets too far removed from safety, it gets nuked, and a new one installed.

Done. And done. People at work are bringing in their own laptops and launching their daily reads on the corporate network… there’s little to stop them from crossing the domain barrier and infecting the corporate network. With a VM, at least you can build images that won’t ever do that.

-C

Another AC says:

Re: Why not a VM sandbox?

We have found that DHCP reservations keep foreign computers off the corporate network; we have open wireless on a different internet connection for that stuff.

And yeah, I know, all they need to do is an ipconfig, get the IP scheme and keep entering static IPs until they find one that works, but when most people plug into the network, if they can’t get on the internet they stop there.

Victor says:

Riiiighhht

I work for NATO in Bosnia. If we allowed users free access to the internet and to install software not on the approved software list,
this would wreak havoc. So many times at my last civilian post, where the internet was not restricted, we found porn, viruses, spyware.
It was ridiculous how fast computers could be made unusable.
For most of us on this site and similar sites we are either in the IT business or at least know enough about computers not to be stupid with software, however most computer users are not like this. They have a few things they are tasked to do and that is all they know; the minute you allow them heightened privileges of any kind is the minute bad things happen.

Noel (profile) says:

I agree, but it doesn't work ...

I started my career NOT in corporate IT – but as a “splinter” group doing the things IT wouldn’t support but that moved the business forward.

NOW, I run IT at a different company. When I joined, it was a free-for-all; unstable, no security, full of viruses, porn on the servers (yeah, really) and “entitled” senior users.
Now, we’re locked down (mostly). You want software that IT doesn’t provide, get your boss to pay for it out of HIS budget. (If you can’t convince him, you can’t do it).
Surfing for the professional is monitored, but not terribly restricted. We encourage people to do things like their banking. (We had somebody running a business on eBay – goodbye!) The author’s point would be true if ALL people were honest and focussed on the company’s success, but in a company with 5000 employees that’s NOT the case.
And there are people not in IT with special privileges (this drives my network manager NUTS!), but they went through their boss and are monitored to ensure they don’t break anything.
So, while I agree that in a “perfect” world this would be true, there will always be people who abuse privileges.

JJ says:

Somebody is wrong on the internet!

I can tell you as an IT guy that most of the annoying policies at many companies (including controlling which programs people can run) are about legitimate security concerns, not some management bulls**t about “maximizing productivity.”

I fight hard at my company to convince management NOT to hurt productivity by blocking access to non-work sites like YouTube and Facebook (and somehow these sites may have just *happened* to fall off the blacklist a few times, heh) but that doesn’t mean I’m in favor of giving all users full control. One extreme is just as absurd as the other. Opening up the systems would mean that a single honest mistake by any employee could create a security hole that would expose all of our customers’ financial information.

Imagine: your company has a serious data breach. It comes out that your policies were so lax that a single mistake by any one of your employees is all it would take to blow *everything* wide open. Do you really think you’d stand a chance in that lawsuit? You would lose, and you *should* lose, because that’s an irresponsible way to treat sensitive information.

MikeC (profile) says:

This is not an IT problem

The problem described in this article is not an IT problem, it’s a management problem. The corporate culture established in the companies described allows this kind of dysfunctional atmosphere. If a company is well run, people will not be restricted from doing their jobs creatively or any other profitable way. But when management doesn’t understand, doesn’t care, etc., then IT is tasked with this kind of stuff. If they do it on their own or are not open to the possibilities of properly implemented IT policy, they should be replaced.

IT should understand the job functions throughout the company better than just about anyone else in the company, they work in every area. If they don’t they aren’t doing their jobs.

This is what you get when a person who doesn’t understand IT policy, corporate culture, management policies, etc. writes an article about something he doesn’t have a clue about. This is where IT should be responsive to his issues, work with him to define his needs and provide for them in a secure productive manner, if he worked someplace that has sound management and properly implemented IT policies. Not surprised it’s SLATE…

BobinBaltimore (profile) says:

Re: This is not an IT problem

It’s really a two part equation. As you say, “IT should understand the job functions throughout the company.” AND the other job functions in the company need to understand IT if it is critical to their function. Beyond that, what you seem to be describing is basically the creation of a personalized IT experience for every user based upon their individual job function and skillset. That doesn’t sound like it would scale well….

aguywhoneedstenbucks (profile) says:

Dammit

I knew when I woke up this morning that I’d see some crazy bullshit. You know what happens when users have unrestricted access, even after extensive training? They treat the machine like it’s their home machine. I’ve trained users. I actually trained a group yesterday. Tomorrow they won’t remember what we did, but they will remember that I brought donuts. There are some people responsible enough to handle it. Some people are too stupid to hurt their computer (mostly little old ladies who don’t know how to do anything outside their job). Most people will go around installing whatever stupid thing they find.

I’ll give users unfettered access when I get the promise that I will not have to come in early, stay late, or get a call in the middle of the night that requires me to reload a computer. I have a life. I have a very special person in my life. I refuse to give up my personal time because users are too stupid to live.

aguywhoneedstenbucks (profile) says:

Re: Re: Dammit

It’s a possibility.

On another note, I just realized that I was so pissed off after reading the actual article that I couldn’t make a coherent response. Everyone could tell I was angry, but even I’m not entirely sure what I was talking about. All I could think at that moment is that I hope Mr. Manjoo gets kneecapped by thugs.

Coises (profile) says:

Re: Dammit

“You know what happens when users have unrestricted access, even after extensive training? They treat the machine like it’s their home machine.” — aguywhoneedstenbucks

Funny… I know a number of people with home computers. Only one ever had a non-trivial malware problem — one of the fake anti-virus scams, which took me a couple hours with Remote Assistance to clear up for him. Most folks I know seem to be able to run a computer that they administer entirely themselves, with no externally imposed restrictions at all, without screwing it up.

My point being that perhaps the problem isn’t that users treat work computers like their home computers, but that they don’t treat them like their home computers, because they don’t feel like they’re theirs.

aguywhoneedstenbucks (profile) says:

Re: Re: Dammit

We must travel in different circles. At one time I had tons of people asking me to come by and take a look at their computer. It was usually loaded with some untrustworthy P2P program set to download malware and had tons of crap on it. Then I started charging $120 per hour with a 1 hour minimum to help. Now I don’t get asked.

James Riley (profile) says:

Good points and bad points

The fact is, it isn’t as simple as that. Very rarely will you have a shop that is set up where EVERYTHING is stored in the cloud and it’s possible to reimage machines on a whim – often times there are cloud features available but users choose to ignore them in favor of the local hard drive.

Yes, it’s possible to lock that down too but only to a certain extent. No one backs up their information, or if they do, they use their email account to do so and then freak out if they are told, quite correctly, that they need to knock it off if they want their email to be more responsive. There’s a hard limit for a reason – we don’t run an email server just to store your kids’ 10 MP resolution PNG files.

There’s always the exceptions to the rule, the idiots who happen to be louder than the IT department and insist on using non-standard storage and obtaining admin rights through illicit means (coercion, manipulation, outright lying, etc.), and the supervisors who are just too pissed off and worrying about other things to be concerned with them.

And let’s not forget the asshats who will bitch and moan until the cows come home if you forget to back up that random hidden folder with their personal items in it, despite their having signed, at their orientation, a form basically telling them in no uncertain terms that work systems belonged to the company and they could be fired for using company resources for personal use.

It’s great to talk about how companies need to take a lighter approach to employee treatment and allow them to do whatever it is that they want, but no one understands just how much more of a burden that is for IT to deal with. No one gets that just being able to see this one joke site or this one girl’s myspace page full of poorly coded HTML and possibly dangerous SQL injections can cause damage, not just to their computer (resulting in ALL of their pictures / music / work emails / etc.) but to the servers passing the information along, to their co-workers’ computers, and any devices connected to their computer as well (iPod, thumbdrives, etc.).

Oh, and let’s not forget the risk to corporate secrets when you open up a buttload of corporate computers to the public internet. Wave goodbye to any hope of keeping embarrassing secrets from going public immediately. Watch the stock price plunge faster than Gates McFadden’s career post-Star Trek: TNG.

Opening everything up to the public is a great ideal but so is communism.

ThinkCube (user link) says:

IT Pros

I see a few comments from people saying they are IT Pros but they are putting the security blame back on IT. I smell a wolf in sheep’s clothing. If you were IT you wouldn’t be saying to let people do what they want on the corporate computer because you would have lived that problem. I completely agree that one of the roles of IT is to help make working more efficient. However in an open environment that can never be accomplished because you tie up IT with doing clean up work all the time. A corporation that has no IT and allows anything to happen on their computers would most likely grind to a halt because bandwidth would be sapped and individual computers would stop functioning due to spyware and other things loaded on systems. What most users don’t understand is that security is much more than just a firewall and a firewall is only good for keeping things out trying to get in but it will never protect against a user opening up the door to let something in. The sad reality of why corporate networks have to be locked down by an IT department is to simply protect the users from themselves. Thus computers need to be locked down to prevent the installing of software by users. Try working with IT instead of against IT and you will get what you need to be more productive. Keeping in mind that “productive” doesn’t mean you have multitasked listening to music while shopping online and working on a spreadsheet for your next meeting. Only one of these IT will consider work.

Drewdad (profile) says:

The trick is to identify where the value is

Assuming that all users will act like monkeys is how the IT department protects itself.

Sure, some users can use their computers effectively, but will require a higher level of cooperation from the IT department.

But what is the IT department’s incentive to provide higher service to these users? The IT guy isn’t going to be the one getting the bonus/raise/promotion when the user invents a new process.

Meanwhile, for every power user that generates value for the company, you’ve got five more that have absorbed IT resources that could have been used elsewhere.

Drewdad (profile) says:

Re: The trick is to identify where the value is

This goes back to the old argument of whether IT is a cost center or a revenue generator.

One problem is that it can be either; it entirely depends on the skills and training of the IT department.

The other problem is the difficulty in how to measure the revenue generated by IT. The old adage is that saving a dollar is the same as making a dollar, but those dollars that get made are a lot easier to find in the financial reports.

arrgster says:

First thing they always do

Start installing illegal software. Sometimes it’s that they prefer their version of Office they have at home. Sometimes “a friend gave them” a copy of let’s say Quicken. I even had a guy change the OS on his laptop because he didn’t like the work version (he installed Windows ME, which shows how much of an idiot he was).

I don’t care what you people say. If the software police come knocking on your company’s door and you have illegal software on a system, they are going to hold the COMPANY responsible no matter what your policy says. After your company gets fined thousands of dollars (happened to a buddy of mine) I doubt you’ll still have a job.

Anonymous Coward says:

“Time For IT Guys To Unshackle Corporate Computers”

Actually Mike, I think it is time for you to get your nose out of other people’s business. Companies do this stuff for a reason, if you actually ran an IT department for a while you would realize. The amounts of money wasted by companies fixing computers “broken” by people piling on useless software, surfing porn, installing spyware toolbars, and the like is insane.

This is really one of those posts where you aren’t thinking past your own biases. Not everything needs to be open and free.

FHuminski (profile) says:

I work as an IT contractor to the US Gov’t.

Not 5 minutes ago, I was getting a cup of coffee and overheard two people complaining because they had to remember a 12 character password.

These are the sort of people who you want to give unrestricted access to. The same people who, in their own words, *don’t care*.

Someone has to care about security. Someone has to care that crapware, viruses, and similar crap doesn’t get put on the network.

Oh, and let’s not forget licensing! Regardless of how anyone feels about it, the way things are, if we’re not controlling what gets put on the computers, I guaran-damn-tee we’ll get hit with software licensing violations.

No. Sorry. As long as the user base remains WILLFULLY ignorant and self-interested, the controls and lockdowns need to stay in place. They prove the need for this on a DAILY basis.

angry dude says:

You are an idiot, Mikey

The only thing IT folks worry about these days is how to keep their jobs and, preferably, keep making the same money
(not even talking about raises)

If users are allowed to destroy their comps companies will have to pay more to existing staff and to hire more IT folks
The more the merrier
The ideal situation is if all comps in US burn down – then we (IT folks) can all make a killing, like some folks did back in 1999

Anonymous Coward says:

Waaa Waaa Waaa Blaaa Blaaa Blaaa

I am so sick of IT guys crying wolf about security etc….

They are all a bunch of over empowered geeks on a power trip because even the accountants beat them up in school and this is their chance to get back….

IT’s FUNCTION is to be a support tool for the USERS which MAKE the company run, NOT an interference or a problem. If users need to go to IT to get PERMISSION to do their jobs then IT has failed and wasted money….

The crying about insecure and itunes and streaming video is nothing more than an EXCUSE to not work and do their JOBS.

Get over it and learn your place pocket protectors

Anonymous Coward says:

Re: Waaa Waaa Waaa Blaaa Blaaa Blaaa

Boo Hoo, I can’t bit torrent, why can’t I have the AOL client on my machine, but I like the doggy of the day screensaver.

The crying because you can’t do your jobs due to restrictions is nothing more than an excuse because you want to have the latest version of desktop strippers installed on your computer.

get over it, do your job and stop worrying about what toys you can’t play with.

Anonymous Coward says:

Re: Waaa Waaa Waaa Blaaa Blaaa Blaaa

you’re an idiot. People always take IT for granted until they need something and then they come begging or they complain about how they can’t do their job because they can’t install software or surf without restriction. Instead of worrying about itunes or streaming video why don’t you do your job? Jerk.

Josh (profile) says:

Re: Waaa Waaa Waaa Blaaa Blaaa Blaaa

LOL. Wow. It sounds like someone’s jock strap is wound a bit tight today. Do us a favor, go to the bathroom, take off the jock strap, go back to your desk, and calm down. After that, please rethink what you wrote.

I’m guessing that the IT shop where you work is full of men, or women, that are all what you consider nerds? Right? Or is there a vast pool of employees that work there? I’ve worked with IT guys that are bodybuilders, musicians, carpenters, mechanics, navy chiefs, marines, shit, they come from all walks of life and have all types of hobbies. I would love for you to use your attitude with the one Network admin I knew that was a recently retired Navy Chief. I would love it. Or the Gunny that is 250lbs of pure muscle and stands 6’3″. Would love to see it.

Dirk Belligerent (profile) says:

The Attack of Nat Burns, Your Company's Computer Guy

I can tell by the unrealistic sneering tones of most of these posts that a lot of the supposed “IT professionals” spouting off have probably not worked in an environment much larger than a LAN party. Nerd arrogance is so silly.

In the REAL Big Corporate World – like Fortune 5 – trying to manage tens of thousands of users who operate in disparate spheres (i.e. the needs of engineers are not those of marketing or financial people) and their machines is a constant pooch screw. That some applications from suppliers like PeopleSoft are coded to run in IE6 thus preventing upgrades to something more usable and secure and leaving open XSS and SQL attack vectors (don’t get me started on McAfee AV!) doesn’t help. That GPO doesn’t prevent all software installations (hello, Google Earth) while locking people out of defragging their drives is fun.

Also, the nerd snobs forget that the users aren’t there to be PC experts, they’re there to do their work! The PC is just the tool they’re handed to do their jobs. Is a carpenter supposed to know how the windings of their circular saw’s motor were spun? Does a taxi driver have to know how the meter is integrated with the odometer? No to both; they just need to know how to cut wood and drive safely. The d-bags sneering upthread seem to think unless that cabbie changed the oil before his shift, he is just lazy and stupid. Get over yourselves!

Anonymous Coward says:

Re: The Attack of Nat Burns, Your Company's Computer Guy

“the nerd snobs forget that the users aren’t there to be PC experts, they’re there to do their work! “

Exactly – it isn’t there to look at desktop strippers, it isn’t there to download music, it isn’t there to go on IRC, it isn’t there to surf porn.

It’s there for work. The users don’t need to know how the computer works, they just need to use it for the JOB they have, not for their own personal joy.

Jared says:

the one thing you never ever want to say to a technical person is “you don’t know what you are doing”

that is what this article is, and that is why there is so much heated response

that said, the article is simply ignorant of the situation: it’s not 1992, there is an internet, there are REAL security threats, pci/pabp compliance, jail time for piracy, and finite labor pools

if you want unrestricted access go buy a $200 netbook and a data card i am sure your IT person will be glad to help you uninfect it off the clock at $85/hr

Jared says:

Never in my life

I work IT and I can tell you that letting people load stuff and go anywhere unfettered is a nightmare. We do that now and 85% of our bandwidth is used for non-work-related stuff and the majority of desktop support’s time is spent removing viruses from computers. Admin rights are not the answer. We have painted lanes and lights on roads because people are morons and require direction. It does not stifle innovation in a cubicle setting.

Anonymous Coward says:

This is just asinine. First of all there is no such thing as a secure network. Security is an ongoing process. You use best practices to lock down and protect what you can but there are millions of ways that a computer and network can be compromised. There is only so much you can do.

Always educate users, put in security systems, but giving users root? I think not…

PrometheeFeu (profile) says:

I think the main problem is that it may be very difficult to develop a policy that will correctly assess what apps should be allowed and what apps shouldn’t. I think it’s better to just ban it in the policy and then let people get away with it as long as they aren’t doing anything harmful/bad. That way, if someone decides that downloading gigs of porn on their hard drive is appropriate use of company bandwidth, you have a policy to act on.

batch (profile) says:

I work in IT, outsourced to many small businesses. In my experience, giving local admin privileges to the user doesn’t cause problems most of the time. Obviously I have to rebuild a machine every 3-6 months, and get annoyed at the user who hangs around wanting to know when they’ll have their computer back and being impatient with me. That’s normal though, people won’t take responsibility and then grief the person who is only trying to help. It gets balanced out when you make them twiddle their thumbs all day, sticking out like a sore thumb to everyone else who can honestly earn their pay that day.

So long as you use a good firewall, external email proxy to filter spam and viruses, and good antivirus on the local network, the most users do is browse with Internet Explorer and install some minor crapware like Weatherbug.

Let managers worry about people surfing the internet, IT can have the security in place to prevent all but willful damage to the computer while balancing the need of users to have some freedom, which they should have to be happier and more productive.

Anonymous Coward says:

This is a stupid article. It's entirely wrong.

This article is ridiculous. Everyone loves to talk about keeping a perfectly open computing environment. Educating users. Complete local access to machines. People go on to say (often with ZERO experience) that if you have a “properly secured network” then you won’t have a problem giving your users complete local control… Well, I’m sorry, but that is complete CRAP.

Where I work I am the sysadmin for about 65 users. That isn’t very many people. Most work locally, but we do have several remote branches. I try to keep access as open as I can, but there must be some limitations. Why? Because despite educating users, and re-educating them, over and over, some of them simply will not listen, or do not care to listen.

Now take such people and amplify the number of them, say in a network with 3000 users. Or in a high school with 1500 students. Now imagine that some of these people are in management positions, or are mission-critical people to the company, or are teachers, etc. They are much less likely to be reprimanded for abusing an open computer policy – thus the problems snowball out of control for the sysadmins.

Now let’s take a moment to talk about “Proper Security”.
I run a fully updated anti-virus program on EVERY user machine. It not only updates daily and has real-time protection, but it is also set to scan each user’s machine daily. Every machine is also equipped with a software tool-set to remove and help block spyware, updated frequently. Our e-mail server does a sufficient job at weeding out most of the spam. With all this being said, I have at least one user a week with a spyware problem – and that is with many lock downs in place. If all users had complete control over their machines, this problem would be rampant in no time.

Now before someone says it… This isn’t a matter of me not doing my job “well enough”. You can go to hell if you think that. 🙂 The fact is that even with safeguards, security problems still arise. By giving complete control to end users however, that only makes the risk skyrocket. There NEEDS to be some limitations. By locking down what can be installed, you help mitigate the risk of spyware, malware, viruses, pirated software, and so on – being installed. It makes SENSE to do this.

This is just the tip of the iceberg, too. Web surfing, downloading, and streaming, are all other things that bring great risks. It’s not to say users shouldn’t be able to surf the web, but there needs to be a line between what is safe and what is not – and thus, some lock down policies need to be in place. I don’t limit my end users from surfing the web – but I do limit them from using a site like Myspace. This is because I had problems with spyware / malware stemming from that site. When an end user proves to me a site is safe, they can browse it all they want. The minute I have to fix their computer because of said site, is the minute that site gets blocked – effectively saving the company time and money by protecting from future infestations. Like I said, at least once a week this happens.

If you want a piece of software on your computer, and you cannot install it, then call I.T. Get it approved, and get their assistance. It is what they are being paid for. If they tell you no, then ask your manager. If I.T. tells your manager no, then there is probably a pretty good reason for it. Either that or your IT staff is lazy. As an end user, you shouldn’t be taking this control into your own hands. I’m sorry, but you’re not a computer expert, guru, ninja, or otherwise. You are an end user, for a company, and your job is to get things done. If you *need* select software or web access for that, then make your case and I am sure I.T. will be HAPPY to assist you with it.

In short: Don’t be an arrogant bastard. I am happy that my users and I get along. There is no hate for the I.T. department where I work, despite limited access policies. They know why they’re in place, and we have a mutual respect going. If they need software, or a certain filter lifted, we approach it together and find a solution that fits.

…Openly giving complete control is not a solution that fits. It’s an implementation that will likely fail miserably in most environments. Particularly the large ones.

Griffon (profile) says:

um labs much

Yeah, whatever, apparently he has never heard of a lab area, where folks can do whatever they want and break production infrastructure. Or maybe he just couldn’t make a business case for his theoretical amazing innovations :p.
This whole thing contrasts hilariously with the federal don’t be a stupid douche bag security presentation featured today as well. People are just that dumb with their computers an alarming amount of the time.

Anonymous Coward the second says:

Complicated

This issue is much much more complicated than the Slate or Techdirt article lead you to believe. As a security officer and network admin I can attest to the complications of allowing 4 different browsers or 3 different document management tools. Because now your intranet devs have to code for each of those new software packages. Then you have to worry about the interoperability, someone downloads iTunes and Winamp and Media Player 11, now their computer is slow because when iTunes was installed it brought over Safari and QuickTime and Bonjour. Then the Apple updater prompts them constantly to upgrade the things.
I am a relaxed admin, and I will be the first to admit some admins are out of control with restrictions, but the users on our network enjoy an immense amount of freedom.
However, this and the other article are just trolls getting you all to rant about a very complicated issue because neither of the writers knows what it is like to be an IT admin.

Anonymous Coward says:

The comments in this article can show the difference between experienced IT people and the whiny kids still in mom’s basement.

Grow up people, not everything is free and open and without restriction in life. Mom may give you an unlimited amount of money to spend on WoW and Mountain Dew, but it doesn’t mean the rest of the world works that way.

This thread more than anything really makes it clear why so many people here appear to support illegal downloading, talk about clueless!

Flyfish says:

Computer security in a web development lab is far different than security in a bank. I used to fight the management structure of a manufacturing facility because it felt like our business as the IT department was to define what people couldn’t do with computers rather than providing a service that freed people to add value with the systems.

There is a balance and that balance is defined in part by the business type and the risk to the company or its clients presented by exposure to the internet.

Bob says:

It depends...

In my experience it’s not really IT that supports locking down the PCs.. it’s the lawyers and HR. If users can get to pornography, they might view it and that creates a “hostile work environment” because someone else might see it. Or, it’s then considered “sexual harassment” because some office girl was offended by your bikini girl background.

Shackling corporate assets is as much of a CYA game as it is a security issue.

Anonymous Coward says:

Re: It depends...

No. I assure you, IT supports locking down user computers, regardless of HR or lawyers. It’s needed.

Oh, and yes, your bikini girl background at work is not only offensive but entirely tasteless. For those out there that don’t see a problem with this, get a clue. 🙂

P.S. Surprisingly the unshackling of corporate assets is often pushed for, because users and management are too lazy to deal with proper security protocol.

Coises (profile) says:

Changing environment, changing expectations

The thing is, the environment has changed and is changing. Twenty years ago, most people who used a computer in their job used one only at work — or, if they did have one at home, it was a completely different animal. It made just as much sense to users as to IT that workers should have access only to the specific functions required for their jobs. Who (aside from a criminal looking for opportunities) would want anything else?

Day by day, more and more members of the workforce are already familiar with the same computer technologies they are using in their jobs. Telling them they can’t check their favorite social networking site or customize their desktop environment with the tools to which they are accustomed at home is as insulting and demeaning as telling an office worker twenty years ago that the phone on the desk could not be used to call home to find out what to pick up at the grocery or to resolve a banking problem during banking hours.

This very real matter of morale competes with the problems of security and maintainability, which are also very real. If the article cited displays only one point of view, we should remember that this is how it will appear initially to most workers. It’s up to IT departments to strike a balance, constraining their users only where the benefits outweigh the costs in ease of use, rapid response to change, flexibility and morale. Some of that means explaining to users why the restrictions in place really are needed — and recognizing that a restriction that can’t be explained clearly might just be an easy way out instead of a real necessity. If all you can say is, “It’s because you’re stupid, stupid!”… that’s not a workable business attitude anywhere, even if your “customers” are others within the same company.

Anonymous Coward says:

TODAY, ironically enough, my company, a large one, issued a warning to all users of a very popular though non-standard browser notifying them about “not authorized” software. This is humorous and frustrating because the only individuals that even have access to install software are the developers who largely know what they are doing.

There went my morale.

RT says:

Life in my world

I work in a 4000 user environment of which the site I support is an unlocked one, while the rest of the sites are locked down.

My site of 100+ users has less issues per person ratio than the other sites.

When IT and users understand each other’s concerns then a mutual respect can be had and the world can be your oyster.

I’ve had many IT visitors that I simply tell to check their attitude at the door and watch. My site has an attitude of learning, not master/servant. With this open minded environment I’m able to share what I’ve learned with my users as well as them showing me a trick or two.

Only when IT workers stop being overlords and users learn that they can go to their IT workers with concerns/issues without recourse, will a cooperative work environment exist.

Take it or leave it, I really care less. But, the IT world I live in is a very happy place!

LG says:

Only if you have 25 or less systems

Unrestricted access may be a workable solution if you’re in an office of 25 or less PPL. Not very practical in an office of 200+ PPL.

Idle employees cost the company $$$, Product is delayed, Invoices don’t get sent, Sales Calls are not taken, catalogs not mailed, Checks are not mailed.

It really reflects poorly on the company when Customer Service has to say sorry customer, my computer is a POS and Crashed. Then IT is blamed for the outage. Management wants to know how this could have been prevented. About that time you want to scream, “I ALREADY F%%K’N TOLD YOU, REMOVE USERS FULL ACCESS”

When I started working at this company we were running 95. I was one of the two front line PPL working the line and you were always running all day from one Dept to next. I kept telling management PPL to stop installing stupid programs. Magically when NT4 got somewhat stable, we could actually start locking down a workstation. 1 month after installing NT, removing rights and using a SOP for approved Software, we didn’t have to run all day fixing software issues. Then we were actually able to plan projects and do equipment upgrades/Maint.

Now 10yrs later I rarely have to visit some Dept, and most of the time it is usually small training issues or user at company X can’t send me an E-mail. Most of the computers I maintain have been running completely stable for Five years and still going. The only PPL that I have to re-image more frequently are the ones that have Full control over their systems. Sure, that may only be 20min of down time. But that is only my time. What about how long the users spent trying to put every little setting back where they were B4, that they forgot how to do and you get a call back to do it for them.

As for filtering Inet, it’s a must in a large office. Everyone shares the same Pipe to the internet. You can’t tell me it’s good for business if your websites or E-Mails are slow for the customer, because you want PPL to be able to access Youtube, EBay, FaceBook, etc. All those little perks programs that run in your systray accessing internet chew up your bandwidth. We put a Deep Packet Inspection Firewall in place, and now our Inet reports have a curve in them.

The company spends thousands a year for the internet pipe just so someone can watch YouTube or have IM, so they are happy. Come on PPL; are you that stupid to really think that increases productivity?

IT Departments are expected to do More with Less $$$ and time these days. I don’t have time to run around updating computers with updates. That’s why most software is updated from a central point. I have a lot of Viewers that are updated automatically on the next system reboot; sure, the user has to wait a couple mins, but it saves IT 10-15 min for every computer that is centrally updated via Corp. policy. That means for every update that is needed it would take a week before I completed them all, and then I would just have to repeat the steps Next week.

Also a SOP for computers gives you consistency across the board. When there’s a problem you don’t have to remember that Bill uses this program and Jane uses that. It’s not that you’re lazy; there’s never enough time to sit down for 2hrs, at every user computer to figure out which program is giving you a BSOD.

WOW did a preview, man is that message long

Cody Jackson (profile) says:

Make users responsible for their own systems

Several years ago there was a comment on Slashdot. I wish I could find it, because it was something I had been thinking about for a while but was glad to see a real world case.

The commenter worked for a company that required a certain level of computer savvy to get the job. This is because they were looking to lower IT support costs. Each applicant had to prove a certain level of competence by building a computer and installing the OS; if the applicant was hired, the computer they built became his office system.

Employees had the opportunity to take the company supplied parts or they could purchase their own parts for the computers. They could also choose which OS they wanted to use. Employees who weren’t technical, e.g. admin assistants or other “office” type people, could either build their own systems or use a Mac purchased by the company.

The benefits of this were significant. Since Linux, Windows, and OS X were used, a single virus or other malware infection couldn’t take down the entire company. Because each work computer was an employee’s “own”, they were expected to maintain them; no IT support was given except to people who chose the standard corporate computer (Macs). If a virus was found on the network, the person responsible for it was canned because everyone was responsible for their systems and behavior.

Since all the tech workers had a minimum level of computer knowledge, they were expected to know about computer security and maintenance. IT costs were nearly non-existent because people maintained their own systems. Even if a problem did occur in the office, there were many people who could help out, reducing the number of dedicated IT employees. And because Windows wasn’t the standard OS, there were fewer problems with malware and support issues.

If I’m ever in a position to make IT policies, this is almost exactly what I will advocate implementing.

Jmotley (profile) says:

Yes and no

Having worked in IT for some time now I can kind of agree with what he says. I have worked for large companies (approx 5000 users worldwide) and small (approx 50 users). In the small companies it’s a lot easier to trust people not to install programs and allow them free reign over the internet. While the larger companies tend to lock everything down even for the IT’s. Where I am now has found a good middle ground. The users have almost free reign on where they want to go but we block many sites ie myspace, facebook, gambling, porn. We also allow them to download programs but they have to contact us first so we can review it. This is all for our desktop users. Now with the laptop users it’s different. They have full control over the laptop. I don’t agree with this and it just so happens that the majority of the calls I get a day have to do with laptops. People do stupid things when you give them the power.

Kaine says:

How can you tell if your company has good IT staff?

They are sitting in their office with their feet up reading a magazine while everyone else is working. Good IT staff are not running round like a chicken with their heads cut off cleaning up viruses, enacting Disaster Recovery plans every second day or constantly rebuilding computers.

Installing anti virus software does not mean you will not get a virus and installing anti spyware software does not mean you will not get spyware.

I worked for a company who liked to cave in to particularly loud users and give them admin rights on their computers until one day one of them installed a virus on his computer that he thought was a key generator for a copy of Creative suite that he downloaded via bit torrent. This wonderful virus systematically went through modifying all picture files, word and excel documents and html files on his computer and all share drives he had access to. It was not picked up till the next day and took a lot of people hours to restore all the data, which in turn meant that the entire company lost 2 days of work. I still have a copy of that virus and to this day I still have not found a scanner that picks it up. However if he had not been allowed to install anything on his computer it would not have happened.

Not only does locking down a computer stop threats that you know about, it also stops many, many more that you have never heard of yet. It has nothing to do with being a petty tyrant. IT staff have a lot of pressure put on them. We have to protect data for the entire company from constantly evolving threats. If something goes wrong we have our heads on the chopping blocks not the users who act dumb when something they have done causes major problems. And because of that we will employ any method we can that helps. There is a hell of a lot more to it than can be seen from the users side so please do not make stupid judgements when you obviously have no idea what you are talking about.
