fatmanskinny (Wandering)
I can attest to that!
I worked in a huge company where machines were compromised at least once a month.
I think giving all end users admin rights on their machines is not a good idea. My new company does not allow admin rights for end users. It creates additional work for IS, but the payoff is that you assist the end user in not being a danger to themselves or anyone else.
-- The only place where Success comes before Work is in the dictionary.
N10Cities (Roland, OK)
Re: I can attest to that!
Here is one possible solution... all users running Citrix desktop sessions, locked down, no admin rights... user doesn't like it, tough... company policy...
openbox9 (Alexandria, VA)
Re: I can attest to that!
Riiiight. That's a great policy if you have top-down support. In my experience, the top are often the first ones to violate (or direct violation of) policy.
fatmanskinny (Wandering)
Re: I can attest to that!
said by openbox9: Riiiight. That's a great policy if you have top-down support. In my experience, the top are often the first ones to violate (or direct violation of) policy.
In my new company, not even the CEO has admin rights. Lol! It is a top-down policy. Some people have it (very, very, very (did I say very?) few).
For the most part, the ones who are dangers to themselves don't have it. Also, Corp IS has two separate accounts:
- One User account
- One Account Operator or another type of Admin account
We work using mostly Citrix or Remote Desktop connections to the ticketing system, remote control tools, etc. That way, we can still work on issues and log tickets while still being locally logged in using a User account.
openbox9 (Alexandria, VA)
Re: I can attest to that!
It's great that you have support from the top. That hasn't been my experience. Granted, I do think the situation is changing, just not as fast as us geeky types would like.
openbox9 (Alexandria, VA)
Re: I can attest to that!
I made the comment below that until corporations experience financial implications, network/computer security simply isn't a concern. HIPAA provides that financial implication and therefore you will have a positive response from the top.
Oleg (Birmingham, AL)
said by fatmanskinny: I worked in a huge company where machines were compromised at least once a month. I think giving all end users admin rights on their machines is not a good idea. My new company does not allow admin rights for end users. It creates additional work for IS but the payoff is that you assist the end user in not being a danger to themselves or anyone else.
What about crackers? It takes me less than 5 min. to get Admin rights on any Windows-based PC.
toadlife (Lemoore, CA)
Re: I can attest to that!
With physical access, right?
Oleg (Birmingham, AL)
Re: I can attest to that!
said by toadlife: With physical access, right?
Yes.
bigjimc (Middleboro, MA)
Why doesn't the government prosecute them?
Oh yeah, any AG that would file charges against a Fortune 1000 company would be fired for some reason.
-- Just my 2 cents... Flame Lightly...
cableties
Re: It all comes down to administration
As an admin, I can add this:
- Corporate doesn't see the problem
- Management won't allocate resources or money
It comes down to spending money on marketing and less on systems. They would rather you just reinstall the OS (wasting your time), and blame you for wanting a budget for tools, hardware, upgrades, licensing, software...
Used to work with an admin "gestapo" who almost punched several users. He even had a 5-button door pad on his office (he would yell at his fiancée on the phone and we could hear it all day... glad we got him to leave). Then I worked with a department head who felt passwords were a hindrance.
fatmanskinny (Wandering)
Re: It all comes down to administration
said by cableties: Then I worked with a department head that felt passwords were a hindrance.
Gotta love those employees who feel passwords are a hindrance to their work. I usually respond with "well, I will make a deal with you. I will remove all passwords from your computer accounts if you remove all locks and security systems (including firearms) from your home and car and provide the address of where you live."
How quickly the complaints about passwords disappear...
devrandom
said by Nightfall: It is stories like that and this one that amaze me. Why are some good network admins without jobs these days?
I read in an article once (and I'm forgetting who it was actually by, but it may have been one by Bruce Schneier) that pretty much summed up the answer to your question: good IT practices are undervalued because tangible results are never seen by the people who fund it.
Action (buying tons of useless advertising hours on TV) = Profit
Prevention = ?? (but it does = profit, as any sane person who works in IT will know).
openbox9 (Alexandria, VA)
said by Nightfall: Why are some good network admins without jobs these days?
Because bad network admins cost less money? In Corporate America, the bottom line is what matters. Until lack of security genuinely affects the bottom line, nothing will change.
BosstonesOwn (Everett, MA)
Re: It all comes down to administration
said by openbox9: said by Nightfall: Why are some good network admins without jobs these days? Because bad network admins cost less money? In Corporate America, the bottom line is what matters. Until lack of security genuinely affects the bottom line, nothing will change.
TJX?
-- "It's always funny until someone gets hurt... and then it's absolutely friggin' hysterical!"
antiphishing (Wilkes Barre, PA)
SPAM, the problem just continues to get worse.
I have seen state agencies' computers and local library free access computers infected with spyware and adware. Nothing is done about the problem because the people who run those computers are clueless about internet security.
The local libraries are more worried about patrons doing damage than the real risk of scum on the internet accessing their computers.
They are too clueless to realize that their computers can be used as botnets to spread the problem of junk email. It's only after their computers get damaged or someone complains that they take action, and then they become paranoid and make more rules to protect themselves.
It's always the computer user's fault when it comes to these kinds of things. They are just too ignorant to look at the big picture of someone from another country accessing their computers across the internet.
-- Specializing in "take downs" of phishing and advance fee scams. Send your Phishing/Advance fee scams to: phish@antihotmail.com
phattieg (Winter Park, FL)
Re: SPAM, the problem just continues to get worse.
said by antiphishing: I have seen state agencies' computers and local library free access computers infected with spyware and adware. Nothing is done about the problem because the people who run those computers are clueless about internet security. The local libraries are more worried about patrons doing damage than the real risk of scum on the internet accessing their computers. They are too clueless to realize that their computers can be used as botnets to spread the problem of junk email. It's only after their computers get damaged or someone complains that they take action, and then they become paranoid and make more rules to protect themselves. It's always the computer user's fault when it comes to these kinds of things. They are just too ignorant to look at the big picture of someone from another country accessing their computers across the internet.
You'd think they would make a logon/off script that ftp'd the number of processes running, and the names, for each machine at the end of the day. They should ALL be running the same identical image, so if anything odd occurred, they'd know right away...
-- SIPPhone/Gizmo # 17476200648 / PIMPNET Chatline / Ran by Asterisk & Slackware 10.1.
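The end-of-day process report phattieg suggests, worked through as an added example that is not part of the original thread: a small Python script that compares each machine's reported process list against a baseline captured from the common image and flags whatever the image does not account for (an extra copy of a known process name, or a known name running from an unexpected directory). The report format, the machine names and every process path are constructed for this example; a real baseline would be captured from the actual golden image.

```python
"""Added example, not from the thread: diff per-machine process reports
against a baseline from the shared image, as phattieg suggests.

Assumed report format (constructed for this example): one text blob per
machine, one process per line, "<process name><TAB><image path>".
"""
from collections import Counter

# Baseline: what a freshly booted machine from the library's image runs.
# Constructed sample data; capture this from the real golden image in practice.
BASELINE_REPORT = """\
System\t
smss.exe\tC:\\WINDOWS\\system32\\smss.exe
csrss.exe\tC:\\WINDOWS\\system32\\csrss.exe
winlogon.exe\tC:\\WINDOWS\\system32\\winlogon.exe
services.exe\tC:\\WINDOWS\\system32\\services.exe
lsass.exe\tC:\\WINDOWS\\system32\\lsass.exe
svchost.exe\tC:\\WINDOWS\\system32\\svchost.exe
svchost.exe\tC:\\WINDOWS\\system32\\svchost.exe
explorer.exe\tC:\\WINDOWS\\explorer.exe
"""

# Two constructed end-of-day reports: LIB-PC-01 matches the image, LIB-PC-02
# has an extra "svchost.exe" running from a patron's Temp directory plus an
# unknown binary. Machine names and paths are invented.
MACHINE_REPORTS = {
    "LIB-PC-01": BASELINE_REPORT,
    "LIB-PC-02": BASELINE_REPORT + """\
svchost.exe\tC:\\Documents and Settings\\patron\\Local Settings\\Temp\\svchost.exe
xyz123.exe\tC:\\WINDOWS\\Temp\\xyz123.exe
""",
}


def parse_report(text):
    """Return a Counter of (name, path) pairs, so several legitimate
    svchost.exe instances are counted rather than collapsed into one."""
    procs = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, path = line.partition("\t")
        procs[(name.strip().lower(), path.strip().lower())] += 1
    return procs


def diff_against_baseline(baseline, report):
    """Processes in the report that the baseline does not account for.

    A known name running from a different path is unexpected (reusing a
    system process name from another directory is a common malware habit),
    and so is a higher instance count of an otherwise legitimate process.
    Returns {(name, path): extra_count}."""
    unexpected = {}
    for key, count in report.items():
        allowed = baseline.get(key, 0)
        if count > allowed:
            unexpected[key] = count - allowed
    return unexpected


def review_fleet(baseline_text, reports):
    """Map machine name -> sorted list of (name, path, extra_count) for
    machines that deviate from the image; matching machines are omitted."""
    baseline = parse_report(baseline_text)
    findings = {}
    for host, text in reports.items():
        extra = diff_against_baseline(baseline, parse_report(text))
        if extra:
            findings[host] = sorted((n, p, c) for (n, p), c in extra.items())
    return findings


if __name__ == "__main__":
    for host, extras in review_fleet(BASELINE_REPORT, MACHINE_REPORTS).items():
        print(host)
        for name, path, count in extras:
            print(f"  {count}x {name} from {path or '(no path)'}")
```

Comparing on the (name, path) pair rather than the name alone is what catches the second svchost.exe in the sample: by name it would look like just another instance, by path it is clearly not part of the image.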
antiphishing (Wilkes Barre, PA)
Re: SPAM, the problem just continues to get worse.
said by phattieg: You'd think they would make a logon/off script that ftp'd the number of processes running, and the names, for each machine at the end of the day. They should ALL be running the same identical image, so if anything odd occurred, they'd know right away...
You know that would be way too easy, and still most people would just ignore any warning no matter how serious they were. Holy sh@@ my warning icon (above) just went off, better go check my Windows processes.
xerxes3642 (Saint Charles, MO)
Many anti-spyware programs such as Ad-Aware are banned by our IT people. They have no replacement for it, though.
woody7 (Torrance, CA)
hmmmm...
I know this sounds simplistic, but the school I work at has "DeepFreeze" on all the computers, and we just reboot after each user. With that, along with limited user privileges, we don't have much of a problem. That, with a policy that IT is the only one that installs programs, seems to work great (but it wasn't always that way). JMT
-- BlooMe
haertig (Broomfield, CO)
Re: hmmmm...
quote: That with a policy of IT is the only one that installs programs, seems to work great.
That approach might be fine for libraries and maybe schools, but it won't fly when your employees are developing and writing software. Policy: "Nobody installs executables except IT". Employee: "But my job is to write executables!"
toadlife (Lemoore, CA)
DeepFreeze == bad
The big problem with DeepFreeze is that people use it as an excuse not to bother even trying to secure the computer, and never update their master images with the latest security updates.
The result is that master images get stale, vulnerabilities add up, and the systems are perpetually infected with network worms. Even if you shut them all down to be refreshed, there are usually one or two machines somewhere on the network that are infected and still up, which makes refreshing a PC futile.
I've seen the scenario I've described above play out myself at schools I've visited, and heard of it from a security consultant who had visited other schools that use DeepFreeze.
If your school is using DeepFreeze along with limited user accounts, I say they are wasting money on a grand scale. Limited accounts along with deploying security updates in a timely manner is just as, or more, effective than band-aid, bad-habit-inducing programs like DeepFreeze.
-- Hate your enemies. Save your friends. Find your place. Speak the truth.
quetwo (East Lansing, MI)
Re: DeepFreeze == bad
At our University, we use Rembo, which allows our "IT" staff to slipstream images into the PCs on next boot. Works like a charm, and they get updated once a month at the very worst.
Oh, and we don't have firewalls, IPSs, etc. Every PC on campus has a 35.0.0.0/8 address.
woody7 (Torrance, CA)
Re: DeepFreeze == bad
I can understand software developers not liking this; at home I use "True Image" and that isn't a problem. You need some kind of solution for various users, or you would be spending all your time / resources cleaning them up.
The school has a lot of intelligent people, but you wouldn't know it by the way they act. When something goes horribly wrong, they expect you to drop what you are doing and fix it. They don't even want to spend $10 on a flash/pen drive to back up their data... and then can't understand why it is lost... and 9 out of 10 times it is something they have done.
Ours is "DeepFreeze" Enterprise; they are on a domain, with group policy in place and thawed space to save to. And yes, it is a pain to install programs for them, but only the district's approved apps (licensing-wise, you can't install the same program on 10 computers unless you have the license, etc.). I'm not an enforcer, but I just say then let the district do it... seems to work every time. This seems to work, and not a lot of complaints. Is this for everyone? No, but for schools and libraries, internet cafés, etc., it is a good solution. JMT
-- BlooMe
sporkme (Morristown, NJ)
Thank MS and the MCSE culture...
There are so many bad admins because they are focused on Windows technologies rather than general networking and internetworking knowledge.
For example, anyone with a smidgen of common sense and a basic understanding of network security would not have PCs in a "Fortune 1000" company set up in such a way that they can connect outbound to port 25. The network design should not make that a requirement (connecting to arbitrary outside hosts). There are plenty of simple, logical ways to protect the internet from Windows boxes...
joebarnhart (Santa Clara, CA)
Re: Thank MS and the MCSE culture...
Exactly! I was going to ask about this. It seems like the logical solution is to block the SMTP port (25) so 'bots can't send email. There's no good reason for the PC to be sending mail directly (i.e. not through the company's mail system). I even set up my home network this way. Plus, looking at the firewall logs to see who's trying to access port 25 alerts you to compromised machines.
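The firewall-log check joebarnhart describes, as an added example that is not part of the original thread: a Python script that parses iptables-style LOG lines for outbound TCP connections to port 25 and reports every internal host other than the mail relay that tried to send mail directly, ranking them by how many distinct outside mail servers they contacted. The log format, the 10.0.0.0/8 internal range, the relay address 10.0.0.25, the threshold and all log lines are assumptions constructed for this example.

```python
"""Added example, not from the thread: scan firewall logs for internal hosts
that try to reach port 25 directly, the check joebarnhart describes.

Assumptions, all constructed for this example: the firewall logs every new
outbound TCP connection to port 25 in iptables LOG format with the prefix
"SMTP-OUT", the internal network is 10.0.0.0/8, and 10.0.0.25 is the
company mail relay, the only host that is supposed to send mail outside.
"""
import ipaddress
import re
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed LAN range
MAIL_RELAY = ipaddress.ip_address("10.0.0.25")      # assumed relay address
BOT_THRESHOLD = 5  # distinct outside mail servers before a host looks like a spam bot

# Fields needed from an iptables LOG line: SRC=, DST=, PROTO= and DPT=.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+.*?PROTO=(?P<proto>\S+)\s+.*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log: 10.0.4.17 fans out to six outside mail servers
# (the spam-bot pattern), 10.0.9.3 makes one port-25 attempt plus a port-80
# hit that the check must ignore, and the relay itself is logged but allowed.
SAMPLE_LOG = """\
Mar  3 09:12:01 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.4.17 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=3311 DPT=25 SYN
Mar  3 09:12:01 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.4.17 DST=203.0.113.9 LEN=48 PROTO=TCP SPT=3312 DPT=25 SYN
Mar  3 09:12:02 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.4.17 DST=198.51.100.2 LEN=48 PROTO=TCP SPT=3313 DPT=25 SYN
Mar  3 09:12:02 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.4.17 DST=198.51.100.7 LEN=48 PROTO=TCP SPT=3314 DPT=25 SYN
Mar  3 09:12:03 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.4.17 DST=192.0.2.44 LEN=48 PROTO=TCP SPT=3315 DPT=25 SYN
Mar  3 09:12:03 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.4.17 DST=192.0.2.45 LEN=48 PROTO=TCP SPT=3316 DPT=25 SYN
Mar  3 09:15:40 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.9.3 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=4420 DPT=25 SYN
Mar  3 09:16:00 fw kernel: WEB-OUT IN=eth1 OUT=eth0 SRC=10.0.9.3 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=4421 DPT=80 SYN
Mar  3 09:20:11 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.0.25 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=5000 DPT=25 SYN
"""


def smtp_attempts(log_text):
    """Yield (src, dst) address pairs for every logged TCP attempt to port 25."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("proto") == "TCP" and m.group("dpt") == "25":
            yield (ipaddress.ip_address(m.group("src")),
                   ipaddress.ip_address(m.group("dst")))


def direct_senders(log_text):
    """Internal hosts other than the relay that tried to talk to port 25.

    Returns {source address (str): number of distinct outside servers}. Any
    entry at all is a policy violation worth a ticket; the count separates a
    one-off misconfigured mail client from a bot working through a list."""
    targets = defaultdict(set)
    for src, dst in smtp_attempts(log_text):
        if src not in INTERNAL_NET or src == MAIL_RELAY:
            continue
        targets[str(src)].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}


def likely_bots(counts, threshold=BOT_THRESHOLD):
    """Sources whose fan-out reaches the threshold, most active first."""
    return sorted((s for s, n in counts.items() if n >= threshold),
                  key=lambda s: -counts[s])


if __name__ == "__main__":
    counts = direct_senders(SAMPLE_LOG)
    for src, n in sorted(counts.items()):
        print(f"{src}: {n} outside mail server(s) contacted")
    print("likely bots:", likely_bots(counts))
```

The script only reads what the firewall writes; the egress rule that logs and drops outbound port 25 for everything except the relay is the part sporkme and joebarnhart are describing. Counting distinct destinations rather than raw connection attempts keeps a single retrying mail client from looking like a bot.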