Hi Dan,

That is why I said "most of the time." The difference I'm seeing here between your install and my install base is that when my system is down due to a user running CoolElfBowling.exe, it's the difference in time it takes to get a cash letter out the door to the federal reserve or not. Some of the banks can lose tens of thousands of dollars in interest that way on a given day, none the less interfere with the way our applications run which could cause them to have the bank go out of balance and cost them hundreds of man hours to sort through the mess.

Troy

-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
Sent: Friday, March 04, 2005 1:06 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Locking down user downloads

http://www.ISAserver.org

I was referring to the fact that I'm in the Education industry. It's a proven fact that teachers are the hardest to train!

Actually though, we started off with a scenario like you mentioned. Lock down everything, don't let them do squat, etc... Let me summarize this by saying it was a LIVING NIGHTMARE! Every time someone wanted to change something, we had to visit the computer, every time they wanted to install something, we had to visit the computer, etc... Then came the hate mail, the meetings with the higher powers about what to do with us, the constant whining and complaining. Union representatives were telling their people to use e-mail sites such as Yahoo because they didn't trust our department-run server. It just wasn't worth it!

At that time, we have over 1000 computers that we have to maintain between three of us (soon to be two of us with 1500 computers), and we were stretched so thin with visits to these computers that we were running 2-3 months behind. We then switched to Windows XP, migrated to AD, opened the permissions back up, and it has been a piece of cake since (well, sorta)...
We found that by opening up the permissions to allow faculty and staff to install programs (set them up as local administrators via GPO), and allowing the students to do basic changes, we've cut our workload down significantly, and hear very little complaining. We also informed our users to save all their documents on the server, as we wouldn't guarantee recovery of anything saved/installed on the local computer.

Now, when someone reports a problem with their computer, we run a virus scan remotely, then have them run an anti-spyware scan, and that will clean it up over 90% of the time. Occasionally we'll come across one that is pretty messed up, in those cases, we tell them to save anything they have still on the computer to their network drive (if they're able to), and we just re-image the computer. All of the extra software such as MS Office, Symantec Anti-Virus, etc. are all automatically installed via GPO as Managed Software. This imaging process takes about 15 minutes, and requires no intervention once we get it started.

To summarize, while locking down the workstations seems like a great thing, it is only practical in certain circumstances. There are many, many other ways to "guide" the users in the right direction without inciting them to hold riots outside your office.

Here's what we got to handle the most common troublemakers:

- Virus Detection - Running Symantec Anti-virus on all servers, all workstations, and the Exchange server. Definitions are checked/updated once an hour. Viruses have a hard time getting in via e-mail due to the Exchange server, they are blocked from coming down from a web page due to the workstation real-time protection, and they are stopped from getting brought in via removable media due to the real-time protection also. Known viruses are immediately quarantined, and we are notified immediately. If I encounter any suspicious files, I quarantine them, and they are automatically sent to Symantec for analysis.
(I had a situation the other day where I submitted one and within two hours we had new definitions that detected it.)

- Spam - Three levels of protection here. The Exchange server scans all e-mail using IMF, then Symantec (for Exchange) scans it, and finally Outlook has its own built-in scanning. We don't automatically delete anything, as we've seen many valid e-mails (especially listserv messages) get flagged as spam, so we route everything to the person's Junk E-mail folder in Exchange.

- Spyware - Definitely the most elusive beast. We have Surf-Control set up on the ISA server, and have it block known hacking and spyware sites, which catches a lot of them before they install. Then Symantec Anti-Virus will catch the more nefarious ones as soon as they are written to the hard drive. Then, for those that make it through, we've been using the MS Anti-Spyware program, which prompts the user when programs attempt to install themselves.

Not the perfect solutions, but it works well for us. If you need clarification on any of these topics, let me know.

-----Original Message-----
From: TRadtke@xxxxxxxxxxxx [mailto:TRadtke@xxxxxxxxxxxx]
Sent: Friday, March 04, 2005 12:26
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Locking down user downloads

Let's put it this way, after one user decided that since he couldn't get out to the internet after I was done (couldn't launch IE), he brought his spyware games in on floppy disk..... New set of GPO's were flapped down 20 minutes later that the only thing they could do was left click on one icon.

Sometimes you have to protect them from themselves. A basic ROI showing all of the calls that would be eliminated by a basic GPO makes it a no brainer from an accounting standpoint.
One of our larger customers that called in all of the time for missing icons, screen resolutions that were out of range, spyware, viruses, "weird" things, etc..., all their calls are basically gone except for real issues with the system. Cheaper support contracts for them, cheaper support costs for us, less headaches from them, less of a workload for us. GPO's are a win-win situation most of the time.

-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
Sent: Friday, March 04, 2005 11:14 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Locking down user downloads

Oh, how I wish it was that easy!!!

-----Original Message-----
From: TRadtke@xxxxxxxxxxxx [mailto:TRadtke@xxxxxxxxxxxx]
Sent: Friday, March 04, 2005 12:10
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Locking down user downloads

GPO's, non administrative users, non local administrative users, TEACH YOUR USERS, written policy stating that they shouldn't do it and what happens when they do, training, training, training!