RE: Locking down user downloads

  • From: TRadtke@xxxxxxxxxxxx
  • To: isalist@xxxxxxxxxxxxx
  • Date: Fri, 4 Mar 2005 13:23:33 -0600

Hi Dan,

That is why I said "most of the time."  The difference I'm seeing here
between your install and my install base is that when my system is down due
to a user running CoolElfBowling.exe, it's the difference in time it takes
to get a cash letter out the door to the federal reserve or not.  Some of
the banks can lose 10's of thousands of dollars in interest that way on a
given day, none the less interfere with the way our applications run which
could cause them to have the bank go out of balance and cost them hundreds
of man hours to sort through the mess.

Troy

-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: Friday, March 04, 2005 1:06 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Locking down user downloads


http://www.ISAserver.org

I was referring to the fact that I'm in the Education industry.  It's a
proven fact that teachers are the hardest to train!

Actually though, we started off with a scenario like you mentioned.
Lock down everything, don't let them do squat, etc...  Let me summarize
this by saying it was a LIVING NIGHTMARE!  Every time someone wanted to
change something, we had to visit the computer, every time they wanted
to install something, we had to visit the computer, etc...  Then came
the hate mail, the meetings with the higher powers about what to do with
us, the constant whining and complaining.  Union representatives were
telling their people to use e-mail sites such as Yahoo because they
didn't trust our department-run server.  It just wasn't worth it!

At that time, we have over 1000 computers that we have to maintain
between three of us (soon to be two of us with 1500 computers), and we
were stretched so thin with visits to these computers that we were
running 2-3 months behind.  We then switched to Windows XP, migrated to
AD, opened the permissions back up, and it has been a piece of cake
since (well, sorta)...

We found that by opening up the permissions to allow faculty and staff
to install programs (set them up as local administrators via GPO), and
allowing the students to do basic changes, we've cut our workload down
significantly, and hear very little complaining.  We also informed our
users to save all their documents on the server, as we wouldn't
guarantee recovery of anything saved/installed on the local computer.  

Now, when someone reports a problem with their computer, we run a virus
scan remotely, then have them run an anti-spyware scan, and that will
clean it up over 90% of the time.  Occasionally we'll come across one
that is pretty messed up, in those cases, we tell them to save anything
they have still on the computer to their network drive (if they're able
to), and we just re-image the computer.  All of the extra software such
as MS Office, Symantec Anti-Virus, etc. are all automatically installed
via GPO as Managed Software.  This imaging process takes about 15
minutes, and requires no intervention once we get it started.

To summarize, while locking down the workstations seems like a great
thing, it is only practical in certain circumstances.  There are
many-many other ways to "guide" the users in the right direction without
inciting them to hold riots outside your office. 

Here's what we got to handle the most common trouble makers:

 - Virus Detection - Running Symantec Anti-virus on all servers, all
workstations, and the Exchange server.  Definitions are checked/updated
once an hour.  Viruses have a hard time getting in via e-mail due to the
Exchange server, they are blocked from coming down from a web page due
to the workstation real-time protection, and they are stopped from getting
brought in via removable media due to the real-time protection also.
Known viruses are immediately quarantined, and we are notified
immediately.  If I encounter any suspicious files, I quarantine them,
and they are automatically sent to Symantec for analysis.  (I had a
situation the other day where I submitted one and within two hours we
had new definitions that detected it.)

- Spam - Three levels of protection here.  The Exchange server scans all
e-mail using IMF, then Symantec (for Exchange) scans it, and finally
Outlook has its own built-in scanning.  We don't automatically delete
anything, as we've seen many valid e-mails (especially listserv
messages) get flagged as spam, so we route everything to the person's
Junk E-mail folder in Exchange.

- Spyware - Definitely the most elusive beast.  We have Surf-Control set
up on the ISA server, and have it block known hacking and spyware sites,
which catches a lot of them before they install.  Then Symantec
Anti-Virus will catch the more nefarious ones as soon as they are
written to the hard drive.  Then, for those that make it through, we've
been using the MS Anti-Spyware program, which prompts the user when
programs attempt to install themselves.

Not the perfect solutions, but it works well for us.  If you need
clarification on any of these topics, let me know.


-----Original Message-----
From: TRadtke@xxxxxxxxxxxx [mailto:TRadtke@xxxxxxxxxxxx] 
Sent: Friday, March 04, 2005 12:26
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Locking down user downloads

Let's put it this way, after one user decided that since he couldn't get
out to the internet after I was done (couldn't launch IE), he brought his
spyware games in on floppy disk..... New set of GPO's were flapped down 20
minutes later that the only thing they could do was left click on one
icon.

Sometimes you have to protect them from themselves.  A basic ROI showing
all of the calls that would be eliminated by a basic GPO makes it a no
brainer from an accounting standpoint.

One of our larger customers that called in all of the time for missing
icons, screen resolutions that were out of range, spyware, viruses,
"weird" things, etc..., all their calls are basically gone except for real
issues with the system.  Cheaper support contracts for them, cheaper
support costs for us, less headaches from them, less of a workload for us.

GPO's are a win-win situation most of the time.

-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: Friday, March 04, 2005 11:14 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Locking down user downloads


Oh, how I wish it was that easy!!! 

-----Original Message-----
From: TRadtke@xxxxxxxxxxxx [mailto:TRadtke@xxxxxxxxxxxx] 
Sent: Friday, March 04, 2005 12:10
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Locking down user downloads

GPO's, non administrative users, non local administrative users, TEACH
YOUR USERS, written policy stating that they shouldn't do it and what
happens when they do, training, training, training!
