
Managing Personal Electronics and Software In the Workplace

timothy posted about 6 years ago | from the sterility-vs.-chaos dept.

Businesses 387

darien writes "Last night Symantec hosted a round-table discussion on the topic of consumer devices in the workplace. John Brigden, Symantec's senior VP for EMEA, pointed out that regardless of the policies businesses may lay down, individuals will always try to use their favorite gadgets and websites at work. Reminds me of when I worked in IT support: no matter how many times we told users they weren't allowed to install ICQ, or to connect their personal laptops to the corporate network, they insisted on doing it. Frequently they even asked us to help them do it."


Fire them! (0, Insightful)

Anonymous Coward | about 6 years ago | (#25205599)

If they won't follow policy, you fire them! What's the problem? In this day and age, IT folks are easy to replace.

Think you can't? I beg to differ - I don't care who you are.

Re:Fire them! (0, Flamebait)

Anonymous Coward | about 6 years ago | (#25205639)

The deal is that power tripping eye-tee martinets like yourself don't have hire and fire authority over the people who, you know, actually produce revenue. And that is as it should be.

Re:Fire them! (0, Troll)

clang_jangle (975789) | about 6 years ago | (#25206195)

And how much revenue will you produce without your network, smartass?

Re:Fire them! (5, Insightful)

MightyYar (622222) | about 6 years ago | (#25206593)

I don't think anyone would question IT's value - just that when they get all self-indulgent like the obviously trolling grandparent... well, then.

You don't fire a guy for installing software - unless he's being malicious. And then you still don't fire him for installing software - you fire him for being malicious.

We used proxies to do our football pools while at work... after 10 years of doing it they suddenly installed a blocker. Did our manager know? Um, yeah, he was in the pool. Sure, we could have done the pool from home - but shouldn't work want me there? Old lab machines running Windows 95 suddenly stop working because some IT guy decides to put some policy enforcement agent on them that uses up the entire 32MB of RAM... doesn't put in RAM of course. We disable the program, computer fixed. As a result, the helpdesk guys refer people over to me when someone complains about a really slow ancient computer. IT one day caps our outgoing email size - tells us that "email is not suitable for large file transfer". Of course, they don't give us outward-facing FTP or anything else that is "suitable". Nice. So we buy space on a godaddy FTP server and use that until they get their act together.

IT is great - except when they aren't. Not everyone breaking the rules is someone you'd want to fire.

Re:Fire them! (4, Insightful)

IndustrialComplex (975015) | about 6 years ago | (#25205819)

If they won't follow policy, you fire them! What's the problem? In this day and age, IT folks are easy to replace.

Think you can't? I beg to differ - I don't care who you are.

I think you need to meet somewhere in the middle. Employees expect some flexibility with their equipment, and yes there should be limitations on what you can or can not use on that equipment, but a blanket statement like "Don't follow the policy-fired" isn't what is really being asked here.

How do you find a good position for where the policy and employee desires meet? I certainly wouldn't work for a company that refused to even consider installing certain programs or the use of certain 'gadgets'.

An example of this is how certain 'closed' or camera-restricted areas are modifying their policies and training so that people can carry their cell phones with them, since nearly all of them have built-in cameras. I.e., in areas where you are already allowed to carry a cell phone, you take a special training course and then are allowed to use a cell phone that has a built-in camera. There are still restrictions, but it recognizes that it is hard to find a phone w/o a camera.

The result was that you ended up with VPs and such who couldn't pick the cell phone they wanted because the stores didn't carry them without cameras. And if you don't care that a VP wants to pick a certain phone, and the only rationale you can come up with is "It's policy", then perhaps it is you that should be worried that IT folks are easy to replace.

Re:Fire them! (4, Insightful)

eln (21727) | about 6 years ago | (#25205959)

That's a nice theory, but unless you work in fast food, high turnover is not a good thing. It's very expensive to find and train qualified people, so dumping them for minor things like this is unwise.

Re:Fire them! (4, Insightful)

IndustrialComplex (975015) | about 6 years ago | (#25206165)

That's a nice theory, but unless you work in fast food high turnover is not a good thing. It's very expensive to find and train qualified people, so dumping them for minor things like this is unwise.

Pretty much.

It is much easier (and cheaper) to restrict things, but give employees the ability to request certain features, programs, or support for gadgets. It does take time to evaluate those requests, but it is certainly cheaper than replacing an unhappy employee or one that needs to get around the blocks because there is no method to request access. When you make the decision, it is also helpful to explain in a dept or company wide letter why the program or gadget is blocked. "Do not install XYZ" will only get you so far. "Do not install XYZ because it has a known security flaw that we cannot allow on our system" will give you a much better response.

Another approach... (1)

BrokenHalo (565198) | about 6 years ago | (#25206187)

so dumping them for minor things like this is unwise.

In any case, if the tech support crew actually offer some guidance rather than a blanket prohibition, it's possible that they can forestall some of the more flagrantly insecure or unsafe idiocies that some users are apt to come up with.

Contrary to popular belief, not all users are criminals [gasp!] or even idiots [heresy!] and they will more often than not respond well if you take the trouble to explain *why* you don't want them running p2p on corporate machines.

Re:Fire them! (5, Insightful)

redscare2k4 (1178243) | about 6 years ago | (#25206183)

I've lost count of how many times I've been forced to circumvent stupid policies to be able to actually do my job. Cos neither my boss nor myself want to go through the nightmare of calling the stupid IT guys (I work in IT too, it's not an attack against the whole group, only against the ones that are stupid) to tell them to let me download the latest winscp executable, latest linux ISO, latest spring framework release, etc.

Cos yes, the bright minds at my working place have a blanket ban that prevents downloading every damn .zip, .iso, .exe file.

And of course they also ban every IM program available, even if using it actually would save time and improve productivity, cos we won't have to send a freaking internal email (slow as hell, btw) to just give the other a job related url, a block of code, or whatever.

Yes, I know I should just tell my boss "hey, can't do it, go and tell IT their policy sucks bigtime". But my boss's answer is "download it at home and bring it back on your usb". And since I'm not going to spend my free time downloading things for my job, I just circumvent their stupid policies.

So before blindly defending a strict IT policy, make sure it actually makes sense.

Re:Fire them! (1)

diersing (679767) | about 6 years ago | (#25206525)

Who says it's IT people breaking the policy? In my experience, too many business management types rely upon IT to enforce their policies.

Like you, I agree - if there is a policy against having music on your work machine - fire the people with music on their work machines. Don't ask me to find or craft a solution to delete music files from work machines.

Of course, it could be those accounting/marketing/sales folks aren't so easily replaced and, like you said, it's just us techno weenies that are a dime a dozen.

Technologies are a part of life now... (4, Insightful)

BobMcD (601576) | about 6 years ago | (#25205601)

You have to shore these up with human controls: enforced policies, employee agreements, and the like.

This is a human problem caused by our adaptation to technology in our entire lives. Should the computer have been a device you only run into at work, the draconian idea of 'you may only do what we say' may have stuck. But since people get to experience life outside this kind of control, they're going to crave it everywhere.

And resisting it is mostly just frustrating everyone.

Now, I'm not saying you have to support every oddball app on the planet. I would recommend you have an 'approved software' list, and back that software up with support. Saying 'that is not supported, use this' is far better than locking things down, from my experience.

Focus on the wetware, not the software and hardware...

Good luck with that. (3, Funny)

khasim (1285) | about 6 years ago | (#25205765)

And resisting it is mostly just frustrating everyone.

Now, I'm not saying you have to support every oddball app on the planet. I would recommend you have an 'approved software' list, and back that software up with support. Saying 'that is not supported, use this' is far better than locking things down, from my experience.

Good luck with that.

Since you seem to believe that setting one limit is unenforceable, why do you believe that setting a different limit is enforceable?

You cannot use IM app X because:
a. You are not allowed to use IM at work.
b. You are only allowed to use IM app Y (which does not connect to the service you want to use).

And, from TFA:

Unless companies are prepared to lock down their systems in unprecedented ways - or otherwise radically reconceive their computing operations - this accelerating, unmanaged influx of new devices and services is going to force IT departments into a reactive role.

Why do so many people see "No" as "reactive"? You can evaluate new technology and new products and determine that they present security issues that outweigh their benefits.

In just about every other aspect of business this would be a non-issue. You don't allow people to replace the phone system with their own phone that is incompatible with your PBX but it's okay because they can just call the phone company and run a POTS line to their cubicle.

While they wait for that, they'll fire up a deep fryer in their cubicle and make up a batch of donuts for everyone.

Re:Good luck with that. (1)

cayenne8 (626475) | about 6 years ago | (#25206141)

It has been pretty darned simple where I've worked: plug an unauthorized computer into the network, it is detected, they find you and immediately escort you off the premises, and you don't come back.

Heck, you are actually limited on bringing in any non-official laptops...but, then again, these places were pretty secured facilities.

Anyway....a policy of use it and LOSE it...pretty effective against any unauthorized electronics in the work place...

Works for me. (1)

khasim (1285) | about 6 years ago | (#25206245)

Because once you allow people to connect personal items to the network your security model is non-existent. And connecting them to the workstations counts as having them on the network in this instance.

If they want to play music or whatever, they can bring radios / players / etc in. But they cannot use the company's workstations to load iTunes and fill up their iPod. That just creates another potential issue that IT has to deal with.

Now, if they'd be willing to take a pay cut so IT could afford a few more employees who would handle iTunes problems and such ... say ... $100 a month ... each.

Re:Good luck with that. (4, Insightful)

MyLongNickName (822545) | about 6 years ago | (#25206301)

I think this is one of those things where you need to identify the work environment you are in. I have worked in banking. In the operations division, what you said would be absolutely true. No second chances. If you went over to corporate, you'd find a more lax attitude. Whether you like it or agree with it, that is the way it was.

If you go to a smaller company, you will probably see an even laxer attitude. The policies vary greatly depending on the organization.

Re:Good luck with that. (0)

Anonymous Coward | about 6 years ago | (#25206513)

We enforced our policy with a stern warning, listing company policy, with their manager present. If they still installed the software it was immediately flagged by our auditing software, at which time I informed my manager, etc. on up the line; within 5 minutes they were being escorted out of the building. In our case it was like the first poster said, it was much easier than locking everything down. It was amazing to see people ask if they can install something, then after being told with said managers present, "Don't do it, you will be fired.", and yet they still do it. Goodbye!

Re:Technologies are a part of life now... (1)

Beyond_GoodandEvil (769135) | about 6 years ago | (#25205875)

Indeed, as well as every 3 months somebody publishes a study to say that "evil lusers" are doing bad things sometimes to be more productive and sometimes to slack off. Unfortunately, like many things in life it is a sliding scale rather than a one size fits all solution. Sure block the pr0n, day-trading, ebay side business managing clowns, but for $deity's sake don't set the default home page to the bloated ass corp intranet portal. If I fire up a browser window to read some html documentation or to check a vendor's site I don't need the 30-45 second pause while the poorly written jscript or vbscript hell slowly loads.

ISeekYou (3, Funny)

negRo_slim (636783) | about 6 years ago | (#25205603)

No matter how many times we told users they weren't allowed to install ICQ

Ahhh, 1998 was a great year, wasn't it?

Re:ISeekYou (0)

Anonymous Coward | about 6 years ago | (#25205917)

Let's all start busting out our sub-million ID numbers.

Re:ISeekYou (1)

david.given (6740) | about 6 years ago | (#25205983)

I still have an ICQ account. Thanks to Pidgin, I'm even logged in on it. And I don't think anyone has *ever* tried to contact me with it.

Re:ISeekYou (1)

xaositects (786749) | about 6 years ago | (#25206363)

Not since 1998 anyway... there were some stragglers in 1999, but they went elsewhere. All I get now is Russian spam.

Re:ISeekYou (1)

david.given (6740) | about 6 years ago | (#25206443)

I get that from Yahoo. Usually it goes:

[random sequence of letters] [my username]?

It's convenient that they do it that way, because it makes it really easy to identify...

Simple solution, stop trying to ban devices (4, Insightful)

umStefa (583709) | about 6 years ago | (#25205615)

Companies need to start looking at WHY their employees want to connect personal devices to corporate systems. If it's just so that they can import calendars, contact lists, etc. into their PDA or calendar at home, then set up systems to allow it. If it's to take confidential materials out of the office to work on at home (since how many people actually work a 40 hour week anymore), then set up proper encryption protocols to allow this but at the same time minimize the risks associated with data being lost.

Remember the best way to get somebody to do something is to tell them they are not allowed to.

Re:Simple solution, stop trying to ban devices (1)

CheshireCatCO (185193) | about 6 years ago | (#25205721)

I agree completely. Blanket bans on all devices or software beyond the bare minimum ITS wants to support is going to do nothing but create circumventions. A lot of that circumvention will be done as surreptitiously as possible, probably improving the chances of problems down the road.

A better approach is probably to allow employees to request exceptions, with explanation. For example, my personal laptop is currently plugged into my office. I do a lot of work on it and it travels with me when I go to meetings. Our IT manager knows about the laptop (as well as everyone else's) and provides a bit of support for them to make sure that they're secure, etc. It doesn't take a lot of his time to provide minimal support to a few extra machines (a lot of his job doesn't scale that way anyway), and it makes everything work more efficiently.

Re:Simple solution, stop trying to ban devices (1)

jcrousedotcom (999175) | about 6 years ago | (#25206587)

Wow, you've got a very gracious IT administrator. I cannot imagine having my users try and bring in their personal laptops and expect me to support them. Granted, I work for a state agency that is a call center for the taxpayers so they really don't take work home and the vast majority do not need access to state information outside the office.

We do have groups in other offices that have folks travel with laptops. Those must be encrypted and must be state owned hardware.

Some of my users are so problematic I end up reimaging their machines almost every other month. The additional problem is, working for the state, it is near impossible to make a user 'go away.'

Enforcing the policy is 100% the solution, providing said policy is adequate (another discussion entirely).

Re:Simple solution, stop trying to ban devices (1)

redscare2k4 (1178243) | about 6 years ago | (#25206023)

I guess having Unreal Tournament installed on my corporate laptop to use it when I take it to a LAN party is not exactly proper, then?

Re:Simple solution, stop trying to ban devices (1)

bb5ch39t (786551) | about 6 years ago | (#25206149)

Remember the best way to get somebody to do something is to tell them they are not allowed to.

You've got it! To stop them, you simply tell them that they MUST connect the device!

Re:Simple solution, stop trying to ban devices (1)

rickb928 (945187) | about 6 years ago | (#25206377)

No Facebook, MySpace, or YouTube at my workplace. I don't think iTunes works either, but I haven't tried.

Since our business has no use for those sites, they are simply blocked. Along with a host of others, including known malware sites of course.

My field support days often included long and tedious recoveries from users 'needing' Limewire so they could sync their music at work. No, they don't read the warnings, so when they got pwned they feigned ignorance.

And at my current employer, since they provide the PDA or whatever you're trying to sync with, they also provide the workstation to sync to. Arguments that you 'needed' to sync to your home system fall on deaf ears. Arguments that you 'want' to sync to your home system result in admonitions that corporate data is not to be on your home systems, in fact on nothing but provided corporate systems.

Many employers are more lenient, and I've worked with some. We inevitably suffered a lot more trouble with those users, since their non-corporate systems were often subject to more threats, often including children and visitors.

It really depends on the security risk, your corporate culture, regulatory requirements, and how much your company values its data. Where I'm at now, data is beyond critical. I've been in less demanding environments, but users caused even more interruptions there. While I see both sides to the issue, I come down squarely on the side of the employer. It is, after all, their data. You just work there.

Not a problem (4, Insightful)

smooth wombat (796938) | about 6 years ago | (#25205629)

We block certain website groups (adult, gambling, games, etc) by default and everyone must go through our proxy to the outside world. Web logs are checked throughout the day and those who try 30 different ways to get to are reported.

Most people have only User permissions so they can't install something and we regularly do sweeps of unapproved software on those people who do have admin privileges. I'm the one who generally gets the call to remove the software. We also check for firewalls on PCs and other software which can potentially bypass our firewall or hide the user.

As far as electronics are concerned, the worst we have are people using fans or heaters, depending on the season.

Not sure what the big deal is. These are just basic network security measures which any decent admin should do and have set up.

Re:Not a problem (1)

smARMie (743226) | about 6 years ago | (#25205701)

Most people have only User permissions so they can't install something and we regularly do sweeps of unapproved software on those people who do have admin privileges. I'm the one who generally gets the call to remove the software. We also check for firewalls on PCs and other software which can potentially bypass our firewall or hide the user.

And what do you do when they must use software that requires administrator rights? Many manufacturers don't care about your problems with user rights (for the incompetents it's easier to build software this way) and not using their software is not an option.

Re:Not a problem (1)

spectre_240sx (720999) | about 6 years ago | (#25206177)

Where I work we're starting to strip away admin rights as well. The problem of software requiring administrative rights is nowhere near as bad as it used to be. Our biggest hurdle is mobile users that need to install printers wherever they might be working. It's not possible for everyone to take away admin rights, but for those that can, it's a good idea.

We're also using Sophos antivirus, which has software access control built in. We can tell it not to let users install Skype, etc. They'll have device control soon as well. No plugging in thumb-drives unless we say it's ok.

Re:Not a problem (5, Insightful)

MobyDisk (75490) | about 6 years ago | (#25205867)

I don't see why some IT departments bother to block web sites. It is a double-edged sword, and both edges cut against the company.

On one hand, if employees are visiting porn sites on company time, they should be fired. Set up a proxy, trap it, and get them out of there. Don't block them, and keep an unhappy unproductive employee around.

Second, if small things like checking the sports scores, or stocks, or news is what keeps them happy at work, then don't waste resources trying to stop them. Their boss has measures to determine if an employee is wasting time - let those measures work. If you want to keep logs of how often they do it, then fine. But don't try to block them because ultimately you can't. You can't stop them from talking about it at the water cooler or checking the scores on their cell phones, or bringing in magazines and newspapers. It isn't the IT department's job to police social behavior in the office. That's their boss's job. Oftentimes these types of activities lead to camaraderie like the after-work fantasy football league. It bonds the employees and makes them more stable.

Re:Not a problem (3, Informative)

smooth wombat (796938) | about 6 years ago | (#25206057)

if employees are visiting porn sites on company time, they should be fired.

Absolutely agree. However, working for the government, the union will not let you just fire someone. You have to document everything from now til Tuesday, give them a warning, note it in their file, THEN bring action at which point the union makes all kinds of excuses for why the person shouldn't be fired.

I know for a fact that there was someone who, every day, was trying to get to dozens of different adult sites for 20 minutes at a time. Supposedly it was all documented and sent on to the higher-ups but the guy still has a job. Whether it wasn't pursued or the union found an excuse to keep the guy, I don't know. If it were up to me, anyone trying for more than five minutes should get auto-fired. No appeal.

It's one thing to accidentally type in a wrong address or click a link without looking (I did that recently) but the logs will clearly show you left the link quickly once you realized your mistake. It's another to see the same person day after day trying to get to

if small things like checking the sports scores, or stocks, or news is what keeps them happy at work,

We don't block those kind of sites. SI, MarketWatch, CNN are all perfectly accessible. Even overseas web sites are accessible. I look at two Japanese sites and the BBC and there is someone here who checks a Chinese-language site daily. The only ones we do block are what are considered time wasters (games, chat rooms, etc).

Some places are more strict, others more permissive. It all depends on the agency. I think the policy in place here strikes a good balance between letting people check news and such while limiting time wasters.

Re:Not a problem (1)

bb5ch39t (786551) | about 6 years ago | (#25206197)

Exactly what a coworker is always saying. Management wants to delegate their responsibilities to an automated process. That way, they don't have to manage their people. That gives them more time to mess around on the p0rn sites (because they are generally not restricted by the firewall / proxy / whatever).

Re:Not a problem (0)

Anonymous Coward | about 6 years ago | (#25206541)

My last company's IT department seemed pretty smart. They blocked all internet access aside from package tracking from UPS/FedEx and the like during normal work hours, but between 10:30 and 12, net access was unrestricted. Productivity wasn't really lost and employees still got to unwind during the day.

Then again, they kept us busy enough that there wasn't really time to miss internet access during work hours...

Re: I Had a PERSONAL Computer at work (0)

Anonymous Coward | about 6 years ago | (#25205929)

I used a computer I brought from home loaded with my favorite software to get off-network work done at work. No different from bringing my own slide rule to work back in the day.

Re: I Had a PERSONAL Computer at work (1)

bb5ch39t (786551) | about 6 years ago | (#25206239)

The reason given around here why that is not permitted is that the IT department cannot verify that your personal machine is virus free. Their stated fear is that a personal machine will come in with some virus and it will spread uncontrolled behind our firewall, infecting hundreds of machines before it is noticed. We've had this happen and it was a real mess! Of course, we also allow people to VPN into the network from their personal machines. A bit of an inconsistency there!

Re:Not a problem (1)

ccguy (1116865) | about 6 years ago | (#25205931)

Your company seems like a joy to work for, where do I send my CV?

Re:Not a problem (1)

Toll_Free (1295136) | about 6 years ago | (#25206225)

Someone asking to send a CV in, and at the same time bitches about the company policies is, well.....

Maybe you should actually get some experience before you start knocking the real world.

Just an observation.
Re:Not a problem (2, Funny)

ccguy (1116865) | about 6 years ago | (#25206303)

Please click here. []

Re:Not a problem (2, Insightful)

Just Some Guy (3352) | about 6 years ago | (#25206205)

I guess I'm lucky to work for a more enlightened company. Our policy is simple: we're all adults with a job to do, and as long as you do it efficiently without causing problems, nothing else really matters. Honestly, I'd hate working for your employer and probably wouldn't last a month.

Re:Not a problem (1)

BigRob7 (993743) | about 6 years ago | (#25206231)

"regardless of the policies businesses may lay down, individuals will always try to use their favorite gadgets and websites at work."

Exactly. Key word here is TRY. They can keep trying and trying, but there is no way for any of my users to install anything (small company - I'm the only one with admin rights), and all wireless connections are locked tight with encrypted keys + MAC filters. We don't care what websites they go to as there are no cubicles and no filters on the monitors - everyone can see what everyone else is doing.

Re:Not a problem (1)

Alexpkeaton1010 (1101915) | about 6 years ago | (#25206499)

Or the company can ban nothing, hire more real workers to make up for the loss of productivity, and fire the IT people whose job it is to police the networks.

Re:Not a problem (1, Insightful)

Anonymous Coward | about 6 years ago | (#25206523)

This has got to be a troll, but on the off chance it isn't: wow. You are the type of IT guy we "software" guys laugh at. What you must be letting slip by by thinking you can actually monitor to that degree. Not only that, but software guys are often excruciatingly hard to replace, and I've never had a manager not shield me from IT whenever I let him know I'd be "breaking the rules" by installing some FOSS tools. Frankly, they normally couldn't give a flying you know what, as long as I ran my decisions by legal first.

I hate to burst your bubble, but SSH beats pretty much every tactic you described and you'd be hard pressed to argue a developer doesn't need basic SSH tools. Did you use epoxy glue on all the USB ports as well?

How about trying to understand your users and work with them instead of lording it over them? If you have no one who can't get by your "restrictions" you might take that as a sign that your company only pays for and retains the worst talent, and your career may not be in good hands.

Hmm (2, Funny)

LizardKing (5245) | about 6 years ago | (#25205645)

Looking around my desk I see the following electronic widgets that are mine rather than the company's:

A pair of DEC Shark computers.
A Sparc based luggable.
Coffee percolator.

As long as I got them checked out for electrical safety the system support people here were fine with it, and this is nothing as compared to some of the stuff I saw at a big that likes exclamation marks. One guy had a pinball machine in his cube, and another had a large tropical fish bubbling away while percolators were everywhere.

Re:Hmm (1)

LizardKing (5245) | about 6 years ago | (#25205687)

... tropical fish *tank* ... Oh yes, and it's probably worth pointing out that our sys support people would have an issue with personal kit that runs Windows.

DEC, Sparc? (2, Funny)

NotQuiteReal (608241) | about 6 years ago | (#25205781)

Damn, your userid is old too.

Blender? (1)

mangu (126918) | about 6 years ago | (#25206007)

You have a blender at work? Wow, and I thought people who talk on the phone all day were annoying!

Re:Blender? (1)

Ares (5306) | about 6 years ago | (#25206273)

but someone has to make the frozen margaritas and daiquiris.

Some possible solutions. (1)

suck_burners_rice (1258684) | about 6 years ago | (#25205653)

To solve the issue of personal laptops being connected to the corporate network, there needs to be some kind of server software where every approved device's MAC address is registered. When a non-approved device is connected, it will not be assigned an IP address by the DHCP server. This will cut 90% of the devices from ever being connected, since most lusers have no idea about MAC addresses, IP addresses, DHCP, and the fact that they can manually assign an IP address if they know the proper range. This does leave a rather gaping hole, though, so another layer of security is needed. It's not coming to me just yet...

On the other issue of people installing ICQ and whatnot, you set up all computers used by lusers to boot from a fresh image every time they boot. You'll have to set the darn thing up exactly the way it needs to be and then use VMware or some other solution that causes the computer to start from a known image each time. They'll install ICQ, but the next time they boot, it won't be there. They'll install it again. It'll be gone again. After five or six iterations, they'll get tired of reinstalling it. I would say that by properly setting up permissions, the issue of ICQ or any other software being installed in the first place will disappear, but given the way permissions work in Windows (and the way most software ceases to work unless you have Administrator privileges), that isn't a very good answer. The advantage of the approach where the system boots from a known image each time is that your lusers can get all the viruses, spyware, adware, etc., installed on their machine, but it won't be there for more than a few hours. Like the previous paragraph, not a perfect solution, but one that cuts down on your headache by 90%.
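An added example, not from the poster or from any product, of closing the hole the poster points out in the DHCP-allowlist idea: compare the neighbour table (every device actually talking on the segment, whether or not it used DHCP) against the active DHCP leases and the registered-MAC list, so a device that sidestepped DHCP with a static address still surfaces. The inputs are constructed samples in the style of Linux `ip neigh` output and an ISC dhcpd leases file; the function and status names are this example's own.

```python
import ipaddress
import re

# Constructed allowlist of registered (approved) device MACs, deliberately
# written in mixed notations to show that comparison must be normalised.
REGISTERED_MACS = {
    "aa:bb:cc:dd:ee:01",
    "AA-BB-CC-DD-EE-02",
    "aa:bb:cc:dd:ee:03",
    "aa:bb:cc:dd:ee:04",
}

# Constructed sample in the style of `ip neigh show` (Linux neighbour table).
NEIGH_SAMPLE = """\
10.0.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
10.0.1.21 dev eth0 lladdr aa:bb:cc:dd:ee:02 STALE
10.0.1.22 dev eth0 lladdr aa:bb:cc:dd:ee:03 REACHABLE
10.0.1.23 dev eth0 lladdr 11:22:33:44:55:66 REACHABLE
10.0.1.77 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.1.78 dev eth0 lladdr 66:77:88:99:aa:bb DELAY
10.0.1.99 dev eth0  FAILED
"""

# Constructed sample in the style of an ISC dhcpd leases file (simplified).
LEASES_SAMPLE = """\
lease 10.0.1.20 {
  hardware ethernet aa:bb:cc:dd:ee:01;
  binding state active;
}
lease 10.0.1.21 {
  hardware ethernet AA:BB:CC:DD:EE:02;
  binding state active;
}
lease 10.0.1.22 {
  hardware ethernet aa:bb:cc:dd:ee:03;
  binding state free;
}
lease 10.0.1.23 {
  hardware ethernet aa:bb:cc:dd:ee:04;
  binding state active;
}
lease 10.0.1.78 {
  hardware ethernet 66:77:88:99:aa:bb;
  binding state active;
}
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+\S+\s+lladdr\s+(?P<mac>[0-9a-fA-F:]{17})\s+(?P<state>\S+)"
)
LEASE_RE = re.compile(r"lease\s+(?P<ip>\S+)\s*\{(?P<body>.*?)\}", re.S)


def normalize_mac(raw: str) -> str:
    """Canonical lower-case colon form so aa-bb-.. and AA:BB:.. compare equal."""
    hexdigits = re.sub(r"[^0-9a-f]", "", raw.lower())
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_neighbors(text: str) -> dict:
    """IP -> MAC for neighbours with a resolved link-layer address."""
    seen = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if not m or m.group("state") in ("FAILED", "INCOMPLETE"):
            continue  # no usable MAC on this line
        seen[m.group("ip")] = normalize_mac(m.group("mac"))
    return seen


def parse_active_leases(text: str) -> dict:
    """IP -> MAC for leases whose binding state is active; free/expired ignored."""
    leases = {}
    for m in LEASE_RE.finditer(text):
        body = m.group("body")
        mac = re.search(r"hardware ethernet\s+([0-9a-fA-F:]+);", body)
        state = re.search(r"binding state\s+(\w+);", body)
        if mac and state and state.group(1) == "active":
            leases[m.group("ip")] = normalize_mac(mac.group(1))
    return leases


def classify(neighbors: dict, leases: dict, registered) -> list:
    """Return (ip, mac, status) per live neighbour, ordered by address.

    unregistered-static : talking on the LAN, never got a lease (the DHCP-only
                          allowlist misses this one)
    unregistered-leased : unknown MAC but the DHCP server handed out a lease
    lease-mac-mismatch  : the MAC on the wire differs from the one leased that IP
    registered-static   : approved device, but configured statically
    """
    allow = {normalize_mac(m) for m in registered}
    findings = []
    for ip, mac in sorted(neighbors.items(), key=lambda kv: ipaddress.ip_address(kv[0]).packed):
        leased_mac = leases.get(ip)
        if leased_mac is not None and leased_mac != mac:
            status = "lease-mac-mismatch"
        elif mac in allow:
            status = "ok" if leased_mac else "registered-static"
        else:
            status = "unregistered-leased" if leased_mac else "unregistered-static"
        findings.append((ip, mac, status))
    return findings


if __name__ == "__main__":
    report = classify(parse_neighbors(NEIGH_SAMPLE), parse_active_leases(LEASES_SAMPLE), REGISTERED_MACS)
    for ip, mac, status in report:
        if status != "ok":
            print(f"{ip:<12} {mac}  {status}")
```

A MAC is trivially changed by the device's owner, so this is an inventory check that finds the gap the poster describes, not an authentication control.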

Re:Some possible solutions. (4, Insightful)

thatskinnyguy (1129515) | about 6 years ago | (#25205879)

...since most lusers have no idea about...

you set up all computers used by lusers to boot

What kind of attitude is this? You come off as a condescending PHB. All the other stuff is good, but damn. That just put a bad taste in my mouth.

Re:Some possible solutions. (0)

Anonymous Coward | about 6 years ago | (#25206395)

No, he comes off as a condescending BOFH.

Re:Some possible solutions. (1)

denis-The-menace (471988) | about 6 years ago | (#25205911)

We have something like this too, called DeepFreeze.
It prevents permanent changes to the OS, and no virtual machines. We use it in the public library.

Re:Some possible solutions. (1)

genner (694963) | about 6 years ago | (#25206463)

We have something like this too called DeepFreeze. It prevents permanent changes to the OS and no virtual Machines. We use it in the public library.

Deep Freeze doesn't work for anything but a public console.
It doesn't let you save anything to the drive. Your office drones need their word documents.

It's called 802.1X. (1)

hal9000(jr) (316943) | about 6 years ago | (#25206095)

Using 802.1X with machine-based authentication (requiring a certificate issued by your company CA), you can control which devices access your network. For anything that doesn't support 802.1X natively (printers, net cams, etc.), you can whitelist the MAC on a port.

Re:Some possible solutions. (1)

bb5ch39t (786551) | about 6 years ago | (#25206337)

Too bad Windows is so entrenched. With a Linux desktop, you could set up an LTSP server and a PXE boot. The desktop itself would not have a hard disk or CD-ROM, maybe not even any USB ports accessible. The PC boots from the network. The user's home directory is on the network. And it is mounted with the NOEXEC option so that nothing which is resident on it will be executed, regardless. IOW, the desktop would only have a CPU, RAM, video card, and monitor. If it did have a small hard drive, that would only be used for temporary files (/tmp subdirectory) and a swap area.

A plus of this is when the desktop dies, the user gets a new one, but all the user's files and setup are still intact. Also, being LAN resident, they are backed up periodically.

Just a thought.
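The noexec idea in the post above can be checked mechanically rather than by eye. As an added example (not code from the thread or from the LTSP project), this Python script parses a constructed /etc/fstab of the kind a thin-client image or its server might carry and reports which user-writable mounts lack noexec, nosuid or nodev; the host name ltsp-srv and the mount points are assumptions.

```python
"""Check that user-writable filesystems are mounted noexec, nosuid and nodev.

Added example, not from the thread. FSTAB is a constructed sample; the
host name ltsp-srv and the mount points are assumptions.
"""

FSTAB = """\
# <file system>      <mount point>  <type>  <options>                         <dump> <pass>
/dev/sda1            /              ext3    defaults                          0      1
/dev/sda2            none           swap    sw                                0      0
tmpfs                /tmp           tmpfs   nodev,nosuid,noexec,size=256m     0      0
ltsp-srv:/home       /home          nfs     rw,hard,intr,nodev,nosuid,noexec  0      0
ltsp-srv:/srv/shared /mnt/shared    nfs     rw,hard,intr                      0      0
"""

# Options every user-writable mount should carry: no binaries run from it,
# no setuid bits honoured, no device nodes interpreted.
REQUIRED = ("nodev", "nosuid", "noexec")

# Mount points (and anything beneath them) that users can write to.
USER_WRITABLE = ("/home", "/tmp", "/mnt")


def parse_fstab(text):
    """Return one dict per real entry, skipping comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        device, mountpoint, fstype, options = fields[:4]
        entries.append({"device": device, "mountpoint": mountpoint,
                        "fstype": fstype, "options": options.split(",")})
    return entries


def is_user_writable(mountpoint):
    """True if the mount point is, or lies under, a user-writable tree."""
    return any(mountpoint == p or mountpoint.startswith(p + "/") for p in USER_WRITABLE)


def missing_options(entries, required=REQUIRED):
    """Return {mountpoint: [missing options]} for user-writable mounts."""
    problems = {}
    for e in entries:
        if e["fstype"] == "swap" or not is_user_writable(e["mountpoint"]):
            continue
        missing = [opt for opt in required if opt not in e["options"]]
        if missing:
            problems[e["mountpoint"]] = missing
    return problems


def hardened_options(options, required=REQUIRED):
    """Return the fstab option string with the missing restrictions appended."""
    return ",".join(list(options) + [opt for opt in required if opt not in options])


if __name__ == "__main__":
    for mountpoint, missing in missing_options(parse_fstab(FSTAB)).items():
        print(f"{mountpoint}: missing {','.join(missing)}")
```

On the sample above only the shared NFS export is flagged. One caveat for anyone copying the post's design: noexec stops binaries being executed directly from that filesystem, but an interpreter that already exists in the boot image can still read a script stored there, so the read-only PXE image deciding which interpreters are present is doing as much of the work as the mount option.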

At work, supposed to be working... (2, Insightful)

fprintf (82740) | about 6 years ago | (#25205659)

I know when I am at work, I am supposed to be working. Nevertheless, there really doesn't need to be an all or nothing policy as it improves employee morale to allow some personal flexibility in the workplace. I know my company tries very hard to lock things down, and yet does allow some off-topic internet browsing (Slashdot, right now for example) and the occasional personal telephone call. They are, however, quick to remind us that the electronic networks to which we connect are a) company property and b) exposed as a security risk anytime we try and connect a personal electronic device. Thumb drives, iPods, PDAs, cell phones etc. are all blocked from connecting to the network.

It is all a balancing act, and a tough one at that. In the end, and no matter how much I might dislike it at times, however, they are right to restrict my access to these devices. In a funny way, they are helping me with my addiction problem - getting me off the Web.

Re:At work, supposed to be working... (1)

SpicyLemon (803639) | about 6 years ago | (#25206415)

My company had a security meeting a while back. During the meeting (unknown to us) someone scattered some thumb drives around the parking lot. Two days later we had a follow-up meeting. More than 50 people had picked up the thumb drives and plugged them into their work computers. The security team knew this because they put a "virus" on the thumb drives that sent them some info about each computer it was plugged into. Each person even got specifically called out at the follow-up meeting too.

That's how they taught us about unsafe outside devices. Seemed to work pretty well too.

On that note too, if your company maintains their own images, it's probably best to disable autorun. [] has some good instructions on doing that.

In my opinion, that should be just as standard as showing file extensions.

The more you educate your staff about the "whys" of security, the more likely they are to follow your security protocols. You can't just tell someone not to do something. You need to tell them WHY they shouldn't do it too. You can't learn from other people's mistakes if you don't know why it was a mistake. For example, say you walked into a room and someone said, "Don't touch this shiny cool-looking thing." You'd be much more likely to try to pick it up than if he or she said, "Don't touch this shiny cool-looking thing because it's really hot."
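The link in the post above has been lost; one standard way to do what it describes on Windows is the NoDriveTypeAutoRun policy value, where each set bit disables AutoRun for one drive type. The following Python is an added example, not code from the post or from Microsoft: it decodes that bitmask and audits a constructed .reg export for keys that still let removable media AutoRun.

```python
r"""Decode the Windows NoDriveTypeAutoRun policy bitmask.

Added example, not from the thread. The value lives under
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (and the
matching HKCU key); each set bit disables AutoRun for one drive type. The
.reg text below is a constructed export used as sample input.
"""
import re

# One bit per Win32 drive type (bit = 1 << GetDriveType() value).
DRIVE_TYPES = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM/DVD",
    0x40: "RAM disk",
    0x80: "reserved",
}
DISABLE_ALL = 0xFF   # every drive type: the setting the post argues for
WEAK_VALUE = 0x91    # unknown + network + reserved only: USB sticks still AutoRun

# Constructed sample export in the format `reg export` writes.
REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"NoDriveTypeAutoRun"=dword:(?P<hex>[0-9a-f]{8})$', re.I)


def autorun_enabled_types(value):
    """Drive types on which AutoRun is still allowed by this mask."""
    return [name for bit, name in DRIVE_TYPES.items() if not value & bit]


def removable_autorun_disabled(value):
    """True if the mask covers removable drives (the thumb-drive case)."""
    return bool(value & 0x04)


def parse_reg_export(text):
    """Return {registry key: mask} for every NoDriveTypeAutoRun value in the export."""
    masks, current_key = {}, None
    for line in text.splitlines():
        line = line.strip()
        k = KEY_RE.match(line)
        if k:
            current_key = k["key"]
            continue
        v = VALUE_RE.match(line)
        if v and current_key:
            masks[current_key] = int(v["hex"], 16)
    return masks


def audit(text):
    """Map each key in the export to the drive types it still lets AutoRun."""
    return {key: autorun_enabled_types(mask) for key, mask in parse_reg_export(text).items()}


if __name__ == "__main__":
    for key, still_enabled in audit(REG_EXPORT).items():
        print(f"{key}: AutoRun still enabled for {still_enabled or 'nothing'}")
```

In the sample the machine-wide key carries 0x91, which leaves removable media able to AutoRun, while the per-user key carries 0xFF. On some older Windows releases a second DWORD in the same key, HonorAutoRunSetting, must be set to 1 before Explorer honours the mask at all, so an audit should read both values.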

Lock down ports and whitelist allowed MAC IDs (1)

PeeAitchPee (712652) | about 6 years ago | (#25205665)

Problem solved. I thought this was standard operating procedure in most corporate IT shops by now anyway.

Re:Lock down ports and whitelist allowed MAC IDs (0)

Anonymous Coward | about 6 years ago | (#25205739)

Right! It's not like you can reconfigure your laptop to use a particular MAC address... oh wait, yes you can.

Re:Lock down ports and whitelist allowed MAC IDs (1)

LizardKing (5245) | about 6 years ago | (#25205883)

Associating MAC addresses with specific switches and addresses on the DHCP server is precisely how my place does things. It means that even if someone does sneak in their laptop, plugging it into a network socket is going to result in no connection. Compare that to when I was on site as a consultant at a very large investment bank last year: they had personal wireless access points and laptops all over the company network. Some of the company access points were unsecured, while the personal ones were brought in by people wanting to subvert various inter-departmental firewalls. Infrastructure was outsourced, which meant getting things like ports opened for trading systems to communicate with each other was an extremely slow, bureaucratic process. Instead, it was much easier to plonk a wireless access point on each network.
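Both this post and the earlier "Some possible solutions" post rely on a MAC allowlist at the DHCP server, and the reply just above notes that a MAC address can simply be reconfigured. As an added example that is not code from either post, this Python script shows the allowlist decision itself and then audits a constructed ARP snapshot against constructed lease data to surface what the allowlist cannot see on its own: hosts with statically configured addresses, an address answered by a MAC other than the one it was leased to, and one MAC appearing on several addresses. The inventory, lease file and ARP output are all constructed sample data.

```python
"""Audit a DHCP MAC allowlist against what is actually answering on the LAN.

Added example, not code from the thread. APPROVED, LEASES and ARP are
constructed sample data standing in for an inventory, a dnsmasq-style
lease file and an `arp -an` snapshot taken on the gateway.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed inventory: registered MAC -> asset label.
APPROVED = {
    "00:1a:2b:3c:4d:5e": "ws-finance-01",
    "00:1a:2b:3c:4d:5f": "ws-finance-02",
    "08:00:27:aa:bb:cc": "printer-3f",
}

# Constructed lease file: <expiry> <mac> <ip> <hostname> <client-id>.
LEASES = """\
1223040000 00:1a:2b:3c:4d:5e 10.10.20.11 ws-finance-01 *
1223040000 00:1a:2b:3c:4d:5f 10.10.20.12 ws-finance-02 *
1223040000 08:00:27:aa:bb:cc 10.10.20.13 printer-3f *
"""

# Constructed ARP snapshot (`arp -an` format) from the gateway.
ARP = """\
? (10.10.20.11) at 00:1a:2b:3c:4d:5e [ether] on eth1
? (10.10.20.12) at 00:1a:2b:3c:4d:5f [ether] on eth1
? (10.10.20.13) at 00:11:22:33:44:55 [ether] on eth1
? (10.10.20.200) at 00:de:ad:be:ef:01 [ether] on eth1
? (10.10.20.201) at 00:1a:2b:3c:4d:5e [ether] on eth1
? (192.168.1.5) at 00:50:56:aa:00:01 [ether] on eth0
"""

LEASE_RE = re.compile(r"^\s*\d+\s+(?P<mac>[0-9a-f:]{17})\s+(?P<ip>\S+)", re.I)
ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)


def dhcp_should_offer(mac, approved=APPROVED):
    """The allowlist rule from the thread: only registered MACs get a lease."""
    return mac.lower() in approved


def parse_leases(text):
    """Return {ip: mac} for every lease line."""
    leases = {}
    for line in text.splitlines():
        m = LEASE_RE.match(line)
        if m:
            leases[m["ip"]] = m["mac"].lower()
    return leases


def parse_arp(text):
    """Return [(ip, mac), ...] for every resolved ARP entry."""
    return [(m["ip"], m["mac"].lower()) for m in ARP_RE.finditer(text)]


def audit(approved, leases, arp_entries, subnet):
    """Flag hosts the allowlist did not stop.

    A DHCP allowlist only decides who gets a lease; a host that sets its own
    address never asks, so it shows up in ARP with no lease behind it.
    """
    net = ip_network(subnet)
    findings = []
    ips_by_mac = {}
    for ip, mac in arp_entries:
        if ip_address(ip) not in net:
            continue  # other segments are out of scope for this allowlist
        ips_by_mac.setdefault(mac, set()).add(ip)
        lease_mac = leases.get(ip)
        if lease_mac is not None and lease_mac != mac:
            findings.append((ip, mac, f"address leased to {lease_mac} but answered by {mac}"))
        elif mac not in approved:
            how = ("statically configured address, never went through DHCP"
                   if lease_mac is None else
                   "holding a lease: allowlist not enforced on the server")
            findings.append((ip, mac, f"unregistered MAC, {how}"))
        elif lease_mac is None:
            findings.append((ip, mac, "registered MAC but statically configured address"))
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append((",".join(sorted(ips)), mac,
                             "one MAC answering for several addresses: duplicate or cloned MAC"))
    return findings


if __name__ == "__main__":
    for ip, mac, reason in audit(APPROVED, parse_leases(LEASES), parse_arp(ARP), "10.10.20.0/24"):
        print(f"{ip:<28} {mac}  {reason}")
```

Run against the sample it reports four findings: the printer's address answered by an unknown MAC, two hosts that never took a lease, and one registered MAC seen on two addresses. The point of the comparison is the one the reply above makes: the allowlist filters who is offered a lease, so the control is only as good as whatever watches the wire for hosts that never asked.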

Re:Lock down ports and whitelist allowed MAC IDs (1)

David Gerard (12369) | about 6 years ago | (#25206105)

My girlfriend got a job as a sysadmin at a new media agency by pulling out her Tungsten C and cracking their wireless networks right there. "You need these secured." One of her first jobs was to run Ethernet everywhere and keep one very locked-down wifi in the conference room.

(They got wifi everywhere cos it was l33t and k3wl and stuff. And it was several networks all on channel 6, as were the ones for other businesses on the floors above and below that were interfering. FAIL.)

Re:Lock down ports and whitelist allowed MAC IDs (1)

spectre_240sx (720999) | about 6 years ago | (#25206275)

Why do things the hard way? Active Directory + Radius + 802.1x would simplify things quite a bit for you. It's also much more secure.
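This reply and the earlier "It's called 802.1X" post describe the same design: the switch hands authentication to RADIUS, RADIUS validates a machine certificate against the company CA (or, for printers and similar, a registered MAC), and the port is only opened on success. The switch-side configuration below is an added illustration in Cisco IOS syntax, not taken from either post; the RADIUS server address, VLAN number, interface name and shared secret are placeholders, and the RADIUS backend (Windows NPS against Active Directory, or FreeRADIUS) is assumed to exist already.

```text
! Added illustration, not from the thread. Addresses, VLAN and secret are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key <RADIUS-SHARED-SECRET>
dot1x system-auth-control
!
! A user-facing access port: EAP-TLS machine certificate first, MAC bypass as fallback.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x pae authenticator
 mab
 spanning-tree portfast
```

The `mab` fallback is what the earlier post calls whitelisting a MAC on a port, and it inherits the weakness raised in this thread: a MAC address is a claim, not a credential. Keep MAB-only devices on their own VLAN with only the access a printer or camera needs, and reserve the certificate path for anything that can carry a supplicant.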

People are still talking about this? (1)

visualight (468005) | about 6 years ago | (#25205671)

Ten years ago it was a topic; has anything changed recently that makes this a less exhausted subject? Whoever thought up this "round table" idea doesn't have enough to do, I guess.

Generous Companies (1, Informative)

TheFarrMan (927799) | about 6 years ago | (#25205685)

Wouldn't it be a good idea if companies bought licences of AV/security software for their employees to use at home? It would generally be in the company's interest, and would work for the good of all Internet users if more people had better protection. If a company knew that the home/personal PC was protected to the same level as the work PCs, the security risk would be reduced and the chance of a user bringing in a virus from home would be reduced.

Look up "Enumerating Badness". (1)

khasim (1285) | about 6 years ago | (#25205881)

The problem with depending upon anti-virus packages is that they are reactive. And there is a delay in them.

It is a LOT easier (and verifiable) to identify what SHOULD be on a machine and then remove everything else.

Which is why most decent IT shops lock down the machines so that new apps cannot be installed on them.

Re:Generous Companies (1)

billcopc (196330) | about 6 years ago | (#25205897)

In such a scenario, the first thing the PHB would ask of IT is to require the company-endorsed security software to be used, and deny connections from "unsecured" hosts.

Which means if you're a Linux guru, or maybe you just don't want to bog your PC down with the joke that is Symantec Antivirus, then you're blocked off.

Don't be surprised, there are companies that specialize in such idiotic solutions. Remember RSA's SecurID? What the hell did that accomplish, besides making a small heap of cash for the vendor?

Re:Generous Companies (1)

David Gerard (12369) | about 6 years ago | (#25206115)

A lot of places do this. When I was at Ericsson all employees were in fact licensed for copies of Windows and Office at home on the corporate licence.

Re:Generous Companies (1)

dave420 (699308) | about 6 years ago | (#25206569)

Well, if you use Sophos AV, it's included in the price. Or it used to be, at least. Every desktop user of their software in the corporate setting would be allowed to use it at home.

Either Change Policy or Change Enforcement (0)

Anonymous Coward | about 6 years ago | (#25205707)

Many institutions can have a more open IT policy than they think they can. Excluding external devices and software is often arbitrarily enforced and is of questionable benefit, as insider devices/software can be just as bad, or external tools/software from those that have carte blanche to ignore policy (upper management) will be just as bad. Why not just open things up? Companies can win, as employees use technology that they are most comfortable with, and so are more productive (and it doesn't cost the company a dime). Small startups and poor educational institutions sometimes require personally owned electronic devices!

If you want to keep support costs down, refuse to service outside software & hardware. Or suggest that a policy be put in place where the users would have to pay out of pocket for such support. Caveat emptor.

If you need to exclude devices due to contracts (often due to security), you need to change the way you enforce policy. Do random checks of people entering and leaving work. Suspend or terminate employees that violate the rules.

Failure to lock down machine = users WILL install. (1)

djsmiley (752149) | about 6 years ago | (#25205715)

"Reminds me of when I worked in IT support: no matter how many times we told users they weren't allowed to install ICQ, or to connect their personal laptops to the corporate network, they insisted on doing it. Frequently they even asked us to help them do it."

1. Users WILL attempt to install stuff
2. If they can't, they will eventually give up

However, if they manage, then they will push for more and more stuff, and demand support for stuff they never should have installed in the first place.

Surely they should never actually be able to install anything? Is it really THAT hard to lock a system down? My university never seems to have any problems unless people bring in external drives with stuff installed on them (someone managed to get WoW running... but then the uni stopped it somehow), and they could stop this easily enough by stopping USB.

Re:Failure to lock down machine = users WILL insta (3, Insightful)

eagee (1308589) | about 6 years ago | (#25205889)

Yea, try locking down the computer in a software RND department. If you succeed, you'll most likely have trouble keeping them around. IMHO there has to be a balance between security and freedom. Some security risks need to be a cost of doing business in order to keep your employees happy. I know if I couldn't read slashdot - I'd have a serious morale problem.

Re:Failure to lock down machine = users WILL insta (1)

ccguy (1116865) | about 6 years ago | (#25206051)

1. Users WILL attempt to install stuff 2. If they can't, they will eventually give up

I'm afraid you have it wrong. They WILL attempt to install stuff and one of these will happen

a) They will succeed
b) They will fail but break something serious in the process (by booting from a special CD from a friend or something like that)
c) They will fail but find some decent workaround
d) They will tell you to fuck off and find a better place to work
e) If they are incompetent enough to do a, c or d they will give up but find another hobby.

So instead of frustrating yourself and your employees, you could just demand a level of productivity in return for a pleasant workplace where having an IM client is not a crime.

Re:Failure to lock down machine = users WILL insta (0)

Anonymous Coward | about 6 years ago | (#25206347)

>> Is it really THAT hard to lock a system down?

It's impossible to lock a system down.

Worst case, they would just open the case and reset the BIOS password. Then they would boot with another drive they brought from home that has Windows installed, copy the program to the directory of a legitimate program on the original and rename the .exe.

Solution (1)

cordsie (565171) | about 6 years ago | (#25205735)

Netbook (MSI Wind): EUR400
3G Modem (O2): EUR19.00 + EUR20.00 per month

Problem solved.

Oh jeeze (1)

thatskinnyguy (1129515) | about 6 years ago | (#25205757)

If I had a nickel for every time I absolutely had to install Real Player or get someone's personal camera to work with their work computer and it was a "life or death" situation, I would have enough money to buy lunch at London New York.

It's like Prohibition - Unenforceable (5, Insightful)

eagee (1308589) | about 6 years ago | (#25205791)

To quote Einstein: "The prestige of government has undoubtedly been lowered considerably by the Prohibition law. For nothing is more destructive of respect for the government and the law of the land than passing laws which cannot be enforced. It is an open secret that the dangerous increase of crime in this country is closely connected with this."

The same kind of thing applies in a corporation. You don't want to lower morale, and you especially don't want employees to lose respect for your policies. That certainly poses more risk to the success of an organization than connecting your iPhone to the wifi network.

Maybe a better solution would be investing in IT infrastructure.

Re:It's like Prohibition - Unenforceable (1)

magamiako1 (1026318) | about 6 years ago | (#25206201)

As an IT guy, my job isn't to keep you happy or keep you productive. My job is to keep the network safe and secure and make sure that business operations are not interrupted.

Re:It's like Prohibition - Unenforceable (2, Interesting)

jimicus (737525) | about 6 years ago | (#25206405)

The same kind of thing applies in a corporation. You don't want to lower morale, and you especially don't want employees to lose respect for your policies. That certainly poses more risk to the success of an organization than connecting your iPhone to the wifi network.

Maybe a better solution would be investing in IT infrastructure.

It's a bit awkward in IT. Hey, it's always a bit awkward.

You let everyone install anything they like and do whatever they want -> Congratulations, you've just been picked for BSA Raid of the Month! (In some countries, directors are criminally liable so you have to take it seriously) With extra interest from the PRS if MP3 files are found!

You let nobody install anything -> well, the implications depend entirely on the role of the end user. If the PC is being used by someone in a call centre, this is probably appropriate and call centre staff are relatively easy to replace. If it's in software development, you wind up spending the rest of your life installing software on people's behalf and being hated by everyone.

These things are blocked because the world's Windows support forums are absolutely chock-full of individuals who have got their home PC absolutely chock-full of rubbish like drivers for that cheap scanner which never really worked, 15 different and equally lousy photo editing programs after they found out how much photoshop costs, goodness-knows-what malware installed from a pirated copy of photoshop and whatever else besides. It is simply not practical to deal with these issues on every PC.

I am the IT manager. I'm very lucky in that I'm not having to support a vast number of people who, given the opportunity, would wind up with PCs as screwed up as what I described above; I can therefore operate much of this on a trust system: "I won't go searching for dodgy stuff, please don't leave it in plain view". However, the company I'm working for is growing at a rate of knots and I'm sure this will change in time.

Re:It's like Prohibition - Unenforceable (1)

SpicyLemon (803639) | about 6 years ago | (#25206527)

"Pick your battles wisely" is a nice way to put that.

I quit my last job partly because of their "security" policies and their fierce but lame attempts to enforce them. One was, "If you're in this area you have to have a red T-shirt on or your shirt tucked in. First violation is a warning, second is termination." In my opinion that was a poorly fought battle and should have been left alone. They ended up never really enforcing it. All it did was lower morale and damage trust of management.

Mostly the fault of IT (3, Interesting)

Kohath (38547) | about 6 years ago | (#25205871)

When IT doesn't serve the users, the users have to be their own IT. Users are bad at it and it causes problems.

The answer is to stop saying NO when users ask for reasonable (non-harmful) things. Help the users instead of trying to make your own job easier.

Re:Mostly Bull$hit (0, Flamebait)

w1cked5mile (963365) | about 6 years ago | (#25206421)

IT will always be perceived as not serving the users' interest since it's their job to provide a secure environment for the business. I've caught flak from day one in suggesting (successfully) that DBAs and developers didn't need to be Domain Admins or even local administrators of database servers, of which 13 accounts were demoted. I caught flak when I suggested (successfully) strong password policies because people couldn't remember their password. The idea of letting every Tom, Dick, and Harry carry their personal laptop, thumb drive, PDA, digital camera, iPod, cell phone, and wireless device around and connect into our network scares the $hit out of me. However, it's done because the senior management want it and don't see a problem with letting the guys in the trenches do it too. That being said, we don't support any personal device and will reset workstations to standard configurations if there's a problem. Luckily I'm not the person that supports that side of our network. Now, I've got to get back to downloading some podcasts to my iPod and syncing my calendar to my PDA while I'm waiting for this torrent to download on my laptop. It's good to be king.

Re:Mostly the fault of IT (0, Flamebait)

darth dickinson (169021) | about 6 years ago | (#25206543)

Let me guess... you've never done desktop/server support at a company with more than 50 employees... right?

Let me guess... (1)

fuzzyfuzzyfungus (1223518) | about 6 years ago | (#25205885)

Symantic would be happy to sell you some sort of "proactive compliance solution" to address this deep and serious problem that they were nice enough to convene a roundtable about.

Re:Let me guess... (1)

jimicus (737525) | about 6 years ago | (#25206475)

Symantic would be happy to sell you some sort of "proactive compliance solution" to address this deep and serious problem that they were nice enough to convene a roundtable about.

Yep. Symantec Endpoint Compliance.

They've basically taken the antivirus product as far as it's possible to go so now when you buy the corporate version you get centrally managed antivirus, firewall, intrusion prevention and a certain degree of management over what devices may be plugged in and what software (if anything) may be executed.

Most of this can already be done with Group Policies in Active Directory so unless you haven't got AD or anything analogous to it, I can't really see what the benefit is.

Mac or Linux (1)

JoeCommodore (567479) | about 6 years ago | (#25206045)

Nice thing about us having an all-Mac office (even better would be Linux) is that users generally don't have compatible software, so employee installations are at a minimum.

On a few of our networks we have a wifi outside of the internal network which could be connected, though we provide enough computers so they should not require that.

I think part of the thing admins should look into is why are they wanting to connect their stuff or install software. If there is a valid unfilled need, then that should be addressed instead of throwing more roadblocks on them trying to do their jobs.

Re:Mac or Linux (1)

magamiako1 (1026318) | about 6 years ago | (#25206179)

Locking down a Windows network to prevent users from installing software, compatible or not, is one of the first things you learn on the way to becoming a Microsoft Certified Solitaire Associate.

There's no excuse.

Problem solved, and has been for a decade (1)

Toll_Free (1295136) | about 6 years ago | (#25206049)

May I point you to surfcontrol? []

I used this for a LONG time. You can have it set up to where it just blocks packets, blocks packets based upon a BUNCH of different rulesets, block packets based upon authentication (I had a private company that the owner HAD to be able to look at porn. I created a custom container for him, and no logging, reports, etc. came through).

It will block based upon port, protocol or keywords it finds in the packets.

Best product I ever found, at least for WinTel environments (It will integrate seamlessly with domains, etc). I prefer it over MS Proxy for web based content filtering at work.

Nothing better, in my opinion.


Perspective (1)

magamiako1 (1026318) | about 6 years ago | (#25206077)

I have to disagree with the people here stating that "many of these applications are harmless".

No, they are very harmful, and even if some of them are harmless right now does not mean things may not be harmful in the future.

When the business relies on IT, you cannot allow one person to be able to cause all the headaches for the network.

If a person visits a compromised website with a 0-day exploit that attacks the browser you have installed, and then proceeds to install a worm that traverses the network and attacks all of your machines, soon enough turning your whole network into a giant malware infested spamming machine.

The lockdowns are not because of "known" dangers, it's the unknowns.

You could have the most competent, updated anti-virus in the world, a rigorous patch scheme with Network Access Control implemented (mind you, NAC/NAP is a fairly new thing) that prevents people from connecting to the LAN without certain requirements being met, and a 0-day vulnerability could render all of that useless in an instant.

You have no choice but to lock down your machines and prevent users from doing things that are "harmless".

Re:Perspective (2, Insightful)

tbannist (230135) | about 6 years ago | (#25206431)

It's interesting you should mention that, because it's Internet Explorer that is most widely known for having such serious 0-day exploits.

You know, the browser that you're usually required to use instead of that untrustworthy, shifty newcomer, Firefox.

If "it might break someday" is your excuse for saying "no", you might as well shut the whole company down now, crawl into a deep bunker and hide until the day you die.

Unreasonable cowardice is not a virtue.

It's amazing what people will do at work... (1)

Taibhsear (1286214) | about 6 years ago | (#25206129)

At work right now so I guess I'm a bit of a hypocrite, but anyways...

You'd be surprised the crap people try to get away with at work. I work at a college and we have several computers on mobile carts with projectors for class lectures. I do the immediate repair and updates to the systems and I've found registry scrubbers, online gambling software, chat programs, itunes downloads, and all sorts of shady things that shouldn't be on the systems. They aren't even the professor's office systems. These are only used during class. What could they possibly be doing while students are there in front of them? Boggles the mind. Thankfully I recently got the systems swapped out since they were old as shit. I had computer support set up a limited login for the professors and give me the admin so I can keep the stuff up to date and keep their paws off the important things. But man, there's some shady characters that have been on those computers over the years.

Re:It's amazing what people will do at work... (0)

Anonymous Coward | about 6 years ago | (#25206413)

How do you know it's the professors installing strange software on the computers, and not students who wander into unoccupied classrooms?

Solution: Give them a VM (4, Interesting)

scorp1us (235526) | about 6 years ago | (#25206137)

Just give them VMPlayer and an XP/SP3 image that is only like 5 gigs and they can install whatever they want.

Then lock down the company machine.

If something goes wrong with the VM, just give them a new one. Sorry, but there is no support other than that. If they lose stuff in the VM, then that's not your problem.

I'll follow their rules.. (0)

Anonymous Coward | about 6 years ago | (#25206147)

...when they stop calling me at home.

Most personal devices have simply become ubiquitous in our daily lives. Most times I see Draconian measures by business taken on by lazy little control freaks who are too fat or whiny to be a beat cop. Companies where staff actually patrol the web logs have WAY too damn much time on their hands. These are obviously the same people that enforce having passwords like "1#$rf12aB$Qzx" that needs to change every 30 days - which mean everyone has their password on a post-it next to their monitors.

Put a wireless node in the dropped ceiling with an SSID broadcast with WPA-PSK. Hook it to a power box and just leave it. Watch the admins hunt around like busy little piss-ants trying to find it. Do this in the CEO suite - preferably in the CEO's office ceiling. The network gargoyles will look like retards.

Give it a rest (0, Troll)

aggles (775392) | about 6 years ago | (#25206185)

Shore up your applications and let users do what they will. It's a losing battle to lock down personal systems, especially for those with tech experience. Do YOU use a restricted system image? Most IT professionals do what they want, yet try to get others to follow their stupid rules. I'm fighting my IT department now because I've disabled all their crap except anti-virus and now my machine runs MUCH faster. I had zero tech support calls till they made me enable specialized spyware detectors, software installers and firewall software. With it running, blue-screens, hung applications and performance sucked. Now - their crap is disabled again. I'll take care of my own machine, thank you very much. Stay the fark out of my machine! I use my work PC for personal reasons and work during personal time. I'll fight them till they fire me.

It's time to get tough (4, Interesting)

jonnyj (1011131) | about 6 years ago | (#25206221)

We're already there in the UK Financial Services industry. Earlier this year, the FSA (our financial regulator) issued a report on best practice [] that, amongst other things, recommends that

  • organisations should work on the assumption that staff do not know what the firm's policies and procedures are
  • staff handling customer data should not be allowed to have mobile phones or personal belongings at their desks
  • staff should not have access to external email or the internet unless there is a genuine business need
  • all USB ports should be disabled so that only approved, encrypted devices will work

If you're in the industry and doing less, expect regulatory sanctions if anything goes wrong. It's time to get tough on slack security.

Unsupported Apps (1)

Ohio Calvinist (895750) | about 6 years ago | (#25206297)

The problem is that already taxed desktop support teams are going out to fix problems that would have never been caused if the application had never been installed. If there is a bona fide need for a particular piece of software, IT should acquire, test, and support it.

As a state institution, we had employees go out and buy various smart devices, all of which ran proprietary "push" clients; some of which worked well, others not, others securely, others non-securely. The issue was we had literally hundreds of configurations to support, and when it worked, the users (mostly middle managers) flat-out expected the entry-level techs to get their personally owned piece of equipment to work. I argued it was illegal to use state time to fix personally owned equipment and refused, but other techs weren't so lucky, and hundreds of man-hours for a small support group were spent supporting devices we'd never touch if management would have enforced a simple guideline of what devices and vendors we'd support (e.g. we had no coverage on campus for Sprint, period).

At the same college, someone installed some app similar to Picasa that caused major issues with some proprietary (approved) scanning software used to record transcripts. We lost almost 2 days of productivity on that station after a full wipe and reconfigure, while the employee didn't catch any flak over it. I argued the employee violated the policy, the business suffered downtime, and she should have been sent home without pay. It was no different than breaking a copy machine by feeding stapled documents into it saying "I don't care what IT says, it SHOULD work!"

"no corporate devices outside of work" (1)

peter303 (12292) | about 6 years ago | (#25206481)

Then companies must institute the converse policy too: "the company cannot contact you using an electronic device outside of regular work hours." No phoning, email, computers...

guestnet (1)

jasontromm (39097) | about 6 years ago | (#25206505)

The last two places I've worked they had a wireless "guest" network. It's not connected to the corporate network in any way so there is no security problem. I connect my iPod touch to guestnet right now so I can use all my favorite apps on it.

I fail to understand why you would try to do this (1)

dilvish_the_damned (167205) | about 6 years ago | (#25206549)

I mean, we do not allow people to send email using any Outlook client, but that's for obvious and technical reasons. We first tried to enforce this by policy, since I sort of expect people to obey policy. We had one guy who insisted on using it no matter how many times I told him not to. So we explicitly disallow it at the server. Along with this we disallowed common non-encrypted services like Windows shares and the like.

However, what's the hatred of IM services? I mean, this sort of thing is a social problem, not a technical one. The only reason you would usually try to keep a lid on it is if you supposed employees were wasting their time, and this is a problem for HR or management, not the IT department. If it's simply a matter of installing unauthorized software then you have two choices from a technical point of view: authorize it, or disallow users installing software using a technical solution. If your platform does not let you have this kind of control then you're using the wrong platform for the kind of control you seek.

As far as users plugging in unauthorized devices, use managed switches, and explicitly allow the hardware you approve of. Those users found circumventing this are obviously not innocent, as they have actively circumvented your meager security, so shut them down and let HR know about it so they can decide what to do.

If you REALLY MUST keep users from using software, then shut down UDP and do explicit allows for IPs and ports after the user proves need. Force everything through a transparent proxy and do explicit allows for sites after the user proves need.

You now have control over everything on your network. If this seems draconian, it's because it is; welcome to 1984(+24).

The gist is twofold: first, the IT department should try to stay out of the HR management game and stick with technical issues. Second, you can have as much control as you wish (if you think it's a good idea), so quit your crying.
