Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Remote Management and User Consequences?

Cliff posted more than 8 years ago | from the battle-between-adminis-and-computer-saavy-users dept.

139

NNWizard asks: "I work in a large university in Belgium where the people in charge of university computer systems want to install LANDesk on every single computer connecting to the university network. The aim is to be able to manage software and provide centralized remote user support. In the old days, every department had computer guys dedicated to the department, and they knew all about the users and their needs. Now, they want to make the management of computer resources global. In most non-engineering faculties this is well accepted, however in the Applied Sciences Faculty the users are computer savvy -- they do not like the idea of giving out control of their computers to people they don't know. What experience does Slashdot have with such a situation? Was the deployment of LANDesk (or a similar software package) a good or a bad thing for the users? How were the privacy issues tackled? Were people still able to use their computers the way they wanted to use them?"

cancel ×

139 comments

Sorry! There are no comments related to the filter you selected.

FP! (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14880328)

first

At my company... (5, Interesting)

parasonic (699907) | more than 8 years ago | (#14880357)

We simply use the freeware version of RealVNC. When employees first join, they have to give up rights to "privacy" for the I.T. people. We respect official business, but unless it's someone high up in the company is working on some sensitive information, we typically assert our authority as our workers should only be working on official business.

If you are concerned about privacy, I'd look into something simple like VNC if you have the management software to know who's using what computer when. It works VERY well with us and is very versatile--I can't tell you how many times it has saved our butts from having to drive 300 miles when we just put a VNC connection over an SSH tunnel at a remote jobsite.

Re:At my company... (1)

agm (467017) | more than 8 years ago | (#14880405)

ssh provides ample access, and if you need access to a GUI then remote X will do the job (we use an NXClient connecting to a FreeNX server). All over an ssh tunnel.

Re:At my company... (2, Informative)

BobPaul (710574) | more than 8 years ago | (#14880432)

I don't understand why remote X is brought up every time someone mentions VNC... VNC runs on windows, too. I'm sure his company probably has primarily (if not all) Windows machines. Remote X doesn't do so well on windows (by nature of the lack of X).

Re:At my company... (1)

agm (467017) | more than 8 years ago | (#14880836)

I was assuming they have the same setup as me, all Linux. At home and work. I use NXClient (remote X with additional compression) and it's great.

Re:At my company... (1)

Pulse_Instance (698417) | more than 8 years ago | (#14882190)

How did you get modded to a 5 for saying that you are an idiot who assumes everyone uses the the same setup as you? Especially when the summary says that they work in a large University in Belgium! Sure it would be nice if everyone in the University were using linux, but there is a better chance that like most schools and large businesses that the majority of the machines are using Windows 2000 / XP and that there are few if any linux machines that IT actually administrates.

When I did work at a University the only linux boxes that were on the network in my building were the IT admin machines, a couple servers and one that a researcher used for running MATLab simulations (the researcher had a deal with the IT team and they never touched his linux box). In any large setting you need to assume that there is going to be a mix of machines and if you can find that a solution that is cross compatible that is the best choice you could possibly go with.

Re:At my company... (1)

lt.com.riker (946759) | more than 8 years ago | (#14883691)

Why is he an idiot? VNC runs on Windows, until I read this thread I didn't even know that it could run on Linux. We used it at my High School to keep tabs on the users in the labs.

Now-a-days, I use the Remote Assistants feature in Windows/MSN Messenger. This would probibly work better in a company using LiveCommunication Server to acutally run their messenging client though.

Re:At my company... (0)

Anonymous Coward | more than 8 years ago | (#14880643)

At my company people installed more VNCs and zombie networks than the IT department wants to know.

and who looks at the IT people? (1, Insightful)

Anonymous Coward | more than 8 years ago | (#14880630)

oh wait, youre more equal

Re:At my company... (5, Informative)

glorpy (527947) | more than 8 years ago | (#14880674)

Academics are a very different beast from for-profit corporations. Faculty are effectively BOFHs, as they are absolutely vital (they bring in serious outside funding and desirable students and press) and are very tempermental. Faculty do not appreciate or enjoy administrative work. Schools are generally lucky if they can get them to teach well, let alone learn anything not directly related to their research.

The software used in labs tends to be poorly coded at best. Downright hacks from the Stone Ages are not uncommon, even on $50K microscopes (how many of your microscopes run Windows 95?!), so IT is going to have to be very careful in defining "computers".

Have the heads of IT, along with engineers and project managers, meet with Department Chairs, Deans, the Faculty Senate, and any star faculty. Individually and en masse. Throughout the planning, implementation and follow-up stages. Keep clear lines of communications open at all times. Be prepared for quick, courteous responses to irate and unreasonable faculty. Whatever you do, though, do NOT allow the faculty to define the terms of their relationship with IT. They are horrible clients; they don't know what they want, communicate it even worse and have the power to make your lives miserable. Perhaps the Marketing department can be hired to help out?

I wish the OP the best of luck with this endeavor. And with the future job hunt when faculty come back screaming at the Deans, only to have them turn around and blame IT.

Re:At my company... (2, Informative)

slonkak (648358) | more than 8 years ago | (#14882045)

I agree with the "keep them involved" idea. However, you are also correct that they do not know what they want. Bottom line is, those computers are not their personal computers. When they were hired, they, like myself, should have signed many papers, one of which basically says that absolutely nothing you do at work is private. Whether they like it or not, it's not their call.

We use Altiris where I work. Through Altiris we have two different ways of controlling a computer. First, through the Notification Server, is Carbon Copy. This is done via webpage and can be configured to prompt the user to choose whether to allow someone to connect or not. Second, through the Deployment Console, is Remote Control. This is a high-bandwidth feature with no user prompting. Basically the last resort. Either way, you should devise a plan to explain to them how this is necessary.

Re:At my company, we're hell-bent nazis (0)

Anonymous Coward | more than 8 years ago | (#14881012)

Damn, what incredile assholes. Who do you work for, so I can ensure I never apply there? My brain would melt in short order if I had to focus on work only all day, and couldn't kick back for a minute here and there to check Slashdot or a web comic or two.

Re:At my company, we're hell-bent nazis (1)

Pulse_Instance (698417) | more than 8 years ago | (#14882220)

I have been in a couple situations where IT could take complete control of the computer, once at a University and at a fairly large company. In both cases IT never once cared if you took some time to read slashdot, play a game demo or anything else anyone wanted to do, as long as it wasn't porn. The people who weren't allowed to do that had stupid bosses who wouldn't let them, IT doesn't really care (except occasionally in the case of playing LAN games that used up too much bandwidth). Fortunately I have had bosses who realized that a happy worker is a more productive worker.

Re:At my company... (2, Interesting)

Anonymous Coward | more than 8 years ago | (#14881274)

Too bad that vnc is not permitted [devhood.com] or here [realvnc.com] by the windows XP EULA, or maybe you are just
need to purchase another XP license? [realvnc.com]

UltraVNC is the best VNC. (1)

Futurepower(R) (558542) | more than 8 years ago | (#14881790)

UltraVNC [sourceforge.net] is the best VNC, in my experience.

--
Loose Change [google.com] . Interesting free movie.

Hamachi? (1)

Futurepower(R) (558542) | more than 8 years ago | (#14881834)

I haven't tried it, but what about Hamachi [hamachi.cc] ?

Mod parent UP (0)

Anonymous Coward | more than 8 years ago | (#14881858)

Interesting comment about the tunneling. Therefore, mod 'em up.

Re:At my company... (1)

Richard Steiner (1585) | more than 8 years ago | (#14883498)

My company does not permit non-company machines to connect to the corporate LAN. Since they control the machines which connect, they can install whatever they want on those machines.

If you decide not to agree to that, you will not get a laptop. :-)

I don't think so.... (5, Interesting)

jipis (677451) | more than 8 years ago | (#14880359)

I gotta say: As an admin, I enjoy having the ability to remotely see what's going on on my machines. If they're users' desktops, it's much easier to just get a view of their screen (think PC-Anywhere) than to keep asking them what they see now only to get half answers and useless replies.

That having been said, what the university wants to do is 1) completely different and b) a Very Bad Thing. In my case, *I* am the admin and the machines are *MINE* . The university is looking to force anyone who wants to use its network to give them root on their machines? Puh-lease. It's time for departments who don't want to lose control of their PCs at this university to start looking for an outside ISP. Chances are there's already money in the budget for it: they probably kick in to the general IT infrastructure budget already.

-J

Re:I don't think so.... (1)

RMH101 (636144) | more than 8 years ago | (#14881735)

if what you're advocating is that every individual department is allowed to break away from the main network, setup their own infrastructure, and service it any way they like, then it's a dangerous road to go down. sure, it may appeal to the freedom-loving geek in you, but it has a lot of downsides: no economies of scale (e.g. licencing, helpdesk, etc), difficulty in communication across departments, loss of standardisation etc. all this probably *doesn't* translate into a lower Total Cost of Ownership. I appreciate you're in an academic setting so you don't have a requirement to maximise shareholder revenue, etc, but chances are you're still on a constrained budget and so cost *will* be a factor...

Re:I don't think so.... (1)

dpilot (134227) | more than 8 years ago | (#14881915)

All too often, real maintenance and security can get replaced by "checking off boxes on the form," and the higher up the company it goes, the more likely that is to occur, IMHO. Moving maintenance and security higher up the company also tends to pressure things into "one size fits all."

This isn't universally true, and in some circumstances, it's probably the right model. But at a research facility or University, other than administration, it's probably not.

Re:I don't think so.... (0)

Anonymous Coward | more than 8 years ago | (#14881946)

The university is looking to force anyone who wants to use its network to give them root on their machines?

Welcome to the modern world of IT. Even when you buy your own PCs, like the Intel Apple Mac or newer Dells and HPs, come with TPM chips on the motherboard to ensure that you can't even have root on your own machine. "Root" is priviledge reserved for the tech companies.

Re:I don't think so.... (2, Funny)

parasonic (699907) | more than 8 years ago | (#14882342)

it's much easier to just get a view of their screen (think PC-Anywhere) than to keep asking them what they see now only to get half answers and useless replies

Absolutely. Nine times out of ten, when we ask a user over the phone to read the error message and title in a dialog box that pops up, we don't get the complete picture, even though we ask for the user to tell us EVERYTHING that is on the screen. That makes telephone troubleshooting annoying. It's why we use remote management whenever possible, and if that is not an option, we explain how to email screen shots. Either way, having a picture of the user's screen is EXTREMELY useful and saves us I.T. workers much time and therefore saves the company big lumps of change.

They're full of crap (5, Insightful)

ltbarcly (398259) | more than 8 years ago | (#14880365)

People who believe that they 'know about computers' are the biggest problems from an administration standpoint. Of all of my users, the ones who don't think they know how to manage their computer end up doing a lot less damage than those users who think they know what they are doing.

And the worse part is, people who THINK they know all about computers are also the ones who will blame YOU when they hose their installation of Windows. Frankly, I find it unlikely that these engineers need the control of their computers. More likely they want to install unapproved software and various adware bullcrap which will bring your network to a crawl.

I say this from experience. Initially I thought it would be OK to give some 'expert' users local admin rights, so that they wouldn't have to call the help desk in those situations where they simply want to install real player to listen to Rush Limbaugh or whatever else these dopes do. However, they instantly manage to get spyware, trojans, keyloggers, and other worms and viruses. They do this despite fully updated Microsoft Spyware (granted, it is a beta) and fully updated antivirus software.

It is only recently, as we moved to managed antivirus software, that I began to understand the amount of damage these people were doing. I now get reports of virus activity, and I am never going to make the mistake of giving a user local admin rights again. It is easy to do, but they will abuse it, and taking it away is 1000x as hard as just sticking to a policy of never doing it. Once you give in they will know that you can bend the policy, and when you take it away you are telling them through your actions that you don't trust them to know what they are doing.

And the one thing these people always think is that they somehow know what they are doing.

Let me make it a simple maxim: 'If you are not responsible for the maintenance of a computer, you WILL NOT UNDER ANY CIRCUMSTANCES have administrator rights on said computer.'

Re:They're full of crap (3, Informative)

ltbarcly (398259) | more than 8 years ago | (#14880372)

I am only talking about computers owned by the institution. Obviously nobody should give up root access to their personal computer.

Re:They're full of crap (1)

jipis (677451) | more than 8 years ago | (#14880397)

I'll agree to this. Mostly. The admins of a machine should be at the level of ownership of that machine -- unless the level defers to a higher level. That is, if the Applied Math Dept or the Computer Science Dept wants to admin their own machines (ie, have admins to take care of all dept machines -- not to have each user take care of his/her "own" machine), this should be allowed.

Truly "personal" computers on the university network are another story. I don't know the best ending to that one.

-J

Re:They're full of crap (3, Insightful)

rah1420 (234198) | more than 8 years ago | (#14880623)

Truly "personal" computers on the university network are another story. I don't know the best ending to that one.

"No." Meaning that such devices are not allowed.

That's the way my company does it. If it's an asset owned by the corporation, it is allowed to get Ethernet packets. If not, it's not.

I bring my personal machine in, but there's no cat5 going into it even though it's safer by far than any corporate machine.

Re:They're full of crap (1)

jipis (677451) | more than 8 years ago | (#14880737)

"No." Meaning that such devices are not allowed.
That's what I was thinking initially. However, this is a school we're talking about. Many (most?) schools allow students to plug their desktops into the network ethernet and use their laptops on the school's wireless LAN. We are talking about private machines here. Of course, there is the acceptible use policy (or whatever a given school calls it) dictating what is okay for the student to do. I can't imaging it saying "no running viruses", though.

-J

Re:They're full of crap (2, Interesting)

martinultima (832468) | more than 8 years ago | (#14881883)

“That's what I was thinking initially. However, this is a school we're talking about. Many (most?) schools allow students to plug their desktops into the network ethernet and use their laptops on the school's wireless LAN. We are talking about private machines here. Of course, there is the acceptible use policy (or whatever a given school calls it) dictating what is okay for the student to do. I can't imaging it saying "no running viruses", though. ”


Well, maybe it's true for big universities like OP is talking about, but as far as anything less than that, don't expect to get anywhere...

I happen to be a high school student myself, and apparently my school district really hates me now. The entire network is basically a bunch of Windows XP machines with every possible lockdown technique imaginable – can't clear browsing history, can't even lock the screen any more. And of course they spy on everyone 24/7, even if whoever they're spying on hasn't even done anything.

Why do they hate me? Because I was using PuTTY and VNC to tunnel my Linux box's desktop at home to the school machine so I could work on a LEGITIMATE SCHOOL PROJECT that happened to be stored at home. (Namely, my Linux distribution [distrowatch.com] that I'm doing for an IB personal project this year.)

And now the really good part – they're now working on converting all the high schools to wireless, even though they don't allow personal computers from home to be brought in anyway. The entire place is already wired up for all their machines, so it's not like we really need any more connectivity stuff.

Makes you wonder if they even know what they're doing sometimes.

Re:They're full of crap (2, Insightful)

Curmudgeonlyoldbloke (850482) | more than 8 years ago | (#14882105)

I'd have thought that "an effective, up-to-date, virus checker" would be an excellent start to an AUP.

Re:They're full of crap (1)

danielrose (460523) | more than 8 years ago | (#14882120)

We had that setup, with some wacky ass login script that would pull the smbios info from the machine and if it wasn't in the asset register then bye bye ip address...
That worked great for them until we changed the smbios of all the systems we wanted on the network to old systems that had never been removed from the asset register... =D
But then again our IT people are smart. They left a voice message on my cell phone when I logged a call about my cell phone being faulty.

Re:They're full of crap (1)

gstoddart (321705) | more than 8 years ago | (#14880789)

I am only talking about computers owned by the institution. Obviously nobody should give up root access to their personal computer.

Well, the summary says any computer connected to the university network.

When I was in school, many profs/departments bought their own machines out of their own budgets/research moneys.

I can't see someone who paid for the machines being willing to hand over hand over control to remote people. Such uniform policies work for the lowest common denominator, but not for everyone.

And, remote control stuff is pretty annoying. My company has set up the antivirus stuff to start scanning at pre-determined times of day. The problem is, for my desktop (an always-on server which I use for developing software and have a couple of databases) the scan starts in the middle of my workday, making the machine crawl.

Trying to convince the people who set it up to change it is maddening. Their rationale is that since so many computers are laptops, they need to get them during working hours to be sure the machine is scanned.

A one-size fits all, remote managed approach is more of a nuisance than anything.

Re:They're full of crap (0)

Anonymous Coward | more than 8 years ago | (#14882156)

"Their own budgets/research moneys" is still the school's money. The computers still belong to the school, not to them.

Re:They're full of crap (2, Informative)

gstoddart (321705) | more than 8 years ago | (#14882479)

"Their own budgets/research moneys" is still the school's money. The computers still belong to the school, not to them.

*bzzzzt* Wrong answer.

A professor who gets research grants not provided by the University upon purchasing equipment has not bought something for the University. Some departmetnal funding comes from external sources, not the school. These assets are tracked and accounted for differently, since they most assuredly were not bought with the school's money.

When I was in school, many profs had some really cool equipment that they purchased with the grants they received from external sources. And if they left, they could take it with them.

Re:They're full of crap (5, Insightful)

jipis (677451) | more than 8 years ago | (#14880383)

I think you're missing something important here. The admin rights are being taken away from the local heretofore admins in favor of giving them to the corporate-level admins. As an admin to whom this has happened, I can tell you that this policy change / procedure change / whatever marketing-speak term you want to give it is a Very Bad Thing. The corporate IT people -- even if they know what they're doing (personally, I've found that too many ppl at the "corporation-wide" IT support level know less about computers than my dog) -- cannot do as good (good at all??) a job at the admin stuff as a local admin could.

-J

Re:They're full of crap (3, Insightful)

jonwil (467024) | more than 8 years ago | (#14880410)

This is especially true if (as is likely the case) the department involved is using specific software (e.g. the science dept might have scientific or math software that they use).

Allowing the department to manage it means that the guys who know the most about how to keep Matlab or LabView or whatever they are using running are the guys keeping them running.

Re:They're full of crap (1)

rp (29053) | more than 8 years ago | (#14881498)

Not only that, trusting other people with the machine you depend on for your work requires trust.
Trust is built by personal relationships - i.e. sharing lunch or at least anecdotes. The central guys,
as competent as they may be, will simply be too far away from most end users.

Once the remote admin thing is in operation, and end end user can see them working on their own
machine, and fixing things, the air my clear. But my feeling is that the hurdle will be too big for most users.
And I certainly wouldn't want any admin to look over my shoulder when I'm unaware of it.

Re:They're full of crap (1, Interesting)

Anonymous Coward | more than 8 years ago | (#14880541)

This is why I locked the "central" computer support people out of the computers in the tiny lab I manage. I dont know about you, but all my user accounts are limited accounts, and they still manage to get infested with spyware. Every machine in the entire organization gets spyware. I do know what I'm doing, and I resent people who come in like ghosts, mess with my configs without telling me, try to lock me out of the systems I'm responsible for supporting and then refuse to tell me anything about what they did. I manage my own systems, checking them for spyware and viruses using the limited tools I have with the budget I have (zero.) We do have a powerful antivirus program with central management capabilities, and you can bet I watch the activity on these machines. I patch them myself, I fix them myself, and I clean them myself. What do you do with people like me?

Re:They're full of crap (1, Informative)

Anonymous Coward | more than 8 years ago | (#14881034)

How the hell do you still get spyware if you've properly maintained the machine? Why are your "limited" accounts allowed to install software on the system?

I maintain a mix of about 300+ Windows, and Unix stations. None of the 100+ Windows Boxes I've ever maintained ever got spyware/adware/malware on my watch. I don't let users run IE carte blanche. Since I don't completely uninstall IE, I secure it with group policy. I set a group policy to disable features and block out Bad websites at the firewall. I also install firefox and opera, just because I like people to have a choice, and I can quickly turn off one or the other if there's a security hole awaiting a patch release.

Maybe you need to uninstall IE, Outlook and Outlook Express or just figure out how to set group policy to block users from being stupid while using them. If you can't figure that out, you should just uninstall these three biggest Viral agents. If you have any stand-alone IM clients, uninstall those too and if your users really need IM, install Trillian Basic or GAIM. Doing that will get rid of another bunch of Spyware/Adware. No matter how usefull you perceive the Google Bar to be, don't install it. If you aren't running a domain with NT based machines, you should definitely uninstall these Viral agents and force your users to use Firefox and/or Opera. Firefox might be better, since you can disguise it to look like IE.

On my watch, only one machine, an SQL server, ever got cracked, because I was not originally in charge of it. Even though it wasn't my job to maintain it, I was in charge of re-installing it. I took it upon myself to take over the machine after the second security breach. Once I took over, nothing bad ever happened on it. Those people running the box just weren't admins and shouldn't have been in charge in the first place.

Now, our group has just taken over another group's 200+ Windows only machines and I found a whole slew of problems. Stupid MCSE paper admins; a lot of MCSE's are just idiots. They enacted all the simple inconsequential security fixes, but left gaping holes in all the important stuff. The SQL server was probably hacked and has been under constant attack for last 3 years. Gigabytes of SQL logs, that they obviously don't check, go back 6 months showing cracking activity. Windows SQL or any SQL server should never be directly accessible to the entire world. They used IE to surf the web on their critical servers, since I see adware cookies, ebay, and other personal sites in the local Administrator accounts. I don't let anyone with admin priveleges touch IE on any of my servers. I used to download the patches manually, but some of them now require ActiveX to get to. I have a separate server with IE installed that I run windows update and download patches manually. If you want to surf the web, do it on your own workstation, not on a critical server.

Windows can be secure if you stay on top of things and lock things down properly. This goes the for unix, linux and OSX machines that I maintain as well. While there are much fewer critical holes in the unix world, it is not maintenance free. Anyone who doesn't keep up with security patches is an idiot and shouldn't be an admin. If you can't patch because of some software(I had a 2k server running SP2 until last summer because upgrading broke Clustering), then at least firewall it properly. There's no excuse for allowing an unpatched box to sit directly on the internet.

There's also no reason for any user to be able to automatically install software from IE, outlook, IM, or install any third party software without your permission. If you do it right, you get no spyware and no junk to clean. If you're getting spyware, I'd disable your admin priveleges too.

Re:They're full of crap (1)

thaWhat (531916) | more than 8 years ago | (#14881527)

I know he's an AC but how about an informative?

Re:They're full of crap (1)

RMH101 (636144) | more than 8 years ago | (#14881740)

You locked them out of your lab PCs? Is this like the classic "You're Fired", "You can't fire me, I resign!" conversation?

Re:They're full of crap (2, Interesting)

Anonymous Coward | more than 8 years ago | (#14880544)

This cuts both ways, you know.

I'm working in the developer group of an IT hosting services company. Until recently we had always been local admins of our own boxes, we had "direct" (read: 3 layers of firewalls) access to the internet so we could download patches, etc. and everything was rosy. With all the deadline pressures we hated *any* downtime so we made sure we didn't f**k-over our own machines, installed and maintained our own anti-spyware and anti-virus software (almost uniformly Ad-Aware, SpyBot and AVG), etc.

Recently, however, it was decided that the ISG group would take over admin'ing our boxes. Since then we've lost "direct" internet access having to go through a (not-so-)transparent authenticated and content-filtering proxy (which broke a number of our http apps), gained Trend OfficeScan (our machines are absolute dogs now, barely usable), gained Windows Firewall (CVS would *not* work, even with Application and port exceptions until we coaxed the admins to switch the damned thing off) and various machine-wide .NET settings have been f**ked-over by patches before we found out why. Thank goodness for override capabilities in App.config's.

The "Responsible Admin" has also come around trying to manually install some patches on our machines which he claimed couldn't be deployed by SUS. He so badly broke two machines that they had to be reimaged.

Granted, not all admins are so inept, but you get the picture.

Re:They're full of crap (1)

dwater (72834) | more than 8 years ago | (#14880593)

> ... People who believe that they 'know about computers' ...

How do you distinguish between people who believe they know about computers from those that actually *do* know? After all, you would (presumably) also claim to 'know about computers', right? ...or is it all about where you work? IE, if you work in the "IT Department", then you 'know', otherwise you don't.

Re:They're full of crap (3, Interesting)

Anonymous Coward | more than 8 years ago | (#14881176)

People who think they know about computers fuck things up. It does not matter where they work. I've seen people in IT royally Fuck up, because they only thought they knew. People who know about computers know not to patch so and so server or workstation to a certain level because some app breaks. I kept 150+ Windows workstations running because I kept notes.

You don't always need the Service pack to be securely patched. You need to know what is a critical patch and what is just a bug fix that might fubar a server. Just because Windows update tells you to patch doesn't mean you patch blindly. Firewalls, real hardware ones, not just software ones, are essential in this case.

You have to test your patches and need to know which ones you can back out of. You need to be able to re-image the machine back to its original state if you fubar a patch. Imagecast and ghost are great for these. You need to know what tools are available to you. I work in a small group under a slightly larger group that dictate the rules, but most of their windows admins don't know how to use the Windows resource kits or script things. They don't come from a unix world, so they all drag and drop. I do both Unix and Windows, so I know how to patch, compile, script, and program on both systems. I started as a programmer.

You need to know which apps require admin priveleges and how to set them up so users can still use them without giving them full access to fubar things. Filemon and Regmon from systernals are quite usefull for that. I also admin unix and unix users should not have or need any Admin priveleges to do their work. Unfortunately, in the Windows world, you have to do a lot more work to get Apps to work properly in user space. A lot of Windows programmers just don't know how to program for users. Many just set up their box and run as an Admin and forget about users, so they write all these broken apps that work Only for admins. Windows makes it a complete PITA to properly write apps for user space.

Visual Studio is just broken. I can't believe the number of people who waste time and use the IDE to build their entire projects instead of doing it 5-10 times faster by exporting it to a make file and run nmake. Yes Visual Studio can do Make files. Windows people are stuck to the GUI. It's a crutch. They like watching a useless GUI display things slowly. There's so many things on windows that can be done quicker and easier on the command line, unix style. You can compile faster. The IDE is a crutch. I can't believe so many users are using eclipse on Windows, an utter waste of CPU and RAM on both Unix and Windows. Eclipse just doesn't play nicely in Windows user space. I install it in c:\temp with full user control so users can clobber each other's work. If I had a choice I'd force them back to the command line.

Good admins don't come to fubar your machine just because it needs patching. They track the patches and install ones that work. They know which patches break things because they've tested them. The problem with Windows is that most MSCE certificates are only good for toilet paper. I don't put my faith on paper admins.

A good admin has some scripting and/or programming experience, a more common trait in the unix world than in the windows world. It's amazing how many MCSE's don't bother to learn either batch file scripting or VB. Both are as usefull as unix shell scripting. Windows only needs ssh to be able to match unix in ease of admining. Terminal Server is just a hog at times. It would be nice to have an ssh server always turned on instead of doing things in a round-about way when you wish to remotely script things on several machines securely.

Re:They're full of crap (1)

EngineeringMarvel (783720) | more than 8 years ago | (#14881815)

I have no idea why my immediate parent posted as an AC, but I agree with him 100%. I wanted to add though is that you never really know which IT people are knowledgeable until they actually do some work on your workstation. With that said, farming out the IT work makes it impossible for any client to know who is working on their workstation. At my current job, they use DameWare to assist with the quick problems and I have no issues with that, but when something even semi-major happens they send down Leroy and it's always Leroy. I like this because not only do I trust him, but everyone else around here does too because we A) know who he is B) know he gets the job done and C) will bend over backwards if we ask him to so we can make a deadline. To me, this is invaluable, especially when your hardware goes kaput one week before a huge deadline. Leroy was at my desk within 15 minutes our emergency and he had us back up in running within a half day. No way someone could have fixed that particular software problem from a remote terminal in a half a day. To answer the parent's article question, I say, getting rid of any company's or department's Leroy is a bad idea and in a way it's taking away a company benefit. Instead of farming out to remote terminals, mabe they should get a better IT manager who can effectively use 3 people to do 10 peoples jobs.

responsibility! (1)

RMH101 (636144) | more than 8 years ago | (#14881743)

it's not what you think you know, it's what you're responsible for. Your IT department are responsible for the integrity of the IT systems. Someone who works in a lab but likes tinkering may have knowledge about the IT systems, but they're not responsible for them: it's not their job.

Re:responsibility! (1)

dwater (72834) | more than 8 years ago | (#14881778)

Ah, so it's not that they think they know (since IT dept people also thing they know), nor whether they actually know or not (since IT dept people can also not know), but whether they are responsible if things go wrong. IE, it's because the fingers only point at the IT dept that's the problem.

Lets face it, people in IT departments are just as capable as screwing things up as anyone else. It's just because they get the blame that they claim they should have (type-A) 'control'.

IMO, the system should be changed so that not just IT people can get the blame. ...or implement some kind of system where it doesn't matter (so much) if things go wrong in some lab somewhere. Perhaps a network for which IT are responsible (eg only business critical applications) and a network for others (eg gurus and labs) and restrict routing between the two. At least then, it's eas{y,ier} to say it isn't my (whether that be IT or some guru somewhere) fault.

wow youre a prick (1)

hildi (868839) | more than 8 years ago | (#14880652)

youre tire dof getting blame for stuff so you become nazi BOFH.

if all the admins were like you i 1. wouldnt have any experience in computers 2. wouldnt have been able to learn linux in school 3. wouldnt have been able to solve dozens of problems at work

you sir, are the reason that PCs took over from mainframes.

Re:They're full of crap (1)

Fess_Longhair (695896) | more than 8 years ago | (#14880729)

Parsing through all the attitude in bluster in your post it is clear that you are not dealing with the same user base as the author (engineers or scientists). Although I'll get it if I ask, I don't want root privs on my machine, because when I ping my admin I want it to be his problem, not mine. Furthermore, I can build and install most code myself in ~/ without root privs.

Re:They're full of crap (1, Interesting)

Anonymous Coward | more than 8 years ago | (#14880734)

Oh, Mr. Insightful.

How glad I am, to be out from under your Reichstag ways.

We have many of you, where I work, MCSE BOFHs by the bucketfull, stomping about in your big important boots.

Our department got around you by running Macs, which you are inclined to preternaturally fear and loathe. Every drone in the office installs whatever they want, does their own maintenance, and helps the others when things go wrong. The only time we have a problem is when your IIS servers crash. Needless to say, your scary spyware and virii are not a problem.

Meanwhile, Vice Presidents above us are running crippled XP boxes and have to call the "Help" Desk to take a piss, much less download Firefox.

I don't miss you much.

Re:They're full of crap (1)

the_womble (580291) | more than 8 years ago | (#14880904)

My last job was in a software company that gave everyone who wanted it admin on their own PC.

People were a lot more productive because they could use the software they were happiest with (e.g. Firefox rather than IE makes a huge difference to anyone who uses the web for research rather than entertainment).

On the other hand the place I worked at with the most central control, had some obviously badly configured PCs - e.g. access to a remote serve was given to anyone who logged in to a particular PC, rather to particular users.

What it seems to boil down to is whether you want to make users productive or the IT dept productive.

Re:They're full of crap (1)

kbolino (920292) | more than 8 years ago | (#14881045)

It should be noted that utilites like ntpasswd can grant any user access to any local account, including Administrator. Of course, the users who know how to do THAT generally fall into a more select group, and are probably working on the wrong side of the IT line.

and? (1)

RMH101 (636144) | more than 8 years ago | (#14881748)

local admin can still be restricted by group policy in the windows world. our users can crack local admin, but they still have account restrictions that stop them doing anything *really* bad that might threaten the integrity of our network.

Re:They're full of crap (1)

jibjibjib (889679) | more than 8 years ago | (#14881644)

Microsoft Spyware

...

Re:They're full of crap (1)

Detritus (11846) | more than 8 years ago | (#14881704)

Here, hold on to these wires, one in each hand. Our department is doing a study of the feasibility of replacing the dump resistors in our high-voltage capacitor banks with IT nazis.

Unapproved software? What makes you think you have a clue as to what software a scientist or engineer needs to do their job?

Re:They're full of crap (1)

ltbarcly (398259) | more than 8 years ago | (#14881957)

It's easy. They submit a list of all the software they need, and it gets installed. If they need more software, it get's installed. If they're using UNIX, they can install it locally.

From your post it is clear that you are one of the people who 'know what they are doing'. I'm a nazi because every time some person ruins their computers installation I have to take time out of other important things to image their hd, although sitting around waiting 20 minutes for a hd to image does give me an excuse to go to slashdot.

As I said, authority should not exceed responsibility. If they don't fix it when it breaks, they shouldn't be in a position to break it, unless they MUST have such authority to do their job. People simply do not need root to do work. Unix is designed that way, intentionally. Windows works just fine without root, and be assured it will be configured with every program you need (because if you need it you can ask, the admins exist to facilitate you in the end, which includes preventing YOU personally from causing yourself loss of work through negligent security practices, and protecting others from losing work through your ability to gather spyware and viruses and intrusions).

Don't confuse policies 'you don't like' with 'things that are not good'. It is tempting to see the world this way, but it isn't accurate. Sometimes you will not get all the cookies just because you threaten to cry, because there are other people in the world besides you who also want cookies.

Re:They're full of crap (1)

Alan Shutko (5101) | more than 8 years ago | (#14882077)

And in the meantime, they've wasted two weeks while you get around to their software, and then you've done it wrong because you don't know anything about the package they're trying to use.

If you complain about taking 20 minutes to image someone's HD, I'm surprised you don't complain about taking half a day or more to install all the custom software each person needs to do their individual research.

This is not a company with thousands of identical worker drones. Your perspective is incorrect here.

(Even at my rather large Fortune 500 company where there are IT controls in place, there's an exception process for development so that we can install our own software. Strangely, I haven't met anyone who has hosed their windows install and needed a respin. We do get them occasionally, but only when getting a new machine, new OS, or new hard drive.)

Re:They're full of crap (1)

ltbarcly (398259) | more than 8 years ago | (#14882136)

I haven't met anyone who has hosed their windows install and needed a respin.


You also have no idea what is installed on your network. Probably almost all of your IP is going out the door, straight to competitors or hackers.

People don't need to install software on a daily basis. If they do need custom software, you dispatch a 'worker drone' to them and they can install the software while the person looks on and helps if necessary. The point is that commercial software will rarely cause a huge security problem so long as the person running it does not have admin rights.

Keep in mind that it is NEVER good to run any OS with admin rights for normal use. Of course, since you 'know computers' you know all about that.

Re:They're full of crap (2, Insightful)

swillden (191260) | more than 8 years ago | (#14882565)

Probably almost all of your IP is going out the door, straight to competitors

Odds are, so is yours. The difference in your case is that it's carried out the door by pissed off ex-employees. Most of it innocuously, in their heads, as they take their accumulated experience and expertise to go work for your competitors, but at least some of it deliberately and with malice aforethought.

As a consultant I've worked for a lot of different companies and I've noticed a very strong correlation between companies without draconian IT policies and those that are successful, innovative and with happy development teams. Good companies tightly manage the systems of most of their employees, but recognize that software developers, network engineers and other IT staff are happier and more productive when allowed to manage their own systems. Good companies provide such users with tools and (if necessary) training on how to keep their systems secure, put reasonable policies in place (e.g. root/Administrator logins are not allowed, virus scanners are required (for Windows), screen locking must be turned on, etc.) and perform resonable due diligence in ensuring that the policies are followed, but allow the more technical staff to manage their own systems. Crap like not allowing experienced users to install software on their own machines just pisses people off and reduces productivity.

People don't need to install software on a daily basis.

True. I rarely install software more than two or three times per week. Still, it's often enough that I'd really hate to have to wait for some semi-clued 'worker drone' to come do it for me.

Re:They're full of crap (1)

Ex-MislTech (557759) | more than 8 years ago | (#14882179)

You might install spybot and turn on the Tea Timer on these machines, also
any other security app that monitors processes and has lockdown on new registry
entries without authorization might work in it's place .

http://www.safer-networking.org/en/faq/33.html [safer-networking.org]

Tea Timer can be a bit annoying if you install a lot of new software/plug-ins/extensions
or other bits of code that engage the monitored regions, but the alternative is being
"owned" by the latest method of backdooring the M$ OS yet again .

Ex-MislTech

Sounds like a wonderful idea to me... (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#14880401)

Create one central point through which someone can hijack every single computer on your university network. Then, just to be sure, institute a policy making the backdoors mandatory.

Is this poster serious?

Re:Sounds like a wonderful idea to me... (0)

Anonymous Coward | more than 8 years ago | (#14880431)

Replying to my own post: I shouldn't have been so quick to blame the poster. He seems to be opposed to the policy.

The point stands, however, when applied to the administrators in charge.

Re:Sounds like a wonderful idea to me... (0)

Anonymous Coward | more than 8 years ago | (#14881969)

Poster is but not willing (allowed?) to say so out loud

Seems alright to me (4, Interesting)

BobPaul (710574) | more than 8 years ago | (#14880408)

I don't have any experience with LanDesk, but I think remote management/remote control software in general isn't so bad. If it's just remote control, that really isn't any big deal and comes in quite handy if you ever do have to call them for help.

If they completely lock down the machines and take away your admin privilges, well that's life and it can be good or bad. Most often this is only a problem if need to install software and once this has been deployed for a short time and things are running more smoothly again this, too, should be relatively painless; just call or send an e-mail and someone can type in the password and install it. This kinda depends on the strength of your IT department, though. When I was in highschool the instructors machines were secured tightly and there wasn't enough staff to assist in installing software, preventing teachers from getting work done occasionaly. That was an extreme case, though (1 guy, hired as the Video Productions instructor, doing IT for the whole building...) I would expect that in your case it shouldn't be too painful.

As a disclaimer, I am an IT guy and our engineering college at the university has it's own IT group that engineering student fees pay for. I know our professors (and students) were less happy when IT was managed by the main campus group; we're more responsive and less politically hampered.

Well at MYYYY university... (1)

RasputinAXP (12807) | more than 8 years ago | (#14880454)

Users have no expectation of privacy beyond "We don't go digging into your files unless you ask us." To wit:

Access to the University computing resources is a privilege and must be treated with the highest standard of ethics. The University expects all members of the community to use computing and information technology resources in a responsible manner, respecting the public trust through which they've been established, the rights and privacy of others, the integrity of facilities and controls, and all pertinent laws and University policies and standards.

  Although all members of the University community have an expectation of privacy, if a user is suspected of violating this policy, his or her right to privacy may be superseded by the University's requirement to protect the integrity of information technology resources, the rights of all users and the property of the University. The University, thus, reserves the right to examine material stored on or transmitted through its facilities if there is cause to believe that the standards for acceptable and ethical use are being violated by a member of the University community.


On Windows machines, our remote access software asks for permission. It's a hassle in we-the-supportings' eyes because if someone decides to get up and grab a cup of coffee or something we're stuck with our thumbs in your pie until you get back.

Conversely on the Macs, there's no "Do you want to allow this user?" involved at all.

If I had it my own personal way, every machine would have RealVNC on it, with local user lockout so that they can't screw around while we're remoting to their machine.

Re:Well at MYYYY university... (1)

LordEd (840443) | more than 8 years ago | (#14881258)

On Windows machines, our remote access software asks for permission. It's a hassle in we-the-supportings' eyes because if someone decides to get up and grab a cup of coffee or something we're stuck with our thumbs in your pie until you get back.

if that's using the built-in remote control, it is possible to adjust the policy under the user's profile in active directory to allow administrators to remote control without asking permission first.

"their computers" (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14880461)

"their computers"

There it is right there; the beginning, middle and end of the problem, and it's your own damn fault. You have allowed, through neglect and indifference, the notion that use implies ownership. Truth is they don't own the machines you're trying to manage any more than they own the pavement they park on. Not the hardware, data, software, accounts or anything else involved.

I recommend you farm out the blame. Yes, it's possible to pay someone else to take the blame for your mistakes. Auditors work well for this. Get the powers that be to pay Qualys or some other security auditing outfit to examine your system, produce a crop of guidelines, rules and regulations, and make the system users sign it. Put abbreviated versions of this on the bottom of every email document, on the enforced home page of every browser, in the sign-on message of every feasible system and application. In the end the only real value this produces is the unambiguous understanding that the assets do not belong to the users.

Do this or suffer quietly. Your choice.

Re:"their computers" (0, Flamebait)

KlomDark (6370) | more than 8 years ago | (#14880647)

Um, your point? (Other than let us all know you are a bureaucratic control freak?) Where do you profit by devoting all this effort into stamping into everyone's head that they do not own the computer?

The 'My' in My Machine can also mean "The machine assigned to me by the company to get my work done'.

Let me guess, you're from the psuedo-side of IT - the Fix-It Monkeys, rather than the software developers. All you do is play with install disks and poke around with config files. Both the software on the install disks and the config files were not created by you. You're a trained monkey, nothing else. You're not an artist, you're a tracer.

Re:"their computers" (0)

Anonymous Coward | more than 8 years ago | (#14880663)

You're not an artist

People who confuse computing with art get outsourced.

Re:"their computers" (1)

KlomDark (6370) | more than 8 years ago | (#14880671)

Whoosh! You totally missed the Kevin Smith/Banky Edwards reference.

Dial-out assistance (2, Insightful)

phorm (591458) | more than 8 years ago | (#14880468)

What I'd prefer, is something cross-platform that would let my user's dial me. Really, there's not much need to poke into a user's machine when no help is needed, and for the mostpart I have a heck of a time dealing with friend's who have VNC, but haven't configured the router, etc to let me in.

I control my own inbound routing, so having the ability to control which connections are sent through the routing machine to my PC would make it much easier for me to have other's "dial-out" for assistance from me... rather than having them configure a router to allow me to "dial-in" to their machine.

Re:Dial-out assistance (2, Informative)

cjunky (89004) | more than 8 years ago | (#14880497)

VNC can do this. You start the "Viewer" in listen mode (on your computer), and have the vnc server do a remote connection out to you from their computer. I have had to walk people through doing this when their router went poof @ one of our offices one day, and was able to get back in and redo the routing since I couldn't get it from the outside. Of course, it doesn't have a good way to wrap ssh around it, but nothing can be perfect.

Re:Dial-out assistance (4, Informative)

BobPaul (710574) | more than 8 years ago | (#14880559)

Of course, it doesn't have a good way to wrap ssh around it, but nothing can be perfect.

Simple! Just install an SSH server on your computer and create an account for them to connect to.
1) Have them download putty
2) Send them a PDF showing exactly what to configure (for the port forwarding)
3) have them connect with the username/password you created
4) Have them send the request to local host.

You could blend steps 1 and 2 togther by creating an MSI or something that pre-configures putty with a connection for your computer with the proper port forwards.

Oh wait... you wanted a good way, not just a way...

If only there were a windows vnc that bundled the ssh somehow...

Re:Dial-out assistance (1)

phorm (591458) | more than 8 years ago | (#14880582)

I never even realized PuTTY could do port-forwarding for other apps. I generally SSH linux-linux but I'll have to look into this. Thankee!

Re:Dial-out assistance (2, Interesting)

Baricom (763970) | more than 8 years ago | (#14880614)

UltraVNC [uvnc.net] does one better - they provide a small server app that only runs when the user is calling in to you. All of the settings - IP, port, you name it - are custom-compiled into the EXE, meaning they're locked out. You just double-click the program and push the shiny "Connect button." It even supports built-in encryption.

I've run into two problems that make it a challenge to use, for now: the encryption is buggy and sometimes won't connect, and as far as I know, the VNC protocol it serves has some non-standard stuff that won't run on Mac or *NIX VNC clients.

Dial-in, not dial-out (0)

Anonymous Coward | more than 8 years ago | (#14880637)

I have my Mom's Windows system set up to connect to me with PuTTY and VNC. I have a static IP, she doesn't. So she reads from the cheat sheet that I made for her, clicks one icon to start a preconfigured VNC server, then clicks another icon to start a preconfigured PuTTY client, and types in the passphrase for the SSH key. The PuTTY ssh session forwards the VNC port to my firewall. I ssh into my firewall, again forwarding the VNC port, and start the VNC client. I don't have to be at home to do this, all I need is a VNC client and the ability to ssh into my firewall.

You can VNC between any two systems with unknown IP addresses by tunneling through sshd on a third system with a known address. Three-way (or more) ssh tunneling is quite useful, once you figure out the syntax.

R T F M (1)

woolio (927141) | more than 8 years ago | (#14880859)

Hey you, RTFM!

Vnc has supported this for quite a while.

The mods must be on crack today...

Re:R T F M (1)

phorm (591458) | more than 8 years ago | (#14880950)

Erm... no. If I RTFM on every since application I used I'd be done in about 20 years from now, assuming I didn't find new ones to RTFM from.

Re:Dial-out assistance (1)

Schraegstrichpunkt (931443) | more than 8 years ago | (#14881357)

I don't know about software, but Copilot [copilot.com] is a service that's designed to simplify the whole process of remote support via VNC.

Although their server-side proxy software isn't available, the source code to their "client" (which is based on the VNC client and server) is available under the terms of the GPL [copilot.com] .

HIPPA and Remote Control (4, Interesting)

GJSchaller (198865) | more than 8 years ago | (#14880508)

Something to consider that may not directly apply here, but will in related fields, is the legality of a non-authorized person having access to data, even though they administer a system. Specificaly, it is against HIPPA regulations for someone to look at medical records without permission or need for their job. For example, an IT guy would not be allowed to look at a medical record on someone's screen, if, say, they remoted in (or walked by, or had network access to a share).

This is a tough line. Someone other than the authorized personnel needs access to the files to be able to do the techie admin stuff. At the same time, they should not be looking stuff up, as it's illegal and an invasion of privacy. The whole thing of "Who's PC is it, ITs or the User's" adds another party, the person profiled in the data on that system. (Usually, it's the employer's PC, but that doesn't stop users, esp. ones with Dr. sized egos, from feeling & acting otherwise.)

I've worked in a hospital using Seagate / Funk Software Proxy. We had it set so that we could remote to a desktop, but the user had to grant permission to see the screen. Usually, this resulted in a decent situaton and an understanding - the user would clear all sensitive data from the screen before accepting, and if they got surley and decided not to accept, they got pushed to the bottom of the priority list (and they knew it). In return, the IT staff didn't abuse this ability, and for the most part would rather read slashdot than check out someone's PC. ;-)

Re:HIPPA and Remote Control (1)

jipis (677451) | more than 8 years ago | (#14880619)

Specificaly, it is against HIPPA regulations for someone to look at medical records without permission or need for their job. For example, an IT guy would not be allowed to look at a medical record on someone's screen, if, say, they remoted in (or walked by, or had network access to a share).
Now, IANAL, but I think you've just shown yourself the loophole. If there's a reason for the admin to log into that machine and he sees information that's there that he "shouldn't see", it's actually ok. Why? He needed to see it in order to do his job. Yeah, it sounds a bit nit-picky, but I think I might perhaps possibly have something of a leg to stand on with this.

-J

Re:HIPPA and Remote Control (1)

malkavian (9512) | more than 8 years ago | (#14881832)

Hmm.. I'm the database admin for a hospital over here in the UK, and there is absolutely no restriction on me seeing any medical data.
It all passes around the hospital on the networks, is intercepted by the interfaces to the internal databases, and ends up on my servers.
Now, I've signed many a form which amounts to "If I release any of the medical data, I'll never really be able to work in IT again", which I consider a fair clause.
Everyone in the tech department is basically bound by the same agreement.
If anyone is found to abuse the privilege, the consequences are dire. Thankfully, everyone has a healthy lack of curiosity in that area (frequent trips past the operating theatres do that for you).

Re:HIPPA and Remote Control (1)

GJSchaller (198865) | more than 8 years ago | (#14882134)

The UK sounds more lax than the US in regards to medical record privacy - we're not even allowed to look at the stuff, w/o clearance. There was a good cartoon at a nurses station where a wife came to pick up her husband from the hospital - by the time she cleared security, identification, and all the paperwork acknowledging she was indeed his wife, he had gotten tired of waiting and took a cab home... The sad part is, it's pretty much accurate.

THEIR jobs (4, Insightful)

msbsod (574856) | more than 8 years ago | (#14880526)

The whole thing is not about better support, privacy, security, whatsoever. People are using the Internet since two decades. No, those who deploy such software and restrictions only want to secure their jobs. It is that simple.

Re:THEIR jobs (1)

pintomp3 (882811) | more than 8 years ago | (#14881222)

and the number of viruses and crap on the internet has gone down in two decades? i think it's the otherway around. management wants to reduce the cost of support. we don't use anything like this, but stopped giving users admin rights on their desktops a few years ago. we used to have 4-5 ppl staffing the helpdesk, now we only need 1. i think this is the way support will happen in the future. though i don't agree that just anyone connecting to the network should have to install it. if they are responsible for fixing my office machine, i'm fine with it. but not on my personal laptop.

Re:THEIR jobs (1)

RMH101 (636144) | more than 8 years ago | (#14881780)

absolute crap. consider the following:
1) excessive restrictions are bad
2) excessive support calls are bad
3) your network being compromised or going Foom! is bad
4) restricting some areas of a client PC reduces likelihood of users messing with stuff on their client that will need fixing
5) restricting some areas of a client PC reduces likelihood of users messing with stuff that will threaten the integrity of the network

it's all about balance. IT are there to do a job, just like you are.
Let's take one example: users at our site being irritated they can't change their screensaver from a dull Win2K screenlock to pretty fishes. Sounds petty? It's there because it turns out we have a legal requirement to lock unattended workstations to show due diligence in security - we work in a very tightly regulated industry.
This doesn't mean that you should lock down *every last thing* though - if it can't cause harm or there's a business case for it, let them have it. If you're not sure, don't allow it until a business case has been made.

He who pays the piper calls the tune (0)

Anonymous Coward | more than 8 years ago | (#14880546)

Who paid for the computers? If department paid out of its budget, it should manage the computers. If the central IT department paid, then they should manage them.

This isn't a technology issue. Any time that authority and responsibility become decoupled, it's a sign of poor management. If IT is responsible for keeping the computers running, then they need the authority. If the department wants the authority, then they get the responsibility.

Follow the money. Whoever has power over the budget is who is responsible for managing the resources purchased with that budget.

A decent solution (1)

marcus (1916) | more than 8 years ago | (#14882619)

That's about how it works here.

We were fed up with lost productivity, the M$ only policy, and slooooow response from IT when we finally fragmented and broke away from IT after an M$ virus took down the net and several of our machines. BTW, that was a nicely executed power play by our PHB. Now there is a firewall/filter/cache between us and the rest of the company network. We(three of us whenever needed) manage our own mix of M$/Sun/Linux/and now even an Apple, boxes. We don't have to wait for IT to come and install something, or build, or buy something new. We just do it. All we pay IT for is bandwidth.

IT infection (0)

Anonymous Coward | more than 8 years ago | (#14880567)

The whole central IT management is like herpes. Once you caught it, you never get rid of it.

STAFF... Autonomy... privacy... (4, Insightful)

tverbeek (457094) | more than 8 years ago | (#14880616)

One of my first questions to those mandating this change is how many more people they're going to give my department to perform these duties, and how you all are going to be trained to be familiar with the other department's apps. This is a pile of work being dumped in your lap.

As for your questions, I don't think the privacy question needs to really become an issue. Pretty much every place I've worked in IT or Tech Support, I've had system privileges that gave me access to damn near anything on institution-owned equipment, from the president's e-mail to the custodian's bowling-league stats. And I've told them that... with the assurance that even though I could get at this stuff, I had no intention of doing so. I'm too busy to monitor people's private stuff and it's none of my damn business. I tell them that techies are just like janitors: we have keys to everything. {shrug}

What's likely (hell: inevitable) to become an issue is autonomy. If people have to come to you to do things they're used to being able to do themselves, they'll understandably resent you for it. The only solution I can suggest to that problem is to give them the same level of service they're used to getting from themselves. e.g. If they want some software installed, you get the software installed. ASAP. (This is why you probably need more staff.) If you make it clear to them that you're trying not to get in the way of their work, they'll resent it less. And when you can't deliver, or have to say "no", they'll hopefully be more understanding if they know it's not just you being a control freak or lazy or not caring.

We lock them down, and have remote access (2, Interesting)

phoenix_rizzen (256998) | more than 8 years ago | (#14880682)

We do something similar. All the computers that go out to users are locked down with DeepFreeze, with TightVNC installed (with a nice Helpdesk icon on the desktop). We don't do remote management, just remote control and remote support.

The staff just love it. When they have a problem, can't remember how to do something, or come across a strange error message they don't understand, they just call the helpdesk, start TightVNC, give us their IP, and we take control of their desktop. We can show then how to do things, read the error messages for ourselves, watch as they go through the steps. Cuts our call times down, gives the users a greater sense of support, and virtually eliminates the "spend 20 minutes driving to a site to spend 5 minutes fixing the problem" kinds of workorders. Now, the onsite techs are only sent out for major problems.

The choice of LANDesk... (1)

SanityInAnarchy (655584) | more than 8 years ago | (#14880949)

The choice to shell out money for what's essentially VNC?

Or, what's the difference?

Maybe there's some cfengine-like stuff going on? But in that case, why not use cfengine?

I would not want to give control to a bunch of admins who jump over the first shiny product that comes along, without being aware of the free (as in beer) solutions that already exist. If they make stupid purchases, they'll probably make other stupid decisions.

Re:The choice of LANDesk... (2, Interesting)

tyldis (712367) | more than 8 years ago | (#14881416)

I'm not familiar with LANDesk, but I assume it's similar to VNC. I do use DameWare at work, which is VNC on steroids.
It can install itself on the client, and you can do a lot remotely without bringing up the screen of the luser. I respect their privacy and often try and fix stuff in the background while they do their job. If I need to have their screen I phone them up and ask for permission. Then I go in and they see a big warning that I remotely took control.

In the beginning I was worried that the lusers would question privacy, but none have done so since I installed DameWare a year ago. When asked, they feel confident in that popup warning.

As a single admin responsible for 10 servers and 260 lusers spread across 6 locations (two of which require boat for access, one require a 2 hour drive...) this is absolutely godsent. Those long travels are replaced with radio links and remote management and everyone is happy.
Before this the luser had to wait up to weeks for me to find time to dedicate an entire day to traveling and fixing their small problem.

Cheap too!

For patches I use WSUS and for software deployment I use Group Policy (AD is the directory service around here, Windows on desktops, but mostly Linux servers).

Re:The choice of LANDesk... (2, Informative)

BobPaul (710574) | more than 8 years ago | (#14881503)

The choice to shell out money for what's essentially VNC?

Or, what's the difference?


If you google LanDesk you'll see it's a full desktop support package, along the lines of Novell's ZenWorks product line: remote control, application deployment, desktop imaging, etc, etc, etc. VNC only fills one piece of that puzzle.

My experience is only anecdotal, (5, Insightful)

munpfazy (694689) | more than 8 years ago | (#14881243)

But, I've worked in three somewhat different academic research environments.

1 - One central admin for all the desktop machines in a massive department, no one else gets root on any machine.

2 - One central admin who is mostly an advisor, people are allowed to administer their own desktop machines if they want.

3 - Free-for-all, in which most groups have one or two principle computer gurus who handle multi user servers and almost everyone administers their own desktop machines.

#3 is far and away the best. In #2, no one that I knew of actually took them up on the remote administration option, essentially reducing it to #3. #1 was a nightmate for everyone. When the deparment computing committee tried to talk everyone into switching to something closer to #1, we all resisted fiercely and eventually they backed down.

In an environment where people are actually using their computers as research tools, rather than as expensive notepads with which to writeup the results of their research, it pays to place control at the lowest feasible level. Every time a user is forced to ask someone else to fiddle with software, it adds *days* to what should be simple tasks.

Sure, you create an occasional security risk when a bad user fails to install patches. But, there's no comparison between the number of man hours spent on dealing with those sort of incidents and the amount of wasted energy in trying forcing every minor change to go through a central administrator.

In a computer lab or a corporate environment, you might be able to make a case for central administration. For academics, it's just crazy. (And I suspect enforcing it will just drive everyone to switch to personal laptops instead, in addition to pissing them all off.)

Dunno about LANDesk (1)

biglig2 (89374) | more than 8 years ago | (#14881629)

But at our company we use Netsupport Manager, which amongst many useful features has an option to require the user sitting at the computer to click a button to allow the support engineer to connect. This allows us to reassure the user that we won't take over their computer without their knowledge.

I Wonder (1)

ratboy666 (104074) | more than 8 years ago | (#14882086)

I wonder if the LANDesk client runs under Windows under VMWare.

A honeypot of sorts.

Not Good (1)

the eric conspiracy (20178) | more than 8 years ago | (#14882172)

My experience working in a R&D role in a major corporation with outsourced centralized support was very frustrating. Support was geared towards secretaries and business managers using MS-Office and some AS-400 applications over a terminal emulator. Anything other than that and you had problems because it wasn't covered under the support contract. If I needed to run an NMR modeling tool that required extra RAM on my PC, forget it. That was a non standard configuration and thus you weren't allowed to order the stuff needed to make it work.

Eventually we were able to get an exception for so-called 'scientific instrumentation' but that stuff wasn't allowed to connect to the site network, which was some brain-damaged token ring thing.

In any scientific enviroment you are going to have out of the box requirements that a central support organization isn't going to be able to handle - if you don't you aren't doing your job. You had better get consideration of that in any IT support/management plan up front.

We're set up this way (1)

CXI (46706) | more than 8 years ago | (#14882487)

I have to manage three physically separate offices, so remote administration is the only way to go. Almost everyone is on Windows XP so we just use a domain policy to allow us to offer unsolicited remote assistance to the users. They get a request for us to connect and a chat window to talk with us (although I do prefer to call them on the phone first, or have them call me). If it isn't a problem directly related to their session, then we Remote Desktop in for software installs and other administrator level issues after they log out. It's all built right into Windows, which, despite what many people here seem to think, has some very robust enterprise level abilities.

LANDesk (1)

ajkst1 (630286) | more than 8 years ago | (#14883321)

Everybody is going on and on about remote access, which is fine and should be a topic to be disucssed and not a policy handed down from on high. Unlike VNC, LANDesk is a remote MANAGEMENT package. Yes it has remote control software built-in, but it is also an inventory system (which is an absolute godsend when you can't find a PC) and a software distribution system. I work for a very very large company and LANDesk allows us to deploy software in hours in what would take days to do by hand. Instead of doing all installations by hand, we can push a "package" with the installation options preset. It's very helpful in upgrade situations and the packages can still be run by hand later if the machine wasn't connected to the network doing the push (e.g. laptops).

Yes VNC is a free (as in beer) and very good piece of software, but in the grand scheme of things a remote management package is much better, especially for a medium to large network. As for the current "gurus" who manage the individual departments, I would say don't just cut them off and leave them for dead. They are still helpful and many people still trust them. I would say that this is more of a consolidation of resources and will allow for better service. To ease the pain, I would probably give access to the LANDesk console and allow the "gurus" to play a part in the support world. Nothing beats having someone in the field that knows the lay of the land and the people in it. I would say go forth with LANDesk, but don't immediately cut off the previous "gurus"
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>