Your NT workstations are plagued with personal downloads and unauthorized software. Last week, a virus via screensaver corrupted the entire network. You’ve thought long and hard, and a lockdown seems like the most viable solution. But your already-overtaxed help desk staff has enough to do. Will the aftereffects of a lockdown create more harm than good? Is it really the best option? This selection of reader mail offers some advice for the undecided network administrator.
Avalanche of help desk calls
Initially, a lockdown means more work for the organization’s help desk. Member Jkelly offered this warning: “After you lock down your users, you will experience an immediate increase in help desk calls. Be prepared. The help desk staff must have detailed instructions on what they can and cannot do for users. You will need support from your boss so there is no misunderstanding.”
Bill Powers recommended careful consideration when implementing a lockdown. “Unless you implement version control of software, standard software suites, common configuration of stations, profiles, scripts, admin helper utilities on the workstation, and remote admin capabilities, (just to name a few), I would expect the job of the help desk to become overwhelming. Things the users were fixing on their own now become a problem.”
Member Thaight suggested that despite the increased demands on the help desk staff, a lockdown will prevent later, more severe problems. “You would have to give the help desk staff access to this admin group in order to install software. They will have to do all installs, but it beats having to go back numerous times to fix a corrupted OS when the user downloads the latest beta software or that shareware program that contains a Trojan horse that infects your entire network.”
After restricting access to things such as Network Neighborhood, the System shortcut in Control Panel, Desktop Background, and Screen Saver, Andrew.Brown, who works in an organization with about 2,000 Win95 machines, said, “We have avoided several things that have actually reduced our number of support calls…. We had a lot of space taken on the servers storing downloads of screensavers, etc., which is no longer an issue.
“We are now considering making a few items of freeware/shareware available from our intranet as downloads, such as Winzip, because users seem to download and install them anyway. At least that way, we can virus-check the download first.”
What about users who move around?
When you consider the preexisting demands on help desks and IT departments in dynamic office environments, where employees are often moved around to different workspaces, a lockdown can add significant stress to an already-pressed team. Network manager Packratt offers a solution that can accommodate both mobility and lockdown. “If your NT users authenticate to a Netware network, the perfect solution for you may be ZenWorks by Novell.
“We create application objects on a test machine, and ZenWorks records the changes and stores the application install on the network. When we assign the application to a user (or users), the icon will appear on their desktop. When they click it, the program will install with no other action on our part. After that, the application will run when they click the icon. These applications follow the user, not the machine, so if they move, they still have the same desktop and settings. They can modify their desktop if you let them, or you can force changes on your own from one place.
”No more desktop visits, no more unlicensed software, no muss, no fuss. It made me a happy network manager!”
Member Simon agrees on the benefit of ZenWorks in locking down NT. “I am working for a department that does user support for over 2,000 computers, some of them 1,000 kilometers apart. With ZenWorks, you have features like remote control of computers that are far away.”
Policy vs. lockdown
Not everyone advocates lockdowns as the best solution to crowded and corrupted workstations. Member Aparsons agreed that there are benefits to limiting a user’s ability to alter his or her desktop but ultimately finds policy to be the best preventative measure. “It would be far better that the senior management of the company lay down the strict policies on what a user may or may not do. I know it sounds mean, but all users should be told that the installation of anything other than software authorized by the IT department is a disciplinary offense and will be enforced by senior management.
“Any user who then installs unauthorized software and/or is caught messing in areas where they shouldn’t be will be in real danger of losing their employment.”
Jeffc also supported the company policy approach. “I agree that policies should be enforced at the flesh-ware end. Everything about the computer and the network is the property of the company, and users should be told what's acceptable and what is not. In our company, no one installs anything except the IT department. Unfortunately, that's just a policy and it’s difficult to enforce, but I still feel people come first.”
When departments rely on policy instead of a lockdown to keep users in line, managers must be held accountable for the activities of their staff. CET Geo wrote, “We use a chargeback system for tracking IT expenses, and the department manager's monthly report of IT expenditures definitely shows the time and expenses spent in freeing up hard drive space or eradicating a virus due to Web surfing or downloading unauthorized programs. With all I have going on in a day, I don't feel it is my responsibility to police workstation usage.
“I do, however, run biannual software audits (obviously I work for a semi-small company), and I provide abnormal findings to the department managers so they can properly manage their employees.”
Send us an e-mail and tell us how your organization was affected by a lockdown. Start a discussion below or send the editor an e-mail.