Do end users in your company call the help desk looking for assistance with applications unsupported by the company? Or worse, when your tech support analysts visit user workstations to troubleshoot, do they find problems are the result of the installation of unauthorized hardware?

If so, you’ve got trouble, my friends. When anybody in the company can install applications or add new hardware, the results include an undue burden on tech support, security breaches, loss or compromise of data, proliferation of viruses, and increased use (waste) of precious network bandwidth.

So what can you do to prevent end users from installing software or hardware? I can answer that question in just one word: policies.

Specifically, I recommend you establish written policies that define who can install what on company computers. Then, wherever possible, put in place network operating system policies that prevent users from breaching your written policies.

Whose call is it to lock down user machines?
Help desk managers have a duty to protect company assets by reporting any unauthorized software and hardware installations. But what specifically can the help desk manager do?

The answer depends on how your information technology department is staffed. In some shops, the same person who administers the network is also the person who oversees technical support operations. In other shops, the help desk manager may have to get buy-in from the network administrator to establish security policies or to physically lock down user machines.

No matter who has ultimate authority over the network, the help desk manager is usually the first person to learn about unauthorized installations. Users inevitably make the mistake of calling for help getting Quake to run on the network or installing the nifty new USB port they bought over the weekend. Help desk analysts should inform management as soon as they find out someone is installing (or trying to install) unauthorized applications and devices.

Written policies the help desk can sponsor
The problem with trying to tell people they can’t do something is that they’ll push back. They want to know why they can’t just install whatever software or hardware they need on their machines. Without any policies in place, users may assume they can do whatever they darn well please, with or without help from the support team.

One way to eliminate confrontations with users is for the help desk manager to write policies that specifically outline what users can and cannot put on their machines. Put those policies through the normal corporate approval policy, publish the approved policies on the intranet and make sure departmental managers in the organization get the word out to their teams.

Your policy statements don’t have to be long-winded. Here are some samples that you can adapt to your shop:

  • The [Company] help desk department shall provide technical support and services only for those applications and devices that have been approved by the information technology department.
  • No software or hardware of any kind shall be installed on any [Company] desktop, laptop, or server computer without prior approval by the information technology department.
  • No unauthorized access or attempted access to the [Company] network via wireless connection of any kind is permitted. Wireless data connectivity is limited to evaluations or projects sponsored by the [Company] data network services team. Wireless access must be secured based on supporting standards.
  • Remote access to the [Company] network is granted only for legitimate business needs, and that access must conform to data security, audit, and regulatory requirements set forth in related policies and supporting standards.

You can sum up these policies in this way: “Nothing goes on company computers unless the information technology department has certified and approved its use, and nobody gets access to the network except by approved methods.” To give such policies administrative teeth, you may want to define specific consequences or penalties for anyone who violates them. At the least, you should authorize the tech support staff to uninstall any unauthorized software or hardware whenever it’s encountered.

Once policies are in place and have been communicated to end users, the help desk has an out that lets it refuse to provide support or help to an end user who does something against official company policy.

Network policies to back up the written policies
In one of the Fortune 500 shops where I consult as a technical writer, the network administrators and the help desk analysts joined forces to define the standard user configuration for end user desktop machines.

In this Windows 2000 environment, the standard user image is locked down by Group Policy Object (GPO) settings, or collections of settings that define the system and how it will behave for a specific group of users. For select power users and IT staff, the policies were less restrictive. However, for most end users, the following rules were in place:

  • No A or B drives. New end user machines are deployed without A or B drives. Machines already in service had those drives deactivated by policy.
  • The autorun feature is disabled for machines that have CD-ROM drives.
  • No Run option is available on the Start menu.
  • The number of Control Panel applets has been pared down to the bare minimum. Conspicuously absent is Add/Remove Programs.
  • The following file types are prohibited from running at any time: *.msi (Microsoft Install programs), *setup*.* and install*.* (no setup or installation programs of any kind will run), AOL*.* (because the company doesn’t want AOL’s Instant Messenger running on its network), and quake*.* (because the company doesn’t want users chewing up bandwidth playing Quake).

With such policies in place, even if users open the box and install a new video card or their own modem, Windows 2000 won’t let users see the new device. The policy protects the system at the level of the Hardware Abstraction Layer, affectionately known as HAL.

In this shop, the GPOs are managed using FullArmor’s Zero Administration (FAZAM 2000) for Windows NT, a third party graphical tool that broadens the functionality and flexibility of Group Policy management under Windows 2000.

Lock them down now or clean up the mess later
Some of you may believe that policies that require locking down end user machines are too restrictive. Some of you believe companies should allow end users as much freedom to install applications or configure machines as they like.

If the users in your organization can be trusted to add or remove hardware or software, more power to you and to them. And if you don’t mind providing help desk support for the picture-maker-of-the-month and gamers on the network, more power to you.

Be forewarned, though. The first time a user inadvertently launches a virus or brings down the network, you’ll wish you’d locked down your machines.

How do you lock down your end user machines?

To comment on this Help Desk Advisor column, or to share your own tips for keeping unwanted devices and apps off your network, please post a comment or write to Jeff.