Best Practices for corporate desktop lockdown?

By ZalTech
I wanted to get some input regarding this topic. Here's why (let me apologize in advance for the book):

I work in an organization that only uses local workstation policies for workstation control or conformity. We have about 3000 workstation nodes.

We don't have any written policy for workstation lockdown or deployment procedures.

We could use Zen or AD (we have a hybrid Novell/MS environment) to enforce group policies, but we don't do this. Neither NALs nor MSIs are used to install applications in a consistent manner (most apps are installed manually after the base image is loaded, then (occasionally) the installer's profile is copied as the default profile).

The workstations (Win2K) are locked down by tweaking the rights on the image (removing user rights to folders like WINNT and Program Files and to most parts of the registry). I ran some registry exam/repair tools and found that the base image has over 100 registry errors before it is joined to the network or any apps are even loaded. Often when there are application errors the desktop support team adds users to the local Admin group to resolve problems, a supposed no-no, but with no written policy...

Users cannot add their own printers, but even when printers are loaded by support personnel there is no consistency as to drivers or descriptions.

Patches and such are usually pushed using EPO (ePolicy Orchestrator) or occasionally Novell Workstation Manager. These patches are rarely ever tested before pushing so applications break on a pretty consistent basis.

I have worked in other (larger) organizations that seem to work much more efficiently so I am wondering if it is just me or does this process seem a bit unwieldy?

I guess my real questions are these:
1) Does desktop support control workstation security policy in any other organizations?
2) If so, does anyone else enforce security at a purely workstation level as opposed to using system policies of some sort?
3) Does the desktop support area dictate to the server support area when they can have access to the Zen Server anywhere else?
4) Any suggestions for hard data to show more effective and manageable ways?

Thanks, FrustratedSupport
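The post above mentions support staff adding users to the local Admin group with no written policy behind it. The following is an added example (not from the thread or any poster) of how a defender could audit that drift: it parses abridged `net localgroup Administrators` output collected from each workstation and reports members that a written allowlist does not permit. The CORP domain, hostnames, accounts and captured output are all constructed for illustration.

```python
import re

# Constructed policy for a standard workstation image (hypothetical CORP domain):
# the only principals that belong in the local Administrators group.
ALLOWED_ADMINS = {"Administrator", "CORP\\Domain Admins", "CORP\\Desktop Support"}

# Constructed, abridged captures of `net localgroup Administrators` output, keyed
# by hostname, as a login script or inventory job might collect them.
SAMPLE_CAPTURES = {
    "WS-0001": """Alias name     Administrators
Members
-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\Desktop Support
The command completed successfully.
""",
    "WS-0002": """Alias name     Administrators
Members
-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\Desktop Support
CORP\\jsmith
localtech
The command completed successfully.
""",
}


def parse_members(net_localgroup_output):
    """Return the set of names listed between the dashed rule and the trailer line."""
    members, in_list = set(), False
    for line in net_localgroup_output.splitlines():
        line = line.strip()
        if re.fullmatch(r"-{10,}", line):
            in_list = True      # dashed rule: the member list starts on the next line
        elif line.startswith("The command completed"):
            break               # trailer: the member list is finished
        elif in_list and line:
            members.add(line)
    return members


def find_admin_drift(captures, allowed=ALLOWED_ADMINS):
    """Map each host to the local Administrators members the policy does not permit."""
    drift = {}
    for host, text in captures.items():
        extra = parse_members(text) - allowed
        if extra:
            drift[host] = extra     # only hosts that deviate from the allowlist
    return drift
```

Feeding real captures from all 3000 nodes into `find_admin_drift` gives a per-host list of unauthorized local admins that can be reverted and tracked over time.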


Top management is the key

by Ocean1 In reply to Policies

To start a new policy in a corporate environment it is wise to prepare a report in which you specify the threat and the solutions to the problem. Meaning that if you want a security policy to take place you need to justify it to the top dogs first, so when people find out they don't have the same liberty on network resources for security reasons there will be no going back to less security, because you used all the right channels and people's complaints are pretty much null.

Re: Management needs to be involved

by The Computer Doctor In reply to Management needs to be in ...

The fact that you need written policies from management has been stated clearly, so I will just agree with everyone who has mentioned that already. You could get a great automated system set up, but if management doesn't back up your decisions you're going to get flak from all directions.

I am a one-man show managing 200 workstations at a small K-12 school and ZenWorks makes my life much easier! You have way too many workstations to be doing this manually. Doing things manually just adds errors and inconsistencies. What drivers are installed? How are those drivers configured? Did the MS Office installation get the same configuration? ZenWorks eliminates these problems. ZenWorks also has the ability to "fix" broken applications it has installed. This can be done by the user without tech support, if they can right click, then left click.

The fact that you have ZenWorks and AD running gives you 2 powerful methods to choose from.

What version of ZenWorks are you running?

Using ZenWorks is the direction I would suggest based on these factors.

1. You own ZenWorks, so there is no added expense. (holds true for AD also)
2. You have a sister company that is willing to help you get up to speed with ZenWorks. (This would be enough for me. I had to learn and setup everything as I went. I am still fine tuning and it has been three years.)
3. Staying consistent between the two companies is an added bonus. In a crisis situation IT from your sister company can "help" without having to learn about your system first. They would already know a great deal about your system.

Swimming up stream

by rstoebe In reply to Best Practices for corpor ...

You are looking for a technology solution for a culture/organizational problem. You need a top-down security commitment that you do not have. When different parts of an IT infrastructure are not working for the same security goals you have the issues you are talking about. Your issue is not about which tool. It is about policies, standards and procedures with senior management commitment. If you have some of these already, either they need to be updated and added to, or they are being ignored. There are a lot of big companies with the same issues.

Policies point to the products to enforce them not the other way around

by zaferus In reply to Swimming up stream

You need to first set your policies, then look for products that will fit that need, not the other way around.

When you try to work within the confines of a product, you'll always have to work around it as you grow.

The best thing you can do is first define your user policy by going to the top level and asking them who they want to be in charge of setting up your IT usage policy.

Then get these people locked into deadlines to get the policies set up. The best way to get this part done is to have a list of things they need to cover and decisions they will have to make. These policies will be as much fun as a root canal without freezing (I know from experience...), but they will set the framework for expectations, enforcements, and consequences for your organization. Try to look as far ahead as you can when you set these up as changing a policy can be tough once everything is set up.

There are a lot of different ways to enforce policies, from GPO (with or without a DC), Deep Freeze, ZenWorks, or a lot of other commercial products, but you need to always keep in mind that your policies should drive your product choice, not the other way around.

There are many ways to set up desktop policies, but only one that will be right for your organization!

Basic Policy restrictions

by dfritzke In reply to Best Practices for corpor ...

We use Active Directory to push both computer and user policies out. I agree with many others about the need to have these policies written and published. We have used other tools like ScriptLogic but found that the cost does not justify the means.

Have fun and good luck!

by minterh In reply to Basic Policy restrictions

Not only do we use Active Directory, but we tweak the image registry before deploying our workstations. We also have written and enforced policies, which is a must. The only drawback that we face is the fact that some workstations and/or users are too restricted. These restrictions sometimes conflict with needed resources. Good luck.


RE: lockdown policies

by vandergawc In reply to Best Practices for corpor ...

I think the real answer lies somewhere between all of these posts. A top-down, management-backed policy decision is required to minimize grumbling from the users and lend legitimacy to your new strategy ("hey, I'm just enforcing the policy..."). In order to get management to make this decision, a solid business case will definitely be required. The good news is that this case should be extremely easy to make, given the fact that you already own ZEN. Some simple math illustrating how much time you and your team spend dealing with issues caused by users running amok, times your average hourly rate, should be convincing. For good measure, be sure to highlight how all of those projects that you've had to shelve could have been done by now if you didn't have to constantly run around putting out fires. Managing workstation lockdown on a node-by-node basis sounds mind-numbingly painful to me.

We use ZEN for Workstations at our company very effectively, and we have nowhere near the number of workstations that you do. This one is a real no-brainer.

Zenworks is good, here's another one...

by wcox In reply to RE: lockdown policies

I've also seen "Deep-Freeze" deployed (albeit mostly at schools). It basically disallows the saving of any changes to a system and can be deployed network-wide with the upper-end version...


AD works for me

by zenkyoki In reply to Best Practices for corpor ...

In the company I work for, we have a massive AD system that allows for a top-down lockdown approach. While our security department maintains the rights allotted, our support staff has admin rights (to a certain degree) that allow them to effectively troubleshoot and configure workstations.


by ZalTech In reply to Best Practices for corpor ...

I wanted to say thanks for all of the posts and assistance offered. We had already presented the case several times, as suggested by many posts, as we went through 3 different CIOs. Our biggest problem is we have no leadership, no cohesive IS direction, and our most recent CIO also lacks the ability to provide any kind of vision. Well, that may not be true: his vision (or at least his handler's vision) is that most of IS will be outsourced to CSC (yes, the Ascension Health contract recently announced).

As it turns out our so called "leadership" has completely missed the boat. Although reluctant, I feel I must move on as I am just plain tired of constantly having to battle over what should be done or explain what I do over and over and over, only to be marginalized with platitudes and ridiculous suggestions like - "I thought we were going to work smarter?" that have no hope of succeeding without executive buy-in.

Thanks again for all the helpful suggestions, and maybe I can use them somewhere that at least has a vision.
