Locking Down Users - Knowledge Needed

By tom.day
When I accepted my current position as NT Systems Admin three years ago, I was extremely naive about the problems users can get themselves into; and, as most of the already-existing users had been given Administrative rights to their workstations, I didn't attempt to change that policy.
Fast forward three years.
I just did an internal audit of the software installed on workstations in my company, and the results are appalling. After discussing it with my boss and the fellow responsible for desktop support and the helpdesk, I've decided that we've got to lock down all desktops and laptops.
I'd like to collect information from those of you who have had to do this before or who work in an environment where the users have always been locked down. What increased load can I expect for my helpdesk? Is there a good way to allow laptop users to install their own printers? How do you handle screensavers (can the users pick their own)? In short, tell me everything you know, either on this forum or via email. Looking forward to a lot of responses. Thanks.

74 total posts (Page 4 of 8)

All Comments

Keep them locked

by Quest4 In reply to Lock 'em up for sure!

I administer a medium-size network, and when I started, the first thing I did was lock almost everyone down. I use a little-remembered program called Poledit, and I run the PC and user profile with the login script. I now have very little administrative work because no one can mess up the original setups. If you're not locking them down now, all I can say is start.

Security is Inconvenient

by Nels In reply to Locking Down Users - Know ...

No doubt about it, change is hard. For the user and IS staff.
Users will always complain about change no matter what, especially if you limit their ability to play Duke Nukem. First you must get the backing of the upper management. Tell them what you're going to do and how it will help problems. When you implement your plan and the complaints come, and they will, explain to them that it is necessary and that it isn't any easier on you. (At first) You will be busy fixing problems initially, but once the initial shock sets in and the murmur of complaints has settled, your job will ease. Because the problems caused by user/administrators will no longer be a problem. Persevere.
"This job would be great if it weren't for the users"

Locking Down On Users

by Dave Lodwig In reply to Locking Down Users - Know ...

Currently on my Windows NT network I disallow any software installs and changes to the machines to be made by anyone but me. This stops any software licence problems and/or probs with pirate software, as well as stopping them from breaking the settings on the machines: less work fixing things, for a bit more effort supporting users.

Locking Out Users

by abi2 In reply to Locking Down Users - Know ...

I quite agree with most of the comments made with regard to this issue by other techies. However, whatever change you decide to implement, my advice would be to spend a lot of time on planning it before you go ahead. The word is consultation with all parties involved, i.e., Helpdesk engineers, etc. Documentation of all procedures and communications with all users are vitally important, as you may find that a number of them would most likely object to the new changes. Good luck.

by mitchell.love In reply to Locking Down Users - Know ...

We tried locking down floppy drives, disabling them in CMOS and password protecting the CMOS. But our management keeps changing and we end up having to unlock them. You are right, it is much better to lock systems down, especially when you are short staffed, but the problem is getting management to back us; when complaints start, management usually backs down.

Lock 'em down

by SJD In reply to Locking Down Users - Know ...

Where locked-down PCs have worked the best is where the PC build has all rights taken from users except those needed to run the applications they need. Access to floppy disk drives and CD-ROM drives is removed, and a valid reason must be authorised before the user has access.

The right to change screen savers is removed and a default company screen saver is used.

Get approval from Directors and senior managers for this new tightening of computer access.

Prepare the users for the change by running seminars and e-mailing users. Make sure users know the software that will be made available to them and what procedures are in place to get new software installed/certified on the PCs.

The most common comment from users is "I had X installed and it is critical to what I do and it will not be on my PC after the new build; how can I do my job?". I have usually found that the software they are using is legacy software that they are used to working with and brought with them when they joined the company, and that the company standard software will more than meet the needs of 90% of users.

The other problem area is developers who will want to install all sorts of .dll and add-on files for their environment. I will build their PCs to the standard build and give them full access to their PCs, but make them aware that any problems with their PCs are down to them and corrupted, unusable machines will be rebuilt back to the standard build.

Laptops are harder to lock down as users need somewhere to store documents when not connected to the network. Again users can be prevented from installing software that is not authorised.

As always with change education of the users to the benefits both to the company and to them for the new tighter policy on PC builds will help reduce the number of calls to the helpdesk. Involve key 'Super users' in the design of the new build and half your job will be done for you.

Old School Thought process

by jpgohan In reply to Locking Down Users - Know ...

Being from the old school, I believe in the administrator having the control and deciding what they want the user to do and not to do. Every PC in my network is locked down; even the Executives do not have the power to make modifications to the desktop or the file structure. All software is monitored by me and the IT staff, and all requests for new software have to go by us first. After we have tested it and made sure that there will be no problem with any of the rest of the applications running on the network, we install it on the PC or PCs that need to have the software. The end user then has to sign a checklist stating what software is installed on their system and that we monitor the PCs to make sure that no software has been installed. If software has been installed on the PC then management is notified and the employee is terminated for violating the Security of the network. If you have a few (5-10) users you do not have to take it this far, but if you have more (10-!!!) users it is good to have a good strong security stand and the backing of management. Remember it is your job to keep the network up and running and Secure. It is better to start from the inside and work your way out.

Lock-up NT / Save Support Calls

by mbodnar In reply to Locking Down Users - Know ...

We have had a great deal of success locking down our NT workstations. We currently run some 200 different odd applications across campus. It has minimized calls about the OS freezing or crashing because someone has installed an errant app. If we do get a call on a blue screen, 99% of the time it is hardware related. It does take a bit more planning and setup, i.e., we prime the computers with print drivers so users can add printers as needed. There are some tweaks (permissions edits) necessary in the WINNT directory to get MS Office to work properly. If you have laptops (roaming users), they will likely need a local username as well to allow them to log on when not connected to the network. In our operation, users can still install apps which do not write to the registry or WINNT subdirectory, but this typically limits them to (DOS and a few self-contained Windows apps). SCE, Drive Image and/or Ghost are all wonderful tools to assist you with implementing a workstation configuration and security standard. We have several checklists we run through during system builds which I would gladly share. Let me know.

Lockdown Info

by C. M. Higgins In reply to Locking Down Users - Know ...

I work as IT Security Manager for a large Department of Defense hospital. As such, there is a huge military turnover and keeping users informed of the security policy is an ongoing effort. Locking down the workstations has been a real life-saver. Although command policy stresses that software shall be loaded only by the IT dept, users are constantly downloading and installing from the Internet. The virus problem alone was tremendous.

Microsoft has a white paper available on its web page if you have NT: Microsoft Windows NT Server White Paper. This has grand advice on NT security features. Of course, caution is necessary. Usually, it is best to implement and test one thing at a time on a few systems before deploying to all of the workstations. Good luck!

Locking Down Users

by elmer.santiago In reply to Locking Down Users - Know ...

First of all, I would recommend that you get the backing of management before implementing a lock down policy.

Secondly, if accepted by management, I would then explain to the end user community that a new corporate standard is going to be implemented over the next couple of weeks, basically from department to department.

The introduction of the new corporate standard desktop should be presented in person, one department at a time, with an example desktop. This way most questions and misconceptions can be answered up front.

Thirdly, like most computer-based environments, exceptions to the rules will come up. Users are going to say, "I need to be able to do this or I need to be able to do that." Requests to free up desktop policies must be done in writing (via memo form) and explain that such requests have to be reviewed by the IT staff.

The problem with most computerized companies you'll find is that the job was done right the first time. The deployment of the PCs as the company computerized wasn't well thought out and if it was, the staff necessary to implement was not there. You can't do it all; however, with adequate staff, you can turn things around. One tip, I would approach management with the cost savings idea of standard desktop since cost savings is what they like to hear most.

Emer Santiago
System Administrator
