Security

Each of us accepts the responsibility for our actions. We try to convince ourselves that we are techs and are therefore above the common users, when in fact we are all humans and can be fooled. If we take the correct measures on our own machines and the machines we take responsibility for, then we feel that all is good in the world. The wolves are out there and its time we stopped acting like a bunch of blind sheep!

The majority of home and SMEs run on admin because it is just too difficult for them to run as a user and then find that many things don't work.
What would be nice is a revamp of the old 1988 Flushot, (It warned user if command.com was altered.) that would lock the registry and keep a backup of it for restoring, and lock the program files folder.
I use Frisks fp-win and when I run the ONDemand scan, it finds all the nasty stuff, keyloggers, rootkits, winnuke, BO2k, kkill, etc EVEN WHEN they are stored as zip files with a password.
I keep them in a normal ntfs folder for use, if required.
It even finds some nasty Linux sw that are kept as tar.gz... stored in a fat32 /download file.
It always, of course finds eicar.vom and netcat.
Its the small firms with 2 to 10 PCs that have the most trouble as they lack the skills to run the systems. The limit of their IT is often the European Computer Driving Licence, and those are the knowledgable ones. I remember at one meeting finding that the term "Firewall" was unknown to most. Some don't even update their anti-virus.

The European Computer Driver's License is called the Internet and Computing Core Certification (IC3) in the United States. This is the most under-used and under-rated certification, in my opinion. Note that this is a USER certification, not a TECHNICIAN certification (like A+).

so if you take away installing software, 'all **** breaks loose'.

I'd suggest all **** is likely to break loose once your PCs are loaded with programs that conflict (salesperson here installed new vsn office by herself), and rootkits, spyware, and unknown to your company (often unlicensed) copies of myriad other software

You are referring to a commercial environment. My post referred to a home user. There is a world of difference. The two in my opinion cannot be compared.

I also said, if you have a good policy and admin, you're unlikely to be affected anyway.

There are always exceptions to the rules..

Policies that are not strictly enforced by higher management, "special" users, laptops ... all of these have potential to be damaging inside an office environment and in some, the IT Staff just has to grin and bare it.

I was paid very very well to come in and help clean up a corporate network from Nimda/Code Red ... all it took was one user not to read the policy and poof everything was spreading.

But if management are not enforcing policy properly, they only have themselves to blame when things go pear shaped - don't blame IT, we told you so!!

A well written policy will allow for the deviations you mentioned, but hopefully, those with the "higher" privileges, will be aware of the damage they can potentially do and therefore act accordingly. If that is not the case, one has to ask if these users really should have that amount of freedom in a corporate environment.

As regards reading policy, it is my belief that all new employees, should have it spelt out to them during their induction period and *before* they are ever allowed access to a company computer. Relying on people to read the company policy, is akin to asking an eight year old to read the EULA before loading the latest game. It just does not happen.

I know... and our policy they have to sign.. we narrowed it down to a single page of don'ts .... but of course they don't remember them..

and as for a few of the ones that have higher privs .... several are owners ...

An example... we send an email telling all employes a new virus is spreading, some may already have it in the box.. etc etc..

if it looks suspicious don't open it, if its unexpected, don't open it..

not more than 30 minutes later after a read receipt for an owner & manager comes in.. the email comes.. I got this file from a previous employee and friend, I tried to open it but it didn't do anything .. the email didn't even make sense, can you figure this out for me?


at that point they had to put the straigh jacket on me before I went out to roll the jeep over the person 50 or 60 times..

what you are saying is a sad fact of modern computing. For every "convenience feature" there is an equal attack. So all of these features must be turned off. Computers shouldn't be run in admin rights. Its too dangerous.

Everyone blames the companies (especially Bill and friends) but the real problem is us (as in human beings, not in computer specialists). We keep believing the myth that computers are appliances and are easily accessable by the masses. They are not. Computers are not appliances that can be easily manipulated by anyone. Its an advanced skill set with some complicated subtasks.

The "personal computing revolution" was based on a premise that is totally violated today. A "personal computer" was designed to be a stand alone, never connected to a network entity. That is why its called a personal computer! As soon as it is attached to a network (to include the internet) it becomes a networked computer and all the rules are changed. We keep changing the rules for our convenience, and we have created the monster.

DOS/Windows varieties were not originally meant to be used on networks. They are 100% invulnerable as long as they are connected to nothing else! And that was the plan, I think. Ease of installation is a good thing on a stand alone machine. On a network, its a nightmare. Admin rights on DOS/Win 3.1/95/98/ME etc is unnecessary because it was meant to be stand alone. All the networking stuff is added on later.

Just my take on this. I don't know if you've ever read the essay "It All Began With the Command Line" but that author addresses this problem (and he addressed it around 10 years ago too!).

I cannot think of a more timely or astute observation on this site. Your post should be framed and on the wall in every single help desk, and IT Center on the planet.

Just because you can do something, does not mean tha tyou should do something.