<?xml version="1.0" encoding="UTF-8"?><!-- generator="bbPress" -->

<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
>

<channel>
<title>Virtual Computer Forums &#187; Topic: User Admin Rights</title>
<link>http://orbit.virtualcomputer.com/forums/</link>
<description>Join the discussion</description>
<language>en</language>
<pubDate>Thu, 09 Feb 2012 10:46:52 +0000</pubDate>

<item>
<title>Evan Karp on "User Admin Rights"</title>
<link>http://orbit.virtualcomputer.com/forums/topic/user-admin-rights/page/2#post-80</link>
<pubDate>Fri, 21 Aug 2009 18:46:17 +0000</pubDate>
<dc:creator>Evan Karp</dc:creator>
<guid isPermaLink="false">80@http://orbit.virtualcomputer.com/forums/</guid>
<description>&#60;p&#62;Sorry for the late post. Admin rights is an issue we are frequently dealing with. On our student computers (college owned and managed) we not only lock them down as tight as reasonable, we use Windows Steady State (formerly Shared Computer Toolkit) and DeepFreeze to undo any changes a student may make. (Think of inappropriate pictures as wallpaper...) One reboot and all changes are dumped. However, it is a major pain to do simple software upgrades as each pc must be rebooted, unlocked, modified, rebooted and re-locked. Sometimes it is easier to re-image the whole lab.&#60;/p&#62;
&#60;p&#62;For our users we like to keep things locked down, but don't go to such extreme measures. For desktop users we keep them at normal user level. This is sometimes messed up when a tech upgrades their priv level to install software and they forget to remove the priv. We generally give laptop users admin rights to prevent late night support calls when the C-level can't get their laptop to connect to their home wi-fi network because they can't change the network settings.....&#60;/p&#62;
&#60;p&#62;[Admin Note: Originally posted by tficarra]
&#60;/p&#62;</description>
</item>
<item>
<title>Evan Karp on "User Admin Rights"</title>
<link>http://orbit.virtualcomputer.com/forums/topic/user-admin-rights#post-79</link>
<pubDate>Fri, 21 Aug 2009 18:45:41 +0000</pubDate>
<dc:creator>Evan Karp</dc:creator>
<guid isPermaLink="false">79@http://orbit.virtualcomputer.com/forums/</guid>
<description>&#60;p&#62;Integrity:&#60;/p&#62;
&#60;p&#62;The biggest issue with trying to alter the Access Denied issue is that it is a Microsoft thing. They have dictated that. If they were to allow for customized messages I think the world would go insane. Still, it's something.&#60;/p&#62;
&#60;p&#62;The other alternative is to remove the options from the UI so that you aren't able to access your desktop settings. The problem with that is a user KNOWS from their home machine what they can do and would be puzzled by not finding it on their desktop at work and so generate a call to the Help Desk.&#60;/p&#62;
&#60;p&#62;I think the best solution is managing users' expectations from the moment they step in the door. You have to be upfront and tell them why certain actions are taken and then remove those options from the UI so they are quickly forgotten.&#60;/p&#62;
&#60;p&#62;In the virtualized world, or in a MS SteadyState world, these issues are less important. If a user has a non-persistent desktop then simply having them reboot will reset everything. Once again, that could be a problem for the user but it's just the way it needs to be. The other option is to keep the desktop persistent but allow the user to manually reset the image if needed. This is probably the best hybrid solution I have seen to date.&#60;/p&#62;
&#60;p&#62;Restricting by USB device ID is something that ReflexMagnetics had done for awhile. I believe they are now part of Pointsec and consequently part of Checkpoint. It is also something Guardian Edge had built into their encryption software. There is a complexity with those applications in managing that and an overhead from the administrative side such that when we evaluated our encryption vendor those features were completely dismissed by management. Still, an environment that needs it should have the option to use it.&#60;/p&#62;
&#60;p&#62;[Admin Note: Originally posted by randyf25]
&#60;/p&#62;</description>
</item>
<item>
<title>Evan Karp on "User Admin Rights"</title>
<link>http://orbit.virtualcomputer.com/forums/topic/user-admin-rights#post-78</link>
<pubDate>Fri, 21 Aug 2009 18:45:22 +0000</pubDate>
<dc:creator>Evan Karp</dc:creator>
<guid isPermaLink="false">78@http://orbit.virtualcomputer.com/forums/</guid>
<description>&#60;p&#62;Our organization will provide a user local admin rights to their computer. We are an insurance general agency and many of our users have multiple pricing software from the carriers we represent. They must be able to update the pricing updates as they become available or it may cause pricing which is out of date and that tends to make our clients look elsewhere if we cannot provide the current prices on our policy options. We do limit certain sites and software types from being installed on corporate computers through web appliances that block them from unauthorized access. Yes, problems do occur, but they cannot always be blamed on the users. There would be no time to address these problems if all of our time was spent installing updates.&#60;/p&#62;
&#60;p&#62;[Admin Note: Originally posted by jelledge]
&#60;/p&#62;</description>
</item>
<item>
<title>Evan Karp on "User Admin Rights"</title>
<link>http://orbit.virtualcomputer.com/forums/topic/user-admin-rights#post-77</link>
<pubDate>Fri, 21 Aug 2009 18:45:11 +0000</pubDate>
<dc:creator>Evan Karp</dc:creator>
<guid isPermaLink="false">77@http://orbit.virtualcomputer.com/forums/</guid>
<description>&#60;p&#62;Loving the reaction. &#60;/p&#62;
&#60;p&#62;I think that part of the middle ground we seek, is in the way it is explained / communicated to the user, and vice versa how the desires and workable exceptions are communicated back to the User Admin Police.&#60;/p&#62;
&#60;p&#62;Here is a suggestion far on the non technical side and may be missing the point, but hey it's just a thought. When I try to do something the laptop doesn't want me to do, it would be great if a well thought out response popped up to explain why it won't let me.&#60;/p&#62;
&#60;p&#62;Randyf25's explanation of the reasoning is so much more compelling than &#34;access denied&#34;. Moreover the examples offer compelling evidence as to why access has been denied and this could help appease the user in his/her moment of frustration and might even teach them a thing or two.&#60;/p&#62;
&#60;p&#62;I am not saying that a philosophical deconstruction is feasible in a pop up note, but a middle ground between that and &#34;computer says no&#34; would make me feel that I was being treated like a respectable human. &#60;/p&#62;
&#60;p&#62;Here is another analogy open for criticism:-&#60;br /&#62;
Parent says to child, &#34;don't do that&#34;, child replies &#34;why not&#34;, parent replies &#34;because I said so&#34;....... Result = child has not learned anything other than to be submissive.&#60;/p&#62;
&#60;p&#62;It is this kind of closed communication that doesn't help toward a goal of better education that we should seek. We can't give up on the idea of better educating the user (despite the many barriers of impracticality) and likewise we must promote the free flow of communication back to the User Admin Police to break down the admin/user enemy divide. &#60;/p&#62;
&#60;p&#62;As for the like it or lump it - &#34;life is not fair&#34; answer. I agree, but that is no reason to give up trying to make it fairer, or at least a little easier to swallow.&#60;/p&#62;
&#60;p&#62;[Admin Note: Originally posted by Integrity]
&#60;/p&#62;</description>
</item>
<item>
<title>Evan Karp on "User Admin Rights"</title>
<link>http://orbit.virtualcomputer.com/forums/topic/user-admin-rights#post-76</link>
<pubDate>Fri, 21 Aug 2009 18:44:41 +0000</pubDate>
<dc:creator>Evan Karp</dc:creator>
<guid isPermaLink="false">76@http://orbit.virtualcomputer.com/forums/</guid>
<description>&#60;p&#62;Alright, now we are getting somewhere! I think part of our goal is to create some middle ground between the needs of IT/management and the needs and desires of users. We expect that there will still be some organizations that choose to lock things down tightly, but our goal is to provide more granular options. For example:&#60;/p&#62;
&#60;p&#62;- The option to give users the ability to have admin rights to install applications they need on a temporary basis (e.g., hotel printer, WebEx plug-in), but then snap back to the standard image on a reboot.&#60;br /&#62;
- Offer the option of running a personal virtual desktop and a locked down corporate virtual desktop side-by-side with full isolation from one another but with things like fast switching, application window compositing, and audio mixing. Steps could be taken to keep any personal apps off the corporate network by connecting the personal desktop to an external network/DMZ.&#60;br /&#62;
- Allowing for more granular filtering of USB devices. Instead of it being limited to allow all / deny all USB, we can already filter by USB device class. We got a great recommendation from someone today to offer filtering by USB vendor ID, so IT can set a policy that only a specific type of USB hard drive that is encrypted and secure by default can be used.&#60;/p&#62;
&#60;p&#62;We probably won't immediately be at a place day one where IT and end-users are in perfect harmony, but we have definitely made it our goal to make major steps in this direction.&#60;/p&#62;
&#60;p&#62;[Admin Note: Originally posted by Doug]
&#60;/p&#62;</description>
</item>
<item>
<title>Evan Karp on "User Admin Rights"</title>
<link>http://orbit.virtualcomputer.com/forums/topic/user-admin-rights#post-75</link>
<pubDate>Fri, 21 Aug 2009 18:44:22 +0000</pubDate>
<dc:creator>Evan Karp</dc:creator>
<guid isPermaLink="false">75@http://orbit.virtualcomputer.com/forums/</guid>
<description>&#60;p&#62;Integrity - Believe me, the people who make those decisions are aware of the implications to employee morale from the policies that are put in place. The problem is not usually because of a tinkerer but because of enterprise wide user ignorance.&#60;/p&#62;
&#60;p&#62;The arguments you make are common amongst every group who has ever had to deal with those policies. It's easy from a user standpoint to say that you won't cause any harm. This may be true, but you would be in the minority and it's a very small minority.&#60;/p&#62;
&#60;p&#62;In our environment users are granted Power User rights. This is far more rights than they should have and because of it IT operations are inherently inefficient because we are routinely called to repair the mistakes of a user. It's not the background that's the problem (although sometimes corporate backgrounds are used to provide relevant information). It's the screen saver, the spyware, the weather bug applications, the google toolbars, etc. that wreak havoc on LOB applications that cause the problem.&#60;/p&#62;
&#60;p&#62;In a perfect world the users of the systems would all have competence on how to use a computer or be trainable. In the real world this simply is not the case. Users are the enemy and they are so because they are ignorant of best practices. I've done quite a few observations of user actions and in the past 10 years there is little improvement in user behavior. We've tested our users not more than 2 weeks after warning them of email scams and they still fall for it. We've watched them repeatedly click Yes to whatever pops up on the screen. We've tested our users against social engineering attacks and they repeatedly continue to fall victim to these things. This is why there are computer policies in place to block access to USB drives. Yesterday we had an employee lose a USB flash drive. It had patient data on it (against posted policy) and it was not encrypted (also against policy). Nevertheless, it's missing and now we're in disclosure mode. Posted policies simply are not followed by employees (something I had argued for in turning off USB drives here). We can't simply tell the people whose data may have been compromised that a single employee acting stupidly caused their data to be exposed. It does not absolve us of ANY responsibility. Had we enforced a policy to mitigate against these circumstances we would not be in this boat.&#60;/p&#62;
&#60;p&#62;A few years ago we had an incident where an employee had chosen a desktop background that apparently was deemed offensive by a different employee. Because one person complained the decision was made for that area to lock their desktops so wallpapers could not be changed. It's simply easier to prevent the behavior. In this case it was not some risque background, it simply depicted something someone found offensive. If I am not mistaken it had to do with hunting or something. It did not depict a dead animal, etc.&#60;/p&#62;
&#60;p&#62;Your reference to the mall does not apply here because the entire existence of the mall is to SELL to customers. Obviously locking all customers out of the mall would be counterproductive and negate the mall's reason to exist. In the corporate world the reason to exist is to provide benefit to the company so that it may satisfy its customers/shareholders. Blocking backgrounds and access to USB drives does not prevent that from happening. It may negatively impact some employees (such as yourself) however it also provides improvements in other areas.&#60;/p&#62;
&#60;p&#62;It's not an easy decision to place limitations upon users. Even outside the IT world the process of taking something away from someone is more difficult than having never provided that same service. There is a sense of loss and certainly a feeling that you are no longer trusted. Unfortunately you work for a company along with many others and sometimes the actions of a single or small group of individuals is enough to force action against all. How else do you explain copy protection? A small group of people pirate software, music, movies, and there are laws in place that prohibit many of us from enjoying music, movies in a way that we would like. A person hacks the DVD encryption scheme and we get the CDMA clamped on us. Life is not fair, and if you don't like the rules you have to play by then you are free to choose a place where the rules are more to your liking or to put yourself in a position where you make the rules.&#60;/p&#62;
&#60;p&#62;[Admin Note: Originally posted by randyf25]
&#60;/p&#62;</description>
</item>
<item>
<title>Evan Karp on "User Admin Rights"</title>
<link>http://orbit.virtualcomputer.com/forums/topic/user-admin-rights#post-74</link>
<pubDate>Fri, 21 Aug 2009 18:44:05 +0000</pubDate>
<dc:creator>Evan Karp</dc:creator>
<guid isPermaLink="false">74@http://orbit.virtualcomputer.com/forums/</guid>
<description>&#60;p&#62;I could and would love to philosophise about User rights until the cows come home (pardon if this English phrase does not translate well). I hope I can rouse some responses from the policy police on this panel. &#60;/p&#62;
&#60;p&#62;I am a victim on the user side of this battle for rights and whilst I fully understand the need for policy, restrictions and preventing a free for all, I could give you examples of instances where the policy is counter productive to efficiency but my concern is where the line should be drawn. &#60;/p&#62;
&#60;p&#62;I am not a tinkerer like some of my colleagues and am pretty happy to work with standard settings, but the tinkerers spoil it for the rest of us. Because they want to mess with technical settings, I can no longer change the wallpaper on my desktop to the latest picture that I feel would motivate me throughout the day. Trivial though this may be, why should I be denied this right because Billy-Have-A-Go-Tecchy wants to reconfigure one of his screens so he can view it upside down? The result being that all our rights are reduced to the rights required to control the worst offenders. Where in this policy is there any thought for the utilitarian greater good?&#60;/p&#62;
&#60;p&#62;Surely, encouraging fair usage and nurturing trust would make us feel a little less controlled and a little bit more empowered to learn about responsible usage. I can't say I have read much in the way of user rights policy booklets (I don't have that much trouble sleeping), but I would be willing to bet that nowhere in the policy does it explain that &#34;you the users shall all be treated as if you are incompetent, tinkering, malicious conspirators trying to bring the company down with your desire to have the new BMW images for a screensaver.&#34; &#60;/p&#62;
&#60;p&#62;Perhaps an analogy would emphasise my point. The Kleptomaniac has been barred from going to the mall, so we have decided to ban everyone from going to the mall, just to prevent you all from turning into Kleptomaniacs. &#60;/p&#62;
&#60;p&#62;Perhaps I have gone a little over the top here, but I wanted to convey the deeper implications of what on the surface seems like fair policy. &#60;/p&#62;
&#60;p&#62;And for the empiricists...... &#60;/p&#62;
&#60;p&#62;At our company only I.T management and Upper Management have any admin rights which represent 5% of our users. This is a recent policy crackdown to allow for ease of management / standardisation. USB ports are disabled, ALL downloads and social networking sites are barred, the control panel only allows me to choose a printer and my online banking website is blocked because some weirdo 2 years ago clearly had too much fun on the site, and I am unfortunate to use the same bank so can not have a quick look at my balance for 2 minutes in my lunch break.&#60;/p&#62;
&#60;p&#62;[Admin Note: Originally posted by Integrity]
&#60;/p&#62;</description>
</item>
<item>
<title>Evan Karp on "User Admin Rights"</title>
<link>http://orbit.virtualcomputer.com/forums/topic/user-admin-rights#post-73</link>
<pubDate>Fri, 21 Aug 2009 18:43:44 +0000</pubDate>
<dc:creator>Evan Karp</dc:creator>
<guid isPermaLink="false">73@http://orbit.virtualcomputer.com/forums/</guid>
<description>&#60;p&#62;Ahh the bane of my existence...&#60;/p&#62;
&#60;p&#62;Around here it's purely political. Essentially almost all notebook users have administrative rights so that they can resolve any computer related issues or install software while they are out of town. In addition to those users there are a great many physicians who demand administrative rights to their desktops and we are forced to comply with their requests.&#60;/p&#62;
&#60;p&#62;The good news is that nobody else gets admin rights. Overall I would say about 10% have administrative rights. In the long run that number may increase as we move away from worrying about the base PC and concentrate support on a more virtualized &#34;supported PC&#34; that can be run anywhere.&#60;/p&#62;
&#60;p&#62;[Admin Note: Originally posted by randyf25]
&#60;/p&#62;</description>
</item>
<item>
<title>Evan Karp on "User Admin Rights"</title>
<link>http://orbit.virtualcomputer.com/forums/topic/user-admin-rights#post-72</link>
<pubDate>Fri, 21 Aug 2009 18:43:32 +0000</pubDate>
<dc:creator>Evan Karp</dc:creator>
<guid isPermaLink="false">72@http://orbit.virtualcomputer.com/forums/</guid>
<description>&#60;p&#62;We have some users with local power user rights only because the software application that they use requires it (or they need to update it often with pushed updates). Otherwise, it is all very limited to what users can do.&#60;/p&#62;
&#60;p&#62;[Admin Note: Originally posted by sens]
&#60;/p&#62;</description>
</item>
<item>
<title>Evan Karp on "User Admin Rights"</title>
<link>http://orbit.virtualcomputer.com/forums/topic/user-admin-rights#post-71</link>
<pubDate>Fri, 21 Aug 2009 18:43:20 +0000</pubDate>
<dc:creator>Evan Karp</dc:creator>
<guid isPermaLink="false">71@http://orbit.virtualcomputer.com/forums/</guid>
<description>&#60;p&#62;If at all possible we do not allow users to have admin rights on their machines. Less than 5% of our users have admin rights, this is a political reason rather than a technical one. Implementing this policy has greatly decreased our helpdesk call volume. We generally do not allow users to install software that is not currently part of the &#34;supported software list&#34;.&#60;/p&#62;
&#60;p&#62;[Admin Note: Originally posted by JadeX]
&#60;/p&#62;</description>
</item>

</channel>
</rss>

