c drive lockdown issue
Billy Verreynne
>we have our workstations locked down to disallow the users the ability to
>view their c drive.
This is an anti-dumb user meassure.
>we also have a firewall in place.
This is more of an anti-hacker meassure.
>my manager wants me to justify why we don't also lock down heavily the local
>hard drives with ntfs rights.
Which has nothing to do about making anything more secure IMO. Don't
get me wrong, I think that the only good user is a dead one. ;-)
However, a computer system should balance security with usability.
Making things to restricting for users interferes with their jobs.
>this makes life a misery for our support guys getting various prg's to run.
And yours..
>is it overkill to lock down with ntfs if the end users cannot view the drive
>anyway.
I agree.
>if a hacker got past our firewall would it not be more likely that they
>would try to gain access to the servers and not the workstations anyway.
Agree. Though the hacker will quite likely target any open machine. If
these "drive lockdows" are intended as an anti-hacker meassure, then
it is a waste of time IMO. Why try and make the furniture, fridge and
stove more secure after a hacker has gained entry into the house?
Rather spend that time, money and effort on making the house secure.
Not saying that there should be no internal security and restrictions.
We have to protect dumb end-users from themselves too. But if you
employ the same measures against your users as you do against possible
hackers, then there is definately something wrong with company policy.
Or is this just a case of another manager with a hacker & security
book up his arse? I for one have seen very anal company policies.
There's a difference in trying to protect the users than trying to be
punitive against users.
My thoughts anyway.
regards,
Billy
Billy Verreynne
>Hackers will target anything they can - we have to assume this. As a
>support engineer, I too have had problems caused by NTFS permissions being
>too restrictive. There were issues concerning users customising toolbars,
>desktop, screensaver etc - easily resolved - it was decided that the users
>should not have control over these things.
Iain, this is _exactly_ the type of thing that I have a problem with.
Company policy interefering with the way how a user wants to use his
computer. If he wants to change his toolbar let him! For heaven sakes,
why restrict that or what screen save he is allowed to use or not to
use!?
Security meassures like that.. to be very honest, I find this utterly
anal. I would not even go as far as to call it security meassures. It
is punitive meassures. And idiotic. What problems does this solve,
beside having a growing user resenment about the dictatorship of IT/IS
when it comes to how your are allowed to use your office PC?
These types of "meassures" only address a few symptoms and actually
make the problem worse. Driving the wedge between end-user and IT/IS
even deeper. It is time that we stop treating user like the idiots
(which the often are, no mistake), and provide them with the -right-
education how to use their computers safely and properly.
Besides, what is your job? To create a safe environment for the
end-user to work in, or to establish a restrictive environment? Make
no mistake - these are _DIFFERENT_ goals.
Nothing personal, but I have been in the support/security side of
things for a number of years. Now as a private contractor I am often
on the receiving end of restrictive use policies such as these that
you have. It makes doing my job utterly difficult and extremely
frustrating. Including that of the non-technical people that work with
me on these projects. And guess what, often they find ways around
these "meassures", defeating them.
Anyway, why many IT/IS security personnel want to have their end-users
as "enemies" by implementing punitive security meassures is beyond me.
regards,
Billy
Iain McCorkindale
I take your point about how it can be a pain when overzealous security is
applied. I actually agree with you up to a point. Usually the zealots
implement "security" because they can. They don't really understand what
security is. Real security is all about ALLOWING access to the appropriate
people in the appropriate circumstances. A Sony Playstation might be
considered to have excellent security, but I wouldn't like to try creating a
spreadsheet on one. A system that restricts users' options needlessly is,
as you suggest, a stifling one, and should be discouraged. But security is
there for a reason, and not only the obvious one:
1) How secure? should depend on which environment you are in. If you work in
a secure military establishment you have need of a C2, or even more secure
environment. If you work in a graphic design studio, you may not need such
strict security. Banks need very high security
2) Properly implemented security does not "inflict" security measures on the
users, but does define the environment in which you work. I assume you are
a contractor responsible for installing software and for local machine
changes, and therefore it would be sensible for you to be added to a Global
Group which has been added to every machine's local Administrators group.
If you need to install software on servers or work extensively at the server
administration level, however, you clearly need to be a Domain
Administrator. With this kind of access the company must trust you with
almost the entire success/failure of the company in some cases (Consider the
possible consequences were you to forget the weekly backup, or failed to
protect the system from viruses, or designed a system for the company which
didn't include a BDC etc etc).
3) Hackers are a concern, but not only those from outside the company. In
fact, studies have shown that the biggest hacker threat comes from INSIDE
the company. I do not believe in engendering an atmosphere of distrust
between the IT department and the users, but antihacker measures are an
advantage to the average user. The average user does not need or want the
kind of power that full administrative rights can give him, nor the kind of
responsibility that this brings (ah there's the rub) - imagine a user's
popularity (and job prospects) after removing a heavily used data share.
4) Admin work is the enemy and should be minimised! Think very carefully
before allowing users to install their own software. Any new software can
make a system unstable, which is particularly problematic if the computer is
shared by more than one user. Licence restrictions may be violated.
Viruses may spread. Conversely, allowing users to uninstall software has
obvious drawbacks.
5) Company image is important. If you visit a callcentre to decide whether
or not you wish to use its facilities for your own company in Nepal, you
will not be impressed by pornographic screensavers appearing. If you wish
to give an impression of industry, even "harmless" images such as rock bands
on the desktop will not do.
I am disappointed that you seem to have such a wide experience of companies
in which the rift between the IT department and the users is so vast. I
work for a company which is dedicated to good customer service, and this
extends internally also. I myself am dedicated to customer service to my
(internal) customers, and I never think the users are thick (if somebody
makes a silly mistake, then well, we all make mistakes sometime).
It's all about company culture.
Cheers
Iain McCorkindale
"Billy Verreynne" <vsl...@onwe.co.za> wrote in message
news:3928e2c8....@news.saix.net...
Gareth Jones
>Billy
>
>I take your point about how it can be a pain when overzealous security is
>applied. I actually agree with you up to a point. Usually the zealots
>implement "security" because they can. They don't really understand what
>security is. Real security is all about ALLOWING access to the appropriate
>people in the appropriate circumstances.
I'm currently working in an organisation that has attempted to
restrict user access to the C drive - their main reason is not to keep
hackers out, but to prevent the users saving files there. If they do
that, then the files aren't backed up, and so they are at risk, the
users can't access their files from other machines, and when the
machines are replaced (which happens every few years), the new rollout
is made *considerably* harder if any desktop machine potentially
contains important user data. User education helps of course - but
technical solutions to the problem are perfectly valid, and if
implemented correctly can make it easier for the user to do his job,
not harder.
Gareth
Billy Verreynne
>I'm currently working in an organisation that has attempted to
>restrict user access to the C drive - their main reason is not to keep
>hackers out, but to prevent the users saving files there. If they do
>that, then the files aren't backed up, and so they are at risk, the
>users can't access their files from other machines, and when the
>machines are replaced (which happens every few years), the new rollout
>is made *considerably* harder if any desktop machine potentially
>contains important user data.
Very valid reasons IMO.
>User education helps of course - but
>technical solutions to the problem are perfectly valid, and if
>implemented correctly can make it easier for the user to do his job,
>not harder.
Agree.
There are alternative solutions though than locking down drive C: -
which in itself can be a problem with Windows' swapfiles and so on.
One method is to hook into the FILE|SAVE function and FILE SAVE DIALOG
window. Novell's Groupwise does something similar - you can configure
it so that by default the Groupwise FILE SAVE DIALOG window appears
(which allows you to save your files in the Groupwise system/file
server).
However, the issue you are addressing is not that of security ito
preventing attacks or prohibiting/limiting user functionality, which
is what I have a beef with.
I believe that sometime a large lead pipe is warranted to be used.
Especially if users, after repeated requests, fail to adhere to policy
that is in their best interest.
In this situation I would run a regular batch job (propbably via the
login script) that does something like deleting -all- files from drive
C: that is after a certain date/file stamp. The user will quickly
learn what the correct usage policy is and not save any files to drive
C:
Unfortunately, this type of drastic action is sometimes the only way
you can make the user learn. I did something similar on a mainframe
system many years ago. We had a policy of using a specific type of
logon method that makes sys admin, perfomance management and user
support tons easier. However, despite numerous requests, over 90% of
the users fail to adhere to this policy. 3 days after I wrote a batch
job that automatically cancelled any mainframe dialog (interactive)
sessions not confirming to the policy, every single user in the
organisation used the correct method. And continued to do so long
after we stop this batch monitoring process playing cop.
Something along the lines of it can be difficult teaching users new
tricks, but once learned they seldom forget it. ;-)
Billy
Quorlia
vsl...@onwe.co.za (Billy Verreynne) wrote:
> "Iain McCorkindale" <ia...@jackiain.demon.co.uk> wrote:
>
> Besides, what is your job? To create a safe environment for the
> end-user to work in, or to establish a restrictive environment? Make
> no mistake - these are _DIFFERENT_ goals.
>
My job is an ICT Technician in a school running a network of
approximately 70 Win95 PC's (NT server). I _have_ to lock down the
sytem or spend hours reghosting and rebuilding. The vast majority of
users will just use the system as is, but there is always one who will
attempt to get around every security measure there is to simply destroy
the system.
The current problem is with winkey. The kids can't get to C:\ or
explorer through the start menu and they don't have My Computer on the
desktop but what they can do is Winkey-F or Winkey-E to get a find or
explorer window and then mess up the settings. And they don't just
download filth anonymously or attempt to hack each others accounts,
they delete files, edit files and generally break the system. I
haven't yet found a lock for winkey and the best I can do is rename the
*.cpl files (they haven't twigged that one so far)
If I could I'd let them have more freedom, but if I do that I spend all
my time wandering round the school with a network boot disk in my
hand. I plug holes as and when they find them and hope that the system
is watertight.
--
Kirsty <quo...@my-deja.com>
Sent via Deja.com http://www.deja.com/
Before you buy.
Gareth Jones
>In this situation I would run a regular batch job (propbably via the
>login script) that does something like deleting -all- files from drive
>C: that is after a certain date/file stamp. The user will quickly
>learn what the correct usage policy is and not save any files to drive
>C:
Have any major corporations allowed you to do this??? The problem is
users being reckless with company property (i.e. the files) - I can't
see many IT directors agreeing that destroying that property is the
best way to solve the problem. It is slightly reminincent of the guy
in Speed who says the best way to resolve a hostage situation is to
shoot the hostages.
>Unfortunately, this type of drastic action is sometimes the only way
>you can make the user learn. I did something similar on a mainframe
>system many years ago. We had a policy of using a specific type of
>logon method that makes sys admin, perfomance management and user
>support tons easier. However, despite numerous requests, over 90% of
>the users fail to adhere to this policy. 3 days after I wrote a batch
>job that automatically cancelled any mainframe dialog (interactive)
>sessions not confirming to the policy, every single user in the
>organisation used the correct method. And continued to do so long
>after we stop this batch monitoring process playing cop.
Perhaps things were different then, nowadays the business comes first,
and IT fits in with that, not the other way around.
Gareth
Gareth Jones
>In article <3928e2c8....@news.saix.net>,
> vsl...@onwe.co.za (Billy Verreynne) wrote:
>> "Iain McCorkindale" <ia...@jackiain.demon.co.uk> wrote:
>>
>> Besides, what is your job? To create a safe environment for the
>> end-user to work in, or to establish a restrictive environment? Make
>> no mistake - these are _DIFFERENT_ goals.
>>
>
>My job is an ICT Technician in a school running a network of
>approximately 70 Win95 PC's (NT server). I _have_ to lock down the
>sytem or spend hours reghosting and rebuilding. The vast majority of
>users will just use the system as is, but there is always one who will
>attempt to get around every security measure there is to simply destroy
>the system.
Ok, your main problem here is the use of Windows 95...
>The current problem is with winkey. The kids can't get to C:\ or
>explorer through the start menu and they don't have My Computer on the
>desktop but what they can do is Winkey-F or Winkey-E to get a find or
>explorer window and then mess up the settings. And they don't just
>download filth anonymously or attempt to hack each others accounts,
>they delete files, edit files and generally break the system. I
>haven't yet found a lock for winkey and the best I can do is rename the
>*.cpl files (they haven't twigged that one so far)
Attempts to lock down a Windows machine with system policies and the
like will always fail - they don't really deny access to stuff, they
just remove elements of the interface. To my mind, system policies are
very useful for giving users uncluttered interfaces where file dialogs
open in the right folder etc., but their use for security is
misconceieved. For security you must use NTFS permissions...which of
course you don't have on Win9x....time for NT / Win2k.
>If I could I'd let them have more freedom, but if I do that I spend all
>my time wandering round the school with a network boot disk in my
>hand. I plug holes as and when they find them and hope that the system
>is watertight.
Yeah, that's the alternative solution in an environment where all of
the machines are pretty much the same - ghost one, and when someone
messes up a machine, blow it away and reimage it - 10 minutes work. I
know large companies that do the same - rather than have someone
reasonably skilled spend an hour fixing a problem, they just re-ghost
the machine. Not a very elegant solution - but quick and cost
effective.
Gareth
Billy Verreynne
>>
>> Besides, what is your job? To create a safe environment for the
>> end-user to work in, or to establish a restrictive environment? Make
>> no mistake - these are _DIFFERENT_ goals.
>>
>
>My job is an ICT Technician in a school running a network of
>approximately 70 Win95 PC's (NT server).
Arrghh.. You should have said that from the beginning. Lock down
everything. Best also unplug all the keyboards and mice! ;-)
Don't envy you. Kids are a different set of users all together.
Billy
Billy Verreynne
>
>Have any major corporations allowed you to do this??? The problem is
>users being reckless with company property (i.e. the files) - I can't
>see many IT directors agreeing that destroying that property is the
>best way to solve the problem.
I had my tongue firmly in my cheeck when I said "delete files on drive
C and teach them a lesson". This type of stunt will quite likely get
you fired. At the same time, sometimes drastic action is required and
can be done without causing any real damage.. <visions of Texas
Chainsaw Massacre> ;-)
>It is slightly reminincent of the guy
>in Speed who says the best way to resolve a hostage situation is to
>shoot the hostages.
Hehehe.. Yeah, what a better way to deal with the problem than to
simply shoot it.
>Perhaps things were different then, nowadays the business comes first,
>and IT fits in with that, not the other way around.
Agree. However, what do you do when faced with users that -refuse- to
listen? Take away their access? Nope. You will have their managers
complaining and you can expect a few tonms of bricks being dropped on
you. So finally we just warned the users that any "incorrect" session
on the mainframe will be killed. The job I wrote ran every minute. So
at most, a user was online for a minute before he got that session
killed. Not enough time to loose any serious amount of data. But then,
I was also much younger and always carried a copy of the BOH with me..
Billy
Iain McCorkindale
> Agree. However, what do you do when faced with users that -refuse- to
> listen? Take away their access? Nope. You will have their managers
> complaining and you can expect a few tonms of bricks being dropped on
> you. So finally we just warned the users that any "incorrect" session
> on the mainframe will be killed. The job I wrote ran every minute. So
> at most, a user was online for a minute before he got that session
> killed. Not enough time to loose any serious amount of data. But then,
> I was also much younger and always carried a copy of the BOH with me..
>
>
> Billy
Lets face it, if you're dealing with a wayward user or users, you're dealing
with a political problem. Whether you like it or not, your solution will be
political too (as is your solution above). I say leave politics to the
politicians and get your manager to speak to their manager(s).
Mind you, I'm going to contradict myself now, because I actually like the
justice in your argument above ;-)
Iain