#1
Howdy, folks. I'm senior writer and editor at the IT Business Network (http://www.itbusinessnet.com). I've decided to write a "real world" story about the way that companies (large and small) control their employees' desktop computers.

I'd like your input about what your firm does... and perhaps about what you wish it would do. I might call this a "best practices" article, except that I'm not sure there's any "best" here, just what works for a given company. My aim, however, is to collect enough data to give other IT professionals a sense of the tradeoffs among the varying choices.

This all started because I overheard an IT person complain about her users. The company has 300 employees, many of whom would have been called "paper pushers" in an earlier era. Some of those employees decide to download software and install it on their computers. The specific example was screensavers (some of which carry a payload of spyware, making it a security issue as well as a support problem), but it could have been anything else. The IT pro whom I overheard had looked at a $10,000 hardware solution, but even that required 10 hours a week to keep up with permissions and such. But that didn't sound like a great option.

So I'm curious -- and I dare say, so are a lot of other people.

How does YOUR company deal with employees installing apps on the company computers? My guess is that the answer breaks down in these rough categories.

1. We let them do whatever they want. And then we cope with the consequences.
2. They can install what they want, but we'll only support the apps we install. If they break the computer or get a virus... THEY get to fix it.
3. We control their installations by administrative policy (i.e. "if you install unapproved software, you're fired").
4. We control their installations using technology. What technology would that be?
5. Something else?

Which of these best fits your company's choices? Which option do you wish the company chose?

If you use some sort of technology, please tell me about it. How well does it work? Was it expensive, in financial or other terms? How annoying is it?

Similarly, how well does administrative policy work? Do employees follow the rules, or do they imagine that gosh, installing a screensaver doesn't qualify as an *app*, does it?

I'm hoping to get the article written by the end of the week (which might be pushing it -- I have major dental surgery scheduled for Thursday). So I'd appreciate hearing from you sooner, rather than later.

Also: if I quote you in the article, I'll need some way to refer to you. The usual format is &name, &title, &company, &location ("Esther Schindler, an IT manager at the Groovy Corporation in Scottsdale, AZ, says..."). If you can't be identified specifically without company approval, let me know privately and we'll work out an alternative ("Esther Schindler is an IT professional at a southwest financial firm").

And, of course, you're welcome to contact me privately at (E-Mail Removed), if you prefer not to answer here. (Though I think it could be an interesting discussion!)

Thanks in advance for your help!

Esther Schindler
IT Business Network
#2
Hi,

In environments where I usually work, users don't have administrative privileges on their desktops. This means they can't install applications (but can run what was pre-installed for them by administrators).

Some of these environments implement some filters of what can be downloaded (e.g. prohibition of downloading .exe files, .zip files). This is usually achieved using Microsoft ISA Server, where you can also force what sites users can visit based on their group membership.

Some of these environments use Microsoft SMS server to check what is installed and what software actually gets used. If they figure out that some software is not used -- they might not buy upgrades (or only buy the necessary number of licenses for users who actually use this software).

--
Mike
Microsoft MVP - Windows Security

"eschindler" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> Howdy, folks. I'm senior writer and editor at the IT Business Network
> (http://www.itbusinessnet.com). I've decided to write a "real world"
> story about the way that companies (large and small) control their
> employees' desktop computers.
>
> I'd like your input about what your firm does... and perhaps about what
> you wish it would do. I might call this a "best practices" article,
> except that I'm not sure there's any "best" here, just what works for a
> given company. My aim, however, is to collect enough data to give other
> IT professionals a sense of the tradeoffs among the varying choices.
>
> This all started because I overheard an IT person complain about her
> users. The company has 300 employees, many of whom would have been
> called "paper pushers" in an earlier era. Some of those employees
> decide to download software and install it on their computers. The
> specific example was screensavers (some of which carry a payload of
> spyware, making it a security issue as well as a support problem), but
> it could have been anything else. The IT pro whom I overheard had
> looked at a $10,000 hardware solution, but even that required 10 hours
> a week to keep up with permissions and such. But that didn't sound like
> a great option.
>
> So I'm curious -- and I dare say, so are a lot of other people.
>
> How does YOUR company deal with employees installing apps on the
> company computers? My guess is that the answer breaks down in these
> rough categories.
>
> 1. We let them do whatever they want. And then we cope with the
> consequences.
> 2. They can install what they want, but we'll only support the apps we
> install. If they break the computer or get a virus... THEY get to fix
> it.
> 3. We control their installations by administrative policy (i.e. "if
> you install unapproved software, you're fired").
> 4. We control their installations using technology. What technology
> would that be?
> 5. Something else?
>
> Which of these best fits your company's choices? Which option do you
> wish the company chose?
>
> If you use some sort of technology, please tell me about it. How well
> does it work? Was it expensive, in financial or other terms? How
> annoying is it?
>
> Similarly, how well does administrative policy work? Do employees
> follow the rules, or do they imagine that gosh, installing a
> screensaver doesn't qualify as an *app*, does it?
>
> I'm hoping to get the article written by the end of the week (which
> might be pushing it -- I have major dental surgery scheduled for
> Thursday). So I'd appreciate hearing from you sooner, rather than
> later.
>
> Also: if I quote you in the article, I'll need some way to refer to
> you. The usual format is &name, &title, &company, &location ("Esther
> Schindler, an IT manager at the Groovy Corporation in Scottsdale, AZ,
> says..."). If you can't be identified specifically without company
> approval, let me know privately and we'll work out an alternative
> ("Esther Schindler is an IT professional at a southwest financial
> firm").
>
> And, of course, you're welcome to contact me privately at
> (E-Mail Removed), if you prefer not to answer here. (Though I think
> it could be an interesting discussion!)
>
> Thanks in advance for your help!
>
> Esther Schindler
> IT Business Network
#3
That's great feedback, Mike -- thanks!

First: how should I refer to you in the article, if I quote you?

Also: how do the users respond to those rules? How often do they come to the IT support staff and wheedle for special permission? How often is it given?

Miha Pihler [MVP] wrote:
> Hi,
>
> In environments where I usually work users don't have administrative
> privileges on their desktops. This means they can't install applications
> (but can run what was pre-installed for them by administrators)
> Some of these environments implement some filters of what can be downloaded
> (e.g. prohibition of downloading .exe files, .zip files). This is usually
> achieved using Microsoft ISA Server where you can also force what site users
> can visit based on their group membership.
>
> Some of these environments use Microsoft SMS server to check what is
> installed and what software actually gets used. If they figure out that some
> software is not used -- they might not buy upgrades (or only buy necessary
> number of licenses for users who actually use this software).
>
> --
> Mike
> Microsoft MVP - Windows Security
#4
Hi,

Answers are in-line.

> First: how should I refer to you in the article, if I quote you?

Mike? ;-)

> Also: how do the users respond to those rules?

They got used to it. Some of them might even appreciate it, since from the time we implemented these policies there have been practically no major outbreaks or major problems with their computers.

> How often do they come to the IT support staff and wheedle for special
> permission?

There is practically no need. All applications are evaluated by IT -- including permissions necessary to run the application. This is a major decision factor. So if the application is approved, it will be installed (pushed) to the users that need it by e.g. using Microsoft SMS. When users get their (new) computer, the installation image also includes all necessary applications.

> How often is it given?

The only exceptions might be users with laptops. Still, if they abuse the policy (e.g. get infected, try to mess with Windows installation ...) their computer is fixed (image deployed again), but they lose the privileges.

The main concern here is: if a user installs software and the company gets audited by e.g. BSA, who is responsible for paying the license for software installed by the user on a company computer? Company or the user? If the user, how do you force him/her to pay (especially software that is really expensive)? Most companies simply do their best not to get into this situation in the first place.

--
Mike
Microsoft MVP - Windows Security

> Miha Pihler [MVP] wrote:
>> Hi,
>>
>> In environments where I usually work users don't have administrative
>> privileges on their desktops. This means they can't install applications
>> (but can run what was pre-installed for them by administrators)
>> Some of these environments implement some filters of what can be
>> downloaded (e.g. prohibition of downloading .exe files, .zip files).
>> This is usually achieved using Microsoft ISA Server where you can also
>> force what site users can visit based on their group membership.
>>
>> Some of these environments use Microsoft SMS server to check what is
>> installed and what software actually gets used. If they figure out that
>> some software is not used -- they might not buy upgrades (or only buy
>> necessary number of licenses for users who actually use this software).
>>
>> --
>> Mike
>> Microsoft MVP - Windows Security
#5
I think you find the large sites generally run user-accounts in limited mode, but then they have onsite staff to take care of any day-to-day issues this generates.

On smaller sites this isn't too practical as you can hardly send out an engineer every time something trivial needs adjusted - and having to log off/on to be an Administrator creates issues with remote maintenance.

In any case there are always hacks or workarounds for any lockdown, and the more-effective way to stop this sort of thing is to let users know that you can tell what they're up-to, and not just whodunnit but exactly what, and when.

For example I could've set all sorts of restrictive firewall-rules when a pornsurfing epidemic surfaced in an outlying office, but a simpler and more-effective measure was to show the offenders the proxy logs, detailing exactly which pages they'd visited, how much bandwidth they'd wasted, and exactly how many hours they'd been skiving for. That put the frighteners on them, as they never thought they could be tracked as accurately as that.
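Added example (not part of any poster's message): a per-user summary of the kind of proxy-log evidence described in post #5, which also flags requests for the .exe and .zip file types that post #2 says are filtered. The log layout, user names, hosts and the five-minute idle threshold are constructed assumptions, not ISA Server's native log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample records (not a real ISA Server log layout):
# ISO timestamp, user, bytes transferred, URL
SAMPLE_LOG = """\
2005-06-01T09:00:05 alice 48211 http://intranet.example/timesheet
2005-06-01T09:01:10 bob 912044 http://games.example/play/level1
2005-06-01T09:03:40 bob 2048113 http://games.example/play/level2
2005-06-01T09:04:00 bob 5120 http://freestuff.example/dl/fish_screensaver.exe
2005-06-01T09:30:00 bob 73021 http://games.example/scores
2005-06-01T09:31:30 alice 1290 http://vendor.example/tools/update.ZIP
this line is malformed and is skipped
"""

FILTERED_EXTENSIONS = (".exe", ".zip")  # the file types named in the thread
IDLE_GAP = timedelta(minutes=5)         # assumption: longer gaps are idle time

def summarize(log_text, idle_gap=IDLE_GAP):
    """Return {user: {"requests", "bytes", "active_seconds", "hosts", "filtered"}}."""
    report = defaultdict(lambda: {"requests": 0, "bytes": 0, "active_seconds": 0,
                                  "hosts": set(), "filtered": []})
    last_seen, records = {}, []
    for line in log_text.splitlines():
        parts = line.split()
        try:
            when = datetime.fromisoformat(parts[0])
            user, size, url = parts[1], int(parts[2]), parts[3]
        except (IndexError, ValueError):
            continue  # skip malformed lines instead of aborting the report
        records.append((when, user, size, url))
    for when, user, size, url in sorted(records):  # logs may arrive out of order
        entry = report[user]
        entry["requests"] += 1
        entry["bytes"] += size
        target = urlsplit(url)
        entry["hosts"].add(target.hostname)
        if target.path.lower().endswith(FILTERED_EXTENSIONS):
            entry["filtered"].append(url)
        gap = when - last_seen.get(user, when)
        if gap <= idle_gap:  # only count time between closely spaced requests
            entry["active_seconds"] += int(gap.total_seconds())
        last_seen[user] = when
    return dict(report)

if __name__ == "__main__":
    for user, entry in sorted(summarize(SAMPLE_LOG).items()):
        print(user, entry)
```

Active time here is an estimate built from gaps between consecutive requests, so a single page left open for an hour counts as zero seconds.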
#6
Miha Pihler [MVP] wrote:
> > First: how should I refer to you in the article, if I quote you?
>
> Mike? ;-)

Well, the usual format is &name, &title, &company, &location: "Esther Schindler is an IT manager at the Groovy Corporation in Scottsdale, Arizona." Contact me privately if you can't be that exact, and we can work out the details.

It's all about credibility, you see. "According to advice I got from some stranger on the Internet" isn't as authoritative as Mike Pihler, a Microsoft MVP. :-)

> > How often do they come to the IT support staff and wheedle for special
> > permission?
>
> There is practically no need. All applications are evaluated by IT --
> including permissions necessary to run the application. This is major
> decision factor. So if the application is approved it will be installed
> (pushed) to the users that need it by e.g. using Microsoft SMS.
> When users get their (new) computer installation image also includes all
> necessary applications.

Gotcha!

> The main concern here is if user installs software and company gets audited
> by e.g. BSA who is responsible for paying the license for software installed
> by user on company computer? Company or the user? If the user, how do you
> force him/her to pay (specially software that is really expensive)? Most
> companies simply do their best not to get into this situation in the first
> place

Good point!
#7
> On smaller sites this isn't too practical as you can hardly send out an
> engineer every time something trivial needs adjusted - and having to log
> off/on to be an Administrator creates issues with remote maintenance.

Define me a smaller site ;-). Where I come from and where I work 600 users is considered a large site... :-). I mostly work for customers ranging from a few hundred users to a few thousand users.

You could use the RunAs option... (either the one on the right click or from the command line)... And this is something that we might use from time to time. Of course this would be an account that is local admin on the computer, but not domain admin.

> In any case there are always hacks or workarounds for any lockdown, and
> the more-effective way to stop this sort of thing is to let users know
> that you can tell what they're up-to, and not just whodunnit but exactly
> what, and when.
>
> For example I could've set all sorts of restrictive firewall-rules when a
> pornsurfing epidemic surfaced in an outlying office, but a simpler and
> more-effective measure was to show the offenders the proxy logs, detailing
> exactly which pages they'd visited, how much bandwidth they'd wasted, and
> exactly how many hours they'd been skiving for. That put the frighteners
> on them, as they never thought they could be tracked as accurately as that.
#8
Thanks to everyone who replied!

Here's the final article:

Keep Yer Paws Off Your PC: Preventing End-Users from Installing Applications

Surely, users think, downloading a screensaver can't hurt anything! IT professionals need to strike a balance between user freedom (such as letting them install any app they want) and keeping a predictable and safe computing environment. Several network admins give their advice about the best way to find and maintain that balance -- with tech tips for each operating system.

http://www.itbusinessnet.com/article...e.jsp?id=60584