Re: Locking down computers
- From: "xpyttl" <xpyttl_NOSPAM@xxxxxxxxxxxxx>
- Date: Thu, 5 Jan 2006 14:02:45 -0500
The updated policy is a must, but you need to get that app fixed, too.
Take a look at the Internet Storm Center's time to live numbers. Figure
out what a worm would cost you if it shut down your company's PCs, and how
likely that is. If not business loss, at least you are talking a big
productivity hit. Then put together a case to get that app fixed. If folks
are routinely on the Internet, you cannot have them running with admin
privs. That is simply asking for trouble. There is no excuse for users
risking the company's assets that way. I'm sure there will be a lot of push
back, but without some pretty strong action, you are courting disaster.
And when the disaster comes, guess who will get blamed. If you make a
strong case to fix the problem, and it is refused, at least you won't look
like an idiot when the levees break. Managers have every right to decide
that the risk is worth taking, but you have an obligation to inform them of
the risk and the cost of remediation. If they say no, that's fine, at least
you did your job. But if you don't spell it out to them in single syllable
words that managers can understand, you aren't doing what you need to.
In most cases, when an app can't run as a normal user, especially an old
app, it is simply a matter of file protections. Unless the app does
something pretty strange, it should be a pretty simple fix. I'm sure
development feels it has higher (read more fun) priorities, but you need to
get that app fixed.
While you are at it, get something on those PCs that lets you push out login
scripts and policies. If you are going to run a network, you need to have
some ability to influence it.
Messenger, tho a PITA, can be a business asset. If folks aren't using it
for business purposes, block it at the firewall. Even if you can't stop
them launching it, they will quit if they can't do anything useful.
...
"CJC" <cjc82@xxxxxxxxxxxxx> wrote in message
news:1136482462.779981.173270@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Thanks for the last two responses.
>
> I am new to this company and if I had my way we would be much stricter.
> But they have had a more relaxed attitude. I believe they have a
> policy in which is signed when new people start. But it looks as
> though its not really taken too seriously.
>
> The reason why we need to stop messenger is due to the management fed
> up with seeing it constantly on.
>
> Secondly we need to stop people installing due to the industry we are
> in they have to use the internet alot and they seem to download things
> from the net often.
>
> The policy is a good idea, maybe we should get everyone to sign an
> extension to show we are more serious.
>
> I am actually working on a message to appear when they login saying
> what is and is not allowed and by logging in they agree to it. so then
> if we see anything we can moan at them.
>
> many thanks again guys
>
.
- References:
- Locking down computers
- From: CJC
- Re: Locking down computers
- From: Frankster
- Re: Locking down computers
- From: CJC
- Locking down computers
- Prev by Date: Re: OS Security Classification
- Next by Date: Re: Locking down computers
- Previous by thread: Re: Locking down computers
- Next by thread: Re: Locking down computers
- Index(es):
Relevant Pages
|
