If you were a corporate network admin?
-
- Posts: 17509
- Joined: Thu Jan 01, 1970 12:00 am
A SINGLE proper perimeter appliance would filter ALL of this.
By default, all corporate network traffic should be blocked unless deemed necessary to operate (mail, web, ftp, etc. are the only protocols that should be allowed to get through your gateway). Why? Because it's corporate. In an enterprise environment, security and reliability are the primary objectives, and therefore should be put above user convenience all the time.
To begin with, users DO NOT EVER need to install their own apps. I've worked on several huge networks where the users couldn't install shit without an admin. As a direct result, there were almost no user created problems from crap, non-corporate software.
Users should have standardized software packages installed on their machine allowing them to perform all the functions of their job. Any program after that is gravy and therefore not IT's problem.
Sorry G}{, but Tormentius is right, your firm should be standardizing your policies and software, specifically to address the problem you face right now. Now I know you're thinking, 'your situation is different from everybody else's' but it's not. :P We ALL (net admins) have special needs users and special circumstances, but we learn to fit them into the plan, even though the user might not always have it the way they want, when they want it. It's just too bad.
When addressing issues like this Mike, you need to consider what the primary objective is; the user's convenience or the corporate network's well-being?
Pandering to the end user always ends in trouble. They know DICK, that's why they pay us to tell them what to do with their networks.
My opinion anyway.
But if your hands are truly tied, here's my two cents:
This device would allow you to filter traffic at the perimeter and allow you to set individual user profiles defining their internet usage ability:
http://www.watchguard.com/products/x2500.asp
Installed with the upgraded software image, Fireware Pro, it can perform some insanely finite configurations and monitoring. Combine that with the optional Web Blocker software, and it can filter content, URLs, IPs, networks, etc from the perimeter.
This device is top notch. Sounds perfect for what you need G}{.
Last edited by Cool Blue on Tue Jul 19, 2005 6:55 pm, edited 1 time in total.
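The default-deny egress policy Cool Blue describes, modelled as a first-match rule table. This is an added example, not code from the thread or from any WatchGuard product; the internal address range, the rule names and the DNS rule are assumptions, and the allowed protocols are the ones the post names. It also shows the catch a practitioner hits with a "mail, web, ftp only" list: passive-mode FTP opens a second data connection on a high port, which a plain port-21 allow does not cover unless the gateway runs an FTP connection-tracking helper.

```python
"""Default-deny egress policy modelled as a first-match rule table.

Added example, not code from the thread. CORP_LAN, the rule names and the
DNS rule are assumptions; the allowed protocols are the ones the post names.
"""
import ipaddress
from dataclasses import dataclass

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
CORP_LAN = ipaddress.ip_network("10.0.0.0/8")   # assumption: internal address range


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "allow" or "deny"
    proto: str                # "tcp", "udp" or "any"
    dports: frozenset         # destination ports; empty means any port
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


# First match wins. The final catch-all is what makes the policy default-deny;
# everything not listed (P2P, streaming, dialers phoning home) hits it.
EGRESS_RULES = [
    Rule("mail-out", "allow", "tcp", frozenset({25}), CORP_LAN, ANY_NET),
    Rule("web-out", "allow", "tcp", frozenset({80, 443}), CORP_LAN, ANY_NET),
    Rule("ftp-out", "allow", "tcp", frozenset({21}), CORP_LAN, ANY_NET),
    # Assumption: resolvers live outside the LAN, so web needs DNS through too.
    Rule("dns-out", "allow", "udp", frozenset({53}), CORP_LAN, ANY_NET),
    Rule("default-deny", "deny", "any", frozenset(), ANY_NET, ANY_NET),
]


def rule_matches(rule, src, dst, proto, dport):
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dports and dport not in rule.dports:
        return False
    return src in rule.src and dst in rule.dst


def egress_decision(src_ip, dst_ip, proto, dport, rules=EGRESS_RULES):
    """Return (action, rule_name) for one connection attempt."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule_matches(rule, src, dst, proto, dport):
            return rule.action, rule.name
    return "deny", "implicit-deny"   # only reached if the catch-all is removed


# Constructed sample of connection attempts seen at the gateway.
SAMPLE_FLOWS = [
    ("10.1.2.3", "198.51.100.10", "tcp", 443),    # https
    ("10.1.2.3", "198.51.100.10", "tcp", 25),     # smtp to the mail relay
    ("10.1.2.3", "198.51.100.10", "tcp", 21),     # ftp control channel
    ("10.1.2.3", "198.51.100.10", "tcp", 50123),  # ftp passive data channel: denied without a helper
    ("10.1.2.9", "203.0.113.5", "tcp", 4662),     # eDonkey
    ("10.1.2.9", "203.0.113.5", "tcp", 8000),     # shoutcast stream
    ("203.0.113.5", "10.1.2.3", "tcp", 443),      # inbound; no egress rule fits, so the catch-all applies
]


def audit(flows, rules=EGRESS_RULES):
    """Evaluate every flow; returns a list of (flow, action, rule_name)."""
    return [(flow, *egress_decision(*flow, rules=rules)) for flow in flows]


def denied(flows, rules=EGRESS_RULES):
    return [flow for flow, action, _ in audit(flows, rules) if action == "deny"]


if __name__ == "__main__":
    for flow, action, name in audit(SAMPLE_FLOWS):
        print(f"{action:5} {name:13} {flow}")
```

The ftp control connection passes and the passive data connection to port 50123 does not; on a real gateway that is the difference between "ftp is allowed" on paper and ftp working, and the fix is the appliance's FTP helper (or active mode only), not widening the allow list.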
-
- Posts: 2941
- Joined: Fri Mar 17, 2000 8:00 am
[quote="Foo"]If you're running an all-windows system, and presumably Active Directory-based administration, I'd recommend building a container with properly restricted policies, and migrating users into this container sections at a time.
Course I can't give too much advice without asking questions as I go along, so hit me up on IM for a chat? 31864930 or thegreatfoo@hotmail.com[/quote]
yeah like I said we cannot limit 80% of our users, the ones we can limit (mostly production and test department) are set up with user rights, strict policies right down to the desktop background and icons. They are also set up on a VLAN with no internet access.
:icon19: we've had some test guys actually come in early and route a home made network cable through the ceiling to a conference room to get internet access. Of course the same idiot printed a porn pic on the department printer later that day and was dismissed. :icon19:
[url=http://www.dumpt.com][img]http://www.giraffe-hunter.com/images/dumpt.gif[/img][/url]
[size=85]DUMPT.com fully revamped, simple image hosting/dumping ground
No registration required![/size]
I think that's fine as a paradigm but perhaps taken too far. As far as I approach it, IT is a service and not a gift. Within the corporate environment, things are really fucking easy for admins, compared to a commercial environment (dealing with 'customers'), but I don't think that's an excuse for a reign of terror.
I'm doing IT support in a Steel Mill. It doesn't get much more rough and ready than that, and 'troglodyte' doesn't come near to cutting it for some of our users, but that's just a part of the job.
In the last year, I've reported only one incident of inappropriate use up the chain, and that was only a minor spyware outbreak. Why? The desktops are locked down but we provide such a complete service that people feel they're insulting us to misuse the equipment, rather than they're 'beating' us by trying to get away with it.
"Maybe you have some bird ideas. Maybe that’s the best you can do."
― Terry A. Davis
Also block any site where they can get unlicensed software.
http://www.download.com/
http://www.tucows.com/
http://www.jumbo.com/
http://www.nonags.com/
http://www.majorgeeks.com/
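Blocking the sites listed above by host rather than by URL substring, as an added example that is not code from the thread. The domains are the ones in the post; the matching logic and the sample URLs are assumptions. The point it makes is that the tempting one-liner (is "download.com" anywhere in the URL?) is wrong in both directions: it blocks "notdownload.com" and "download.com.evil.example", and it reports "http://download.com@evil.example/" as blocked even though the browser connects to evil.example. Parsing out the host and matching on label boundaries fixes all three.

```python
"""Block the listed download sites by host, not by URL substring.

Added example, not code from the thread. The domains are the ones listed in the
post; the matching logic and the sample URLs are assumptions.
"""
from urllib.parse import urlsplit

BLOCKED_DOMAINS = frozenset({
    "download.com", "tucows.com", "jumbo.com", "nonags.com", "majorgeeks.com",
})


def naive_blocked(url, blocked=BLOCKED_DOMAINS):
    """The tempting one-liner: substring match on the whole URL. Kept for contrast."""
    return any(domain in url.lower() for domain in blocked)


def host_of(url):
    """Extract the host a browser would actually connect to.

    urlsplit().hostname drops the scheme, userinfo (user:pass@), port and path,
    and lowercases the result; the trailing dot of a fully qualified name is
    stripped so "download.com." matches "download.com".
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def is_blocked(url, blocked=BLOCKED_DOMAINS):
    """True if the URL's host is a blocked domain or a subdomain of one.

    Matching is done on label boundaries, so "notdownload.com" is not caught
    by "download.com" but "www.download.com" and "files.majorgeeks.com" are.
    """
    host = host_of(url)
    if not host:
        return False
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


# Constructed sample: (url, expected verdict) pairs that separate the two approaches.
SAMPLE_URLS = [
    ("http://www.download.com/", True),
    ("https://files.majorgeeks.com:443/get/tool.exe", True),
    ("ftp://ftp.tucows.com/pub/", True),
    ("http://DOWNLOAD.COM./", True),                   # case and trailing dot
    ("http://notdownload.com/", False),                 # not a subdomain
    ("http://download.com.evil.example/", False),       # blocked name as a prefix
    ("http://download.com@evil.example/", False),       # blocked name in userinfo
    ("http://198.51.100.10/", False),                   # direct IP: no name to match
]


def verdicts(urls=SAMPLE_URLS):
    """Compare both matchers; returns {url: (naive, host_based)}."""
    return {url: (naive_blocked(url), is_blocked(url)) for url, _ in urls}


if __name__ == "__main__":
    for url, (naive, proper) in verdicts().items():
        print(f"naive={naive!s:5} host={proper!s:5} {url}")
```

The last sample is the remaining gap: a name-based list says nothing about a user who types the site's IP address, which is why a perimeter filter wants the resolved addresses (or a proxy that forces all web traffic through name resolution it controls) alongside the domain list.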
-
- Posts: 2941
- Joined: Fri Mar 17, 2000 8:00 am
[quote="Kracus"]I wouldn't let them install anything that isn't installed by me. It's tough to do with all those web programs but once you determine what's needed for the business to run you just make sure nothing else gets in.[/quote]
you gotta read man....
there are way too many employees that need to swap software versions on a minute's notice, we don't have the staff to do that every day. we're down to about 1 idiot outbreak a week, which is not bad compared to how it used to be.
-
- Posts: 22175
- Joined: Sun Oct 14, 2001 7:00 am
[quote="Giraffe }{unter"][quote="Kracus"]I wouldn't let them install anything that isn't installed by me. It's tough to do with all those web programs but once you determine what's needed for the business to run you just make sure nothing else gets in.[/quote]
you gotta read man....
there are way too many employees that need to swap software versions on a minute's notice, we don't have the staff to do that every day. we're down to about 1 idiot outbreak a week, which is not bad compared to how it used to be.[/quote]
How many people do you have who need to swap software versions? Are these in-house produced pieces of software? Are they supporting it within the business, or talking to members of the public?
Have you looked into VMWare and/or Citrix/Terminal server as a solution to this problem? It's pretty easy to set up a clump of 10-20 old desktop machines with Windows XP Pro loaded on and a different version of the software on each.
-
- Posts: 2941
- Joined: Fri Mar 17, 2000 8:00 am
>>> http://enterprisesecurity.symantec.com/ ... ductID=540
[quote="Cool Blue"]A SINGLE proper perimeter appliance would filter ALL of this.
By default, all corporate network traffic should be blocked unless deemed necessary to operate (mail, web, ftp, etc. are the only protocols that should be allowed to get through your gateway). Why? Because it's corporate. In an enterprise environment, security and reliability are the primary objectives, and therefore should be put above user convenience all the time.[/quote]
Veto by the VP
[quote="Cool Blue"]To begin with, users DO NOT EVER need to install their own apps. I've worked on several huge networks where the users couldn't install shit without an admin. As a direct result, there were almost no user created problems from crap, non-corporate software.[/quote]
they do, reason posted in this thread
[quote="Cool Blue"]Users should have standardized software packages installed on their machine allowing them to perform all the functions of their job. Any program after that is gravy and therefore not IT's problem.[/quote]
this isn't your standard IT department. everything is our problem in a company where they are creating and inventing high end technology, with show deadlines. we cannot limit our engineers in any way; if they install 30 porn dialers and it takes us 2 hours to remove, it is our fault it took so long, it's our fault we let him do it, and it is our fault if we slow him down by putting restrictions on his user rights
[quote="Cool Blue"]Sorry G}{, but Tormentius is right, your firm should be standardizing your policies and software, specifically to address the problem you face right now. Now I know you're thinking, 'your situation is different from everybody else's' but it's not. :P We ALL (net admins) have special needs users and special circumstances, but we learn to fit them into the plan, even though the user might not always have it the way they want, when they want it. It's just too bad.
When addressing issues like this Mike, you need to consider what the primary objective is; the user's convenience or the corporate network's well-being?
Pandering to the end user always ends in trouble. They know DICK, that's why they pay us to tell them what to do with their networks.
My opinion anyway.
But if your hands are truly tied, here's my two cents:
This device would allow you to filter traffic at the perimeter and allow you to set individual user profiles defining their internet usage ability:
http://www.watchguard.com/products/x2500.asp[/quote]
see below, I am working on a few of these bad boys
[quote="Cool Blue"]Installed with the upgraded software image, Fireware Pro, it can perform some insanely finite configurations and monitoring. Combine that with the optional Web Blocker software, and it can filter content, URLs, IPs, networks, etc from the perimeter.
This device is top notch. Sounds perfect for what you need G}{.[/quote]
-
- Posts: 2941
- Joined: Fri Mar 17, 2000 8:00 am
[quote="Foo"][quote="Giraffe }{unter"][quote="Kracus"]I wouldn't let them install anything that isn't installed by me. It's tough to do with all those web programs but once you determine what's needed for the business to run you just make sure nothing else gets in.[/quote]
you gotta read man....
there are way too many employees that need to swap software versions on a minute's notice, we don't have the staff to do that every day. we're down to about 1 idiot outbreak a week, which is not bad compared to how it used to be.[/quote]
How many people do you have who need to swap software versions? Are these in-house produced pieces of software? Are they supporting it within the business, or talking to members of the public?
Have you looked into VMWare and/or Citrix/Terminal server as a solution to this problem? It's pretty easy to set up a clump of 10-20 old desktop machines with Windows XP Pro loaded on and a different version of the software on each.[/quote]
That's a whole other debate. we set them up with a few laptops with fresh windows installs on them to test their software.
How great is that one laptop with an image of
Windows 95
Windows 98
Windows ME
Windows 2000
Windows XP and it takes 10 minutes tops to restore any clean image they want. They complained it took too long to set up :icon19:
-
- Posts: 22175
- Joined: Sun Oct 14, 2001 7:00 am
[quote="Giraffe }{unter"]this isn't your standard IT department. everything is our problem in a company where they are creating and inventing high end technology, with show deadlines. we cannot limit our engineers in any way; if they install 30 porn dialers and it takes us 2 hours to remove, it is our fault it took so long, it's our fault we let him do it, and it is our fault if we slow him down by putting restrictions on his user rights[/quote]
that's pretty lax. any spyware detected and the machine gets a brand new image, no ifs, ands, or buts. we don't have two hours to get rid of spyware, the box just gets yanked from the network.
also, we rebuild every one of our laptops that gets checked out for offsite use upon return. the hard drive is wiped before being put back on the network, then SMS shoves a new image on it.
-
- Posts: 22175
- Joined: Sun Oct 14, 2001 7:00 am
[quote="Giraffe }{unter"][quote="rep"][quote="Giraffe }{unter"]Part of the problem is streaming music, it's kicking the crap out of our T3 line. That and eDonkey, torrents, P2P apps etc.[/quote]
I think the P2P stuff is your trouble. If there are 20 employees all listening to different 128kbps shoutcast stations, that's not all that much bandwidth.[/quote]
Try like 200+
We had one guy sucking up some serious bandwidth last year running an eDonkey server... When we shut him down there were over 230 simultaneous downloads going on...
Sucked for him on Monday morning[/quote]
rofl, he still works there?
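The traffic pattern in the exchange above, as an added example that is not part of any post: a per-host sweep over a flow log that reports peak simultaneous connections and sustained rate, which is how an eDonkey server (many concurrent peers, steady upload) and a shoutcast listener (one connection at a time, low rate) separate in the data. The log format, the sample records and the thresholds are constructed; the streaming host is built to come out at the 128 kbit/s figure rep quotes, so 20 of them would be about 2.5 Mbit/s against a T3.

```python
"""Find the bandwidth hog in a flow log: peak concurrent connections and rate.

Added example, not code from the thread. The flow-record format and the
sample log are constructed; the thresholds are assumptions.
"""
from collections import defaultdict

# Constructed sample, one flow per line: start_s,end_s,src,dst,dport,bytes
# 10.1.2.9 serves five overlapping eDonkey peers; 10.1.2.3 plays shoutcast
# streams one after another; 10.1.2.4 does a single short https fetch.
SAMPLE_LOG = """\
0,600,10.1.2.9,203.0.113.5,4662,52428800
10,600,10.1.2.9,203.0.113.6,4662,41943040
20,600,10.1.2.9,203.0.113.7,4662,31457280
30,600,10.1.2.9,203.0.113.8,4662,20971520
40,600,10.1.2.9,203.0.113.9,4662,10485760
0,200,10.1.2.3,198.51.100.10,8000,3200000
200,400,10.1.2.3,198.51.100.11,8000,3200000
400,600,10.1.2.3,198.51.100.12,8000,3200000
0,5,10.1.2.4,198.51.100.20,443,20000
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        start, end, src, dst, dport, nbytes = line.split(",")
        flows.append((int(start), int(end), src, dst, int(dport), int(nbytes)))
    return flows


def peak_concurrent(flows):
    """Sweep-line per source host: the most connections open at any one instant."""
    events = defaultdict(list)
    for start, end, src, _dst, _dport, _nbytes in flows:
        events[src].append((start, 1))
        events[src].append((end, -1))   # (t, -1) sorts before (t, +1): no double count
    peak = {}
    for src, evs in events.items():
        open_now = best = 0
        for _, delta in sorted(evs):
            open_now += delta
            best = max(best, open_now)
        peak[src] = best
    return peak


def average_rate_kbps(flows):
    """Bytes per source host spread over that host's active window, in kbit/s."""
    total = defaultdict(int)
    first = {}
    last = {}
    for start, end, src, _dst, _dport, nbytes in flows:
        total[src] += nbytes
        first[src] = min(first.get(src, start), start)
        last[src] = max(last.get(src, end), end)
    return {src: total[src] * 8 / max(last[src] - first[src], 1) / 1000 for src in total}


def flag_hogs(flows, peer_limit=4, rate_limit_kbps=1000):
    """Hosts that exceed either threshold, with the reasons: {src: [reason, ...]}."""
    peaks = peak_concurrent(flows)
    rates = average_rate_kbps(flows)
    flagged = {}
    for src in peaks:
        reasons = []
        if peaks[src] > peer_limit:
            reasons.append(f"{peaks[src]} simultaneous connections")
        if rates[src] > rate_limit_kbps:
            reasons.append(f"{rates[src]:.0f} kbit/s sustained")
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for src, reasons in flag_hogs(flows).items():
        print(src, "->", "; ".join(reasons))
```

Concurrency is the more telling signal: a legitimate desktop rarely has more than a handful of outbound connections to distinct peers open at once, so the peer count catches a P2P server even when its throughput is throttled below any rate threshold.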
-
- Posts: 4755
- Joined: Mon Oct 22, 2001 7:00 am
[quote="Giraffe }{unter"][quote="Foo"][quote="Giraffe }{unter"]you gotta read man....
there are way too many employees that need to swap software versions on a minute's notice, we don't have the staff to do that every day. we're down to about 1 idiot outbreak a week, which is not bad compared to how it used to be.[/quote]
How many people do you have who need to swap software versions? Are these in-house produced pieces of software? Are they supporting it within the business, or talking to members of the public?
Have you looked into VMWare and/or Citrix/Terminal server as a solution to this problem? It's pretty easy to set up a clump of 10-20 old desktop machines with Windows XP Pro loaded on and a different version of the software on each.[/quote]
That's a whole other debate. we set them up with a few laptops with fresh windows installs on them to test their software.
How great is that one laptop with an image of
Windows 95
Windows 98
Windows ME
Windows 2000
Windows XP and it takes 10 minutes tops to restore any clean image they want. They complained it took too long to set up :icon19:[/quote]
hehe. That's the right approach though. the key paradigm is that if the company requires an IT facility which is badly thought out and unreasonable to yourself, you implement it and give the lion's share of responsibility to the people who clamoured for it.
Good example: we recently had a SAP implementation set up across the whole company. I've subtly refused to touch it. We have 'super users' who are responsible for creating users, and all other admin tasks surrounding the system. The system is massive and would be a huge burden if we took it on. This way, all I have to worry about is an ICA deployment which is, (thank you Citrix) completely painless. And does this shifting of responsibility take any control out of the hands of IT? No... the system is an administrative mistake to begin with, as I mentioned at the start.
-
- Posts: 2941
- Joined: Fri Mar 17, 2000 8:00 am
[quote="+JuggerNaut+"][quote="Giraffe }{unter"][quote="rep"]I think the P2P stuff is your trouble. If there are 20 employees all listening to different 128kbps shoutcast stations, that's not all that much bandwidth.[/quote]
Try like 200+
We had one guy sucking up some serious bandwidth last year running an eDonkey server... When we shut him down there were over 230 simultaneous downloads going on...
Sucked for him on Monday morning[/quote]
rofl, he still works there?[/quote]
Yup, believe it or not....
-
- Posts: 22175
- Joined: Sun Oct 14, 2001 7:00 am
[quote="+JuggerNaut+"]that's pretty lax. any spyware detected and the machine gets a brand new image, no ifs, ands, or buts. we don't have two hours to get rid of spyware, the box just gets yanked from the network.
also, we rebuild every one of our laptops that gets checked out for offsite use upon return. the hard drive is wiped before being put back on the network, then SMS shoves a new image on it.[/quote]
What imaging solution are you using, SUS? Asking because Norton Ghost 9 still leaves us with some after-configuration to do on the user profile. Not even sure why.
-
- Posts: 22175
- Joined: Sun Oct 14, 2001 7:00 am
[quote="Foo"][quote="+JuggerNaut+"]in all honesty GH, i feel bad for you. i would never be able to work in that kind of zoo.[/quote]
I fucking love a challenge. Especially if there's power in reserve to actually make changes.[/quote]
that's beyond a challenge. just look at Mr. eDonkey. he still works there? that's incredible. you can't have that kind of employee in a corporate environment. at least not on your network.
-
- Posts: 2941
- Joined: Fri Mar 17, 2000 8:00 am
[quote="Foo"]hehe. That's the right approach though. the key paradigm is that if the company requires an IT facility which is badly thought out and unreasonable to yourself, you implement it and give the lion's share of responsibility to the people who clamoured for it.[/quote]
Well that's similar to what I am looking to do. before I started there were virus outbreaks on a regular basis, I got tossed into fixing them and decided why not prevent them. Norton Antivirus Corporate was the available weapon and in about a year every PC was protected, and connected to a central monitoring console. Mail servers were then locked down, which caused a riot, but since the respect I gained from all the higher ups who were no longer losing months of work due to a virus, they had a feeling this was necessary. The problem is I get slack for a few months for every change until people realize "holy crap" he was right...
I'm getting the managers to take responsibility for their looseness, and they complain much less about downtime. I just wish there was a way to catch it before it happens.
Let's compare my company to an average household.
The VPs = daddy
ME = the Big Brother
Users = my 999 12 year old daughters
Computers = Wide open PCs
Without limiting their access to backstreetboys.com, what can you do to prevent their computers from getting destroyed without actually touching them? Because if you touch them, they scream and daddy gets pissed off.
[quote="+JuggerNaut+"][quote="Foo"][quote="+JuggerNaut+"]in all honesty GH, i feel bad for you. i would never be able to work in that kind of zoo.[/quote]
I fucking love a challenge. Especially if there's power in reserve to actually make changes.[/quote]
that's beyond a challenge. just look at Mr. eDonkey. he still works there? that's incredible. you can't have that kind of employee in a corporate environment. at least not on your network.[/quote]
I know what you're saying, but hell yes, that's the kind of FUBAR place I'm talking about. I thrive on that kind of thing.