+JuggerNaut+ wrote:in all honesty GH, i feel bad for you. i would never be able to work in that kind of zoo.
I fucking love a challenge. Especially if there's power in reserve to actually make changes.
I love my job, man. The challenges, the money, the toys, the power, the hours, and the team I work with make all the silly user problems just something to worry about until 5:30 pm; then I hop in my car and forget about everything till the morning, unless my BlackBerry goes off.
+JuggerNaut+ wrote:in all honesty GH, i feel bad for you. i would never be able to work in that kind of zoo.
I fucking love a challenge. Especially if there's power in reserve to actually make changes.
I love my job, man. The challenges, the money, the toys, the power, the hours, and the team I work with make all the silly user problems just something to worry about until 5:30 pm; then I hop in my car and forget about everything till the morning, unless my BlackBerry goes off.
Sorry, but that doesn't sound like a corporate environment.
Foo wrote:
Hehe. That's the right approach, though. The key paradigm is that if the company requires an IT facility which is badly thought out and unreasonable to yourself, you implement it and give the lion's share of the responsibility to the people who clamoured for it.
Well, that's similar to what I am looking to do. Before I started there were virus outbreaks on a regular basis; I got tossed into fixing them and decided, why not prevent them? Norton Antivirus Corporate was the available weapon, and in about a year every PC was protected and connected to a central monitoring console. Mail servers were then locked down, which caused a riot, but given the respect I gained from all the higher-ups who were no longer losing months of work due to a virus, they had a feeling this was necessary. The problem is I get slack for a few months for every change until people realize "holy crap, he was right"...
I'm getting the managers to take responsibility for their looseness, and they complain much less about downtime. I just wish there was a way to catch it before it happens.
Let's compare my company to an average household.
The VPs = daddy
Me = the big brother
Users = my 999 12-year-old daughters
Computers = wide-open PCs
Without limiting their access to backstreetboys.com, what can you do to prevent their computers from getting destroyed without actually touching them? Because if you touch them, they scream and daddy gets pissed off.
Hire me. I'm serious. H-I-R-E M-E.
I don't like being anyone's bitch, but I'll be yours if this is genuinely how you conduct business.
Fuck me, I'll even move to yankeeland for a job opportunity* like that.
*just because you hire me doesn't mean I'll learn to type.
"Maybe you have some bird ideas. Maybe that’s the best you can do."
― Terry A. Davis
So lock all your ports down except the ports necessary for operations, then. That will drop your traffic load in half.
Then implement content filtering, banning all non-corporate/business-required/related sites.
Then implement logging and monitor which users abuse the privilege. Log and generate reports to show their activity, and then talk with them or their supervisor about it, asking for a behavior change.
+JuggerNaut+ wrote:
That's beyond a challenge. Just look at Mr. eDonkey. He still works there? That's incredible. You can't have that kind of employee in a corporate environment, at least not on your network.
Mr. eDonkey is actually a friend of mine. I told you the company is lenient, especially with people with valuable brain power.
So lock all your ports down except the ports necessary for operations, then. That will drop your traffic load in half.
Then implement content filtering, banning all non-corporate/business-required/related sites.
Then implement logging and monitor which users abuse the privilege. Log and generate reports to show their activity, and then talk with them or their supervisor about it, asking for a behavior change.
Exactly my idea. Until I nail the budget for this device, is there monitoring software to keep an eye on multiple VLANs from one location? All requests, from specified ports?
Kracus wrote:I wouldn't let them install anything that isn't installed by me. It's tough to do with all those web programs, but once you determine what's needed for the business to run, you just make sure nothing else gets in.
You gotta read, man...
There are way too many employees that need to swap software versions on a minute's notice; we don't have the staff to do that every day. We're down to about 1 idiot outbreak a week, which is not bad compared to how it used to be.
Ah, I thought it was more like an office-type setting where the employees don't need to install shit. If it's needed, then the solution is to train your employees better if they're required to have that level of access. There's no stopping computers from getting bogged down, unfortunately. You can decrease the amount of time by limiting access to what can be installed, but eventually it will need to be serviced. But don't fret, your job probably depends on it anyway.
+JuggerNaut+ wrote:in all honesty GH, i feel bad for you. i would never be able to work in that kind of zoo.
I fucking love a challenge. Especially if there's power in reserve to actually make changes.
I love my job, man. The challenges, the money, the toys, the power, the hours, and the team I work with make all the silly user problems just something to worry about until 5:30 pm; then I hop in my car and forget about everything till the morning, unless my BlackBerry goes off.
Haha. Nothing like having your problems PUSHED to you. Thanks, BlackBerry.
"Maybe you have some bird ideas. Maybe that’s the best you can do."
― Terry A. Davis
+JuggerNaut+ wrote:
That's beyond a challenge. Just look at Mr. eDonkey. He still works there? That's incredible. You can't have that kind of employee in a corporate environment, at least not on your network.
Mr. eDonkey is actually a friend of mine. I told you the company is lenient, especially with people with valuable brain power.
Running a server off of a corporate network = brains? Please.
Kracus wrote:If it's needed, then the solution is to train your employees better if they're required to have that level of access. There's no stopping computers from getting bogged down, unfortunately. You can decrease the amount of time by limiting access to what can be installed, but eventually it will need to be serviced. But don't fret, your job probably depends on it anyway.
There's a cost involved in training users 'up'. Always. That's not just the simple training costs, either. Sadly, the reality of being a network bod is that if something you believe needs doing has to be done, you're solely responsible for not only deploying it, but being the only bastard who knows what it's all about.
The rest of the job is about taking people (non-it) for a ride safe in the knowledge that what you're doing is right and they don't know it.
Which is not the same as being an IT-Nazi.
"Maybe you have some bird ideas. Maybe that’s the best you can do."
― Terry A. Davis
So lock all your ports down except the ports necessary for operations, then. That will drop your traffic load in half.
Then implement content filtering, banning all non-corporate/business-required/related sites.
Then implement logging and monitor which users abuse the privilege. Log and generate reports to show their activity, and then talk with them or their supervisor about it, asking for a behavior change.
Exactly my idea. Until I nail the budget for this device, is there monitoring software to keep an eye on multiple VLANs from one location? All requests, from specified ports?
All the ones I see need to be on a specific VLAN to work.
I'm not sure what you're using to segregate your LAN. I use Cisco appliances which allow traffic logging from the device itself. I'm not sure if yours do or not.
Ports-wise: ALL of them. It's not about what to block, but what to leave open.
Not knowing your exact needs, off the top of my head, you should keep open (and mapped to the correct servers):
20-21 for FTP
80 for web
25/110 for mail (SMTP/POP)
500/1723 for VPN connections (if you have any)
3389 for RDP (Remote Desktop, if you use it to admin any of your servers from outside your network)
Those are the standard ports used by all your common network services. Blocking all but those ports would stop all P2P traffic on your network while allowing all your essential services to run completely unaffected by the filter.
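The three-step plan above (allowlist the ports operations need, filter content, then log and report on who abuses what) and the port list that goes with it, as an added example that is not code from the thread or from any poster. It models an ordered access list with first-match semantics and an implicit deny, the way a Cisco extended ACL is evaluated, runs it over constructed flow records, and builds the per-user denial report the thread suggests taking to a supervisor. The addresses, host roles, user names and the eDonkey ports (4662/tcp, 4672/udp) used in the records are assumptions for illustration. The example goes one step further than the post's list in two ways a practitioner would want: only the mail server may send SMTP outbound, so a workstation spraying mail on port 25 is denied and shows up in the report, and inbound rules are pinned to the specific servers that provide each service rather than to "any". One caveat in my own words: a port allowlist only stops traffic on ports it does not permit; a P2P client or anything else that falls back to 80/443 passes it, which is why the proxy and content filtering suggested in this thread still matter.

```python
"""Egress/ingress port allowlist evaluated over constructed flow records.

Added example (not from the thread). Ordered rules, first match wins,
implicit deny at the end, like a Cisco extended ACL. Then a per-user
report of what got denied. All addresses, hosts and users are assumed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "ip" (any protocol)
    src: str              # source network in CIDR; "0.0.0.0/0" = any
    dst: str              # destination network in CIDR
    dport: Optional[int]  # destination port; None = any port

    def matches(self, flow: dict) -> bool:
        return (
            self.proto in ("ip", flow["proto"])
            and ip_address(flow["src"]) in ip_network(self.src)
            and ip_address(flow["dst"]) in ip_network(self.dst)
            and (self.dport is None or self.dport == flow["dport"])
        )


ANY = "0.0.0.0/0"
LAN = "10.0.0.0/8"          # assumed internal range
MAIL = "10.1.1.25/32"       # assumed mail server
WEB = "10.1.1.80/32"        # assumed web server
ADMIN_RDP = "10.1.1.39/32"  # assumed host admins reach over RDP from outside

# Outbound list for traffic leaving the LAN. Same ports as the thread's list
# (500/udp is IKE for IPsec, 1723/tcp is PPTP control). Only the mail server
# may send SMTP out, so an infected workstation on port 25 is denied.
OUTBOUND = [
    Rule("permit", "tcp", LAN, ANY, 20), Rule("permit", "tcp", LAN, ANY, 21),
    Rule("permit", "tcp", LAN, ANY, 80), Rule("permit", "tcp", LAN, ANY, 443),
    Rule("permit", "tcp", MAIL, ANY, 25),
    Rule("permit", "udp", LAN, ANY, 500), Rule("permit", "tcp", LAN, ANY, 1723),
    Rule("deny", "ip", ANY, ANY, None),  # the implicit deny, written out so it logs
]

# Inbound list: only the mapped services, only on the hosts that provide them.
INBOUND = [
    Rule("permit", "tcp", ANY, WEB, 80),
    Rule("permit", "tcp", ANY, MAIL, 25),
    Rule("permit", "tcp", ANY, MAIL, 110),
    Rule("permit", "tcp", ANY, ADMIN_RDP, 3389),
    Rule("deny", "ip", ANY, ANY, None),
]


def parse_flow(line: str) -> dict:
    """Parse one constructed 'key=value' flow record into a dict."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["dport"] = int(fields["dport"])
    return fields


def decide(acl: list[Rule], flow: dict) -> str:
    """First-match evaluation; anything that matches no rule is denied."""
    for rule in acl:
        if rule.matches(flow):
            return rule.action
    return "deny"


def deny_report(acl: list[Rule], lines: list[str]) -> dict[str, Counter]:
    """Per-user counts of denied proto/port pairs, i.e. the report to take upstairs."""
    report: dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        flow = parse_flow(line)
        if decide(acl, flow) == "deny":
            report[flow["user"]][f'{flow["proto"]}/{flow["dport"]}'] += 1
    return dict(report)


# Constructed records, not real traffic.
SAMPLE_OUTBOUND = [
    "user=alice src=10.2.0.11 dst=198.51.100.7 proto=tcp dport=80",
    "user=alice src=10.2.0.11 dst=198.51.100.7 proto=tcp dport=443",
    "user=bob src=10.2.0.12 dst=203.0.113.9 proto=tcp dport=4662",  # eDonkey (assumed port)
    "user=bob src=10.2.0.12 dst=203.0.113.9 proto=tcp dport=4662",
    "user=bob src=10.2.0.12 dst=203.0.113.9 proto=udp dport=4672",
    "user=carol src=10.2.0.13 dst=192.0.2.44 proto=tcp dport=25",   # workstation sending mail directly
    "user=mailsvc src=10.1.1.25 dst=192.0.2.44 proto=tcp dport=25",
    "user=dave src=10.2.0.14 dst=192.0.2.10 proto=udp dport=500",
]

if __name__ == "__main__":
    for line in SAMPLE_OUTBOUND:
        print(f"{decide(OUTBOUND, parse_flow(line)):6} {line}")
    for user, ports in deny_report(OUTBOUND, SAMPLE_OUTBOUND).items():
        print(user, dict(ports))
```

Running it prints a permit/deny verdict per record and then the report, which for the constructed input names bob (eDonkey on 4662/4672) and carol (direct SMTP from a workstation) and nobody else. Deploying the same policy on the Cisco gear the thread mentions means writing each `Rule` as a line of an extended access list applied to the LAN interface; the first-match and implicit-deny behaviour modelled here is what the router does.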
I wouldn't just block those at the firewall level. I'd go one step further and use a proxy. Even if it costs 40 grand.
Of course, that's an ideal. If 40 grand isn't in your job-role budget, a cheaper bobajob proxy would be my vouch, except for specific, uh, exceptions (group policy, remember).
"Maybe you have some bird ideas. Maybe that’s the best you can do."
― Terry A. Davis
Kracus wrote:If it's needed, then the solution is to train your employees better if they're required to have that level of access. There's no stopping computers from getting bogged down, unfortunately. You can decrease the amount of time by limiting access to what can be installed, but eventually it will need to be serviced. But don't fret, your job probably depends on it anyway.
There's a cost involved in training users 'up'. Always. That's not just the simple training costs, either. Sadly, the reality of being a network bod is that if something you believe needs doing has to be done, you're solely responsible for not only deploying it, but being the only bastard who knows what it's all about.
The rest of the job is about taking people (non-it) for a ride safe in the knowledge that what you're doing is right and they don't know it.
Which is not the same as being an IT-Nazi.
So they say. It does cost time, which in turn does cost money, and depending on the size of the company it can be difficult, but I think worthwhile in the long run, especially since it can be integrated with the training given to any corporate employee that's hired. At least that's how it's done around here. The only job you don't need training for is one you're fully qualified for, in which case this wouldn't be a problem either. I more or less suspect the people he's talking about, though, are probably trained when they begin.
I'm not saying it's a perfect world, but I remember when I was network admin for the local school I did train the staff on what to do and what not to do. Everyone didn't always listen to what I said, mind you, but a lot did, and it helped curb others from repeating their mistakes. I dunno, it's all unique; certain things apply in certain situations, but if I had a situation where installing programs was a requirement for the job, I'd definitely list what's acceptable to install and what's not, and failure to adhere to these standards would result in corrective action if it seems to be a regular occurrence.
riddla wrote:A much easier solution is to use a firewall that has access lists. I can access anything I want, but my users can only use ports 80, 443, 25, 110 and a couple of other custom ports. This alone cuts out a lot of the crap like file sharing and music streaming without me getting into the true Nazi-istic nature of my network.
You are right, I did miss the post. I went that route once last year. We use all Cisco routers, so it wasn't an issue of HOW to do it; I can't remember why we couldn't do it... I'm gonna look into it again.
PhoeniX wrote:Also force them to use Firefox. I think you can probably get things to force iexplore.exe to load Firefox too; that should fix most of the spyware problems.
The reason that Firefox isn't usually used in corporate networks is because it isn't anywhere near ready for the enterprise yet. Updates are clumsy, there aren't any policies to control it, and it doesn't integrate with Active Directory like IE does.
By the way a simple registry entry (distributed via startup script) or changing one flag in Group Policy will disable ActiveX in IE completely. No additional software to support and a reduced learning curve for staff = cost savings.
PhoeniX wrote:Also force them to use Firefox. I think you can probably get things to force iexplore.exe to load Firefox too; that should fix most of the spyware problems.
The reason that Firefox isn't usually used in corporate networks is because it isn't anywhere near ready for the enterprise yet. Updates are clumsy, there aren't any policies to control it, and it doesn't integrate with Active Directory like IE does.
My thoughts exactly, but I didn't feel like starting that argument.
By the way a simple registry entry (distributed via startup script) or changing one flag in Group Policy will disable ActiveX in IE completely. No additional software to support and a reduced learning curve for staff = cost savings.
Sadly, ActiveX is needed for our admin console. One piece of our equipment monitors who is on the phone and who is available and reports it to a web page that uses ActiveX.
But seriously. Firefox IS ready for enterprise, but enterprise locked themselves out of using Firefox because they blindly accepted ActiveX as a standard platform. Stupid? Fucking too right, but it doesn't matter. What matters now is dealing with it.
"Maybe you have some bird ideas. Maybe that’s the best you can do."
― Terry A. Davis