
It's Not Your &#%*@$ Computer!

February 11, 2009, 12:21 PM

If Jon Stewart said this on The Daily Show, it would come out “It's not your F-beeeep computer!” I say "It's Not Your &#%*@$ Computer!" because beeps don't come out well in print. But the thought is the same: they may be called “personal” computers, but employees do NOT own the computer on their desk or in their briefcase. If the company provides the computer, the company owns the computer and has the sole right to decide how the employee uses that computer and what software can be loaded.

This discussion started a couple of days ago when I made mention of Computerworld's story "Removing Admin Rights Stymies 92% of Microsoft's Bugs." When users don't have administrative rights to the Windows operating system, many spyware attacks, viruses, and other security breaches are thwarted.

As usual, some readers agree and some disagree. The argument for letting users add their own software is "productivity": users find their own software tools to enhance their personal working environment. Sorry, but that's a crock of beeeep. Do users who drive company delivery vehicles get to choose the color and rims on the vehicle? Do users bring in their own chairs and desks and demand the company pay for and support them? No, and no, and they shouldn't continue to believe they control how to use their "personal" computer.

Ask your lawyer, and you'll learn employees have no control over the tools of their workspace. Worse, employees have absolutely no legal expectation of privacy when using company equipment, which is why users can't complain when companies read employee e-mails and check disk contents. If the company provides it, they legally control how the employee uses it. Period.

Some readers missed my point about control. I didn't mandate all computers be configured the same way, because you need different tools for different jobs. But once the system is set, the user shouldn't have rights to change it. I said nothing about eliminating new programs that may help, just that IT should install them, not the user. Some groups, like IT, will certainly need full administrative rights to at least some of their computers for testing and troubleshooting. But does an accounting clerk need the ability to install a new kitty screensaver from Viruses-R-Us.com? Absolutely not.

One comment came from an IT consultant who tries to convince clients to lock down their systems. Those that follow that good advice "have fewer problems and lower support bills to prove it." One client had no virus- or spyware-related support incident in over three years. How's that for an endorsement? Can your company say the same?

Another IT person took the Computerworld article to upper management. Guess what? Idiot vice presidents said no, and reiterated their instructions giving all users full administrative rights. As an IT person, you can only remember the wise words of science fiction writer Larry Niven: "Not responsible for advice not taken."

Idiot vice presidents always trump IT. Write that in stone beside "the sun rises in the east" because they're both absolutely true.

Comments

Amen and amen

Our users haven't been admins for years. Duh!

It's a business decision

VPs aren't necessarily idiots because you don't like the point on the security vs flexibility tradeoff spectrum that they've chosen. Virus infections and malware have costs; locking down computers to everyone but IT also has costs. If users know they will have to go through some (inevitably under-resourced and overbooked and slow) IT department to get new software installed, they will often not bother, even if that software would have helped them get their jobs done better.

As security professionals we tend to see only one side of the equation. Certainly there are places that could and should lock down their company-owned machines, but don't do so due to cluelessness or laziness; but there are others where, although it would reduce the amount of malware, it would have a net negative effect on the bottom line. Business is not, after all, just about malware prevention...

It Needs to be a "Smart" Business Decision

Naturally, users will perceive that going through IT to install software is one additional "hop" to getting what they need done. (Because at home, _THEY ARE_ the computer expert.) This is a common perception whether "IT response time" is acceptable to the business or not. And the excuse that "I could get this done quicker without IT involvement" ends up costing the company more than it bargained for in damages and lost productivity.

Maybe the user would like to explain to the VP (the VP who also supports admin rights to users) why it cost the company over 100k to clean up their mess (errr, security incident) that was created when "said user" decided to install some questionable software on their system?...all in the name of "efficiency". Then, they BOTH can explain to the CEO. (While the CISO, sitting next to the CEO, smirks.) (The VP needs an education)

You can pay me now (by following good processes/policies) or pay A LOT later by ignoring good processes/policies.

Yes, there is a balance between flexibility and security. But in my experience, they BOTH can normally be met. (Normally there's a "cop-out" when both objectives can't be met.)

GOOD processes and good policies are not optional. Further, both have good "business decisions" behind them. Security should no longer be viewed as "counter" to productivity but as an asset to productivity. Once you're both on the same page, it works pretty well.