A friend sent me the following screenshot tonight. Yes, the combination of advertisement and topic is funny, and ironic, but the article itself is also very good reading (btw, the jury is out regarding the advertisement.. despite my best efforts, I couldn't get that particular advertisement to appear) (a discussion about the article continues below the graphic).
<<shudder>> Google toolbar
<<shudder>> No IE7
<<shudder>> ICQ!!
The article itself is an in-depth discussion about corporate network security from the perspective of what we should or should not allow users to do, and how various IT administrators handle what can be a very sensitive topic (how do you tell the managing partner that he cannot have whatever free software application it is that he wants to download).
As the article points out, the "philosophical and management questions are harder to answer than the technological solutions".
My personal opinion is that I don't want to upset staff, but at the same time I don't want (nor do I have time) to spend every second day cleaning malware off a machine or trying to work around whatever weird side effect is being experienced by a user who just has to have whatever freeware it is that he has installed. I deal with a mix of users from both ends of the computer-skills spectrum, whether it be the user who thinks their computer is broken because the monitor is turned off, or the more savy user who knows just enough to be confident (and therefore less than cautious and dangerous) and sometimes I take a lot of heat for taking a position on the cutting edge of security thinking.
Discussion and disagreement can become as granular as the question of whether we should set Internet Explorer's Internet Zone to High or Medium-High/Medium. I look at this question from the perspective of the current environment, at developing risks and attack trends and adjust my behavior to suit not only the improving security in our software, but in anticipation of a problem I see developing. The growing trend towards compromising legitimate sites with a goal of infecting visitors is one such problem (hence the danger of throwing too many sites into the Trusted Zone).
My personal feeling is that with a fully patched XP machine running the latest version of IE, properly firewalled and with appropriate antimalware/antispyware protection in situ, that running machines at Medium-High is actually safer than running at High Security (which forces users to add virtually every site they visit to IE's Trusted Zone, thereby negating much of the progress that has been made in Browser security). Forcing our users into unsafe behaviour can never be a good thing, especially when I know that they cannot differentiate between dangerous and safe sites - if you tell such people to fix *one* issue by adding a site to the Trusted Zone they will then proceed to add every site they encounter to the same zone.. after all, it worked on Site X, therefore it should also work on come-and-look-at-the-dancing-pigs.com - then there is the problem of popular sites being compromised by hackers injecting hostile code into the Web pages of reputable sites - if a compromised site in your trusted zone is compromised, you're screwed.
The Trusted Zone is meant for sites that you trust not to damage your computer or your files; it was never meant to to be used for every site that you want to visit because your Internet Zone security settings are too damned high.. see the difference?
Anyway, back to the article... the opinions touted are many and varied. I won't repeat them here, but will leave you the pleasure of reading the article for yourself.
One thing that did make me look twice was this comment:
"One way to control the environment is to use hosted systems, such as Citrix, with thin clients. For example, one IT professional who works in a government branch in Norway has about 6,000 employees: "Every one uses a Citrix client. Hard to install apps there." The paper pushers browse the Internet through a Citrix gateway."
Ok, sensitive topic here. Citrix with thin clients can be a security solution, yes, unless everybody is connecting to the Terminal Server using Remote Desktop, and they're all DOMAIN ADMINS!!! Disclaimer: I did not set up the network mentioned in my blog post. I did not hire the people who set up that network. The company that set up that network, and those that came after who were not willing or able to take the hard road and improve security are no longer on site. The compromised server has been decommissioned, NOBODY is domain admin anymore and guess what... nothing was broken by taking away domain admin rights, so why the hell were such rights granted to every employee, irrespective of role or rank, in the first place??? I tell ya, sometimes what passes for professional IT support makes me despair.
Also, Citrix with thin clients is fine, until the Terminal Server goes down and you have no redundancy available. If the TS goes down and you don't have an alternative NOBODY works. The chances of an entire office of desktops going down at exactly the same time is, what, nil and buckleys? Every time I hear of Citrix being pimped to a business with 20 or so employees, and no road warriors who need any more than the ability to read their emails, and when Citrix is seen as no more than a way to defer the purchase of new desktops, I cringe, because you can bet that those poor sods will have been sold *one* terminal server (and probably a cheap as chips white box, at that). Tell me something guys, are we *really* suggesting what is best for the client here, or do we have an eye on the required sales to maintain our Citrix reseller licence? Do them a favour and offer them SBS with Remote Web Workplace instead. Hell, if they already have SBS, at least tell them that RWW exists!!!
Now for solutions mentioned in that article ... I tell you, there are some nightmare stories out there... but what's up with this??
"Glue can be your friend." If you're really serious about blocking data from coming into the company, he says, "Fill your USB ports with hot glue or epoxy so they can't be used."
What??? They can't use the BIOS to disable USB??? Jeez. You'd better hope that all that hot glue/epoxy doesn't seep out and touch areas it shouldn't. Anybody want to buy an overpriced doorstop? Going cheap. Would also make an excellent fishtank if you happen to be handy with tinsnips, glass cutters and silicon sealant.
Oh, and if you have an employee who is going to fiddle in the BIOS to bypass such a restriction, I have two words for you ... "PINK SLIP". Honestly, nobody "needs" a USB keyboard and mouse - PS2 does just fine thanks.
BTW the Jury is back.. check this out... oh, the irony... mind you, I have no idea why anybody would think that somebody who wants a SpongeBob screensaver would be reading itbusinessnet.com
http://blog.siteadvisor.com/2006/08/kids_cartoons_and_adware.shtml
