Good idea, never thought of that.

----- Original Message -----
From: James Hill
To: NT System Admin Issues
Sent: Thursday, January 14, 2010 5:05 PM
Subject: Local Admin Permissions WAS: RE: Internet Policy

I don't even run my desktop as an admin and I don't allow any of the other IT staff to run as admins either. That's what run-as is for.

From: James Kerr [mailto:cluster...@gmail.com]
Sent: Friday, 15 January 2010 8:02 AM
To: NT System Admin Issues
Subject: Re: Internet Policy

+1000 Even the top dog at our company is a standard user. My boss is a standard user. Only admins are me and my minion.

James

----- Original Message -----
From: James Hill
To: NT System Admin Issues
Sent: Thursday, January 14, 2010 4:21 PM
Subject: RE: Internet Policy

Sometimes that just requires making it painless for them. So that they don't notice they aren't admins because it isn't causing any issues.

Sometimes it means educating management on the risks of being admins and how it could affect their business.

If all that fails then sometimes you are stuck with terrible management :)

From: Jon Harris [mailto:jk.har...@gmail.com]
Sent: Friday, 15 January 2010 6:43 AM
To: NT System Admin Issues
Subject: Re: Internet Policy

That is good if you can get management buy-in but not always possible.

Jon

On Thu, Jan 14, 2010 at 3:27 PM, James Hill <james.h...@superamart.com.au> wrote:

Agreed. No offence intended but I'm amazed at how many people still allow users to be more than just that, users. I've never allowed it at any company I have worked for. There are always ways to work around any picky apps that want higher permissions.

From: Jon Harris [mailto:jk.har...@gmail.com]
Sent: Friday, 15 January 2010 4:14 AM
To: NT System Admin Issues
Subject: Re: Internet Policy

Power Users can install software just FYI.

Jon

On Thu, Jan 14, 2010 at 9:41 AM, John Aldrich <jaldr...@blueridgecarpet.com> wrote:

Sounds reasonable to me. I wish I could enforce a more restrictive policy than we do here, but I really don't have the resources to enforce much of anything. We have people using FaceBook/MySpace and doing online shopping, etc.

I've told people numerous times not to download anything, period, without explicit permission, but they tend to do so anyway, up to and including installing apps. I finally had enough of people installing crap with spyware attached and pretty much removed local admin permissions and made most users "Power Users" so they can have enough permissions to run stuff, but not install anything! So far that seems to be working. As I work on desktop machines, I find coupon printer software and other "crap" that has been installed over the years and clean it out.

Back to the topic at hand, I think that's a reasonable policy. I would suggest outlawing social networking sites and game sites (yahoo games) as those often seem to have spyware/adware associated with them and even just playing online games could lead to a "drive by install" of malware due to exploits.

From: James Kerr [mailto:cluster...@gmail.com]
Sent: Thursday, January 14, 2010 9:35 AM
To: NT System Admin Issues
Subject: Internet Policy

I know this has been discussed in the past but I'm in the process of making changes to ours so I was interested in a little input from my peers.

We have always had a policy of not allowing our desktops, email and Internet connection to be used for personal use at all. That being said, we have always turned a blind eye to occasional personal use through the day. This has been a problem for us. Now we are looking to change the policy to reflect that we do allow this type of use. We want the staff to know that it's ok but we also want them to know what's not ok. I was looking to basically say the following.

"Some personal Internet use is allowed but must not interfere with the performance of work duties and responsibilities. Personal Internet use must be restricted to reasonable sites and materials such as news or information that might be considered reasonable if read as a text publication in an office environment."

I'm also going to add that downloading files is not allowed unless approved by IT and that this includes email attachments from personal email as well.

Any thoughts?

James