I would love to try this again without causing my point to get lost somewhere else :-)
Where I currently work, we originally started out by trying to determine the worst programs to run and reasons for denying them. This quickly became an exercise in frustration and anger management for both IT and the employees we are there to help. So, we reversed the approach and determined what we did want to allow and why. We used the criteria of departmental need, job function, requirements for customer interaction and ability to properly support (what skill sets in IT or other departments could be leveraged). Then we banned everything else and waited for the requests to come in. This made everyone feel like we were trying to help them instead of block them, so most employees became allies to the effort.

We run a wide range of platforms and applications by nature of our business, so it took a little time. When requests came in, we looked at each one to see if there was a legitimate reason to use it and went from there (can we support it well with our limited resources, is it safe enough, is there an alternative, etc.).

The only exception was in the browser area. We allowed a little more latitude there. Except Netscape, which is not Netscape anymore; it is AOL, and we don't allow anything AOL-related. The more technically adept and trustworthy employees could run Mozilla, Opera, etc. Everyone else, IE. We set up Software Update Service internally to handle the patching and management of IE. The others require a lot more management time to keep patched and secure, so only those we knew would keep up with it could use them (understanding that if they lapsed and something happened, their favorite browser would be gone for good).

The only area we really banged heads on after that was IM. Many employees had been using AIM. We killed it through global policy hash. MANY insisted they needed it for day-to-day internal uses. To solve that we set up our own internal IM server and cut it off at the firewall.
AIM is still banned and hashed because it cannot be effectively controlled at the firewall - AOL intentionally designed it to circumvent any attempts to control it (one of the many reasons anything AOL-related is banned). The whole approach has worked very well. Employees no longer ask for things unless they have researched the need and the application first on their own. They then trust that we will take a serious look at it and their information. They also trust that if it ends up being denied there will be a legitimate reason and we will offer a suggestion for an alternative.

Best Regards,
Dan Bartley

------------------------------------------------------------------------

I'm putting together a list of what seem to be the ten least secure computer items in use today, with the idea of having a set of things to recommend AGAINST people using, probably to be posted on the IT room door with a note like "NO, you cannot use the following!!". Here is what I have so far; I'm looking for additions and comments. The list is in order, with the worst offender being number one. These should be products whose inherent design is flawed, not ones that are just difficult to secure. I expect vigorous discussion. *putting on flame retardant garments* Oh, and leave operating systems out of this one.

1) Microsoft Outlook
2) Telnet
3) Sendmail
4) IIS Server
5) Wireless networking
6) PHP
7) ?
8) ?
9) ?
10) ?

Chris Berry
[EMAIL PROTECTED]
Systems Administrator
JM Associates