Re: Draft I: Why You Don't Want to Install Software

From: Susan Bradley, CPA aka Ebitz SBS Rocks [MVP] (sbradcpa_at_pacbell.net)
Date: 12/05/04


Date: Sat, 04 Dec 2004 16:56:56 -0800

Dr J renames "Network Neighborhood" to "My victims"

:-)

Andrew M. Saucci, Jr. wrote:
> Actually, I got the hang of it long ago. I agree with everything
> you've written and couldn't have said it much better. My problem is that
> I've been hanging around this newsgroup too long, and I'm impressionable.
> Before I tied my first two computers together, I never thought I'd become
> that evil IT guy-- the party pooper who runs his network with an iron fist.
> Now that my days are spent running Windows Update and cleaning the effects
> of running a loose ship, I see that the loose ship model just isn't going to
> work. The next document is going to be a defense of Internet whitelisting.
> Yes, I'm now convinced that everyone-- everyone-- should have an ISA
> whitelist, and SBS Standard is a short-term plus but a long-term liability.
> If I couldn't do attachment blocking I'd go for e-mail whitelists too.
>
> My problem is that our company has always had an "accommodating"
> culture. It means "make the client happy." It means that if I want to do a
> lockdown I have to sell it first to my boss and then to the clients. That
> means I need sales tools. I have to make the clients want what I want for
> them. It isn't enough for me to say, "I'm the consultant and this is how it
> will be." At one point I started blocking ZIP files and it just didn't cut
> it at one client; we had to back off, even though I'm convinced that
> receiving ZIP files via e-mail should be a "call supervisor" function at the
> minimum.
>
> Now, do you rename "My Computer" or leave it? I'd do it if I had
> the "Master Console for IT Consultants" I proposed about a year ago, but I
> can't have half the workstations with the default name and half with
> something else while I'm trudging through the whole lot. My colleagues
> would have my head if they had to guess what to tell people to click while
> on a phone support call. I'd love to be able to sit at my desk in the office
> and issue a command to all 350 workstations and servers, wherever they are,
> "Change 'My Computer' to 'Company Workstation'." Hey, I rename AOL icons
> every time I sit at a workstation that's been contaminated with AOL. I can't
> stomach "Double-click to start" on a desktop icon any more than I'd be able
> to stomach a sticker on my car door that read "Insert key here and turn
> clockwise to unlock."
>
> "SuperGumby [SBS MVP]" <not@your.nellie> wrote in message
> news:eHO4iiE1EHA.3236@TK2MSFTNGP15.phx.gbl...
>
>>You're starting to get the hang of it Andrew, but there is a lot further to
>>go.
>>
>>Something I have recently heard discussed as the 'least privilege' account.
>>It ties in with MS 'Secure by design, secure by default, secure by
>>deployment' initiative.
>>
>>A 'user' should be able to do no more than is required to perform their
>>function. Reconfigure network properties? WHY? You're out of here. Shutdown
>>the system? WHY? You're out of here. Add device drivers? WHY? You're out of
>>here. Visit Windows Update. WHY? You're out of here.
>>
>>All these functions should be under the control of the system administrator.
>>You want something done in a manner which doesn't take the machine off the
>>air? Ask the admin to do it.
>>
>>I have less experience of this than some of our other contributors. I admit
>>to having systems where either 'interactive user' or 'domain users' have
>>been made members of the 'local administrator' group. Yes, I lose sleep over
>>it.
>>
>>I even have a problem with 'My Computer'. This terminology suggests to the
>>user that it is his/her computer. Sorry buddy, it ain't. It's 'My Company's
>>Computer'. Get used to it. You're lucky the owner lets you touch the
>>keyboard, that's where most of the problems start.
>>
>>If anyone reckons I'm a bit overboard here. NOTE: Yes, I am trying to make a
>>point. However guys, including you gal type guys, this is where we're
>>heading, and for good reason.
>>
>>
>>"Andrew M. Saucci, Jr." <spam-only@2000computer.com> wrote in message
>>news:On1WXbD1EHA.1524@TK2MSFTNGP09.phx.gbl...
>>
>>> I've prepared the first draft of a document I hope to convince my
>>>boss to distribute to our clients in hopes of drastically reducing the
>>>number of local administrators we have lurking around our networks. I
>>>figured others might benefit from this, so I'm posting it here. Anyone who
>>>cares to contribute is more than welcome to do so. It may well need to be
>>>fleshed out a bit, but I'm hoping that by the time I'm finished, my SBS
>>>clients in particular will come to me and plead, "Please don't let me
>>>install software-- you do it."
>>>
>>> "Why You Don't Want to Install Software"
>>>
>>> Many of you may believe that installing software is part of having a
>>>computer, much like placing bread into a toaster is part of owning a
>>>toaster, or filling the gasoline tank is part of owning an automobile. The
>>>idea of contacting your network consultant to install software probably
>>>sounds as necessary as having a pet consultant to put food in your pet's
>>>bowl. In this document we will endeavor to demonstrate why software
>>>installation must be left to professionals.
>>>
>>> In earlier versions of Windows-- namely, those descended from DOS, the
>>>3.x/9x/ME line-- there was only one type of user, the "super user." Any user
>>>could install software. Any user could access any file on the hard drive.
>>>Any user could modify or delete any file on the hard drive. Any user could
>>>trash the entire operating system, just by deleting or modifying one file.
>>>And trash they did. Windows 9x was notoriously unstable and fragile.
>>>Installing one program could cause other programs to stop working. Moreover,
>>>this was long before adware, spyware, malware, e-mail scams, and Internet!
>>>
>>> Microsoft knew that this model would be woefully inadequate for an
>>>operating system on which businesses would depend to conduct their affairs.
>>>If a home user trashed his computer, he could curse a bit, reformat,
>>>reinstall, and get over it. Businesses would not tolerate that sort of
>>>instability. They would need some security. The idea of an operating system
>>>that allowed anyone to do anything-- like an ATM that consisted of nothing
>>>more than a stack of $100 bills in an open drawer on a street corner with a
>>>pencil and a *** of paper for people to record what they had withdrawn--
>>>simply would not suffice.
>>>
>>> Enter Windows NT. This was Microsoft's operating system for businesses.
>>>It was redesigned from the bottom to the top, and one improvement was
>>>built-in security. Users fell into one of two main groups-- administrators
>>>and users. Administrators would install programs, while users would run
>>>them. Programs would be installed into a "Program Files" folder, and this
>>>folder as well as the Windows system folders were off-limits to users. Key
>>>parts of the system registry were also off-limits. That would prevent
>>>accidental (or intentional) deletions and modifications. If a user attempted
>>>to execute a virus-laden program, the operating system would prevent it from
>>>doing any serious damage, simply because the key folders were protected. The
>>>days of system instability were numbered-- or so everyone thought.
>>>
>>> Let's jump to today. Windows XP, a descendant of Windows NT (and, later,
>>>Windows 2000) is now the dominant desktop operating system. We all know
>>>that system instability and fragility are with us as much as ever. Systems
>>>are routinely reformatted and reimaged. Cleanup of adware and spyware is a
>>>commonplace task for the network consultant. What on earth happened?
>>>
>>> Somewhere along the way, the application vendors got lazy and careless.
>>>They started writing software that would run only if the user was made an
>>>administrator. They never tested their software under ordinary user
>>>accounts. In short, they just didn't give a hoot. Consultants were stuck
>>>making everyone administrators because otherwise the applications wouldn't
>>>run, and the application vendors either didn't even know the difference
>>>between an administrator and a user or they simply wouldn't support running
>>>their programs as a user. Users didn't help, either-- they insisted that
>>>they needed to be able to install software.
>>>
>>> The situation today is critical. Because users are generally allowed to
>>>be administrators, not only can they consciously install software, but they
>>>can inadvertently install trojans, adware, and spyware, sometimes without
>>>even clicking "Yes" to anything. Antivirus and anti-spyware software can
>>>stop some of these pests from gaining a foothold in a system, but basically
>>>the workstation is wide-open for serious damage to be done. We've returned
>>>to the bad, old days of Windows 3.1.
>>>
>>> The single most effective defense against adware, spyware, trojans, and
>>>viruses is simply not to allow users to be administrators. When these
>>>attempt to install, Windows will stop them dead in their tracks if the user
>>>is not an administrator. For this to be effective, however, users must agree
>>>not to be administrators and to leave software installation to
>>>professionals. Professional network consultants, or network managers, have
>>>the experience to deal with glitches that may arise during installation.
>>>Furthermore, tools now exist to help the network manager to determine
>>>exactly what has to be done to make an application run with ordinary user
>>>privileges-- but this process is not trivial and does require the experience
>>>of a professional.
>>>
>>> In summary, then, you don't want to be an administrator of your
>>>workstation because the power to install software also gives anything
>>>running with your name and password the power to install software-- and the
>>>power to destroy your system beyond simple repair. Even experienced network
>>>consultants don't run their own office workstations with administrator
>>>accounts for everyday tasks. So stay behind the white line and leave the
>>>driving to us!
>>>
>>>
>>
>>
>
>
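
The thread above turns on workstations where 'interactive user' or 'domain users' have been put into the local Administrators group. As an added example (not part of the original posts), one way to find those machines is to parse saved output of `net localgroup Administrators` from each workstation. The host names, the CONTOSO domain, the sample output and the BROAD list are constructed assumptions.

```python
# Flag broad principals in saved `net localgroup Administrators` output.

# Names that make every logged-on or domain user a local administrator.
# Assumption for this example; extend the set to suit the site.
BROAD = {"interactive", "domain users", "authenticated users", "everyone"}

# Constructed sample data: host names, domain and members are made up.
HEADER = (
    "Alias name     Administrators\n"
    "Comment        Administrators have complete and unrestricted access\n"
    "\nMembers\n\n" + "-" * 79 + "\n"
)
FOOTER = "The command completed successfully.\n"
SAMPLE = {
    "WS-001": HEADER + "Administrator\nCONTOSO\\Domain Admins\n" + FOOTER,
    "WS-002": HEADER + "Administrator\nCONTOSO\\Domain Admins\n"
              "CONTOSO\\Domain Users\n" + FOOTER,
    "WS-003": HEADER + "Administrator\nNT AUTHORITY\\INTERACTIVE\n"
              "CONTOSO\\jsmith\n" + FOOTER,
}


def parse_members(output):
    """Return member names listed between the dashed rule and the footer.

    Assumes English-language output; the footer text is localized."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("-----"):
            in_list = True
        elif line.startswith("The command completed"):
            break
        elif in_list and line:
            members.append(line)
    return members


def audit(outputs):
    """Map each host to its broad admin members; clean hosts are omitted."""
    report = {}
    for host, text in outputs.items():
        # Compare only the account name, with any DOMAIN\ prefix dropped.
        hits = [m for m in parse_members(text)
                if m.rsplit("\\", 1)[-1].lower() in BROAD]
        if hits:
            report[host] = hits
    return report


if __name__ == "__main__":
    for host, hits in sorted(audit(SAMPLE).items()):
        print(f"{host}: {', '.join(hits)}")
```

Named individual accounts such as the constructed CONTOSO\jsmith are not flagged here; the check targets only group-wide grants.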