Care to share what that software is?
--
There are 10 kinds of people in the world...
those who understand binary and those who don't.
From: [email protected] [mailto:[email protected]] On
Behalf Of James Rankin
Sent: Thursday, December 8, 2016 9:46 AM
To: [email protected]
Subject: RE: [NTSysADM] OT: IT Philosophy
Software we use has a "rights discovery mode" that you can use to audit the
environment first and find out exactly which software needs admin access, which
really helps :)
From: [email protected] [mailto:[email protected]] On Behalf Of Kennedy, Jim
Sent: 08 December 2016 14:17
To: [email protected]
Subject: RE: [NTSysADM] OT: IT Philosophy
One thing we did when we pulled admin was make a very serious and very public
declaration that we would jump all over their requests for additional software
or taking care of issues related to no admin. Then we made sure we delivered
on that promise. We also did it a department/building at a time so neither
they nor us would be overwhelmed.
From: [email protected] [mailto:[email protected]] On Behalf Of James Rankin
Sent: Thursday, December 8, 2016 8:49 AM
To: [email protected]
Subject: RE: [NTSysADM] OT: IT Philosophy
In environments where people are used to having admin access we use a software
feature called "self-elevation". The users have their admin taken away, but
when they want to do anything as an admin, they just right-click the file or
folder and choose "Elevate to admin". No need to type in username and password
(which is the biggest hurdle people who are used to being admins find), they
just invoke the context menu and elevate their access.
In this way, if malware strikes it isn't doing it with admin access, yet the
user can still "be an admin" as much as they want.
Once you get this foot in the door, it's only a matter of time to slowly work
on their processes and expectations to bring them down to a level where they
maybe don't need to be admins at all. Various ways you can approach this, which
I won't go into here.
Of course being a non-admin doesn't protect you from ransomware. Application
execution management is key here (Windows 10 brings cool stuff like Device
Guard which can complement traditional app management methods like AppLocker).
We use a further extension of the software to manage this in a hands-off way,
but again, it's a busy space and there are lots of solutions.
From: [email protected] [mailto:[email protected]] On Behalf Of Kennedy, Jim
Sent: 08 December 2016 13:22
To: '[email protected]' <[email protected]>
Subject: RE: [NTSysADM] OT: IT Philosophy
1 and 2 are up to management as long as they give you the resources to do it.
3 really surprises me, knowingly allowing company resources for certain
copyright infringement seems really negligent.
On 4 you can never have enough layers against malware. In the environment you
describe I would be scared to death of ransomware. And I would argue that you
currently have zero protections in place if your users are admin. Especially
when they are at home, you have nothing to protect them.
From: [email protected] [mailto:[email protected]] On Behalf Of Kish N Kepi
Sent: Wednesday, December 7, 2016 11:29 PM
To: Kish N Kepi
Subject: [NTSysADM] OT: IT Philosophy
We keep a lax environment - our users are local admins on their Windows laptops
and we do not stop them from installing any software they want - the only caveat I
ever say is 'don't be stupid'. And yes, we are a hi-tech house, well beyond the
startup stage.
During a conversation about potential changes to the way we do backups today, I
stated that the current back up routine specifically excludes most media files,
and also that I'd used psexec to kill utorrent processes. My boss, who is
actually quite knowledgeable in IT matters, had a response that surprised me: why?
Why not backup the media files? Why not allow torrent traffic? His points were
as follows:
1. We give them laptops and smartphones and expect them to be available
at all hours of the day - that's convergence of home and office life - why
shouldn't we backup the photos of their kids, pets and vacations too?
2. Do we have bandwidth issues? We have a broad link to the internet and
only at periodic peaks do we hit anywhere near our limit
3. Legality of torrents? Really? How many people care about the legality?
4. Malware? We have other protections in place.
I couldn't come up with any answers that sounded reasonable to me, so at this
stage, we're planning to increase our backup storage capacity.
Does anyone here have answers that I lack? Sorry for cross-posting, but this
question is bothering me, and I know that many people in this forum have
strong, well-formed (and well-expressed) opinions.
Kish n Kepi