Knowing James, I bet it is an AppSense product. Thanks
Carl Webster Citrix Technology Professional http://www.CarlWebster.com<http://t.sidekickopen01.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJN7t5XYgdV8QRW2zWLDn4XrdjzW7fK3rs56dwxZf67wwsR02?t=http%3A%2F%2Fwww.carlwebster.com%2F&si=6012126861197312&pi=4311b7b1-332d-4242-8585-36954b184dc7> The Accidental Citrix Admin From: [email protected] [mailto:[email protected]] On Behalf Of Melvin Backus Sent: Thursday, December 8, 2016 10:28 AM To: [email protected] Subject: RE: [NTSysADM] OT: IT Philosophy Care to share what that software is? -- There are 10 kinds of people in the world... those who understand binary and those who don't. From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of James Rankin Sent: Thursday, December 8, 2016 9:46 AM To: [email protected]<mailto:[email protected]> Subject: RE: [NTSysADM] OT: IT Philosophy Software we use has a "rights discovery mode" that you can use to audit the environment first and find out exactly which software needs admin access, which really helps :) From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Kennedy, Jim Sent: 08 December 2016 14:17 To: [email protected]<mailto:[email protected]> Subject: RE: [NTSysADM] OT: IT Philosophy One thing we did when we pulled admin was make a very serious and very public declaration that we would jump all over their requests for additional software or taking care of issues related to no admin. Then we made sure we delivered on that promise. We also did it a department/building at a time so neither they nor us would be over whelmed. From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of James Rankin Sent: Thursday, December 8, 2016 8:49 AM To: [email protected]<mailto:[email protected]> Subject: RE: [NTSysADM] OT: IT Philosophy In environments where people are used to having admin access we use a software feature called "self-elevation". The users have their admin taken away, but when they want to do anything as an admin, they just right-click the file or folder and choose "Elevate to admin". No need to type in username and password (which is the biggest hurdle people who are used to being admins find), they just invoke the context menu and elevate their access. In this way, if malware strikes it isn't doing it with admin access, yet the user can still "be an admin" as much as they want. Once you get this foot in the door, it's only a matter of time to slowly work on their processes and expectations to bring them down to a level where they maybe don't need to be admins at all. Various ways you can approach this, which I won't go into here. Of course being a non-admin doesn't protect you from ransomware. Application execution management is key here (Windows 10 brings cool stuff like Device Guard which can complement traditional app management methods like AppLocker). We use a further extension of the software to manage this in a hands-off way, but again, it's a busy space and there are lots of solutions. From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Kennedy, Jim Sent: 08 December 2016 13:22 To: '[email protected]' <[email protected]<mailto:[email protected]>> Subject: RE: [NTSysADM] OT: IT Philosophy 1 and 2 are up to management as long as they give you the resources to do it. 3 really surprises me, knowingly allowing company resources for certain copyright infringement seems really negligent. On 4 you can never have enough layers against malware. In the environment you describe I would be scared to death of ransomware. And I would argue that you currently have zero protections in place if your users are admin. Especially when they are at home, you have nothing to protect them. From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Kish N Kepi Sent: Wednesday, December 7, 2016 11:29 PM To: Kish N Kepi Subject: [NTSysADM] OT: IT Philosophy We keep a lax environment - our users are local admins on their Windows laptops and we not stop them from installing any software they want - the only caveat I ever say is 'don't be stupid'. And yes, we are a hi-tech house, well beyond the startup stage. During a conversation about potential changes to the way we do backups today, I stated that the current back up routine specifically excludes most media files, and also that I'd used psexec to kill utorrent processes. My boss, who is actually quite knowledgeable in IT matters, had a response surprised me: why? Why not backup the media files? Why not allow torrent traffic? His points were as follows: 1. We give them laptops and smartphones and expect them to be available at all hours of the day - that's convergence of home and office life - why shouldn't we backup the photos of their kids, pets and vacations too? 2. Do we have bandwidth issues? We have a broad link to the internet and only at periodic peaks do we hit anywhere near our limit 3. Legality of torrents? Really? How many people care about the legality? 4. Malware? We have other protections in place. I couldn't come up with any answers that sounded reasonable to me, so at this stage, we're planning increase our backup storage capacity. Does anyone here have answers that I lack? Sorry for cross-posting, but I this question is bothering me, and I know that many people in this for a have strong, well-formed (and well-expressed) opinions Kish n Kepi
