On Tue, Mar 31, 2009 at 9:22 AM, Tom Miller <[email protected]> wrote: > We have a web page where we allow users to install networked printers as > needed. This saves IT Support lots of time, since we just tell users which > printer to click on, drivers are downloaded, printer installed, done.
Set up a print server, make sure the drivers for the workstations are installed on the print server, and the users should be able to add the printers and have Windows get the drivers from the print server without needing admin rights. Print servers give you other benefits, like access control for printers, better job spooling, the ability to log/audit/account, the ability to migrate physical printers while keeping the same queues, etc., etc. (I'm not sure how this works with ZenWorks, but I know it's trivial for Active Directory and NTLM domains.) > - Similar situation with our USB drives. We use secure USB drives which run > a little program each time the user inserts the drive into the port. Those > drives (seemingly) need administrator permissions to run the program. Then they're not actually secure, they're actually making things *less* secure. Depending on software *on* removable media to *secure* the same media is a bad idea for a number of reasons. For one, anything that needs admin rights for day-to-day operations is bad, evil, wrong, broken, run away, kill it with fire, etc. This has been a best practice in the industry since before there *was* a Microsoft. There is a *MAJOR* malware threat right now with malware using USB drives to propagate. Conficker is merely the latest. I suggest disabling autorun entirely. If that "secure" drive is plugged into an untrusted computer (e.g., home PC full of spyware, etc.), you've just lost your security. The "encryption" provided by some of those "secure USB drives" is a joke. (Not all of it, but a non-trivial proportion.) You're tied to that manufacture's proprietary solution. I would use a general-purpose disk encryption program; that way it can work with USB flash, USB HDD, eSATA HDD, CD/DVD, etc. If you do want to stick with that brand of USB drive, then find a way to have the software installed automatically via network administration, so it's "ready to go" and doesn't need to run from the USB drive. If the USB drive software doesn't support this, switch to a different brand of USB drive that sucks less. (I'm aware of the costs associated with replacing them all; see above about proprietary solutions.) -- Ben ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
