How Strict are you on domain users?

lone wolf (Gawd, joined Feb 4, 2003, 705 messages)
Hello Everyone!

Lately I have been noticing that our domain users' profiles are getting rather large. After looking around I found that some of our users have profiles in excess of 2 gigs, which makes our DFS replication rather slow at times. Users were downloading tons of pictures and screen savers and then displaying them in plain view of our customers (this is a bank here).
So to stop this I set a GPO to force all desktops to the company logo. Now I'm getting a lot of complaints about not being fair, and not being able to be an "individual", and now I'm being called a "control freak", which doesn't bother me. I also have installed a program that will block certain sites, i.e. yahoo, msn, hotmail, you get the picture.

Does anyone else have this issue in their domain? If so what do you do to prevent this from happening? Or am I now just being a "control freak"?
 
Hello Everyone!

Lately I have been noticing that our domain users' profiles are getting rather large. After looking around I found that some of our users have profiles in excess of 2 gigs, which makes our DFS replication rather slow at times. Users were downloading tons of pictures and screen savers and then displaying them in plain view of our customers (this is a bank here).
So to stop this I set a GPO to force all desktops to the company logo. Now I'm getting a lot of complaints about not being fair, and not being able to be an "individual", and now I'm being called a "control freak", which doesn't bother me. I also have installed a program that will block certain sites, i.e. yahoo, msn, hotmail, you get the picture.

Does anyone else have this issue in their domain? If so what do you do to prevent this from happening? Or am I now just being a "control freak"?



Why do users think company assets are their own? They don't own the systems, and why management allows anything at all to be controlled by users is beyond me.
 
You mention that it's a bank.

You mention they download and install stuff on their PC. Also mentioned is "screensavers". Most people who are in IT support are aware that those "free screensavers" are one of the bigger sources of trojans/malware, such as CoolWebSearch, New.Net, etc.

Security and integrity of computers at a bank would be important, no? Wouldn't trojans and keyloggers be a bad thing on tellers' computers at a bank? Typing in clients' account numbers all day long?
 
my domain users can't do crap, I'm a super GPO nazi, they can't access any local drives, any control panel, change any settings like display settings, homepage, download anything, change wallpaper etc

if they have a complaint they can kiss it
 
You mention that it's a bank.

You mention they download and install stuff on their PC. Also mentioned is "screensavers". Most people who are in IT support are aware that those "free screensavers" are one of the bigger sources of trojans/malware, such as CoolWebSearch, New.Net, etc.

Security and integrity of computers at a bank would be important, no? Wouldn't trojans and keyloggers be a bad thing on tellers' computers at a bank? Typing in clients' account numbers all day long?

I agree about the security. This is why I'm making it my main focus right now. We just were audited and there are several points that we need to work on. I have just had enough of seeing different wallpaper of fantasy lands, half nude pixies, or their dog giving birth. Local Admin rights have been removed from all of the users. They are upset because they have lost a lot of privileges lately because they can't be responsible and remember that this is a business.
Their internet has been limited because at the branch that I work at, the average age of the tellers is 20, and they are hitting myspace while customers are waiting. I'm just getting really irritated and feel that they are taking advantage of me. I'm just not standing for it anymore....

Edit: I definitely know about the screen savers...we have one person who went and complained to HR that I caused her distress by removing her screen saver, and since she is pregnant, it is causing stress on the baby. I told our HR person to have her go to the doctor, and get some sort of proof that by doing this is causing her stress. I don't think I will be getting a Christmas card from her this year....:)
 
Reading this thread was pretty awesome. Thanks for the brief stories.
 
Step one: Sit down with management and work out an IT policy.

In this policy, specify that all equipment owned by the company is for company use only; no personal. Then nail down internet and email policy. Then work out a discipline procedure for anybody who violates the policy. I'd recommend any infractions go straight to the HR division instead of that person's manager.

Step two: lock down the desktops. I'd force "mandatory profiles" as well, seeing how this is a bank.

Step three: no system has direct internet access out. Everyone goes through the proxy, which is locked down and logged. After this is implemented, I'd watch the logs for a while and block sites that you haven't already but need to.

Anybody complains, forward them on to management or ask them straight out if these computers belong to them. It's not about ego, it's about doing the job right.
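The "watch the logs for a while and block what you haven't already" step above needs something that turns raw proxy logs into a short list of decisions. This is an added example, not code from the thread or from Squid: it reads Squid's native access.log format (assumed here with proxy-authenticated usernames in the ident field) and reports reached, non-business hosts by hit count, ready to paste into a dstdomain block file. The hosts, users, addresses and the allowlist are all constructed for the example.

```python
"""Review Squid access.log output to find destinations worth adding to the block list."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format:
#   timestamp elapsed client action/code size method URL user hierarchy/peer type
# Usernames come from proxy authentication; hosts and addresses are made up.
SAMPLE_LOG = """\
1316466501.320    152 10.0.0.12 TCP_MISS/200 5432 GET http://www.myspace.com/home jteller1 DIRECT/203.0.113.10 text/html
1316466502.110     80 10.0.0.12 TCP_MISS/200 1200 GET http://www.myspace.com/mail jteller1 DIRECT/203.0.113.10 text/html
1316466503.005    310 10.0.0.15 TCP_MISS/200 8800 CONNECT mail.yahoo.com:443 jteller2 DIRECT/203.0.113.20 -
1316466504.770     45 10.0.0.15 TCP_HIT/200 2300 GET http://intranet.example.local/forms/newaccount.pdf jteller2 NONE/- application/pdf
1316466505.200     60 10.0.0.12 TCP_MISS/200 3100 GET http://www.myspace.com/friends jteller1 DIRECT/203.0.113.10 text/html
1316466506.900     15 10.0.0.18 TCP_DENIED/403 1500 GET http://www.hotmail.com/ jteller3 NONE/- text/html
1316466507.330     90 10.0.0.18 TCP_MISS/200 9100 GET http://www.msn.com/ jteller3 DIRECT/203.0.113.30 text/html
1316466508.010     22 10.0.0.15 TCP_HIT/200 640 GET http://intranet.example.local/policy.html jteller2 NONE/- text/html
"""

# Hosts the business actually needs (assumed for this example).
ALLOWLIST = {"intranet.example.local"}


def parse_line(line):
    """Return (user, host, denied) for one log line, or None if it is malformed."""
    fields = line.split()
    if len(fields) < 9:
        return None
    action, method, url, user = fields[3], fields[5], fields[6], fields[7]
    if method == "CONNECT":            # CONNECT logs host:port, not a full URL
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or ""
    return user, host.lower(), action.startswith("TCP_DENIED")


def summarise(log_text):
    """Aggregate hits, distinct users and denials per destination host."""
    stats = defaultdict(lambda: {"hits": 0, "users": set(), "denied": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        user, host, denied = parsed
        entry = stats[host]
        entry["hits"] += 1
        entry["users"].add(user)
        if denied:
            entry["denied"] += 1
    return stats


def block_candidates(stats, allowlist=ALLOWLIST):
    """Hosts that were actually reached (not already denied) and are not
    business-required, noisiest first: (host, hits, sorted users)."""
    candidates = [
        (host, s["hits"], sorted(s["users"]))
        for host, s in stats.items()
        if host not in allowlist and s["hits"] > s["denied"]
    ]
    return sorted(candidates, key=lambda c: (-c[1], c[0]))


def dstdomain_file(candidates):
    """Render candidates as a Squid dstdomain ACL file (leading dot also matches subdomains)."""
    return "\n".join("." + host for host, _, _ in candidates) + "\n"


if __name__ == "__main__":
    stats = summarise(SAMPLE_LOG)
    for host, hits, users in block_candidates(stats):
        print(f"{host:30} {hits:4} hits  users={','.join(users)}")
    print("--- lines for the dstdomain block file ---")
    print(dstdomain_file(block_candidates(stats)), end="")
```

Hosts that already show up as TCP_DENIED are skipped because they are blocked already; review the remaining list by hand before it goes into the ACL file, since a teller opening accounts may legitimately need one of them.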
 
Aye, I used to work at a call center. We were forced to go all nazi with the GPO and basically prevented any modifications at all and users were unable to do anything but run the database, surf to approved sites, etc. No downloading or saving anything besides certain file types using installed programs.

It's shocking to users at first, but they adjust. Sometimes it might take a meeting, and sometimes it takes getting a particularly bad user fired, but users soon realize that company property is not where they put their pictures or songs, and they don't get to be individuals when using that company property.
 
check out iPrism for a nice website blocking software. They have the "blacklist" already set for you, which you can alter. I don't manage it but we use it at work and it seems to do the job. Dunno the cost either.
 
Step one: Sit down with management and work out an IT policy.

In this policy, specify that all equipment owned by the company is for company use only; no personal. Then nail down internet and email policy. Then work out a discipline procedure for anybody who violates the policy. I'd recommend any infractions go straight to the HR division instead of that person's manager.

Step two: lock down the desktops. I'd force "mandatory profiles" as well, seeing how this is a bank.

Step three: no system has direct internet access out. Everyone goes through the proxy, which is locked down and logged. After this is implemented, I'd watch the logs for a while and block sites that you haven't already but need to.

Anybody complains, forward them on to management or ask them straight out if these computers belong to them. It's not about ego, it's about doing the job right.

100% agreed here. You absolutely have to have an acceptable use policy in place and then make all employees sign the damn thing and keep it on file. Once that is all done then you get to nail everything down. I would highly recommend some sort of proxy filter like squid or untangle or astaro. Untangle and Astaro can also scan your web traffic for viruses and malware and strip it out. You can also block ActiveX controls and crap like that. Neat stuff.
 
100% agreed here. You absolutely have to have an acceptable use policy in place and then make all employees sign the damn thing and keep it on file. Once that is all done then you get to nail everything down. I would highly recommend some sort of proxy filter like squid or untangle or astaro. Untangle and Astaro can also scan your web traffic for viruses and malware and strip it out. You can also block ActiveX controls and crap like that. Neat stuff.


Too bad in large organizations the people with the power to make those decisions are a part of the offending users. Therefore they tend to disagree with your policies.
 
this is simple as far as I'm concerned: your job is to protect the system from viruses / keyloggers etc. Can you do this when everyone is downloading custom screensavers? No. Who will get the blame if viruses start appearing / customers' accounts get raided? You will. Make sure this is clear to management so that it is their decision, ultimately removing any blame from you. If they have any sense they will enforce it; else just leave, as they are not allowing you to do your job.
 
the average age of the tellers is 20, and they are hitting myspace while customers are waiting.

Holy crap...I've never seen a bank not care about things like that.

My Space? Holy double crap! Talk about guaranteed infection. :rolleyes:

I've never seen tellers surf the web. I'd never imagine that any teller at any bank is allowed to surf the web with office PCs, at all...not even hit Google.

Those computers should be locked down tighter than a gnat's ass.

How many customers there complain about illegal activity in their accounts?
 
Bank teller PCs shouldn't have access to the web, period. They should only have access to the client software required to operate. END OF STORY

Take a look at something called PCI DSS. This usually applies to point of sale systems but that is more or less what bank teller systems are.

http://en.wikipedia.org/wiki/PCI_DSS

I hope to god your bank is running a domain based system and not a workgroup based system.

Oh and did I mention that in case it ever comes up...never mention what bank you work for especially now that you have exposed a way to exploit computers within your company since they are wide open to the internet.
 
Too bad in large organizations the people with the power to make those decisions are a part of the offending users. Therefore they tend to disagree with your policies.

I've walked away from companies where the higher ups didn't want to comply with security standards and policies. You want more mailbox space? Sure, what the hell. You want more profile space? Yeah, no problem. You want to compromise the data integrity and security of the company? I'll be sure to let the BBB know and here is my 2 weeks...
 
What's the name of the bank so I know I'm not a part of it. :)

I've always been a firm believer of stricter is better. Keeping the GPO as strict as possible and if need be, letting up is a solution that works (for me).
 
Edit: I definitely know about the screen savers...we have one person who went and complained to HR that I caused her distress by removing her screen saver, and since she is pregnant, it is causing stress on the baby. I told our HR person to have her go to the doctor, and get some sort of proof that by doing this is causing her stress. I don't think I will be getting a Christmas card from her this year....:)

I'd wait for her to do one thing wrong after that and file a harassment complaint using that bs complaint as part of the evidence.

Holy crap...I've never seen a bank not care about things like that.

My Space? Holy double crap! Talk about guaranteed infection. :rolleyes:

I've never seen tellers surf the web. I'd never imagine that any teller at any bank is allowed to surf the web with office PCs, at all...not even hit Google.

Those computers should be locked down tighter than a gnat's ass.

How many customers there complain about illegal activity in their accounts?

Yea really I wouldn't go near a bank as lax as that if I knew about it.
 
General guideline: "Implicitly block that which is not explicitly required."
 
Holy crap...I've never seen a bank not care about things like that.

My Space? Holy double crap! Talk about guaranteed infection. :rolleyes:

I've never seen tellers surf the web. I'd never imagine that any teller at any bank is allowed to surf the web with office PCs, at all...not even hit Google.

Those computers should be locked down tighter than a gnat's ass.

How many customers there complain about illegal activity in their accounts?
My girlfriend was a teller for a local bank and she along with the rest of the bank's employees were able to surf the web. Scary huh?
 
My girlfriend was a teller for a local bank and she along with the rest of the bank's employees were able to surf the web. Scary huh?

You know I remember seeing 2 computers on my bank manager's desk like 2 years ago. He said one was for accessing the bank systems and the other was for web access.
 
Agree 100% with XOR's suggestion.

Have an IT Policy. Make people sign it.

Also having your bank system open to the internet is probably the worst idea I've ever heard. You should put an end to that immediately.

You sound like one of the most lax network administrators I've ever heard of actually. If your users think you're a control freak now, just wait until someone breaks into your computer system. The guy that replaces you will have that shit locked down like Fort Knox, I can guarantee.

If I was you I'd GPO the shit out of the network, since it's a bank and all.

Squid proxy is your friend.

Good luck:)
 
You sound like one of the most lax network administrators I've ever heard of actually. If your users think you're a control freak now, just wait until someone breaks into your computer system. The guy that replaces you will have that shit locked down like Fort Knox, I can guarantee.


QFT
 
My girlfriend was a teller for a local bank and she along with the rest of the bank's employees were able to surf the web. Scary huh?

Wow...
I go to quite a few different banks...being in IT, I always eyeball the PCs wherever I go. The banks I go to, I can tell they're locked down, business wallpaper, minimal desktop icons in perfect arrangement....I've never seen a PC at a bank that looks like the staff gets to do what they want...never mind surf the web.
 
very, my users are idiots. GPO, Squid and DansGuardian. I also use SNMP to keep an eye on all ports for high usage and all shares are hidden using $
 
To answer the question at hand, I'm fairly open on my lockdowns, just basic things: wallpaper remains company wallpaper, no installation of applications without my consent (and I will be doing the install), secure PWs, and web filtering done on a transparent proxy thanks to Untangle.

This is for a 15 user plumbing office, where the most important information we handle is marketing campaigns, or our CRM Database....

As for a bank, as mentioned, get with the higher-ups, have the users sign a policy and ask them to kindly stfu. If higher-ups don't want to play nice, schedule an audit...
 
Agree 100% with XOR's suggestion.

Have an IT Policy. Make people sign it.

Also having your bank system open to the internet is probably the worst idea I've ever heard. You should put an end to that immediately.

You sound like one of the most lax network administrators I've ever heard of actually. If your users think you're a control freak now, just wait until someone breaks into your computer system. The guy that replaces you will have that shit locked down like Fort Knox, I can guarantee.

.

Good luck:)

It was mentioned earlier on that upper management is sometimes the most notorious offenders, and in my case that is the exact point. My boss, who has to call me to change the resolution of his desktop, spends most of his day on ebay, or in "meetings offsite". I bring up items like this to him all of the time, but am told to let it go. And with him being the son of the Chairman...well you get the point.
Lax? By no means am I lax. I walked into this mess about 3 months ago. The first thing that I purchased was some Content Filtering software that allows me to lock out certain sites such as myspace, yahoo, msn, etc. They complained about that. Unfortunately the tellers at this bank, and it is a very small home town bank, also open new accounts, so they need access to certain websites, which I have now granted. It's funny, because I have a meeting with the new CEO, who came onboard also from a large bank, tomorrow about my concerns; I was given the go ahead to fix whatever is broken right now, and was told that if the users don't like it, there is always an opening at Wal Mart, in his own words.
So...this evening I've been setting GPOs like a mad man, everything from the screen saver, login restrictions, you name it. I have completely blocked out the control panel, and various other places that users do not need to be.

I know that I have a lot of work ahead of me. I was told today that I will be losing a lot of friends; my reply is that I haven't been here that long and haven't made that many yet. I appreciate all comments and suggestions. I came from a big company that was very organized with everything, to this town of less than 6k people, so I'm an outsider trying to make changes to something that has been so lax for the better part of the last decade.

Oh yeah, the IT guy that I replaced, he was also a relative of the Chairman, he decided that he didn't like working on computers anymore, so he went into construction.
 
I would start with the bank teller machines and work from there.

Office computers can be a little more open and maybe have internet access.
 
Oh yeah, the IT guy that I replaced, he was also a relative of the Chairman, he decided that he didn't like working on computers anymore, so he went into construction.

That is hilarious! We just picked up a new client a few months ago that had their new server and accounting software setup BY a concrete company. The owner's son fancied himself a computer whiz so daddy let him add that to their repertoire of services. Quite funny, I was talking to the client and he said, " I should have known something was up when the guy showed up wearing a flannel shirt and then said he hoped it didn't take too long because he had to go hunting later . . . "
 
my domain users can't do crap, I'm a super GPO nazi, they can't access any local drives, any control panel, change any settings like display settings, homepage, download anything, change wallpaper etc

if they have a complaint they can kiss it

EDIT: Wow, sorry for bringing up an old post. I didn't realize!

Although I agree, I wouldn't tell any end user to kiss it (Not that I thought that's what you meant directly). It's important that the user base trusts and respects IT.

To the OP, I know it doesn't bother you that people complain and that's good, but perhaps you can send out a system-wide e-mail explaining the importance of security or something along those lines, and just explain why. You don't have to justify yourself, just be courteous so people don't think you're just being a Network Nazi for the sake of being a Network Nazi.
 
Unfortunately I can only restrict my customer to what the bosses there will allow. My office network is not that strict, mostly because we are a small company and I believe in managing my people, not just restricting their access (except in extreme cases).

However, I did remove the shutdown option from some users at a client's, lol, they got the point to leave their PCs on.
 
Wow, reading all this has made me realize how lax our dept is. I don't really think they know what domain restrictions are.

We are a reception desk for the dorms. We really only need access to forms on a network share (often down), but they are allowed to do everything, even things they shouldn't. You can install programs under the share; shares are per computer (so you could have multiple instances of a share across several computers). If you accidentally stay logged on, other employees will make your desktop image something from 4chan.

God I hate college kids.

I didn't know enough when I was a freshman working for RezNet; now that I'm a senior, I see it all. Thankfully I work the desk where I don't have to worry about this kind of stuff (I will when I get out into the job world.)

But then again, the main point of our job is that we just be "there" (similar to a 24hr system admin), and you could go 5-8hrs without helping a single person. They just need someone there when they aren't.
 
I almost think you should go stricter on the domain policy. Heck, this is a business, not their home. Tell them to do that stuff at home, not at work. I plan to make my network so locked down that they can only run installed software and get to certain network drives. No changing of any settings. :D They'll think I'm a left-wing communist but I don't care :D
 
Try working for a law firm if you think you can tell the partners that they don't own the systems. lol
 
It was mentioned earlier on that upper management is sometimes the most notorious offenders, and in my case that is the exact point. My boss, who has to call me to change the resolution of his desktop, spends most of his day on ebay, or in "meetings offsite". I bring up items like this to him all of the time, but am told to let it go.

My current company is big and privately held. Some of the top Execs are not on the Domain because of their "special needs." Some have 30GB plus of outlook *.pst files that they keep on the server wasting space. Heaven forbid that they write that all to a DVD. How often do they have to look up that crap anyway? Apparently too much.


The first thing that I purchased was some Content Filtering software that allows me to lock out certain sites such as myspace, yahoo, msn, etc.

We have an acceptable use policy for our computers (IT policy) that all employees have to abide by. We mainly block all 3rd party email sites. If you need to conduct business then it needs to be with our Email server and not a third party. There are some exceptions and all are approved. Some sites need access to their clients using myspace and messaging.myspace.com. Case by case basis, but general logging in BS is blocked using Bluecoat proxy content filtering. It's amazing how many viruses and trojans this device blocks. Statistics are in the millions every month.


So...this evening I've been setting GPOs like a mad man, everything from the screen saver, login restrictions, you name it. I have completely blocked out the control panel, and various other places that users do not need to be.
Our users have to change their password every 90 days and we keep 10 passwords. I get the occasional "can my password just be the same?" No. No it can't, and I have to follow the rules, so do you. Live with it. The desktops of users can set their own background, add shortcuts, but all installations of programs, system utilities, that kind of thing, are all denied. I use the runas command quite a bit.

I came from a big company that was very organized with everything, to this town of less than 6k people, so I'm an outsider trying to make changes to something that has been so lax for the better part of the last decade.

They get used to the policies and maybe the bank will become better at service and treating their customers with more value instead of dicking around with thumbs up the ass surfing away on the net checking their myspace and opening every damn chain letter that comes in and letting us know that somebody is trying to kill them or a great investment can be found in Africa.

Lock that shit down and rest easy at night.
 
At my company we deal with healthcare, so we're starting to become stricter, we have to. The company started as smaller companies that were bought out by one, and this wasn't that long ago, so a lot of people still have the small time mentality. It's a bitch to deal with.

A lot of people put in requests asking for access to servers, shares, what have you. And we have an approval process which they have a hard time following. We need details - Why do you need access to this folder? What are you doing? Etc.

This guy today emailed helpdesk at like 4pm or 5pm demanding access to this server he had before and suddenly lost. I didn't have access to the server to give rights and the other guy left on an emergency. So I told the guy "I don't have rights to do this, what do you need it for, etc". So I get an email hours later from his boss (I think) stating with many exclamation points that he had to "leave work" because he didn't have access and he's ALWAYS had access. Tough shit, tell him to follow our policies. I don't know everyone's access to all our servers, there's fucking 300 of them.

ugh, people.
 
Tough shit, tell him to follow our policies. I don't know everyone's access to all our servers, there's fucking 300 of them. ugh, people.

We have SAP for our ERP system, and until security and access to certain transactions has been approved by another group, the requesting person doesn't get anything, thanks to Sarbanes-Oxley. It's easy to give access, but do you need it for your current job duties?

Seems like the users just get used to a certain thing. Especially on job title changes / responsibilities. A user said "I used to have access and did blah blah." Well, your job changed, nimrod, so you don't have access to that system anymore. You have new access to X, Y, and Z now.
 