The Register® — Biting the hand that feeds IT

Comments on: IT managers caught in employees' illicit networks

Like hell 

Posted Wednesday 24th October 2007 10:50 GMT

"More worrying for the BOFH is that 36 per cent of employees believe they have the right to install any application they like on their desktop computer, regardless of IT department approval."

In the same way I have the right to install small gardening tools directly into their brains. If any crap appears on their machines, lock down all their internet access for a week, and make it aware to them that you can read their email with ease.

Bastard users!

rocket science 

Posted Wednesday 24th October 2007 10:52 GMT

I work in a school and curious kids are a far worse prospect than limewire/msn'ing adult employees. If we can keep our network and web access locked down enough to prevent pretty much everything except web access working, businesses with actual 'money' really have no excuses.

Luckily... 

Posted Wednesday 24th October 2007 11:30 GMT

We have a tool to counteract people who install unauthorised software on their employer's PCs - the Luser Attitude Readjustment Tool, to be applied as often and as hard as needed. In some cases, the LART may even become an embedded system.

Principle of Least Privilege 

Posted Wednesday 24th October 2007 11:39 GMT

This is why network policies should be applying PLP.

If there's a business case for "the web", allow HTTP/HTTPS (and make sure it's *actually* HTTP/S). Same for FTP ([AV-checked] downloads only, most likely), etc. How many networks allow any machine access to the internet for SMTP - far too many, I bet - the only machines that should have SMTP net access are the company mail servers.

And so on...

On my own network, even *I* don't have blanket outbound access, and I'm the one responsible for administering the firewall!
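An added illustration of the egress policy described in the comment above (not part of the original post): a default-deny check over outbound flow records in which SMTP is accepted only from the mail servers. Routing web and FTP through a filtering proxy is an assumption made here as one way to check that the traffic is really HTTP/S and AV-scanned; all addresses and flow records are constructed.

```python
import ipaddress
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    dport: int

# Constructed example network; every address below is an assumption.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
MAIL_SERVERS = {"10.0.0.25"}   # the only hosts allowed to speak SMTP outbound
PROXIES = {"10.0.0.80"}        # filtering proxy that validates protocol and AV-scans

# Least privilege: each outbound port maps to the sources allowed to use it.
# A port that is not listed is denied for everyone, administrators included.
ALLOWED_EGRESS = {25: MAIL_SERVERS, 80: PROXIES, 443: PROXIES, 21: PROXIES}

def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL

def evaluate(flow):
    """Return (allowed, reason) for a single flow record."""
    if not is_internal(flow.src) or is_internal(flow.dst):
        return True, "not outbound traffic"
    sources = ALLOWED_EGRESS.get(flow.dport)
    if sources is None:
        return False, f"no egress rule for port {flow.dport}"
    if flow.src not in sources:
        return False, f"{flow.src} is not an approved source for port {flow.dport}"
    return True, "matches egress rule"

def violations(flows):
    """List (flow, reason) for every flow the policy would block."""
    return [(f, why) for f in flows for ok, why in [evaluate(f)] if not ok]

# Constructed flow records, e.g. as exported from a firewall or NetFlow log.
SAMPLE_FLOWS = [
    Flow("10.0.0.25", "198.51.100.10", 25),   # mail server relaying mail
    Flow("10.0.1.17", "198.51.100.10", 25),   # desktop sending SMTP directly
    Flow("10.0.0.80", "203.0.113.5", 443),    # proxy fetching a web page
    Flow("10.0.1.17", "203.0.113.5", 443),    # desktop bypassing the proxy
    Flow("10.0.1.17", "203.0.113.9", 6881),   # port with no business case
    Flow("10.0.1.17", "10.0.0.80", 3128),     # internal traffic to the proxy
]

if __name__ == "__main__":
    for flow, why in violations(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.dport} ({why})")
```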

IT outfits 

Posted Wednesday 24th October 2007 11:59 GMT

Most places I've worked have IT workers who impose such policies then abandon them when they realise (a) they need the user to help them install applications, (b) the time taken waiting for IT to pull its finger out usually damages critical company business, even when advised as far as possible in advance and, sometimes, (c) the workload being too much. I've more than once nursemaided IT staff through installation processes of technical applications.

@ Adam Peters 

Posted Wednesday 24th October 2007 12:00 GMT

"In the same way I have the right to install small gardening tools directly into their brains. If any crap appears on their machines, lock down all their internet access for a week, and make it aware to them that you can read their email with ease."

That's hardly the BOFH way of doing it, is it?

Leaving sacks of quicklime and shovels lying around if you want to be subtle, or ordering a large number of skips to be placed around the perimeter of the office and increasing the number of accidents involving falls from windows would be good if you really want to make your point.

On the other hand... 

Posted Wednesday 24th October 2007 12:12 GMT

I too am a BOFH and I totally sympathize with the above comments but I can't help feeling a little wary about absolute clampdown on users. It seems to me that you can't expect human personal lives to completely disappear when they come into work.

Banks, financial institutions et al I feel your pain but in my industry (entertainment) keeping employee turnover low is the name of the game. I can't do that if all the employees are pissed because they can't check their bank accounts and IM with the missus.

So where's the common ground? Fortunately for us there's less than ten PCs and two servers to manage so I can run nightly images on their systems. But even that doesn't help much with the malware.

Oh if only we could lock the users in the closet when they're not needed...

Display and be damned

Posted Wednesday 24th October 2007 12:35 GMT

Have an intranet web page for the top ten web surfers.

Generate a web page with the list of the top ten web sites and who was accessing them.

There, that'll keep web surfing down a notch or two.

Make sure the Director gets a weekly email report.

Where to draw the line? 

Posted Wednesday 24th October 2007 12:39 GMT

I drew it recently when a user with a sick PC was curiously reluctant to let me get at it.

Came back after working hours and it took me all of 5 minutes to find the copy of micro-Torrent where they thought they'd hidden it. And the downloaded movies, mp3s and apps.

Sadly they were the MD's favourite, the individual in question that is, not the downloaded content.

However, it gave me the opportunity to preach a sermon to everyone from the MD down and formulate an Internet usage policy document which is being added to everyone's job description.

I am the law

Posted Wednesday 24th October 2007 12:50 GMT

During IT induction of new employees I would explain that Britain uses Magna Carta (the legal principle that one can do whatever is not forbidden). I explain that our IT uses Code Napoleon (whatever is not explicitly allowed is forbidden).

After that all it takes is a quick description of the difference between a benevolent dictatorship (the status quo) and a malevolent dictatorship (when I get pissed off) and the groundwork for a happy relationship is set.

Terms of use 

Posted Wednesday 24th October 2007 12:50 GMT

I work in the public sector & even when you remind the mpeg storing, CD ripping loon who just installed the 180solutions toolbar "cos it looked cool" that they signed an acceptable use policy, they just complain of harassment. I'd like to show them what real harassment is - BOFH style!

Sinner's VLAN... 

Posted Wednesday 24th October 2007 13:34 GMT

... A VLAN that goes nowhere is where I drop any user that is doing something stupid on the network. I then wait for the escalated helpdesk call to reach me and then tell them their unauthorised app must have triggered some automated defences in our firewalls.

If they're downloading porn, I sometimes set one of their downloads as their desktop background. Another gag was to redirect the user to the Metropolitan Police Computer Crime Unit website, instead of their porn site. If it's really bad stuff, I just grass them up to management.

After seven years we still have this problem?! 

Posted Wednesday 24th October 2007 14:00 GMT

How long was Windows 2000 in the marketplace? MacOS X? Ever since Win2K supported DirectX games I gave up on Win9x, embraced "least privilege" and before-the-fact security, and haven't looked back once.

Now, convincing the accountants that they don't need "administrator" access to run Accpac? That's a challenge. Any ideas?

Reminds me of..... 

Posted Wednesday 24th October 2007 14:49 GMT

A few years ago we employed an ex-telephone guy, and we got a new office with rather nice phones which one could save favourite telephone numbers in.

So this guy changed the manager's favourite numbers to things like the local red light district massage parlour etc. Oh boy, did we crease up when he next used the phone!

Free security 

Posted Wednesday 24th October 2007 15:29 GMT

Once again, we have an example of policies and standards being made without a thought given to the cost of sustaining them.

Certainly, if I write a policy absolutely forbidding IM or admin rights on a user's platform, a teensy percentage of my user base will notice it and a teensy percent of those who notice will "do the right thing". If I invest a little money in an education program and tell the users why our policy says what it says, those percentages will go up - a little.

Now, if I invest more money in an ongoing, monitored education program, more money in tools and procedures to monitor and enforce my policy and more money in a framework to support my policy then the percentages are going to rise again.

But chances are that I won't. I'd rather have a couple of public hangings a year or complain about 'bloody users' because I can't be bothered cost-justifying the money I'd need to spend on a more effective approach.

not so grey matter 

Posted Wednesday 24th October 2007 17:08 GMT

"More worrying for the BOFH is that 36 per cent of employees believe they have the right to install any application they like on their desktop computer, regardless of IT department approval."

Here, they call it "intellectual freedom".

Free the admin password 

Posted Wednesday 24th October 2007 19:29 GMT

I work in a school. We get resources in the form of QuickTime movies and flash animations to use in lessons. We link our laptops to our projectors to do this. This is part of the point of having a laptop. Flash player and QuickTime is NOT installed by IT. If you take your laptop to IT to "fix" there is a 25% chance that you will never see it again and if you do, the fastest "fix" lasts about two months. My laptop never connects to the Internet or the network and doesn't have wireless access. It takes about 2 mins to start up. Laptops that have been "fixed" with all the latest security gubbins and wireless network access etc take about 20 mins to start up (lessons are 50 mins), have all the QuickTime and Flash malware removed and a damn administrator password dumped on them. May as well chuck them in the bin!

User Behavior Modification - The simple solution 

Posted Wednesday 24th October 2007 19:48 GMT

I just tell them that if they can't follow the rules, they'll be relegated to the thin terms on the linux servers..... It usually silences everyone below C?? level.

go ahead but... 

Posted Wednesday 24th October 2007 21:17 GMT

When something goes awry and it seems to be related to non-corporate software or sites I tend to troubleshoot less and re-image more. That is, goodbye MP3 collection and chat software and whatever other crap was lodged on the box, hello virgin company desktop. Depending on the user you can work more or less before dropping the big one, but just having the discussion can leave a great impression: "The SLA for your PC ends with the corporate image, approved software and corporate documents. When we can't get that to work we'll help you get those things running by whatever means necessary, often including wiping your machine clean." Folks upstairs tend to back up IT when informed of the number of hours it could take to save that MP3 collection and what those hours cost.

You're slipping 

Posted Wednesday 24th October 2007 21:20 GMT

*It seems to me that you can't expect human personal lives to completely disappear when they come into work.*

If you give a luser an inch... If you feel that the policy is absurd then change it. But once a policy is in place it's not the BOFH's place to question it, only to enforce it. And realistically speaking, clamping down on luser abuse of Internet connection makes an admin's job so much easier. Because it's easier to prevent than to fix.

Back to mainframes 

Posted Wednesday 24th October 2007 21:54 GMT

Of course this is just the latest incarnation of the 1970s attitude of only those in white coats being allowed to access the mainframe.

What IT departments should do is provide a range of central services (email, line of business, connectivity) as demanded by the business and leave desktops to individual departments. Just like when PCs first became available and groups bought them retail for their own use, because "Data Processing" weren't providing what they wanted.

Of course that will collapse IT department empires, so it's never going to be popular. And "security" is a good boogeyman to use to prevent it.

sadistic delight 

Posted Wednesday 24th October 2007 22:06 GMT

is what most IT admins experience while adding a mildly gaming related web forum to the 'blacklist'. Ahh the constant battle between the software developer and the IT admin. What surprises me is the look on their faces when I explain that providing access to an 'add/remove programs' page with a command line with enhanced privileges begs for a compmgmt.msc -> take me to the local admin group :)

there's my sadistic delight...

Facetime, eh? 

Posted Thursday 25th October 2007 04:59 GMT

So, in summation, some [L]users are stupid, and some [sh]IT departments are useless. Plus ca change..

What nobody's mentioned is this stunningly insightful survey. From Facetime. Who are.. "the leading provider of security solutions enabling businesses to secure and control greynet applications such as instant messaging, Skype, [etc]"

Smashing. Advert, meet content. I think you already know each other..

shoes go on both feet 

Posted Thursday 25th October 2007 05:45 GMT

Our IT dept was upset that the network drives were all full and started searching and destroying all MP3s...so we had been told. Later on got to be a pal of one of the IT fellas and found out they had moved all the songs to their own private server where they could access thousands of songs all day long while they were doing the hard work of supporting day to day operations. nice.

How many... 

Posted Thursday 25th October 2007 10:51 GMT

... of you are reading this at work. Is this personal use of company assets?

Both sides of the argument..

Posted Thursday 25th October 2007 13:24 GMT

As a Helldesk Bastard, I hated people installing crap on "their" machines, to the point that if someone cheesed me off about it being slow, I'd ask if their work materials were on the network drive and re-image the thing by remote when they went to lunch :)

Being relegated back to (L)User class, anything I want to use that's not work related, I bring in on a cd. My music is in OGG format with winamp running from the cd so I'm not installing anything to the system. I just wish that I could put Firefox on.

How many indeed 

Posted Friday 26th October 2007 16:59 GMT

... of you are reading this at work.

My employer's net nanny doesn't let us look at forums - except this one!

That must mean the IT outsourcing contractor doesn't know it's here, mustn't it?

RE: Free the admin password 

Posted Friday 26th October 2007 17:09 GMT

No.

Unless you are willing to take on the burden of dealing with federal regulations, including, but not limited to, going to "pound-me-in-the-ass" prison for 2 years or more, once that password has been breached (something that will happen within 2 minutes after that password's been released to the luser population).

Missing link, or? 

Posted Wednesday 31st October 2007 16:38 GMT

"and with that capability expanding to Windows Mobile there's still plenty of opportunity to keep users under control."

Did I miss something, or was this a shameless plug?
