Quake3World

If you were a corporate network admin what programs would you not allow users on your network to install?

Say you have employees with the browsing habbits equivalent to those of a group of 12 year old backstreet boy fans. They are mucking up your network and screwing up their computers.

P2P file sharing, hotbar, save now, gator, claria, edonkey etc...

let the list begin...

bonzi buddy,
dialers,
gain,
hotbar
weatherontray
iwon
kazaa
napster
webshots
zipclixx

to name just a few

We use LANDesk Management Suite for inventory, software distribution and software denial, patch management etc..

I think the right question is: "What *would* you allow?"

Nothing. If it's a corporate system everything that needs to be on there should have already been put on: and an admin can install them if the user needs it.

Just disallow everything except the three sites they're supposed to use.

If you're gonna be a nazi, be a real Austrian nazi!

I wouldn't allow people to install Firefox because it would slow down their productivity.

I also probably would somehow set up an e-mail quota system so they can send unlimited e-mails to certain domains, but to outside sources only a few per day and at a limited size. That way, people wouldn't be using the company's bandwidth to send pictures of their kid's stupid soccer game to relatives.

I'd also get someone to program a Solitaire game that only allows an hour per day of play. When ten seconds passes with no activity, it pauses the game and the hour timer.

I would install Winamp on the file server so people can listen to shoutcast. It would also be on all their computers as well if they work well with headphones.

I'd block a lot of sites from being accessed as well, like those stupid video sites... You know the ones that archive shit like the Star Wars Kid. As the boss, I shouldn't have to have a weight on my shoulder trying to determine if I should or shouldn't give someone the pink slip just because they were laughing at kid_falls_out_of_car.mpg instead of doing their job.

I'd introduce some cool shit too... Maybe as a reward everyone gets a few free iTunes songs a week.

Part of the problem is streaming music, it's kicking the crap out of our T3 line. That and eDonky, torrents, P2p apps etc.


I've already got most of that under control, and port blocking is going into effect for thee streaming.

Cannot do email quota systems, because we take on so many new customers daily that require programs to be sent to them via email (for now another FTP server is in the works)

What I am doing is using our deployment software to scan a user's registry on login any software that I setup a trigger for will inform me as well as give them a message to call the I.T. Department immediately.

I just want to add to my triggers

PhoeniX wrote:Nothing. If it's a corporate system everything that needs to be on there should have already been put on: and an admin can install them if the user needs it.

Bingo :icon14:. Installing software without administrative approval is something that can result in being written up or terminated on any of my networks. Its easy enough to spell those things out in the network usage policy that new employees sign. Once thats done a reminder of the policy and its consequences is usually enough. Since ActiveX has been disabled on those networks instanaces of malware have stopped.

If its keywords you're after though here are the ones we block at the gateway:

funwebproducts.com
gator.com
xxxtoolbar.com
mysearch.com
bonzi.com
iwon.com
mywebsearch.com
hotbar.com
planetsmilies.com
cometcursor.com
globaltoolbar.com
cometsystems.com
weatherbug.com
browserwise.com
freewebupdates.com
sqwire.com
xupiter.com
xzoomy.com
freescratchandwin.com
db105.com
ez-finder.com
greatsearch.biz
searchmeup.cc
coolwebsearch.com
smartsearch.ws
newdotnet.com
i-lookup.com
click2findnow.com
6freeze.com
screensaver.com
smileycentral.com
customer-care.rbc.com

Dek wrote:We use LANDesk Management Suite for inventory, software distribution and software denial, patch management etc..

Just a heads-up: you could shave some licensing costs off of your budget by using Active Directory group policy to do all of the above (provided your machines are either 2k or XP).

Also force them to use firefox, I think you can probably get thigns to force iexplore.exe to load firefox too, that should fix most of the spywareproblems.

PhoeniX wrote:Also force them to use firefox, I think you can probably get thigns to force iexplore.exe to load firefox too, that should fix most of the spywareproblems.

Can't do that the custome service admins use an applet that only runs in IE...

Tormentius wrote:

PhoeniX wrote:Nothing. If it's a corporate system everything that needs to be on there should have already been put on: and an admin can install them if the user needs it.

Bingo :icon14:. /color]

Can't there are too many variables here and we are way to loose.

Look in the spybot s & d hostsfile and the immunize list (restricted sites)... add those?

Fucking hell, you need to get a grip on your systems.

Seriously. What platforms are you running, what industry, what's your rough user/terminal count, and what's your position within the IT department?

Giraffe }{unter wrote:Part of the problem is streaming music, it's kicking the crap out of our T3 line. That and eDonky, torrents, P2p apps etc.

I think the P2P stuff is your trouble. If there are 20 employees all listening to different 128kbps shoutcast stations, that's not all that much bandwidth.

rep wrote:

Giraffe }{unter wrote:Part of the problem is streaming music, it's kicking the crap out of our T3 line. That and eDonky, torrents, P2p apps etc.

I think the P2P stuff is your trouble. If there are 20 employees all listening to different 128kbps shoutcast stations, that's not all that much bandwidth.

Try like 200+


We had one guy sucking up some serious bandwidth last year running an eDonky server... When we shut him down there were over 230 simultanious downloads going on...

Sucked for him on monday morning

Foo wrote:Fucking hell, you need to get a grip on your systems.

Seriously.
What platforms are you running?2000/XP
What industry?Sales/production/manufacturing/customer service
What's your rough user/terminal countabout 1000+
What's your position within the IT epartment?The Man (nicknamed hitler)

what foo said, and to a lesser extent - what foo asked.

edit, lol - beaten to it

you can buy dedicated bandwidth boxes. shape your traffic however you want.

in that type of enviroment it could be your best bet.

Giraffe }{unter wrote:

Foo wrote:Fucking hell, you need to get a grip on your systems.

Seriously.
What platforms are you running?2000/XP
What industry?Sales/production/manufacturing/customer service
What's your rough user/terminal countabout 1000+
What's your position within the IT epartment?The Man (nicknamed hitler)

If you're running an all-windows system, and presumably active directory-based administration, I'd recommend building a container with properly restricted policies, and migrating users into this container sections at a time.

Course I can't give too much advice without asking questions as I go along, so hit me up on IM for a chat? 31864930 or thegreatfoo@hotmail.com

When this kinda thing was my job, we had all win2000 and winXP computers. We just set all the computers user account permissions up so that only an admin could install programs, no end users.

Mein fuher! :lol:

Pooinyourmouth_needmerge wrote:When this kinda thing was my job, we had all win2000 and winXP computers. We just set all the computers user account permissions up so that only an admin could install programs, no end users.

Word. Also, I made it my personal mission this year to get everyone off 2000 and onto Windows XP. 1 operating system means you can concentrate on a unified service. No 'this works on XP but not on 2000', or vice versa.

It's tough to get a grip, it's taken me 3 years to strike fear in the hearts of users when I personally get off my ass and come up to their computers. I put my foot down with the hotbar outbreak. Then it was lifted slightly by their managers, because we cannot have people doing program version support if they cannot install the version in question.

Now things are much better, people call down and they know they fucked up, they know when they clicked on the wrong thing. I have allot of people that respect the no software policy and as a reward for their respect they get certain priveledges the non-conformist do not.

What pisses me off is the sneaky bastards that try to install this stuff and disable all the admin accounts and think the computer is theirs to do as they please. The ones that hide folders and encrypt their porn drive and think we’re dumbasses and not going to notice.

I set a new policy you install something that is prohibited we take you pc for as long as it takes to remove it. You get to explain to your boss why you cannot work, and to assure you didn’t bullshit your boss gets a copy of the work order.


The only leverage I have is fear of their boss finding out, and since I do my best to help the computer illiterate and guide them I know when our policy is not being respected and will not stand for it.

I wouldn't let them install anything that isn't installed by me. It's tough to do with all those web programs but once you determin what's need for the buisness to run you just make sure nothing else get's in.