How restricted are your devices?

DJTza

Hello all

I am a solo IT manager at a primary school with around 60 staff and 800 learners. The classroom teachers each have a laptop, as well as some of the specialists. There is one computer lab for learners to use, and all admin staff have their own desktops. We run a pretty standard AD infrastructure with rules for both the kids and staff. To date, I (and my predecessor) have kept rights locked down on the staff machines. I go around once a month to each of them to do updates, and I'm called if someone wants to install a printer, or a USB modem for use at home, as these require an administrator password. I don't mind installing applications that are requested by staff as long as I do the install and it is legal.

However, we've recently come under new management and the new principal is wanting staff to have free rein on their laptops. They must have the ability to download and install any apps that they want, and make any changes to their settings without having to call me to do it. I pointed out that this is dangerous and, in my mind, definitely not best business practice, but I got told that as long as our AV is up to date (ESET End Point in this case), it shouldn't be a problem. He's also being told by a member of our SGB that this is standard practice and we are behind the times. A quick check with another school tells me that this is not the case and they have even more restrictive policies than I do.

My question is, what sort of restrictions are in place at your business/school/organization? I'm keen to hear if I am being too restrictive or if you agree with me for sticking to my current policies.

Any input would be greatly appreciated.

Thank you in advance.

Tim
 
The whole "as long as our AV is up to date, it shouldn't be a problem" argument is bogus. Where I used to work there were few restrictions (that's code for "none"), but there was trouble if you did something stupid.
My suggestion is that you let them go through with this (as in, don't be a control freak, allow them to do as they wish) - but use programs like K9 to keep them from downloading from known malicious sites. It'll auto-update, and they can't remove it. K9 is pretty powerful and capable of blocking a variety of different categories.
 
Our machines are all local admins. Too much of our software malfunctions (and some don't work at all) when the accounts don't have local admin.
 
Tell the new principal that if he/she is prepared to do the support on the PCs/laptops then sure, go ahead and make them all admins, but that would be the biggest mistake in the world.
Lock it down so that they can only do what they are supposed to, and that is use it as a work tool. It's not their personal tool to use as they please.
 
Hi Tim,

I have been involved in supporting and consulting with schools on technology for a number of years and I feel your pain - there are very few environments that have to accommodate as wide a range of skill levels, from the maths teacher who is actually a BSc Comp Sci graduate to the art teacher who can't find the 'any' key ...

If the laptops being used by staff are the property of the school, the liability for unlicensed software remains with the school unless the staff member has accepted responsibility for any activities performed. This can be done by drafting a comprehensive policy covering piracy, inappropriate / offensive material, social media etc. and making it a requirement that the policy is read and signed off by the staff member before a laptop is issued. It is probably a good idea to inform people that there is a standard set of applications which you are able/willing to support and any issues resulting from non-standard app installations will result in the laptop being rebuilt to your basic spec.

Given that the level of control over end user devices is going to diminish, you may have to implement tighter control over centrally stored documents, etc. On-demand virus scanning on a server is a last resort as it kills your response times, but I would recommend increasing the frequency of scans. Backup strategy and online shadow copies might also need to be considered.

This will probably be a lot of work to begin with, but the 'bring your own device' scenario which is probably heading your way too will be a lot easier to handle if the policy is in place and the central resources are adequately protected.

Cheers,
Q.
 
They'll come crying when they're hit by ransomware or something. Ransomware is really hitting (and hurting) a lot of businesses now.
 
Why are you going around monthly installing updates? I'm useless on Microsoft, but surely this can be scheduled and done via a group policy etc?

I would not unlock PCs. The question needs to be asked: why do they require full access, what do they need to do that they cannot do now?
Surely if 1 teacher requires a certain application or programme, a few of them require it. It gets added to the machine build or departmental machine build and rolled out.
 
Laughable and patently criminal.
I caught a paedophile in a South African education institution last year, who was able to pursue his primary love for raping children with total freedom (local admin, AV as the only security mechanism) because of permissive leaders.
Tim, message me privately, I'll organise a no charge PoC for insider threat detection to assist your cause.
 
Hi,
We are also running local admins for users; there are just too many issues with software, especially poorly designed ones, e.g. Pastel.
We do have very strong policies in place.
For the updates, rather set up proper WSUS.
We have a great endpoint and malware solution which can't be disabled or uninstalled by local users even if they have admin rights.
We also heavily rely on Exchange's remote functionality; recently had to wipe two phones that got stolen.
 
Our machines are all local admins. Too much of our software malfunctions (and some don't work at all) when the accounts don't have local admin.

Same at uni but we are all IT department students.

My school had the OP setup, I don't see the reason to give students/teachers admin rights, what do they need it for?
 
Staff shouldn't require administrative rights, but they at the same time shouldn't be locked down too much. So, maybe you could look at the following:

1) Explain to the principal that anti-virus is != complete safety. It's not a total solution to stop malicious software from being installed, obviously. It's a big misconception among many folks who are inexperienced/light users of their computers.

2) Do a survey of other local schools and report that to the principal to display that it is actually not done at other schools and that there is probably a valid reason for that.

3) Create an application list, and allow those to be installed without administrator involvement.

4) Tell the principal that you can allow software installations, but caution against the hazards, and perhaps offer remote assistance to the staff computers to at least make the process easier on your side.

Laughable and patently criminal.
I caught a paedophile in a South African education institution last year, who was able to pursue his primary love for raping children with total freedom (local admin, AV as the only security mechanism) because of permissive leaders.
Tim, message me privately, I'll organise a no charge PoC for insider threat detection to assist your cause.

Bit overkill for a small school, isn't it?
 
Not really relevant to your school scenario tbh but might be of interest to the others...

-Admin rights
-No obvious restrictions on the laptop itself (aside from AV...can't turn that off easily).

But...

Crazy business recovery processes, e.g. IT keeps 10-20 spare laptops on hand. So if something goes wrong with a laptop that they can't fix immediately, they sync one of those with the servers & issue that as a loan laptop. A couple of hours later you then trek back to IT and swap the loan one for your fixed one.

In your case I'd definitely insist on an automated backup solution + imaging...else you'll be scraping virii and toolbars off laptops for days.
 
Bit overkill for a small school, isn't it?
Not in the least, as it isn't a small school and the risk profile doesn't decrease with footprint.
 