[Update 3/19/09: I’m cleaning out some unfinished posts that I didn’t want to lose, so I’m just publishing them as is. This post was written nearly a year ago.]
update: Odd, there was just talk about this, maybe I was influenced in a round-about way by this discussion at slashdot: Should Users Manage Their Own PCs? (read the comments!)
Also more here.
There is increasing talk about worker angst with IT teams locking down computers and being dictators when it comes to adding software to their computers. Thin clients and terminals are suddenly becoming sexy again. Likewise, most office workers seem to have their own array of gadgets and devices that they want to use, IT policies be damned.
Rather than tackle that debate which swings both ways, I want to play devil’s advocate and assume the direction is going to be taken where employees have full rights on their own fat systems. Let’s say I work at an SMB that values employee happiness and creativity (software shop, video game shop, design group, etc). And the decision has been made that employees are responsible for the software on their own systems, although the company itself may front the cost of any needed software; pirating is not allowed.
What does this mean for the security of that organization? I know plenty of security geeks will go into immediate defensive mode, but I’d rather delve into what approaches are needed in such a situation.
The assumptions and setting:
- Users have administrative rights to their systems.
- IT also has administrative rights.
- Users won’t install pirated or illegal software, but instead get comped by the org.
- Servers are still the realm of the IT teams, so let’s just not think about them for now.
What are some issues that can arise in such an environment?
- Systems may slow to a crawl as they become infected with crap upon crap.
- Internal and external networks may slow to a crawl or become unusable due to worms, viruses, scanners, and bots; both internal-only congestion and externally targeted congestion.
- Information may quickly get stolen, a la the program that installs itself and steals your AIM/WoW/bank account and password, whether actively, on a trigger, or via keylogging.
- IT may have to answer questions and provide support for non-standard programs across a huge range of possibilities.
- Users may install tools that have malicious side effects, especially if they have a laptop that goes home. Things like BitTorrent and p2p apps tend to pop up on such systems.
- Most systems will have one or several IM programs installed and in use, opening the user to phishing/spam, a potential avenue to send information beyond the corporate garden, and lost productivity if abused.
- Users will use their personal webmail accounts, opening up the same avenues.
- Development or creation processes of any kind may not be possible to move from the user’s computer to a server. “You want *what* installed on the web server?!”
And here are some measures to pursue. These are not in any specific order.
- A strong perimeter with aggressive ingress and egress rulesets with active logging on egress blocks. Yes, many apps will just tunnel through port 80, but that doesn’t mean we should forget the floodgates.
- Strong internal perimeter to protect the DMZ and the suddenly rather untrusted internal LANs. Isolate print servers, file servers, and others from userland, letting only what is absolutely necessary past.
- Strong internal network monitoring to identify traffic congestion and unwanted communication attempts.
- The staff to attend to the alerts this stronger network posture will require. With such an untrusted userland network, bad alerts can’t sit for very long, and there may be plenty of them.
- Consistent and regular user training about security concepts.
- Regular communication amongst employees and IT about how to properly solve various problems, use programs more intelligently, and so on. If one program can solve problems but everyone is just using what they know, perhaps opening communication may get everyone on a standard page. It certainly is better than everyone trying the same 10 programs to solve the same problem. [update: I’m not sure what I was saying here…]
- Foster an open environment where users can talk candidly with IT and security, without expecting laughter or a quick rebuke.
This is going to be much like the TSA assuming every passenger is a threat.
- Will need an aggressive and automatic patching solution to keep the OS and major applications patched as much as possible.
- Have a strong imaging solution and architecture in place. People mess up their computers now and then and require them to be re-imaged. People who control their own computers will mess them up even more.
- Have strong network and file server anti-virus or malware scanning. Chances are pretty good that users will store their backup installs on your file server. Try to separate the screensaver crapware from the necessary stuff.
- Be proactive in supporting the software inventory needs of your users. If a user has a piece of software they had the company purchase, keep an inventory or even a backup of the install disk and serial under lock and key. This is far better than letting users manage (or steal! or lose!) their own copies. A Photoshop disc left on a desk is a pretty easy crime of opportunity.
- Plan to have strong remote management of users’ systems, especially when it comes to inventorying various things, such as accounts, installed software, running processes, resource consumption, and log gathering. You likely won’t parse these out regularly, but some you might want alerts for, such as new user accounts appearing.
- Proactively offer to assist users with any PC questions they may have. Often, users have lots of little annoyances they live with, but offering to help with the fixable ones can often go a long way towards satisfaction not just with IT but their job as well. If a system is running slow or they don’t understand why a window displays as it does, assist them with fixing it.
- When assisting users, take extra effort to include willing users in your troubleshooting. This not only opens lines of communication, but also teaches them as you go. Maybe next time they’ll already have checked for that rogue process before you get to their desk!
- Might be wise to evaluate DLP technologies. While administrative rights for users on their desktops means many forms of malware will do things like disable AV before it can intervene, many users are not nearly as sophisticated when they purposely or accidentally move important data from the safety of the corporate environment to an outside entity. It might be enough to implement DLP to stop all but the truly crafty and determined insiders. That might be risk avoidance enough to deal with the determined ones on a case by case basis.
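The remote-inventory item above suggests alerting on some changes (new user accounts) while merely reporting others. Here is an added example of that baseline-diff logic, not code from the original post; the two snapshots are constructed sample data, and the category names and severities are my own assumptions about what a collector would gather.

```python
"""Added example: diff two endpoint inventory snapshots and raise alerts
for the changes worth paging on (new accounts, new local admins) while
only reporting the rest (new software)."""

# Constructed sample snapshots. A real collector would pull these from
# each PC via remote management and store one per host per day.
BASELINE = {
    "accounts": {"alice", "Administrator", "Guest"},
    "admins": {"alice", "Administrator"},
    "software": {"Firefox 3.0", "Photoshop CS3", "Office 2007"},
}
CURRENT = {
    "accounts": {"alice", "Administrator", "Guest", "svc_backup"},
    "admins": {"alice", "Administrator", "Guest"},
    "software": {"Firefox 3.0", "Photoshop CS3", "Office 2007", "uTorrent"},
}

# Assumed policy: account and admin-group changes page someone now;
# software churn goes into a periodic report.
ALERT_ON = {"accounts": "HIGH", "admins": "HIGH"}
REPORT_ON = {"software": "INFO"}


def diff_inventory(baseline, current):
    """Return (alerts, report): lists of (severity, category, message)."""
    alerts, report = [], []
    for category in sorted(set(baseline) | set(current)):
        before = baseline.get(category, set())
        after = current.get(category, set())
        severity = ALERT_ON.get(category, REPORT_ON.get(category, "INFO"))
        target = alerts if category in ALERT_ON else report
        for item in sorted(after - before):
            target.append((severity, category, f"added {item}"))
        # Removals matter too: a deleted account can be an attacker cleaning
        # up, or a user removing IT's own admin account.
        for item in sorted(before - after):
            target.append((severity, category, f"removed {item}"))
    return alerts, report


if __name__ == "__main__":
    alerts, report = diff_inventory(BASELINE, CURRENT)
    for severity, category, message in alerts + report:
        print(f"[{severity}] {category}: {message}")
```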
Sadly, the reality is that a company that wants its users to have local administrative rights is likely too small to meet the needs listed above without some assistance.