Remote Management and User Consequences? 139
NNWizard asks: "I work in a large university in Belgium where the people in charge of university computer systems want to install LANDesk on every single computer connecting to the university network. The aim is to be able to manage software and provide centralized remote user support. In the old days, every department had computer guys dedicated to the department, and they knew all about the users and their needs. Now, they want to make the management of computer resources global. In most non-engineering faculties this is well accepted, however in the Applied Sciences Faculty the users are computer savvy -- they do not like the idea of giving out control of their computers to people they don't know. What experience does Slashdot have with such a situation? Was the deployment of LANDesk (or a similar software package) a good or a bad thing for the users? How were the privacy issues tackled? Were people still able to use their computers the way they wanted to use them?"
Re:They're full of crap (Score:4, Informative)
Re:At my company... (Score:3, Informative)
Re:Dial-out assistance (Score:2, Informative)
Re:Dial-out assistance (Score:5, Informative)
Simple! Just install an SSH server on your computer and create an account for them to connect to.
1) Have them download putty
2) Send them a PDF showing exactly what to configure (for the port forwarding)
3) have them connect with the username/password you created
4) Have them send the request to local host.
You could blend steps 1 and 2 togther by creating an MSI or something that pre-configures putty with a connection for your computer with the proper port forwards.
Oh wait... you wanted a good way, not just a way...
If only there were a windows vnc that bundled the ssh somehow...
Re:At my company... (Score:5, Informative)
Academics are a very different beast from for-profit corporations. Faculty are effectively BOFHs, as they are absolutely vital (they bring in serious outside funding and desirable students and press) and are very tempermental. Faculty do not appreciate or enjoy administrative work. Schools are generally lucky if they can get them to teach well, let alone learn anything not directly related to their research.
The software used in labs tends to be poorly coded at best. Downright hacks from the Stone Ages are not uncommon, even on $50K microscopes (how many of your microscopes run Windows 95?!), so IT is going to have to be very careful in defining "computers".
Have the heads of IT, along with engineers and project managers, meet with Department Chairs, Deans, the Faculty Senate, and any star faculty. Individually and en masse. Throughout the planning, implementation and follow-up stages. Keep clear lines of communications open at all times. Be prepared for quick, courteous responses to irate and unreasonable faculty. Whatever you do, though, do NOT allow the faculty to define the terms of their relationship with IT. They are horrible clients; they don't know what they want, communicate it even worse and have the power to make your lives miserable. Perhaps the Marketing department can be hired to help out?
I wish the OP the best of luck with this endeavor. And with the future job hunt when faculty come back screaming at the Deans, only to have them turn around and blame IT.
Re:They're full of crap (Score:1, Informative)
I maintain a mix of about 300+ Windows, and Unix stations. None of the 100+ Windows Boxes I've ever maintained ever got spyware/adware/malware on my watch. I don't let users run IE carte blanche. Since I don't completely uninstall IE, I secure it with group policy. I set a group policy to disable features and block out Bad websites at the firewall. I also install firefox and opera, just because I like people to have a choice, and I can quickly turn off one or the other if there's a security hole awaiting a patch release.
Maybe you need to uninstall IE, Outlook and Outlook Express or just figure out how to set group policy to block users from being stupid while using them. If you can't figure that out, you should just uninstall these three biggest Viral agents. If you have any stand-alone IM clients, uninstall those too and if your users really need IM, install Trillian Basic or GAIM. Doing that will get rid of another bunch of Spyware/Adware. No matter how usefull you perceive the Google Bar to be, don't install it. If you aren't running a domain with NT based machines, you should definitely uninstall these Viral agents and force your users to use Firefox and/or Opera. Firefox might be better, since you can disguise it to look like IE.
On my watch, only one machine, an SQL server, ever got cracked, because I was not originally in charge of it. Even though it wasn't my job to maintain it, I was in charge of re-installing it. I took it upon myself to take over the machine after the second security breach. Once I took over, nothing bad ever happened on it. Those people running the box just weren't admins and shouldn't have been in charge in the first place.
Now, our group has just taken over another group's 200+ Windows only machines and I found a whole slew of problems. Stupid MCSE paper admins; a lot of MCSE's are just idiots. They enacted all the simple inconsequential security fixes, but left gaping holes in all the important stuff. The SQL server was probably hacked and has been under constant attack for last 3 years. Gigabytes of SQL logs, that they obviously don't check, go back 6 months showing cracking activity. Windows SQL or any SQL server should never be directly accessible to the entire world. They used IE to surf the web on their critical servers, since I see adware cookies, ebay, and other personal sites in the local Administrator accounts. I don't let anyone with admin priveleges touch IE on any of my servers. I used to download the patches manually, but some of them now require ActiveX to get to. I have a separate server with IE installed that I run windows update and download patches manually. If you want to surf the web, do it on your own workstation, not on a critical server.
Windows can be secure if you stay on top of things and lock things down properly. This goes the for unix, linux and OSX machines that I maintain as well. While there are much fewer critical holes in the unix world, it is not maintenance free. Anyone who doesn't keep up with security patches is an idiot and shouldn't be an admin. If you can't patch because of some software(I had a 2k server running SP2 until last summer because upgrading broke Clustering), then at least firewall it properly. There's no excuse for allowing an unpatched box to sit directly on the internet.
There's also no reason for any user to be able to automatically install software from IE, outlook, IM, or install any third party software without your permission. If you do it right, you get no spyware and no junk to clean. If you're getting spyware, I'd disable your admin priveleges too.
Re:The choice of LANDesk... (Score:3, Informative)
Or, what's the difference?
If you google LanDesk you'll see it's a full desktop support package, along the lines of Novell's ZenWorks product line: remote control, application deployment, desktop imaging, etc, etc, etc. VNC only fills one piece of that puzzle.
Re:At my company... (Score:2, Informative)
We use Altiris where I work. Through Altiris we have two different ways of controlling a computer. First, through the Notification Server, is Carbon Copy. This is done via webpage and can be configured to prompt the user to choose whether to allow someone to connect or not. Second, through the Deployment Console, is Remote Control. This is a high-bandwidth feature with no user prompting. Basically the last resort. Either way, you should devise a plan to explain to them how this is necessary.
Re:They're full of crap (Score:3, Informative)
*bzzzzt* Wrong answer.
A professor who gets research grants not provided by the University upon purchasing equipment has not bought something for the University. Some departmetnal funding comes from external sources, not the school. These assets are tracked and accounted for differently, since they most assuredly were not bought with the school's money.
When I was in school, many profs had some really cool equipment that they purchased with the grants they received from external sources. And if they left, they could take it with them.