Remote Management and User Consequences?
NNWizard asks: "I work in a large university in Belgium where the people in charge of university computer systems want to install LANDesk on every single computer connecting to the university network. The aim is to be able to manage software and provide centralized remote user support. In the old days, every department had computer guys dedicated to the department, and they knew all about the users and their needs. Now, they want to make the management of computer resources global. In most non-engineering faculties this is well accepted, however in the Applied Sciences Faculty the users are computer savvy -- they do not like the idea of giving out control of their computers to people they don't know. What experience does Slashdot have with such a situation? Was the deployment of LANDesk (or a similar software package) a good or a bad thing for the users? How were the privacy issues tackled? Were people still able to use their computers the way they wanted to use them?"
At my company... (Score:5, Interesting)
If you are concerned about privacy, I'd look into something simple like VNC if you have the management software to know who's using what computer when. It works VERY well with us and is very versatile--I can't tell you how many times it has saved our butts from having to drive 300 miles when we just put a VNC connection over an SSH tunnel at a remote jobsite.
Re:At my company... (Score:2)
Re:At my company... (Score:3, Informative)
Re:At my company... (Score:2)
Re:At my company... (Score:1)
When I did work at a University t
Re:At my company... (Score:1)
Nowadays, I use the Remote Assistance feature in Windows/MSN Messenger. This would probably work better in a company using Live Communications Server to actually run their messaging client though.
and who looks at the IT people? (Score:1, Insightful)
Re:At my company... (Score:5, Informative)
Academics are a very different beast from for-profit corporations. Faculty are effectively BOFHs, as they are absolutely vital (they bring in serious outside funding and desirable students and press) and are very temperamental. Faculty do not appreciate or enjoy administrative work. Schools are generally lucky if they can get them to teach well, let alone learn anything not directly related to their research.
The software used in labs tends to be poorly coded at best. Downright hacks from the Stone Ages are not uncommon, even on $50K microscopes (how many of your microscopes run Windows 95?!), so IT is going to have to be very careful in defining "computers".
Have the heads of IT, along with engineers and project managers, meet with Department Chairs, Deans, the Faculty Senate, and any star faculty. Individually and en masse. Throughout the planning, implementation and follow-up stages. Keep clear lines of communications open at all times. Be prepared for quick, courteous responses to irate and unreasonable faculty. Whatever you do, though, do NOT allow the faculty to define the terms of their relationship with IT. They are horrible clients; they don't know what they want, communicate it even worse and have the power to make your lives miserable. Perhaps the Marketing department can be hired to help out?
I wish the OP the best of luck with this endeavor. And with the future job hunt when faculty come back screaming at the Deans, only to have them turn around and blame IT.
Re:At my company... (Score:2, Informative)
We use Altiris where I work. Through Altiris we have two different ways of controlling a computer. First, through the Notifica
Re:At my company... (Score:2, Interesting)
need to purchase another XP license? [realvnc.com]
UltraVNC is the best VNC. (Score:2)
--
Loose Change [google.com]. Interesting free movie.
Hamachi? (Score:2)
Re:Hamachi? (Score:2)
What has been your experience with Hamachi? (Score:2)
UltraVNC is great for remote maintenance, but does not go around NAT routers very well, I understand. And, I've never been able to make the UltraVNC encryption work.
Hamachi and security? (Score:2)
Re:At my company... (Score:2)
If you decide not to agree to that, you will not get a laptop.
Re:At my company, we're hell-bent nazis (Score:1)
I don't think so.... (Score:5, Interesting)
That having been said, what the university wants to do is 1) completely different and b) a Very Bad Thing. In my case, *I* am the admin and the machines are *MINE*. The university is looking to force anyone who wants to use its network to give them root on their machines? Puh-lease. It's time for departments who don't want to lose control of their PCs at this university to start looking for an outside ISP. Chances are there's already money in the budget for it: they probably kick in to the general IT infrastructure budget already.
-J
Re:I don't think so.... (Score:2)
Re:I don't think so.... (Score:2)
This isn't universally true, and in some circumstances, it's probably the right model. But at a research facility or University, other than administration, it's probably not.
Re:I don't think so.... (Score:2)
Exactly. This policy might be fine for clerical staff, but for researchers - especially those working in the computer field - it's a non-starter.
Giving a remote, central IT department control over the computer engineering faculty's computers is like putting the agricultural research tracts under the control of university groundkee
Re:I don't think so.... (Score:2, Funny)
Absolutely. Nine times out of ten, when we ask a user over the phone to read the error message and title in a dialog box that pops up, we don't get the complete picture, even though we ask for the user to tell us EVERYTHING that is on the screen. That makes telephone troubleshooting annoying. It's why we use remote management whenever possible, and
They're full of crap (Score:5, Insightful)
And the worst part is, people who THINK they know all about computers are also the ones who will blame YOU when they hose their installation of Windows. Frankly, I find it unlikely that these engineers need the control of their computers. More likely they want to install unapproved software and various adware bullcrap which will bring your network to a crawl.
I say this from experience. Initially I thought it would be OK to give some 'expert' users local admin rights, so that they wouldn't have to call the help desk in those situations where they simply want to install real player to listen to Rush Limbaugh or whatever else these dopes do. However, they instantly manage to get spyware, trojans, keyloggers, and other worms and viruses. They do this despite fully updated Microsoft Spyware (granted, it is a beta) and fully updated antivirus software.
It is only recently, as we moved to managed antivirus software, that I began to understand the amount of damage these people were doing. I now get reports of virus activity, and I am never going to make the mistake of giving a user local admin rights again. It is easy to do, but they will abuse it, and taking it away is 1000x as hard as just sticking to a policy of never doing it. Once you give in they will know that you can bend the policy, and when you take it away you are telling them through your actions that you don't trust them to know what they are doing.
And the one thing these people always think is that they somehow know what they are doing.
Let me make it a simple maxim: 'If you are not responsible for the maintenance of a computer, you WILL NOT UNDER ANY CIRCUMSTANCES have administrator rights on said computer.'
Re:They're full of crap (Score:4, Informative)
Re:They're full of crap (Score:1)
Truly "personal" computers on the university network are another story. I don't know the best ending to that one.
-J
Re:They're full of crap (Score:4, Insightful)
"No." Meaning that such devices are not allowed.
That's the way my company does it. If it's an asset owned by the corporation, it is allowed to get Ethernet packets. If not, it's not.
I bring my personal machine in, but there's no cat5 going into it even though it's safer by far than any corporate machine.
Re:They're full of crap (Score:1)
That's what I was thinking initially. However, this is a school we're talking about. Many (most?) schools allow students to plug their desktops into the network ethernet and use their laptops on the school's wireless LAN. We are talking about private machines here. Of course, there is the acceptable use policy (or whatever a given school calls it) dictating what is okay for the student to do. I can't imagine it saying "no running viruses", though.
-J
Re:They're full of crap (Score:2, Interesting)
Well, maybe it's true for big universities l
Re:They're full of crap (Score:3, Insightful)
Re:They're full of crap (Score:1)
That worked great for them until we changed the smbios of all the systems we wanted on the network to old systems that had never been removed from the asset register... =D
But then again our IT people are smart. They left a voice message on my cell phone when I logged a call about my cell phone being faulty.
Re:They're full of crap (Score:2)
Well, the summary says any computer connected to the university network.
When I was in school, many profs/departments bought their own machines out of their own budgets/research moneys.
I can't see someone who paid for the machines being willing to hand over control to remote people. Such uniform policies work for the lowest common denominator, but not for everyone.
And,
Re:They're full of crap (Score:3, Informative)
*bzzzzt* Wrong answer.
A professor who gets research grants not provided by the University upon purchasing equipment has not bought something for the University. Some departmental funding comes from external sources, not the school. These assets are tracked and accounted for differently, since they most assuredly were not bought with the school's money.
When I was in school, many profs ha
Re:They're full of crap (Score:5, Insightful)
-J
Re:They're full of crap (Score:4, Insightful)
Allowing the department to manage it means that the guys who know the most about how to keep Matlab or LabView or whatever they are using running are the guys keeping them running.
Re:They're full of crap (Score:1)
Trust is built by personal relationships - i.e. sharing lunch or at least anecdotes. The central guys,
as competent as they may be, will simply be too far away from most end users.
Once the remote admin thing is in operation, and an end user can see them working on their own
machine, and fixing things, the air may clear. But my feeling is that the hurdle will be too big for most users.
And I certainly wouldn't wan
Re:They're full of crap (Score:1, Interesting)
Re:They're full of crap (Score:1, Informative)
I maintain a mix of about 300+ Windows, and Unix stations. None of the 100+ Windows Boxes I've ever maintained ever got spyware/adware/malware on my watch. I don't let users run IE carte blanche. Since I don't completely uninstall IE, I secure it with group policy. I set a group policy to disable features and block out Bad websites at the firewall.
Re:They're full of crap (Score:1)
Re:They're full of crap (Score:2)
Re:They're full of crap (Score:2, Interesting)
I'm working in the developer group of an IT hosting services company. Until recently we had always been local admins of our own boxes, we had "direct" (read: 3 layers of firewalls) access to the internet so we could download patches, etc. and everything was rosy. With all the deadline pressures we hated *any* downtime so we made sure we didn't f**k-over our own machines, installed and maintained our own anti-spyware and anti-virus software (almost uniformly Ad-Aware, SpyBot and
Re:They're full of crap (Score:1)
How do you distinguish between people who believe they know about computers from those that actually *do* know? After all, you would (presumably) also claim to 'know about computers', right?
Re:They're full of crap (Score:3, Interesting)
You don't always need the Service pack to be securely patched. You need to know what is a critical patch and what is just a bug fix that might fuba
Re:They're full of crap (Score:2)
responsibility! (Score:2)
Re:responsibility! (Score:1)
Let's face it, people in IT departments are just as capable of screwing things up as anyone else. It's just because they get the blame that they claim they should have (type-A) 'control'.
IMO, the system should be change
Re:responsibility! (Score:2)
Re:They're full of crap (Score:1)
Re:They're full of crap (Score:1, Interesting)
How glad I am, to be out from under your Reichstag ways.
We have many of you, where I work, MCSE BOFHs by the bucketful, stomping about in your big important boots.
Our department got around you by running Macs, which you are inclined to preternaturally fear and loathe. Every drone in the office installs whatever they want, does their own maintenance, and helps the others when things go wrong. The only time we have a problem is when your IIS servers crash. Needless to say, your scary spywa
Re:They're full of crap (Score:2)
People were a lot more productive because they could use the software they were happiest with (e.g. Firefox rather than IE makes a huge difference to anyone who uses the web for research rather than entertainment).
On the other hand the place I worked at with the most central control, had some obviously badly configured PCs - e.g. access to a remote server was given to anyone who logged in to a particular PC, rather t
Re:They're full of crap (Score:1)
and? (Score:2)
Re:They're full of crap (Score:1)
Re:They're full of crap (Score:2)
Unapproved software? What makes you think you have a clue as to what software a scientist or engineer needs to do their job?
Re:They're full of crap (Score:2)
From your post it is clear that you are one of the people who 'know what they are doing'. I'm a nazi because every time some person ruins their computer's installation I have to take time out of other important things to image their hd, although sitting around waiting 20 minutes for a hd to image does give me an excuse to g
Re:They're full of crap (Score:2)
If you complain about taking 20 minutes to image someone's HD, I'm surprised you don't complain about taking half a day or more to install all the custom software each person needs to do their individual research.
This is not a company with thousands of identical worker drones. Your perspective is incorrect here.
(Even at m
Re:They're full of crap (Score:2)
You also have no idea what is installed on your network. Probably almost all of your IP is going out the door, straight to competitors or hackers.
People don't need to install software on a daily basis. If they do need custom software, you dispatch a 'worker drone' to them and they can install the software while the person looks on and helps if necessary. The point is that commercial software will rarely cause a huge security p
Re:They're full of crap (Score:3, Insightful)
Probably almost all of your IP is going out the door, straight to competitors
Odds are, so is yours. The difference in your case is that it's carried out the door by pissed off ex-employees. Most of it innocuously, in their heads, as they take their accumulated experience and expertise to go work for your competitors, but at least some of it deliberately and with malice aforethought.
As a consultant I've worked for a lot of different companies and I've noticed a very strong correlation between companie
Re:They're full of crap (Score:2)
An account that can install software outside of its home folder is a de facto Administrator account. How do you resolve the contradiction you've put forth?
I didn't say don't give the users administrative access. I said that policy should ban Administrative logins. If you don't see a difference, you've been using Windows too long.
Re:They're full of crap (Score:2)
If your competitor wants your data, he will have it.
Lock the network, prevent software installs?
USB stick, done.
DRM the files to a machine?
Steal the machine. Blame the cleaning crew.
DRM the files to the local network?
Print em, stick it in a folder, walk out the door.
Lock the network, DRM the machine, break USB, DRM to a license server, search your employees?
Throw it away in the trash. Pick a break room, toss i
Re:They're full of crap (Score:2)
any other security app that monitors processes and has lockdown on new registry
entries without authorization might work in its place
http://www.safer-networking.org/en/faq/33.html [safer-networking.org]
Tea Timer can be a bit annoying if you install a lot of new software/plug-ins/extensions
or other bits of code that engage the monitored regions, but the alternative is being
"owned" by the latest method of backdooring the M$ OS yet again
Ex-MislTech
Re:They're full of crap (Score:2)
Let me make it a simple maxim: 'If you are not responsible for the maintenance of a computer, you WILL NOT UNDER ANY CIRCUMSTANCES have administrator rights on said computer.'
A good way to control that while not appearing inflexible is to say that ANYONE may choose to have admin rights, but if they do, support is limited to wiping and re-imaging their PC (Gee, I sure hope you have backups!) coupled with surrender of admin rights (now that they've demonstrated that they are not qualified admins). If a PC
Seems alright to me (Score:5, Interesting)
If they completely lock down the machines and take away your admin privileges, well that's life and it can be good or bad. Most often this is only a problem if you need to install software and once this has been deployed for a short time and things are running more smoothly again this, too, should be relatively painless; just call or send an e-mail and someone can type in the password and install it. This kinda depends on the strength of your IT department, though. When I was in high school the instructors' machines were secured tightly and there wasn't enough staff to assist in installing software, preventing teachers from getting work done occasionally. That was an extreme case, though (1 guy, hired as the Video Productions instructor, doing IT for the whole building...) I would expect that in your case it shouldn't be too painful.
As a disclaimer, I am an IT guy and our engineering college at the university has its own IT group that engineering student fees pay for. I know our professors (and students) were less happy when IT was managed by the main campus group; we're more responsive and less politically hampered.
Well at MYYYY university... (Score:2)
Re:Well at MYYYY university... (Score:2)
if that's using the built-in remote control, it is possible to adjust the policy under the user's profile in active directory to allow administrators to remote control without asking permission first.
Dial-out assistance (Score:3, Insightful)
I control my own inbound routing, so having the ability to control which connections are sent through the routing machine to my PC would make it much easier for me to have others "dial-out" for assistance from me... rather than having them configure a router to allow me to "dial-in" to their machine.
Re:Dial-out assistance (Score:2, Informative)
Re:Dial-out assistance (Score:5, Informative)
Simple! Just install an SSH server on your computer and create an account for them to connect to.
1) Have them download putty
2) Send them a PDF showing exactly what to configure (for the port forwarding)
3) have them connect with the username/password you created
4) Have them send the request to localhost.
You could blend steps 1 and 2 together by creating an MSI or something that pre-configures putty with a connection for your computer with the proper port forwards.
Oh wait... you wanted a good way, not just a way...
If only there were a windows vnc that bundled the ssh somehow...
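The dial-out steps in the comment above leave a login account on the helper's SSH server. As an added example (not part of the original thread), this script audits an sshd_config Match block so that the account can do nothing except open one loopback listener for the reverse forward. The account name `assist`, port 5901 and host helper.example.org are assumptions, and both config samples are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. The person being helped would run
# something like (host, user and ports are illustrative assumptions):
#   ssh -N -R 5901:localhost:5900 assist@helper.example.org
# which exposes their local VNC port 5900 on the helper's loopback port 5901.

# Constructed sample: account exists but nothing limits what it can do.
WEAK_CONFIG='Match User assist
    AllowTcpForwarding yes'

# Constructed sample: account may only open one loopback listener.
HARDENED_CONFIG='# support account for dial-out sessions
Match User assist
    AllowTcpForwarding remote
    PermitListen localhost:5901
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false'

# audit_support_account <user> <sshd_config text>
# Prints one finding per weak or missing directive; prints nothing on a pass.
# Simplification: only a plain "Match User <user>" line is recognised.
audit_support_account() {
    printf '%s\n' "$2" | awk -v user="$1" '
        BEGIN {
            # Directive -> required value; order[] keeps the report stable.
            n = split("allowtcpforwarding permittty x11forwarding allowagentforwarding", order, " ")
            want["allowtcpforwarding"]   = "remote"
            want["permittty"]            = "no"
            want["x11forwarding"]        = "no"
            want["allowagentforwarding"] = "no"
        }
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        tolower($1) == "match" {             # a new Match line ends the old block
            inblock = (NF == 3 && tolower($2) == "user" && $3 == user)
            if (inblock) found = 1
            next
        }
        inblock {
            key = tolower($1)
            # sshd uses the first value it sees for a keyword.
            if (!(key in seen)) seen[key] = tolower($2)
        }
        END {
            if (!found) { print "no \"Match User " user "\" block"; exit }
            for (i = 1; i <= n; i++) {
                k = order[i]
                got = (k in seen) ? seen[k] : "unset"
                if (got != want[k]) print k ": want " want[k] ", found " got
            }
            pl = ("permitlisten" in seen) ? seen["permitlisten"] : "unset"
            if (pl == "unset" || pl == "any")
                print "permitlisten: want one loopback host:port, found " pl
            if (!("forcecommand" in seen))
                print "forcecommand: want a non-interactive command, found unset"
        }'
}

echo "== weak sample =="
audit_support_account assist "$WEAK_CONFIG"
echo "== hardened sample =="
audit_support_account assist "$HARDENED_CONFIG"
```

On a real server the text to audit would come from `sshd -T -C user=assist`, which prints the effective settings for that user rather than the raw file.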
Re:Dial-out assistance (Score:2)
Re:Dial-out assistance (Score:3, Interesting)
I've run into two problems that make it a challenge to use, for now: the encryption is buggy and sometimes won't connect, and as far as I know, the VNC protocol it serves has some non
R T F M (Score:2)
Vnc has supported this for quite a while.
The mods must be on crack today...
Re:R T F M (Score:1)
Re:Dial-out assistance (Score:2)
Although their server-side proxy software isn't available, the source code to their "client" (which is based on the VNC client and server) is available under the terms of the GPL [copilot.com].
HIPAA and Remote Control (Score:4, Interesting)
This is a tough line. Someone other than the authorized personnel needs access to the files to be able to do the techie admin stuff. At the same time, they should not be looking stuff up, as it's illegal and an invasion of privacy. The whole thing of "Whose PC is it, IT's or the User's" adds another party, the person profiled in the data on that system. (Usually, it's the employer's PC, but that doesn't stop users, esp. ones with Dr. sized egos, from feeling & acting otherwise.)
I've worked in a hospital using Seagate / Funk Software Proxy. We had it set so that we could remote to a desktop, but the user had to grant permission to see the screen. Usually, this resulted in a decent situation and an understanding - the user would clear all sensitive data from the screen before accepting, and if they got surly and decided not to accept, they got pushed to the bottom of the priority list (and they knew it). In return, the IT staff didn't abuse this ability, and for the most part would rather read slashdot than check out someone's PC.
Re:HIPAA and Remote Control (Score:1)
Now, IANAL, but I think you've just shown yourself the loophole. If there's a reason for the admin to log into that machine and he sees information that's there that he "shouldn't see", it's actually ok. Why? He nee
Re:HIPAA and Remote Control (Score:2)
Re:HIPAA and Remote Control (Score:2)
It all passes around the hospital on the networks, is intercepted by the interfaces to the internal databases, and ends up on my servers.
Now, I've signed many a form which amounts to "If I release any of the medical data, I'll never really be able to work in IT again", which I consider a fair clause.
Everyone in the tech department is basically bound by the same agreement.
If a
Re:HIPAA and Remote Control (Score:1)
THEIR jobs (Score:5, Insightful)
Re:THEIR jobs (Score:2)
Re:THEIR jobs (Score:2)
1) excessive restrictions are bad
2) excessive support calls are bad
3) your network being compromised or going Foom! is bad
4) restricting some areas of a client PC reduces likelihood of users messing with stuff on their client that will need fixing
5) restricting some areas of a client PC reduces likelihood of users messing with stuff that will threaten the integrity of the network
it's all about balance. IT are there to do a job, just like you are.
Let's take on
STAFF... Autonomy... privacy... (Score:5, Insightful)
As for your questions, I don't think the privacy question needs to really become an issue. Pretty much every place I've worked in IT or Tech Support, I've had system privileges that gave me access to damn near anything on institution-owned equipment, from the president's e-mail to the custodian's bowling-league stats. And I've told them that... with the assurance that even though I could get at this stuff, I had no intention of doing so. I'm too busy to monitor people's private stuff and it's none of my damn business. I tell them that techies are just like janitors: we have keys to everything. {shrug}
What's likely (hell: inevitable) to become an issue is autonomy. If people have to come to you to do things they're used to being able to do themselves, they'll understandably resent you for it. The only solution I can suggest to that problem is to give them the same level of service they're used to getting from themselves. e.g. If they want some software installed, you get the software installed. ASAP. (This is why you probably need more staff.) If you make it clear to them that you're trying not to get in the way of their work, they'll resent it less. And when you can't deliver, or have to say "no", they'll hopefully be more understanding if they know it's not just you being a control freak or lazy or not caring.
We lock them down, and have remote access (Score:3, Interesting)
The staff just love it. When they have a problem, can't remember how to do something, or come across a strange error message they don't understand, they just call the helpdesk, start TightVNC, give us their IP, and we take control of their desktop. We can show them how to do things, read the error messages for ourselves, watch as they go through the steps. Cuts our call times down, gives the users a greater sense of support, and virtually eliminates the "spend 20 minutes driving to a site to spend 5 minutes fixing the problem" kinds of workorders. Now, the onsite techs are only sent out for major problems.
The choice of LANDesk... (Score:2)
Or, what's the difference?
Maybe there's some cfengine-like stuff going on? But in that case, why not use cfengine?
I would not want to give control to a bunch of admins who jump over the first shiny product that comes along, without being aware of the free (as in beer) solutions that already exist. If they make stupid purchases, they'll probably make other stupid decisions.
Re:The choice of LANDesk... (Score:2, Interesting)
It can install itself on the client, and you can do a lot remotely without bringing up the screen of the luser. I respect their privacy and often try and fix stuff in the background while they do their job. If I need to have their screen I phone them up and ask for permission. Then I go in and they see a big warning that I remotely took control.
In the beginning I was worried that the lusers w
Re:The choice of LANDesk... (Score:3, Informative)
Or, what's the difference?
If you google LanDesk you'll see it's a full desktop support package, along the lines of Novell's ZenWorks product line: remote control, application deployment, desktop imaging, etc, etc, etc. VNC only fills one piece of that puzzle.
My experience is only anecdotal, (Score:5, Insightful)
1 - One central admin for all the desktop machines in a massive department, no one else gets root on any machine.
2 - One central admin who is mostly an advisor, people are allowed to administer their own desktop machines if they want.
3 - Free-for-all, in which most groups have one or two principal computer gurus who handle multi user servers and almost everyone administers their own desktop machines.
#3 is far and away the best. In #2, no one that I knew of actually took them up on the remote administration option, essentially reducing it to #3. #1 was a nightmare for everyone. When the department computing committee tried to talk everyone into switching to something closer to #1, we all resisted fiercely and eventually they backed down.
In an environment where people are actually using their computers as research tools, rather than as expensive notepads with which to write up the results of their research, it pays to place control at the lowest feasible level. Every time a user is forced to ask someone else to fiddle with software, it adds *days* to what should be simple tasks.
Sure, you create an occasional security risk when a bad user fails to install patches. But, there's no comparison between the number of man hours spent on dealing with those sorts of incidents and the amount of wasted energy in trying to force every minor change to go through a central administrator.
In a computer lab or a corporate environment, you might be able to make a case for central administration. For academics, it's just crazy. (And I suspect enforcing it will just drive everyone to switch to personal laptops instead, in addition to pissing them all off.)
Re:My experience is only anecdotal, (Score:2)
For an academic, on the other hand, getting something to run at all, even if it locks up the machine and occasionally forces a hard rese
Dunno about LANDesk (Score:2)
I Wonder (Score:2)
A honeypot of sorts.
Not Good (Score:2)
We're set up this way (Score:2)
LANDesk (Score:1)
reassure your users (Score:1)
There is no privacy on institutional networks. (Score:2)
We use SMS, Dameware, RDP, PCAnywhere, VNC (Score:2)
Our desk
The tool isn't the problem (Score:2)
Sounds like it's time to set some policies and enforce them.
Issues of ownership. (Score:2)
They are the University's computers.
Keep it open and honest - it works (Score:2)
1. Left the indication that the PC is being viewed remotely always in the taskbar, so the user knows if an admin is on their system. It's a simple Red/Green thing.
2. They have all IT personnel make a serious attempt at not ever connecting unless asked to, or until they've spoken with the employee in person before connecting.
This gives the IT group the visibility th
Re:"their computers" (Score:2)
A decent solution (Score:1)
We were fed up with lost productivity, the M$ only policy, and slooooow response from IT when we finally fragmented and broke away from IT after an M$ virus took down the net and several of our machines. BTW, that was a nicely executed power play by our PHB. Now there is a firewall/filter/cache between us and the rest of the company network. We (three of us whenever needed) manage our own mix of M$/Sun/Linux/and now even an Apple, boxes. We don't have to wait for IT to come and