I love my IT Department.....

[aap1966]

...it's a constant source of entertainment.

Disabling Flash on work computers for 'security' ?
Cool, I can understand that, security is important.

Preventing users from downloading or running their own programs?
Again, seems only sensible.

Mandating an online training program (to be done at work) that requires Flash to run ?
Guys..............you're not making it easy.

This is the IT Department that, when we had e-mail go down across the organisation, sent everyone an e-mail saying how to access your e-mail.

[masraum]

Wow, your guys are top notch!

We've got the flash thing, but you can go through a few clicks and enable it for a specific website for 1 time or forever. Hell, I think most of the browsers disabled flash via an upgrade a long time ago requiring me to do the same at home.

What we have is that the default browser is MSIE, but most of the internal websites only work with Chrome or Firefox. No problem, I have all 3, but it's crazy that they can't make the crap work with the default browser, that's fully integrated with the OS.

Fortunately, I mostly use FF. They finally installed some app that asks any time you click a link in a non-browser (email, pdf, spreadsheet, etc...) asking which browser you want to use.

[GH85Carrera]

Sounds like most IT departments. Think how secure you are from flash virus now!

For many years we dealt with clients that order a digital file from us. We would send them a link to out FTP server. In many organizations just having a link or the words FTP would automatically delete the email. We had to send the link to the IT department, and they had to grant special dispensation from the Pope of IT himself and make our client do tricks to get the file to download.

One client needed her file for a meeting that was coming up fast. She took her personal laptop to a local McDonald's and downloaded the file there. That laptop was then brought to the IT department for them to copy the file to the server so she could access it. And that only happened because the majority owner of the company told them to get her that file.

[John Rogers]

When I was in the hospital a while back for skin cancer surgery on the side of my face, I noted that the nurses used a bar code reader to check my wrist band and then scan the meds to make sure they were mine. The hand held reader used a USB port on the Dell computer that they used for accessing the various records. There were TWO USB ports on the side of the computer stand.

My room mate's son would plug his iPhone into the spare one to get it charged. I figured that was not quite right so I talked to the "charge nurse" (in charge person) and she didn't know what USB ports were so she called the shift manager who did know but said they were not to be used by non hospital people.

Well there was no sticker over the open port, or little sign or...…. so after a bit of searching (three days worth) I got hole of the IT department manager who didn't really understand the problem!!!! I mentioned that a flash drive can cause a "take over" of the PC or upload viruses or try to steal data since a copy is on the PC with the software program the hospital uses and is updated as needed! He thanked me for my concern but a year later when my wife was in the hospital...….open USB ports still!

[john70t]

(This topic is way above my paygrade, as in cirrus clouds moving overhead, but..)

-Is there some kind of temporary sandbox program for each node to run the program through the company server?
-Maybe implement a loggin secure handshake protocol for each node?

-Or use a confrence room "training station" with a disposable computer and server.
-No Wi-Fi. No USB. No cameras (per the bar code thing mentioned below). No microphone (i.e. phone phreak).
-Air-gapped from the company.

(I have no idea what I typed.)

[flipper35]

Most browsers make it a pain to use Flash, I don't think the IT department had to do much to disable it. Java as well has been on the way out for a while.

We make Chrome the default here as that is what our EHR prefers. We don't allow flash or external drives for most computers. Most are not local admins but can install some software themselves and if it is something they really need we can do it for them. They cannot grab something from the internet though as our firewall will block exe, msi, etc in the browser. We don't allow zip files via email. We do allow FTP from trusted sources so no mapping companies!

We had the Exchange server go down one time and our administrator emailed us to let us know. Our CEO once asked if we could replace the DECT phones with wired ones for the staff to take down the halls. I could start a humor blog with some of the tickets here.

That said, I don't know why ANY IT department would choose a training site that uses Flash or Java.

Oh, I hate how MS forces everyone to use Edge for everything like viewing a PDF or XML or ...

I do love GPOs.

[mepstein]

Quote:

Originally Posted by John Rogers

When I was in the hospital a while back for skin cancer surgery on the side of my face, I noted that the nurses used a bar code reader to check my wrist band and then scan the meds to make sure they were mine. The hand held reader used a USB port on the Dell computer that they used for accessing the various records. There were TWO USB ports on the side of the computer stand.

My room mate's son would plug his iPhone into the spare one to get it charged. I figured that was not quite right so I talked to the "charge nurse" (in charge person) and she didn't know what USB ports were so she called the shift manager who did know but said they were not to be used by non hospital people.

Well there was no sticker over the open port, or little sign or...…. so after a bit of searching (three days worth) I got hole of the IT department manager who didn't really understand the problem!!!! I mentioned that a flash drive can cause a "take over" of the PC or upload viruses or try to steal data since a copy is on the PC with the software program the hospital uses and is updated as needed! He thanked me for my concern but a year later when my wife was in the hospital...….open USB ports still!

My wife worked in a hospital for 20 years. When she first started working there, I told her not to type or view any websites that she didn't want read by her bosses since everything would be recorded. She listened but many of her peers did not. Year after year, they would be let go for all the things you shouldn't do at work. Some would even complain it "was an invasion of their privacy". I worked at a bank so I knew there was no privacy on your work computer - ever. And yes, the digital security was lax at best.

[flipper35]

John, on a network like that they could easily disable flash drives or external drives and still use the bar code scanner. If it is a MS domain then a GPO can disable it for all computers connected to the domain.

[flipper35]

Quote:

Originally Posted by mepstein

My wife worked in a hospital for 20 years. When she first started working there, I told her not to type or view any websites that she didn't want read by her bosses since everything would be recorded. She listened but many of her peers did not. Year after year, they would be let go for all the things you shouldn't do at work. Some would even complain it "was an invasion of their privacy". I worked at a bank so I knew there was no privacy on your work computer - ever. And yes, the digital security was lax at best.

We generally don't let anyone go for that unless it is reported that they are doing something during their work time or if they go to a site totally inappropriate for work (which are blocked anyway). Any of our work computers are not allowed on the "public" wifi either.

[legion]

I work in IT. I have to deal with the stupid policies as well.

In my experience, they are either crafted by middle managers who haven't had to use a computer to do more than send e-mails or schedule meetings in decades, or by analysts who convince their managers to endorse policies that make their jobs slightly easier and everyone else's jobs harder.

An example: the powers that be a few years ago decided that developers (or anyone else) should not be given admin access to their workstations. The problem is, most developer tools assume that you have admin access to your workstation. They assume that you can edit the registry and environment variables. There apparently was a new (three part) process (that took about two months to complete) for requesting a special badge to be given admin access, but that information wasn't being volunteered and navigating the process and multiple forms was an experience in trial and error. I basically couldn't do my job for two months and my boss dinged me both for low productivity and complaining about it.

[flipper35]

Boy, some of you all have crappy IT departments.

[Deschodt]

Easy to mock... But the reality is IT departments these days are the bi@tch of the security department (those are the ones with all the $ and power nowadays, and they don't do squat except telling people what to do), and those guys drive all the updates (most of which are crap), restrictions (like no admin rights), and software deprecations (java, flash, which are indeed crap).

But... they don't talk to the field or know what the field still uses and needs. That's the corporate world for you, the poor IT people are stuck between a rock and a hard place, and deluged with $hite and untested Microsoft patches to boot... I wish I'd picked a different career nowadays....

[flipper35]

We use a patch manager that tests the patches on some non-essential machines first and if it passes the sniff test it applies the patch domain wide.

^ Luckily, I answer to the CFO and CEO so we can make proper decisions in IT.

[GH85Carrera]

My wife worked at a state university in the HR department. Early on when the internet started and she got an email account and web browser one of the legal staff had a meeting. They told everyone in the room to think before you send ANY email that it will be archived for eternity, and that some day you could be in court under oath, and asked, if you typed a email and they are only asking to see if you will purger yourself. They also made it clear, don't use the computers to do on-line shopping, or go to any site not related to your job.

My wife heeded those words carefully. She had to process some terminations for coworkers doing stupid stuff.

We worked with a few major companies and had to deliver the final product to the client in person on a hard drive. The IT staff was there and they were the ones that physically connected the drives to the system, and put the data on a shared data source for the entire company. It was really cool to see computers in the entire GIS department all accessing the aerial images at the same time. Dozens of users all wanted to see the new images and it was such a relief to hear gasps of "Cool, look at that" and wow.

[Deschodt]

Quote:

Originally Posted by flipper35

We use a patch manager that tests the patches on some non-essential machines first and if it passes the sniff test it applies the patch domain wide.

This ^ made me giggle... it's good practice, and pretty much how everyone does it... The funny part in my case is I oversee about 60000 PCs for hospitals, and the patch tests almost *never* reveal anything... We wait as long as we can for early adopters to get burned, deploy in ever increasing waves of tests, representative users, people who blew up last time, ever evolving test groups all the way to the "dangerous" departments going last, and invariably there is *nothing* reported during the first 3 weeks and 45000 machines, and all of a sudden it's a giant clusterF$% of blue screens ;-) Or you blow up an entire department affecting patient care (only 0.5% but it's a big number affecting a whole clinic), with no apparent reason (same image, same patch level, same software)

It's become a game russian roulette, even with testing.. MS patches suck, their QA sucks, their constant superseeding of "bad" quality patches with other bad quality patches sucks, and their new model of rolling up patches (and preventing you from avoiding some bad ones), you guessed it, sucks. also they don't care one bit how they interface with non microsoft encryption or antivirus, and that's another source of lovely blue screens...

And IT gets blamed for all that junk - it's that or ransomware, welcome to 2020... I've started telling people we're UPS, we deliver the crap from security, don't blame the driver for the package you receive ;-)

[RKDinOKC]

Used to manage the company firewall in early 90's. Only certain users computers were allowed ability to surf past the firewall and few had email. There was one computer that had net nanny software running they could find work related sites with, then request access from their computer for that site. Most would request sites provided by customers or vendors.

If you tried to get to an unapproved site you got this...

[flipper35]

Quote:

Originally Posted by Deschodt

This ^ made me giggle... it's good practice, and pretty much how everyone does it... The funny part in my case is I oversee about 60000 PCs for hospitals, and the patch tests almost *never* reveal anything... We wait as long as we can for early adopters to get burned, deploy in ever increasing waves of tests, representative users, people who blew up last time, ever evolving test groups all the way to the "dangerous" departments going last, and invariably there is *nothing* reported during the first 3 weeks and 45000 machines, and all of a sudden it's a giant clusterF$% of blue screens ;-) Or you blow up an entire department affecting patient care (only 0.5% but it's a big number affecting a whole clinic), with no apparent reason (same image, same patch level, same software)

It's become a game russian roulette, even with testing.. MS patches suck, their QA sucks, their constant superseeding of "bad" quality patches with other bad quality patches sucks, and their new model of rolling up patches (and preventing you from avoiding some bad ones), you guessed it, sucks. also they don't care one bit how they interface with non microsoft encryption or antivirus, and that's another source of lovely blue screens...

And IT gets blamed for all that junk - it's that or ransomware, welcome to 2020... I've started telling people we're UPS, we deliver the crap from security, don't blame the driver for the package you receive ;-)

We have maybe 200 end points that are managed. Ours is setup to wait a long time and the only department that can get burned is the computer lab, which we can re-image fairly quick. Unless it is a specific 0 day exploit we put it off a long time since we don't like testing alpha products without being paid. We have only had the patch test computers reveal issues a couple times and once required re-imaging because the patch killed the OS entirely.

I agree it is a damned if you do and damned if you don't. Half the time the patches are worse than ransomware.

In your case you have a couple orders of magnitude to cover than us and I in no way envy you. No offense.

[john70t]

Quote:

Originally Posted by RKDinOKC

If you tried to get to an unapproved site you got this...

I get those web monkey blockades from Firefox and Malwarebytes all the time.
Neither provides an easy bypass..

I sure don't like to be "herded" "steered" or "red-lined".

[widebody911]

Quote:

Originally Posted by legion

An example: the powers that be a few years ago decided that developers (or anyone else) should not be given admin access to their workstations.

Pfft. I had the exact same problem; took me all of 20 minutes to engineer around it.

[legion]

Quote:

Originally Posted by widebody911

Pfft. I had the exact same problem; took me all of 20 minutes to engineer around it.

I'd love to hear how you can get something like maven to work without a .m2 folder or M2 or M2_HOME environment variables.