Roger A. Grimes makes a great case for why green screen terminals will continue to dominate corporate environments and PCs cause more headache than they're worth. It's for the users' own good--any software they install will be more likely to sap their productivity or steal their credit card numbers than improve their productivity. Go with green screens--they will encourage more creativity than any PC would.

Roger A. Grimes makes a great case for why green screen terminals will continue to dominate corporate environments and PCs cause more headache than they're worth. It's for the users' own good--any software they install will be more likely to sap their productivity or steal their credit card numbers than improve their productivity. Go with green screens--they will encourage more creativity than any PC would.

My problem with desktop lockdowns is that these are often accompanied with an "IT knows best" mentality. You know, the motto that "we'd have a great IT system if it wasn't for all these pesky users".

Yes, users install lots of crap on their workstations, but there are valid business needs there as well.

If IT forgets that it is there to serve users, then it is a hindrance, not a help. Desktop lockdowns can serve a valid purpose, but if users can't create their own solutions, you better make damn sure that IT is prepared to help find solutions for them.

I've said for years now that IT needs to work hand in glove with the business they serve. In fact, IT should *be* the "glove" for the business "hand".

If staff know that IT will work with them day in and day out to solve business-related (rather than IT-related) issues, productivity can be enhaced rather than hampered.

More importantly, user complaints about lack of rights should almost disappear if they know IT will be responsive enough to deliver high-quality tools to solve the problem at hand.

I think it depends on the role played by the worker within the organization. If the individual is in entry-level positions that involve customer service/data entry/corporate grunt work, their desktop needs are well defined and there shouldn't be any objections to tight control.

However, if an individual is involved in a strategic position, it's in IT's best interest to work with the individual rather than using the one-size-fits-all mentality. I'm not suggesting that these folks run wild but if IT fosters a relationship, you'll often find that the individual deserving more freedom will respect that freedom and in return is very willing to work with IT.

I firmly believe if security is on top of its game with regard to protecting customer/private data with best practices, the biggest concern from a new piece of software is not virus or spyware but licensing. All it takes is one disgruntled worker's call and you'll be audited and find yourself paying for TurobTax, Quicken, Winzip and a plethora of other petty software that may not even be illegal. Often it's purchased by workers, installed and they no longer have proof of purchase. However, this is typically a sign of a government-like purchasing bureaucracy that takes forever to allow the purchase of a $19 piece of software. I believe sound policy with regular audits ensures compliance.

Are these approaches harder than taking an Orwellian position with respect to the desktop? Sure but would you want the police to have the power to make their job easy or do you enjoy freedom within certain boundaries?

Agree with Robert and Stephen-- the lockdown approach depends on both the user's job being tightly stereotyped and (unlikely) the IT staff knowing enough detail to adequately supply tools. If all the user needs is a data entry screen, OK, but that is extremely rare.

Mr. Grimes himself shows that IT myopia by stating in no uncertain terms that IM applications are used only for personal messages, not for business. That may be true in his environment, but in other sectors, online collaboration through IM is a critical part of the process. And no, it usually isn't supported by IT, from what I've seen.

This viewpoint is also a little naive-- with the trend to mashups and user customization continuing, the users' control over their application environment is growing, not shrinking, and in some ways it is growing through means explicitly intended to minimize IT administrators' ability to interfere (how many applications do YOU know that use HTTP tunneling?).

Security isn't easy, but taking a shortcut through a desktop lockdown is appropriate only within a specific situation.

I wonder if you would have fired the person who installed the first copy of visicalc, lotus 123 or excel?

I'm not fan of IM, and at this point, it is NOT in use in my organization, but the idea the it never has any business use is simply not accurate. Do you really think that companies would have created the "corporate im" programs if they thought there was no market for it? Do you think that the IT shops that DO buy, do so so they can have private, personal conversations?

Locking down desktops the way you suggest works only if IT is willing to listen to what users really need, rather than telling them what they need, and is capable of actually delivering.

The issue of locked down desktops, in and of itself, would be less of a point if one could guarantee that any time one needed an application, it could quickly be obtained.

But to attempt to perpetuate the misguided idea that a system admin has the capability of predetermining what applications a company's employees are going to need, and then has the right to refuse any other application, seems ludicrous to say the least.

Recently I had the unfortunate situation of arguing for 3 years to obtain Firefox on a PC, because Internet explorer 5 and Netscape 7 were deemed sufficient for my purposes.

Likewise, to say that Joe, who needs tool ABC to complete his job, should be satisfied without the tool, seems at the very least short sighted, if not reeking of a hubris which is going to contribute to inefficiency and failure to meet deadlines.

There is a reason that the Engineering function in most high tech companies has its own IT support staff. Mr. Grimes represents the mass of IT organizations that want to have their finger in everything (i.e., control). These IT groups try to choose the "proper" engineering software tools and fail miserably. In several companies, I have seen Engineering tool IT people provide enormous productivitiy improvements over the IT function. For example, the rule of thumb in IT organizations is 7 staffers for every 100 engineering workstations. But in leading operations, the ratio is 1 - 2 per 100.

IT Security should support the business, not try to control change. There are many ways this can be done rather than the Grimes' shutdown.

Locking down desktops is a draconian, one size fits all approach - trading off ease of security for the ability of people to actually get their jobs done. This usually fits in with an IT department that has forgotten why they are actually employed.

I have no problem with locking down the desktops of the data-entry machines (if there are any of those not already out-sourced outside of the service industry). In fact, any work that is not part of your core business, which could easily be out-sourced, probably should be locked down. So if your advice if what should the hair-stylist business owner do, or what should the QA group overseas that is only allowed to run pre-canned scripts do - then fine.

However, if you are actually intending to deal with the high-tech industry - be it the person working late to get an RFC done, who gets a .png graphic from the customer (or downstream supplier), but has no approved tool to convert it, or the software developer trying to get truely innovative work done, then at least from my experience, a significant number of high-tech workers need rapid-response, or additional capabilities that most IT organizations just cannot handle. What would your response be to a 1 am page that a graphic received from a supplier has to be converted? If you are not willing to be on hand 24/7, matching the response time of downloading a custom tool, or installing a tool provided by a supplier/customer, then don't go down that path.

Your response reminds me of a situation I had in the defense industry - our group was doing some software tools on PCs, but there were strict requirements on what you were allowed to purchase (there were no other software development groups using PCs). Unfortunately, that included only half the memory requirements of the tools, and not being allowed to run the software we had to test. With mid-level approval the best approach that was settled on was to order 5 approved systems, and scavange all the parts into 2 workable systems, and run everything off-line in a lab the IT people couldn't get to. The IT department must not prevent people from doing their jobs - or waste weeks trying to work around some remote corporate policy.

And as for IM - I work remotely most of the time - IM is a job requirement, not optional. If I want to goof off, I'll walk over to the hotel bar, or use a company cell-phone.

Facilate people getting their jobs done - not making your life easy. Those pesky users are the ones actually bringing in revenue - not you.

Yes lockdown, No lockdown. No, because all too many users have no clue at all (and this is not necessarily a fault) to what they can potentially do to their Company PC's, it's Network, AND even their personal PC's if they take work home via thumb drives or e-mails. Not to mention, the bandwidth they use when listening to streaming radio or watching videos. Malware, spyware, and the such has gotten so bad at our site that when we find it we are not to spend any amount of time cleaning it up, but rather we have been given the authority to take users PCs and wipe them clean (smoke it). And if they loose anything (left off of the network and placed on their hard drive), then to bad, so sad. Then after the lecture about WHY we had to make the user start all over again, then maybe those users will get the point. Finally, remember that they call us complaining about their PCs locking up and running slow.
Now, I say NO to lockdown because of some legitimate reasons. One main one is the limitations that Power Users have in working with online sites (work related) that constantly need to upload/download data. And yes also because of the internal customer morale. A lot of us do like to have our family pictures set as our desktop wallpaper. Yeah, call this menial attributes to the companys best interest. But who is the heart of the business? Is this not your internal customers? Employees morale is a big driving force in how a business succeeds. There are security applications out there that can nickel and dime what the users can and can not put on their PCs, so let them use the wallpaper feature at least. If they want to play a game (AT LUNCHTIME) then inform them of the online games they can play without having to download/install anything or get pop-ups and spyware on their PCs. It can be done.

The problem with lockdown for small companies is that you don't have a 24/7 IT department to make necessary changes, especially in small branch offices with one or two people. Of course if they can load a pricing application from some associate company, they can usually load coolweb just as easily.

Lockdown works if and only if IT is, in fact, responsive to end-user needs. For example, there must be a quick and easy web-based software approval request process which can be completed in 1-2 business days. You'll pay a lot up front in terms of software review, but over time, everyone will end up with the tools available to them that they JUSTIFIABLY need.

IM is critical in your environment? Fine, work with IT to choose a client. And maybe an internal server, too. Of course IT can't magically know that Julie the administrative professional needs image-editing software because she's doing graphic design. But Julie's boss knows, and Julie knows, and IT's job is to make it easy for Julie and her boss to request the tools, and to approve needed tools quickly.

If IT is RESPONSIVE, then lock-down is not oppressive.

What's really a shame it that under a Windows desktop, of all flavors, there is this black and white, admin or not admin limitation. The ideal scenario would be to allow certain changes, while blocking most installations. The ability ti install applications is the root of all evils, while selecting a color or screensaver, already installed and/or approved, should be every user's right.

Having worked IT in the insurance industry, where all desktops are locked down and user accounts are all on the server, I can see the frustrations of looking at the same screen day after day. Due to the secure nature of the data collected, the PC must be absolutely secure, as well as the information collected on the servers.

On the other extreme, I have worked IT in the entertainment industry, where nothing is locked down. The techs spend just as much time fixing misconfigured and virus infected computers as dealing with real issues.

Somewhere, there needs to be a happy medium.

As an IT staffer I see both sides of the issue AND have a nearly perfect solution that keeps management and staff happy.

Managing many PC's is a daunting task. It is only possible if there is a mandated, locked down, image with few variations. Some users, myself included, have need/desire for personal variations the corporation will not justify for its own reasons. As a good company citizen, I obey the IT rules.

The solution for me was to buy and use my own laptop. It is easy, cheap, and gets the job done without a hitch. I can install apps, do personal email, browse the web, etc. A wireless bridge in the window gives me free internet from a nearby bookstore. A USB drive gives me file portability when needed.

If the company will not supply your favorite brand of coffee, or ballpoint pen, or whatever, you buy your own. A cheap laptop is no different. The Thinkpad I am using now I bought used for $200.

I get more work done on my own laptop than my company desktop. Fair? Maybe not, but who cares. It is a win-win as far as my boss and I agree.

I think I agree with the user role perspective. I have users that are more productive if they have the creative freedom to look for new solutions, and I have others that do not. In general I could probably classify my users as portable (laptop), call center (order takers & support), warehouse (fulfillment) and management/others.

I would probably lock down mainly the warhouse and call center folks as these are well defined jobs.

We had an initiative here where we rolled out a large number of thin clients (in fact I'm using one) and frankly, even with it being locked down and my having the requirement of being creative, I'm able to do my job -- in fact, it's nice to know the thing will always boot up because I wasn't able to damage the pristine environment.

As a knowledge worker in IT I know there are few absolutes, and what's good business doesn't always mean happy users -- but if we can do both, it sure helps.

-Dave

"Employees aren't sending IMs to other employees and partners about business issues. It's mostly a way for employees to conduct more private personal chats on company time without being seen connected to a telephone all the time."

I wish that were true, however, because of IM, I'm able to quickly get an update from my vendor. We can see if we're online, but not on a conference call. I don't know how many times I've IMed a con-call bridge number or told a business partner that I'm running late to a meeting because I'm on the phone.

IM has become a replacement to the one-line email. I'd rather have the quick IM then more email anyday.

Perhaps IM isn't in the author's business culture to understand its value?

Totally and wholeheartedly agree with you on the lockdown. Using Active Directory and least privelege here has done wonders for eliminating a lot of headaches. Only will install it if you really need it, leave the cute toolbars, smileys, games and stuff for your kids at home.

Most of the people here at work are tired of their teenager infested slow, crashing home computers and can see from the past year and a half of not having to experience any of that at work that not installing any old thing at the spur of the moment allows them to have a pretty hassle free work environment.

The one exception was the super intelligent "I can run my own computer" guy that we gave administrative access to his own system because he was one of those arrogant, strategic-position, barely able to secure his own system people with too much power. Guess which one had problems, until he got over the testosterone poisoning and agreed to run limited user. It was kind of neat not having to internally firewall him anymore.

If someone can make a sell on a piece of sofware increasing their productivity, I'll install it, I try not to be Mardak the preventer or whatever Dilbert called his IT demon. That's not what IT is about, I just don't have time as the one-person combined helpdesk/tech/installation/kitchen sink guy to run around stomping out fires anymore and managing the system this way hasn't really cut into user's productivity.

Remember the people in the great glass house. If you needed an extra copy of a printout, you couldn't get it because it would require 5-part paper and their budget was only good for 4-part. Remember how the PC revolution got started? We sneaked our PC's into the office to get work done over the strenuous objections of the glass house crowd. Why can't I have permission to access the appropriate development tools in Lotus Notes? Because if you develop an application that people like, we may have to support it some day. Can I use this app? NO! Why, just check it out to make sure it's clean. No don't have the budget (knowledge or interest I would guess as well). Any of this sound familiar. This is not made up. We'd still be using green screens with 40 characters per line (or making Xerox copies of printouts) if the miserable, rotten user community hadn't figured a way to get around the knuckleheads in the glass room. Not all user's are morons. You can't justify stifling and hobbling the technology to make your life easier. Get smarter, set up internal firewalls, figure out a way to save them from themselves. Don't forget you're there to support the user base (as well as executive row). Get smarter! You're #1 suggestion just reminded me of all the unnecessary grief and missed opportunities caused by IT since my first encounter with them over thirty years ago.

Lockdown will work great, as long as:
- you have the availability to quickly review and approve user software requests
- you have the skills to support your reviews

So, I need to get a new db2 admin client installed. Have you pen-tested it? Do you know if I *really* need it? Am I a DBA? I guess you should confirm with my management that I'm in the proper role, huh? And is this the best db2 admin client for the company? Well, I guess you need to do a software evaluation...

Of course, you'll never have the time, manpower or skills to support this. So, rather than get started with a plan like this only to immediately become a liability to the business - and then blame it on insufficient funding - just accept up front that there will always be insufficient funding to pull this off, that it will always fail, and that you need a different solution.

Now maybe that solution is a hybrid, where your non-skilled/data-entry/helpdesk/etc workers get more restrictions than everyone else. Of course, we've got fewer & fewer of these people all the time. But they still do exist and it wouldn't hurt too badly to restrict them.

My IT department prevents me from running unapproved software on computers connected to their network. My employer is a hospital. Unapproved software includes that used on commercial CT and MR scanners. My IT department doesn't know about medicine. All of our patients would die if we didn't find workarounds for the rules that IT imposes. IT needs to find solutions, not make assinine rules. I buy the medical equipment (computerized) that I need. IT needs to find a way to keep us secure not dictate what software we can use.

Roger suggests that the majority of unauthorized applications that get installed are not work related.

I've been in IT for about 25 years now and I have watched this phenomenon. Where I work, at Departement of Transportation, by far more applications are niche products that are in fact business related, but are not on the "standards" list. We have quite a diverse group of planners, designers, IT people, geologists, environmentalists, etc.

I see two reasons when people do in fact obtain these work related tools and install them themselves: (1) working with the IT group is too much hassle and they don't see the reason to do so, and (2) they don't know there are such rules.

In most cases these people's managers actively or tacitly support the working around the problem.

My opinion is the best way for IT to head off this issue is to proactively help the users get their software on the approved list. Don't just make up some rules that people are going to need to break to get their work done.

While security is necessary, the security folks tend to err on the side of a complete lockdown. If it was up to them, no user would have Internet access, and sneakernet would be the preferred way of data transfer (a slight exaggeration).

Interesting comment from Bob Lewis.

Guys,

Roger is right in what he is saying. The fears stem from our lack of education about the real issues affecting the enterprise and changing the perception of the Security function. Lockdown is the the same as hardening in terms of that people just adopt the lazy attitude and go for borke, stopping everything. That WILL cause the issues of which you speak, however if you speak to the stakeholders of your organisation (That is the people in your company) and find out what they need to do their jobs, then only allowing that software to run and ensuring that anything else is identified to your support people for assessment, you will make IT's life easier and so long as you have educated rather than dicatedt you will not be bypassed and will become more involved.

Non-techies don't get technical issues, so take the socialogical approach and bring the business benefits to them and educate them!

If we all think security is BS, then why ware all reading articles on security and trying to rip apart the system of lockdown..

Security is always absolute security and all those who disagree should try sleeping with thier doors unlocked at night...after all, burglars don't attack everyday and what do have the cops for??? Lets not stifle the feeling of being secure by locking our houses and feel like we're living in dungeons...

As a network/system/secuirty administrator for my company I have to agree with Roger. For a time we let one group of users have administrative rights to thier PCs and over and over and over again we had to reinstall the OS and apps, restore from backups, etc. We kept a log and this one small group of 5 was taking more time that the rest of the company of 120 put together. They were trained/counseled as to proper security. This group were actully much more computer literate that most average users. We were hit with SLAMMER because they had IIS and SQL that we did not know about. The list just goes on and on. Even though they protested VERY loudly - when we removed admin. capability and removed the ability to install software, our support time went down and thier productivity went up. After that experience I completely agree with Roger.

Whether Mr. Grimes realizes it or not, there are
those of us who do design work and do not spend
our days in Office or other Microsoft utilities.
I do fpga and circuit design. I am the only one
in my company doing this work right now. Every time
I need a service pack installed, update a library
or create a new project, or change to a different
project, I am expected to go to our IT guy and
hold his hand through the update or installation
process, when he gets around to it.

This situation came about because there were some
individuals who were installing everything they
could get their hands on. Our gutless management,
rather than discipline those people decided to turn
the problem over to IT.
IT is not a profit center. IT is going to do what
is easiest for them. I understand the need
for security, but what keeps the lights on at our
facility are happy customers using the products
we are trying to design.

I work for one of your Fortune 1000 companies that have this lock-down policy.

In order to do critical work I end up having to take confidential data home to uncompress it because I have been waiting six months to get the compression utility program approved - and my management is powerless to move IT.

So, is lockdown really accomplishing security for the business or security for IT?

Face it, total lock down works fine for people who just need to read their mail - but if you want to use that very expensive box on your desktop as a computer then it doesn't work. Geologists need geology tools that are different from the tools statisticians need which are still different than what chemists need which are also different than what engineers need, etc etc etc.

And if anyone thinks snearkernet is secure they don't get it - and that is what you end up with when you get total lock-down. You know that file I have to take home to decompress - just be lucky I run firewalls, virus scanners, etc on my home computer because guess what folks, any file sharing is a risk.

Is your next answer no file-sharing - awesome, no security issues, no IT headaches, and management will love it. Everything will be so secure that they can do away with the security folks (run smoothly, outsource, etc the way the business goes folks) and then maybe the rest of us can get on with our jobs.

IM could be provide value in a corporate environment if there was a filter eliminating any message containing any of the following "lunch", "last night", "my boss is a ...", "What are you doing this weekend", "American Idol", "Survivor", "Big Brother", "Lost" etc .
This would dramatically lessen the sever requirements and allow companies to affordably implement this invaluable tool. Being a slave to your email and voicemail is just not enough. Bring it on.

We are currently in the midst of debating this question were I work. After several virus outbreaks that crippled our network, as well as many users downloading and using google earth for work (yes work), which means we are in violation of the EULA, not to mention lawsuits becuase someone had porn up on their screen which offended another user, as well as the revenue generating departments complaining that net speed is slow (see google earth above) we are faced with how to best lockdown our users.

Directives have come down from senior management to let users do what they want to the desktop, just don't let them install apps.

Easier said then done.

It would appear that a happy medium must be found. From what I gathered from the other posts the main complaints from both sides are:
-Don't stifle my creativity
-But I need xyz for my job
-I have to take stuff home to do my job

The solutions were also posted, IT has to be more flexible and quick to respond.
We are always more then happy to tell someone who needs an application to have their manager (or some predetermined management level) send a request for it and they'll get it and then give it to them in a timely fashion. You would be amazed how quickly this gets rid of Yahoo toolbar and file sharing apps requests etc. If you need something you can have it.

If you have to take home secure insurance information (you would be terminated here for that) because you need a compression utility. How quickly would you get it if you told your boss, who in turn told thier boss and their boss and then IT, that they can't get their data till you have it. Remember IT hates getting yelled at.

mc

reading through the comments, it seems to me that the responding community is, by and large, advocating an all or nothing response.

Personally, I think that security can best be achieved by Training, Responsiveness (of the IT weenies), and layered defenses.

Training is a must. For everyone. Continuously. All of us, techno geeks, security weenies, and end-users of all levels need to understand the stakes, and be kept aware of the very real and growing threat to our systems. And the weakest link? PEOPLE. We generally want to do the 'right thing' but without training and awareness, most would not know the right thing if it reached up and grabbed their privates!

Systems SHOULD be locked down. In varying degrees. Corporate systems are corporate systems, NOT personal systems. They exist ot get a job done, not for personal enjoyment. HOWEVER, the IT/Security department must be responsive to the needs of business... at the speed of business.

Finally, layered defenses need to be applied. How many network segments does YOUR company operate? do you really want people tinkering on a production segment? What about SOX, Privacy Act, HIPAA, and a myriad of other external regulations and legislations to which companies are increasingly held liable? Certain data sets and types simply must be locked down hard. NOT because we want to, not because we like to, certainly not because it's simple and cheap, but because 1. failing an audit for SOX or HIPPA or (___) can result in substantial penalties, loss of corporate image, and/or contracts, potentially sinking some companies, and 2. In the event an actual security breach happens, not only can all of the previous liabilities result, but so can lawsuits and other civil and potentially criminal sanctions.

IT needs to be flexible but secure. Our users WILL understand (mostly) and are willing to help because ultimately THEIR jobs could be lost as a result of a breach, but ONLY if they understand (See training) and ONLY when IT is willing to meet them at least half way (see Responsiveness).

When people don't understand the significance of 'draconian' measures, one only needs to point at certain recent news releases. And in certain industries such as defense, a 'minor' breach can (and DOES) result in shutdowns and loss of work (i.e. revenue aka jobs aka stock value)