
August 02, 2007 | Comments: (0)

And more about PC lockdown



Dear Bob ...

Normally I agree with you, but I guess this time, I am one of the prudes ("The new prudes," Keep the Joint Running, 7/9/2007), and am somewhat pleased with it.

Why? I work on a team of 6 people supporting server and desktop OSes, all applications that run on them as well as the imaging system. With all of the software we support, we had to come up with standard documentation that is MANDATORY for all installs, upgrades and changes. Before we had this we were always re-inventing the wheel and were never cross trained. Only by having our boss harshly enforce this documentation requirement, were we able to greatly IMPROVE our customer support.

Another place that I am pleased to be a prude is what software we allow on the users' PCs. I have worked for companies that did not enforce this and were hit by software audits that all of a sudden became very expensive for the company as people were bringing in apps from home to improve their productivity.

Another example is that we have fought, and lost the battle to install the MS Office suite on all PCs. Our management does not feel it can afford the cost. If all users were to install this because they felt they would be more productive, the financial costs to the company would be too high. While I wish I had the unlimited resources of a consultant, we cannot afford to give each user a copy of the software that they feel is best. When you count the soft dollar costs of packaging, installation, license management, updates, patches, security patches, the costs go up quickly!!! Standardization makes this less expensive.

I can no longer keep track of how many PCs have had to be rebuilt because of some non-standard piece of software that the user brought to work and installed. My time would have been better spent on other things than rebuilding those PCs, even with all of the tools we have to automate the process.

The all or nothing approach as you presented does not work. What I mean is that my approach of being a prude all of the time, in every way I can does not work, just as the tone in the KJR of allowing a free for all in the name of efficiency does not work either. There is room for both approaches. Good managers (management) know when to give, and when to hold the line.

Just my two cents,

- A new prude

Dear Prude ...

It's strange - whenever I write a column suggesting that end-users should be allowed to experiment and innovate, many readers interpret it as a recommendation for a free-for-all. That isn't the case. If you want a full account, take a look at "Revising the End-User Computing Manifesto, 10 years later" (KJR 7/31/2006). It should clarify my position.

By the way: Having a standard procedure for establishing a standard build doesn't make you a prude. It makes you a professional. Likewise upgrades. It's when all changes have to funnel through IT that there's the potential for creating a bottleneck whose benefits don't warrant the costs.

The one statement in your letter I suspect might be exaggeration is the number of rebuilds resulting from non-standard software. My own experience has been that maybe 5% of all end-users would even be interested in installing anything. Doing the numbers, in a company with 1,000 employees that would mean 50 would be installing non-standard software. Since not every non-standard package causes a PC to blow up (far less than half, I'd say; most of these packages are professional-grade software whether or not IT happens to have approved them), 20% would be a heavy failure rate.

If I'm remotely close, this would mean a rebuild rate of about 10 PCs per thousand in a typical year. I rate that as an annoyance, nothing more.

My biggest issue with the environment you describe is this: Your company has decided not all employees need MS Office. I'm willing to bet this decision was made, not by each supervisor and team lead - the people who actually know what employees do and what tools would be valuable in accomplishing it - but by someone higher up in the hierarchy.

I'd say it's highly likely the decision-maker is focused solely on cost-avoidance, not on enabling value creation. Equally likely is that the decision-maker's name is now on the policy, which means changing anything in it requires the decision-maker to acknowledge that he/she didn't get things entirely right. Policy modifications are, in this situation, filtered through egos rather than business cases.

If you're one of the employees who officially doesn't "need" MS Office but whose supervisor gives an assignment that could be accomplished much more effectively with MS Office, what's the likely outcome? It's a classic example of IT saying, "We won't do it for you and we won't let you do it for yourself."

I presume, by the way, that you and your staff took a close look at OpenOffice to see if it could do what the company requires while being affordable enough to provide copies to all employees.

Arguing against a free-for-all is arguing against a straw man. You could make the same statement about my argument against total lockdown, except for one thing: Lots of IT managers really do advocate total lockdown, so I'm not arguing against a straw man.

- Bob


Posted by Bob Lewis on August 2, 2007 05:47 AM


COMMENTS




Dear Bob, I too generally agree with you, but this time I must disagree. We were forced to implement a lock down policy due to the number of machines we were having to rebuild on a regular basis. We are a fairly small shop - approx. 120-140 users. However, we were constantly, and I do mean constantly, rebuilding machines. We finally removed local Admin privileges and IT must approve and install software. This has led to a great reduction in down time, support calls, as well as support costs. The problem is that most users do not intentionally download or install programs that they think will be destructive. However, they apparently can be tricked or conned into installing software they did not intend to install. Or they install conflicting products to test them. Or their friend, "who knows a lot about computers" told them to, etc., etc. This leads to crashes, virus outbreaks and network congestion. Sorry, it just was not worth it.

Posted by: BLR at August 2, 2007 12:48 PM

Dear Bob,

Your comment, "My own experience has been that maybe 5% of all end-users would even be interested in installing anything. Doing the numbers, in a company with 1,000 employees that would mean 50 would be installing non-standard software," is much too narrow. Installing non-standard or unsanctioned software merely takes IE and that Freedom that you were talking about. Add to that, the types of software that get installed are some of the most insidious ever created and work to get themselves installed without the user's knowledge -- I believe that your estimate of 50 out of 1000 is off by a factor of 5. 250 out of 1000 is a more solid number -- unless you start being a "prude" and locking down systems.

When repaving a system is easier than removing the offending software, that is a real problem.

I don't disagree with your premise that a balance needs to be found. I do it by giving power users more freedom and being more restrictive down the chain. Occasionally some machines, irregardless of the user, need to be locked down more tightly due to the nature of their tasks.

Sincerely,

Jeff Hinrichs
Technical Lead

Posted by: Jeff Hinrichs at August 2, 2007 07:47 PM

Only 5% installing their own software??? In my own experience I'd say it is more like 30-50%. Granted, most of it is benign but it seems that it gets worse the longer it goes on, either on the technical side or because of HR issues (i.e. unprofessional screensavers).

Posted by: Matthew Cervi at August 3, 2007 03:56 AM

5% for installing sounds low to me as well. For users actually bringing in software they purchased to help them do work, then the number is high, maybe 1%.

For users stumbling across some software on the internet they think is neat and then getting infected with spyware the number is much higher.

The number of machines actually needing rebuilt vs. the number IT decides to rebuild so they don't have to troubleshoot is very low (many more rebuilds are due to IT laziness than actual need.)

Posted by: yakko at August 3, 2007 10:57 AM

Sometimes us IT departments get lazy, as you say, because we know how much time is involved in rebuilding a PC, thus a known quantity of time. Compared to the time spent troubleshooting (an unknown quantity of time), it's a no-brainer: Reinstall. You can't tell me that you haven't run across, sometime in your career, that one machine or two that started out simple and just turned into a nightmare of days! Besides, in our company all your data should be on the server, where it is backed up nightly.

Posted by: garbargeo at August 3, 2007 05:40 PM

I'm with yakko on this one. Users aren't installing "productivity" software - like Acrobat Reader - but "frivolous" software - screensavers, "blinking Christmas lights", etc. I've seen lots of machines around the office with the "Gator" ad/spyware on them. Every Internet Explorer toolbar known to man and beast. I've made good money over the years cleaning that kind of garbage off of people's home computers; I'm not surprised to hear that corporate IT departments are having problems, too.

Posted by: Andrew Blackburn at August 8, 2007 10:51 AM

I've had personal experience with this.

If you get your organization to a point where machines are highly standardized, it actually is more productive to pull the plug early and reload the machine. The point is that you are using known, standard machine images. What the client is currently running is having problems and is, therefore, unknown. Even if the problem turns out to be hardware, this can be a valuable isolation step to determine that.

The math is simple. Do you want to spend (potentially) hours troubleshooting, taking up valuable IT Tech time, and your client is down too, or do you want to get back to business? Sure, spend a little time investigating, but not a lot of time. The threshold guideline is the full reload time itself.

This takes into account the real-world PC rule that software installs are more reliable than uninstalls. What gets used more? What gets fixed, for sure, if it's buggy/broken? The install, because that's the money step for vendors. If the uninstall doesn't work... well, many customers will never try that anyway.

Nor do your images need to be the final word. If the client has productivity software they need, and is not part of the standard image, you simply load it on after loading the standard image. Everybody wins.

Posted by: Brian at August 8, 2007 11:31 AM

As much as I dislike "me, too" posts, I feel I have to make one here. Five percent is, indeed, way too low. I support about 130 users at my shop, out of whom about 30 require local admin privileges for various reasons. Almost all of them have installed apps of their own, and almost none of those apps even have anything to do with work. Many of them are even downright dangerous to the network (e.g., P2P apps, fake spyware removal tools, etc). The other 100 or so who don't have admin privileges are always asking me to install apps for them -- although, in that case, they ask only for job-related apps, which is rather telling. It isn't even just software, either. Some users, particularly the younger and more tech-savvy ones, try to install their own hardware as well.

I don't favor treating users like children -- or even just making them feel as though we think they're children -- but the principle of least privilege is a best practice in security for good reasons.

Posted by: Parrish S. Knight at August 8, 2007 11:37 AM

The IT policy where I work (a 150 employee manufacturing company) is like this: No PCs are locked down, but you have to ask before you can install ANYTHING. Is that the best of both worlds? IT control along with user freedom? NO. Our department was doing some web development, so I installed Firefox. I guess I just assumed that that was OK, but I did think that it was odd when www.Mozilla.org was blocked. So the next time that the IT was fixing some network stuff that was messed up on my PC, he saw the Firefox icon in my quicklaunch toolbar and completely went off on me. Firefox is not supported, and users are not allowed to install it under any circumstances.

Posted by: tmb at August 8, 2007 09:08 PM

I see a little glaring inconsistency where 'a new prude' missed his own message. He said, "... became very expensive for the company as people were bringing in apps from home to improve their productivity."

I'm trying to see where the company and the IT people miss the part about improving productivity. An employee sucks in the company's money at a rate that is generally more than 3 times their rate of pay. (Think taxes, insurance, benefits, infrastructure, etc...) It is a truly unusual piece of 'extra software' that someone would bring from home that could exceed even half of one day's cost of having an employee. If there is any real productivity gain then the mistake is not getting the software. If this is all taking place on a single network then there is the additional mistake of not having a simple software auditing tool on the systems. There are some decent ones out there that are FREE.

On the separate issue of having to reload systems that are unstable because of 'other' software...
I do think that 5% with 'bad' software is an exceedingly low estimate but if you have 6 pc support techs that aren't supporting software (i.e. training) they should easily be able to support at least 1000 computers. I have 6 hardware techs and we support 800 independent offices in all 50 states, DC, US Virgin Islands, and Guam. We do this without having to pull our hair out. On a single network it really is very easy. You limit how many different systems you use, you use canned images, you tell them that any data that isn't on the server won't be backed up, and you ACTIVELY train the users that business computers should be BORING. If it is 'exciting' then it probably isn't business and if it is free on the Internet then there is something hidden in it that isn't free. A 'boring' computer just sits there and works so you can ignore it and just pay attention to your work.

The perfect business computer is one that is treated like a toaster. You don't spend lots of time troubleshooting your toaster. You might check a couple things but if it is messed up you toss it and start over.
Voila, you are working again.

Posted by: Wayne Colony at August 8, 2007 10:41 PM

The secret here I think is in the comments regarding MS Office. Basically as long as users are given tools that allow them to do their jobs they will, as Bob said, generally use those tools. They will do so even if some other tool might be more optimal or be one that they are more used to from some other setting. So where users have the tools they need to do the job the 50 out of a 1000 is probably close to on target. The 10 units in a year is also maybe even a little high. Because those people who do this are generally your most experienced users and generally fix the problem themselves.

Now on the other hand, if the users are given tasks they can not perform with the tools they are given then they will find a way. If the "approved" software suite for the user's computer will not allow them to perform their job then they have a number of options. None of which the IT department will like. Most of them will find a way to get software which will do the job and will get it installed. Now in this case you are having your much less experienced users choosing and installing software. This is a recipe for disaster. If you don't provide the tools they need then out of our 1000 sample systems I would expect 900 or more to get nonapproved software installed. Of these in a given year I would expect close to all to have a problem that IT must respond to and would expect multiple responses per year to at least half of the stations.

Now this multiple is the situation that the pro lock down people are describing. Basically if you are experiencing this many problems with non approved software then you really have three choices as to the reason.

a. The approved software as installed is actually not functional.

or

b. The approved software will not do the job. (which is the most likely option.)

I will also say that if you have "improved your customer support" there is a good chance that what has actually happened is that there is now a second "IT department," this in some manner underground, which is now supporting the users. Either the line departments have set this up by hiring some extra people and having them do this instead of the official job they were hired for, or the users have set it up as an informal users group. It is also possible that the line departments are now outsourcing their computer support. But the bottom line is that there is about a 50% chance you are actually not doing a job the company needs done any more, and so your job security is not that good.

Posted by: Ray Stevens at August 13, 2007 05:50 PM
