VOGONS

First post, by gerwin

"How does a system admin deal with users?"
Was looking for articles on this topic on the internet, but could not find much. Basically, besides my normal job I make sure the server and computers in the office are running. Kinda fun, though sometimes the biggest challenge is some users, as they:
1 - Find it necessary to install things to their own liking on their office computer, get computer problems, things become a mess. Then blame the Admin for supplying a 'bad system', in order to also push for the freedom of selecting+buying a new office system themselves!
2 - Complain about anything related to security and the limiting of 'computer user rights' of their own and others. The obvious example is them leaving their written system password visibly on their desk, and then getting aggravated when asked to put it in their drawer instead. Quite bizarre.

It seems the temporary users on the most limited systems actually complain the least, and give the least IT problems. The long term users with 'power user' rights are more difficult.

Anyone had a similar situation? Anyone knows if there is a good book on the 'human part' of system admin work?

--> ISA Soundcard Overview // Doom MBF 2.04 // SetMul

Reply 1 of 19, by Jade Falcon

1: I set up user rights so that they can't install anything, and if they somehow do, I remove the installed app. If they want something installed they should fill out a request form. If they ask why I removed something, I tell them I removed it and explain to them that they can't do that and need to send a request form in. Also tell them the truth when their system gets messy if it's their fault for installing crap; just be sure to be able to explain it on a second grade level, as you will likely need to, but don't be rude about it.

2: I've gotten complaints about all sorts of crap. Not so much for sec policies. I had one user complain about a new computer having too big of a monitor (it was 2 inches bigger); she said it gave her too much mental distress or something. 🤣

If I find a written down password for a user I make them create a new one and dispose of their written down password. If a user does complain about sec policy (they should not if you set everything up right) I tell them that they will either need to deal with it or send in a request form to grant permissions that they do not have. I usually don't grant them any more permissions unless it's 100% required for their job.
Also be sure to audit your sec policy and users. If you can, apply disciplinary action to users that break sec/tech policy. People tend to follow the rules if their job is on the line. You can also take the computer away in an extreme case. My supervisor did that once. Worked great.

You also have to be friendly when dealing with users; you can't just go and do something without giving them a valid reason, or at least you need to give your supervisor/higher-ups a valid reason. But each user is different and you need to handle some users differently.
It's really hard to give good advice for this, it comes with experience and knowing your users. And given my language skills I can't really give good advice in writing.

edit:
Also a few tips.
Know your users. Knowing what type of people you're dealing with is a big help.
Work with the idea of least permissions possible.
Keep your users as happy as possible without compromising your workplace's sec.
If need be, get outside help from a more experienced pro.
Be sure your users know your work site's tech/sec policies; get with HR and have them do a yearly/monthly training, and for new hires.
Stay away from the angry mob, don't let it form. (If you work in IT you get it.)

Reply 2 of 19, by Tetrium

I was thinking this
Ban.gif

Otherwise do as in above reply 😄

Whats missing in your collections?
My retro rigs (old topic)
Interesting Vogons threads (links to Vogonswiki)
Report spammers here!

Reply 3 of 19, by kixs

You need to have a written policy about company computer security & usage, approved by the manager/boss. This way if anyone complains you have written rules everyone has to comply with.

Requests are also possible... /msg kixs

Reply 4 of 19, by ZellSF

1: Don't allow them to install anything. Software in a corporate environment needs to be deployed by IT. If a needed piece of software is not available for deployment, an official request form should be sent to add it.

2: Employees intentionally disregarding policy is a HR issue, not an IT issue. Just make sure you document it.

Reply 5 of 19, by mrau

no wonder i get what i get if that's the standpoint;
since i'm working with pdf files quite often and sometimes it makes sense to have 1 doc i send to the customer not 3, i asked for installation of gnu software for this purpose; answer i got: we have software that does this and will not consider a new piece (commercial, huge, full of hogging services and sec holes), i shall ask the local IT to install it for me; local IT: we do have software, but since it's commercial, we install it for the moment you need it and remove it then for someone else to use - we don't have the money to keep it on everyone's machines perma;
happy policy compliant user

Reply 6 of 19, by Jorpho

mrau wrote:

no wonder i get what i get if that's the standpoint;
since i'm working with pdf files quite often and sometimes it makes sense to have 1 doc i send to the customer not 3, i asked for installation of gnu software for this purpose; answer i got: we have software that does this and will not consider a new piece (commercial, huge, full of hogging services and sec holes), i shall ask the local IT to install it for me; local IT: we do have software, but since it's commercial, we install it for the moment you need it and remove it then for someone else to use - we don't have the money to keep it on everyone's machines perma;
happy policy compliant user

I'm certain there's software that does not require installation that can be used to join multiple PDF documents together. pdftk, perhaps. Your IT department would never know it was there.

Reply 7 of 19, by candle_86

Lucky lucky people, I work in a public university where each department owns their computers, and IT has limited authority over it, since they have a contract with us instead of being designated campus wide IT that is in charge. What this means is everyone gets admin rights, anyone can install anything that isn't blocked by Sophos because it's considered a security risk, and if a password is on display I can say no and report them to the infosec but that's about it. Oh and I can shove encryption down their throat since we are a medical school and HIPAA requires it.

Pretty much any violation I just get to warn them and say don't do that.

Reply 8 of 19, by clueless1

Focusing on the human aspect, you're a human too, just doing your job and just as annoyed by the things that are annoying to the users. Make sure your users know that. 😀 If you can commiserate with them, that will go a long way toward sowing a better relationship with them. If you have to make a trip to their desk, roll your eyes, shake your head, and make some comments about these crazy hackers that force you to have to implement policy x or y. You're on their side!

A couple of things to consider if you haven't looked into them yet:
-make your own security training. It could be a simple slide show with youtube video links. Ask HR to make it part of new hire training for those who will be working with an internet-connected computer. Since you're making it, you control what goes in it.
-use something like Spiceworks to help automate network management. You will know when somebody installs something because SW will tell you. Consider software restriction policies (enforced with group policy if you have an AD server).
-the more protections you install at the gateway, the less you have to deal with individual users. Things like a transparent squid proxy server, a filtering DNS, a domain blocklist using well-known public lists (MVPS HOSTS, bambenekconsulting.com, zeustracker, malwaredomainlist.com, etc) will block almost all bad stuff at the gateway. If they complain, blame it on your ISP. 😀 Or give the old "crazy hackers force us to put up all these walls, it sucks for all of us" spiel.

The more I learn, the more I realize how much I don't know.
OPL3 FM vs. Roland MT-32 vs. General MIDI DOS Game Comparison
Let's benchmark our systems with cache disabled
DOS PCI Graphics Card Benchmarks

Reply 9 of 19, by candle_86

Also, if it's an issue, go into local group policy and hide and restrict access to C to force them to save to the network.

Reply 10 of 19, by DosFreak

Jorpho wrote:
mrau wrote:

no wonder i get what i get if that's the standpoint;
since i'm working with pdf files quite often and sometimes it makes sense to have 1 doc i send to the customer not 3, i asked for installation of gnu software for this purpose; answer i got: we have software that does this and will not consider a new piece (commercial, huge, full of hogging services and sec holes), i shall ask the local IT to install it for me; local IT: we do have software, but since it's commercial, we install it for the moment you need it and remove it then for someone else to use - we don't have the money to keep it on everyone's machines perma;
happy policy compliant user

I'm certain there's software that does not require installation that can be used to join multiple PDF documents together. pdftk, perhaps. Your IT department would never know it was there.

Depends if they block all executables except approved ones using AppLocker, SRP, or McAfee.

At my previous job there wasn't much money spent on IT so I just used SRP to block executables in the user profile. Stops those portable browsers and malware pretty good.

How To Ask Questions The Smart Way
Make your games work offline
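
Before turning on a rule like the one described in this reply, it helps to know what already runs from user profiles. The following Python sketch is an added example, not code from the thread and not SRP itself; the extension list, the reason strings and the sample files are constructed for illustration.

```python
import os
import tempfile

# Extensions treated as runnable for this example (a constructed subset).
EXEC_EXTS = {".exe", ".com", ".scr", ".msi", ".bat", ".cmd", ".ps1", ".vbs"}


def is_pe(path):
    """True if the file starts with the 'MZ' magic of a Windows PE binary."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False  # unreadable files are skipped, not reported


def audit_profile(profile_root):
    """Return sorted (relative_path, reason) pairs for runnable content."""
    findings = []
    for dirpath, _dirs, files in os.walk(profile_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, profile_root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if is_pe(full):
                # Header check catches binaries renamed to look harmless.
                reason = "PE binary" if ext in EXEC_EXTS else "PE binary, misleading extension"
                findings.append((rel, reason))
            elif ext in EXEC_EXTS:
                findings.append((rel, "script or installer"))
    return sorted(findings)


def demo():
    """Build a constructed sample profile in a temp dir and audit it."""
    sample = {
        "Downloads/PortableBrowser/browser.exe": b"MZ\x90\x00fake",
        "AppData/Local/Temp/update.jpg": b"MZ\x90\x00fake",
        "Desktop/cleanup.bat": b"@echo off\r\n",
        "Documents/report.docx": b"PK\x03\x04fake",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in sample.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return audit_profile(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:32} {rel}")
```

Running `audit_profile` against real profile directories gives a list of software users depend on, which can go through the request process before the block is enforced.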

Reply 11 of 19, by gerwin

Thanks everyone for the advice! Seems like this was a good place to ask. I like the idea of request forms, but don't see such happening in the small office I am facing. In general though, this is probably where to start:

kixs wrote:

You need to have a written policy about company computer security & usage, approved by the manager/boss. This way if anyone complains you have written rules everyone has to comply with.

Even if the manager won't be on the same page on all things IT, and the policy may not be entirely to my liking, it is surely preferable to the current wild west situation some users have created.
Then, all the other ideas are also very interesting, I will take my time to consider them.

Strangely, when remembering my past trainee jobs, like a decade ago: the PCs that I was allowed to use were never locked out. I could install what I wanted. Even in big companies. It was only at college that the systems were locked down. That may be part of the reason why I am lacking knowledge on this subject.

--> ISA Soundcard Overview // Doom MBF 2.04 // SetMul

Reply 12 of 19, by badmojo

Yes I agree that the management approved policy is the way to go. The specter of hackers is enough to get management to sign up, and then you can be the sympathetic I.T guy with "I know it's draconian, but this is what management are enforcing now". The last place I worked was a free-for-all and the support guys spent so much wasted effort on iTunes installs gone rogue, etc - also another good angle to use on management: "if you don't agree to lock it down then we'll need more support staff".

The place I work now has half the internet locked down, a driver locker so you can't copy anything off your machine, etc. It's the strictest I've seen but people get over it and move on with their lives.

Life? Don't talk to me about life.

Reply 13 of 19, by SquallStrife

I say this as someone working for a very large (global) company, and having been on both sides of the fence, working for IT, and working outside IT.

Your job isn't to be the IT bossy pants. Your job is to help the business accomplish their goals, not stand in the way of that. Remember that computers and IT are just tools that people use to get work done.

If you stonewall the business in the name of "best practice" or "the way I want to do things", you're going to meet resistance, and eventually you'll find yourself without a job. If you make things too difficult for people, then they will find ways to subvert you, and they'll have management on their side in doing so. At this stage, you need to reach out and work a solution, not point the finger and say "no way, Jose".

VogonsDrivers.com | Link | News Thread

Reply 14 of 19, by yawetaG

@SquallStrife: That. And a lot of company IT departments don't understand that.

However, it does not mean you have to let users install anything they want. Personally I never understood why a previous employer did not block certain entertainment websites or let some users install iTunes while at the same time complaining when you asked them to install/buy special software needed for work. No, for the latter I had to request a special policy that let me (the user) install anything I wanted locally with IT accepting no support responsibility at all, but not while connected to the internet, out of "security reasons" (any real evil malware can be written to circumvent such limitations). Which of course led to problems when I had to install a program that needed to download its install files from the internet (solution: install to USB-stick at home, then transfer to work PC - which was not blocked 🙄 ).
Likewise, they forced users to "completely change" their passwords every three months, but a) as one user discovered, "completely changing" meant "I can change a single letter and be done with it", b) users routinely pasted their passwords to their screens, which combined with the easy-to-guess usernames..., and c) the "three months"-thing appeared to not apply for off-site (remote log-in) workers 😵 .
So their policies were inconsistent at best and dangerous at worst - as was shown when a clueless user got his system repeatedly rooted by installing malware, which then infected his network partition 😲 . The same company employed IT techies that had very backwards ideas about open source, Unix, and Apple Macs, and a very limited viewpoint when actually bothering to use Linux and the like - they just grabbed the first thing that came under their attention instead of checking whether there were better or more efficient solutions at hand. E.g. using a dedicated code editor instead of Red Hat Linux's standard text editor, which led to whining about "it's not licensed under the only open source license we know!" (then they need to review their nonsensical policies).
Meanwhile I composed my own software suite out of some paid programs and some variously licensed free ones, and ended up with a better combination for less money. All of which could also be run on my work machine from USB, the desktop or by dumping them into my network My Documents folder - awesome but at the same time worthy of a massive facepalm (because executing programs from My Documents etc....ah).

So, have written policies in place. Have sane written policies in place. Enforce them. Enforce them consistently. Enforce them consistently and be able to explain in normal language why things are like that. Also understand that users can't wait three months (or three weeks) before something they need for work is installed. And understand that <insert large vendor/popular choice here> does not always have the best/cheapest solution for a problem.

Additionally, have things vetted by management. Be critical of what management proposes: Microsoft Office might be everything they need, but it certainly can't replace dedicated desktop publishing software meant for pre-press and therefore wouldn't be a good choice for use on the floor in a printing office. Likewise, Google Docs doesn't equal Microsoft Office (however Google would like it).

Oh, and if you think things are out of your league, ask for advice or go on an appropriate course instead of doing things you (and management) may regret later on.
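
The "change a single letter and be done with it" loophole described in this post can be closed at the point where a user submits both the old and the new password. The sketch below is an added example, not from the thread and not any product's built-in rule; the function names, the reason codes and the `min_distance` threshold are assumptions made for illustration.

```python
def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def base_word(pw):
    """Fold case and drop trailing digits/symbols: 'Winter2016!' -> 'winter'."""
    return pw.lower().rstrip("0123456789!@#$%^&*()-_=+.,?")


def check_change(old, new, username, min_distance=4):
    """Return reason codes for rejecting the change; an empty list means accept.

    Only usable in a change form where the user types the old password:
    stored hashes cannot be compared for similarity.
    """
    reasons = []
    if edit_distance(old, new) < min_distance:
        reasons.append("too-similar")      # e.g. one letter changed
    old_base, new_base = base_word(old), base_word(new)
    if new_base and new_base == old_base:
        reasons.append("same-base")        # only the suffix or case rotated
    if username and username.lower() in new.lower():
        reasons.append("contains-username")
    return reasons


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for new in ("Xinter2016!", "Winter2017!", "correct horse battery"):
        print(new, check_change("Winter2016!", new, "jsmith"))
```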

Reply 15 of 19, by gdjacobs

SquallStrife wrote:

I say this as someone working for a very large (global) company, and having been on both sides of the fence, working for IT, and working outside IT.

Your job isn't to be the IT bossy pants. Your job is to help the business accomplish their goals, not stand in the way of that. Remember that computers and IT are just tools that people use to get work done.

If you stonewall the business in the name of "best practice" or "the way I want to do things", you're going to meet resistance, and eventually you'll find yourself without a job. If you make things too difficult for people, then they will find ways to subvert you, and they'll have management on their side in doing so. At this stage, you need to reach out and work a solution, not point the finger and say "no way, Jose".

Yup. Successful businesses are usually able to communicate well internally. If someone wants to do something which you perceive is risky, it's important to engage them to arrive at a workable solution rather than starting a war.

All hail the Great Capacitor Brand Finder

Reply 16 of 19, by ZellSF

No one said to work against management, but IT should be working with management to try to encourage best practice.

Doing things the easy way in order to get things done is all well until your company leaks confidential data, your company gets sued into oblivion or your entire IT infrastructure collapses.

Reply 17 of 19, by gerwin

Yeah, bringing these two together:
1- Realistic protection against leaking important data.
2- Happy and cooperative employees.
Seems rather impossible really.
The users just don't have a clue on (1) at the moment, even when another business in our field just leaked important data. They don't see that their preferred way of working is just a matter of statistics: every year there are several incidents that could have been a leak. Or that actually have been a leak without the company knowing.
My manager now seems to understand it a little though. Not by me telling him, but by seeing these incidents occurring: if there is no policy against phishing mails, no policy against lack of backups (outside of the server), no policy against leaks, then these exact issues seem to bite sooner or later. The question is then: is that acceptable? The usual weak answer: 'not acceptable, but we won't change policies, we will hope for the best'.

--> ISA Soundcard Overview // Doom MBF 2.04 // SetMul

Reply 18 of 19, by lvader

It kind of depends on the size and culture of the company, but with one company in particular I made the point of removing restrictions imposed by the previous IT manager for remote users (laptops) and dealt with the problem through policies and communication. As a result of this policy the overall workload of the IT team was reduced because even though we had to fix a few more issues we weren't continually called on to install software etc. (Internal) customer satisfaction went up.

Reply 19 of 19, by xjas

My current employer delivered my workstation to me in its box with the instructions on how to connect to the company network written on a piece of paper. The pre-installed Windows 8.1 business suite lasted long enough for me to download Fedora. I am the only one with root access or even a user account on the machine. Every piece of software on it was installed by me because I knew what I needed.

I wouldn't last very long in some of your IT environments.

twitch.tv/oldskooljay - playing the obscure, forgotten & weird - most Tuesdays & Thursdays @ 6:30 PM PDT. Bonus streams elsewhen!