I spent a good part of a recent day discussing the reasons why I had instructed the removal of certain unauthorised software from a number of PCs on the company network. The arguments that came my way were:
– they needed it
– we should be accommodating
– it’s not posing any risk
It’s all rubbish. They didn’t need it. In fact they circumvented a GPO by changing the name of the executable in order to get it working in the first place. The company already provisions suitable software, however that, apparently, was not good enough. Should we be accommodating? Sure! But we also need to remain in control of our corporate network or else there is no hope of the IT department being able to provide support or ensure that PCs remain patched up to date and free of malware.
Which brings me on to the last argument given: that there was no risk. It’s usually an uninformed one, where an individual will state something along the lines of “we had it at my last company” or “I use it at home all the time.” Ask them about licensing, configuration, or where to obtain security updates for it, though, and you’ll get a blank stare in response.
Some of you are reading this and about to ask: why are desktops provided with local admin rights anyway? In general, they are not. A certain group of users – web developers – have local admin rights. Unauthorised software is prevented through the Windows GPO but otherwise they have full control. How much more accommodating can we be?
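The rename trick described above works because a rule keyed on the executable's file name is trivially defeated; the attributes a rename does not change (the file hash, the OriginalFilename field in the version resource, the Authenticode signer) are what a desktop team can check for instead. The following PowerShell audit is an added example, not from the original post: the blocked binary name, the hash list and the scan roots are placeholders to be filled from your own software inventory.

```powershell
# Added example (not part of the original post). Scans common install locations
# for copies of a blocked executable that have been renamed to slip past a
# filename-based rule. Placeholders: $BlockedOriginalName, $BlockedHashes, $ScanRoots.

$BlockedOriginalName = 'unauthorised.exe'                      # placeholder name
$BlockedHashes       = @('PLACEHOLDER_SHA256_OF_KNOWN_BUILD')  # placeholder hashes from your inventory
$ScanRoots           = @("$env:ProgramFiles", "$env:LOCALAPPDATA", "$env:USERPROFILE\Desktop")

function Find-RenamedBlockedExecutable {
    param([string[]]$Roots, [string]$OriginalName, [string[]]$Hashes)

    Get-ChildItem -Path $Roots -Filter *.exe -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file     = $_
            # A rename leaves the bytes untouched, so the hash still matches the known build.
            $hash     = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
            # The version resource embedded by the vendor still carries the original name.
            $origName = $file.VersionInfo.OriginalFilename
            # The Authenticode signer (if any) identifies the publisher regardless of file name.
            $sig      = Get-AuthenticodeSignature -FilePath $file.FullName

            $reasons = @()
            if ($Hashes -contains $hash) { $reasons += 'hash matches blocked build' }
            if ($origName -and ($origName -ieq $OriginalName) -and ($file.Name -ine $OriginalName)) {
                $reasons += "renamed: version resource says OriginalFilename=$origName"
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Path   = $file.FullName
                    Name   = $file.Name
                    Sha256 = $hash
                    Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                    Reason = $reasons -join '; '
                }
            }
        }
}

Find-RenamedBlockedExecutable -Roots $ScanRoots -OriginalName $BlockedOriginalName -Hashes $BlockedHashes |
    Format-Table -AutoSize
```

Detection after the fact is the fallback; at enforcement time the same idea applies, which is why AppLocker publisher or hash rules hold up against a rename where a path or filename rule does not.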
The trump card in all such discussions is the risk ownership signature. If you really really want and need the software then we’ll fill out a risk assessment, complete a departure from policy form and ask the CIO to sign it off. Funny how the requirement quickly changes under those circumstances.