If you’re a typical small-business owner, you don’t have a centralized
provisioning system that can easily and automatically deploy each desktop or
laptop system. You might not even have a dedicated employee, let alone a whole
department, to manage your IT resources. And you probably give each user their own local
login, instead of using a centralized authentication server. In other words,
your employees have the keys to their local computer kingdoms. And that means
they can do just about anything on their machines: Install new applications,
install undesirable applications, change settings, and perhaps even
unintentionally corrupt the Registry or download malware. Giving your employees
the freedom to try new tools,
listen to music while they work, or visit social media sites in their off time
will improve their morale and enhance their productivity. But that flexibility
can quickly lead to disaster if they wind up ruining their computers, bogging
them down with garbage apps, or worse. So how do you balance keeping your employees happy with maintaining
control of your company’s assets?
The Decision
One strategy is to
deny your employees all administrative control over their computers. Such a
restriction would reduce the risk of your computers being waylaid by buggy apps
and malware, because no one would be able to install anything. The drawback is
that you--or your designee--would have to do all of the installing for them.
That can be a time-consuming process, especially if you’re deploying a new
application to your entire workforce--even if it’s just a handful of employees.
Then you have to consider periodic security patches, bug fixes, driver updates,
and upgrades. And don’t forget the need to install drivers and software for new
peripherals, such as printers and scanners.
Granting Administrator Access
Instead of managing everything yourself, you can take a number
of steps to bestow administrative rights to your employees without losing
complete control over the computers you’ve provided.
Before you open up
everyone’s computer for unfettered use, establish a baseline software
environment that will be standard for each staffer. Set a policy that allows
employees to augment their computers with new applications but prohibits them
from uninstalling or disabling the baseline programs--especially the antivirus
and antimalware tools, a secure Web browser,
an office suite (unless you use a cloud app, such as Google Docs), and whatever
proprietary software your small business needs to function. Then, use an
application such as DriveImage XML (free for private use; a five-user commercial
license costs $100) to clone the system drive on each class of computer you’ll
deploy. Your goal is to create an image of each type of desktop system in your
office, from standard administrative machines to function-specific desktops
(video-editing workstations, for example). If disaster strikes or an employee
renders their computer unusable, you can quickly restore it to its original
configuration. You should also establish policies and procedures that employees
must follow to minimize the chances that they’ll disrupt normal business
operations. For starters, establish a policy that every employee must create a
Windows user account, in addition to their administrator account, and that they
must sign in under that user account at all times unless they’re performing
functions that require administrator credentials. This policy will help prevent
rogue applications from gaining privileged access to the operating system. You
should also dictate that all employees store their work-related files on a
shared network drive (located on a server or NAS box), and that they keep
personal files in their personal cloud storage (Dropbox, SkyDrive, and the
like). Inform them that the personal data will not be included in the mandatory scheduled
backups.
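The separate-account policy described above is easy to state and easy to drift from, so it is worth scripting both halves of it. The following PowerShell is an added example, not code from the original article: it creates the everyday, non-admin account for a staffer and then reports who actually holds local administrator rights on the machine, using net.exe and WMI because those exist on Windows 7 (the newer *-LocalUser cmdlets do not). The account name is a placeholder, and the script assumes an elevated PowerShell prompt on the employee's PC with the English group name "Administrators".

```powershell
# Added example, not from the original article.
# Assumptions: elevated PowerShell on a Windows 7 PC; 'jsmith' is a placeholder.
$dailyUser = 'jsmith'          # placeholder: the staffer's everyday, non-admin account

function New-StandardAccount {
    param([string]$Name)
    net user $Name > $null 2>&1
    if ($LASTEXITCODE -ne 0) {
        # '*' makes net.exe prompt for the password, so it never lands in the script or the history
        net user $Name * /add
    }
    # Make sure the account is a plain user and NOT a member of Administrators
    net localgroup Users $Name /add > $null 2>&1
    net localgroup Administrators $Name /delete > $null 2>&1
}

function Get-LocalAdministrators {
    # Win32_GroupUser lists every group membership; keep only the local Administrators group
    Get-WmiObject -Class Win32_GroupUser |
        Where-Object { $_.GroupComponent -match 'Name="Administrators"' } |
        ForEach-Object {
            if ($_.PartComponent -match 'Domain="([^"]*)",Name="([^"]*)"') {
                "$($Matches[1])\$($Matches[2])"
            }
        }
}

New-StandardAccount -Name $dailyUser
$admins = @(Get-LocalAdministrators)
"Local administrators on $($env:COMPUTERNAME):"
$admins | ForEach-Object { "  $_" }
if ($admins -match ('\\' + [regex]::Escape($dailyUser) + '$')) {
    Write-Warning "$dailyUser is still a local administrator; the daily-use account policy is not in effect."
}
```

Run the audit part on its own from time to time: the list of local administrators should contain only the dedicated admin accounts you handed out, never the accounts people sign in with every day.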
The Power of Group Policy Editor
Local administrator privileges seem unstoppable, but there is a means by which
you can exert fine control over the Windows operating system. The secret is to
use Windows 7’s Group Policy Editor. Log on with the user’s admin credentials,
type gpedit.msc in the Windows search box (you’ll find it in the Start menu),
and then press the Enter key. From here, you can disable access to critical
Windows elements entirely--including the Control Panel--or you can choose which
components you wish to allow your employees to modify. For instance, you might
give them the ability to switch screensavers, but not to change printers or
uninstall programs. Don’t discount the power of the Group Policy Editor. If
you’re the slightest bit hesitant about letting employees run wild on their
systems, this handy Windows feature offers the ounce of control you need to
keep your systems running smoothly. You’ll find all of the settings worth
browsing and editing under Group Policy Editor’s 'Administrative Templates'
folder in the User Configuration menu.

You can also block access to specific programs installed on a Windows machine;
just open the Group Policy Editor and navigate to the System folder under
Administrative Templates in the User Configuration setting. Double-click the
'Don’t run specified Windows applications' option, enable the policy, click the
Show button (it’s next to 'List of Disallowed Applications'), and then type in
the names of executable application files (such as uTorrent.exe) as values.

This method won’t prevent industrious employees from renaming their favorite
peer-to-peer programs to, say, “hatemyboss.exe” and running them, which is why
you might want to combine your Group Policy edits with some additional changes
at the network hardware level. You could, for instance, go into the
configuration panel of your primary router and change the firewall settings to
block access to all ports for your employees’ systems, save for those required
for the computers to actually work--such as traffic on ports 110, 53, 25, and
80, to name a few. This is a nuclear option to prevent employees from turning
your small-business environment into downloading central, but it is worth
considering if peer-to-peer misbehavior is an issue at your workplace.
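The 'Don’t run specified Windows applications' setting is simply a pair of registry entries under the user's hive, which makes it easy to roll out by script and, more usefully, to audit. The PowerShell below is an added example, not code from the article or from Microsoft: it writes the same values gpedit.msc stores when you enable the policy, reads them back, and then applies the check a practitioner wants against the renaming trick mentioned above. A renamed binary still carries the OriginalFilename that was compiled into its version resource, so comparing that with the name the process is actually running under exposes a blocked program hiding as "hatemyboss.exe". The policy lives under HKCU, so the script assumes it runs inside the employee's own session; the executable names are placeholders.

```powershell
# Added example, not from the original article or from Microsoft.
# Assumptions: runs in the employee's own session (policy is per user, under HKCU);
# the names in $blocked are placeholders for your own list.
$blocked = @('uTorrent.exe', 'BitTorrent.exe')   # placeholder blocklist

function Set-DisallowRunPolicy {
    param([string[]]$ExeNames)
    $policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $listKey   = Join-Path $policyKey 'DisallowRun'
    if (-not (Test-Path $listKey)) { New-Item -Path $listKey -Force | Out-Null }
    # DWORD DisallowRun=1 switches the policy on; the DisallowRun subkey holds one
    # REG_SZ value per program, named "1", "2", "3" ... exactly as the Show dialog stores them.
    Set-ItemProperty -Path $policyKey -Name 'DisallowRun' -Value 1 -Type DWord
    foreach ($old in (Get-Item -Path $listKey).GetValueNames()) {
        Remove-ItemProperty -Path $listKey -Name $old      # drop stale entries first
    }
    $i = 1
    foreach ($exe in $ExeNames) {
        Set-ItemProperty -Path $listKey -Name ([string]$i) -Value $exe -Type String
        $i++
    }
}

function Get-DisallowRunPolicy {
    # Read back the names currently in the list, for a quick audit
    $listKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
    if (Test-Path $listKey) {
        $key = Get-Item -Path $listKey
        $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
    }
}

function Find-RenamedBlockedProcesses {
    param([string[]]$ExeNames)
    # The policy matches on file name only. The OriginalFilename in a binary's version
    # resource survives a rename, so compare it with the name the process runs under.
    foreach ($p in Get-Process) {
        $path = $null
        try { $path = $p.Path } catch { }              # other users' or protected processes
        if (-not $path) { continue }
        $original = (Get-Item -LiteralPath $path -ErrorAction SilentlyContinue).VersionInfo.OriginalFilename
        $onDisk   = Split-Path -Leaf $path
        if ($original -and ($ExeNames -contains $original) -and ($onDisk -ne $original)) {
            New-Object PSObject -Property @{
                PID = $p.Id; RunningAs = $path; OriginalFilename = $original
            }
        }
    }
}

Set-DisallowRunPolicy -ExeNames $blocked
"Currently disallowed: $((Get-DisallowRunPolicy) -join ', ')"
Find-RenamedBlockedProcesses -ExeNames $blocked | Format-Table PID, RunningAs, OriginalFilename -AutoSize
```

Two caveats go with this setting. It only stops programs launched through Explorer (double-click, Start menu, desktop shortcut); something started from a command prompt or by another process is not affected, which is another reason the audit function is worth running. And because the values sit under HKCU, a user who is a local administrator can delete them, so treat the registry check as a tripwire rather than a wall; AppLocker, covered below, is the stronger tool.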
Finer Administrative Control
If your systems are running either Windows 7 Ultimate or Windows 7 Enterprise,
you can make use of the operating system’s built-in AppLocker feature.
Accessible via the Group Policy Editor, AppLocker provides even finer control
over the items that system users can run on their machines. For example,
instead of just blocking apps by executable name, you can go in and block apps
by publisher, file path, or file hash. The file-path option is especially
useful if you want to block all access to a digital download service--such as
Steam--that puts all downloaded programs into a specific directory.

Do you need a third-party application to control your users’ activity on their
systems? Not really. However, if you discover that recalcitrant employees with
administrator privileges are circumventing your Windows-based access controls,
you might want to look into stronger solutions. For example, if you install
Faronics’ Deep Freeze ($35.50 per year) on employee machines, the program will
restore each system to an identical snapshot every time the PC restarts. Or you
could provide staffers with a virtual desktop that would give them the freedom
to install their personal programs in a sandboxed environment.

As long as you’re willing to invest a bit of time setting up the right
configurations, granting your employees administrator privileges on their
small-business PCs won’t necessarily lead to chaos. You can even control admins
without making your employees feel as though they’re working under parental
controls from nine to five.
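Picking up the AppLocker section above: the Group Policy Editor is the usual way in, but AppLocker policies are plain XML and Windows 7 ships PowerShell cmdlets for testing and applying them, which lets you dry-run a rule before it blocks anyone. The script below is an added example, not code from the article or from Microsoft. It builds a small Exe policy with the three default "allow" rules every AppLocker policy needs (once a rule collection contains any rule, an enforced collection denies everything that no allow rule covers, so leaving them out locks everyone out), a Deny path rule for the Steam folder as the article suggests, and optionally a Deny hash rule for one specific binary. It starts in AuditOnly mode, asks AppLocker how it would decide for a couple of files, and only then applies the policy. It assumes Windows 7 Ultimate or Enterprise, an elevated prompt, and that the Steam and uTorrent paths are placeholders for your own.

```powershell
# Added example, not from the original article or from Microsoft.
# Assumptions: Windows 7 Ultimate/Enterprise, elevated PowerShell, placeholder paths below.
Import-Module AppLocker

$steamDir   = '%PROGRAMFILES%\Steam\*'     # placeholder; AppLocker's %PROGRAMFILES% covers both Program Files folders on x64
$steamExe   = 'C:\Program Files (x86)\Steam\Steam.exe'          # placeholder, used only for the dry run
$utorrent   = 'C:\Program Files (x86)\uTorrent\uTorrent.exe'    # placeholder for a hash rule
$policyFile = Join-Path $env:TEMP 'applocker-policy.xml'
$everyone   = 'S-1-1-0'          # well-known SID: Everyone
$admins     = 'S-1-5-32-544'     # well-known SID: BUILTIN\Administrators

function New-PathRuleXml {
    param([string]$Name, [string]$Path, [string]$Sid, [string]$Action)
    $id = [guid]::NewGuid()
@"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

function New-HashDenyRuleXml {
    param([string]$ExePath, [string]$Sid)
    # Get-AppLockerFileInformation computes the hash AppLocker itself uses, so the
    # rule follows this exact binary wherever it is copied to or whatever it is renamed to
    $h  = (Get-AppLockerFileInformation -Path $ExePath).Hash
    $id = [guid]::NewGuid()
@"
    <FileHashRule Id="$id" Name="Deny $($h.SourceFileName) by hash" Description="" UserOrGroupSid="$Sid" Action="Deny">
      <Conditions><FileHashCondition>
        <FileHash Type="$($h.HashType)" Data="$($h.HashDataString)" SourceFileName="$($h.SourceFileName)" SourceFileLength="$($h.SourceFileLength)" />
      </FileHashCondition></Conditions>
    </FileHashRule>
"@
}

function New-BaselinePolicyXml {
    param([string[]]$ExtraRules)
    # Deny rules win over allow rules, so the Steam rule applies even to local admins
    $rules = @(
        (New-PathRuleXml -Name 'Allow everything in Program Files'  -Path '%PROGRAMFILES%\*' -Sid $everyone -Action 'Allow'),
        (New-PathRuleXml -Name 'Allow everything in the Windows folder' -Path '%WINDIR%\*' -Sid $everyone -Action 'Allow'),
        (New-PathRuleXml -Name 'Administrators may run anything'    -Path '*'               -Sid $admins   -Action 'Allow'),
        (New-PathRuleXml -Name 'Block the Steam download folder'    -Path $steamDir         -Sid $everyone -Action 'Deny')
    ) + $ExtraRules
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
}

$extra = @()
if (Test-Path $utorrent) { $extra += New-HashDenyRuleXml -ExePath $utorrent -Sid $everyone }
New-BaselinePolicyXml -ExtraRules $extra | Set-Content -Path $policyFile -Encoding UTF8

# Dry run: ask AppLocker how it would decide for files that exist on this machine
$probe = @("$env:WINDIR\notepad.exe", $steamExe) | Where-Object { Test-Path $_ }
Test-AppLockerPolicy -XmlPolicy $policyFile -User Everyone -Path $probe |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# AppLocker evaluates nothing unless the Application Identity service is running
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyFile
```

Leave EnforcementMode at AuditOnly for a week or so and watch the AppLocker event log (Event Viewer, Applications and Services Logs > Microsoft > Windows > AppLocker) for "would have been prevented" events; when the only hits are the programs you meant to block, change the attribute to Enabled and apply the file again.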