ughh I hate IT

[IndyColtsFan]

I actually like the people who know stuff. Less stuff for me to do.

Those are the most dangerous people, because they can usually talk the talk but can't walk the walk and end up making more work for everyone.

 

[sourceninja]

Oh I hate people who do that. We had to lock down machines hard because people insisted on installing their favorite browsers on shared workstations. If people would stop screwing with that crap it would be a lot easier. At least here we are using an ancient browser for a reason. It is so much fun to find out the previous doctor installed IE7 because he liked it and now the next Doctor cannot view his radiology images before the next surgery because IE6 is required. But it is a balancing act because some of the disks that other hospitals send require a client to be installed before the images can be viewed, so the doctor needs to be able to install some software.

Sounds like a solution for VDI!

 

[bobdole369]

Oh I hate people who do that. We had to lock down machines hard because people insisted on installing their favorite browsers on shared workstations.

now the next Doctor cannot view his radiology images before the next surgery because IE6 is required.

The solution should NOT have been to lock the machines down, though that is indeed appropriate in most corporate environments for other reasons. Instead:

FIX YOUR CODE TO WORK ON ALL BROWSERS! And remove the ancient browsers that bend over and present to any passerby. Or.... Insist that your vendors do the same! If you are in a healthcare environment, your budget should allow for this! If not, the thought of HIPPA violation lawsuits due to spyware should compel your admin to press the issue!!

Allowing ancient browsers simply because you think you are in a walled garden is not a smart thing to do.

You sir, are part of the problem! Good Day Sir!

 

[IndyColtsFan]

Also, the problem is not just related to non-IT. I know several people in our IT department who are in many cases bigger idiots then standard users.

For example, we have a 'software specialist' who uses terms like LAND, SAND, VLAND, etc when talking to network admins about issues. That same person loves to ask if the 'vmware is down' when anyone calls in with a problem connecting to anything (We run a large about of servers virtualized).

Those are my favorite users -- the ones who come up to you in the bathroom, bitching, because they somehow got Firefox installed on their system and it won't work, because you have it blocked at the proxy. 🙂

User: "Uh, Firefox is more 'secure.' You need to let me use it."
Me: "It may or may not be 'more' secure, but it does have vulnerabilities and we do not patch for Firefox vulnerabilities. We DO patch for Internet Explorer vulnerabilities and that is our standard browser due to other application requirements."
User: <sigh> ...

That conversation was a few years ago with another "I know more than IT" user. Guess what? I have an EE degree and actually work in IT.

 

[sourceninja]

The solution should NOT have been to lock the machines down, though that is indeed appropriate in most corporate environments for other reasons. Instead:

FIX YOUR CODE TO WORK ON ALL BROWSERS! And remove the ancient browsers that bend over and present to any passerby. Or.... Insist that your vendors do the same! If your in a healthcare enviornment, your budget should allow for this! Allowing ancient browsers simply becasue you think you are in a walled garden is not a smart thing to do.

You sir, are part of the problem! Good Day Sir!

Good luck with that. Having worked in the medical field I know that you can't get medical software companies to do anything on your time table. They will update when government standards require it, and not a minute sooner.

There are medical devices out there that run on windows NT, no joke. So much vetting and testing goes into medical devices that updates are few and far between.

 

[IndyColtsFan]

The solution should NOT have been to lock the machines down, though that is indeed appropriate in most corporate environments for other reasons. Instead:

FIX YOUR CODE TO WORK ON ALL BROWSERS! And remove the ancient browsers that bend over and present to any passerby. Or.... Insist that your vendors do the same! If your in a healthcare enviornment, your budget should allow for this! Allowing ancient browsers simply becasue you think you are in a walled garden is not a smart thing to do.

You sir, are part of the problem! Good Day Sir!

That isn't realistic in many cases. If your financials run on a particular version of Oracle and that version is only certified for IE 6.x, for example, guess what? You're going to be running IE 6.x until either 1) You upgrade Oracle (hugely expensive) or 2) Oracle certifies their application to run on IE 8, which may or may not happen depending on how far behind you are on Oracle versions.

Your corporate CFO doesn't give three shits about which version of IE you're running; he DOES care about having access to his Oracle financials and he DOES care about spending money to do upgrades.

Seriously, some of these posts make me wonder. Locking down your machines is PRECISELY the solution for this and many other reasons.

 

[ViviTheMage]

I sit next to our level I help desk, hilarious.

It is good though, becuase they can turn around and ask ... hey is this server down, cluster down, blablabla...I am training them to not suck. Because if they suck, we get more tickets...and we've already got plenty of networking/server stuff to deal with.

 

[rcpratt]

Oh I hate people who do that. We had to lock down machines hard because people insisted on installing their favorite browsers on shared workstations. If people would stop screwing with that crap it would be a lot easier. At least here we are using an ancient browser for a reason. It is so much fun to find out the previous doctor installed IE7 because he liked it and now the next Doctor cannot view his radiology images before the next surgery because IE6 is required. But it is a balancing act because some of the disks that other hospitals send require a client to be installed before the images can be viewed, so the doctor needs to be able to install some software.

Meh, not a shared workstation. Some of my work sites don't work properly outside of IE, but good thing Chrome has this nifty "IE Tab" addon.

Those are my favorite users -- the ones who come up to you in the bathroom, bitching, because they somehow got Firefox installed on their system and it won't work, because you have it blocked at the proxy.

Those people are just dumb. It's pretty obvious that IT doesn't want us working outside of IE, so I'm not dumb enough to bring up my Chrome/Firefox issues with them. Not that I've had any.

 

[bobdole369]

User: "Uh, Firefox is more 'secure.' You need to let me use it."
Me: "It may or may not be 'more' secure, but it does have vulnerabilities and we do not patch for Firefox vulnerabilities. We DO patch for Internet Explorer vulnerabilities and that is our standard browser due to other application requirements."
User: <sigh> ...

Another "Part of the problem" admin!

Why won't you patch for Firefox?

I know there are application requirements for some other apps, but is it laziness, lack of support, or end of life that requires old-ass vulnerable browsers? Maybe lack of budget for upgrades to at least the latest IE? (as in sharepoint apps) Why isn't your code updated to work on other browsers? I can't conceive any app that can't be made to work with webkit. My programmers agree that its actually harder to keep things working on older IE than it is something webkit or Firefox.

Yup looking like its a lack of budget that keeps IE6 here. Sigh...... These days it making more and more sense to move to VDI.

 

[sourceninja]

That isn't realistic in many cases. If your financials run on a particular version of Oracle and that version is only certified for IE 6.x, for example, guess what? You're going to be running IE 6.x until either 1) You upgrade Oracle (hugely expensive) or 2) Oracle certifies their application to run on IE 8, which may or may not happen depending on how far behind you are on Oracle versions.

Your corporate CFO doesn't give three shits about which version of IE you're running; he DOES care about having access to his Oracle financials and he DOES care about spending money to do upgrades.

Seriously, some of these posts make me wonder. Locking down your machines is PRECISELY the solution for this and many other reasons.

Don't even get me started with oracle. I'd like to put this new app server in place, but it would require getting the IT guys to build a push to update the JVM on every computer on campus. I keep asking, they keep putting it off.

To make it worse, every now and then some IT guy will decide to update a jvm on a workstation for no reason, breaking our core business application for that user until another IT guy can go out and install the correct JVM. If only the company that makes that application would write it properly so it would just pick the right jvm version..but nooooo.

 

[BurnItDwn]

I spent some time working in a help desk. It wasn't bad work. That said, for part of my stay, I worked overnights, so we were allowed to go off script quite a bit, as long as we logged what we did, and, if they didn't like it, they would ask us why we did stuff.

Anyhow, I wouldn't be 100&#37; sure to blame the help desk for this problem, I would say there's likely an issue of left hand not talking to the right hand. Maybe the help desk doesn't have access to the downtime database or current problems tracking... So, without that knowledge, they need to be 100% sure everything is "OK" on your end before they go to the next level. Also, they do not have ESP, so they can not automatically know what troubleshooting you've already performed. That said, 45 minutes is crazy! I would think it would be no more than a 5 minute phone call (reboot, can you access other websites, what happens when you try to log in, try logging in this way instead, ok, now try the original way, ohh still broken, ok, we'll check it out on the back end)....

 

[bobdole369]

Seriously, some of these posts make me wonder. Locking down your machines is PRECISELY the solution for this and many other reasons.

A walled garden isn't going to help when something new pops up and makes its way in somehow. I found out the hard way about PDF vulnerabilities. Unheard of more than a year or so ago!

Just my opinion. A locked down workstation helps, but it isn't an end all, and the reason for it shouldn't be "to keep the users from hurting themselves". But to "ensure functionality." To that end - virtual desktops make even more sense. ANd there really isn't anything wrong with allowing chrome or firefox, provided the user knows enough to use the right browser for the job.

Of course thats more and more money.

 

[sourceninja]

Another "Part of the problem" admin!

Why won't you patch for Firefox?

I know there are application requirements for some other apps, but is it laziness, lack of support, or end of life that requires old-ass vulnerable browsers? Maybe lack of budget for upgrades to at least the latest IE? (as in sharepoint apps) Why isn't your code updated to work on other browsers? I can't conceive any app that can't be made to work with webkit. My programmers agree that its actually harder to keep things working on older IE than it is something webkit or Firefox.

Even Sharepoint

You assume a few things.

1) I get to decide what to support.
2) I write all the code for all the web applications we use.
3) I have infinite time to keep up to date on all security issues for any app someone might want to run.

The fact is, I have a boss, he tells me what to spend my time on. You have to convince him firefox is more important then my other work. Second, you have to call all the software vendors we use, many with no alternatives and get them to update their software. Finally, you need to figure out a way to keep the thing patched and continually tested with all our software.

It's not trivial. All of our in-house applications work on any browser, even text based. That is the joy of being in education. Most of our 'not developed here' applications work in IE only. Currently there are 3 applications preventing us from moving to IE8. There was 4, but I wrote a custom patch to fix one of them (which if we decide to use will require us to maintain our own code tree separate from the vendor and test that adding hours of more work)

I'd love to convince vmware to make lab manager work on macs and 64bit browsers, but they just don't give a shit.

 

[IndyColtsFan]

Another "Part of the problem" admin!

Why won't you patch for Firefox?

Why would we? What part of "it is not a corporate standard" do you not understand?

I know there are application requirements for some other apps, but is it laziness, lack of support, or end of life that requires old-ass vulnerable browsers?

What part of "application requirement" do I need to explain?

Maybe lack of budget for upgrades to at least the latest IE? (as in sharepoint apps) Why isn't your code updated to work on other browsers? I can't conceive any app that can't be made to work with webkit. My programmers agree that its actually harder to keep things working on older IE than it is something webkit or Firefox.

It isn't "my" code. In this case (years ago), it was an Oracle requirement. Again, I don't know how large the company you work for is, but we're talking global Fortune 500 IT here. You don't go out, willy nilly, and say "Ooo, Firefox 4.x is out, let's upgrade everyone!" especially if your PRIMARY application (Oracle) won't support it. Try telling your CFO about IE "vulnerabilities" when he can't get to his financials and tell me how that works, especially since you could patch most of those vulnerabilities with ease.

Yup looking like its a lack of budget that keeps IE6 here. Sigh...... These days it making more and more sense to move to VDI.

Or ThinApp.

 

[daishi5]

The solution should NOT have been to lock the machines down, though that is indeed appropriate in most corporate environments for other reasons. Instead:

FIX YOUR CODE TO WORK ON ALL BROWSERS! And remove the ancient browsers that bend over and present to any passerby. Or.... Insist that your vendors do the same! If you are in a healthcare environment, your budget should allow for this! If not, the thought of HIPPA violation lawsuits due to spyware should compel your admin to press the issue!!

Allowing ancient browsers simply because you think you are in a walled garden is not a smart thing to do.

You sir, are part of the problem! Good Day Sir!

A. Don't own or have access to code, therefore cannot fix.
B. Software was not purchased by us, it was purchased by the doctors office, the software the doctor uses requires IE6. I cannot insist that the doctors vendor do anything. (some concerns have been passed up higher along the chain, but see the next point.)
C. The law requires that any service we provide to 1 doctor we provide to all doctors, there are some exceptions for EHR systems, but as a general rule we do everything we can to keep the system working for all doctors to stay on the good side of the law.
D. We don't want to stay on IE6 we desperately want to move to more secure software because of the security holes, and we don't assume were safe because of a walled garden. But that does not change the fact that an upgrade leaves some systems non-functional.

 

[sourceninja]

A walled garden isn't going to help when something new pops up and makes its way in somehow. I found out the hard way about PDF vulnerabilities. Unheard of more than a year or so ago!

Just my opinion. A locked down workstation helps, but it isn't an end all, and the reason for it shouldn't be "to keep the users from hurting themselves". But to "ensure functionality." To that end - virtual desktops make even more sense. ANd there really isn't anything wrong with allowing chrome or firefox, provided the user knows enough to use the right browser for the job.

Of course thats more and more money.

Actually, one of the things we have toyed with when exploring vdi was allowing users full admin rights on their desktops, but destroying their desktops on logout (and just saving their documents). We decided against it.

However, it is easier to keep our VDI users patched and to add non-standard applications. If it was possible for us to run everyone VDI, I think we could offer more options then we do with standard pc's.

 

[bobdole369]

You assume a few things.

1) I get to decide what to support.
2) I write all the code for all the web applications we use.
3) I have infinite time to keep up to date on all security issues for any app someone might want to run.

This is every admins problem.

The fact is, I have a boss, he tells me what to spend my time on. You have to convince him firefox is more important then my other work. Second, you have to call all the software vendors we use, many with no alternatives and get them to update their software. Finally, you need to figure out a way to keep the thing patched and continually tested with all our software.

I wholeheartedly agree. This is another of IT folks unique issues. Not to mention to "upgrade" you often need to pay - often through the nose, in terms of time, user interruption, and monthly "maintenance" for the privilege. Don't get me started on the issues the upgrade will inevitably cause.

Its a dance for sure. But I still disagree that this dance is solved by locking users down. This is not the right attitude. Users are locked down to ensure continuity. Just a matter of semantics here.

 

[trmiv]

If it is an ActiveSync connection, AFAIK, the only requirements are server address and his credentials (which he would know). The only way to avoid this, I believe, would be to disable ActiveSync on his account. His company probably enables ActiveSync connections by default.

I know how it's supposed to work, but I think it being open to users being able to set it up themselves is a security problem. Where I work you can't get email on your phone until I or another admin verifies who you are, and then adds you to either BES or Good and sends out a password/PIN to your work email (and despite requests, said password/PIN won't be sent via text, gmail/hotmail/whatever or given over the phone). It's like this because when it was available for users to setup themselves, a few morons sent out their info in response to a phishing email and someone gained access to email. We want an actual person to be involved in verifying every device that is allowed to access email.

 

[IndyColtsFan]

A walled garden isn't going to help when something new pops up and makes its way in somehow. I found out the hard way about PDF vulnerabilities. Unheard of more than a year or so ago!

Locking down a workstation is the first, and possibly most important, step in a comprehensive security strategy along with working AV/malware detection on the workstation.

Just my opinion. A locked down workstation helps, but it isn't an end all, and the reason for it shouldn't be "to keep the users from hurting themselves".

Do you not understand the concept of not allowing users to install whatever the heck they want? This isn't Billy Bob's Software store, there are corporate standards and you use those standard pieces of software, like it or not. If you need something outside of the scope of those standards or feel an alternative product better fulfills those needs, there are proper channels to use to address those concerns.

But to "ensure functionality." To that end - virtual desktops make even more sense. ANd there really isn't anything wrong with allowing chrome or firefox, provided the user knows enough to use the right browser for the job.

Corporations have standards for a reason.

Of course thats more and more money.

Exactly. ThinApp is a cheaper solution than VDI but even that is too much for many companies.

 

[bobdole369]

Why would we? What part of "it is not a corporate standard" do you not understand?

The part where it isn't. I understand there is more (often a LOT) of work involved. Whats the gain? Security, and the eradication of a seriously bad browser.

I don't understand why it matters if 2 browsers exist - especially if your application is directed to use the appropriate one.

You don't go out, willy nilly, and say "Ooo, Firefox 4.x is out, let's upgrade everyone!" especially if your PRIMARY application (Oracle) won't support it.

Oh yes I get this. 1700 workstations ran NT4 until 2002 because of this. No way I was sending my staff of 6 out to do anything unless it gave me quite an advantage or (more likely) it was required. Not quite Fortune 500 stuff but I know your scale.

Try telling your CFO about IE "vulnerabilities" when he can't get to his financials and tell me how that works, especially since you could patch most of those vulnerabilities with ease.

Its worse when you realize your CEO has been compromised because the web page he browsed to installed something malicious that hadn't been patched for, and no patch existed. And try explaining that any of the users could have, and probably had done the same. And the reason we weren't using something different is that it costs money.

Its bad I get it. I understand. I won't argue anymore, other than I think that anything going out into the wild ought to be newer than 3 generations old and no longer supported.

Sure you can keep it internally but there is no reason users should use IE6 on the internetz. And of course that means users shouldn't be using the internetz anyway. But now you've got execs browsing. My favorite...

 

[imagoon]

Another "Part of the problem" admin!

Why won't you patch for Firefox?

Because Firefox, while being a good browser, still is missing the entire Enterprise section of their program. I can't deploy it via AD (without 3rd party support.) The updater requires admin rights on the machine to run. I can't push out settings to it via policy, like the homepage and security settings that are given to me.

I consider the 3rd party solutions still unacceptable because they are repackaging the app and quite frankly, I have no idea what they may have embedded in there without me knowing.

If Mozilla Org would get off their butts about this aspect of Firefox, I would deploy and manage it.

 

[rcpratt]

IE7 is bad enough, I can't even imagine using IE6. I don't even care about the security issues, the speed and functionality is just crippling.

A few weeks ago I grabbed my dad's work laptop while I was at home, I sat there mashing ctrl-T for a solid 5 seconds before I realized what was going on. It just seems ridiculous for a company as large as his (Ford) to still be using IE6 in 2010. That's almost TEN YEARS.

edit: From an end-user's perspective, obviously.

 

[Falloutboy]

wow look at the can of worms I unleashed. and no I don't hate IT I just hate the way I'm talked down at when 90&#37; of the time they can skip the 20-30 step diagnostics to make sure I'm not a idiot test and there is a real problem.

 

[bobdole369]

Because Firefox, while being a good browser, still is missing the entire Enterprise section of their program.

I'm hoping that IE9 will prove to be at least as functional and quick as FF and Chrome have been. I pray that an AD supported browser will be here that is something worth using. That might spur a lot of folks to get off their duffs.

 

[amdhunter]

Those are the most dangerous people, because they can usually talk the talk but can't walk the walk and end up making more work for everyone.

A good IT computer nerd can sense these things. 🙂