After a couple of pretty bad weeks, in which virtually everything that could conceivably have gone wrong has, things are finally starting to settle down. Despite a couple of “weeks from hell” in which my network survived virtually every “network down” scenario back to back, none of that actually bothers me. Some of these worst …
> "For those that haven’t already, disable autoplay in Windows; this alone can save you quite a bit of grief. It is absolutely unreal how much trouble autoplay can cause on a Windows system where the user is logged in with administrative privileges."
And you're surprised you had viruses on your network?! Firstly, autorun should never be enabled at all, ever, and secondly, the users should never have administrative privileges! What do they NEED them for?
Personally, as well as disabling autorun and the other obvious stuff, I lock down the system with a software restriction policy to only allow programs to run from C:\Program Files unless you're a local admin (which by extension means network admin, because users do _NOT_ need admin accounts). Hey presto, in one fell swoop I've blocked trojans from being run regardless of whether the users download them through a web browser, an email client or a USB stick.
Apart from the fact that most Windows "sysadmins" are morons, I can't see why other people don't do the same; it near completely closes off possible attack vectors to the desktop.
Did I say I had autorun enabled on my network? There is a difference between articles like the one previous to this; a confession based entirely on my own network config, and trying to pass along some best practice information. It is "obvious" to any practiced systems administrator, but it bears repeating for the newbies. Remember; some of El Reg's readers are a little wet behind the ears, and it is largely them I am trying to target. The more experienced folks read white papers and practice guides and have decades of strong opinions anyways.
As to users "needing" administrative privs...the debate has been had.
Did you read the other article
In the previous article, he made it clear that some users needed Admin to do their work
Actually sometimes users DO need admin privileges on Windows machines - ever tried configuring a new wireless connection on a laptop without them? Yes, you can bypass this problem using IBM Access Connections (or similar) but that doesn't help the bulk of home users who probably don't know such things exist.
I agree that desktop users shouldn't need them (which doesn't mean many mainstream applications make that easy to achieve) but Windows laptops users are often screwed without them.
If only it were that simple...
"and secondly the users should never have administrative privileges! What do they NEED them for?"
Umm, perhaps because some users need to install software without having to bother the IT department? Or perhaps because some software is so badly written it requires admin rights to run properly? I'm an electronics/embedded software R&D engineer, so if we're just going to split employees into two simplistic user/admin categories then I'd be a user, because I'm not employed to look after the network, nor do I have any desire to do so. Yet in every company I've worked for I've had local admin rights for my PCs, even where the written IT policy of the company suggests nobody outside of the IT department would ever be granted such rights.
It's a bit simplistic to say that users don't need admin rights, since "user" encompasses the whole sweep of non-sysadmin employees from the office temp who only needs to run Word and Outlook, right through to developers who need to run whatever bit of software or install whatever bit of hardware they deem necessary in order to do their job properly, and who are trusted by the company to be sufficiently tech-savvy not to stuff up their PCs in the process.
That doesn't, however, justify always running with admin privileges (and responsibilities), which on certain products will inevitably become the common case simply because switching is such a pain. Needlessly so. Even with the "user switcher" enabled, that itself is quite the impressive resource hog.
Best practices are safe habits, and to become and stay habits they must be easy, simple, and unbothersome enough to not invite switching to something easier, simpler, and unsafe. sudo, for example, is quite a good example of facilitating easy elevated access with little bother and still a clear "super"/"not super" distinction. Certain large software vendors make it a fetish to, uh, fail spectacularly in what is arguably a major responsibility of theirs, facilitating best practices. No wonder that the plebs can't get it right.
Does Secunia PSI deal with at least some of these issues (albeit on a Windows box)?
Yes, it is one of a number of excellent tools that can help mitigate these sorts of problems. Like all such tools, it isn't comprehensive enough to solve the problem entirely, but it does most certainly do nothing but good.
There are several similar applications offered by various vendors; some I have had opportunity to use, others I haven’t. I would love the opportunity to test all the big ones side by side, but sadly, this isn’t on my project list for at least the next six months.
I personally think these programs have come a long way since the last time I really looked at them in depth, (2007.) Not getting the chance to dive back into things like this more than once every five years makes me a sad panda.
Secunia PSI is one reason I've changed my machine to Ubuntu.
Don't get me wrong. I liked Secunia PSI. In one place, an application that showed what patches are necessary to keep my XP machine up to date. The problem was _implementing_ them - it took more than an hour of downloading either patches (preferable) or, for programs such as Safari, downloading the latest exe for the product. It was cumbersome, as each product had its own way of keeping itself up to date. Faced with the implications of "this is how you keep XP safe", I changed over to using Ubuntu full time. At least that OS has a centralized package manager.
I really like Paint.NET's auto-upgrade process which, on running the app itself, gives you the option of installing the upgrade when you close the program DOWN. This means I can get on with what I was wanting to do in the first place. For most other apps, many is the time I've declined an update because I needed to get something done immediately and didn't want to wait for the update process to download & install.
Perhaps not 100% suitable for a security patch but very helpful nevertheless.
That's certainly a new approach. The only thing I can say about that is...
It is a particularly nice solution to the problem of installing an update without interrupting what you launched the application to do. Kudos to the developer which came up with that one.
Firefox quite annoying
I've been getting annoyed with Firefox recently; it silently installs an update then restarts itself (haven't got as far as locating the relevant config to change this), which can be very irritating if you are in the middle of something (especially if testing a web app - is it a seg fault or has it just updated?).
I'd love to say I'm surprised that they set that behaviour (just do it..) as default, but the reality is no user would install the upgrade otherwise! How many people when presented with a box detailing an available upgrade and a skip button, will skip because they want to watch youtube/use Internet Banking/whatever?
At least it does update itself though, I used to hate Amsn. It'd tell you an update was available, and then leave it to you to download the new app and install, even when the existing code could simply have been patched!
For Windows, WSUS is great (assuming it's configured properly) whilst Linux distros use a variety of tools (i.e. apt/portage/yum etc.). I'm surprised to hear that Macs are left out in the cold as well; you'd have thought someone would have knocked something up (unless there's a reason for the dumbed down interface?).
This post was a bit of a ramble, and I couldn't resist the Apple dig. But before anyone flames me, think about this - I just wasted a few seconds of your life talking utter crap - you may struggle to beat that?
Icon cos I'm feeling a little morbid, something to do with Death of El Reg due to infestation with iTards - more critical than woodworm, more repugnant than dry rot! (there I did it again!)
Mac OS X has an OS-level updater...but it doesn't have much in the way of third-party application support. Compared to yum or apt, it's still pretty primitive.
The ultimate solution to these problems is for Microsoft and Apple to allow other applications to register with their patching solutions, so all applications have a single patch management solution.
The only reason these companies don't is some vague fears about liability, which says a lot about the culture that we let crap like that stand in the way of something as critical as system security. It's a sad state of affairs…
'twould be nice if they would. That said, they'd also need the support of the third party apps. Think about the furore when they decided to 'update' Firefox for you. Not quite the same thing admittedly, but a similar criticism would be levelled.
I'm betting they'd happily open their API to devs... given the right price.
It's a pity that such basic politics can leave everyone in the crap, much as I'd love to convert everything to *nix, it just isn't feasible as it stands
Tools menu -> "Options..." -> "Advanced" section -> "Update" tab. Choose the "Ask me what I want to do" option.
How can you develop a web app when you haven't even got as far as setting up your browser?
Got as far as "Tools"...
But didn't find the rest. Had to go to Edit - Preferences, Advanced. (Still didn't get the "Ask me what I want to do" option) (Ver. 3.6.3, English version)
Guess Ubuntu is different*. Don't find Windows XP updater particularly obscure, either. Just tells me not to turn off the computer while it does it.
Maybe I'm the 'fartie' this article was written for? Puzzling.
* Why should the Windows version, and the Linux version differ so much?
A recent OS re-install as a result of a failed upgrade. Been catching up on lost time, which is why I haven't got around to configuring the OS yet, still set to 1 click opens files.
It's on my list.....
you can do it....
As I said before, I've not got as far as looking as I've a lot to catch up on before worrying about such things. You can definitely do it in about:config though there must be a simpler way!!
Did strike me that the poster assumed I was running windows, as well as assuming that firefox is my main browser, but there ya go!
I don't think that the apt way is good for Windows machines.
It works on Linux because it (in the default configuration*) does not allow third-party developers to push updates on my system. Rather, the Ubuntu people take the source code, compile it themselves, put it on their own server and then push it to me. I trust them to do this competently, without letting a threat through.
Now imagine what would this look like if Microsoft decided to make an apt-like utility for Windows. They certainly cannot get the source code of the popular windows software and offer compilations of it on their servers. What they can do is to offer an API for third party software developers which will let them register their software with the new MS Apt. This registration will possibly happen without my knowledge during the Install Shield process, just like nowadays so many Windows applications use the install process to configure themselves to start together with Windows and sit in the system tray all day long, even if I only need them once a month. But the biggest problem is that this creates the perfect vector for malware. Imagine that CyberMafia Inc. writes a perfect little tool for something. The tool is good, it is free, and it becomes popular. Let's say that 10% of all Windows machines have this software installed. Then CyberMafia Inc. pushes a so-called update, which is actually a dangerous malware? It will take CyberMafia years to pull it off, and they'll probably only have 3-4 hours before antivirus tools get their own updates and start banishing the thing, but if they get enough banking credentials or pull off the biggest ddos in history, it may be worth it. And just imagine what happens if antivirus manufacturers decide to use this mechanism for their updates: we'll have created the perfect one-stop malware target.
Ultimately, it broils down to who you can trust to install software on your computer. I trust Canonical, and Adobe, and Sophos, and Mozilla, and also Microsoft. I'd trust Apple, if I had a use for their software. But the apt-like approach coupled with closed-source applications only functions well with a stringent white list, like the iPhone app store. I don't think even Microsoft can pull this one off in the Windows ecosystem.
*Of course, apt allows the user to add software sources over which Canonical has no power whatsoever. This doesn't result in massive infections within the current ubuntu community for the same reasons which hold linux infections through other vectors low. But if you as a professional admin allow your (windows or linux) users to do this, I'd say it is the biggest gaping security hole in your network. A solution where there is a centralised update mechanism, but only the administrator can choose which apps may use it, could theoretically function for a well managed network, but let's face it, most computers in this world aren't parts of well managed networks, and introducing such a wide open door for malware on every windows computer will result in absolute disaster.
I am sorry, but I have to completely disagree with you on this one. Microsoft has proven to be excellent at vetting corporations for inclusion in such ventures. Look at the WHQL driver program. If Microsoft were of half a mind to, they could build on the WHQL driver program and create a list of Microsoft-qualified patch suppliers.
These companies and developers would register with Microsoft, and the whole system could be driven via Microsoft Update.
Companies that don’t want to play ball don’t have to; but it would rapidly become a selling point for one type of software over another, especially in a business environment. Just as I am not going to deploy a piece of hardware without a WHQLed driver in a business environment, I wouldn’t deploy a non-Microsoft-certified application partner unless my back was right up against the wall.
This is what Microsoft *does.* This kind of ecosystem building is why they became what they are. You have a lot of talk about how Microsoft needs to innovate and do something actually useful and new, instead of just following Apple?
How about returning to their roots: business computing. Give me a business computing ecosystem I can TRUST; one that's tested and vetted to work together by corporations with the kind of money and power that Microsoft and Adobe and all these corporations have. Get an industry group together, and a gigantic patch testing lab filled with people whose job it is to do nothing all day but vet patches. Take the Apple iStore idea, and do it one better. Give me a platform on which I can install anything I want; but to which you also provide me a nicely managed, tightly knit walled garden that I can choose to opt in to.
You might not think it would work, but I think it’s worth a yearly subscription.
And another thing about Adobe
That Adobe updater sits on my system constantly, using a steady 10MB of memory to do absolutely nothing.
Now I know that memory is cheap these days, but what possible use can it have for ten fricking megabytes the whole time? Maybe a bit of memory when it checks for an update, but the whole time?
It's an absolute bunch of cock.
Someone should enlighten them to the task scheduler
I quite agree. Particularly as a suitable scheduled task would do the job just as effectively, after running the updater program could then terminate entirely.
But what would you expect from a company which invented the Acrobat speed launcher thing that ran perpetually just to increase acrobat reader launch time by some fraction of a second.
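The scheduled-task alternative the two posts above call for, as an added example written for this page rather than anything from the original comments or from Adobe: it removes the updater's autostart entry and registers a daily task that runs the same executable once and exits. The updater path, the Run-key value name and the task name are placeholders (look the real ones up with Autoruns first); `schtasks.exe` and its switches are the standard Windows tool, and `/RL HIGHEST` exists only on Vista and later.

```powershell
# Added example (not from the original comments): replace a permanently
# resident "updater" with a scheduled task that runs once a day and exits.
# Placeholders: $UpdaterExe, $RunValue and $TaskName are assumptions; check
# the real autostart entry with Autoruns or under HKLM\...\Run before use.

$UpdaterExe = 'C:\Program Files\ExampleVendor\Updater.exe'   # assumption
$RunKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValue   = 'ExampleVendorUpdater'                          # assumption
$TaskName   = 'ExampleVendor Update Check'                    # assumption

function Remove-ResidentUpdater {
    # Stop the updater from starting at every logon; the task replaces it.
    if (Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $RunKey -Name $RunValue
    }
}

function Register-UpdaterTask {
    # /RU SYSTEM runs without a logged-on user; /RL HIGHEST (Vista+) gives
    # the installer the elevation it needs; /F overwrites an existing task.
    # The embedded quotes protect the space in "Program Files".
    $taskArgs = @('/Create', '/F',
                  '/TN', $TaskName,
                  '/TR', "`"$UpdaterExe`"",
                  '/SC', 'DAILY', '/ST', '03:00',
                  '/RU', 'SYSTEM', '/RL', 'HIGHEST')
    & schtasks.exe @taskArgs
}

function Test-UpdaterTask {
    # schtasks /Query returns exit code 0 only if the named task exists.
    & schtasks.exe /Query /TN $TaskName 2>&1 | Out-Null
    return ($LASTEXITCODE -eq 0)
}

Remove-ResidentUpdater
Register-UpdaterTask
Test-UpdaterTask    # $true when the task was registered
```

Run it from an elevated prompt; on XP drop the `/RL HIGHEST` pair, which that version of schtasks does not recognise.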
Default 'yes' or Default 'no'?
"Default ports for applications such as SSH, or remote administration applications are a must."
Is this a vote for or against using the 'default' port assignments? You then mention port scanning, and so I _think_ you are saying non-standard assignments are a waste of time, but I'm not sure the intent here?
CHANGING default ports is a must.
I really need to stop writing these things at 10pm, and proof-reading at 1am...
(I say as I know that I have an article due tonight, which I will once more be up late writing…) I will strive to do better!
actually, they're not
Since any self-respecting bot-net has more than 64511 machines, running a port scan of every port above 1024 can be done with only a single hit per client.
Strong firewall policies and pre-written, pre-verified fill-in-the-blank scripts are your friends. It doesn't take 2 days to open up a firewall port, it takes 5 minutes to fill in the on-line form and once approved (now, that could take a while), applying the change takes less than 10 seconds.
One other thing to note is that you need to regularly audit your firewall rules, since having unused holes in a firewall defeats the purpose....especially if it is the GFI rule, that one should be scripted on/off into the job that runs your GFI scans.
Re : Apologies
I use a non-standard SSH port and although this could be seen as security by obscurity it is interesting to look at the router logs. When SSH is on a high, non-standard port I've never seen ANY attempts to login. On the standard port they run at ~10/day
My experience mirrors your own. It wouldn't stop a determined attacker, but it is cheap, easy solution to keep most script kiddies at bay. The idea that your solution must be "perfect" is not one I subscribe to; defence in depth is about combining security ideas. Changing default ports is just the low hanging fruit.
Re : @Chemist →
Thanks Trevor - I agree entirely about a determined attack
Just to round this out - I also only have one user account authorized for SSH - this has a non-trivial username and a long complex password. I also immediately su to a working account after login.
( I know I could use other methods but I've written a custom passphrase > complex password generator that I use for other things anyway)
Pity that's not true
"Sadly, despite all the facilities built into the iStore that have simplified application updates on iPhoneOS devices, full-fat OSX users suffer the same level of third-party neglect that Windows users do."
Umm, Sparkle? http://osx.iusethis.com/top?sparkle=1
(Better tech wri.. oh, why do I even bother?)
Correct me if I am wrong, but 1) Sparkle also exists for Windows, and 2) it is a third party offering, not something funded and supported by Apple Inc.
ever heard of repackaging?
In another life I used to repackage apps, and one of the most important things was NOTHING runs with admin privileges. If it needed it, we would work with the vendor to fix it or dump it for something else that doesn't. Granted, this was quite some time ago and badly written apps are now commonplace in the enterprise COTS software world. :-(
I don't agree about re-imaging workstations monthly. If your QA process is questionable or non-existent and if something goes south, keep your resume up to date!
There was someone who mentioned wireless connectivity on laptops outside of the managed environment as a reason to be admin. Sorry, wrong get a better supplicant like Juniper's Odyssey.
There was another comment about Power Users and regular users or something to that effect. Sorry, there is only one class of "user" not developing or administrating, that's "L"users, and they will F!@# up a paperweight if given enough time and permissions.
I will say this very, very slowly for everyone who lets their users install software on corporate managed infrastructure.
If you allow them to, you do not have a managed network; you have a bunch of home PCs all plugged in and accessing your IP. You introduce so many risks to the organization the el' Reg comment box would puke if I tried to list them all. Here are some highlights though,
Licensing, Incompatibility, Internal Support costs, Security, Privacy and on and on and on
Albeit, if you don't have the $$ to fully manage your infrastructure you are bailing at best. I do feel for you and ultimately security and stability have to make concessions to reality. :-( Not a good place to be but you can befriend a CISSP ;-)
"Sorry, there is only one class of "user" not developing or administrating, that's "L"users and they will F!@# up a paperweight if given enough time and permissions."
Will we? Let me think, in the decade and a bit that I've had local admin rights to all the various corporate IT resources I've used, the number of times I've stuffed things up can be counted on the fingers of no hands. In that same period, the number of times things have been stuffed up by the IT departments would require at least two hands-worth of digits to count. Add to that the number of times when the only people within the company who knew how to fix an issue with a particular bit of hardware/software were the engineers who used it daily, and where if we'd been forced to rely on the IT department to resolve the issue we'd still be waiting for a fix, and I'm forced to reach the conclusion that in my experience it's not the "l"users who cause problems...
"Licensing, Incompatibility, Internal Support costs, Security, Privacy and on and on and on"
The legal stuff has always been covered by my contracts and the IT AUP's - if I install unlicenced software, spyware, malware etc. etc. then I'm putting my career at risk (at best a first offence would see me receiving a serious bollocking, at worst it'd be grounds for instant dismissal). So guess what, I don't do it. Anything to do with support, maintenance etc. is also my responsibility - if it wasn't installed by the IT department, it doesn't get supported by them, simple. As a professional engineer, I'm trusted by the companies I work for to do my job properly, and part of that job is to be able to configure development systems correctly.
Please see the conversation at the top of this thread; it was mentioned that your approach has flaws. It references a previous thread where this idea was completely torn apart.
Old problem "solved" 10 years ago
I had this issue when I was doing Windows system administration years ago. The answer is (was) in repackaging the software yourself in MSI packages and using existing Microsoft tools to do the installation and updates centrally. It's a drag, sure, but you can make sure those lousy Adobe apps have the correct registry permissions such that a regular user is able to use them.
There's no reason to let users have admin rights. If they need a piece of software you repackage and publish it via Active Directory, and normal users can choose to install it via the Control Panel. If you don't like the default Microsoft tools, there are 3rd party utilities for packaging and distributing/publishing software for users. Even Windows 2000 Pro came with a utility from Veritas for repackaging software, although I found the 3rd party ones to be better.
There are even websites that describe how to repackage specific software. Can't be bothered to Google them now.
Sometimes a piece of software appears to be difficult to manage centrally as it is provided with an executable installer, but actually it has well documented procedures for creating the MSI package and setting it up for centralized distribution and configuration using the standard Microsoft tools. Norton antivirus corporate was one.
Repackaging software is a lot of work for a lone administrator in a small environment, but should still be a priority. Once you're familiar with the quirks of each software package it becomes easier. As a customer, the ease of deployment should also factor into your choice of software purchases, and you should push the supplier to package the software in MSIs. Many vendors have already "got it", and it's high time others caught up. The facility has been there for 10 years from Microsoft's side!
BTW, it's not always rosier on the Linux side. Especially commercial software vendors provide a binary installer instead of RPMs or Debs. Luckily there's no registry to worry about so making your own RPMs and Debs is a lot easier than creating MSIs, but again as a customer it's your duty to inform the vendor about your needs.
The problem is people tend to think if you can maintain your home PC you have the skills to be a Windows sysadmin. Wrong. As a sysadmin you need the power to maintain hundreds of PCs by yourself without lifting your butt off your chair. If scripting, the command line (yes you need it on Windows) or the registry are too scary you should reconsider your chosen profession.
Please see the conversation at the top of this thread; it was mentioned that your approach has flaws. It references a previous thread where this idea was completely torn apart.
I take it by "torn apart" you refer to this survey
"Of 542 networks, 218 ran BISS.
316 unique BISS applications were identified.
292 were identified as requiring administrative privilege."
I believe it's possible that BISS software absolutely requires admin privileges. However, if you don't ask why, you've got to turn in your geek card right now. In my own experience a piece of software that "requires" admin privileges has simply been installed with administrator-only file and/or registry permissions, which are a doddle to change. In other words, the admin privileges are not an intrinsic requirement for the software, merely the result of a poor installer. Of the above 292 pieces of software, how many would work with a simple visit to registry and file permissions? My guess is many. When I had to worry about this stuff I used the Sysinternals tools to follow what directories and registry entries the software was trying to access and change. Granting users write access to those parts worked like a charm. YMMV.
I'm not saying one never needs to grant administrative privileges to end users. I meant to point out that by repackaging software (for ease of installation, patching, accounting etc) you often get the benefit of setting the registry and file permission such that those privileges are not required.
My main point was about patching software. Since I quit my admin job I've worked in two very large companies as a developer and my approach has been vindicated. Never has anyone from IT touched my PC to install or upgrade software. Each company had a centralized software repository, including plenty of bespoke software, and mechanisms of delivering new installations and software updates. There's never a case of "oops, I missed a PC in room 413", or having to rely on the half-dozen software update agents running on each PC.
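The permission fix described in that post (trace the ACCESS DENIED results in Process Monitor, then grant Users write access to just those locations), as an added example written for this page and not code from the original commenter or from Sysinternals. The application directory and registry key are placeholders for whatever the ProcMon trace actually shows; the ACL classes are the standard .NET `System.Security.AccessControl` types that PowerShell's `Get-Acl`/`Set-Acl` work with on both the file system and registry providers.

```powershell
# Added example (not from the original comments): grant BUILTIN\Users the
# minimum write rights an "admin-only" application needs, on exactly the
# directory and registry key Process Monitor showed it failing to write to,
# instead of making the user a local administrator.
# $AppDir and $AppKey are assumptions standing in for the traced locations.

$AppDir = 'C:\Program Files\ExampleVendor\ExampleApp'   # assumption
$AppKey = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'     # assumption
$Group  = 'BUILTIN\Users'

function Grant-UserWrite {
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -Path $Path
    if ($Path -like 'HKLM:*' -or $Path -like 'HKCU:*') {
        # Registry: create/set values and subkeys below this key, inherited
        # down the tree, but no ChangePermissions or TakeOwnership.
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $Identity,
            [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey, Delete',
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
    } else {
        # File system: Modify = read, write, delete on files and subfolders,
        # still short of FullControl (no ACL changes, no ownership).
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Identity,
            [System.Security.AccessControl.FileSystemRights]::Modify,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
    }
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-GrantedRights {
    # Read the ACL back so the change can be verified and documented.
    param([string]$Path, [string]$Identity)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference -eq $Identity -and $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, FileSystemRights, RegistryRights, IsInherited
}

Grant-UserWrite -Path $AppDir -Identity $Group
Grant-UserWrite -Path $AppKey -Identity $Group
Get-GrantedRights -Path $AppDir -Identity $Group
Get-GrantedRights -Path $AppKey -Identity $Group
```

Keep the grant scoped to the application's own directory and key; widening it to all of Program Files or HKLM\SOFTWARE would hand a low-privilege process a path to tamper with every other installed program.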
Note that disabling autorun/autoplay may be not trivial
There are at least two Windows XP patches that apply to creating the facility to disable autoplay by drive letter and/or drive type in the registry, and -then- there's ambiguity between whether the registry key(s) in per-user or per-machine are in control.
I think the registry key confusion is why Windows suddenly decided to create its own key to re-enable AutoPlay after I disabled it and then changed some hard disk partitions and letters, although the event had the side effect of discouraging me from using the bootable Linux SystemRescueCD, with which I'd done the partitioning and then a clamav virus scan for the heck of it. And also because, last I saw (a few months ago), the Malwarebytes internet-blocker flagged SystemRescueCD as a nasty. This seems to have been in fact because some other sites using the same hosting service as SRCD are nasty and are moved around and Malwarebytes decided that a lazy response was best (meanwhile they were recommending using SRCD for system maintenance), but it cured me of most of the urge to play with all of the exciting new Linux distros - or even to have the latest edition of every tool, which is SRCD's angle.
Another gotcha was the partitioner tools - parted, libparted, gparted - suddenly becoming dangerous on the new Linux kernel at the time. Something about failing to persuade the kernel to recognise the new partition table, a communication timing issue, disks left unreadable; it was happening rarely (or not?) and randomly and, the last that I heard, still was - they just managed to patch the program to make the odds more favourable. So when they say BACK UP YOUR DISK FIRST they are NOT KIDDING. But I suppose most people who have read this far already hold that opinion.
It's another case where the moral is that being playful gets you into trouble.
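The per-user versus per-machine ambiguity that post describes is the reason to set the policy machine-wide and then read both hives back. The following is an added example written for this page, not code from the original comments or from Microsoft: the value names are Microsoft's documented AutoRun policy values (NoDriveTypeAutoRun, and HonorAutorunSetting from KB967715, without which XP and 2003 ignored the policy), the function names are this example's own, and it assumes an elevated PowerShell session on XP SP3 with that update or on Vista/7, where the HKLM value takes precedence when both hives set one.

```powershell
# Added example (not from the original comments): disable AutoRun for every
# drive type machine-wide and report any per-user key that disagrees with it.
# Run elevated. Value names are Microsoft's; the function names are ours.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$UserKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Disable-AutoRun {
    # 0xFF sets the bit for every drive type (unknown, removable, fixed,
    # network, CD-ROM, RAM disk, reserved), so AutoRun is off everywhere.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    # HonorAutorunSetting = 1 (KB967715) makes XP/2003 actually honour the
    # value above; harmless on Vista/7, where it is already respected.
    Set-ItemProperty -Path $PolicyKey -Name 'HonorAutorunSetting' -Value 1 -Type DWord
}

function Get-AutoRunState {
    # Read both hives so a conflicting per-user value is visible rather
    # than silently resolved by precedence rules nobody remembers.
    $machine = (Get-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $user    = (Get-ItemProperty -Path $UserKey   -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    New-Object PSObject -Property @{
        MachineValue        = $machine
        UserValue           = $user
        MachineDisabled     = ($machine -eq 0xFF)
        UserOverridePresent = ($null -ne $user -and $user -ne 0xFF)
    }
}

Disable-AutoRun
Get-AutoRunState | Format-List
```

If UserOverridePresent comes back $true for the logged-on account, delete or correct the HKCU value as well; relying on the machine value winning is exactly the kind of assumption that left the poster above with AutoPlay quietly re-enabled.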
Disabling Autoplay /entirely/ is absolutely required for at least one of my usage scenarios.
Ready for something terrifying?
We have dedicated "client stations" at each of our locations whose sole purpose is to have customers walk in with CDs, DVDs, Flash keys or portable hard drives to submit information in a completely unsupervised area into our system. No, this can't be changed, and no we can't afford a nanny. We have to...TRUST OUR CUSTOMERS. (This has negative consequences.)
Our entire business relies on receiving dozens to hundreds of gigabytes of new information a day from our customers. While our client systems did periodically get pwned, it hasn't happened ONCE since we moved to Windows 7.
<3 properly done privilege escalation.
Hey ChrisC and Trevor
Competence and skill, or lack thereof, is not isolated to a single field! GFY for understanding the ramifications of your actions; you are a minority indeed. Daily, I deal with people that are "Decision Makers" and "Leaders" that make you wonder how they even remember to breathe, never mind use a mouse. They are the majority, remember that. ;-)
Every organization assumes and mitigates risks differently; maturity generally dictates their level of risk management and governance. In your case the cost of the control (admin access) is perfectly acceptable to the organization. My questions to you: does the company truly understand the risk associated with you having that access? Do you? Is risking your career because of crapware sneaking onto your workstation worth it? One could make the argument that even without local admin this could happen, but the risk is transferred from you to the IT department.
Just my 2 cents on that.
My friend, please bone up on ITIL, PCI, HIPAA, COBIT and ISO27001. Just to name a few (BIG ONES LOL).
From standards and practices to risk management of IT; never mind corporate risk management; not having total control of your assets is risky. Hell maybe you have done all this and your company knows what could truly happen. I hope for your sake!
From my standpoint, I really don't care how dismissive another thread is about fully managed infrastructure down to the desktop. In my country I have to abide by a Privacy Act and we constantly have auditors' fingers up the you know where. If we fail to satisfy a control audit such as COBIT it is ineffective. You best learn what the "Prudent Person" rule is! If you or your employer has to stand in front of a Judge and say "we did all we could to protect those 2.5 million IDs" and you don't have control of your desktop, well you're fucked! Plain and simple. The saving grace for your position on "Users that are Local Admins" is that if you can prove that your controls work, you are OK. I doubt it though. I really wish a CISSP or GSEC professional would jump in here. Please? I guess after you stop laughing at everything including my ramblings and Trevor's views, you can.
At the end of the day we, in IT, are here to serve the business. This includes managing risks we inherently create by the technology. If the end user understood the ramifications of the assumed risks they are taking on, they would gladly hand over the keys.
Yes, patching is a pain, big big hemorrhoid kind of pain! Just keep thinking about all the overtime...
No one ever said it was easy and it doesn't look like it will anytime soon. :-(
I hope I'm a tad more salient tonight because i haven't had a whole bottle of wine yet. Working on it though :p
If it makes you feel better, the drive for Windows 7 is exactly the ability to run as a non-privileged user in all cases, while allowing those few who require escalation to do so properly, with /much/ training as to why they need to think first, click later.
I’d love to say “my network is where I like it to be, I’m telling you all about my awesome build.” Instead I come before the commenttards of El Reg saying “hey, this isn’t all that grand, so I’m changing it.”
By the end of August, every single VM in my entire network will have been replaced. We are building new domain controllers out on test hardware now, and the new network is building from absolute scratch. All desktops are getting new images, and thanks to the marvels of VDI, one build covers 80% of our users.
I expect to completely replace every install of every chunk of software in the next three months.
It's a Good Thing.
Also: the new network is being designed to be PCI compliant, amongst a raft of other security buzzwordy things. If you are taking the time to do it from scratch...do it right, no?
Of all my clients who aren't mickey mouse - about 90% of them use a centralized desktop pushed out via Citrix or RDP connections to users - so that the environment can be adequately maintained. IT staff might get admin access to an actual PC. Engineers using CAD or other high resource demand applications might get to work from their local machines. Everyone else gets an SOE with only applications that can receive forced updates, locked down so that they can't do very much from it, and works from a centralized desktop where they get a controlled environment.
There are different ways to do things - basic lockdown of an SOE is pretty well documented - but disabling default gateways in the DHCP server so that only the central server and machines with a reservation can get a route to the internet, and unified threat management solutions at a router level with whitelists of what can and can't pass through, and a threat management capable proxy are cheaper than managing the fallout from less restrictive practices if you're running a large office network now.
For situations where you're forced to trust your customers - I'd have those customer machines in a Kiosk configuration, tools like Untangle come with templates out of the box. Isolated subnets with restricted network access and maybe even PXE booting them from an SOE image with a forced overnight restart can all make that situation less horrific.
Trusting any user, and realistically, most IT admins - is always fraught with danger. Anything that relies on humans not making a mistake is bound to dump you in it eventually. It's a pain in the neck sometimes - but locking down the environment - or investing in infrastructure that locks down the environment for you is a cost saving measure for any decent sized business. Sometimes it takes giving the warning and waiting for an expensive outage to get the budget approved, but businesses are all eventually going to start doing a proper job of securing their environment - or take unsustainable losses from outages and lose out to competitors who did it right.