Lockdown Schmockdown

There are small debates going on around local school districts about “locking” down computers in the district.

I support and have implemented a strict policy at my district restricting all end users to a standard user membership in Windows on our network. Here is why:

5-6 years ago when I started working for my district I came into a network in which there was no full-time tech on staff. All users had administrative rights to their computers and everyone was mad, frustrated and inefficient because of the technology problems. The majority of staff had computers that were relatively new at the time but they couldn’t do anything on the computers. Within the first 3 months of my employment the network had come to a complete halt due to Spyware, Malware, AdAware, Popups, Viruses, etc. This occurred not 1 time but 4 times. All 4 times it took the entire district network down for a minimum of about 1-2 full days.

This is an extreme story, but I use it to make my point. I’ve gone through it. I’ve seen firsthand what happens to a network that allows end users to install whatever they want. But moreover it allows anyone else access to do whatever they want to your computers.

The removal of administrative rights was a difficult concept for some staff and still is for some. We implemented a procedure for getting software installed in which staff are asked to give us 2 weeks notice of the need for software to be installed. It was also explained that we understand there are circumstances in which 2 weeks is not realistic. We take requests and fulfill them the same day if we can. The 2 weeks is primarily for lab installations or other large implementations.

So… Why else do we “lock” down our computers? Is it because I’m mean? Is it because I don’t trust you as an employee or a user? Is it because I don’t like change or innovation?

Absolutely and unequivocally no to all questions. Whenever you implement a product, it is a good idea to read the documentation from the manufacturer of the product to see what the “Best Practices” are for deployment. In researching with Microsoft, no matter what version of Windows you are using, the preferred method of user deployment is to not allow users membership in the Administrators group on the local machine.

This does mean that users will likely run into hurdles which may cause headaches and even discourage them from trying new things. On a daily basis some staff will want to install more software than others. The majority will not need to install anything. The amount of time saved not having to scan and fix infected computers should allow you to address these requests, assuming you aren’t understaffed.

We have gone one step further and have created a user account that does have local administrative rights to all workstations in the district. Staff can make an installation request and then be given the account to log in and install the software themselves.

Another issue you run into is licensing. Most people fall into 3 categories when it comes to licensing.

  1. Those that don’t understand it
  2. Those that do understand it
  3. Those that don’t think it applies to them or education

The 3’s are the ones that can be a real liability to a school district. It is no secret that schools are scrutinized for everything they do nowadays. If you are non-compliant with your licensing you could be sued. Eliminating the ability for staff to install software reduces your risk.

There is a reason computers are “locked” down and it is not to stop innovation. There are casualties in many things we do and sometimes some innovation gets caught up and lost because of policies, procedures and other organizational methods. As an IT Director I work to re-evaluate why we do what we do. Not everyone does and that is unfortunate.

Don’t ever give up on a good idea, but be respectful and patient and reasonable and you’ll usually get results, even with that stubborn tech guy who’s locked up in that secure vault they call a server room 24/7.


One thought on “Lockdown Schmockdown”

  1. It sounds like you walked into a technical nightmare when starting your “journey” in your district. I like the idea that now you have things cleaned up, you do have a way for staff to install apps if you cannot provide support in a timely manner. I understand whitepages and best practices, but when our teachers’ offices went “mobile” we needed a better solution as I can’t provide timely support when they are off our campus.

    I understand your concerns about licenses and we have tried to educate our staff on a yearly basis. However, if they do decide to install unlicensed software anyway – we have a policy to back us up (as I am sure you do too). They need to be accountable for their actions.

    I am glad to hear (and I am sure your staff is too) that you are open to new ideas! Great Post!
