Your neighborhood United Parcel Service driver, while quite possibly a good mechanic, isn't likely to be found at the local auto parts store searching for the latest in shocks, oil filters and nifty racing decals to jazz up that functional but drab delivery van.

Nor is your average UPS computer user expected to tinker with that standard-issue desktop or notebook.

"We don't want them to be able to change the workstation," says Glen Barry, a systems analyst and technical manager at UPS in Mahwah, N.J.

The term "lockdown".is a bit harsh for an industry that thrives on positive and encouraging messages, but it fits the bill.

"You have to be able to protect yourself against malicious, curious or clumsy users, who will go out and do all kinds of nasty things to the machine you've provided them with," says Steve Kleynhans, an analyst with Meta Group.

It's not clear how many corporate IT shops rely on actual lockdown programs. About 60% of organizations say they have some form of technical lockdown in place, but Kleynhans puts the real figure below 50%.

"I have a feeling a lot more people say they're using lockdowns than actually are," Kleynhans says. "In many cases, they just say 'Don't make changes to you machine,' as opposed to having a formal facility that actually prevents them from doing it."

It's a lock

Lockdown tools use access policies or security levels that hamstring users' ability to make changes to their systems or access unauthorized resources.

One of the more common, if minimal, forms of lockdown is simply denying end users administrative privileges, which prevents them from making major changes. It closes off access to the system registry and prevents users from taking actions such as selecting printers, and otherwise changing the configuration.

In some cases, an administrator might use an asset management package to set the license volume to zero for unauthorized applications that are known to circulate among users, a measure that prevents those applications from running.

Other measures include denying access to certain applications, based on job function or other grouping, or assigning an operating systems' administrative privileges to the IT department and not the end user, and otherwise opting for strict operating system security settings.

The lock as business tool

For most companies, the question is not whether it's technically possible to lock down user desktops, but whether there's a compelling business reason to do so.

"Why would you be wanting to lock down? Is it because people are using corporate assets for noncorporate reasons? Is it that in doing so they're exposing the company to risk? Is it lost productivity? Is it that the employees, through their own simple and well-intentioned, hard-working stupidity keep scrambling these great big fat PCs so that they crash and they lose productivity? Is it a TCO issue?" asks Valerie O'Connell, an analyst with market research firm Aberdeen Group.

"The technology is there to manage any business decision you might come up with," she says.

Given the range of options, IT managers need to balance the need for security and control with employee

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine