Study: Majority of workers admit to installing personal software on work PCs

It's not a shock to learn that malware infections can cost money and time to fix, but just how much time and cash is lost dealing with these kinds of cyberattacks? Microsoft decided to find out in a new study that it commissioned from research firm IDC.

The results of the study claim that worldwide, consumers will spend a total of 1.5 billion hours, along with $22 billion, in finding, fixing and recovering from malware attacks. Businesses will spend $114 billion worldwide dealing with their own malware issues. IDC interviewed 2,077 consumers and 258 IT managers around the world for the study, along with checking out 270 websites and peer-to-peer networks, 108 software downloads, and 155 CDs or DVDs.

One interesting part of the study revealed just how much unauthorized software is downloaded and installed on a PC by an employee at work. Microsoft said:

Although 38 percent of IT managers acknowledge that it happens, 57 percent of workers admit they install personal software onto employer-owned computers. What is alarming is that respondents told IDC that only 30 percent of the software they installed on their work computers was problem-free. Sixty-five percent of IT managers agree that user-installed software increases an organization’s security risks.

The study was commissioned as part of the new Play It Safe campaign to educate both consumers and businesses on the dangers of installing malware or counterfeit software.

Source: Microsoft

95 Comments


With everything locked down from websites, USB Ports and the Wallpaper is actually frustrating after a few days. I understand there are other users who totally mess systems up if given admin rights; but for smarter users, there should be some flexibility. The only softwares I typically need to install are firefox (Company is still on IE7), Bing Desktop and Notepad++.

An excellent illustration for two statements: "Don't mix business with pleasure." BYOD has no place in the office, save for a very few very well defined situations.

I'll admit to doing it. Much is due to necessity, while some is due to my own arrogance and knowing that our IT is inept.

Our company is a large corporation and has around 100,000 employees worldwide. Most of our IT is centralized, so the offices I've worked at, if I wasn't given admin access then we'd have to lose a few days of productivity.

Now, like most users of Neowin, I'm not installing spyware crap on my PC. I get for a shared kiosk or workstation that a standard employee shouldn't have admin access. In my engineering role, I'm our unofficial IT person that everyone goes to. Most of the issues I see on company machines are due to the terrible choices they have made in regards to anti-virus/spyware and firewall programs.

My policy is pretty simple, I don't bother IT and they don't bother me. The only time I will go to IT is to fix a hardware issue and get an RMA.

I already have admin access, but they do audit our PCs regularly. Like many companies, they push IE down our throats. Until last year, we were "forced" to use IE6. This notion that big companies can afford to or will spend money to upgrade isn't always true. So yes, I have a third party browser that is better for me and I use skpswi.dat to prevent it from being scanned by our inventory system. Besides that, the only programs I've installed were a freeware image editor and a tool for batch renaming files. Oh, and VLC to play media files sent in from customers without the need of codecs. Do I *need* these things to perform my job? Nope, but they make me one helluva lot more productive.

When I went on vacation, I took my laptop but partitioned it with my legit copy of Windows 8 and then enabled BitLocker, while hiding the drive from my work's XP partition. That'll probably make a few of you cringe, but does even 1% of the workforce outside of IT even have this ability?

I'm not ashamed of doing what I want to make me more productive because I single handedly was responsible for an 8 figure profit last year.

So all of my arrogance aside, I'm with the balanced approach that there isn't an across the board policy. Certain people need to have access. When I set up new employees on our systems to be able to engineer products, I follow a 30+ page bible that I developed to get every program installed and all access provided. I'd love for a standard image to be available, but what we do is so specialized that it just isn't feasible.

I spoke with some IT people at our main facility and we are switching to Windows 7 by the end of the year as a corporate IT mandate. Nobody, including the local IT group will have admin access. It will be a disaster, considering that most of our internal programs don't work with Windows 7 yet. Corporate's fault for not upgrading them sooner, but it'll cripple a good percentage of our workforce.

Everybody's going to have a lot of opinions about this when the simple fact is that security demands are going to vary from industry to industry, business to business, and user to user.

There is no across-the-board best practice for administering corporate computers, and simply having experience working in IT won't make your opinion any more globally valid.

This is exactly the reason why I disagree with software installers that put the program files within
the Username sub-directory of C:\Users\ (or C:\Documents and Settings\). Yes, Google Chrome
default auto-installer, I'm looking at you! The C:\Program Files\ directory is there for a reason!

If you don't have the relevant admin level privileges to install software on a PC that isn't yours,
then tough titty, do not attempt to install ANY software on it, whether or not the admins have
set up their network and all workstations to automatically disallow unauthorised software.

Google Chrome is considered malware at my company. Most of the sites we use require internet explorer. Our main software requires IE to be the default browser. Chrome and firefox interfere with it as much as possible, and so they are black listed (if they get installed, spiceworks tells me and I promptly remove them)

Kia just recently started using Chrome for testing, so we use the Iron browser (chrome without the google spyware) and it seems to be okay for those few instances.

I just don't have time to lock down our PCs like Fort Knox and deal with the bureaucracy that creates and I know all our employees personally which is different than if you're dealing with people you've never had any interaction with.

Of course if it was a huge corporation with buckets of money and plenty of resources I'm sure it's different but we don't have that luxury.

Edited by matt4pack, Mar 6 2013, 8:42pm :

IT departments take on a lot of responsibilities, but ultimately are not responsible for profits. Profitability is increased when IT departments do what they need to do to support their users and beyond that get out of the way.

If you are the IT department for a studio that makes software and has mostly a staff of engineers (where I am at), these kinds of users need as much flexibility as they can get.

If you are the IT department for a call center, well then sure, lock the computers down. You need to meet the end users' needs.

I interview IT applicants, and if I get the feeling that they want to do what they want to do and not listen to the users then they won't be hired here.

When I started my current job 5 years ago we had an open policy because the other admin was lazy. After several major viruses and constant spyware/malware infections I decided enough was enough. Get manager support and put in a pretty strict content filter. Combine that with setting everyone up as a power user and restricting software installs and it seems to have curbed the problem. Do users get mad when they can't install the coupon printer toolbar?, yes.... but usually those employees don't last too long.

I just wish more of the software we use would be written correctly without the need for Admin access. It's a combination of lazy programmers and uneducated developers. I'm not generalizing programmers/developers... I'm sure there are good ones, but we seem to buy software written by the lazy ones.

No user should have admin access to the machine they work on... period. I have heard all the excuses under the sun as well. Even IT people shouldn't have admin access on a desktop account, they should have a separate admin account just for admin purposes. Also a lot of freeware/shareware do not cover use in an enterprise environment and should be removed and a paid for application should be purchased and used. IT shouldn't be allowed to remote to home servers/desktops either. Lead by example.

Really. Let's say you can stop me from having admin access. Can you stop me from running programs from my 64GB Flash drive? portableapps.com is a great site. I don't need to access it from work. I can do it at home, drop it on my drive and run it on my work computer.

Stup0t said,
Also a lot of freeware/shareware do not cover use in an enterprise environment and should be removed
Really? Let's say you can stop me from having admin access. Can you stop me from running programs from my 64GB Flash drive? portableapps.com is a great site. I don't need to access it from work. I can do it at home, drop it on my drive and run it on my work computer.

Stup0t said,
No user should have admin access to the machine they work on... period. I have heard all the excuses under the sun as well. Even IT people shouldn't have admin access on a desktop account, they should have a separate admin account just for admin purposes. Also a lot of freeware/shareware do not cover use in an enterprise environment and should be removed and a paid for application should be purchased and used. IT shouldn't be allowed to remote to home servers/desktops either. Lead by example.

You are wrong. Please don't ever apply for an IT position where I work. IT is there to support the user not lead a computer dictatorship. Lots of users need admin access to their machine and cannot afford to wait on IT to get basic things that need to get done. You are wrong in that you think that developing a policy across the board is the right approach. Nope, the right thing to do is to listen to your users and meet their needs, not dictate to them.

Shadrack said,

You are wrong. Please don't ever apply for an IT position where I work. IT is there to support the user not lead a computer dictatorship. Lots of users need admin access to their machine and cannot afford to wait on IT to get basic things that need to get done. You are wrong in that you think that developing a policy across the board is the right approach. Nope, the right thing to do is to listen to your users and meet their needs, not dictate to them.

^ THIS. Which is why I did what I had to do. I'm more efficient now that I don't have to wait on our IT department.

DarkNet said,
Really. Let's say you can stop me from having admin access. Can you stop me from running programs from my 64GB Flash drive? portableapps.com is a great site. I don't need to access it from work. I can do it at home, drop it on my drive and run it on my work computer.

Yes they can. Just the fact you are plugging your personal USB drive into company workstations.

Shadrack said,

You are wrong. Please don't ever apply for an IT position where I work. IT is there to support the user not lead a computer dictatorship. Lots of users need admin access to their machine and cannot afford to wait on IT to get basic things that need to get done. You are wrong in that you think that developing a policy across the board is the right approach. Nope, the right thing to do is to listen to your users and meet their needs, not dictate to them.

This is also why time and time again companies get hacked from within by a single user's workstation.

warwagon said,

This is also why time and time again companies get hacked from within by a single user's workstation.

Again, case-by-case user situation. My point isn't that workstations shouldn't be locked down. In some work environments it makes sense. But I'll be damned before I come get my IT guy to install the software I just compiled to make sure it installs and works properly. Some work environments need to be flexible. You guys spouting totality of IT dictatorships are wrong.

DarkNet said,
Can you stop me from running programs from my 64GB Flash drive?

Sure I can and have stopped people before. It's called disabling mass storage devices company wide and only allowing authorized drives. Last job the only drives we allowed were company purchased flash drives. Anything else was blocked.

I gave myself admin rights by running a program during bootup to erase the password of the admin thus allowing me to log in as the admin and putting my username as admin.

Not hard at all.

The admin password is changed every 4 hours, so as long as I don't connect the computer to the network, I can log in as admin. Once logged into PC and making necessary changes to my account, I can reconnect to network and never need to have admin "password".

Yeah, it's not traceable and nobody is the wiser because I don't call help desk. I don't get viruses and when hardware fails or I'm due for an upgrade, I just do this all over again.

But on a side note, I am a consultant. I don't work at my company. I work at a client's office. So the machine technically isn't my company's, it is my client company's. But almost the same thing.

Once it was discovered I had admin access because they needed to upgrade my Autodesk to 2010. They removed it, next day I put it back on. I've been doing this since 2005 at the same site. Nobody has been the wiser.

And what reasoning do you have for giving yourself this right against the will of the company you are working for? If I was your "client", I would fire your ass in a heart beat if it ever came to light.

And it is traceable if the company did such a thing as auditing.

Klownicle said,
And what reasoning do you have for giving yourself this right against the will of the company you are working for? If I was your "client", I would fire your ass in a heart beat if it ever came to light.

And it is traceable if the company did such a thing.

Again, the one time it was caught they had no clue why I was given admin rights and they reverted it. No biggie. Even my boss told me to do what I have to do. IT can't fire me. Know the place you are doing it in and it really isn't that scary.

It's also a good thing that they want my services for this long. Have you ever heard of one person getting a two year contract over and over again? It's rare. They like what I do.

Edit: Main reason for doing it: There is a program that doesn't work if this plugin (which really is just a program in itself) is installed. But I need it when doing one thing, and don't need it when I am doing another thing. So it is constantly getting installed and uninstalled. Which is what prompted my boss to ask me if there is anything I can do to not wait for IT. I said yes. He said I don't want to know (since he works directly for them) and that was that.

Now, I am efficient.

Klownicle said,
If I was your "client", I would fire your ass in a heart beat if it ever came to light.

And it is traceable if the company did such a thing as auditing.

It's also a good thing I don't work for A**holes. That's a plus. All the programs on my machine are legal with their licenses. All the freeware apps are on the approved list. Again, untraceable. Just read my previous comment to understand why it was done.

Anything that isn't allowed I run as a portable app. IT knows it. And they said it is pretty cool. They had no idea one can do that.

DarkNet said,
I gave myself admin rights by running a program during bootup to erase the password of the admin thus allowing me to log in as the admin and putting my username as admin.

Major abuse of company equipment and here, you would have been fired no questions asked.

DarkNet said,

It's also a good thing I don't work for A**holes.

Security and restrictions are put in place to protect the company, and its employees. It's not because people are *******s. Funny that a lot of people call IT *******s since they have to enforce certain policies and deny access to software/hardware. So if someone doesn't get what they want, it always reflects bad on IT.

deadonthefloor said,

You are possibly the WORST type of IT worker there is.

I am not IT. Where did you get that?

techbeck said,

Security and restrictions are put in place to protect the company, and its employees. It's not because people are *******s. Funny that a lot of people call IT *******s since they have to enforce certain policies and deny access to software/hardware. So if someone doesn't get what they want, it always reflects bad on IT.


A) I can't be fired. I am a consultant. Maybe (that's a huge stretch) they kick me out of the position for the client.
B) My Boss at the client's office and my boss at work know about it. I'm safe.
C) How would you prove that I did that?
D) Can you fire someone without proof? If so, thank god my client likes me. They keep renewing my contract.
E) I wasn't calling IT workers *************s, I said I don't work for ***********s Did you read anything I wrote?

Perhaps you should ask yourself why you said all these things. Fired without proof? Misreading who I called **************s. Are you an IT worker and somehow feel slighted? I think now we are getting into human behavior topic.

I'm sorry if you seemed insulted. I assure this wasn't a personal attack on you. You can go to bed a happy person tonight

DarkNet said,

E) I wasn't calling IT workers *************s, I said I don't work for ***********s Did you read anything I wrote?

Where did I say you did call IT workers that? Maybe you should read. You made a comment that you are happy you don't work for *******s that would fire you for the things you do. I simply commented that it's funny that people think of IT as *******s for doing their jobs and enforcing the policies. I never once pointed at you.

And nothing you say or anyone else on here will interfere with my sleep. I will sleep just fine.

techbeck said,

Security and restrictions are put in place to protect the company, and its employees. It's not because people are *******s. Funny that a lot of people call IT *******s since they have to enforce certain policies and deny access to software/hardware. So if someone doesn't get what they want, it always reflects bad on IT.

Seriously I have to ask you again. Did you read anything at all. This is you in response to my insult. What's wrong with you? You need help?

techbeck said,

Where did I say you did call IT workers that? Maybe you should read. You made a comment that you are happy you don't work for *******s that would fire you for the things you do. I simply commented that it's funny that people think of IT as *******s for doing their jobs and enforcing the policies. I never once pointed at you.

And nothing you say or anyone else on here will interfere with my sleep. I will sleep just fine.

Please learn to read. Do I need to give you a screenshot. You do realize it was in response to me with just the online you quoted. Maybe you do need to get some sleep.

techbeck said,

Security and restrictions are put in place to protect the company, and its employees. It's not because people are *******s. Funny that a lot of people call IT *******s since they have to enforce certain policies and deny access to software/hardware. So if someone doesn't get what they want, it always reflects bad on IT.

Seriously I have to ask you again. Did you read anything at all. This is you in response to my insult. What's wrong with you? You need help?

DarkNet said,

Seriously I have to ask you again. Did you read anything at all. This is you in response to my insult. What's wrong with you? You need help?

I said a lot of people. I never said you. Read again. I was making a general comment on how some people perceive IT. Why I used the term PEOPLE and not YOU or your nick.

That is all. Your childish condescending tone shows your maturity. If you think whatever you do cannot be traced and at some point in time you will not get in trouble, then keep thinking that. Policies and security are getting stricter all the time. May not be this job...but you better watch yourself.

Have a good evening.

Sorry for the late response. I actually just went to sleep. I gave you no second thought (well I normally don't).

Funny you decide to quote me and respond to me but this was all "general". Very interesting that you are now backpedaling.

Have a good day.

DarkNet said,
Sorry for the late response. I actually just went to sleep. I gave you no second thought (well I normally don't).

Funny you decide to quote me and respond to me but this was all "general". Very interesting that you are now backpedaling.

Have a good day.

I am not backpedaling. I never called you by name or said you did anything. And it was a general comment regardless if you think so or not. You think you are untouchable and obviously not aware on what IT departments can do to track you and log your activities. Instead you perceive people who put these policies in place as *******s, and yes you did call these people *******s. Should I quote you?


It's also a good thing I don't work for A**holes. That's a plus.

In which my response was it is funny that PEOPLE think of IT as *******s since we have to enforce these policies. This is a GENERALIZED comment since in a lot of areas, IT is considered the dicks of the company for the restrictions and rules we enforce. If you worked in IT, you would realize that and wouldn't have taken my comment so personally.

Now, if you cannot understand all of that, then I really have no time for you. Actually, that is all I have time for this topic. Tired of explaining myself to you.

techbeck said,
...

Did you see what I was responding to? I said IT can't fire me. Only the client can. I also stated they are not **********s. You are taking this too personal. Let it go my friend.

Hopefully you can read that and finally understand. Now I am done with you.

Teamviewer people, remote into your home environment. There you can have all the porn and personal applications (and audio transferring). No need to mock up your works environment.

It's all I use in my IT position.

For my job I get admin privileges on my work computer but I don't have any personal software installed. But does having teamviewer installed so I can remote back into my home computer count and get personal work done count?

Brony said,
Usually, strict IT policies hurts productivity. And worst, some policies are easy to bypass it.

And open IT policies don't? I've fixed up company networks because of their open policies. Casual users will install any junk. The amount of computers slowed down to a crippling halt because of this is mindboggling. And the only thing the employees or your coworkers do then is complain and have a low productive work day.
And downtime of the system or overtime for the IT to 'repair' this computer.
Companies being blacklisted on mailservers because of your idea of 'open policies' when it can take up to 48hours or more for blacklists around the world to clear it... must be very productive.

Brony said,
Usually, strict IT policies hurts productivity. And worst, some policies are easy to bypass it.

This. I'm a developer at my work and need to be able to install and uninstall even my own software builds. I'm glad our IT department has their head on straight and realize that they are support for the users and not the dictatorships a lot of the asshats here think they should be.

There is not a single solution that solves all troubles. In the case of Active Directory, even a dumb user could install it (dcpromo). However, to fine-tune it, it could take a lot of effort and experience (most of the time, IT are unable to do that). It is so damn tricky. And, I am not talking about pre-defined GPO and security group but custom GPO and custom user permission.

Also, some programs fail if they don't run without administrator rights.

And don't forget that the current Active Directories rely on a way of working that is way different than the current way that the business works, especially the use of notebook and wifi.

Shadowzz said,

And open IT policies don't? I've fixed up company networks because of their open policies. Casual users will install any junk. The amount of computers slowed down to a crippling halt because of this is mindboggling. And the only thing the employees or your coworkers do then is complain and have a low productive work day.
And downtime of the system or overtime for the IT to 'repair' this computer.
Companies being blacklisted on mailservers because of your idea of 'open policies' when it can take up to 48hours or more for blacklists around the world to clear it... must be very productive.

Your work should stop hiring stupid users as opposed to trying to solve their stupidity with IT policies. The result will be much better.

Brony said,
Usually, strict IT policies hurts productivity. And worst, some policies are easy to bypass it.

Unless it causes problems and costs the company money. The company I work for is currently being sued (suit started before I started the job) by a big anti piracy group. forget the name. All because we had outdated licensing info and according to them, we exceeded what we could install software wise from MS. We talked to MS and explained to them the mix up and they even called the antipiracy company to get them off our backs. We are still being sued even tho MS, the company we supposedly violated, called them and we can now prove we are licensed.

We have some people with local admin rights on their PCs but most do not have them. IT supplies the software they need and if anything else is needed, that is what IT is for. All people in IT have admin rights tho.

Shadowzz said,

And open IT policies don't? I've fixed up company networks because of their open policies. Casual users will install any junk. The amount of computers slowed down to a crippling halt because of this is mindboggling. And the only thing the employees or your coworkers do then is complain and have a low productive work day.
And downtime of the system or overtime for the IT to 'repair' this computer.
Companies being blacklisted on mailservers because of your idea of 'open policies' when it can take up to 48hours or more for blacklists around the world to clear it... must be very productive.

Depends on the users. At my job (very large international corporation) we have admin access to our computers and it hasn't been an issue. We're all mostly engineers and I assume people here are a little more cautious about what they're installing on a work computer.

Shadrack said,

Your work should stop hiring stupid users as opposed to trying to solve their stupidity with IT policies. The result will be much better.

Then they would not be able to staff the company.

Stupid users are a fact. "Hire smarter people" is easy to say, but hard to actually accomplish.

I'm guilty of this at times. If I'm visiting the family on a weekend but I need to work as well, I'll just take my work laptop with me (rather than my work laptop and my macbook). During that time I may install Steam and a couple of games to play for a bit, but I'll uninstall them before returning to the office.

It's not a shock to learn that malware infections can cost money and time to fix, but just how much time and cash is lost dealing with these kinds of cyberattacks? Microsoft decided to find out in a new study that it commissioned from research firm IDC.

It's not a shock to learn that in many companies time is lost by using inadequate software because it is coming in a package the company bought. Often a better free alternative does exist (Notepad++ is a good example of a program that should be installed on all dev workstations if the company doesn't want to buy something like UltraEdit or Sublime). Employees installing the free alternative actually do a favor to the company by being more productive. I'm sorry but I'm not using Oracle Jdeveloper because it is already installed as part of an Oracle package. If Eclipse or Netbeans is not there I'm gonna install one of those. I'm also not doing web dev using MS Notepad ... sorry about that but I'm gonna install Aptana Studio.

Edited by LaP, Mar 6 2013, 4:09pm :

My job, if unauthorized software is found, the person gets a warning. Next time, the person gets fired. They don't put up with it...unless you are in IT.

Shadrack said,
And IT makes what percentage of the profits where you work?

IT doesn't make anything and this rule came above IT, not from IT itself. We have had issues in the past where we were fined big money because of illegal software installed (trial/demo software isn't tolerated either). So there is basically little to no tolerance on this anymore. Everyone reads the New Employee Orientation that explains this. If they don't read it, it's their fault. Installing your own software without IT knowledge also creates a support nightmare and causes problems.

IT departments constantly install new apps. It is expected for testing and trying out new solutions.

techbeck said,

IT doesn't make anything and this rule came above IT, not from IT itself. We have had issues in the past where we were fined big money because of illegal software installed (trial/demo software isn't tolerated either). So there is basically little to no tolerance on this anymore. Everyone reads the New Employee Orientation that explains this. If they don't read it, it's their fault. Installing your own software without IT knowledge also creates a support nightmare and causes problems.

IT departments constantly install new apps. It is expected for testing and trying out new solutions.

Our IT department scans computers periodically for unauthorized software and then talks to us about it. I like our IT department though. They solve problems, not create them.

Shadrack said,

Our IT department scans computers periodically for unauthorized software and then talks to us about it. I like our IT department though. They solve problems, not create them.

I...my department...solves problems as well. But when it is user induced and they have been warned before, it causes a problem and we are less willing to help fix it. You can keep talking to people about it, and that may work to an extent, but sometimes more drastic measures are needed.

We don't do regular scans on computers but rather most software they cannot install anyway without getting a prompt needing admin rights. Every now and then tho a program gets installed that requires little system changes.

Of course they do. Often times you need third party tools to ensure that you can do your job.

As a developer, I like to use ReSharper, for instance, even though no one else on my team does. Of course, there are other examples, but you get the idea.

Vinny4 said,
That's a case of "Lazy Admin" syndrome.
While I agree with you. In many cases the decision makers above IT won't back IT up when push comes to shove about restrictive measures imposed on users.

bull****, it's a case of giving users responsibility. Most Admins aren't there to baby sit or micromanage your PC. That institutional approach is a dead end.

lol what???? What responsibility?? r u serious? most people don't care and I'm not talking about BYOD, I'm talking about devices provided by a company, in that case, YES you should be micromanaging, that's why there are GPOs.

GPOs are generally a waste of time in vast majority of organizations. There are much better, simpler ways to limit app installs. GPOs simply aren't worth the time in such cases and are simply busy work for admins without the skills to find something better to do.

Dashel said,
GPOs are generally a waste of time in vast majority of organizations. There are much better, simpler ways to limit app installs. GPOs simply aren't worth the time in such cases and are simply busy work for admins without the skills to find something better to do.
It's great to see someone exercising their right to have a completely terrible and uninformed opinion.

Dashel said,
Say the BOFHs.
As I've said for years. It's not the users who know what they're doing or know nothing that I worry about. It's those that think they know what they're doing. A user who feels as if they don't know what they're doing will ask when met with a confusing situation. A user who knows what they're doing will usually do the right thing. A user who thinks they know what they're doing will usually break something.

Give a user enough rope to hang himself, I always say. Once they do, lock them down as needed. However, don't give them administrative rights, because w/o a doubt they'll do one of two things, install applications that reduce their productivity, or blindly install malware that causes network wide problems.

Dashel said,
What kind of rope are you giving the user then?
In 15+ years of managing a network that rope, by default is none. They are users on their machines as I am. Those with my trust get a local admin user to install applications when needed with the knowledge that if they abuse that privilege I'll take it away. We don't do any web filtering but that is about to start for social networks and sports since it has become a problem with so many people. In that case those sites will be allowed on a schedule.

So you really never give them rope is my point. That institutional mentality is what no longer makes sense in this more user focused, multi-site, telecommuting, BYOD world. As Dot would say, it's time for change. Why would I manage a company owned device differently than a BYOD one?

Does. Not. Compute.

As you say, it's an issue of trust (personal favoritism), not policy. You know what they say about admins that don't trust their users...

Dashel said,
As you say, it's an issue of trust (personal favoritism), not policy. You know what they say about admins that don't trust their users...
I play favoritism with users who do not fall prey to malicious packages or install counter-productive software. So I may not care at all for a user personally, but if they need access to software and have a track record of being careful I'll start opening up some access to them.

The BYOD world is not nearly as prevalent as is made out on tech news sites (as most of these sites have no concept of real world network management and IT... I think back to when Neowin was taken out by a single water leak... Sick DR there guys). Your network is at the mercy of your users in many cases with malware that exists out in the real world. More importantly, hardening a network from malicious hackers is much harder when you relinquish control of security on the desktops themselves.

Bottom line, in reality, the easiest point of entry into a network is the click of a user. The world isn't pansies and butterflies. Even in a user focused, multi-site, telecommuting, BYOD world you'll see competent IT protect the company's network infrastructure and productivity through IT restrictions.

Do they not have strict enough group policies? We can't run any installer file or executable that wasn't already installed on the system, and if we plug our own USB drive into it, the computer disables the USB port and sends a report to the IT Admins.

McKay said,
Do they not have strict enough group policies? We can't run any installer file or executable that wasn't already installed on the system, and if we plug our own USB drive into it, the computer disables the USB port and sends a report to the IT Admins.

Talk about some paranoid IT admins. Unless you're working on top secret/export controlled stuff this is just overkill.

For the Air Force, if you do plug any USB device in they confiscate it too, saying that as it's been connected to a Restricted system, that device is now restricted.

Someone plugged his iPhone 5 into the PC to charge it one day, yea they took that away. He still looks upset after all these months.

mrp04 said,

Talk about some paranoid IT admins. Unless you're working on top secret/export controlled stuff this is just overkill.

Paranoia has nothing to do with it.

unless you're running in an environment not completely controlled by active directory, as then it's anything but trivial.

ajcdotme said,
unless you're running in an environment not completely controlled by active directory, as then it's anything but trivial.
If you're not running Active Directory, you're asking for problems.

ajcdotme said,
unless you're running in an environment not completely controlled by active directory, as then it's anything but trivial.

You don't need them in a constant AD controlled environment, even corporate laptops they take home can be completely locked down so they can't do anything they aren't authorized to do. And thanks to UEFI with secure boot you can easily prevent the more technical individuals from adjusting this too.
(Yes secure boot has more reasons to be pushed by MS than just adding a layer for malware prevention for casual home users)

techbeck said,
Really depends on the size of the business and if they have the money or resources to implement more control.
There are just too many companies in any decent sized city who could walk in and drop a SBS install or just regular windows and set it up for you. Only really small companies (5 pc's or less) really can't afford to do it. The problem is selling the efficiency savings to those smaller shops as they are generally run by folks with no concept of computers.

Well in some corporations you really just need the ability to install whatever, whenever. As a Microsoft Employee, I'm a local administrator on all my machines and can install whatever software I wish, nothing is enforced, except java updates etc.

We have strict policies I have to think of whenever I install software, but there are no GPO ensuring I don't, simply because it would be a nightmare for Microsoft IT to keep a list up to date of software we can use and as a developer I need the ability to make custom builds, write my own tools etc.

Portable or not, the traffic is able to be tracked back to that device the company lets you use. While their internet is faster, is it worth it?

I have to agree. I work for a fairly large organization and our PCs are so locked down that we can't even change our desktop background pictures. Employees can download files however, .exe files won't install.

MrHumpty said,
If you're not running Active Directory, you're asking for problems.

Actually it's very easy, you enable only running of signed and trusted code then install the organisation's certificate on the PC and then, magically, only signed software from MS, etc. and your organisation runs, and best of all it's been built in since XP or 2003.

Kenman said,
Well in some corporations you really just need the ability to install whatever, whenever. As a Microsoft Employee, I'm a local administrator on all my machines and can install whatever software I wish, nothing is enforced, except java updates etc.

We have strict policies I have to think of whenever I install software, but there are no GPO ensuring I don't, simply because it would be a nightmare for Microsoft IT to keep a list up to date of software we can use and as a developer I need the ability to make custom builds, write my own tools etc.

Same at my job. It would be a huge hassle to have to get permission from IT every time someone needs a program installed.

mrp04 said,

Same at my job. It would be a huge hassle to have to get permission from IT every time someone needs a program installed.

Not really. If you have software deployment software, the system can get the software installed within minutes.

n_K said,

Actually it's very easy, you enable only running of signed and trusted code then install the organisation's certificate on the PC and then, magically, only signed software from MS, etc. and your organisation runs, and best of all it's been built in since XP or 2003.

NPGMBR said,
I have to agree. I work for a fairly large organization and our PCs are so locked down that we can't even change our desktop background pictures. Employees can download files however, .exe files won't install.

There's always a way to get around all of those setups. I remember a government agency where I went for a contract job. The manager was so proud to show me how he had everything locked up so tight. Took me 10 minutes to unlock the stations, he almost had a heart attack.

zeke009 said,
Portable or not, the traffic is able to be tracked back to that device the company lets you use. While their internet is faster, is it worth it?

A faster internet connection is ALWAYS worth it. One day, you'll have an internet connection so fast, not even the Gibson will stand a chance!

Seriously though, I can't understand the need for them to install software on the machines.. what exactly are users installing, firefox, java, some games .. or crap they click install for stupid smiley faces in chat on facebook?

n_K said,
Actually it's very easy, you enable only running of signed and trusted code then install the organisation's certificate on the PC and then, magically, only signed software from MS, etc. and your organisation runs, and best of all it's been built in since XP or 2003.
Ok, implement and maintain those settings on 200 machines w/o active directory.

Kenman said,
Well in some corporations you really just need the ability to install whatever, whenever. As a Microsoft Employee, I'm a local administrator on all my machines and can install whatever software I wish, nothing is enforced, except java updates etc.

We have strict policies I have to think of whenever I install software, but there are no GPO ensuring I don't, simply because it would be a nightmare for Microsoft IT to keep a list up to date of software we can use and as a developer I need the ability to make custom builds, write my own tools etc.

You're living inside your bubble. I'm a developer as well. I have no restrictions and have an administrator account I can use to add whatever I want to my machine. However, the vast majority of users have no business maintaining their machine nor should they be allowed to choose what is ok to install.

mrp04 said,
Same at my job. It would be a huge hassle to have to get permission from IT every time someone needs a program installed.
IT at the desk should be dead. If a user asks me to install something on their machine, as long as it is needed I barely do anything other than launch a remote admin of their machine, and install it. An added step in some corps is to log what was installed on that user's machine or get another to sign off on the install.

Frankly, I use a ton of software and get new stuff regularly, but this concept that people are installing software all the time is just nonsense. The average user *wants* other software than they have, but need is another story.

Kenman said,
Well in some corporations you really just need the ability to install whatever, whenever. As a Microsoft Employee, I'm a local administrator on all my machines and can install whatever software I wish, nothing is enforced, except java updates etc.

Wait, Microsoft allows you to install Java on your machine?! Isn't that just asking for trouble?