Tech Support HELL

Do they block certain sites for a reason? Yep; and for many thousands of them, that reason is "because the web filter software included that site without us having any idea what it is or what it's for". I had a paper on an Oracle vulnerability blocked the other day because evidently one of several blogs on the site was deemed "bad". They blocked access to "everything2.com" because "that's what the software came with". Did I wait two weeks for management review of my requested changes before reading up about a brand-new vulnerability in my software? Nope. I did my job.

Yyyyyup.

In a previous job for [national telecommunications vendor], I frequently ran into problems because WebSense would let users in my regional office get compromised and spywared so deep in the ass they could taste bitstream; yet it would block me from accessing any ANTI-spyware tools to help fix them. Did I set up a proxy through another machine elsewhere? You bet your ass I did.

In my current life as a consultant, one of the more common things I get called for is road warriors with home offices working for large corporations who need to get printers working. Printer won't work without administrative privileges. User is not allowed by corporate policy to have administrative privileges. I come in with a SAM reset disk, wipe the local administrator password, log in as local administrator, and add "Everyone" to the local "Administrators" group. Poof, user can print. The really hilarious thing? These are usually printers supplied by the corporate office to begin with.

Big corporate IT departments tend to not even understand the concept of daylight, much less what it looks like.

From:

Congratulations... you've just helped these users become a part of the botnet/malware/virus epidemic on the Internet. Thank you for making MY job harder.

From:

Riiiiight. Because modern malware is neither capable of running without administrative privilege nor using any number of local privilege escalation exploits if it wants to, yes?

Users who actually hire consultants in the first place aren't the users making up the botnet population. The folks making up the botnets are the users who don't pay anything to anybody for any kind of support, and just buy a new $400 PC once their last $400 PC has gotten so thoroughly malwared up that it "seems too slow" even to them.

If one of my customers gets malwared, I find out about it in a hurry and it gets removed in an equal hurry. Conversely, if idiots setting corporate IT policies weren't making it impossible for users to do their jobs while following them, maybe those policies would actually do a bit of good.

From:

I'm not saying the corporate IT, in your scenario, aren't stupid. I agree with you there. They could set up server-side installations (http://support.microsoft.com/kb/326473) for these supplied printers. They don't.

But still, you're being called out there to install the printer, not subvert the security of the user running laptop. If you don't have an admin account, then pester corporate IT until they give you one. Enough trouble tickets in their system will make them figure it out eventually, but silently "fixing" things doesn't let them know about the problem.

User-level accounts (NOT power users or Admins) don't get nearly the malware/worms of other users because they don't have the permissions to run that software. I think it was one of the tech magazines that did a test comparing user/power/admin rights and how much spyware was installed.

From:

The first step is ALWAYS calling the corporate IT and trying to get them to give me a fix. You might be surprised just how often the folks manning the help desks do a careful "what I don't actually tell you to do isn't my problem" number. It's often HARD to get the attention of the IT policy Nazi at a big corporation. REALLY hard. To the point of impossible.

In a shiny happy sensible world, it would be nice to restrict users to heavily neutered permission levels. In the real world, with corporations using for god's sake Windows and trying to maintain 500:1 user:support ratios, with many users very literally never setting eyes on an actual administrator, it's very very difficult to make that work.

I can't make the user's IT department do something sensible. I can (and do) contact them and try to get them to do something sensible, and if (and when) they absolutely refuse - but still expect the user to, you know, WORK anyway - then I quietly make an end-run around them on the user's behalf. It's what I'm getting paid for.

From:

pat-barron.livejournal.com

"It's often HARD to get the attention of the IT policy Nazi at a big corporation. REALLY hard. To the point of impossible."

You should try it when the "IT policy Nazi" is actually a committee, rather than an individual, that's a lot of fun too... :-)

In all fairness, though, to my employer (which does have an "IT security policy committee"...), at least I work at a place where employees are generally treated like adults. We don't block any sites at the corporate firewalls (we rely on security tools installed on each individual machine to catch malware and such). There are rules about what you can use the company's computers and networks for, and you're expected to understand and to follow them. If we catch you breaking the rules, you're going to have problems. But if you can honestly say that you need to go on MySpace for some reason related to your job, then we trust you until proven otherwise. (Plus our rules do allow for a certain limited amount of non-work usage, realizing that people our going to be checking their Yahoo mail, or updating their blog, or whatever once in a while while they're in the office, whether you prohibit it or not.) Sometimes people complain that there are too many rules and they shouldn't have to know anything about them. But it's sort of the cost of being treated like an adult...

From:

That sounds like a much more reasonable policy than most places have.

For reference, when one of my customers (an engineering firm) asked me for something like WebSense, what I did instead was block all internet access from every workstation in the company completely... except for one, labeled the "hot seat", with completely unfettered access. That's visible to EVERYBODY because it's dead in the middle of the engineering space.

Net result: nobody uses it to surf for porn or whatever (anybody could see!), nobody sits in the hot seat more than 5 minutes or so (anybody could see!), nobody has problems with shitty web filters keeping them from downloading something they actually need for work.

From:

the-xtina.livejournal.com

That's a fantastic idea! *jots it down*

From:

superbus.livejournal.com

I guess that's why you're a consultant, and we're fixing your shit.

But that's perfectly OK, because if these big companies are really as idiotic as you say, you'll never get caught. ^__^

From:

You aren't fixing my shit, sweetness.

From:

If AFTER GETTING ADMIN PRIVS you have to add Everyone to Administrators *just* to install a printer I *never* want you on one of my remote users computers.

They don't need it, and while SOME spyware can bypass privs, there is enough out there that CAN'T that I'm happier with them NOT being able to delete/modify/etc things they're not supposed to touch.

From:

You weren't reading properly: the printer can't be *USED* without admin privileges. Depressingly common among all-in-one printer/scanner/fax/copier devices. Yes, it's shitty driver design. Unfortunately there's nothing I can do about that.

From:

Then I apologize, and I should have caught that. We've ONE machine that HAS to have admin to work with POS printer. (er, Point Of Sale.) EVERY other machine with that configuration works fine "as-is" but this one is scheduled for a wipe and re-install now.

From:

Thanks. =)

From:

phrogg.livejournal.com

Oddly, i have never run across this problem. I've been installing/configuring all-in-one devices for about 4 years, now. Unless you're talking about some archaic equipment.

I've mostly dealt with HP's and Lexmarks. Both of which i hate with a passion, but i've never because of a problem like that...

From:

The two that leap to mind were an HP and a Canon, IIRC.

Brothers also frequently have that problem, but I haven't had to deal with one of those in a context of having to run under an otherwise non-privileged user account.

From:

greeklady.livejournal.com

Just be a consultant at a high rate. So if they need your help, sure tell them there is a two hour minimum at $X per hour. It makes em think twice before calling you.

From:

I have to do that with co-workers and home machines already.

From:

the-s-guy.livejournal.com

Meh. There's nothing in there a competent IT team won't have blocked a long time ago. Even the slippery suckers like tunnelling over DNS requests on port 53 to an external proxy can be detected simply by noting the average number of packets that get sent from any one internal address to any external IP or block on a given port, and flagging/shaping/isolating/terminating the connection accordingly. And given that there should be very few unblocked ports available in the first place, it's fairly simple to keep track of.

Bonus points for rigging all standard corporate environments with software which tests every so often for things like sudden wide-open internet access, and rings alarm bells if it can see raw internet.

Locking down corporate machines so they can't run any nonapproved executables or change most software defaults is another favorite if the staff start getting too clever, as is running a root-level set of checks to see if they've managed it anyway (cadged or badgered an admin-level account from the CEO etc).

Of course, given that the users have access to the PC hardware, it's inherently untrustable anyway, which is why all network connections should verify the authority of any given PC to be given access to any part of the corporate network before even allowing things like logging on. A PC that doesn't respond correctly to the network security heartbeat can be isolated and flagged. PCs could be forced to accept all software updates and possibly run scans before anything else, if they haven't been connected in a while. That kind of thing.

I wonder if anyone's written 101 Ways to be a Network Nazi. Could be a best-seller.

From:

Maybe, but everything they listed can be blocked with a good proxy, or proper egress filtering.

From:

I spent yesterday listing proxies they had found at home and tried at work, then brought the list to their manager.

Didn't see them today...

From:

edling.livejournal.com

Hmm- that article should probably be called 'How to get yourself in a lot of trouble quickly'- like

the_s_guy said, there's nothing in there that's particularly tricky to detect, and in the company I work for at least knowingly circumventing an access policy is considerably more serious than trying to access a website you shouldn't.
Having said that, my personal preference is not to block more than the obvious (known malware sites, porn, etc), but to make everyone aware you do monitor things and pulling people up if they're spending all day on facebook etc. It's less admin overhead and doesn't annoy users when they can't get to useful sites without going through the corporate hoops. Sadly that doesn't seem to be the opinion of the policy makers in many of the places I've worked for...

From:

jecook

Bingo.

At my place, doing it (knowingly circumventing access controls) *will* get you fired, no ifs, ands, or buts, plus possible additional action depending on just what occurred. Not our rules, but the regulators that oversee the company, sadly.

From:

kuang.livejournal.com

I still can't get around this assumption that people have a right to use our systems to bring their crappy insubstantial little lives into work. I currently work at a school although not for much longer) and the kids are a nightmare for tracking down web proxies. My current line is to say 'you know how that site lets you break the rules? Well, that means it was probably set up by people who are into a few not quite legitimate ventures, yeah? Well, by logging into Myspace through it, you've just given these unknown individuals your username and password, and you're now on your own..'. Potential inaccuracies aside, it seems to do the trick.

From:

Actually, no inaccuracies about it. Logging in through a proxy allows for the POSSBILITY of man-in-the-middle login grabbing attacks. Even though most pages nowadays encrypt the login before it's ever sent over the wire (through SSL, or hashing, or whatever), if I'm in the middle that doesn't matter. I replace the hashing code with my own code transparently, and I've got your password. SSL is a little harder, but most people don't look at or care about the certificate error popups. I think there was even a study done where people were browsing to fake malicious sites, SSL cert errors popped up, and they clicked right through without even reading them.

From:

kuang.livejournal.com

Absolutely, that's really why I take this line with them - they don't care about the wellbeing of the system, but faced with the idea of their much loved Myspace page being tampered with they go very quiet.. ;) I only add the 'potential' part because many of them say that 'they can't all be bad' and technically they're right but it doesn't hurt to put the FEAR into them once in a while ;)

From:

shifuimam.livejournal.com

Of course, if you're like my company and you're stuck with WebSense on top of a firewall, all the proxy sites are blocked, too. I can use archive.org if I really need to see something, but since WebSense monitors all outgoing traffic on a per-user basis, it's not really worth it.

From:

forever-damned.livejournal.com

Makes me glad all of our remote systems that I need are web-based with their own individual logins so I don't need to VPN into Sydney and use the corporate policies on their end. Computer freedom for the win.

From:

canray.livejournal.com

Do these people think we block websites just to piss them off?

In two of the places that I worked, yes.

I'm sorry, but when you start blocking *GOOGLE*!

"We don't allow entertainment Websites, only work related and research websites." "Google is research website. It's a Search Engine Website."

From:

Google *IS* the internet.

But in fairness, I shut off ALL outside access to an entire department for a few days because they wouldn't take the hint and the DIRECTOR wouldn't do jack about it. Sometime extreme measures are needed.

"First, you have to get the mules attention..."

From:

gholam.livejournal.com

I just found out that FortiNet classified apple.com as "Multimedia Download". And pushed it to god knows how many of their firewall appliances running FortiGuard web filtering worldwide.

On the upside, I doubt many, if any, large organizations where policy changes take a long time to go through run Fortinet firewalls, or Apple hardware, much less both of them simultaneously.

(deleted comment)

From:

Trust me - 75% of my users understand proxy site!

They also know the sites and the ENTIRE bank of IPs the used don't work after I find them. They also understand that I read logs and am merciless about it.

Actually had one guy try to convince me he needed MySpace for his job.

Asshat no longer works here for other reasons.

From:

jon787.livejournal.com

Well if the stupid defense contractor hadn't blocked the corporate webmail site of my employer and refused to unblock it I wouldn't have had to circumvent the firewall on their "secure" network :P

From: