I need to forbid itunes in my company. Users have already been warned no to
install it but I believe we can't trust them.
On the filtering proxy, I blacklisted phobos.apple.com so users can't go to
itunes store anymore. That should stop 80% of the people.
Regarding downloads, they still work because a podcast to "NBC Today Show"
for example goes directly through NBC.com. So I guess, there's not much I
can do more, right?
But is there a way where I can forbid people to register to new podcasts?
> Hi there,
>
> I need to forbid itunes in my company. Users have already been warned no to
> install it but I believe we can't trust them.
First, why? What is the business issue? Not wanting external devices
plugged into the computer? Bandwidth associated with downloads? Core
business interrupted by someone listening to music? What about
Windows Media Player?
> On the filtering proxy, I blacklisted phobos.apple.com so users can't go to
> itunes store anymore. That should stop 80% of the people.
ITunes certainly runs without being able to contact the itunes store.
> Regarding downloads, they still work because a podcast to "NBC Today Show"
> for example goes directly through NBC.com. So I guess, there's not much I
> can do more, right?
Depends what you're really trying to accomplish and why.
> But is there a way where I can forbid people to register to new
> podcasts?
Depending on what sort of gateway protection you have in place there
are products you can tell to say block mp3 file downloads period.
But I for one wouldn't be too excited about working for a company with
such an authoritarian approach to IT, and I suspect I'm not alone.
choowie <choowieNO_SP_AM@free.fr> wrote:
> Hi there,
>
> I need to forbid itunes in my company. Users have already been warned no to
> install it but I believe we can't trust them.
This is a self-fulfilling prophecy. If you don't think you can trust
your users, then eventually all of the ones you CAN trust will leave
in disgust for jobs where they're treated like grown-ups.
"Todd H." <comphelp@toddh.net> wrote in message
news:84wsq0hbky.fsf@ripco.com...
> "choowie" <choowieNO_SP_AM@free.fr> writes:
>
>> Hi there,
>>
>> I need to forbid itunes in my company. Users have already been warned no
>> to
>> install it but I believe we can't trust them.
>
> First, why? What is the business issue? Not wanting external devices
> plugged into the computer?
Indeed + itunes already conflicted with other business software.
> Bandwidth associated with downloads?
As well.
> Core
> business interrupted by someone listening to music? What about
> Windows Media Player?
Don't care about people not working or listening to MP3 while working. This
is not a security issue. Same as watching porn. Don't care unless they go to
porn sites from which they download malware or if they go to illegal porn.
Not judging the moral here.
>
>> On the filtering proxy, I blacklisted phobos.apple.com so users can't go
>> to
>> itunes store anymore. That should stop 80% of the people.
>
> ITunes certainly runs without being able to contact the itunes store.
Yes but it limits users from registering to video podcasts. Few have the
knowledge to understand they can get podcasts from other places than itunes.
>
>
>> Regarding downloads, they still work because a podcast to "NBC Today
>> Show"
>> for example goes directly through NBC.com. So I guess, there's not much I
>> can do more, right?
>
> Depends what you're really trying to accomplish and why.
>
>> But is there a way where I can forbid people to register to new
>> podcasts?
>
> Depending on what sort of gateway protection you have in place there
> are products you can tell to say block mp3 file downloads period.
Size of MP3 are usually small compared to video podcasts. Video is more of
the issue here but some videos are used for business purposes. Youtube and
Dailymotion are bandwidth killer and have been filtered out.
More simply, I'll sniff what happens when a podcast is registered and create
a rule on proxy for it.
"Colin B." <cbigam@somewhereelse.nucleus.com> wrote in message
news:W_Klj.832$jw.650@pd7urf2no...
> choowie <choowieNO_SP_AM@free.fr> wrote:
>> Hi there,
>>
>> I need to forbid itunes in my company. Users have already been warned no
>> to
>> install it but I believe we can't trust them.
>
> This is a self-fulfilling prophecy. If you don't think you can trust
> your users, then eventually all of the ones you CAN trust will leave
> in disgust for jobs where they're treated like grown-ups.
>
You don't know anything about the context which lead to such restrictions.
Please provide a technical advice, not a moral judgement.
| "choowie" <choowieNO_SP_AM@free.fr> writes:
|
>> Hi there,
>>
>> I need to forbid itunes in my company. Users have already been warned no to
>> install it but I believe we can't trust them.
|
| First, why? What is the business issue? Not wanting external devices
| plugged into the computer? Bandwidth associated with downloads? Core
| business interrupted by someone listening to music? What about
| Windows Media Player?
|
>> On the filtering proxy, I blacklisted phobos.apple.com so users can't go to
>> itunes store anymore. That should stop 80% of the people.
|
| ITunes certainly runs without being able to contact the itunes store.
|
>> Regarding downloads, they still work because a podcast to "NBC Today Show"
>> for example goes directly through NBC.com. So I guess, there's not much I
>> can do more, right?
|
| Depends what you're really trying to accomplish and why.
|
>> But is there a way where I can forbid people to register to new
>> podcasts?
|
| Depending on what sort of gateway protection you have in place there
| are products you can tell to say block mp3 file downloads period.
| But I for one wouldn't be too excited about working for a company with
| such an authoritarian approach to IT, and I suspect I'm not alone.
|
| Best Regards,
Todd:
This is TOTALLY understandable as we too have a corporate wide ban of iTunes software.
|
| This is a self-fulfilling prophecy. If you don't think you can trust
| your users, then eventually all of the ones you CAN trust will leave
| in disgust for jobs where they're treated like grown-ups.
Grownups who violate corporate policies on the use of company provided equipment SHOULD quit
or be fired.
David H. Lipman <DLipman~nospam~@verizon.net> wrote:
> From: "Colin B." <cbigam@somewhereelse.nucleus.com>
>
>
> |
> | This is a self-fulfilling prophecy. If you don't think you can trust
> | your users, then eventually all of the ones you CAN trust will leave
> | in disgust for jobs where they're treated like grown-ups.
>
> Grownups who violate corporate policies on the use of company provided equipment SHOULD quit
> or be fired.
That was actually my point, in a roundabout way. Policy is usually a
better solution that technical means. If you say, "No iTunes on company
machines" then if someone installs iTunes, you discipline them, up to
and including firing if appropriate. No need to waste cycles trying to
add handcuffs. Applying software or network blocks is pretty much a big
message saying, "we don't trust you to follow the rules." It takes time,
effort, money, and creates a hostile environment. As often as not, it
also interferes with people's actual work.
To the OP, I don't really recommend any technical solutions (although here
are a few options: Block all MP3s on the wire, remove admin privileges
from users for their workstations so they can't install software, block
traffic by port number or destination, and so on) because I don't think
that it's a predominantly technical problem. You're trying to direct
behaviour with technical means, and behaviour is almost always better
managed with policy.
Not trying to judge you here, just suggesting that it's not the right
solution for your problem.
| David H. Lipman <DLipman~nospam~@verizon.net> wrote:
>> From: "Colin B." <cbigam@somewhereelse.nucleus.com>
>>
|>> This is a self-fulfilling prophecy. If you don't think you can trust
|>> your users, then eventually all of the ones you CAN trust will leave
|>> in disgust for jobs where they're treated like grown-ups.
>>
>> Grownups who violate corporate policies on the use of company provided equipment SHOULD
>> quit or be fired.
|
| That was actually my point, in a roundabout way. Policy is usually a
| better solution that technical means. If you say, "No iTunes on company
| machines" then if someone installs iTunes, you discipline them, up to
| and including firing if appropriate. No need to waste cycles trying to
| add handcuffs. Applying software or network blocks is pretty much a big
| message saying, "we don't trust you to follow the rules." It takes time,
| effort, money, and creates a hostile environment. As often as not, it
| also interferes with people's actual work.
|
| To the OP, I don't really recommend any technical solutions (although here
| are a few options: Block all MP3s on the wire, remove admin privileges
| from users for their workstations so they can't install software, block
| traffic by port number or destination, and so on) because I don't think
| that it's a predominantly technical problem. You're trying to direct
| behaviour with technical means, and behaviour is almost always better
| managed with policy.
|
| Not trying to judge you here, just suggesting that it's not the right
| solution for your problem.
|
| Colin
I disagree. There are legal and technical ramifications of some software and it is proper
for a corporation to not only make a statement, an Authorized Use Policy (AUP) is *BEST*,
but to block software as well.
You can NOT trust employees explicitly. It is a case that peple just don't follow the rules
and a company must protect their assets.
Prevention is better than cure. Prevention starts with FireWall and Group Policies.
This is my opinion and it is based upon experience.
> "Colin B." <cbigam@somewhereelse.nucleus.com> wrote in message
> news:W_Klj.832$jw.650@pd7urf2no...
> > choowie <choowieNO_SP_AM@free.fr> wrote:
> >> Hi there,
> >>
> >> I need to forbid itunes in my company. Users have already been warned no
> >> to
> >> install it but I believe we can't trust them.
> >
> > This is a self-fulfilling prophecy. If you don't think you can trust
> > your users, then eventually all of the ones you CAN trust will leave
> > in disgust for jobs where they're treated like grown-ups.
> >
>
> You don't know anything about the context which lead to such restrictions.
> Please provide a technical advice, not a moral judgement.
I dont' think Colin's words were a moral judgement--they did properly
reflect how such restrictions affect morale and people's willingess to
work for an employer. Depends entirely on the employees though.
I know where I work, if people were unable to listen to music while
they worked because of some corporate edit they'd all find somewhere
else to work.
On Jan 23, 4:51*pm, comph...@toddh.net (Todd H.) wrote:
> "choowie" <choowieNO_SP...@free.fr> writes:
> > "Colin B." <cbi...@somewhereelse.nucleus.com> wrote in message
> >news:W_Klj.832$jw.650@pd7urf2no...
> > > choowie <choowieNO_SP...@free.fr> wrote:
> > >> Hi there,
>
> > >> I need to forbid itunes in my company. Users have already been warnedno
> > >> to
> > >> install it but I believe we can't trust them.
>
> > > This is a self-fulfilling prophecy. If you don't think you can trust
> > > your users, then eventually all of the ones you CAN trust will leave
> > > in disgust for jobs where they're treated like grown-ups.
>
> > You don't know anything about the context which lead to such restrictions.
> > Please provide a technical advice, not a moral judgement.
>
> I dont' think Colin's words were a moral judgement--they did properly
> reflect how such restrictions affect morale and people's willingess to
> work for an employer. * * Depends entirely on the employees though.
> I know where I work, if people were unable to listen to music while
> they worked because of some corporate edit they'd all find somewhere
> else to work. *
>
> --
> Todd H.http://www.toddh.net/- Hide quoted text -
>
> - Show quoted text -
SafeBoot (www.safeboot.com) includes application control software, so
you could simply blacklist itunes and then it would never run, ever.
|
| SafeBoot (www.safeboot.com) includes application control software, so
| you could simply blacklist itunes and then it would never run, ever.
|
| S.
"Through a centralized management console, you establish security policies that control how
users copy information to removable devices and media."
Please show me how SafeBoot would blacklist iTunes and "...it would never run, ever.".
From what I read this is a security end point control software to prevent
sensitive/proprietary egress of information.
"Colin B." <cbigam@somewhereelse.nucleus.com> wrote in message
news:W_Klj.832$jw.650@pd7urf2no...
> choowie <choowieNO_SP_AM@free.fr> wrote:
>> Hi there,
>>
>> I need to forbid itunes in my company. Users have already been warned no
>> to
>> install it but I believe we can't trust them.
>
> This is a self-fulfilling prophecy. If you don't think you can trust
> your users, then eventually all of the ones you CAN trust will leave
> in disgust for jobs where they're treated like grown-ups.
>
a grown up understands business policies and integrity.
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:FsPlj.10$%x.1@trnddc06...
> From: "Colin B." <cbigam@somewhereelse.nucleus.com>
>
> | David H. Lipman <DLipman~nospam~@verizon.net> wrote:
>>> From: "Colin B." <cbigam@somewhereelse.nucleus.com>
>>>
> |>> This is a self-fulfilling prophecy. If you don't think you can trust
> |>> your users, then eventually all of the ones you CAN trust will leave
> |>> in disgust for jobs where they're treated like grown-ups.
>>>
>>> Grownups who violate corporate policies on the use of company provided
>>> equipment SHOULD
>>> quit or be fired.
> |
> | That was actually my point, in a roundabout way. Policy is usually a
> | better solution that technical means. If you say, "No iTunes on company
> | machines" then if someone installs iTunes, you discipline them, up to
> | and including firing if appropriate. No need to waste cycles trying to
> | add handcuffs. Applying software or network blocks is pretty much a big
> | message saying, "we don't trust you to follow the rules." It takes time,
> | effort, money, and creates a hostile environment. As often as not, it
> | also interferes with people's actual work.
> |
> | To the OP, I don't really recommend any technical solutions (although
> here
> | are a few options: Block all MP3s on the wire, remove admin privileges
> | from users for their workstations so they can't install software, block
> | traffic by port number or destination, and so on) because I don't think
> | that it's a predominantly technical problem. You're trying to direct
> | behaviour with technical means, and behaviour is almost always better
> | managed with policy.
> |
> | Not trying to judge you here, just suggesting that it's not the right
> | solution for your problem.
> |
> | Colin
>
> I disagree. There are legal and technical ramifications of some software
> and it is proper
> for a corporation to not only make a statement, an Authorized Use Policy
> (AUP) is *BEST*,
> but to block software as well.
>
> You can NOT trust employees explicitly. It is a case that peple just
> don't follow the rules
> and a company must protect their assets.
>
> Prevention is better than cure. Prevention starts with FireWall and Group
> Policies.
>
> This is my opinion and it is based upon experience.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
I totally agree.
Give the users the minimum rights and permissions required to do their job.
No more, no less.
On Jan 23, 7:09*pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
wrote:
> From: "SafeBootSimon" <hunt.si...@gmail.com>
>
> |
> |SafeBoot(www.safeboot.com) includes application control software, so
> | you could simply blacklist itunes and then it would never run, ever.
> |
> | S.
>
> "Through a centralized management console, you establish security policiesthat control how
> users copy information to removable devices and media."
>
> Please show me howSafeBootwould blacklist iTunes and "...it would never run, ever.".
>
The product also has signature based executable code control built in,
so every time a piece of code tries to create a process we get to
inspect it first and see if it's on a black or white list. If the
code's not on the approved white list, we simply discard it so it
never gets to execute. This is good for anything which runs, exe's,
DLL's etc, anything which starts a process or thread. Of course it
won't prevent macros from running or other interpreted code, but
that's not it's point. It's application control.
>
> The product also has signature based executable code control built in,
> so every time a piece of code tries to create a process we get to
> inspect it first and see if it's on a black or white list. If the
> code's not on the approved white list, we simply discard it so it
> never gets to execute. This is good for anything which runs, exe's,
> DLL's etc, anything which starts a process or thread. Of course it
> won't prevent macros from running or other interpreted code, but
> that's not it's point. It's application control.
It's not an application control, since it doesn't control what applications
can do when they run - instead of controlling if they run at all.
At any rate, this functionality has been there since Windows XP, and this
one doesn't require adding complicated, error-prone kernel-mode hooks to the
system.
| The product also has signature based executable code control built in,
| so every time a piece of code tries to create a process we get to
| inspect it first and see if it's on a black or white list. If the
| code's not on the approved white list, we simply discard it so it
| never gets to execute. This is good for anything which runs, exe's,
| DLL's etc, anything which starts a process or thread. Of course it
| won't prevent macros from running or other interpreted code, but
| that's not it's point. It's application control.
Sounds like the wrong type of application for the job.
> At any rate, this functionality has been there since Windows XP, and this
> one doesn't require adding complicated, error-prone kernel-mode hooks to the
> system.
Ok, I was told and warned to killfile you Seb, and I ignored them, and
now I got my comeuppance. Congratulations.
|
>> At any rate, this functionality has been there since Windows XP, and this
>> one doesn't require adding complicated, error-prone kernel-mode hooks to the
>> system.
|
| Ok, I was told and warned to killfile you Seb, and I ignored them, and
| now I got my comeuppance. Congratulations.
Unfortunately, in this situation, I agree with Sebastian!
"choowie" <choowieNO_SP_AM@free.fr> wrote in message
news:47973000$0$20762$426a74cc@news.free.fr...
> Hi there,
>
> I need to forbid itunes in my company. Users have already been warned no
to
> install it but I believe we can't trust them.
>
> On the filtering proxy, I blacklisted phobos.apple.com so users can't go
to
> itunes store anymore. That should stop 80% of the people.
>
> Regarding downloads, they still work because a podcast to "NBC Today Show"
> for example goes directly through NBC.com. So I guess, there's not much I
> can do more, right?
>
> But is there a way where I can forbid people to register to new podcasts?
>
> Cheers,
>
> --
> Choowie
>
>
I always championed the guy who brought in his own Linux boot disc,
partitioned his workstation, installed his own software, and proceeded to do
his job while totalling ignoring everyone who tried to stop him.
What I am saying is, if you "need to forbid iTunes", resign, start a
daycare, and supervise the children you obviously need in you life.
| I always championed the guy who brought in his own Linux boot disc,
| partitioned his workstation, installed his own software, and proceeded to do
| his job while totalling ignoring everyone who tried to stop him.
|
| What I am saying is, if you "need to forbid iTunes", resign, start a
| daycare, and supervise the children you obviously need in you life.
|
The actions you describe is a prescription to the unemployment line and possible
prosecution.
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:BC9qj.18419$hF2.6949@trnddc02:
> From: "Leon Trollski" <leon@garyrock.com>
>
>
>| I always championed the guy who brought in his own Linux boot disc,
>| partitioned his workstation, installed his own software, and
>| proceeded to do his job while totalling ignoring everyone who tried
>| to stop him.
>|
>| What I am saying is, if you "need to forbid iTunes", resign, start a
>| daycare, and supervise the children you obviously need in you life.
>|
>
> The actions you describe is a prescription to the unemployment line
> and possible prosecution.
Good, good! It's much easier for everyone once you accept and internalize
the controls.
> I always championed the guy who brought in his own Linux boot disc,
> partitioned his workstation, installed his own software, and proceeded to do
> his job while totalling ignoring everyone who tried to stop him.
I always championed the administrator who didn't fix the boot sequence, put
a password to the BIOS and physically locked the case.
Forbidding itunes 
Linear Mode
