Tuesday, August 30, 2011

5 Old Network Admin Paradigms Revisited -- Revised

There are a lot of reasons network administrators tend to be the hard-nosed, nose-to-the-grindstone type. One of them is that they deal with users (many of them like you, reading this) who have burned them in the past. Those burns go deep, and the thinking they produced is hard to change after the fact. There are things network administrators still do today that they have been doing for the last decade for exactly these reasons. I would like to revisit some of these policies and suggest ways to deal with them with today's infrastructure.

Email storage quotas

This is one of the biggest mistakes I see in most enterprise environments: network administrators placing a quota on the disk space users may fill with email. With the relatively low cost of storage these days this is an obnoxious practice, especially considering how often users rely on email to pull up things a client asked for in the past. Email can be a great tool to get you out of a tough spot when a co-worker is pressing an issue you have already addressed, or when you have to show proof that something was communicated.

It also serves as a temporary brain for most folks. They can pull up information from four years ago and get it to the people who need it much faster than if they had to go look the data up again. This has its drawbacks, because people tend not to VERIFY information from four years ago, and it may no longer be correct. It is important that users know the difference.

Something else that should be stressed: if you use a third party to host your email and ever have to re-download all of it (a new computer, a reinstall of the mail client), 10GB of saved mail is going to take a really long time to pull down before you can start working again. I personally archive all mail at the beginning of every new year, around February. All email older than December of the previous year gets archived off to an external hard drive. If I ever need that info for whatever reason it is an easy attach in Outlook. An archive file on a portable drive holds years of correspondence, so that drive should be encrypted and backed up like any other copy of the mailbox.

Restricting personal devices from network

This is one I am honestly on the fence about. Users in today's environments are bringing in iDevices, tablets, laptops, music players and so on, and with the increasing movement to cloud storage and cloud access all of these devices need and consume valuable address space on the network. The problem is not that the devices bring in nasty viruses, but that most environments haven't planned for the surge in devices. You can segregate the devices from the main network quite easily, and creating an address space of a few thousand addresses is nothing. You could even hand out a scope with a netmask of 255.0.0.0 and serve up all the devices you can imagine (at least for now), though a broadcast domain that size buys you nothing a 255.255.0.0 scope wouldn't; what matters is that the scope lives on its own VLAN with a firewall rule between it and the corporate LAN, because the address range alone segregates nothing. Just make sure users know that you aren't their personal geek squad, and they are on their own for figuring out how to use the device. This includes, in my opinion, setting up corporate email.
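As an added illustration (not configuration from the original post), this ISC dhcpd excerpt defines the kind of segregated guest scope described above next to the existing corporate scope. The interface layout, VLAN, address ranges and resolver addresses are all assumed; the point is the shape: a second subnet with roughly 65,000 addresses, short leases so churned personal devices don't exhaust the pool, and guests pointed at a resolver that lives on the guest VLAN rather than the corporate one.

```conf
# /etc/dhcp/dhcpd.conf (excerpt) -- added example, all addresses and names assumed.
# Corporate LAN: 10.0.0.0/16 on the trusted VLAN. Guest/BYOD: 10.20.0.0/16 on its
# own VLAN. DHCP only sizes the pools; the segregation itself is the VLAN plus a
# firewall rule that denies 10.20.0.0/16 -> 10.0.0.0/16 (except DHCP/DNS relays).

authoritative;

subnet 10.0.0.0 netmask 255.255.0.0 {
    # corporate scope: unchanged, managed devices only
    range 10.0.10.1 10.0.20.254;
    option routers 10.0.0.1;
    option domain-name-servers 10.0.0.53;
    default-lease-time 28800;
    max-lease-time 86400;
}

subnet 10.20.0.0 netmask 255.255.0.0 {
    # guest/BYOD scope: ~65k addresses, short leases so churn doesn't exhaust it
    range 10.20.1.1 10.20.255.254;
    option routers 10.20.0.1;
    option domain-name-servers 10.20.0.53;   # resolver on the guest VLAN, not 10.0.0.53
    default-lease-time 3600;
    max-lease-time 7200;
}
```

The one-hour lease is the knob that actually keeps a personal-device pool from filling up: a phone that walks in, grabs an address and leaves releases it within the hour instead of holding it for a day.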

User storage quota

Users are pack rats, and any network administrator worth his salt knows it. Users keep the most obscure documents in the most obscure locations on the network. Documents from the late 90s can probably be found on any network that has been running since then, and realistically, how useful is that document? It isn't the space itself the network admins are trying to wrangle, it's the pack-ratting. In my opinion there are far better ways to do this. For instance, you can use a collaboration service like SharePoint and have all documents stored on that server. Space these days is so cheap that adding a few terabytes isn't going to blow the budget. Keeping documents in one place also stops your network from having eight versions of the same document floating around, which reduces the chance that someone sends an out-of-date copy to a client.

Ultimately you shouldn't limit storage. It is entirely too cheap; you just need better ways of organizing it.

Account lock outs

How many people reading this type their password in twice, then cringe and type it the third time REALLY slowly? Overly strict account lockout policies create more chaos than they prevent. The old adage was three attempts and you're done. There are so many problems with this that starting on them could be a whole new post, but I will give you a couple of reasons to loosen the grip on account lockout policies.

One major reason is that with a threshold that low, users can easily trip it three times and force you to go in and unlock them. It also makes it really easy to deny service to the whole company. Want to cause complete chaos? Get a list of users (easy enough once you are on the network, since the directory will usually hand it to you) and fail logons against each of them until they lock, admins included.

The other reason it should be loosened is that people increasingly use their accounts for software that needs network access: services, scheduled tasks, mapped drives, mobile mail clients. If you have a policy to change the password every 90 days, every stored copy of the old password keeps retrying and locks the account; those are software lockouts, not attacks. If you are worried about brute force attacks, a threshold of around 50 is a reasonable limit, paired with a counter-reset window and a lockout duration so accounts unlock themselves. An online guessing attack that is throttled by lockout gets only that many guesses per account per lockout window, so 50 is still a low number in that scenario; the attacks that try THOUSANDS of passwords in a couple of seconds run offline against a stolen hash, and no lockout threshold touches them at all. What a per-account threshold does not stop is password spraying, one common password tried once against every account, which is also exactly the shape a lockout DoS takes; watch for that by source rather than by account.
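To make the two arguments concrete, here is an added example (not code from the original post) that models the three knobs a Windows domain lockout policy exposes, threshold, counter-reset window and lockout duration, and runs an old three-strikes policy and a 50-strike policy over a constructed set of logon events: one user mistyping her password, one source failing three times against each of eight enumerated accounts, and one source guessing 200 passwords against a single account in two seconds. The account names, addresses, timings and policy values are all assumed. It also includes the per-source check that catches the enumeration pattern, which no per-account threshold can see.

```python
"""Account lockout policy evaluator plus lockout-DoS / password-spray detector.

Added example for this post, not code from the original. It models the three
knobs a Windows domain lockout policy exposes (threshold, counter reset window,
lockout duration) and runs them over a constructed set of logon events.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    threshold: int         # failed logons before lockout (0 = never lock)
    reset_after: int       # seconds of quiet before the failure counter resets
    lockout_duration: int  # seconds the account stays locked


@dataclass
class AccountState:
    failures: int = 0
    last_failure: float = -1e9
    locked_until: float = -1e9


# Assumed policies: the old "3 strikes" rule and the looser one the post suggests.
STRICT = LockoutPolicy(threshold=3, reset_after=1800, lockout_duration=1800)
LOOSE = LockoutPolicy(threshold=50, reset_after=900, lockout_duration=900)


def _constructed_events():
    """Synthetic logon events: (timestamp_s, user, source_ip, success)."""
    ev = []
    # alice fat-fingers her password three times, then gets it right.
    ev += [(10, "alice", "10.0.1.15", False), (15, "alice", "10.0.1.15", False),
           (20, "alice", "10.0.1.15", False), (25, "alice", "10.0.1.15", True)]
    # 10.0.9.200 fails three times against each of eight enumerated accounts:
    # a lockout-DoS (or a password spray; same shape on the wire).
    for k, user in enumerate(["bob", "carol", "erin", "frank",
                              "grace", "heidi", "ivan", "judy"]):
        for n in range(3):
            ev.append((500 + 2 * k + 0.5 * n, user, "10.0.9.200", False))
    # 10.0.9.201 runs an online brute force against dave: 200 guesses in 2 s.
    for i in range(200):
        ev.append((1000 + 0.01 * i, "dave", "10.0.9.201", False))
    return ev


EVENTS = _constructed_events()


def evaluate(events, policy):
    """Apply the policy; return lockouts and how many guesses each account absorbed."""
    state = defaultdict(AccountState)
    lockouts, counted = [], defaultdict(int)
    for ts, user, src, ok in sorted(events):
        s = state[user]
        if ts < s.locked_until:
            continue                       # rejected outright; does not count
        if ok:
            s.failures = 0
            continue
        if ts - s.last_failure > policy.reset_after:
            s.failures = 0                 # observation window expired
        s.failures += 1
        s.last_failure = ts
        counted[user] += 1
        if policy.threshold and s.failures >= policy.threshold:
            s.locked_until = ts + policy.lockout_duration
            s.failures = 0
            lockouts.append((ts, user, src))
    return {"lockouts": lockouts, "counted": dict(counted)}


def detect_spray(events, min_accounts=5, window=300):
    """Flag sources whose failures touch >= min_accounts distinct users within window s.

    Per-account lockout cannot see this pattern; only a per-source view can.
    Returns {source_ip: max distinct accounts seen in one window}.
    """
    by_src = defaultdict(list)
    for ts, user, src, ok in events:
        if not ok:
            by_src[src].append((ts, user))
    flagged = {}
    for src, fails in by_src.items():
        fails.sort()
        i = 0
        for j in range(len(fails)):
            while fails[j][0] - fails[i][0] > window:
                i += 1
            users = {u for _, u in fails[i:j + 1]}
            if len(users) >= min_accounts:
                flagged[src] = max(flagged.get(src, 0), len(users))
    return flagged


if __name__ == "__main__":
    for name, pol in (("strict", STRICT), ("loose", LOOSE)):
        r = evaluate(EVENTS, pol)
        print(f"{name}: {len(r['lockouts'])} lockouts, "
              f"dave absorbed {r['counted'].get('dave', 0)} guesses")
    print("spray sources:", detect_spray(EVENTS))
```

Run stand-alone it shows the three-strikes policy producing ten lockouts (the mistyped one, the eight sprayed accounts and the brute-force target) while the 50-strike policy locks only the brute-force target, and that even then the attacker got exactly 50 guesses before the account closed; the spray detector flags only 10.0.9.200. That is the trade the post is describing: a higher threshold barely changes what an online guesser gets, and it stops one bad actor with a user list from locking out the directory.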

Limiting open source software/or software in general

Limiting employees from using software has its place, and I fully understand you don't want users running bittorrent clients, but let's be realistic here. In the case of open source it is usually free (as in beer), and the users are comfortable with it, which makes them more efficient, which in turn gets their work done faster. Users should be aware that any software they wish to have installed will not be supported by the Network Administrators or the Help Desk or whatever they are called in your organization. Users need to self-help on this stuff; obviously your team doesn't have time to support every piece of software known to man. Nonetheless, many of the OSS tools out there are better than the ones most enterprises rely on. Off the top of my head, 7-Zip's 7z format compresses noticeably better than plain zip. So give some of the tools a try and see if they hurt anything; most times they won't. Unsupported shouldn't mean unvetted, though: insist that installers come from the project's own site, match the published hash or signature, and get updated, because a self-installed tool nobody patches is the classic way an otherwise tidy workstation gets compromised.

I hope you enjoyed this, and if you are a network admin, I hope you will take these into consideration in your own environment.
