Locking down Workstation functionality...

Among many other responsibilities, we have a <100 workstation network, and have received reports that personnel are watching movies and streaming media when they should in fact be working. As this office requires flexibility with portable media and USB devices, we cannot deny this functionality without impeding productivity. Similarly, viewing video files for <10 secs each is required, so we cannot deny media players.

We are considering several ways of dealing with this in addition to formal warnings and locking down websites:

- Is there a way to disable headphones in Group Policy (thereby forcing all audio to be on the speakers)?

- Is there a cheap/free piece of remote monitoring software which is totally stealthy (i.e. no advertised task or obvious process?) where the workstations can be viewed by Supervisors and Management?

- Any other ideas?

(Server 2008 domain, with Win 7 Pro/Ultimate workstations)

Thanks in advance!
 
First thing to do is remove admin rights, then set up Group Policy to control what people can do.

- Is there a way to disable headphones in Group Policy (thereby forcing all audio to be on the speakers)?
I can't think of a way to disable them; however, there are smarter people than me out there. Maybe something in the BIOS to disable audio jacks. Otherwise the best option is to physically disable them or bung them up, but given enough time and energy, easy to fix.

- Is there a cheap/free piece of remote monitoring software which is totally stealthy (i.e. no advertised task or obvious process?) where the workstations can be viewed by Supervisors and Management?
First thing on this is to talk to HR before you implement anything; this could get you into a lot of trouble. VNC comes to mind: you can rename the executable to something system-related and use regedit to hide the system icon, or do the reverse and have the PCs stream the desktop image to a server somewhere.

- Any other ideas?
Streaming media: have you not set up a proxy and/or firewall to allow only certain sites for streaming media?
Regarding video files, you could set up a script to run every 1 minute to check if the processes for Media Player / VLC / Media Player Classic etc. are running, then terminate them, and have the script run continuously.

Edit: one thought is to completely disable all the audio via the BIOS, and then only allow audio via external USB audio sound cards. If they're desperate they'll pay the cost to get the same model; you should be able to allow this for certain people if needed.
 
Without knowing your business it's hard to know how far you can go without disrupting people from actually doing work, but make sure you have some kind of policy in place regarding computer and internet use. Without that you have nothing to enforce.

I'd suggest getting a proxy of some kind. If these people are using bandwidth to the point that it is affecting other people's productivity then you really need to get a handle on it.
You really don't want to be heading down the formal warning route yet, it's pretty distasteful and shouldn't need to get to that point.
Before we had any decent blocking in place, but did have the ability to log traffic, our IT Security guy took a novel approach which we found to work well:
> From the logs, he found the people abusing internet access (It sounds like you know who they are, so can skip this step).
> Send them an E-Mail along the lines of 'We've noticed an unusual amount of internet access from your workstation, and need to send an IT bod to check for viruses, etc'
> If they aren't a complete idiot they will see the thinly veiled message, and stop.

However, if they're bringing in their own media to watch on USB/DVD then you're looking at some premeditated slacking.
We use port control software, but don't have a great deal of portable media to deal with that isn't provided by ourselves. You would have to research it, but it's possible you could offload temporary whitelisting to managers and have them vet the DVD/USB stick instead.
Or have workstations that are specifically whitelisted (maybe the manager's machine) for any device (keep that AV up to date!) where people go to copy the data off to be worked on from their own workstation.


We've found that managers often want an IT solution so that they don't have to actually manage their staff. As I've found myself saying far too much - 'We aren't the internet police'. We'll provide reports on request, and block stuff that could be harmful to the business as a whole, but we won't manage an individual's usage.
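
Added example (not part of the original post or written by its author): one way to produce the kind of on-request report described above, by totalling streaming-media bytes per workstation from proxy logs. It assumes Squid's native access.log layout, since the thread names no proxy product; the sample lines, addresses and the 5 MB threshold are constructed.

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log layout (assumption:
# the thread does not name a proxy product). Fields: time elapsed client
# result/status bytes method URL user hierarchy/peer content-type
SAMPLE_LOG = """\
1300000000.101 5021 10.0.0.21 TCP_MISS/200 48500000 GET http://video.example/stream/a.mp4 - DIRECT/192.0.2.10 video/mp4
1300000004.250 120 10.0.0.34 TCP_MISS/200 15200 GET http://intranet.example/ - DIRECT/192.0.2.20 text/html
1300000010.900 8100 10.0.0.21 TCP_MISS/200 61000000 GET http://video.example/stream/b.mp4 - DIRECT/192.0.2.10 video/mp4
1300000015.000 300 10.0.0.34 TCP_MISS/200 900000 GET http://video.example/clip.flv - DIRECT/192.0.2.10 video/x-flv
1300000020.400 2500 10.0.0.47 TCP_MISS/200 7300000 GET http://radio.example/live - DIRECT/192.0.2.30 audio/mpeg
1300000021.000 10 10.0.0.47 TCP_DENIED/403 1400 GET http://blocked.example/ - NONE/- text/html
this line is truncated
"""

MEDIA_PREFIXES = ("video/", "audio/")


def media_bytes_by_client(log_text):
    """Sum bytes delivered per client IP for video/audio responses only."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # skip truncated or malformed lines
        client, result, size, mime = fields[2], fields[3], fields[4], fields[9]
        if result.startswith("TCP_DENIED") or not size.isdigit():
            continue  # blocked requests delivered no media
        if mime.lower().startswith(MEDIA_PREFIXES):
            totals[client] += int(size)
    return dict(totals)


def heavy_media_clients(log_text, threshold_bytes):
    """Return (client, bytes) pairs at or above the threshold, largest first."""
    totals = media_bytes_by_client(log_text)
    heavy = [(c, b) for c, b in totals.items() if b >= threshold_bytes]
    return sorted(heavy, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    # The 5 MB threshold is an arbitrary illustrative value.
    for client, total in heavy_media_clients(SAMPLE_LOG, 5_000_000):
        print(f"{client}\t{total / 1_000_000:.1f} MB of streaming media")
```

The threshold keeps short, work-related clips out of the report, so only sustained streaming shows up.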
 
I second Little Crow's comments. We are not the "internet police". I would suggest verifying the company's legal standing and then implementing a firewall/proxy.