If an application is a known problem or contains potential dangers, or if the employee repeatedly downloads and installs unapproved software and is recalcitrant, "imposing some sort of sanctions seems appropriate," King says. These sanctions could range from formally noting the warning or event in the worker's file to building a case for suspension or dismissal. "Knowingly exposing an organization's IT assets or data to potential dangers is unnecessary and arrogant, and deserves to be addressed," he explains.
A number of organizations are successfully walking this line. Here's how four IT organizations are locking down their desktops while providing some flexibility for employees to do their jobs.
St. Luke's Hospital: Standardization with flexibility
Consistency across a large organization can be difficult. With 10 locations throughout Idaho, Saint Luke's Health System has been extremely careful about its standard desktop. For infrastructure manager Eric Johnson, one important goal was to give doctors and other staff flexibility around which hardware they can use -- from a list of approved devices -- and where they may work within the hospital.
"In moving from Novell to Microsoft for our back end, we had a blank slate," says Johnson. The organization decided to move from systems-based downloads for applications to user-based downloads. In other words, end users can choose from a library of pre-approved software that they download themselves.
This has led to significant time savings, he says. He declined to quantify the savings, but says it is mostly about freeing up IT staff to focus on managing the library rather than doing "one-off" application installs. He says the most significant challenge involves apps that are not yet in the repository but that a department might need; the IT staff has to deal with these on a case-by-case basis.
St. Luke's uses application virtualization software from BeyondTrust called PowerBroker Desktops. The rules-based engine can remove administrative rights from the user's desktop so that the person cannot install applications, and it watches for errant installs that did not complete correctly. A dashboard matches the look and feel of other Microsoft data center tools.
Johnson says his team uses PowerBroker to manage about 8,000 desktops in 90 buildings. He says the company has settled on Windows XP SP3, Office 2007, Adobe Flash, Microsoft Silverlight, the Citrix client and Microsoft Live Meeting as the core of its standard desktop.
A new employee is added to multiple groups as appropriate -- say, advertising, marketing and general business. For each group, the employee can then download multiple applications from the approved list, receive the file permissions needed to access the network servers for those applications and configure some options locally, such as IE toolbars and Outlook menus.
St. Luke's uses a committee approach to choosing the core software included in its standard desktop. For example, in choosing Live Meeting, Johnson said six different departments gave recommendations by looking at popular videoconferencing systems. They came to a consensus, and then IT started its testing and final approval process.
One other challenge at St. Luke's, and for most companies dealing with a standard desktop, has to do with versioning. The hospitals use a core image for the base OS and apps, and tend to stick with one version for long periods. Yet Johnson says the hospital manages about 22 different versions of Java through application virtualization -- and this argues against including Java in a standard desktop.