Network Administrators: Why We BREAK Harsh Rules

by kaigeX

I was bothered by some of the arguments put forth in 22:4 in the article Network Administrators: Why We Make Harsh Rules.  Here I offer my perspective on the policies and justifications laid out in the original article.

A lot of the original author's argument seemed to boil down to "We make harsh rules to make our lives easier" and/or "We make harsh rules to protect ourselves."

Neither of these arguments flies.  I appreciate that IT can be a difficult job, but if the harsh rules you're imposing to make your lives easier or cover your asses make life much harder for everybody else, then they just aren't appropriate.  It does suck.

To be fair, the author points out that there are some unsecured computers available, but to the security-minded that probably isn't a viable alternative, since using those computers may incur an unacceptable level of risk: they are, by definition, unsecured.

He also makes the point that they are pretty lenient about approving things needed for work purposes.  Unfortunately, many companies are not so lenient.

In addition, it is often the case that the overhead of getting approval is too high to be practical in the course of a workday.

I know that at my college it is very hard to actually get exceptions made or to get software installed.  As a result, the vast majority of students have to waste a lot of time finding alternate methods of completing their tasks or, more often, just bring in their own laptops.

Another argument in the article is that it is necessary to have these Draconian rules to protect everyone from network downtime.  I agree to an extent.

But ask yourself - what is the real problem with network downtime?  It is that there is a substantial loss of productivity.  Thus, if the rules are so strict that they cause a loss of productivity from day to day then this becomes a balancing act because you may cumulatively lose as much productivity over time as you lose responding to network incidents when they occur.

The argument that bothers me the most was the suggestion that "If someone is doing something personal and not causing a problem, we probably aren't going to even notice."

This basic argument can be found in every nook and cranny of society, branching from network security rules to corporate policy and even into the legal system.  It basically seems to be saying "We realize the rules are harsh, but we are tacitly okay with you breaking them, except when we're not."

In many cases it is necessary and expected that the rules be broken in the course of normal business and that the user/employee/citizen/whatever assumes the company will enforce them fairly.

Think about the speed limit on the highway - almost everybody I know speeds most of the time.  In general it is okay.  But sometimes you get a ticket for it.  It really upsets me that so many systems seem to be in place where the rules are made overly harsh and then expectations are set up counter to the rules.

To briefly address the actual list of rules:

1.)  Use the network for business purposes only.  This is ridiculous and obviously any company knows it is constantly being broken.  To expect your users to not even surf the web is ludicrous, especially on their break time.

2.)  No one hooks up other devices to the network without permission (i.e., laptops, PDAs, thumb drives, wireless peripherals, etc.)  I understand this and mostly agree with it, but there are many cases where some type of removable storage may well be necessary and the burden of getting each device scanned and approved each time you want to use it is a bit harsh.  This is especially true since part of the solution to the restrictive policy was that users could use the non-secured computers... but how do they get their software over to them without a removable storage device?  I hope they're not on the same network as the secured machines...

3.)  No one installs their own software or does installs besides me.  I understand this, but I loathe it.  Those users who have a decent understanding of copyright and security should probably be delegated this ability.  Granted, figuring out who can be trusted in this regard may be difficult, but in my experience the resulting loss of productivity due to this type of rule is staggering.  Also, I think it would be easy enough to say that the IT department is not expected to support user-installed software.

4.)  No one connects to personal email, either through a software client (i.e., Outlook Express) or through a web interface.  I've violated this rule at every job that's had it and disagree with it entirely.  Email is only a virus vector when used inappropriately.  Why not just a rule that users cannot download attachments from their personal emails?

5.)  No one uses chat software.  This is a real shame.  Yes, chat software can cause a loss of productivity because people use it to chat with friends, but it can also be a powerful communication tool within the workplace.  The places I have worked that allowed chat between employees seemed to have a much more organized and cohesive understanding of projects and the like as a result.  The mere fact that many of these clients can be used for file transfer does not seem to be a justification at all - in AIM, for example, it is easy to disable direct connections and file transfers but still allow chats.

6.)  No one uses file sharing software (i.e., Kazaa).  Okay, this one I agree with.  Except in rare situations I cannot see good job-related uses for these services and they can be a severe drain on bandwidth, especially upstream.

7.)  No use of Internet radio or downloading of music or video files unless related strictly for work purposes.  I can also agree with this, mostly for the same reasons as the above.

8.)  No copyright infringement.  This should go without saying, especially in a workplace.  That said, many places I have worked routinely required various forms of copyright infringement.  This was especially true for Microsoft products, where I was told we had a license and we were covered fine to use multiple copies even though on the face of it I was performing an illegal install.  I tried complaining, but was basically told that this is how things work and since I need the software, I had to install it.  I guess I just trust that the company is telling the truth and that I won't be responsible.  Of course, were it ever to come to court it would have been me who installed it, so...

9.)  No attempting to circumvent the current security systems or hacking.  LOL.  Yeah, right.  With such a ridiculously Draconian ruleset I suspect I would be expected to violate some of these rules at least some of the time.  Now I can understand the provision against hacking, especially as it pertains to hacking other users or entities outside the company, but if it takes a hack to do something I think is perfectly reasonable, I'll probably do it.

10.)  We make it clear that we offer no expectation of privacy on our network.  I really hate this.  Many organizations just use the blanket notion of removing all expectations of privacy to cover those few circumstances where they actually need the authority.  Yes, it is easier to operate with no expectation of privacy - hell, the U.S. government is clearly pushing for this - but that doesn't make it appropriate or moral.

11.)  All executable and ZIP files are blocked at the firewall.  Unfortunately I am going to say this rule is okay.  This is a huge vector for viruses... of course, that is largely because so many organizations use Microsoft Outlook.

In closing, I quixotically hope that network administrators will eventually realize that trying to push extremely restrictive rules is a bad idea.

It would be much better to come up with more reasonable rules that do not conflict with the reality of the workplace and then to work to educate users and enforce these.

When you give out a list of excessively harsh rules that seem unjustified then:

  • Users are less likely to take them seriously since they are clearly being broken by everybody all the time.
  • Once they've had to break one a little, a user may well decide that they've already broken one so they might as well get the most out of it.
  • Users work to keep their actions as secret as possible, which is what causes the antagonistic relationship between users and IT.

So network admins out there who think that just by making really harsh rules you're helping things - think again.

(Oh, and as to running Windows 2000... you should probably stop doing that.  Windows 2000 is officially no longer supported by Microsoft, and notably that means no more security patches.  Granted, this is an attempt by Microsoft to force an upgrade, but running their software without the benefit of them at least fixing their most egregious (or at least public) mistakes via security updates is an especially bad idea.)