[unisog] Google Desktop (cNET inquiry)

Gary Flynn flynngn at jmu.edu
Wed Feb 15 16:25:07 GMT 2006

Michael Holstein wrote:

>>I would tend to agree. But I believe the technical solution
>>to enforce a policy about software installations should
>>involve the actual installation process, not some Rube
>>Goldberg after the fact network solution.
> If you have everyone in the same domain, this is easy with GPO or 
> whatever else you might use (we, for example, block the .exe from running).
> This, however, doesn't catch everyone -- since there are plenty of
> professors, etc. that might have what's considered "sensitive" data
> (like a class roster, grades, whatever) on a PC that's not in the domain.
> I agree that any policy must come from "up on high" and be enforced 
> unilaterally -- but you're always going to have somebody that "needs 
> admin rights", or has some goofy gas chromatograph that needs to run on
> Windows 95.
> At a previous employer, we contemplated disabling the "usb mass
> storage" drivers in Windows to prevent information leakage by lost 
> thumbdrives .. but the outcry quickly quashed that idea.
> Short of making everyone use Citrix (or dumb Xterms), you're never going 
> to be able to force them into acting right. It's that never-ending 
> balance between security and usability -- I mean "fluffy is so cute, 
> I've just gotta have him as my desktop wallpaper".

Agreed. And it may be that if 85% of the computers are
addressed with desktop configuration management, then
security awareness would be sufficient to address the
residual risk associated with the other 15%. Or maybe
not, and a network-based solution would be needed.

I was arguing against a purely network solution to a
desktop/operator problem. Simple, direct solutions
are sometimes discarded because they don't solve all
the problems or cause problems for a few (while
benefiting the many).

Gary Flynn
Security Engineer
James Madison University

