[itdiscuss] Need advice
Dayron Daugherty
ddaugherty at precept.org
Mon Jul 6 15:26:38 EDT 2009
Our policy is if it is on the network it is managed by IT. We have some
video editing computers that the media department insisted not be
managed by IT and gave some sound technical reasons. However, they also
agreed those computers were not going to be a part of our domain, or on
the internet. They purchased all the equipment needed for this config.
They are now part of their own network that is separated by a
multi-homed server. The standard protections are configured on that
multi-homed server (antivirus and such). The workgroup that is not
managed by IT can communicate with that server. However, routing is
configured where that group cannot pass beyond that server to the
corporate subnet and can only access shares on that server. Those on the
corporate subnet can access that server's shared folders as well. That
is how data is exchanged between the 2. Keep in mind this configuration
is due to the highly specialized requirements of our video editing
department and the server mentioned above is designed for this specific
purpose, though you could cook up the same configuration by adding an
additional network card in a server you have available to act as the
router between 2 networks.
All others here that do not require a specialized configuration are part
of our domain, and adhere to the same group policies, updates, etc. that
everyone else does. I would request a specific, bulleted list be made
as to why those computers should not be centrally managed. When we have
had these kinds of requests by other departments the reasons tend to
have workable solutions that work from an infrastructure and user
perspective.
From: discuss-bounces at itdiscuss.org
[mailto:discuss-bounces at itdiscuss.org] On Behalf Of Rob Shaw
Sent: Monday, July 06, 2009 12:52 PM
To: IT Discussion Forum
Subject: Re: [itdiscuss] Need advice
Thank you, Ken. To everyone else, if you have a strong opinion on this
(either way), please drop me an email on this even if someone else has
already voiced your viewpoint, as it would be helpful to hear from as
many churches as possible.
Thanks!
From: discuss-bounces at itdiscuss.org
[mailto:discuss-bounces at itdiscuss.org] On Behalf Of Thompson, Ken
Sent: Monday, July 06, 2009 12:37 PM
To: 'IT Discussion Forum'
Subject: Re: [itdiscuss] Need advice
Nope, if not on our domain, can't get to file shares or network devices.
We're looking to implement Network Access Protection soon. Might be able
to change this at that point. We understand that NAP should give us more
options as it will pre-screen a system before it can get on the domain
and / or access network devices. But, don't think it'll work for Macs.
Updating monthly seems terribly long these days - seems that malware
issues are on the rise and one would want to exert more care rather than
less.
We can empathize with the desire but it is a fallen world and security
is a "necessary evil" if Greenwood is going to demonstrate good
stewardship in providing safe computing for all staff and church
members. I doubt that the Worship and Arts staff would want to be
responsible for compromising the Greenwood network and exposing staff,
member and visitor information to hackers - which could happen were one
of their systems to be compromised and then that compromised data passed
into the network via the file share.
Another option for file sharing in a more "open" environment is to use
an application like SharePoint. We're looking at this for all staff,
missionaries and ministry partners. Then SharePoint handles the security
pieces, scanning files, etc. This might be the better way to go if you
can't fight the security battle mentioned above.
Ken Thompson
IT Manager, Mission to the World
From: discuss-bounces at itdiscuss.org
[mailto:discuss-bounces at itdiscuss.org] On Behalf Of Rob Shaw
Sent: Monday, July 06, 2009 11:55 AM
To: discuss at itdiscuss.org
Subject: [itdiscuss] Need advice
Our Worship Arts dept is insisting they have some computers they believe
have no need to be on the network or under IT's protection ("control" is
actually the word they used). But they still want to be able to
transfer files between networked and non-networked PCs.
I am wondering if anyone else is in this situation and how you handle
the non-controlled (or less controlled) PCs in your environment (PCs
include Macs, too)?
As a compromise, I am currently thinking that even these computers
should be networked (for their stated need, as well), but can be outside
of the regular nightly updates and would only be updated monthly(?).
Additionally, these PCs would be outside of the usual desktop control.
And one person in their department (the most computer-savvy), would be
given local admin rights on their PCs (giving them the faster/instant
service) but would be responsible for reporting to me anything they
needed to do with these rights on any of their computers. And above all,
EVERY PC would maintain proper antivirus protection (currently using
SOPHOS on Macs and PCs).
PLEASE... any thoughts or suggestions???!!