A MUST change in computer setup
Posted: Mon Mar 07, 2011 9:30 am
I'm not sure if this is the right category or not, but there is a serious problem with the Church's current computer setup guidelines. Having one generic Admin account on the computer that nearly everyone in the Ward knows the password to is a very BAD idea. This posses several problems.
First, at almost all times anyone logged on to the computer is running as an Admin. The opens up all kinds of virus and malware possibilities. If you just set up a single Admin account, and then set up the "Clerk" account as a standard account (assuming Windows 7), MLS works just fine and everything is peachy. Anyone using the computer can't simply install any application any time they feel like it. I set our new computer up like this, and I intend to provide the password to the Bishopric and Stake only. No one else needs that password, but can still use the regular "Clerk" account to log onto the computer, create documents, and run MLS. This doesn't work on XP (for reasons I won't discuss), but as new computer should have the option of Windows 7 and MLS now supports Windows 7, this shouldn't be a problem going forward.
Secondly, just as the first point made, anyone can do anything to the computer! Anyone!! Does this not just scream problem to anyone else? I understand needing an account that all Stake and necessary Ward leader can use is important, but it doesn't have to be done this way.
Third, I know we're not supposed leave confidential records on the computer, but having one copy of these records is a bad idea. If you change to this setup, this is no longer a problem because standard users can't access an Admin's documents. That way the documents are on the computer, and backed up on a thumb drive that the Bishop maintains. Personally, just to add a second layer of security, I use TrueCrypt (which is free and the Church should ABSOLUTELY be using for confidential documents) and create a secure, password protected volume and I, and I alone, have access to. I can then place my confidential documents inside this volume and keep them safe from any snooping eyes.
Now, I realize we all want to think this would never be a problem, and that no one would every maliciously or unintentionally harm our computers. But the fact is that is happens! And just implementing this simple change would make worlds of difference. Last time I checked 90+% of viruses and malware are defeated on Windows systems when the user is logged in with a Standard account rather than an Admin account. That's basically better protection than Sophos or whatever that AV junk is.
So, take it for what it's worth, but speaking from the years of experience in vulnerability and systems assessment, we in the Church are not setting up our computers in a very good manner and we need to change that!
First, at almost all times anyone logged on to the computer is running as an Admin. The opens up all kinds of virus and malware possibilities. If you just set up a single Admin account, and then set up the "Clerk" account as a standard account (assuming Windows 7), MLS works just fine and everything is peachy. Anyone using the computer can't simply install any application any time they feel like it. I set our new computer up like this, and I intend to provide the password to the Bishopric and Stake only. No one else needs that password, but can still use the regular "Clerk" account to log onto the computer, create documents, and run MLS. This doesn't work on XP (for reasons I won't discuss), but as new computer should have the option of Windows 7 and MLS now supports Windows 7, this shouldn't be a problem going forward.
Secondly, just as the first point made, anyone can do anything to the computer! Anyone!! Does this not just scream problem to anyone else? I understand needing an account that all Stake and necessary Ward leader can use is important, but it doesn't have to be done this way.
Third, I know we're not supposed leave confidential records on the computer, but having one copy of these records is a bad idea. If you change to this setup, this is no longer a problem because standard users can't access an Admin's documents. That way the documents are on the computer, and backed up on a thumb drive that the Bishop maintains. Personally, just to add a second layer of security, I use TrueCrypt (which is free and the Church should ABSOLUTELY be using for confidential documents) and create a secure, password protected volume and I, and I alone, have access to. I can then place my confidential documents inside this volume and keep them safe from any snooping eyes.
Now, I realize we all want to think this would never be a problem, and that no one would every maliciously or unintentionally harm our computers. But the fact is that is happens! And just implementing this simple change would make worlds of difference. Last time I checked 90+% of viruses and malware are defeated on Windows systems when the user is logged in with a Standard account rather than an Admin account. That's basically better protection than Sophos or whatever that AV junk is.
So, take it for what it's worth, but speaking from the years of experience in vulnerability and systems assessment, we in the Church are not setting up our computers in a very good manner and we need to change that!