Forbidding itunes

Discussion in 'Computer Security' started by choowie, Jan 23, 2008.

  1. choowie

    choowie Guest

    Hi there,

    I need to forbid itunes in my company. Users have already been warned not to
    install it but I believe we can't trust them.

    On the filtering proxy, I blacklisted phobos.apple.com so users can't go to
    itunes store anymore. That should stop 80% of the people.

    Regarding downloads, they still work because a podcast to "NBC Today Show"
    for example goes directly through NBC.com. So I guess, there's not much I
    can do more, right?

    But is there a way where I can forbid people to register to new podcasts?

    Cheers,

    --
    Choowie
     
    choowie, Jan 23, 2008
    #1

  2. choowie

    Todd H. Guest

    "choowie" <> writes:

    > Hi there,
    >
    > I need to forbid itunes in my company. Users have already been warned not to
    > install it but I believe we can't trust them.


    First, why? What is the business issue? Not wanting external devices
    plugged into the computer? Bandwidth associated with downloads? Core
    business interrupted by someone listening to music? What about
    Windows Media Player?

    > On the filtering proxy, I blacklisted phobos.apple.com so users can't go to
    > itunes store anymore. That should stop 80% of the people.


    ITunes certainly runs without being able to contact the itunes store.


    > Regarding downloads, they still work because a podcast to "NBC Today Show"
    > for example goes directly through NBC.com. So I guess, there's not much I
    > can do more, right?


    Depends what you're really trying to accomplish and why.

    > But is there a way where I can forbid people to register to new
    > podcasts?


    Depending on what sort of gateway protection you have in place there
    are products you can tell to say block mp3 file downloads period.
    But I for one wouldn't be too excited about working for a company with
    such an authoritarian approach to IT, and I suspect I'm not alone.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Jan 23, 2008
    #2

  3. choowie

    Colin B. Guest

    choowie <> wrote:
    > Hi there,
    >
    > I need to forbid itunes in my company. Users have already been warned not to
    > install it but I believe we can't trust them.


    This is a self-fulfilling prophecy. If you don't think you can trust
    your users, then eventually all of the ones you CAN trust will leave
    in disgust for jobs where they're treated like grown-ups.
     
    Colin B., Jan 23, 2008
    #3
  4. choowie

    choowie Guest

    "Todd H." <> wrote in message
    news:...
    > "choowie" <> writes:
    >
    >> Hi there,
    >>
    >> I need to forbid itunes in my company. Users have already been warned not to
    >> install it but I believe we can't trust them.

    >
    > First, why? What is the business issue? Not wanting external devices
    > plugged into the computer?

    Indeed + itunes already conflicted with other business software.

    > Bandwidth associated with downloads?

    As well.

    > Core
    > business interrupted by someone listening to music? What about
    > Windows Media Player?

    Don't care about people not working or listening to MP3 while working. This
    is not a security issue. Same as watching porn. Don't care unless they go to
    porn sites from which they download malware or if they go to illegal porn.
    Not judging the moral here.

    >
    >> On the filtering proxy, I blacklisted phobos.apple.com so users can't go to
    >> itunes store anymore. That should stop 80% of the people.

    >
    > ITunes certainly runs without being able to contact the itunes store.

    Yes but it limits users from registering to video podcasts. Few have the
    knowledge to understand they can get podcasts from other places than itunes.

    >
    >
    >> Regarding downloads, they still work because a podcast to "NBC Today Show"
    >> for example goes directly through NBC.com. So I guess, there's not much I
    >> can do more, right?

    >
    > Depends what you're really trying to accomplish and why.
    >
    >> But is there a way where I can forbid people to register to new
    >> podcasts?

    >
    > Depending on what sort of gateway protection you have in place there
    > are products you can tell to say block mp3 file downloads period.

    The size of MP3s is usually small compared to video podcasts. Video is more of
    the issue here but some videos are used for business purposes. YouTube and
    Dailymotion are bandwidth killers and have been filtered out.
    More simply, I'll sniff what happens when a podcast is registered and create
    a rule on proxy for it.

    Cheers.
     
    choowie, Jan 23, 2008
    #4
  5. choowie

    choowie Guest

    "Colin B." <> wrote in message
    news:W_Klj.832$jw.650@pd7urf2no...
    > choowie <> wrote:
    >> Hi there,
    >>
    >> I need to forbid itunes in my company. Users have already been warned not to
    >> install it but I believe we can't trust them.

    >
    > This is a self-fulfilling prophecy. If you don't think you can trust
    > your users, then eventually all of the ones you CAN trust will leave
    > in disgust for jobs where they're treated like grown-ups.
    >


    You don't know anything about the context which led to such restrictions.
    Please provide technical advice, not a moral judgement.
     
    choowie, Jan 23, 2008
    #5
  6. From: "Todd H." <>

    | "choowie" <> writes:
    |
    >> Hi there,
    >>
    >> I need to forbid itunes in my company. Users have already been warned not to
    >> install it but I believe we can't trust them.

    |
    | First, why? What is the business issue? Not wanting external devices
    | plugged into the computer? Bandwidth associated with downloads? Core
    | business interrupted by someone listening to music? What about
    | Windows Media Player?
    |
    >> On the filtering proxy, I blacklisted phobos.apple.com so users can't go to
    >> itunes store anymore. That should stop 80% of the people.

    |
    | ITunes certainly runs without being able to contact the itunes store.
    |
    >> Regarding downloads, they still work because a podcast to "NBC Today Show"
    >> for example goes directly through NBC.com. So I guess, there's not much I
    >> can do more, right?

    |
    | Depends what you're really trying to accomplish and why.
    |
    >> But is there a way where I can forbid people to register to new
    >> podcasts?

    |
    | Depending on what sort of gateway protection you have in place there
    | are products you can tell to say block mp3 file downloads period.
    | But I for one wouldn't be too excited about working for a company with
    | such an authoritarian approach to IT, and I suspect I'm not alone.
    |
    | Best Regards,

    Todd:

    This is TOTALLY understandable as we too have a corporate wide ban of iTunes software.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
     
    David H. Lipman, Jan 23, 2008
    #6
  7. David H. Lipman, Jan 23, 2008
    #7
  8. choowie

    Colin B. Guest

    David H. Lipman <DLipman~nospam~@verizon.net> wrote:
    > From: "Colin B." <>
    >
    >
    > |
    > | This is a self-fulfilling prophecy. If you don't think you can trust
    > | your users, then eventually all of the ones you CAN trust will leave
    > | in disgust for jobs where they're treated like grown-ups.
    >
    > Grownups who violate corporate policies on the use of company provided equipment SHOULD quit
    > or be fired.


    That was actually my point, in a roundabout way. Policy is usually a
    better solution than technical means. If you say, "No iTunes on company
    machines" then if someone installs iTunes, you discipline them, up to
    and including firing if appropriate. No need to waste cycles trying to
    add handcuffs. Applying software or network blocks is pretty much a big
    message saying, "we don't trust you to follow the rules." It takes time,
    effort, money, and creates a hostile environment. As often as not, it
    also interferes with people's actual work.

    To the OP, I don't really recommend any technical solutions (although here
    are a few options: Block all MP3s on the wire, remove admin privileges
    from users for their workstations so they can't install software, block
    traffic by port number or destination, and so on) because I don't think
    that it's a predominantly technical problem. You're trying to direct
    behaviour with technical means, and behaviour is almost always better
    managed with policy.

    Not trying to judge you here, just suggesting that it's not the right
    solution for your problem.

    Colin
     
    Colin B., Jan 23, 2008
    #8
  9. choowie

    Sebastian G. Guest

    Colin B. wrote:

    > remove admin privileges from users for their workstations so they can't
    > install software,


    That won't stop them from using installer-free software, software with
    working installers, patching installers or porting installed applications.

    The real solution, aside from the obvious necessity you stated, is to
    globally remove exec rights.

    > block traffic by port number or destination,


    Won't help against proxying and/or tunneling. Again, globally removing exec
    rights does the job.
     
    Sebastian G., Jan 23, 2008
    #9
  10. From: "Colin B." <>

    | David H. Lipman <DLipman~nospam~@verizon.net> wrote:
    >> From: "Colin B." <>
    >>

    |>> This is a self-fulfilling prophecy. If you don't think you can trust
    |>> your users, then eventually all of the ones you CAN trust will leave
    |>> in disgust for jobs where they're treated like grown-ups.
    >>
    >> Grownups who violate corporate policies on the use of company provided equipment SHOULD
    >> quit or be fired.

    |
    | That was actually my point, in a roundabout way. Policy is usually a
    | better solution than technical means. If you say, "No iTunes on company
    | machines" then if someone installs iTunes, you discipline them, up to
    | and including firing if appropriate. No need to waste cycles trying to
    | add handcuffs. Applying software or network blocks is pretty much a big
    | message saying, "we don't trust you to follow the rules." It takes time,
    | effort, money, and creates a hostile environment. As often as not, it
    | also interferes with people's actual work.
    |
    | To the OP, I don't really recommend any technical solutions (although here
    | are a few options: Block all MP3s on the wire, remove admin privileges
    | from users for their workstations so they can't install software, block
    | traffic by port number or destination, and so on) because I don't think
    | that it's a predominantly technical problem. You're trying to direct
    | behaviour with technical means, and behaviour is almost always better
    | managed with policy.
    |
    | Not trying to judge you here, just suggesting that it's not the right
    | solution for your problem.
    |
    | Colin

    I disagree. There are legal and technical ramifications of some software and it is proper
    for a corporation to not only make a statement, an Authorized Use Policy (AUP) is *BEST*,
    but to block software as well.

    You can NOT trust employees explicitly. It is a case that people just don't follow the rules
    and a company must protect their assets.

    Prevention is better than cure. Prevention starts with FireWall and Group Policies.

    This is my opinion and it is based upon experience.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
     
    David H. Lipman, Jan 23, 2008
    #10
  11. choowie

    Todd H. Guest

    "choowie" <> writes:

    > "Colin B." <> wrote in message
    > news:W_Klj.832$jw.650@pd7urf2no...
    > > choowie <> wrote:
    > >> Hi there,
    > >>
    > >> I need to forbid itunes in my company. Users have already been warned not to
    > >> install it but I believe we can't trust them.

    > >
    > > This is a self-fulfilling prophecy. If you don't think you can trust
    > > your users, then eventually all of the ones you CAN trust will leave
    > > in disgust for jobs where they're treated like grown-ups.
    > >

    >
    > You don't know anything about the context which led to such restrictions.
    > Please provide technical advice, not a moral judgement.


    I don't think Colin's words were a moral judgement--they did properly
    reflect how such restrictions affect morale and people's willingness to
    work for an employer. Depends entirely on the employees though.
    I know where I work, if people were unable to listen to music while
    they worked because of some corporate edict they'd all find somewhere
    else to work.

    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Jan 23, 2008
    #11
  12. On Jan 23, 4:51 pm, (Todd H.) wrote:
    > "choowie" <> writes:
    > > "Colin B." <> wrote in message
    > >news:W_Klj.832$jw.650@pd7urf2no...
    > > > choowie <> wrote:
    > > >> Hi there,

    >
    > > >> I need to forbid itunes in my company. Users have already been warned not to
    > > >> install it but I believe we can't trust them.

    >
    > > > This is a self-fulfilling prophecy. If you don't think you can trust
    > > > your users, then eventually all of the ones you CAN trust will leave
    > > > in disgust for jobs where they're treated like grown-ups.

    >
    > > You don't know anything about the context which led to such restrictions.
    > > Please provide technical advice, not a moral judgement.

    >
    > I don't think Colin's words were a moral judgement--they did properly
    > reflect how such restrictions affect morale and people's willingness to
    > work for an employer. Depends entirely on the employees though.
    > I know where I work, if people were unable to listen to music while
    > they worked because of some corporate edict they'd all find somewhere
    > else to work.
    >
    > --
    > Todd H.
    > http://www.toddh.net/


    SafeBoot (www.safeboot.com) includes application control software, so
    you could simply blacklist itunes and then it would never run, ever.

    S.
     
    SafeBoot Simon, Jan 24, 2008
    #12
  13. From: "SafeBoot Simon" <>


    |
    | SafeBoot (www.safeboot.com) includes application control software, so
    | you could simply blacklist itunes and then it would never run, ever.
    |
    | S.

    "Through a centralized management console, you establish security policies that control how
    users copy information to removable devices and media."

    Please show me how SafeBoot would blacklist iTunes and "...it would never run, ever.".

    From what I read this is a security end point control software to prevent
    sensitive/proprietary egress of information.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
     
    David H. Lipman, Jan 24, 2008
    #13
  14. choowie

    Sebastian G. Guest

    SafeBoot Simon wrote:


    > SafeBoot (www.safeboot.com) includes application control software, so
    > you could simply blacklist itunes and then it would never run, ever.



    And what exactly stops the user from modifying iTunes to circumvent the
    blacklist?

    At any rate, why should we listen to security advice from a guy who seems
    to abuse MSIE as a webbrowser?
     
    Sebastian G., Jan 24, 2008
    #14
  15. choowie

    eager Guest

    "Colin B." <> wrote in message
    news:W_Klj.832$jw.650@pd7urf2no...
    > choowie <> wrote:
    >> Hi there,
    >>
    >> I need to forbid itunes in my company. Users have already been warned not to
    >> install it but I believe we can't trust them.

    >
    > This is a self-fulfilling prophecy. If you don't think you can trust
    > your users, then eventually all of the ones you CAN trust will leave
    > in disgust for jobs where they're treated like grown-ups.
    >


    a grown up understands business policies and integrity.
     
    eager, Jan 28, 2008
    #15
  16. choowie

    eager Guest

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:FsPlj.10$%x.1@trnddc06...
    > From: "Colin B." <>
    >
    > | David H. Lipman <DLipman~nospam~@verizon.net> wrote:
    >>> From: "Colin B." <>
    >>>

    > |>> This is a self-fulfilling prophecy. If you don't think you can trust
    > |>> your users, then eventually all of the ones you CAN trust will leave
    > |>> in disgust for jobs where they're treated like grown-ups.
    >>>
    >>> Grownups who violate corporate policies on the use of company provided
    >>> equipment SHOULD
    >>> quit or be fired.

    > |
    > | That was actually my point, in a roundabout way. Policy is usually a
    > | better solution than technical means. If you say, "No iTunes on company
    > | machines" then if someone installs iTunes, you discipline them, up to
    > | and including firing if appropriate. No need to waste cycles trying to
    > | add handcuffs. Applying software or network blocks is pretty much a big
    > | message saying, "we don't trust you to follow the rules." It takes time,
    > | effort, money, and creates a hostile environment. As often as not, it
    > | also interferes with people's actual work.
    > |
    > | To the OP, I don't really recommend any technical solutions (although
    > here
    > | are a few options: Block all MP3s on the wire, remove admin privileges
    > | from users for their workstations so they can't install software, block
    > | traffic by port number or destination, and so on) because I don't think
    > | that it's a predominantly technical problem. You're trying to direct
    > | behaviour with technical means, and behaviour is almost always better
    > | managed with policy.
    > |
    > | Not trying to judge you here, just suggesting that it's not the right
    > | solution for your problem.
    > |
    > | Colin
    >
    > I disagree. There are legal and technical ramifications of some software
    > and it is proper
    > for a corporation to not only make a statement, an Authorized Use Policy
    > (AUP) is *BEST*,
    > but to block software as well.
    >
    > You can NOT trust employees explicitly. It is a case that people just
    > don't follow the rules
    > and a company must protect their assets.
    >
    > Prevention is better than cure. Prevention starts with FireWall and Group
    > Policies.
    >
    > This is my opinion and it is based upon experience.
    >
    > --
    > Dave
    > http://www.claymania.com/removal-trojan-adware.html
    > Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
    >
    >


    I totally agree.
    Give the users the minimum rights and permissions required to do their job.
    No more, no less.
     
    eager, Jan 28, 2008
    #16
  17. On Jan 23, 7:09 pm, "David H. Lipman" <DLipman~>
    wrote:
    > From: "SafeBoot Simon" <>
    >
    > |
    > | SafeBoot (www.safeboot.com) includes application control software, so
    > | you could simply blacklist itunes and then it would never run, ever.
    > |
    > | S.
    >
    > "Through a centralized management console, you establish security policies that control how
    > users copy information to removable devices and media."
    >
    > Please show me how SafeBoot would blacklist iTunes and "...it would never run, ever.".
    >


    The product also has signature based executable code control built in,
    so every time a piece of code tries to create a process we get to
    inspect it first and see if it's on a black or white list. If the
    code's not on the approved white list, we simply discard it so it
    never gets to execute. This is good for anything which runs, exe's,
    DLL's etc, anything which starts a process or thread. Of course it
    won't prevent macros from running or other interpreted code, but
    that's not its point. It's application control.
     
    SafeBoot Simon, Jan 29, 2008
    #17
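
An added illustration of the list check described in the post above (not SafeBoot's code and not from any poster): a process-start decision keyed on a digest of the executable image, compared in default-allow denylist mode and default-deny allowlist mode. The event model, file names and byte strings are constructed, and SHA-256 is an assumed choice of digest.

```python
import hashlib
from dataclasses import dataclass


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class ProcessStart:
    """Constructed model of what the control sees when a process is created."""
    image_name: str   # file name of the executable image
    image: bytes      # bytes of the image that is about to run
    script: str = ""  # script handed to an interpreter, if any (never hashed)


class ExecPolicy:
    """Hash-rule policy: 'denylist' is default-allow, 'allowlist' is default-deny."""

    def __init__(self, mode: str, hashes):
        if mode not in ("denylist", "allowlist"):
            raise ValueError(f"unknown mode: {mode}")
        self.mode = mode
        self.hashes = frozenset(hashes)

    def decide(self, ev: ProcessStart):
        listed = sha256(ev.image) in self.hashes
        if self.mode == "denylist":
            allowed = not listed
            reason = "hash on denylist" if listed else "hash unknown, default allow"
        else:
            allowed = listed
            reason = "hash on allowlist" if listed else "hash unknown, default deny"
        if allowed and ev.script:
            # Only the interpreter image was checked; the script is outside the rule.
            reason += "; script content not inspected"
        return allowed, reason


# Constructed stand-ins for executable images (not real binaries).
BANNED = b"MZ constructed stand-in for the banned media player"
PATCHED = BANNED + b"\x00"  # same program, one byte different, so a new digest
OFFICE = b"MZ constructed stand-in for an approved business application"
INTERP = b"MZ constructed stand-in for an approved script interpreter"

EVENTS = [
    ProcessStart("player.exe", BANNED),
    ProcessStart("player-patched.exe", PATCHED),
    ProcessStart("office.exe", OFFICE),
    ProcessStart("interp.exe", INTERP, script="report.macro"),
]


def evaluate(policy: ExecPolicy) -> dict:
    """Map each constructed event's image name to the allow/deny verdict."""
    return {ev.image_name: policy.decide(ev)[0] for ev in EVENTS}


if __name__ == "__main__":
    policies = {
        "denylist": ExecPolicy("denylist", {sha256(BANNED)}),
        "allowlist": ExecPolicy("allowlist", {sha256(OFFICE), sha256(INTERP)}),
    }
    for name, policy in policies.items():
        print(name)
        for ev in EVENTS:
            allowed, reason = policy.decide(ev)
            print(f"  {ev.image_name:20} {'ALLOW' if allowed else 'BLOCK'}  ({reason})")
```

In denylist mode only the exact listed image is stopped; in allowlist mode anything whose digest is not approved is stopped, while a script run by an approved interpreter passes in both modes because only the interpreter image is checked.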
  18. choowie

    Sebastian G. Guest

    SafeBoot Simon wrote:


    >
    > The product also has signature based executable code control built in,
    > so every time a piece of code tries to create a process we get to
    > inspect it first and see if it's on a black or white list. If the
    > code's not on the approved white list, we simply discard it so it
    > never gets to execute. This is good for anything which runs, exe's,
    > DLL's etc, anything which starts a process or thread. Of course it
    > won't prevent macros from running or other interpreted code, but
    > that's not its point. It's application control.



    It's not an application control, since it doesn't control what applications
    can do when they run - instead of controlling if they run at all.

    At any rate, this functionality has been there since Windows XP, and this
    one doesn't require adding complicated, error-prone kernel-mode hooks to the
    system.
     
    Sebastian G., Jan 29, 2008
    #18
  19. From: "SafeBoot Simon" <>


    | The product also has signature based executable code control built in,
    | so every time a piece of code tries to create a process we get to
    | inspect it first and see if it's on a black or white list. If the
    | code's not on the approved white list, we simply discard it so it
    | never gets to execute. This is good for anything which runs, exe's,
    | DLL's etc, anything which starts a process or thread. Of course it
    | won't prevent macros from running or other interpreted code, but
    | that's not its point. It's application control.

    Sounds like the wrong type of application for the job.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
     
    David H. Lipman, Jan 29, 2008
    #19

  20. > At any rate, this functionality has been there since Windows XP, and this
    > one doesn't require adding complicated, error-prone kernel-mode hooks to the
    > system.


    Ok, I was told and warned to killfile you Seb, and I ignored them, and
    now I got my comeuppance. Congratulations.
     
    SafeBoot Simon, Jan 30, 2008
    #20