You can't really blame your users getting virus, spyware or other stuff if you have done nothing to warn them about it. A basic course should cover how to install and update the virus scanner, what to do when zone alarm shows an alert etc. When things go wrong - and they do - the user can't say "but I didn't know, it's not my fault, it's not my responsibility."

It is important to notice that students own pc's are their property, so faculty have no right to take away admin privileges, or install software. What can be done though is to define a set of requirements for obtaining access, and give the users the ability to maintain their system.

When a computer is compromised, the admin can rightfully shut off connection, the user have no right to complain because the he should have known better. I have practiced such a policy with success, although the response time could be hours depending on when the infection occured because we relied on manual intervention. In the other end of the scale I complained to an ISP that did absolutely nothing for two months allowing about 700.000 virus infected mails to be send from their client.

Really, it is a matter of pragmatically solving a problem that isn't yours. Access is not a right, it's a privilege and as such it should be treated with care or it is taken away.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/267/28484#28484