Fog Creek Software
Discussion Board

your most absurd IT policy?

From a recent topic:

>I didn't say the current policy was rational :)
>The rationale is something like "Web servers have vulnerabilities and web servers not under central control can't be guaranteed to be securely configured".

IT policy making has always fascinated me because
it usually tends towards the absurd. And because
they control everything they can be very difficult to fight.

What is the most absurd IT policy you have had to live

son of parnas
Thursday, July 1, 2004

Mine was the requirement that only email lists with
10 or more people can be created. And it took
a manager to ask for new email lists.

The lifeblood of development is communication and
they wanted to choke off small groups from having
email lists.

The reason for this policy was unclear. Exchange couldn't
handle the email lists. They had a hard time keeping them
updated. A lot of email lists weren't used anymore.

Just crap. But they got the policy through.

Thursday, July 1, 2004

Lotus Notes.

Has been the case on several employers.

Flamebait Sr.
Thursday, July 1, 2004

At college - "you aren't allowed to look at any file outside your home directory, even if you have read permission, without explicit permission of the tutor".

A quick script to mail him every time cpp wanted to open a header file !

Martin Beckett
Thursday, July 1, 2004

Making MS office the standard office suite.

Thursday, July 1, 2004

No smtp relay. Attachments being blocked from external e-mail addresses. 

Thursday, July 1, 2004

The worst IT policy I have heard in a while which my buddy just told me about was that employees were not allowed to use any joins in their SQL statements.

All database tables must be flat with no normalization techniques....

Thursday, July 1, 2004

having so few staff, we are barely able to respond to the demand for our services.

Thursday, July 1, 2004

> Making MS office the standard office suite.

Okay, I'll bite.  (1) What's so wrong with Office, (2) What's overall better?

Thursday, July 1, 2004

has to be either: "don't waste your time doing documentation", "all columns must be VARCHAR's", or "don't use sourcesafe"

Al A. Kazaam
Thursday, July 1, 2004

> "don't use sourcesafe"

Hmm sounds like a good policy to me.

christopher (
Thursday, July 1, 2004

An IT company writing some software which required superuser status to run. Rather than have that portion as a daemon and the rest of the system talk to it when needed, the entire software package required root access. Not setuid root, you understand, actual root. So everyone needed root access. So not only did everyone have root access to their machine, not only were they using it to do day-to-day things, everyone had to have one of a set of known root passwords so they couldn't end up locked out of a machine...

A certain bank I can't name decided that developers couldn't have personal CD players. On the basis that the other workers on site (the ones in the call centre) weren't allowed them. This was while they were piping music into the entire development "shed". Which neatly meant NO-ONE got their choice of music to work to, and those of us who wanted quiet couldn't have that either...

There's a logistics company which names all of the computers as their IBM model number. This means that a) the machines have completely unmemorable names and b) when they upgrade a machine, all the comms systems need to be reconfigured. Oh, and c) Massive confusion when someone tried to order a duplicate model when they needed more computing power. So much confusion, in the end they gave up trying to order it.

The same place bought a quarter million pounds of processor power and handed it over to network ops to install. Network Ops have run out of ten quid token-ring adaptors. They've been forbidden from buying token-ring cards because we're upgrading to something else "really soon". You can guess this story.

I think the best one was Weir Systems. They used to put staff information on the intranet. Unfortunately, no-one was allowed access to a network connection, so they used to print out the staff information part of the website and pin up the printouts in the staff kitchen...

Katie Lucas
Thursday, July 1, 2004

I worked at a place where managers had to request creation of email distribution lists. What's really insane is that the requests were denied.

USPS ran proxy reports and published a list of the top ten "unauthorized sites" every quarter. I don't know which was funnier - that yahoo and were on the list, or that I had a really good source for five or six new porn links every three months.

Locking down the desktop in Windows 95 (which I'm sure was simply a matter of "if we can do it, we should do it")

Limiting all employees to 10MB email stores when the CEO's email was 250MB and growing. (not an IT policy, but this was the same place where the CEO had to sign every purchase order. Of course he generally left at 2pm Friday for golf and spent Monday morning in a staff meeting that often lasted until 3pm, so if you didn't get it signed Friday morning, it wasn't getting ordered until Tuesday)


Thursday, July 1, 2004

A bit "off-topic", maybe, but the worst case I've ever seen was not from the existence of policy, but rather from the absence of policy.

All accesses to servers were handed with admin rights to everyone; same thing about shares.

User sa on every SQL Server had its default pwd. Every connection made to the DB (e.g., Access via ODBC) used sa. We're talking about production DBs, naturally.

In short, everyone had full access to everything on that network.

Paulo Caetano
Thursday, July 1, 2004

How about: "You can upload files to the repository, but you cannot retrieve them".

Mmmmm.  Write only memory.

Thursday, July 1, 2004

On the list of inappropriate uses for our Internet connection is 'fact-finding'. Clearly completely frivolous in a media organisation.

Thom Lawrence
Thursday, July 1, 2004

When I said, "don't use sourcesafe", I meant "don't use source control." That's a fun policy, but not as good as "use 'password' for ALL passwords"

Al A. Kazaam
Thursday, July 1, 2004

One place where I worked a while ago had the policy "no instant messengers"  and "no personal email messages".

Yeah like getting on a phone and chatting is quicker than a simple IM or email message.

Code Monkey
Thursday, July 1, 2004

When I worked at Tyco ( ), they implemented a policy that email could not be archived. You could save individual emails, but you couldn't create an archive file that was easily accessible from Outlook.

The reasoning was that if it ever were investigated, they didn't want to make it easy on the investigators!

Thursday, July 1, 2004

In high school I worked phone tech support for AOL, and they had a policy that your desktop must be kept at a resolution no higher than 800x600, so that the supervisor could walk up and down the aisle and see what you were doing.

That was fine, except that the program we used for troubleshooting was designed for 1024x768, and if you resized it you'd have to scroll back and forth every time you asked the caller a question.

Thursday, July 1, 2004

about the fact that at my old company their homegrown database was written in Mumps (aka M) on VMS on Dec Alphas, and they were migrating to Informix.

There were days I was begging for a head shot with a deer slug.

Aaron F Stanton
Thursday, July 1, 2004

> Yeah like getting on a phone and chatting is quicker than a simple IM or email message.

Email leaves a trail, and outside of calling a meeting is the easiest way to get your info to multiple people.

The email trail can be good or bad.  If it's instructions on upgrading your compiler when it finally shows up, it's good.  If it's the newest pr0n site you just found, it's bad.

Thursday, July 1, 2004

I was the star employee in my department and they locked me out of email because I occasionally got ~1MB emails. I just left.

Companies should really educate themselves that there is a HUGE difference between "regular" and "star" employees.

Thursday, July 1, 2004

You want to hear a stupid one?  I work for a nonprofit, and we had an all-dept meeting yesterday....all departments have to bring in 3x their budget in grants, boss is truly clueless.  We have 100k a year budgeted, between myself and the MIS guy we take 70k of that, the other 30 is for the IT budget, but that also has to be spent on computers, software, etc for the other departments.  There is simply no way.  Especially because the main app I'm working on is not even anything that generates revenue, it is for informational use.

Thursday, July 1, 2004

Alex - your company locking you out of your e-mail was totally unnecessary.  The swelling of your head would have eventually prevented you from walking through the front door.

Thursday, July 1, 2004

Some from companies I worked at.  It seems a few of us have worked at the same places or brain cells are dead everywhere.
- All users had the same password so desktop support could do updates without being admins
- All users had a password that matched their user id
- Lock down. A company rewriting their system for mainframe to JAVA, had a desktop lock down policy that prevented:
    - Changing the resolution (1024x768 at 60mhz)
    - Changing the theme or any user settings such as color
    - Adding _ANY_ software to the desktops
    - upgrades to a desktop before its three year depreciation
    - non-employee users
  Needless to say, it took four weeks and the CIO to get the policy changed for seven desktops so developers could work.  The desktop support team wanted input into the application to ensure it was developed to run in this environment.  Luckily, midway through the project they fired the director of desktop support.
- No mailing lists unless requested by a VP or above (that is four levels above we mortals)
- Flex time, that required being in the office between 9 and 5. (Someone actually found a Dilbert on this very issue)
- A networking group who thought that they could keep IP addresses secret by requiring they put them into the servers.  Their logic being people should only use DNS and should never know what the real address is. (Including the Unix Admins)
- While not an official policy, at one telco, if you ordered upgraded laptops/desktops, you had to order one for everyone above you too, as part of the project.  Failure to do so had side tracked several careers.

Thursday, July 1, 2004

Hmm, working at a bank, all the PCs were locked down about as tight as you can get. I think they really did all the things you needed to do to get C2 compliance with NT4.

Well, I was hired to make web pages with Visual Interdev. But that was not on the approved software list. So I had to figure out how to hack a C2 compliant nt4 box. Which I did. It was that, or bribe some of the IT guys to get the admin password (going price was $100 for a password that changed weekly).

Then, 3 months later, during a software audit, I get dismissed for having unapproved software on the PC: Visual Interdev.

Thursday, July 1, 2004

Don't buy any LCD monitors, because the people who don't get one will be jealous.

Thursday, July 1, 2004

I do independent consulting and one of my clients has the rule 'no blank lines allowed in programs' . The explanation: some bad codes can be hidden there and the compiler will interpret them badly and the program will do unexpected things.

I suggested that they read 'Code Complete'...

Regards from Chile

Thursday, July 1, 2004

17" monitors.  Meanwhile there's a full screen projector showing CNN in the lunchroom.

Thursday, July 1, 2004

I was writing custom software for an engineering group  in a defence contractor.

The IT department didn't like the fact that the engineers hadn't gone through them, and insisted on using my software. So the IT manager issued a verdict that all users had to remove "unlicensed software" by Monday.

So I wrote out licences to the engineering department on the spot.

The engineers won, the last I heard.

Thursday, July 1, 2004

Animated passworded company screensaver that kicked in after a minute (this behind keypassed doors) - for everybody.  Made some SOE SOB's spec simpler or day better.

Thursday, July 1, 2004

Implementing IT policies designed to protect intellectual property on users' laptops....then having to disable those policies for upper brass (the very people most at risk to industrial espionage) because the brass didn't like doing things like entering passwords.

Thursday, July 1, 2004

Oh, I forgot this one - at Camel the official policy was "no freeware allowed on facility computers"

Not "personal software" or "unlicensed software" - "no freeware"

Why? "Because freeware might have viruses"

Even considering my current employer, that was lunacy.


Thursday, July 1, 2004

My wife received an email today from some lowly person in HR saying something like...

Please J could you make sure all your emails have subjects because if it doesn't we might assume that its a personal email which isn't allowed under the Communications Policy.

And then they further clarified it in another email by saying...

...oh no I didn't mean that it would be assumed to be personal, nor that if it had a subject that it would be assumed to be non-personal it just makes it easier when we are scanning hundreds of pages of emails...

As my wife actually wrote the Communications Policy (under duress and she never wanted to ban personal email), she was surprised as that wasn't part of the policy at all.

Simon Lucy
Thursday, July 1, 2004

I worked in a company that was:

- Too cheap to buy Access '97 so we export a client's data into PostgreSQL. I had to spend days writing a perl script to export all the data

- Had a development server that was a p100, whereas the production server was a p500. I spent days optimising PHP code to run smoothly on the development server, whereas it didn't matter as it was totally acceptable on the production server.

- Had a development server with a 1Gb hard disk in 2002, so I had to write a cron job to email me the disk space everyday so I could go in and dump all the temporary files made.

- Too cheap to buy anything but the absolute cheapest brand of instant coffee (Nescafe International Roast - yuck) So employees would spend about 1 hour a day doing coffee runs to the local coffee shop.

- Couldn't afford more than 128Mb of RAM in 2002, except for one machine. So the developers would steal RAM from other developer's machines when they were on holiday.

Matthew Lock
Thursday, July 1, 2004

I was leading a group of developers through a company inflicted death-march when the head of IT had the brilliant idea that nobody needed admin or even superuser rights to their machines. Naturally, they didn't inform anyone of this change; they made it at 5:30 PM while they walked out the door.

Fast forward about 7 hours when one of my team members needs to re-install their compiler but can't because the IT staff removed that privilege.

So, here I am at 12:30 AM, leading a project that was doomed from the beginning but doing everything I could to salvage it, coaxing my team to stick together and put in the hours and we can't even install a compiler.

I did what any level-headed manager would do. I picked up the phone, woke the CEO up out of bed and told him that his precious project wasn't going to meet its deliverable in the morning unless the IT manager got his worthless butt down there to give us our privileges back.

I was secretly hoping to get fired for being such an ass to the CEO and CIO, but it didn't happen...

Mark Hoffman
Thursday, July 1, 2004

There is the policy for developing/modifying database only with the participation of data modeler (separate centralized group).
As a result, when I need to expand the length of the char field, I should've wait for a month at least. The development of the logical model (physical implementation - 50 tables) took almost a year since the start.

Thursday, July 1, 2004

"Only development groups may have a network and network printer.  No printers on individual desks in any department."  I was in the pubs group at the time.  How I was supposed to print the manuals I was being paid to write was left up to me.    Never one to give up, I soddered printer cables (our manager had no PO authority) and hooked together an impressive stack of AB and ABCD switch boxes so the group of 15 could print to a central laser printer.  I, uh, scrounged the needed parts off the manufacturing floor, called HP for the cable specs, and borrowed my dad's soddering iron.  Ultimately I was part of the revenge for that idiocy. 

Most absurd company policy was: "No coats may be worn in the building. No space heaters are allowed."  Come to think of it, I was part of the end of that idiocy too.

Friday, July 2, 2004

In the interests of protecting the company's valuable IP:

No internet access, except on the boss' machine, which was not networked. No floppy drives or burners, except on one machine, which was closely guarded by the office manager.

One of the bosses, upon hearing about some USB HDD, went around with a silicon gun closing up USB ports.

Of course, if I was really interested in pirating their stuff, I could have walked out with a hard drive in my pocket and they probably would never have known. Although, a co-worker did tell me that he was patted down on a couple of occasions.

Also, forcing graphic designers and multimedia development people to use 17" monitors should be illegal.

name withheld out of self-preservation
Friday, July 2, 2004

CIO: "No Active Directory. I am not ready to sell my soul to Microsoft"

This is for a network of ~ 3-400 PC's on Windows 2000. Yep, everyone logs in with a local account (in the administrators group), and the techs are running around with installation CD's every time something needs changing. To top it off, the passwords to these accounts fly unencrypted over the network all day to POP from a UNIX mailhost (you don't really believe users are going to use different passwords for different purposes now do you?).

Just me (Sir to you)
Friday, July 2, 2004

"We don't use DNS"

"Why not?"

"Someone told the CIO that it was insecure, so it was banned".

"Oh for the love of satan. So.... we have to remember the IP addresses of all the machines??"

"Well. There is a secret DNS server. We try not to tell too many people about it in case the CIO finds out... I'll add you to the email list to get mailed the new location every week."


The thing about being a contractor and going round so many companies, is that you see just HOW MANY of them are insane, know they're insane and decide to stay that way.

Katie Lucas
Friday, July 2, 2004

Back in the day, I worked for a company that had Nato defence quality assurance. Mostly they used Vaxes which come with compilers. We did some work on a PC which didn't come with a compiler, so we had to find an approved supplier who would sell us a Fortran compiler and editor for a PC. We eventually got a compiler, but not an editor, so we had to develop the software using EDLIN.

Harvey Pengwyn
Friday, July 2, 2004

Speaking of people who should be shot.

Graphic designers, locked down so that they couldn't install any fonts other than the standard fonts (Even less than the standard Windows install), on a standard machine that couldn't do 24 bit color at anything other than 800x600, who were therefore forced to keep Macs handy.  Oh yeah, and incredibly small amounts of RAM.  Folks who were doing web stuff, of course, weren't so lucky.

But at least Photoshop was on the approved list, although nothing else was.

Flamebait Sr.
Friday, July 2, 2004

Kate: "...soddered...soddering iron..."

Somehow that word seems more appropriate to the circumstances than what you probably meant to write.


Friday, July 2, 2004
