During my time working at the Happy Hunting Grounds, one of the more “special” users I encountered was a doctor. He felt that because he was a doctor, this somehow exempted him from the normal rules concerning laptop usage.
My first interaction with him occurred soon after I took over laptop duties from my predecessor. I got a call from the doctor’s secretary, saying he was getting pop-ups constantly on his laptop, and needed them taken care of. So I wrote up a ticket for bookkeeping purposes while on the phone with $secretary, and swung by his office to get the laptop. I fired up the laptop after getting back to my office, and did my usual forensics on it. Pretty quickly, I noticed several problems. First off, $doctor’s profile was HUGE (the GBs of space used was well into the double digits), and I also saw there were a number of toolbars, children’s games, and other unauthorized programs installed, as well as a children’s movie in the DVD drive.
So I went to work, deleting all the toolbars and unauthorized programs from the computer, and also ran several cleaners to get rid of the temp internet files in all the profiles, which only seemed to make a small dent in $doctor’s profile size. On a hunch, I went into his user folder to see what he had there, and discovered he was basically using this laptop as the family computer. There were shortcuts and favorites for the whole family, and several gigabytes of personal photos, videos and other memories from several vacations.
Continuing with my hunch, I also checked if he had administrative rights on the laptop, since it seemed a little hinky that someone from my department would willingly install any of the programs I had just removed, and sure enough, $doctor did. I went into the laptop’s logs, discovering that my predecessor (the one who was fired for pirating DVDs at work) was the one who gave him admin rights, which is a huge security violation. I promptly took a screencap of it and sent it off in an email to $CIO and the information security officer, along with all the other information I found.
Understandably, $CIO was livid when he read the email, since he had suspected that my predecessor had done these sorts of things, but never had the proof until now. He said he wished someone had come across this sooner, but would talk to the chief of staff and $hospitalDirector regarding $doctor’s flagrant violation of the security rules, and to hold onto the laptop in the meantime.
A couple days later, I got an email from $doctor, asking when he could pick up his laptop, since he really needed it, and I replied with a couple of leading questions about what he used the laptop for. His responses to my questions almost caused my jaw to hit the floor. He admitted he allowed his children to use the laptop instead of buying a computer for them, and claimed that his wife refused to let him spend the money on a new computer for the family, so he requested a laptop from us to circumvent this. $doctor also said he (rather easily) managed to convince my predecessor to give him admin rights to install programs for the kids and whatever else he wanted on there. I bcc’d my boss in my reply to this, and said that this was a major security violation, and per policy, I’d have to report it.
$doctor got mad, demanding that I not do so (not knowing that I already had), and that he needed the laptop because his kids needed to do their homework, and had nothing else to use. My response was simple: The paperwork $doctor signed explicitly stated any equipment we gave him was to only be used for things directly relating to his job, and that he was forbidden from allowing anyone else, including family members, to have access to the device for any reason whatsoever, even going so far as to find a scanned copy of the form he signed, highlighting the sections where it spells that out, again, adding $CIO to the email.
After a few more emails back and forth like that, $CIO sent me a separate email saying to just re-image the laptop, and put our stuff back on to re-encrypt it, and to only give the laptop back to $doctor if $hospitalDirector approved it, and even then, only after he took all the appropriate security classes again. $doctor also had to go to the store and purchase a computer for his kids and come into our office with the receipt.
All that took about another 10 days, but the good doctor finally got his laptop back, and we never had a problem with him again.