113

I had an argument with a superior about this. Though at first glance the prior user of a laptop only did work in his own documents-folders, should I always install a new OS for the next user or is deleting the old profile enough? The software that is installed is mostly also needed by the next user.

I think an install is needed, but except my own argument of viruses and private data, what reasons are there for doing so?

At our company it is allowed to use the PC for e.g. private mail, on some PCs are even games installed. We have kinda mobile users, that are often on site at a customer, so I don't really blame them.

Also because of that we have a lot of local admins out there.

I know both the private use and the availability of local admin-accounts aren't good ideas, but that's how it was handled before I worked here and I can only change this once I am out of traineeship ;)

Edit: I think all of the answers posted are relevant, and I also know that a couple of the practices we have at my company aren't the best to begin with (local admin for too many people for example ;).

As of now, I think the most usable answer for a discussion would be the one from Ryder. Although the example he gave in his answer may be exaggerated, it has happened before that a former employee forgot private data. I recently found a retail copy of the game Runaway in an old laptop and we had a couple of cases of remaining private images, too.

Suici Doga
  • 103
  • 3
ExNought
  • 1,143
  • 2
  • 7
  • 9
  • 32
    You don't want to risk not doing it. Too many things can go wrong if you don't (and eventually, they will). – Mast Jun 13 '16 at 08:17
  • 4
    You don't blame your employees for playing games on company property... because they're doing so when with your customers? WTF? – Lightness Races in Orbit Jun 13 '16 at 11:36
  • 24
    @LightnessRacesinOrbit Well, if you are in a hotel for weeks (sometimes even including weekends) and there is, outside of work, absolutely nothing to do, yes, I think that is acceptable. Ofc there are concerns, but at least it keeps up morale. Also I and also my superiors are pretty sure, that forcing people to maybe buy a laptop or tablet for their journeys will harm us. There are a number of reasons here, going into all of them would not only take too long, but also would make my employer look bad ;) – ExNought Jun 13 '16 at 11:43
  • 3
    @ExoWork: Oh, outside of work, sure. I myself am typically away on business for several days and nights each week and certainly make good use of my work laptop in those hotels! But you said _"on site at a customer"_ which is very different. – Lightness Races in Orbit Jun 13 '16 at 12:14
  • @LightnessRacesinOrbit Well you are correct, I was inaccurate there. When the employees play games with their customers, they should do that in either their free time or with the customer's knowledge and approval ;) – ExNought Jun 13 '16 at 12:41
  • Does.. the Euro symbol mean edit? – Jake Lee Jun 13 '16 at 15:44
  • 8
    I would say definitely because of all the reasons listed here, but there is another: If the computer can be used for private use, then it may be illegal to give someone else access to that data due to data protection laws (this could definitely be problematic in Germany as far as I am aware). Formatting the drive ensures that no third party is given private data. – DetlevCM Jun 13 '16 at 17:32
  • 1
    Two things come to mind. First, wiping a disc (full reformat) and re-installing all software should be standard procedure, akin to a hotel changing the sheets on the bed before a new guest gets the room. Second - wiping the disk may destroy evidence of possible crimes, thus placing the company at legal risk. Better buy each employee a new computer, then warehouse the old ones for a to-be-determined period of time after they leave or are given a new(er) computer. Best thing to do would be to get rid of all computers and go back to pencil-and-paper - but don't shred anything! :-) – Bob Jarvis - Слава Україні Jun 14 '16 at 12:55
  • Ideally, setting up a new computer should be completely streamlined -- this will also reduce the impact of hardware failures on your business. – Simon Richter Jun 14 '16 at 17:19
  • 1
    Only reason I can see to not wipe & reinstall from scratch is to save some time. How much time are you going to save by skipping the reinstall? And how frequently do you need to do this? Say it takes an hour to reinstall the OS & apps, and you do it once a month. Is one hour a month worth the risk? – Andy Lester Jun 15 '16 at 19:11
  • 1
    The admin should have standard procedures in place for unattended reinstalls. If not, I would recommend getting it in place. Then it is a no-brainer - leave it overnight and it is good to go. – Thorbjørn Ravn Andersen Jun 16 '16 at 12:12
  • 1
    I assume @ExoWork is the writer for the Direct TV commercials. Can't malicious software live outside of the user profile, also causing damage to the new user and the network? – Goku Jun 16 '16 at 13:35
  • 1
    If you're a trainee, what does the person in the business who is training you have to say? And what makes you think you will have more weight after you finish training? – James Snell Jun 16 '16 at 20:39
  • @JamesSnell Well, if I talk about being a trainee, I talk about the German version, where I additionally have school, get learned for 3 years and become a "complete" worker after that. My superior in this case is also the guy training me, so that's what he had to say. I think you may be right, there will be not much of a change after completing my training. BUT I will still try ;) – ExNought Jun 17 '16 at 05:37
  • 1
    It depends. A LOT on how the computer is used. A normal Windows box where the user uses it "normally" - Re-image. A Mac or Linux box that has no access to admin functions, don't re-image. Any OS where the local user can't do anything and it's acting like a client to Citrix or something, don't re-image. Any OS where the user has any admin access Re-image. It's not a straight cut answer. As a standard rule of thumb I would re-image. It only takes about 15-20 mins these days. – coteyr Jun 19 '16 at 06:21

8 Answers

220

Absolutely you should. It's not just common sense from a security POV, it should also be practice as a matter of business ethics.

Let's imagine the following scenario: Alice leaves, and her computer is transferred to Bob. Bob didn't know it, but Alice was into illegal shota porn and left several files tucked away outside of her profile. IT wipes her profile and nothing else, which included only her browsing history and local files.

One day, Bob is checking out the bells and whistles on his shiny new work machine, while sitting at a Starbucks™ and sipping at a latte. He stumbles across Alice's cache and innocently clicks on a file that looks strange. Suddenly, every head in the store whips around to watch in horror as Bob's PC flouts several state and federal regulations at full volume. One little girl in the corner starts crying.

Bob is mortified. After six months of depression and after having been fired for his unintentional act of public indecency (and possible criminal charges), he finds himself a really crackin' legal team and lays waste to his former employer with an outrageously damaging lawsuit. Alice is in Thailand and escapes extradition.


Maybe all this is a little beyond the pale, but it absolutely could happen if you don't take the time to scour through a former employee's every action. Or you could save time, and reinstall from scratch.

Ryder
  • 1,885
  • 1
  • 12
  • 13
  • 1
    Reinstalling from scratch would be not enough, you'd need to shred the contents completely to prevent this? – gerrit Jun 13 '16 at 09:40
  • 30
    @gerrit Reinstalling Windows from Scratch usually implies a full format of the disk as well. The only way Bob would get the files back after that is by running forensic tools, and you usually don't do that without a very good reason. – Nzall Jun 13 '16 at 09:52
  • 10
    Alice in Thailand does not help. [There is TH-US extradition law](http://www.mcnabbassociates.com/Thailand%20International%20Extradition%20Treaty%20with%20the%20United%20States.pdf). Try to pick another country. Notch Korea is my candidate ;) – vasin1987 Jun 13 '16 at 12:07
  • 38
    @vasin1987 Alice's lawyer just called. She said that, actually, she'd prefer to spend the rest of her life in a federal prison than stay in Pyongyang. Can you arrange something? – David Richerby Jun 13 '16 at 14:30
  • 9
    Why is it Bob that always gets the short stick? – Mindwin Jun 13 '16 at 19:18
  • 42
    What happens next? I need to know! – FuriousFolder Jun 13 '16 at 19:39
  • 14
    This answer would benefit from a little addendum discussing the cheap cost of doing a full wipe as standard operating procedure as opposed to 1. spending time determining if it's necessary on each machine to change hands, and then 2. determining if the risk of something like this is worth the time saved. In practice, it's probably quicker (time = money) to just wipe it than to try to hunt down and erase the previous user's data, even disregarding the risk. – jpmc26 Jun 13 '16 at 23:09
  • 3
    This. Reinstalling a machine from the OS up doesn't take a whole lot of time. Certainly it takes less time than removing the prior user's profile, searching for any extraneous files that might exist and performing a proper virus / root kit scan. Also it's the only way to be sure that you got everything. – NotMe Jun 14 '16 at 15:36
  • 6
    Most places I've worked, the IT staff had a "setup" disk (actually separate ones for different machine types) that would wipe the disk, then install the OS, then install whatever applications were supposed to be standard. Sometimes they'd have a separate disk for specialized software (mainframe comms, IDEs, document templates) for specific teams. I've heard some places now just have a USB stick that they boot from that does everything over the network. – TMN Jun 14 '16 at 15:44
  • 2
    God damnit Bob. Curiosity killed the cat, don't you know that by now? – Dirk v B Jun 15 '16 at 00:47
  • 2
    I signed up for this site just to upvote this answer. Thanks for giving a solid example. – yesman Jun 15 '16 at 10:59
  • 3
    +1 I was always taught the professional way is to treat computers like cattle, not pets. If you suspect an issue with a pet you fuss over it and call the vet, with cattle if you aren't 110% sure then you fire up the bbq... – James Snell Jun 16 '16 at 20:37
  • 3
    Nuke the entire site from orbit. It's the only way to be sure. – Mnebuerquo Jun 17 '16 at 18:45
  • 1
    My office sets up the machine from scratch and then images the system. Whenever anyone leaves, they run a simple restore from the image - fully automatic, restores it to the exact state they want. They then place the system on the desk, connect to the update server and push any updates since the image was made. By the time the new user comes in, everything's ready and totally clean. – Blackbeagle Jun 18 '16 at 01:46
  • 5
    I'm a close friend of Alice here in Thailand, and I want you all to know that Alice and her lawyer do not take kindly to you publishing this defamatory and libelous story online. You can expect to hear from us. – Fiksdal Jun 19 '16 at 06:24
  • Also, Alice installed a keylogger and now knows all of Bob's passwords. And she installed a trojan which provides her with remote access so she can covertly collate all those commercially-sensitive documents on the machine for her new employer, which just happens to be a competitor of her former one. – daiscog Jun 20 '16 at 09:31
  • 2
    I was reading this answer at work, and was puzzled about what "shota" means, so I googled. Long story short, I've now been fired from my job and am awaiting arraignment. Thanks a lot, @Ryder! – Teemu Leisti Jun 20 '16 at 15:34
43

You should definitely reset/reinstall the computers. There could be malicious programs on it that would put the business at risk. Those could be viruses or trojans or something the former employee left there intentionally (not everybody leaves on good terms). All reasons in @axl's reply are valid, too.

To make your life easier, create a snapshot/image/backup of a freshly installed computer with all your usual software already installed and just push this on every new or recycled computer. No manual reinstall needed.

Silent-Bob
  • 1,066
  • 6
  • 9
  • "There could be malicious programs on it that would put the business at risk." If it's a company laptop, then an employee was already trusted to use it prior to that. If you have an employee maliciously attacking your network, they've already had ample opportunity to make wiping just their machine an ineffective tactic. – jpmc26 Jun 13 '16 at 23:07
  • 4
    I received a former coworker's laptop at my last place of employment. They did not do reinstalls nor have a "standard build." I had a similar experience but not of the pornography kind. I ended up having to do a format and reinstall myself as NOTHING worked properly. The former employee had completely hosed the system trying to tweak things in the most incomprehensible ways. – Mike McMahon Jun 15 '16 at 14:59
  • @jpmc26 Not completely. We have had terminations where we suspected they could do something vindictive _after_ giving them the news. So we would proactively revoke their permissions from our applications and network. So while they might not have had active access they could have still incorporated malware or keyloggers which could be used once the computer or device came in use by another employee. Also our concern wasn't them maliciously attacking our network as much as they could get a job with a competitor and still have access to sensitive company information. – Bacon Brad Jun 16 '16 at 04:03
27

I'm not an IT admin, but my feeling is that you should reinstall for a couple of reasons:

  • Local admins can take ownership of the previous user's files.

  • You're less likely to have to deal with problems arising from system changes made by the old user.

  • The old user's personal applications would still be available in Program Files.

If you don't have local admins and they really can't change or access anything outside their home folder, then I'd be less concerned, but then there's always disk space to consider.

Have you considered using Ghost or another imaging system instead of manually installing all the software?

Citizen
  • 1,103
  • 1
  • 10
  • 19
axl
  • 371
  • 2
  • 4
  • 1
    I actually did, but that is also one of the things, that was done manually before and NO ONE seems to want to change that. It is on the list of ToDo's once I am done with my traineeship ;) – ExNought Jun 13 '16 at 11:36
  • 1
    It can take some time to convince people that there are better ways, especially if there's little or no perceived pain. :) – axl Jun 14 '16 at 15:03
9

If all machines you handle are identical (or there are groups of identical machines), make a clean install once, update the OS and install basic software the users will need. Then create a HDD image, which you can restore the system from in case of reassigning the machine to another user, HDD failure, virus infection, etc.

All you have to do is just restore the "clean install" HDD contents from disk image, and change the Windows product key if this is needed.

If you want to protect the HDDs against users using forensic tools - use a data shredding tool (e.g. shred, available in most Linux distros) on the HDD before restoring data from the image to it. With about an hour's worth of work you can even prepare a live USB that'll shred the HDD then re-fill it with data from the image.

This way you can save yourself quite a bit of work while still protecting users' and company's data.

Jakub
  • 256
  • 2
  • 9
  • 1
    Making a direct drive image of a Windows installation, and applying it to many different machines can cause problems, due to something called the machine SID. To do this correctly, before creating the drive image you have to run a Windows utility called sysprep and "generalize" the installed OS. Also please note that you have to keep track of the number of Windows activations, because some versions only allow so many activations, sometimes as little as five, and when you run out you cannot sysprep or image it any further. slmgr /dlv shows remaining activations. – Dale Mahalko Jun 14 '16 at 01:06
  • 3
    @DaleMahalko While SysPrep is required and the supported way to duplicate installs, [it's not because of SID duplication](https://blogs.technet.microsoft.com/markrussinovich/2009/11/03/the-machine-sid-duplication-myth-and-why-sysprep-matters/). – TessellatingHeckler Jun 15 '16 at 02:10
  • Even if they aren't identical it's easy to script up pc installation these days. Then you don't have the pain of out of date images. – James Snell Jun 16 '16 at 20:33
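
The reason the answer above shreds the disk before restoring the image, shown as an added example that is not from any poster in this thread: a restored image only overwrites as much of the disk as the image is long, so old data past that point stays readable unless the whole device is wiped first. The script uses ordinary files as stand-ins for a disk and an image; the file names, sizes and marker string are constructed for illustration.

```sh
#!/bin/sh
# Added example. Regular files stand in for the disk and the clean image so
# this runs offline; from a live USB the target would be the real block device.
set -eu

MARKER="ALICE-PRIVATE-DATA"   # constructed leftover from the previous user

# make_used_disk PATH SIZE_KIB: zero-filled "disk" with the marker in its last KiB
make_used_disk() {
    dd if=/dev/zero of="$1" bs=1024 count="$2" 2>/dev/null
    printf '%s' "$MARKER" |
        dd of="$1" bs=1024 seek=$(($2 - 1)) conv=notrunc 2>/dev/null
}

# make_image PATH SIZE_KIB: placeholder "clean install" image (random bytes)
make_image() {
    dd if=/dev/urandom of="$1" bs=1024 count="$2" 2>/dev/null
}

# restore_image IMAGE TARGET: write the image over the start of the target
restore_image() {
    dd if="$1" of="$2" bs=1024 conv=notrunc 2>/dev/null
}

# wipe_then_restore IMAGE TARGET: overwrite the whole target, then restore
wipe_then_restore() {
    shred -n 1 -z "$2"        # one random pass, then a final pass of zeros
    restore_image "$1" "$2"
}

# image_matches IMAGE TARGET: succeeds if the target begins with the image bytes
image_matches() {
    img_size=$(($(wc -c < "$1")))
    head -c "$img_size" "$2" | cmp -s - "$1"
}

# residue_present TARGET: succeeds if the old user's marker is still readable
residue_present() {
    LC_ALL=C grep -a -q -F "$MARKER" "$1"
}

demo() {
    work=$(mktemp -d)
    make_image "$work/clean.img" 256          # image smaller than the disk
    make_used_disk "$work/restore_only" 1024
    make_used_disk "$work/wiped_first" 1024
    restore_image "$work/clean.img" "$work/restore_only"
    wipe_then_restore "$work/clean.img" "$work/wiped_first"
    for d in restore_only wiped_first; do
        if residue_present "$work/$d"; then
            echo "$d: previous user's data still readable"
        else
            echo "$d: no residue found"
        fi
    done
    rm -rf "$work"
}

demo
```

Overwriting with shred is a reasonable check on spinning disks; on SSDs, wear leveling can keep old blocks out of reach of an overwrite, so the drive's own secure-erase function is the usual substitute for the shred step.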
6

I have personal experience with non-reimaged PCs passing viruses on to new users. (And with unwanted files outlasting a user's employment, but that's a whole other story.)

As Ushuru pointed out, the best practice is to reimage rather than reinstall. (And yes, you need sysprep, but not because of SIDs, as TessellatingHeckler said.) They don't have to be identical hardware; you can include a wide variety of drivers in your image and even add new drivers offline (if your image is a .wim).

There's a whole market sector of desktop deployment software, and I've also seen people roll their own process with backup software and restoring a specialized "backup" image.

Or, you can rebuild the system if you happen to love installing the OS. ;) I get bored easily and prefer to automate.

Katherine Villyard
  • 18,510
  • 4
  • 36
  • 59
5

This is missing the best answer ... write down your hardware as a business cost, and when someone leaves then give them the laptop and buy a new clean one; this saves the most time of all, and is a positive way to approach work-life balance. Of course, if they've only been there a few weeks then a reset is probably best.

  • 5
    "Write down your hardware as a business cost" does not make the cost disappear. This mindset is like buying a new phone each time yours runs out of battery. – Ranger Jun 15 '16 at 17:29
  • 7
    Not the "best" idea; bad idea all around. You must write down not just the cost of the hardware but also all of the licenses of the other software installed there (Some licenses may technically not be transferable). I don't know about your workplace but at mine, most everything has a "Company Confidential" designation on it. Do you want that valuable information walking out the door or do you write that off too? Assumes you are parting ways on friendly terms. If it's old HW and on good terms, "maybe" re-image then give away; maybe to charity vs employee ( tax credit! $$). – Ian W Jun 15 '16 at 21:17
  • @Ian W some software can be deactivated, freeing the license up for another worker in the company (most software I've seen have this option for corporate users). The confidentiality of data stored on the machine's hard disk on the other hand is an issue. You should wipe /shred/ the disk's contents. That of course makes writing down hardware a bad way to get rid of the problem (because you have to solve the problem first anyway). – Jakub Jun 16 '16 at 06:47
  • Businesses already use every possible expense as a business expense, "writing it off" doesn't do what you probably think it does - it's not like free money, the business still has to buy new equipment (laptop) and a penny saved is a penny earned. Maybe [Kramer can explain it better (probably not)](https://www.youtube.com/watch?v=XEL65gywwHQ) – Xen2050 Jun 18 '16 at 16:14
3

The answer to this really depends on whether you allow employees to be local administrators of their own machine.

In general a User group account only has write permission in its own profile directory, and nowhere else on the hard drive.

In this case no changes can be made to the system by the user, including installing or removing applications, or creating hidden files or directories outside of their profile directory.

Malware can potentially install itself, but again only inside that user's profile, typically in AppData or Temp.

For these restricted users, a new account is completely disconnected from whatever was in the old user profile.

Dale Mahalko
  • 725
  • 1
  • 6
  • 16
  • 7
    "Malware can potentially install itself, but again only inside that user's profile" – unless it exploits a privilege escalation vulnerability. So even without local admin rights, a certain risk remains. – user149408 Jun 13 '16 at 21:26
  • This is irrelevant because this kind of problem can affect anyone at any time. As an admin for about 500 desktops, I am not periodically erasing every single person's desktop every 6 months over some minor concern of a possible malware that might possibly escape the user security group. If you discover it has happened you deal with it, but otherwise don't worry about this and let the antivirus handle it. – Dale Mahalko Jun 14 '16 at 03:04
  • 1
    The employees have physical control of the laptop - to the point of bringing it with them while traveling. If they want admin access, they'll get it. – Andrew Henle Jun 14 '16 at 19:01
  • 1
    Assume anyone with physical access to a PC can do anything an administrator can do. – Bill K Jun 16 '16 at 21:54
3

I would never even dream of giving a used PC to a new employee without at least a hard disk wipe. If you wanted to be fairly safe, replace the hard drive completely.

Root kits are extremely powerful. A root kit is unknown by the OS and virus scanners because they are installed at a lower level (They actually load the OS and give the OS its basic information such as what is on the hard drive, so they can very effectively hide themselves from the OS). Some even install themselves into the BIOS of the hard drive which makes them extremely difficult to get rid of.

A few can install themselves in the BIOS of your PC and re-infect new hard drives as they are installed.

If any disgruntled employee with even mild hacking skills really wanted to they could return a computer to you in a state that would devastate your network repeatedly even after a hard disk "Reformat". A good one could make it so that even replacing the hard drive wouldn't help.

A really talented hacker-employee might use one of these techniques to gain unlimited access to your internal network systems and data. At any point in the future he could reconnect from the outside--in a way that would be almost impossible for you to stop (Since the infected computer is likely to call out occasionally and bypass all firewall security).

Luckily the really talented ones probably have better things to do than work for your company.

James's answer where he says "Give the computer to the employee when he leaves" should be sounding pretty good right about now--but really, just yank and shred the HD.

Bill K
  • 1,189
  • 1
  • 6
  • 7
  • I think you are correct, your and James's steps are the ones with the least amount of risk for a security breach, but this is hard to get in some people's heads, especially since they aren't willing to do a clean install for new employees in the first place ;) That's still a LONG way to go ... – ExNought Jun 17 '16 at 06:22
  • 4
    Perhaps people could be enticed to take a security seminar. There are serious ramifications to not taking security seriously. How many executives at your company would appreciate the contents of their work computers being uploaded to the internet? I just mention this because it happened to a friend's company recently. My work network is completely detached from the internet and hired hackers were still able to get in through laptops that were infected when attached to the internet then brought into our disconnected network. It happens! – Bill K Jun 17 '16 at 06:31
  • @BillK +1! I totally agree. The best route for security is to *trash* the drives, re-flash the BIOS, and install a new one. Aside from security, there's still the issue of your colleagues' privacy— which is a very different consideration, and one that shouldn't have to be subjected to a cost-benefit analysis. Which is why I'd maintain that a reimage, or wipe and reinstall should be a **Best Practice**, and shredding the disk part of a robust security policy (and *that* can be assessed against the cost). – Ryder Jun 17 '16 at 07:26
  • 1
    @Ryder agreed. Also, if the people about your company are worried about the cost of destroying a drive vs re-imaging one, get out FAST. Either there is an amazingly high turnover or they are going broke, either way that's not going to be a great place to stay in the long run. (bare-bones startups may be an exception, but maybe not). – Bill K Jun 18 '16 at 00:00