Best practice: Should I always install a fresh OS for new employees?

Solution 1:

Absolutely you should. It's not just common sense from a security POV, it should also be practice as a matter of business ethics.

Let's imagine the following scenario: Alice leaves, and her computer is transferred to Bob. Bob didn't know it, but Alice was into illegal shota porn and left several files tucked away outside of her profile. IT wipes her profile and nothing else, which included only her browsing history and local files.

One day, Bob is checking out the bells and whistles on his shiny new work machine, while sitting at a Starbucks™ and sipping at a latte. He stumbles across Alice's cache and innocently clicks on a file that looks strange. Suddenly, every head in the store whips around to watch in horror as Bob's PC flouts several state and federal regulations at full volume. One little girl in the corner starts crying.

Bob is mortified. After six months of depression and after having been fired for his unintentional act of public indecency (and possible criminal charges), he finds himself a really crackin' legal team and lays waste to his former employer with an outrageously damaging lawsuit. Alice is in Thailand and escapes extradition.


Maybe all this is a little beyond the pale, but it absolutely could happen if you don't take the time to scour through a former employee's every action. Or you could save time, and reinstall from scratch.

Solution 2:

You should definitely reset/reinstall the computers. There could be malicious programs on it that would put the business at risk. Those could be viruses or trojans or something the former employee left there intentionally (not everybody leaves on good terms). All reasons in @axl's reply are valid, too.

To make your life easier, create a snapshot/image/backup of a freshly installed computer with all your usual software already installed and just push this on every new or recycled computer. No manual reinstall needed.


Solution 3:

I'm not an IT admin, but my feeling is that you should reinstall for a couple of reasons:

  • Local admins can take ownership of the previous user's files.

  • You're less likely to have to deal with problems arising from system changes made by the old user.

  • The old user's personal applications would still be available in Program Files.

If you don't have local admins and they really can't change or access anything outside their home folder, then I'd be less concerned, but then there's always disk space to consider.

Have you considered using Ghost or another imaging system instead of manually installing all the software?


Solution 4:

If all machines you handle are identical (or there are groups of identical machines), make a clean install once, update the OS and install basic software the users will need. Then create a HDD image, which you can restore the system from in case of reassigning the machine to another user, HDD failure, virus infection, etc.

All you have to do is restore the "clean install" HDD contents from the disk image, and change the Windows product key if this is needed.

If you want to protect the HDDs against users using forensic tools, use a data shredding tool (e.g. shred, available in most Linux distros) on the HDD before restoring data from the image to it. With about an hour's worth of work you can even prepare a live USB that'll shred the HDD and then re-fill it with data from the image.

This way you can save yourself quite a bit of work while still protecting users' and the company's data.
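The wipe-then-restore step from the answer above, written out as an added shell example (this is not code from the original answer). It assumes GNU coreutils (`shred`, `dd`, `stat`) and `cmp` from diffutils; the `wipe_and_restore` function name, the refusal to touch a mounted target, and the post-restore comparison are this example's own choices. Pointed at a regular file instead of a block device it works as a dry run, which is how it should be tried first.

```shell
#!/bin/sh
# Added example: overwrite a reassigned disk, then lay down the clean image.
# Assumes GNU coreutils and diffutils. Names below are this example's own.
set -eu

# wipe_and_restore TARGET IMAGE
#   TARGET: block device (e.g. /dev/sdb) or, for a dry run, a regular file
#   IMAGE : raw clean-install image captured earlier with dd
wipe_and_restore() {
    target="$1"
    image="$2"

    [ -e "$target" ] || { echo "no such target: $target" >&2; return 1; }
    [ -r "$image" ]  || { echo "cannot read image: $image" >&2; return 1; }

    # Never shred a device that is still mounted (guard only applies on Linux).
    if [ -r /proc/mounts ] && grep -qs "^$target " /proc/mounts; then
        echo "refusing to wipe mounted device: $target" >&2
        return 1
    fi

    # One pass of random data is enough to defeat casual undelete/forensic
    # recovery of the previous user's files; raise the count if policy demands.
    shred --iterations=1 "$target"

    # Restore the clean image, flushing to stable storage before returning.
    dd if="$image" of="$target" bs=4M conv=fsync status=none

    # Verify: the first image-length bytes of the target must equal the image.
    cmp -n "$(stat -c %s "$image")" "$image" "$target"
}

# Usage (real run, as root, after double-checking the device name):
#   wipe_and_restore /dev/sdX /srv/images/clean-install.img
```

Because `shred` writes with `-e` in effect, any failure (unreadable device, mismatch reported by `cmp`) aborts the script instead of silently handing a half-wiped machine to the next user.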


Solution 5:

This is missing the best answer ... write down your hardware as a business cost, and when someone leaves, give them the laptop and buy a new clean one; this saves the most time of all, and is a positive way to approach work-life balance. Of course, if they've only been there a few weeks then a reset is probably best.