Should Security Officers Be Network Admins?
A Nameless Submittor asks: "I work as a network administrator for a large organization. Recently our security officer has demanded from our management that she be a network administrator on every system in our environment. Currently she is not an administrator on most of our systems, although she does have enough administrative power to do auditing, manage resource accesses, and manage users. Should security officers have unrestricted access to everything on a network? A security officer with the ability to shut down servers, disable services, etc. scares the hell out of me and my coworkers. Can I fight this or am I fighting a losing battle? What is done in the rest of the world?"
Tell her that's fine as long as you get keys for every lock, schematics for all the surveillance and alarm systems, et cetera. Tell her you wouldn't *dream* of abusing your new powers.
I see even classic Slashdot is now pretty much unusable on dial up anymore.
Should security officers have unrestricted access to everything on a network? A security officer with the ability to shut down servers, disable services, etc. scares the hell out of me and my coworkers.
I envy your problem. I really do. Because I have similar problems, but I think the scope may be a little different.
My boss, the General Manager of my company, has entrusted me with ensuring that we have Internet access. Mail, website, connectivity for users, etc.
We have some accounting software running on the Windows machines around the office that requires a $60 license fee every time you reinstall it. Criminal, okay. But that's the agreement that was made (by him) with the software vendor.
Most of the machines around the office are aging Dell Optiplex Pentium 133s. 1 gig hard disk drives, mass-installed Windows 95A. Flakey to begin with, downright unusable with several years of OS decay.
So, the machine that belongs to our receptionist went down. Windows has done its trademark self-corruption. And Pat's the ultimate do-it-yourselfer. Rather than calling me, he figured he'd fix her machine. Instead, he managed to make it blue screen and halt on startup. Then he spent 10 hours - I counted - playing with the machine, copying files, copying even the entire registry off another machine, back and forth until the thing started up with a minimum of accusatory dialog boxes.
Now, Pat makes over $150/hour. So, minimum, it's cost the company $1,500 to not have to pay a $60 license fee. And the machine is still running Windows 95A, it's still as unstable as all hell. And now, there are ten "Missing File" warnings when the system starts up. At this point, I flatly refuse to touch it until I'm given permission to format the drive and reinstall Windows (95B this time).
And now Pat wants root access on our Linux server. Why? Because no one should have root except him. No one should be able to read his private e-mail but him. (Like I care to read his private e-mail.)
An IT guy from our (former) head office was visiting one day as our division of the company was sold and we were being disconnected from the WAN. While we were talking, Pat decided to show me up in front of the other IT guy.
"Do you really think that the President of this fucking company has an e-mail account that can be looked at by any junior IT person?"
Steve, the corporate head office IT guy, had had enough. He didn't care, Pat was no longer his boss. He just cracked up at Pat, and told him that he'd extricated choking attachments from the president's e-mail account a couple of times. Even so, Pat remained unconvinced.
To shut him up, I gave him a shell account. Evidently, I didn't give him root, but I told him that I did. Of course, the dollar sign at the prompt wasn't a tip-off; I didn't think it would be. A couple of days later, I checked his history file. The results were predictably amusing:
1 dir
2 dir c:
3 win
4 cd windows
5 scandisk c:
At approximately this time, the log files show that the filesystems were forcibly unmounted and the system rebooted. A minute after the reboot, Pat logged in again:
6 dir
7 win
8 WIN!
9 what the fuck is wrong with this piece of shit!
10 WINDOWS
11 sCANDISK
After this, the system went down again, and remained down because it was "broken", until I arrived back in the office from a meeting with some of our customers. When I walked into the office, he started screaming at me about how unreliable the computer was.
In fact, there was no problem with it at all, it had been working fine; our ISP had gone down briefly, and when our service was therefore interrupted, it was assumed that the server was at fault.
It had already been explained to Pat that this machine was neither running DOS, nor was it running Windows, and that commands for those didn't work.
Now, not knowing how your security officer is, I don't know how I'd feel about giving anyone access. If I'm the one who is gonna take the fall if the system goes down, no one gets administrator access but me. Period.
Fire and Meat. Yummy.