Dealing with Network Politics and Insecure Users?
Rob asks: "I work at a large university as an IT support person for one of the college's Novell networks, and I frequently find that my hands are tied on security issues--highly paid, highly respected professors do not like to see the words 'Access Denied', not even on their secretaries' screens. They routinely share their passwords, leave their machines unlocked, and go weeks on end without rebooting. They demand Administrator access on their local machines. They demand Internet Explorer have minimal security (but it's our fault when they get a piece of spyware). So, Slashdot community, I ask you this: how do you limit a user's access without making it look like you're limiting their access?"
Tell them they're getting a mandatory system upgrade, then put them in Kiosk mode, give them access to email, whatever office apps they have, and whatever other critical functions they need. If they ask for more, tell them it's been obsoleted. After all, they've got tenure, they're smart, right?
Face it, totalitarianism lives and thrives among system admins for a really good reason. Your only solution, I think, is to play the dictator and do it with a happy-friendly smile. Recycle some old Communist propaganda posters to get people in the right spirit.
And... as I tell my colleagues when they have Windows problems: hey, you have a Ph.D. in computers, you fix it.
I've managed to maintain good karma thus far but I think I'd like to reply to this anyway and risk the down-modding.
Dear CluelessAdmin,
If you would like to ask questions to the slashdot readership, please utilize the "Submit Story" link on the left hand side of your page.
It is disrespectful to ask unrelated questions in other people's threads.
Thank you,
- Frank J. Mattia
is the ultimate guide.
Enjoy!
Daniel
Carpe Diem
My mom always said, "Jim, you're 1 in a million." Given the current population, there are 7000 of me. God help us all!
Unrelated?
/. is "Tell me how to do my job, /.!"
/. rule that says "If you can find an answer on google in under 5 minutes, you cannot submit this story"
Every single ask
And this one is no different.
He's asking us to do his job for him for free, while he gets paid for it.
And, hey, what happened to google? Did they close down already?
There needs to be an ask
Not a Twitter sockpuppet... but I wish I was.
I ask you this: how do you limit a user's access without making it look like you're limiting their access?
You don't. You limit their access and tell them that they have to live with it. Explain to them that security is inconvenient and that they have to be adults and accept it. It's your job to secure the network and it's their job to teach the students, so make a deal with them: You won't tell them how to teach their courses and they don't tell you how to run the network.
You either have a network policy or you don't.
I deal with this kind of stuff on a different level. I manage an intranet and need to deal with people wanting things 'their way,' only to have them complain when their way is the wrong way.
I get them to e-mail me acknowledging that this is against my recommendations or against policy X. When it blows up the first time, I fix it and hopefully gain his or her trust.
If he or she is still pig-headed after one major experience or a couple of minor ones, put solving their problem at the bottom of your list of priorities. Remember, you hold the power.
Just remember to have them acknowledge in writing or via e-mail that whatever they're demanding is against your recommendation or policy if you can't convince them to back off.
And if you run out of ideas, just follow Simon's lead http://bofh.ntk.net/Bastard.html.
--- Dan
Get them to sign a document accepting full responsibility for all data loss, nasty crashes etc. on their machine. Make sure you include a list (several pages long if possible) of examples of things which they must accept responsibility for if they don't follow the normal security procedures. Either they'll be scared into following the rules or you'll be totally safe when the shit hits the fan.
Remotely manage their machines, using any of a number of tools.
Restrict logons to one instance.
Use the administrative tools available to restrict the hours a professor may be logged in to match his or her published office hours, and enforce automatic logouts for extended (more than one hour) idle times.
When a workstation has been detected to be infected with a virus or spyware, remotely set the gateway for that workstation to 127.0.0.1, disable the switch port the workstation is connected to, and set the DHCP record in the DHCP server specific to the MAC address of the workstation to also set the gateway to 127.0.0.1 until the workstation has been cleaned.
Feel free to advise the professors involved that you will get to them as soon as you have handled the network issues for the university president, and his or her immediate staff, as well as the people who are paying you.
Lastly, set their network storage space to read-only pending confirmation that that space does not contain any viruses.
Should be simple enough to go take a look at the BOFH journals and improvise from there.
-Rusty
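The quarantine steps in the post above (per-MAC DHCP record with a 127.0.0.1 gateway, switch port shut down) are mechanical enough to script. The following is an added example, not code from the post: it takes a constructed list of infected workstations and emits ISC dhcpd host declarations plus IOS-style port shutdown commands. The switch vendor, the CLI syntax, the sample hostnames, MACs and port names are all assumptions; the post names none of them. Two practitioner caveats: the DHCP trick only bites when the client renews its lease (hence the short lease), and a MAC can be changed by anyone with local admin, so the port shutdown is the real enforcement.

```python
import re

# Constructed sample inventory of infected workstations (hypothetical hosts, MACs,
# switch names and ports). Real data would come from the switch MAC table or a CMDB.
SAMPLE_INFECTED = [
    {"host": "prof-smith-pc", "mac": "00-11-22-33-44-55",
     "switch": "bldg7-sw1", "port": "GigabitEthernet1/0/7"},
    {"host": "dept-sec-pc", "mac": "0011.2233.4466",
     "switch": "bldg7-sw1", "port": "GigabitEthernet1/0/12"},
]


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or Cisco 0011.2233.4455;
    return the colon-separated lowercase form dhcpd expects."""
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", mac.strip()):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def dhcpd_quarantine_stanza(host: str, mac: str, lease_seconds: int = 300) -> str:
    """ISC dhcpd host declaration that hands this MAC a useless default gateway.
    The short lease makes the workstation pick it up at its next renewal."""
    return (
        f"host quarantine-{host} {{\n"
        f"    hardware ethernet {normalize_mac(mac)};\n"
        f"    option routers 127.0.0.1;\n"
        f"    default-lease-time {lease_seconds};\n"
        f"    max-lease-time {lease_seconds};\n"
        f"}}\n"
    )


def switch_shutdown_commands(entries) -> str:
    """IOS-style CLI to shut the access ports, grouped per switch.
    Assumption: the vendor and syntax are not stated on the page."""
    by_switch = {}
    for e in entries:
        by_switch.setdefault(e["switch"], []).append(e["port"])
    out = []
    for sw, ports in sorted(by_switch.items()):
        out.append(f"! {sw}")
        out.append("configure terminal")
        for p in ports:
            out.append(f"interface {p}")
            out.append(" description QUARANTINE - infected workstation")
            out.append(" shutdown")
        out.append("end")
    return "\n".join(out) + "\n"


def quarantine_config(entries):
    """Return (dhcpd_text, switch_cli) for the given infected workstations."""
    dhcp = "".join(dhcpd_quarantine_stanza(e["host"], e["mac"]) for e in entries)
    return dhcp, switch_shutdown_commands(entries)


if __name__ == "__main__":
    dhcp_text, cli_text = quarantine_config(SAMPLE_INFECTED)
    print(dhcp_text)
    print(cli_text)
```

The dhcpd stanzas go into an included quarantine file that is reloaded; the CLI block is what you paste into (or push to) the switch. Removing the stanza and issuing `no shutdown` reverses it once the machine has been re-imaged.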
You never know...
If you can find the answer to this on google in 5 minutes, let me know, because I'm not even sure what to look under!
Two things are infinite: the universe and human stupidity, though I'm not yet sure about the universe. - A Einstein
Install antivirus and set it up to run updates as frequently as possible.
Block ports that the user shouldn't need.
Install Firefox.
Set up an administrator account on said computer for the IT staff. Then go through and reassign rights to certain folders so that said individual can't touch it, but you can (i.e. for those antivirus settings, so they can't do something dumb like disable it).
Make sure all the standard software that should be installed works after you perform the above, otherwise they will chew you out about it and rightfully so.
Another solution, which could be used in conjunction with the above, is to make a standard reload image that you can slap onto a computer (using Norton Ghost and others). Every time the individual screws up their computer, take it away for several hours, slapping the image back on and then just sitting on it for a while. The loss of productivity will eventually hurt them, but you can explain it as time spent re-installing things from scratch. Decide on how you want to handle restoring their user files.
Disclaimer: I'm NOT a SysAdmin, I'm a developer.
I could really live without admin rights on my box at work. Really. Almost. Except for the bunch of stuff that I have to do that demands that I have it.
Most employers (and a Uni is the prof's employer, so this is about the same) have a 'standard build' which includes lots of software that most people need. The trouble is they never get the mix right for me, the developer. UBS Warburg had a damn good IT department (to cite the best employer I've ever worked for) but they didn't know about http://ultraedit.com/. They were very responsive with new software, but it was still a delay.
For general mode programming, I don't need new software but for maybe once a month, and I can stand a 2 hour or even 4 hour delay to get it installed. This is fine and thus I don't need admin rights for it.
The employer I most recently worked for (not UBS) is okay but they're typical of the industry (as a former consultant I've worked for about 20 companies in the past 14 years). Their standard build is not my standard build.
The times I need admin rights are:
- Correcting the system clock (if they had a timeserver I wouldn't need this);
- Adding the applications they never get right:
- UltraEdit
- Filezilla
- Mozilla/Firefox
- Cygwin
- Quicktime
- Acrobat Reader
- PowerDesk
- ActiveState Perl
- Folding at Home
- MySQL & MySQL admin
- Evaluating New software;
- Running Apache on my own box - starting and stopping the service;
- With several of my admittedly small C# .NET programs, adding them as a service, starting, and stopping them;
Of course, my employer could have installed all the programs I've named and that would get me through the tough times, but the problem comes when I'm doing the other stuff. Admittedly I'm a huge power user. But, there's no reason a departmental secretary needs admin rights. She shouldn't be installing that much stuff her/himself.
An organization that has that many rampant security violations obviously needs consequences for those violations. I can say that if I shared a password to my personal account, or a production account even, I would expect a reprimand from my manager. If it was a business critical system, I could be warned and then fired very easily.
Frankly, moving to Linux would not correct the basic organizational problems of disregard for data security. When a prof finds his tests were stolen and thus has to write an entirely new set of questions (a LOT of work, and strangely, I've done it as a Teach. Asst.), they'll think again about security.
If you schedule a computer switch-up, meaning taking all boxes away and redistributing them, you might force the issue of what software should be installed (get licenses for it if needed), putting data on server shares that are backed up regularly, and changing admin passwords. But I DON'T ENVY YOU THE TASK (grin). Of course, there are easier ways - reset admin passwords, announce a reinstall of the OS and thus they'll need to move all their files to a server share, require passwords be changed once every semester and enforce having a number and mixed case in the password, etc.
-- Kevin Rice
"Soon to be laid off from BankOne due to JPMChase Merger (don't want to move to NYC); looking for a Perl / C programming in Chicago Northern Suburbs - know of anything? Hints? Email me, kevin@justanyone.com with 'job' in subject line (due to spam filter)"
Unitarian Church: Freethinkers Congregate!
If it's any consolation, you (or at least your boss) gets paid more than they do. The rest of their compensation package is in self-importance.
What I'm listening to now on Pandora...
Weird one this, but I've heard it used when I was at college in the UK....
Every time a problem came up which the IT staff COULD fix instantly but couldn't be arsed to because we were just "lowly" first-years, they would say "Oh, it's a bug, you will have to work around it".
And that was it; we could ask if they were planning to fix it, and they would claim they were waiting for a new version of the software. Shame is, in this day and age, people EXPECT bugs, so much so that when one causes a problem, they find a way around it.
- http://www.milkme.co.uk
Actually,
ethics-related debates, and that's all this can be simplified to.
on the one hand.
Even if he is a clueless admin who can't defend himself against schmuck professors, he still has the right to ask dumb questions. It just lowers people's opinion of him... I hate freedom preachers... but it's the truth... it's his right, and should be assumed.
on the other hand...
It's up to the editors to exercise their right to dump off the crap stories they find appropriate and even put up some crap stories if they like... basically they have the right to run the site how they want...
and on the last hand,
We as users have the right to complain about anything we want... even if it makes people think less of us.
So how far down does the buck get passed until someone accepts responsibility for what happens here? Certainly not the questioner... he's asking a question to a public forum knowing full well the odds of getting it asked on the homepage...
Certainly not the end reader... no one forces us to come here... which brings us to the editors...
So while they have the right to put anything they want on their site... it's in their best interest to not post crap... and when they do... it's in our best interest to complain... it's how they'll know they're posting crap...
OK, I'm done with this... and tired... goodnight.
Security policies at the U where I work are set by the Office of the Provost. IT is a part of Division of Academic Affairs and my boss works directly for the Dean of the College of Engineering. Enforcing the University's security policies is easy when they come from that high up.
His (my boss's) attitude is "we do not support student or faculty administered machines, other than to shut them down when they get compromised. If you want Administrator or root access to your machines, professor, you get to keep both halves when it breaks."
Of course, our favorite trick to discourage use of telnet and XDMCP is showing the prof his username and password in a sniffer log from one of his compromised machines.
utter rubbish
Rename Administrator "toor" and create an account "Administrator" with more than they have, but not all, permissions.
Oh, and did I mention policy?
If they aren't adhering to a written policy then there should be 'measures' available in the policy you can take.
If you haven't got a policy - write one.
If you maintain the machines, they do not get admin access. Install a lot of useful software on these machines, and be responsive to requests for more software.
If they maintain the machines, you don't have a copy of the admin password. They get access to your servers (which you back up of course) as a user. If they want their local machine backed up they have to do it themselves. If your normal network monitoring reveals this machine has a problem (often meaning it is running a spam bot), you turn it off at the network connection, and refuse to turn it on until it has been re-imaged. Once in a while you could check for illegal software (child porn, or anything else illegal), and turn anyone with it into the police, but do it via documented procedures.
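The post above says "normal network monitoring" is what reveals a faculty-administered box running a spam bot. What that detection looks like in practice, as an added example that is not from the post: a workstation on a mail-relay campus should talk SMTP to one sanctioned relay, so the tell is SMTP fan-out, the number of distinct outside mail servers a host connects to on port 25, not the raw connection count. The key=value flow-log format, the relay address and the sample addresses below are constructed for the example; a real feed would be firewall logs, NetFlow or a span-port sniffer.

```python
import re
from collections import defaultdict

# Constructed flow-log lines (format is an assumption for the example).
def _build_sample_log():
    lines = []
    # One workstation mailing 30 different outside hosts directly: spam bot behaviour.
    for i in range(1, 31):
        lines.append(f"2004-11-03T09:{i:02d}:00 src=10.1.2.50 dst=198.51.100.{i} dport=25 proto=tcp")
    lines += [
        # Normal client: every mail goes through the campus relay.
        "2004-11-03T09:40:00 src=10.1.2.7 dst=10.1.0.25 dport=25 proto=tcp",
        "2004-11-03T09:41:00 src=10.1.2.7 dst=10.1.0.25 dport=25 proto=tcp",
        # Web browsing and one stray direct SMTP connection, well under threshold.
        "2004-11-03T09:42:00 src=10.1.2.9 dst=203.0.113.10 dport=80 proto=tcp",
        "2004-11-03T09:43:00 src=10.1.2.9 dst=203.0.113.11 dport=25 proto=tcp",
        "this line is not a flow record",
    ]
    return lines


SAMPLE_LOG = _build_sample_log()
CAMPUS_MAIL_RELAYS = {"10.1.0.25"}  # assumption: the department's sanctioned outbound relay

FLOW_RE = re.compile(
    r"src=(?P<src>\d+(?:\.\d+){3}) dst=(?P<dst>\d+(?:\.\d+){3}) dport=(?P<dport>\d+)"
)


def parse_flow(line: str):
    """Extract src, dst and destination port from one log line; None if it is not a flow record."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def find_spam_bots(lines, threshold: int = 20, relays=CAMPUS_MAIL_RELAYS):
    """Return {src: distinct_smtp_destinations} for hosts that opened SMTP
    connections to at least `threshold` different servers other than the relay.
    Distinct destinations, not connection count, separate a bot from a busy mailer."""
    fanout = defaultdict(set)
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["dport"] != 25 or rec["dst"] in relays:
            continue
        fanout[rec["src"]].add(rec["dst"])
    return {src: len(dsts) for src, dsts in fanout.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for src, count in find_spam_bots(SAMPLE_LOG).items():
        print(f"{src}: SMTP to {count} distinct outside servers -> disconnect pending re-image")
```

Run this over each hour's log and feed the offending source addresses to whatever disconnects the port; the threshold is a tuning knob, and a host that legitimately runs its own MTA belongs in the relay set rather than in an exception list bolted on later.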
... and Novell lets you add or remove FileScan rights. If they don't have access, take away filescan too, so they don't even see it. Then give them access (and visibility) to only exactly what they need.
I'm pretty sure there is no equivalent to filescan rights at the server level in NT. There might be a way to do it in *nix, but I don't know off the top of my head what it is.
I am not your blowing wind, I am the lightning.
It's amazing how many people get around to asking "How could I have avoided this" the second or third time they lose their computer for a day or two...
First, you install Firefox and you tell the user to use it as IE is inherently prone to spyware and corruption issues. (In your case you can add in that these issues go away if you are no longer administrator on the local machine.)
After about 2 weeks, copy your own iexplore.exe and open it in a hex editor. Switch the first two bytes in the exe. Then have the victim's login script move the old iexplore.exe and copy the new iexplore.exe into the Internet Explorer directory. (Network shares.) Let things simmer for a while. Eventually, be it windows update or whatever the user will reboot and hit your script. Bingo IE no longer works.
When you get the call you ask the user, have they been using Firefox? When they say no, tell them that you need to take their computer for a day to fix the problems IE has caused. Repeat the process till the user stops using IE.
By making it clear that the cause for the machine repairs is IE.
Special Note:
This does not work well on CS instructors or other people who look closely at login scripts. If you find such a person, it is easy enough to shame them into using Firefox by asking "how would someone who's obviously as smart as you ever use IE?"
Good luck on this.
=================
Unix is very user friendly, it's just picky about who its friends are.
1. Make everyone security equivalent to admin.
2. When it breaks, blame the problem on terrorist network activity.
3. Go play golf.
Either they don't get admin access and their machines keep working, or you do give them admin access and they have the opportunity to mess up their machine. I'd make it a policy to not spend too much time trying to fix their machine infested with malware/spyware, missing DLLs, deleted application files etc. Penalty to pay for a seriously messed up machine: you get a nice clean brand new install (takes you 2 minutes pulling an image of the OS onto the machine if you take some time to set things up properly). Just my 0.02
Sample this!
I guarantee that your time is worth far less than theirs, and in fact, getting you to do some of these things would probably end up saving the university money in the long run.
Give me the strength to change the things I can. The courage to accept the things that I cannot. And the wisdom to know the difference.
There's only so much you can do in a situation like that. Give them the reasonable to semi-reasonable things they want and try to protect them without getting in their way. Most importantly, don't be adversarial with these guys unless someone is a big problem and it is clear to users and staff alike that the person is a problem.
Sometimes policy overrides politics, but many times that's not the case. If your written policy supports the action, then start slowly locking the systems down.
Other than the small group who seeks a power-trip or "administrator badge", you'll find that the bulk of those requesting admin/root access to a system are those who feel the need to do something at that level. Maybe it's a broken Win32 app which requires a lot of tweaking to run as a non-administrator, maybe the SysAdmin never set up sudo (properly?). In any case, the user is likely just seeking the access needed to do their job (or what they believe to be their job).
Start by locking things down slowly. When something breaks, blame it on "a bug" and quietly back off the restriction until you can figure out what/why something happened. Then either determine why/if it's needed, fix it, lock it down, and move on. Make sure your IT group/boss supports this action - they love to play along with things like this, as it gives them more power to do their job, enforce policy, secure/stabilize the systems, and at times to tell those arrogant users (usually in front of their boss) "Computer working great? Good. Oh, by the way, that access you said you needed, you haven't had it for three months...". Oh god, I love to be in the room when we do that!
Interesting thing is, in the business world, the user insisting on the higher-level access is usually having issues elsewhere in their job. I've seen the bulk of employees leave/quit anywhere from a few weeks to a few months after completing this stunt.
Overall, this technique has worked great for me in public/education environments and still works very well in the business world.
Tell them that to improve the academic experience they should only work in the computer labs that the students use; which is where you have deep freeze, right?
Ok, aside from that, what I have seen done that works well is to set up Service Level Agreements with the faculty outlining supported and unsupported applications. Essentially that washes your hands of having to fix unsupported software and gives you the excuse to remove it or even install a clean image on the machines. Also, track all service requests in some sort of database so when your department gives an annual report it can show that it spent xx% of its man hours fixing easily prevented things.
Finally, treat all faculty and staff as hostile and plan accordingly.
The Houkster "Oh yeah brother, what you gonna do when Houk O' Mania runs wild on you? Besides wet your pants in laughte
whine whine whine.
"Ask Slashdot" is a moderated method for people to ask questions of a larger community, getting moderated responses.
In this case, his is a social question, one that there's no single answer to. Any solution is going to have to come from people who've encountered it before, and who can describe their situation.
If you don't like it, disable the Ask Slashdot topic in your user preferences.
Insecure machines should be treated like any other machine on the public internet - and should be on the other side of a firewall from your core systems.
If your professor wants their secretary's system to be able to see every share on their computer, then set them up as an island to themselves, and put a firewall between their little sub-net and your main network.
And charge them for it. Hit them in the grant $$$, and they will eventually get a clue (or, they will cough up).
Explain the situation to the department chair and get him/her on your side. Then the complaints from the other professors just becomes griping.
First let me start of by stating that I have worked in the same exact environment.
I know this will ruffle a lot of feathers, it even upset me when I discovered it, but: YOU ARE INSIGNIFICANT. Let me say that again, You Are Insignificant; despite its white collar veneer, your job is no more important than that of the foreigner who polishes the floors. If he wanted to implement a policy of "everyone must remove their shoes before entering the building" he would be laughed out the door.
For your sanity, you need to concentrate on two things.
Relax and let them have their way, but ALWAYS let your management know the potential consequences of their policies, not in a "Chicken Little" way, but in a sober, well-reasoned fashion. Don't forget to back up religiously; data loss will be your fault.
The profs don't necessarily hate you personally, it's just that your "rules" are an impediment to their productivity. Your job is not to manage the systems, it is to enhance their productivity. If your systems are as 'invisible' as the fax machine, you have done well.
Working in academia has many, many fringe benefits; don't lose sight of those just because you want to be the BOFH.
--ac
It's not a short-term solution, and it won't work in research facilities quite as easily, but as you replace desktop PCs, replace them with thin clients. There are many kinds, they use many OSes, they are cheap, easy, and practically bulletproof, and they save you money (once again, in the long run) on licensed application fees.
I like these ( http://www.sun.com/sunray/sunray170/index.xml ), but any system will do.
Finally, they return actual control over the desktop to central IT, while preserving the illusion of control in the consumer of information's experience.
how do you limit a user's access without making it look like you're limiting their access?
Start users without dangerous guns they know nothing about.
Then, if they ask for access, say you'll be happy to provide them with access if they sign this responsibility form you need to keep on file to cover yourself. Load the form up with I have read and understood my responsibilities, etc.
You can mumble something about how you need to do this to keep out of trouble after another user asking for access that wasn't nearly so responsible as Professor Bigname ended up with a machine serving child porn and a nightmare investigation....
"Provided by the management for your protection."
I like ask slashdot, asshole, I just don't like how it is becoming a way to say "Please do my job for me because I'm a complete moron and cannot do it myself" read some of the previous ask /.'s and check for yourself. "How do I set up *blah* at my work?" "How do I get *blah* working at my company?"
If you cannot do your job, leave it and let your place of employment get someone who can do the job.
Not a Twitter sockpuppet... but I wish I was.
Don't blame the users; part of your complaint is poor user education(!). You know it's bad but your users don't. Build and document exactly why you want the user to be secure and why it is a good thing for EVERYONE.
The following suggested discussion points are in no particular priority:
It's easy to find a way to do something. It's not easy to find the best way to do something. Which is why people will often ask, "What's the best way to ___?"
As an example, look at one of my questions posted to USENET. Look at the solution I came up with, then look at the solution I was presented with.
I've taught a discussion section of Physics, "Intro to Astronomy" at University of Kansas. I wasn't paid, I took the teaching as a class, Physics 571 Astronomical Instruction. It was a fantastic class to work on, Dr. Steven Shawl was a kickass 'boss' as well as teacher.
Writing a good test takes about 10 times longer than taking it. You have to:
- Come up with plausible misconceptions as alternates;
- make the questions cover stuff reasonable students should understand given the exposure to it;
- Make the questions somewhat entertaining to read if possible to induce people to not dread the tests;
- Create sets of questions that cover basics, medium, and advanced subjects so you make sure the C students can pass but not everyone gets A's
- the breadth of the questions has to cover the breadth of the classroom topics reasonably well
Grading tests (even multiple choice, but especially essay questions) involved reading all the tests, deciding what the scope of the answers was so you don't fail or Ace the entire class or bias the grading of the first papers you grade, etc.
Things change in Physics all the time, and a teacher who doesn't adjust the curriculum to their students will disincline their students to ever study the subject again - which I believe is one of the three goals of education:
- Give them a theoretical framework of basic concepts they'll use the rest of their lives;
- Give them enough knowledge to (a)back up the above framework, (b)Prepare for further academic study, and (c) inspire them to regard the subject as interesting and worth future study for the rest of their lives.
Of course, this is usually impossible, but a good teacher would probably echo these concepts in formal 'Educational Methodology' language.
-- Kevin
"Soon to be laid off from BankOne due to JPMChase Merger (don't want to move to NYC); looking for a Perl / C programming in Chicago Northern Suburbs - know of anything? Hints? Email me, kevin@justanyone.com with 'job' in subject line (due to spam filter)"
Unitarian Church: Freethinkers Congregate!
Just give up, and fix it when it breaks. Go Back to playing World of Warcraft in the corner cube where no one can see your screen.
Hate to break you away from the 23rd level warrior.
--honestly--> Your boss's problem, not yours.
Neck_of_the_Woods
#/usr/local/surf/glassy/overhead
So you want them to act like adults, but you treat them like children? Adults have adult responsibilities. Cars don't have safety features that keep them from going more than 35 mph. Instead, we have driver's ed classes, driver's licenses, penalties for speeding, penalties for drunk driving, etc.
The best solution to security problems is to educate users. Most people are not slashdotters. They don't do this stuff for fun -- for them, computers are just a tool to get the job done. Considering what a black art it is to keep a Windows box secure, it's not surprising that they don't know how to do it competently, especially if nobody has made an effort to educate them.
I teach at a college. Talking to my colleagues in the hall (who are all scientists, but not computer scientists), I hear stuff like this:
- I got my AOL account hacked, but I don't understand how, because my password was my dog's name, and nobody knows my dog's name.
- I don't worry about security on the machine on my desk, because it doesn't have any information on it that I need to keep private.
To the slashdot crowd, these comments may seem stupid, but the people who said them are smart people; they're just not computer security experts.
I actually submitted almost exactly the same Ask Slashdot recently, but from the prof's point of view. The network admins at my school want to block people from connecting their own machines (laptops brought from home, etc.) to the campus network. In other words, if you want to hook up a computer to the network, it has to be a Windows box provided by the administration, that is locked down so only they can administer it.
Wake up, folks -- that means no Linux!
Is this what we really want?
You also have to realize that security is not an absolute. You have to pick the level of security that is optimal for you. At my school, the only school-provided computers that you can use without an account are in the library. This is required by agreements we have with other schools -- people are supposed to be able to go to a different school to use the library, and have full access. This is entirely appropriate. Well recently, we had an incident where someone sent a death threat via e-mail from a machine in the library, so the network admins want to require an account to use those machines as well, violating our agreements with other schools. I'm sorry, but the incident isn't an indication that security was too lax; it's an indication that the internet is fundamentally an anonymous medium.
It's also worth pointing out that network admins are not perfect either. In the room where I teach physics lab courses, we have 6 Windows machines provided by the school, plus a FreeBSD machine I brought from home. The Windows machines, which are maintained by the network admins, have been infected by worms twice within the last year. My BSD box, strangely enough, was unaffected :-)
Find free books.
Lots of good ideas above this post.
Here's another suggestion:
Ask them precisely what privileges they need. In MS-Windows, there are many, many privileges that you can add and take away individually.
Do they need to set the time? fine.
Do they need to manage printers? fine.
Do they need to ghost-image their drives? fine.
Do they need to make file-by-file backups of everything? fine.
Do they need to install oddball software without bugging you? fine.
Do they need to install system-monitoring software for experiments? fine.
Except for maybe the last one, none of these requires full administrative privileges on a Windows box.
If the privilege they want is "dangerous" in any way, make them demonstrate competency before you give it to them on a long-term basis, say, 1 semester or the duration of whatever project they need the privileges for. Give them a class in administration if you have to.
If they only need it for a short time, give it to them for a week and offer to back up their machine first. If they turn down your offer, they are on their own if they lose data when you re-image the box.
For *nix boxes, sudo with detailed remote-logging of sudo-usage helps. I'm not sure, but I think Windows-box security logs can similarly be sent to a remote machine.
Technically-minded professors, such as those in computer engineering, can generally be trusted with additional privileges, but they too should be required to prove competency.
You will have professors that need to set up a "private network" that they can run and administer. This is fine and dandy, just put a good firewall between you and them, preferably one that watches for viruses-in-transit or other suspicious behavior. If they need access to parts of the university network from inside their private lab, give them only what they need and nothing more. If they don't need campus-level access but do need Internet access, give them that.
In any case, abuse is a "one strike and you're out" proposition:
If you share passwords that aren't meant to be shared, run programs that are not supposed to be run, or otherwise engage in deliberate activity that harms the network, I'll boot your machine and/or change the password until I have a nice chat with you, your boss, and your boss's boss. You'll sign an acknowledgement that what you did is prohibited, and my boss will get a copy of it.
If you are merely careless, I'll just yank the privileges and if necessary disconnect your machine.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
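The post above recommends sudo with detailed remote logging of sudo usage so that a time-limited grant can actually be audited. sudo already logs every invocation (and every denial) to syslog; the missing piece is reading those lines back against what each person was granted. The following is an added example, not code from the post: it parses constructed sudo syslog lines, flags denials, shell escapes (a grant of `apachectl` that is used to run `/bin/bash`) and commands outside the grant. The hostnames, usernames, grant table and log lines are all constructed for the example; the log line layout follows sudo's standard syslog format.

```python
import re

# Constructed sudo syslog lines as they would arrive on a central log host.
SAMPLE_SUDO_LOG = [
    "Nov  3 09:12:01 lab7 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/apachectl restart",
    "Nov  3 09:15:42 lab7 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash",
    "Nov  3 10:01:13 lab7 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vim /etc/sudoers",
    "Nov  3 10:05:00 lab7 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/sbin/ntpdate ntp.example.edu",
    "Nov  3 10:06:00 lab7 sshd[1234]: Accepted publickey for alice from 10.1.2.3 port 50022 ssh2",
]

# Hypothetical grant table: what each person was actually given (e.g. for one semester).
GRANTS = {
    "alice": {"/usr/sbin/apachectl"},
    "carol": {"/usr/sbin/ntpdate"},
}

# Programs that hand the user an unrestricted root shell regardless of the grant.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/su", "/usr/bin/su"}

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sudo:\s+(?P<user>\S+) : (?P<body>.*)$"
)


def parse_sudo(line: str):
    """Parse one sudo syslog line into a dict; None for lines from other daemons."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    fields = {}
    status = "ok"
    for part in m["body"].split(" ; "):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
        else:
            status = part.strip()  # e.g. "user NOT in sudoers", "command not allowed"
    return {
        "ts": m["ts"], "host": m["host"], "user": m["user"],
        "status": status, "command": fields.get("COMMAND", ""),
    }


def audit_sudo(lines, grants):
    """Return (host, user, reason, command) for every invocation worth a chat."""
    findings = []
    for line in lines:
        rec = parse_sudo(line)
        if rec is None:
            continue
        program = rec["command"].split(" ", 1)[0] if rec["command"] else ""
        if rec["status"] != "ok":
            findings.append((rec["host"], rec["user"], "denied", rec["command"]))
        elif program in SHELLS:
            findings.append((rec["host"], rec["user"], "shell escape", rec["command"]))
        elif program not in grants.get(rec["user"], set()):
            findings.append((rec["host"], rec["user"], "outside grant", rec["command"]))
    return findings


if __name__ == "__main__":
    for host, user, reason, command in audit_sudo(SAMPLE_SUDO_LOG, GRANTS):
        print(f"{host}: {user} {reason}: {command}")
```

The audit only means something if the log lines leave the box before the user can touch them: sudo logs to the authpriv syslog facility by default, and a line such as `authpriv.* @@loghost` in the rsyslog configuration forwards it to the central host over TCP. Checking program paths rather than the full command line is deliberate; arguments are where the interesting abuse hides (`vim /etc/sudoers`), so treat an "outside grant" finding as a prompt to read the whole line.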
Teaching is only half of a professor's job anyway... Research, papers, projects, whatever is appropriate given the field of study the professor is involved in, that is a full year job for a majority of professors.
And this isn't just an issue at big 'research factory' universities. It's that way at pretty much all colleges, and in pretty much all fields. The idea that professors only work during the school year is pretty much a 'common myth.' Shoot, it might even be arguable that in general a professor's primary job is the research work, not the teaching (that is certainly the case at some schools, though not necessarily all).
When our new IT person started here the first thing she did was change all our passwords and educate us about not giving them to everyone.
She demonstrated this by #1 running a password guessing program, and showing how easily it guessed our passwords.
Then #2, she asked me for help. Using social engineering I managed to get the login and password of someone at our other division. This person has access to all the payroll records.
Imagine the chaos if everyone was sent a copy of what everyone else was making...
The letters PhD do not give them the right to put other networked systems or the confidential data they are entrusted with at risk.
Remember what happened at UC-Berkeley? Over 600,000 residents with their personal information compromised because a researcher did not follow procedure and patch their software (I think it was Oracle and a patch was available).
Many times academic/research systems paid for by grant money are not known to central IT until the system is compromised, a situation that could have been completely avoided if the researcher had asked for their systems to be checked by IT personnel. Unfortunately a PhD does not like to be told what they can and can't do...until their system is compromised and blocked from network access.
While many professors are very well educated with respect to the application software they use to get their work done, they seem to have very little if any knowledge of basic system security. Having said that I will now say not all PhDs are like that and it is a pleasure to work with them because they understand.
It's too bad that in most cases a PhD + computer = compromised system
Just realize that because these academic types will always need you, your job is secure into the foreseeable future. Everyone should be so lucky.
Use group policies. There's a wealth of settings you can change to give users very fine-grained control over their machines. That way you allow them to do exactly what they need and no more. Principle of least privilege, dude.
'He who has to break a thing to find out what it is, has left the path of wisdom.' -- Gandalf to Saruman
Where I work, everyone is responsible for the security of the company, and everyone is trusted within their own area of expertise. Occasionally someone screws something up, but that's what backups (and a whole heap of data integrity reports) are for.
You lost me when you said they "go weeks without rebooting" as if this was a *bad* thing...
Well if they are kind of stupid you could change the icon of firefox to IE and say it was an IE upgrade from microsoft. But they might see Firefox at the top but oh well. Why must they use IE anyways, you can import everything from IE to Firefox...
"Desire is the key that opens the champions door."
I work in a similar situation as a K-12 sys admin. When someone has a problem with spyware, a virus, or a computer not plugged in (I get this call at least once a week) I try to educate the user. I sit down with them for five minutes and offer basic computer usage advice. This usually includes: When you get an email with an attachment, do not open it. First either call the sender or email them back and ask if they sent the attachment. I try to convert them to Firefox for web browsing but they still must use IE for taking attendance (damn ActiveX apps). Not my decision BTW. I always tell them that fewer programs on a computer means fewer potential problems. Many of our users insist on having Webshots installed (a wallpaper program that when said aloud makes me flinch) and Weatherbug (because it is too difficult to go to weather.yahoo.com to view the weather). I show the user how to change their desktop picture and create a shortcut to Yahoo weather on their desktop. I have found this to be the best way to reduce the number of calls I get. Sure there are a few users who refuse to take my advice and I respect that. All that means is that I take their computer back to the shop and work on it "when I have the time."
If you can't get around staff wanting / needing local administrative access then spend your time developing a neat SOE. If a support call comes in and it is determined that the issue is local to that workstation then simply rebuild. Regards, Liam.
Sure, s/he won't be legally responsible if the document is written properly, but s/he'll still be the person hired to clean the network afterwards (for no additional pay, I assume).
in a corporation, you typically have an IS organisation that has clout at the highest levels - in parallel to your other management structures.
basically, it sucks ass, but it IS different...
our schools are now on SiPS: http://www.pearsondigital.com/sips/.
mozilla, firefox, safari offically supported for all parts.
It has a good attendance system and reports and the rest is nice too.
All the technology in the world will not fix your issues if you keep getting beat back by politics and demanding customers. The REAL key to stopping these problems is ensuring you have the support of senior management. If your bosses will back you when yelling department heads ask for higher access, you'll quickly see things change.
Write good, sound IT policies, explain the pros and cons to senior management/CIO, spell out the risk to your org, and you're sure to get support. They have to be willing to make the tough calls though, or you're doomed at the start.
At the company I work at, it is a condition of employment to comply with IT security policy.
If you're getting unreasonable demands then someone needs to back up your reasonable position. You can't do things like let the security lapse to prove a point. If you need a certain level of access control, then maintain it.
If you receive undue complaints from Professors, it's not your duty to bow to them, but make sure they're known by your (IT) seniors. If you *are* the IT senior, then you've got to deal with the problem by explaining your position. Agree to as many meetings as they want, but don't back down unless you decide they've got a point.
But do accept that they might have a point. You can degrade a system's usability by making it secure. I know some people would say that there's no such thing as over secure, but...
jh
So what's wrong with asking? That's how you learn. It's idiots like you that ensure reduced learning and understanding.
Saying Apple is better than MS is like saying Botulism is better than rabies.
If you cannot do your job, leave it and let your place of employment get someone who can do the job.
You're lucky you don't work for me, as I would relieve you of that decision and fire you. Why would I fire you? Because the biggest mistake you can make is to not know something and not ask, and as you think you know everything you would never ask or even discuss with someone if a new problem came up; you can not do your job.
It's your network, they are the user. Do you have any documentation relating to network access policies? Normal users need very little access to things. The rest is just to make themselves feel important. Once you have everything wide open, it is very difficult to rein it in. Good luck.
I hate sigs.
That said, security initiatives must be supported from the top down. Your university president must understand the financial hit lax security is to the university. He must support a security initiative and push it down to the provost and deans' council. It must be made absolutely clear through all deans down to the people that work beneath them that there is a university security policy in effect and it will be followed. Violation of it will result in reprimand, possible loss of network privileges, and can ultimately result in termination. This is the only way to get the message across. I worked the helpdesk at a fairly large university for 3 years and have seen it all (or pretty damned close). Whenever an employee becomes belligerent you pass the person up the food chain to your supervisor or another full-timer. We full-timers aren't there to take any guff off other bitchy employees (whereas students are much less likely to defend themselves against a verbally abusive professor; students are also much more likely to be walked upon by professors than full-timers). "We don't make the official campus security policy. The university president and his advisors do. We're here to enforce it. Now do you want to pick your password within the established security parameters or would you like me to generate a random one for you?" I can't recall how many times I had to do that or saw it done myself. If you couldn't get through their thick skulls you called your IT department's director, who in turn called the provost, who in turn called the dean over that professor's department, who in turn called that department head, who told the professor what for and why not. Let the chain of command fight the battles for you when the combatant is equal to or above you. It might as well be useful for something.
That university established basic security procedures for changing passwords. It was a mandatory password change every 6 months for faculty/staff and every 12 months for students. If the passwords weren't changed by the well-advertised cut-off day then the accounts were locked. The first couple of times the cut-off date was passed we had lines out the door, across the library and down the stairs. That didn't last for very long though. Sure people bitched and moaned about the inconvenience for a while but they soon grew accustomed to it. Likewise sharing passwords violated both our security policy and our campus network AUP. Violating that got the user a royal reaming by a sysadm or full-timer.
I worked for a second university later where I was the netadm. Napster was a big problem for us at that point in time. A handful of users consumed all available inbound bandwidth. Staff weren't excluded. After bringing this to the attention of our dept director a few times I ultimately got the go-ahead to shut off the port of any staffer previously warned about using P2P applications on their office machines. One guy in particular had a very thick skull and I shut him off numerous times. Each time I'd let the director know; he would in turn call that person's super and let them know what the problem was and what was needed to correct it. I'd get a call a while later asking me to enable the switch port because the problem was fixed. Simple as that. The chain of command fixed the problem. All I was effectively was a tool, the way it should be.
What all of this boils down to is that it is possible to get security on your campus. I've seen it done. First and forem