Slashdot Mirror


Dealing with Network Politics and Insecure Users?

Rob asks: "I work at a large university as an IT support person for one of the college's Novell networks, and I frequently find that my hands are tied on security issues--highly paid, highly respected professors do not like to see the words 'Access Denied', not even on their secretaries' screens. They routinely share their passwords, leave their machines unlocked, and go weeks on end without rebooting. They demand Administrator access on their local machines. They demand Internet Explorer have minimal security (but it's our fault when they get a piece of spyware). So, Slashdot community, I ask you this: how do you limit a user's access without making it look like you're limiting their access?"

2 of 170 comments

  1. Say it's just a bug? by djsmiley · Score: 2, Informative

    Weird one this, but I've heard it used when I was at college in the UK....

    Every time a problem came up which the IT staff COULD fix instantly but couldn't be arsed to because we were just "lowly" first years then they would say "Oh, it's a bug, you will have to work around it".

    And that was it, we could ask if they were planning to fix it, and they would claim they are waiting for a new version of the software. Shame is in this day and age, people EXPECT bugs, so much so that when one causes a problem, they find a way around it.

    --
    - http://www.milkme.co.uk
  2. Re:Learn to say "no" by buysse · Score: 2, Informative

    What rankles the professors is that someone lower on the totem pole is dictating to them what they can and can't do (it's an ego thing). Take it to the next level, and they won't complain.

    Incorrect.

    As far as I can tell, a significant portion of academia believes that nobody may dictate what they can and cannot do. This group considers it a critical part of academic freedom, and in many cases relies on the insecurity for the way they work. I've heard of faculty threatening to unionize for less.

    The problem runs much deeper than a simple "Get their boss to tell them." It doesn't matter if the president of the University decrees it; there are many professors that just won't care, and won't see the problem. I've had to argue with people about whether they should have a password at all, much less a strong one.

    "If someone wants to see my work, I welcome them, and nobody would have any reason to destroy my work." Even if the account is compromised, many won't care because that doesn't affect their work -- it may cause some minor disruption, but nothing compared to changing the way they work. To make the system secure, you have to prevent Dr. Alice giving her password to Grad Student Bob so that they can share files. They have to change the way that they've worked for the past 15 years, and in general, that's not going to happen.

    Even something as simple as removing administrator-level access to the desktop is almost impossible. Often, there are even valid reasons, like strange software that doesn't run without it but that is actually essential to their research, or the need to install and run extremely esoteric software that's not in general use. This isn't the corporate world where >90% of users are fine with {Outlook|Notes|etc.} and MS Office, and maybe a couple of custom apps that are widely deployed to a group of people. Each researcher often has unique requirements.

    Even focusing on the almighty {Dollar|Euro} probably won't help, because at least in the US, NSF and NIH regulations prohibit charging a grant with some of the basic costs, like telephones and network connectivity. If the support staff were charging for service, the funding streams *could not* pay it, under federal law. The last time I really looked at this was years ago, so it may be more relaxed now, but I doubt it.

    If anything, academia has more inertia than government.

    --
    -30-