Dealing with Network Politics and Insecure Users?
Rob asks: "I work at a large university as an IT support person for one of the college's Novell networks, and I frequently find that my hands are tied on security issues--highly paid, highly respected professors do not like to see the words 'Access Denied', not even on their secretaries' screens. They routinely share their passwords, leave their machines unlocked, and go weeks on end without rebooting. They demand Administrator access on their local machines. They demand Internet Explorer have minimal security (but it's our fault when they get a piece of spyware). So, Slashdot community, I ask you this: how do you limit a user's access without making it look like you're limiting their access?"
Face it, totalitarianism lives and thrives among system admins for a really good reason. Your only solution, I think, is to play the dictator and do it with a happy-friendly smile. Recycle some old Communist propaganda posters to get people in the right spirit.
And... as I tell my colleagues when they have Windows problems: hey, you have a Ph.D. in computers, you fix it.
I ask you this: how do you limit a user's access without making it look like you're limiting their access?
You don't. You limit their access and tell them that they have to live with it. Explain to them that security is inconvenient and that they have to be adults and accept it. It's your job to secure the network and it's their job to teach the students, so make a deal with them: You won't tell them how to teach their courses and they don't tell you how to run the network.
You either have a network policy or you don't.
I deal with this kind of stuff on a different level. I manage an intranet and need to deal with people wanting things 'their way,' only to have them complain when their way is the wrong way.
I get them to e-mail me acknowledging that this is against my recommendations or against policy X. When it blows up the first time, I fix it and hopefully gain his or her trust.
If he or she is still pig-headed after one major experience or a couple of minor ones, put solving their problem at the bottom of your list of priorities. Remember, you hold the power.
Just remember to have them acknowledge in writing or via e-mail that whatever they're demanding is against your recommendation or policy if you can't convince them to back off.
And if you run out of ideas, just follow Simon's lead http://bofh.ntk.net/Bastard.html.
--- Dan
Get them to sign a document accepting full responsibility for all data loss, nasty crashes etc. on their machine. Make sure you include a list (several pages long if possible) of examples of things which they must accept responsibility for if they don't follow the normal security procedures. Either they'll be scared into following the rules or you'll be totally safe when the shit hits the fan.
whine whine whine.
"Ask Slashdot" is a moderated method for people to ask questions of a larger community, getting moderated responses.
In this case, this is a social question, one that there's no single answer to. Any solution is going to have to come from people who've encountered it before, and who can describe their situation.
If you don't like it, disable the Ask Slashdot topic in your user preferences.
The problem is that many of the people who are asking for more administrative control over their own machines do, actually, know what they're doing. While it's certainly true that a lot of people who do not know what they're doing want administrative privileges over their PCs, it's equally true that almost everyone who knows their machines, who's familiar with proper security, who knows what Central Services isn't covering, and who finds their "security systems" get in the way, wants administrative privileges too.
And when you lie to that group, they know it.
My advice to the average central administrator is to find solutions to problems instead of lying about them or turning into a control freak. People generally want control over their own machines, so it's important to give them that control.
Decentralize the network. Allow teams limited access to the network in return for complete control over their own machines. Manage a handful of central servers that provide certain services to everyone, but rarely need a password of the type that would have to be shared with others. If people are sharing passwords, find out why and provide alternatives (many modern email systems, for example, allow people to authorize each other to be able to look at each other's mailboxes, Exchange does, for instance. That's a common reason in academia to share passwords. Show them how. I've yet to come across a sysadmin who does this.)
Firewall teams from each other.
Provide the option of managing people's PCs if they want it, but if so the whole team's PCs are managed, not just theirs. If they still want unmanaged PCs, provide an additional subnetwork that's firewalled off, just as theirs is.
Anyone who "wants their PC fixed" if it's unmanaged, and the fix is because of viruses or worms or whatever, gets one option: a format and an operating system reinstall, with the latest Ad-Aware/etc tools installed. That's not being mean, because most of the time that's all they want.
The critical problem is that most organizations have one network and connect everything to it. There's little reason to do this. Be flexible, the people you work for have different jobs. They're not identical drones, don't treat them as drones.
You are not alone. This is not normal. None of this is normal.
I'd install everything but Folding. If you drop it to the bottom, you're getting at odds with staff, deliberately delaying him working
I don't think so. I'd do exactly the same; I'd put him to the bottom of the pile.
Why? I have a list of people who need software installed. By including Folding At Home, he's demonstrating that he'll put virtually anything that crosses his mind on the list. That means the importance I place on his "needs" is much, much lower than the importance I place on the average person.
It's not about punishing him, it's about getting your priorities straight. This guy submitted a wishlist. Everyone else is submitting what they actually need to get the job done. Everyone else should be the priority.
The problem is IT isn't treated like your local mechanic; if you (in general) treated your mechanic the way people treat IT, he would tell you to take your car elsewhere.
When a mechanic tells you it will take 3 hrs to fix your car, but confirms it might be less and he'll call you as soon as it's done, you accept it.
When IT says the problem will take 3 hours to fix, you tell them they have an hour.
When the mechanic says sorry, it took longer than 3 hours because
When IT says sorry, it's going to take longer than expected, you tell them to wrap it up and fix it later. Later never comes, and the problem migrates until it hits critical priority and they have 15 minutes to fix what would have taken an hour more to fix previously, but now they aren't sure how to proceed since it was left in an unknown state.
And you blame them for the problem in the first place, regardless of their lack of any prior involvement.
That said, security initiatives must be supported from the top down. Your university president must understand the financial hit lax security is to the university. He must support a security initiative and push it down to the provost and deans' council. It must be made absolutely clear through all deans down to the people that work beneath them that there is a university security policy in effect and it will be followed. Violation of it will result in reprimand, possible loss of network privileges, and can ultimately result in termination. This is the only way to get the message across. I worked the helpdesk at a fairly large university for 3 years and have seen it all (or pretty damned close). Whenever an employee becomes belligerent you pass the person up the food chain to your supervisor or another full-timer. We full-timers aren't there to take any guff off other bitchy employees (whereas students are much less likely to defend themselves against a verbally abusive professor; students are also much more likely to be walked upon by professors than full-timers). "We don't make the official campus security policy. The university president and his advisors do. We're here to enforce it. Now do you want to pick your password within the established security parameters or would you like me to generate a random one for you?" I can't recall how many times I had to do that or saw it done myself. If you couldn't get through their thick skulls you called your IT department's director, who in turn called the provost, who in turn called the dean over that professor's department, who in turn called that department head, who told the professor what for and why not. Let the chain of command fight the battles for you when the combatant is equal to or above you. It might as well be useful for something.
That university established basic security procedures for changing passwords. It was a mandatory password change every 6 months for faculty/staff and every 12 months for students. If the passwords weren't changed by the well-advertised cut-off day then the accounts were locked. The first couple of times the cut-off date was passed we had lines out the door, across the library and down the stairs. That didn't last for very long though. Sure, people bitched and moaned about the inconvenience for a while, but they soon grew accustomed to it. Likewise, sharing passwords violated both our security policy and our campus network AUP. Violating that got the user a royal reaming by a sysadm or full-timer.
I worked for a second university later where I was the netadm. Napster was a big problem for us at that point in time. A handful of users consumed all available inbound bandwidth. Staff weren't excluded. After bringing this to the attention of our dept director a few times I ultimately got the go-ahead to shut off the port of any staffer previously warned about using P2P applications on their office machines. One guy in particular had a very thick skull and I shut him off numerous times. Each time I'd let the director know; he would in turn call that person's super and let them know what the problem was and what was needed to correct it. I'd get a call a while later asking me to enable the switch port because the problem was fixed. Simple as that. The chain of command fixed the problem. All I was effectively was a tool, the way it should be.
What all of this boils down to is that it is possible to get security on your campus. I've seen it done. First and forem