Dealing with Network Politics and Insecure Users?

Rob asks: "I work at a large university as an IT support person for one of the college's Novell networks, and I frequently find that my hands are tied on security issues--highly paid, highly respected professors do not like to see the words 'Access Denied', not even on their secretaries' screens. They routinely share their passwords, leave their machines unlocked, and go weeks on end without rebooting. They demand Administrator access on their local machines. They demand Internet Explorer have minimal security (but it's our fault when they get a piece of spyware). So, Slashdot community, I ask you this: how do you limit a user's access without making it look like you're limiting their access?"

It's a vicious cycle...

[jbarr]

"...highly paid, highly respected professors do not like to see the words 'Access Denied', not even on their secretaries' screens.."

...that someone has to break. Depending on the political environment, IT may or may not have the authority to impose such restrictions. If IT does not, then it would be prudent of IT to inform those who do have the authority of the risks, consequences, and measures that can be taken to ensure a secure computing environment. When a virus or a rogue program infiltrates the mailboxes or directories of these "highly paid, highly respected professors" and destroys their work, or better yet, if their work is stolen and ends up in the public domain without their credit or consent, then they'll be the ones asking why IT isn't doing their job.

Re:It's a vicious cycle...

[saintp]

That's a good call. I also work in IT at a university, and the department was kind of toothless until our network got hosed for a week last year after a *major* infection of two viruses simultaneously. Since then, we haven't had many complaints about things being locked down.

Nonetheless, you'll still run into professors who are just plain averse to change. We give shell access to one of our academic servers, and earlier this year, I shut down telnet access in favor of ssh. A small change, but with more people using wireless, I thought it wise. Even though, for most people, the change amounted to choosing a different protocol from a drop-down menu, several fought it as hard as they could. Direct quote: "Well, my username has never been hacked. I don't see why you need to do this." The notion of being "proactive" on security completely escapes some people.

Q: How many professors does it take to change a lightbulb?
A: CHANGE?!?!?!?

So, in summary, as another user said, lock 'em down and don't take any flak. If they share their password, change it for them. (They should thank you for your diligent service.) If they insist on running IE with no security, put Firefox on everything as a "security initiative." (Better yet, MOSAIC.) If they don't like being denied access to certain resources, tell them that you'll give them access to it -- in return for the right to publish their home directory or "My Documents" folder on the web. After all, other people are denied access as well!

Remeber: Fearmongering isn't just for the media and the government anymore. When George Tenet makes wacko comments about limiting access to the Internet because the terrorists will come in through your fiber, turn that into a campus-wide announcement. Forward every "new virus" announcement you get to all the professors. Once their quaking in their Birkenstocks, they'll be much happier to hand some control over to you.

Disclaimer: I'm only half serious about most of this.

Re:Get a backbone

[fuzzybunny]

This is pretty well-stated. The problem is that in a lot of environments, the admin is in a "lose-lose" situation.

As a consultant, I try to advise clients on what's the optimal thing to do for their own good in the long run, but also cover my ass with documentation and so. As a sysadmin of any kind, you often tend to run into issues where, even if you can show "I told you so", no matter how civilly or correctly it's documented, presented, whatnot, it's still your fault.

Remember also that professors are not usually the most rational of people--someone whose grant money feeds a large amount of IT services is not going to be as easy to corral as a middle manager who has to answer to a more highly defined company hierarchy.

That said, your statement about trust is about one of the most insightful things I've seen in a while.

Regardless, there are a _few_ passive mechanisms you can use if "having a strong security/usage policy", "getting on well with users" and "changing jobs" are not an option.

Things like http traffic inspection (transparent proxying), a good running/incremental backup model for desktops (with that much access they _will_ fuck it up) combined with an easy rescue & restore mechanism, and one-way firewalling (outbound OK, inbound not OK) in front of the group of people most likely to collaborate over a network (research team, prof & secretary, whatnot) are a good start.

I wouldn't Need Admin Rights, Except...

[justanyone]

Disclaimer: I'm NOT a SysAdmin, I'm a developer.

I could really live without admin rights on my box at work. Really. Almost. Except for the bunch of stuff that I have to do that demands that I have it.

Most employers (and a Uni is the prof's employer, so this is about the same) have a 'standard build' which includes lots of software that most people need. The trouble is they never get the mix right for me, the developer. UBS Warburg had a damn good IT department (to cite the best employer I've ever worked for) but they didn't know about http://ultraedit.com/. They were very responsive with new software, but it was still a delay.

For general mode programming, I don't need new software but for maybe once a month, and I can stand a 2 hour or even 4 hour delay to get it installed. This is fine and thus I don't need admin rights for it.

The employer I most recently worked for (not UBS) is okay but they're typical of the industry (as a former consultant I've worked for about 20 companies in the past 14 years). Their standard build is not my standard build.

The times I need admin rights are:

• Correcting the system clock (if they had a timeserver I wouldn't need this);
  
• Adding the appplications they never get right:
  • UltraEdit
  • Filezilla
  • Mozilla/Firefox
  • Cygwin
  • Quicktime
  • Acrobat Reader
  • PowerDesk
  • ActiveState Perl
  • Folding at Home
  • MySQL & MySQL admin
  
  
• Evaluating New software;
  
• Running Apache on my own box - starting and stopping the service;
  
• With several of my admittedly small C# .NET programs, adding them as a service, starting, and stopping them;

Of course, my employer could have installed all the programs I've named and that would get me through the tough times, but the problem comes when I'm doing the other stuff.

Admittedly I'm a huge power user. But, there's no reason a departmental secretary needs admin rights. She shouldn't be installing that much stuff her/himself.

An organization that has that many rampant security violations obviously needs consequences for those violations. I can say that if I shared a password to my personal account, or a production account even, I would expect a reprimand from my manager. If it was a business critical system, I could be warned and then fired very easily.

Frankly, moving to Linux would not correct the basic organizational problems of disregard for data security. When a prof finds his tests were stolen and thus has to write an entirely new set of questions (a LOT of work, and strangely, I've done it as a Teach. Asst.), they'll think again about security.

If you schedule a computer switch-up, meaning taking all boxes away and redistributing them, you might force the issue of what software should be installed (get licenses for it if needed), putting data on server shares that are backed up regularly, and changing admin passwords. But I DON'T ENVY YOU THE TASK (grin). Of course, there's easier ways - reset admin passwords, announce a reinstall of the OS and thus they'll need to move all their files to a server share, require passwords be changed once every semester and enforce having a number and mixed case in the password, etc.

-- Kevin Rice
"Soon to be laid off from BankOne due to JPMChase Merger (don't want to move to NYC); looking for a Perl / C programming in Chicago Northern Suburbs - know of anything? Hints? Email me, kevin@justanyone.com with 'job' in subject line (due to spam filter)"

Re:I wouldn't Need Admin Rights, Except...

[Aphexian]

Disclaimer - I AM a sysadmin, not a developer.

And when someone comes to me with a list of non-standard applications that have to be installed ASAP or they cannot do their job (oh my god, how will we ever survive as a company if I don't make this one overzealous power user happy in the next 30 seconds), and smack in the middle of the list is:

Folding at Home

Guess what? Straight to the bottom of the pile. Don't waste my time because you like to play.
There are people out there trying to get work done. And their computers don't have spare cycles because they are doing work. That's what "our standard build" is centered around.

Tighten the screws slowly

[erth64net]

Sometimes policy overides politics, but many times that's not the case. If your written policy supports the action, then start slowly locking the systems down.

Other than the small group who seeks a power-trip or "administrator badge", you'll find that the bulk of those requesting admin/root access to a system are those who feel the need to do something at that level. Maybe it's a broken Win32 app which requires a lot tweaking to run as a non-administrator, maybe the SysAdmin never setup sudo (properly?). In any case, the user is likely just seeking the access needed to do their job (or what they believe to be is their job).

Start by locking things down slowly. When something breaks, blame it on "a bug" and quietly back-off the restriction until you can figure out what/why something happened. Then either deturmine why/if its needed, fix it, lock it down, and move on. Make sure your IT group/boss supports this action - they love to play along with things like this, as it gives them more power to do their job, enfore policy, secure/stablize the systems, and at times to tell those arrogant users (usally in-front of their boss) "Computer working great? Good. Oh by the way, that access you said you needed, you havent had it for three months...". Oh god, I love to be in the room when we do that!

Intresting thing is, in the business world, the user insisting on the higher-level access is usally having issues elsewhere in their job. I've seen the bulk of employees leave/quit anywhere from a few weeks to a few months after completing this stunt.

Overall, this technique has worked great for me in public/education enviroments and still works very well in the business world.

Some sage advice. . .

First let me start of by stating that I have worked in the same exact environment.

I know this will ruffle a lot of feathers, it even upset me when I discovered it but: YOU ARE INSIGNIFICANT. Let me say that again, You Are Insignificant, despite its white collar veneer, your job is no more important that the foreigners' that polishes the floors. If he wanted to implement a policy of "everyone must remove their shoes before entering the building" he would be laughed out the door.

For your sanity, you need to concentrate on two things.

Relax and let them have their way, but ALWAYS let your management know the potential consequences of their policies, not in a "Chicken-little" way, but in a sober well, reasoned fashion. Don't forget to backup religiously, data loss will be your fault.

The profs don't necessarily hate you personally, its just that your "rules" are an impediment to their productivity. Your job is not to manage the systems, it is to enhance their productivity. If your systems are as 'invisible' as the fax machine your have done well.

Working in academia has many many fringe benefits, don't loose sight of those just because you want to be the BOFH.

--ac

Uphill Battle Ammunition

[bolix]

Don't blame the users, part of your complaint is poor user education(!). You know its bad but your users don't. Build and document exactly why you want the user to be secure and why it is a good thing for EVERYONE.

The following suggested discussion points are in no particular priority:

1. Have the user sign a document assuming responsibility for any legal liability
2. Have the user sign a document absolving you/IT/Corporation of any responsibility
3. Have the user sign off that you're not going to give their non-standard box priority. Custom solutions require expertise and your best fit, economy of scale is to standardize on "bricks" AND not to shit them when Chief Asshat calls
4. Have the user technically justify their reasons for the request
5. Have the user sign off that they know and recognise what they are doing is against company policy
6. Research, document and educate people to the costs behind their actions - emphasive individual desktop customization/attention is prohibitively expensive. See other bullets for ammunition.
7. Scale the lockdown. Try Power User. Try stripping rights. Give them a gun with no bullets
8. Emphasize your expensive security efforts are concentrated at the network level and based on users not shooting themselves (or the company) in the foot
9. Emphasize that users are their own worst enemy, you're trying to protect them from themselves - the dumbed down modern spyware/viruses use user rights
10. "Encourage" users with administrative rights to attend a responsibility/learning class/session.
11. Use what you have put together to educate YOUR management. The pervasive executive buddy system is fiscally irresponsible and leads to spineless management
12. Go surf the NSA website. Lots more info there.

Time committment underestimated

[justanyone]

I've taught a discussion section of Physics, "Intro to Astronomy" at University of Kansas. I wasn't paid, I took the teaching as a class, Physics 571 Astronomical Instruction. It was a fantastic class to work on, Dr. Steven Shawl was a kickass 'boss' as well as teacher.

Writing a good test takes about 10 times longer than taking it. You have to:

• Come up with plausible misconceptions as alternates;
• make the questions cover stuff reasonable students should understand given the exposure to it;
• Make the questions somewhat entertaining to read if possible to induce people to not dread the tests;
• Create sets of questions that cover basics, medium, and advanced subjects so you make sure the C students can pass but not everyone gets A's
• the breadth of the questions has to cover the breadth of the classroom topics reasonably well

Grading tests (even multiple choice, but especially essay questions) involved reading all the tests, deciding what the scope of the answers was so you don't fail or Ace the entire class or bias the grading of the first papers you grade, etc.

Things change in Physics all the time, and a teacher who doesn't adjust the curriculum to their students will disincline their students to ever study the subject again - which I believe is one of the three goals of education:

• Give them a theoretical framework of basic concepts they'll use the rest of their lives;
• Give them enough knowledge to (a)back up the above framework, (b)Prepare for further academic study, and (c) inspire them to regard the subject as interesting and worth future study for the rest of their lives.

Of course, this is usually impossible, but a good teacher would probably echo these concepts in formal 'Educational Methodology' language.

-- Kevin
"Soon to be laid off from BankOne due to JPMChase Merger (don't want to move to NYC); looking for a Perl / C programming in Chicago Northern Suburbs - know of anything? Hints? Email me, kevin@justanyone.com with 'job' in subject line (due to spam filter)"

Re:not to troll, but...

[Robert+The+Coward]

Part of the blam for that goes to microsoft. They have been telling people the windows is so good anyone can manage them. So the people who take care of computers and networks are viewed more as a trained monkeys and are treated as such about the same as most people treat a cashier or bank teller.