Slashdot Mirror


Dealing with Network Politics and Insecure Users?

Rob asks: "I work at a large university as an IT support person for one of the college's Novell networks, and I frequently find that my hands are tied on security issues--highly paid, highly respected professors do not like to see the words 'Access Denied', not even on their secretaries' screens. They routinely share their passwords, leave their machines unlocked, and go weeks on end without rebooting. They demand Administrator access on their local machines. They demand Internet Explorer have minimal security (but it's our fault when they get a piece of spyware). So, Slashdot community, I ask you this: how do you limit a user's access without making it look like you're limiting their access?"

25 of 170 comments

  1. Dupe them by Bin_jammin · · Score: 2, Funny

    Tell them they're getting a mandatory system upgrade, then put them in Kiosk mode, give them access to email, whatever office apps they have, and whatever other critical functions they need. If they ask for more, tell them it's been obsoleted. After all, they've got tenure, they're smart, right?

  2. Beneficent Totalitarianism by ssclift · · Score: 3, Insightful

    Face it, totalitarianism lives and thrives among system admins for a really good reason. Your only solution, I think, is to play the dictator and do it with a happy-friendly smile. Recycle some old Communist propaganda posters to get people in the right spirit.

    And... as I tell my colleagues when they have Windows problems: hey, you have a Ph.D. in computers, you fix it.

  3. Re:Dear Slashdot, by frankm_slashdot · · Score: 3, Funny

    I've managed to maintain good karma thus far, but I think I'd like to reply to this anyway and risk the down-modding...

    Dear CluelessAdmin,
    If you would like to ask questions to the slashdot readership, please utilize the "Submit Story" link on the left hand side of your page.

    It is disrespectful to ask unrelated questions in other peoples threads.

    Thank you,
    - Frank J. Mattia

  4. Here by KDan · · Score: 5, Funny

    is the ultimate guide.

    Enjoy!

    Daniel

    --
    Carpe Diem
  5. It's a vicious cycle... by jbarr · · Score: 3, Interesting
    "...highly paid, highly respected professors do not like to see the words 'Access Denied', not even on their secretaries' screens.."
    ...that someone has to break. Depending on the political environment, IT may or may not have the authority to impose such restrictions. If IT does not, then it would be prudent of IT to inform those who do have the authority of the risks, consequences, and measures that can be taken to ensure a secure computing environment. When a virus or a rogue program infiltrates the mailboxes or directories of these "highly paid, highly respected professors" and destroys their work, or better yet, if their work is stolen and ends up in the public domain without their credit or consent, then they'll be the ones asking why IT isn't doing their job.
    --
    My mom always said, "Jim, you're 1 in a million." Given the current population, there are 7000 of me. God help us all!
    1. Re:It's a vicious cycle... by saintp · · Score: 2, Interesting
      That's a good call. I also work in IT at a university, and the department was kind of toothless until our network got hosed for a week last year after a *major* infection of two viruses simultaneously. Since then, we haven't had many complaints about things being locked down.

      Nonetheless, you'll still run into professors who are just plain averse to change. We give shell access to one of our academic servers, and earlier this year, I shut down telnet access in favor of ssh. A small change, but with more people using wireless, I thought it wise. Even though, for most people, the change amounted to choosing a different protocol from a drop-down menu, several fought it as hard as they could. Direct quote: "Well, my username has never been hacked. I don't see why you need to do this." The notion of being "proactive" on security completely escapes some people.

      Q: How many professors does it take to change a lightbulb?
      A: CHANGE?!?!?!?

      So, in summary, as another user said, lock 'em down and don't take any flak. If they share their password, change it for them. (They should thank you for your diligent service.) If they insist on running IE with no security, put Firefox on everything as a "security initiative." (Better yet, MOSAIC.) If they don't like being denied access to certain resources, tell them that you'll give them access to it -- in return for the right to publish their home directory or "My Documents" folder on the web. After all, other people are denied access as well!

      Remember: Fearmongering isn't just for the media and the government anymore. When George Tenet makes wacko comments about limiting access to the Internet because the terrorists will come in through your fiber, turn that into a campus-wide announcement. Forward every "new virus" announcement you get to all the professors. Once they're quaking in their Birkenstocks, they'll be much happier to hand some control over to you.

      Disclaimer: I'm only half serious about most of this.

  6. Learn to say "no" by fmaxwell · · Score: 4, Insightful

    I ask you this: how do you limit a user's access without making it look like you're limiting their access?

    You don't. You limit their access and tell them that they have to live with it. Explain to them that security is inconvenient and that they have to be adults and accept it. It's your job to secure the network and it's their job to teach the students, so make a deal with them: You won't tell them how to teach their courses and they don't tell you how to run the network.

    1. Re:Learn to say "no" by override11 · · Score: 4, Insightful

      I run into this with a sister company here. You need to engineer a situation that illustrates how the current low security causes your company to lose money, in front of the professors as well as your management, and then offer a solution of increasing security. When you get your management on board with increasing security, it will work. What rankles the professors is that someone lower on the totem pole is dictating to them what they can and can't do (it's an ego thing). Take it to the next level, and they won't complain. :)

      --
      No I didnt spell check this post...
    2. Re:Learn to say "no" by buysse · · Score: 2, Informative

      What rankles the professors is that someone lower on the totem pole is dictating to them what they can and can't do (it's an ego thing). Take it to the next level, and they won't complain.

      Incorrect.

      As far as I can tell, a significant portion of academia believes that nobody may dictate what they can and cannot do. This group considers it a critical part of academic freedom, and in many cases rely on the insecurity for the way they work. I've heard of faculty threatening to unionize for less.

      The problem runs much deeper than a simple "Get their boss to tell them." It doesn't matter if the president of the University decrees it; there are many professors that just won't care, and won't see the problem. I've had to argue with people about whether they should have a password at all, much less a strong one.

      "If someone wants to see my work, I welcome them, and nobody would have any reason to destroy my work." Even if the account is compromised, many won't care because that doesn't affect their work -- it may cause some minor disruption, but nothing compared to changing the way they work. To make the system secure, you have to prevent Dr. Alice giving her password to Grad Student Bob so that they can share files. They have to change the way that they've worked for the past 15 years, and in general, that's not going to happen.

      Even something as simple as removing administrator-level access to the desktop is almost impossible. Often, there are even valid reasons, like strange software that doesn't run without it but that is actually essential to their research, or the need to install and run extremely esoteric software that's not in general use. This isn't the corporate world where >90% of users are fine with {Outlook|Notes|etc.} and MS Office, and maybe a couple of custom apps that are widely deployed to a group of people. Each researcher often has unique requirements.

      Even focusing on the almighty {Dollar|Euro} probably won't help, because at least in the US, NSF and NIH regulations prohibit charging a grant with some of the basic costs, like telephones and network connectivity. If the support staff were charging for service, the funding streams *could not* pay it, under federal law. The last time I really looked at this was years ago, so it may be more relaxed now, but I doubt it.

      If anything, academia has more inertia than government.

      --
      -30-
  7. Get a backbone by Yankel · · Score: 4, Insightful

    You either have a network policy or you don't.

    I deal with this kind of stuff on a different level. I manage an intranet and need to deal with people wanting things 'their way,' only to have them complain when their way is the wrong way.

    I get them to e-mail me acknowledging that this is against my recommendations or against policy X. When it blows up the first time, I fix it and hopefully gain his or her trust.

    If he or she is still pig-headed after one major experience or a couple of minor ones, put solving their problem at the bottom of your list of priorities. Remember, you hold the power.

    Just remember to have them acknowledge in writing or via e-mail that whatever they're demanding is against your recommendation or policy if you can't convince them to back off.

    And if you run out of ideas, just follow Simon's lead http://bofh.ntk.net/Bastard.html.

    --
    --- Dan
    1. Re:Get a backbone by fuzzybunny · · Score: 2, Interesting

      This is pretty well-stated. The problem is that in a lot of environments, the admin is in a "lose-lose" situation.

      As a consultant, I try to advise clients on what's the optimal thing to do for their own good in the long run, but also cover my ass with documentation and so on. As a sysadmin of any kind, you often tend to run into issues where, even if you can show "I told you so", no matter how civilly or correctly it's documented, presented, whatnot, it's still your fault.

      Remember also that professors are not usually the most rational of people--someone whose grant money feeds a large amount of IT services is not going to be as easy to corral as a middle manager who has to answer to a more highly defined company hierarchy.

      That said, your statement about trust is about one of the most insightful things I've seen in a while.

      Regardless, there are a _few_ passive mechanisms you can use if "having a strong security/usage policy", "getting on well with users" and "changing jobs" are not an option.

      Things like http traffic inspection (transparent proxying), a good running/incremental backup model for desktops (with that much access they _will_ fuck it up) combined with an easy rescue & restore mechanism, and one-way firewalling (outbound OK, inbound not OK) in front of the group of people most likely to collaborate over a network (research team, prof & secretary, whatnot) are a good start.

      --
      Cole's Law: Thinly sliced cabbage
  8. Make a document by keesh · · Score: 3, Insightful

    Get them to sign a document accepting full responsibility for all data loss, nasty crashes etc. on their machine. Make sure you include a list (several pages long if possible) of examples of things which they must accept responsibility for if they don't follow the normal security procedures. Either they'll be scared into following the rules or you'll be totally safe when the shit hits the fan.

  9. I wouldn't Need Admin Rights, Except... by justanyone · · Score: 3, Interesting

    Disclaimer: I'm NOT a SysAdmin, I'm a developer.

    I could really live without admin rights on my box at work. Really. Almost. Except for the bunch of stuff that I have to do that demands that I have it.

    Most employers (and a Uni is the prof's employer, so this is about the same) have a 'standard build' which includes lots of software that most people need. The trouble is they never get the mix right for me, the developer. UBS Warburg had a damn good IT department (to cite the best employer I've ever worked for) but they didn't know about http://ultraedit.com/. They were very responsive with new software, but it was still a delay.

    For general mode programming, I don't need new software but for maybe once a month, and I can stand a 2 hour or even 4 hour delay to get it installed. This is fine and thus I don't need admin rights for it.

    The employer I most recently worked for (not UBS) is okay but they're typical of the industry (as a former consultant I've worked for about 20 companies in the past 14 years). Their standard build is not my standard build.

    The times I need admin rights are:
    • Correcting the system clock (if they had a timeserver I wouldn't need this);
    • Adding the applications they never get right:
      • UltraEdit
      • Filezilla
      • Mozilla/Firefox
      • Cygwin
      • Quicktime
      • Acrobat Reader
      • PowerDesk
      • ActiveState Perl
      • Folding at Home
      • MySQL & MySQL admin

    • Evaluating New software;
    • Running Apache on my own box - starting and stopping the service;
    • With several of my admittedly small C# .NET programs, adding them as a service, starting, and stopping them;
    Of course, my employer could have installed all the programs I've named and that would get me through the tough times, but the problem comes when I'm doing the other stuff.

    Admittedly I'm a huge power user. But, there's no reason a departmental secretary needs admin rights. She shouldn't be installing that much stuff her/himself.

    An organization that has that many rampant security violations obviously needs consequences for those violations. I can say that if I shared a password to my personal account, or a production account even, I would expect a reprimand from my manager. If it was a business critical system, I could be warned and then fired very easily.

    Frankly, moving to Linux would not correct the basic organizational problems of disregard for data security. When a prof finds his tests were stolen and thus has to write an entirely new set of questions (a LOT of work, and strangely, I've done it as a Teach. Asst.), they'll think again about security.

    If you schedule a computer switch-up, meaning taking all boxes away and redistributing them, you might force the issue of what software should be installed (get licenses for it if needed), putting data on server shares that are backed up regularly, and changing admin passwords. But I DON'T ENVY YOU THE TASK (grin). Of course, there are easier ways - reset admin passwords, announce a reinstall of the OS and thus they'll need to move all their files to a server share, require passwords be changed once every semester and enforce having a number and mixed case in the password, etc.

    -- Kevin Rice
    "Soon to be laid off from BankOne due to JPMChase Merger (don't want to move to NYC); looking for a Perl / C programming in Chicago Northern Suburbs - know of anything? Hints? Email me, kevin@justanyone.com with 'job' in subject line (due to spam filter)"
    1. Re:I wouldn't Need Admin Rights, Except... by Aphexian · · Score: 3, Interesting
      Disclaimer - I AM a sysadmin, not a developer.

      And when someone comes to me with a list of non-standard applications that have to be installed ASAP or they cannot do their job (oh my god, how will we ever survive as a company if I don't make this one overzealous power user happy in the next 30 seconds), and smack in the middle of the list is:

      Folding at Home

      Guess what? Straight to the bottom of the pile. Don't waste my time because you like to play.
      There are people out there trying to get work done. And their computers don't have spare cycles because they are doing work. That's what "our standard build" is centered around.

  10. Say its just a bug? by djsmiley · · Score: 2, Informative

    Weird one, this, but I've heard it used when I was at college in the UK....

    Every time a problem came up which the IT staff COULD fix instantly but couldn't be arsed to because we were just "lowly" first-years, they would say "Oh, it's a bug, you will have to work around it".

    And that was it, we could ask if they were planning to fix it, and they would claim they were waiting for a new version of the software. Shame is, in this day and age people EXPECT bugs, so much so that when one causes a problem, they find a way around it.

    --
    - http://www.milkme.co.uk
  11. give them "Administrator" by QuietRiot · · Score: 3, Funny

    Rename Administrator "toor" and create an account "Administrator" with more than they have, but not all, permissions.

  12. Tighten the screws slowly by erth64net · · Score: 2, Interesting

    Sometimes policy overrides politics, but many times that's not the case. If your written policy supports the action, then start slowly locking the systems down.

    Other than the small group who seeks a power-trip or "administrator badge", you'll find that the bulk of those requesting admin/root access to a system are those who feel the need to do something at that level. Maybe it's a broken Win32 app which requires a lot of tweaking to run as a non-administrator, maybe the SysAdmin never set up sudo (properly?). In any case, the user is likely just seeking the access needed to do their job (or what they believe to be their job).

    Start by locking things down slowly. When something breaks, blame it on "a bug" and quietly back off the restriction until you can figure out what/why something happened. Then either determine why/if it's needed, fix it, lock it down, and move on. Make sure your IT group/boss supports this action - they love to play along with things like this, as it gives them more power to do their job, enforce policy, secure/stabilize the systems, and at times to tell those arrogant users (usually in front of their boss) "Computer working great? Good. Oh, by the way, that access you said you needed, you haven't had it for three months...". Oh god, I love to be in the room when we do that!

    Interesting thing is, in the business world, the user insisting on the higher-level access is usually having issues elsewhere in their job. I've seen the bulk of employees leave/quit anywhere from a few weeks to a few months after completing this stunt.

    Overall, this technique has worked great for me in public/education environments and still works very well in the business world.

    1. Re:Tighten the screws slowly by squiggleslash · · Score: 2, Insightful
      When something breaks, blame it on "a bug" and quietly back-off the restriction until you can figure out what/why something happened.
      I've seen sysadmins do this before.

      The problem is that many of the people who are asking for more administrative control over their own machines do, actually, know what they're doing. While it's certainly true that a lot of people who do not know what they're doing want administrative privileges over their PCs, it's equally true that almost everyone who knows their machines, who's familiar with proper security, who knows what Central Services isn't covering, and who finds their "security systems" get in the way, wants administrative privileges too.

      And when you lie to that group, they know it.

      My advice to the average central administrator is to find solutions to problems instead of lying about them or turning into a control freak. People generally want control over their own machines, so it's important to give them that control.

      Decentralize the network. Allow teams limited access to the network in return for complete control over their own machines. Manage a handful of central servers that provide certain services to everyone, but rarely need a password of the type that would have to be shared with others. If people are sharing passwords, find out why and provide alternatives (many modern email systems, for example, allow people to authorize each other to be able to look at each other's mailboxes, Exchange does, for instance. That's a common reason in academia to share passwords. Show them how. I've yet to come across a sysadmin who does this.)

      Firewall teams from each other.

      Provide the option of managing people's PCs if they want it, but if so the whole team's PCs are managed, not just theirs. If they still want unmanaged PCs, provide an additional subnetwork that's firewalled off, just as theirs is.

      Anyone who "wants their PC fixed" if it's unmanaged, and the fix is because of viruses or worms or whatever, gets one option: a format and an operating system reinstall, with the latest Ad-Aware/etc tools installed. That's not being mean, because most of the time that's all they want.

      The critical problem is that most organizations have one network and connect everything to it. There's little reason to do this. Be flexible, the people you work for have different jobs. They're not identical drones, don't treat them as drones.

      --
      You are not alone. This is not normal. None of this is normal.
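The alternative to password sharing that squiggleslash describes (authorizing a colleague to read a mailbox instead of handing over the account), as an added example that is not part of this thread: on an on-premises Exchange server, run from the Exchange Management Shell, a delegation grant followed by an audit of who holds such grants and the matching revocation. The mailbox names `alice` and `bob` are constructed placeholders, and the cmdlets assume a modern Exchange release with the `-AutoMapping` parameter.

```powershell
# Added example (not from the thread): replace "Dr. Alice gives Bob her
# password" with an explicit, auditable delegation on an on-premises
# Exchange server. Run from the Exchange Management Shell.
# 'alice' and 'bob' are constructed placeholder mailbox identities.

# 1. Let Bob read and file Alice's mail without ever knowing her password.
#    -AutoMapping $false stops Outlook from silently attaching the mailbox to
#    Bob's profile; he opens it explicitly, which keeps the access visible.
Add-MailboxPermission -Identity 'alice' -User 'bob' `
    -AccessRights FullAccess -InheritanceType All -AutoMapping $false

# 2. If Bob must also send mail in Alice's name, grant Send As separately.
#    Each right is granted on its own, so nothing is handed over wholesale.
Add-ADPermission -Identity 'alice' -User 'bob' `
    -AccessRights ExtendedRight -ExtendedRights 'Send As'

# 3. Audit: list every explicit FullAccess grant on the mailbox, skipping the
#    mailbox owner's own SELF entry and inherited system entries, so the
#    delegation can be reviewed each semester instead of being forgotten.
Get-MailboxPermission -Identity 'alice' |
    Where-Object {
        $_.AccessRights -contains 'FullAccess' -and
        -not $_.IsInherited -and
        -not $_.Deny -and
        $_.User -notlike 'NT AUTHORITY\SELF'
    } |
    Select-Object Identity, User, AccessRights

# 4. When Bob moves on, revoke the grant. Alice's password never changed,
#    so nothing else needs resetting.
Remove-MailboxPermission -Identity 'alice' -User 'bob' `
    -AccessRights FullAccess -InheritanceType All -Confirm:$false
```

The point of step 3 is that a delegation leaves a record an admin can query, whereas a shared password leaves none; the same audit run across all mailboxes is how you find the sharing arrangements that were set up properly and which ones still need converting.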
  13. Re:Dear Slashdot, by Short+Circuit · · Score: 2, Insightful

    whine whine whine.

    "Ask Slashdot" is a moderated method for people to ask questions of a larger community, getting moderated responses.

    in this case, his is a social question, one that there's no single answer to. Any solution is going to have to come from people who've encountered it before, and who can describe their situation.

    If you don't like it, disable the Ask Slashdot topic in your user preferences.

  14. Uphill Battle Ammunition by bolix · · Score: 2, Interesting

    Don't blame the users, part of your complaint is poor user education(!). You know it's bad but your users don't. Build and document exactly why you want the user to be secure and why it is a good thing for EVERYONE.

    The following suggested discussion points are in no particular priority:
    1. Have the user sign a document assuming responsibility for any legal liability
    2. Have the user sign a document absolving you/IT/Corporation of any responsibility
    3. Have the user sign off that you're not going to give their non-standard box priority. Custom solutions require expertise and your best fit, economy of scale is to standardize on "bricks" AND not to shit them when Chief Asshat calls
    4. Have the user technically justify their reasons for the request
    5. Have the user sign off that they know and recognise what they are doing is against company policy
    6. Research, document and educate people to the costs behind their actions - emphasize individual desktop customization/attention is prohibitively expensive. See other bullets for ammunition.
    7. Scale the lockdown. Try Power User. Try stripping rights. Give them a gun with no bullets
    8. Emphasize your expensive security efforts are concentrated at the network level and based on users not shooting themselves (or the company) in the foot
    9. Emphasize that users are their own worst enemy, you're trying to protect them from themselves - the dumbed down modern spyware/viruses use user rights
    10. "Encourage" users with administrative rights to attend a responsibility/learning class/session.
    11. Use what you have put together to educate YOUR management. The pervasive executive buddy system is fiscally irresponsible and leads to spineless management
    12. Go surf the NSA website. Lots more info there.
  15. Time commitment underestimated by justanyone · · Score: 2, Interesting

    I've taught a discussion section of Physics, "Intro to Astronomy" at University of Kansas. I wasn't paid, I took the teaching as a class, Physics 571 Astronomical Instruction. It was a fantastic class to work on, Dr. Steven Shawl was a kickass 'boss' as well as teacher.

    Writing a good test takes about 10 times longer than taking it. You have to:
    • Come up with plausible misconceptions as alternates;
    • make the questions cover stuff reasonable students should understand given the exposure to it;
    • Make the questions somewhat entertaining to read if possible to induce people to not dread the tests;
    • Create sets of questions that cover basics, medium, and advanced subjects so you make sure the C students can pass but not everyone gets A's
    • the breadth of the questions has to cover the breadth of the classroom topics reasonably well
    Grading tests (even multiple choice, but especially essay questions) involved reading all the tests, deciding what the scope of the answers was so you don't fail or Ace the entire class or bias the grading of the first papers you grade, etc.

    Things change in Physics all the time, and a teacher who doesn't adjust the curriculum to their students will disincline their students to ever study the subject again - which I believe is one of the three goals of education:
    • Give them a theoretical framework of basic concepts they'll use the rest of their lives;
    • Give them enough knowledge to (a)back up the above framework, (b)Prepare for further academic study, and (c) inspire them to regard the subject as interesting and worth future study for the rest of their lives.
    Of course, this is usually impossible, but a good teacher would probably echo these concepts in formal 'Educational Methodology' language.

    -- Kevin
    "Soon to be laid off from BankOne due to JPMChase Merger (don't want to move to NYC); looking for a Perl / C programming in Chicago Northern Suburbs - know of anything? Hints? Email me, kevin@justanyone.com with 'job' in subject line (due to spam filter)"
  16. Give up. by Neck_of_the_Woods · · Score: 2, Funny

    Just give up, and fix it when it breaks. Go Back to playing World of Warcraft in the corner cube where no one can see your screen.

    Hate to break you away from the 23rd level warrior.

    --honestly--> Your boss's problem, not yours.

    --
    Neck_of_the_Woods
    #/usr/local/surf/glassy/overhead
  17. Re:not to troll, but... by topham · · Score: 4, Insightful

    The problem is IT isn't treated like your local mechanic, if you (general) treated your mechanic the way people treat IT he would tell you to take your car elsewhere.

    When a mechanic tells you it will take 3 hrs to fix your car, but confirms it might be less and he'll call you as soon as it's done you accept it.

    When IT says the problem will take 3 hours to fix you tell them they have an hour.

    When the mechanic says sorry, it took longer than 3 hours because ... , you'll be upset but let him do his job.

    When IT says sorry, it's going to take longer than expected you tell them to wrap it up and fix it later. Later never comes and the problem migrates until it hits critical priority and they have 15 minutes to fix what would have taken an hour more to fix previously, but now they aren't sure how to proceed since it was left in an unknown state.

    And, you blame them for the problem in the first place; regardless of their lack of any prior involvement.

  18. Re:not to troll, but... by Robert+The+Coward · · Score: 2, Interesting

    Part of the blame for that goes to Microsoft. They have been telling people that Windows is so good anyone can manage it. So the people who take care of computers and networks are viewed more as trained monkeys and are treated as such, about the same as most people treat a cashier or bank teller.

  19. Security from the top down by macdaddy · · Score: 2, Insightful
    If your employer can't pull their heads out of their asses long enough to comprehend how much security lapses cost them each year then you need to find a better place to work. It's as simple as that. I don't care what the job market is like. Staying in a position like that is tantamount to continuing to work for someone that asks you to do a job knowing you'll have to break the law to do it (not saying that lax security is against the law (perhaps it should be) but I am saying that the effects are of an equivalent degree IMHO).

    That said, security initiatives must be supported from the top down. Your university president must understand the financial hit lax security is to the university. He must support a security initiative and push it down to the provost and deans' council. It must be made absolutely clear through all deans down to the people that work beneath them that there is a university security policy in effect and it will be followed. Violation of which will result in reprimand, possible loss of network privileges, and can ultimately result in termination. This is the only way to get the message across. I worked the helpdesk at a fairly large university for 3 years and have seen it all (or pretty damned close). Whenever an employee becomes belligerent you pass the person up the food chain to your supervisor or another full-timer. We full-timers aren't there to take any guff off other bitchy employees (whereas students are much less likely to defend themselves against a verbally abusive professor; students are also much more likely to be walked upon by professors than full-timers). "We don't make the official campus security policy. The university president and his advisors do. We're here to enforce it. Now do you want to pick your password within the established security parameters or would you like me to generate a random one for you?" I can't recall how many times I had to do that or saw it done myself. If you couldn't get through their thick skulls you called your IT department's director who in turn called the provost who in turn called the dean over that professor's department who in turn called that department head who told the professor what for and why not. Let the chain of command fight the battles for you when the combatant is equal to or above you. It might as well be useful for something.

    That university established basic security procedures for changing passwords. It was a mandatory password change every 6 months for faculty/staff and every 12 months for students. If the passwords weren't changed by the well-advertised cut-off day then the accounts were locked. The first couple of times the cut-off date was passed we had lines out the door, across the library and down the stairs. That didn't last for very long though. Sure people bitched and moaned about the inconvenience for a while but they soon grew accustomed to it. Likewise sharing passwords violated both our security policy and our campus network AUP. Violating that got the user a royal reaming by a sysadm or full-timer.

    I worked for a second university later where I was the netadm. Napster was a big problem for us at that point in time. A handful of users consumed all available inbound bandwidth. Staff weren't excluded. After bringing this to the attention of our dept director a few times I ultimately got the go-ahead to shut off the port of any staffer previously warned about using P2P applications on their office machines. One guy in particular had a very thick skull and I shut him off numerous times. Each time I'd let the director know; he would in turn call that person's super and let them know what the problem was and what was needed to correct it. I'd get a call a while later asking me to enable the switch port because the problem was fixed. Simple as that. The chain of command fixed the problem. All I was effectively was a tool, the way it should be.

    What all of this boils down to is that it is possible to get security on your campus. I've seen it done. First and forem