Slashdot Mirror


Dealing with Network Politics and Insecure Users?

Rob asks: "I work at a large university as an IT support person for one of the college's Novell networks, and I frequently find that my hands are tied on security issues--highly paid, highly respected professors do not like to see the words 'Access Denied', not even on their secretaries' screens. They routinely share their passwords, leave their machines unlocked, and go weeks on end without rebooting. They demand Administrator access on their local machines. They demand Internet Explorer have minimal security (but it's our fault when they get a piece of spyware). So, Slashdot community, I ask you this: how do you limit a user's access without making it look like you're limiting their access?"

12 of 170 comments

  1. Beneficent Totalitarianism by ssclift · · Score: 3, Insightful

    Face it, totalitarianism lives and thrives among system admins for a really good reason. Your only solution, I think, is to play the dictator and do it with a happy-friendly smile. Recycle some old Communist propaganda posters to get people in the right spirit.

    And... as I tell my colleagues when they have Windows problems: hey, you have a Ph.D. in computers, you fix it.

  2. Re:Dear Slashdot, by frankm_slashdot · · Score: 3, Funny

    I've managed to maintain good karma thus far but I think I'd like to reply to this anyway and risk the down modding..

    Dear CluelessAdmin,
    If you would like to ask questions to the slashdot readership, please utilize the "Submit Story" link on the left hand side of your page.

    It is disrespectful to ask unrelated questions in other people's threads.

    Thank you,
    - Frank J. Mattia

  3. Here by KDan · · Score: 5, Funny

    is the ultimate guide.

    Enjoy!

    Daniel

    --
    Carpe Diem
  4. It's a vicious cycle... by jbarr · · Score: 3, Interesting

    "...highly paid, highly respected professors do not like to see the words 'Access Denied', not even on their secretaries' screens.."

    ...that someone has to break. Depending on the political environment, IT may or may not have the authority to impose such restrictions. If IT does not, then it would be prudent of IT to inform those who do have the authority of the risks, consequences, and measures that can be taken to ensure a secure computing environment. When a virus or a rogue program infiltrates the mailboxes or directories of these "highly paid, highly respected professors" and destroys their work, or better yet, if their work is stolen and ends up in the public domain without their credit or consent, then they'll be the ones asking why IT isn't doing their job.
    --
    My mom always said, "Jim, you're 1 in a million." Given the current population, there are 7000 of me. God help us all!
  5. Learn to say "no" by fmaxwell · · Score: 4, Insightful

    I ask you this: how do you limit a user's access without making it look like you're limiting their access?

    You don't. You limit their access and tell them that they have to live with it. Explain to them that security is inconvenient and that they have to be adults and accept it. It's your job to secure the network and it's their job to teach the students, so make a deal with them: You won't tell them how to teach their courses and they don't tell you how to run the network.

    1. Re:Learn to say "no" by override11 · · Score: 4, Insightful

      I run into this with a sister company here. You need to engineer a situation that illustrates how the current low security causes your company to lose money, in front of the professors as well as your management, and then offer a solution of increasing security. When you get your management on board with increasing security, it will work. What rankles the professors is that someone lower on the totem pole is dictating to them what they can and can't do (it's an ego thing). Take it to the next level, and they won't complain. :)

      --
      No I didnt spell check this post...
  6. Get a backbone by Yankel · · Score: 4, Insightful

    You either have a network policy or you don't.

    I deal with this kind of stuff on a different level. I manage an intranet and need to deal with people wanting things 'their way,' only to have them complain when their way is the wrong way.

    I get them to e-mail me acknowledging that this is against my recommendations or against policy X. When it blows up the first time, I fix it and hopefully gain his or her trust.

    If he or she is still pig-headed after one major experience or a couple minor ones, put solving their problem at the bottom of your list of priorities. Remember, you hold the power.

    Just remember to have them acknowledge in writing or via e-mail that whatever they're demanding is against your recommendation or policy if you can't convince them to back off.

    And if you run out of ideas, just follow Simon's lead http://bofh.ntk.net/Bastard.html.

    --
    --- Dan
  7. Make a document by keesh · · Score: 3, Insightful

    Get them to sign a document accepting full responsibility for all data loss, nasty crashes etc. on their machine. Make sure you include a list (several pages long if possible) of examples of things which they must accept responsibility for if they don't follow the normal security procedures. Either they'll be scared into following the rules or you'll be totally safe when the shit hits the fan.

  8. I wouldn't Need Admin Rights, Except... by justanyone · · Score: 3, Interesting

    Disclaimer: I'm NOT a SysAdmin, I'm a developer.

    I could really live without admin rights on my box at work. Really. Almost. Except for the bunch of stuff that I have to do that demands that I have it.

    Most employers (and a Uni is the prof's employer, so this is about the same) have a 'standard build' which includes lots of software that most people need. The trouble is they never get the mix right for me, the developer. UBS Warburg had a damn good IT department (to cite the best employer I've ever worked for) but they didn't know about http://ultraedit.com/. They were very responsive with new software, but it was still a delay.

    For general mode programming, I don't need new software but for maybe once a month, and I can stand a 2 hour or even 4 hour delay to get it installed. This is fine and thus I don't need admin rights for it.

    The employer I most recently worked for (not UBS) is okay but they're typical of the industry (as a former consultant I've worked for about 20 companies in the past 14 years). Their standard build is not my standard build.

    The times I need admin rights are:
    • Correcting the system clock (if they had a timeserver I wouldn't need this);
    • Adding the applications they never get right:
      • UltraEdit
      • Filezilla
      • Mozilla/Firefox
      • Cygwin
      • Quicktime
      • Acrobat Reader
      • PowerDesk
      • ActiveState Perl
      • Folding at Home
      • MySQL & MySQL admin

    • Evaluating New software;
    • Running Apache on my own box - starting and stopping the service;
    • With several of my admittedly small C# .NET programs, adding them as a service, starting, and stopping them;
    Of course, my employer could have installed all the programs I've named and that would get me through the tough times, but the problem comes when I'm doing the other stuff.

    Admittedly I'm a huge power user. But, there's no reason a departmental secretary needs admin rights. She shouldn't be installing that much stuff her/himself.

    An organization that has that many rampant security violations obviously needs consequences for those violations. I can say that if I shared a password to my personal account, or a production account even, I would expect a reprimand from my manager. If it was a business critical system, I could be warned and then fired very easily.

    Frankly, moving to Linux would not correct the basic organizational problems of disregard for data security. When a prof finds his tests were stolen and thus has to write an entirely new set of questions (a LOT of work, and strangely, I've done it as a Teach. Asst.), they'll think again about security.

    If you schedule a computer switch-up, meaning taking all boxes away and redistributing them, you might force the issue of what software should be installed (get licenses for it if needed), putting data on server shares that are backed up regularly, and changing admin passwords. But I DON'T ENVY YOU THE TASK (grin). Of course, there are easier ways - reset admin passwords, announce a reinstall of the OS and thus they'll need to move all their files to a server share, require passwords be changed once every semester and enforce having a number and mixed case in the password, etc.

    -- Kevin Rice
    "Soon to be laid off from BankOne due to JPMChase Merger (don't want to move to NYC); looking for a Perl / C programming in Chicago Northern Suburbs - know of anything? Hints? Email me, kevin@justanyone.com with 'job' in subject line (due to spam filter)"
    1. Re:I wouldn't Need Admin Rights, Except... by Aphexian · · Score: 3, Interesting
      Disclaimer - I AM a sysadmin, not a developer.

      And when someone comes to me with a list of non-standard applications that have to be installed ASAP or they cannot do their job (oh my god, how will we ever survive as a company if I don't make this one overzealous power user happy in the next 30 seconds), and smack in the middle of the list is:

      Folding at Home

      Guess what? Straight to the bottom of the pile. Don't waste my time because you like to play.
      There are people out there trying to get work done. And their computers don't have spare cycles because they are doing work. That's what "our standard build" is centered around.

  9. give them "Administrator" by QuietRiot · · Score: 3, Funny


    Rename Administrator "toor" and create an account "Administrator" with more than they have, but not all, permissions.

  10. Re:not to troll, but... by topham · · Score: 4, Insightful


    The problem is IT isn't treated like your local mechanic, if you (general) treated your mechanic the way people treat IT he would tell you to take your car elsewhere.

    When a mechanic tells you it will take 3 hrs to fix your car, but confirms it might be less and he'll call you as soon as it's done you accept it.

    When IT says the problem will take 3 hours to fix you tell them they have an hour.

    When the mechanic says sorry, it took longer than 3 hours because ... , you'll be upset but let him do his job.

    When IT says sorry, it's going to take longer than expected you tell them to wrap it up and fix it later. Later never comes and the problem migrates until it hits critical priority and they have 15 minutes to fix what would have taken an hour more to fix previously, but now they aren't sure how to proceed since it was left in an unknown state.

    And, you blame them for the problem in the first place; regardless of their lack of any prior involvement.