SF Not an Exception In Giving IT Too Much Control
CWmike writes "The city of San Francisco's IT department is certainly not the exception when it comes to allowing just one person to have unfettered rights to make password and configuration changes to networks and enterprise systems. In fact, it's a situation fairly common in many organizations — especially small to medium-size ones, IT managers and others cautioned in the wake of the recent Terry Childs incident."
They claim that you should have more than one person who knows the password and configuration of the network. I work mainly in small to mid-sized businesses; I have never heard of only one person knowing the password. In fact, the smaller the business, the more the owner wants to know the password (IME). Generally IT doesn't want $random_user to have the admin passwords. Also, everyone who has them is another person who can potentially "lock down" the system (see third para).
The configuration? Well, I am not really sure what they mean. Basic configs such as IP addresses and the like have been documented at even the shoddiest implementations I have seen. Plus, if you know how to run that server, you probably know, or can find and make changes to, the "configuration". But if there is only one person at that company who knows that server/technology, well, then there is probably only one person who knows the configuration! What, should the accounting manager know how to run our servers?
But the bigger issue is that in an SMB, and in my current positions, I could CHANGE THE PASSWORD!!! Doh, they forgot that you can do that!
TFA goes on to say things about hiring an administrator and then an auditor for the admin. WTF? Never heard of this happening in my career. I do know the military uses these methods, but that makes sense for them. The average sign printing company (even a 200 employee company) can't do that.
TFA highlights a situation that we all knew existed... and didn't even give a (reasonable) proposed solution.