How Do You Protect Servers From a Rogue Admin?

Treborto writes "I work with a non-profit that has an extensive collection of photos and videos. These are used in publications and on the web. We have several levels of privileges: read-only of small, watermarked images; read-only of large, clean images; edit of the site; and admins who can confer privileges. It has happened that people leave the organization in anger. So far, no Admin has done so. Is there a back-up, site mirroring, privilege, or other strategy you'd recommend so we have protection from an Admin gone bad?"

backups and snapshotting

FS snapshotting and backups are the only way, but make sure your backups are protected (locked up) etc.

Re:backups and snapshotting

[ron_ivi]

And one more thing to add - extensive logging of anything done with administrative privileges.

I worked at a place where everyone had sudo privileges; but any command done using it was logged to a couple different remote servers not administered by the same person. Worked out well; and anyone misusing it (say, running sudo bash) got noticed and talked to pretty quickly).

What's the real problem?

If people routinely leave your non-profit organization in anger, then the organization's leaders probably need to address a more fundamental problem than server administrative rights.

Re:What's the real problem?

[Artifakt]

Author didn't say people routinely leave in anger, just that it happens. I've worked with a non profit charitable in the past, that had to make a decision whether to fund an alternative to planned parenthood, called choices. From what we saw, choices wasn't offering a lot of choice. They wanted to provide more of an alternative to abortions, and show women how adoptions could be a possible solution, and I really can't fault them for that, but they didn't want to provide information on preconception birth control, only abstinence, and in actual practice, they were tending to also push this message that not getting a ring from the male involved first made it all the woman's fault. Surely you can see how issues such as those can lead to angry resignations and workers who feel there's no compromise with management possible, and who might even break privacy laws as a result. Not all the risk is juvenile attitudes and L33Tspeak hacker volunteers who might get into petty arguments and storm out, much of it if is from people who sincerely think the issues are critical and worth bending a few rules over, and that the people who don't agree are all somehow stupid or hypocritical or venial, justified targets for anger.

This comes up almost daily on PHB websites...

[Fallen+Kell]

First, you need to stop drinking the coolaid. You are paying the sys-admin to keep your systems up and running. They do have "the keys to the kingdom", because you are paying that person to hold them. If you don't trust that person to hold the keys, then you shouldn't have hired them in the first place.

The ways you mitigate the issue of "rogue" admins, is vet them, listen to what they are saying in terms of technology, don't micro-manage them, and pay them well. The good ones without a doubt will know the technology better than their manager/management structure will ever know it. The reason the admin says something about the setup/configuration/technology is almost always because it is needed change. If you can't afford to make those changes, then you need to explain that is the reason, don't make up some BS about how you want things to stay the way the are, or you want to change the organization/structure to something else, because they will "call" you on it. Again, they know the technology better than you ever will.

The other thing to do is to pay them appropriately. You are trusting them with running some of the most complex systems in your entire company, as well as safe-guarding your data, your processes, and your daily operations. The reason why you don't see many rogue CEO's is because he/she is being paid well to run the company, choose its path, and steer the ship, so to say. The system admins in today's information based businesses are the guys keeping your entire company running. If your servers/data were all destroyed, and your business would not survive, then you might want to consider paying the people who keep that data/servers a more appropriate amount of compensation since they are so vital to your business.

Again, there are very few admins who go rogue, and even fewer who did not do so after being mistreated by their bosses/management. If people want to point out at the case of Terry Childs, they need to get a clue. Were mistakes made, sure. Did Terry have some issues? Yes. Did he actually go rogue? No. In his eyes, he was protecting the network from idiots and incompetents, and following the rules as currently defined. He wouldn't give out the passwords in a room of strangers, over the phone, or via email where it can easily be intercepted and then misused, as well as be cause for firing him because policy stated not to do any of those things. So he was placed into a situation where he would be fired if he handed out the passwords, or fired if he didn't. And once fired, he really had no obligation at all to give it out anymore, why? Because he didn't work there. Same as if you fired your top salesman, or stock broker, or process manager. They don't have any obligation to tell you anything about the contacts/client relationships/methods for picking stocks/how things work. If you fired them before you obtained that information, then you should have been fired. In the Childs case, were they trying to obtain that information, sure. But in the wrong way according to policy. They should have taken Terry into a one on one conversation, in a private room, with no one the phone and asked in that setting. Even then, he might have refused to have the manager have the password because the manager didn't have the knowledge or skill to know how to properly vet someone as being capable of having the password. The only thing that would happen is that it will cause someone to screw up the settings and create work for Terry since he will be the one called in to fix it, and most likely not paid for that extra time he had to spend fixing someone else's screw up.

Again, it comes down to properly compensating the admins, listening to them, and not trying to play office politics with them. You treat them well, and they will do whatever it takes to keep the systems running because they take pride in their work. You treat them like crap, blindly disregard their expertise in terms of operating the servers/network because "you know better than they do", you are asking for th