Slashdot Mirror
Ask Slashdot: Do I Give IT a Login On Our Dept. Server?
jddorian writes "I am head of a clinical division at an academic hospital (not Radiology, but similarly tech oriented). My fellow faculty (a dozen or so) want to switch from a paper calendar to electronic (night and weekend on-call schedule). Most have an iPhone or similar, so I envisaged a CalDAV server. The Hospital IT department doesn't offer any iPhone compatible calendar tool, so I bought (with my cash) a tiny server, installed BSD and OpenLDAP for accounts, and installed and configured DAViCal. After I tested it out, I emailed IT to ask to allow port 8443 through the hospital firewall to this server. The tech (after asking what port 8443 was for), said he would unblock the port after I provide him with a login account on the machine (though 'I don't need root access'). I was taken aback, and after considering it, I am still leaning toward opposing this request, possibly taking this up the chain. I'm happy to allow any scan, to ensure it has no security issues, but I'd rather not let anyone else have a login account. What do the readers of Slashdot think? Should I give IT a login account on a server that is not owned or managed by them?"
.... you'd be breaking network and security policies up the wazoo by plugging your own server into the network, much less having a machine that IT couldn't manage and audit.
But instead of asking "should I give IT a login account on a server that is not owned or managed by them?" perhaps you should ask "should I give IT a login account on a server that is on their network?"
It becomes a lot less clear in that formulation, huh?
Why does a server that is not owned or managed by the IT department exist inside the firewall?
In my workplace that's a sacking offence.
Have you asked him why he wants a shell? If not, why the hell not? And if so, why haven't you told us?
You shouldn't be deploying rogue hardware that is not company owned at any place of business let alone a hospital. Have you even considered the compliance ramifications?
You're asking them to open ports and you're "taken aback" for them asking for an account? They ARE the IT department.... did you even bother asking them if they had the capability of doing what you wanted before you reinvented the wheel?
You may not think that IT owns or manages your server, but they do own or manage the network. Imagine if some guy from IT came down to you and wanted to start looking through radiology records. I'm sure you'd ask him if it was ok to look over his shoulder every now and again before you gave him full access.
If you're hit by a car tomorrow and die you want someone else to be able to pick up the work and go forward. Once upon a time I had a VP I worked for at an ISP put me and the other head of the IT department on a plane with him to LA. The three of us were the only ones with access to the entire companies systems. I mentioned to him, if the plane went down, the company would probably be dead within a week. He just laughed it off.
That said, your IT department are the best ones to handle this. I doubt the hospital is paying you to play tech nerd, I'm sure you have other work you should be doing. The IT guys are PAID to do this and are screened carefully (at least I hope so) by management to be trustworthy in doing it.
It sounds to me more like you're looking for job security by being the only one with keys to the castle.
Let me tell you how this goes down in most corporations. If you don't, their security dept. simply won't give you what you want. They're likely to shut you out anyway. If you take it up the chain then you're calling attention to the fact that you have a non-hospital entity on the company network. This is/was a bad career move. You might get away with it and many do for some time. Given that you're running BSD is a plus as you're not as likely to propagate a virus. Unfortunately for you, IT already knows. So if you choose not to give them a login you might find yourself without an IP address. Or worse, without a job.
Asking what port 8443 is for wasn't a stupid question - if it's not in /etc/services, it's not a standard port number. As for giving him an account, look up "chroot jail". Problem solved.
No folly is more costly than the folly of intolerant idealism. - Winston Churchill
You are operating a server, behind the firewall, on their infrastructure, in their facility. You, (un)fortunately, don't make the rules. What you're doing sounds great and the lengths you've gone to make it happen are commendable. But I can't imagine any decent business being run while allowing any employee to run any server they want behind their firewalls without at least some oversight. You're going to have to follow their rules, sorry.
You say he doesn't want root access, only an account. Maybe he has an iPhone and is also stymied by the IT department's lack of support for CalDAV.
Atlas stands on the earth and carries the celestial sphere on his shoulders.
What you've done would cause any professional IT group to get out the hot tar, feathers, and rail. Or at least come into your office and ask you politely to remove the damn server from their facility. And never do this again. You must have missed all the security briefings, the issues with HIPPA, and whatnot when you were looking at systems. What you've done is to create a 'rogue system'.
Imagine one of your kids sets up a server in your house. You don't understand it, you don't know if it's happily sniffing network traffic to steal passwords so pizza can be ordered using your credit cards, serving up pr0n, or just running minecraft. Would you willy nilly allow the kids to open a port on your firewall without the ability to audit what they're doing ?
Of course not.
Personally I'm amazed that they only asked for an account on your little server. I would have gone over and watched while you removed it from the facility and put in in your car.
Does it sit on an IT managed network? Connected to IT managed switches? Does it use IT managed/owned internet access? Did you get approval from IT to connect a server to their managed network and deploy an unapproved service from them before plugging it into the IT managed network?
Im willing to bet the answer to all of the above is "no". You should be prepared for the WWE type smackdown. You should also re-read the Acceptable use policy for your enterprise/organization and you should very politely offer them watever access they desire to allow your unauthorized service on their managed network.
My ,02.
Armaments, 2-9-21 And Saint Attila raised the hand grenade up on high, saying, 'O Lord, bless this Thy hand grenade' N
If you are able to put a server on the hospital's network and have it working without IT approval (apparently), then I'd say the hospital has a bigger problem.
Never mind the fact that IT is unable or unwilling to support the tools that you and your team need to do their jobs.
Go on, citizen, stamp the vote card. R or D, your choice.
They can also not provide it a network port. When the server gets pwned it will be IT people blame.
..."Should I give IT a login account on a server that is not owned or managed by them?"...
You mean not owned and managed by them right now. However, someday down the road, when you are gone, IT will have to manage the damn thing. The company I work for made a mistake many years ago by allowing every user to have Microsoft Access installed on their machines. A lot of power users went wild creating Access databases for their own purposes. Naturally, over time, two things happened: 1) The databases grew in size and complexity. 2) The company began to depend on them and link the information in them to each other. Very quickly, all these databases became IT's responsibility to manage, especially when the pinheads who designed them got promoted to their particular level of incompetence, or left the company. It has been very tedious getting the data away from these god-awful Access databases, and re-designed and normalized into proper SQL Server or DB2 databases.
Yes, IT should have access to your server. They'll have to manage it eventually anyway.
Proverbs 21:19
Sounds great. He can have access to the network switch port and the firewall opened up as soon as that transaction is complete. The Hospital IT should have switched off the network port the second they heard of this machine. Well really the network ports should just not all be on to begin with.
Of course they want "power and control." If you were held responsible and accountable for a system, reasonably or not, then you would want "power and control" over it as well.
Meaning that you're from the only kind of IT department in the world that allows any clueless asshole (students) to connect to your network. Meanwhile this guy works at a hospital where stuff like HIPPA means that if IT policies aren't carried out properly, IT people lose their jobs.
No folly is more costly than the folly of intolerant idealism. - Winston Churchill
WSUS / etc won't do much good for a Linux server...
bork bork bork!
jddorian - I'm going to bottom line this for you. It's really quite simple.
The request to have a non-root account on a box plugged into a network managed by IT could not be more reasonable. If you have problems with this request then you have bigger issues my friend than we could possibly deal with here on Slashdot. It might be interesting to know exactly why you are opposed to this request. If you can't live with it then take you box and go home with it.
Sorry dude. IT departments would take it in the ass if that server violated HIPPA laws. You JUST don't DO this now. PERIOD.
Gorkman
I would insist on the same if I were in that person's shoes. The network is managed by IT, and they need to know exactly what is running on it. It would be negligence to allow an unmonitored/uncontrolled server inside of the firewall. Also, anything related to IT stands a strong chance of being inherited by IT in the future. Someone sets up a system, and then they leave and IT is left to reverse-engineer the whole thing because they weren't involved.
Exactly. Unless you're willing to take full responsibility for any damages incurred on the organization as a result of your potentially insecure server providing a crack in the network (which could most likely be huge damages), you're out of your mind to suggest that IT shouldn't be allowed to manage the server. If it's so important to you, host it on an external network like you would host any other independently operated service.
As a person interviewing for an IT position at a large U.S. university, I'm thrilled to hear that the hassle of maintaining sane network policies won't be part of the job.
Hahahaha you must work in marketing. Ask Vanna if you can buy a clue.
No folly is more costly than the folly of intolerant idealism. - Winston Churchill
At the large company I worked for, hooking up personal computers to the network was a terminable offense. So no, you don't give them a login - you don't set this up at all.
The chief reason appeared to be fear of viruses and hackers, but there are many, many more. The hacker front can be a bit obscure: What if your CEO read the article about RSA getting hacked by an excel file with an embedded flash object, and the CIO assures the board that all computers will have flash removed and tasks IT with identifying and removing flash everywhere? How are they going to look having to explain 'well, we got everything, except for the personal computers that we don't have access to'?
Lets say people start relying on the service you are providing with a personal computer under your desk. What if it goes down? Helpdesk will get called, and need to know what to tell the caller so they don't appear incompetent, and need to be able to address the problem. What if IT is required to certify that all of their computers have X patch applied as part of a compliance audit for certification? What if a corporate policy goes out that no computer can run unecnrypted ftp regardless of port # they run it on? What if your company is obligated to ensure that terminated employees can't log in to servers? What if a lawsuit is served and your company is required to provide copies of all records pertaining to meetings with client xyz, and your calendar server has meeting info on it but your IT department doesn't even know it exists? None of these things are unreasonable, but none of them can be done easily if you're allowed to set up whatever box you want doing whatever.
Sure, it makes your job harder if you have to go through official channels to get the things you need to get your job done. But your company needs to be able to get their job done too, and a bunch of random whatever-somebody-set-up-under-their-desk systems makes that really hard.
is competition good, or is duplication of effort bad?
Tell them that the second they reimburse you for the server they can not only get a login, but they can become responsible for its maintenance and security and they had better be sure it has a solid uptime. That only seems reasonable. :-)
Nope, I'd just quietly get the MAC and blacklist it. No network traffic for you. If I'm asked to buy a CalDAV server, I'll buy real server hardware and run it in a real server room. Not under some guy's desk where the custodial staff can kick the cable.
If you're feeling REALLY confident about your value to the hospital, feel free to bet on your clout. But if that's the case, Management probably would have paid for the server if you asked.
1. install vmware server, configure a barebones virtual machine
2. configure local ssh to listen to an alternate port number.
3. configure port forwarding on your local machine to direct port 22 to the virtual machine.
4. give them access to the VM
Best of both worlds.
They think you've given them access, and you have...just not to the machine they think they're accessing.
If you decide to give them an account on the actual machine, configure an external location to backup your logfiles, even remote logging. When they attempt to do something bad on your machine (and they will) you'll have the proof you need to make someone regret their actions.
"Lame" - Galaxar
That explains a lot. Guess what, Head of the Division: just because you are smart, and well trained in YOUR field, does not make you a computer or network expert. As the head of a division at an academic hospital, you have a responsibility to not only follow HIPPA (or your country's equivalent) requirements yourself, but to set an example for the medical professionals training at your facility.
Do you simply not understand that plugging unauthorized and unaudited equipment into a hospital's network is not only a very bad idea, but against the law in most places? As the head of a division, you should understand that.
The fact that you were "taken aback" by a request to follow policy indicates that you most likely view this as a dick waving contest. It is not. Your dick will not shrink if you allow the computer professionals to audit your work and comply with hospital policy and the law. No one expects you to be a network expert, that is your hobby, not your profession.
In short, stop being a condescending ass and let the professionals do their job. If I knew an untrained "division head' was setting up unauthorized networking equipment, I would avoid that hospital like the plague, as I don't want hacked equipment broadcasting my medical history to the world, understand?
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
Is it really that hard to load into your smartphone a few weeks schedule occasionally? Even if everyone in the department is a techie, there is no need to try and get fancy. Sometimes the old fashioned really is better.
If you were talking a department of 100+, I can see some benefit. For a dozen freaking people though, you're just creating needless drama.
More than that, who says you are a qualified systems admin? You say "I am head of a clinical division at an academic hospital (not Radiology, but similarly tech oriented)." And I take it that you installed BSD and OpenLDAP. My question is... so what? Who is to say what you really know? You are operating in a hospital. You have medical records. The IT staff there MUST make sure ALL systems there comply with HIPPA and industry security standards.
Hey, the IT guy watches Grey's Anatomy. Can he perform medical tests in your hospital? No? So what makes you think you are comparable to IT? They respect your job, how about you respect their's.
I'm sorry, but there is no way in hell I would let you on such a network without root. Not an account, but root. And if I were a patient, I would be screaming bloody hell if I found out non-IT staff got to run their own servers on the hospital network. The fact that they let you run at all is mind boggling to me. Probably because they can't fire a department head or you have tenure or something similar.
But you are on the most sensitive type of network and balking at the most basic request. "Should I give IT a login account on a server that is not owned or managed by them?""
Should they allow you host a server on a network that is not owned or managed by you? Honestly, if you did this all without first passing it by my IT department, I'd do my best to have you fired. Don't wanna give access to your precious box... geez, you really think THAT is the big deal in all this. Unbelievable, foolish, and arrogant to say the least!
I8-D
The post is so stupid and bound to generate comments to that effect that I suspect that like many of the "Ask Slashdots" it's entirely fictional. Any hospital admin who is aware of Slashdot would know the reaction he would get here. It's just some twat trolling us. Or possibly the editor spicing up a slow news day.
The fact that you were "taken aback" by a request to follow policy indicates that you most likely view this as a dick waving contest. It is not. Your dick will not shrink if you allow the computer professionals to audit your work and comply with hospital policy and the law.
Now who's the doctor here?
Hilarious. This story has polarized Slashdot into the "I actually work in IT in a systems administration capacity" camp and the "I tinker with computers as a hobby" camp. The tinkerers are actually taking offense that the "so called experts" won't immediately recognize their superior genius. The experts, for their part, seem used to this crap. Here's the deal, tinkerers: we will respect your mad skillz only after you have demonstrated them several times and jumped through all the proper hoops. Until then, you are just like any other Little User. No insult intended, but this is our job, and our butts on the line, not yours.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
Why even bother setting up a server with all the excellent online calendar applications? For instance, many schools use Google apps for education or MS Live.
That aside, going rogue, not talking to IT, and making a custom solution just for your one area, is one of the things that makes working in IT so frustrating at times. Among the many, many problems that implementing your own solution can create, just think about one: what happens if you change jobs? I can personally attest to getting calls from random new department heads saying "Joe Smith (former department head) set up system xyz to do abc for us and now he's gone, I expect IT to now support system xyz".
This scenario is especially prevalent in academia. Academic freedom is important, but all too often it spills over into areas that it really doesn't belong.
The OP is a troll.
The user ID "jddorian" is a fictional character on the US TV program Scrubs.
No head of department at any hospital or university I have been associated with would have had the time in their career to be more than passingly conversant on computer IT issues, forget know about ports. Heads of departments get to those positions only because they do nothing else with their lives.
A head of department would know better than to set up something themselves. They wouldn't also have the time to do something like that. They would be familiar with the idea that the hospital IT infrastructure is far more highly managed than normal corporate IT structures.
And, unless this is a seriously podunk hospital, they likely already run Microsoft Exchange for email, and so have electronic calenders.
Troll. It's a troll.
Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
I am the CIO/CTO of a major medical organization. Had you plugged that server in on my network without authorization from IT, without a security audit performed, and without any compliance auditing performed - you'd be looking for a new job. That being said, I completely understand the desire for tinkering and providing a good solution to your colleagues and peers. But, to do that without consulting the IT department is very inconsiderate. They are working their asses off to make sure that everything is working as it should, while managing user complaints, hardware failures, asset tracking, data retention policies, and a myriad of other odds and ends. By plugging in that server, you've just undermined everything that they are doing. You're putting an untested application onto a network that you're not familiar with and hoping it doesn't break anything - without any consideration of the port mapping schema, or IP addressing schema that is in place. The next time you're feeling technically savvy, my recommendation would be to consult your IT department beforehand. At the very least, you should be severely reprimanded for your actions. You are jeopardizing the reliability and security of hospital systems with your little project.
Remind yourself: You may be technical but you don't work in IT. You job responsibility is not IT.