Security

Dealing with Network Politics and Insecure Users? 170

Rob asks: "I work at a large university as an IT support person for one of the college's Novell networks, and I frequently find that my hands are tied on security issues--highly paid, highly respected professors do not like to see the words 'Access Denied', not even on their secretaries' screens. They routinely share their passwords, leave their machines unlocked, and go weeks on end without rebooting. They demand Administrator access on their local machines. They demand Internet Explorer have minimal security (but it's our fault when they get a piece of spyware). So, Slashdot community, I ask you this: how do you limit a user's access without making it look like you're limiting their access?"


  • Dupe them (Score:2, Funny)

    by Bin_jammin ( 684517 )
    Tell them they're getting a mandatory system upgrade, then put them in Kiosk mode, give them access to email, whatever office apps they have, and whatever other critical functions they need. If they ask for more, tell them it's been obsoleted. After all, they've got tenure, they're smart, right?
    • Bah. Charge the department for services rendered when you have to fix things due to the professor willfully ignoring the stated rules.
      • Exactly. Lay down some ground rules. If they get spyware, launch a worm on campus, or the non-standard machine needs time spent debugging, then charge the department back. Then the department head has a battle to fight with respect to budget.
    • Just realize that because these academic types will always need you, your job is secure into the foreseeable future. Everyone should be so lucky.
    • I work in a similar situation as a K-12 sys admin. When someone has a problem with spyware, virus, computer not plugged in (I get this call at least once a week) I try to educate the user. I sit down with them for five minutes and offer basic computer usage advice. This usually includes: When you get an email with an attachment do not open it. First either call the sender or email them back and ask if they sent the attachment. I try to convert them to Firefox for web browsing but they still must use IE
  • by ssclift ( 97988 ) on Thursday December 16, 2004 @08:03AM (#11102842)

    Face it, totalitarianism lives and thrives among system admins for a really good reason. Your only solution, I think, is to play the dictator and do it with a happy-friendly smile. Recycle some old Communist propaganda posters to get people in the right spirit.

    And... as I tell my colleagues when they have Windows problems: hey, you have a Ph.D. in computers, you fix it.

  • Here (Score:5, Funny)

    by KDan ( 90353 ) on Thursday December 16, 2004 @08:06AM (#11102861) Homepage
    is the ultimate guide [theregister.co.uk].

    Enjoy!

    Daniel
  • by jbarr ( 2233 ) on Thursday December 16, 2004 @08:08AM (#11102880) Homepage
    "...highly paid, highly respected professors do not like to see the words 'Access Denied', not even on their secretaries' screens.."
    ...that someone has to break. Depending on the political environment, IT may or may not have the authority to impose such restrictions. If IT does not, then it would be prudent of IT to inform those who do have the authority of the risks, consequences, and measures that can be taken to ensure a secure computing environment. When a virus or a rogue program infiltrates the mailboxes or directories of these "highly paid, highly respected professors" and destroys their work, or better yet, if their work is stolen and ends up in the public domain without their credit or consent, then they'll be the ones asking why IT isn't doing their job.
    • That's a good call. I also work in IT at a university, and the department was kind of toothless until our network got hosed for a week last year after a *major* infection of two viruses simultaneously. Since then, we haven't had many complaints about things being locked down.

      Nonetheless, you'll still run into professors who are just plain averse to change. We give shell access to one of our academic servers, and earlier this year, I shut down telnet access in favor of ssh. A small change, but with mor

      • When they share their passwords, change it for them, and tell them that an automated system detected that their account had been compromised, and "here is your new password". It's much easier to blame things on an automated system, even if you wrote it.

        Trust the computer. The computer is always right. The computer is your friend. The Computer says so.
          "Trust the computer. The computer is always right. The computer is your friend. The Computer says so."

          Along those lines, people that argue with you will not argue with a sign...they will obey it almost always. So it is written, so it will be done. Simple conditioning.

          • I'd have to disagree with the sign thing. How many people test the "wet paint" sign?
            • If you tell the same people 'the walls here have just been painted', how many will touch it? Signs are more authoritative. Kind of like emails or memos in an office; you've been put on notice.

              Besides, the only negative to touching paint is that your fingers get sticky for a few moments, though the color washes off soon enough. "Please take a ticket" seems to be more effective; you don't take a ticket, and someone else may 'get ahead' of you. Even if the room is mostly empty.

              Additionally; if someone ignore

        • +1 Paranoia reference
    • Go over their head. Go to the damn president if that's what it takes. A good way to get changes made is to say (after an outbreak), well, your computer caused our IT staff to put in 20 hours of overtime. Which one of your budget accounts should we bill that to?

      My IT department has a rather drastic statement in our AUP. Since we purchase, fix, and maintain all the PCs on our campus, our rule is: we control it totally, or it doesn't go on the network. If they want to run as admin, or don't want to bother w

        "Which one of your budget accounts should we bill that to?"

        Exactly. You may not get the money, but insist on it and take collecting seriously -- though not so rabidly as to get the overtime issue slapped down. That could harm other legitimate requests. Hopefully, you'll only have to go through that once ... with small reminders later.

    • How about this: Set up the system in a properly gestapotronic secure mode. Then, start making forms. Paper ones. If a prof requests something stupid, fax him the form to fill out and sign. The form includes a complete description of the risks, giving you, the IT guy, a big filing cabinet full of deniability.

      Tell them that they're getting special IT administrator privileges and so they have to sign as "admin-users".
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) * on Thursday December 16, 2004 @08:13AM (#11102909)
    Comment removed based on user account deletion
    • That's all fine and dandy until you're unemployed because someone with a lot of clout tells your boss that you're being "uncooperative".

      If you have to go up against those kinds of people, you'd better have a comprehensive written security policy with the full backing of the entire IT department (and if that's just the one person, then the IT "person"'s boss as well), as well as the higher administration.
      • by override11 ( 516715 ) <cpeterson@gts.gaineycorp.com> on Thursday December 16, 2004 @08:26AM (#11102978) Homepage
        I run into this with a sister company here. You need to engineer a situation that illustrates how the current low security causes your company to lose money, in front of the professors as well as your management, and then offer a solution of increasing security. When you get your management on board with increasing security, it will work. What rankles the professors is that someone lower on the totem pole is dictating to them what they can and can't do (it's an ego thing). Take it to the next level, and they won't complain. :)
      • Comment removed based on user account deletion
        • In a typical business you are correct. However this is a university where the professors are boss. If the CEO of a big company gets mad at you personally, then your job is on the line no matter how much your boss likes you. At best your boss will suggest you send out resumes, and take any offers.

          Professors have a lot of power in a university. If they really hate your IT department, they will hire their own IT guys to run things how they want it. Doesn't matter if how they want it is wrong, they direc

          • I don't think this is any different in the corporate world - explaining to a senior manager that he doesn't have access to that system isn't any easier. The key is in how you communicate it. Telling people that that's the way it is and "they have to live with it" is basically rude, and rudeness begets rudeness. The difference is, unlike the intern down the hall or the members of the freshman class, the senior manager / important tenured professor really doesn't have to take any stick from some gnome in IT s
            • Well yes, but in the corporate world most people are not that high; for them, what IT says goes unless things are really, really bad. In the university world you have a larger number of people with senior management clout. Worse, in the corporate world there is likely a CIO who is about as high as the others who should (but often won't) back you up, while in the university world the CIO doesn't have as much political power.

                • I'm not sure I agree. I've never worked for a university so feel free to dismiss this as the musings of an idle mind, but it seems to me that once you factor in students the depth of the hierarchy at the average university and average corporation would probably fall into roughly equal ranges. After all, the BOFH didn't have to change his tactics that much when he got a "real" job ;)

                Anyhow - even if there are more people who can tell you to go piss up a rope when you come by with your anti-virus ("but it ma
                • To expand on this, stop calling user access levels 'rights' or 'privileges' - call them 'responsibilities'.

                  'Admin rights' sounds cool.
                  'Admin privileges' sounds like something I am entitled to because I am powerful.
                  'Admin responsibilities' - screw that, that's what we pay IT to do.

                  Additionally, when they hose their box, you can look at them and say 'hey - you specifically requested the responsibility to admin that box, so go admin it.'

                  You can get folks to give up their admin access as soon as it sounds li
            • My partner manages IT for a law firm. Here you have senior lawyers who are partners - they literally do OWN the firm. What you don't typically have is IT representation at that level - the partner says they want to, say, dial in from home or access their mail from cybercafes, and you then have to nicely point out that it's not really all that simple and you've got to nail security first.

              In a corporation, you typically have an IS organisation that has clout at the highest levels - in parallel to your othe

    • Explain to them that security is inconvenient and that they have to be adults and accept it. It's your job to secure the network and it's their job to teach the students...
      So you want them to act like adults, but you treat them like children? Adults have adult responsibilities. Cars don't have safety features that keep them from going more than 35 mph. Instead, we have driver's ed classes, driver's licenses, penalties for speeding, penalties for drunk driving, etc.

      The best solution to security problems

      • Comment removed based on user account deletion
      • In other words, if you want to hook up a computer to the network, it has to be a Windows box provided by the administration, that is locked down so only they can administer it.

        Lock down your DHCP server to only give IP addresses to registered MAC addresses. Granted you need to do a little work up front, but a lot less work long term.

        Disclaimer - I know how to do this off the top of my head for the wireless router I have at home, not entirely sure this is possible with home-grade commercial wired routers
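The "registered MAC addresses only" rule from the comment above, written out as a policy check. This is an added example, not code from the thread or from any DHCP server; the registration-file format (`mac,owner,department`), the hostnames and the hardware addresses are all constructed. The one wrinkle worth showing is normalisation: registrations arrive in colon, dash and Cisco dotted notation and in mixed case, and a naive string compare would deny a perfectly registered machine.

```python
import re

# Constructed registration list (assumed format: mac,owner,department).
# Three notations on purpose: colon, dash and Cisco dotted, mixed case.
REGISTRY_TEXT = """\
# mac,owner,department
00:1A:2B:3C:4D:5E,prof.smith,physics
00-1a-2b-3c-4d-5f,sec.jones,physics
001a.2b3c.4d60,lab-pc-07,chemistry
"""

# Constructed client hardware addresses as a DHCP server would see them.
REQUESTS = [
    "00:1a:2b:3c:4d:5e",   # registered, differs only in case
    "00:1A:2B:3C:4D:5F",   # registered with dash notation in the registry
    "00:1a:2b:3c:4d:60",   # registered with dotted notation in the registry
    "de:ad:be:ef:00:01",   # never registered
    "not-a-mac",           # malformed
]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Canonicalize colon, dash or dotted notation to lower-case colon form.
    Returns None for anything that is not exactly 48 bits of hex."""
    digits = re.sub(r"[:.\-\s]", "", raw.strip()).lower()
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_registry(text):
    """Parse the registration list into {canonical_mac: (owner, department)}.
    A malformed MAC in the registry is a data error, so it raises."""
    registry = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            raise ValueError(f"registry line {lineno}: expected 3 fields")
        canon = normalize_mac(fields[0])
        if canon is None:
            raise ValueError(f"registry line {lineno}: bad MAC {fields[0]!r}")
        registry[canon] = (fields[1], fields[2])
    return registry


def decide(raw_mac, registry):
    """Return ('GRANT', owner/department) or ('DENY', reason) for one client."""
    canon = normalize_mac(raw_mac)
    if canon is None:
        return ("DENY", "malformed hardware address")
    entry = registry.get(canon)
    if entry is None:
        return ("DENY", "unregistered hardware address")
    owner, dept = entry
    return ("GRANT", f"{owner}/{dept}")


def audit(requests=REQUESTS, registry_text=REGISTRY_TEXT):
    """Map each request to its decision. The DENY rows are the helpdesk's
    follow-up list: an unregistered box is a conversation, not a silent drop."""
    registry = load_registry(registry_text)
    return {mac: decide(mac, registry) for mac in requests}


if __name__ == "__main__":
    for mac, (verdict, why) in audit().items():
        print(f"{mac:20} {verdict:5} {why}")
```

On ISC dhcpd the same rule is `deny unknown-clients;` in the subnet declaration plus one `host` block with a `hardware ethernet` line per registered machine, which is where the normalisation above matters, since every entry has to be typed in one consistent form. Keep in mind that a hardware address identifies a box but does not authenticate it; this catches unmanaged and forgotten machines, which is the problem the comment is solving, and 802.1X is the step up when you need the client to prove who it is.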
    • ... so make a deal with them: You won't tell them how to teach their courses and they don't tell you how to run the network.

      And their counter-offer will be: you won't work there any more, and they won't tell you how to run the network at your new place of employment.

      Professors with tenure are worse than any PHB you can imagine.

  • Get a backbone (Score:4, Insightful)

    by Yankel ( 770174 ) on Thursday December 16, 2004 @08:14AM (#11102917) Homepage
    You either have a network policy or you don't.

    I deal with this kind of stuff on a different level. I manage an intranet and need to deal with people wanting things 'their way,' only to have them complain when their way is the wrong way.

    I get them to e-mail me acknowledging that this is against my recommendations or against policy X. When it blows up the first time, I fix it and hopefully gain his or her trust.

    If he or she is still pig-headed after one major experience or a couple of minor ones, put solving their problem at the bottom of your list of priorities. Remember, you hold the power.

    Just remember to have them acknowledge in writing or via e-mail that whatever they're demanding is against your recommendation or policy if you can't convince them to back off.

    And if you run out of ideas, just follow Simon's lead http://bofh.ntk.net/Bastard.html [ntk.net].
    • Re:Get a backbone (Score:3, Interesting)

      by fuzzybunny ( 112938 )
      This is pretty well-stated. The problem is that in a lot of environments, the admin is in a "lose-lose" situation.

      As a consultant, I try to advise clients on what's the optimal thing to do for their own good in the long run, but also cover my ass with documentation and so on. As a sysadmin of any kind, you often tend to run into issues where, even if you can show "I told you so", no matter how civilly or correctly it's documented, presented, whatnot, it's still your fault.

      Remember also that professors are
  • Make a document (Score:4, Insightful)

    by keesh ( 202812 ) on Thursday December 16, 2004 @08:22AM (#11102960) Homepage
    Get them to sign a document accepting full responsibility for all data loss, nasty crashes etc. on their machine. Make sure you include a list (several pages long if possible) of examples of things which they must accept responsibility for if they don't follow the normal security procedures. Either they'll be scared into following the rules or you'll be totally safe when the shit hits the fan.
    • Sure, s/he won't be legally responsible if the document is written properly, but s/he'll still be the person hired to clean the network afterwards (for no additional pay, I assume).
    • Right approach, but unless you have a really buck-passing organisational culture it should not be necessary to even get it in writing.

      I have worked for two companies where at least some people had admin on their own machines. But these were places where people did not pass the buck to IT if they messed things up. On the other hand IT did help even if it was your fault - which did not actually happen too often.

      The advantages of having admin were that you could fix problems yourself (if you knew how), and y
  • remotely manage their machines, using any of a number of tools.

    Restrict logons to one instance.

    Use the administrative tools available to restrict the hours a professor may be logged in to match his or her published office hours, and enforce automatic logouts for extended (more than one hour) idle times.

    When a workstation has been detected to be infected with a virus, or spyware, remotely set the gateway for that workstation to 127.0.0.1, disable the switch port the workstation is connected to, and set th
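The account-side controls from the comment above (one logon per user, logons only during published office hours, forced logout after more than an hour idle) as one small policy engine. This is an added example, not code from the thread or from any Novell or Windows tool; the users, workstations and the office-hours schedule are constructed, and the 24-hour, end-exclusive window format is an assumption. The `demo()` function walks a constructed Monday through the policy so the deny and force-off decisions can be checked.

```python
from datetime import datetime, timedelta

# Constructed schedule (assumed, not from the thread): user -> {weekday
# (0 = Monday): [(start_hour, end_hour)]} on a 24h clock, end exclusive.
OFFICE_HOURS = {
    "prof.smith": {0: [(9, 12), (14, 17)], 2: [(9, 12)], 4: [(13, 17)]},
    "sec.jones": {d: [(8, 18)] for d in range(5)},
}
MAX_IDLE = timedelta(hours=1)   # the comment's "more than one hour" rule


def within_office_hours(user, when, schedule=OFFICE_HOURS):
    """True if `when` falls inside one of the user's published windows.
    A user with no published hours can never log on (deny by default)."""
    windows = schedule.get(user, {}).get(when.weekday(), [])
    return any(start <= when.hour < end for start, end in windows)


class SessionPolicy:
    """One session per user, logons only during office hours, and a forced
    logout once a session has been idle for longer than max_idle."""

    def __init__(self, schedule=OFFICE_HOURS, max_idle=MAX_IDLE):
        self.schedule = schedule
        self.max_idle = max_idle
        self.active = {}   # user -> (workstation, last_activity)

    def logon(self, user, workstation, when):
        """Return ('ALLOW', workstation) or ('DENY', reason)."""
        if user in self.active:
            host, _ = self.active[user]
            return ("DENY", f"already logged on at {host}")
        if not within_office_hours(user, when, self.schedule):
            return ("DENY", "outside published office hours")
        self.active[user] = (workstation, when)
        return ("ALLOW", workstation)

    def activity(self, user, when):
        """Record keyboard/mouse activity so the idle clock restarts."""
        if user in self.active:
            host, _ = self.active[user]
            self.active[user] = (host, when)

    def sweep_idle(self, now):
        """Force off every session idle longer than max_idle; return the
        users affected so the helpdesk log shows why they were kicked."""
        expired = [u for u, (_, last) in self.active.items()
                   if now - last > self.max_idle]
        for u in expired:
            del self.active[u]
        return expired

    def logoff(self, user):
        self.active.pop(user, None)


def demo():
    """Walk one constructed Monday (2004-12-13) through the policy."""
    p = SessionPolicy()
    mon = datetime(2004, 12, 13)
    log = [
        p.logon("sec.jones", "ws-200", mon.replace(hour=7)),    # before 08:00
        p.logon("sec.jones", "ws-200", mon.replace(hour=8)),    # allowed
        p.logon("prof.smith", "ws-101", mon.replace(hour=10)),  # allowed
        p.logon("prof.smith", "ws-102", mon.replace(hour=10, minute=5)),  # 2nd session
    ]
    p.activity("sec.jones", mon.replace(hour=9))
    log.append(p.sweep_idle(mon.replace(hour=10, minute=30)))   # sec.jones idle 1.5h
    log.append(p.sweep_idle(mon.replace(hour=11, minute=30)))   # prof.smith idle 1.5h
    return log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

On a Windows domain the logon-hours half of this is `net user NAME /times:M-F,9am-5pm` (or the equivalent setting on the account object), and NDS user objects on the thread's Novell network carry the same login-time restrictions and a concurrent-connection limit. The idle sweep is the piece that usually has to be a scheduled job of your own, which is why it is written here as a function that returns the users it forced off: that return value is what you log, and what you show the professor who asks why he was logged out.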
  • by justanyone ( 308934 ) on Thursday December 16, 2004 @08:31AM (#11103003) Homepage Journal

    Disclaimer: I'm NOT a SysAdmin, I'm a developer.

    I could really live without admin rights on my box at work. Really. Almost. Except for the bunch of stuff that I have to do that demands that I have it.

    Most employers (and a Uni is the prof's employer, so this is about the same) have a 'standard build' which includes lots of software that most people need. The trouble is they never get the mix right for me, the developer. UBS Warburg had a damn good IT department (to cite the best employer I've ever worked for) but they didn't know about http://ultraedit.com/ [ultraedit.com]. They were very responsive with new software, but it was still a delay.

    For general mode programming, I don't need new software but for maybe once a month, and I can stand a 2 hour or even 4 hour delay to get it installed. This is fine and thus I don't need admin rights for it.

    The employer I most recently worked for (not UBS) is okay but they're typical of the industry (as a former consultant I've worked for about 20 companies in the past 14 years). Their standard build is not my standard build.

    The times I need admin rights are:
    • Correcting the system clock (if they had a timeserver I wouldn't need this);
    • Adding the applications they never get right:
      • UltraEdit
      • Filezilla
      • Mozilla/Firefox
      • Cygwin
      • Quicktime
      • Acrobat Reader
      • PowerDesk
      • ActiveState Perl
      • Folding at Home
      • MySQL & MySQL admin

    • Evaluating new software;
    • Running Apache on my own box - starting and stopping the service;
    • With several of my admittedly small C# .NET programs, adding them as a service, starting, and stopping them;
    Of course, my employer could have installed all the programs I've named and that would get me through the tough times, but the problem comes when I'm doing the other stuff.

    Admittedly I'm a huge power user. But, there's no reason a departmental secretary needs admin rights. She shouldn't be installing that much stuff her/himself.

    An organization that has that many rampant security violations obviously needs consequences for those violations. I can say that if I shared a password to my personal account, or a production account even, I would expect a reprimand from my manager. If it was a business critical system, I could be warned and then fired very easily.

    Frankly, moving to Linux would not correct the basic organizational problems of disregard for data security. When a prof finds his tests were stolen and thus has to write an entirely new set of questions (a LOT of work, and strangely, I've done it as a Teach. Asst.), they'll think again about security.

    If you schedule a computer switch-up, meaning taking all boxes away and redistributing them, you might force the issue of what software should be installed (get licenses for it if needed), putting data on server shares that are backed up regularly, and changing admin passwords. But I DON'T ENVY YOU THE TASK (grin). Of course, there's easier ways - reset admin passwords, announce a reinstall of the OS and thus they'll need to move all their files to a server share, require passwords be changed once every semester and enforce having a number and mixed case in the password, etc.

    -- Kevin Rice
    "Soon to be laid off from BankOne due to JPMChase Merger (don't want to move to NYC); looking for a Perl / C programming in Chicago Northern Suburbs - know of anything? Hints? Email me, kevin@justanyone.com with 'job' in subject line (due to spam filter)"
    • Disclaimer - I AM a sysadmin, not a developer.

      And when someone comes to me with a list of non-standard applications that have to be installed ASAP or they cannot do their job (oh my god, how will we ever survive as a company if I don't make this one overzealous power user happy in the next 30 seconds), and smack in the middle of the list is:

      Folding at Home

      Guess what? Straight to the bottom of the pile. Don't waste my time because you like to play.
      There are people out there trying to get work done. And th

  • ...highly paid, highly respected professors do not like to see the words 'Access Denied', not even on their secretaries' screens.

    If it's any consolation, you (or at least your boss) gets paid more than they do. The rest of their compensation package is in self-importance.

    • 10 years ago when I was in school tenured professors got as much as $80,000 per year, and less than half of that is spent teaching. (note that the first years they spend a lot of time preparing for class, but once you have taught physics a few times you know how to do it, and this time is all spent before they get tenure). No they are not rich, but they are making double what the average person makes, at least in the US.


      • I've taught a discussion section of Physics, "Intro to Astronomy" at University of Kansas [ukans.edu]. I wasn't paid, I took the teaching as a class, Physics 571 Astronomical Instruction. It was a fantastic class to work on, Dr. Steven Shawl was a kickass 'boss' as well as teacher.

        Writing a good test takes about 10 times longer than taking it. You have to:
        • Come up with plausible misconceptions as alternates;
        • make the questions cover stuff reasonable students should understand given the exposure to it;
        • Make the questi
        • Teaching is only half of a professor's job anyway... Research, papers, projects, whatever is appropriate given the field of study the professor is involved in, that is a full year job for a majority of professors.

          And this isn't just an issue at big 'research factory' universities. It's that way at pretty much all colleges, and in pretty much all fields. The idea that professors only work during the school year is pretty much a 'common myth.' Shoot, it might even be arguable that in general a profess
        • Note that I was very careful to specify tenured professors. For those who do not have tenure there are more teaching duties, and they have less experience teaching, both of which lead to far more work. Once you have been teaching for a while, you have a good handle on what works, a good drawer full of tests that you used last time (good professors will modify these old tests), and experience on grading tests fairly.

          Of course as a tenured professor you are expected to spend most of your time in research,

      • Well, I don't know where that was, but my father has taught at a liberal arts college in the Northeast for nearly 20 years now, and had tenure for most of that time, and he barely makes $60K. So professor certainly isn't always a job you want to get into for the money...

        Dan Aris

  • Say its just a bug? (Score:2, Informative)

    by djsmiley ( 752149 )
    Weird one this, but I've heard it used when I was at college in the UK....

    Every time a problem came up which the IT staff COULD fix instantly but couldn't be arsed to because we were just "lowly" first-years, they would say "Oh, it's a bug, you will have to work around it".

    And that was it; we could ask if they were planning to fix it, and they would claim they were waiting for a new version of the software. Shame is, in this day and age, people EXPECT bugs, so much so that when one causes a problem, they fin
  • Security policies at the U where I work are set by the Office of the Provost. IT is a part of Division of Academic Affairs and my boss works directly for the Dean of the College of Engineering. Enforcing the University's security policies is easy when they come from that high up.

    His (my boss's) attitude is "we do not support student or faculty administered machines, other than to shut them down when they get compromised. If you want Administrator or root access to your machines, professor, you get to ke
  • by QuietRiot ( 16908 ) <cyrus.80d@org> on Thursday December 16, 2004 @08:55AM (#11103118) Homepage Journal

    Rename Administrator "toor" and create an account "Administrator" with more permissions than they have, but not all.
  • Oh, and did I mention policy?

    If they aren't adhering to a written policy then there should be 'measures' available in the policy you can take.

    If you haven't got a policy - write one.
  • If you maintain the machines, they do not get admin access. Install a lot of useful software on these machines, and be responsive to requests for more software.

    If they maintain the machines, you don't have a copy of the admin password. They get access to your servers (which you back up of course) as a user. If they want their local machine backed up they have to do it themselves. If your normal network monitoring reveals this machine has a problem (often meaning it is running a spam bot), you turn it of

  • ... and Novell lets you add or remove FileScan rights. If they don't have access, take away filescan too, so they don't even see it. Then give them access (and visibility) to only exactly what they need.

    I'm pretty sure there is no equivalent to filescan rights at the server level in NT. There might be a way to do it in *nix, but I don't know off the top of my head what it is.
  • Give me the strength to change the things I can. The courage to accept the things that I cannot. And the wisdom to know the difference.

    There's only so much you can do in a situation like that. Give them the reasonable to semi-reasonable things they want and try to protect them without getting in their way. Most importantly, don't be adversarial with these guys unless someone is a big problem and it is clear to users and staff alike that the person is a problem.
  • by erth64net ( 47842 ) on Thursday December 16, 2004 @09:38AM (#11103643) Homepage
    Sometimes policy overrides politics, but many times that's not the case. If your written policy supports the action, then start slowly locking the systems down.

    Other than the small group who seeks a power-trip or "administrator badge", you'll find that the bulk of those requesting admin/root access to a system are those who feel the need to do something at that level. Maybe it's a broken Win32 app which requires a lot of tweaking to run as a non-administrator, maybe the SysAdmin never set up sudo (properly?). In any case, the user is likely just seeking the access needed to do their job (or what they believe to be their job).

    Start by locking things down slowly. When something breaks, blame it on "a bug" and quietly back off the restriction until you can figure out what/why something happened. Then either determine why/if it's needed, fix it, lock it down, and move on. Make sure your IT group/boss supports this action - they love to play along with things like this, as it gives them more power to do their job, enforce policy, secure/stabilize the systems, and at times to tell those arrogant users (usually in front of their boss) "Computer working great? Good. Oh by the way, that access you said you needed, you haven't had it for three months...". Oh god, I love to be in the room when we do that!

    Interesting thing is, in the business world, the user insisting on the higher-level access is usually having issues elsewhere in their job. I've seen the bulk of employees leave/quit anywhere from a few weeks to a few months after completing this stunt.

    Overall, this technique has worked great for me in public/education environments and still works very well in the business world.
    • Re: (Score:3, Insightful)

      Comment removed based on user account deletion
      • "...The problem is that many of the people who are asking for more administrative control over their own machines do, actually, know what they're doing..."

        False. In both the academic and business worlds many of the folks who insist on this access are sales, customer service, support (business, admin assistants, etc), and administrative (again, business-related) staff whose "...home computer has never crashed...and never had any problems with full access...". In my experience, most of them were never able
        • Comment removed based on user account deletion
          • Bullshit. Frankly, if you were a system administrator working for me, I'd fire you outright right now as, on the basis of what you've said, you're clearly too arrogant and incompetent to do a capable job.

            Ouch, terminating an employee for following company policy - now that's harsh. The fact is, for the two employers I've worked for in the last ten years this has been the standard department attitude and policy. Most users clearly don't and shouldn't need to administer their systems - not only do they usu

  • It's not a short-term solution, and it won't work in research facilities quite as easily, but as you replace desktop PCs, replace them with thin clients. There are many kinds, they use many OSes, they are cheap, easy, and practically bulletproof, and they save you money (once again, in the long run) on licensed application fees.

    I like these ( http://www.sun.com/sunray/sunray170/index.xml ), but any system will do.

    Finally, they return actual control over the desktop to central IT, while preserving the il

  • how do you limit a user's access without making it look like you're limiting their access?

    Start users without dangerous guns they know nothing about.

    Then, if they ask for access, say you'll be happy to provide them with access if they sign this responsibility form you need to keep on file to cover yourself. Load the form up with "I have read and understood my responsibilities", etc.

    You can mumble something about how you need to do this to keep out of trouble after another user asking for access that wasn

  • by bolix ( 201977 ) <bolix AT hotmail DOT com> on Thursday December 16, 2004 @11:03AM (#11104952) Homepage Journal

    Don't blame the users; part of your complaint is poor user education (!). You know it's bad but your users don't. Build and document exactly why you want the user to be secure and why it is a good thing for EVERYONE.

    The following suggested discussion points are in no particular priority:
    1. Have the user sign a document assuming responsibility for any legal liability
    2. Have the user sign a document absolving you/IT/Corporation of any responsibility
    3. Have the user sign off that you're not going to give their non-standard box priority. Custom solutions require expertise and your best fit, economy of scale is to standardize on "bricks" AND not to shit them when Chief Asshat calls
    4. Have the user technically justify their reasons for the request
    5. Have the user sign off that they know and recognise what they are doing is against company policy
    6. Research, document and educate people to the costs behind their actions - emphasize that individual desktop customization/attention is prohibitively expensive. See other bullets for ammunition.
    7. Scale the lockdown. Try Power User. Try stripping rights. Give them a gun with no bullets
    8. Emphasize your expensive security efforts are concentrated at the network level and based on users not shooting themselves (or the company) in the foot
    9. Emphasize that users are their own worst enemy, you're trying to protect them from themselves - the dumbed down modern spyware/viruses use user rights
    10. "Encourage" users with administrative rights to attend a responsibility/learning class/session.
    11. Use what you have put together to educate YOUR management. The pervasive executive buddy system is fiscally irresponsible and leads to spineless management
    12. Go surf the NSA website [nsa.gov]. Lots more info there.
  • Give up. (Score:3, Funny)

    by Neck_of_the_Woods ( 305788 ) on Thursday December 16, 2004 @12:29PM (#11106091) Journal

    Just give up, and fix it when it breaks. Go Back to playing World of Warcraft in the corner cube where no one can see your screen.

    Hate to break you away from the 23rd level warrior.

    --honestly--> Your boss's problem, not yours.

  • Use group policies. There's a wealth of settings you can change to give users very fine-grained control over their machines. That way you allow them to do exactly what they need and no more. Principle of least privilege, dude.
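    One concrete way to act on the least-privilege point in the comment above, as an added example that is not from the original thread: a PowerShell audit that pulls the membership of the local Administrators group from a set of machines and reports every principal that is not on an approved list, so stray admin rights can be found and removed. The host names and the approved principals are constructed placeholders; the built-in local Administrator account (RID 500) is kept regardless of its display name.

    ```powershell
    # Added example, not code from the thread: audit local Administrators group membership
    # against an approved list. Needs PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts)
    # on the targets and PowerShell remoting (WinRM) enabled to reach them.

    # Constructed sample values; replace with real host names and the groups your policy allows.
    $Computers = @('LAB-PC01', 'LAB-PC02')
    $Approved  = @('CAMPUS\Domain Admins', 'CAMPUS\Desktop-Support')

    function Get-UnapprovedLocalAdmins {
        param(
            [string[]]$ComputerName,
            [string[]]$ApprovedPrincipals
        )
        foreach ($pc in $ComputerName) {
            try {
                # Enumerate on the remote host and flatten the SID to a string before it is
                # serialized back to us.
                $members = Invoke-Command -ComputerName $pc -ErrorAction Stop -ScriptBlock {
                    Get-LocalGroupMember -Group 'Administrators' |
                        Select-Object Name, ObjectClass, PrincipalSource,
                                      @{ Name = 'SID'; Expression = { $_.SID.Value } }
                }
            }
            catch {
                Write-Warning "$pc unreachable: $($_.Exception.Message)"
                continue
            }
            foreach ($m in $members) {
                # The built-in local Administrator account always ends in RID 500, even when
                # renamed; everything else has to be on the approved list.
                $isBuiltIn = $m.SID -like '*-500'
                if (-not $isBuiltIn -and ($ApprovedPrincipals -notcontains $m.Name)) {
                    [pscustomobject]@{
                        Computer  = $pc
                        Principal = $m.Name
                        Type      = $m.ObjectClass       # User or Group
                        Source    = $m.PrincipalSource   # Local, ActiveDirectory, ...
                    }
                }
            }
        }
    }

    # Run from an admin workstation; an empty table means every machine matches policy.
    Get-UnapprovedLocalAdmins -ComputerName $Computers -ApprovedPrincipals $Approved |
        Format-Table -AutoSize
    ```

    This is the detection half: it tells you who currently holds local admin on each box and which of those grants fall outside policy. Enforcement is the group-policy side the comment refers to, typically the Restricted Groups setting under Computer Configuration > Policies > Windows Settings > Security Settings, which rewrites the Administrators group membership at every policy refresh and so undoes a grant made by hand.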
  • I'm a sysadmin. I am not the most senior person in the company. While I can suggest levels of security to better safeguard data, if someone more senior than me wants to be an Administrator on their local PC, they're more than welcome. In fact, all my users are automatically set up as Administrator on their local PCs, or else the database app we use doesn't work.

    Where I work, everyone is responsible for the security of the company, and everyone is trusted within their own area of expertise. Occasionally s

  • You lost me when you said they "go weeks without rebooting" as if this was a *bad* thing...
  • If you're getting unreasonable demands then someone needs to back up your reasonable position. You can't do things like let the security lapse to prove a point. If you need a certain level of access control, then maintain it.

    If you receive undue complaints from Professors, it's not your duty to bow to them, but make sure they're known by your (IT) seniors. If you *are* the IT senior, then you've got to deal with the problem by explaining your position. Agree to as many meetings as they want, but don't
  • It's your network, they are the user. Do you have any documentation relating to network access policies? Normal users need very little access to things. The rest is just to make themselves feel important. Once you have everything wide open, it is very difficult to rein it in. Good luck.
  • by macdaddy ( 38372 ) * on Tuesday December 21, 2004 @01:47AM (#11144913) Homepage Journal

    If your employer can't pull their heads out of their asses long enough to comprehend how much security lapses cost them each year then you need to find a better place to work. It's as simple as that. I don't care what the job market is like. Staying in a position like that is tantamount to continuing to work for someone that asks you to do a job knowing you'll have to break the law to do it (not saying that lax security is against the law (perhaps it should be) but I am saying that the effects are of an equivalent degree IMHO).

    That said, security initiatives must be supported from the top down. Your university president must understand the financial hit lax security is to the university. He must support a security initiative and push it down to the provost and deans' council. It must be made absolutely clear through all deans down to the people that work beneath them that there is a university security policy in effect and it will be followed, violation of which will result in reprimand, possible loss of network privileges, and can ultimately result in termination. This is the only way to get the message across. I worked the helpdesk at a fairly large university for 3 years and have seen it all (or pretty damned close). Whenever an employee becomes belligerent you pass the person up the food chain to your supervisor or another full-timer. We full-timers aren't there to take any guff off other bitchy employees (whereas students are much less likely to defend themselves against a verbally abusive professor; students are also much more likely to be walked upon by professors than full-timers). "We don't make the official campus security policy. The university president and his advisors do. We're here to enforce it. Now do you want to pick your password within the established security parameters or would you like me to generate a random one for you?" I can't recall how many times I had to do that or saw it done myself. If you couldn't get through their thick skulls you called your IT department's director who in turn called the provost who in turn called the dean over that professor's department who in turn called that department head who told the professor what for and why not. Let the chain of command fight the battles for you when the combatant is equal to or above you. It might as well be useful for something.

    That university established basic security procedures for changing passwords. It was a mandatory password change every 6 months for faculty/staff and every 12 months for students. If the passwords weren't changed by the well-advertised cut-off day then the accounts were locked. The first couple of times the cut-off date was passed we had lines out the door, across the library and down the stairs. That didn't last for very long though. Sure, people bitched and moaned about the inconvenience for a while but they soon grew accustomed to it. Likewise sharing passwords violated both our security policy and our campus network AUP. Violating that got the user a royal reaming by a sysadm or full-timer.

    I worked for a second university later where I was the netadm. Napster was a big problem for us at that point in time. A handful of users consumed all available inbound bandwidth. Staff weren't excluded. After bringing this to the attention of our dept director a few times I ultimately got the go-ahead to shut off the port of any staffer previously warned about using P2P applications on their office machines. One guy in particular had a very thick skull and I shut him off numerous times. Each time I'd let the director know; he would in turn call that person's super and let them know what the problem was and what was needed to correct it. I'd get a call a while later asking me to enable the switch port because the problem was fixed. Simple as that. The chain of command fixed the problem. All I was, effectively, was a tool, the way it should be.

    What all of this boils down to is that it is possible to get security on your campus. I've seen it done. First and forem
