Article in the works: trusting your administrators

At TechEd US this year Jesper and I noted a new worry many of you were having: trusting your administrators. Or, more accurately it seems, an inability to trust your administrators. This is troubling, since these are the people who have unfettered access to pretty much everything in your network. Seems that it's time for an article on the topic, so look for it in the upcoming July security newsletter.

Speaking of articles: if you've got ideas about something you'd like to see in an article, please let me know! While I'm full of opinions, I want to make sure I'm giving you the information you need. Drop me a note with topics that interest you. Thanks!

Existing stuff:
Security Management columns
Security newsletter for IT pros
What's new on TechNet about security

Published 16 June 05 03:36 by Steve Riley

Comments

# Xi Wang said on June 21, 2005 7:56 PM:
I really agree with this article.
I have encountered this issue many times.

I hope there is a real good article about this.
Do not use EFS, which is too complex for users. Do not rely on delegate control only!
Many customers think it is complex.

Thanks.
# Hao Hu said on June 23, 2005 6:47 AM:
I think most bosses just don't want admins to visit their files.
Never let admin complex. ^_^
If there were some way to encrypt these files through a third party (I mean not by the admin, e.g. Passport or InfoCard) that is easy to use, maybe that could resolve this problem.
# mhass said on July 11, 2005 2:59 PM:
As a consultant for big telcos, I come across this all the time. Telcos, like many other businesses, are big enough that their web properties and internal properties are not managed by a single group. It is a mixture of business unit admins, OS admins, hardware admins, operations admins, etc. Throw in a network guy or two for good measure, and what a mess. None of them trust each other.

We usually find a happy medium to set up group rights/permissions to have each group get their job done. But the thing that I see more than anything is that they use a single user to log in everyone in their group (e.g. Bob, Bill and Steve all use the OpsAdmin account to log in).

** EVERYONE NEEDS THEIR OWN ACCOUNT ** This is the first step in developing "trust" when you can hold individuals accountable for good and bad things.

BTW, nice to see your blog Steve.
# Bruce McNeill said on July 16, 2005 1:14 AM:
Very interesting and thought-provoking article, Steve. As I said in my brief comments when rating the article itself:
Isn't the "loyalty" you espouse and exalt so highly throughout the article necessarily a two-way street (or even a two-edged sword, to use a different analogy)? One possible way to address this point might be to make every System Administrator position in the country (despite some states' employment law, e.g., mine - Virginia's "right to work" law) backed by a strictly constructed industry standard contract. This might go a long way towards making the SysAdmins earn and deserve the respect of management, as well as making that position "immune" from the increasingly arbitrary and capricious terminations by these same distrustful managers!! Thanks for letting me vent a little...
# No Loyalty said on July 17, 2005 10:38 PM:
I echo the comments of Bruce McNeill.

Corporate culture everywhere pines for the loyalty and commitment of the old days while ignoring the facts that: a) they display none; b) in the old days most companies returned loyalty. Staff used to be viewed as more than operating costs.

Many IT staff now call for Unions citing the same abuses that labour and all other sectors report.

What do companies want for nothing? Most people understand companies go south; but in that case human resources should be the last to go and after that lay off across the board from the mail room to the board room.

You might regain loyalty that way; especially if you didn't waste half your money in the first place.

They might further consider their own productivity, their own byword: Get rid of 90% of non-productive middle management no matter what they are named. This is per capita where the most operating capital and GNP bleeds out for the least return. Business continues in spite of these people, not because of them.

One last thought: Considering the plethora of creative management titles and staff, why don't they do their own admin instead of dumping it on people that have work to do? That's why they're there, supposedly.
# emro said on July 18, 2005 4:40 AM:
Most admins can be trusted. I find that there is a general suspicion by people with a lack of IT knowledge, which includes top-level management and every Tom, Dick and Harry in the company. I am not surprised that there was no-one in your auditorium who raised their hands, as a good and trustworthy administrator needs to prove and prove him/herself continuously. One constantly needs to fight this general, dark suspicion of all things IT.
People tend to think we have nothing better to do than sit and spy on them.
Admins do not have the time to read other people's data or emails, nor the inclination. One sees enough of other people's (boring) data while assisting them. I'd far rather read Security or other IT-related e-zines and update myself regularly than read their emails, if and when I do find the time.
An article like this, while valuable, is just adding fuel to the fire, and causing all the good admins out there to feel like a huge pimple.