
Administrators Part II

Status
Not open for further replies.

megadan2000

IS-IT--Management
Apr 3, 2003
43
GB
Hi people,

I started a thread about the subject a while ago and got some real good responses.

Link Below


Now this is where part II comes into it.

Just before Christmas I was asked by my boss to give the user Domain Admin rights, even though I strongly disagreed. I still have not, but it is getting to the point now where I'm going to turn round and have a word with my boss. Even though she thinks he's responsible etc., I don't want him to have domain admin control. This compromises all and any security that I have spent so long working on.

The reason he wanted access was that the students were having problems with their printing. This is because the quota was running out. They have a £2.50 balance (10p per page) and, as they were printing out their projects, it was killing their limits. So I said that I would raise it to £15, which should fix the problem. I did, but he still went off to my boss and started complaining. Then she came to me and said give him domain admin rights. I was not going to do this, as it involved remoting into the server and resetting the print balance. So I gave him a shortcut on his desktop for the print server software; he can double-click the icon and reset the balance, which is safe enough, but I still had to give him full access to the system32 dir on the server, which I don't like.

Now he emailed me today asking why he hasn't got domain admin rights and saying that he can't update or install software. I asked him what he's trying to install and have had no reply back.

What can I do as this is really really really starting to tick me off.

Thanks
 
Stay firm.

Ask him to tell you in writing why he needs admin access; then you can easily pull his argument down in writing. This will more than likely deter them straight away.

If you're the sysadmin then you should know about all the software on your network; anything that he wants to install should go by you. I'm assuming this is a school or college by the way you are talking. I've set up a few college networks and always insist that they limit the number of admin users; whenever they ignored me it ended in disaster or expense.
 
The problem is that most users don't understand the importance of the admin account. I bet if you gave them an admin account they would be logged on as it all the time, including browsing the internet and installing all manner of freeware.
 
Porkchopexpress

I have been asked by my boss, that's the thing. No one else in the whole school has a problem apart from him. I am really worried about the end result. I know this is going to end in disaster, but how can I put this forward to them!!!
 
The thing is, the admin account would be his domain user. There would be no way of me knowing what he's doing/installing. Our internet is filtered via a 3rd party, so I cannot see what is going on. Also, he will never call me for support as he tries to fix things himself. The only time I get on his PC is when I need to update something manually. If this was via an MSI then I would never get on his PC.
 
Go to your boss and express your concerns and tell them the technical reasons why it is a terrible idea to have a general user with domain admin access. If you have to, give them a lesson in trojan programs and the recent WMF flaw and explain how this could have totally compromised your network had a domain admin clicked on the wrong link (as simple as that).

What reasons has he given for needing admin access?

Take a look at these links for some ideas


 
You could also point out that you cannot perform your duties as sysadmin when it comes to network security if there are rogue admins on the system; if this is part of your contract or job spec then it would be worth noting, as any serious security issues would bring blame on you.
 
I have been in a similar situation, but perhaps not quite as messy as yours seems to have escalated to. I just downright said NO, and I think that you are correct in sticking to your guns. As an IT manager you are in a privileged position of trust and you are the most technically competent person within a school to decide what goes with your network (or why else are you there?). After all, who will be in the firing line when it does all go wrong?

You cannot possibly control your systems when there is a rogue element on the network, and you have no idea of what is being installed.

More dangerously, though, the vulnerability of data is a real threat from someone without proper training and awareness of what implications some changes have. Can you trust them not to go through confidential files, for example, if they have this level of power?

The time has come for you to get some clarification from higher up, and as others have suggested to get some written justification of why they want it. Ask for a meeting with this person and the head of the college to sort it out once and for all.

Do you have procedures for other things - e.g. requests for new software/hardware and configuration changes ? If so treat his "Request for Admin rights" in the same way and go through a process of justification.

Good Luck

Vicky.

 
Hi people, I have put the following together to express my concerns.

Dear Boss (will be replaced),

Just before Christmas I was asked by you to give User X admin permissions. At the time I strongly disagreed, but as you insisted I carried out what I was asked to do. This issue has been 'bugging' me since I carried it out. The reason for this is that it has compromised all the security that I have ever put in place.

Microsoft state:

An important aspect of your network security is the management of users and groups that have administrative access to the local account database on stand-alone computers and domain member computers, and to the Active Directory® directory service on your domain controllers. There are primarily two kinds of attackers that you should guard against:
• Malicious individuals, who obtain administrative-level access to member servers or domain controllers, could breach the security of your entire network. These individuals might be unauthorized users who have obtained administrative passwords, or legitimate administrators who are coerced or disgruntled.
• Users who are granted administrative access. These individuals might inadvertently cause problems because they fail to understand the ramifications of configuration changes.
Unauthorized or unknowledgeable people who have administrator privileges can maliciously or accidentally damage your organization if they copy or delete confidential data, spread viruses, or disable your network. It is vitally important to properly manage the users and groups that have administrative control over the servers and domain controllers in your network.


Domain admin means much more than just being able to install software on his PC; it is controlling the entire domain. He has been given a shortcut to Active Directory and a shortcut to Print Manager. These two options give him the ability to reset student and staff passwords and reset the print balances on student accounts.

I do not log onto my PC with a domain admin account, as this leaves the system open to attack. As he is logging onto his PC with a domain admin account and installing software, he is putting the system at risk. I do not know what software is installed on his PC, but I strongly believe that if the other 90 members of staff are able to use the system without special privileges then the system is more than capable of suiting his needs.

This has not just sprung from one incident; there has been a series of recurrences that I have encountered, which you might or might not be aware of.

One which I'm not sure you are aware of was that recently he installed a DVD writer and software on his PC. I was there to install an update and I found that he had opened his computer and installed the drive without letting me know. May I add that opening the machine will invalidate its warranty. When I asked him about it he was adamant that it was his machine, he has admin rights and he should be allowed to do it. I explained further that giving him local admin rights did not give him the right to go and open PCs and install pieces of hardware as he feels like.

This completely circumvents the system whereby, if a user has a problem, he should seek advice rather than have a go himself. I am not saying that he is not capable, but by not using an anti-static wristband he could have taken out the memory modules or other parts in the PC.

I know User X is a trustworthy person and he wouldn't do anything to bring the system down, but in most cases now the user does not have to do anything, as there are Trojans, spyware, viruses, and the list goes on. I have never said no to any request that he has asked for. As Network Manager it is my responsibility; if he unknowingly makes a mistake, who stands in the firing line? It will still be left to me to clear up the mess. If he unknowingly brings down the system, the whole school will suffer as a consequence.
 
Personally I'd threaten to leave, as they obviously don't respect your authority and position.
 
Are you based in the UK? If so, you should be able to get a list of best practices from your LEA.
 
Wow, there is a lot of technical stuff in there. I know that my boss wouldn't understand it; is he fairly clued up? You might run the risk that he does not read it if he cannot understand it.

Ask what will push your boss's buttons and stick with that. For me it would be:
1. almost guaranteed disruption to service.
2. Illegality of the school as software is not properly controlled.
3. Potential for data theft.

Vicky.
 
Pancake

I don't think that I've gone too technical in there for my boss to understand. She is pretty OK with most things as long as I explain them to her.

Nsantin

I've only been here under a year plus I really enjoy the job other than this person.

Porkchopexpress

We do not have an LEA as it is a private school!

Any other suggestions are welcome plus if you want to re-word the letter then you are also welcome.
 
I think that Nsantin was trying to emphasise how important an issue this is, to your professional integrity as well as for the good of the school.

The only other thing that I can suggest is that you go and talk informally to your boss and let her know how this one issue is affecting you. If she is a good boss then she will back you all the way.

How about printing out the comments that we all have made and show her them in the first instance.

Either way I think you will have to go and face it one way or another. Good Luck.
 
Create a new user and assign that as the domain admin, THEN change the original account's rights to remove domain tasks, i.e. adding workstations, changing permissions etc., then give him the access he wants.

Now he is already a local admin so can do anything he wants locally already, but this will make him think he has the access he wanted. Now when he says "I can't access the Confidential Wages File on the network" or "Why can't I alter the email settings so I get a copy of all the Head Teacher's mail?" you can go back to your boss and ask "so that is why he should have access?"

Or if the user tries nothing funny then problem solved!

Good Luck,
Iain
 
I am a network manager at a school in Somerset where traditionally everyone and his dog had some form of admin access - yeah, completely crazy!!!
I rolled out a whole-school 2003 network - the only person that has admin rights is me, not even the technicians!!
This caused a lot of fluster, as you can imagine.
If your school is based in the UK, YOU have a responsibility under the Data Protection Act to secure the integrity of the data on the network.
Under no circumstances should a novice/user be given any form of admin rights.
Make the idiot a 'print operator' under software like 'Print Manager Plus'; these rights are more than sufficient.
Do you have a 'user policy' in place which all staff must sign?
He is a 'tweaker', the most dangerous kind of user, as when things go tits up, and they will, chances are he won't tell you - but you'll have to sort it out!!
Unfortunately, especially in schools, there is a 'home user' mentality: 'at home I just bung in the disk, load it up and use it in 5 minutes', etc.
You are dealing with ignorance; further, I am surprised that your boss is soooooooo weak - I would hope, judging by her actions, she's not a tech?
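A worked version of the two suggestions above, Iain's (strip the domain-level rights while he keeps local admin on his own PC) and the Somerset post's (make him a print operator instead), as an added example that is not part of any post in this thread. It assumes the ActiveDirectory PowerShell module from a current RSAT on a domain-joined admin workstation (not the 2003-era tooling the thread was written against), and the account name userx is a placeholder standing in for "User X".

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT)
# and a placeholder account 'userx' standing in for the thread's "User X".
Import-Module ActiveDirectory

function Get-EffectiveGroups {
    # Every group the account reaches, directly or through nesting. Uses the
    # LDAP_MATCHING_RULE_IN_CHAIN filter (OID 1.2.840.113556.1.4.1941) so a
    # Domain Admins membership hidden behind a nested group is not missed.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $dn = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
        Select-Object -ExpandProperty Name
}

$User = 'userx'   # placeholder account name

$before = Get-EffectiveGroups $User
"Before: $User reaches -> $($before -join ', ')"

# 1. Remove the domain-wide grant.
if ($before -contains 'Domain Admins') {
    Remove-ADGroupMember -Identity 'Domain Admins' -Members $User -Confirm:$false
}

# 2. Grant only what the stated task needs: managing print queues. The built-in
#    Print Operators group is the narrowest built-in fit for that task.
Add-ADGroupMember -Identity 'Print Operators' -Members $User

# 3. Verify, and fail loudly if any nesting path still leads to Domain Admins.
$after = Get-EffectiveGroups $User
if ($after -contains 'Domain Admins') {
    throw "$User still reaches Domain Admins via nesting: $($after -join ', ')"
}
"After:  $User reaches -> $($after -join ', ')"
```

Two caveats a practitioner would want with this. The before/after check uses the transitive (nested) membership deliberately, because a direct `Remove-ADGroupMember` on Domain Admins is not enough if the account reaches it through another group. And Print Operators is still a privileged built-in group (its members can log on locally to domain controllers and install printer drivers), so keep the print server off the domain controllers; if the print-accounting software has its own operator role, as the post suggests, that role or a local group on the print server with only Manage Printers permission is narrower still.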
 
Ask your boss to define your duties. If she doesn't mention data/network security/stability, then ask her. If she agrees that it's also part of your duties, then tell her that in order for you to successfully do your job you must not comply with this person's request. Explain to her that the minute you give this security right, you have pretty much lost control of the above-mentioned duties. It can take as little as a few seconds after this person logs in to create chaos, but take you a while to fix everything. Is your boss willing to take the blame for the downtime and pay you the overtime to fix everything?
 