
Thread: Administrator's Responsibilities

  1. #11
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Dino: Allow me to re-phrase......

    Don't worry, you _are_ a fine admin....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  2. #12
    Senior Member
    Join Date
    Mar 2004
    Posts
    171
    Tiger Shark:

    It was a poor example but I was trying to make the point of "When is it the user's fault"? Clearly the IAD was in my area of responsibility. But when someone denies common sense, ignores a posted sign, I feel that person should be held responsible for it. Clearly it would have been best if the IAD was in a different, secure location, or if the maintenance guy didn't have a key to the room. But that isn't possible. Neither choice was mine, so why should I take the blame for his action?

    With the 12th grader from that other post, had he been instructed not to use the command line? If not, clearly the admin is at fault... but if he had....?

    With the database app I had the crash with, I did unplug the workstation from the switch when I ran the next update (water under the bridge etc...). But my point on that is SHOULD I have to? I clearly did not want to have problems with a main application, I took what I consider very reasonable steps to prevent a problem. Should not the user who 1) ignored the sign, 2) ignored the instructions sent via email, 3) who reconnected a machine he had no business touching, and 4) logged in after being told not to, have to take the blame for his/her actions?

    I am not a "kid". I have been doing this as long as Dino has, and like all network admins, I have had my share of mistakes, blonde moments, and just plain... damn... I just screwed the pooch. I too have overlooked possible problems, security risks and other actions, because it didn't occur to me that a user could be that stupid, or I underestimated someone's abilities. I have no problem taking blame for my action, shortcomings or lack of knowledge, just the unreasonable and stupid actions of others.

    "Therefore, any administrator who allows anything to occur on his network that he didn't want to have happen has no-one to blame but himself." If you look at your own network, and think about the possibilities of someone either through stupidity or intent to harm it, would you really want to take the blame for all those actions?

    Either way, the example I gave was a poor one, and the last thing I wanted to do was start either a flame war, or set a bad impression of myself my first day on AO. I disagree with your statement, until you add the words, "within reason" to it.
    ~ I'm NOT insane! I've just been in a bad mood for the last 30 years! ~ Some people are like Slinky's: Not good for anything, but the thought of pushing them down the stairs brings a smile to your face!

  3. #13
    Senior Member
    Join Date
    Mar 2004
    Posts
    171
    oh and Tiger Shark?

    >>I had a major database app......

    >Had you been smarter you would have unplugged the cable from the switch _not_ the user's computer. You prove my point really, don't you?

    >>The company owner proceeded to tell me it was my fault.

    >He was right..... See above

    Actually no he was wrong, and so are you. The user in question is 28 years old. He is an adult, working in a place of business. His actions were directly opposite of the Acceptable use policy he himself signed when he joined the company. And once the owner calmed down, and found out that a week later he tried to log in again (ignoring the warnings and signs and etc) he was fired. Do you really believe that no user should be held to blame for his/her actions within the networking environment?

    >>Kiss my fuzzy oversized butt.

    this was meant to add a bit of humor to the post.....

    >"Oversized"...... Maybe we sat on it too long during your 18 months..... You could have your network locked down by now.......

    If in your own personal judgement, you feel that you could have and can do better with this staff, the equipment, no budget to speak of, and work environment here, you are welcome to come here and put your money where your mouth is. I am one person, dealing with 4 NOS platforms on 3 different networks within this building alone, 7 servers and over a hundred workstations, 150 employees running 24/7. Not to mention the specialized CAM and manufacturing areas. That comment was just as cheap as what the school admin did to the 12th grader.
    ~ I'm NOT insane! I've just been in a bad mood for the last 30 years! ~ Some people are like Slinky's: Not good for anything, but the thought of pushing them down the stairs brings a smile to your face!

  4. #14
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    MrCoffee:

    First I'll say that when you start a message with "that's a crock" it's kinda difficult to see the humor in "Kiss my ass"..... Don't you think????

    To address your concern that people break your written policies and do things you don't like. You always have two choices:-

    1. Physically secure your assets
    2. Administratively secure your assets.

    In both the cases you cited you administratively secured them when they could have been physically secured. An administratively secured asset is akin to a restraining order on a crazed murderer. It does _nothing_ to prevent the act except tell the person(s) that it is naughty!!!

    Had you had a lock installed that the maintenance man does not have the key to and had you removed the connection at the switch, (which should be physically secured also), then neither of these situations would have been possible.

    Firing the chap after the damage is done is nothing more than "closing the stable door after the horse has bolted". Having said that I am fully aware that I am not perfect and also that there are situations where there are no technical solutions to certain administrative problems. Example: User A must have unfettered access to the internet in order to carry out his job functions but he also spends six hours a day surfing porn in full view of his co-workers. You can't remove all the porn, (tried it.....), and you can't cut his internet access. There is no viable technical solution to this problem so an administrative solution has to be sought. Ok. we'll schedule a report of his daily activity and have it sent directly to his administrator every night. If he screws up we fire him.....

    Do I believe that "no user should be held accountable for his actions"? Of course not! But we both know, (both of us through experience), that a restraining order, (which is what a policy is), isn't worth the paper it is printed on if the user doesn't want to obey it. Therefore, whenever you are presented with an issue your first research should be to find the technical solution not just any old solution. Administrative solutions are your _final_ resort.

    I work for a non-profit so I don't know what dollars are! I have some 30 fileservers and 350 workstations that I am directly responsible for in eight locations in three counties. In addition I am, to all intents and purposes, the internet service provider for 4 sister organizations which adds another 300 workstations and servers in another seven locations. All locations are connected by T1 so I have some 650 assets on a single WAN across three counties. I am solely responsible for the security of all those assets yet I have administrative control over only about half. I support access from the internet, (VPN), to some 50 remote workers in addition who move from contractor location to contractor location at will. I have staff, 5 of them at varying levels of technical ability but it is still a daily grind to accomplish normal maintenance let alone be "flashy".

    So, my wiener is bigger than yours........ (Humor detector on please..... )
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #15
    Senior Member
    Join Date
    Mar 2004
    Posts
    171
    Tiger Shark:

    Clearly it is a difference of opinion, between you and I, but the result we would like to see is the same. Your network is a great deal larger than mine, with its own challenges, no doubt.

    The maintenance guy BY LAW had to have access to my IAD. He is in charge of the electrical equipment, and is required to have access, by VT law. Administrative steps were to explain to him what the IAD was, and why it needed to be apart from the other equipment, and explain why it wasn't to be touched. I asked the powers that be to move it and the power to my secured server room, but it was not worth the $$$ to them. I guess in this case, my failure as an admin was not being able to justify the cost before the problem.

    In the case with the employee that was canned for trying to log in during the next update, he got what he deserved. He wasn't fired for causing the first crash, but for repeating the same exact behavior a second time. After being warned. In the case with your guy surfing the porn sites, if you have set policy, warned him, and told him straight out that he is not to do it, or he will be fired, and he does it again anyways, then he should be fired. Period.

    When you can not solve a problem technically, you must resort to administrative solutions, but those too will fail, if you 1) do not have the management, or administrative authority to take actions or to enforce policy, and 2) if those who do have the authority choose not to use it, or will not take action to prevent the problems. (i.e. not allowing me to secure the IAD).

    For me, I stop taking the blame when people openly disregard the instructions, policy, and proposals I have given. I had to beg and plead for several months with the management here, to replace an aging and flaky backup drive on our accounting network, and I was turned down until the server's hard disk died and they lost several weeks worth of work. THEN and ONLY then was I allowed to install a new drive. Stupid, yes, but since there never HAD been a problem with THAT server, why worry about it? I guess the case could be made that I should have found a creative solution to backing up the server to another system or something, but if memory serves, that same week I was trying to track down an intermittent failure on a section of cable in the production area, and ended up replacing a couple hundred feet of cable that the acid fuses had eaten the cabling because the former admin here hadn't bothered to run the cabling through the protective piping. And I was also trying to find out why one section of 10base2 cabling was completely dead in programming.

    I guess the point I am trying to make, is we as administrators can only prevent issues which we have some degree of control over. While there are assets on my network which I am responsible for, I have no real say how they are used, or in some cases abused, due to management of this company. Case in point. I had a network server that was running really low on drive space. On that drive I found a user directory filled with about 12 gigs of porn. This user is one of the original owners of this company and insists on having full administrative rights on the entire network. So he can adjust his quotas, hide and protect folders on the servers at will. I have asked him to remove the files, and he wouldn't. I couldn't get permission to buy the additional storage, so all I can do is move other files to other locations. This kind of thing is where the "within reason" comes into play. I am clearly responsible for the network storage, but have no authority to enforce policy. So when the server ran out of storage, and the users got errors, I steadfastly refused to take the blame for it. The best I was able to come up with in this case was to bring in a 40Gig I had at home, install it into the user's machine, and moved his stuff there. Had I ignored the quotas, and let the machine fill up without ever checking it, until it ran out of storage, then yes it would have been my fault, and the blame placed on me.

    Either way Tiger, I believe because of our different network environments, and different personalities, we are not going to agree on this subject. I read your central logging paper late last night, and I am going to read it again today. Clearly from the text you have a much higher security and admin skill set than I do. But I can say without a doubt, that if I can get approval to put some of the info in the paper into action here, it is going to save me a butt load of work...

    Cheers!
    ~ I'm NOT insane! I've just been in a bad mood for the last 30 years! ~ Some people are like Slinky's: Not good for anything, but the thought of pushing them down the stairs brings a smile to your face!

  6. #16
    Senior Member
    Join Date
    Mar 2004
    Posts
    171
    Tiger Shark:

    >So, my wiener is bigger than yours........ (Humor detector on please..... )

    Yup, maybe... but then again, I can lick my eyebrows...
    ~ I'm NOT insane! I've just been in a bad mood for the last 30 years! ~ Some people are like Slinky's: Not good for anything, but the thought of pushing them down the stairs brings a smile to your face!

  7. #17
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    Tiger Shark usually you have good points, this time you are wrong. It seems that you are forgetting that there are two types of security measures put in place on local systems, the measures that are enforced by computer policies that block your access and those enforced by pink slips. Example, we don't allow viewing of offensive sites at work, sure we have a proxy that blocks the sites, but it won't catch all of them, if you find a site that is open it doesn't mean that you are allowed to view it and you will be terminated. If a school says that you are not allowed to do x and you find out that it isn't actively blocked don't go and do x (or if you do accept your punishment without too much whining please.)
    Who is more trustworthy than all of the gurus or Buddhas?

  8. #18
    AO Guinness Monster MURACU's Avatar
    Join Date
    Jan 2004
    Location
    paris
    Posts
    1,003
    MrCoffee.
    I can see why you might be frustrated. In the type of situations you describe I make sure that all my suggestions are sent by e-mail with more than one person in copy. In my experience the problem in a lot of cases is how you are able to present the information. For the disk space for example I would run a little audit on the different types of files on the disk and how much space is used by each type. Then I would present the information in a nice little pie chart in Excel for example. Explaining that it is much more cost effective to have a proactive network administration than a reactive one.
    This type of action might make the management take a bit more notice then again it might not. In the worst case when the sh*t does hit the fan you can always say that they were warned of the dangers.
    Obviously this is a very simplified view on things. If the management really doesn't want to listen they won't.
    What it comes down to is an admin is always responsible for his mistakes, sometimes responsible for the mistakes of others but should not, as in Sephir0th's case, give false information to justify his mistakes.

    edit Maestr0 your post came in just as I was finishing mine and I am totally in agreement with you. If you expect all your end users to be mature, sensible adults then you are just asking for it.
    "America is the only country that went from barbarism to decadence without civilization in between."
    "The reason we are so pleased to find other people's secrets is that it distracts public attention from our own."
    Oscar Wilde (1854-1900)

  9. #19
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    I think the point Tiger is trying to make is that what a user is (or more often is not) allowed to do should be defined in an AUP (Acceptable Use Policy) which would be the administrative equivalent of a security policy, however if you rely on common sense and administrative policy to govern users' behavior you are in for a good corn holing with no vaseline, so here is where we decide to implement other forms of access control and security measures to ensure our network operates smoothly. If the system administrator does not have a policy enforced by either management or the network itself (hopefully you have both) then you have no one to blame but yourself when something goes horribly awry (as it will). Will users actively and maliciously try to circumvent policies put in place by management and/or the network? Of course they will, and they should be held responsible for any transgressions of these policies when these policies have been explained and laid out clearly for the user. Will users do something inconceivably stupid or bizarre out of ignorance or even just curiosity? You bet your ass they will, and although I would like to be able to hold people responsible for ignorance I have not had much success so far. Of course it is impossible to foresee every action an ignorant or deranged user might perform (alas, not for want of effort), so there will be cases when someone sets a precedent for a new policy (administrative or otherwise) to be put in place to prevent such problems in the future, it is at this point the admin must accept it and move on, and not cry about how some kid destroyed his network with a net send (which we all know is total horseshit anyway) to cover up the fact he had no idea someone was going to do this sort of thing.

    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  10. #20
    Senior Member
    Join Date
    Mar 2004
    Posts
    171
    One of the things that Tiger Shark and other posts have made me think about differently, is now looking at my net, I look at the assets and think, ok, now how can I (meaning end user) mess this up. While I did this to some extent before, I hadn't approached it from a point of view of circumventing the protection/measures I had in place. Now I look at it and say, are there steps I should take? If there are measures I can take to improve the security/operation, and I can do it within the limits of my authorization, I will do them. If I don't, then any failure is my own fault.

    Muracu: You're right, and as a rule I document everything. In scientific circles, if you don't document it, it didn't happen, is a rule of thumb. In my case it is more simple than that. I have so many different projects and problems going on at the same time, that I document everything in order to remember exactly what changes I have made and when and why. In the case with the drive space, I had the graphs and reports all ready, and I even showed the Managing members on a 27" monitor in the conference room the Win2k drive properties pie chart. You know the saying... you can lead a horse to water but ya can't make him drink.

    Maestro: You're right, and AUP is very important. My point was more that unless the Network Admin has the authority to enforce that policy, you end up in deep sh*t every time. I may be foolish (which is most likely the case) but I believe I am in a business environment, and expect people to behave like professionals. It is also amazing how intelligent, well trained professionals can do truly stupid things when placed in front of a PC. If a user doesn't know any better, and makes a mistake that causes a network issue, that is one thing. In one case, I had an employee delete a folder on one of my servers because in my haste, I added her (instead of the user name above her in the list) to have permission. Clearly it was my own fault. If however you are an adult working for a company, you have had the AUP explained to you and you sign it, you ignore the Network Admin's instructions, and you cause a networkwide problem, then it is time for you to find different employment. IMHO, there is an expected level of professionalism, a level of assumed (bad choice of words but.....) behavior when someone is given both a job and AUP that they should follow it. PERIOD.

    If I got up now, and walked down into the cleanroom downstairs, ignored the sign on the wall, didn't bother to put on the lab coat, the hairnet, and use the compressed air to blow the lint and dust off my clothing, and as a result, a complex product we were making was damaged, whose responsibility is it? The manager of the Imaging department, or mine for not following clear policy? Mine of course. Same for those network users. They have clear written and verbal instructions, and if they chose to ignore both, why should the network admin be held responsible for that?
    ~ I'm NOT insane! I've just been in a bad mood for the last 30 years! ~ Some people are like Slinky's: Not good for anything, but the thought of pushing them down the stairs brings a smile to your face!
