Update: I realized I forgot to sub in some < and > values for < and >, so just ignore this update if you’ve already read it.
The conversation went something like this:
Female Employee: You said I could log in here with my username, but I can’t.
Me: Ahh, it’s because <so-and-so> left it logged in and locked.
I promptly enter my username and password to force a logout and allow her to login.
Female Employee: Well how did you do that?
Me: I entered my username and password, because I’m the administrator out of that “Only <so-and-so> or an administrator can unlock this computer” part.
Female Employee: Well well well!
My Boss: [after witnessing this] Yeah, why don’t we make it so anyone can do that?
Me: Would you want <so-and-so-other-peon> coming into your office and logging you out forcibly while the tax records for the company were open and unsaved on your computer?
My Boss: Well, no, but sometimes… [noticing the look of disgust on my face] Why is that such a problem?
Me: Because it would require making everyone domain administrators.
My Boss: So why don’t we?
Me: Absolutely not. Don’t even finish that thought, because it’s not going to happen.
At which point he noticed my look of near rage and realized that it was, indeed, not going to happen.
Sometimes you just have to say ‘no’…
With so much security stuff flying around, I didn’t think there were any managers left who thought like that.
Another approach you could have used: “Because it would require making everyone domain administrators, and then anyone could read your files and email”. Not quite true, but a nice enough scare.
Hmm, good advice. I really hate scare tactics (like grc.com’s Shields Up bullshit), so it’s often hard for me to come up with them on my own, even when they may be warranted.
Did I ever mention that he used to sit in meetings and remind people not to use inter-office email because it wasn’t secure? Ok, so that’s not so bad, but honestly, it’s in the company, you’ve got to draw the line somewhere… His example was not to send anything you wouldn’t want me (being the Exchange Administrator) to read. True, but uncalled for.
Being in a small company, I’ve run into my share of these kinds of situations. He used to be the entirety of desktop setup and support, until they got to about 30 people and I showed up. Now that we’re up to about 70 people, it’s still difficult for him to let go. I just have this bad feeling that there’s going to come a day when he’s going to insist on doing something stupid (like the administrators thing) and I’m going to have to throw in the towel.
God knows I don’t want to be around when that shit hits the fan… And you know it will eventually.
Even with all the HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley, etc. etc. stuff as of late, it’s amazing how resistant some people can be to security, most likely simply because it’s a change. In their view, things are hard enough as it is to get done, and anything (ANYTHING) that makes that the slightest bit more difficult or changes it in any way is out. Virus protection and a firewall are an obvious must, but beyond that, security is just something you don’t do… It’s not worth it because you trust everyone in your employ and they wouldn’t do anything to hurt you… Until they do.
It’s really pretty sad that, as humans, sometimes we have to get burned before we’ll learn a lesson. Ah well, back to better times and stories of other peoples’ troubles with security.
Incidently, if anyone reading does happen to have any suggestions about how to convince management security is a must (and I’m talking basic security, like strong passwords, password requirements, locking workstations automatically because people won’t do it when they leave their desks, not outrageous stuff like IPSec on the LAN), I’d love to hear your ideas.
I’d also love to hear how you’ve helped work your users into the plan. Our screensavers lock at 10 minutes (they bitched at 5 until it got changed by… you guessed it, management). Still, people don’t lock their stations when they leave. What can be done about such a minor infraction? Reminding them is obviously not going to do shit… Hey, I’m open to suggestions here. My idea that we cut $20 out of their next paycheck every time someone sees their desk empty and computer unlocked didn’t get too far…
Geez, that’s some quick typing.
If I saw an unlocked, unattended computer, I used to copy the My Documents or home folder to my “secret” share, and delete what they had there. When they came to ask for their documents back, I asked them why they were breaching the Security Policy which they had signed as having read.
They were allowed 3 strikes and they were out.
It took about a month in an office of 120 people, but they soon learned to lock things.
Admittedly I had the support of management, and a pretty free hand when it came to security. Talking nice, and being reasonable just did not work. People are lazy and will take the easy way out each time. I found I had to be “persuasive” (nasty?) for things to work. I was called “Hitler” by the rest of the office staff, but I have thick skin.
Hmm there’s heaps of other BOFH stuff you can do, it just depends on how narky you want to get.
Heh, you bring up another problem. According to HIPAA, by which we are governed, you’re not supposed to store any PHI on local machines; it must all be stored on network servers where it can be secured and monitored, mainly in case your desktop happens to “walk off”. The chances of a server doing so out of the locked server room (another HIPAA point) are somewhat less likely.
So in theory, there should be nothing for me to sabotage when I see such a thing happen. In reality, you know there would be. Still, I could do something obnoxious like changing their background to a skull and crossbones or something, just to get the point across, and to let anyone else who happens to walk by after me see they were caught with their pants down.
In such a small company, where everyone likes to stay as buddy-buddy as possible, it’s difficult to set policies for termination. Small companies have a hard enough time getting quality employees for the somewhat lower pay than a larger shop would offer, so they don’t want to can any of the ones they have managed to con into staying around. That’s why I suggested the financial slap on the hands - we wouldn’t lose anyone (with common sense), yet we’d teach the lesson. Honestly, it’s really the only thing I can come up with that would work.
First time is your warning. Second you lose $5. Third you lose $10. Fourth you lose $20. We can keep going until you actually owe us money each month if you like…
Just think, if something happened because you walked away and we got slapped with a suit for a HIPAA violation, we’re easily talking $200,000, if not $2 million. I think $5 to discourage it in the first place is a much better idea.
In any case, the problem is management. I’m all for doing this. I’d fire someone on the second offense if it were up to me, but it’s not, so I have to work around what I’m allowed to do.
This also brings up another exchange we had during the same conversation above:
Same thing with security. I tried doing what little I could without more equipment or large investments of time. It started with a GPO to force screensaver settings - 5 minutes, password required.
After the uproar over that simple change (which, according to company policy, they were supposed to be doing on their own already), I gave up. They don’t pay me enough to get bitched out for doing the government’s mandates…
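The GPO the comment above describes (screen saver on, password required, 5-minute timeout) is just three or four registry-backed policy values under the user-side Policies hive. The following is an added example, not the poster’s own configuration: it sets those values on an existing GPO with the GroupPolicy module’s Set-GPRegistryValue and includes a small check to run on a workstation after gpupdate to confirm the policy actually took effect. The GPO name, the choice of the blank screen saver, and the 300-second timeout are assumptions; the registry paths and value names are the ones Windows’ own Personalization policies write.

```powershell
# Added example (not from the original post). Requires the GroupPolicy module
# (RSAT or a domain controller) and a GPO that already exists and is linked
# to the users' OU. Run as an account allowed to edit that GPO.
Import-Module GroupPolicy

$GpoName = 'Workstation Lock Policy'   # assumption: substitute your GPO's name
$PolicyKey = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

# These mirror User Configuration > Administrative Templates > Control Panel >
# Personalization. Windows stores all of them as REG_SZ strings, timeout in seconds.
$Settings = [ordered]@{
    'ScreenSaveActive'    = '1'             # Enable screen saver
    'ScreenSaverIsSecure' = '1'             # Password protect the screen saver
    'ScreenSaveTimeOut'   = '300'           # Screen saver timeout: 5 minutes
    'SCRNSAVE.EXE'        = 'scrnsave.scr'  # Force the built-in blank saver (assumption)
}

foreach ($name in $Settings.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $PolicyKey `
        -ValueName $name -Type String -Value $Settings[$name] | Out-Null
}

# Verification, to be run in the user's session on a workstation after
# "gpupdate /force" (or the next logon): reads the applied policy values and
# reports whether an idle machine will actually lock within the required time.
function Test-LockPolicy {
    param([int]$MaxTimeoutSeconds = 300)

    $path = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $p = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if (-not $p) {
        return [pscustomobject]@{ Compliant = $false; Reason = 'No policy values applied' }
    }

    $problems = @()
    if ($p.ScreenSaveActive -ne '1')    { $problems += 'screen saver not enabled' }
    if ($p.ScreenSaverIsSecure -ne '1') { $problems += 'password not required on resume' }
    # A missing or non-numeric timeout must count as a failure, not as zero seconds.
    if ($p.ScreenSaveTimeOut -notmatch '^\d+$') {
        $problems += 'timeout not set'
    } elseif ([int]$p.ScreenSaveTimeOut -gt $MaxTimeoutSeconds) {
        $problems += "timeout is $($p.ScreenSaveTimeOut)s, limit is ${MaxTimeoutSeconds}s"
    }

    [pscustomobject]@{
        Compliant = ($problems.Count -eq 0)
        Reason    = if ($problems) { $problems -join '; ' } else { 'OK' }
    }
}

Test-LockPolicy -MaxTimeoutSeconds 300
```

Because these are User Configuration settings, they only apply to the OU the GPO is linked to and only after the user's next policy refresh; the check above reads the Policies hive rather than the user's own Control Panel\Desktop key precisely so that a user who changed the timeout locally still shows up as non-compliant if the policy has not been applied.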
“…We can keep going until you actually owe us money each month if you like…”
Love it

It seems as though your boss sort of knows what has to be done, yet won’t actually say yes. I don’t envy you there, but it does make for entertaining reading, so I think you should stay there as long as possible to keep us all amused.
Well, fortunately for you, I don’t have any plans to leave any time soon. Sadly, I do enjoy the one-man-show type atmosphere. I’d get very bored very quickly if I only ever did system administration or if I only ever did web development, etc. Here I get to spread myself around touching a little of everything without actually dedicating myself to it for more than a few days.
With a big company, I may get paid better, but I wouldn’t have that kind of flexibility. There also don’t seem to be any small companies around that would be able to justify a full-time systems administrator (at least that don’t already have one), and honestly I imagine it would be very rare to find one that was any different anyway. (I’m also not ready to go with the added stress of contract work, not that there’d be a much larger market for that which didn’t involve mom and dad’s spyware-ridden 98 machine…)
If people enjoy me ranting about the insane antics around here, I may do it more often. I have (sadly) an abundance of material, I just figured no one would give a shit about my work woes.
And I would say that my boss does know what needs to be done. It’s just a problem of 1) spending some money to do it and 2) telling people to shut the hell up when they bitch and whine about it being done. Unfortunately, you can’t run a successful business of more than about 20 employees without having someone to be the bad guy. Personally, I’d love to be the bad guy. I’d love to be the guy that goes around and tells people to shut their pie holes or clean out their desks… But they don’t pay me for that (and I’ve had to tone down the freebies of that because people kept complaining to my boss).