Many sysadmins report directly to people who do not have a technical background. Reporting to someone without a technical background can be problematic. For example: As some of you may have found, some managers see the membership of security groups as a status symbol. They figure that if the sysadmin who reports to them is a member of an important sounding group (such as the Enterprise Admins group), that they as the sysadmin’s manager should also be a member of that group. Administrators with patience and excellent communications skills might be able to explain to the manager why they should not be a member of such a group. Unfortunately, some of us, when broaching the topic of security risks come up against the philosophy:
“I could never be a security risk, I know what I’m doing, so I don’t see why I shouldn’t be a member of this important group.”
As a favor to his wife, a manager who held to such a philosophy used to bring his 13-year-old son and 9-year-old daughter in to the office with him on Saturday mornings. The manager’s 9-year-old daughter was not a problem, she would curl up on the couch and read whilst her father worked. The 13-year-old son was a different kettle of fish.
It is common knowledge that during non-working hours many IT support teams like to play LAN games such as Valve’s Counter-Strike. This IT support crew was no different and manager allowed his team to play games during off hours as his way of encouraging his team to bond. The IT support team’s computers were a generation ahead of the dated computer the manager’s family had at home and ran Counter-Strike a whole lot better. Whilst the daughter read, the manager would log his son on using his own user account at one of the IT team’s workstations.
This was the same user account that the manager had demanded be added to the Enterprise Admins security group.
Although on most Saturday mornings this was enough to ensure that the manager could get on with whatever work he was spending his Saturday morning doing, on one particular Saturday morning the excrement encountered the rotary cooling device. Rather than play Counter-Strike, the 13-year-old son decided to explore the contents of the workstation’s Administrative Tools menu.
The problems became apparent the following Monday morning. To understand the nature of problems, you need to think like a bored 13-year-old boy. If, when you put yourself in that mindset, you consider excessively using expletives to be the epitome of wit, you can probably predict the sorts of things that happened. Problems included, but were not limited to:
Creatively renaming user accounts so that they included expletives
Resetting user account passwords to expletives
Adding security groups with names that contained expletives
Giving Organizational Units names that were more expletive oriented
Adding descriptions to random user accounts that included expletives
Renaming existing security group names so that they now included expletives.
In the end, the manager was not fired, but he did ask the IT support team if they could remove his user account from the Enterprise Admins group.