Trusting your admins

Every so often I see or hear from environments where the top level executives demand absolute privacy. They don't want the SysAdmins to have any access into their data. This can happen in tiny little shoe-string-IT non-profits and large companies.

In short, they don't trust the people they've given the keys to the kingdom to behave ethically. I can understand this in the shoe-string-IT non-profit where the SysAdmin is most likely a volunteer. But in larger corporations where the SysAdmin is a paid position? I don't buy that.

In Microsoft-land, 'Administrator' is very similar to 'root' in Unix-land in that they can get anywhere. Novell allowed locking out Admin, but Microsoft and Unix don't. Admin/root can always get places if they really want to. Achieving that kind of lockout in a Microsoft environment generally requires a completely separate authentication/administration domain.

You need to trust your system administrators. If you don't trust them to not poke their nose into things that are not directly business related, then you need new system administrators. Professional ethics say that I don't go perusing through confidential budget deliberation documents so I can get advanced notice of impending budget cuts so I can start spending my budget now. Or digging in my boss's email to figure out who is being considered for layoff lists. That's BOFH stuff, and we don't do that for a reason.

If Management finds out that they have a SysAdmin who has been doing that kind of thing, they are perfectly within their rights to fire their ass. For cause. They will not get an office 'farewell' party.

One of the harder things for newer sysadmins to grasp is the concept of, "Just because you may be allowed to see information, does not imply you are permitted to." Yes, I read other people's email, but only when troubleshooting specific problems or I've been invited in.

And yet... sensitive information leakage from a company comes from privileged users more than it does from normal users, in large part because the privileged users have access to more company data. It makes some sense to firewall off certain documents from your regular IT staff.

This can still be handled with correct IT rights structures. You shouldn't have umpteen people in Domain Admins, ideally you should have the absolutely trusted few in there, and everyone else granted rights to their specific areas. We've built tools that allow proxying specific Domain Admin tasks to people who aren't in Domain Admins, just so we can keep that membership low. There are three of us who can get anywhere in the Microsoft environment, and a slightly larger list of people who can get to any file in the Microsoft environment (that list includes the Domain Admins and a few mid-level managers in the Desktop organization). It's hard to do out of the box, which is one of the weaknesses of AD/Windows.

Lazy IT is what allows every person who needs to join computers to the domain to be put into Domain Admins. Lazy IT is what grants helpdesk technicians unrestricted access into every mailbox. Lazy IT is a major information security threat. Lazy IT is what drives CxOs to want to firewall themselves from IT for privacy reasons.
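The two preceding paragraphs make a concrete claim: the built-in privileged groups should hold only the absolutely trusted few, and everyone else should get rights to their specific areas. One way to keep yourself honest about that is to audit the membership regularly. The script below is an added example, not code from the original post or from the tools the author mentions. It assumes the RSAT ActiveDirectory PowerShell module is installed and that the caller can read the domain; the group list, the 3-member limit and the 90-day staleness window are assumptions you would set to your own policy.

```powershell
# Added example (not from the original post): report the membership of the
# built-in privileged groups and flag when a group has grown past the
# "absolutely trusted few". Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-PrivilegedGroupReport {
    param(
        # Assumed defaults: the groups that can "get anywhere" in an AD forest
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
        # The post describes three people with full access; treat more as a finding
        [int]$MaxMembers = 3,
        # Members who have not logged on in this many days are removal candidates
        [int]$StaleDays = 90
    )

    foreach ($g in $Groups) {
        # -Recursive expands nested groups, so indirect members are counted too;
        # keep only user objects (nested groups and computers are expanded/ignored)
        $members = Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' }

        $users = foreach ($m in $members) {
            Get-ADUser -Identity $m.DistinguishedName -Properties LastLogonDate, Enabled
        }
        $users = @($users)

        $stale = $users | Where-Object {
            -not $_.Enabled -or $null -eq $_.LastLogonDate -or
            $_.LastLogonDate -lt (Get-Date).AddDays(-$StaleDays)
        }

        [pscustomobject]@{
            Group        = $g
            MemberCount  = $users.Count
            OverLimit    = $users.Count -gt $MaxMembers
            Members      = ($users.SamAccountName) -join ', '
            StaleMembers = ($stale.SamAccountName) -join ', '
        }
    }
}

# Print the report; anything with OverLimit = True or a non-empty StaleMembers
# column is a conversation to have, not an automatic change.
Get-PrivilegedGroupReport | Format-Table -AutoSize
```

The report is deliberately read-only: membership changes to these groups should be a deliberate, reviewed act. The domain-join case from the paragraph above is the classic delegation that keeps people out of Domain Admins in the first place: grant a dedicated helpdesk group Create Child rights for computer objects on the workstation OU (for example `dsacls "OU=Workstations,DC=corp,DC=example" /I:T /G "CORP\Helpdesk-Joiners:CC;computer"`, where the OU and group names are placeholders), and let the audit above confirm that Domain Admins stays at the trusted few.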

Don't be Lazy IT. Have professional ethics, and ensure the sysadmins you hire also have them.