Personal server admin question

Status
Not open for further replies.

rparsons1000

Technical User
May 19, 2005
20
US
I just landed a pretty cool job a month ago where I am officially primary server admin for about 50 servers. I am very good at what I do but beings how this is my first official role I have a question for you all.

When I build a new server I keep any unnecessary software off of them, especially DC's to reduce possible issues. My supervisor insists that I put something similar to PC Anywhere on them, even DC's just because there is a feature on the host that allows for clicking an icon and it polls the servers. This is good for him because he can tell whether servers are running. Also, everyone even uses the program to remote to servers (2003 servers). I've pretty much been told to install it but I think that using ping or What's up Gold and Remote desktop would be much better. I am the one who will have to fix the computer and diagnose if something goes wrong.

Furthermore, this supervisor thinks that all Domain Admins should log into a server using the Domain Administrator account for the mere reason no additional profiles are created thereby using up disk space. I tend to think it's good to know who is doing what if ever needed. I mean even PC support personnel have the Domain Admin Account password.

I hope you all don't mind me posting this here. I'm just frustrated and am near quitting. So my question, am I being too anal or is it somewhat standard to keep unnecessary programs off DC's, keep admins down to a minimum, and log in with your own logon account?
 
I would suggest you talk with your boss, and bring up some of your concerns. It sounds to me like your boss already has his mind made up, so it will be some rough going, but you cannot cave in to the demands if you know you are correct.
I would find some documentation that supports your stance. Having something in black and white can be a great supporter of your cause. Such as:


One thing I must recommend, and this is your call, give a class on network security. Maybe show case files of issues created by too many people with domain admin rights, unneeded software vulnerabilities, and ways to do the same function in a more controlled environment (scripts, RDC, and other "trusted" programs).
As far as the software issue, you could always Google for "bad stuff" concerning the software.

One more thing. Frustration happens in a lot of jobs, especially when it comes to security of systems. You have to decide if it's worth the "battles" ahead, or to keep your mouth shut when something bad does happen (no I told you so's).

Good Luck!
 
I have to agree with TFG13.

Talking it out with your boss is the best course of action.

Personally I would not want to have any software to remote other than Remote Desktop.

I would work on some kind of a web page to show server status beforehand so you can eliminate that argument as being why the extra utility is needed.

I hope you find this post helpful.

Regards,

Mark
 
I guess it depends on how willing to listen your new boss is and how much you want to risk finding out ;)

Your concerns and reasoning are correct but if you're in a new position it's not easy to make those concerns known without offending people that already work there.

I'd start with the Domain Admins thing. Even for stuff like SOX compliancy you should be able to audit access to financial systems etc, using generic admin accounts is not acceptable. You should all have normal user accounts and personal admin accounts as well, the personal admin accounts don't need roaming profiles so disk space usage on servers will be minimal.
 
Overhead for additional profiles: minimal......

Overhead for PCAnywhere or whatever: minimal.....? (Not sure as I would NEVER use this due to problems with it many many many years ago - on dial up it was THAT long ago but I have a long memory!)

I would compromise and just let your boss get on with the PCanywhere thing but in regards to the security I would try to get my point across. I need to know who did what and when and why and the only way is logs so if all it says is Admin went into HR files then you're up the swanny....

Iain
 
Not a big PCAnywhere fan, but it does the job I suppose, nothing better than WinRDC. As for showing Server Status. As Mark said, as we do, we have a webpage running on some server somewhere that you can view/refresh that gives you all the server states and stats / uptime / disk space / processes / memory etc. I think you would be able to find some HTA script for that on a website somewhere. Mark would be the best person to point to that I think. Or you could create one, from remote WMI calls. If you detect that you can't detect (if you know what I mean), a machine, then you know it's offline. You don't even need any dynamic detection of systems, just hardcode, or create an entry dialogue for you to add servernames \ IPs to run the query on.

I think you could probably also use the GPInventory tool free from Microsoft. Just save a config that has the servers listed, and specify the things you want to know, diskspace \ memory etc. That runs live with no datastore, so if you get a "not able to connect", again you know the machine is down.

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
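
A sketch of the status page described in the post above: a hardcoded server list, remote WMI/CIM queries for uptime, memory and disk space, and "cannot query it" treated as offline. This is an added example, not code from any poster in the thread; the server names and report path are placeholders, and it assumes PowerShell with CIM over WinRM reachable on the targets.

```powershell
# Added example: server names are placeholders, not taken from the thread.
$Servers    = @('SRV-DC01', 'SRV-FILE01', 'SRV-SQL01')
$ReportPath = Join-Path $env:TEMP 'server-status.html'

function Get-ServerStatus {
    param([Parameter(Mandatory)][string]$ComputerName)

    $cim = @{ ComputerName = $ComputerName; OperationTimeoutSec = 10; ErrorAction = 'Stop' }
    try {
        $os    = Get-CimInstance -ClassName Win32_OperatingSystem @cim
        # DriveType 3 = local fixed disks; skip volumes that report no size.
        $disks = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=3' @cim |
                 Where-Object { $_.Size -gt 0 }
        # Report the volume with the smallest share of free space.
        $lowest = $disks | Sort-Object { $_.FreeSpace / $_.Size } | Select-Object -First 1
        $tight  = if ($lowest) {
            '{0} {1:N0}% free' -f $lowest.DeviceID, (100 * $lowest.FreeSpace / $lowest.Size)
        } else { 'n/a' }

        [pscustomobject]@{
            Server       = $ComputerName
            State        = 'Online'
            UptimeDays   = [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalDays, 1)
            FreeMemoryMB = [math]::Round($os.FreePhysicalMemory / 1KB)  # value is reported in KB
            TightestDisk = $tight
            Detail       = ''
        }
    }
    catch {
        # No answer to the query is the "offline" signal the post describes.
        [pscustomobject]@{
            Server       = $ComputerName
            State        = 'Unreachable'
            UptimeDays   = $null
            FreeMemoryMB = $null
            TightestDisk = ''
            Detail       = $_.Exception.Message
        }
    }
}

# Every row carries the same properties so ConvertTo-Html builds one table.
$Servers | ForEach-Object { Get-ServerStatus -ComputerName $_ } |
    ConvertTo-Html -Title 'Server status' -PreContent "<h1>Server status</h1><p>Generated $(Get-Date -Format s)</p>" |
    Out-File -FilePath $ReportPath -Encoding utf8
```

Run it as a scheduled task under a dedicated account that has only remote WMI read access rather than the shared Domain Administrator account, so the status page does not become another reason to hand that password around.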
 
Another thing to consider when approaching the new boss is that he hired you for your expertise and opinions and you should show backbone but be respectful when you discuss this.

Let him know that in the end you know he is the boss and will do as directed but be equally clear on what your concerns are, why you have them and what your suggested solution is.

I hope you find this post helpful.

Regards,

Mark
 