SysAdmin "Attitude".... Is There Such a Thing?

Status
Not open for further replies.

Dollie

MIS
May 2, 2000
This doesn't apply to any specific operating system, corporate atmosphere or level of education, but I have a question about the proper "attitude" of a system administrator. To make a short story long, I'm a homegrown sysadmin, learning mostly hands-on and taking some classes to fill in the rest. We recently installed a firewall and had a consultant come out and set it up for us.

I had a knee-jerk reaction when he (the consultant) cut off almost all connections to the internet, not allowing most plug-ins, and wanted to eliminate all communications with sites such as search engines (Google and Yahoo primarily). We're a small office with internet problems occurring rarely. We don't have a problem with users browsing porn or spending too much time on the internet instead of working or even downloading stuff they shouldn't. I've tried to educate our users so they can help me keep our network safe and secure and functional.

After I reacted to what he did by immediately testing all of my programs (anti-virus software, ftp, data access, web data building, credit card software, etc.) and asked him to open up certain ports, allow certain plug-ins and other things, he told me that I had the "wrong attitude" to be a system administrator. He said the purpose of a good sysadmin was to "deny, deny, deny." Basically, deny access to everything, make them beg for access, find out why they need the access, ponder whether you should give them access, make them beg more, then reluctantly give it to them after berating them for wanting it to begin with. (He didn't say this, but this is how he does things from what I've seen.)

After he told me quite clearly (and loudly I might add) that I wasn't suited to be a sysadmin (while standing a few feet from my boss!), he proceeded to start talking about our system in such high technical terms that even our office Mensa member couldn't understand, and I sat and steamed about his comment and wondered how on earth I let him make me appear to be the I-D-ten-T error.

Tell me, is the purpose of a sysadmin "deny, deny, deny" or to keep the system as safe as possible in the proper environment for the entire office while allowing the freedom of functionality? My Napoleon Syndrome has taken over I'm afraid, and I'm refusing defeat!
 
I'm not a sysadmin, but I've been around IT for over 20 years now and would like to make the following comments:

First, I'd fire that consultant and find another.

Second, talk with your boss and find out what your company's philosophies and/or policies are on this matter. Different companies handle security in different ways. There is no "one way" that is right for all. Ultimately, the company should set this policy and you should implement it. If your boss gives you the authority to make these decisions, so much the better for you.

Third, continue to educate yourself regarding system security. You can never know too much in this field, and things are changing rapidly.

Fourth, don't worry. If your boss takes the word of some arrogant and obnoxious outsider, you don't want to work there anyway. There are two extremes at work here: setting policies to the lowest common denominator, or creating an atmosphere of trust and confidence in the employees. It's not always easy to find a balance, and there's a lot to consider, but, then, that's your job, and it ultimately depends on your company's policies. If it were up to me, I'd trust people (while monitoring) first. If abuse is found, take action to address the guilty person only. Just make sure everyone knows what the company policies are from the start.

Good Luck!
 
I know what you mean ;)

Some technical consultants feel the need to appear god-like and do this by putting others down, although many are just really passionate about their work.

With regards to the right attitude I believe IT has taught me one thing well - No one philosophy/solution is right for every network/situation. When we installed our firewall here we did admittedly start off with deny deny deny but opened up certain areas as we found applications that needed them (although you would be surprised what you can have working without compromising your system in a big way by allowing most things out and not much in).

Ultimately it's your network and it's your choice on how it's run - especially in smaller networks where everything is clear to see. Security doesn't have to be absolute; it depends what you have to lose and how much you will gain from the flexibility.

So my advice would be not to take too much to heart, I know what it's like ;)
 
After he told me quite clearly (and loudly I might add) that I wasn't suited to be a sysadmin (while standing a few feet from my boss!), he proceeded to start talking about our system in such high technical terms that even our office Mensa member couldn't understand,

This is where you've got a problem. Fire his ass and get another consultant who will listen to what you want done.

Chip H.
 
There is a forum here (forum717 Ethics and Information Technology) that might be of interest to you.

As far as his ideas, yes, I would lock everything down then open them up on request (which is what you did). As far as his attitude, consultants are available "a dime a dozen." Hire another one.

James P. Cottingham

When a man sits with a pretty girl for an hour, it seems like a minute. But let him sit on a hot stove for a minute and it's longer than any hour. That's relativity.
    Albert Einstein explaining his Theory of Relativity to a group of journalists.
 
I'm agreeing with everyone else here...fire him.

About the deny, deny, deny theory...it's just that...theory. A 100% secure network is one that does not allow access to anyone. This of course is not an option. You need to get with the heads of departments, and find out what type of access they need. After getting this info, you need to create a policy. This policy is one that will weigh access vs. security.

Consultants like this, are just arrogant fools. They may know their field, but they have no idea how to properly implement their ideas into a working corporate environment.

Some advice...NEVER let a consultant come into your network and start dictating what is to be done. That's your job, you're paying him....you tell him what needs to be done. After the policy is created by you, then hand that over to him, and say, "This is what we want....do it." Listen to their advice of course, but in the end, you need to be the one calling the shots.
 
Fire the bum! He doesn't have what it takes to be a consultant!

The purpose of a Sysadmin is to "enable, enable, enable". The more things people can do easily, the more empowered the business is. If people have to BEG for basic access and rights, you are choking the business and hindering it.

The consultant's attitude is a power trip. His putting you down in front of your boss is a power trip. His snow job of technical terms for no apparent reason other than to make him sound like the techno king he wants to be is a power trip.

This is also usually a sign of even more dangerous things. Someone that is that big of a control freak is the type of person that leaves logic bombs and other cr*p like that. I've met this type too many times in the past. Fire the bum or get the bum fired!

Power to the people!!!
 
Thanks so much for all of your opinions! I'm glad to hear that "deny, deny, deny" isn't always the proper attitude of a system administrator. Security is important, but strangling your users isn't what security should be.

SamBones said, "The purpose of a Sysadmin is to "enable, enable, enable". The more things people can do easily, the more empowered the business is. If people have to BEG for basic access and rights, you are choking the business and hindering it." This has always been my view of things. Keeping my servers safe from outside attacks is one thing, but to get paranoid about my 15 or so users and start putting the throttle on what they can accomplish isn't keeping the business safe.

Unfortunately, the consultant is still tied to our business as we are dealing with his company on other IT issues, but he himself will not be stepping back in here and pulling his little act again.

Sorry if I brought this up in the wrong forum, but I'm glad I found like-minded people!
 
I agree with SamBones, part of the SA job is to make things easier for all the other employees, empower them as mentioned. Giving them what they need to do their jobs more efficiently.
Now where your power tripping consultant went wrong is that the security admin's job is to deny, deny, deny...and damn the results, but the network is safe. Obviously there has to be a line drawn somewhere. But cutting off access to the sources of information (like Yahoo/Google/etc) is just plain out and out stupid, cutting off access so your virus software can't get updates is asinine at best (and I'm being really nice here). Did the consultant cut off your email as well (since most viruses these days come through email, it would be nice to have current definitions)? I could go on but you get the picture.
Fire him, and do it quick. It's guys like him that give consultants a bad name, he's the kind of guy that nobody would hire because of his "attitude" so he went free-lance, he knows a bunch of fancy terms and can talk the talk so now he "preys" on small businesses like the one you work for knowing that there isn't likely to be highly technical people there.

Andrew
 
I have to agree with the basic theme here too. The job of the sysadmin is to run the systems in a way that they actually help people and let them get their jobs done. If you become such a pain in the a** that people start going up, over and around you then you will soon be looking at unemployment. Deny, deny, deny is not the right answer, but neither is allow, allow, allow. Sometimes people will really need things that you don't agree with and you have to accept that. Very often a choice will have to be made between functionality and security and it is your job to make sure that people understand the risks involved. If the risk is acceptable to them, then you need to do it. Just make sure they know the risks.

As for the "consultant", tell him to go back home to the wife that beats his a** every night and never come back. You hire consultants to come in to "help you". The ones with the God complexes are nothing but a pain. If he is not helping then give him the boot. There will be twenty more standing in line for your business.
 
I just HAD to post this update...

After the Slammer worm hit many SQL servers this last weekend, I rushed into the office Monday morning to ensure that our systems had not been hit. I was concerned because on the news they kept stating that sysadmins had not done their job properly if their system was hit. Well, I was assured by my servers and firewall that I was doing my job.
[medal]

Guess who DIDN'T do their job? Guess whose entire network was hit?
[noevil]

OK, so it was hard to not point and laugh....
[ponder]
 
Actually, it was Mr. Deny-Deny-Deny-All-To-Keep-My-System-Safe that got hit pretty good (main SQL server, he's a webhost), but the fact that Microsoft got hit had me rolling laughing!

[laughtears]
 
well, for people like mr.deny-deny-deny i keep a baseball bat behind my office door for people like that, and a dark alleyway nearby...more like mr. knob-knob-knob...ah well, just had to get that out...
 
Well here's my $.02 worth....

I'm a sysadmin and I only do that for people I don't like :) My normal attitude is first making sure everyone can do their normal job. Then making them happy so they will leave me alone and not talk to me :) If my boss says he has no problem with IM's then the employees can use them. If he says block them then I block them. Of course I make sure they all know why I did it so they will not beg, scream, yell, etc... at me but at my boss.

 
Anybody mind the "consultants" point of view???

That kind of attitude does NOT belong in the IT world with consultants, but many system admins have that ego too... I deal with that stubbornness daily and am always the one offering up the "burden of proof" to say that they need more security. Many companies are opting out of the full time "system administrator" and bringing in consultants because it is cheaper and yes, we are a dime a dozen.

I take the "deny" stance most times, always will. I talk to the clients to find out what they really need, what they have to lose and how much liability they have if they happen to get hacked. Less is better. Some employees will always break the rules, surf p*rn and run kazaa any chance they get. Yes, company policies do work but not all the time.

My "butt" is on the line whenever some new security hole pops up or a new virus hits the market and I take security very seriously. Business networks are just that, for business. Not for personal surfing, not for getting music, not for personal pleasure. If one employee downloads a virus, it can and most times will, spread throughout the entire network and have disastrous results in the end.
When the smoke clears, the one question that always remains is "what could we have done to avoid this??". I give bills to clients with "insecure networks" totalling in the thousands of dollars, that doesn't include their downtime, or information lost. Unfortunately it usually takes something big to happen before the realization comes...

When it comes to the consultant you're dealing with, yes, deal with him any way you can... He probably knows what he's talking about but the attitude sucks.
~ The day I think I know it all, I'm changing careers ~
 
I'd say the original mentioned consultant knew very little about what it takes to be a sys admin and even less about security, basically the guy has no business charging for his knowledge and skills. The guy denied access to getting virus definitions as the best example of incompetence. I'd like to hear this guy explain network security without using one of your final lines of defense against virus/worms/trojans. Let alone denying access to basic websites (Yahoo/Google) that do help people do their jobs, especially for research. These are the types of people that give consultants a bad name.

There is a very fine line between too much security and too little security, it's the System/security admin's job to find out where that line is. Just going by a "deny, deny, deny" type strategy may make you secure, but what's the point of having an internet connection if nobody is allowed to use it for anything?

Andrew
 
There are many good points here. Before I add my 2 cents worth let me tell you about myself. I have over 15 years in the sys admin world. I have been admin on IBM and Honeywell mainframes (ancient history). I have spent the last 12 years supporting HP and SUN systems. I moved just over a month ago into the Security world. Ok, enough about me. Now to the issue.

From my experience, here are what I believe are the items sys admins need to look at and in what order:
1) Safety. This means good backups and a good recovery plan.
2) Functionality. Can your users get the job done?
3) Performance. The faster the better, (this may result in cookies and lunch from users).
4) Security. I found the best practice is to shut down one or two items at a time and test. There is less impact to the users and a faster recovery. If the programmers are willing you can restructure the programming to work with the security. Most programs written over a year or two ago were great with security but have since been 'hacked'.
5) Education. I used to set up classes on how the system worked and taught any who wanted to attend 2 times a month.
6) Relationship. You must meet and greet your users. By talking with them they will get to know you and notice you are not some machine or a mushroom in a dark corner. If you let them know you want to listen and work with them they will be a little more responsive and a little more forgiving.

I have worked for several contracting companies. Most have a code of ethics. It you contact the company and discuss this issue with their rep. Talk with your manager and voice a concern for the morale and welfare of you and the users as well as the continued ability of the company to function. There are tens of thousands of consultants out there. I recommend looking for another one, if possible.

I hope this helps.
 
I've found overall that 99% of the consultants I've come into contact with are fantastic people. This one that I've had to deal with could be described as "hyper-aggressive". After a discussion where he was trying to get me to transfer all our domain registrations to one company to make his life easier so he could make himself tech contact (he's our web host as well), he started screaming about how our sites were on HIS servers and HIS dns. I put the phone down, and when I heard his voice fade, I picked it back up, asked if he was finished, and told him if he spoke to me like that one more time that I would every single bit of our business out. *It didn't even faze him.* He said that I just need to let him handle things.

I'm tired of being patted on my head and told that the boys will just take care of things for me. (Have I mentioned how frustrating it is being female in a G.O.B. IT world?)

I guess this guy is the antithesis of what most consultants are. I'm glad he's not something that the industry holds in high regard!
 