What should I do about a "misbehaving" user?

security users

What should I do about this user? The user is:

  • Downloading pornography
  • Attempting unauthorized access
  • Running hacking software
  • Sending unsolicited email
  • Installing software / tampering with the system
  • etc

This is intended as a generic answer for employee behavioral problems, a la Can you help me with my software licensing question?

I could see where acceptable use issues are a touch out of scope for SF, however it is one of those things most sysadmins will run into. I don't want to keep rewriting similar answers.


Solution 1:

When it comes down to it most of us are just systems administrators.

We might be the ones to spot bad behavior and even sometimes called upon to help resolve situations. It is not our job to police or enforce employee behavior.

That being said having strong tools at your company’s disposal to address behavior issues as they come up is critical. Once a breach of policy occurs it is a HR question on how to deal with it. Provide them your documentation and let them do their thing. Wait to provide them whatever technical support is needed.

If you are in the situation that your company does not have an AUP or it needs revision this summary reflects a lot of research. It should provide you some guidance in getting started.

A good AUP should cover the following subjects.

  • One user per ID / Password - if someone uses your account you are liable.
  • One location for each password - don't use your work password outside.
  • Handling of personally identifiable / confidential data
  • Handling of media (CD, USB stick, etc)
  • What information can be transferred and to whom
  • Session locking - your screen locks so your account can't be misused.
  • Monitoring for email, file system utilization, web access
  • Personal use of business systems
  • Legal violations (copyright, hacking attempts, etc)
  • Attempts to bypass internal security controls
  • How violations are responded to - up to and including termination and legal action

EDIT - as DKNUCKLES points out it is necessary to follow the standard chain of command for these issues. Just because I was supposed to take them straight to the head of HR doesn't mean that is what your organization does.

Solution 2:

Yes...because downloading porn is 100% safe. Running programs like metasploit won't ever crash a server. Because sending unsolicited emails won't raise question about the companies reputation and standards. And because installing unknown, third party software won't ever be malicious or cause security issues.

IMO, if I was in your shoes I would want that person gone. What happens down the line when they gets busted for something and then you're in the scope now because of the "Why didn't you report this?" aspect. Now it looks like you can't do your job. Unless you work for Vivid Entertainment I would say the unacceptable barrier was crossed long ago.

Solution 3:

I think that as long as the actions have no direct impact on the ability for you to maintain the network/connectivity, this is not an issue for a sysadmin to resolve. As the other answer indicates, this is an HR (or some such) issue.

That being said, I believe that the game changes slightly if, for instance:

  • The user's sending of unsolicited mail can cause mail queueing on your outbound mailserver
  • the unsolicited mail, delivered through your SMTPd causes your SMTPd to be blacklisted, making you have to go through the motions of "begging" forgivness from the various SBL sites
  • Hacking attempts lead to breach of AUP notices from your link provider, or worse, cause retaliation attacks that bring your network to its knees.
  • etc...

These are cases where this user's abuse of resources has a direct impact on your job, which means you can quantify this as a measureable loss of money to your employer when you tally up how much effort from you, or your team, is required to maintain his/her habits. In this case, you would have to do something about this before you wind up becoming the person made responsible for this, and you "pay for it."

Solution 4:

While the AUP suggestions are great, it is also important for the IT department to get from the HR department a clear enumeration of duties, such as what is to be reported, to whom, and when. So when you bust the boss for breaking the rules, you can refer to the policy you are bound to. Having this in your job description or policy removes from you the burden of being the tattletale: if you are legally bound to report issues, you can't be accused of doing it just because you don't like someone. If you are fired for reporting, you may be able to sue for wrongful termination if the policy demands that you report. If it's not policy, you may have no recourse.

Related

Consumer (or prosumer) SSD's vs. fast HDD in a server environment
Reverse Proxy - Remove Subdirectory
How often should I reboot Linux servers?
Acting on CP(2) by conjugation
$n^n\equiv 1\pmod M\implies n\equiv 1\pmod M$
A surprising inequality about a $\limsup$ for any sequence of positive numbers
How do I show that this function is well defined?
Separable measure space and diagonalization
Upper bound for size of topology needed to falsify a non-tautology in IPC
Spectral Sequences - John McCleary Example 1.A (First Quadrant Topological Spectral Sequence)
How do I show that O(n) is compact? [duplicate]
first derivative test to find where the function is increasing, and decreasing