VP is demanding admin access to PC to install apps - What is a good containment strategy? [duplicate]

Possible Duplicate:
How to convince a big boss that he does not need administrator privileges?

I'm an IT manager in a small company (40 employees). We have a decent IT security policy in place, but it is about to be circumvented.

I am in a situation where a VP is demanding admin privileges to his PC so that he can install apps without going through the typical channels.

His boss will cave, and allow this to happen.

This must not be a completely isolated occurrence; is there a good method for handling this situation?


Tell him he can have the same access that the network admins get, and then give him exactly that:

  • His standard user account. This is the account he already has. It is connected to e-mail, documents, and business apps. He uses this account for day to day work, and it will remain unchanged.
  • A separate administrator account on the machine. This account has administrator privileges, but for that machine only. It's analogous to an admin's domain admin account, or when an admin logs in as root. This account should be broken by design for day-to-day use. Do things like make sure it's not connected to e-mail or any business apps that require authentication based on the current logged-on user, or that no printers are set up for that profile. This way, he will have the proper incentives to run as a standard user most of the time. With luck, he'll forget the password and be too embarrassed to ask for recovery.
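
The two-account setup from the answer above, as an added PowerShell example that is not part of the original answer: it creates the machine-local administrator account and checks that the day-to-day account is not itself a local administrator. The names `pcadmin` and `CORP\vp` are assumptions; run it from an elevated prompt on the VP's PC.

```powershell
#Requires -RunAsAdministrator
# Added example. Hypothetical names: local account 'pcadmin', daily account 'CORP\vp'.
$AdminName    = 'pcadmin'
$DailyAccount = 'CORP\vp'
$AdminsSid    = 'S-1-5-32-544'   # built-in Administrators group, independent of OS language

# 1. Create the machine-local admin account if it is not there yet.
if (-not (Get-LocalUser -Name $AdminName -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $AdminName"
    New-LocalUser -Name $AdminName -Password $pw -Description 'Local admin, elevation only' | Out-Null
}

# 2. Put it in the local Administrators group (rights on this machine only).
$members = Get-LocalGroupMember -SID $AdminsSid
if ($members.Name -notcontains "$env:COMPUTERNAME\$AdminName") {
    Add-LocalGroupMember -SID $AdminsSid -Member $AdminName
}

# 3. The day-to-day account stays a standard user: remove it if it was added directly.
#    (Membership through a nested domain group is not detected here.)
if ($members.Name -contains $DailyAccount) {
    Remove-LocalGroupMember -SID $AdminsSid -Member $DailyAccount
    Write-Warning "$DailyAccount was a direct local administrator and has been removed."
}

# 4. Show the resulting membership for review.
Get-LocalGroupMember -SID $AdminsSid | Select-Object Name, ObjectClass, PrincipalSource
```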

Ah... Been there, done that

Make sure you have this in writing from the big boss:

You can get admin access if you absolutely want it. But if something (no matter how trivial) gets fucked up on the PC it will be a full wipe/re-install. IT won't attempt to troubleshoot as there is no telling what you have messed up.

Make clear how long a full re-install is going to take. And make absolutely sure that he himself is responsible for backups of any local data on the PC.

Also make sure they are aware that on any sign of network trouble (virus outbreak) his PC will be the first suspect and be subjected to a time-consuming full virus scan from clean boot media.

It may be worthwhile to give them a scare a week or two after getting admin rights: slip a false positive in the temporary internet files. When the virus scanner goes berserk, confiscate the PC for a full virus scan and mutter something along the lines of "I hope I can clean this... I don't really have the time for a re-install... You do have a recent backup of your data, I trust?"

Of course, if the CEO or company owner doesn't back you on this, you are screwed. Still, inform them, in writing, that you consider this a major bad idea. If only for the "I told you so" opportunity when things do go wrong. (It usually will not take long for that to happen.)


Definitely get it in writing to CYA!!

Email over typical scenarios of potential issues if one were to have admin rights. A common one is viruses infecting the entire network, therefore leading to loss of data, business and financial implications.

Ensure the big boss agrees to this in writing before doing anything (not verbally, but in writing).

And as for containment, just ensure that no one hears of this or else they'll all want it (happened to me!). No other way around it unfortunately.


All the other suggestions are good ones.

Another one that I'd add to the list is that you, as the IT manager, would be responsible for tracking any and all software licenses, correct? What assurance do you have that the VP is using a purchased license for each and every product he installs? Will he be installing "free for personal use" software on a work machine?

I'm afraid that while you should have some authority with regard to the computers, network, etc., as the IT Manager, there are people who can override that authority. This doesn't mean you can't clearly and objectively state your case and get everything in writing should your company end up "above the fold" so to speak.


Have you mentioned the whole standardized vs. non-standardized aspects of allowing this? I'd push back if I could and at the VERY least, get all of this in writing to CYA. There isn't much you can do at that level other than tout your standardization argument.