Feeds

Save us from our users

Doomsday Weekend 3: sometimes a god complex isn't a bad idea

  • alert
  • submit to reddit

Mobile application security vulnerability report

Sysadmin blog Many sysadmins among us certainly have a god complex. The truth is, no matter how well-prepared for a large project we try to be, we can't control our users.

I took great pride before Doomsday Weekend in typing detailed emails about the changes that users should expect to see. The documents were necessary. They helped users through the transition and were an excellent point of reference for the post-project support calls. 
But nothing can compel users to read the emails they are sent.

Those users who did had a much easier time of it. Those who didn’t were quite upset on Monday morning to discover that everything had changed. In retrospect, I should have anticipated it.

One of those angry users had the solution to this problem: in addition to the emails, I should have printed a copy so that the information they required was on hand when they walked in. Not possible in all scenarios, but it would have saved a lot of grief in this one.

Another accidental experiment involved passwords. So our users could log into their VMs Monday morning, and so IT could set up user specific elements for the new users on our network, all non-administrative users were set to the same default password. We didn’t create a complicated list of users with different pre-set passwords; we simply set everyone’s password to the same thing.

Our intentions were good; we were going to have done all the configuration and user migration before Monday, and set users to change password at first logon. We didn’t make it. We still had tweaks to do to user environments two days after the deadline had passed. After we had finally reached the end of our customisations, we told users they were free to change their passwords. We decided that we would not force this on users at next logon, because after a rough week of big changes it would be bad PR for IT. So we sent another email detailing exactly how users could change passwords, why doing so was a good idea, and asking them nicely to comply for the sake of our sanity.

As I should have anticipated, the email was left largely unread by the users.

Many of those who did read it didn’t comply. So we discovered that a truly shocking number of users, even when made aware of the risks, won’t change their passwords from the default unless we force them to do it.

Users prefer convenience over security. Perhaps the greatest clashes between IT departments and their users are over this topic. Both sides can become entrenched: users demand absolute convenience, or else they will consciously work to subvert security measures. Hardline admins demand that users pay heed to security, or they will punish them with even more exacting security measures.

The solution is probably somewhere in the middle. Users pay attention to basic security measures, such as not sharing their passwords or leaving them taped underneath the keyboard, and admins put more thought into making security simple. After this misadventure, however, my opinions are beginning to shift towards a hardline sysadmin view.

We called each user to make them change their passwords. We stayed on the phone as they changed their passwords, and listened to the same diatribe about how changing passwords every six months was too much to bear. I find their apathy towards security breathtaking. Next time I won't care about bad PR for IT. I’ll just tick the “reset password" box and be done with it. ®

Bridging the IT gap between rising business demands and ageing tools

More from The Register

next story
THUD! WD plonks down SIX TERABYTE 'consumer NAS' fatboy
Now that's a LOT of porn or pirated movies. Or, you know, other consumer stuff
EU's top data cops to meet Google, Microsoft et al over 'right to be forgotten'
Plan to hammer out 'coherent' guidelines. Good luck chaps!
US judge: YES, cops or feds so can slurp an ENTIRE Gmail account
Crooks don't have folders labelled 'drug records', opines NY beak
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
FLAPE – the next BIG THING in storage
Find cold data with flash, transmit it from tape
Seagate chances ARM with NAS boxes for the SOHO crowd
There's an Atom-powered offering, too
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.