Feeds

Save us from our users

Doomsday Weekend 3: sometimes a god complex isn't a bad idea

  • alert
  • submit to reddit

Next gen security for virtualised datacentres

Sysadmin blog Many sysadmins among us certainly have a god complex. The truth is, no matter how well-prepared for a large project we try to be, we can't control our users.

I took great pride before Doomsday Weekend in typing detailed emails about the changes that users should expect to see. The documents were necessary. They helped users through the transition and were an excellent point of reference for the post-project support calls. 
But nothing can compel users to read the emails they are sent.

Those users who did had a much easier time of it. Those who didn’t were quite upset on Monday morning to discover that everything had changed. In retrospect, I should have anticipated it.

One of those angry users had the solution to this problem: in addition to the emails, I should have printed a copy so that the information they required was on hand when they walked in. Not possible in all scenarios, but it would have saved a lot of grief in this one.

Another accidental experiment involved passwords. So our users could log into their VMs Monday morning, and so IT could set up user specific elements for the new users on our network, all non-administrative users were set to the same default password. We didn’t create a complicated list of users with different pre-set passwords; we simply set everyone’s password to the same thing.

Our intentions were good; we were going to have done all the configuration and user migration before Monday, and set users to change password at first logon. We didn’t make it. We still had tweaks to do to user environments two days after the deadline had passed. After we had finally reached the end of our customisations, we told users they were free to change their passwords. We decided that we would not force this on users at next logon, because after a rough week of big changes it would be bad PR for IT. So we sent another email detailing exactly how users could change passwords, why doing so was a good idea, and asking them nicely to comply for the sake of our sanity.

As I should have anticipated, the email was left largely unread by the users.

Many of those who did read it didn’t comply. So we discovered that a truly shocking number of users, even when made aware of the risks, won’t change their passwords from the default unless we force them to do it.

Users prefer convenience over security. Perhaps the greatest clashes between IT departments and their users are over this topic. Both sides can become entrenched: users demand absolute convenience, or else they will consciously work to subvert security measures. Hardline admins demand that users pay heed to security, or they will punish them with even more exacting security measures.

The solution is probably somewhere in the middle. Users pay attention to basic security measures, such as not sharing their passwords or leaving them taped underneath the keyboard, and admins put more thought into making security simple. After this misadventure, however, my opinions are beginning to shift towards a hardline sysadmin view.

We called each user to make them change their passwords. We stayed on the phone as they changed their passwords, and listened to the same diatribe about how changing passwords every six months was too much to bear. I find their apathy towards security breathtaking. Next time I won't care about bad PR for IT. I’ll just tick the “reset password" box and be done with it. ®

5 things you didn’t know about cloud backup

More from The Register

next story
The Return of BSOD: Does ANYONE trust Microsoft patches?
Sysadmins, you're either fighting fires or seen as incompetents now
Oracle reveals 32-core, 10 BEEELLION-transistor SPARC M7
New chip scales to 1024 cores, 8192 threads 64 TB RAM, at speeds over 3.6GHz
Microsoft: Azure isn't ready for biz-critical apps … yet
Microsoft will move its own IT to the cloud to avoid $200m server bill
Docker kicks KVM's butt in IBM tests
Big Blue finds containers are speedy, but may not have much room to improve
US regulators OK sale of IBM's x86 server biz to Lenovo
Now all that remains is for gov't offices to ban the boxes
Gartner's Special Report: Should you believe the hype?
Enough hot air to carry a balloon to the Moon
Flash could be CHEAPER than SAS DISK? Come off it, NetApp
Stats analysis reckons we'll hit that point in just three years
Dell The Man shrieks: 'We've got a Bitcoin order, we've got a Bitcoin order'
$50k of PowerEdge servers? That'll be 85 coins in digi-dosh
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.