[unisog] Admin Access to Servers

Stephen J Smoogen smooge at unm.edu
Wed Nov 15 17:18:00 GMT 2006


On Wed, 15 Nov 2006, Addam Schroll wrote:

> Our Central IT group currently has a project underway to move all
> administrative access to their critical infrastructure servers
> (databases, Active Directory, etc) onto a private management network.
>
> The current concept goes so far as to require each admin to carry a
> separate laptop from their normal machine in order to allow remote
> access from home or work.  Unfortunately, the extra machine and
> draconian policies have the admins up in arms.
>

For the corporations I have worked at this was normal. The reasons for 
that were putting corporate software on private hardware and similar 
things. [Similar rules could be in place if state-owned resources are 
not allowed to affect a private system.] In the cases where a person 
would not have a reasonable expectation for having a laptop, a 
specialized server would be set up that would serve out web-ssh and 
allow people to log in via two-factor using one-time passwords
[Cryptocard, SecurID, or a set of programs that can run on, say, a Palm
Pilot].

> I applaud the effort to try and further lock down access to the machines
> that hold the keys to the kingdom, but I'm concerned that the pendulum
> has swung too far in the security direction this time.
>

In the cases where, say, Social Security numbers or student data personal
data could be compromised, there is a significant risk for a college to
be sued for large money these days. In the case where a school works
with data like hospitals and such, the risk from HIPAA audit failures
could be pretty bad. (Hospital shutdown is the feared result, but I doubt
that has ever been done.)


> So I'm curious what security controls, policies, or procedures others
> have in place at their institutions to protect access to critical
> infrastructure.  What controls have been the most useful?  How have they
> affected usability and productivity of the system administrators?
>
> Any feedback, direct or back to the list, would be appreciated.
>
> Addam
>
>

-- 
Stephen Smoogen -- ITS/Linux Administrator
   MSC02 1520 1 University of New Mexico Albuquerque, NM  87131-0001
   Phone: (505) 277-7343  Email: smooge at unm.edu
  How far that little candle throws his beams! So shines a good deed
  in a naughty world. = Shakespeare. "The Merchant of Venice"

