[unisog] Admin Access to Servers
Stephen J Smoogen
smooge at unm.edu
Wed Nov 15 17:18:00 GMT 2006
On Wed, 15 Nov 2006, Addam Schroll wrote:
> Our Central IT group currently has a project underway to move all
> administrative access to their critical infrastructure servers
> (databases, Active Directory, etc) onto a private management network.
> The current concept goes so far as to require each admin to carry a
> separate laptop from their normal machine in order to allow remote
> access from home or work. Unfortunately, the extra machine and
> draconian policies have the admins up in arms.
For the corporations I have worked at this was normal. The reasons for
that were putting corporate software on private hardware and similar
things. [Similar rules could be in place if state-owned resources are
not allowed to affect a private system.] In the cases where a person
would not have a reasonable expectation for having a laptop, a
specialized server would be set up that would serve out web-ssh and
allow people to log in via 2 factor using 1 time passwords.
[Cryptocard, SecurID, or a set of programs that can run on, say, a Palm
> I applaud the effort to try and further lock down access to the machines
> that hold the keys to the kingdom, but I'm concerned that the pendulum
> has swung too far in the security direction this time.
In the cases where, say, Social Security numbers or student data personal
data could be compromised, there is a significant risk for a college to
be sued for large money these days. In the case where a school works
with data like hospitals and such, the risk from HIPAA audit failures
could be pretty bad (Hospital shutdown is the feared result, but I doubt
that has ever been done.)
> So I'm curious what security controls, policies, or procedures others
> have in place at their institutions to protect access to critical
> infrastructure. What controls have been the most useful? How have they
> affected usability and productivity of the system administrators?
> Any feedback, direct or back to the list, would be appreciated.
Stephen Smoogen -- ITS/Linux Administrator
MSC02 1520 1 University of New Mexico Albuquerque, NM 87131-0001
Phone: (505) 277-7343 Email: smooge at unm.edu
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"