Greasing the Squeaky Wheels

Being paranoid about security is a good thing. For example, requiring
strong passwords, locking down the services on your machines, removing
all shared accounts, and disabling cleartext protocols make it more
difficult for a cracker to gain access to your machines and data.
Unfortunately, it also makes working on the systems less convenient for
you and your users. Implementing good security measures makes the system
harder to use; it's an unfortunate fact of life.

When you make security-conscious changes on your personal machine, the
only one impacted is you. However, if you are an administrator of
machines for many users, things get trickier. People do not like change,
any change. They want their password to be 'bunny' from now until they
retire. They want to stick with telnet because they know it, rather than
moving to ssh.

So when you determine that security changes need to be effected, how do
you get folks who will resist changes to go along with them? I find that
there are usually two methods that work well.

The first I call the carrot and stick approach. Say you want to
eliminate telnet, ftp, rcp, and rsh from your network and move to ssh
instead. You essentially start a marketing campaign, extolling their
virtues. For example, efficiency: 'ssh' requires three less keystrokes
than 'telnet', and 'ssh' replaces both telnet and rsh -- one less
command to remember. Unfortunately, if folks are used to the status quo,
it won't work. They'll probably counter that 'sftp' is longer than
'ftp'. You need to come up with other benefits of the system.

In the case of ssh, you can teach them how to leverage SSH identity
files and ssh-agent to allow them passwordless login access. They'll see
that they can ssh/scp/sftp from their desktop without typing a password
at all, and have a secure encryption connection to boot. You can sell
them on the increased speed when using compression over slower lines.
X11 forwarding will 'just work' finally. Make sure to show all the
positive aspects of the more secure solution so they realize there is
more than just a security benefit. Once enough people sign on -- the
folks who have taken the carrot -- most of the rest will grudgingly
agree. However for those last that simply cannot live without the old
ways, the higher-ups make the decision that supporting the old
environment and new simultaneously isn't going to happen, and they'll
need to live with it. The better your marketing, the less folks you piss
off this way.

The next method I call the "Scotty Solution", in honor of the famous
Star Trek engineer. Instead of smoothly transitioning our your
insecurities one by one, you go for the sledgehammer approach. Break
everything. Lock down things the way you want them to be. Turn off
telnet/etc across the board and install ssh everywhere. Lock all user
accounts with crackable passwords. Lock down the permissions of
everyone's home directories.

Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine