Greasing the Squeaky Wheels
Being paranoid about security is a good thing. For example, requiring
strong passwords, locking down the services on your machines, removing
all shared accounts, and disabling cleartext protocols make it more
difficult for a cracker to gain access to your machines and data.
Unfortunately, it also makes working on the systems less convenient for
you and your users. Implementing good security measures makes the system
harder to use; it's an unfortunate fact of life.
When you make security-conscious changes on your personal machine, the
only one impacted is you. However, if you are an administrator of
machines for many users, things get trickier. People do not like change,
any change. They want their password to be 'bunny' from now until they
retire. They want to stick with telnet because they know it, rather than
moving to ssh.
So when you determine that security changes need to be effected, how do
you get folks who will resist changes to go along with them? I find that
there are usually two methods that work well.
The first I call the carrot and stick approach. Say you want to
eliminate telnet, ftp, rcp, and rsh from your network and move to ssh
instead. You essentially start a marketing campaign, extolling their
virtues. For example, efficiency: 'ssh' requires three less keystrokes
than 'telnet', and 'ssh' replaces both telnet and rsh -- one less
command to remember. Unfortunately, if folks are used to the status quo,
it won't work. They'll probably counter that 'sftp' is longer than
'ftp'. You need to come up with other benefits of the system.
In the case of ssh, you can teach them how to leverage SSH identity
files and ssh-agent to allow them passwordless login access. They'll see
that they can ssh/scp/sftp from their desktop without typing a password
at all, and have a secure encryption connection to boot. You can sell
them on the increased speed when using compression over slower lines.
X11 forwarding will 'just work' finally. Make sure to show all the
positive aspects of the more secure solution so they realize there is
more than just a security benefit. Once enough people sign on -- the
folks who have taken the carrot -- most of the rest will grudgingly
agree. However for those last that simply cannot live without the old
ways, the higher-ups make the decision that supporting the old
environment and new simultaneously isn't going to happen, and they'll
need to live with it. The better your marketing, the less folks you piss
off this way.
The next method I call the "Scotty Solution", in honor of the famous
Star Trek engineer. Instead of smoothly transitioning our your
insecurities one by one, you go for the sledgehammer approach. Break
everything. Lock down things the way you want them to be. Turn off
telnet/etc across the board and install ssh everywhere. Lock all user
accounts with crackable passwords. Lock down the permissions of
everyone's home directories.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
