Monday, 15 July 2013

How to know if you are a bad sysadmin

Just about every sysadmin I have met have one thing in common: they all think they are awesome at their job. However, rarely (well IMHO anyway) is this correct. Most will be quite offended if I have something to say to them about their ineptness. So I have created a short self-evaluation questionnaire that you can use to find out just how bad (or good) you are at your job. If you are a "good" sysadmin, you should score very low on this questionnaire and at least recognise the issues that exist. If you don't understand the reasons for these questions: It's time to either take steps to remedy these issues or do the rest of us a favour and leave the industry forever.

1. Do I ever have to ask my users for their passwords?

No sysadmin should ever need to know a users password. You should have procedures in place and methodologies and/or technologies to ensure this is not necessary - ever.

A corollary to this is that password resets should be immediately be followed by a forced password expiration. All end-user passwords should be rotated at regular intervals with duplicates not allowed.

2. Do I ever use the enterprise Administrator password?

The administrator or root password should never been used except on standalone systems. All administrators should have their own administrator password separate from their usual login. An extension to this is that all administrative activity should be logged.

3. Do I physically have to go to a users workstation?
For anything other than doing physical work, this should be unnecessary. You should actually have more capability through remote access than sitting at their desk.

4. Do I never conduct trial restores from Backup?

Just because your backup software says "successful backup" it does not necessarily follow you will be able to restore data from it. Check regularly, so you become familiar with the process. At least once every six months do a complete trial disaster recovery for one of your servers. Time yourself, try to beat that time.

5. Do I have to manually setup workstations for new users?

A new user should need only login with their password to get:

 - All their software
 - Their drive mappings
 - Their printers

There is simply no need for a sysadmin to get involved in this process. It should all be automated.

6. Do I use statically mapped drives?

This should never be required. Scripting should take care of all contingencies.

7. Do I use user-based file system rights/permissions?

These are close to impossible to administer. If you have user-based permissions for anything beyond services and home directories, chances are your file system security is non-existent.

8. Do I allow direct access to the Internet?

This is a serious security issue. Access to the internet for ANY protocol should be via the DMZ using proxied or relayed access. No exceptions.

9. Do I use 'Same as xxx user' when creating new user accounts?

This is not only lazy it is insecure and leads to non-repeatable actions. The new accounts will usually have way too many permissions - many of which you will be unable to explain the reason for.

10. Am I unable to name any new technology that I have trialled in the last six months?

Good sysadmins spend significant time on system development. This includes trialling new technologies as they are released to determine the relevance in your environment.

No comments:

Post a Comment