I need some help with control over access to the server. I have a problem with a user (manager) who is in charge of the accounting software. Every time a new update comes, I find out the day after that she performed the upgrade (she knows the administrator password -- that is how it was when I started working here), and the installation is done on the server.
How can I make sure that this particular software has been updated, and how can I tell if she downloaded any updates? All the software is in one location in a folder on the server. A few times I had to fix some of the issues resulting from the installation, and many times in the past I got accused of problems on the network which were a direct result of her installing software on the server.
Oh this is technically simple, at least the access control issue, though you need to be prepared for some push back. First, the "Administrator" account should be off limits. It should have a complex password only known to the person in charge of servers (you?) and perhaps one other for backup, or it should be stored in a safe place, say a safe or locked drawer. Those who require administrator access should have an account that is given membership in the Administrators group or, where possible, a group that does not have full administrative privileges but does have what they require. Each individual should have their own account for this purpose and another ordinary user account for reading e-mail and other things. If you do this, then this user will no longer have administrative access.
If the software needs regular updating, then you need a procedure for doing so. Sounds like she learned about it. But you should be testing it and doing it, or at least she should only be doing it in your presence (she could have an account for this purpose, but only for this purpose, and the password could be changed each time she needs it, i.e. she notifies you when she needs to upgrade, you set the password and tell her. When the deed is done, you set the password to something complex that she doesn't know). There are many solutions here. The issue is you need a policy and a procedure that everyone can live with, and you need someone in management (your boss?) who has the authority to approve the policy and procedures.
First address the administrator account issue. It's easy to explain, and you can point to best practices as outlined by many security people, by Microsoft and even by your own U.S. government organizations. As part of this, a small part, address the issue of how to get applications upgraded other than the OS. If users or data owners should be in control, they must share that control with IT, as their actions can affect the entire company. If you do this right, get management approval and involve her department, you can avoid the pushback or at least deal with it in the planning and policy/procedure writing stage. If you just make changes, look out, that is not usually a job career enhancement activity. Good luck!
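The upgrade-window procedure the answer describes (a dedicated account, password set when she asks, rotated to something unknown when the upgrade is done), written up as an added PowerShell example that is not part of the original answer. The account name, software folder and log path are assumptions; it uses the built-in local-account cmdlets, so it needs an elevated PowerShell 5.1 or later session on the server itself.

```powershell
# Added example: just-in-time "upgrade only" account plus a record of what the upgrade touched.
$UpgradeAccount = 'acct-upgrade'          # assumed name of her upgrade-only account
$SoftwareFolder = 'D:\Apps\Accounting'    # assumed folder holding the accounting software
$AuditLog       = 'C:\Admin\upgrade-windows.log'   # assumed path for the open/close record

function New-RandomPassword {
    # 32 random bytes as base64 (upper, lower, digits) plus a fixed symbol for complexity rules.
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 32
    $rng.GetBytes($bytes)
    return '!' + [Convert]::ToBase64String($bytes)
}

function Open-UpgradeWindow {
    # She notifies you; you set a fresh password, enable the account and log when the window opened.
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    Set-LocalUser -Name $UpgradeAccount -Password $secure
    Enable-LocalUser -Name $UpgradeAccount
    "$(Get-Date -Format o) OPEN $UpgradeAccount by $env:USERNAME" | Add-Content $AuditLog
    Write-Host "Temporary password for ${UpgradeAccount}: $plain"   # hand this over in person
}

function Close-UpgradeWindow {
    # Upgrade done: disable the account, rotate to a password nobody is told, log the close,
    # and list every file under the software folder modified since the window opened.
    $lastOpen = Get-Content $AuditLog | Where-Object { $_ -match ' OPEN ' } | Select-Object -Last 1
    $since    = [DateTime]::Parse(($lastOpen -split ' ')[0])   # ISO timestamp has no spaces
    Disable-LocalUser -Name $UpgradeAccount
    Set-LocalUser -Name $UpgradeAccount -Password (ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force)
    "$(Get-Date -Format o) CLOSE $UpgradeAccount by $env:USERNAME" | Add-Content $AuditLog
    Get-ChildItem -Path $SoftwareFolder -Recurse -File |
        Where-Object { $_.LastWriteTime -ge $since } |
        Select-Object FullName, LastWriteTime, Length
}
```

Between windows the account is disabled, so any change under the software folder that falls outside a logged OPEN/CLOSE pair was made by some other account and is worth looking into with the server's security event log.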
This was first published in December 2004