Sys Admins Beware!
This is one of my favorite topics: IT people having total access to the network. The article "Study notes link between IT sabotage, work behavior" is a great reminder that even Systems and Network Administrators should only have access on a "need to know" basis. "...86% of those who committed cybercrimes held technical positions and 90% had system administrator or privileged system access."
One of the things we've done over the last year or two is tighten up access controls specifically for Systems Administrators. Active Directory 2003 doesn't seem to give as granular control as we would like to have. I would be interested in hearing from anyone who is using a third-party tool on top of AD that allows for finer controls. The way we do it now is to create "security groups" and add specific IT people to them. Those groups have access to particular areas of the network.
While I've never had anyone who worked for me actually sabotage the network, there have been many cases of abuse of power, as I call it. I came to the conclusion that IT people are a curious lot and they, by nature, venture into the unknown. I am not sure whether this is a personality trait or some other abnormality that comes with the territory. I personally have never breached the confidence or abused the powers vested in me. I make it clear to my people that "snooping" will not be tolerated.
One of the things on my endless TO DO list is to write an Acceptable Use Policy for Network and Systems Administrators. After the policy is in place, or before as in my case, tighten up those access controls based on need to know. If someone has to have too much access in order to do his or her job, then maybe the job needs a little restructuring. There are always, of course, the network gods: those who must have total access. They should be the trusted and the few. The next step is to get enough logging in place so that you have an audit trail. If an Admin steps out of line, you've got proof and you can do something about it.



