“That way you can make his life easier and he won't have to deal with this sort of thing.”

Ah, that is the perfect sort of thing for me to say. Thanks everyone for your comments. I think I was taking it a little personally and need to get used to “business logic.” It means a lot to hear advice from people as knowledgeable and experienced as this list.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]

All this is good advice, but tends to accept as fact that there is a security risk involved. You wrote, "you know nothing about (and for that reason do not trust)". There are really two issues here:

- your CIO is playing AD administrator, and for dealing with that there has been lots of good advice
- you don't have all the security facts, so fear the worst consequences

I'd suggest first finding out all you can about this application and its site, because it sounds like you're going to have to deal with it for a long time. If you approach this as a control issue--well, the CIO is in charge, as others have said. If you approach it wrong, the CIO may think you have a problem with change, because this may be a new application in your environment or something in the business has dictated handling this in a new way. I think the real outcome you want is for the CIO to appreciate that he should keep you informed about changes and that you can help make them happen in a seamless and secure way. That way you can make his life easier and he won't have to deal with this sort of thing.

Good luck!

Al Maurer
-----Original Message-----

How big is your company? Do you have a security group that doesn't report through the CIO? This is almost certainly unacceptable corporate exposure that your CIO really doesn't have the right to expose the company to on his own, in my opinion. This is the kind of thing that I would certainly really push up the ladder hard and would be willing to be terminated for. However, it completely depends on your feelings on the matter. Is it something you would quit over? If not, then it probably isn't something you would want to be fired for, and making a stink of it other than simply reporting it to your direct manager is probably not what you want to do.

In your shoes, I would consider locking down the traffic from that address or range of addresses with IPsec or something else under my complete control, and report it to my management and security to make a call on what the next steps were. If your company is so small that the CIO is directly tasking you, I expect you don't have a separate security group and you may have very, very little recourse other than to talk directly to the CIO and explain the risk he is putting the company in (he told you what to do directly; IMO, that gives you the right to question and explain why you think it isn't right). If he still says full speed ahead, say damn the torpedoes and go with it OR throw up the white flag and move on to bigger and better things. Again, if you don't have a separate security chain, there is a good chance that you have no leverage to fight, so you could never "win", so the battle is not very appealing.

Another way of looking at this is: if something bad happens, whose ass is up on the firing line? If it is mine, I certainly would make it very clear how bad I thought this was, so my rebuttal at the time of the decision to fire or not is "I told you this was stupid". Then again, I am very much about doing the right thing and have enough job security that I am not overly upset about losing a crappy position.

As the others said, that AD and that company isn't yours. But, IMO, it is your job to make sure you speak up when things are not done properly. If not, you are admitting that you were simply hired to push buttons. Our job as admins is to help our management make good decisions and recover from stupid ones, as well as implement all of them, smart or stupid.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Douglas M. Long

Here's a question for everyone: Your CIO decides it is cheaper to host an application remotely at a site that you know nothing about (and for that reason do not trust). He then decides on his own that he will just tell the network guy to open port 389 to one of your production DCs without consulting, or even mentioning it to, you or anyone else that may have something to say about the security risks. Then he asks you to create a test user account for a junior admin to test with, and gives the remote site the username and password. What do you do?
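One way to carry out the "lock down the traffic from that address range with IPsec" suggestion made in the reply above, written here as an added example and not code from anyone on the list: on the DC, scope inbound TCP/389 to the remote site's range and require IPsec for it, using the Windows NetSecurity cmdlets (Windows Server 2012 or later). The range 203.0.113.0/24, the rule names and the pre-shared key are placeholders I assumed for illustration.

```powershell
# Added example, not from the thread. Run on the domain controller as an administrator.
# Assumptions: Windows Server 2012+ (NetSecurity module); 203.0.113.0/24 is a
# placeholder for the remote hosting site's address range; the pre-shared key is a
# placeholder to be replaced (certificate authentication is preferable where possible).
$RemoteSite = '203.0.113.0/24'
$Psk        = 'REPLACE-WITH-A-LONG-RANDOM-SECRET'

# Weak setting: "open port 389 to the DC" taken literally, any source allowed.
# Deliberately left commented out; shown only for contrast with the scoped rule below.
# New-NetFirewallRule -DisplayName 'LDAP in (any source)' -Direction Inbound `
#     -Protocol TCP -LocalPort 389 -Action Allow

# Corrected setting: only the remote site's range may reach TCP/389, and only over
# an authenticated IPsec connection (the IPsec rule that provides it follows).
New-NetFirewallRule -DisplayName 'LDAP in from remote site (IPsec only)' `
    -Direction Inbound -Protocol TCP -LocalPort 389 `
    -RemoteAddress $RemoteSite -Action Allow -Authentication Required

# IPsec authentication: a machine pre-shared key proposal (placeholder) in a phase 1 set.
$Proposal = New-NetIPsecAuthProposal -Machine -PreSharedKey $Psk
$Auth1    = New-NetIPsecPhase1AuthSet -DisplayName 'Remote site PSK' -Proposal $Proposal

# Require IPsec on inbound TCP/389 from that range, so the LDAP session is
# authenticated and encrypted on the wire (port 389 is otherwise cleartext).
New-NetIPsecRule -DisplayName 'Require IPsec for LDAP from remote site' `
    -Protocol TCP -LocalPort 389 -RemoteAddress $RemoteSite `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $Auth1.Name

# Check: list every enabled inbound rule that still exposes TCP/389 and its remote scope,
# so a rule left at 'Any' stands out.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '389' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule   = $_.DisplayName
            Remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        }
    }
```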