
This does not involve me directly. However a friend believes her files are being tampered with and/or deleted by the only Windows domain admin there. (She has since kept backups) This started after she put in a complaint about him for misconduct (I'm being vague here as not to identify the person).

What exactly can one do to protect themselves both proactively (in a security and legal sense), and what should she do if that administrator attempts to frame her for some sort of misconduct, e.g. surfing porn at work?

The obvious suggestion would be to bring her own laptop and advise her workplace that she wants her domain account disabled. But it doesn't end there: all internet traffic must go through a proxy/cache cluster where the credentials are sent in the clear. (This was the case when I was at a similar place many years ago, hence why I know.)

And to access other shared files on the network she would need a domain account anyway.

John C
Steven

4 Answers


As tempting as it may be to try to use tools to defend herself (i.e. using personal equipment) or to catch the rogue admin in the act (logging, file integrity monitoring, etc.), many organizations have policies prohibiting these activities.

Your friend should be careful not to compromise her own integrity in response to this individual's actions. This is not a technology problem. In fact, it's one of the rare situations where removing the threat (the rogue admin) is easier than trying to defend against it. Most organizations should have a policy that protects employees from retaliation when they raise a concern.

My advice for your friend would be to formally report the concern to a manager, HR, etc. A forensic investigation should quickly reveal what the admin has been doing and would likely result in him/her being fired.

Dan
  • Spot on. If this is accurate, then it is clearly a personal problem that cannot be solved by purely technical means. – this.josh Oct 30 '11 at 05:48
  • However, if the company is small (as evidenced by a single Windows domain Administrator) they may not have good or coherent corporate policy. And D.W. is correct that domain administrators are typically trusted personnel and would tend to have the benefit of the doubt over your friend. Before filing another complaint, be prepared for the (potentially bad) consequences. – this.josh Oct 30 '11 at 06:26
  • Document these complaint(s). If he/they do try to oust you, your prior documentation is your only protection or evidence of retaliation in a wrongful termination suit. – Zeb Oct 31 '11 at 02:01

Call Human Resources. Now.

If she believes that there is a potential that the admin is retaliating against her because of the complaint, then she has a duty to call human resources and report it. They will perform an investigation, look through the admin's behaviour, and see if there is anything to it. Be honest, and accurate, about your suspicions. At the end of the day, there is no punishment for filing a good-faith (i.e. honest and accurate) complaint. Don't taint it with blame words; explain carefully what has been happening, and discuss that the power to do those things lies in the admin's hands.

At the VERY least, her complaint will have been registered and filed, which will protect her from being fired. She should also file a copy of her report, as well as the company's response to it, preferably with a lawyer.

System admins have a lot of power in an office, and a lot of that power comes from knowing the systems inside and out, including how to make someone look like they have done wrong. If you are trying to play the security game as an amateur, all you can do is be beaten, and beaten hard, kiddy porn hard. Trying to play their game, when you are not an expert, is a fast way to get beaten, and probably fired. If you can't play the game at their level, play a different game.

There is a reason there is a regular series of stories about the B@stard Operator From Hell. Don't play the cyber security game, play a game you can win.

Mike

MToecker

It is not possible to defend against a malicious domain administrator through purely technical means, and you should not even try.

I would view such accusations with skepticism; I've seen people get paranoid and start making assumptions and throwing out accusations without evidence. I would personally be reluctant to report these accusations to the company, and if this were my friend, I would probably counsel them to say nothing (unless your friend has pretty compelling evidence). I think it is too easy for this to escalate and for the company to make the problem go away by firing your friend and leaving the domain administrator in place.

Instead, I would avoid storing any personal files or data on work devices, and avoid doing any personal web surfing or other activities from work machines or work networks. It may be inconvenient, but if you truly believe the administrator is malicious and messing with you, that's the price of things.

+1 to @Dan for pointing out that this is primarily a social problem, not a technological problem. Administrators hold positions of trust. It is a property of these positions that, if the person is not trustworthy, they can abuse this position of trust. These issues must be addressed through social institutions.

D.W.
  • It may be possible to defend against a malicious domain administrator, but not through purely technical means. To do so you would need to thoroughly understand the power structure of your company, have the right allies, and be willing to risk being fired for cause. Even with what seem clearly superior allies and evidence you might lose badly. – this.josh Oct 30 '11 at 05:59
  • Thank you, @this.josh. I agree. I've edited my answer accordingly. – D.W. Oct 30 '11 at 07:00

What exactly can one do to protect themselves both proactively (in a security and legal sense), and what should she do if that administrator attempts to frame her for some sort of misconduct?

Make an escape plan. Update your resume, work your contacts, and find what openings there are at other companies. It may seem cowardly, but retreat is an attempt to protect something of value from further damage.

Find your friends. Who do you know that works in physical proximity and could be used as a witness to your activities? Who do you know higher up in your department or division that has power or political capital within your company?

Find the admin's other victims. If he is malicious, chances are he has annoyed others. Finding enough people who have been victims of his maliciousness may convince an otherwise incredulous higher-up.

Comply entirely with company policy even if it is stupid. If you find you are unable to comply because it compromises your ability to work, bring the issue to the appropriate person urgently. Be polite but firm until you have a piece of paper with an exemption or rule change with the person's signature on it. Do not foolishly assume that the number or severity of policy infractions matters. A single infraction of a rule that is never enforced may be enough for dismissal.

Do Not Bring Your Own Laptop! Especially if this is unusual behavior for you or other people at the company. Do not bring in anything that could be used to record, photograph, copy, store, etc. This means no cell phones, no iPods, no MP3 players, no portable game devices, no USB thumb drives, no SD cards, etc. If the admin is capable of planting evidence, he may be able to persuade a company representative that you are planning to steal company data. Even if you have no company data on your devices, the threat of attempted theft may make ordinary devices seem suspicious. However, having no devices capable of copying or recording this data nullifies this type of allegation.

Unless it is necessary for your work, do not take work home, do not take any papers, equipment, or supplies belonging to the company out of the building.

Whenever practical, work with someone else, preferably a friend. The only way to counteract technical evidence is with human evidence. Keep track of the time and make whoever you are with aware of it as well. Any technical evidence against you will be timestamped; you need a human witness to be able to provide counterevidence for the same time period. Not necessarily the exact time, but something along the lines of "From 10:00 to 10:15 Ann was editing a document, not surfing the web."

Make friends in high places. If you do not know, find out exactly who has the ability to fire/dismiss/let go of employees. Try to present yourself positively to as many of those people as you can.

this.josh