What should I do about a "misbehaving" user?

Question

What should I do about this user? The user is:

• Downloading pornography
• Attempting unauthorized access
• Running hacking software
• Sending unsolicited email
• Installing software / tampering with the system
• etc

This is intended as a generic answer for employee behavioral problems, a la Can you help me with my software licensing question?

I could see where acceptable use issues are a touch out of scope for SF, however it is one of those things most sysadmins will run into. I don't want to keep rewriting similar answers.

Answer 1

When it comes down to it most of us are just systems administrators.

We might be the ones to spot bad behavior and even sometimes called upon to help resolve situations. It is not our job to police or enforce employee behavior.

That being said having strong tools at your company’s disposal to address behavior issues as they come up is critical. Once a breach of policy occurs it is a HR question on how to deal with it. Provide them your documentation and let them do their thing. Wait to provide them whatever technical support is needed.

If you are in the situation that your company does not have an AUP or it needs revision this summary reflects a lot of research. It should provide you some guidance in getting started.

A good AUP should cover the following subjects.

• One user per ID / Password - if someone uses your account you are liable.
• One location for each password - don't use your work password outside.
• Handling of personally identifiable / confidential data
• Handling of media (CD, USB stick, etc)
• What information can be transferred and to whom
• Session locking - your screen locks so your account can't be misused.
• Monitoring for email, file system utilization, web access
• Personal use of business systems
• Legal violations (copyright, hacking attempts, etc)
• Attempts to bypass internal security controls
• How violations are responded to - up to and including termination and legal action

EDIT - as DKNUCKLES points out it is necessary to follow the standard chain of command for these issues. Just because I was supposed to take them straight to the head of HR doesn't mean that is what your organization does.

Answer 2

Yes...because downloading porn is 100% safe. Running programs like metasploit won't ever crash a server. Because sending unsolicited emails won't raise question about the companies reputation and standards. And because installing unknown, third party software won't ever be malicious or cause security issues.

IMO, if I was in your shoes I would want that person gone. What happens down the line when they gets busted for something and then you're in the scope now because of the "Why didn't you report this?" aspect. Now it looks like you can't do your job. Unless you work for Vivid Entertainment I would say the unacceptable barrier was crossed long ago.

Answer 3

I think that as long as the actions have no direct impact on the ability for you to maintain the network/connectivity, this is not an issue for a sysadmin to resolve. As the other answer indicates, this is an HR (or some such) issue.

That being said, I believe that the game changes slightly if, for instance:

• The user's sending of unsolicited mail can cause mail queueing on your outbound mailserver
• the unsolicited mail, delivered through your SMTPd causes your SMTPd to be blacklisted, making you have to go through the motions of "begging" forgivness from the various SBL sites
• Hacking attempts lead to breach of AUP notices from your link provider, or worse, cause retaliation attacks that bring your network to its knees.
• etc...

These are cases where this user's abuse of resources has a direct impact on your job, which means you can quantify this as a measureable loss of money to your employer when you tally up how much effort from you, or your team, is required to maintain his/her habits. In this case, you would have to do something about this before you wind up becoming the person made responsible for this, and you "pay for it."

Answer 4

While the AUP suggestions are great, it is also important for the IT department to get from the HR department a clear enumeration of duties, such as what is to be reported, to whom, and when. So when you bust the boss for breaking the rules, you can refer to the policy you are bound to. Having this in your job description or policy removes from you the burden of being the tattletale: if you are legally bound to report issues, you can't be accused of doing it just because you don't like someone. If you are fired for reporting, you may be able to sue for wrongful termination if the policy demands that you report. If it's not policy, you may have no recourse.

Answer 5

If you're a SysAdmin the onus is on you to inform the proper parties about the activities that are going on. At the end of the day, it's YOUR network and you're the one responsible for it's upkeep and optimization. I think in the instance of things like adult material, you can turn a blind eye. I mean we all have better things to do than condemn someone for that. Perhaps a professional courtesy saying something along the lines of "I don't care but management may frown upon that". Now if the traffic is illegal or detrimental to your network, then that's another story.

If you come across this behavior and dont report it, then be prepared to deal with the following questions asking you why you didn't notify anyone; saying you didn't know about it looks REALLY bad on you. After all, it is your job to maintain that network and those systems.

I agree that timbringham has the right idea with the AUP. That said, bring it up to your superior and ask them what the next course of action should be. They'll likely want some sort of documentation and proof that the illegal / AUP violation activity occurred so be prepared to provide them with logs / screen shots / whatever. Regardless of what the AUP says, people should have enough common sense to know they shouldn't be doing inappropriate things on company networks.

Answer 6

Since you are in charge of the integrity of the network (well I assume that part) I would raise that issue with upper management based these points

• Attempting unauthorized access
• Running hacking software
• Sending unsolicited email

Playing the "this could get us into legal problems" (read this could cost money to the company).

Then, when ask to investigate a bit further, you can raise the pornography thing...that should nail it.

Answer 7

You are only helping him, by pointing out some serious issues!!! It does affect productivity and seems like his mind is wandering. I would have a casual chat and let him know ... that its not good, if he wants to watch porn he can do it at his home. Running hacking software is causing more headaches and disturbing others also when you send unsolicited emails.

No need to take it with the upper management, because he should know his mistake and that you gave him a chance to check himself.

This is totally wrong ----- ironic I am posting this from my office!

Answer 8

Downloading pornography - just tell him face to face to stop doing that. tell him that if he wants to do that, get a cellular wireless network to do it on and dont use the business network.

Attempting unauthorized access - nothing wrong with trying. basically he is exposing problems in the network that the system admin didn't catch.

Running hacking software - thats ok also. there can be legitimate reasons for doing this, the most common of which is for "the learning experience". maybe this employee really wants to understand his environment better.

Sending unsolicited email - make the email log public so that everyone in the company can see who sends emails to what address. you can do this with a bash script cron.weekly job if your a system admin with a little skill.

Installing software / tampering with the system - remove their account or reduce their priveledges on the system without telling them. if they need access, let them ask.