
Possible Duplicate:
How to convince a big boss that he does not need administrator privileges?

I'm an IT manager in a small company (40 employees). We have a decent IT security policy in place, but it is about to be circumvented.

I am in a situation where a VP is demanding admin privileges to his PC so that he can install apps without going through the typical channels.

His boss will cave, and allow this to happen.

This must not be a completely isolated occurrence; is there a good method for handling this situation?

IT53273

6 Answers


Tell him he can have the same access that the network admins get, and then give him exactly that:

  • His standard user account. This is the account he already has. It is connected to e-mail, documents, and business apps. He uses this account for day-to-day work, and it will remain unchanged.
  • A separate administrator account on the machine. This account has administrator privileges, but for that machine only. It's analogous to an admin's domain admin account, or when an admin logs in as root. This account should be broken by design for day-to-day use. Do things like make sure it's not connected to e-mail or any business apps that require authentication based on the current logged-on user, or that no printers are set up for that profile. This way, he will have the proper incentives to run as a standard user most of the time. With luck, he'll forget the password and be too embarrassed to ask for recovery.
Joel Coel
  • This is a great idea in theory - the user may complain heavily enough about it that you might get pushed to do it the wrong way though. "Just make it work the way I want" can carry a lot of clout from VPs in small companies. – mfinni Feb 02 '12 at 15:53
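The two-account setup described in this answer, as an added PowerShell example that is not part of the original answer: it assumes a domain-joined Windows 10/11 PC with the built-in Microsoft.PowerShell.LocalAccounts cmdlets (on older systems `net user` and `net localgroup` do the same job), and the names CORP\jsmith and jsmith-admin are placeholders.

```powershell
# Added example (not from the original answer): give the VP a machine-local
# administrator account and make sure his everyday domain account is only a
# standard user on this PC. Run from an elevated PowerShell on his machine.
#Requires -RunAsAdministrator

$DailyUser = 'CORP\jsmith'     # his existing standard (domain) account - placeholder
$AdminName = 'jsmith-admin'    # new local-only admin account        - placeholder

# 1. Create the local admin account. He types the password himself so IT never
#    holds it; the description makes the account's purpose obvious to the next admin.
if (-not (Get-LocalUser -Name $AdminName -ErrorAction SilentlyContinue)) {
    $Password = Read-Host -Prompt "Password for $AdminName (VP types this)" -AsSecureString
    New-LocalUser -Name $AdminName -Password $Password `
        -Description 'Local admin for software installs only; not for daily use' | Out-Null
}

# 2. Grant admin rights on this machine only (local group, no domain privileges).
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($admins -notcontains "$env:COMPUTERNAME\$AdminName") {
    Add-LocalGroupMember -Group 'Administrators' -Member $AdminName
}

# 3. Make sure the day-to-day account is NOT a local administrator.
#    (Remove-LocalGroupMember errors if the member is absent, so test first.)
if ($admins -contains $DailyUser) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $DailyUser
}

# 4. Verify the end state: exactly the principals you expect hold admin rights.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, PrincipalSource, ObjectClass |
    Format-Table -AutoSize

# 5. Usage: he keeps working as CORP\jsmith. When he needs to install something
#    he launches the installer with the "Run as administrator" verb and enters
#    the jsmith-admin credentials at the UAC prompt, so the admin profile itself
#    is never used for mail, printers or business apps:
#    Start-Process 'C:\installers\app.msi' -Verb RunAs
```

The check in step 4 is the part worth repeating periodically (or from a login script): if the daily account or anything unexpected shows up in the local Administrators group again, the arrangement has been quietly undone.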

Ah... Been there, done that

Make sure you have this in writing from the big boss:

You can get admin access if you absolutely want it. But if something (no matter how trivial) gets fucked up on the PC it will be a full wipe/re-install. IT won't attempt to troubleshoot as there is no telling what you have messed up.

Make clear how long a full re-install is going to take. And make absolutely sure that he himself is responsible for backups of any local data on the PC.

Also make sure they are aware that on any sign of network trouble (virus outbreak) his PC will be the first suspect and be subjected to a time-consuming full virus-scan from clean boot-media.

It may be worthwhile to give them a scare a week or two after getting admin rights: Slip a false positive in the temporary internet files. When the virus-scanner goes berserk, confiscate the PC for a full virus-scan and mutter something along the lines of "I hope I can clean this... I don't really have the time for a re-install... You do have a recent backup of your data, I trust?"

Of course: If the CEO or company owner doesn't back you on this you are screwed. Still, inform them, in writing that you consider this a major bad idea. If only for the "I told you so" opportunity when things do go wrong. (It usually will not take long for that to happen.)

Tonny
  • OK answer, but (-) remove the "slip a false positive and harass the user" advice, that's just obnoxious "sysadmin from hell" behavior; and (+) add something about clearly defining some policies about what's truly not allowed. For example, no routes or tunnels, no non-firewalled network. – Liudvikas Bukys Feb 02 '12 at 16:48
  • Sorry, but I had to downvote for the "false positive" scam. Lying is not professional. – Peter Feb 02 '12 at 18:29
  • You don't have to tell me it's unethical, but I still feel I had to mention it. I had to do this twice to people who were really running major risks with a company laptop full of sensitive data and refused to listen to advice. (One of them let her 15 year old son use it for LAN-parties in the weekend.) I let both sweat for several hours fearing they had lost all data on the laptop. Then I returned the laptop and spent at least an hour educating them on proper computer use, while the fear was still fresh. The day after I confessed and apologized. They were pissed, but the message had sunk in. – Tonny Feb 02 '12 at 22:01
  • Perhaps rephrasing as "drills" and implementing a policy to implement drills at your discretion would work in some organizations. – IT53273 Feb 02 '12 at 23:14

Definitely get in writing to CYA!!

Email over typical scenarios of potential issues if one were to have admin rights. A common one is viruses infecting the entire network, leading to loss of data, with business and financial implications.

Ensure the big boss agrees to this, in writing (not verbally), before doing anything.

And as for containment, just ensure that no one hears of this or else they'll all want it (happened to me!). No other way around it unfortunately.

Cold T

All the other suggestions are good ones.

Another one that I'd add to the list is that you, as the IT manager, would be responsible for tracking any and all software licenses correct? What assurance do you have that the VP is using a purchased license for each and every product he installs? Will he be installing "free for personal use" software on a work machine?

I'm afraid that while you should have some authority with regard to the computers, network, etc., as the IT Manager, there are people who can override that authority. This doesn't mean you can't clearly and objectively state your case and get everything in writing should your company end up "above the fold" so to speak.

GregD

Have you mentioned the whole standardized vs. non-standardized aspects of allowing this? I'd push back if I could and at the VERY least, get all of this in writing to CYA. There isn't much you can do at that level other than tout your standardization argument.

Publiccert

What does your IT security policy say about this? Is giving a VP administrator permissions on a PC covered and permitted by the policy? If not then the VP and his boss (and your boss?) are asking you to act in violation of it. This cannot end well for you.

If you cave and give the VP what he wants you have violated the company's policy, which in itself is bad enough. But also any problems that can and will arise from this will be your fault, no matter what you get in writing and no matter how often you get to say "I told you so."

If you don't cave and instead comply with the policy you will anger the higher-ups and that may cost you in the future as well.

I don't know your company or any background, but generally in a situation like this you are basically either screwed and should find yourself another job where (reasonable) policies are adhered to, or you should convince your VP's boss that this is not the way to handle things. Policies exist for a reason and must not be violated on the whim of a higher-up.

daff