Sysadmins are the unsung heroes who support millions of users and organizations around the world. They are the first to respond to any issue. They are the keepers of the keys. Even with many years of experience, mere humans can make silly mistakes that lead directly to big problems at work.
In my previous career, you were there, and I am grateful for all you did. This post is dedicated to all current and potential sysadmins in an effort to improve what we do. Let’s look at some common security errors system administrators make.
Let me start with one I made in my previous job. It was a silly mistake that I now regret. But I thought I was going to be in it with my boss back then!
Do not just click through a wizard
When I was young and bright, I was an IT pro just starting out. I was working as a network administrator in a local company. I was asked to add a person to the enterprise admins group to perform a task. These requests are common as a network administrator, and I have done them many times before.
It’s the end of the day. I’m rushing through the wizard to get this person the access they need as quickly as possible. I completed it and then left for the day. The next morning arrived. It turned out that I had done nothing but make the person the only user in the enterprise admins group. The wizard gives you the option to add someone to your existing group membership or replace the existing list. I clicked on the latter while I was rushing through all the prompts.
People yelled at me for not having the access I needed. My boss was puzzled as to why all overnight services had failed, and no backups were created. It was a nightmare! In IT, a situation like this is known as an RGE: a resume-generating event.
We were able to resolve most of the issues and I was not fired. However, I learned a hard lesson about not speeding through wizards, even though I have done them millions upon millions of times.
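One way to script this kind of change so that an accidental replace is caught immediately, as an added example that is not from the original post. It assumes an Active Directory domain with the ActiveDirectory PowerShell module installed; the function name and the `jdoe` account are hypothetical.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module; the function name
# and the 'jdoe' account are hypothetical.
Import-Module ActiveDirectory

function Add-PrivilegedGroupMember {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Group,
        [Parameter(Mandatory)] [string] $User
    )

    # Resolve the account first so a typo fails before anything changes.
    $userDn = (Get-ADUser -Identity $User -ErrorAction Stop).DistinguishedName

    # Snapshot the current direct membership and keep a copy on disk.
    $before = @(Get-ADGroupMember -Identity $Group -ErrorAction Stop |
        Select-Object -ExpandProperty DistinguishedName)
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $PWD "${Group}-members-${stamp}.txt"
    $before | Set-Content -Path $backup

    # Add-ADGroupMember appends to the member list; it does not replace it.
    if ($before -notcontains $userDn) {
        Add-ADGroupMember -Identity $Group -Members $userDn -ErrorAction Stop
    }

    # Verify: nobody who was a member before may be missing afterwards.
    $after = @(Get-ADGroupMember -Identity $Group -ErrorAction Stop |
        Select-Object -ExpandProperty DistinguishedName)
    $lost = @($before | Where-Object { $after -notcontains $_ })
    if ($lost.Count -gt 0) {
        throw "'$Group' lost $($lost.Count) member(s): $($lost -join '; '). Snapshot: $backup"
    }
    if ($after -notcontains $userDn) {
        throw "'$User' is not a member of '$Group' after the change."
    }

    # Summary of the change for the ticket or change log.
    [pscustomobject]@{
        Group = $Group; Added = $userDn; Before = $before.Count
        After = $after.Count; Snapshot = $backup
    }
}

# Example call ('jdoe' is a placeholder account):
# Add-PrivilegedGroupMember -Group 'Enterprise Admins' -User 'jdoe'
```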
Everyone an admin
Raise your hand if you have ever worked in, or heard of, an office where the previous administrator had granted every user administrator-level permissions. This is more common than you might think, especially in small businesses where IT is often a department of one. After handling hundreds upon hundreds of requests for access and permissions to install this or that, on top of managing the network and systems, the admin gives in and makes everyone an administrator. This poses a serious security risk to your business. Administrator access gives users access to data they shouldn’t have and the ability to make configuration changes they shouldn’t make.
Sharing is not caring
Making everyone an administrator to make life easier is one mistake. Another common mistake is to share administrator accounts. How many administrators in your organization know the root or default administrator password? Although it may seem like six admins are needed, there is a huge difference between creating an administrator account for someone and giving them the root password. Many times, people will say they need administrative access to reach a specific resource or perform a specific task. When creating or delegating an admin account, we can be more specific about permissions. We also lose accountability when we share admin passwords. How do you find out who was using the default admin account? You should always try to adhere to the principle of least privilege. This means that accounts are only granted the permissions they need to do their job. You should not share the root account with other administrators.
Not following password best practices
We will break this down into several segments, as improper password management can be a major problem that could cost your company millions.
When users leave the company, especially IT employees, make sure to reset passwords. Disgruntled employees could cause serious damage to your company if they have admin access after they leave.
Recycling passwords. It’s okay to stop. Use different passwords for different systems. If one system is breached, every other system that uses the same password is vulnerable too. Users shouldn’t share the same passwords across networks.
Set up multi-factor authentication if it isn’t set up already. MFA can make you and your users less susceptible to phishing scams. It’s not easy, and you will need to deal with people who resist change, but it can save your life.