In public funded research the scientists hold all the power. The scientists generate the income and the scientists populate the management structure, so if a scientist decides they need something they're gonna get it. This isn't dramatically different from the corporate world, rock stars whining their way up the chain is a universal, but when the whole organization is people with PhDs it turns out they all see things generally the same way so the whining is more effective. As an admin you do your best to enforce best practices but in the end keeping the research going (and by extension, keeping the grant money coming in) is going to win. And this is why everyone gets local admin. And probably unrestricted sudo on a server. Heck, we got scientists designing server rooms.

# May 15, 2023 14:30

# May 26, 2024 01:21

> xzzy posted: In public funded research the scientists hold all the power. The scientists generate the income and the scientists populate the management structure, so if a scientist decides they need something they're gonna get it. This isn't dramatically different from the corporate world, rock stars whining their way up the chain is a universal, but when the whole organization is people with PhDs it turns out they all see things generally the same way so the whining is more effective. As an admin you do your best to enforce best practices but in the end keeping the research going (and by extension, keeping the grant money coming in) is going to win.

100% I'm a former research scientist-turned-sysadmin and that experience (plus a very expensive and hard to obtain piece of paper that entitles me to certain honorifics) makes it easy to empathize with the needs of the scientists, and in turn makes them more patient with me when I do have to put my foot down on something. Mutual understanding and respect go a long way.

# May 15, 2023 14:45

> SlowBloke posted: It's a solid way to get poo poo installed in ways you won't find unless you do proper analysis on machines. It has minimal pros and a lot of cons.

It entirely depends on where you work and who you work with, which is why it's a group think deal imo. People who haven't worked in places that have the appropriate controls for it in place and where it's necessary can't imagine it.

# May 15, 2023 14:47

> teethgrinder posted: Which tool is this out of curiosity?

This is what we use, no idea what it's like to manage: https://www.remediant.com/product-remediant-secureone

> i am a moron posted: People make a huge deal about local admin because of IT groupthink reasons imo

There used to be a lot of very good reasons to not allow local admin. It was a necessary first step in protecting your endpoints. Things have changed quite a bit with new endpoint management tools and modern Windows, so there is no reason to be as strict about it. I still wouldn't hand it out willy nilly though, most end users have no need to install their own software.

# May 15, 2023 14:49

To be clear, no I don't believe giving all users local admin is a good idea. But people making blanket statements about it are engaging in IT cult-ery.

# May 15, 2023 14:51

> i am a moron posted: To be clear, no I don't believe giving all users local admin is a good idea. But people making blanket statements about it are engaging in IT cult-ery.

# May 15, 2023 14:55

> i am a moron posted: To be clear, no I don't believe giving all users local admin is a good idea. But people making blanket statements about it are engaging in IT cult-ery.

Care to go into any detail? You can do a lot more damage with admin rights than you can with normal user rights. It's why privilege escalation exploits are bad.

[edit: Didn't mean to come off as flippant in this response, but I did! I am genuinely interested in hearing how blanket statements in this come off as cargo culty. I think it's always been a "best practice" that had exceptions.]

Internet Explorer fucked around with this message at 15:26 on May 15, 2023

# May 15, 2023 14:58

> i am a moron posted: It entirely depends on where you work and who you work with, which is why it's a group think deal imo. People who haven't worked in places that have the appropriate controls for it in place and where it's necessary can't imagine it.

I work in public sector and am under the "cyber" umbrella of a NATO government, it's easy to get hit as collateral. I am sure that a "normal" firm can manage it if they have a set of spherical users that won't click on weird poo poo, but in a gov adjacent institution I'm seeing it as unnecessary risk. Relying on XDR automation is a tall order for us, esp. since we had ransomware executing with the detection engine going all "something is happening, maybe it's bad, maybe not" and not reacting, with the sole thing stopping the malware from touching the local credential store being that it was executed as a standard user.

# May 15, 2023 15:19

Currently wondering why someone thought using an SSN in an API’s query string would be a good idea.

# May 15, 2023 15:28

How else would you reference the primary key?

# May 15, 2023 15:29

> App13 posted: My workplace is exclusively "kooky/zany scientists and engineers who do linear algebra in their head" and they all get local admin rights.

I find this really interesting. Users can install whatever OS they want? How are the backend security systems set up to work in this scenario? Are endpoints completely unmanaged, or do you capture them and enroll in MDM as they try to access resources?

# May 15, 2023 15:31

> Thanks Ants posted: How else would you reference the primary key?

By making passwords unique and using those as PK of course! Make sure not to store the hash value + salt but just the password as plain text. That way you can both easily search for it as well as test logging in and experience your user's specific issue.

# May 15, 2023 15:35

> Internet Explorer posted: I find this really interesting. Users can install whatever OS they want? How are the backend security systems set up to work in this scenario? Are endpoints completely unmanaged, or do you capture them and enroll in MDM as they try to access resources?

I've been trying to deduce that myself honestly. The security backend is handled by an entirely separate organization from the group I'm in.

# May 15, 2023 15:37

> Internet Explorer posted: I find this really interesting. Users can install whatever OS they want? How are the backend security systems set up to work in this scenario? Are endpoints completely unmanaged, or do you capture them and enroll in MDM as they try to access resources?

I think right now the world still has a lot of native software and licensing that can only work on the OS. If their specific organization is very heavy on web tools and does not have a lot of traditional software or traditional client work going on, I don't see a big need for controlling OS, because there are no resources the computer needs to be specially set up to access. They can just log in with a web prompt or web API agnostic of OS if their tools are set up for it right? Then if they leave the org or threaten the CEO or whatever, can't your off-boarding simply cut their account and API access rather than worrying about the endpoint so much? Again, only if their endpoint does not have traditional access such as shared drives with company data and that sort of thing.

Inner Light fucked around with this message at 15:54 on May 15, 2023

# May 15, 2023 15:46

> Internet Explorer posted: Care to go into any detail? You can do a lot more damage with admin rights than you can with normal user rights. It's why privilege escalation exploits are bad.

I'm in the same boat as The Fool - I don't provide these kinds of things to people anymore if I ever did, I'm a consumer of endpoint services. If I had to go to someone every time I needed admin it would be super annoying to do my job and negotiating it with people would be a deal breaker in terms of continuing to work anywhere. So anyone in a similar role to myself, developers, etc., because you can reflexively hate local admin but there is no way the roadblocks it places are outweighing the risks. I don't have domain admin accounts, all my identity stuff in the cloud is behind MFA and geolocated risk stuff, infosec has a ton of poo poo on my machine, I don't connect via VPN to any on premises services like AD/DNS. It's a big leap from me being stupid with what I install to someone doing anything useful with it. Is it possible? Sure. But I'm not responsible for weighing the risk and people whose entire job it is to do so have decided it's fine so it's all good imo.

# May 15, 2023 16:18

I didn't even WANT local admin, but they couldn't figure out how to give me permission to change the IP on my network card without it.

# May 15, 2023 16:24

> Cyks posted: IMO that's always an acceptable answer (as long as it isn't a common issue you've seen and fixed multiple times before). I'd rather my techs come back after researching a few ideas instead of just wasting everybody's time blindly clicking around.

I've been told explicitly to not waste time doing research and that "sometimes we just can't fix anything" by my boss. So my advice is if you think a place sounds screwy at the interview it will be so much worse than you can imagine.

# May 15, 2023 16:30

> LochNessMonster posted: By making passwords unique and using those as PK of course! Make sure not to store the hash value + salt but just the password as plain text. That way you can both easily search for it as well as test logging in and experience your user's specific issue.

I knew what you were doing and I still flinched while reading this.

# May 15, 2023 16:49

For permanent local admin I have an email convo with their department head with my boss cced in which I am totally clear about potential consequences and basically put it on them if it goes wrong. We’ll always fix but getting that in writing is the rear end cover I want.

# May 15, 2023 17:28

> Inner Light posted: I think right now the world still has a lot of native software and licensing that can only work on the OS. If their specific organization is very heavy on web tools and does not have a lot of traditional software or traditional client work going on, I don't see a big need for controlling OS, because there are no resources the computer needs to be specially set up to access. They can just log in with a web prompt or web API agnostic of OS if their tools are set up for it right?

Yeah, that makes sense, and I think the direction everyone is headed in. I still think about something like downloading a file containing PII from your web software. Or even something as simple as inventory. If you don't have an agent, do you track them by hand? Do you just not care at all? It's interesting that these options are out there.

> App13 posted: I've been trying to deduce that myself honestly. The security backend is handled by an entirely separate organization from the group I'm in.

> i am a moron posted: I'm in the same boat as The Fool - I don't provide these kinds of things to people anymore if I ever did, I'm a consumer of endpoint services. If I had to go to someone every time I needed admin it would be super annoying to do my job and negotiating it with people would be a deal breaker in terms of continuing to work anywhere. So anyone in a similar role to myself, developers, etc., because you can reflexively hate local admin but there is no way the roadblocks it places are outweighing the risks. I don't have domain admin accounts, all my identity stuff in the cloud is behind MFA and geolocated risk stuff, infosec has a ton of poo poo on my machine, I don't connect via VPN to any on premises services like AD/DNS. It's a big leap from me being stupid with what I install to someone doing anything useful with it. Is it possible? Sure. But I'm not responsible for weighing the risk and people whose entire job it is to do so have decided it's fine so it's all good imo.

I hear both of these, but they're really "I don't deal with that, it's someone else's problem, I'm just an end-user in this regard." Which is fine, but I think less interesting than talking about what the solutions actually look like. I think there's something to be said about modern auth methods, but if your local machine is compromised and it dumps your password vault that's still a problem. A screen scraper or keylogger is still a problem. A rogue extension in your browser is still a problem. Something that grabs your key pairs is still a problem. I guess my point of view is saying "no one should ever have local admin ever" is a problem, like pretty much any sort of engineering blanket statement. Maybe when people speak shortly it comes off that way unnecessarily. But I don't think that's cargo culty. And if you tell me all users have local admin all the time, I am going to put a lot of thought into that requirement.

# May 15, 2023 17:31

> Internet Explorer posted: Care to go into any detail? You can do a lot more damage with admin rights than you can with normal user rights. It's why privilege escalation exploits are bad.

The purpose of most organizations is not avoiding cybersecurity incidents or damage. The purpose of most organizations is to make money. As in all things, local admin vs not is a tradeoff of IT expenditure and development speed versus the security gains that come with it, and it is not always going to be best practice to have unprivileged user accounts nor should it always be an IT priority to pursue.

The Iron Rose fucked around with this message at 17:38 on May 15, 2023

# May 15, 2023 17:34

oh, well in that case

# May 15, 2023 17:35

> skipdogg posted: Here's some advice off the top of my head. Some you may or may not agree with.

Couple of pages back but thanks for posting this. Started a new gig last week, my first IT/desktop support job, and this has been how I've been going about things but it's helpful reminding myself of the first point you made. So far so good otherwise though, I think I landed in a pretty solid starter position compared to some of the horror stories I've heard.

Handsome Ralph fucked around with this message at 17:45 on May 15, 2023

# May 15, 2023 17:41

> Internet Explorer posted: oh, well in that case

She's right.

# May 15, 2023 17:42

> Internet Explorer posted: I hear both of these, but they're really "I don't deal with that, it's someone else's problem, I'm just an end-user in this regard." Which is fine, but I think less interesting than talking about what the solutions actually look like. I think there's something to be said about modern auth methods, but if your local machine is compromised and it dumps your password vault that's still a problem. A screen scraper or keylogger is still a problem. A rogue extension in your browser is still a problem. Something that grabs your key pairs is still a problem.

From a risk management perspective, if an attacker has gained access to a machine we're already in deep poo poo. Like as a nation. That's what I tell myself in order to sleep at night.

# May 15, 2023 17:46

I’ve got a ridiculous compensation right now for the experience I have, and compared to my local market (current position is 100% remote for a Bay Area company, and I live in Alberta so duh), and I worry that it’ll have spoiled me if I ever try to make a change.

# May 15, 2023 17:48

> Handsome Ralph posted: Couple of pages back but thanks for posting this. Started a new gig last week, my first IT/desktop support job, and this has been how I've been going about things but it's helpful reminding myself of the first point you made.

Something else about your first couple of months is that that is when you set expectations with everyone. If you come in firing on all cylinders and going 80MPH, working 12 hours a day and all that, that's the baseline expectation you've set with everyone. Say you get comfortable a few months down the road and dial it back to what you consider to be reasonable, people are going to think "Man, Ralph is slowing down or slacking". Way better to come in and set those expectations at first, and save some reserves when needed.

> madmatt112 posted: I've got a ridiculous compensation right now for the experience I have, and compared to my local market (current position is 100% remote for a Bay Area company, and I live in Alberta so duh), and I worry that it'll have spoiled me if I ever try to make a change.

I call these silver handcuffs. I'm a bit overpaid for sure, and if I left my current gig I'd probably lose 15% total comp and some vacation. The best advice I can give you is keep your lifestyle in check. Lifestyle creep is a real thing and if you start living on the assumption you'll always be making ridiculous money, and something happens, it's going to be painful. I'm guilty of having some lifestyle creep and I consciously try to keep it in check now.

skipdogg fucked around with this message at 17:55 on May 15, 2023

# May 15, 2023 17:52

> madmatt112 posted: I've got a ridiculous compensation right now for the experience I have, and compared to my local market (current position is 100% remote for a Bay Area company, and I live in Alberta so duh), and I worry that it'll have spoiled me if I ever try to make a change.

Bronze/silver handcuffs are real - want to break out of corp work and into that wfh govt job world but taking a hard look at a 40% pay cut is rough. Even taking the pension into consideration vs 401king it... ouch.

# May 15, 2023 17:58

> Soylent Majority posted: Bronze/silver handcuffs are real - want to break out of corp work and into that wfh govt job world but taking a hard look at a 40% pay cut is rough.

I don't know if it was here or the US GOV job thread or somewhere else, but they're supposedly working on increasing tech workers' salaries, because the GS scale doesn't keep up with the private sector. https://federalnewsnetwork.com/pay/2023/02/opms-special-salary-rate-for-federal-it-employees-narrows-gap-with-private-sector-pay/

# May 15, 2023 18:11

No one should have admin rights except me.

# May 15, 2023 18:12

> Sepist posted: No one should have admin rights except me.

I'm at the point in my career where I don't even want admin rights anymore. Can't make me do things if I don't have access.

# May 15, 2023 18:15

> skipdogg posted: Something else about your first couple of months is that that is when you set expectations with everyone. If you come in firing on all cylinders and going 80MPH, working 12 hours a day and all that, that's the baseline expectation you've set with everyone. Say you get comfortable a few months down the road and dial it back to what you consider to be reasonable, people are going to think "Man, Ralph is slowing down or slacking". Way better to come in and set those expectations at first, and save some reserves when needed.

Good point and I'm wayyyyyyyyy ahead of you. Literally the first day I asked about how to enter in some vacation time that was agreed upon before I accepted the offer, as well as just taking my full lunch break and leaving after I've worked my full shift instead of staying longer. Manager was also pretty upfront about adjusting my schedule to my liking and taking time off for doctors' appointments and stuff. Fortunately I think most of the people on my team have the same "don't overdo it" mentality.

# May 15, 2023 18:15

> skipdogg posted: I'm at the point in my career where I don't even want admin rights anymore. Can't make me do things if I don't have access.

Honestly, same. But it's less "me" and more "I don't want my team owning these steaming piles of poo poo".

# May 15, 2023 18:15

Nobody should have admin access, just use the built in programs.

# May 15, 2023 18:32

Using computers is a mistake.

# May 15, 2023 18:33

> vanity slug posted: Using computers is a mistake.

Internet Explorer fucked around with this message at 19:25 on May 15, 2023

# May 15, 2023 18:35

> tokin opposition posted: Nobody should have admin access, just use the built in programs.

Unironically agree. Edge is built in and good enough for SaaSing all the things. Sorry developers, but I don't have a use for you internally anyways~

# May 15, 2023 19:09

If more than one person needs it, package the application.

# May 15, 2023 19:24

> AreWeDrunkYet posted: If more than one person needs it, package the application.

Related, I have a rule for automation development that I call the 2x2x2 rule:

If a process needs to be done more than 2 times AND the process has more than 2 steps AND the work to automate will take less than 2x the cumulative labor to perform the task by hand, then it should never be done by hand again.

# May 15, 2023 19:50

I use the "I'm never gonna see this poo poo again" rule and just tell people I automated things when in fact I did not.

# May 15, 2023 20:03