RE: [ActiveDir] Kinda OT: Advice welcomed

[al_maurer]

Title: RE: [ActiveDir] OT:Exchange 2003 SP1 bloat

All this is good advice, but tends to accept as fact that there is a security risk involved.  You wrote,   you know nothing about (and for that reason do not trust)   There are really two issues here:   - your CIO is playing AD administrator, and for dealing with that there has been lots of good advice - you don't have all the security facts, so fear the worst consequences   I'd suggest first finding out all you can about this application and its site because it sounds like you're going to have to deal with it for a long time.  If you approach this as a control issue--well, the CIO is in charge as others have said.  If you approach it wrong, the CIO may think you have a problem with change because this may be a new application in your environment or something in the business has dictated handling this in a new way.   I think the real outcome you want is for the CIO to appreciate that he should keep you informed about changes and that you can help make them happen in a seamless and secure way.  That way you can make his life easier and he won't have to deal with this sort of thing.   Good luck!   AL Al Maurer Service Manager, Naming and Authentication Services IT | Information Technology Agilent Technologies (719) 590-2639; Telnet 590-2639 http://activedirectory.it.agilent.com ---------------------------------------------- Better Administration through Active Directory -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of joe Sent: Saturday, August 20, 2005 8:30 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Kinda OT: Advice welcomed How big is your company? Do you have a security group that doesn't report through the CIO? This is almost certainly unacceptable corporate exposure that your CIO really doesn't have the right to expose the company too on his own in my opinion. This is the kind of thing that I would certainly really push up the ladder hard and would be willing to be terminated for. However, it completely depends on your feelings on the matter. Is it something you would quit over? If not, then it probably isn't something you would want to be fired for and making a stink of it other than simply reporting it to your direct manager is probably not what you want to do.   In your shoes, I would consider locking down the traffic from that address or range of addresses with ipsec or something else under my complete control and report it to my management and security to make a call on what the next steps were. If your company is so small that the CIO is directly tasking you, I expect you don't have a separate security group and you may have very very little recourse other than to talk directly to the CIO and explain the risk he is putting the company in (he told you what to do directly, IMO, that gives you the right to question and explain why you think it isn't right). If he still says full speed ahead, say damn the torpedoes and go with it OR throw up the white flag and move on to bigger and better things. Again, if you don't have a separate security chain, it is a good chance that you have no leverage to fight so you could never "win" so the battle is not very appealing.   Another way of looking at this is if something bad happens, whose ass is up on the firing line? If it is mine, I certainly would make it very clear how bad I thought this was so my rebuttal at the time of the decision to fire or not is "I told you this was stupid". Then again, I am very much about doing the right thing and have enough job security that I am not overly upset about losing a crappy position.   As the others said, that AD and that company isn't yours. But, IMO, it is your job to make sure you speak up when things are not done properly. If not, you are admitting that you were simply hired to push buttons. Our jobs as admins is to help our management make good decisions and recover from stupid ones as well as implement all of them, smart or stupid.  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long Sent: Friday, August 19, 2005 11:38 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Kinda OT: Advice welcomed Here’s a question for everyone:   Your CIO decides it is cheaper to host an application remotely at a site that you know nothing about (and for that reason do not trust). He then decides on his own that he will just tell the network guy to open port 389 to one of your production DCs without consulting, or even mentioning it to you or anyone else that may have something to say about the security risks. Then he asks you to create a test user account for a junior admin to test with, and gives the remote site the username and password.   What do you do?