First off, let me thank everyone for their input.  I was very surprised at
the number of responses I got, I imagine that this is a hot button for most
people.

Let me make a few things clear;
The programmer had EVERYTHING he needed to do his job.  Everything.
Basically he's doing ASP and some VB development.  So about all he needs is
Visual Studio, Visio, Office, Crystal reports, etc etc.  Basic stuff.  If
there was ever a program that he needed, we were always willing to install
it, and even procure it if we didn't have it.  We have been VERY reasonable.
What became NOT OK, was when he began to bring stuff in from home (license
issues) and downloading a bunch of stuff off the internet (license +
security issues), without even the notice to the IT staff of what was being
installed.  Our policy was very clear, if you install non-authorized
software, you get a new image.  Now, we've been flexible in our policy, and
if they've installed something and it didn't break their computer, so long
as there wasn't a legal issue, we'd OK it.  The problem here is that he
broke his computer by installing something that he did not receive
authorization to install, or even bothered to notify IT that he was
installing it.
To cover his own ass, he called Dell FIRST, before notifying us of any
problems.  It wasn't until Dell said to 'reinstall the OS' that he came to
us.  When we went down to fix it, we found that we couldn't log in because
he had changed the local admin password, and refused to give it to us.  It
was at this point that we had no choice but to fix his machine and lock it
down.  Again, giving him all the tools he needs, AND even willing to install
any software he feels is necessary.  That's it.  We're not unreasonable by
any means.
As for the servers, he has his own development server that he can do
whatever he wants with.  If he breaks it, no problem, we rebuild it.  BUT,
we gave him a little too much leeway on production servers resulting in a
particular program going awry and sending 1,000 copies of an e-mail to over
1,500 people.  That was our fault and we've been stricter on what he does to
development servers.
I think the problem is that he's always worked in organizations where he's
the 'programmer/analyst', so he's handled both programming and systems.  I
don't think he likes the fact that he no longer handles system.  Tough
shi**, I say.  He has never given us a good reason for wanting the admin
password back, other than the fact that he doesn't like the fact that he's
locked out when he's been used to having full control.

As many people pointed out, this is in fact a VERY political situation.
It's ugly, and it sucks that it's been given the life-span that it's had.
It should have never been an issue, policies are in place, he and his
supervisor have merely chosen to ignore them.

The responses all of you have given have really helped, really.  I wanted to
make sure that I wasn't being unreasonable, or had unjustifiable
expectations.  I now see that I am not alone, and in fact, I've been WAY too
lenient.  So thank you all for your responses and support.  This will help
me in my discussions with my boss, and HR, and hopefully in discussions with
his supervisors.

Having said all that, the reality is that HR just wants to make everyone
happy and not be the bad guy, and all the other supervisors are trying to
avoid this, it's really a hopeless case for me.  And I do think,
unfortunately, that the result will be that I will have to move on because I
don't see this as a battle that I will win.  

Thanks again!

  -Jesus

p.s.- For those that have asked, if there are any developments, I'll keep
you posted.

-----Original Message-----
From: Eric Johnson [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 09, 2000 7:21 PM
To: Jesus Gonzalez; [EMAIL PROTECTED]
Subject: Re: [OT] L0pht crack policy


On 9 Jun 00, at 12:27, Jesus Gonzalez wrote:

> Hi All,
> please excuse this message since it's a bit off topic, but I could use your
> expert opinions to give me some backup.
> 
> There is a programmer in our company who seems to think that he is above all
> of our policies and procedures.  Yes, he is a new guy but has endeared
> himself to his manager (as the Director of IT, I report to someone else
> entirely).  He's continuously installing applications on his machine and the
> servers because he says he needs them, even though policy clearly states
> that only IT is allowed to install authorized applications on all
> workstations, and certainly the servers.  

It would be interesting to know specifically what applications you 
are talking about.  Did he ask for IT to install them and be refused?

For what it's worth, I think a developer should be in control of his 
own workstation(s).  And servers, too.  If the organization can afford 
it, he should have his own setup so that if something goes wrong 
during testing, it doesn't affect the production machines.  And if he 
also has to support the production machines in any way (such as 
track down bugs if/when they arise), he should have all the access 
he needs to those, too.

> He even changed the local admin
> password and refused to give it to us, and he's password protected his bios.
> That stunt earned him a fresh image and a CMOS clear and OUR password in the
> bios.

What caused him to change local admin password?  If he just did it 
for no good reason, that's one thing.  But maybe he didn't want 
someone else screwing up the way he had it set up.

> So we finally had no choice but to lock his system down (a Win2K box) and
> not give him the local admin password so he can't install anything.

Is your staff standing by to install what he needs when he needs it?

> Naturally we were well aware of programs like l0phtcrack and others to break
> the admin password, but never thought he'd resort to it.  Sure enough, he's
> downloaded it, and while he's been out of town, he's yet to use it.  He's
> also downloaded the Win2K high encryption pack, my guess is that he intends
> to crack and change the local admin password, then install the HE pack in
> hopes of preventing us from doing what he just did (can you say REimage).
> It's stupid, I know.  And I can't believe I'm having this battle.  

When it gets to that point, it's time to find another job.

It's hard to tell from this post what's really going on.  It could be 
that the guy just wants to control everything or it could be that the 
guy wants control over his own environment.

But you haven't told us much at all.

Eric Johnson
--------------------
[EMAIL PROTECTED]
[EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]