Results 1 to 15 of 15
  1. #1

    Datacentre - give away admin rights ?

    Strange security situation ! A customer is moving their entire Win2K structure (about 50 servers in 1 AD) into a managed datacentre although they will continue to maintain everything from OS up including service packs and of course their application set. The datacenter staff will ensure the machines ping respond and do backups but not much else. The customer owns the hardware and software.

    Datacentre people are insisting that all their staff (almost 100 around the world) have full admin rights to all machines. I have advised customer that Datacenter staff should just have a policy applied to give them rights to backup data but no more although customer would give them rights on need basis if required. Datacenter people say that isn't possible and nobody else does it that way !

    Is this normal ? What would you guys do ? I've told my customer that based on my experience and training he shouldn't conceed admin rights to so many people - so of course he has asked me to work out a solution !

    Assuming I'm right (!) what I could really use is a sort of "best practice" white paper that the customer can take to the datacenter people, anyone seen such a thing anywhere ?

    Thanks,


    DC

  2. #2
    Join Date
    Apr 2002
    Location
    West Yorkshire
    Posts
    1,357
    I am not sure on this one to be honest... giving admin rights to 100 people seems a little extreme to me.

    I would wait for some more precise information from others as I am not 100% sure.
    -- Matthew

  3. #3
    Join Date
    Apr 2004
    Posts
    338
    Giving them admin rights to the AD seems a little much, but might be one of those required things for them. Only question I have.....

    Are they asking for 100+ users to be created all with admin rights? or one user like domain\DCStaff?

  4. #4
    >>Are they asking for 100+ users to be created all with admin >>rights? or one user like domain\DCStaff?

    Both in a way, we are running in a development mode at the moment and they have created individual accounts in the admin group with full domain admin rights for 100 users (physically in 3 datacentres around the world) which is meant to be for accountability but only 4 or so users are active and most of the time these guys just log in as administrator so accountability is not working too well !

    DC

  5. #5
    I would ask them to clearly explain, to your liking, why this is required. Depending on how managed their services are, this could be justified but only for one or two administration accounts.
    Advanced Forum Hosting
    http://www.boardnation.com
    Easily build a community today!

  6. #6
    Join Date
    Apr 2004
    Posts
    338
    Well I would recommend doing what daveman suggested. I wish I was going to be around longer today to see what they reply with.

    In my opinion. They would not need administrative access. Maybe on the machines themselves but not a full blown admin account for the domain(s). Data security is a huge issue and giving them sole admin rights over your domain can be a very bad thing. Not that they have bad employees, but to me the risk would seem to high.

    Giving them limited admin rights by creating a usergroup + and forming a strict group policy. Keep peopele from accessing information they have no need to access. The ability of changing ownership rights on folders/files on a business server is nothing I would allow to anyone outside my own company.

  7. #7
    Join Date
    Jul 2003
    Location
    Connecticut
    Posts
    3,038
    No way. We make it very clear to all of the DC's that under no circumstances are they to login to our machines without prior consent. After you have a clueless tech format one of your machines because he thought you were someone else you will understand.

    If they need access they can pick up the phone.

  8. #8
    Join Date
    Mar 2001
    Location
    London, England
    Posts
    334

    Re: Datacentre - give away admin rights ?

    Originally posted by davidcha
    Datacentre people are insisting that all their staff (almost 100 around the world) have full admin rights to all machines.
    Crikey.. i'd seriously recommend against that... a huge proportion of attacks come from within. It sounds to me like someone has their wires crossed or the DC don't really know what they are doing.

    Under no circumstances (that i can think of) would 100 different people need access to an admin account... for a start how on earth would you audit that... there would be no way of aportioning blame when they mess up. Better to assign them user accounts that don't have admin rights of any sort and only delegate the permissions that are absolutely necessary for each of them to do their jobs.
    Mark Castle
    Secura Hosting Ltd
    www.capitalethernet.co.uk
    My views are my own and not those of my company.

  9. #9
    Join Date
    Jul 2003
    Location
    Connecticut
    Posts
    3,038
    If they only need to access the machines for backups then you can start there. I doubt it takes 100 people to backup your equipment.

    I would as others suggested get on the phone and have them explain exactly why this needs to happen. Afterall it is your equipment bottom line is you say who gets access to it. If they absolutly need access I'm sure one user account will suffice.

  10. #10
    100 staff is too many. I would imagine most of them do not plan to stay in the company forever.

    Create an admin account with limited rights, using sudo or a hardened kernel with ACL such as Grsecurity.

    At the most, you would just give up the ability for them to manage your server, but I don't think that's the case.
    Like us on Facebook to qualify for discounts!
    http://www.sprintserve.net
    Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting |
    Services: | Managed Multiple Cores 64bit Servers | Server Management |

  11. #11
    Join Date
    Apr 2004
    Posts
    338
    Grsecurity + Win2k?

  12. #12
    Ah. My mistake. Missed the word w2k in the original post. Apologies.
    Like us on Facebook to qualify for discounts!
    http://www.sprintserve.net
    Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting |
    Services: | Managed Multiple Cores 64bit Servers | Server Management |

  13. #13
    Guys, thanks, all confirming my view but I'm in a battle with a datacenter provider who have slick sales and marketing and a non-technical customer who has "bought the dream !"

    I need ammunition ! Despite an hour Googling I haven't found the document I need that I'm sure must exist. Ideally it would be authoured by MS or some other "big name" company and would talk about what WE know to be best practices in datacenter security.

    DC

  14. #14
    Here's your documentation right here. Your can quote me.

    "A datacenter in no way shape or form needs to add 200 users to gain administrative access to a server. Its a major security issue." - T7702

    Cheers,

    T7702

  15. #15
    Join Date
    Feb 2003
    Location
    Detroit
    Posts
    836
    The customer is always right. If you don't want them in, then they have NO business in your machines. If they need access to perform tasks related to service they are offering, they should be able to justify the need clearly to you. Bottom line, they are your machines. You are paying them for service, they are working for you.

    If that is their policy, find another datacenter.
    managedway
    WE BUILD CLOUDS

    Cloud Computing | Fiber Optic Internet | Colocation

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •