Network Administrators: Why We Make Harsh Rules

by The Piano Guy

I've been thinking about writing another article for 2600 for quite some time.  I didn't, however, because from at least some of your readers' perspectives, I'm on the "other side of the line."  I am the guy in "management" who deals with folks that break the "network rules."

I finally got inspired to write this article based on a letter from Luke in 22:3.  Luke, like many letter writers, was the "kid in school" who did "just a little hacking" and got paraded down to the principal's office and suspended.  What irked me enough that I decided to write this article is the immature SOB of a systems administrator who teased him.  That bothered me a lot, since being that immature can't do anything but leave a bad taste with Luke.  Lesser men would get revenge.  I'm seeking peace through understanding.

I felt I needed to explain to those of you who don't get it why network rules exist, and make it clear that we (i.e., management) aren't all out to get you.  Instead, we are more concerned about covering ourselves and making sure that all network users can get what they need from the network, when they need it.

I work for a nonprofit that is a daughter agency to a larger nonprofit.  One of the sister agencies has a brilliant man who provides our network connectivity and security.  He also does this for several other of the daughter agencies.  He sets the rules and I enforce them.  We're all on the same big network.

For people who absolutely have to do stuff that isn't within these rather strict rules, we have some computers in a library that are hooked up through a different network where security isn't nearly as tight.  Then again, there are only a few of them, and they aren't all part of a domain.  The general public has access to these computers, so my users can do what they want, on break, in our library.

To sum up, we have a lot of policies that restrict the use of the network to a great degree.  However, if anyone needs to do something for business-related purposes, we find a way for them to do what they need.  Either we change a rule, or we give them particular permission "forever" or for a distinct window of time.  If you're on the "business side" of the network there are strict rules.

These rules are as follows:

  1. Use the network for business purposes only.
  2. No one hooks up other devices to the network without permission (e.g., laptops, PDAs, thumb drives, wireless peripherals, etc.).
  3. No one installs their own software or does installs besides me.
  4. No one connects to personal email, either through a software client (e.g., Outlook Express) or through a web interface.
  5. No one uses chat software.
  6. No one uses file sharing software (e.g., Kazaa).
  7. No use of Internet radio or downloading of music or video files, unless related strictly for work purposes.
  8. No copyright infringement.
  9. No attempting to circumvent the current security systems or hacking.
  10. We make it clear that we offer no expectation of privacy on our network.
  11. All executable and ZIP files are blocked at the firewall.

Some of that may seem reasonable to some of you, and some of that may seem way over the top.

There is a reason for each rule, however.  Explaining the reason may make it bother you less when you encounter one or more of the rules in your daily lives as employees or students.

First, we are understaffed.

It is all I can do to do my day job without having to chase down viruses too.  That, and any virus that hits one of my machines could easily hit all of the machines in the network.  As an example, Sircam was certainly very good at jumping from machine to machine.  One user making a bad move can infect literally hundreds of computers, requiring hundreds of staff hours to clean up the mess.  It could literally cost six figures' worth of labor and lost revenue to recover from one user's mistake.  So we set policies and hardware in place that make sure that that one user isn't likely to make a mistake.

As an aside, when I use "virus" in this article, feel free to plug in Trojan, adware, spyware, scumware, worm, or what have you.

Second, we are underbudgeted.

We are non-profit in every sense of the word.  It would be great if we had the money to buy more bandwidth, more staff, and better protection, but we just don't.

Third, while most of the users are bright people, some of them have trouble finding the on/off switch.  I have to support them regardless, so the rules exist to cover us for the lowest common denominator.

For these reasons, we insist that the network be used for business purposes only.  Users going only to business-related websites significantly reduces the chances of them coming across a virus, and it does reduce our bandwidth usage.  If someone is doing something personal and not causing a problem, we probably aren't going to even notice.  If they are causing a problem, we need to be able to tell them to stop, and have policy on our side.

By restricting connections of PDAs, laptops, and thumb drives to our network, we prevent yet another vector of viruses onto the network.  Yes, there are people who do use thumb drives and PDAs and laptops.  The PDAs we approve are not Internet-capable.  Laptops have current anti-virus software (and I check this to make sure they keep their subscriptions and definitions current).  Thumb drives are brought to me to be scanned for viruses before being connected to the broader network.  Or, maybe they are not.  If a thumb drive is not brought to me, is connected, and the network is infected, then at least we have grounds to terminate the employee.

The restriction against bringing in one's own software for install is threefold.

First, someone downloading software doesn't know that it is virus-free.  Second, if someone wants to bring in a program from home that they want to use in both places, that is a violation of copyright law, which puts our agency at risk for fines.  Third, if it's on one of my machines, then I have to support it.  That may be a hassle (because the program might be horrible), and it may interfere with other software on the computer.

I just don't have time to chase down these kinds of problems.  If a user needs something, it is better that we find an agency-wide solution for the problem, even if it is only one person that needs to do it.  Sometimes many people have to do the same thing.  I can better support it if they all use the same method and tool.  This helps keep standards too, so everyone is doing something in an efficient way that doesn't mangle the network.

Not bringing in email from outside or using chat software is simply the prevention of a virus vector.  Reduced use of bandwidth is an added benefit, but it pales in comparison to not getting a virus on the network.

Not using Kazaa and its ilk covers us for bandwidth, virus prevention, and copyright infringement.

Not downloading media files saves us from copyright infringement.  Our marketing department does bring media files onto campus, and we do use them.  They are intimately aware of the copyright laws, and call legal when they are not sure.  It is their job to not get us into trouble by infringement, however, and they do their job very well.

Not using Internet radio is strictly a bandwidth issue.  I will listen to our public radio station via the web, but only on a weekend when we're closed and none of the other agencies are open.  At that time of the week, no one cares.  If, however, I were dumb enough to do this during the week, I'd hear from my users how slow everything is running, and could I do something about it.  This is one of those "if you're not causing a problem, no one cares" policies.

Not hacking is expected for a few reasons.

First, hacking can break things.  This increases my workload and, as I said, I already am overworked.  Second, the hacker isn't doing the work they are paid to do if they are hacking.  Third, if someone is hacking, it is usually to do something they know we wouldn't approve of.  Remember that any work-related task is allowed, and rule exceptions do occur if simply asked.  Lastly, hacking makes security holes.  If I don't find this hole, and someone falls into it unwittingly, then we could get a virus.

As an example, a hacker who no longer works for us did hack, and left a security hole in a user's computer (they shared the same workstation).  That other user was in with their child on the weekend working.  When that other user went to the bathroom, their child decided to check their email.  The virus downloading part didn't occur this time, but it sure could have.  Logs showed the access, which is the only way we even knew we had a problem.  It's kind of like the hacker removed a manhole cover and a blind man fell down the hole.  Had the hacker not removed the cover, there would not have been the injury potential in the first place.  The excuse of "I'll put everything back" doesn't cut it because no one is infallible.  One miss and the "manhole cover" has been removed.

We offer no guarantee of privacy on the network.  This is to cover ourselves legally if we have to investigate someone's use of our system.  It also covers us if we're hacked.  As an example, I have a user who used to insist on doing her banking online at work on her breaks.  She doesn't own a computer at home.  I've explained to her that this ties up a lot of security resources (encryption will do that), but she didn't stop.  I then explained that if we're ever hacked, her bank account information is stored on the computer, and that we can't be responsible if her account gets drained.  That stopped her.

Lastly, we block all executable files and ZIP files at the firewall.

In our line of work, no one should be sending executable files to us.  As for ZIP files, it is not possible for us to scan a password-protected ZIP file for viruses.  We blocked all ZIP files, and did not install programs to handle ZIP files on most of the clients (we're running Windows 2000, not XP).

If someone needs to get something via ZIP, we ask the person sending it to rename the extension.  Then it comes through.  Someone sending a virus isn't going to do that.  My users who have a need to receive ZIP files ask for them to be renamed, get them, rename them back, and scan them before opening.  These are my "bright bulb" users.  As a result, I've never had a problem with a ZIP file virus.
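As an added example (not from the article or the author's environment), here is a defender-side check that judges an attachment by its leading bytes rather than its extension, so a ZIP that arrived renamed is still recognized, and that lists the entries a scanner could not open because they are password-protected. All function names and the sample files it builds are constructed for illustration.

```python
import io
import struct
import zipfile

ZIP_MAGIC = b"PK\x03\x04"   # ZIP local file header signature
PE_MAGIC = b"MZ"            # DOS/PE executable header
ENCRYPTED = 0x0001          # general purpose flag bit 0: entry is encrypted
EXPECTED = {"zip": "zip", "exe": "exe"}   # what an extension claims to be

def detect_type(data: bytes) -> str:
    """Classify by leading bytes, ignoring whatever the filename says."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(PE_MAGIC):
        return "exe"
    return "other"

def inspect_attachment(filename: str, data: bytes) -> dict:
    """Report claimed vs. detected type and any ZIP entries AV cannot scan."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = detect_type(data)
    encrypted = []
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # infolist() only reads the central directory, so flagged
            # entries are listed without needing the password
            encrypted = [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED]
    return {
        "declared_ext": ext,
        "detected": kind,
        "extension_mismatch": kind != EXPECTED.get(ext, "other"),
        "encrypted_entries": encrypted,
    }

def make_zip(entries: dict, mark_encrypted: bool = False) -> bytes:
    """Constructed test data: an in-memory ZIP. With mark_encrypted, flag bit 0
    is set in each local (offset 6) and central (offset 8) header, as a
    password-protected archive would present it (the payload is not encrypted)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                struct.pack_into("<H", data, pos + off, ENCRYPTED)
                pos = data.find(sig, pos + 1)
    return bytes(data)
```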

In essence, we have these rules to protect us from network damage, and to make sure that everyone can do what they need to do when they need to do it.

The rules are not to punish hackers.  They are to make sure that hackers don't accidentally punish other users.
