Network Administrators: Rules Rationale

by The Piano Guy

When I wrote my article Network Administrators: Why We Make Harsh Rules (22:4), my purpose was to explain what seemed like, to some, capricious rules that some network administrators hand down.

I did it in reaction to a student (Luke) who ran afoul of the rules and was being taunted by a stupid and unprofessional network administrator.  I wrote the article with a bit of fear and trepidation.

Though I didn't think this was what I was doing in reality, I felt like I might be perceived as "the other side," rather like Hamas writing into the Jewish News to explain their actions.

The next issue had an attack letter implying that my article was stupid and that I should just stop whining and "do my job."

The editor of 2600 challenged the letter's author, explained why I wrote it, and why they published it.  Frankly, I thought a former employee of ours sent in the letter.

I write like I talk, he reads and writes for this magazine, and he's certainly smart enough to figure out that I authored the original article.  If my hunch is right, the man is stunningly brilliant with computers.  He certainly had more technical skills than most, including me.  He didn't, however, work in my department, didn't like me, and I don't know why he was fired, other than to know that I had nothing to do with it.

Three months later, kaigeX wrote a thoughtful rebuttal article.  Though he took me to task, he mostly agreed with more than half of the rules that the other system administrator handed down for me to enforce.  A well-reasoned response deserves a well-reasoned rebuttal.  To clear the air, I'm going to review the points he made about the points in my article.  If you can't follow all of this, do remember that 2600 does sell back issues.

His interpretation of my rules was in essence "we make harsh rules to make our lives easier and/or to protect ourselves."

He didn't think this was legitimate.  I don't exactly agree with his interpretation.  If I had to boil this down, I would say that we make harsh rules to keep the network usable for all people so they can get their jobs done and to protect the employer (owner of the network) from massive expenses in repairs and/or from legal action from outside entities.

Do note that I'm not offering "so they can manage their personal lives better (i.e., checking your Gmail or doing your banking online)."

The purpose for providing computers in the first place is to facilitate work.  That's why the owners pay for the network, and for me to run it.  When put that way, the emphasis changes.

He didn't think that our library computers were secured at all, thus unfit for use by him.  I don't think that's what I said, and I'm certain that's not what I meant.  They are secured.  They are on a different network (good question to ask, kaigeX).  They aren't as restricted and are perfectly useful for web mail when employees are on break.

He thinks the "hard rules" cause a loss of productivity.  The opposite is true.  So is my emphasis.  In fact, it is my job to find ways to improve processes to make people's work easier.  Sometimes that means writing a Crystal Report or some SQL code.  Sometimes that means buying, installing, and supporting specialized software on a user's computer.  And yes, sometimes that means opening up services on the network just for a certain department.  Whatever it is, it is my job to serve.

Now, if I'm constantly chasing down viruses and/or spyware, dealing with user complaints about how slow the network is, or spending time in depositions answering questions about copyright infringement by one of my users, I won't have time to find new efficiencies, let alone implement them.

The comment I made that bothered kaigeX the most was that if someone broke a rule and it didn't cause a problem, then we probably weren't going to even notice.  He somehow makes the leap that we expect people are going to have to break the rules to get their jobs done, so we set the expectations high knowing the people aren't going to follow them.  Maybe kaigeX has never had to deal with a legal department.

Surely he can use some clarification about how and why I do things.  The purpose of the network is so people can get their work done.  Everything we do derives from that basic premise.  No one ever has to break a rule to get his or her job done - period.

This is so true that if something comes up requiring a user to break a rule to get their job done, we either find a different way or change the rule, which covers Number 9 (no hacking).  This also covers Number 2 (no one connects devices without permission) because if they need it for their job they have permission.

It covers Number 3 (no one installs their own software) and Number 8 (no copyright infringement).  If they need it, we buy it for them so we're legal, and support it.

Unlike where kaigeX has been, we are 100 percent legally licensed for everything.  In fact, that was the main reason why my predecessor was fired - he didn't see a need to be 100 percent legal.  And peripherally, it covers Number 5 (no chat software).  We encourage people to use their mail clients as if they are chat clients.  It's almost as fast and this leaves an audit trail for them to refer to later (in their Sent Items).

Further, we try to strike a balance between being a police state and being open to lawsuits.  We could strictly enforce Number 1 (business use only) and Number 10 (no expectation of privacy), but that would be highly stupid and counterproductive.  It would take a lot of time and resources, and it would irk people to no end.

However, let's say that someone does something really stupid, like surf for kiddy porn while at work (which happened where I was employed in 1991).  We need legal grounds to look for it if we suspect something, or handle it if we find it by accident.  We also need legal protection so we can terminate this employee without being sued by them.  In this extreme example, a law was broken.  So, heaven forbid, if it ever happens to us, we would need legal protection to turn in evidence against them to the police.

On to other points.

kaigeX's disagreement with my Number 4 (no outside email clients) goes against productivity for work and also puts my network at risk.  It also causes political problems in the workplace.

My Brilliant Former Coworker (BFC) is more than smart enough not to bring in viruses via his outside email usage, but his Ignorant Department Director (IDD), two management levels above him, is computer stupid.  If BFC has the "right" to check his email, how am I going to deny this to IDD?  If I do deny it, what's to prevent IDD from demanding that BFC set this up for him, even if I've said not to?  Nothing.  Also, if BFC sets it up, I have no way to block attachments from coming in for IDD to open up (a workaround that kaigeX suggested), taking my network and the workstations on it to DOA.

Remember folks, I didn't write these rules.  I was handed these rules to enforce, and I do.  I also have to follow them, if not for safety reasons, then for political reasons.  If I broke a rule I am supposed to enforce and did serious damage to the network as a result, the person they hired to replace me would be the one to clean it up.

Lastly, I've always held the perspective that one thing worse than a hypocrite is being one.

More or less, kaigeX agreed with every other point I made.  He didn't necessarily like that he had to agree with me, but apparently it didn't occur to him that I don't necessarily like to have to take a position either.

Lastly, kaigeX made one blatant factual error.  He feels that I am at risk because of my Windows 2000 workstations not getting security patches.  Go to support.microsoft.com/lifecycle/?p1=7274 and support.microsoft.com/gp/lifecycle (unless Micro$oft changes the pages).  They make clear that security patches are provided through 7/13/2010.  By that date all of my 2000 machines will be long retired, and my employer will probably have a combination of XP Professional and whatever is newer than that for the desktop.

Shouts out to kaigeX (for a reasoned rebuttal) and the anonymous network administrator who both set these rules we're discussing and taught me a lot over the last years of working with him.
