Systems Administration Ethics

Just wanted to get some food for thought going here about something I've been thinking about, I've had no formal Sys Admin "training", just a lot of personal experience. I've taken a class at my University on Sociological Issues in Technology (required for a Comp Sci Degree) which has a lot of focus on ethics. So when I was doing a backup of something with the old sys admin (now researcher) we saw that one user was taking forever to copy over the network. I figured that they were improperly storing something, and started to run an initial search for illegal content (without prodding into the folders, just a simple search for commonly named illegal multimedia content). I mentioned this to the old sys admin and he mentioned that it was unethical and that I could be fired for not only doing it, but for reporting it if there was content. I can understand the reasoning for protecting the privacy of end-users, however this one user was far beyond the normal storage usage and I felt it was my duty to inspect whether the account had been hacked or large amounts of illegal activity were going on. Illegal activities over the network would result in the termination of the network port for the server, which means I would have to eventually deal with it.

So my question is this: How do you know that what you are doing is ethical and within the job description and your bounds as an administrator, or if you are the end-user how much protection do you feel you should be granted as a user? At what level would this point be placed, i.e.: is it ok to glance through files but not read? Is reading them alright? If it is a work environment and large amounts of personal files are stored there would it be within bounds to delete them, or notify the user/boss about them? If you have some sort of written agreement with your employer and don't have an NDA I would love to hear what official pre-prepared paperwork looks like (most of my agreements are research biased, since I work at a University).
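Added example, not part of any post in this thread: one way to triage the "one user far beyond the normal storage usage" situation from the opening post using file metadata only (sizes, counts, extensions), so that no user file is opened or read. The directory layout, the extension groups and the 10x-median threshold are assumptions.

```python
"""Metadata-only storage triage for a share of per-user home directories.

Added illustration; not code from the thread. The audit functions never
open a file: they use names and lstat() metadata only.
"""
import os
import stat
import statistics
import tempfile
from collections import Counter

# Assumed extension groups (hypothetical; tune to the local acceptable use policy).
CATEGORIES = {
    "media": {".mp3", ".flac", ".avi", ".mkv", ".mp4", ".iso"},
    "archive": {".zip", ".rar", ".7z", ".tar", ".gz"},
}


def categorize(filename):
    """Map a file name to a coarse category by extension only."""
    ext = os.path.splitext(filename)[1].lower()
    for category, exts in CATEGORIES.items():
        if ext in exts:
            return category
    return "other"


def audit_home_dirs(root):
    """Return {user: {"bytes", "files", "by_category"}} per directory under root."""
    report = {}
    with os.scandir(root) as entries:
        for entry in entries:
            if not entry.is_dir(follow_symlinks=False):
                continue
            total, count, by_cat = 0, 0, Counter()
            # followlinks=False: a symlink must not pull another user's data in.
            for dirpath, _dirs, files in os.walk(entry.path, followlinks=False):
                for name in files:
                    try:
                        st = os.lstat(os.path.join(dirpath, name))
                    except OSError:
                        continue  # vanished or unreadable: skip it
                    if not stat.S_ISREG(st.st_mode):
                        continue  # ignore symlinks, sockets, devices
                    total += st.st_size
                    count += 1
                    by_cat[categorize(name)] += st.st_size
            report[entry.name] = {
                "bytes": total,
                "files": count,
                "by_category": by_cat,
            }
    return report


def flag_outliers(report, factor=10, floor_bytes=0):
    """Users whose usage exceeds factor x the median (and an absolute floor)."""
    if not report:
        return []
    median = statistics.median(r["bytes"] for r in report.values())
    threshold = max(median * factor, floor_bytes)
    return sorted(u for u, r in report.items() if r["bytes"] > threshold)


def build_sample_tree(root):
    """Constructed sample data: three users, one far above the others."""
    layout = {
        "alice/docs/report.doc": 1000,
        "bob/thesis.tex": 2000,
        "carol/stuff/track01.mp3": 50000,
        "carol/stuff/backup.zip": 10000,
    }
    for rel, size in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        report = audit_home_dirs(root)
        for user in flag_outliers(report):
            print(user, report[user]["bytes"], dict(report[user]["by_category"]))
```

The output is a per-user size and category summary that can be handed to whoever the written policy names as the decision maker, without anyone having browsed the folder.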
 
To be honest ethics don't really come into it.

The proper way of going about it is to have a written set of policies that defines the authority and responsibilities of administrators (including when and how auditing/monitoring takes place) and sets down usage regulations for users (what they can and can't use the equipment for).

And everybody signs a statement to the effect that they have read the policies.

Data handling should have its own set of policies as well.

I think the actual law says ANY data on a company computer is company property (Licensed IP notwithstanding), so there is no privacy issue if an agent of the company authorised to monitor/audit company system usage, like say an administrator, wishes to investigate a potential problem; after all, the law does not distinguish individuals within a company from the corporate entity, so if a user is illicitly hosting IP-infringing torrents using company equipment, the company is liable, not the user.

Like I said, all this type of stuff should be clearly defined by policy, not left to guess work.

*EDIT* Actually this is a pretty good resource for getting an idea of what sensible policy docs look like, it's more infosec focused but is pretty wide reaching and your situation is almost certainly covered.

*EDIT2* Did I say "Pretty good resource", I meant "really excellent resource", it should be required reading.
 
Users have no reasonable expectation of privacy when storing files on computers that they don't personally own. Period. This has been upheld in every single legal case regarding access to employer-owned computing assets that I am aware of. I'd be in shock if someone could point to a single case where a ruling was made that protected a user's right to privacy on their employer's computers.

I'm assuming since you are backing up the files, that the server you are backing up is the property of your employer. If that is the case, then by investigating the reason behind the slow backup you were performing due diligence. But quite frankly, as a systems administrator you don't even need a reason. So long as you are executing your duties in accordance with your employer's best interests, which in this case you clearly are, then you are above reproach.

The only data that is protected is 'personal data' (i.e. name, address, social security number, etc.) that is stored by your employer for business purposes in an application, data, or file that is intended for that purpose. That is not the same as a user's "personal folder" which might contain anything from family pictures and MP3 files to games and porn and whatever else they might find interesting.

You are completely in the right, and the sysadmin who is giving advice is 100% wrong. The only way that would not be true is if your employer has a specific policy that states that you shouldn't be looking in a user's home folder for any reason. Even then, that's not a matter of law, just a matter of an ill-conceived policy. Note that having a policy such as that is more likely to get your employer in trouble since as the owner of the computing assets, they may be liable for any illegal activity that the computer is used for. Having a policy that prohibits systems administrators from monitoring their systems for illegal activity might be construed as being criminally negligent.
 
I don't go reading through people's files but I do what I need to do to protect the integrity of my network and ensure that anything on it is within the bounds of the law. Most places make the employee sign a document that tells them nothing on the network is personal. The document at my workplace states that the network administrator can and will go through files if necessary to keep the network operational. I will not go through reading people's documents, email, etc but I will pop into a directory that is 2 gigs in size to see if there is warez, porn, etc to protect us legally. For me, it comes down to doing what I need to for my job and not talking about what I see if I see anything.
 
LittleMe said:
For me, it comes down to doing what I need to for my job and not talking about what I see if I see anything.

That's one of the best statements on the matter I've ever heard! And it's true!
Look at your employer's policies on the use of IT, but at the end of the day, it's your job to ensure the network runs, so if it means pushing for a new policy that says you can review any files suspected of being inappropriate then I would go for it!

But it's VERY important you don't mouth off about the porn that Joe has in his home folder.
 
Digital-Vortex said:
That's one of the best statements on the matter I've ever heard! And it's true!
That is a very accurate statement. It all boils down to this. You have access to potentially sensitive data, you need to be wary of that.
Look at your employer's policies on the use of IT, but at the end of the day, it's your job to ensure the network runs, so if it means pushing for a new policy that says you can review any files suspected of being inappropriate then I would go for it!
That exact policy should be in place anywhere there is a network for employees to use. Nothing is sacred, not even when they are off the clock. Sorry, you are allowed to use the system on your lunch hour as a benefit, not a right, and that according to rules. You break em, your ass is mine.
But it's VERY important you don't mouth off about the porn that Joe has in his home folder.
On the contrary, you do mouth off about it. To your boss, and you let them handle it.

A company (or school, or any other big organization network)'s network is theirs, and it's to be used for work. End of story. Anything else your employer gives you is nice of them, but not required. As the administrator, your job is to make sure everything works and stays working. Pr0n, email, etc. are a risk to that, and you need full access to minimize that risk.
 
Thanks for the link to InfoSec MartinX, those policies seem to give a good overall rundown of how systems should be shaped. I tried to stay very high level in my description of what happened (and also concealing the result - something that people will have to ponder about). After discussing some results with the ex-Sys Admin we came to the decision that we have two very different approaches to Sys adminning, I take the proactive measures and get involved, whereas he takes a very passive approach by considering all data 'personal' and therefore avoiding looks at it entirely. Different methods with different goals I guess. I'll keep working the way I have been, it seems to work and my boxen haven't been hacked or abused as far as I can tell utilizing these measures.

-hoka
 
Being pro-active will be your saving grace a lot. Taking care of an issue before it becomes a problem saves you so much time, drama, and most important, down time. If you are a passive admin and only take care of problems when they become a problem, I just don't see you lasting long. Now, about mouthing off. XOR is dead on. You don't say anything to anybody except your boss. It's your job to deal with the network, not the people. Whatever corrective issue they decide to make with the person based off the facts, is their choice. You just provide them with the information they need.
 
XOR != OR said:
On the contrary, you do mouth off about it. To your boss, and you let them handle it.

That's what I mean, you bring it to the attention of the appropriate people. But you don't go to the office and gossip about it to other staff.
 
What resides on a company computer is company property. As an admin it is your responsibility to keep it private however.
The legality issue occurs if you are using some sort of snoop or monitoring software. Users must be made aware that they are using a computer which is actively monitoring their activity.
 
Don't have questions about it. Set up an acceptable use policy and that's it, you're done with any user complaints. This is company hardware and software and if part of your job is to find problems with either then you're entitled to do that. End of story. Now going in and browsing for fun, that's another issue but the scenario as you've described there isn't a problem. But a use policy, either signed by the user, or pushed out to the screen upon logging in via AD removes any question about it. The guy who told you it was unethical needs to take some classes.
 
This is a great thread. At my work everyone knows that they can and will be monitored and that every bit of data going through our network is the company's. I found providing an active demonstration of my capabilities for monitoring and catching what employees are doing they tend to follow acceptable use guidelines without question. There is a level of fearing getting caught that provides a nice deterrent.

In demonstrating this I also showed ways I can use it for the users' benefit (finding what sites create popups and then filtering out the URL for the popup (usually causes the pop-up to not load), or other good uses). This way they trust the monitoring and me, but also understand that if they go beyond the rules they will have a high chance of getting caught.

Basically I let the users have a pretty free rein (within reason) but can take it away with a few mouse clicks.

For the record in a few cases I have been asked to actively monitor an unruly employee's computer and e-mail and read each message for non-business content. This capturing played a big part in terminating the employee and when they tried to get unemployment benefits it allowed us to go to court and get them denied.
 
I hate to jump in late without reading any other posts (and this may have been said already) but what people do on the company network can and will be monitored. To cover a company's back just have the employee sign a paper when they are hired that they will be monitored for network abuse. There's my 2cents for the argument. Now go ahead and look at those emails! LoL
 
MartinX said:
I think the actual law says ANY data on a company computer is company property (Licensed IP notwithstanding), so there is no privacy issue if an agent of the company authorised to monitor/audit company system usage, like say an administrator, wishes to investigate a potential problem; after all, the law does not distinguish individuals within a company from the corporate entity, so if a user is illicitly hosting IP-infringing torrents using company equipment, the company is liable, not the user.

That's exactly how I understand it.

We have to manually weed through emails that get flagged in our spam filter. This usually requires reading the body of the email to determine if it's to be released or deleted. We come across plenty of personal emails being sent/received from/to the outside the company. Since our user computer policy prohibits such emails, we delete them. I'll admit, it does feel a bit dirty going through others' emails, but that's the only way we can establish the legitimacy of emails passing through our system.

And as far as I know, the law is on our side.
 
That computer is company property and as such having illegal files or porn on it can get them into hot water. If Suzie walks by his computer and sees porn then the company can be held liable for sexual harassment. Same thing goes for email.

I have heard of some companies suggesting that their users have a web based account such as Hotmail for personal email. But this seems like a good way to bypass all those carefully crafted security measures in place on the email server. Nothing like that wonderful feeling of having a firewall that some user gets around and gets a virus that brings down the whole network at 5pm on a Friday.
 
This is why you need to have an Acceptable Use Policy, and have it signed by the employee upon acceptance of the position.

For example, ours states that no personal files, non-work related information or unlicensed materials should be stored on any system. (Same for unapproved "free" software)

We don't actively audit, but if we find them, we remove them.

There really isn't an ethical issue here, as it's not someone's personal computer that you were going through.
It's company property, and you were delegated to administer and maintain it.

The same issues stand for e-mails (again providing you have that policy set in place and clearly outlined)
 
post # 67 re: POLICY

seriously, there should be an IT policy in place which includes statements about what users are generally allowed to do with their machines at work, and also a statement that
All communications systems and equipment provided for employees are the property of DOMAIN and are provided for business purposes. Incidental and occasional personal use is permitted, as long as this privilege is not abused and does not result in more than minimal impact on the system or work time.
you can add to that if you want, but that is the line that says- if you're dicking around and downloading 6GB of porn i have the right to delete all of it cause you're a frickin tard. in the past i've found folders full of MP3s on the shared drive and simply moved them to my desktop. then i sent an email saying that storing that stuff on the shared drive is not allowed, and if the owner wanted their music back they could email me asking for it. you never get that email though.
 
So here is a question to add into the mix: Allowance for personal computer (i.e. laptops) on the network?

A lot of companies do not allow personal equipment (for obvious reasons). At our company since nearly every member of the sales staff has their own laptop, it is cheaper than providing each employee with a company laptop.

The reason I ask is that I need to figure something out, we have a new hire (management position) that is working off of a personal iBook, and he basically ignored my request to set an acceptable password and turn on the OS-X firewall. Since he is a contract-to-hire we don't plan on buying him his own computer unless we hire him at the end of contract. So, any ideas of how to handle this? Our employee handbook only covers company owned equipment so I'm probably in the wrong for even discovering what his password is.

Also how do we apply rules to vendor and customer equipment? Sometimes we have a large support team for some of our production hardware out here and they all need network access. How should we handle this, especially if I see their computer acting like it is infected, or a security hazard?
 
-Sean Casey said:
So here is a question to add into the mix: Allowance for personal computer (i.e. laptops) on the network?

A lot of companies do not allow personal equipment (for obvious reasons). At our company since nearly every member of the sales staff has their own laptop, it is cheaper than providing each employee with a company laptop.

The reason I ask is that I need to figure something out, we have a new hire (management position) that is working off of a personal iBook, and he basically ignored my request to set an acceptable password and turn on the OS-X firewall. Since he is a contract-to-hire we don't plan on buying him his own computer unless we hire him at the end of contract. So, any ideas of how to handle this? Our employee handbook only covers company owned equipment so I'm probably in the wrong for even discovering what his password is.

Also how do we apply rules to vendor and customer equipment? Sometimes we have a large support team for some of our production hardware out here and they all need network access. How should we handle this, especially if I see their computer acting like it is infected, or a security hazard?


You have to write and enforce policies for each of these cases. As a supplement to your computer use policy, you need a network access policy. It is perfectly reasonable to set ground rules for guest computers on your network, including things like suitable virus protection, suitable firewall protection, suitable content (e.g. don't connect your laptop to our network if it's loaded with porn), monitoring of activity, and even naming standards and what protocols are permitted. There's nothing wrong with scanning all the clients on your private network for security purposes even if they're using their own equipment. If they are using a computer on your network it is presumably for business purposes, and if so you technically employ the computer in a manner similar to leasing. A strong network access policy is a must.
 
For the employees who use their own laptops you only have one option. Don't let them connect it to your network. Other than that, the law pretty much rules you out of doing anything to a machine they purchased and own. Especially since you're basically asking them to use their own personal equipment.

As for the equipment from vendors and customers that connect to your network; again, have them sign an AUP stating the minimum requirements that must be met before allowing them access to the network and guidelines that must be followed at all times. And state, that at anytime for any reason, access to your network can be denied.

Just don’t forget to have your AUP looked at by a lawyer. It may cost some money, but if something ever happens it will be worth it. Don’t skimp out on this part.
 
Good points... I have a new comment on that, is there perhaps some way to have them sign a "contract" that says something like:

"While your machine is connected to our network you agree to allow IT to monitor for illegal usage. IT will not look at files that are clearly marked personal or stored in the following directories *list of folders that could contain private information*, and reserves the right to terminate network access at any time. I *employee name* willingly give *company name* necessary access to my computer to perform the aforementioned tasks"

Basically my thought on this, is monitoring network traffic and if items like porn or spyware or viruses are detected then we should be able to stop it and disconnect their computer.

I guess we need to check with a lawyer to clarify if data transferred on our network between a private computer and the public internet is considered ours or the computer users.

Really I've never really given much thought to any of this stuff, especially since employees have thus far been quite cooperative and willingly let me have my way with their laptops. Actually all of them let me configure and setup their laptops when they bought them... But who knows in the future what other employees may think?

I do not think a single IT course or seminar I've attended really focused on this topic.
 
You can monitor all traffic and anything they access on your network. You can scan their box and have them sign proper use agreements for the network when using personal devices but you have no control over what is on their laptop. Now, if they download porn at work to their personal laptop, it's abuse of the system. But if they have porn/warez/etc on it from home, sorry nothing you can do about it, it's not yours and belongs to them. But because it does belong to them, if you are audited and the BSA or whoever finds the stuff, it's not your problem as long as it wasn't downloaded at your site.
 
i don't agree with the above poster. let's say they brought viruses from home they downloaded while searching for kiddie porn. they are now the number 1 threat to your network. you have every right to pull the plug and not let them back on till you've deemed their computer clean and fit for access to the network. part of effectively enforcing this level of security is having them sign an agreement allowing you to scan their computer when they plug in. and once they sign off on that you DO have the right.
 
-Sean Casey said:
"While your machine is connected to our network you agree to allow IT to monitor for illegal usage. IT will not look at files that are clearly marked personal or stored in the following directories *list of folders that could contain private information*, and reserves the right to terminate network access at any time. I *employee name* willingly give *company name* necessary access to my computer to perform the aforementioned tasks"

I disagree with the part about "clearly marked personal..."

If it's connected to the business network it's fair game. Just because they put their virus/warez/etc in a folder marked "Personal" means nothing. If they don't want their personal data possibly accessed/scanned then they shouldn't connect it.

 
That makes sense in a logical sense, however what about a spot that offers a public internet access (i.e. a hotel, starbucks, etc), should the admin just be allowed to look on everyone's computer because they connected? What about ISPs, I mean you made the choice to connect to their hardware, so should they be able to monitor your computer or its contents?

I think legally it would be much easier to defend if you show some regard to personal data (even if you know almost no one actually will mark their folders as personal). I mean after all there are all of these people who think RFID tags are going to track them home and send them spam mail for laundry soap when their underwear gets dirty. Or those who think red-light cameras are an invasion of privacy.
 
-Sean Casey said:
That makes sense in a logical sense, however what about a spot that offers a public internet access (i.e. a hotel, starbucks, etc), should the admin just be allowed to look on everyone's computer because they connected? What about ISPs, I mean you made the choice to connect to their hardware, so should they be able to monitor your computer or its contents?

There is an absolute and concrete difference between someone providing Internet Access as a service (ISP, Hotel, Hotspot, etc.) versus someone connecting to a business network with a personal computer. You really can't make a slippery slope argument to get from one to the other.

When it comes to your business network (not providing public access) there really is no room for messing around. Companies don't have to relinquish their control over their private networks one iota in order to accommodate personal computing devices. Comply or stay off the network.
 
big daddy fatsacks said:
i don't agree with the above poster. let's say they brought viruses from home they downloaded while searching for kiddie porn. they are now the number 1 threat to your network. you have every right to pull the plug and not let them back on till you've deemed their computer clean and fit for access to the network. part of effectively enforcing this level of security is having them sign an agreement allowing you to scan their computer when they plug in. and once they sign off on that you DO have the right.

Viruses and such spreading to your network is a perfectly acceptable reason to cut them off. But it still gives you no right to go in and wipe the machine. It's not yours, and I'm afraid to say if you do go do it and they sue. You're SOL for touching private property. The only thing you have control over is giving them access to the network and its resources under guidelines that must be followed. (Like, they have to have anti-virus, a firewall, etc). Nothing wrong against scanning the computer plugged into your network, but there is in touching the computer and making changes to it. If it has a virus, best you can do is disconnect it and tell them to get it removed. If they ask/want you to do it, hey that's fine.
 
LittleMe said:
Viruses and such spreading to your network is a perfectly acceptable reason to cut them off. But it still gives you no right to go in and wipe the machine. It's not yours, and I'm afraid to say if you do go do it and they sue. You're SOL for touching private property. The only thing you have control over is giving them access to the network and its resources under guidelines that must be followed. (Like, they have to have anti-virus, a firewall, etc). Nothing wrong against scanning the computer plugged into your network, but there is in touching the computer and making changes to it. If it has a virus, best you can do is disconnect it and tell them to get it removed. If they ask/want you to do it, hey that's fine.

We're mixing arguments. I don't think anyone has suggested remedial actions for guest computers other than denying them access. Have I missed a post? The OP was about business owned computers. We've been sidetracked for a little bit on guest laptops, but I think these are different arguments.
 
They are similar since they both deal directly with the title of the thread "System Administration Ethics".

Anyhow, the ISP may have been a stretch, but not so much on the public internet access, right now our business provides it to customers in our lobby through a system owned by us, but are considering providing an open access point (segregated from the rest of the network via VLAN, and ACLs). I am really curious about input on this since it would be an inexpensive added value service for customers to use their laptop while they visit and wait to meet with their sales rep, or pickup of their product.

Handling this situation in an ethical and legal manner is very much on topic.
 
-Sean Casey said:
They are similar since they both deal directly with the title of the thread "System Administration Ethics".

Anyhow, the ISP may have been a stretch, but not so much on the public internet access, right now our business provides it to customers in our lobby through a system owned by us, but are considering providing an open access point (segregated from the rest of the network via VLAN, and ACLs). I am really curious about input on this since it would be an inexpensive added value service for customers to use their laptop while they visit and wait to meet with their sales rep, or pickup of their product.

Handling this situation in an ethical and legal manner is very much on topic.

Damn, that's a tough call. I guess personally I would side step the entire issue by not allowing the WIFI to begin with because it puts the company in a very difficult CYA position. You wouldn't want to make the customer fill out an AUP which prevents you from accessing their computer because it would be a pretty major inconvenience and no one would use it then. If they do any of the naughty things mentioned already, the company could very well be held liable and there isn't much you can do to prevent it.

You can't secure the access and you can't leave it open either. What do you do if one of your customers steals info from another customer while in the lobby? Obviously you didn't perform the theft, but your company's network played a part in it.

It's kind of a lose/lose situation.


 
Party2go9820 said:
Damn, that's a tough call. I guess personally I would side step the entire issue by not allowing the WIFI to begin with because it puts the company in a very difficult CYA position. You wouldn't want to make the customer fill out an AUP which prevents you from accessing their computer because it would be a pretty major inconvenience and no one would use it then. If they do any of the naughty things mentioned already, the company could very well be held liable and there isn't much you can do to prevent it.

You can't secure the access and you can't leave it open either. What do you do if one of your customers steals info from another customer while in the lobby? Obviously you didn't perform the theft, but your company's network played a part in it.

It's kind of a lose/lose situation.

Actually not entirely true since Proxim's APs can block client to client communications as long as they both are connected to the same AP.

So if Sean deploys one AP in the company's DMZ, he can provide hotspot access without worrying about client to client access.

Quoted from Proxim 700 User guide:

"Intra BSS

The wireless clients (or subscribers) that associate with a certain AP form the Basic Service Set (BSS) of a network infrastructure. By default, wireless subscribers in the same BSS can communicate with each other. However, some administrators (such as wireless public spaces) may wish to block traffic between wireless subscribers that are associated with the same AP to prevent unauthorized communication and to conserve bandwidth. This feature enables you to prevent wireless subscribers within a BSS from exchanging traffic.

Although this feature is generally enabled in public access environments, Enterprise LAN administrators use it to conserve wireless bandwidth by limiting communication between wireless clients. For example, this feature prevents peer-to-peer file sharing or gaming over the wireless network."

HTH
 
Thanks for that post and link. I think with that, and just monitoring network traffic (not their computer) that should give us just what we need.
 
The Proxim APs are incredible. I have a dozen of the AP-4000 and they'll help you a ton. Just block client-client communications, then you could also set up multiple SSIDs on separate VLANs and have a secured and non-secured open hotspot. Then you could set up a gateway box with a captive portal where they accept the AUP to access the internet.
 
By the way, I drive down the 57 every once in a while, any clues to where you work so I can camp out in your parking lot for some free internet when you get it set up ;)
 
As far as I am concerned, it is my job to make sure the network runs. If it fails due to someone using it for illegal activities then I am not doing my job.

Where I work, I am head of the IT Dep and I always have one machine running a Bandwidth Monitor which lists by the highest amount by any user on any machine.

If they go overboard I will check their files to see what they are doing. That is my job, that's what I am paid to do so I will do it.

Simple :)
 
-Sean Casey said:
Anyhow, the ISP may have been a stretch, but not so much on the public internet access, right now our business provides it to customers in our lobby through a system owned by us, but are considering providing an open access point (segregated from the rest of the network via VLAN, and ACLs). I am really curious about input on this since it would be an inexpensive added value service for customers to use their laptop while they visit and wait to meet with their sales rep, or pickup of their product.

I think there have been very good responses to this so far. IMO the key is in segregation. You keep the public hotspot separate from your internal network. The ground rules for each are entirely different. The internal network is your kingdom, the public hotspot is the wilderness. You should certainly prevent computers in the hotspot from accessing one another. You also may consider content filtering at the outbound router to make sure no one is connecting to clearly illicit websites from your hotspot. You may even be justified in network scanning and shutting down any connection if you detect virus-like activities on the hotspot network. However, on a public hotspot you truly don't have the right to access the contents of someone's private computer or make any changes to it.

But then again, once they step inside and plug in to your internal network they are fair game for any type of deep scanning you feel is appropriate. Your only obligation at that point is to let them know that they in fact are on a private network and that there are acceptable use policies and network access policies in effect that will apply to them should they choose to connect. Also, your only remedial action for a guest computer even in this circumstance should be disconnection.
 
LittleMe: I actually work in Whittier. Off of Greenleaf Ave. I live in Brea.

I printed this thread out, it was a pretty good discussion with lots of good view points.
 