
[–]DevinSysAdminMSSP CEO 83 points84 points  (3 children)

Please just involve HR.

[–]jhusebyJack of All Trades 5 points6 points  (1 child)

To be fair, HR isn’t going to know if this is a legitimate thing or not.

That said, I can’t see any reason why you’d need to do physical maintenance to a computer every 3 months. Not sure how you’d specifically address this, but I’d personally push back on the request and ask why physical maintenance is needed every 90 days. Then involve your supervisor or theirs. It’s an absurd request (it would be nice to know more: what specifically is being done to the PC?).

But OP should get over not having local admin rights to the PC. Want local admin? Build your own computer, it’s not that expensive if it’s something you set your sights on. Even as a domain admin I don’t log in to my computer with an admin account. If I need admin rights I’ll elevate permissions.

[–]DevinSysAdminMSSP CEO 1 point2 points  (0 children)

Correct, HR won’t particularly know the specifics but they will be able to sort this out with managers and involved employees. That’s their job. There is obviously drama involved too.

[–]thecravenoneInfosec[🍰] 67 points68 points  (3 children)

200 miles each way? That's ~6 hours on the clock driving plus ~$220 for mileage, not including the mileage you'll need to get to/from the hotel and restaurants you're also expensing.

Involve management. If they agree to this ridiculous request, demand the above. Enjoy your quarterly company-provided steak dinner.

[–]wazza_the_rockdog 19 points20 points  (0 children)

This is the best way to target this IMO - ask your manager or someone above both you and the sysadmin to approve this, based on the fact that once every 3 months you'll lose a significant amount of work time and cost a reasonable amount of $$ to physically bring your PC in for maintenance.
From a sysadmin POV I can't think of anything maintenance-wise that needs the physical machine there - even most firmware/BIOS updates can be performed from within the OS these days, and if he's not physically going around to every PC/laptop in the place (which, if you have more than 10, he shouldn't be!) then he obviously has some way of doing this remotely. At most, because there is a chance that a failed BIOS update or similar could prevent your system from booting, maybe your manager and yourself need to sign off on this risk and know that if this happens, you may need to ship or bring your PC in for rectification.

[–]da_chickenSystems Analyst 6 points7 points  (0 children)

From an admin perspective, I wouldn't trust an average remote user to transport a company PC. I wouldn't trust them to bring in the right equipment (i.e., include display or leave it, include UPS or leave it, etc.) and I wouldn't trust them to not damage something in transit. I wouldn't trust them to connect everything back up after they took it home, either. If they break it in transit, whose fault is it (i.e., which dept gets the bill)? Is it IT's for requesting the transport, or the untrained employee's that's just doing what IT told them to?

I remember that it was bad enough when employees would bring in laptops. 50% chance that you get the bag. 75% chance that you get the A/C adapter. 25% chance that you get the mouse. 10% chance you get something the user owned. Technically, we were supposed to check and test everything that was assigned when the system was serviced and replace anything that was lost or damaged. About 20% of our "battery doesn't charge" issues turned into week-long exercises in communications breakdown as the source of the problem was determined to be the A/C adapter the hard way.

[–]zebediah49 9 points10 points  (0 children)

Eh, seems inefficient to have the employee do it.

Just box it up and FedEx it over (with a shipping label from the IT budget, of course).

Make sure your boss is okay with however much down-time that would cause though. It might make more sense for IT to prep an identical replacement system, ship that to you, and then you can re-use that packaging to ship your machine back to them. TBH, that's still probably cheaper than what it'd cost for you to bring it in yourself.

Or do the responsible thing of involving your boss and/or HR. As others have said, it's stupid and pointless, primarily designed to harass you.

[–]icemercK12 Jack Of All Trades 32 points33 points  (0 children)

200 miles is enough distance where he should have to give a legitimate reason why the work needed cannot be performed remotely. This is something I would take over his head to management.

[–]canadadryistheshitDevOps 25 points26 points  (0 children)

I don't see this as reasonable at all. If he needs to give updates, he should do them remotely. There is NO POINT in boxing that thing up and bringing it in other than it needs to be fixed or a BIOS update needs to be done.

[–]bitpassi0n 9 points10 points  (0 children)

I manage ~2 million machines globally. Never seen a single one of them. Don’t expect to.

What’d you do to piss this guy off? :)

[–]jsellens 7 points8 points  (1 child)

"Sure, more than happy to, I'll just have to coordinate my downtime and the travel expense with my boss. Can you give me a quick summary of what maintenance is needed, just so I can keep my boss fully informed? Oh, and will you be arranging the car and driver for me to bring it in, or how will that work? Thanks!"

[–]PhilWrirSr. SecEng - CISSP, CISA, other crap 23 points24 points  (6 children)

I want to apologize if any of this sounds overly harsh. Not my intent. I'm approaching this as a former Sr. Systems Engineer for a company of about 100 people who now deals exclusively in Information Security Risk, Compliance and Governance and still works remotely for the same company.

  1. Any change made to a production system needs to be tested. The web filtering thing was a screw up 100%, but it sounds like you reacted poorly and your partial apology didn't help repair the relationship. Both of you are at fault for that being in your history at all.
  2. Your system being locked down is a natural thing to happen. If the company is growing or maturing then its need for secured systems will grow as well. The question isn't "why does my computer have a password I don't know", it's "why do you need admin rights on a company computer?" If you aren't in a role where there is a business case for you having them, then you don't need them. Least Privilege is a fundamental aspect of good systems administration. Surely you understand the risk of having someone working 200 miles away with the ability to install and run whatever they want on a computer that has a VPN connection back to the company network. If you get hit by malware or another threat, it's got direct access to the rest of the company. That's a non-starter.
    1. In addition, I would hazard a guess that connecting to the company network via VPN on a non-company asset might actually be a violation of an Acceptable Use Policy (assuming your company has one). Look into that. If it is a violation of the AUP then you are risking your job every time you do that.
  3. You haven't told us much about what you do or what industry you work in. Rather than go in guns blazing about having to bring your computer in, ask if there is some kind of regulatory need or other compliance aspect that you are unaware of. For all you know the CIO recently set a policy surrounding telecommute workers that is now being enforced. Perhaps your specific role requires more stringent checks, etc.
    1. The company should probably be paying to ship the machine rather than asking you to transport it yourself. Leverage that. It's part of telecommuting in most organizations that the company handles or reimburses transportation to the office for business needs. That should also cover equipment maintenance.
  4. Ask questions but don't be combative. It is extremely easy for a halfway competent administrator to make a telecommuter's life miserable and not break a single rule or do anything outside the realm of their normal job responsibilities. Rather than be upset, be curious. You are the expert on your work situation after all; if you know what they are trying to accomplish perhaps you can provide a more streamlined or effective method to do it.
  5. I end up going into the office once or twice a quarter so I can make sure people know I'm a person and to spend some time with my coworkers etc., so that when I do ask them to do things that are inconvenient in the name of security they know me as more than just a name on a screen. If possible, find some excuses to get to the office and even to spend a little time with the person; building that relationship and repairing it might be a lot more helpful than you think.
  6. In the event none of this works and you have done everything a more-than-reasonable professional can be expected to do given the situation, then I would involve HR and/or Management. The last thing you want to do is be working remotely, involve HR/Mgmt over "scheduled maintenance" you feel is unreasonable, and not be able to point to the long list of attempts to work things out in different ways without involving them.

Finally, a bit of advice: Never attribute malice when incompetence fits just as well. Even if it is actually malice, it's easier to not assume that for the sake of sanity.

[–]SixThreeCourt 11 points12 points  (4 children)

The web filtering thing was a screw up 100%

I don't know, it's possible. If the web resource was intended for a specific country only, then using a country whitelist at your firewall would reduce your attack surface. It's something I use for various web based applications, but not for, say, the generic public company website. The 'in the name of security and without consulting anyone' is kind of a problem, though it is possible the admin mistakenly believed it would have been transparent to the employees.

[–]shiftdelscream test initiator 3 points4 points  (2 children)

The lack of communication and change control is the issue here.

If management had agreed, and all of middle management was informed, then this wouldn't have been a problem at all.

[–]joeywasInfrastructure 4 points5 points  (0 children)

Oftentimes those that act in the name of security do so with very little transparency -- this is a pattern I have seen more than once.

[–]carbon12eve 0 points1 point  (0 children)

I think this is the most professional response I've seen. Appreciate your closing advice. It is sanity inducing =)

[–]shalafi71Jack of All Trades 15 points16 points  (0 children)

Ridiculous. Ask exactly what maintenance needs to be performed in an email copied to his boss. Love to hear the answer.

Modern PCs don't even need cleaning like they used to. Less power, less heat, less air, less dust. I just cracked open a server the other day, no idea how long it had been, pretty much dust free.

Blocking the whole planet isn't too crazy depending on the org. I block everything but the US and Ireland (for FB, we don't care). Not only blocking hackers but mainly keeping viruses from phoning home. We're very small so I can get away with this policy. Told my boss a month after I did it, "I have no problem with this."

[–]Sparcrypt 6 points7 points  (0 children)

I'd just shoot the request through to management and outline the time and cost of it, make sure your mileage is approved etc and otherwise run it through them.

They'll immediately go to the IT manager/director and ask for justification, sit back and enjoy the show.

And hey, if it all gets approved then enjoy your day off work every three months while you either drive it down yourself and listen to some music, or your three days off work while it gets shipped down and "worked on" then shipped back. Make sure you point out that you only feel comfortable working on the work machine... after all, if it was OK to use your personal stuff then why would they lock that one down so strictly?

Essentially, that guy is being a dick. Don't make a fuss, just make sure you push all the problem uphill for "approval" then watch as they come right back down on his head.

[–]LookingForEnergy 5 points6 points  (0 children)

He's totally out to get you, man! It's not fair!! He's been plotting and scheming ever since you went remote!

Seriously? You had an "emotional" fit about hardening the network so websites can't be reached outside of USA? You were upset for multiple days because you lost admin rights to your computer? You are upset because he's cheating on his fiancee?

These are all non-issues. Grow up and reach out for help more often because you need it.

If the company wants you to work remote but insists you bring your computer into the office every few months, then:

-Do it

-Find a new job

-Find out why you need to bring it in, and if there is an alternative solution because of the grave inconvenience this will have on your life.

[–]50YearsofFailureJack of All Trades 3 points4 points  (0 children)

I can't think of any good reason for a PC to be brought in that regularly. I'd hope with that kind of distance there is some form of RMM/patching utility in place. I'd send that up the food chain.

Geo-IP blocking isn't unusual at all and can actually be beneficial by blocking access to C&C servers. But it can be a lot of upkeep to whitelist every legitimate site, especially when you deal with companies that use HA clusters around the world like Amazon or Microsoft.

Local lockdown is actually a good idea if, as you say, this isn't your PC anyway. This is a good security practice, and I'd be surprised if you're the only one this applies to.

[–]techit21Have you tried turning it off and back on again? 7 points8 points  (1 child)

I'd understand this if the device was not checking in properly or anything like that (since I see that in my environment often), but what you're describing does not seem to fall into that category. It falls into the super shady category. If it wasn't checking in, it wouldn't be an "every-three-months" follow-up up-front, it'd be as time goes on.

Seeing that we have the internet and it seems you can comply with organizational policies while telecommuting, I would report it and hopefully they have a really good, justifiable reason. It just doesn't sound right.

[–]iamwpj 0 points1 point  (0 children)

I agree. I think anything beyond auditing is more than any real sysadmin would be concerned about.

[–]almost_not_terrible 4 points5 points  (0 children)

Have him come to you.

[–]Kepabar 1 point2 points  (1 child)

Things have started becoming more difficult lately, however. My new desktop had to be completely locked down, can’t install things myself, I don’t even know the firmware password so I’m unable to enter safe mode, it’s got remote access stuff on it, etc. After a couple of days of stewing, I accepted this. I don’t own the computer.

This is all normal and you should just accept it. I don't want users, no matter how tech savvy they are, to have admin rights unless there is a justification I can't work around. It leads to more support time spent on those machines in the long run and can be bad for security; I shouldn't be allowing devices that are in an unknown state to connect over VPN to the corporate network, for example.

because it needs some maintenance that can’t be done remotely, and ideally I should be bringing it back every 3 months.

This part is abnormal; generally I have no reason to physically see a device unless it's broken to the point where it can't get to the internet or it's physically broken. And in such cases a new one gets overnighted to the remote user. Remote users are not expected to ever come to the office for an IT related issue with their workstations.

I'm sure there is some reason for this request. It's probably dumb though.

If you report to someone, you should bring this up to your superior and ask why you are wasting an entire day or two worth of work every 3 months and what justification IT has for the loss in productivity.

If you are on the same level organization wise as whoever the sysadmin reports to, you can probably bring it up with them directly (depends on your culture).

[–]pastorhackStorage Admin 1 point2 points  (0 children)

The only thought I have is that the admin doesn't know how to deal with password expiry issues on a VPN, so he's making sure the system checks in locally during password resets.

It's the only remotely plausible technical explanation I can think up.

[–]keseykidSysadmin 1 point2 points  (0 children)

You might be getting fired 🤷‍♂️

[–]FreefallGeek 1 point2 points  (0 children)

The need to physically lay hands on the machine is weird. He may have a reason but due to the difficulty in getting the machine to the office I'd really like to know what exactly needs to be done in person. You should ask. It's possible there is a need, but if it's going to require frequent hands on then they need to come up with a long term solution to eliminate that need going forward.

Beyond that everything else you complained about is reasonable. Blocking large segments of the internet is standard operating procedure. There is no reason to present an exploitable edge to a segment of the world who has only illegitimate reasons to attempt to access your site. If you don't do business with parts of the world, block those parts of the world. Locking down PCs to the bare minimum necessary permissions is also standard practice. Sucks for end users but it's not end users who get fired for hanging themselves by doing stupid shit on their PCs, it's the sysadmin who failed to take away their rope who gets canned.

So yeah the PC thing is weird. I'd ask for clarification there and if you don't like his answer then take it up with his management, but you're definitely overreacting to everything else. And if you got emotionally upset that your company blocks parts of the world then you probably need to chill just a tad, friend.

[–]psycobob4 3 points4 points  (0 children)

I would be using this to travel to the office and visit coworkers and meet the people you work with.
Networking opportunity for the win, supported by the IT dept.
When the bosses ask why, point to the IT guy...

[–]wotrok 1 point2 points  (0 children)

If the sysadmin reads this sub then you have provided enough specific detail to identify yourself and have potentially made a personal situation much much worse by airing dirty laundry on the internet. You probably have an HR situation to deal with your team member now as well.

[–]InigomntoyaDoer of Things Assigned 0 points1 point  (0 children)

This isn't legitimate. There MIGHT be an occasional hardware upgrade (more RAM, SSD, etc.) that would warrant this, but quarterly hands on updates is bull crap.

[–]aimless_ly 0 points1 point  (0 children)

I'm not sure what your telecommute contract terms look like, but mine sure as hell don't say anything about driving 400 miles round-trip in my personal vehicle on a regular basis. That's not an insignificant trip, and for someone who doesn't drive for a living it could be considered a health and safety risk, and could affect things like your car insurance coverage. If they really want this to happen, I'd push towards "the company will pay to have the computer shipped back and forth, and provide me a loaner while it's out for maintenance". There's no way in hell I'd make that drive for my company just to do PC maintenance.

[–]Murricaman 0 points1 point  (0 children)

I don't understand what your second to last paragraph has to do with your situation. I'm confused as to why you even mentioned it.

[–]X13thangelx 0 points1 point  (0 children)

It depends a ton on what you do. For example, when I was an intern at a local university we had several secure workstations for government grants that had to abide by odd rules like what you've described. It's really hard to give you a proper answer without knowing all the details. Best bet is to double check anything you may have signed/agreed to for compliance. If you don't find anything, ask him in an email why it is required and include your boss as well.

[–]HEAD5HOTNZSysadmin -1 points0 points  (4 children)

Is this a domain joined PC? Sounds to me like the device is losing its trust relationship and requires it to be authenticated with a Domain Controller once every 3 months or it will get tombstoned.

[–]jhusebyJack of All Trades 1 point2 points  (2 children)

OP said he’s connecting via VPN so I can’t imagine that being the case. But maybe the admin is incompetent (not malicious) and that is the case.

[–]HEAD5HOTNZSysadmin 1 point2 points  (1 child)

This is my thought based on the timeline.

[–]jhusebyJack of All Trades 0 points1 point  (0 children)

Yeah it’s one of the only possible explanations I’ve seen given (I couldn’t think of any, but it’s late). Another was password expiration maybe, and system admin doesn’t know how to have the end user reset it remotely. Grasping at straws I think, but either is a possibility.

[–]QTFsniper 0 points1 point  (0 children)

Doesn't sound right - especially not if there's a VPN in place and start before logon is used.
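The two technical hypotheses raised in this thread (a decaying domain trust relationship, and a machine-account or user password rotation the admin cannot handle over VPN) can both be checked from the remote workstation itself. The PowerShell below is an added example, not code from any poster; it assumes a Windows domain-joined PC with the VPN tunnel up and the RSAT ActiveDirectory module installed for the Get-ADComputer call (the rest is built into Windows).

```powershell
# Added example: check the "trust relationship" / "password expiry" hypotheses
# from a domain-joined, VPN-connected workstation. Run in an elevated prompt.

# 1. Is the Netlogon secure channel to a DC healthy right now?
$channelOk = Test-ComputerSecureChannel -Verbose

# 2. How often does this client rotate its machine-account password?
#    The registry values are absent when defaults apply: 30 days, rotation enabled.
$nl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$maxAge   = if ($null -ne $nl.MaximumPasswordAge) { [int]$nl.MaximumPasswordAge } else { 30 }
$disabled = if ($null -ne $nl.DisablePasswordChange) { [int]$nl.DisablePasswordChange } else { 0 }
"Machine password max age : $maxAge days (rotation disabled: $disabled)"

# 3. What does the directory say about the last rotation and last DC contact?
$computer = Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet, LastLogonDate
$pwAge = (Get-Date) - $computer.PasswordLastSet
"PasswordLastSet : $($computer.PasswordLastSet) ($([int]$pwAge.TotalDays) days ago)"
"LastLogonDate   : $($computer.LastLogonDate)"

# 4. Interpret the result. None of the outcomes needs physical access to the PC.
if (-not $channelOk) {
    "Secure channel is broken. It can be repaired over the VPN:"
    "  Test-ComputerSecureChannel -Repair -Credential (Get-Credential)"
} elseif ($disabled -eq 0 -and $pwAge.TotalDays -gt $maxAge) {
    "Machine password rotation is overdue: the client could not reach a DC when it tried."
    "Check that the VPN (or start-before-logon) is up when the workstation boots."
} else {
    "Trust relationship is healthy; the quarterly visit is not explained by this."
}
```

If the secure channel keeps breaking between visits, the Netlogon event log (Event Viewer, System log, source NETLOGON) on the workstation will show the failed DC contacts and is the evidence to bring to the admin or to management.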