20060324

Absolute power

How do you tell someone that they shouldn't have administrator privileges, and explain why?

I was faced with the issue of explaining to a friend and colleague why I was unhappy about them having a copy of the domain administrator password. This was made more difficult by the fact that the rest of the room was listening in. In essence, it's one of those things that is either obvious, or very difficult to explain, and I'm very much afraid that I made a mess of it.

Although I said it wasn't a question of trust, however you look at it, that is what it reduces to. But it's not personal trust - I know that no-one in our organisation would do anything to damage the system or to cause any problems. It's trust in the system itself. We need confidence that we know what is installed, what is happening and how things are configured. When more than one person has the ability to make the sort of changes that administrator privileges allow, that confidence is diluted. Spread that level of ability around too far, and you can guarantee that mistakes and errors will happen.

Things will get changed without record; files will go missing, and no-one will remember removing them; applications will appear and downloads run that no-one can take responsibility for. At least when the admin account is restricted, the responsibility for these sorts of changes is equally restricted, and that increases the likelihood of getting problems fixed. Not insignificantly, when things do get broken, it's clear that the responsibility for fixing them lies with whoever broke them in the first place: much easier to establish, agree and accept when it's a select group - preferably one person.

Equally, there's the argument that getting the day job done should not mean having to use admin access. One of the most common traps is to live in the admin account when a much more restricted account will do. That message, at least, I think is well understood, with nobody suggesting that it's acceptable or desirable.

Finally, there's the question of culture and policy - which ought to be closely linked. A company may have a policy of restricting access, but if that policy is clearly ignored in the company culture, it will lead to increased laxity in observing other precautions. If 80% of the staff have admin access, why not let the other 20% have it as well? They may be called upon to act in whatever scenario was used to justify the original release of the information, and so would argue that general access be permitted. But I believe quite strongly that the only proactive approach that should be followed here is to plan for the eventual possibility that privilege enhancement may be required, and to grant that enhancement only when the circumstances demand it. There's no need for the password or any other privileged information to proliferate in advance of the need (and it must be a "need", not simply a matter of convenience: nearly every situation that can be envisaged which could be handled by admin access can also be managed with alternate, lesser privileges). Identifying and implementing mechanisms to answer these questions is part of policy management, and this is an area where continuous communication is essential - if we understand the requirements, we can perhaps provide answers in advance of the occurrence. So the company culture must encourage feedback and relaxed exploration of these issues, in order that all parties are comfortable with the conclusions. Only when this is achieved can successful and mutually acceptable policies be agreed.

If power corrupts, what hope is there for the omnipotent system administrator? I'm glad that I have friends who can bring me back to earth, as happened today. I really had to think about this, and will re-visit the question with the rest of the team until we're all happy.
