If you tell enough stories, perhaps the moral will show up.



Strange email a few days ago -- a casual note from one of the Exchange admins asking me to approve enabling a batch of accounts. Rather than just refuse it out of hand, I took a look at the list -- to find a mixed bag of service accounts and shared mailboxes.

For why? Well it appeared that they had been having difficulty archiving some boxes and noticed that the affected accounts were all disabled. Proof of a good reason? No. Plenty of other boxes are disabled -- our leavers process depends on archiving the boxes of disabled users, and shared box accounts are permanently disabled by policy.

I don't know how this will turn out, but it won't be fixed by the enable flag. I don't care, as the lesson I want to draw is a little different. Superstition in IT is one of the greatest impediments to security rectification.

If I had let that request go -- after all, what do I know about Exchange? and even if I was right, they might have learned something -- If I had followed a cautious "support the admins where you can" rule, a new superstitious belief would have been created. "If there's an archive problem, make sure the mailbox is enabled". And those boxes would never be disabled again -- after all, who goes looking for trouble? And we would have acquired a vast new list of unmanaged accounts for no purpose at all.

When I started, my first rectification was to get rid of the shared domain admin account. It was easy enough to issue DAs to colleagues who needed them, but the next stage, removing the shared account, was much harder. It was protected by superstition. Apparently, all sorts of stuff would break if I canned it or changed the password, it had been tried once and bad things happened, though nobody could remember what.

Now, that risk was real, given the usage of the account, but I knew the possibilities. It wasn't the replication account, it wasn't used to build images, and there were no services running under it (that one took a script to prove). So after a good deal of fruitless argument, I just did it -- our change control was weaker then. Nothing broke then and I suspect that what broke in the past was co-incidence

The point is that people who are out of their depth, even just a few inches, will clutch at the first turd that comes bobbing by, and once clutched, they'll never let it go. It's not a moral fault, it's a feature of human psychology, and no doubt in the wild it has survival value.

In Windows security, most people are just slightly out of their depth, even though it's pretty simple (apart from ACL inheritance, obviously.) Even though they could reach the truth with just a little effort, they don't. Instead they seize whatever comes first -- co-incidence or just wrong observation -- and their survivalist mind starts building superstition. It's my job to knock it down and I do. I don't like pretending to be authoritative, even though I took the training. But in a case like this, it's the only way forward. I declined the request, explained my reason as far as I could without accusing the team of crass irrationality, and left it at that. We'll see.

No comments: