Workplace Blues

sud0nick

Just venting about workplace woes as a server admin.

So, I'm supposed to test a new service on a system that is run by another organization. I have no admin rights on my desktop or on this service. I only have admin rights on my own servers and nothing else. So, I need the hosts file updated on my system to point to the new service (can't use the IP only because links are hardcoded in places using the FQDN which would resolve to the old IP) and since I don't have the rights I need the helpdesk to do it for me. I am now 45 minutes into this and my hosts file has not been updated. After explaining where to find the hosts file to the guy on the phone and being put on hold for 15-20 minutes he comes back and says he isn't sure if he is allowed to do that. It took him 45 minutes to come to this conclusion!!!

The guy actually told me "let me find out where we keep our hosts file". I think I should just go home for the day.


Haha at least he's not so easily social engineered. Take solace in that? Or maybe take it to the next level and social engineer the shit out of him? "Wayne, this is Bruce from Corporate, I'm going to need you to comply with Mr. Sud0nick's requests immediately. He's on a time sensitive project and needs access ASAP! CHOP CHOP WAYNE!".

I'm kidding of course, but hopefully the idea of it will cheer you up a bit?

If nothing else, there's always pineapples to hack around with :)

telot


Bruce...Wayne...I've been watching too much batman. Shit.

telot


Haha at least he's not so easily social engineered. Take solace in that?

lol, yeah but he acted like a skeptical web client. I presented my TLS cert to him, he checked with the CA, the CA said all was good but then he still didn't trust me. I finally got him to say it was okay to modify my hosts file but he still hasn't remoted in to the machine and modified it.

As I was writing this he called and said he finally did it, like 2-3 hours later. I was skeptical myself because he said "I modified the hosts file, at least where I think it's at", lol. I'm not confident in his abilities but it looks like Google helped him find the right file.


2 weeks later...

On 1 February the network and security guys here are going to deny network access to all machines that aren't in the AD domain.

I've been looking into how I'm supposed to adhere to this policy from my Linux box and it would appear that I need to configure samba to be part of my login pipeline and then login to my laptop using my domain credentials. Now I'm pretty sure I have PAM on here, so I might be able to make this work, but I don't see the value. I do see considerable risk.

The general idea is that my machine's MAC gets whitelisted when I AD-login on the network from it. So, why can't I just spin up a virtual, do NAT networking and login to the domain from there to whitelist my MAC while I can just go about my work? Or mount a fileshare using my domain creds and thus prove I am who I say I am? (well, because I'd auto-mount and place the creds in a plain text file in /etc like I have already, but still...) That way I can just continue getting work done. You know, the stuff I'm supposed to be doing here rather than get pissed at an admin for getting in the way of things....

Interesting fact is that I've already found that I can use the public Wi-Fi in the building for most everything I need and if I have to commit something I can just VPN in (using my domain creds and a texted one-time passcode) and do it from there. This would be similar (no, actually, identical) to working from home. Except I'll be physically at my place of work.

I get the 'their machine, their rules' mumbo, but to me this is NOT their machine. I differ from the norm to increase my productivity. I'm vastly, *VASTLY* more secure and security-aware than most of the brain-dead zombies working here. How is this going to improve my security? All I see is the prospect of me needing to run a service as root and potentially providing the drooling inbred admin who couldn't exit a vim session for the life of him access to MY machine. FUCK. THAT.

Edited by cooper

On 1 February the network and security guys here are going to deny network access to all machines that aren't in the AD domain.

Are they doing this via 802.1X? If so then you don't necessarily need to add your machine to the domain, as you may be able to use wpa_supplicant to handle the authentication. You would still need to authenticate to the domain at some point though (unless your IT are allowing certificate authentication and give you a certificate for your machine).

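As an added illustration of the certificate-based 802.1X setup suggested in the reply above (this is example configuration, not something posted in the thread or provided by the poster's IT department), here is what a wired EAP-TLS profile for wpa_supplicant looks like on a Linux client. The interface name, identity string, certificate paths and file names are all assumptions; the real values come from whatever PKI the network team issues machine certificates from.

```conf
# Added example: /etc/wpa_supplicant/wired.conf for 802.1X on a wired port.
# Every path and identity below is a placeholder chosen for this example.
ctrl_interface=/var/run/wpa_supplicant

# No access-point scanning on a wired link.
ap_scan=0

network={
    # IEEE 802.1X port authentication (EAPOL), no WPA key handshake.
    key_mgmt=IEEE8021X

    # EAP-TLS: the client proves its identity with a machine certificate,
    # so no domain password is stored on disk.
    eap=TLS
    identity="host/laptop01.example.com"

    # CA that issued the RADIUS server's certificate. Setting this makes the
    # supplicant verify the authenticator before presenting its own credential,
    # so a rogue switch or AP cannot harvest it.
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"

    # The machine certificate and its private key issued by the corporate PKI.
    client_cert="/etc/ssl/certs/laptop01.pem"
    private_key="/etc/ssl/private/laptop01.key"
    # Only needed if the key file is encrypted; keep this file root-only (mode 0600).
    private_key_passwd="CHANGE-ME-placeholder"
}
```

The supplicant is then started against the wired driver, for example with `wpa_supplicant -i eth0 -D wired -c /etc/wpa_supplicant/wired.conf`; the interface name is again an assumption. The point worth checking before relying on this is the `ca_cert` line: without it the client will complete the TLS handshake with any authenticator, which defeats the mutual-authentication benefit of EAP-TLS.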

Had a.... chat. With the network guy that was supposed to know about this (spoiler: he didn't) but from what he said what you're saying is pretty much correct. I would need a client cert of sorts and communicate with the network in a way quite similar to what we'd need to use for the secured wifi. If that's all it takes, this is going to be a breeze.

And indeed I would still need to log in to stuff with my domain account as opposed to having some single sign-on bullshit going on. I actually *WANT* it to work without SSO as a kind of mitigation should I somehow forget to lock my desktop or otherwise lose control of my device.

Another workspace gripe of mine is that our mail server is Exchange (of course) and they're too cheap/stupid/unwilling to install the IMAP plugin so my only way to access my mail at work is via OWA or an app on my phone. OWA already sucks because I'm not allowed to access dangerous attachments like XML files or zip files with an XML file in them, which any Java developer can tell you are things you rarely encounter. :angry: So anyway, they decided to put this server behind a VPN login which times you out after 15 seconds of inactivity and if you login it redirects you to a non-existent page on OWA. It's frustrating because, again, there's no explanation why they're doing it. Worse, if you access OWA over the internet, you go straight to the OWA login and your sessions last the normal time (30 mins I think). In other words, the system reacts more leniently to you when you come in over the friendly and much more secure internet. *WHY?!?*
