
Got THE Job!! asking for advice

maumercado Member Posts: 163
Hello all, I got a call the day after yesterday to offer a job as the technology platform administrator with a small company, to which I said YES!

Now the thing is they already have outsourced the IT administration to another company, but they hired me to start taking responsibilities from that other company and give them to me... It is a small company, around 45 users, they already have set up Microsoft 2003 File server, DNS, DHCP and AD, and Linux mail server...

The users have all administration permission on their computers so they have a lot of pirated programs on it, and video codecs, MSN access that I'm thinking to revoke, they have an Astaro firewall appliance which I'm already trying to figure out, cuz they have it but do not use it fully...

So my point actually questions are:

Should MSN go and the codecs and all that unneeded to work programs? or should I at least leave the msn or maybe vlan instead of codecs? or definitely remove all non production software?
How should I implement these controls, right away or removing stuff slowly...??

What would be the first policy you would start to write and implement?

Should the backup plans include not only files but also system on the servers and personal computers?

It's a software development company, and I'm thinking of implementing RBAC for access controls, right now they have a DAC implementation...

What advice other than this but out of your own experiences could you offer me...

This is a huge opportunity for me, and I want to do everything right...

Comments

  • bellhead Member Posts: 120
    My best advice is to go slowly. Wait at least a couple of months before rocking any boat. Only after a couple of months of tracking work orders and tickets can you make a case to restrict their PCs. Prepare a report to the people who you report to and explain to them why you need to restrict access to certain programs or restricting rights. If you go in like a bull in the china shop, the natives will get restless and will revolt; to placate the natives someone will be sacrificed and it will be the new guy, aka you. So listen to me and go slow, don't rock the boat, do your job, keep your head down, develop 2 plans: one easy, show this one to the person you report to. Another on what really needs to get done, show them the original plan and then all the "extras you accomplished" at your review. It's all about politics and soft skills.

    Here it is....
    People take this seriously and hate to have someone play policeman on them.
  • blargoe Member Posts: 4,174
    Yeah, I wouldn't jump right in to locking stuff down and taking stuff away unless that's what you were hired to do. When the time is right, do your homework and present your case.

    Congrats on landing the job.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • qwertyiop Member Posts: 725
    Just take it easy for the first few days that you're there. Spend some time going through the different servers and try to audit your network to find out what you have and where to find it, that goes for both software and hardware.
  • maumercado Member Posts: 163
    Thank you guys... you're right, I must take it slow, I got this job to oversee the operation of the technology platform, to be the admin, and it is way too soon for me to take such decisions...

    I will then start evaluating the backup plan, the maintenance plan and logs, and do some audit on the network...
    Then I'll start thinking on writing policies and implementing them...

    They are also sponsoring Oracle certifications to administer the databases... so what Oracle cert should I do? They have 10g and 11g Oracle DBs

    Any other suggestions..??
  • undomiel Member Posts: 2,818
    Talk with your manager to formulate a business criteria for what should and shouldn't be there, what is allowed and what isn't, and how far you should go in locking things down. The owner might like his MSN after all. :) Congratulations on the new job! I hope it turns out as a good experience for you.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • JoJoCal19 Mod Posts: 2,835
    Congrats on the new job. That's very exciting and my previous job was pretty much what you're doing and I wish I was back doing that.

    As others have said, don't make any changes right away. Pretty much take inventory of everything and if you think you need to make changes by restricting or taking things away, draft up a document of action and have your manager sign off on it; that way you have proof that they approved the changes. Yes, it's true that if the new guy comes in and starts making all kinds of changes and "rocking the boat" it will cause resentment among the employees and you will start off on the wrong foot. Unless things like audio codecs and MSN Messenger are hurting production and your boss says to take it away, don't mess with it. If it ain't broke don't fix it type of thing. Good luck with the new job :D
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • Daniel333 Member Posts: 2,077
    You are talking about "remediating a client". This is a very complicated procedure and more political than technical.

    It’s very important that the people who are losing their pirated software or that the management that will have to pay for said software has “buy in” on anything in your plan.
    We have 300+ pages of remediation that we would love to do for our clients, but push back and end user perception are your enemies here.

    My company’s general rule is to tackle direct user impact first. Buggy software, malware and replacing/reimaging crappy computers.

    Also under user impact is developing a business continuity plan. What does a user do when their computer goes down? Keep following these lines of thinking as you design. All this has positive user impact. You become their hero.

    Once you have made a name for yourself at the user and management level you can start in on licensing and security. Things management and users are not going to want to hear, as it means restricting perceived freedoms and spending money.

    You are in luck though! Windows 7 is around the corner. This is a perfect chance to move them into standardization and locked down desktops. Everyone is going to want a “Windows 7” computer when the time comes; as you are piloting the program you can drop these computers in business unit by business unit (get familiar with the company’s org chart!) and ensure the machine is fine tuned for their uses.

    Here is our general path -
    User Impact
    Security
    Licensing
    Network infrastructure
    Server Infrastructure
    rinse repeat… make sure to pay careful attention to your MOF and ITIL models. I know your company is small but it’s easy for project creep to set in.

    Anyway, way more than I am willing to put in a post. But be their friendly knowledgeable tech guy first and get them to buy in. Make them think it's their idea and you'll be the hero there.
    -Daniel
  • JDMurray Admin Posts: 13,031
    maumercado wrote: »
    Should MSN go and the codecs and all that unneeded to work programs? or should I at least leave the msn or maybe vlan instead of codecs? or definitely remove all non production software?

    How should I implement these controls, right away or removing stuff slowly...??

    What would be the first policy you would start to write and implement?

    Should the backup plans include not only files but also system on the servers and personal computers?

    It's a software development company, and I'm thinking of implementing RBAC for access controls, right now they have a DAC implementation...

    What advice other than this but out of your own experiences could you offer me...

    This is a huge opportunity for me, and I want to do everything right...

    The first thing you need to do is work with the company's lawyers to discover what about your current operations can expose your company to lawsuits from customers, partners, and investors. Your primary concerns will be: 1) preventing the disclosure of private and proprietary information belonging to your company, customers, and partners, 2) determining if you are in compliance with necessary industry regulations (e.g., SOX, PCI, HIPAA), and 3) checking if your company is currently in violation of any agreements in any standing business contracts.

    Start with the big picture and work your way down to what the company really needs, and the technical and operational details that you require (like policies and access controls) should become very apparent to you.
  • Turgon Banned Posts: 6,308
    maumercado wrote: »
    Hello all, I got a call the day after yesterday to offer a job as the technology platform administrator with a small company, to which I said YES!

    Now the thing is they already have outsourced the IT administration to another company, but they hired me to start taking responsibilities from that other company and give them to me... It is a small company, around 45 users, they already have set up Microsoft 2003 File server, DNS, DHCP and AD, and Linux mail server...

    The users have all administration permission on their computers so they have a lot of pirated programs on it, and video codecs, MSN access that I'm thinking to revoke, they have an Astaro firewall appliance which I'm already trying to figure out, cuz they have it but do not use it fully...

    So my point actually questions are:

    Should MSN go and the codecs and all that unneeded to work programs? or should I at least leave the msn or maybe vlan instead of codecs? or definitely remove all non production software?
    How should I implement these controls, right away or removing stuff slowly...??

    What would be the first policy you would start to write and implement?

    Should the backup plans include not only files but also system on the servers and personal computers?

    It's a software development company, and I'm thinking of implementing RBAC for access controls, right now they have a DAC implementation...

    What advice other than this but out of your own experiences could you offer me...

    This is a huge opportunity for me, and I want to do everything right...

    If you start locking things down before senior management have made it perfectly clear to all the users that this is how they want things done you will most probably head straight into trouble with the people working there. I have supported infrastructure that was used by developers and they often enjoy a lot of access rights to the machines they use. I think you are best off settling in for a couple of months and seeing for yourself just how much support you have from senior management for any changes you are proposing before you press on. Spend a good deal of time seeing for yourself how things hang together there and getting to know the users and how things are done around your new shop. Invest time in auditing your systems, the network (do a diagram), and spend some time on your backup and restore capabilities. Put a bunch of recommendations together after you have put some time in so you can carefully weigh up the practical as well as the technical implications of any changes you think are necessary. Certainly recommend things you feel are necessary but emphasise the reasons why: legal requirements, security, disaster recovery, efficiency etc. etc. At the end of the day, you should seek approval for anything you feel needs doing and importantly plenty of backing from whoever is in charge because people will most likely whinge about some changes they feel are wholly unnecessary.

    As a new admin there will be differing expectations there amongst end users. Some will be hoping that you might do particular things they have been after for a while. Some will be hoping you don't do those things at all. Some will be hoping you don't change anything in particular. Others will defer everything to your assumed experience on such matters, others will be sceptical and launch missiles if you change things. Best get to know a few people to get a feel for these things.

    Keeps us in a job :)
  • TravR1 Member Posts: 332
    Boil the frog slowly. Just tighten the belt a little here and a little there over the months. Just like governments rob people's rights slowly to avoid a revolution.. you don't want the office revolting on you.
    Austin Community College, certificate of completion: C++ Programming.
    Sophomore - Computer Science, Mathematics
  • rwwest7 Member Posts: 300
    Treating adults like children and "locking down" their desktop is something I always try to avoid. At the very least, draft up a user agreement form and have everyone with computer access sign one. It should say something along the lines of not installing any illegal or pirated software, **** and all that other bad stuff.