Jay Butler, Senior Technical Consultant
In our last dramatic episode, Jimmy created some avoidable strife for himself and his esteemed network users. Since then, a newfound skepticism for change has permeated his judicious being. All kidding aside, Jimmy has used his past mistakes in developing an excellent change management methodology. Management values his ability to uncover the details ahead of time before unnecessary costs ensue. Recently, he facilitated the replacement of an outdated MDaemon email server in favor of their network service provider’s managed solution.
The executive branch of the organization had long desired the broad spectrum of benefits Exchange 2007 could bring. Jimmy had engaged his methodology and presented the topic a couple of times. He favored the change and never missed an opportunity to lament, “Well, if we had Exchange...”, but management deemed the up-front cost too high.
When Jimmy learned of his network provider’s managed solution, his senses perked up. The managed solution had the same features as an internal Exchange 2007 server for a significantly lower up-front cost; moreover, it included email encryption, antivirus, spam filtering, and mobile access as a package. He gathered all the details and presented the solution to the Technology Committee, where it was ultimately approved by upper management. Because the solution is new, Jimmy expects a few problems; it would be unrealistic not to, but he has full confidence in his network provider’s prompt response. He knows the solution was developed using a strict design methodology and thoroughly evaluated in live beta implementations.
Jimmy’s methodology for change control has saved his institution thousands of dollars and untold difficulties, drawing attention from upper management. They appreciate his straightforward approach to evaluating why a change is desired. His discovery and evaluation of implementation options has made judicious use of a limited IT budget. The extra work he puts into testing and training has meant smooth transitions with minimal disruption to normal business activity. Recent upper management changes have opened opportunities for advancement, and Jimmy has been asked to take over a newly defined technical operations management position.
To perform at his best in the new role, Jimmy requests an assistant so he can dedicate more of his time to operational strategy. Management approves, and Jimmy leads an interview process to find the right candidate. He picks a young career changer, Gillian, with a personality well matched to the corporate culture but with technical skill limited to basic Windows administration. Perfect, he thought. He needs someone to perform common user administration, to confirm patch levels, backup and antivirus status, to interact directly with his users, and to work with external technical support. Jimmy plans to spend a significant amount of time molding his young assistant for the first six months.
Internal control is part of Jimmy’s change management methodology. He has gone to great lengths to restrict who can access the network, particularly at the administrator level. His methodology states that, when it comes to administration, user access must be matched with job function and technical prowess. Since Gillian is new and lacks technical expertise, her account should be limited to protect network integrity. He has already reduced administrator-level accounts to himself and his primary network support provider.
No predefined solution exists, so Jimmy plans to start by limiting Gillian’s group membership to Domain Users. On its own that grants little: the ability to authenticate to the domain and log on to domain-joined workstations (Domain Users is nested in each machine’s local Users group), plus the read access to the directory that every authenticated user has. Permissions on shared folders have been assigned through custom groups such as Regular Users rather than built-in groups such as Domain Users, following the principle of least privilege, so Gillian won’t have access to any network data by default. Building on that principle, Jimmy plans to explore additional methods for granting her account the minimum access required for the duties she will perform.
He will look into Active Directory’s Delegation of Control wizard, which can grant a single task such as resetting passwords without any broader rights. He hopes to limit server logon to the Utility and NAS servers, where most of Gillian’s duties will be performed. Built-in groups such as Server Operators and Backup Operators may also be useful, though they carry more than their names suggest: Backup Operators can read and restore any file regardless of its permissions, and Server Operators can log on to and shut down domain controllers, so merely confirming that backups completed should not require either. Jimmy also ponders avoiding console logons to the servers altogether by installing the Administration Tools Pack (AdminPak) directly on her PC.
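The plan above in concrete form, as an added example that is not part of the original article: it delegates password reset on one OU to a purpose-built group, adds Gillian to that group, confines where her account may log on from, and reads the result back. The domain, OU, group, account and machine names are assumptions. It uses dsacls.exe (shipped with the Windows Server 2003 Support Tools and built into later Windows Server releases) and the ActiveDirectory PowerShell module, which postdates the AdminPak era the article describes but is the tool a practitioner would reach for today.

```powershell
# Added example, not the article's own procedure. Assumed names: OU "Staff" holding
# ordinary users, group "Helpdesk-PasswordReset", account "gillian", machines
# GILLIAN-PC, UTIL01 and NAS01. Needs the ActiveDirectory module (RSAT) and
# dsacls.exe, run by an account that can modify the OU's security descriptor.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$staffOU   = "OU=Staff,$($domain.DistinguishedName)"   # assumed OU of ordinary user accounts
$groupName = "Helpdesk-PasswordReset"                  # assumed: delegate to a group, not a person
$assistant = "gillian"                                 # assumed sAMAccountName

# 1. A dedicated group keeps the delegation visible and reversible: when the
#    duty changes hands, change the membership, not the ACL.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Path "CN=Users,$($domain.DistinguishedName)" `
        -Description "May reset passwords of user objects under $staffOU"
}
Add-ADGroupMember -Identity $groupName -Members $assistant

# 2. Grant exactly two things, inherited by user objects under the OU only
#    (/I:S = sub-objects only): the Reset Password control access right, and
#    read/write on pwdLastSet so "user must change password at next logon" can
#    be set. This is what the Delegation of Control wizard's "Reset user
#    passwords and force password change at next logon" task grants.
$trustee = "$($domain.NetBIOSName)\$groupName"
dsacls.exe $staffOU /I:S /G "${trustee}:CA;Reset Password;user"
dsacls.exe $staffOU /I:S /G "${trustee}:RPWP;pwdLastSet;user"

# 3. Restrict where the account may be used from. userWorkstations limits the
#    computers the account can log on from; it grants nothing on those machines,
#    so "Allow/Deny log on locally" on each server still decides console access.
Set-ADUser -Identity $assistant -LogonWorkstations "GILLIAN-PC,UTIL01,NAS01"

# 4. Verify before handing over the account: the OU's ACL should mention the
#    group only for Reset Password and pwdLastSet, both inherited to user
#    objects, and the account must not sit in any built-in administrative group.
dsacls.exe $staffOU | Select-String -Pattern $groupName
Get-ADPrincipalGroupMembership -Identity $assistant | Select-Object -ExpandProperty Name
```

Step 4 is the part worth keeping in the change record: the dsacls listing proves the delegation is as narrow as intended, and the group membership listing shows that nothing broader (Server Operators, Backup Operators, Account Operators) crept in alongside it.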
Who knows how Jimmy will fare in this latest endeavor to restrict Gillian based on the principle of least privilege. Building sound change management controls is no easy task. It will require some trial and error and the patience to build a solution from the solid principles that motivate him. Jimmy will need to gather Microsoft documentation and draw on other sources such as technical forums and books for this current project.