In addition to being the “Leo” in Ask Leo!, I administer web servers and websites for a few friends and organizations and host email accounts on my own servers for a few others.
What I’ve come to realize over time is that in doing so, these people have placed a tremendous amount of control in my hands – more than you might imagine.
What I’ve also realized is that this isn’t uncommon. In fact, whenever you have someone manage your business’s website, server, or email, be that person a friend or a hired service, you’re probably giving them more access than you realize.
It’s often the right, and even necessary, thing to do.
Your sysadmin might not tell you how much power he or she really has.
Become a Patron of Ask Leo! and go ad-free!
In defense of your sysadmin and sysadmins everywhere
I have to start by saying that I’m not implicating system administrators at all. They really are the backbone of the internet, keeping the digital wheels greased and pistons lubed, making sure that websites work and emails get sent 24 hours a day, seven days a week.
What I do want to make clear is just how much power you might inadvertently be giving your system administrator. I’m not even saying that doing so is wrong; in many cases, it’s exactly the right thing to do.
It’s just important to realize how much access and control you’re giving your system administrator, so you can make informed decisions when you’re looking for help.
Different types of sysadmins
We use the term “sysadmin” to refer to people who administer your system – but “system” is somewhat vague.
For purposes of this discussion, a sysadmin could be:
- Someone who sets up and administers your email server, or even just the accounts thereon.
- Someone who sets up and administers, modifies, or maintains your web site.
- Someone who sets up and administers your web or other type of server.
- Someone who sets up and administers your internet domains and DNS.
So with all that in mind, here are a few things that your system administrator might not tell you…
1. “I can read your email.”
I think this surprises most folks.
If your email ever touches a system managed by your sysadmin, or if the sysadmin is the person who sets up new email accounts and perhaps resets passwords for you, that person very likely has the ability to read your email.
The most common scenario is that you hire someone to work on your website. Say you own somerandomservice.com, and you have someone come in and build you a website there from scratch.
If you also get your email via that same domain – say your email address is firstname.lastname@example.org – then it’s possible, and I’d guess fairly common, that this person you just hired has access to your email.
Letting your sysadmin have that access might well be a good thing.
I know that having that kind of access has allowed me to quickly determine and resolve issues for my clients. I certainly don’t make a habit of reading their emails – a clear invasion of trust and privacy – but the ability to quickly swoop in and see if they’ve received the test message that I just sent them, perhaps repeatedly, can be extremely helpful when tracking down a thorny issue.
If you don’t trust your system administrator and you want your email (email@example.com) to be on the same domain as your business website (somerandomservice.com), there are technical solutions to separate the two at the server level. The problem is that they are technical solutions, and if you’re not up on those technicalities, you’ll need to trust someone to put them in place.
2. “I can impersonate you.”
With access to your email, it’s not very difficult for a sysadmin to send email that is truly from your account. I’m not talking about all the ways email can be spoofed, or even hacked; in many cases, a sysadmin simply has direct access to your email account.
Done properly and with malicious intent, it would be extremely difficult to prove that an email sent by your sysadmin was not actually sent by you.
Given all the ways that email can be forged and spoofed, this may not necessarily have true legal ramifications, but at a minimum, it could be exceptionally embarrassing.
3. “I’ve copied all your files.”
This is obvious when people think about it, but people rarely think about it.
When you have someone work on your website for you, they have access to everything that might be stored there, whether it’s something they’re working on or not.
That means that they can copy it.
Once again, this can be a good thing, depending on your sysadmin’s motives.
I periodically take a complete copy of at least one client’s complete website as backup. I do this simply because I know she’s not that great at backup, and the hosting service that she’s using doesn’t offer it. In fact, given how paranoid I am about backups, it’s replicated across three or four machines here at home, and in two separate data centers off-site. She’s probably getting better backup than anything a web host might provide.
I also use what’s called “source code control” when I work on people’s web sites. Without getting into geeky details, it means that I keep a copy of not only the current website, but every change that has ever been made to it since I took over working on it.
The risk, of course, is that should she and I ever have a falling out, I could run off with all of her content – intellectual property that she’s worked for years to create and accumulate. Who knows what I could do with it?
And of course, I won’t. Can you say the same about your sysadmin?
4. “I can hijack your domain.”
It’s not uncommon to hand off the management of your domain (“somerandomservice.com” in our example) to your sysadmin. They take on the technical details of “DNS”: making sure your site can be found on the internet, the correct server is reached when people try to visit your site, and email is routed appropriately.
Quite often, with that type of access also comes the ability to take actual ownership of the domain, or, at a minimum, to redirect that domain to servers and content that isn’t yours.
Having someone manage your DNS is not uncommon, as it’s critical that it be done correctly for your website and email to function at all. But once again, you’re giving that person control of a very important and valuable resource.
5. “I can shut you down.”
It’s a joke that I never make1, but I’m occasionally tempted to say in jest, “Don’t piss me off – you know what I can do” to some of my clients.
And it’s true. I never, ever would, but in many cases, a sysadmin could block your email, take down your web site, replace it with less-than-desirable content, destroy your online records, and lay waste to pretty much all of your digital assets and online reputation.
They can take your site and your email off the internet. Completely.
They could also do something much simpler. I heard one apocryphal story of a website designer putting up derogatory statements about a client on the client’s own website because a bill had supposedly not been paid. True or not (and legal or not), it’s entirely possible, and it would not surprise me in the least if it had happened more than once.
6. “I’m at risk here too.”
What a lot of sysadmins don’t realize is that many of the risks I’ve listed above can be turned around to cause them trouble as well. They may not tell you this simply because they haven’t realized it themselves.
By taking on such open-ended access2 to my client’s systems, I actually put myself at some risk as well.
A good example is email. If I can send email that looks like it came from my client, then I could be accused of sending email that looks like it’s from my client, even though I had nothing to do with it. I certainly have the means and opportunity. Regardless of who has to prove what to whom, the accusation could cause a great deal of difficulty.
Similarly, consider the backups I’ve taken of my client’s site. If for some reason I should accidentally allow those to fall into the hands of a hacker, at a minimum I’ve violated her trust.
7. “I can be your partner.”
With all of the control given to a sysadmin, it might be easy to think of them as scary people to tip-toe around, so as not to annoy them in case they decide to extract costly revenge.
If that’s the relationship you have with your sysadmin, it’s time to find a new one. Now. Change your passwords (and perhaps more) and send him or her to the curb.
A good system administrator does more than configure a website or email.
A good system administrator can be a partner in helping your business grow.
That’s a role I try to play.
A good sysadmin will be up-front and honest if you ask about the risks that I’ve described here, and should be able to explain possible alternatives to help reduce your exposure.
A really good sysadmin will look at what you have and suggest ways to improve it- perhaps making it faster, easier to use, or less costly.
And the truly exceptional sysadmin will already have told you everything you just read.
If you found this article helpful, I'm sure you'll also love Confident Computing! My weekly email newsletter is full of articles that help you solve problems, stay safe, and give you more confidence with technology. Subscribe now and I'll see you there soon,