
7 Things Your Sysadmin Probably Won’t Tell You

In addition to being the “Leo” in Ask Leo!, I administer web servers and websites for a few friends and organizations and host email accounts on my own servers for a few others.

What I’ve come to realize over time is that in doing so, these people have placed a tremendous amount of control in my hands – more than you might imagine.

What I’ve also realized is that this isn’t uncommon. In fact, whenever you have someone manage your business’s website, server, or email, be that person a friend or a hired service, you’re probably giving them more access than you realize.

It’s often the right, and even necessary, thing to do.

Your sysadmin might not tell you how much power he or she really has.

I will.


In defense of your sysadmin and sysadmins everywhere

I have to start by saying that I’m not implicating system administrators at all. They really are the backbone of the internet, keeping the digital wheels greased and pistons lubed, making sure that websites work and emails get sent 24 hours a day, seven days a week.

What I do want to make clear is just how much power you might inadvertently be giving your system administrator. I’m not even saying that doing so is wrong; in many cases, it’s exactly the right thing to do.

It’s just important to realize how much access and control you’re giving your system administrator, so you can make informed decisions when you’re looking for help.

Different types of sysadmins

We use the term “sysadmin” to refer to people who administer your system – but “system” is somewhat vague.

For purposes of this discussion, a sysadmin could be:

  • Someone who sets up and administers your email server, or even just the accounts thereon.
  • Someone who sets up and administers, modifies, or maintains your web site.
  • Someone who sets up and administers your web or other type of server.
  • Someone who sets up and administers your internet domains and DNS.

So with all that in mind, here are a few things that your system administrator might not tell you…

1. “I can read your email.”

I think this surprises most folks.

If your email ever touches a system managed by your sysadmin, or if the sysadmin is the person who sets up new email accounts and perhaps resets passwords for you, that person very likely has the ability to read your email.

The most common scenario is that you hire someone to work on your website. Say you own somerandomservice.com, and you have someone come in and build you a website there from scratch.

If you also get your email via that same domain – say your email address is leo@somerandomservice.com – then it’s possible, and I’d guess fairly common, that this person you just hired has access to your email.

Letting your sysadmin have that access might well be a good thing.

I know that having that kind of access has allowed me to quickly determine and resolve issues for my clients. I certainly don’t make a habit of reading their emails – a clear invasion of trust and privacy – but the ability to quickly swoop in and see if they’ve received the test message that I just sent them, perhaps repeatedly, can be extremely helpful when tracking down a thorny issue.

If you don’t trust your system administrator and you want your email (leo@somerandomservice.com) to be on the same domain as your business website (somerandomservice.com), there are technical solutions to separate the two at the server level. The problem is that they are technical solutions, and if you’re not up on those technicalities, you’ll need to trust someone to put them in place.
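As an added illustration (not from the original article), here is a constructed DNS zone fragment for the example domain, showing the usual setup in which the website host also receives the mail, followed by the split setup in which mail goes to a separate provider so the person administering the web server never holds the mailboxes. The IP address is a documentation placeholder and the mail host name is an assumed placeholder, not a real provider.

```dns
; Constructed example zone for somerandomservice.com (not from the article).
$ORIGIN somerandomservice.com.
$TTL 3600

; --- Common setup: web and mail on the same box the site developer runs ---
; Whoever has root on 198.51.100.10 (a documentation address, placeholder)
; can read every mailbox as well as edit the website.
;@      IN  A     198.51.100.10
;www    IN  CNAME somerandomservice.com.
;@      IN  MX 10 somerandomservice.com.

; --- Split setup: the website developer gets no access to email ---
; Website still lives on the host the developer administers.
@       IN  A     198.51.100.10
www     IN  CNAME somerandomservice.com.

; Email is delivered to a separate mail provider the developer has no login
; to. mail.example-mailhost.net is an assumed placeholder name.
@       IN  MX 10 mail.example-mailhost.net.

; Note: whoever controls this zone can still repoint either record
; (see section 4 of the article), so the DNS/registrar login is the
; credential to guard most carefully.
```

From any machine, `dig MX somerandomservice.com` and `dig A somerandomservice.com` show whether mail and web really resolve to different providers.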

2. “I can impersonate you.”

With access to your email, it’s not very difficult for a sysadmin to send email that is truly from your account. I’m not talking about all the ways email can be spoofed, or even hacked; in many cases, a sysadmin simply has direct access to your email account.

Done properly and with malicious intent, it would be extremely difficult to prove that an email sent by your sysadmin was not actually sent by you.

Given all the ways that email can be forged and spoofed, this may not necessarily have true legal ramifications, but at a minimum, it could be exceptionally embarrassing.

3. “I’ve copied all your files.”

This is obvious when people think about it, but people rarely think about it.

When you have someone work on your website for you, they have access to everything that might be stored there, whether it’s something they’re working on or not.

That means that they can copy it.

Once again, this can be a good thing, depending on your sysadmin’s motives.

I periodically take a complete copy of at least one client’s complete website as backup. I do this simply because I know she’s not that great at backup, and the hosting service that she’s using doesn’t offer it. In fact, given how paranoid I am about backups, it’s replicated across three or four machines here at home, and in two separate data centers off-site. She’s probably getting better backup than anything a web host might provide.

I also use what’s called “source code control” when I work on people’s web sites. Without getting into geeky details, it means that I keep a copy of not only the current website, but every change that has ever been made to it since I took over working on it.

The risk, of course, is that should she and I ever have a falling out, I could run off with all of her content – intellectual property that she’s worked for years to create and accumulate. Who knows what I could do with it?

And of course, I won’t. Can you say the same about your sysadmin?

4. “I can hijack your domain.”

It’s not uncommon to hand off the management of your domain (“somerandomservice.com” in our example) to your sysadmin. They take on the technical details of “DNS”: making sure your site can be found on the internet, the correct server is reached when people try to visit your site, and email is routed appropriately.

Quite often, with that type of access also comes the ability to take actual ownership of the domain, or, at a minimum, to redirect that domain to servers and content that isn’t yours.

Having someone manage your DNS is not uncommon, as it’s critical that it be done correctly for your website and email to function at all. But once again, you’re giving that person control of a very important and valuable resource.

5. “I can shut you down.”

It’s a joke that I never make¹, but I’m occasionally tempted to say in jest, “Don’t piss me off – you know what I can do” to some of my clients.

And it’s true. I never, ever would, but in many cases, a sysadmin could block your email, take down your web site, replace it with less-than-desirable content, destroy your online records, and lay waste to pretty much all of your digital assets and online reputation.

They can take your site and your email off the internet. Completely.

They could also do something much simpler. I heard one apocryphal story of a website designer putting up derogatory statements about a client on the client’s own website because a bill had supposedly not been paid. True or not (and legal or not), it’s entirely possible, and it would not surprise me in the least if it had happened more than once.

6. “I’m at risk here too.”

What a lot of sysadmins don’t realize is that many of the risks I’ve listed above can be turned around to cause them trouble as well. They may not tell you this simply because they haven’t realized it themselves.

By taking on such open-ended access² to my client’s systems, I actually put myself at some risk as well.

A good example is email. If I can send email that looks like it came from my client, then I could be accused of sending email that looks like it’s from my client, even though I had nothing to do with it. I certainly have the means and opportunity. Regardless of who has to prove what to whom, the accusation could cause a great deal of difficulty.

Similarly, consider the backups I’ve taken of my client’s site. If for some reason I should accidentally allow those to fall into the hands of a hacker, at a minimum I’ve violated her trust.

7. “I can be your partner.”

With all of the control given to a sysadmin, it might be easy to think of them as scary people to tip-toe around, so as not to annoy them in case they decide to extract costly revenge.

If that’s the relationship you have with your sysadmin, it’s time to find a new one. Now. Change your passwords (and perhaps more) and send him or her to the curb.

A good system administrator does more than configure a website or email.

A good system administrator can be a partner in helping your business grow.

That’s a role I try to play.

A good sysadmin will be up-front and honest if you ask about the risks that I’ve described here, and should be able to explain possible alternatives to help reduce your exposure.

A really good sysadmin will look at what you have and suggest ways to improve it – perhaps making it faster, easier to use, or less costly.

And the truly exceptional sysadmin will already have told you everything you just read.

Footnotes & references

1: Well, not often, and not in front of just anyone.
2: For the technically inclined: most just give me root access – the Linux server equivalent to Administrator in Windows. It makes many, many things easier. But with that ease comes risk.

24 comments on “7 Things Your Sysadmin Probably Won’t Tell You”

  1. 6. “I’m at risk here too”

    Similarly, consider the backups I’ve taken of my client’s site. If for some reason I should accidentally allow those to fall into the hands of a hacker, at a minimum I’ve violated her trust.
    =====
    By extension, the same thing you say about e-mail applies here. Suppose a hacker were to steal the admin login information from the client, and use that to grab a copy of everything on the website. You could be accused of being the source of the leak, just as you could be accused of being the one who sent that “embarrassing” e-mail.
    =====
    Thank you for pointing out this not-necessarily-complete list. Many people hear “if you don’t trust your sysadmin, replace him”, but don’t necessarily understand why. I think this list of the highlights should help get the point across.
  2. Now that was a good read! It’s my guess 95 percent of website owners have no clue about the real power of a system admin. As usual, you laid it out effectively, simply and with great clarity.

    This should be required reading for every business owner that has a website. Heck, I know a guy that has a big list that surely has hundreds, if not thousands, of business owners on it. I’ll tell him to talk about this article.
  3. Unfortunately, all of our worlds have become so complicated and technically oriented that we do little for ourselves outside of our world of expertise. Not only sysadmins are involved here, but also our doctors, lawyers, CPAs, our priest, minister, rabbi or imam, our state and federal governments, our banker — just about anybody we come in contact with on a professional basis has that power if they turn evil, and we have enough wealth to make it worth their while. As they say, “There’s no such thing as a free lunch.” The more people to whom we are forced to open our lives, the bigger the risk. Miserere nobis (Have mercy on us).
  4. Leo, you hit the nail squarely on the head. But your focus on the sysadmin position is a little too narrow.

    Consider the lowly computer technician who comes in occasionally to repair/replace workstations. He/she will need to have several keys to the kingdom to accomplish the work and can run away with the crown jewels as well.
  5. There’s a dimension to this discussion that goes beyond trust. I have seen many of my customers affected by vendors that they knowingly or not trusted with aspects of their business, only to have these vendors go out of business, leaving them in the lurch for access to their own critical programs, website, servers, email, etc.
    I think the other takeaway from your article should be to understand the technical aspects of your business well enough to understand just what you are trusting both your contract labor as well as your employees with.
  6. And having read all that about your SysAdmin, now feel free to ignore all of it completely.

    Because — quite frankly — there is no earthly way you will ever be able to do without him.

    I disagree – strongly – with your suggestion that it be ignored. This information is critically important to know and understand for the very reason you mention – you can’t do without a sysadmin of some sort. What that means is that it’s critical you know and understand their abilities so as to understand how critical it is you find someone capable and trustworthy, and how equally critical it is that you walk away from someone in that position whom you do not or cannot trust.

    Leo
    10-Feb-2012
  7. Have to agree with Glenn P. As you said, once we get outside of our own area of expertise, we are at the mercy of others. Including doctors, lawyers, sysadmins, etc.
  8. My point is simply that we have no choice in the matter — it’s a “take it or leave it, my way or the highway, any-color-as-long-as-it’s-black”, Hobson’s Choice situation. It’s not that the information isn’t “important”, only that we can’t actually do anything with it (and if you think we can, Leo, you deceive yourself).

    My point is that there most definitely is something you can do: choose your sysadmin wisely, and get rid of one you can’t or don’t trust. And above all understand the power you’re giving them.

    Leo
    10-Feb-2012
  9. Leo, I’m really starting to lose patience with what I perceive to be a (surprisingly) simplistic attitude on your part.

    SysAdmins are not chosen by customers. They are chosen by the ISPs.

    Did I really need to say that?!

    And which ISP you end up with isn’t always (or, isn’t always fully) within your control; it may depend on where you live, which company you work for, which online service(s) you subscribe to — or even which brand of computer you use or buy!

    As the letter “i” said to the symbol “pi”, “Please, be rational!” :)

    Can I start to lose patience too? I’m not talking about your ISP. In fact I never used the acronym in the article. I’m talking about the people you hire to design and manage your website, the people who setup and support your servers and other typically small business infrastructure. You absolutely have a choice in who to hire for that.

    Leo
    12-Feb-2012
    • Leo is right. I administer a number of websites, email, host websites (and administer some local networks – and am a “lowly computer technician”). I am not associated in any way with their ISPs, and am hired – and could be fired – by my clients.
  10. [coff] May I interrupt, here, please ?

    There is an eighth thing that you probably don’t know – that is about back-ups. You can be sure(?) that the SysAdmin will set up a proper back-up system, but that back-up will be to protect *her*, not you. i.e. if there is a fire in your building and you lose “everything”, her back-up will enable her to re-create the system exactly as it was when she took the last back-up. But if *you* lose a file by mistake, do not expect her to be able to retrieve just that one file at the snap of your fingers. When working for another company, I have always kept my own back-up as well, i.e. copies of every version of all important documents.
    • Not sure I agree Robin. Yes, I have selfish motives for maintaining the backup system – I want to have a job after a disaster not only because I don’t want to get fired but because I need my employer to survive the event.

      That said, systems are set to back up specific stuff (file servers but not local desktops/local ‘my documents’ folders) because there are limits and storage costs money. We tell people what is and what isn’t backed up and on what schedule. If staff work within the system that has been set up based on management’s allowed budget, I will recover your stuff, and if I can’t, it is my fault. If staff don’t work within that system, it isn’t my fault.

      You said ‘by mistake’. Yes, we all make them. If I was a web admin and I mistakenly didn’t make a personal backup – just in case – then it would be my fault. The difference between staff and techs is techs are expected to be less likely to make this particular type of mistake (backups). Instead, we are more prone to making other types of mistakes.

      That said, I haven’t made a backup on my home computer since I don’t know when. I guess I just don’t want to think about backups when I switch off at the end of the work day. :)
      • You don’t want to think about backups after the end of a workday. This will work until the day your hard drive dies or is seriously infected with malware. Then you’ll have a lot to think about. I have EaseUS Todo on autopilot set to do monthly system image backups and daily incrementals and set to delete older backups automatically. The only time I have to think about backups is if I have a problem which can be solved by my backup. Of course, I check periodically if those backups are there and working.
  11. I use TeamViewer to help a few friends with their computer issues. I have them give me a one-time session login and not a login I can use at will. I have them sit at their computer and watch everything I do, which is also useful for them to learn and hopefully save me from being called the next time the same problem comes up. But it’s also to prevent any suspicion that something I might have done caused them to have problems. This wouldn’t work in cases of professional support, but it’s a good way not to lose friends.
    • The ones who are watching you and you think are being enlightened are still clueless.
      And you will still be blamed.
      You know, since last week when you fixed my computer the cat has been limping. Can you please take care of that?
      • You’re right. One time I sat next to someone who had a computer problem and told her what to type. After that session, her computer crashed irrecoverably (it was probably her dying hardware which caused the problem in the first place) and she blamed me for sabotaging her computer. But in the majority of cases, people appreciate the transparency even if what they are viewing is opaque to them.
    • Funny thing, just before coming to this article today, I was on a remote TeamViewer session helping a friend with a computer problem.
  12. I look after the computer and network infrastructure for a 15-person accounting firm. I had to sit down with the founder and explain the facts of life: once I log on as Administrator, I have access to absolutely everything. If I don’t have access to everything, I can’t fix problems that arise. And these accountants are very inventive when it comes to causing problems.
  13. This may be beyond the scope of this article but I’m wondering if there are any professional certifications or organizations available that would let customers know that the system administrator that they are trusting is, in fact, worthy of it? Financial advisors, building contractors, plumbers and electricians, to name a few, have licensing oversight and I would think a SA would benefit from that as well.

    Secondly, I think an article about what to look for in a Systems Administrator would be helpful to those of us that need to hire such a person.
    • Del,

      I can’t say I’ve ever heard of any organization, professional or otherwise, that would provide a level of trust as would a contractor or other such trade professionals. Some fly-by-night scammers will often present themselves as being licensed and bonded, but unless you specifically ask what they’re licensed and bonded for, it’s probably nothing more than some online certification which often means little or nothing.

      The best way I can think of is to get a number of references and check them thoroughly. If they have none, then give them a wide berth. If they are someone who is experienced in the field, they will have plenty of people willing to vouch for them and their expertise…not only clients, but other IT professionals as well. Leo’s a good example – people know his work and experience and freely recommend him to others for his expertise.

      Jonathan
  14. I have a small website which I manage myself. But that doesn’t get me off the hook. The web hosting company also has all of those powers. It’s run by a friend, but that could be a problem in itself as he might have more interest in reading my emails than a stranger :-)
