With great power comes great responsibility… and risk.
In addition to being the “Leo” in Ask Leo!, I administer web servers and websites for a few friends and organizations and host email accounts on my own servers for a few others.
What I’ve come to realize over time is that in doing so, these people have placed a tremendous amount of control in my hands — more than you might imagine.
What I’ve also realized is that this isn’t uncommon. In fact, whenever you have someone manage your business’s website, server, or email, be they a friend or a hired service, you’re probably giving them much more access than you realize.
It’s often the right and even necessary thing to do.
Your sysadmin might not tell you how much power he or she really has.
What your sysadmin should tell you
- I can read your email
- I can impersonate you
- I can copy all your files
- I can hijack your domain
- I can shut you down
- I’m at risk, too
- I can be a partner
In defense of sysadmins everywhere
I have to start by saying I’m not implicating system administrators at all. They are the backbone of the internet. They keep the digital wheels greased and pistons lubed, making sure websites work and emails get sent 24 hours a day, seven days a week.
What I do want to make clear is just how much power you may be giving your system administrator without realizing it. I’m not saying that doing so is wrong; in many cases, it’s exactly the right thing to do.
It’s just important to realize how much access and control you’re giving your system administrator so you can make informed decisions when you’re looking for help.
Different types of sysadmins
We use the term “sysadmin” to refer to people who administer your system — but “system” is somewhat vague.
For purposes of this discussion, a sysadmin could be:
- Someone who sets up and administers your email server or email accounts.
- Someone who sets up, administers, and maintains your website.
- Someone who sets up and administers your entire web or other type of server.
- Someone who sets up and administers your internet domains and DNS.
With all that in mind, here are a few things that your system administrator might not tell you.
1. “I can read your email.”
I think this surprises most folks.
If your email ever touches a system managed by your sysadmin, or if the sysadmin is the person who sets up email accounts and perhaps resets passwords for you, that person likely has the ability to read your email.
The most common scenario is hiring someone to work on your website. Say you own somerandomservice.com, and you have someone come in and build you a website there from scratch.
If you also get your email via that same domain — say your email address is firstname.lastname@somerandomservice.com — then it’s possible, and I’d guess fairly common, that this person you just hired could access your email.
Letting your sysadmin have access might be a good thing.
I know having that kind of access has allowed me to quickly determine and resolve issues for my clients. I certainly don’t make a habit of reading their emails — a clear invasion of trust and privacy — but the ability to quickly swoop in and see if they’ve received the test message I just sent can be extremely helpful when tracking down a thorny issue.
If you don’t trust your system administrator to not poke around in your email, and you want your email to be on the same domain as your business website, there are technical solutions to separate the two. The problem is they are technical solutions, and if you’re not up on those technicalities, you’ll still need to trust someone to put them in place.
2. “I can impersonate you.”
With access to your email, it’s not difficult for a sysadmin to send email that is truly from your account. I’m not talking about all the ways email can be spoofed or even hacked; in many cases, a sysadmin simply has direct access to your email account.
Done properly and with malicious intent, it would be extremely difficult to prove that an email sent by your sysadmin was not actually sent by you.
Given all the ways that email can be forged and spoofed, this may not necessarily have true legal ramifications, but at a minimum, it could be embarrassing.
3. “I can copy all your files.”
This is obvious when people think about it, but people rarely think about it. When you have someone work on your website for you, they have access to everything that might be stored there, whether it’s something they’re working on or not.
That means they can copy it.
Once again, this can be a good thing depending on your sysadmin’s motives. For example, a backup is a copy.
I periodically take a complete copy of at least one client’s complete website as backup. Given how paranoid I am about backups, it’s replicated across three or four machines here at home, as well as off-site. They’re probably getting better backup than anything a web host might provide.
The risk, of course, is that should they and I ever have a falling out, I could run off with all of their content — intellectual property they’ve worked for years to create and accumulate. Who knows what I could do with it?
Of course, I won’t. Can you say the same about your sysadmin?
4. “I can hijack your domain.”
It’s not uncommon to hand off management of your domain (“somerandomservice.com” in our example) to your sysadmin. They take on the technical details of “DNS”: making sure your site can be found on the internet, the correct server is reached when people try to visit your site, and email is routed appropriately.
Quite often, with that type of access comes the ability to take actual ownership of the domain, or, at a minimum, to redirect the domain to servers and content that aren’t yours.
Having someone manage your DNS is not uncommon, as it must be done correctly for your website and email to function at all. But once again, you’re giving that person control of a critical resource.
5. “I can shut you down.”
It’s a joke I never make, but I’m occasionally tempted to say in jest, “Don’t piss me off — you know what I can do” to some of my clients.
And it’s true. I never, ever would, but in many cases, a sysadmin could block your email, take down your website completely, or worse. They could replace your site with less-than-desirable content, destroy your online records, and lay waste to pretty much all of your digital assets and online reputation.
They could also do something much simpler. I heard one apocryphal story of a website designer putting up derogatory statements about a client on the client’s own website because a bill had not been paid. True or not (and legal or not), it’s entirely possible, and it would not surprise me if it’s happened more than once.
6. “I’m at risk here too.”
What a lot of sysadmins don’t realize is that many of the risks I’ve listed above can be turned around to cause them trouble as well. They may not tell you this simply because they haven’t realized it themselves.
By taking on such open-ended access to my client’s systems, I put myself at some risk as well.
A good example is email. If I can send email that looks like it came from my client, then I could be accused of sending email that looks like it’s from my client even though I had nothing to do with it. I certainly have the means and opportunity. Regardless of who has to prove what to whom, the accusation could cause a great deal of difficulty.
Similarly, consider the backups I’ve taken of my client’s site. If for some reason I should accidentally allow those to fall into the hands of a hacker, at a minimum I’ve violated their trust.
7. “I can be your partner.”
With all of the control given to a sysadmin, it might be easy to think of them as scary people to tiptoe around so as not to annoy them in case they decide to exact costly revenge.
If that’s the relationship you have with your sysadmin, it’s time to find a new one. Now. Change your passwords (and perhaps more), and send him or her to the curb.
A good system administrator does more than configure a website or email.
A good system administrator can be a partner in helping your business grow.
That’s a role I try to play.
Ask the questions. A good sysadmin will be upfront and honest if you ask about the risks that I’ve described here and should be able to explain possible alternatives to help reduce your exposure.
A really good sysadmin will look at what you have and suggest ways to improve it — perhaps making it faster, easier to use, or less costly.
And the truly exceptional sysadmin will already have told you everything you just read.