With great power comes great responsibility… and risk.
In addition to being the “Leo” in Ask Leo!, I administer web servers and websites for a few friends and organizations and host email accounts on my own servers for a few others.
What I’ve come to realize over time is that in doing so, these people have placed a tremendous amount of control in my hands — more than you might imagine.
What I’ve also realized is that this isn’t uncommon. In fact, whenever you have someone manage your business’s website, server, or email, be they a friend or a hired service, you’re probably giving them much more access than you realize.
It’s often the right and even necessary thing to do.
Your sysadmin might not tell you how much power he or she really has.
I will.
Become a Patron of Ask Leo! and go ad-free!
What your sysadmin should tell you
- I can read your email
- I can impersonate you
- I can copy all your files
- I can hijack your domain
- I can shut you down
- I’m at risk, too
- I can be a partner
In defense of sysadmins everywhere
I have to start by saying I’m not implicating system administrators at all. They are the backbone of the internet. They keep the digital wheels greased and pistons lubed, making sure websites work and emails get sent 24 hours a day, seven days a week.
What I do want to make clear is just how much power you may be giving your system administrator without realizing it. I’m not saying that doing so is wrong; in many cases, it’s exactly the right thing to do.
It’s just important to realize how much access and control you’re giving your system administrator so you can make informed decisions when you’re looking for help.
Different types of sysadmins
We use the term “sysadmin” to refer to people who administer your system — but “system” is somewhat vague.
For purposes of this discussion, a sysadmin could be:
- Someone who sets up and administers your email server or email accounts.
- Someone who sets up and administers and maintains your website.
- Someone who sets up and administers your entire web or other type of server.
- Someone who sets up and administers your internet domains and DNS.
With all that in mind, here are a few things that your system administrator might not tell you.
1. “I can read your email.”
I think this surprises most folks.
If your email ever touches a system managed by your sysadmin, or if the sysadmin is the person who sets up email accounts and perhaps resets passwords for you, that person likely has the ability to read your email.
The most common scenario is hiring someone to work on your website. Say you own somerandomservice.com, and you have someone come in and build you a website there from scratch.
If you also get your email via that same domain — say your email address is leo@somerandomservice.com — then it’s possible, and I’d guess fairly common, that this person you just hired could access your email.
Letting your sysadmin have access might be a good thing.
I know having that kind of access has allowed me to quickly determine and resolve issues for my clients. I certainly don’t make a habit of reading their emails — a clear invasion of trust and privacy — but the ability to quickly swoop in and see if they’ve received the test message I just sent can be extremely helpful when tracking down a thorny issue.
If you don’t trust your system administrator to not poke around in your email, and you want your email to be on the same domain as your business website, there are technical solutions to separate the two. The problem is they are technical solutions, and if you’re not up on those technicalities, you’ll still need to trust someone to put them in place.
2. “I can impersonate you.”
With access to your email, it’s not difficult for a sysadmin to send email that is truly from your account. I’m not talking about all the ways email can be spoofed or even hacked; in many cases, a sysadmin simply has direct access to your email account.
Done properly and with malicious intent, it would be extremely difficult to prove that an email sent by your sysadmin was not actually sent by you.
Given all the ways that email can be forged and spoofed, this may not necessarily have true legal ramifications, but at a minimum, it could be embarrassing.
3. “I can copy all your files.”
This is obvious when people think about it, but people rarely think about it. When you have someone work on your website for you, they have access to everything that might be stored there, whether it’s something they’re working on or not.
That means they can copy it.
Once again, this can be a good thing depending on your sysadmin’s motives. For example, a backup is a copy.
I periodically take a complete copy of at least one client’s complete website as backup. Given how paranoid I am about backups, it’s replicated across three or four machines here at home, as well as off-site. They’re probably getting better backup than anything a web host might provide.
The risk, of course, is that should they and I ever have a falling out, I could run off with all of their content — intellectual property they’ve worked for years to create and accumulate. Who knows what I could do with it?
Of course, I won’t. Can you say the same about your sysadmin?
4. “I can hijack your domain.”
It’s not uncommon to hand off management of your domain (“somerandomservice.com” in our example) to your sysadmin. They take on the technical details of “DNS”: making sure your site can be found on the internet, the correct server is reached when people try to visit your site, and email is routed appropriately.
Quite often, with that type of access comes the ability to take actual ownership of the domain, or, at a minimum, to redirect the domain to servers and content that aren’t yours.
Having someone manage your DNS is not uncommon, as it must be done correctly for your website and email to function at all. But once again, you’re giving that person control of a critical resource.
5. “I can shut you down.”
It’s a joke I never make,1 but I’m occasionally tempted to say in jest, “Don’t piss me off — you know what I can do” to some of my clients.
And it’s true. I never, ever would, but in many cases, a sysadmin could block your email, take down your website completely, or worse. They could replace your site with less-than-desirable content, destroy your online records, and lay waste to pretty much all of your digital assets and online reputation.
They could also do something much simpler. I heard one apocryphal story of a website designer putting up derogatory statements about a client on the client’s own website because a bill had not been paid. True or not (and legal or not), it’s entirely possible, and it would not surprise me if it’s happened more than once.
6. “I’m at risk here too.”
What a lot of sysadmins don’t realize is that many of the risks I’ve listed above can be turned around to cause them trouble as well. They may not tell you this simply because they haven’t realized it themselves.
By taking on such open-ended access2 to my client’s systems, I put myself at some risk as well.
A good example is email. If I can send email that looks like it came from my client, then I could be accused of sending email that looks like it’s from my client even though I had nothing to do with it. I certainly have the means and opportunity. Regardless of who has to prove what to whom, the accusation could cause a great deal of difficulty.
Similarly, consider the backups I’ve taken of my client’s site. If for some reason I should accidentally allow those to fall into the hands of a hacker, at a minimum I’ve violated their trust.
7. “I can be your partner.”
With all of the control given to a sysadmin, it might be easy to think of them as scary people to tiptoe around so as not to annoy them in case they decide to exact costly revenge.
If that’s the relationship you have with your sysadmin, it’s time to find a new one. Now. Change your passwords (and perhaps more), and send him or her to the curb.
A good system administrator does more than configure a website or email.
A good system administrator can be a partner in helping your business grow.
That’s a role I try to play.
Do this
Ask the questions. A good sysadmin will be upfront and honest if you ask about the risks that I’ve described here and should be able to explain possible alternatives to help reduce your exposure.
A really good sysadmin will look at what you have and suggest ways to improve it — perhaps making it faster, easier to use, or less costly.
And the truly exceptional sysadmin will already have told you everything you just read.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Podcast audio
Related Video
6. “I’m at risk here too”
…
Similarly, consider the backups I’ve taken of my client’s site. If for some reason I should accidentally allow those to fall into the hands of a hacker at a minimum I’ve violated her trust.
=====
By extension, the same thing you say about e-mail applies here. Suppose a hacker were to steal the admin login information from the client, and use that to grab a copy of everything on the website. You could be accused of being the source of the leak, just as you could be accused of being the one who sent that “embarrassing” e-mail.
=====
Thank you for pointing out this not-necessarily-complete list. Many people hear “if you don’t trust your sysadmin, replace him”, but don’t necessarily understand why. I think this list of the highlights should help get the point across.
Now that was a good read! It’s my guess 95 percent of website owners have no clue about the real power of a system admin. As usual, you laid it out effectively, simply and with great clarity.
This should be required reading for every business owner that has a website. Heck, I know a guy that has a big list that surely has hundreds, if not thousands, of business owners on it. I’ll tell him to talk about this article.
Unfortunately, all of our worlds have become so complicated and technically oriented that we do little for ourselves outside of our world of expertise. Not only Sysadmins are involved here, but also our doctors, lawyers, cpa’s, our priest, minister, rabbi or imum, our state and federal governments, our banker — just about anybody we come in contact with on a professional basis has that power if they turn evil, and we have enough wealth to make it worth their while. As they say, “There’s no such thing as a free lunch”. The more people to whom we are forced to open our lives, the bigger the risk. Miserere nobis (Have mercy on us).
Leo, you hit the nail squarely on head. But your focus on the sysadmin position is a little to narrow.
Consider the lowley computer technician who comes in occassionally to repair/replace workstations. He/she will need to have several keys to the kingdom to accomplish the work and can run away with the crown jewells as well.
There’s a dimension to this discussion that goes beyond trust. I have seen many of my customers effected by vendors that they knowingly or not trusted with aspects of their business only to have these vendors go out of business leaving them in the lurch for access to their own critical programs, website, servers, email, etc.
I think the other take away from your article should be to understand the technical aspects of your business well enough to understand just what you are trusting both your contract labor as well as your employes with.
…And having read all that about your SysAdmin, now feel free to ignore all of it completely.
Because — quite frankly — there is no Earthly you way you will ever be able to do without him.
10-Feb-2012
Have to agree with Glenn P. as you said, once we get outside of our own area of expertise, we are at the mercy of others. Including doctors, lawyers, sysadmin, etc.
My point is simply that we have no choice in the matter — it’s a “take it or leave it, my way or the highway, any-color-as-long-as-it’s-black”, Hobson’s Choice situation. It’s not that the information isn’t “important”, only that we can’t actually do anything with it (and if you think we can, Leo, you deceive yourself).
10-Feb-2012
Leo, I’m really starting to lose patience with what I perceive to be a (surprisingly) simplistic attitude on your part.
SysAdmins are not chosen by customers. They are chosen by the ISP’s.
Did I really need to say that?!
And which ISP you end up with isn’t always (or, isn’t always fully) within your control; it may depend on where you live, which company you work for, which online service(s) you subscribe to — or even which brand of computer you use or buy!
As the letter “i” said to the symbol “pi“, “Please, be rational!” :)
12-Feb-2012
Leo is right. I administer a number of websites, email, host websites (and administer some local networks – and am a “lowly computer technician). I am not associated in any way with their ISPs, and am hired – and could be fired – by my clients.
Leo, U rock.. & keep Rockin` On. Bless U. Again, love your articles, views & the HELP u give to us non-techie Mortals.
[coff] May I interrupt, here, please ?
There is an eighth thing that you probably don’t know – that is about back-ups. You can be sure(?) that the SysAdmin will set up a proper back-up system, but that back-up will be to protect *her*, not you. i.e. if there is a fire in your building and you lose “everything”, her back-up will enable her to re-create the system exactly as it was when she took the last back-up. But if *you* lose a file by mistake, do not expect her to be able to retrieve just that one file at the snap of your fingers. When working for another company, I have always kept my own back-up as well, i.e. copies of every version of all important documents.
Not sure I agree Robin. Yes, I have selfish motives for maintaining the backup system – I want to have a job after a disaster not only because I don’t want to get fired but because I need my employer to survive the event.
That said, systems are set to backup specific stuff (file servers but not local desktops/local ‘my documents’ folders) because there are limits and storage costs money. We tell people what is and what isn’t backed up and on what schedule. If staff work within the system that had been setup based on management’s allowed budget, I will recover your stuff and if I can’t, it is my fault. If staff don’t work within that system, it isn’t my fault.
You said ‘by mistake’. Yes, we all make them. If I was a web admin and I mistakenly didn’t make a personal backup – just in case, then it would be my fault. The difference between staff and techs is techs are expected to be less likely to make these particular type of mistake (backups). Instead, we are more prone to making other types of mistakes.
That said, I haven’t made a backup on my home computer since I don’t know when. I guess I just don’t want to think about backups when I switch off at the end of the work day. :)
You don’t want to think about backups after the end of a workday. This will work until the day your hard drive dies or is seriously infected with malware. Then you’ll have a lot to think about. I have EaseUS Todo on autopilot set to do monthly system image backups and daily incrementals and set to delete older backups automatically. The only time I have to think about backups is if I have a problem which can be solved by my backup. Of course, I check periodically if those backups are there and working.
I use Teamviewer to help a few friends with their computer issues. I have them give me a one time session login and not a login I can use at will. I have them sit at their computer and watch everything I do, which is is also useful for them to learn and hopefully save me from being called the next time the same problem comes up. But it’s also to prevent any suspicion that something I might have done caused them to have problems. This wouldn’t work in cases of professional support, but it’s a good way not to lose friends.
The ones who are watching you and you think are being enlightened are still clueless.
And you will still be blamed.
You know, since last week when you fixed my computer the cat has been limping. Can you please take care of that?
You’re right. One time I sat next to someone who had a computer problem and told her what to type. After that session, her computer crashed irrecoverably (it was probably her dying hardware which caused the problem in the first place) and she blamed me for sabotaging her computer. But in the majority of cases, people appreciate the transparency even if what they are viewing is opaque to them.
The “last person who touched it” rule.
Whew, I was lucky in that one. She wouldn’t let anyone lay a finger on her laptop.
Funny thing, just before coming to this article today, I was on a remote TeamViewer session helping a friend with a computer problem
I look after the computer and network infrastructure for a 15-person accounting firm. I had to sit down with the founder and explain the facts of life: once I log on as Administrator, I have access to absolutely everything. If I don’t have access to everything, I can’t fix problems that arise. And these accountants are very inventive when it comes to causing problems.
This may be beyond the scope of this article but I’m wondering if there are any professional certifications or organizations available that would let customers know that the system administrator that they are trusting is, in fact, worthy of it? Financial advisors, building contractors, plumbers and electricians, to name a few, have licensing oversight and I would think a SA would benefit from that as well.
Secondly, I think an article about what to look for in a Systems Administrator would be helpful to those of us that need to hire such a person.
Del,
I can’t say I’ve ever heard of any organization, professional or otherwise, that would provide a level of trust as would a contractor or other such trade professionals. Some fly-by-night scammers will often present themselves as being licensed and bonded, but unless you specifically ask what they’re licensed and bonded for, it’s probably nothing more than some online certification which often means little or nothing.
The best way I can think of is to get a number of references and check them thoroughly. If they have none, then give them a wide berth. If they are someone who is experienced in the field, they will have plenty of people willing to vouch for them and their expertise…not only clients, but other IT professionals as well. Leo’s a good example – people know his work and experience and freely recommend him to others for his expertise.
Jonathan
I have a small website which I manage myself. But that doesn’t get me off the hook. The web hosting company also has all of those powers. It’s run by a friend, but that could be a problem in itself as he might have more interest in reading my emails than a stranger :-)
Regarding that “reading emails” thing… Remember the olden days when all correspondence was written with pen and ink? The saying back then was “don’t put into writing anything you wouldn’t want the public to read.” After all, letters could be stolen right out of that locked desk drawer.
I’m constantly amazed at how many people in the modern world have forgotten that advice. Especially considering that “the cloud” is just a way of saying “a computer in an unknown location, administered by a stranger, whose skill level cannot be verified.”
How do I know that people back in the olden days payed attention to that advice? Well, I can’t say for sure that they did. But if they didn’t, then none of the juicy bits ever made in into any of my high school history books.
I suspect that for most AskLeo readers the sysadmin role is done by the reader himself or herself (i.e. the computer owner). Most often you encounter a “sysadmin” in the work environment. If you work for a fairly large company there will be a sysadmin department with several administrators. Within a company it’s best to make friends with them, typically befriend at least one of the sysadmin team members. That way you’ll get faster service if you have problems and there will be less of a chance of them using their “powers” against you. Actually there is a very little chance of a sysadmin deliberately acting to hurt an employee unless the sysadmin is outright a crook or there is personal animosity.
If you have a small business and hire someone as a sysadmin, or hire a company to do your sysadmin, you the business owner do have the power to oversee, control or fire the sysadmin. In other words, you can’t turn over the keys to your business to the hired sysadmin and trust everything they do. That’s doing due diligence on your part.
If your sysadmin is your ISP, especially if they own your modem and router, you’re out of luck. They’ll do what they want.
The main problems a sysadmin does aren’t while they are working. It’s after they’ve been fired or quit. They can set up a back door when they are working for you and take advantage of it after they leave. They can be stealthy enough to go undetected.
I am a sysadmin. I am a little suspicious when co-workers try to befriend me. With the exception of my supervisor and then my colleagues in my department, all of my co-workers receive the less speed of support.