Top 5 most overrated habits in IT

If you have worked in IT for any length of time, you will have heard or seen the IT teams you work with applying certain strategies that you might wonder about. Are they really a good idea? Surely they know what they are doing? Well, quite often the answer is no and no. There’s probably a long list of bad habits or common myths you know but I’ve whittled a list down to just five. Ready? Here goes:

  1. Disabling IPv6
  2. Disabling objects (user accounts) in AD
  3. RDP’ing to Servers
  4. Installing Office on Servers
  5. Having people in both Enterprise Admins and Domain Admins at the same time.

Disabling IPv6

IPv6 has been around for years. For many companies it’s the elephant in the room, sat quietly munching on peanuts, watching people work. It’s actually been working alongside IPv4, like the grey man, not being noticed. That does not mean it’s a waste or that it’s interfering with anything. Far from it, it’s the opposite. It has been making things work. And yet many people get it into their heads that having 2 IP schemes is bad so they decide to disable IPv6. That’s a very bad idea.

Microsoft recommend configuring the network stack to “prefer” IPv4 and leaving IPv6 alone.
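As an added example (not from the original post), this PowerShell reads the documented `DisabledComponents` value under the Tcpip6 service key and reports whether a machine is at the default, prefers IPv4 (0x20) or has IPv6 switched off (0xFF). The function names are hypothetical, and a reboot is needed after changing the value.

```powershell
# Added example, not the author's code. DisabledComponents is the documented
# Tcpip6 registry value; the function names here are hypothetical.
$Tcpip6Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

function Get-IPv6StackPolicy {
    # A missing value means the Windows default: IPv6 enabled and preferred.
    $item  = Get-ItemProperty -Path $Tcpip6Params -Name DisabledComponents -ErrorAction SilentlyContinue
    $raw   = if ($null -ne $item) { [int]$item.DisabledComponents } else { 0 }
    $value = $raw -band 0xFF   # classify on the low byte (0xFFFFFFFF reads back as -1)

    $state = switch ($value) {
        0x00    { 'Default: IPv6 enabled and preferred' }
        0x20    { 'IPv6 enabled, IPv4 preferred' }
        0xFF    { 'IPv6 disabled' }
        default {
            if ($value -band 0x10) { 'IPv6 disabled on non-tunnel interfaces' }
            else { 'Custom value, review manually' }
        }
    }
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        DisabledComponents = '0x{0:X2}' -f $value
        State              = $state
    }
}

function Set-PreferIPv4 {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($Tcpip6Params, 'Set DisabledComponents to 0x20')) {
        New-ItemProperty -Path $Tcpip6Params -Name DisabledComponents `
            -PropertyType DWord -Value 0x20 -Force | Out-Null
        Write-Warning 'Restart the computer for the change to take effect.'
    }
}

Get-IPv6StackPolicy
# Set-PreferIPv4 -WhatIf    # preview; remove -WhatIf to apply
```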

Disabling objects

Whether a company fires staff, they quit or they just go on long sabbaticals never to return, the response of IT teams is to disable the account. And then they walk away. All this does is increase the risk of being hacked. How? If you have just ten user accounts and disable one, an attacker can re-enable the account and no-one will bat an eyelid. No alert will trigger, no alarm will ring, and no email will be sent. An attacker who has to create their own “evil user” will set off all of those things. Existing user accounts have no protections or auditing and, worse still, will often still be members of all the AD groups they had to start with.

This means the more accounts you disable and never delete, the greater the risk you instil, because the chances of being caught are lower.
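To put numbers on that risk, the added example below (not from the original post) lists disabled accounts that still hold group memberships, then pulls "user account was enabled" events (ID 4722) from a domain controller's Security log. The function names are hypothetical, and it assumes the ActiveDirectory module is installed and that "Audit User Account Management" is switched on for the domain controllers.

```powershell
# Added example, not the author's code; function names are hypothetical.
Import-Module ActiveDirectory

function Get-DisabledUserExposure {
    param([int]$OlderThanDays = 30)
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    # whenChanged moves on any attribute change, so treat it as an approximate age.
    Get-ADUser -Filter 'Enabled -eq $false' -Properties MemberOf, whenChanged, LastLogonDate |
        Where-Object { $_.whenChanged -lt $cutoff } |
        ForEach-Object {
            $groups = @($_.MemberOf)   # does not include the primary group
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                LastChanged    = $_.whenChanged
                LastLogon      = $_.LastLogonDate
                GroupCount     = $groups.Count
                Groups         = ($groups | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; '
            }
        } | Sort-Object GroupCount -Descending
}

function Get-AccountEnabledEvent {
    param([string]$DomainController = $env:COMPUTERNAME, [int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4722; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt  = $_
            $data = @{}
            # Read fields by name from the event XML instead of relying on position.
            ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time      = $evt.TimeCreated
                Enabled   = $data['TargetUserName']
                EnabledBy = $data['SubjectUserName']
            }
        }
}

Get-DisabledUserExposure | Format-Table -AutoSize
Get-AccountEnabledEvent  | Format-Table -AutoSize
```

Run the event query against every domain controller, because Security log entries are not replicated between them.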

Then there’s the licensing. You might not like this, but Microsoft’s license policy charges per user object. They don’t care whether it’s enabled or disabled – the price is per object (i.e. user account).

I have to confess I don’t get the logic of “keeping accounts just in case”. In case of what? If Joe User was sacked you don’t want him back. If he quit in disgust, he ain’t coming back. Ever. So that leaves only one scenario: you need to access the files that only Joe User had access to. That’s not a valid reason. Not by a long way.

RDP’ing

Remote Desktop is a kind of magic. It’s seductive, I know. I’ve used it and enjoyed the ease of use. But then something happened. One day I was working, and someone bumped me off the connection. I then found that the maximum number of RDP connections is 2. Two! I checked and it’s not a mistake. Two is all you get. So why is that?

It’s simple really: those RDP connections are there for emergency use only. There are two so that if one person is unavailable, there’s another account to get in.

Why the fuss? Well RDP is a target for hackers. It’s a weak point and hackers can and do attack it. The stats on RDP attacks are scary. It’s risky enough to rely on it in on-prem environments but now remote working is common, opening RDP over the internet is nothing short of bonkers.

My suggested fix: Block it completely. If you brick up the RDP door so no-one at all can get in, then the problem is fixed.
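One way to check and apply that fix on a server, as an added example that is not from the original post: it reports whether RDP is accepted, listening or allowed through the firewall, and can then close all of them. The function names are hypothetical, and the firewall group name 'Remote Desktop' assumes an English-language Windows installation.

```powershell
# Added example, not the author's code. Function names are hypothetical;
# the registry values and NetSecurity cmdlets are standard Windows ones.
$TsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpExposure {
    # fDenyTSConnections: 1 = RDP refused, 0 = RDP accepted.
    $deny = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections).fDenyTSConnections
    # The listener port is configurable, so read it rather than assuming 3389.
    $port = (Get-ItemProperty -Path "$TsKey\WinStations\RDP-Tcp" -Name PortNumber).PortNumber
    $open = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
              Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })
    $listening = [bool](Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        RdpAccepted     = ($deny -eq 0)
        Port            = $port
        Listening       = $listening
        InboundFwRules  = $open.Count
        FullyBlocked    = ($deny -eq 1) -and (-not $listening) -and ($open.Count -eq 0)
    }
}

function Disable-Rdp {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Refuse RDP and disable its firewall rules')) {
        Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    }
}

Get-RdpExposure
# Disable-Rdp -WhatIf    # preview; remove -WhatIf to apply
```

Run `Disable-Rdp` from a console or PowerShell remoting session rather than over RDP itself, and check for a Group Policy setting that overrides the local value.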

Microsoft designed the OS to be managed remotely through other routes: RSAT (the Remote Admin Toolkit) or PowerShell and more recently Windows Admin Center (WAC). You can install all of them on client OSes back to Windows 7. That’s a huge clue right there. WAC and PowerShell are the modern ways and are far more flexible.

Install things on Servers

This is a favourite bug-bear I’ve seen. Some people install Office on their file servers or admin boxes. Or maybe unlicensed copies of WinRAR. What? It’s not free, forever? No – you have 40 days and then you uninstall it.

WinRAR license statement

Who cares? Well, it’s those pesky bad-hats again. Apart from a domain with 2000 disabled user accounts, all ripe for enabling so they can wander around for months, they love things that need patching. The more apps you install, the more patches you need. You’re just giving yourself extra work and increasing the risk exposure of the business.

Super Admins

Finally, we get to my favourite. It’s the Super-super admins. The people who add themselves to the Enterprise administrator group and then domain admin group and the schema admin group. Feel the power.

The mentality is “the more admin I have the better I can get things done”. It reminds me of first-person shooters or action films where the hero is armed with a hand-gun and carries a shotgun, knives, grenades, a rocket launcher, sniper rifle, automatic rifle, knuckle-dusters, compass, cuddly toy and the most dangerous thing known to man, a 6-stud Lego brick.

The truth is that it’s not big or clever. Far from it, they put themselves and everyone at risk. They are far more likely to shoot themselves in the foot with all that power. I’ve literally seen it happen. Twice. The only surprise was that the guilty parties were not reprimanded and busted down to user-only access.
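To find the super-super admins in your own forest, the added example below (not from the original post) lists every user who sits in more than one of Enterprise Admins, Schema Admins and Domain Admins, including membership through nested groups. The function name is hypothetical, and it assumes the ActiveDirectory module is installed and that the default group names have not been changed.

```powershell
# Added example, not the author's code; the function name is hypothetical.
Import-Module ActiveDirectory

function Get-PrivilegedGroupOverlap {
    # Enterprise Admins and Schema Admins exist only in the forest root domain.
    $root   = (Get-ADForest).RootDomain
    $domain = (Get-ADDomain).DNSRoot
    $targets = @(
        @{ Name = 'Enterprise Admins'; Server = $root }
        @{ Name = 'Schema Admins';     Server = $root }
        @{ Name = 'Domain Admins';     Server = $domain }
    )

    $seen = @{}   # distinguishedName -> account name and the groups it is in
    foreach ($t in $targets) {
        # -Recursive flattens nested groups, so indirect membership counts too.
        Get-ADGroupMember -Identity $t.Name -Server $t.Server -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                if (-not $seen.ContainsKey($_.distinguishedName)) {
                    $seen[$_.distinguishedName] = [pscustomobject]@{
                        Account = $_.SamAccountName
                        Groups  = [System.Collections.Generic.List[string]]::new()
                    }
                }
                $seen[$_.distinguishedName].Groups.Add($t.Name)
            }
    }

    # Keep only accounts that appear in two or more of the groups.
    $seen.Values |
        Where-Object { $_.Groups.Count -gt 1 } |
        Select-Object Account,
                      @{ n = 'GroupCount'; e = { $_.Groups.Count } },
                      @{ n = 'Groups';     e = { $_.Groups -join ', ' } } |
        Sort-Object GroupCount -Descending
}

Get-PrivilegedGroupOverlap | Format-Table -AutoSize
```

Expect the built-in Administrator account of the forest root domain in the output, since it belongs to all three groups by default; any named person listed alongside it is the case this section describes.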

 

 

By deployboy

A Welshman, living in England married to a Brazilian, I am a Microsoft evangelist on all things related to both OS deployment and configuration management. I hope to entertain and educate in equal measure to give something back to the IT community.