Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Ask Slashdot: Do I Give IT a Login On Our Dept. Server?

CmdrTaco posted more than 3 years ago | from the would-they-give-one-to-you dept.

Medicine 1307

jddorian writes "I am head of a clinical division at an academic hospital (not Radiology, but similarly tech oriented). My fellow faculty (a dozen or so) want to switch from a paper calendar to electronic (night and weekend on-call schedule). Most have an iPhone or similar, so I envisaged a CalDAV server. The Hospital IT department doesn't offer any iPhone compatible calendar tool, so I bought (with my cash) a tiny server, installed BSD and OpenLDAP for accounts, and installed and configured DAViCal. After I tested it out, I emailed IT to ask to allow port 8443 through the hospital firewall to this server. The tech (after asking what port 8443 was for), said he would unblock the port after I provide him with a login account on the machine (though 'I don't need root access'). I was taken aback, and after considering it, I am still leaning toward opposing this request, possibly taking this up the chain. I'm happy to allow any scan, to ensure it has no security issues, but I'd rather not let anyone else have a login account. What do the readers of Slashdot think? Should I give IT a login account on a server that is not owned or managed by them?"

Sorry! There are no comments related to the filter you selected.

FUCKIN' A !! (-1)

Anonymous Coward | more than 3 years ago | (#35856280)

What's the A part again ??

In my corporate environment.... (5, Insightful)

Anonymous Coward | more than 3 years ago | (#35856290)

.... you'd be breaking network and security policies up the wazoo by plugging your own server into the network, much less having a machine that IT couldn't manage and audit.

Re:In my corporate environment.... (1)

Qzukk (229616) | more than 3 years ago | (#35856372)

Yeah. Scanning it for vulnerabilities doesn't answer the question of whether your server is intentionally malicious.

If the calendar is externally available (just not in an iPhone friendly format) then perhaps you can get a compromise with IT to jack your server in a port outside the firewall.

Re:In my corporate environment.... (5, Insightful)

Ferzerp (83619) | more than 3 years ago | (#35856434)

I think the real question should be should IT shut down any network port they see your rogue equipment connected to.

Hint: the answer is yes

Re:In my corporate environment.... (3, Insightful)

Zyrkyr (594993) | more than 3 years ago | (#35856560)

Right. You aren't required to give them a user account on your machine, but they're not required to open a firewall port for you either...

This entire post is stupid (1)

Anonymous Coward | more than 3 years ago | (#35856294)

You bought a server, with your own money, and connected it to your corporate network. Now the corporate IT people want a login to it, and you think it's OK to say no? Yeah okay.

Fuck no (-1)

Anonymous Coward | more than 3 years ago | (#35856296)

They didn't buy it, they don't maintain it, they don't use it. Let them scan it and check everything over, but don't give them login credentials.

Unfortunately it's just another IT department with a God complex.

Re:Fuck no (4, Insightful)

h4rr4r (612664) | more than 3 years ago | (#35856412)

They can also not provide it a network port. When the server gets pwned it will be IT people blame.

Re:Fuck no (1)

$RANDOMLUSER (804576) | more than 3 years ago | (#35856424)

Can I plug my packet sniffer box onto your network?

Idiot.

Yes (0)

Anonymous Coward | more than 3 years ago | (#35856298)

Secure the machine against privilege escalation attacks, and give IT an unprivileged SSH login. Why not?

Re:Yes (1)

after.fallout.34t98e (1908288) | more than 3 years ago | (#35856338)

Chrooted into a jail that they can do almost nothing from (perhaps get version numbers from a few tools).

they may want to remote admin it aka WSUS / AV /. (0)

Anonymous Coward | more than 3 years ago | (#35856300)

they may want to remote admin it with things like WSUS / AV and other tools.

Re:they may want to remote admin it aka WSUS / AV (2)

michrech (468134) | more than 3 years ago | (#35856558)

WSUS / etc won't do much good for a Linux server...

I dunno (5, Insightful)

EvanED (569694) | more than 3 years ago | (#35856302)

But instead of asking "should I give IT a login account on a server that is not owned or managed by them?" perhaps you should ask "should I give IT a login account on a server that is on their network?"

It becomes a lot less clear in that formulation, huh?

Re:I dunno (1)

b0bby (201198) | more than 3 years ago | (#35856486)

Especially since you're asking for an external port for the thing.

Re:I dunno (0)

Anonymous Coward | more than 3 years ago | (#35856514)

Removing bad moderation.

Obvious question from their perspective (5, Insightful)

tomalpha (746163) | more than 3 years ago | (#35856304)

Why does a server that is not owned or managed by the IT department exist inside the firewall?

In my workplace that's a sacking offence.

Re:Obvious question from their perspective (0)

Anonymous Coward | more than 3 years ago | (#35856360)

^ This. Be happy they even let you keep the damn thing.

Re:Obvious question from their perspective (0)

Anonymous Coward | more than 3 years ago | (#35856394)

Yeah, in the place I work the submitter would be able to pickup that computer at the security desk when they escorted him out of the building.

Re:Obvious question from their perspective (4, Insightful)

shentino (1139071) | more than 3 years ago | (#35856420)

Also, this is a hospital.

Wouldn't this also be a HIPAA violation?

Re:Obvious question from their perspective (1)

Anonymous Coward | more than 3 years ago | (#35856502)

Only if it contains data pertinent to HIPAA rules.

Employee schedules are not pertinent.

Re:Obvious question from their perspective (1)

allenw (33234) | more than 3 years ago | (#35856574)

Even if the schedule is "Tuesday-9am: Give trach to Mrs. Lattimer"?

Re:Obvious question from their perspective (1)

Fujisawa Sensei (207127) | more than 3 years ago | (#35856548)

We have a winner!

Re:Obvious question from their perspective (1)

sribe (304414) | more than 3 years ago | (#35856556)

Wouldn't this also be a HIPAA violation?

Did you even think before you wrote that? Exactly which part of a "night and weekend on-call schedule" do you think will contain private health information?

Yes (0)

Anonymous Coward | more than 3 years ago | (#35856308)

Yes, you are operating on their network and should supply a login so they can at least see what is going on. You may let them scan, but you could be hiding anything on that server. Also, they would simply not be providing due diligence if they let an independently managed server on their network that they cannot access.

Ask? (2, Insightful)

gazbo (517111) | more than 3 years ago | (#35856310)

Have you asked him why he wants a shell? If not, why the hell not? And if so, why haven't you told us?

Which hospital? (1)

Anonymous Coward | more than 3 years ago | (#35856312)

Please tell us which hospital this is for.
I want to make sure I never go there.

Doing it wrong (5, Insightful)

dzr0001 (1053034) | more than 3 years ago | (#35856316)

You shouldn't be deploying rogue hardware that is not company owned at any place of business let alone a hospital. Have you even considered the compliance ramifications?

Yes. (0)

Anonymous Coward | more than 3 years ago | (#35856320)

Yes.

Yes, you should. (0)

Anonymous Coward | more than 3 years ago | (#35856322)

Essentially you are setting up a sandbox in someone else's backyard. When your users have a problem with your new setup, you better believe they will be calling IT at least occasionally. In this case it's just resource scheduling, so security is not really an issue here. Avoid the headache and oblige the request.

Wait, what? (5, Insightful)

0100010001010011 (652467) | more than 3 years ago | (#35856324)

You're asking them to open ports and you're "taken aback" for them asking for an account? They ARE the IT department.... did you even bother asking them if they had the capability of doing what you wanted before you reinvented the wheel?

You may not think that IT owns or manages your server, but they do own or manage the network. Imagine if some guy from IT came down to you and wanted to start looking through radiology records. I'm sure you'd ask him if it was ok to look over his shoulder every now and again before you gave him full access.

Re:Wait, what? (0)

Anonymous Coward | more than 3 years ago | (#35856444)

You're asking them to open ports and you're "taken aback" for them asking for an account? They ARE the IT department.... did you even bother asking them if they had the capability of doing what you wanted before you reinvented the wheel?

From the summary: The Hospital IT department doesn't offer any iPhone compatible calendar tool

Sounds like he and his colleagues want something quite reasonable and the idiots in IT don't offer it. Folks, when the doctor says "I'd like to join the rest of you in the 21st century now," you let him. And if you don't let him, he goes off and does something goofy like this. Guess who's fault it is.

Re:Wait, what? (1)

CarsonChittom (2025388) | more than 3 years ago | (#35856564)

You're asking them to open ports and you're "taken aback" for them asking for an account? They ARE the IT department.... did you even bother asking them if they had the capability of doing what you wanted before you reinvented the wheel?

From the summary: The Hospital IT department doesn't offer any iPhone compatible calendar tool

Sounds like he and his colleagues want something quite reasonable and the idiots in IT don't offer it.

Not offering it and not having the capability to offer it are two different things. There was no indication as to whether he'd asked IT "Hey, you don't have this now, but could you add it for us?" Which is what he should have done.

Competely reasonable (1)

msauve (701917) | more than 3 years ago | (#35856328)

You want to put a server on the network, complete with special firewall rules to support it? Yes, it's reasonable for IT to want some access to it.

Tell them to reimburse you (1, Interesting)

kimvette (919543) | more than 3 years ago | (#35856332)

Tell them that the second they reimburse you for the server they can not only get a login, but they can become responsible for its maintenance and security and they had better be sure it has a solid uptime. That only seems reasonable. :-)

Re:Tell them to reimburse you (4, Insightful)

h4rr4r (612664) | more than 3 years ago | (#35856478)

Sounds great. He can have access to the network switch port and the firewall opened up as soon as that transaction is complete. The Hospital IT should have switched off the network port the second they heard of this machine. Well really the network ports should just not all be on to begin with.

Yes (1)

O('_')O_Bush (1162487) | more than 3 years ago | (#35856334)

It's their job to manage security and the infrastructure. At a minimum, you gain a second set of eyes and hopefully expertise in hardening the server against the outside world. The last thing they want is your box to be a big gaping hole in their system.

If IT doesn't need root access, then he probably just wants it there to review the OS/changes to make sure that it won't break anything. Also, if it goes down, IT can help you get it back up or raise it when you're not available.

Really, I don't know why you *wouldn't* give IT a non-root account... but then again, you know what they say about doctors/academia and their egos.

Yes (3, Insightful)

geek (5680) | more than 3 years ago | (#35856336)

If you're hit by a car tomorrow and die you want someone else to be able to pick up the work and go forward. Once upon a time I had a VP I worked for at an ISP put me and the other head of the IT department on a plane with him to LA. The three of us were the only ones with access to the entire companies systems. I mentioned to him, if the plane went down, the company would probably be dead within a week. He just laughed it off.

That said, your IT department are the best ones to handle this. I doubt the hospital is paying you to play tech nerd, I'm sure you have other work you should be doing. The IT guys are PAID to do this and are screened carefully (at least I hope so) by management to be trustworthy in doing it.

It sounds to me more like you're looking for job security by being the only one with keys to the castle.

The DO own the network (0)

Anonymous Coward | more than 3 years ago | (#35856340)

Your IT department seems to be operating within the bounds of reason. At the company I work for it is against corporate policy to allow anything on the network that is not managed by corporate IT. If we're willing to provide a box with network access, or even moreso if the box needs to actually be visible from the outside... We've got to be able to confirm patch status and compliant security policy, which requires the ability to login and check such things. I'm actually rather surprised that the demand was not for an admin account.

No way (0)

Anonymous Coward | more than 3 years ago | (#35856342)

You probably have more pull than the IT goon anyway. As an EE (RF/Microwave) constantly battling the IT roadblocks, I have come to the conclusion it is not about service & support. They want power and control.

Re:No way (1)

giantism_strikes (1887188) | more than 3 years ago | (#35856480)

It is about service and support. However, it's also about security and best practices. If some non-IT person is expecting to throw stuff on the network, then it has to be evaluated by the proper people. The only power and control we want is to be able to keep our network safe. It's our butts on the line when someone manages to hack into the network and get to medical data that has privacy laws associated with it. You wouldn't want us throwing medical equipment at you haven't had the chance to evaluate.

Re:No way (2)

mikkelm (1000451) | more than 3 years ago | (#35856518)

Of course they want "power and control." If you were held responsible and accountable for a system, reasonably or not, then you would want "power and control" over it as well.

Responsibilities, Duties, and Areas (0)

Anonymous Coward | more than 3 years ago | (#35856344)

Making a change to the network infrastructure was not your job, rather, it sounds like it was the IT department's job, and you didn't step on his toes, you dropped a high-tonnage anvil on them. I'd say the tech is reacting very well to your intrusion and breach of work etiquette. Work with him if you want something productive to happen.

Your Risk (1)

giantism_strikes (1887188) | more than 3 years ago | (#35856346)

If you don't want IT to have access to your server, then don't come crying when something "doesn't work".

Hmm (2)

jav1231 (539129) | more than 3 years ago | (#35856350)

Let me tell you how this goes down in most corporations. If you don't, their security dept. simply won't give you what you want. They're likely to shut you out anyway. If you take it up the chain then you're calling attention to the fact that you have a non-hospital entity on the company network. This is/was a bad career move. You might get away with it and many do for some time. Given that you're running BSD is a plus as you're not as likely to propagate a virus. Unfortunately for you, IT already knows. So if you choose not to give them a login you might find yourself without an IP address. Or worse, without a job.

Not a dumb question (2)

$RANDOMLUSER (804576) | more than 3 years ago | (#35856352)

Asking what port 8443 is for wasn't a stupid question - if it's not in /etc/services, it's not a standard port number. As for giving him an account, look up "chroot jail". Problem solved.

Their business, their rules. (4, Insightful)

rotide (1015173) | more than 3 years ago | (#35856354)

You are operating a server, behind the firewall, on their infrastructure, in their facility. You, (un)fortunately, don't make the rules. What you're doing sounds great and the lengths you've gone to make it happen are commendable. But I can't imagine any decent business being run while allowing any employee to run any server they want behind their firewalls without at least some oversight. You're going to have to follow their rules, sorry.

Well (1)

ShooterNeo (555040) | more than 3 years ago | (#35856358)

Yes. The simplest is to give the tech an account with limited privileges, let him log on and look around, and then when you have this server up and running, reduce the privileges on his account further so that he can't interfere with anything.

But here's bigger factors you should worry about : think longer term. There's a chance that your hacked together server will be in use for the next 10-20+ years. Just how things go. Make sure to make an image file of the final configuration of the server onto a DVD or something and tape it to the server, with a text file on the disk and hand written instructions how to restore from this image. Make sure to save the newegg receipt with the exact hardware configuration of the server. I hope you used a passively cooled cpu, a solid state disk, and a good quality power supply.

Absolutely (0)

Anonymous Coward | more than 3 years ago | (#35856364)

IT is responsible for network issues, including ones created by a server that was setup by someone not qualified to do so.
In our organization, you wouldn't even have been allowed to attach "personal" servers to the network, period.

Take it up the chain (1)

necro81 (917438) | more than 3 years ago | (#35856366)

Feel free to take this up the chain of command. Both you and IT probably have valid arguments, and you should have a chance to duke it out to higher-ups. But at the end of the day, both sides will need to abide by whatever decision. To do otherwise would risk firing. If you don't like the decision that comes down ("Yes, IT must be given login access if you have this server"), you can simply tell your clients (the docs and allied health staff you serve) that you can't provide the calendar feature they asked for, and tell them to take it up the chain if they don't like it.

In other words: be the advocate for yourself and your clients, but don't try to be the judge as well, because you're likely to get stomped on by those who are the judges, deserved or not.

Why does he want access? (2)

codegen (103601) | more than 3 years ago | (#35856374)

You say he doesn't want root access, only an account. Maybe he has an iPhone and is also stymied by the IT department's lack of support for CalDAV.

No (0)

Anonymous Coward | more than 3 years ago | (#35856378)

As a person doing IT at one of the larger Universities in the US, the answer is most assuredly NO!

There is no valid reason what-so-ever that a 'tech' managing the FW needs an account on your machine.

Re:No (1)

Wyatt Earp (1029) | more than 3 years ago | (#35856492)

HIPAA is a very valid reason.

Re:No (2)

$RANDOMLUSER (804576) | more than 3 years ago | (#35856542)

Meaning that you're from the only kind of IT department in the world that allows any clueless asshole (students) to connect to your network. Meanwhile this guy works at a hospital where stuff like HIPPA means that if IT policies aren't carried out properly, IT people lose their jobs.

Give them a minimal account (1)

johnjaydk (584895) | more than 3 years ago | (#35856380)

Play nice with them. Consider yourself lucky they didn't go ape-shit.

Give them a nice minimal account that doesn't have access to anything. That way you can show that your shit is tight. If they start demanding more then start playing hardball.

HIPAA? (1)

MisterFuRR (311169) | more than 3 years ago | (#35856382)

Bringing in your own resources from home - while a novel idea, creates alot of headaches. From the Accounting department on down to the IT dept. What is your dept going to do if you leave? What is the refresh cycle on your little "server"? What happens when the PS dies and the box goes down? Who is going to back it up, and rotate the tapes? Who is the security point of contact for HIPAA? Is it within HIPAA scope? Sometimes, especially in the world of retarded litigation -- it is best to ask questions before apologizing...

They probably need to verify HIPAA compliance (1)

orionpi (318587) | more than 3 years ago | (#35856384)

Given HIPAA standards I'm suprised they are just asking for a user account. An unknown public server at a medical facility is a definite risk, and IT is probably very aware of HIPAA standards. Then again, they probably don't think twice when installing the latest version of whatever commercial software they use that makes outgoing TCP connections from "license compliance".

RTFP (Read the Foolish Policies) (5, Interesting)

cbelt3 (741637) | more than 3 years ago | (#35856386)

What you've done would cause any professional IT group to get out the hot tar, feathers, and rail. Or at least come into your office and ask you politely to remove the damn server from their facility. And never do this again. You must have missed all the security briefings, the issues with HIPPA, and whatnot when you were looking at systems. What you've done is to create a 'rogue system'.

Imagine one of your kids sets up a server in your house. You don't understand it, you don't know if it's happily sniffing network traffic to steal passwords so pizza can be ordered using your credit cards, serving up pr0n, or just running minecraft. Would you willy nilly allow the kids to open a port on your firewall without the ability to audit what they're doing ?

Of course not.

Personally I'm amazed that they only asked for an account on your little server. I would have gone over and watched while you removed it from the facility and put in in your car.

Have you read your acceptable use policy? (2)

ekimminau (775300) | more than 3 years ago | (#35856388)

Does it sit on an IT managed network? Connected to IT managed switches? Does it use IT managed/owned internet access? Did you get approval from IT to connect a server to their managed network and deploy an unapproved service from them before plugging it into the IT managed network?

Im willing to bet the answer to all of the above is "no". You should be prepared for the WWE type smackdown. You should also re-read the Acceptable use policy for your enterprise/organization and you should very politely offer them watever access they desire to allow your unauthorized service on their managed network.

My ,02.

Yes (1)

Leebert (1694) | more than 3 years ago | (#35856396)

Several issues here.

1.) You're storing organizational data on a non-organizationally owned IT device. For that reason alone, they should say "no". (What guarantee do they have that you won't take your machine with you when you quit/get fired, and the data with it?)
2.) Your machine is on their network. They are responsible for what happens on that machine. Your machine could potentially be used to escalate placement of an attacker to the rest of their network.
3.) Even if you leave your machine after you quit/get fired, do you really believe that someone left behind will know how to maintain a BSD machine running OpenLDAP? Or that they NEED to maintain the machine?

Be GLAD they aren't asking for the root password. It's their network, it's their neck, and it's fair for them to have access to check up on you every now and then.

(I'd concede some of the above points if your job role was explicitly systems administration, but it doesn't seem to be the case in your description.)

leave them out (0)

Anonymous Coward | more than 3 years ago | (#35856398)

no they will try and dominate it you'r better off running it on your own

maybe (1)

phantomfive (622387) | more than 3 years ago | (#35856400)

It's pretty dicey to say it's not owned by them. While technically it might belong to you, and you might be able to prove it after an expensive lawsuit, in general it's not a good idea to mix your own stuff with company's stuff. If you bought it for use by the company, being possessive of it will not help you much.

Do you trust your IT group? Did you ask them why they want a login on your box? Do you have any reason not to trust them? Because they do have a reason to not trust you, and that is, lots of employees do weird random things. It makes sense that they want to be able to check stuff out on the box. If it doesn't hurt you, then there's no reason to not allow it. BSD was designed with multi-user security in mind, after all.

There is a bigger problem (3, Insightful)

GlennC (96879) | more than 3 years ago | (#35856402)

If you are able to put a server on the hospital's network and have it working without IT approval (apparently), then I'd say the hospital has a bigger problem.

Never mind the fact that IT is unable or unwilling to support the tools that you and your team need to do their jobs.

Scrubs? (0)

UninformedCoward (1738488) | more than 3 years ago | (#35856404)

Wait! jddorian?! Like JD, John Dorian, from the show Scrubs? I love that show!

What were you thinking? (1)

CarsonChittom (2025388) | more than 3 years ago | (#35856408)

Here's a better question: why are you bypassing the IT department for your IT needs? You say that "The Hospital IT department doesn't offer any iPhone compatible calendar tool," but you don't say anything about, y'know, going through proper channels to address your needs. What happens when you get tired of troubleshooting Dr. Monkeyface's problems getting his iPhone to sync? What happens when the hard drive on your personally-purchased server dies from lupus? This is a thoroughly bad idea.

Go through IT. It might take longer, but when it breaks, there are people whose actual job it is to fix it.

First Psot!1 (0)

Anonymous Coward | more than 3 years ago | (#35856416)

Haha!

Easy solution (0)

Anonymous Coward | more than 3 years ago | (#35856418)

I've been in this situation multiple times before, and it's quite simple: What constitutes a greater portion of the infrastructure? Your server, or their equipment? If you're not the majority owner, you don't get to make the decisions. If they don't get root, you don't get your server.

Surprised (0)

Anonymous Coward | more than 3 years ago | (#35856422)

I'm surprised they aren't demanding that they have admin access. Having one-off servers that are not standardized to the rest of the infrastructure can cause real headaches. What happens if you leave, and someone else in your department must manage the server? Even if it the setup is documented that doesn't mean your replacement would be sufficiently savvy enough to perform upgrades or customizations. I would hand the design over to them and make them manage it. This way you can concentrate your time on other things.

Give in (subversively) (1)

haemish (28576) | more than 3 years ago | (#35856426)

It's a game. Get over it. Give him an account that has zero privileges. And set it up to log whatever he does. 99% chance that he only logs in once and does nothing more than peer around for a minute. 1% chance of interesting :-)

A better question (1)

OverlordQ (264228) | more than 3 years ago | (#35856428)

is if IT should even allow it on the network.

Yes (0)

Anonymous Coward | more than 3 years ago | (#35856432)

The server is on their network, so of course they may want access to it. Even if it's not managed or owned by them it uses their resources. Otherwise they have full right to ask you to disconnect it and unplug it.

HIPAA? (0)

Anonymous Coward | more than 3 years ago | (#35856436)

If you are in the US then what you have there is a HIPAA violation. You could be fired, fined and have other nasty things happen to you in addition to that.

Bad Romance (1)

aquabats (1985346) | more than 3 years ago | (#35856448)

Why would they even let it int the firewall? I suggest having your employer repay you for your mini server and then letting IT go to town. Its a huge issue if its your property in their network/firewall. Speaking from an Auditors POV its a huge no no. Make them buy there own and junk it up as they may.

Hospital Patient Security (0)

Anonymous Coward | more than 3 years ago | (#35856450)

I think you need to consider what data might pass over this server and consider that it's not company owned. There are so many laws right off the bat that you broke in sticking rogue hardware in with accordance to laws such as HIPPA... My thought, remove the hardware and beg for your job... and don't allow such things to happen again. Oh, take an IT security class centered around computer ethics and hospital background.

It's not your server (1)

SydShamino (547793) | more than 3 years ago | (#35856452)

It doesn't matter that you bought the server with your own cash. It's located at your business and being used for a business purpose. It's a business server. Having you A) claim ownership of the machine and B) resist anyone else having access of any sort should make your business very, very nervous about you.

What would you try to do if you quit or were fired? Would you pull the plug and take it home? Would you donate it to them at that time, making sure to give IT the password? What if you are hit by a truck (and your colleagues can't save you)?

You need to do two things:
1) Start talking to IT. It's great that they will let you manage the server and even maintain exclusive root access, but you should develop a transition plan (either to move the service to an existing IT server, or to transition maintenance of your machine to IT in the event you leave).
2) Put in an expense report and be paid for the hardware you bought. That way the ownership of the physical hardware will be clearly established (as theirs) and you won't be sued or arrested when you try to walk out the door with it later.

Yes, it's just scheduling software (for now), but seriously, if you proceed down the path you've chosen, all I see in your future is Terry Childs.

if the roles were reversed.... (1)

barchibald (207846) | more than 3 years ago | (#35856454)

would you let a device that you couldn't administer onto a network you were responsible for?

Probably not. Its a reasonable request. Maybe you can trade with said IT guy and see if he's designed any surgical devices he'd like to see get some action :)

Give up the password (0)

Anonymous Coward | more than 3 years ago | (#35856456)

It is on the hospital network and the IT department is responsible for everything on that network. The act of you placing your own machine on that network makes them responsible for it. The fact that they didn't immediately shut it down when they found out about it shows that they may be a lot easier to work with than you might think. It could also show that they are not very good at what they do. Either way, they have every right to demand the password or cut you off from the network. It's not your job on the line if something happens regarding the machine, but theirs.

HIPAA (1)

Wyatt Earp (1029) | more than 3 years ago | (#35856458)

For people saying no, under the HIPAA, the IT department has to have access and make sure it's secure if it connects to their network.

Ummmm .... (1)

gstoddart (321705) | more than 3 years ago | (#35856464)

I emailed IT to ask to allow port 8443 through the hospital firewall to this server. The tech (after asking what port 8443 was for), said he would unblock the port after I provide him with a login account on the machine (though 'I don't need root access'). I was taken aback, and after considering it, I am still leaning toward opposing this request, possibly taking this up the chain.

This sounds stupid ... you understand you need to ask IT for permissions to open up a port, but you don't want to allow them access to your machine. Well, why should they allow you access to their network? The poster doesn't elaborate on why he feels IT shouldn't be able to access the machine -- especially since they accept they don't need root.

If you don't trust them with access to the information, you already have bigger problems in that your IT department can probably access all sorts of private information.

Just because you're head of a clinical division, why do you have any expectation of being able to put un-verified machines onto the hospital network? IT has a responsibility to the hospital as a whole, and not just your department. Certainly not if you're talking about punching holes through the firewall.

At a very minimum, they need to be sure that you're not opening up some great big hole in the overall security. Why should you be allowed to connect a machine to their network without some involvement from them?

People going around insisting on installing machines without oversight and adhering to the rules are generally people you need to be very leery of in any organization -- because they insist the rules don't apply to them, and they try very hard to circumvent policies which are in place for a damned good reason.

I see your choices as waiting until they provide you with a solution, or working with them to allow you to install your own solution. Insisting they open up the firewall and then insist they shouldn't be able to access the machine ... well, that's just rather short sighted.

Matter of responsibility (1)

technoviper (595945) | more than 3 years ago | (#35856466)

As an IT manager myself, I'd have to say this is a very reasonable request. Firstly most places wouldnt allow you to run your own server on the network, so I'd say your IT team is being quite generous. The responsibility for the network and its security is the IT departments, should a hacker break in and steal personal records who would be blamed ? In an environment like a hospital which is subject to numerous government IT regulations (at least in the UK and US) having a non secure system is a massive liability, it would immediately cause an audit to fail.

Yes. Here's why. (2)

wcrowe (94389) | more than 3 years ago | (#35856474)

..."Should I give IT a login account on a server that is not owned or managed by them?"...

You mean not owned and managed by them right now. However, someday down the road, when you are gone, IT will have to manage the damn thing. The company I work for made a mistake many years ago by allowing every user to have Microsoft Access installed on their machines. A lot of power users went wild creating Access databases for their own purposes. Naturally, over time, two things happened: 1) The databases grew in size and complexity. 2) The company began to depend on them and link the information in them to each other. Very quickly, all these databases became IT's responsibility to manage, especially when the pinheads who designed them got promoted to their particular level of incompetence, or left the company. It has been very tedious getting the data away from these god-awful Access databases, and re-designed and normalized into proper SQL Server or DB2 databases.

Yes, IT should have access to your server. They'll have to manage it eventually anyway.

Potential issues (0)

Anonymous Coward | more than 3 years ago | (#35856482)

Is the IT department liable for any patient information that may be sent out to the Iphones? Possibly John Doe has a surgery scheduled on tuesday...

That is what scares the hell out of most hospital IT staff (know from being on the IT side)

I say give them access, or better yet, run it up the chain that they get Exchange to support mobile devices ( I believe Iphone supports exchange now...)

and then start the push to get tablets (android or ipad) and run the citrix client on them to connect to the citrix network. You lose the Ipad and no patient info is lost. that is awesome. no real security problem from lost devices.

You're breaking HIPAA! (0)

Anonymous Coward | more than 3 years ago | (#35856488)

IT needs access to the server to keep control of their network. This is not a matter of them being BOFH and trying to get access to your server, it's a mandatory requirement for them to be somewhat HIPAA compliant (true HIPAA compliance would require them to install the server in the first place and manage it).

They're trying to avoid getting fired, not to annoy you. Check out http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act

Well, speaking as someone who works for IT (1)

Sycraft-fu (314770) | more than 3 years ago | (#35856490)

We find that, by far, the most problems come from systems not managed by US. I don't mean problems of a trivial nature, I mean shit getting virused or hacked. Most non-sysadmin types are not as good at administering systems as they think they are. Now I don't blame them, not only is it complex but they have other things on their plate, but it does happen.

That your IT department it willing to entertain your request tells me they are probably a reasonably good IT department, the kind that works with users to provide what they need not the No you can't have it," kind. In that case, you probably should give them want they want because they are looking to protect you from yourselves.

I know that you probably view yourself as really smart, and indeed you may be really smart, however you may well not be as good at this sort of thing as you think. Also even if you are, you may not give it the attention it needs. You set it up and then turn your attention back to your regular job duties, letting it languish.

Also you might want to work with IT lest you find that they simply say "no". In some environments, that is an option. They can just flat out deny your request to run your own stuff and that is that. If you work with them, maybe they work with you. If you don't maybe they use the nuclear option and just say "You can't have it, sorry."

Central management is coming (1)

Fractal Dice (696349) | more than 3 years ago | (#35856498)

This is the polite first step in absorbing a server into central management. First IT gets an unprivilaged account, then they will ask to have a standard scanning tool be installed that requires root access, then a recommendation to move all priviliaged users to sudo root access and allow IT to do some basic tasks for you, then some process will be added to notify IT when you are making changes to the server and then slowly your authority and access to change your server will be diminished until you are a regular user of an IT server.

I'm not judging centralized IT vs local responsibility, just saying that these are the signposts to watch for as it happens.

Provide Root, or get stuffer (1)

topham (32406) | more than 3 years ago | (#35856500)

If it were my network you would either provide IT with root access, or it would be physically removed from the network permanently.
If you were to do such again and firing you was not an option I would revoke your access to all network resources.

Rogue users in a hospital environment (where privacy regulations have teeth) are not to be tolerated.

If I were IT... (0)

Anonymous Coward | more than 3 years ago | (#35856510)

I'd be reporting you "up the chain" for deploying a server on the hospital network without telling IT about it.

Is this a fake question? Give him a login and be glad you're not being sacked.

Why not use a free service? (0)

Anonymous Coward | more than 3 years ago | (#35856512)

Why host it yourself? Just use a free service, such as this [google.com] ?

I don't don't know about other IT departments, but (1)

polaris20 (893532) | more than 3 years ago | (#35856516)

My current IT department, in addition to every IT department I've worked with in the last ten years, would be pretty damn pissed that you took it upon yourself to set up your own server and stick it on a network we're responsible for, to the point of our jobs being on the line. So yeah, give them the password. Then explain to the accounting department and purchasing department why you didn't go through the proper channels there, either.

I think IT shouldn't open the port on the firewall (0)

Anonymous Coward | more than 3 years ago | (#35856520)

If a machine is on the hospital's network, it should be managed by them. Who's going to audit it for HIPPA Compliance? I'm surprised they even said yes (especially with the non-root account qualifier.)

You're asking for trouble. If the machine is hacked, and your patients information gets exposed, then who's responsible? You? The hospital? And then if that machine is used as a staging area for the rest of the hospital, forget about it.

It's just a really bad idea, overall.

Your IT department is hired to do a job (0)

Anonymous Coward | more than 3 years ago | (#35856522)

It sounds like one or both of the following are true:

1) Your IT department is not doing their job.
2) You are way out of line with what you are trying to do.

In reality, if you wanted a collaborative calendar, even though you may be technically capable of setting one up yourself, the appropriate course of action would be to submit a request to your IT department, and assuming your request was approved by management the IT department should set something up for you. Your IT folks are paid to do a job. Would you want IT to spec and purchase a centrifuge for you to do blood work? No, you wouldn't.

If one of the users where I work brought in their own tiny server and tried to hook it up to our network, there would be hell to pay to our CIO. In the end, we would set up what they needed, but users bringing their own home-brew IT solution into work is totally unacceptable.

In a word... (1)

s0litaire (1205168) | more than 3 years ago | (#35856526)

"YES" give them limited access. (you can always remove the account after they have done the scan)

Otherwise you're opening yourself to a multimillion $ law suit if there is ANY breach of the system due to your server being on the network.

If you let them check it over then subsequently there's a breach, then it's the hospitals problem.

Absolutely (1)

pavon (30274) | more than 3 years ago | (#35856528)

Look, you just introduced a foreign object onto their network and on top of that want an exception to the firewall. While you may be competent enough to run that server, how do they know that, and why should they take your word for it? You could be introducing a serious security breach in their systems, you could be violating HIPAA regulations that you don't even know about. Think of the other computer lackeys that you have worked with over the years and whether you would blindly trust them? You can't completely verify the security of a system by external scans, let alone compliance with any auditing requirements or other regulations.

Keeping the hospital network secure is IT's responsibility, and the least you can do is let them look at how you have configured your machine. Besides if you have permissions setup correctly then there should be no harm giving them non-privileged login account anyway, right? Stop being so damn possessive about something that isn't even in your legitimate realm of authority.

Definately (0)

Anonymous Coward | more than 3 years ago | (#35856532)

Definately, I manage an airlines infrastructure and anything plugged in I should havs access. Computers and devices not controlled by the responsible IT is a violation of our network security... I would go further and have it shutdown untill it was "approved".... These things are a great way to encourage Trojans and malware

Better question (0)

Anonymous Coward | more than 3 years ago | (#35856544)

In any sane working environment IT would simply take away your server and your boss would be asking why you were no longer happy working here. Since this hasn't happened I think you should thank your local IT guy and give them whatever the heck they want. They're treating you better than you deserve.

Should I? (0)

Anonymous Coward | more than 3 years ago | (#35856546)

You're call. Their call whether you get your firewall hole.

Take it up the chain. Great way to get the whole thing framed as a 'rogue system' running on personal assets. If the IT staff takes enough offense at your belligerence they'll frame it as a HIPAA compliance problem and shut you down.

We're talking about a calendar tool here; why should such a system need to be isolated from IT? Not demanding root seems particularly reasonable.

Depends on your institution's P&P (1)

sstamps (39313) | more than 3 years ago | (#35856552)

(Policies and Procedures)

If your institution has them, you probably should get to know them before plunking down your hard earned money. I worked for a large company years ago where that kind of behavior got people fired, including some corporate execs who insisted on doing the very thing you are doing.

Chances are, if the IT department has any mandate from higher-ups to protect the network there, you're going to have to jump through whatever hoops they require. In that case, just be glad that they're allowing you to use something you bought with your own money rather than telling you to use it as an expensive doorstop. If they screw it up, then go have a long chat with the head of IT and whoever gives them their clout, financially and otherwise.

My 2 cents (0)

Anonymous Coward | more than 3 years ago | (#35856562)

Give him the username / password and give him root access..
If the server gets compromised and it brings down the whole network.. It's going to be his job on the line, not yours.. They're going to go after him for opening up the port and they're going to go after him for allowing rogue hardware on the network that he doesn't have access to or can control..

He's in IT, let him do his job.. Give him the username/password or get that server off his network immediately..

Your box / Their Network (1)

kenholm3 (1400969) | more than 3 years ago | (#35856568)

In reading over this, it seems harsh. It is not my intent to be harsh. I get to deal with this type of interaction fairly regularly where I work. I think it is an opportunity to talk openly about some of the struggles IT has with providing responsive, responsible support to our customers.

A couple of observations:

* You're right: The server is not owned or managed by them
* You bought something and put it in place without explicitly consulting IT
* The box is going to travel on a network that ~is~ owned by IT
* There are lots of other nodes on that network that may be affected by yours
* You're asking IT to support something they were unable to plan for

You're not an ordinary Joe if you're installing/connecting all those pieces of the puzzle. However, it's a bit presumptuous to think IT needs to conform to your personal requests without prior knowledge of your intent. As for running it up the chain, you may tread lightly. My current CIO would smack the request down pretty quickly and would probably demand that you remove your unauthorized IT device from ~his~ network.

Looking forward to reading some of the other responses.

Dammit, jddorian... (1)

errxn (108621) | more than 3 years ago | (#35856570)

...You're a doctor, not a network engineer.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?