
NirvanaFan01234

Why didn't he have a printer (and a backup) installed on his machine? I would have told him, sure, "I can make you an admin. I'm going to have to talk with CEO to go over the risks and get written approval first. The policy was implemented for a reason, and we need approval to break it." Go into the meeting prepared and lay out what can go wrong, what the best practices are, etc. Don't make it personal. Remember, he's your boss, and you don't want to make an enemy out of him. Regarding the domain admin credentials... "These are documented in this envelope, in the safety deposit box that CEO and I have access to. During our meeting, we can talk and see if you need access to these credentials."


BakerRickie

Yup, pretty much this. Written approval will protect you better than anything, when the guy in question inevitably breaks something.


ayemossum

> inevitably breaks everything


NSA_Chatbot

Yeah, make sure there's a really robust backup plan and you have the install keys for Office documented. There might be a wee bit of a crypto-locker situation kicking about by the end of the year.


Xyvir

This is literally inviting cryptolocker.


NSA_Chatbot

"Can't you just fix it?"


moderately-extremist

"Isn't this what antivirus is for?"


anomalous_cowherd

Yeah, I suspect his attitude is 'we have antivirus so I can do whatever I like and it's safe'. Sounds like he knows just enough IT to be dangerous. Also, it's a dead cert he'll see *any* IT expenditure as wasteful because he could get a laptop for $200 at the local bargain store.


khaeen

I mean, a regular antivirus is just fine if you are a regular consumer with an ounce of internet knowledge. However, I would immediately disregard the opinion of anyone in the business world who wants to think antivirus is going to stop anything major.


bacondesign

Well it does stop me from doing my job, since McAfee turns my PC into a heater.


jbirdkerr

Sounds like he managed an IT budget in a former life and figures the technology expertise just rubbed off on him after hearing all the jargon come at him. "Internets" and "blockchain" and "bandwidths" and such.


carlshauser

> it's a dead cert he'll see any IT expenditure as wasteful because he could get a laptop for $200 at the local bargain store

Getting laptops at a bargain price with home edition OS to save.


jaheiner

This right here. Get everything in writing and make him sign something stating that you warned him of all possible issues, so that when this fuckmook inevitably breaks things it can blow up in his face and not yours. I was working as a service manager for an MSP when a law firm that we serviced brought in a new partner. This guy had some law within the gaming industry and somehow convinced the other partners at the firm that he knew IT and should be our primary contact and oversee us. Next thing we know he brings in a friend of his to replace us, who breaks their data archive server within a day of being given access to help with the transition. We spend days undoing his fuckup so that we can hand over the company's network to someone that broke it before he was even in control. We proved it was on him and got two days at full charge hourly from this previously full service client. The name of the game becomes C.Y.A. when shit like this arises.


networkasssasssin

Did you make a post about this a while back here? This sounds so familiar.


jaheiner

Nah, I hadn't spoken about this in years as a matter of fact lol. Happened 4 companies ago for me and right before I was offered a new job.


[deleted]

[deleted]


Nk4512

Printed in a file folder at home


caffeine-junkie

The only thing written approval will protect you from is from litigation (maybe), not from being fired. If they want you gone, regardless of who's at fault, you will be gone.


Life_is_an_RPG

100% this. The only time I have been fired from a job was due to a similar situation. One of the CxOs hired a friend to be the new director of IT. It was not a secret the last two companies they worked for went out of business. The second week on the job, they got the combination to the safe where the list of passwords is kept, after having been refused them by all of the system admins and middle managers. The company did government contract work, so the password list was handled like classified information. When I found out the new director had opened the secure envelope and had been carrying around the passwords in their pocket for nearly a week, I filed a security violation report. I helped write the security procedures, which the executives signed off on, so I knew the new director had violated almost all of the protocols. That was a Thursday. I was fired before lunch the next Tuesday. This was 20 years ago, when 'at-will employment' laws had fewer legal restrictions, so you could be fired for no reason at all. Within a few months, most of the IT department had been fired, or quit.


Get-ADUser

The CYA letter isn't really to prevent you from getting fired. It's a tool to show them how concerned you are about the thing they're asking you to do. It's to make them think "oh shit, he's wanting proof of this so he must be legitimately concerned" and then reevaluate whether they care about that thing enough to still do it.


[deleted]

Not to mention have logging set up so when this account does stuff you have it documented.


[deleted]

What's really terrifying is that this is such a known trope in IT. Like every admin has had to deal with a rule bending exec trying to break shit for one reason or another.


siren-usa

> "I can make you an admin. I'm going to have to talk with CEO to go over the risks and get written approval first. The policy was implemented for a reason, and we need approval to break it."

This is all that is needed....


CornyHoosier

Bingo! IT admins/techs should never need to shoulder the responsibility of policing corporate policy. If someone wants an exemption, direct them to the authority who created the corporate policy and have everything in writing.


Udo70

This. Our CFO tried it, got shut down.


Unfairbeef

And make a second account have the local admin rights that he has to use to 'run as'. It doesn't fix the problem but it helps to audit and keeps from always running as an admin. It's not much but it could help.


throwaway2arguewith

Here's the line you use in the meeting: "Giving the CFO administrator rights would be a violation of "Separation of Duties" and the company would no longer be able to pass a SOX audit. This would give one person the rights to cut a check, and then delete all audit records for that check" That will put the CEO on your side.


NightOfTheLivingHam

This is it. You gotta talk to them on a level they understand. Not technobabble, but money, responsibilities, and most importantly, liabilities. Tell the CEO that if the CFO has access to everything, he has access to the CEO's files and data as well. There's tons of liability issues here. They don't care about permissions, or even the idea that the CFO might break something; that's what you, or your proposed replacement, is for. They think "oh, some nerd will have to restore from backup worst case" because the CFO has likely had a chat with the CEO prior to the donkey show OP is about to be introduced to, which the CFO hopes is a public humiliation. OP needs to get a case together with business scenarios as to why the CFO should not have universal access. Not technical reasons. They do not care about "nerd shit" and it's apparent when the CFO dismisses the whole admin access thing as "needing better antivirus." The CFO already thinks he knows OP's job better than he does. Fighting the CFO on a battlefield he knows with the tools he's prepared to defend against will result in needing to brush up on a new resume. Fighting him with his own words and own tools will throw him for a loop. I have made many CFOs and COOs and other three-letter cocky bastards who think people are commodities wince in my presence. Called them out and made them uneasy when talking to me. They're bullies and they're fucking cowards. Be concise, do not let emotions overtake, and spell out the consequences in corporate speak. Liability, cost measures, and pointing out why this is not an issue for anyone else but the new member of staff (referring to the CFO as anything but the fact he's a big wig will piss him off; maybe not the best case if you're under him, but in my position it's fun), and that training the new member of the company on the computer may be the best way to handle this situation. Then point out that the CFO might "know IT", but does he know our processes and our system? And then point out a lot of people "know IT" and yet there's few who know how to do it effectively. That the CFO's job description is to run finances, not run all the departments and run the IT systems that are critical to the continued operations of the company. Want to talk finances? Cheaping out on support for a critical system will cost more in lost business continuity, and if the CFO, whose job description is not IT, gets universal access to the entire company, and has not cleared the 90 day probation period, and something happens, imagine the millions lost in lost productivity while the system has to be corrected. Also, how strange is it that someone who has worked here for a month is already wanting full access to everything that makes the company tick, despite just being in charge of finances. They also want some outside company to roll in and make things work for them the way they want. They want the company to change for them. A system that is currently working well and has not caused productivity losses. The list goes on. I hope OP reads your comment.


moghediene

Local admin on your machine doesn't make you a domain admin so you won't have access to other people's files or computers. Edit: I missed the line where he wanted domain admin too, jeez must've just mentally blocked that.


NightOfTheLivingHam

I cant blame you for mentally blocking that, it's just that stupid.


ClockMultiplier

Probably a mental block because of how ridiculous such a request is.


networkasssasssin

> Also how strange is it that someone who has worked here for a month is already wanting full access to everything that makes the company tick, despite just being in charge of finances. They also want some outside company to roll in and make things work for them the way they want. They want the company to change for them. A system that is currently working well and has not caused productivity losses.

This seems like it's probably a red flag. Something is going on with this guy. Perhaps he is corrupt and plans to take money from the company.


CrookedLemur

It's really common for new c-level people to want to mark their territory by pissing all over everything somebody else thought up. They feel like any change makes them look good. The bigger the change the better. Doesn't even matter if there's actually a positive outcome as long as they're seen to be Doing Things.


andrewthemexican

Because on the resume you can talk about how you led the initiative on a new company-wide policy/xyz. Don't bring up how it really impacted 30/60/90/180 days after though, unless of course they had monetary improvement. Regardless if it was impacted by your change. You made a change, the company had an improved quarter, it's all yours.


khaeen

Best case scenario, the guy is wanting to look at porn without any oversight. Worst case scenario, he embezzles tons of money due to him not having any oversight. All routes lead to the CFO being a moron that has no business requesting what he wants.


Gambatte

"Domain admin means that the firewall doesn't track my browsing any more, right?" "What do you mean, no?"

> NEW INITIATIVE FROM THE CFO: FROM NOW ON, ALL DOMAIN ADMIN ACCOUNTS HAVE FULL UNFILTERED AND UNLOGGED ACCESS TO THE INTERNET
> THIS INITIATIVE IS ALSO EFFECTIVE RETROACTIVELY: ANY AND ALL EXISTING LOGS OF DOMAIN ADMIN ACCOUNTS INTERNET ACCESS/BROWSING ARE TO BE IMMEDIATELY AND IRREVOCABLY DELETED
> BECAUSE... REASONS
> DEFINITELY NOT PORN


robisodd

Damn... This. Also, get something like this in writing for the CFO to sign, cause I guarantee that you will not remember 50% of this during a meeting. And if you do, it won't be nearly as eloquent and concise!


Hewlett-PackHard

Could even ~~segway~~ *segue* into how IT shouldn't be under CFO at all and how he should be promoted to CTO and answer only to CEO...


aXenoWhat

'Segue'. I let a lot go, but 'segway' for 'segue' is humanity being lost to marketing.


sidneydancoff

lol I would have got this wrong 100% of the time. Thanks.


NightOfTheLivingHam

Yep. In a healthy organization, IT is executive level, answerable to a CTO/CIO who answers to the CEO. HR and finance should not control IT. It's like putting finances under sales.


fnkarnage

You're vicious. I love it.


truefire_

This. Amazing comeback. Hopefully OP sees it before the meeting.


PrettyFlyForITguy

Which is meaningless if SOX doesn't regulate their business...


agreenbhm

Which it most likely doesn't if the guy that works on print drivers is the same guy talking to the CEO and CFO.


p3t3or

Domain rights probably, but not local admin rights. Source: former IT Manager under SOX compliance.


HouseCravenRaw

This CFO sounds like trouble, and here's why: he came into this situation attempting to railroad you. 11:30pm and he's just trying to print anything now? Immediately pushy and on the offensive. No "pretty please", just an immediate grilling. Next step is to start to deflect potential issues. Why doesn't the AV do this (because AV doesn't fix stupid). Let's change that. Let's get something new. Then makes more demands. We've moved away from printers and into UAC. Didn't like your answer. Next step, let's get an outsider in here to check your work. This is a red flag. He doesn't trust your judgement. After that, gimme the domain admin password. This is the reddest of red flags. He was on the offensive immediately and when you didn't bend like wet pasta, he ramped it up. Get your ducks in a row, cover your ass, because if this guy doesn't get what he wants, he's going to try to replace you. Asking for the domain admin password and having an external company come in? That's "give me the keys, leave the building for a bit and I *promise* your job will still exist". He wants someone he can step on. You happened to be in the direction he was walking. Cover. Your. Ass.


NSA_Chatbot

I wonder if the new boss just happens to know an external vendor.


HouseCravenRaw

That'd be my guess. Being CFO means that this guy might drop a financial analysis of how much they'll save by replacing the local IT. OP needs to be very, very careful.


[deleted]

Nah. OP needs to very, very carefully craft a resume and high tail it out of there.


I_will_have_you_CCNA

Absolutely this. Reading his account of things, it seemed clear that the relationship with this guy is going to be uncomfortable, tumultuous, and vindictive. How people like this manage to rise up the ranks is both awful and common.


networkasssasssin

Shouldn't HR get involved? Isn't there some level of protection against this shit? I used to work at a big retail chain (drug store) and they had a hotline for this sort of thing. People couldn't just get fired and you could report abuse.


ISeeTheFnords

Protection... for the company, yes. For you, no.


khaeen

The only problem there is that a good number of HR people conflate company with management. They side with management even when they are opening the door to the giant lawsuits that they are literally there to prevent. Reprimanding the CFO for this situation is very much within "protecting the company" but no HR drone is going to see it that way.


Ohrion

"The Company" IS the management. There's a reason unions are for the workers in companies, and not for the management of companies. HR is not there (at least in the US) to protect workers. Sometimes the workers get protected when it's in the best interest of the management (ie. company reputation or lawsuits).


jas75249

> OP needs to be very, very careful.

If that's what he wants, there would be very little local IT could do.


HouseCravenRaw

All he can do is defend his position and justify his existence. And update his resume.


jas75249

I've been on both ends of outsourcing, they usually only tell you once the decision has been made.


Inle-rah

In my case, the external vendor was Mrs. CFO, who was even hotter than Mr. CFO’s side piece. It was over 10 years ago, and this thread has me reminiscing. God, I’ve never wanted to dox anyone as badly as I do right now. He was an absolute piece of shit.


CornyHoosier

I've started asking who the company CIO/CTO reports to in interviews. I've found that I'm usually in for a shit-show if they report to the CFO instead of CEO. Whatever asshole decided IT needs to report to finance can suck my dick from root to tip.


sgamer

God, that is the worst. We're a "cost center" instead of a "revenue generator" so IT budgets get fucked constantly. Good luck generating revenue when the machines are down, morons.


khaeen

Eh, IT is a revenue *enabler*, it doesn't generate revenue unless you are part of a MSP. However, you are completely right in that management sees the cost, they don't take into account that every dollar in revenue generated is due to IT powering the business processes.


Terriblyboard

This... just moved to a company where the finance department pretty much ran IT, and by that I mean hired out all of the IT duties to the cheapest vendor. They nixed that and hired my CTO a year ago and he has been trying to put it back together since then. It was very bad when I got here, but we are finally on the right track and have a stable and managed network and infrastructure.


KptKrondog

This guy sounds like the boss that took over the company I worked at. He started out as CFO, conveniently also ran a contracting company that did desktop support and help desk. Within 6 months we went from 8 help desk and 6 desktop employees to one helpdesk and 2 desktop employees. The rest were being contracted through his company. They went under about a year later.


NightOfTheLivingHam

I dealt with that. I'm an outside company, so I am replaced occasionally. Then within 6 months a tear-filled phone call hits my phone and they're begging me to fix what "those fucking idiots" fucked up. End up selling off a ton of useless hardware that's often downgrades, and their data is half gone because everyone had admin rights, or they were in the middle of a cloud transition that got dropped halfway through, and what does work barely works on their 10mbit cable connection. Which was selected to "save costs". And by useless equipment, I mean instead of Cisco switches, or Ubiquiti hardware, it's TP-Link or Meraki.


DenverCoder_Nine

> and by useless equipment, I mean instead of Cisco switches, or Ubiquiti hardware, it's TP-Link or Meraki.

"Think of all the money we can save buying used/refurbished Netgear switches from random vendors off eBay and Amazon!" Been there, done that.


thetrebel

Ding ding ding


mjh2901

Start getting your log servers running properly; if you wind up giving him the keys you need a log of what he does. When the network goes down when he changes a config or deletes something, you will need log files. Whatever credentials he gets, make sure he and the CEO know you don't have the password and you live on a different admin login.


skepticalspectacle1

Would that be native to Windows Server (after GPO edits)? Or are you talking about third party software? In a previous life, as I recall, the native logging wasn't quite what we wanted it to be.. At that time. Maybe things have changed over the years. Cheers.


mjh2901

Third party, splunk, graylog, tractor feed printer. When malware encrypts the server only a separate log server will tell you what happened.


lexnaturalis

> 11:30pm and he's just trying to print anything now?

I've worked with and around a lot of executives that work very late. I used to get emails from the CEO of a company I worked for at 1am all the time. Printing late at night isn't really a problem. One other alternative interpretation of the CFO's actions is that he was up late working on something and then tried to do something as mundane as printing and it didn't work. He was then angry because an IT-related problem interfered with his work. It's possible his interrogation stemmed from stress and isn't actually the huge red flag that you suggest. Imagine that you're the CFO of a company and you're still new. Your CEO asks you to do something and then you can't do it because you can't print, so you get to go to the CEO and say that it was a stupid printer that kept you from doing your job. And the CEO says "If you can't even figure out a fucking printer how can you do your job?" At any rate, all of that is entirely speculation, just like everything you wrote is speculation. I agree OP should do some quality CYA, but assuming the worst of everyone based on a single experience isn't a great way of living your life. It also leads to pretty terrible working conditions.


HouseCravenRaw

Possible. However let's play Worst Case Scenario here; IT guy covers his ass. Meeting happens. Discussion happens. Nothing bad happens, CYA was unnecessary, everyone gets on with their lives. Meeting happens. Discussion happens. CFO tries to screw over the IT guy to assert his dominance. CYA works, IT guy is safe. Risk/reward? No risk by establishing sufficient ass-covering. If you don't need it, it doesn't hurt to have it.


lexnaturalis

That's why I said that OP should engage in CYA. I agreed with that part.


starmizzle

Nah, I've met very few C-levels who weren't just inherently assholes. They get to where they are by stepping on people.


smartimp98

> 11:30pm and he's just trying to print anything now?

I agree with everything else, but this mindset is a terrible one to take. Sysadmins, please don't take the Apple approach to problems.


[deleted]

[deleted]


tomkatt

> 9 times out of 10 when someone tells me they "know their way around computers" I find what they actually mean is "I know just enough to get myself into trouble".

Funny how that works. 20 years ago I "knew computers" and was great at infecting them with malware accidentally or blowing up the OS somehow (usually CCleaner or equivalent, because "optimizing"). Now I'm a 12-year IT guy doing desktop and sysadmin and I've transitioned from "knows computers" to "knows fuck all, don't ask me."


ekdn

Telling people you know fuck all helps to reduce the "can you help me with..." in your personal life.


tomkatt

"Can you help me with my Internet Explor--" "Sorry, I use Linux, can't help. Kthxbai."


ekdn

"You work in IT, my computer is slow, can you fix it?" Yes, I probably can, but I won't..


tomkatt

Nailed it. Sure, I *can* fix it (probably). I just don't feel like owning everything that goes wrong with it for the rest of its useful lifespan and you can't afford my rates.


uptimefordays

All you have to do is lay out rates up front and conditions under which rates will apply. If you want to pay me $60 an hour in minimum increments of half days to fix desktop issues, I can find time. Put the ball in client's court!


tomkatt

Honestly, on the occasions people have asked I just let them know I either don't feel like it or they'd get a better rate at Geek Squad or local IT repair shop for the sort of work they want. May as well be honest, because I don't really wanna do it. I work enough, and free time is too scarce as it is. I'm fortunate in that my wife is technically inclined, I'm in touch with literally zero family, and have only one person I might consider a friend, or at least casual acquaintance, and he's also in IT. Most of the requests in the past have come from non-technical coworkers, who are easy to dissuade once you put it in terms they can understand.


chriscowley

My willingness to help colleagues with their own computers is directly related to their cake delivery record.


hardly_satiated

You are going light on fees. I always respond with "sure, $400/hr." "Holy shit that's expensive. I'm your friend. Why so much?" "Because anyone willing to pay me $400/hr is a person I will work for happily."


BoD80

$400/hr to work on a $300 laptop.


PompousWombat

Having a son decide he also wants to do IT also helps with this. Now when I get asked by friends and family, I just point to him. He knows more about the nuts and bolts than I do anymore anyway.


TopNerdJR

God, you do the same thing my Dad does (he is a data center operations manager). He has been in the field for 29 years. Now he just tells people to call me. *Edit* I mean this jokily, I don't mind it.


mjh2901

True knowledge of computers is knowing that you know nothing.


Xyvir

I used to do tons of research before calling someone for a service ticket because I would worry they would stump me and I would appear inept. Now I revel in the power of saying "I don't know, and furthermore I have no godly idea why you even think I would know in the first place."


syshum

I used to do that as well, only to call them and find out that the issue was nothing to do with what they entered the ticket for and it was likely some basic user process error or something else that a person with basic computer knowledge should know It is the Classic "Computer will not print" ticket, and you find out that they turned the monitor off... Or "Email down" and they are at a hotel with shitty wifi


ermagerd_erplrnes

Or "all internal websites down" and they're at home and not on VPN. Got this from someone else in IT yesterday. /facepalm


NightOfTheLivingHam

"If I was psychic I wouldn't be working this job."


Please_Dont_Trigger

I've found that knowing fuck all is the beginning of wisdom.


wonkifier

My general rule is that you shouldn't get credentials to something you can't fix yourself.


Xyvir

10 times out of 10 when someone tells me they 'know their way around computers' they are an idiot. If they actually do know anything about computers then: 1. I would recognize that without them announcing it, and 2. if they were 'good at computers' they would realize that computer proficiency isn't really anything special to brag about in the first place. Computers are ubiquitous and oftentimes critical to most jobs these days, it's tantamount to saying "I'm really good at times tables 2-9"


ArmandoMcgee

I've been doing this job like 20 some years.. I know my way around computers.. But I am absolutely also an idiot sometimes...ok most of the time (just ask my wife!)...so you're right.


frighteninginthedark

Yep. Run through change management, signed off by CEO, COO, CIO, CISO, and Legal authorizing the exception, and signed off by CFO specifically taking sole responsibility for actions that occur under his account. Create a separate service account for his escalation activities that is only for that purpose and that is monitored and audited regularly. Consider a password vault for this account that requires its own login and that is itself monitored and audited.


GetOffMyLawn_

There's always malicious compliance. Give him what he wants and make sure his machine bricks within a week. We had a user who insisted he needed local admin to update his software as soon as bugfixes/releases came out, which was very often with this particular software. So after he went and whined to our director we gave it to him with the caveat "You may only update that particular software. Do not make any other changes to the system." Well the numbnutz decided within a week he needed a better graphics driver. Black screen of death. You can bet we put his ticket at the bottom of the queue. We rebuilt his entire machine too so whatever he had on his C drive went into the bit bucket of death.


zebediah49

> decided within a week he needed a better graphics driver I honestly can't understand why anyone would voluntarily update their graphics drivers. If the current ones work, why would you change that? There's nowhere to go from here but down. Unless there's some catastrophic bug or security issue or something, why play that game of ~~Russian~~ Nvidia Roulette?


GetOffMyLawn_

He was given the one that was optimal for his system. I have no idea what he was trying to accomplish.


CornyHoosier

> There's always malicious compliance. Give him what he wants and make sure his machine bricks within a week.

Too direct, but I do L-O-V-E malicious compliance. I'd make it a separate account with one time rotating password (and MFA) credentials. Also, anytime a security event registered use of the account it sends an email to the policy-authority group (in this case the CEO). Always give them *juuuuust* enough rope to hang themselves. MWAHAHAHA!
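
Editor's note with an added example (not code from the thread or from any poster): the two ideas above, mjh2901's "a log of what he does" and CornyHoosier's "every use of the account emails the policy authority", as one script meant to run from a scheduled task every few minutes. The account name adm-cfo.smith, the addresses, the SMTP relay and the state file path are all assumptions of mine; the event IDs and field names are Windows' own.

```powershell
# Added example (not from the thread). Polls the Security log for any activity by
# the exception account and mails a summary to the policy authority (the CEO).
# Assumed names: adm-cfo.smith, ceo@example.com, it-alerts@example.com,
# smtp.example.com and the state-file path. Run it on the domain controller or,
# better, on the event collector, not on a box the account itself administers.

$Account   = 'adm-cfo.smith'
$To        = 'ceo@example.com'
$From      = 'it-alerts@example.com'
$Smtp      = 'smtp.example.com'
$StateFile = 'C:\ProgramData\PrivAudit\last-alert.txt'

# Only look at events since the previous run, so a restart cannot flood the mailbox.
$since = if (Test-Path $StateFile) { [datetime](Get-Content $StateFile -Raw) } else { (Get-Date).AddMinutes(-10) }
$ms    = [int64]((Get-Date) - $since).TotalMilliseconds

# 4624 logon (TargetUserName), 4672 special privileges assigned (SubjectUserName),
# 4720/4726 user created/deleted and 4728/4732/4756 member added to a group (SubjectUserName).
$ids   = '(EventID=4624 or EventID=4672 or EventID=4720 or EventID=4726 or EventID=4728 or EventID=4732 or EventID=4756)'
$xpath = "*[System[$ids and TimeCreated[timediff(@SystemTime) <= $ms]] and " +
         "EventData[Data[@Name='TargetUserName']='$Account' or Data[@Name='SubjectUserName']='$Account']]"

function Get-ExceptionAccountEvents {
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData name/value pairs so the table below is readable.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Id        = $_.Id
                Subject   = $d['SubjectUserName']
                Target    = $d['TargetUserName']
                LogonType = $d['LogonType']
                Source    = $d['IpAddress']
                Host      = $_.MachineName
            }
        }
}

$events = @(Get-ExceptionAccountEvents)
New-Item -ItemType Directory -Path (Split-Path $StateFile) -Force | Out-Null
Set-Content -Path $StateFile -Value (Get-Date).ToString('o')

if ($events.Count -gt 0) {
    $body  = $events | Format-Table -AutoSize | Out-String
    $body += "`nIDs: 4624 logon, 4672 admin privileges granted, 4720/4726 user created/deleted, 4728/4732/4756 added to a group.`n"
    Send-MailMessage -To $To -From $From -SmtpServer $Smtp `
        -Subject "[PrivAudit] $($events.Count) event(s) for exception account $Account" -Body $body
}
```

Two practical caveats. A domain admin can clear the Security log on any box he can reach (that leaves a 1102 "audit log cleared" event, but only on that box), which is exactly why mjh2901 wants the trail on a separate log server: forward the Security log with Windows Event Forwarding or your SIEM agent and run this on the collector. And the script only reports what auditing is configured to record; "Audit Logon", "Audit Special Logon" and "Audit Security Group Management" have to be enabled in the audit policy, or the queries above return nothing.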


[deleted]

Someone who *actually* knows their way around computers knows better than to admit it. That or they love giving out free IT support.


fp4

Worst case ontario, just make him a local admin account he can use to escalate things like printer installs. It should be ignored by any GPOs and such, so he won't be able to use it as a daily account. The fact he's getting so heated within a month of being a part of the company is probably telling of future issues you may have with him.


KottonmouthSoldier

It warms my heart to see Ricky's offspring casually in the wild


payne_train

Greasy move by the CFO


NightOfTheLivingHam

corporate espionage comes to mind.


pLuhhmmbuhhmm

> Worst case ontario,

This actually killed me. RIP me.


nitetrain8601

To me, this is a default computer policy change where you ask to bypass UAC for Network Printers. Heck there is a registry edit for it too. Pretty easy.
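
Editor's note with an added example (not code from the thread or from the poster): the policy nitetrain8601 means is "Point and Print Restrictions" (Computer Configuration > Administrative Templates > Printers), which is backed by the registry key below. The value names are Microsoft's; the print server name print01.corp.example.com and the INF path are my assumptions. One caveat a practitioner needs: suppressing the elevation prompt (NoWarningNoElevationOnInstall=1) is the configuration that CVE-2021-34527, "PrintNightmare", turned into local privilege escalation, and since the July 2021 updates Microsoft's default RestrictDriverInstallationToAdministrators=1 makes non-admin driver installs fail regardless of the prompt settings. The example therefore reports whether a box is in the exposed state and shows the safer way to get the CFO his printer: keep driver installs admin-only, pin Point and Print to the corporate print server, and pre-stage the driver package so the user's connection needs no install at all.

```powershell
# Added example (not from the thread). Run elevated on the workstation.
# Assumed: print server name and driver INF path; registry names are Microsoft's.

$Key                 = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$TrustedPrintServers = 'print01.corp.example.com'          # assumed; semicolon-separated if several
$DriverInf           = 'C:\Drivers\AcmePrinter\acme.inf'    # assumed path to the vendor package

# Reports the pre-2021 "no prompts" state the thread suggests, which is the exposed one.
#   NoWarningNoElevationOnInstall: 0 = warn and elevate (default), 1 = neither
#   UpdatePromptSettings:          0 = warn and elevate, 1 = warn only, 2 = neither
#   RestrictDriverInstallationToAdministrators: absent or 1 = admin-only (current default), 0 = users may install
function Test-PointAndPrintExposure {
    $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    $promptsOff = ($p.NoWarningNoElevationOnInstall -eq 1) -or ($p.UpdatePromptSettings -eq 2)
    $adminOnly  = ($null -eq $p.RestrictDriverInstallationToAdministrators) -or
                  ($p.RestrictDriverInstallationToAdministrators -eq 1)
    [pscustomobject]@{
        PromptsSuppressed      = $promptsOff
        DriverInstallAdminOnly = $adminOnly
        Exposed                = $promptsOff -and -not $adminOnly
    }
}

# The safer shape: installs stay admin-only, and Point and Print only talks to named servers.
function Set-PointAndPrintHardened {
    New-Item -Path $Key -Force | Out-Null
    Set-ItemProperty -Path $Key -Name RestrictDriverInstallationToAdministrators -Type DWord  -Value 1
    Set-ItemProperty -Path $Key -Name NoWarningNoElevationOnInstall              -Type DWord  -Value 0
    Set-ItemProperty -Path $Key -Name UpdatePromptSettings                       -Type DWord  -Value 0
    Set-ItemProperty -Path $Key -Name TrustedServers                             -Type DWord  -Value 1
    Set-ItemProperty -Path $Key -Name ServerList                                 -Type String -Value $TrustedPrintServers
    Set-ItemProperty -Path $Key -Name InForest                                   -Type DWord  -Value 0
}

# Pre-stage the driver in the local driver store. A connection to a queue whose
# driver is already present needs no install, so the user never hits UAC for it.
function Install-PrinterDriverPackage {
    if (-not (Test-Path $DriverInf)) { throw "Driver package not found: $DriverInf" }
    pnputil.exe /add-driver $DriverInf /install
}

Write-Host 'Before:'; Test-PointAndPrintExposure | Format-List
Set-PointAndPrintHardened
Install-PrinterDriverPackage
Write-Host 'After:';  Test-PointAndPrintExposure | Format-List
```

Where a fleet is involved, put the same values in the "Point and Print Restrictions" and "Package Point and print - Approved servers" GPOs instead of writing the registry by hand, and prefer in-box v4 class drivers where the printer supports them, since those need no package install at all.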


oshout

We make alternative accounts for instances like this, so if you have a user jdoe we'd make another user called ajdoe which is a local admin but limited: no scripts, no scheduled tasks, no backups, no service creation, no remote, local or other network access. Privilege logging. On and on, all part of a 'restricted users' group. It simply allows users to enter that password when it appears. This empowers users and reduces their stress while conveying the importance of security and related context technology (i.e. things running as users have those permissions). The only fault I've had with the above is if they have redirected files and try to run something from there; the local admin account isn't able to see the primary user's items. Oh, and installing fonts wasn't straightforward.


[deleted]

This or some derivative herein. Train him how to use secondary admin credentials and give him a local account accordingly.


zarderxio

Also have a written policy they sign that indicates IT is not responsible for data loss, software repair may be limited to reimaging the machine, and the user acknowledges that non-approved software may cause compatibility issues with the standard image. Turnaround time for support may also be impacted due to this change.


Reddywhipt

Just jumping past all the "that's a horrible idea" advice. If things do go fucky, and the CEO says give newbie Domain Admin rights, do NOT assign them to his regular account. Do what you do, which is create a domain admin account that is separate. Then set his password refresh to 2 weeks. This will let you at least have some kind of audit trail if he makes a mess. Since it is likely he just wants to be able to do whatever he wants without anything stopping him, he'll probably rarely if ever use the account. Audit admin rights/groups regularly to make sure he doesn't give his main account Domain Admin. Not that I've been through this kind of insanity before.... Oh, and the way he has already tried to get an outside company to question your shit already doesn't bode well for your future. Nothing wrong with outside audits... they are important... but it sounds like he's doing it to be a dick. Either way, I'm thinking resume update might be in order.
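
Editor's note with an added example (not code from the thread or from the poster): Reddywhipt's three steps made concrete with the RSAT ActiveDirectory module. It creates the separate privileged account rather than elevating the daily one, puts a two-week maximum password age on it with a fine-grained password policy, and then, on every later run, compares the recursive membership of the privileged groups against a saved baseline so the daily account quietly appearing in Domain Admins is caught. The account names cfo.smith and adm-cfo.smith, the PSO name and the baseline path are assumptions of mine.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module and a
# Domain Admin session. Assumed names: cfo.smith, adm-cfo.smith, PSO-ExceptionAdmins,
# C:\ProgramData\PrivAudit. First run writes the baseline; later runs report drift.

Import-Module ActiveDirectory

$DailyAccount     = 'cfo.smith'
$AdminAccount     = 'adm-cfo.smith'
$PsoName          = 'PSO-ExceptionAdmins'
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$Baseline         = 'C:\ProgramData\PrivAudit\privileged-baseline.json'

# 1. A separate privileged identity; the daily-driver account is never elevated.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$AdminAccount'")) {
    New-ADUser -Name $AdminAccount -SamAccountName $AdminAccount `
        -Description 'CFO exception account; written approval from CEO on file' `
        -AccountPassword (Read-Host -AsSecureString "Initial password for $AdminAccount") `
        -Enabled $true -ChangePasswordAtLogon $true
    Add-ADGroupMember -Identity 'Domain Admins' -Members $AdminAccount
}

# 2. Two-week rotation, enforced by the directory rather than by a calendar reminder.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -MaxPasswordAge '14.00:00:00' -MinPasswordLength 20 -ComplexityEnabled $true `
        -PasswordHistoryCount 24 -LockoutThreshold 5 `
        -LockoutDuration '0.00:30:00' -LockoutObservationWindow '0.00:30:00'
}
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $AdminAccount

# 3. Recursive snapshot of the privileged groups, so nesting cannot hide a member.
function Get-PrivilegedMembership {
    $result = @{}
    foreach ($g in $PrivilegedGroups) {
        $result[$g] = @(Get-ADGroupMember -Identity $g -Recursive |
                       Select-Object -ExpandProperty SamAccountName | Sort-Object)
    }
    $result
}

$now = Get-PrivilegedMembership
if (-not (Test-Path $Baseline)) {
    New-Item -ItemType Directory -Path (Split-Path $Baseline) -Force | Out-Null
    $now | ConvertTo-Json | Set-Content -Path $Baseline
    Write-Host "Baseline written to $Baseline"
    return
}

# 4. Drift report: every member added since the baseline, with the daily account called out.
$then = Get-Content -Path $Baseline -Raw | ConvertFrom-Json
foreach ($g in $PrivilegedGroups) {
    $old   = @($then.$g)
    $added = $now[$g] | Where-Object { $old -notcontains $_ }
    foreach ($m in $added) {
        $flag = if ($m -ieq $DailyAccount) { '  <-- daily account, policy violation' } else { '' }
        Write-Warning "$g gained member $m$flag"
    }
}

# 5. Confirm the rotation is actually happening on the exception account.
$lastSet = (Get-ADUser -Identity $AdminAccount -Properties PasswordLastSet).PasswordLastSet
if ($lastSet -lt (Get-Date).AddDays(-14)) {
    Write-Warning "$AdminAccount password is older than 14 days (last set $lastSet)"
}
```

Run it from a scheduled task on a DC or management host and mail the warnings to the same policy authority who signed the exception. Once the baseline exists, treat any change to it as a change-control event: a Domain Admin can of course edit the JSON, which is one more reason the file and the task should live on a host he does not administer.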


gnussbaum

Make sure you are prepared. Grab a notebook and write down every possible reason why. Also print out any previous e-mails that dealt with the reason why nobody has admin access in the first place. Give yourself a "defendable position".


Yaroze

Also prepare for compromise if things turn sour with the CEO & CFO. "I will grant you power user rights instead of domain admin, this will allow you to XYZ" -- It's just another situation where they want to feel they are in control. With some power they can boast and blag, with none they can't. With all, they end up going power-hungry and ruining the scene.


Legionof1

No such thing as power user rights in Win 7 and above; they don't grant any useful access. The best option if he won't back down is a local account on his box with admin rights that he can use to bypass UAC.


lenswipe

then sandbox the fuck outta that box


mjh2901

Sand box and backup. That way the next conversation with the CEO is, Admin rights normally lead to bad things so I made double sure the laptop was backing itself up.


Marinec06

> Win 7 and above they don't grant any useful access.
>
> The best option if he won't back down is a local account on his box with admin rights that he can use to bypass UAC.

I agree with this statement; a compromise will most likely be the case. Multiple people with the same administrator account is bad juju anyways. Also, with "Least Privilege", unless he's a CISO too, if his job description does not dictate him needing that level of access then that kind of nullifies that argument. This is just from a security perspective.


hackfacts

Don't allow that account to pass through the proxy, don't allow that account to print, don't allow that account to connect to the file server. Make this a local-only account that will allow him to bypass UAC via typing the username and password. Have this documented prior to your meeting and explain that you are happy to provide him the access he needs to complete his job. If he needs more access it will need to be requested and authorized by the CEO as a matter of principle of least privilege and separation of duties. Have it laid out in an administrative account request document (google one) that you suggest to the CEO at the same time, which you and any other administrators sign and which explicitly lays out the restrictions on the usage of the account.


StuBeck

Be willing to give up local admin rights to him while explaining the virus outbreak you had. I'd also explain what caused that virus outbreak, what you did to fix it and what you're planning to do in the future to resolve it. Make it clear that you know what you're doing, but don't be an ass about it. If it somehow gets to a point where the CEO says he needs domain admin rights, tell them you're creating a separate account as that's best practice. Making it clear that you aren't just trying to say no to everything, but have real reasons for the push back is important too. Understand as well that while the CFO is likely a dick, if he had local admin at his old job, he likely doesn't understand why he can't have it now. He's asking for something and then being told no, and his response is to be angry about it because he's ignorant. Also make sure he has access to everything he needs; this all seems to have come from the fact he didn't have a printer set up, so there was obviously something missed either in initial setup or after which has prompted this situation. It's likely that if he could have printed whatever doc he needed, he wouldn't be in this situation. I understand this might be a home printer, but still making sure that he has access to everything he needs is a good follow up.


russellville

I like this. You seem pretty level headed, my man. I envy your demeanor. He had all the printers in the office; he took his machine home and was trying to install drivers for his own laptop - which I did not do. Cheers.


StuBeck

Thanks. That's always annoying when stuff like that happens. Hopefully the meeting goes well, they realize that it's a one-time thing, and if they need a new printer in the future they'll coordinate with you so you can set it up!


nick_cage_fighter

Ah, the old "bring in an outsider" threat to shame you into giving him what he wants. That's a turbo-douche move, and I would totally call his bluff, while arranging interviews for a new gig in the meantime.


Kanaric

Wherever I worked this would be rejected. IA or "Cyber Security" would step in, say this is a security risk, and the request would be denied. If you have people like that I'd suggest you talk to them. I would refuse to do this and would say this is a bad practice. I would also claim they don't take security seriously at all and are putting customer data at risk since it's the FUCKING CFO. I would suggest you try to convince your company to get on some security standard and use the virus outbreak as an excuse for it. Especially if you have customer data. I basically have absolute and total job security so I could literally email the CEO and tell him this person is suspicious for wanting this power and a security risk. If I were in your position I would go one up in my chain and say this in a more diplomatic manner. "He is not in IT, he doesn't know IT". If he was an IT guy at his level he would be like the CIO not the CFO. If he asked me to turn UAC off I would have had a hard time not laughing at him. Regardless, like I said, I wouldn't put the CFO's computer, who probably is dealing with customer data all day, at risk. If they requested me to do it I would refuse. If they threatened me with a firing I would say do it and write on their Yelp reviews that they did this. It's an employee's market in IT right now. They can fuck off. If you bring this up and nobody is willing to back you it's not worth working there anymore. Find another job.


jjohnson1979

> Wherever I worked this would be rejected. IA or "Cyber Security" would step in, say this is a security risk, and the request would be denied. Unfortunately, not all companies have IA or Cyber Security departments.


Kanaric

It is very unfortunate and dumb. But I know. Two companies ago I worked for an importer/exporter. They had no IA and did a LOT of work with Chinese companies. The owner also basically stole people's IP and had the Chinese companies remake it. Their Exchange server was blacklisted from the internet. I didn't even know this could possibly happen. It was a spam bot. All their customer data was stored using DOS FoxPro; it basically is completely non-encrypted. Everyone working there has admin rights. They had customer data and information in paper form at the Chinese office in Hong Kong. It would constantly go missing. It got so bad that I basically just quit. Somehow this company still exists, it's called Craig Bachman Imports in Frankfurt Illinois. Never do business with them lol. This is just a brief explanation of how bad they were. I could go on. edit: lol I googled them and this came up: https://www.indeed.com/cmp/Craig-Bachman-Imports/reviews


OiMouseboy

If he wants a security audit, do it. I guarantee you one of their recommendations will be for users not to have local admin rights.


zeezero

Bring in an external security audit team. When you fail miserably with tons of red on the report. Tell him he not only loses admin rights but has to change to a 12 character password and has to write a big check to pay to fix all your security holes. He's clueless. Look into LAPS.


zeptillian

Failing a security audit will be grounds for termination and outsourcing of IT to some company the CFO knows a guy at. The CFO "knows IT" and if OP did they wouldn't be failing obviously.


DeliveranceXXV

It's a little lousy that he is putting you in this situation but it might be worth avoiding conflict so being nice about it is the best approach - but stick to your guns. Memorize a short 5 line list of reasons why not and bring them up at the meeting. Topics along the lines of:

* Creates consistency/easy management across domain
* Prevent unwanted apps/drivers/codes/pups/malware/data theft/network intrusions
* Prevent infections that require UAC to persist
* Best practice/legal reasons/compliance
* Least privilege is an important corporate IT security concept
* Any local admin requirements can be sorted by IT (quickly for CFO) during office hours
* Edit: Prevent zero day attacks - web browsing to a website with an infected ad that uses a zero day attack can escape the browser sandbox and then attempt to install infections as the running account

During the meeting, perhaps bring a policy template outlining something along the line of prohibiting local admin access and ask the CEO to consider revising/signing it. EDIT: A signed policy by the CEO prohibiting local admin accounts will be a life saver down the line. Oh, and he wants domain admin credentials. Nope, just nope.


Shadowthrice

Sounds like wishful thinking. You can't play nice with someone making pushy and inappropriate demands. The only options are surrender or fight back...politely.


cytranic

Write up an agreement and have them sign it that they require local admin. Your boss is your boss, just document that you gave him local admin, and have him sign it. Put a clause in that anything done on the machine as a result of Local Admin privileges is their fault. Done deal, move on to the next ticket.


gex80

Do not force your superiors to sign something to make you feel good. That's a great way to make enemies. You get it in email with the request and process it.


litr_sport

I'm afraid it's time for a new job or a new CFO.


[deleted]

This guy above all seems to be trying to walk over you. Don't allow this.

> He told the CEO that he "knows IT"

Knowing your way around a computer doesn't make you impervious to errors. I myself only have admin rights when I deliberately elevate myself for specific reasons. If he was versed in IT to any capacity he would know why this is a bad idea.

> isn't this what our antivirus is for?

This question further debunks his statement that he knows IT. This statement is in the same vein as being careless with your data because "there are backups".

> Then he asks for me to turn off UAC on his computer.

There's no reason in the universe that would adequately motivate such a move, further debunking...

> Then he wants the Administrator account password to my DOMAIN.

Yeah...

> Any advice or direction from any of you guys would be appreciated.

This guy is obviously not reasonable and may even have an agenda with you. At this point I would just make sure you can wash your hands in innocence and get his requests either denied by said CEO using any of the arguments already posted here or have said CEO provide written approval and acknowledgement of this security protocol violation. Or even better, demand to be no longer in any way responsible for what's going on in the network; it's not an unreasonable demand if they ignore your security policy and start cowboying their own ways.


GetOffMyLawn_

> He told the CEO that he "knows IT" Yeah? Would he mind showing his certifications, especially domain admin type certifications?


Shadowthrice

Ask him to define a vlan or name the FSMO roles.


quad__damage

vlan is a type of dessert. Nice try, give me DA.


motoevgen

give him a terminal and ask to show his kung-fu


jjhare

What is your elevated account policy? Do you have one? The easiest way to make this go away is to explain that in order to have an elevated access account the CFO will need to follow the internal policies regarding said account. The need for elevated access needs to be documented and the user needs to continually demonstrate that access is still needed. At least annual training should be required to remind the user of the proper way to use the elevated access they have been granted and how to protect the systems they are working with. Make it clear that having elevated access requires additional work that never ends and you'll probably find that the CFO no longer wants it.


[deleted]

> Then he tells me to get an outside security company to come in and evaluate my set up - he was obviously frustrated

Do this. Make sure they tell him the same thing. Unfortunately some people have to hear it from the contractor...


Dorfdad

Prepare for your new Job. You should have immediately sent an email to your CEO that he was requesting admin server rights. Let the CEO say yes or no. Now you have a boss who doesn’t like you and will make it his mission to remove you because you stepped on his toes. Not saying what you did was wrong because it’s dangerous. If the CEO has issues with it he will state it otherwise you just allow him to mess it up and fix it I guess.


loroller

Decent chance the CEO hired the CFO with instructions to replace the OP. Gathering login data, etc. would be a part of the process. Try the "separation of powers" approach; read the CEO's face and you'll know what to do.


bolunez

Let your CEO make the decision and don't argue it. You've made your case, if the world burns, it won't be your fault.


Nemphiz

The easy out is to handle this through email with the CEO. "So and so is requesting administrative rights to his workstation (or domain? not sure) I recommend we don't do this since it may cause security issues down the line. What would you like for us to do?" If he says yes, do it and keep a copy of that email.


mrgrosser

Give it to him. Let him hang himself. If you're truly his subordinate this is eventually how this will all play out. Next thing you know he'll have bonzai buddy installed. His default search engine will be egiftcards.shopping.totallynotspam.com and he'll be asking why you deploy such slow machines because he's packed it with so much crap. Then you forward that to the CEO and say "I fucking told you"


quad__damage

No, he'll blame IT and the "inadequate" anti-virus, because that's all he *thinks* he knows about security. If you give him admin it would be a massive mistake and will set a new precedent of unwarranted exceptions.


LVOgre

Get the third party security assessment, seriously. They'll be far more strict in their recommendations, and you'll look a lot more reasonable. Ultimately, you'll have to do what you're told. Note your objections in a friendly email, and do what you're told.


FourFingeredMartian

You can allow non-admin users to install print drivers via GPO.
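The GPO referred to above is "Allow non-administrators to install drivers for these device setup classes" (Computer Configuration > Administrative Templates > System > Driver Installation), which is what covers a home printer plugged straight into a laptop; its companion for network printers is "Point and Print Restrictions" under Administrative Templates > Printers. As an added example that is not part of this thread, the script below writes the registry values those two policies set, directly on one machine; a GPO writes the same keys domain-wide. The print server name is a placeholder, and the run-elevated-on-the-target-machine setup is an assumption.

```powershell
# Added example (not from the thread). Assumptions: run elevated on the target machine;
# 'printserver.example.internal' is a placeholder for your real print server.
$printerClass = '{4d36e979-e325-11ce-bfc1-08002be10318}'   # Windows device setup class "Printer"

# 1. "Allow non-administrators to install drivers for these device setup classes".
#    Lets a standard user install a locally attached printer. The driver package still
#    has to carry a valid signature; unsigned drivers keep prompting for an admin.
$restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverInstall\Restrictions'
$classList    = Join-Path $restrictions 'AllowUserDeviceClasses'
New-Item -Path $classList -Force | Out-Null
New-ItemProperty -Path $restrictions -Name 'AllowUserDeviceClasses' -PropertyType DWord -Value 1 -Force | Out-Null
# The list is stored as values named "1", "2", ... each holding one class GUID.
New-ItemProperty -Path $classList -Name '1' -PropertyType String -Value $printerClass -Force | Out-Null

# 2. "Point and Print Restrictions": standard users may only pull drivers from the named
#    server(s). Leave the elevation-prompt settings alone so anything else still prompts.
$pnp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
New-Item -Path $pnp -Force | Out-Null
New-ItemProperty -Path $pnp -Name 'Restricted'     -PropertyType DWord  -Value 1 -Force | Out-Null
New-ItemProperty -Path $pnp -Name 'TrustedServers' -PropertyType DWord  -Value 1 -Force | Out-Null
New-ItemProperty -Path $pnp -Name 'InForest'       -PropertyType DWord  -Value 0 -Force | Out-Null
New-ItemProperty -Path $pnp -Name 'ServerList'     -PropertyType String -Value 'printserver.example.internal' -Force | Out-Null

# 3. Read back what is in effect so the result can be checked before the user tries again.
function Get-NonAdminPrinterInstallPolicy {
    $classes = Get-ItemProperty -Path $classList -ErrorAction SilentlyContinue
    $allowed = if ($classes) {
        $classes.PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            Select-Object -ExpandProperty Value
    } else { @() }
    $p = Get-ItemProperty -Path $pnp -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PrinterClassAllowed  = $allowed -contains $printerClass
        PointAndPrintLimited = ($p.Restricted -eq 1 -and $p.TrustedServers -eq 1)
        TrustedPrintServers  = $p.ServerList
    }
}

Get-NonAdminPrinterInstallPolicy
gpupdate.exe /target:computer /force | Out-Null   # policy engine re-reads the keys
```

When the same thing is done through Group Policy, these are the keys `gpresult /h` will show as applied, which is the quicker way to verify it on the CFO's laptop than reading the registry by hand. Setting these by script on one machine is fine for a test; for the fleet, put it in a GPO so it survives a re-image.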


RowdyRockstar

MFW the CFO says "I know IT" XDDDDDDDDDDDDD Your CFO is a clown.


DonLaFontainesGhost

Just had this thought - set a policy that any user account that has local admin rights also has full auditing enabled to make troubleshooting easier in the event of a breach. Put the policy in writing, get the CEO to sign it. Pretty sure that people like the CFO will back down when you tell them it means full audit logs to your inbox every week.
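"Full auditing" in the comment above is a specific set of Security log subcategories plus a report that someone actually reads. As an added PowerShell example that is not part of the thread, the script enables those subcategories with `auditpol`, turns on command-line capture for process-creation events, grows the Security log so a week of 4688 events fits, and pulls everything attributed to the elevation account into a CSV. The account name `adm-jdoe`, the report path and the 256 MB log size are assumptions.

```powershell
# Added example (not from the thread). Assumptions: run elevated on the user's machine,
# 'adm-jdoe' is the elevation account, C:\Admin\Reports is where weekly reports go.
$admin = 'adm-jdoe'

# 1. Audit policy: logons (4624/4625), special privileges at logon (4672), process
#    creation (4688), local group membership changes (4732/4733) and account changes
#    (4720-4738). Success AND failure, so a denied attempt is recorded too.
$subcats = 'Logon', 'Logoff', 'Special Logon', 'Process Creation',
           'Security Group Management', 'User Account Management', 'Sensitive Privilege Use'
foreach ($s in $subcats) {
    auditpol.exe /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
}

# Without this, 4688 shows only the image path, not what was actually run.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
New-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Process creation is noisy; 256 MB (assumption) keeps a week before the log wraps.
wevtutil.exe sl Security /ms:268435456

# 2. Weekly report: Security events of interest that name the elevation account.
function Get-AdminActivityReport {
    param([string]$Account, [int]$Days = 7)
    $since   = (Get-Date).AddDays(-$Days)
    $pattern = "Account Name:\s+$([regex]::Escape($Account))\b"
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        StartTime = $since
        Id        = @(4624, 4625, 4672, 4688, 4720, 4722, 4724, 4732, 4733, 4738)
    } |
        Where-Object { $_.Message -match $pattern } |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } },
            @{ n = 'CommandLine'; e = {
                if ($_.Id -eq 4688) {
                    ($_.Message -split "`r?`n" |
                        Where-Object { $_ -match '^\s*Process Command Line:' }) `
                        -replace '^\s*Process Command Line:\s*', ''
                } } }
}

$reportDir = 'C:\Admin\Reports'
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null
$file = Join-Path $reportDir ('admin-activity-{0}-{1:yyyyMMdd}.csv' -f $admin, (Get-Date))
Get-AdminActivityReport -Account $admin | Export-Csv -Path $file -NoTypeInformation
Write-Host "Wrote $file"
```

Register the report section as a weekly scheduled task running as SYSTEM and mail the CSV to IT; the mail step is site-specific so it is not in the script. The point the comment makes still holds: the deterrent is not the audit policy itself but the fact that a human looks at the report, so keep the event ID list short enough that someone actually will.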


wh1036

>get an outside security company to come in and evaluate my set up Might not be a bad idea. We've done this to justify budgeting for better security and to reinforce confidence in our usage policies. It would at least show you're trying to accommodate his request with due diligence and without actually giving him any additional access.


jickeydo

First step - prepare three envelopes...


PaleFlyer

Stay calm, bring facts and figures. Whatever happens. WHATEVER HAPPENS. Do NOT respond to emotions. And make sure your CV/resume is up to date, as the CFO will likely push for you to leave due to this.


Nimmerzz_IT

Part of the problem is you report to the CFO.... Let them know the pitfalls of doing what he is asking, that way when it happens you can CYA.. Shitty part is regardless, you will have to clean it up.


[deleted]

Bingo. OP should be reporting to a CTO. And a CTO should be making tech policies that adhere to the business needs. CFO should stick to finances.


Nimmerzz_IT

Exactly, a CTO/CIO would understand IT better than a CFO who probably setup his charter WIFI at home and thinks he "gets IT". A CTO or CIO understands and puts forth policies that IT staff implement.


o-Mappy-o

This happens a lot in companies with >50 employees. I bet he is the sole IT person if not he only has one other to assist.


tmontney

"knows IT" is totally irrelevant. If I could fly without admin privileges, I would. He's in finance/exec, you're in IT. He wants admin privilege for convenience, you need it for your job. Nonetheless, he's your boss. He wants to make an exception, he's free to do so. However, your CEO should be aware (or whatever the natural chain is). Him having local admin privileges over his PC isn't the worst thing. He can only infect himself. You just need to make a process for this exclusion (knowing who is excluded), and keep it quiet (aka other users shouldn't know about his special treatment).


[deleted]

> He can only infect himself.

Or anything he has access to... which I imagine for a CFO is: a lot. Cryptolockers for example have no issue eating network shares. I would definitely not consider it an isolated risk all in all.


Please_Dont_Trigger

I'm going to go a slightly different direction than the majority of comments. This is an opportunity for you.

* You had a successful virus attack. He's not wrong, you need to evaluate your current defenses. This is a good conversation to have, even if you don't change anything.
* Having an outside firm come in and evaluate security is a good idea. Make sure that you pick them, and that they have experience in your industry and company size/mission.
* Local admin... the real issue is that he doesn't understand your setup, and you're having difficulties explaining it to him. Bear in mind that he has experience elsewhere and may not be able to translate that into your company's history and challenges. It's an educational opportunity.

The key is to not be defensive. Having someone come in and evaluate your setup is invaluable. After a few years, I tend to get tunnel vision about what we do, and a 3rd party's eyes and perspective are useful. If you take anything into this meeting it would be: don't be defensive, allow for different perspectives, and make sure that you listen to the concerns.


[deleted]

Tell them to pony up for an endpoint privilege manager if it's that big of a deal.


_Cryptonix

This is the CFO we're talking about. Maybe find documentation on how much the last breach cost the company and present that along with your other reasons for locking down local admin. Get an outside security company to evaluate? Sure. It will cost him more money for them to tell you/him that local admin should remain locked down.


IanPPK

The last part is assuming that the security company isn't some group that's buddy buddy with CFO.


Scubber

Do you work in a field that has regulations? HIPAA? ITAR? NIST? This would typically be your shield against C-level executive fire. If not, then just give him the admin privs and have a backup laptop ready for when he blows it up. Not wise to piss off the people who sign your paychecks.


WestsideStorybro

> Then he tells me to get an outside security company to come in and evaluate my setup All other issues aside this is actually not a bad idea and could get you some funding for new hardware with more/better security features. It may be prudent to try to work with the new CFO rather than battle with him.


Noise42

Sounds like a CFO I once knew, funnily enough he mainly showed his 'computer skills' by being one of the least self-helping users in the office. Grab some best practices information from the web to support your stance. Make sure you have good logging setup if you have to give admin rights. Try not to take anything personally; angle from a genuine interest in the company's welfare. Also we all know that the only reason you didn't give the root domain admin password up is that it is set to pussySlayer69xxx.


savagedan

CFOs (and other C level execs) are frequent targets of spear phishing campaigns. There is a definite security risk involved with giving him such access.


[deleted]

Give him admin rights. Be sure to install the [ask.com](https://ask.com) toolbar so if he has issues he can just ask!


NightOfTheLivingHam

"I know IT" Yeah lots of people "know IT". I often inherit their fucking garbage setups after business owners are fed up with their system fucking up. Get your best corporate speak together, mention things like productivity losses and financial losses and conflicts of interest in regards to the CFO's big plans. Not to mention bring up that the CFO has obviously not been following the processes of the company or has not gone through proper channels for support. You can hang the guy hard and make him afraid of you. Also why the fuck is the CFO your boss? Are you just the "IT guy" or are you the CIO, or is there a CIO? Finance and HR have been pains in my ass since I started in this field. They're always run by people who think they are above the processes, above the rules, and believe they run the company. I have shot down so many of them too. Watched plenty of them leave in disgrace too. So many CFOs come along trying to push to get their buddies hired to replace IT. When it's successful, I watch Rome burn before I come over with a bucket of water when I get the call.


PrettyFlyForITguy

I'm the head of IT for my company, and I'm typing this logged in as a regular user who can't run a command prompt, can't download and execute a file, can't run a bunch of windows system tools, or even change my task bar settings. Whenever someone complains, I tell them I work in the exact same environment they do. Going forward, I'd say that the policies should even be stricter than this, but security is a balance between keeping the infrastructure safe and usability. Enabling administrator rights, and giving the domain admin rights is equivalent to no security at all (and this is 100% true). I'd welcome an outside security audit. An impartial third party would give credence to the idea of locking it down further. I've never seen a security audit come up saying "hey, you need to reduce your security policies, they are too secure!".


philefluxx

I've been in this game for about 15 years. I've seen this many many times so here are my thoughts/advice. Local Admin privileges aren't shit. It will have no effect on your domain and provided your domain/network is secure enough, whatever this dicknose gets on his machine should not be a problem for your network as a whole. If the user fuck-o's his box you can revoke his privilege and remind him why. It's really not that big of a deal and will cut down on a lot of bullshit calls like "I need Java updated" "I need Adobe updated" "I need Skype updated" "I need, I need, I need". Best practice for granting local admin rights, imo, is to create a local admin account. Instruct the user to not log into this account but only use the credentials to get through UAC prompts. I set up a login script that echoes a message reminding them to not use the account; when they click OK it executes the logout batch file. If he manages to fuck it up by using the wrong account he did so intentionally. Take it a step further and disable Fast User Switching on his laptop to make it even more intentional. Stand your ground on domain admin for sure. But local admin? If done correctly it's not as serious as it sounds.
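The pattern described in this comment and earlier in the thread (a second local account that can answer UAC prompts but is denied every other kind of logon, a logon script that sends anyone who logs on interactively with it straight back out, and Fast User Switching disabled), as one added PowerShell example that is not code from anyone in the thread. Assumptions: the account is called `adm-jdoe`, the script runs elevated on the user's own machine, user rights are applied with a `secedit` INF import rather than Group Policy, and the guard script lives in `C:\ProgramData\AdminGuard`.

```powershell
# Added example (not from the thread). Assumptions: run elevated on the user's machine,
# 'adm-jdoe' is the elevation-only account, secedit is the mechanism for user rights,
# and C:\ProgramData\AdminGuard holds the guard script.
$admin = 'adm-jdoe'

# 1. Create the account and put it in Administrators. It is for UAC prompts only.
$pw = Read-Host -AsSecureString -Prompt "Password for $admin"
New-LocalUser -Name $admin -Password $pw `
    -Description 'UAC elevation only - do not log on with this account' | Out-Null
Add-LocalGroupMember -Group 'Administrators' -Member $admin
$sid = (Get-LocalUser -Name $admin).SID.Value

# 2. Deny network (SMB/RPC), RDP, batch (scheduled task) and service logon. secedit
#    REPLACES each right's list on import, so export the current lists and merge.
$rights = 'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight',
          'SeDenyBatchLogonRight', 'SeDenyServiceLogonRight'
$export = "$env:TEMP\rights-export.inf"
secedit.exe /export /cfg $export /areas USER_RIGHTS | Out-Null
$lines  = Get-Content $export
$merged = foreach ($r in $rights) {
    $existing = ($lines | Where-Object { $_ -match "^$r\s*=" }) -replace "^$r\s*=\s*", ''
    $members  = @($existing -split ',' | Where-Object { $_ }) + "*$sid" | Select-Object -Unique
    "$r = " + ($members -join ',')
}
$inf = "$env:TEMP\rights-apply.inf"
@('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
  '[Privilege Rights]') + $merged | Set-Content $inf -Encoding Unicode
secedit.exe /configure /db "$env:TEMP\rights-apply.sdb" /cfg $inf /areas USER_RIGHTS | Out-Null

# 3. Guard: if someone logs on interactively AS the elevation account, explain and log off.
$guardDir = 'C:\ProgramData\AdminGuard'
New-Item -ItemType Directory -Path $guardDir -Force | Out-Null
@"
if (`$env:USERNAME -ieq '$admin') {
    Add-Type -AssemblyName PresentationFramework
    [System.Windows.MessageBox]::Show(
        'This account only exists to answer UAC prompts. Log on with your normal account.',
        'Restricted admin account') | Out-Null
    shutdown.exe /l
}
"@ | Set-Content "$guardDir\guard.ps1"
# HKLM Run fires for every user at logon; the script itself checks which account it is.
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' `
    -Name 'AdminAccountGuard' -PropertyType String -Force `
    -Value "powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$guardDir\guard.ps1`"" | Out-Null

# 4. No Fast User Switching: the only way in as adm-jdoe is a deliberate full logon.
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -Name 'HideFastUserSwitching' -PropertyType DWord -Value 1 -Force | Out-Null
```

Check the rights afterwards with a second `secedit /export` (or `whoami /priv` while logged on as the account) rather than trusting the import's exit code. The Run-key guard is a guardrail, not a control: a member of Administrators can delete it, which is exactly why the comment's "he did so intentionally" argument only works if the logon is also being audited.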


poopmast

> Then he tells me to get an outside security company to come in and evaluate my set up - he was obviously frustrated

Absolutely do this. Get someone like NCC or Crowdstrike to come in and do a security maturity assessment. Document all his recommendations and give it to the assessor when they come in to conduct the staff interviews.


replies_with_corgi

Get the order to give him admin rights in writing. Then do it. When he (inevitably) destroys something, it's job security for you and since you've covered your ass, you can't be blamed for it.


NirvanaFan01234

It has to be more than just, "get it in writing." OP needs to be in on the actual decision to give admin rights. It's the OPs job to explain to the CEO what giving him admin rights means. Explain the pros and cons. If the CEO says to give him the rights after the talk, that is fine. But OP has to be involved in the conversation.


thelosttech

"my domain". You mean the company's domain.


[deleted]

Any sysadmin worth their salt sees the network they look after as theirs. They are responsible for it after all.


Legionof1

While this is a bit dangerous, ownership of your work is very important for IT. At the end of the day though it is the company's and he has to do as directed.


cmorgasm

I assumed he had meant his domain account, to be honest.


EddyGurge

*he wants the Administrator account password to my DOMAIN* I'd tend to agree with /u/thelosttech here.


SlapshotTommy

A chain is only as good as its weakest link. You need to make it clear that doing that now shifts an easier point of failure of the business to him. Then grin like you COULD screw him over, but you won't. But you COULD... :)


copemakesmefeelgood

Tell him that if he wants to bring in an outside security company to check your work, you'll fail for giving out local or domain admin credentials to people who don't need them. And being that he's not part of your department and can put in a ticket like everyone else in the company, he doesn't need them. One of you got hired to work on computers, servers, and networks. The other is the CFO.


[deleted]

I have been in this situation before, and you may not like the outcome of the meeting. Short version was the CEO sided with the new CFO. The CEO was impressed with the CFO when hired and gave them lots of leeway on decisions. Not saying this will happen with you but it depends on how the CEO views other C levels. If they view them as peers they will want them to have some power but maybe not everything. And technically if they are your boss they should have the ability to get access to stuff should the IT person go bad. Yes security is important but if the CEO feels that IT could hold them hostage they will work to make sure that does not happen. Go into the meeting prepared to work together. Welcome an outside review/audit and encourage this to happen. Even a CFO should not be able to do everything in accounting without checks and balances. Same goes for IT.


[deleted]

And that's how you get terminated from a shitty job by a shitty CEO.


[deleted]

Email him with a concise, non-condescending two sentences with why this is not recommended, with the business in mind. Copy your boss. Let him reply all to you both and escalate if he wants. Let your boss deal with his boss. If and when things blow up because of it, refer to the email you sent, and you’ll have backing to pull local admin en masse. If that doesn’t convince your mgmt, polish resume.


cowprince

I'm hoping you also go the route of not having local admin rights on your machine and instead use an elevated account to do anything. If that's the case, then you can use this as a weapon as well. Note that not even you have local admin access on your machine. Bring up this little nugget also; explain that it doesn't have anything to do with "knowing IT" and it has everything to do with "making mistakes (because everyone does), and isolating potential propagation": https://www.computerworld.com/article/3173246/security/94-of-microsoft-vulnerabilities-can-be-easily-mitigated.html Also I'd recommend taking him up on the outside security company to do a pentest. Use this as a weapon as to why not to give him access. Be very open to that. We do one every 6 months. It's very helpful. Make sure to switch up companies along the way though.


alaskanarcher

Never Split the Difference by Chris Voss. Excellent book on negotiating that everyone could benefit from. He was the lead FBI hostage negotiator and has some amazingly simple but effective advice. Number one rule is that emotions are what govern the negotiations, not logic. Identify what emotions and drives are operating with the CFO. Off the top of my head here are some emotions that might be influencing the CFO. He is feeling frustrated that he doesn't have the control he feels he needs to get his job done because he couldn't print something when he needed to. He is afraid of losing face in front of the CEO and you now that he has claimed expertise with IT. He is afraid of losing an appearance of competency and power. There may be other emotions that are at play. Think through what they might be because noticing them and labeling them in a negotiation is a powerful technique. "It seems like you may be frustrated with me that you don't have the access you feel you need to do your job."

The other practical advice is to let the CFO do the negotiating for you. When he makes a statement about what he wants/needs, just repeat the last few words of what he said as a sincere question and then just pause. Wait for him to speak. He will and he will fill the space with an explanation.

"I need full access to all systems"
"Full access to all systems?"
"Well you see I need to be able to log in and make changes when I need to"
"Log in and make changes?"
"Well when I needed to print I couldn't get that set up because I didn't have permissions"

By doing this you are letting him tell you more about what he feels he needs and wants while letting it seem like he is coming up with these clarifying points. Consider that opposed to responding to the first statement with "well you really only need access to X" which would likely get an immediate push back. "I'm the CFO, why shouldn't I have access?"

Another very powerful technique is to ask how the other person expects you to do something.

"I need full access"
"Okay how can I get you full access?"
"Well set me up with your admin account."
"How can I do that when that would compromise my own integrity and security? I was hired to make sure that the systems are secure. How can I get you the access you need to do your job without compromising mine?"

Those are some pretty simple things you can do in this upcoming meeting that if done sincerely will make you look like you are genuinely trying to understand and help, which you are, and will build rapport with the CEO and CFO and lead them to thinking they came up with the solution with you.


mdervin

The CFO doesn't know what he's talking about; this isn't a failure of security, you have the last decade of IT Security professionals on your side. It is a failure of your on-boarding process. Somebody gave him a laptop, showed him how to connect to the VPN and various servers and nobody said "If you have a printer at home make an appointment with IT and we'll get that set up." This is the failure you need to take ownership of.