In this episode, we will go through my top 10 Mistakes New System Administrators make. All of these mistakes are avoidable if you are aware of them. Many of them I have learned through experience.
#1 Thinking you know it all
This is a huge mistake that new System Administrators make, especially young ones. I can say this because I have certainly been guilty of this myself. You are young and fresh out of school, or maybe you just got your first certification. You think that because you are younger and have used the technology your whole life, maybe you know more than the older people. Let me tell you that you probably don’t!
While I appreciate that you may have been exposed to certain technology, you have probably never used it in a business environment with users who may not be as tech-savvy. This is where the experience and knowledge of a more seasoned System Administrator will far surpass yours.
Really, the biggest mistake you can make by thinking you know it all is not learning or taking advice. System Administrators who have been in the business a while can certainly teach you a lot you won’t learn in school. So be open and eager to learn, and come in with a fresh pair of eyes.
#2 Not Communicating
Communication is huge in IT, especially in larger companies. Sadly, I see this mistake time and time again from new System Administrators. You have to communicate, whether it is with your co-worker, your boss, or your client. When communication breaks down, things get missed and downtime typically follows.
A quick story about a new System Administrator who made this mistake. He was tasked with upgrading IIS on all internal web servers. He did a very good job of planning the upgrade to minimize downtime, and all of the appropriate steps were documented. But what he failed to do was discuss the upgrade with the developers. So the night came and he upgraded all of the internal web servers to the newest version of IIS. The next day some internal web pages were not working. If he had discussed this upgrade with the developers, he could have avoided the downtime of these internal pages: the developers would have had time to test and make any necessary changes to the pages.
#3 Using a privileged account for day to day use
This is a HUGE mistake new System Administrators make all the time. To be fair it is typically a practice already in place prior to their employment. However, if you are a new System Administrator and notice this, it should be one of the first changes you make.
Privileged accounts are user accounts that have higher-level permissions. These accounts are used for managing Active Directory, Exchange, folder permissions, etc. This privileged account should not be used for your day-to-day tasks of checking email or browsing the web. Why, you ask? Well, if you accidentally click on that malicious email or go to a malicious site, it would be really bad if your computer was compromised while you were logged in with a privileged account. Now the attacker has that additional access.
You should have a normal user account for day to day tasks like checking email or browsing the web. This account really shouldn’t even have admin permissions on your computer. This severely limits the possible compromise if you do accidentally go to a malicious web site or download a malicious attachment.
I have one account that is my day to day browsing account and my other accounts are elevated to certain degrees. Those are used when I need to make system-level changes to Exchange or Active Directory. To even take it one step further my elevated accounts are enabled with MFA (Multi-Factor Authentication). This makes it even harder for someone to compromise my elevated accounts.
#4 Not Assigning Appropriate Permissions
I know we have all been there. You are working on something important and then the CEO or someone important comes to you: “I need access to this folder”, so you add them and give them “Full Control”. Remember the rule of least privilege. Users, including CEOs, should only be given the permissions required to do their job and nothing more. If they need access to a folder, then they need read, write, and modify access, not Full Control. The difference is that Full Control also gives that CEO the ability to add and remove other people’s permissions on the folder. So unless assigning permissions to the folder is part of the CEO’s job, they should not have Full Control of the folder.
The “Everyone” permission is not only one of the mistakes new System Administrators make, but seasoned ones as well. The Everyone permission does exactly what it says: it gives everyone permissions to a folder, which includes people who are not part of your domain. I have yet to come across a legitimate reason that anyone internally needs to access a folder without being part of the domain. If you need everyone to have access to a resource, try using “Authenticated Users” instead. This group is everyone who has been authenticated to the domain, so it would not allow Joe Schmoe the employee who plugged his personal laptop into the network to access that resource.
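As an added example (not from the original post), the following PowerShell audits a folder tree for the two problems above, ACEs granted to “Everyone” and Full Control granted to anyone outside the usual admin groups, and shows how a single folder would be corrected to “Authenticated Users” with Modify. The share path and the list of principals expected to hold Full Control are assumptions; adjust them to your environment.

```powershell
# Added example, not from the post: audit NTFS ACEs for "Everyone" and for
# Full Control held by non-admin principals, then repair one folder on request.
param(
    [string]$Root = 'D:\Shares\Finance'   # placeholder; point at the share root to audit
)

# Principals for which Full Control is expected on a file share; anyone else is flagged.
$ExpectedFullControl = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

$folders = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue)

$findings = foreach ($folder in $folders) {
    $acl = Get-Acl -Path $folder.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # only Allow entries grant access
        $identity   = $ace.IdentityReference.Value
        $isEveryone = ($identity -eq 'Everyone')
        # Some ACEs carry generic rights that display as raw numbers; those are not matched here.
        $isFull     = (($ace.FileSystemRights -band $FullControl) -eq $FullControl)
        if (-not $isEveryone -and -not ($isFull -and $ExpectedFullControl -notcontains $identity)) { continue }
        $issue = if ($isEveryone) { 'Everyone has access' } else { 'Full Control outside admin groups' }
        [pscustomobject]@{
            Path      = $folder.FullName
            Identity  = $identity
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Issue     = $issue
        }
    }
}

$findings | Sort-Object Path | Format-Table -AutoSize

# Remediation for one folder, run per finding after review: drop explicit Everyone entries and
# grant Authenticated Users "Modify", which covers read, write and modify but not changing permissions.
function Repair-EveryoneAce {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in @($acl.Access | Where-Object { $_.IdentityReference.Value -eq 'Everyone' -and -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        'NT AUTHORITY\Authenticated Users', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}
# Usage: Repair-EveryoneAce -Path 'D:\Shares\Finance\Reports'   # placeholder path
```

Inherited Everyone entries are left alone on purpose; fix them at the folder where they are defined so the change flows down.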
#5 Not Testing Patches on Servers
Things change so fast in IT; software is constantly being updated. If we don’t do our due diligence and test software patches and updates, we are just setting ourselves up for downtime. Bad patches for Microsoft, Linux, Mac and third-party software can crash your servers and cause unwanted downtime. This is why we should always test our patches in a test environment before they are installed in production.
I know many businesses struggle with this because they do not have the capital for a completely separate test environment. That really is OK, because you can test patches on lower-impact servers first. So run Windows patches on an internal IIS server before you run them on your Exchange server. It isn’t a perfect comparison, but at least if there is a problem you would be taking down a less impactful server.
Don’t just run Windows Update and walk away. Keep good documentation of each patch that is applied and exactly when you applied it. This documentation makes it much easier to uninstall or roll back a patch that is causing a problem.
#6 Not Patching Servers
This one goes hand in hand with #5. Please be sure to always patch your servers unless there is a very specific reason not to. That specific reason must be of the form “Patch XZY breaks Software ABC running on server 123”. The reason can’t be “It may break the server”.
I am sure you see a common theme here: technology moves very fast. Part of that is finding and fixing vulnerabilities. That is why Microsoft puts out patches and updates, to fix known vulnerabilities in their software. So by choosing not to patch your servers and workstations, you are leaving yourself open to compromise.
I see this mistake with new System Administrators who have been burned by patches before. They had a server go down because of Windows patches, and now they are timid and don’t want to install any patches for fear of more downtime. Sadly, bad patches have just become part of IT. This is why you keep careful documentation of what patches are installed, and why you test patches as best you can before they are installed in production.
#7 Not Keeping Good Backups
This is one of the biggest mistakes a new System Administrator makes. If you want to see something kill a business quickly, try losing all of your data and not having a backup. Ransomware is a very real threat, and it can be thwarted with good off-site backups. Off-site backups are a copy of your backup at another location. This gives you protection against a natural disaster or a fire in your building.
Backups can be expensive and don’t show any return on the investment unless there is a problem. This is unfortunately why some companies don’t put the money into them. It can also be a very mundane, unexciting task for a System Administrator. But backups are certainly somewhere you should not drop the ball, because it could ruin a business.
#8 Not Monitoring Logs or Notifications
Logs and monitoring are the pulse of everything going on with your servers. You have to make sure proper monitoring is in place to alert you when a problem happens. By doing this you can be a little more proactive and potentially fix problems before users notice them. I wrote a previous post about server monitoring, so check that out for more information.
On the other side, you have to have proper logging in place so you can troubleshoot problems or investigate after an incident. Some of this is built right into Windows operating systems, like Domain Controllers having built-in auditing for user logons, or IIS servers having built-in logging for web requests to the server.
There is, however, third-party software that makes obtaining more logs easier. Software like SolarWinds can help log performance metrics on servers, which helps greatly when troubleshooting a problem. Other software like QRadar will help you consolidate your logs in one place. This is also very helpful when troubleshooting: with all of your logs in one place, you don’t have to log into multiple servers to determine what is going on.
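As an added example (not from the original post) of using the Domain Controller logon auditing mentioned above, this PowerShell pulls failed logons (Security event ID 4625) from one DC for the last 24 hours and groups them by target account and source address, so a burst of failures against a single account stands out without logging into the server and scrolling Event Viewer. The DC name, the time window and the failure threshold are assumptions; it needs an account allowed to read the Security log.

```powershell
# Added example, not from the post: summarise failed logons (event 4625) from a DC's Security log.
param(
    [string]$ComputerName = 'DC01',   # placeholder domain controller name
    [int]$Hours = 24,
    [int]$Threshold = 10              # report only account/source pairs with at least this many failures
)

# Common NTSTATUS values carried in the event's SubStatus field.
$StatusText = @{
    '0xc000006a' = 'Bad password'
    '0xc0000064' = 'Account does not exist'
    '0xc0000234' = 'Account locked out'
    '0xc0000072' = 'Account disabled'
}

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

# Read the named EventData fields from the event XML rather than relying on property positions.
$rows = foreach ($evt in $events) {
    $data = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $sub    = ([string]$data['SubStatus']).ToLower()
    $reason = if ($StatusText.ContainsKey($sub)) { $StatusText[$sub] } else { $sub }
    [pscustomobject]@{
        TimeCreated = $evt.TimeCreated
        TargetUser  = $data['TargetUserName']
        SourceIp    = $data['IpAddress']      # "-" when the logon was local or the source is unknown
        LogonType   = $data['LogonType']
        Reason      = $reason
    }
}

$rows | Group-Object TargetUser, SourceIp | ForEach-Object {
    $sorted = @($_.Group | Sort-Object TimeCreated)
    [pscustomobject]@{
        TargetUser = $sorted[0].TargetUser
        SourceIp   = $sorted[0].SourceIp
        Failures   = $_.Count
        Reasons    = ($sorted.Reason | Sort-Object -Unique) -join ', '
        FirstSeen  = $sorted[0].TimeCreated
        LastSeen   = $sorted[-1].TimeCreated
    }
} | Where-Object { $_.Failures -ge $Threshold } | Sort-Object Failures -Descending | Format-Table -AutoSize
```

Run it against each DC, or point it at your log collector once the Security logs are consolidated, since a user’s failures can land on whichever DC handled the request.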
#9 Not removing unused accounts
As we all know, users come and go, and so should their logins. Keeping past user logins around for no good reason not only clutters up your Active Directory environment, it also leaves those accounts vulnerable to attack. User accounts should be disabled as soon as the employee leaves the company and should be deleted shortly thereafter.
Service accounts fall under this too and can actually be worse. Most service accounts have some form of elevated permissions, so these accounts remaining enabled with a non-expiring password greatly increases your attack surface. If one of these accounts were to get compromised, it could go unnoticed for months if not years.
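As an added example (not from the original post), this PowerShell finds the two kinds of account described above: enabled users with no logon in 90 days, and enabled accounts whose password never expires, with any direct membership in privileged groups called out. The 90-day window is an assumption, and it requires the ActiveDirectory module from RSAT and read access to the domain.

```powershell
# Added example, not from the post: stale enabled users and enabled accounts with non-expiring passwords.
Import-Module ActiveDirectory

$StaleDays = 90                                  # assumed policy window
$cutoff = (Get-Date).AddDays(-$StaleDays)

# LastLogonDate comes from lastLogonTimestamp, which replicates at most every 14 days,
# so treat it as approximate and keep the window well above 14 days.
$stale = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, WhenCreated |
    Where-Object { ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff) -and $_.WhenCreated -lt $cutoff } |
    Select-Object SamAccountName, LastLogonDate, WhenCreated, DistinguishedName

# Privileged groups to flag. Only direct membership is checked here; nested groups need a recursive lookup.
$privPattern = '^CN=(Domain Admins|Enterprise Admins|Schema Admins|Administrators|Account Operators|Server Operators),'

$neverExpires = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' -Properties PasswordLastSet, MemberOf |
    Select-Object SamAccountName, PasswordLastSet,
        @{ Name = 'PasswordAgeDays'; Expression = {
            if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null } } },
        @{ Name = 'PrivilegedGroups'; Expression = {
            @($_.MemberOf | Where-Object { $_ -match $privPattern } |
              ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';' } }

"Stale enabled users (no logon since $($cutoff.ToShortDateString())): $(@($stale).Count)"
$stale | Sort-Object LastLogonDate | Format-Table -AutoSize

"Enabled accounts with non-expiring passwords: $(@($neverExpires).Count)"
$neverExpires | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize

# First step is to disable, not delete. -WhatIf only reports what would change;
# remove it once the list has been reviewed with the account owners.
$stale | ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -WhatIf }
```

A never-expiring password that was last set years ago and sits in Domain Admins is the case the section above warns about; rotate it and move the service to a managed service account where the product allows it.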
#10 Reusing Passwords
I think this goes without saying, but I have to mention it. Do not reuse passwords, especially administrative passwords like the local admin on a computer. As Systems Administrators we use a lot of different passwords for different things, so be sure to use a password manager like LastPass to help you maintain all of your passwords.
If you want to try out LastPass you can use the link I have listed but full disclosure I am an affiliate of LastPass so if you do happen to make a purchase with them I will receive a commission at no additional cost to you.
I have also found great success with a company called Thycotic. They produce a product called Secret Server, which is an on-premises password manager that your entire team can use. I am currently not an affiliate of them, but I have used their product quite a bit over the years. They have great features like an API through which you can programmatically retrieve passwords instead of having them in your scripts. They also have the ability to automatically rotate passwords.
Conclusion
Well, there you have it, my top ten list of Mistakes New System Administrators Make. I would love to hear any that you have or any stories you would like to share. So please leave them in the comments or feel free to hit me up on Twitter @MikeWalton1984.
If you are looking to improve your career in IT or start a career in IT check out my free eBook on building a home lab for less than $400. You can get it by going to https://400dollarlab.com.