One of the things I hear often said, and something I subscribe to as well, is the idea that a lot of technical knowledge in the world of IT has a very short shelf life. When interviewing candidates, we really tend to focus on what they've done in the last few years when considering their technical skill sets. As a practitioner, I start feeling a little stale on my knowledge if I don't touch an area of IT for awhile. That's not to say that anything beyond 3 years of experience is worthless though, because the value of good experience isn't really in technical skill. What you should be paying those IT greybeards for is their presumed ability to see patterns and discern bad decisions before they are made. That's a skill of it's own, and a muscle that needs to get some exercise by being allowed the opportunity to voice an opinion and have it feel valued.
A recent real-life example that recently occurred illustrates this well:
A vendor is working on upgrading an application that is delivered in a traditional 3-tier (client > app > db) architecture. After troubleshooting an issue for several hours, one of their senior developers reached out to one of our network administrators asking for half a dozen changes to their service account and computer accounts for the DB servers in Active Directory. Buried in their (mostly) reasonable requests was this:
On a domain controller, please set the Kerberos Delegation to "Trust this computer/user for delegation to any service (Kerberos only)".
Now, back in the Windows 2000 days, this option was just called "Account is trusted for delegation" or "Trust computer for delegation" and it was considered just fine and dandy to click it if the situation required it. An admin whose technical skill is dated to that era will know exactly how to perform the requested action. A knowledgeable one from that era might even know what this action does with regards to ST and TGT tokens. But an experienced admin, regardless of their technical skill or knowledge of Kerberos, will see a red flag in the options that are now presented:
Three options for delegation |
Even without an understanding of what those three options do, or even what delegation or Kerberos are, an experienced admin should be able to easily tell you which is most secure and which is least secure., because they've seen the words "trust" and "any" used in a thousand other contexts. An experienced admin should care about security, because they've had to clean up the mess when someone else didn't. An experienced admin should not defer these types of decisions to a vendor, because they've been burned by them before. An experienced admin should know better than to take the path of least resistance just to make something work.
No comments:
Post a Comment