We have just had our MIS installation upgraded to a new Windows server platform and office machines. This was performed by the company responsible for the MIS, who will remain nameless as they are a big player in the education MIS sector.
The server, policies and office network were designed and built by myself. So I am particularly protective of the environment as it's in its infancy.
I came from a long IT development background, much of it in the international banking sector where security was paramount, and often to the point of being excessive and preventing you from doing your job without someone looking over your shoulder.
Having seen the practices of the MIS company, I am wondering if I have become paranoid with security or whether it is too much to ask for an MIS company to treat the security and reliability of an establishment's IT systems with a less cavalier attitude.
Having found yesterday that they had told an end user to log into one of our servers and run a program from there, I started doing a bit of digging around to see what the result of this week's install had left. It was a timely look, as soon after I got a call asking for their trainer to know the admin password so they can 'fix' privileges on one of the office machines.
The MIS system shared its server with Exchange. So it is quite a mission-critical server. I was also led to believe that it was SQL based, but soon realised that it was a set of programs up to 15 years old with a bolt-on web interface.
The results of my brief investigation seem to result from the requirement of having legacy apps expecting free rein over a PC/Server.
So I found many folders with 'all users' having full control privileges.
I found a share on the servers, containing the school's accounts information, having full control for everyone.
The web site appears to be internally unencrypted. So passwords will be passing in plain text from a forms-based login. Not expecting any of our pupils to be using a sniffer, but for larger schools, it could be an issue. I'm having to do an https->http redirect on our external firewall to at least secure the site from the external internet.
Installing a legacy app on a Windows 2008R2 server using software components dating back to 1997. This app was quickly removed by myself as it was installed without authorisation - they were told to install data on the server and the app on office machines. But instead they installed the app on the server too, and when they couldn't get the app on the client to work, presumably as it didn't have the required free rein over the server, told the user to log into the server and run it from there.
And today, the trainer asks for the admin password so that they can give full control to all users on an office program files/MIS app on PC C drive. I found that full control was not necessary and giving all MIS users modify rights to be sufficient.
Residue of folders from the server installation left behind after install.
About half a dozen folders being created at top drive level to contain the myriad of data files, backup files, program apps, third party software (e.g. Borland/Delphi DLLs dating back to 1997 and 1998) left on server with default disk rights or everyone access.
Expecting admin rights to be granted to office users so they can get around access issues with Borland/Delphi DLLs expecting full access to the machine. In the end this was achieved by a regedit fix which, in hindsight, has probably not been applied to the other machines, requiring them to have 'full access' to their program files area.
Am I being over protective or would you expect better of the latest, secure software being developed and installed by a leading educational MIS company?
Last edited by ianh64; 23rd July 2010 at 02:56 PM.
Definitely would expect better, especially since you manage the server; are you not liable for any data loss that occurs due to security breaches?
In fact I would be expecting more companies to start converting applications where possible to server-side web-based solutions (php, asp to name a couple) with matching databases (MS-SQL, mySQL, Oracle, etc.) where possible with the changing climate of desktop systems (cloud solutions, portability, terminal services to name a few reasons (I know you don't need web based for them, but it makes the interface a lot nicer and easier to manage)).
I don't think it's a lot to ask at all to have your MIS conform to modern security standards. Old systems with bolt-on web interfaces are always going to have a tougher time getting these things right, especially in such a mammoth application as an MIS.
What MIS are you using ianh64? Why the hell would anyone put SQL and Exchange together?!? Nuts!!
Not everyone has mega bucks to implement best practice when the new server was forced on them by the need to upgrade their MIS system with the prior version being unsupported due to its age (it was quite ironic to find that their old unsupported system was based on same technology as the backend of their new system). We have got one physical server, it's a one box solution, but it's a small school and the spec is more than adequate for the school needs, except redundancy, although an extra few GB of RAM would be nice what with running a couple of VMs. But the school knows the risks and doesn't have the funds to do anything about it so will take the hit if the servers (physical or virtual) go offline for a few days whilst server and data are restored.
I think the school have done exceptionally well with a server budget (hardware, install, licenses, backup, install) of about £3k which is a little more than the annual cost of the MIS upgrade forced on them and really should have taken last year and couldn't because we could not afford to buy the server needed to run it. The cost of server over 5 years is offset by losing the annual unix server contract that creaked every time an email was received, hence the need to upgrade the email system too.
ianh64... so what MIS, or is that a secret? Borland\Delphi bit sounds like FMS. I know FMS is a bit of a nightmare, but I wouldn't say it's insecure. Just requires a bit more love and care to set it up correctly. Assuming it is SIMS, I'm sure Capita would be interested in comments. They are after all a Microsoft partner and SIMS is approved Windows 7 software.
Originally Posted by ianh64
Not everyone has mega bucks to implement best practice when the new server was forced on them by the need to upgrade their MIS system with the prior version being unsupported due to its age
I agree. Small schools can't afford to get enough hardware for the software they are required to run. But why would you want Exchange locally when you have less than 30 staff users? You can get it hosted by your LA or such, or use Google Apps or something.
Having done the private (R&D dev & security wiz)->public sector thing myself this is a persistently frustrating world where I want better, but experience says you don't get it and a few years in I just sigh a lot now. I assume vendors get away with it because Average School Tech[tm] doesn't seem to know much about development, or security beyond desktop lockdown issues and anti-malware .... they're not being challenged on these issues by enough of their customers ... they don't have to be any better to get their dosh.
I was hoping the Age of Austerity might make things a bit more Darwinian and have at least some improving effect here, but I suspect that's wishful thinking.
They are after all a Microsoft partner
And that guarantees what?
Last edited by PiqueABoo; 23rd July 2010 at 08:33 PM.
I'm not going to mention the MIS company as I have criticised their practices on a public forum. It's possible that they are in a different sector than you are in so are not so widely known to you, but it is not one of the companies that you mention. My criticisms are not meant to be a name and shame exercise, but a guide to what are reasonable expectations in this sector and at this price point. At the cost of the product, I personally think that my expectations are justified, but as I said, I was a very senior developer and technical consultant in the banking sector where getting things right and secure for the environment was a given and a strict process was followed, so my expectations are high. But I've also done media and broadcast sectors where things were a bit less stringent - just trying to gauge what to expect as it's my first foray into the schools environment. I'm not saying that this is what we paid, as installation was bundled in with the total cost along with training days, but based on their, and other companies', man-day install costs of in excess of £700, I would expect a job better than I could do, not a cobbled together, well it doesn't work so give full access to everyone rather than track down the issue. To say they got the school by the short and curlies is an understatement, effectively saying that their old system is no longer supported and the only way of getting a supported product is to upgrade to new modern web package at twice the cost - then find it's 40% sql/web based, 60% late 1990's technology such as dbase/delphi.
Use of Exchange was a prerequisite by the school wanting to follow industry, it's cheap, relatively low ongoing costs (antispam/virus and smtp failover), and relatively easy to provide. Don't see the issue with giving them what they wanted even if 70% of the look and feel could be achieved with what they already have using Outlook, imap/unix server. But they wanted industry standard, which includes Outlook, owa, calendars, contact lists etc and better spam controls. Maybe there are other solutions, but Exchange just does what they expect it to and what they didn't realise they wanted until they used it such as shared mailboxes and active sync. I don't see any need for doing it any different. Plus it's an extra tick box on my CV.
PS. Company's parent is a Microsoft Gold Partner. Obviously don't listen to what their parents recommend.
Last edited by ianh64; 23rd July 2010 at 10:11 PM.
Got as far as I wanted/needed to get so decided to jump and retrain in a different career. But got involved with my son's school and helping them with their IT and technical things is much more interesting even if it is mostly voluntary.
I would expect better, but also I would expect not to get that betterness expected previously.
You should be able to discuss with the company what they are doing and expect them to tell you what they do, and for them to meet your security requirements or explain why they can't. Perhaps the issue is you are only volunteering and they see that they can do what they want and bodge it.
All you can do is keep pushing for another server, even a desktop to act as a server. Or run in a VM so at least it's sandboxed to a degree (or are you doing that anyway? I wasn't sure).
It's better that it's slow but safe than faster with the risk of massive failure.
Ok. I have had an infuriating week and their standard response is full control, user access control off and local admin rights for the users. They basically (reading between the lines) said that if we didn't do that, they weren't going to support the product.
So, what alternatives are there to Double First/Hebron/DuPre/Engage (all same company/Product)? Major issues with accounts and payroll, but Engage MIS system also causing problems without relaxing permissions and that is their latest and greatest system.
It's going to be a big loss for them. The school was looking at moving to DuPre for their telephone system when their current contract expired.
Final straw today was support email asking for user access control to be disabled to get the product working, only to find that they had already done it. I guess that I should have been standing over them when they were tinkering with the system.
I audited my server this morning to see exactly what shares and file permissions that they had left us with:
9 shares, of which 4 had share and file permissions as everyone full control. Of the remaining, 2 also had everyone share and file as full control, but I had spotted these and removed everyone and just added a security group containing the relevant users; one of these contained the payroll data! Also found a spurious share also containing payroll data with everyone with read share and file access.
8 top level folders, of which all had everyone full control until I went through moving many of these to the relevant security group and tightening the access to modify or read/execute as required.
They cannot claim compatibility issues with Windows 7 since they had quoted us for the office and server machines which included Windows 7 Pro/Server SBS 2008. We purchased Windows 7 with the Dell PCs and went Server 2008R2 elsewhere.
The irony of this is that we were forced to upgrade by Hebron UK stopping support of their MIS sub system that was falling apart at the seams and now they refuse to support the old and new products unless we revert to 1990's security levels.
Last edited by ianh64; 5th August 2010 at 08:35 PM.
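The share and top-level folder audit described in the post above, as an added example that is not part of the original thread: a read-only PowerShell script that lists every allow entry granted to Everyone, Authenticated Users or BUILTIN\Users at share level and at NTFS level. The function names and the `D:\` drive are assumptions; it uses WMI and `Get-Acl` so that it also runs on the PowerShell 2.0 shipped with Server 2008 R2.

```powershell
# Added example: read-only audit of broad grants. Run elevated on the server.
# Well-known SIDs are matched instead of names so OS language does not matter.
$broad = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users'
            'S-1-5-32-545' = 'BUILTIN\Users' }
$sidType = [System.Security.Principal.SecurityIdentifier]

function Get-BroadNtfsAce([string]$Path, [string]$Source) {
    # Explicit and inherited allow rules on the folder, keyed by SID.
    foreach ($rule in (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and $broad.ContainsKey($sid)) {
            New-Object PSObject -Property @{
                Source = $Source; Layer = 'NTFS'; Path = $Path
                Principal = $broad[$sid]; Rights = $rule.FileSystemRights
                Inherited = $rule.IsInherited }
        }
    }
}

function Get-BroadShareAce($Share) {
    # Share-level DACL; administrative shares have no security setting object.
    $sec = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name='$($Share.Name)'"
    if (-not $sec) { return }
    foreach ($ace in $sec.GetSecurityDescriptor().Descriptor.DACL) {
        $sid = $ace.Trustee.SIDString
        if ($sid -and $ace.AceType -eq 0 -and $broad.ContainsKey($sid)) {   # 0 = allow
            $level = switch ($ace.AccessMask) {
                2032127 { 'FullControl' } 1245631 { 'Change' } 1179817 { 'Read' }
                default { '0x{0:X}' -f $_ } }
            New-Object PSObject -Property @{
                Source = "share $($Share.Name)"; Layer = 'Share'; Path = $Share.Path
                Principal = $broad[$sid]; Rights = $level; Inherited = $false }
        }
    }
}

function Get-BroadAccessReport([string]$Root) {
    foreach ($share in Get-WmiObject Win32_Share -Filter 'Type = 0') {   # disk shares only
        Get-BroadShareAce $share
        if (Test-Path $share.Path) { Get-BroadNtfsAce $share.Path "share $($share.Name)" }
    }
    foreach ($dir in Get-ChildItem $Root | Where-Object { $_.PSIsContainer }) {
        Get-BroadNtfsAce $dir.FullName 'top-level folder'
    }
}

# 'D:\' is an assumed data drive; substitute the drive that holds the MIS folders.
Get-BroadAccessReport 'D:\' | Sort-Object Path, Layer |
    Format-Table Source, Layer, Path, Principal, Rights, Inherited -AutoSize
```

Access over the network is limited by the tighter of the share and NTFS layers, so the rows that matter most are paths where both layers show the same broad principal. Rows marked as inherited are fixed on the parent folder rather than on the folder listed.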