MIS installation - too much to expect?
We have just had our MIS installation upgraded to a new Windows server platform and office machines. This was performed by the company responsible for the MIS, which will remain nameless as they are a big player in the education MIS sector.
The server, policies and office network were designed and built by myself. So I am particularly protective of the environment as it's in its infancy.
I came from a long IT development background, much of it in the international banking sector, where security was paramount, often to the point of being excessive and preventing you from doing your job without someone looking over your shoulder.
Having seen the practices of the MIS company, I am wondering if I have become paranoid with security or whether it is too much to ask for a MIS company to treat the security and reliability of an establishment's IT systems with a less cavalier attitude.
Having found yesterday that they had told an end user to log into one of our servers and run a program from there, I started doing a bit of digging around to see what the result of this week's install had left. It was a timely look, as soon after I got a call asking for their trainer to know the admin password so they can 'fix' privileges on one of the office machines.
The MIS system shared its server with Exchange. So it is quite a mission-critical server. I was also led to believe that it was SQL based, but soon realised that it was a set of programs up to 15 years old with a bolt-on web interface.
The results of my brief investigation seem to result from the requirement of having legacy apps expecting free rein over a PC/Server.
- So I found many folders with 'all users' having full control privileges.
- I found a share on the servers, containing the school's accounts information, having full control for everyone.
- The web site appears to be internally unencrypted. So passwords will be passing in plain text from a forms-based login. Not expecting any of our pupils to be using a sniffer, but for larger schools, it could be an issue. I'm having to do an https->http redirect on our external firewall to at least secure the site from the external internet.
- Installed a legacy app on a Windows 2008R2 server using software components dating back to 1997. This app was quickly removed by myself as it was installed without authorisation - they were told to install data on the server and the app on office machines. But instead they installed the app on the server too, and when they couldn't get the app on the client to work, presumably as it didn't have the required free rein over the server, told the user to log into the server and run it from there.
- And today, the trainer asks for the admin password so that they can give full control to all users on an office program files/MIS app on the PC C drive. I found that full control was not necessary and giving all MIS users the modify right to be sufficient.
- Residue of folders from the server installation left behind after install.
- About half a dozen folders being created at top drive level to contain the myriad of data files, backup files, program apps, third party software (e.g. Borland/Delphi DLLs dating back to 1997 and 1998) left on the server with default disk rights or everyone access.
- Expecting admin rights to be granted to office users so they can get around access issues with Borland/Delphi DLLs expecting full access to the machine. In the end this was achieved by a regedit fix which, in hindsight, has probably not been applied to the other machines requiring them to have 'full access' to their program files area.
Am I being overprotective or would you expect better of the latest, secure software being developed and installed by a leading educational MIS company?
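
The folder findings listed above ('all users' or everyone holding full control on top-level and program folders) can be checked across a machine in one pass. The following Windows PowerShell script is an added example, not part of the original post; the drive roots and search depth are assumptions to adjust, and it only reads ACLs.

```powershell
# Added example: read-only audit of folders where a broad group holds Full Control.
# Assumptions: Windows PowerShell 2.0 or later, an account able to read the ACLs;
# $Roots and $Depth are placeholders for the server or office PC being reviewed.
param([string[]]$Roots = @('C:\'), [int]$Depth = 2)

# Well-known SIDs, so matching does not depend on localized group names.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$FullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$GenericAll  = 0x10000000   # raw GENERIC_ALL bit, seen on some inherit-only ACEs
$SidType     = [System.Security.Principal.SecurityIdentifier]

# Emit $Path and its subfolders down to $Level levels below it.
function Get-Folders([string]$Path, [int]$Level) {
    $Path
    if ($Level -le 0) { return }
    Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object { Get-Folders $_.FullName ($Level - 1) }
}

$report = foreach ($root in $Roots) {
    foreach ($folder in (Get-Folders $root $Depth)) {
        try {
            $acl = (Get-Item -LiteralPath $folder -Force -ErrorAction Stop).GetAccessControl('Access')
        } catch { continue }   # unreadable folder: skip rather than abort the audit

        # Explicit and inherited rules, with identities returned as SIDs.
        foreach ($rule in $acl.GetAccessRules($true, $true, $SidType)) {
            $sid    = $rule.IdentityReference.Value
            $rights = [int]$rule.FileSystemRights
            $isFull = (($rights -band $FullControl) -eq $FullControl) -or
                      (($rights -band $GenericAll) -ne 0)
            if ($rule.AccessControlType -eq 'Allow' -and $isFull -and $BroadSids.ContainsKey($sid)) {
                New-Object PSObject -Property @{
                    Folder = $folder; Group = $BroadSids[$sid]; Inherited = $rule.IsInherited
                }
            }
        }
    }
}
$report | Sort-Object Folder | Select-Object Folder, Group, Inherited | Format-Table -AutoSize
```

Rows with `Inherited` set to False are ACEs placed directly on that folder, for example by an installer, and are the ones to compare against the Modify right the post found sufficient.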