User insists on accessing AOL...help please


Virago
April 8th, 2002, 10:30 AM
I am netadmin/helpdesk/comp-gofer for a smallish corp. Recently the corp reorganized and brought in some "consultants" who are not very bright (but that's another post entirely).

My problem is this: one of the consultants uses AOL at home, and insists on having free access to AOL from within my corporate network. I see this as a grave breach of security and have refused until now to open the firewall to allow him access.

However, he doesn't understand the security risk despite my many explanations of why/how it is a risk. I've also given him reams of paperwork on the subject which very clearly states the problems with allowing AIM and AOL access from within a corporate network.

He's throwing his weight around, and I am 98% certain that the powers-that-be are simply going to tell me that I have to allow him the access. Since my department consists entirely of myself with nobody else in the corporation who understands anything about networking, security, firewalls, etc I'm in a bad situation.

Is there any way from within AOL to set it to forward email? I have no idea since I wouldn't touch AOL with someone else's 10-ft pole. Is there any way that I can set my Exchange server to go out and retrieve his AOL email for him? I'd much rather have it pass through my protected server than have him with an open connection to the outside world.

There's no hope in going to my boss; he is a clueless wonder in relation to computers -- took him 10 months after he started working here to wander into my office and ask me "What exactly do you do here?" He always sides against me in decisions because he doesn't know dick about my job...

MacGyver
April 8th, 2002, 10:39 AM
Give the guy his own dedicated phone line and let him connect to AOL via modem that way. Then make sure the account that he uses to sign in to your corporate network is locked down nice and tight to make sure AOL isn't going to contaminate your network. AOL is designed for home use, it is not designed for use in a corporate network environment and this compromise gives the best solution. Then if he has problems with AOL, he can call them for support instead of you!

Virago
April 8th, 2002, 10:45 AM
Even with a dialup, won't that still put my network at risk? He'll be able to bring in unscanned email, and he'll certainly be dialing in to them while he has an active network connection. Perhaps ZoneAlarm on his system as well?

Gollo
April 8th, 2002, 11:16 AM
HA HA HA HA HA HA HA a "professional consultant" that uses AOL. Isn't that like an oxymoron?

Why doesn't he just use the aol webmail feature? Just my 0.02

EvilCabbage
April 8th, 2002, 11:18 AM
I wouldn't put much faith in Zonealarm. I think of it, much like the software equivalent of laying a ring of salt around your computer, to protect it from evil. ie: it's a heap of mumbo jumbo crap.

Anyway, back to the main issue at hand:

If this was me (unfortunate that it isn't) there would be no way in hell, that this would happen. No chance, no way, no how. He wants to access his AOL mail? Fine. He can do that at home, in his own friggin time. Set him up with an Exchange account, and get *him* to call AOL support to set up some sort of mail forwarding.

My $0.2c

Gollo
April 8th, 2002, 11:37 AM
[quote]Originally posted by EvilCabbage:
My $0.2c[/quote]

Ok I think you'd better listen to EC because he is giving his 20cents compared to my measly 2 cents. :D ;)

storm
April 8th, 2002, 12:04 PM
just have him use the 'myaol' link off of aol.com. he'll be able to see his e-mail etc. through aol's web interface. this way you won't have to load software or punch a hole in the firewall.

Virago
April 8th, 2002, 12:47 PM
EvilCabbage, I wish I was in your situation. The problem with my job is that I'm the only one employed by the corp that has any knowledge about computers, networks, security, etc.

They constantly tie my hands in regard to security; hell, they don't even have an Acceptable Use Policy for god's sake. They don't fire people who abuse their internet access. They don't restrict email use. They won't pay for software upgrades, so I'm stuck supporting 30 different applications that vary in age from 2 to 9 years old (yes, the entire accounting dept runs on a database that was written in 1993).

It's like beating my head against a brick wall. I'd have moved to another job long ago, but the job market in this area is highly depressed for IT people.

Not only that, but the person who is my boss -- the person that has to "approve" everything I do knows jack**** about computers. For god's sake, he doesn't even understand the difference between a local and a network drive.

Sorry, I'm venting...my bad. I guess I'll suggest the myaol thing (which I didn't even know existed because I stay as far away from AOHell as I can).

Thanks all.

Deity
April 8th, 2002, 03:38 PM
I feel your pain. I have a couple of users, who are unfortunately my bosses, who insist on being able to access their AOL accounts from the corporate network. They do just as storm suggested. They access their AOL email through our internet connection just using the IE browser and myAOL. I've yet to see any problems, but it does create a problem with possible viruses. I just have to watch those systems a little closer.

EvilCabbage
April 8th, 2002, 09:23 PM
Virago :

If you would like a copy of an acceptable usage policy, (we've got a lot of this stuff) I would be more than happy to email you one of ours, so you can pore over it, or show it around to show how it can be implemented. It may not help right now, but they are an excellent thing to have, and if you modify it a little, perhaps it will show management how serious you are about these things :)

Drop me an email at :

cameron.jones@auriongold.com.au

if you would like a copy of some guidelines to work from.

Cheerio

Ahcoraj
April 8th, 2002, 10:04 PM
Do you have any monitoring ability? If so, give him the access and track his every move....He sounds to me like a typical aol idiot who can't function without his training wheels........Gollo's right on the mail access, it works fine..Make sure your bosses know that, and that the rest of the content on aol can be found elsewhere also. The cynic in me says he wants aol specifically for non business related purposes.

Virago
April 9th, 2002, 01:02 PM
Well, of course he wants it for non-business purposes. I provide every employee at this corporation with an email address. If it were business, he should logically have it sent to his business email address, correct?

What I'm pretty sure is that he is running some sort of business on the side, and that he has all that email sent to his AOL address. So basically he's working his second job while on the corporate payroll.

Oh, by the way, I got "written up" for being "uncooperative" in regards to this matter. Apparently they really don't give a sh*t about security here.

If anyone has any employment opportunity in the Kansas City area, I'll take just about anything now. I'm desperate to relieve myself of this position.

Ahcoraj
April 9th, 2002, 02:01 PM
I'm sorry man, I don't blame you for wanting to bail from that situation. If something happened tomorrow I bet they'd blame you even though you were trying to steer them in the right direction all along.......

Ya_know
April 9th, 2002, 08:08 PM
[quote]Originally posted by Virago:
...Oh, by the way, I got "written up" for being "uncooperative" in regards to this matter. Apparently they really don't give a sh*t about security here...[/quote]

Written up!?! Dude, you have to learn how to pick your battles. You saw this coming…I am quite sure that there was little surprise for you. For the rest of us, it seems unreasonable that you are subject to the torment you have described, but at least you have a paycheck.

Your first mistake was not recognizing that everyone here hates AOL. Taking advice from a group of people compelled to offer only one perspective is bad judgment on your part. What you should have been doing was calling AOL and asking for advice from a senior network admin, not the chumps in the call center. Then take what you learn from them, and here, and formulate a responsible decision; in many cases, you still have to, “Satisfy the customer with whatever it takes to make them happy”.

Many places, even large corporations, operate with AOL on the desktop with little or no security problems. Take Time Warner Cable: every desktop they have uses AOL for email. They don’t have a single Exchange server since the AOL giant acquired them. Sure there is the occasional virus, but if your PCs and file servers are as well protected as they should be, there should not be an issue.

For the record, I dislike AOL. I think the best solution offered here was the web mail option. In essence, that is all that the AOL client offers, but with some various fun stuff users can touch and feel. All of the saved mail (minus downloads) resides on the AOL servers, so he would have been able to do everything from there. My guess is that you put up a struggle the whole way, and only later offered the idea. At that point it was too late to deceive anyone that you really are trying to help. It also seems that he had a bit more clout than you did…in your own company. That sucks, but that is politics.

Consider this a learning lesson in management. Never lock horns with an idea, employee or contractor, just because you don’t like something. If the people in charge put money into this contractor’s pocket, and allow him to conduct personal business on their time, it is not your place to intercede! That is the bottom line.

Gollo
April 9th, 2002, 09:10 PM
[quote]Originally posted by Ya_know:
“Satisfy the customer with whatever it takes to make them happy”.[/quote]

That's just it this guy isn't a customer. He's an employee.

Ya_know
April 9th, 2002, 09:29 PM
[quote]Originally posted by Gollo:
That's just it this guy isn't a customer. He's an employee.[/quote]

Aahh, the issue is clouded. Let me make it a little clearer.

IT/IS/MIS is a service industry. This goes for outside consultants, and IT professionals working from within corporations.

You provide a means for corporations and small business to operate. You support the desktops, servers, and connections between sites; stay current with security, and adjust for new solutions offered by software and hardware vendors. You do not “decide” what these systems are used for; the business dictates that. Your only responsibility is to protect them from harm, while providing a balanced level of flexible functionality for the end users.

The short retort…we are all employees. No CEO wants to be told, “it can’t be done”. It doesn’t matter which side of the system you are on. If people demand miracles, give them a well-researched, properly protected version of whatever they want!

EvilCabbage
April 9th, 2002, 09:47 PM
Oh crap oh crap oh crap oh crap

If anyone emailed me regarding the user policies, PLEASE email me again for them!

I saw some emails with a 'user policy' heading, and accidentally removed them when I went on a mass deleting spree (I'm also a looong long way from my mail server, and recovery is next to impossible)

Sorry about this, to anyone that did contact me, please touch base again, and I won't be so quick with my 'delete' key this time!

Address again is : cameron.jones@auriongold.com.au

Cheers all!
-Cameron

craigmodius
April 10th, 2002, 06:01 AM
[quote]Take Time Warner Cable: every desktop they have uses AOL for email. They don’t have a single Exchange server since the AOL giant acquired them.[/quote]

Nope, check your newspaper they stopped using AOL recently. I'll try to track down the story, I heard it on some sorta tech. news somewhere.

And if TWC can't even use it... :rolleyes:

MacGyver
April 10th, 2002, 06:29 AM
I believe the story was posted on MSNBC (figures, two of Time Warner/AOL's biggest rivals rolled into one) :p

silencio
April 10th, 2002, 06:55 AM
[quote]Originally posted by craigmodius:
Nope, check your newspaper they stopped using AOL recently. I'll try to track down the story, I heard it on some sorta tech. news somewhere.

And if TWC can't even use it... :rolleyes:[/quote]

I read it too. I can't remember if I saw it here or on the Wall Street Journal. Here's a little background on why.

http://www.nwfusion.com/columnists/2002/0218gibbs.html

craigmodius
April 10th, 2002, 10:29 AM
It was on Slashdot too, but the link to the MSNBC from slashdot gets you nowhere.

slashdot article: http://slashdot.org/article.pl?sid=02/03/22/140230&mode=thread

Virago
April 10th, 2002, 11:08 AM
Well, Ya-Know, pardon me for wasting your valuable time by asking for help here rather than "going to AOL and asking a senior network admin" for help.

I realize that I have only three years experience, and that I am merely self-taught, but that doesn't keep me from trying to do the best job that I can. In my opinion, that doesn't deserve being called uncooperative.

For further edification, the employee is insisting on running the AOL CLIENT AND AIM -- he says accessing "MyAOL" isn't sufficient. As far as I've been able to determine with my meager self-taught knowledge, that means opening port 5190 on my firewall.

If I'm wrong, please tell me because your knowledge is obviously so much greater than mine. I will bask in the light of your great wisdom.

EvilCabbage
April 10th, 2002, 11:39 AM
Quit the bickering.

I do not believe Ya-Know was trying to offend in any way, he was making a point on the subject of IT positions within a corporate structure, it was slightly off topic, but I believe you may be reading too much into it.

Where Ya-know says: "Your only responsibility is to protect them from harm", this is probably the best single line I've seen in this thread.

Our job is to provide services, as best we can, without compromising the operations of the company.

Does this guy want AOL access? Yes.
Will it help him do his job better? I fail to see why.
Does it have the possibility to harm the company? Possibly. (then again, so would an exchange account, or sendmail or almost any mail account)

I, personally, am in such a position where I could easily deny such a request, but I am part of a relatively extensive IT team, and we have a great deal of corporate push. In your situation, it may be trickier, but I would still question his motives, a lot, as it all sounds very very suspect to me.

As previously stated, rules of conduct need to become more commonplace in businesses.

Ya_know
April 10th, 2002, 03:03 PM
Virago, I am sorry that you missed my point. I was just trying to help you sort out the "hands-tied" syndrome to which you are being subjected. It doesn’t make sense that they hired you to provide the network support, but then tie your hands when you are asked to provide a service you don’t feel is in the best interest of the company. Yours was a sound judgment call, and most here would have taken the stance you attempted. However, most here have a better chance of getting the point across, where you are obligated by silly policy; policy, which correct me if I am wrong, seems to be rewritten without your knowledge, consent or approval. Face it, you are in a tough spot, and must conform a little in order to survive. That was my point.

BTW, knowing to open port 5190 on the firewall to enable AIM and AOL traffic is pretty sharp, I didn’t_know that, thank you for sharing. :D


As to this mention:
[quote]Originally posted by craigmodius:
Nope, check your newspaper they stopped using AOL recently. I'll try to track down the story, I heard it on some sorta tech. news somewhere.

And if TWC can't even use it... :rolleyes:[/quote]

This may be true for some parts of the company, but these last two weeks I was at several TWC offices, and can confirm that there is still only AOL for email in the entire SouthEast, and no project in the near or far off future has been scoped to change that service. My guess is they didn’t read the article. ;) :D

craigmodius
April 10th, 2002, 06:12 PM
[quote]This may be true for some parts of the company, but these last two weeks I was at several TWC offices, and can confirm that there is still only AOL for email in the entire SouthEast, and no project in the near or far off future has been scoped to change that service. My guess is they didn’t read the article.[/quote]

They didn't read it because it was probably emailed to them. hahahahahahahahahahahahahahahahahahahaha!!!

*ahem* sorry 'bout that I couldn't resist :D ;)

disarm
April 24th, 2002, 02:11 PM
Give him everything he wants, put all the possible security threats in writing, give it to your manager, keep a copy, [edited]

Not only would this idea be extremely unethical but also illegal. This type of message is not permitted in these forums.

Mr. Pickles
April 24th, 2002, 02:57 PM
[quote]Originally posted by disarm:
Give him everything he wants, put all the possible security threats in writing, give it to your manager, keep a copy, [edited]

Not only would this idea be extremely unethical but also illegal. This type of message is not permitted in these forums.[/quote]
I'm with disarm here. Warn them of what can happen with AOL and AIM installed. Provide it in writing. Then provide them a list of what can happen to their company and what it would take to repair/fix the damage (worst case scenario of course). [edited]

Not only would this idea be extremely unethical but also illegal. This type of message is not permitted in these forums.

gtiseb
April 26th, 2002, 01:10 PM
I had a similar problem a few years back when I started working here. People wanted to be able to get any type of attachments thru their email (music, programs, etc...) from various sources and we had a big problem with users gettin porn and chatting on IRC trying to pick up girls. Of course the worst ones were the higher ups who didn't know or care about security. Had my hands tied with "well do what they say" or "you're too paranoid". Then one day, while I was gone on parental leave, we got hacked, badly, and there were a few different virii floatin in the network. My boss calls me frantically begging me to come save them. I was at home but still doing some work thru remote connections and they decided to get an outside guy to come and try to fix things (he of course being the clueless friend of an employee who thought he could use one disk with the code red fix tool on it to clean the whole network up). When I came in finally, sat down with the boss and told him nothing's getting fixed till we have certain rules in place.

The point is I had a lot of ammo in which to drive my case home as he sees his employees standing around waiting for a big network rebuild job being done. When you drive home the bottom line (ie $$$$$ cost) to any type of corporate person, they will understand. Let them know the costs involved in repairing a virus and hack attack, or the legal costs of someone chatting on IRC to a 14 year old from a corporate owned computer. Things are a lot different now, only documents and PDF files are allowed as email attachments and there's no more IRC, Realaudio, WMP streaming, ICQ. The firewall stays the way it is and when I say something pertaining to computer operations, IT GOES.

[edited]

Not only would this idea be extremely unethical but also illegal. This type of message is not permitted in these forums.

IT Len
April 27th, 2002, 09:16 AM
Another .02. No matter which way this goes, you've got a lot of good advice...and unfortunately Ya Know, although he offers a tough pill to swallow, has a good point.

This is actually a larger issue than just the AOL debate, this is where the learning curve for smaller companies begins. Face it, right now, your IT department is a red-headed stepchild. And for some reason, it always takes some sort of IT disaster to make the small guys wake up...pity the companies that are re- rather than pro-active.

If you remember that your job really is "give em what they want," while trying to convince them of the error of doing dangerous things, there is one thing you should do...create an absolutely safe [stand alone] machine that backs up all critical stuff.

Because, you may have to "give em what they want," knowing that it's suicide. Once you've given them your best advice, it's up to them to take it or not. All you can do is make your recovery job easier [if it comes to that!]

Other than the hassle of recovering from a major calamity [which no one likes to do], I know that it is very difficult to be the one who has taken all the time to get the network humming, only to have to bow to the demands of nimrods. But, if they continue to move contrary to your advice, and if you're proven right, in the future you'll have the kind of clout that Evil Cabbage is talking about.

Hopefully all works out, but if not, and if tragedy happens, at least you can look at it as job security. If things do go awry, at least you warned them, and at least they know that you're there to rebuild.

morguth
April 29th, 2002, 02:27 PM
[quote]Originally posted by disarm:
Give him everything he wants, put all the possible security threats in writing, give it to your manager, keep a copy,

Not only would this idea be extremely unethical but also illegal. This type of message is not permitted in these forums.[/quote]
why exactly is that unethical? or illegal?

Sunshine
April 29th, 2002, 02:52 PM
[quote]Originally posted by morguth:
[quote]Originally posted by disarm:
Give him everything he wants, put all the possible security threats in writing, give it to your manager, keep a copy,[/quote]
why exactly is that unethical? or illegal?[/quote]
You'll notice that there's a comma after "copy", indicating text was removed when edited. Ours is not to question why... rather... bide by the rules and hope Sowulo never has to edit our posts! :D

morguth
April 29th, 2002, 03:19 PM
ahh, didn't see that, nodnod, i understand now :D

EvilCabbage
May 2nd, 2002, 10:55 AM
*removes dust and cobwebs from the topic*

Uh.. yeah.. my comments still stand.

disarm
May 2nd, 2002, 01:27 PM
I guess having someone hack your network just to show them you were right all along would be the wrong thing to do. But I'd rather someone I know hack my network and not do any serious vandalism than wait until someone I don't know does just to prove my point.

EvilCabbage
May 3rd, 2002, 01:17 AM
Disarm : Makes me wish I could mod out comments. Stay cool, read the rules. Ta.