Help, my IT team has no admin access to their own systems

This article is briiliant! :D

What I want to know is did the bloke state he "fixed" it as soon as he did so, or wait a few hours? Was he even getting paid an hourly rate?

What about other systems? I doubt everything was AD integrated and that it was all left unlocked ready to go.

"...

I used to be the IT Manager for my company many years ago. I insisted that all admin passwords had to be printed off, placed in a sealed envelope and securely stored. Got taken out for a beer a couple of years afterwards by my successor - that strategy had saved his bacon when someone responsible for managing a critical system left the company without doing a proper hand-over..."

There should always be at least one break glass account per system where the accounts are stored offline, in a secure place (fire safe, for example, or some equivalent even if it's digital).

Shades of The Lone Jedi...

For those of us of a certain age!

A former employer allowed their drawing office to source new CAD systems without consulting IT (me!) Fine, they were NT-4 boxes but this was prior to AD so it didn't really make a lot of difference. My only involvement was dragging the delivery van out of the mud after they'd decided to drive up to a window and pass the boxes through that rather than take them 30 feet further through reception (I did have a Range Rover at the time - see the fuel bills!)

Several months after they'd decided they didn't need an IT manager and made me redundant I had a call, "Do you know the admin password for the CAD machines?"

I took great delight in pointing out that they hadn't involved IT in the purchase/installation and hadn't given us the passwords therefore I couldn't help. My suspicion is that the vendor had never actually told anyone what the passwords were but that wasn't my problem.

At my current employers there is an encrypted spreadsheet on a backed up server folder with two senior people having the key to decrypt it, just in case.

Well, sometimes knowing how to fix something in one minute is a results of 20 years experience. So, charging for one minute of your time should factor your experience too. That's why I won't feel that bad for overcharging customers.

I left a company once because the new management decided I was no longer needed

A couple of months later the manager tracked my down by phone at my new job, "err you wouldn't happen to know the admin password would you, we've lost it."

I did remember it, and I remembered where it was written on a post-it, but I let them squirm for a few days whilst I "tired to remember"

That's around £1,500 ($1,980) in today's money

£1800....

£1900...

£2000....

Cost of living these days....

Admin access

In a previous job in the early 2000's, where I was IT Manager (and I was also 50% of the IT team), I was made redundant, partly enabled by underhand reassigning of roles. We had an internal meeting where the organisation chart was displayed. I pointed out that they had me down in the wrong role, but it was brushed over - I should have seen the signs...

Anyway, on the day they called me down to tell me I was redundant, they asked someone else to revoke my admin rights and changed the admin password. I was allowed to go back to my desk for the rest of the day to copy off my personal files from my computer. As I had been logged in the whole time, I still had full admin rights and could have done anything, but obviously didn't do any damage. I did copy off a few customer directories from a server so that I could make direct contact with them after the event and actually did some work for many of them.

A few months later, after the redundancy period was up, I received a call asking for the password for a specific system. I told them what my rates were for consultancy and they never bothered me again. They lost many knowledgeable developers due to the way those of us who were made redundant were treated and eventually went bust.

Many years ago I got a call from an account I used to work on. They'd had some recommendation to reduce the number of enterprise adminsistrators they had, and use one time access to the built in admin account, using some app they'd been sold. So they removed everyone's admin access, and then realised they didn't know the Admin account password to get the ball rolling. So they called, as me and a couple of colleagues had promoted the first domain controllers back in the day and asked if I knew the Directory Services Restore Mode password,... which, luckily I had ingrained in my memory (and that we had lodged somewhere safe, but our jobs were outsourced, people left offices, safes were disposed of, etc). So they had to roll back their AD to before the fudge-up.

Sometimes it just falls into your lap

Only a few weeks after joining a large US RDBMS company in the late 1980s (based in Bracknell), I was told I was needed to visit a large customer site the next day where they were having severe performance problems with their VAX based database. I spent as much time as I could cramming text books and performance tuning notes before being flown up to Manchester and getting a cab to their office, while inwardly panicking the whole time.

I was met by the data manager and shown to a VT terminal logged onto the machine. Within seconds I found their system disk was over 99% full and having a couple of years VAX/VMS system management experience this was a smoking gun with a red hot barrel.

I breathed out, looked up, and thanked the almighty for this "Get out of Jail free card". I cleaned everything up and wrote the client a 4 page report on maintaining their system performance.

I'm told he later waved this in the face of his DEC support team saying this was the level of support he was failing to get from them, and how great we were in comparison. A great start to my new job, but it was a bit lucky!

A fellow post-graduate student, years ago, was given a very well paid commission to get a piece of software running on the departmental VAX. It came as FORTRAN source code, and although it compiled it didn't do what it should. He looked at the source and spotted lots of lines beginning with "D", which readers will recall are debug lines which are treated by a compiler flag as comments or not.

So he compiled again /DLINES, and everything worked fine. Ten minutes' work, paid for three days.

I'm a little bit worried

that only one poster here appears to have heard of a break-glass account.

Once spent the pre-pizza portion of an evening doing something like this at a company where the admins were getting a bit too up themselves and the manager had me and another friend in to regain control of things. I dealt with the Windows and NetWare boxen, he did the various Unix flavours. I think the admins were read the riot act the next morning and behaved a bit better thereafter.

Ah the laying of hands

Worked as a contractor providing hardware support for a small to mid-sized University. One day get a ticket that one of the library staff's computer won't boot and is beeping at them. I make my way over to the computer to find someone had left a book sitting on the spacebar, so the BIOS was complaining about a stuck key. Moved the book, rebooted the computer, all was well with the world.

Back in the 90s I was once asked

To help break into a server. I was consulting for the company on a six month contract dealing with migration to new EMC Symmetrix arrays, but my resume did state I knew HP-UX very well. The guy who dealt with that server had left in a pretty acrimonious way - frog marched out by security back before that became the standard way everyone gets laid off - and no one could access it. They told me they'd tried swapping out the boot drive with a similar system but it wouldn't boot, they tried putting its boot drive on another system and modifying /etc/passwd, but it still asked for a password, so they were stumped. They had tried some other stuff too, apparently one then two and eventually their whole Unix server team had taken a crack at it over the course of 3 1/2 days with no luck.

I walked up to the machine which was helpfully already running and sitting the firmware prompt, ran a command to check the boot path and recognized it had mirrored boot drives, so when it tried to boot the default read drive must not have been the one they edited /etc/passwd on. I ran a command to manually boot from the other drive, logged in as root with no password, and told them they had a split mirror in an unknown state because of what they'd done so they need to manually re-mirror to the active drive. Took less than 30 seconds from the time I arrived, I mumbled something about "let me know if you still have issues, gotta get back to what I was doing" as I walked away.

The next morning the guy in charge of all the server and desktop teams (the manager I was working for on this gig was in charge of telco, networking & storage, so I had barely talked to this guy) walks up to me and thanks me for helping out his team. He says "I talked to John [my "manager"] and he said you should fill out a separate timesheet to submit to me for your hours working on this, so he doesn't get billed for it". I was a little confused, and kind of stammered and he said "don't worry, it will be at the same rate". I finally get out "but it only took me a few seconds, do you want me to bill you a full hour for that?" and then he was a little confused and stammered. I explained what I did, and he said his guys had only told him I fixed it for them, not how long it took, and he just assumed it had taken a long time given how much time his team had already spent on it.

I caught up with John later that day and told him about the strange exchange I had. He started laughing when I explained to him how little I'd done to solve their big issue and said not to worry about the other timesheet. I thought about filling out a timesheet for an hour to the other manager anyway just to be a smartass, but he was a pretty nice guy who was just steered wrong by his people so I decided against it.

Been there, loved wearing the t-shirt

I had a similar experience - desperate call from a client of a client of a friend whose SQL Server cluster I'd set up but which had died ... when he did a DIY data centre move. This was 1pm on Sunday, and it had to be up by the wee small hours of Monday.

Two-hour drive to London. Server said "No storage connected". Moved the SCSI connectors for the RAID array from the server's SCSI adaptors to the server's RAID adaptors. Booted, Server said: "Ah, I see you've hooked up some storage, but it's not connected properly". Moved SCSI cable from server A to server B, and from server B to server A. Booted. Server said: "Ah, that looks familiar - would you like me to start up?". Told it "Y". Two-hour drive home. Wrote and emailed four-figure bill. Massively relieved client of a client of a friend paid it promptly and was super-grateful, which was lovely.

I bet Dan didn't see much of that thousand

Timely public bug

Once upon a time, we were subcontracted to a subcontractor to a Major Defense Agency with Big Computers.

Said MDAwBC had lost the root password -- their policy was change it every 30 days, don't write it down, and don't forget it.

So the subcontractor phoned and asked us for the password (no way, it was 3 months later); did we "accidently' leave a backdoor (no way, the account list was audited as part of acceptance); did we have any fzcking clue how to get them out of a jam????

Well, actually, did you read El Reg that morning?

https://www.theregister.com/2014/09/24/bash_shell_vuln/

They hung up, and never even phoned back with a thank-you.

Wasted opportunity

Anyone THAT stupid and THAT incompetent (and I'm talking about the senior management of the outfit who trashed the original I.T. team, not the current IT staff) should really have had a hefty stupid tax added to their bill. OP could probably have extended their stay a day or two, at least.

I mean, what would the BOFH have done?

I used this hack many years ago when arriving at acustomer where no one knew an admin password!

C:\> cd \winnt\system32

C:\winnt\system32> copy logon.scr logon.scr.old

C:\winnt\system32> del logon.scr

C:\winnt\system32> copy cmd.exe logon.scr

Now log off the machine, logon.scr is the screen saver that will kick in after 15 minutes of not touching the keyboard/mouse at the logon screen. Wait 15-20 minutes and a DOS prompt with FULL SYSTEM rights will pop up, then just to

C:\> net user administrator <newpassword>

and then log in with the new account.

A Timely On-Call

I woke up Saturday morning and discovered I couldn't access my own blog (or any other sites I host) - either view it or access the Wordpress dashboard. I was getting a timeout. I assumed it was a server outage.

This was overshadowed ever so slightly by the paranoid thought that my posting of the Arnold Schwarzenegger address to the Russian people concerning Ukraine, and several comments about Putin might have upset someone, even though Russia is blocked due to repeated attempts at hacking over the years from there.

Then I realised my traffic was still there, just not from my home network IP address.

I later discovered I could access it normally if I used VPN, but again not from my home IP address. I also realised that Uptime Robot had stopped logging at 1.30am Saturday morning, so it can't get access either.

I did all the usual stuff - power cycling everything, flushing and renewing DNS, and so on. My IP is whitelisted in my security software, and since I could log in via VPN I obviously wasn't blocked as a user/admin in Wordpress.

Having started wondering where the hell to start, I concluded it just had to be a server/host issue. IONOS have pretty much (i.e. definitely) admitted they have a situation, but they haven't bloody fixed it. And tonight, after being on hold for ten minutes while the agent had a word with the backroom, I was cut off (end of working day, I guess, but they won't admit to that when I call tomorrow), the problem persists.

Been In The Same Boat

I was once sent out to a new client because the company had sacked their previous admin but didn't have the admin password. It was a small shop and this was back in the NT 4 days and the client was running SBS 4.5 server. Before I cracked open the "server" to attach the servers hard drive to another NT4 machine so I could copy off the SAM and run lohptcrack against it, I tried connecting to MS SQL. To my astonishment I connected to MS SQL as sa with a blank password. As SQL 7 was running as the system account on the PDC a quick couple of sql statements & I had a new account with domain admin rights on the network and was in after only being on site for 15 minutes.

Disloyalty begets disloyalty

He did that ALL wrong. A company so morally decrepit and hard-wired-for-stupidity that they laid off their entire IT staff should be made to pay through the nose. I'd have dragged the "account recovery" out over several months. Not because I'm greedy, but because I like to think of myself as an IT-based batman, dispensing karmic justice through my keyboard and my invoicing software.

SQL Server injection to rescue

Once I was involved in a similar situation in a clients place. They had forgotten their AD Admin password on a production web & db cluster. Luckily this was before SQL Server the patches from Microsoft after a well-known attack had been applied. I simply executed an ASP page with 'poison' SQL query to execute, CMD.EXE with a parameter to run "net user username password /add" and then another command to add to the global admin. Voilla.

Then, dutifully I executed the Microsoft patch on all the server for SQL Injection and instutionalised a process with the developers to sanitize all their HTML inputs.

Useless service desk manager.

Sounds similar to a situation I was part of. I was network manager (Novell) for a company. Following best practise the "admin" account was not used, I delegated all rights and had a superuser role for my administration account. The "admin" account had a strong password which had been written down, put in an envelope in a locked box, and stored in the company safe "just in case".

Anyhow the company hired a service desk manager, who insisted the service manager and network manager (me) report to him. I wasn't consulted and this was effectively a demotion so immediately found a new job and resigned.

The service desk manager insisted that the help desk team needed the network "admin" account password, I held my ground and explained that they had all the rights necessary. On my last day I handed everything over, including the admin account and explained to the service desk manager that he should use it to add himself and whoever he wanted superuser role then change the admin password and put it back in the safe.

Rather than doing that he just gave the admin account to all the help desk team, after about a month they had managed to lock the admin account and because he hadn't added anybody to the superuser role, nobody could reset it.

This caused major problems and in the end they had to get Novell in to reset the admin account. Shortly after the helpdesk manager and the IT director were sacked.

Drag it out

Personally I would of enjoyed a very nice week long exercise at 1k a day to fix this issue.

Good job that Windows 2003 Server was unlocked otherwise, it could have taken a good 30 minutes to get that domain admin account password reset

Lasers in a grill factory

Roughly 18 years ago at my previous job, a customer (large charcoal grill manufacturer) located in Georgia, USA calls to complain that their safety laser area sensor is broken and picking up things that aren't there. The sensor was used to make sure all humans and other impediments were clear of the area before a large welding jig moved at the start of the grill assembly line. I worked for the sensor manufacturer in New Jersey. Grill company is told that they will be responsible for $1000 per day plus expenses if I determine that the problem is on their end and not a failure of our product. The following week, a couple hours on an airplane from Newark to Atlanta, followed by a 2 hour drive in the rental car gets me to the front door. Just inside, 8 managers and maintenance staffers are staring at a laptop showing a realtime 2D map of what the sensor "sees". I watch the laptop and the jig for 3 minutes, then ask one of the "watchers" to place his finger on the laptop screen where the "false" trigger is showing up. 5 minutes later, the line is stopped for the scheduled morning coffee break and I can approach the equipment. I knock some welding slag off the end of the rig with my finger and ask the designated watcher if that matches what the "failure" they witnessed. They had recently changed to cheaper imported steel (creating more slag) and cut back on how often they cleaned the machine, never realizing that a sensitive laser sensor might receive a reflection from shiny falling metal shavings. I politely waited an hour before calling my boss and telling him to get the invoice ready. My return flight wasn't scheduled until the next afternoon, so I enjoyed my dinner and hotel room that night!