Change Management 1.1 - Standard vs Admin Accounts

Ben Greiner -

Executive Summary

  • Simple security and process changes can save your office time and money.
  • The primary change we’re recommending is to provide users with Standard accounts. (We run our own systems using Standard accounts, Apple recommends this, and this is how nearly ALL Windows users operate.)
  • The goal is to provide a methodology for our clients and Forget Computers to more easily work together to track technology changes, reduce unexpected downtime and avoid unnecessary additional work fees.
  • Designate primary and secondary contacts to be responsible for signing off on changes in your office.

 

What is Change Management?

Change Management is simply a process to manage change. The Visible Ops Handbook illustrates the growth stages of Change Management in the following way (see below). Most offices are currently in stage 1 or 2. Our goal is to help our clients reach stage 7.

Growth Stages of Change Management

  1. Oblivious to Change
    Did the switch just reboot?
  2. Aware of Change
    Who just rebooted the switch?
  3. Announcing Change
    I’m rebooting the switch. Let me know if that will cause a problem.
  4. Authorizing Change
    I need to reboot the switch. Who needs to authorize this?
  5. Scheduling Change
    When is the next maintenance window? I’d like to reboot the switch during that time.
  6. Verifying Change
    Looking at the fault manager logs, I can see that the switch rebooted as scheduled.
  7. Managing Change
    Let’s schedule the switch to reboot in week 45 so we can do the maintenance upgrade and reboot at the same time.


Why is Change Management Important?

Forget Computers has been supporting Mac users since 1998. Over the years we’ve helped resolve thousands of issues (over 15,000 in the past 2 years). From our perspective many of these issues could have been avoided.

Surveys performed and commissioned by the Information Technology Process Institute have found that on average 80% of unplanned downtime is self-inflicted, while the remainder is caused by technology failures and disasters. Additionally they found that 80% of the time spent resolving the unplanned downtime was determining what had changed.

This research validates our experience and makes it clear that for us to ignore Change Management would be a disservice to our clients. 

Apple Agrees

Apple’s most recent PDF document, Security Configuration For Mac OS X Version 10.6 Snow Leopard, states the following on pages 118 – 119:

When you log in to Mac OS X, you use a Standard or administrator account. The main difference is that Mac OS X provides safety mechanisms to prevent Standard users from editing key preferences, or from performing actions critical to computer security.

Unless you need administrator access for specific system maintenance tasks that cannot be accomplished by authenticating with the administrator’s account while logged in as a normal user, always log in as a Standard user. Log out of the administrator account when you are not using the computer as an administrator. Never browse the web or check email while logged in to an administrator’s account.

If you are logged in as an administrator, you are granted privileges and abilities that you might not need. For example, you can potentially modify system preferences without being required to authenticate. This authentication bypasses a security safeguard that prevents malicious or accidental modification of system preferences.


How To Get Started

We anticipate there may be some who will challenge our recommendation. However, we believe there are few, if any, valid reasons not to embrace Change Management. A good analogy from The Visible Ops Handbook is, “Like brakes on a car, Change Management allows you to go faster.”

Managing change on the honor system has proven to not be enough. Proper change monitoring must be in place to “trust, but verify.” The steps to achieve Change Management, as outlined in The Visible Ops Handbook, are as follows:

  1. Reduce or Eliminate Access.  We will accomplish a most of this by providing users with Standard accounts.
  2. Document the New Change Policy.  Although variations amongst offices may exist, the basic policy is simple:

    All technology changes are to be mutually approved by client and Forget Computers. Forget Computers will facilitate the request for change and get authorization from the primary or secondary client contact. (We require two sign-offs from our team and we encourage two sign-offs from client teams, however we will only work to obtain authorization from one contact.)

  3. Notify Stakeholders. Share this document with your staff or summarize with the following statement:

    We have worked with Forget Computers to improve our office security and better manage technology changes. Our goal is to reduce downtime, control costs and improve security throughout the office. If you need to make ANY technology related changes please contact PRIMARY or SECONDARY CONTACT, or reach out to Forget Computers.
     
  4. Reinforce the Process. Make sure that people are aware of the process and reinforce it constantly. Build a culture of Change Management awareness.


Conclusion

Change Management is a significant step forward in the evolutionary maturation of a Mac office. As our clients become ready to take this step, we are prepared to support them. 

Although Change Management is an ongoing campaign of education and awareness there are three basic steps required to get things started:

  1. Confirm, or designate, a primary and secondary contact for us to consult with when authorizing changes.
  2. Provide users with Standard accounts and create one administrator account that is known only by the primary and secondary contact in your office. (We can do this for you.)
  3. Encourage a culture of Change Management awareness in your office. All technology related changes are mutually approved by your office and Forget Computers.
Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.
Powered by Zendesk