RDP for Administration Ethics or Code of Conduct

Message 3 of 4

ssquitiere

gechurch:

Thanks for the feedback. Trust me, I haven't given up. I praise them when they do good, admonish them when they do wrong, and provide constructive criticism for them the whole way through. I've talked to their management, and we even have a special liaison with this company, but despite my attempts to help them continually improve, they repeatedly err and disappoint.

Of course, there are deeper problems. I have one of those jobs with all the responsibility, but none of the authority, and in times when this vendor has seriously erred (and there have been many), my management will side with the vendor despite the findings of their own analysts. I would warrant to say that I have been reprimanded more often for vendor product failures and vendor support/development team screw-ups than the vendor's staff has.

I spoke with the team lead for this vendor's product support unit, which most recently erred today. I know her well, and she agreed with me. Their most recent error has spurred her to schedule a refresher in-service regarding the professional protocol of remote administration. (Note: we had this same exact discussion about 1.5 years ago.) In the short term, I can't ask for much more, but history has shown time and again that their memories are short. To follow your suggestions, I guess I should ask her manager that in the long term this become a regular in-service topic, perhaps quarterly, and also be expanded to all other product line groups.

As for your final questions: can we really leave them? No, not without significant monetary investment to replace the 5 major line-of-business software products, which populate 25% of our servers (~20 machines), exist on nearly all our desktops, and consume >90% of our storage (I'd estimate a migration cost of at least $1M). All of these products are proprietary healthcare-related software, so shopping out the support wouldn't work either. And yes, I push to move away from their products at every opportunity, as, with the exception of us meeting the requirements for meaningful use stage 1 certification, I don't see how they have helped us grow our business. However, despite their poor track record with us, which our management will acknowledge, it is quickly ignored because of the level of existing entrenchment and some other short-term need, for which the vendor ends up selling us something else that doesn't function as advertised.

As for going the technical regulation route, I suggested this 2.5 years ago, and it largely got shot down, with the exception of one server on which I have a one-session-per-user and a 15-minute idle time restriction. The only reason I was able to push this through internally is that the vendor session abuse on this machine was delaying the business office from submitting billing statements, and thus having a direct negative effect on cash flow.

The main complication with going this route, though, is account management. Almost all of the servers I have on which pieces of these 5 products run use specific user accounts to run services and execute scripts that tie into services and scripts on other machines, and these accounts require administrative rights. This also gives them the power to do wrong, as they use these same accounts to execute their remote sessions, though I have tried to explain to them before how this is not a good security practice. I even changed all of these passwords once, due to a security breach, and they gave me **** about enough of them for such a long time that most of them are back to the defaults this vendor uses for all their customers. (They also didn't update their support records when I notified them of the change, so for 1.5 years, every product update that went bad, they'd find a way to blame the password change for the failure. Oh, and again, my management didn't support me sufficiently on this.)

So, can I leave these accounts with their permissions and not break the apps, but also prevent them from being used for RDP? Yes, but not without significant changes. Following that change, I'd then have to create either a single shared account for them to use, or one per vendor staffer (for which I'm sure they'd never tell me when these could be terminated). However, I will consider your suggestion regarding the desktop background, as we already utilize bginfo on all of our machines so that they can be readily identified when working on multiple remotes.

Am I annoyed? Absolutely, but I got over being annoyed that it exists a long time ago, and am simply annoyed that it still exists despite repeated efforts to change, improve, and grow together. Again, thank you for the additional ideas to employ in this campaign. I hope they shake some of the staleness from the situation.

Sincerely,
Steve
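The controls Steve describes above (one RDP session per user, a 15-minute idle limit, and keeping the vendor's service accounts' permissions while blocking their use for RDP) can be applied on a single Windows server without touching the accounts themselves. The following is an added example and is not code from the thread or from the vendor; the account names are hypothetical placeholders, and it assumes the server is not also receiving a domain GPO that sets the same values (a domain policy would overwrite the local settings on the next refresh). Run it in an elevated PowerShell on the affected server.

```powershell
# Added example, not from the original thread. Applies the RDP restrictions
# discussed in the post and denies Remote Desktop logon to the vendor's
# service accounts. Services and scheduled tasks keep working because
# SeDenyRemoteInteractiveLogonRight only blocks RDP (remote interactive)
# logon; it does not touch "Log on as a service" or "Log on as a batch job".
# ASSUMPTION: the account names below are placeholders; substitute your own.

$ServiceAccounts = @('svc_vendor_app1', 'svc_vendor_app2')

# --- 1. One RDP session per user ------------------------------------------
# Same registry value the Group Policy setting "Restrict Remote Desktop
# Services users to a single Remote Desktop Services session" writes.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $tsKey -Name 'fSingleSessionPerUser' -Value 1 -Type DWord

# --- 2. Idle and disconnected-session limits (milliseconds) ----------------
# Written under the policy key so they show up in gpresult/rsop output.
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $polKey -Force | Out-Null
Set-ItemProperty -Path $polKey -Name 'MaxIdleTime'          -Value (15 * 60 * 1000) -Type DWord
Set-ItemProperty -Path $polKey -Name 'MaxDisconnectionTime' -Value (5  * 60 * 1000) -Type DWord

# --- 3. Deny "Allow log on through Remote Desktop Services" ----------------
# User-rights assignments have no built-in cmdlet, so export the local policy
# with secedit, add the accounts' SIDs to SeDenyRemoteInteractiveLogonRight,
# and import it back. A deny right overrides the allow that the accounts
# inherit from being members of Administrators.
$sids = foreach ($acct in $ServiceAccounts) {
    $nt = New-Object System.Security.Principal.NTAccount($acct)
    '*' + $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

$cfg = Join-Path $env:TEMP 'deny-rdp.inf'
$db  = Join-Path $env:TEMP 'deny-rdp.sdb'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$lines = Get-Content -Path $cfg
$right = 'SeDenyRemoteInteractiveLogonRight'
$idx   = -1
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -like "$right*") { $idx = $i; break }
}

if ($idx -ge 0) {
    # Right already assigned to someone: merge, keeping existing entries.
    $current = ($lines[$idx] -split '=', 2)[1].Trim()
    $merged  = (@($current -split ',') + $sids | Where-Object { $_ } | Select-Object -Unique) -join ','
    $lines[$idx] = "$right = $merged"
} else {
    # Right not yet assigned: add it under [Privilege Rights].
    $entry   = "$right = $($sids -join ',')"
    $section = [array]::IndexOf($lines, '[Privilege Rights]')
    if ($section -ge 0) {
        $lines = $lines[0..$section] + $entry + $lines[($section + 1)..($lines.Count - 1)]
    } else {
        $lines = $lines + '[Privilege Rights]' + $entry
    }
}

# secedit expects the template as UTF-16 (Unicode), which is how it exported it.
Set-Content -Path $cfg -Value $lines -Encoding Unicode
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
Remove-Item -Path $cfg, $db -ErrorAction SilentlyContinue

# --- 4. Read back what was applied ----------------------------------------
Get-ItemProperty -Path $tsKey  -Name 'fSingleSessionPerUser'
Get-ItemProperty -Path $polKey -Name 'MaxIdleTime', 'MaxDisconnectionTime'
secedit /export /cfg "$env:TEMP\verify.inf" /areas USER_RIGHTS | Out-Null
Select-String -Path "$env:TEMP\verify.inf" -Pattern $right
Remove-Item -Path "$env:TEMP\verify.inf" -ErrorAction SilentlyContinue
```

Two caveats a practitioner would check before rolling this out. First, the idle and disconnect limits apply to every RDP user on the server, including in-house administrators, so pick values the business office can live with. Second, once the deny right is in place, vendor staff can no longer log on with the service accounts at all, which is the point, but it means the named or shared vendor accounts Steve mentions have to exist (and be in Remote Desktop Users or otherwise granted RDP) before the change, or the next support call becomes an outage.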