Security best practices--Manager access to prod servers

Hi all,
I work in a small company (about 150 people). I manage developers here, and am the liaison for the 3rd party infrastructure consulting firm/data center.

I have not yet been given access to the production servers--supposedly under SOD rules. So my question is, from a segregation of duties standpoint, I'm not asking for any sort of "change" access to, say, the SQL Server code. However, as manager, I would really like to be able to log into the box so I can monitor performance when I get slammed with requests about performance, etc.

I have enough knowledge to do some preliminary troubleshooting, and when my staff is either mostly gone (such as this holiday week) and the 3rd party is unresponsive (such as this holiday week), I would like to at least get the problem identified and have the actual 'doers' primed with a knowledgeable diagnosis. This isn't so much a privacy issue--I have login access to our customer-facing software product and can see customer data.

So the question boils down to this--from a "Security Best Practices" or SOD standpoint, should the IT manager have login access to his production servers (both IIS and SQL Server)?
Scott Craig (Webmaster) commented:
I don't see why you can't have monitoring access to it, but you should have no change access to it, especially if you have development capabilities.

Seeing a production site should be a necessity for your job, in theory.  However, you should have no more access than to view it, assuming you have dev. capabilities.
Racim BOUDJAKDJI (Database Architect - DBA - Data Scientist) commented:
<<However, as manager, I would really like to be able to log into the box so I can monitor performance when I get slammed with requests about performance, etc.  >>
A manager is not a technical role.

<<So the question boils down to this--from a "Security Best Practices" or SOD standpoint, should the IT manager have login access to his production servers (both IIS and SQL Server)?>>
Unless they are cumulating roles as a backup DBA, no.
Racim BOUDJAKDJI (Database Architect - DBA - Data Scientist) commented:
In my company, only DBAs have access to DBMS boxes and administration. We have created an emergency for our CIO (in case no DBA is available), but he is not competent to administer any of our servers.
prairie1 (Author) commented:
My title is that of a non-technical role, but in practice I need to be able to do first level troubleshooting. So is what you are saying that I *could* have access and it wouldn't be a red flag on a SOX audit (or a general IT practices audit) as long as the fact was documented that I had view-access to the SQL Server box?

I am in a tough spot here because of our small size; we don't always have a DBA or anyone at all on-site to look and see what's going on when something crazy happens. For example, a user complains they get a 'record locked' error. The software we have isn't smart enough to point out which user has it locked. It would be valuable if I could run DMVs and look for this sort of thing, and walk over to the desk of the person with an open edit and have them commit or get off the pot. That's the sort of thing I would like to do, but I also have the need to stay compliant.

So, bottom line, would we be in compliance if it were documented that I had the access, or is it straight out forbidden that a "manager" can look at the production box?
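The 'record locked' diagnosis described above, as an added example that is not part of the thread: a read-only DMV query that identifies the blocked and blocking sessions and the idle sessions still holding an open transaction. It assumes SQL Server 2008 or later; the login name `it_manager` is a placeholder.

```sql
-- Added example (not from the thread). Assumes SQL Server 2008+; 'it_manager' is a placeholder login.

-- 1. Least-privilege grant: VIEW SERVER STATE allows querying the DMVs below
--    but confers no ability to change data, schema, or configuration.
--    (Run once by the DBA, at the server level.)
-- GRANT VIEW SERVER STATE TO [it_manager];

-- 2. Who is blocked, and by whom? One row per request currently waiting on another session.
SELECT
    r.session_id            AS blocked_spid,
    r.blocking_session_id   AS blocker_spid,
    r.wait_type,
    r.wait_time             AS wait_ms,
    r.wait_resource,
    s.login_name            AS blocked_login,
    s.host_name             AS blocked_host,
    b.login_name            AS blocker_login,
    b.host_name             AS blocker_host,
    b.program_name          AS blocker_program,
    b.status                AS blocker_status,   -- 'sleeping' = idle but still holding locks
    bt.text                 AS blocker_last_sql  -- last batch the blocker ran
FROM sys.dm_exec_requests AS r
JOIN sys.dm_exec_sessions AS s ON s.session_id = r.session_id
JOIN sys.dm_exec_sessions AS b ON b.session_id = r.blocking_session_id
LEFT JOIN sys.dm_exec_connections AS bc ON bc.session_id = b.session_id
OUTER APPLY sys.dm_exec_sql_text(bc.most_recent_sql_handle) AS bt
WHERE r.blocking_session_id <> 0
ORDER BY r.wait_time DESC;

-- 3. The "open edit" case: a user session that is sleeping but still inside a
--    transaction, so its row locks never get released until it commits or rolls back.
SELECT
    s.session_id,
    s.login_name,
    s.host_name,
    s.program_name,
    s.last_request_end_time,   -- how long the session has been idle mid-transaction
    t.transaction_id
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_tran_session_transactions AS t ON t.session_id = s.session_id
WHERE s.is_user_process = 1
  AND s.status = 'sleeping'
  AND t.is_user_transaction = 1
ORDER BY s.last_request_end_time;
```

VIEW SERVER STATE does not permit KILL or any data or configuration change, so identifying the blocker stays a monitoring activity and the resolution still goes through whoever owns change access.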

I'm not sure you're likely to garner a definitive answer here.  The concept of "best practices" embodies an ideal that not all companies can afford.  It will be impossible for us to know what's "right" or "best" for your organization or specific circumstance.

The notion that a manager is "not a technical role" is, in this context, overly dismissive. Many IT managers arise from technical roles and backgrounds (note: I say "many" not "all"). From the description of the issue, it appears that A) you are held accountable for performance and B) sufficient resources/processes are not in place to address coverage shortfalls.

You say that your lack of access is "supposedly under SOD rules". I can't tell from your post if you are new to your role (since you aren't sure of the SOD already in place) or if you've been in place for a while (since you seem to have already been "burned" by lack of access/coverage). I think your first action should be to confirm the rules and processes in place. Secondly, if you have identified gaps in coverage, as a manager, you need to communicate these to your leadership and/or take necessary actions to act within SOD rules AND ensure IT performance. If the SOD rules were cited by the development team, then they need to realize that they have a responsibility to performance that may not always end at 5:00 PM.

If you have sufficient resources, then you should maintain a "hands-off" approach, and focus on ensuring that sufficient processes/contingencies are in place to address any business needs.  Vacations and holidays are certainly foreseeable and should be planned accordingly.  Emergency processes need to be matched to the level of "pain" your company can afford to endure.

From a monitoring perspective, there are plenty of alternatives to server level access.  If your company is sophisticated enough and of sufficient size to maintain/enforce SOD rules, I would wonder why there aren't already monitoring systems/processes in place?  This is not typically a developer role any more than it is a manager's.

prairie1 (Author) commented:
I think you've probably said it best.
And yes, I'm new to this role; and as for resources, we don't have the resources to fully staff an in-house DBA and infrastructure guy.

The restriction was from the 3rd party infrastructure team which had recently been assigned to tighten things up and put some SOD measures in place, a few months before I got there.  The manager before me was not technical (from what I hear) so he probably never cared, or dared, to get a closer look at what was going on.

I guess if the guy before me got by without the access, I suppose I could too, but as you said, I'm held accountable for the performance and I see a way to plug a gap and that's what I intend to do.  It sounds like there's nothing 'illegal' from a SOX compliance SOD standpoint for me to have a look when things get out of hand and our hired help is offsite.
Thanks very much,