Hi Guys:
I lease a dedicated server. The company I leased this from insists that I give them my admin password to the server. They say its for them to monitor security. I know they have been in my server several times. They have e-mailed me about four times in the month. Granted its been with tips and suggestions, but this makes me uncomfortable. Is this normal practice? Is this not in itself a breach of security? I need your help and input.

Queensoul

Queensoul,

That's a pretty common requirement, although when they set up the server they should have given themselves their own admin password and not requested yours.

It's kind of like renting an apartment from someone, your landlord has a key to your apartment and the right to enter your apartment under whatever terms are set in your lease.

1) If you are leasing a server from someone, they are still legally the owner of that server and can be held responsible for whatever appears on it.

2) If the server is root-compromised, it needs to be taken off the network immediately, no if's and's or but's about it. It's an emergency. A root-compromised server is like combination of a time-bomb and a doorway into the network. They then need to perform a root-compromise recovery on the server.

3) If a warez or other illegal site is set up on the server, that needs to be shut down ASAP for legal and financial reasons. Warez sites use up a lot of bandwidth, and software piracy is against the law.

4) If they find you are violating the TOS, and there are copyrighted files, kiddie or other pr0n sites, or whatnot on the server, they are within their rights to remove them.

Originally posted by Phoenix
Queensoul,

That's a pretty common requirement, although when they set up the server they should have given themselves their own admin password and not requested yours.



Yes - this is normal for our dedicated servers. The host does not tell us the admin or root passwords, they simply give you an account with equivalent priviledges. they do get upset if you change the password but otherwise, it is useful for them since they can quickly log in in times of emergency.

This is more organised than them allowing you to change your admin/root password and them asking for it !

thanks guys. I guess I understand, since I really like them. But take for instance today, i had over 6 people in the office designing and uploading stuff. All of a sudden no one could get into the server. Not through telnet or ftp. Our admin password was no longer accessible. I sent email through another service, and they responded that they were WORKING on the server. Could they not have informed me ahead of time? I have to pay all these people time and a half for standing around on a Sunday.

Queen

Yep - this is bad. I get this with some of my hosting or ISPs. They fail to inform you that they will be working on a server. Some are good but others do not run a proper database containing list of all customers and contacts and what type of customer they are so they cannot send out targeted emails warning those people if a particular server or service is going down for maintenance. Well, they will learn in due course !