High Security
-
I have a new job, where security is more than an afterthought... IT has our machines locked down pretty well. Now, I'm not looking to get around the security, as I think it is quite important and I agree with many of the policies I've encountered so far. So, please keep this discussion about appropriate security measures and no hacking... Here is my issue: I don't know what is appropriate in terms of security for a developer's machine (because I've always had domain god accounts). That is, what is the minimum level of access required to be productive as a "mainly Microsoft" developer. I'll be using Visual Studio to develop web sites, create databases and DB objects. I think I need to be an admin on my machine for that? Also, don't I need admin access in the database *server* if I want to create databases? I've encountered problems in the past when trying to develop IIS web sites on my machine without the ability to run VS in administrator mode. Does that mean I absolutely need to be the admin on this machine or what? If you work in a high security environment, let me know, what are your setups? Do you turn off UAC, do you have admin rights, and what specifically can't you do with certain settings? I know about the "you can't run IIS web site projects without admin rights" problem, and am looking for a list of other problems I might encounter with restricted access as a MS developer. I'm like, maybe, the first MS dev in this company - but it's a big aerospace company that you have probably heard of... some things around here are classified, so I can't demand total network god access, I need to know what is appropriate.
Having local admin (i.e. on your dev machine) is usually enough. As far as the database goes, you can install one on your own machine for testing, and in production you'd probably only need access to an account with read/insert/update permissions (and have the DB admin create the tables for the application).
-
I have a new job, where security is more than an afterthought... IT has our machines locked down pretty well. Now, I'm not looking to get around the security, as I think it is quite important and I agree with many of the policies I've encountered so far. So, please keep this discussion about appropriate security measures and no hacking... Here is my issue: I don't know what is appropriate in terms of security for a developer's machine (because I've always had domain god accounts). That is, what is the minimum level of access required to be productive as a "mainly Microsoft" developer. I'll be using Visual Studio to develop web sites, create databases and DB objects. I think I need to be an admin on my machine for that? Also, don't I need admin access in the database *server* if I want to create databases? I've encountered problems in the past when trying to develop IIS web sites on my machine without the ability to run VS in administrator mode. Does that mean I absolutely need to be the admin on this machine or what? If you work in a high security environment, let me know, what are your setups? Do you turn off UAC, do you have admin rights, and what specifically can't you do with certain settings? I know about the "you can't run IIS web site projects without admin rights" problem, and am looking for a list of other problems I might encounter with restricted access as a MS developer. I'm like, maybe, the first MS dev in this company - but it's a big aerospace company that you have probably heard of... some things around here are classified, so I can't demand total network god access, I need to know what is appropriate.
Being an admin on your development machine is pretty much a requirement. Though, I'd look at using IISExpress rather than the version built in to the OS. It runs in a regular process rather than a service account, so you don't have the same permissions issues. The configuration files are in your user directory instead of in the system directory for example. I do all my sql development locally and make changes with sql scripts that I add to our build scripts, and wouldn't do it any other way if I could avoid it. I don't need any special sql permissions to make that work. If the security team is concerned about you having admin rights on your development machine, you might want to look at having them setup a special locked down development network so the development machines can be isolated from the regular business systems.
Curvature of the Mind now with 3D
-
I have a new job, where security is more than an afterthought... IT has our machines locked down pretty well. Now, I'm not looking to get around the security, as I think it is quite important and I agree with many of the policies I've encountered so far. So, please keep this discussion about appropriate security measures and no hacking... Here is my issue: I don't know what is appropriate in terms of security for a developer's machine (because I've always had domain god accounts). That is, what is the minimum level of access required to be productive as a "mainly Microsoft" developer. I'll be using Visual Studio to develop web sites, create databases and DB objects. I think I need to be an admin on my machine for that? Also, don't I need admin access in the database *server* if I want to create databases? I've encountered problems in the past when trying to develop IIS web sites on my machine without the ability to run VS in administrator mode. Does that mean I absolutely need to be the admin on this machine or what? If you work in a high security environment, let me know, what are your setups? Do you turn off UAC, do you have admin rights, and what specifically can't you do with certain settings? I know about the "you can't run IIS web site projects without admin rights" problem, and am looking for a list of other problems I might encounter with restricted access as a MS developer. I'm like, maybe, the first MS dev in this company - but it's a big aerospace company that you have probably heard of... some things around here are classified, so I can't demand total network god access, I need to know what is appropriate.
Not sure how much of this applies, since I do thick-client dev, not IIS... My current company is more locked-down than any I've worked for in the past. No write access to most of our own hard drives, and no execution from the directories we CAN write to, with a couple exceptions. (I had to get an exception made so I could develop locally - Visual Studio doesn't behave well when its intellisense cache files are on a network drive)... But VS development can be done without admin access, or even poweruser access. The MSSQL DB is on a different machine, and I'm just DB owner there... Well, I'm admin on that box now, for other reasons, but that's a recent change. Worked fine before that. Of course, IIS might change things... I haven't worked with that since the 90s.
Proud to have finally moved to the A-Ark. Which one are you in?
Author of the Guardians Saga (Sci-Fi/Fantasy novels) -
I have a new job, where security is more than an afterthought... IT has our machines locked down pretty well. Now, I'm not looking to get around the security, as I think it is quite important and I agree with many of the policies I've encountered so far. So, please keep this discussion about appropriate security measures and no hacking... Here is my issue: I don't know what is appropriate in terms of security for a developer's machine (because I've always had domain god accounts). That is, what is the minimum level of access required to be productive as a "mainly Microsoft" developer. I'll be using Visual Studio to develop web sites, create databases and DB objects. I think I need to be an admin on my machine for that? Also, don't I need admin access in the database *server* if I want to create databases? I've encountered problems in the past when trying to develop IIS web sites on my machine without the ability to run VS in administrator mode. Does that mean I absolutely need to be the admin on this machine or what? If you work in a high security environment, let me know, what are your setups? Do you turn off UAC, do you have admin rights, and what specifically can't you do with certain settings? I know about the "you can't run IIS web site projects without admin rights" problem, and am looking for a list of other problems I might encounter with restricted access as a MS developer. I'm like, maybe, the first MS dev in this company - but it's a big aerospace company that you have probably heard of... some things around here are classified, so I can't demand total network god access, I need to know what is appropriate.
High Security == Low Productivity Get them to buy you a powerful box and set up a VM on it to which you have full and complete control. Mwahahaha! Marc
My Blog
The Relationship Oriented Programming IDE
Melody's Amazon Herb Site -
Not sure how much of this applies, since I do thick-client dev, not IIS... My current company is more locked-down than any I've worked for in the past. No write access to most of our own hard drives, and no execution from the directories we CAN write to, with a couple exceptions. (I had to get an exception made so I could develop locally - Visual Studio doesn't behave well when its intellisense cache files are on a network drive)... But VS development can be done without admin access, or even poweruser access. The MSSQL DB is on a different machine, and I'm just DB owner there... Well, I'm admin on that box now, for other reasons, but that's a recent change. Worked fine before that. Of course, IIS might change things... I haven't worked with that since the 90s.
Proud to have finally moved to the A-Ark. Which one are you in?
Author of the Guardians Saga (Sci-Fi/Fantasy novels) -
I have a new job, where security is more than an afterthought... IT has our machines locked down pretty well. Now, I'm not looking to get around the security, as I think it is quite important and I agree with many of the policies I've encountered so far. So, please keep this discussion about appropriate security measures and no hacking... Here is my issue: I don't know what is appropriate in terms of security for a developer's machine (because I've always had domain god accounts). That is, what is the minimum level of access required to be productive as a "mainly Microsoft" developer. I'll be using Visual Studio to develop web sites, create databases and DB objects. I think I need to be an admin on my machine for that? Also, don't I need admin access in the database *server* if I want to create databases? I've encountered problems in the past when trying to develop IIS web sites on my machine without the ability to run VS in administrator mode. Does that mean I absolutely need to be the admin on this machine or what? If you work in a high security environment, let me know, what are your setups? Do you turn off UAC, do you have admin rights, and what specifically can't you do with certain settings? I know about the "you can't run IIS web site projects without admin rights" problem, and am looking for a list of other problems I might encounter with restricted access as a MS developer. I'm like, maybe, the first MS dev in this company - but it's a big aerospace company that you have probably heard of... some things around here are classified, so I can't demand total network god access, I need to know what is appropriate.
You have to convince the IT dept to give you local admin rights on your own machine. I used to work on a base, and we had to pass an system admin exam in order to get this permissions. However, we still didn't have rights to run IIS Manager on our dev boxes. I feel your pain.
".45 ACP - because shooting twice is just silly" - JSOP, 2010
-----
You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
-----
"Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass." - Dale Earnhardt, 1997 -
I have a new job, where security is more than an afterthought... IT has our machines locked down pretty well. Now, I'm not looking to get around the security, as I think it is quite important and I agree with many of the policies I've encountered so far. So, please keep this discussion about appropriate security measures and no hacking... Here is my issue: I don't know what is appropriate in terms of security for a developer's machine (because I've always had domain god accounts). That is, what is the minimum level of access required to be productive as a "mainly Microsoft" developer. I'll be using Visual Studio to develop web sites, create databases and DB objects. I think I need to be an admin on my machine for that? Also, don't I need admin access in the database *server* if I want to create databases? I've encountered problems in the past when trying to develop IIS web sites on my machine without the ability to run VS in administrator mode. Does that mean I absolutely need to be the admin on this machine or what? If you work in a high security environment, let me know, what are your setups? Do you turn off UAC, do you have admin rights, and what specifically can't you do with certain settings? I know about the "you can't run IIS web site projects without admin rights" problem, and am looking for a list of other problems I might encounter with restricted access as a MS developer. I'm like, maybe, the first MS dev in this company - but it's a big aerospace company that you have probably heard of... some things around here are classified, so I can't demand total network god access, I need to know what is appropriate.
I don't do that Web stuff. I'm currently doing database work for a huge financial company, so yes things are locked down pretty well.
Jasmine2501 wrote:
need to be an admin on my machine for that
Most likely.
Jasmine2501 wrote:
don't I need admin access in the database *server*
Probably not, but perhaps DBO.
Jasmine2501 wrote:
Do you turn off UAC
No, not even at home. At my last assigment things were locked down even more. We had no direct access to the database; there were tools that allowed us to create tables in dev, but any changes or when moving to test and prod required a DBA to review the SQL statements. We also had to remote into VMs to do development.
-
I have a new job, where security is more than an afterthought... IT has our machines locked down pretty well. Now, I'm not looking to get around the security, as I think it is quite important and I agree with many of the policies I've encountered so far. So, please keep this discussion about appropriate security measures and no hacking... Here is my issue: I don't know what is appropriate in terms of security for a developer's machine (because I've always had domain god accounts). That is, what is the minimum level of access required to be productive as a "mainly Microsoft" developer. I'll be using Visual Studio to develop web sites, create databases and DB objects. I think I need to be an admin on my machine for that? Also, don't I need admin access in the database *server* if I want to create databases? I've encountered problems in the past when trying to develop IIS web sites on my machine without the ability to run VS in administrator mode. Does that mean I absolutely need to be the admin on this machine or what? If you work in a high security environment, let me know, what are your setups? Do you turn off UAC, do you have admin rights, and what specifically can't you do with certain settings? I know about the "you can't run IIS web site projects without admin rights" problem, and am looking for a list of other problems I might encounter with restricted access as a MS developer. I'm like, maybe, the first MS dev in this company - but it's a big aerospace company that you have probably heard of... some things around here are classified, so I can't demand total network god access, I need to know what is appropriate.
-
Only within his own little universe. :-D The only time I've had domain-wide privileges in a Windows environment was when I was part of a very small IT department and was often the only one in the office and someone had to be able to reset passwords. :sigh:
-
Impossible... there's stuff around here I don't have clearance for. I can be admin on my machine, but network privs need to be tight.
-
I have a new job, where security is more than an afterthought... IT has our machines locked down pretty well. Now, I'm not looking to get around the security, as I think it is quite important and I agree with many of the policies I've encountered so far. So, please keep this discussion about appropriate security measures and no hacking... Here is my issue: I don't know what is appropriate in terms of security for a developer's machine (because I've always had domain god accounts). That is, what is the minimum level of access required to be productive as a "mainly Microsoft" developer. I'll be using Visual Studio to develop web sites, create databases and DB objects. I think I need to be an admin on my machine for that? Also, don't I need admin access in the database *server* if I want to create databases? I've encountered problems in the past when trying to develop IIS web sites on my machine without the ability to run VS in administrator mode. Does that mean I absolutely need to be the admin on this machine or what? If you work in a high security environment, let me know, what are your setups? Do you turn off UAC, do you have admin rights, and what specifically can't you do with certain settings? I know about the "you can't run IIS web site projects without admin rights" problem, and am looking for a list of other problems I might encounter with restricted access as a MS developer. I'm like, maybe, the first MS dev in this company - but it's a big aerospace company that you have probably heard of... some things around here are classified, so I can't demand total network god access, I need to know what is appropriate.
Thanks for all the insights guys... I'm really looking for a list of specific things, like the running IIS web sites example. Sounds like there's not a whole lot you are blocked from... that is good. One of the things I'm doing here is working to establish processes for this kind of thing. I'm a fan of the "must be on build server/ source control to get into production" but not a big fan of "deployments are not done by developers" - the IT department doesn't even have Visual Studio on my machine yet after a week of working here, so I'm not sure I trust them to install mission critical software on servers. And they gave me a Core 2 Duo... :thumbsdown:
-
NO NO ABSOLUTELY NOT, never and I mean never give a developer unlimited access to network drive or production servers. Bloody dangerous bastards are developers, they try and "fix" things. I like to have admin in the developer domain but am not interested in the production environment, that is for the support team! As for the database, dbo on the developer, script only on UAT and no access to the production server!
Never underestimate the power of human stupidity RAH
-
I have a new job, where security is more than an afterthought... IT has our machines locked down pretty well. Now, I'm not looking to get around the security, as I think it is quite important and I agree with many of the policies I've encountered so far. So, please keep this discussion about appropriate security measures and no hacking... Here is my issue: I don't know what is appropriate in terms of security for a developer's machine (because I've always had domain god accounts). That is, what is the minimum level of access required to be productive as a "mainly Microsoft" developer. I'll be using Visual Studio to develop web sites, create databases and DB objects. I think I need to be an admin on my machine for that? Also, don't I need admin access in the database *server* if I want to create databases? I've encountered problems in the past when trying to develop IIS web sites on my machine without the ability to run VS in administrator mode. Does that mean I absolutely need to be the admin on this machine or what? If you work in a high security environment, let me know, what are your setups? Do you turn off UAC, do you have admin rights, and what specifically can't you do with certain settings? I know about the "you can't run IIS web site projects without admin rights" problem, and am looking for a list of other problems I might encounter with restricted access as a MS developer. I'm like, maybe, the first MS dev in this company - but it's a big aerospace company that you have probably heard of... some things around here are classified, so I can't demand total network god access, I need to know what is appropriate.
Jasmine2501 wrote:
but it's a big aerospace company that you have probably heard of... some things around here are classified
You should have lead with that. Milsec requires more stringent policies. For example in terms of admin access to a box, it can allow the right to install software and normally that should be restricted.
-
Jasmine2501 wrote:
but it's a big aerospace company that you have probably heard of... some things around here are classified
You should have lead with that. Milsec requires more stringent policies. For example in terms of admin access to a box, it can allow the right to install software and normally that should be restricted.
Lol, yeah maybe... I'm working mostly on unclassified stuff though.
