Does a developer need local administrator rights?
-
Hello to all. I am hoping you can provide opinions based on real world experience as to whether developers need to have local administrator rights on their machines or whether they can run on lower authority and if so what the recommendations for the minimum settings to use would be? More details around the environment follow ... Our organisation is large enough to have separate systems administration and development teams. The organisation has a Standard Operationg Environment (SOE) that is used for all general office workers. Our developers currently have local administrator rights on their standard logins. Due to some recent scares with viruses coming into the network the systems administration team is making a case to management to have the developers normal login accounts run at a similar privilege level as the general office workers and either: - provide them with a second account to use to load / remove software - request that they go through the service desk to get software installed The overall environment is Windows XP with MS Office 2003, Outlook 2007 and some other tools. The development environment is .Net, C#, SQL Server 200/2005 and a variety of other tools. Over to you ... what are your thoughts?
-
Hello to all. I am hoping you can provide opinions based on real world experience as to whether developers need to have local administrator rights on their machines or whether they can run on lower authority and if so what the recommendations for the minimum settings to use would be? More details around the environment follow ... Our organisation is large enough to have separate systems administration and development teams. The organisation has a Standard Operationg Environment (SOE) that is used for all general office workers. Our developers currently have local administrator rights on their standard logins. Due to some recent scares with viruses coming into the network the systems administration team is making a case to management to have the developers normal login accounts run at a similar privilege level as the general office workers and either: - provide them with a second account to use to load / remove software - request that they go through the service desk to get software installed The overall environment is Windows XP with MS Office 2003, Outlook 2007 and some other tools. The development environment is .Net, C#, SQL Server 200/2005 and a variety of other tools. Over to you ... what are your thoughts?
Well - if you run with elevated privileges, you're kind of assuming that your applications are going to be deployed on systems that require elevated permissions. If your applications are meant to run in a lower security level then you've just made it harder for yourself to test that your application will run in the environment that you want to use.
"WPF has many lovers. It's a veritable porn star!" - Josh Smith
As Braveheart once said, "You can take our freedom but you'll never take our Hobnobs!" - Martin Hughes.
-
Well - if you run with elevated privileges, you're kind of assuming that your applications are going to be deployed on systems that require elevated permissions. If your applications are meant to run in a lower security level then you've just made it harder for yourself to test that your application will run in the environment that you want to use.
"WPF has many lovers. It's a veritable porn star!" - Josh Smith
As Braveheart once said, "You can take our freedom but you'll never take our Hobnobs!" - Martin Hughes.
Thanks for the answer. The vast majority of the applications being developed are web based. There is some middle tier components also developed using the .Net environment. We can operate on the basis that the deployments will run with appropriate security set and / or the correct impersonations being done. The appropriate security is highly unlikely to be anything like local administrator on the platforms that the application is being deployed to. In fact I suspect that it may be argued that running at lower privileges may enforce the correctness of the impersonations. So my question extends out to cover: what would break if the development tools were run on a machine where the user was not running with local administrator privileges? Conversely what setting would need to be made to allow the development tools to work correctly without having to provide local administrator rights?
-
Hello to all. I am hoping you can provide opinions based on real world experience as to whether developers need to have local administrator rights on their machines or whether they can run on lower authority and if so what the recommendations for the minimum settings to use would be? More details around the environment follow ... Our organisation is large enough to have separate systems administration and development teams. The organisation has a Standard Operationg Environment (SOE) that is used for all general office workers. Our developers currently have local administrator rights on their standard logins. Due to some recent scares with viruses coming into the network the systems administration team is making a case to management to have the developers normal login accounts run at a similar privilege level as the general office workers and either: - provide them with a second account to use to load / remove software - request that they go through the service desk to get software installed The overall environment is Windows XP with MS Office 2003, Outlook 2007 and some other tools. The development environment is .Net, C#, SQL Server 200/2005 and a variety of other tools. Over to you ... what are your thoughts?
Pete makes a good point. I can't speak specifically to web applications, as you mentioned in your other post, but I have to agree that giving admin rights would encourage bad habits. You don't, however, want to sandbox the developer too much. If you start blocking things like write access to the "Program Files" directory, you'll just have a bunch of angry geeks on your hands. The users may not need to touch that, but the developers will want to be able to test installers and such. On the other hand, if you're ONLY doing web development, a complete lockdown might be possible. It would depend on exactly what's needed to run the IDE, compile, and deploy a web app... I'm sure someone else can give a more complete answer on that subset. I would suggest, however, that you put a process in place for developers to request temporary admin access when necessary. For example, I'm a front-office developer in a large company with a separate IT support staff... I can write freely to most of the hard drive and the registry, but I can't change system or security settings, or kill admin-level processes (Such as the scheduling app they use that occasionally makes my machine unusable for 20-30 minutes)... My only major gripe is not being able to run a defrag without asking one of the IT guys first.
Proud to have finally moved to the A-Ark. Which one are you in? Developer, Author (Guardians of Xen)
-
Pete makes a good point. I can't speak specifically to web applications, as you mentioned in your other post, but I have to agree that giving admin rights would encourage bad habits. You don't, however, want to sandbox the developer too much. If you start blocking things like write access to the "Program Files" directory, you'll just have a bunch of angry geeks on your hands. The users may not need to touch that, but the developers will want to be able to test installers and such. On the other hand, if you're ONLY doing web development, a complete lockdown might be possible. It would depend on exactly what's needed to run the IDE, compile, and deploy a web app... I'm sure someone else can give a more complete answer on that subset. I would suggest, however, that you put a process in place for developers to request temporary admin access when necessary. For example, I'm a front-office developer in a large company with a separate IT support staff... I can write freely to most of the hard drive and the registry, but I can't change system or security settings, or kill admin-level processes (Such as the scheduling app they use that occasionally makes my machine unusable for 20-30 minutes)... My only major gripe is not being able to run a defrag without asking one of the IT guys first.
Proud to have finally moved to the A-Ark. Which one are you in? Developer, Author (Guardians of Xen)
Thanks for the comments. I take the point about the temporary admin access and our IT area were thinking of either: - providing the developer with a second account to use to load / remove software note: this account would not be connected to email, etc. and so could not be used full time to replace the main account - request the developer go through the service desk to get software installed note: software installation e.g. tools and other apps, is a fairly rare event in our environment Your example is interesting. Do you know if you are set up as local administrator with group policy applied over the top to restrict your access to security, etc? I look forward to other people's feedback as to minimum requirements for the IDE. :)
-
Thanks for the comments. I take the point about the temporary admin access and our IT area were thinking of either: - providing the developer with a second account to use to load / remove software note: this account would not be connected to email, etc. and so could not be used full time to replace the main account - request the developer go through the service desk to get software installed note: software installation e.g. tools and other apps, is a fairly rare event in our environment Your example is interesting. Do you know if you are set up as local administrator with group policy applied over the top to restrict your access to security, etc? I look forward to other people's feedback as to minimum requirements for the IDE. :)
No, I'm not a local admin... Hence the inability to run a defrag. I think I'm in there as a "Power User"... Hard to tell, as I can't access the users/accounts config.
Proud to have finally moved to the A-Ark. Which one are you in? Developer, Author (Guardians of Xen)
-
Hello to all. I am hoping you can provide opinions based on real world experience as to whether developers need to have local administrator rights on their machines or whether they can run on lower authority and if so what the recommendations for the minimum settings to use would be? More details around the environment follow ... Our organisation is large enough to have separate systems administration and development teams. The organisation has a Standard Operationg Environment (SOE) that is used for all general office workers. Our developers currently have local administrator rights on their standard logins. Due to some recent scares with viruses coming into the network the systems administration team is making a case to management to have the developers normal login accounts run at a similar privilege level as the general office workers and either: - provide them with a second account to use to load / remove software - request that they go through the service desk to get software installed The overall environment is Windows XP with MS Office 2003, Outlook 2007 and some other tools. The development environment is .Net, C#, SQL Server 200/2005 and a variety of other tools. Over to you ... what are your thoughts?
If you want faster development yes. Every time you put up a wall you slow down progress. Reverse the question and ask: Is it really a problem if my developer has admin access on his local machine? I mean, is it the development team that is bringing in these viruses/bad progs? Developers are usually pretty computer savvy, so sometimes I find this argument hard to swallow. Maybe anti-virus would be a better solution than locking access? If you can't think of why this would be a problem, then why put up roadblocks? Here, your suggestions are wholly adding to the cost of development, and decreasing efficiency. Are viruses that prevalent in your network? A user can be an admin on their machine and still have restricted access to other machines, and that may be a more viable solution.
-
Hello to all. I am hoping you can provide opinions based on real world experience as to whether developers need to have local administrator rights on their machines or whether they can run on lower authority and if so what the recommendations for the minimum settings to use would be? More details around the environment follow ... Our organisation is large enough to have separate systems administration and development teams. The organisation has a Standard Operationg Environment (SOE) that is used for all general office workers. Our developers currently have local administrator rights on their standard logins. Due to some recent scares with viruses coming into the network the systems administration team is making a case to management to have the developers normal login accounts run at a similar privilege level as the general office workers and either: - provide them with a second account to use to load / remove software - request that they go through the service desk to get software installed The overall environment is Windows XP with MS Office 2003, Outlook 2007 and some other tools. The development environment is .Net, C#, SQL Server 200/2005 and a variety of other tools. Over to you ... what are your thoughts?
This would really depend on how "in the weeds" your developers are getting. As a developer I find myself installing and removing applications almost every other day for integration testing and evaluating new development tools. In addition, I have occasion to stop and start services on my development box when things go haywire. Editing and removing registry entries is not uncommon as well. All of these are much easier with local admin rights. If your developers are doing simple web development (HTML, Javascript, Flash..etc) then they probably don't need admin access. However, any of the higher languages (Java, C/C++, C#, Perl...etc) I would definitely recommend admin access. One solution I have seen to your dilemma is install virtual environments. This allows the developers to create their own machines with what ever rights they want, while still controlling the actual hardware. Unfortunately, the virtual env. tends to be slower and can affect compile and testing times. My guess is that your virus scares were not on the developer boxes, they tend to be more careful than your average user. This fight is not uncommon.
modified on Thursday, January 7, 2010 10:27 AM