3

In my organization we are in the process of upgrading everyone to Windows 7.We have all of our users configured as power users. The issue we are running into is this:

Should we give developers local admin rights or only modify the files that need to be executed to run the application.

I don't want to give them full admin rights as I understand what could happen. So I would rather give them limited access so they at least can get their work done. All of the applications are installed by us and they will configure them. I was looking for any suggestions as to what I should do.
Listed below are the applications they run:

  • My Eclipse Blue
  • Websphere 6.1,7.0
  • Visual Studio 2010
  • PVCS version manager
Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
mrizz10
  • 31
  • 1
  • 2
  • 3
    A similar question has been asked on several sites. I started listing them here: http://programmers.stackexchange.com/q/4596/175 Go though the links and you may find the information you're looking for – makerofthings7 Nov 19 '12 at 21:52
  • 3
    You should give them the ability to run virtual machines perhaps? That way they can develop in an development environment, and they can leave their desktop alone. – Zoredache Nov 19 '12 at 23:15
  • 1
    escalating from "power user" to "admin" is trivial. I'd either reduce them to a normal user, or make them a real admin. – CodesInChaos Nov 20 '12 at 07:41
  • What is the question? Could you edit to make it very explicit what you're asking? – MCW Nov 20 '12 at 10:58
  • What languages are you working with? Don't some debuggers (say, for C/C++) require elevated privileges? – Clockwork-Muse Nov 21 '12 at 21:08

3 Answers3

6

I am a developer doing database and web applications with no administrative rights. I thought a great injustice was being done when the policy was first implemented however I have come around to the idea because I can appreciate the security considerations.

  • chances of infecting your machine with some web exploit while you are surfing for an answer: much reduced
  • chances that the cool add on you thought would help out crashes your machine: much reduced
  • it does bring clarity to your development process. If you really need "it", then you ask for it and you have to document why you want it.
  • it helps ensure that everyone is working on the same install. A certainty that sysadmins enjoy if you have to work up a new image for a developer.
kevinskio
  • 161
  • 5
  • I've come to agree on this. Developers don't need admin rights until they can fully understand creating software that runs properly under a limited user environment. I'm fed up with software that requires admin rights for userspace configurations. – Fiasco Labs Nov 20 '12 at 15:44
  • I must disagree on this. Some developers may accept power users rights or even prefer it, but some developer will complain. A good developer has often its own tricks and habits. In this case I would give such developers admin right. This will: - Improve motivation, - Speed up development process, - Prevent developer from changing the company. – Boris Brodski Mar 21 '13 at 11:32
4

This is more of a productivity question than security. If you want the best possible security, then yes, locking down user accounts will get you that. However, locking down developer accounts will just get in their way. For example, you seem to have everything they will require provided for, but what about:

  • Preferred browsers
  • Preferred email clients
  • Preferred chat clients (if applicable)
  • Text editors
  • Other tools (grep, Python, Wireshark, etc.)

Your options here are:

  • Don't hire anyone who doesn't like your preferred tools (and lose good talent).
  • Hire those people but don't let them use their preferred tools (and lose productivity and morale).
  • Spend your time researching every tool your developers want (wasting your own time and potentially blocking your developers work until you do it).
  • Install whatever tools your developers want (making this policy pointless).

Keep in mind that these aren't general (computer illiterate) users. You're talking about treating people who write software as if they don't understand anything about computers or security. If you can't trust your developers not to install viruses on their computers, why are you trusting them to write software?

It's worth mentioning that you don't want anyone to be working as an superuser, you just want them to have access to administrator tools. So on Linux, your developers should have sudo permission, but obviously shouldn't be logged in as root. On Windows, your developers will need to be administrators, but UAC can prompt them before doing anything that requires admin access.

Brendan Long
  • 2,878
  • 1
  • 19
  • 27
  • Firefox and Chrome can be installed without admin privileges so the cat is out of the bag there. If the email client is not web based then chances are good it is a paid product which is a corporate expense and subject to oversight. It's just a balance between pain for developers and security for the organization – kevinskio Nov 23 '12 at 14:40
  • @kevinsky What makes you think most email clients are paid? The only one I know of is Outlook, and I've yet to meet someone outside of IT who uses it by choice. – Brendan Long Nov 23 '12 at 19:31
  • Most of the every day use applications that developers want such as browsers, chat and email clients can either be installed without admin privileges or are web based and do not need admin permissions. What's left are specialized tools for which you can make a case by case basis for usage and installation. – kevinskio Nov 24 '12 at 22:37
  • 1
    @kevinsky I think you're generalizing based on yourself, and not seeing what other people may want. I know I hate to use web-based tools, and the majority of programs do still install as an administrator. Handling specialized tools on a case-by-case basis is the worst situation in my mind, because it creates a situation where people won't use tools they know will enhance their productivity, because it's not worth the effort to convince IT. – Brendan Long Nov 25 '12 at 17:18
  • If you don't hire anyone new and things are automated and don't require a bazillion approvals, then you can live without admin access. On a project right now where I've spent two weeks making over 30 service now requests to get the programs I needed installed and the access required. Companies should only grant local admin for the individual machine that they are using, and not through AD groups added to the local Administrators group; that's a huge security risk. – joezen777 Jun 09 '21 at 13:39
1

I am someone that works in information security and I see a number of penetration testers break into companies because there are careless developers. This is why you would want to limit what your developers have access to. However, if you are going to have developers complain that it is a complete injustice to not have admin access to their box then A. it may not be worth keeping them or B. segment your developers to a different network.

user22328
  • 11
  • 1