|
Posted by Bad Beagle on April 25, 2007, 11:47 am
I am wondering if anyone can share their experiences or recommendations for
accommodating developers on a production network with security in mind.
Basically they want to run SQL and IIS on their workstations with default
installations. They have full admin on their workstations.
This of course makes the security admins nervous, but what are the options?
|
|
Posted by Phillip Windell on April 25, 2007, 12:36 pm
They might write better software if they aren't Local Admins because they could
see first hand the effects of the software and how well it would run in a secure
environment. They write stuff,...it runs on their machines,...they think it is
fine,...no consideration for the fact that it may have only run on a machine
where the user is a local Admin. Every good programmer knows you need to test &
develop software in the same conditions that it is expected to be used under.
The best thing to do is make their account normal users locally,...they just
have to know the credentials for the Local Admin so they can log in using it
only when they really need to. Their own personal account does not *really*
have to be a local Admin.
Having them on a separate subnet might be a *mild* benefit, but not much. If
these machines are domain members there is very little that you can block at the
LAN Router that isn't just going to needlessly break everything. Everything you
need to allow for things to work correctly is also going to be the same things
the threats will use, so there really isn't much advantage.
The best thing to keep users in line is not a technical solution, it is the
human to human approach,...such as public user beatings in the back parking lot
and stuff like that.
--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft, or
anyone else associated with me, including my cats.
-----------------------------------------------------
|
|
Posted by Ken Zhao [MSFT] on April 26, 2007, 1:39 am
Hello Bad,
Thank you for using the newsgroup!
Thanks to Phillip Windell for kindly sharing his experience.
Thanks & Regards,
Ken Zhao
Microsoft Online Support
Microsoft Global Technical Support Center
Get Secure! - www.microsoft.com/security
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
|
|
Posted by Ken Zhao [MSFT] on May 3, 2007, 4:36 am
Hi Bad,
I am just writing to see how everything is going. If you have any updates
or need any further assistance on this issue, please feel free to let me
know.
Thanks & Regards,
Ken Zhao
Microsoft Online Support
Microsoft Global Technical Support Center
Get Secure! - www.microsoft.com/security
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
|
|
Posted by S. Pidgorny on April 26, 2007, 6:46 am
They don't really need local admin rights to run SQL or IIS.
If you have compensating controls for the risk (malware exposure), you can
either just give them local admin, or give them a separate account (for runas).
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
* http://sl.mvps.org * http://msmvps.com/blogs/sp *
|
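A defender-side check covering both points made in this thread, Phillip's (a developer's own daily account should not be a local Administrator; a separate local admin identity is enough) and Svyatoslav's (SQL Server and IIS do not need the user to be local admin), as an added PowerShell example that is not from any of the posters: it lists who holds local Administrators membership on the workstation against an allow-list and shows which accounts the SQL Server and IIS services actually run under. The CONTOSO group names and the allow-list itself are constructed assumptions.

```powershell
# Added audit example (not from the thread). Requires Windows PowerShell 5.1+
# for the Microsoft.PowerShell.LocalAccounts module; run it on the workstation.
# The CONTOSO group names are constructed placeholders for your own allow-list.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin, used via runas only
    'CONTOSO\Workstation Admins',        # constructed: the security team's group
    'CONTOSO\Domain Admins'              # constructed: domain admins
)

function Get-UnapprovedLocalAdmins {
    param([string[]] $Approved = $ApprovedAdmins)
    # Every principal (local or domain, user or group) in the local Administrators group
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        if ($Approved -contains $m.Name) { continue }
        # A developer's personal domain account is the case the thread argues against:
        # a daily-use account with admin rights instead of a separate runas identity.
        $finding = if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'ActiveDirectory') {
            'Personal domain account holds local admin'
        } else {
            'Principal not on the approved admin list'
        }
        [pscustomobject]@{
            Name    = $m.Name             # e.g. CONTOSO\jdoe
            Class   = $m.ObjectClass      # User or Group
            Source  = $m.PrincipalSource  # Local, ActiveDirectory, ...
            Finding = $finding
        }
    }
}

function Get-DevServiceAccounts {
    # SQL Server (MSSQLSERVER for the default instance, MSSQL$NAME for a named one)
    # and the IIS World Wide Web Publishing Service (W3SVC). StartName is the account
    # each service runs as; none of them require the developer's own account to be
    # a local Administrator.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -like 'MSSQL*' -or $_.Name -eq 'W3SVC' } |
        Select-Object Name, State, StartName
}

Write-Host "Local Administrators on $env:COMPUTERNAME not on the approved list:"
Get-UnapprovedLocalAdmins | Format-Table -AutoSize
Write-Host 'SQL Server / IIS services and the accounts they run under:'
Get-DevServiceAccounts | Format-Table -AutoSize
```

Any row in the first table whose Finding reads "Personal domain account holds local admin" is exactly the situation the original question describes; the second table shows the service accounts that keep SQL Server and IIS running once that membership is removed.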