Security Basics mailing list archives
Re: Application Admins with Local Admin on Servers
From: "Yousef Syed" <yousef.syed () gmail com>
Date: Wed, 11 Jul 2007 20:46:55 +0100
Hi Megan,

Just grant the developers SUDO access to the build area to upload their files to. From there, they can run a build script (Ant/Make). Wrap everything else with Policy and Procedure. I've seen this approach used at various large banks.

Much as developers love to be root on everything - simply because it allows them to make all the necessary fixes to the environment that are necessary - they must not be allowed to do that outside a build environment.

Ideally, once they've set up a stable build environment, they should provide IQ and OQ documentation to the various Test and Live environments' Admins. The Admins for those environments should simply follow the IQ/OQ documents as appropriate in setting up their relevant environments (Application Server/Database Server and any other dependent system). Once these deployments have been practiced in the various test environments for each test phase, following the IQ for the final live environment deployment should be second nature.

Remember, System Test isn't just used to test that the application fulfills its requirements, but that the application is also serviceable/maintainable during its lifetime.

ys

--
Yousef Syed
CISSP

"To ask a question is to show ignorance; not to ask a question, means you remain ignorant" - Japanese Proverb

On 10/07/07, Megan Kielman <megan.kielman () gmail com> wrote:
System Administrators -

I am trying to get a feel for what other companies do with regard to application developers needing local admin privileges on servers. I am specifically working in a Windows environment but believe that the same principles would apply in any environment.

Here are my questions:

Do you grant admin privileges to application developers?

If not, do you grant them specific access or do you take care of the work for them?

I do understand that it is a violation of separation of duties to allow application developers to have local admin or root on systems, I am simply trying to get an idea of what the rest of the community does in practice.

Thanks!