Security Basics mailing list archives

Re: Application Admins with Local Admin on Servers


From: "Malcolm Heath" <malcolmpdx () gmail com>
Date: Wed, 11 Jul 2007 12:26:35 -0700

It comes down to a risk assessment, I think.  How confident are you
that the developers won't abuse the privilege, and how confident are
you that some other threat agent wouldn't be able to leverage it (say
via malware, or otherwise breaking their account) and thus get
administrative access "for free"?

Practically, there are a number of different ways to address this.  I
would prefer providing application developers a lab, either with no
network connectivity, a limited in-lab network, or (worst) a highly
firewalled situation that lets them remote into the machines they will
use for development.

With adequate firewalls, and a good IDS and extrusion monitoring on
the lab perimeter, that is a reasonably secure way to do it.

An alternate methodology would be to grant them limited admin privs on
specific machines; I'm not a Windows expert, but I believe that you
can do some of this with policy configurations on Windows.  On UNIX,
you can use sudo or third-party products to limit access. Both of these
put the onus on the admins to manage the access correctly, and make
sure it is kept secure.

Malcolm Heath
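The sudo approach Malcolm describes, as an added illustration that is not part of the original post: a sudoers drop-in that gives a developer group a fixed set of commands on named development hosts only, with logging so the admins who own the rule can see how it is used. Hostnames, the `appdev` group, the `myapp` service name and the binary paths are assumptions.

```text
# /etc/sudoers.d/appdev  (constructed example, not from the original thread)
# Goal: limited admin for application developers on specific machines,
# not blanket root.  Hostnames, group, service and paths are assumed.

Host_Alias  DEVSERVERS = devapp01, devapp02
User_Alias  APPDEVS    = %appdev

# Exact command lines only.  Arguments are matched literally, so a
# developer cannot append extra arguments; wildcards are avoided because
# a "*" in a sudoers argument also matches spaces (and thus extra args).
Cmnd_Alias  APPSVC  = /usr/bin/systemctl start myapp,   \
                      /usr/bin/systemctl stop myapp,    \
                      /usr/bin/systemctl restart myapp, \
                      /usr/bin/systemctl status myapp
Cmnd_Alias  APPLOGS = /usr/bin/journalctl --no-pager -u myapp

# Record every invocation (and its terminal output) for the admins.
Defaults:APPDEVS  logfile=/var/log/sudo-appdev.log, log_output
# Block shell escapes from anything the allowed commands might spawn.
Defaults:APPDEVS  noexec

# The rule itself: this group, these hosts, as root, these commands.
# Nothing grants a shell, so "sudo -s", "sudo -i" and "sudo bash" fail.
APPDEVS  DEVSERVERS = (root) APPSVC, APPLOGS
```

Check the file with `visudo -cf /etc/sudoers.d/appdev` before installing it, since a syntax error in a drop-in can lock everyone out of sudo on that host.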

On 7/9/07, Megan Kielman <megan.kielman () gmail com> wrote:
System Administrators -

I am trying to get a feel for what other companies do with regard to
application developers needing local admin privileges on servers. I am
specifically working in a Windows environment but believe that the
same principles would apply in any environment. Here are my questions:

Do you grant admin privileges to application developers?
If not, do you grant them specific access or do you take care of the
work for them?

I do understand that it is a violation of separation of duties to
allow application developers to have local admin or root on systems; I
am simply trying to get an idea of what the rest of the community does in
practice.

Thanks!
