Security Basics mailing list archives
Re: Application Admins with Local Admin on Servers
From: "Malcolm Heath" <malcolmpdx () gmail com>
Date: Wed, 11 Jul 2007 12:26:35 -0700
It comes down to a risk assessment, I think. How confident are you that the developers won't abuse the privilege, and how confident are you that some other threat agent wouldn't be able to leverage it (say via malware, or otherwise breaking their account) and thus get administrative access "for free"?

Practically, there are a number of different ways to address this. I would prefer providing application developers a lab, either with no network connectivity, a limited in-lab network, or (worst) a highly firewalled situation that lets them remote into the machines they will use for development. With adequate firewalls, and a good IDS and extrusion monitoring on the lab perimeter, that is a reasonably secure way to do it.

An alternate methodology would be to grant them limited admin privs on specific machines; I'm not a Windows expert, but I believe that you can do some of this with policy configurations on Windows. On UNIX, you can use sudo or third-party products to limit access. Both these put the onus on the admins to manage the access correctly, and make sure it is kept secure.

Malcolm Heath

On 7/9/07, Megan Kielman <megan.kielman () gmail com> wrote:
System Administrators -

I am trying to get a feel for what other companies do with regard to application developers needing local admin privileges on servers. I am specifically working in a Windows environment but believe that the same principles would apply in any environment.

Here are my questions:

Do you grant admin privileges to application developers?

If not, do you grant them specific access or do you take care of the work for them?

I do understand that it is a violation of separation of duties to allow application developers to have local admin or root on systems, I am simply trying to get an idea of what the rest of the community does in practice.

Thanks!