Security Basics mailing list archives

RE: Application Admins with Local Admin on Servers


From: "Petter Bruland" <pbruland () fcglv com>
Date: Wed, 11 Jul 2007 11:58:58 -0700

I'd look into setting up a small scale replica using either VMware or
VirtualServer, and that's where the developer can do his or her work.

The hard thing is to do this legally, as it can/will require quite a few
licenses if you want to do it right, not to mention hardware. With this
you can prevent any serious / easy to detect development bugs from
happening on the production server that could easily be fixed on the
"test" server.
Once the application development is complete, it can be installed on the
production server by an administrator.

But again, it all depends on the size of your server farm/network as
well as budgets.

Here we are using an external developer, who is creating custom
workflows for us. After they are tested on his external system, they
will be deployed on our VMware sandbox server for our own testing before
we deploy them to the production server.

-Petter



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Megan Kielman
Sent: Monday, July 09, 2007 7:15 PM
To: security-basics () securityfocus com
Subject: Application Admins with Local Admin on Servers

System Administrators -

I am trying to get a feel for what other companies do with regard to
application developers needing local admin privileges on servers. I am
specifically working in a Windows environment but believe that the same
principles would apply in any environment. Here are my questions:

Do you grant admin privileges to application developers?
If not, do you grant them specific access or do you take care of the
work for them?

I do understand that it is a violation of separation of duties to allow
application developers to have local admin or root on systems, I am
simply trying to get an idea of what the rest of the community does in
practice.

Thanks!

