Security Basics mailing list archives

Re: Application Admins with Local Admin on Servers


From: levinson_k () securityadmin info
Date: 11 Jul 2007 18:40:07 -0000

There are pretty much just two reasons for giving anyone Windows admin accounts:

1. The person needs to be able to manage system/user accounts; or
2. General laziness and lack of time, knowledge or concern for security.

It is almost always possible to grant non-administrators sufficient permissions to the file system, registry and OS 
rights (such as debug) without needing to grant full admin privileges.  It is true that it sometimes takes a little 
time to figure out what rights are missing, and it's true that someone with such privileges in Windows could escalate 
their privileges to admin.  

I think you'll find a pretty even mix of answers.  Some environments give in and grant developers admin privileges, 
while others forbid it.  Some environments give them increased privileges over development test servers or 
workstations, but the sysadmins retain control over the production servers.  Some rely on IT policy and detection 
rather than preventative technical controls, e.g. someone can technically make a forbidden change, but it will 
hopefully be detected and reprimanded.  As with much in security, there is no one answer that is best or correct for 
everyone; it depends on your individual security needs and tolerance for different kinds of risk.

I think there actually is some difference between Windows and non-Windows environments here.  With non-Windows 
environments like Linux, I believe it is easier and more common to grant users non-root privileges, to grant privileges 
granularly just to the necessary objects, and to require users to always use runas equivalents (su or sudo) only 
sporadically.  With Windows, it is sometimes necessary to allow users to have more local privileges that affect other 
local users and objects than you would normally want them to have.

kind regards,
Karl Levinson
http://securityadmin.info
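
The file system and registry delegation described in the message above, as an added example that is not part of the original post: a PowerShell function (run elevated, Windows PowerShell 5.1 or later) that grants a non-administrator group access to one application's directory and registry key. The function name and the example group, directory and key names are hypothetical; OS user rights such as debug are not covered.

```powershell
# Added example, not from the original post. The function name and the group,
# directory and registry key values are hypothetical placeholders.
function Grant-AppDelegation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Group,         # DOMAIN\name form, e.g. 'CONTOSO\PayrollAppAdmins' (assumed)
        [Parameter(Mandatory)] [string] $AppDirectory,  # e.g. 'D:\Apps\Payroll' (assumed)
        [Parameter(Mandatory)] [string] $RegistryKey    # e.g. 'HKLM:\SOFTWARE\Payroll' (assumed)
    )

    # Fail before changing anything if either target is missing.
    foreach ($target in $AppDirectory, $RegistryKey) {
        if (-not (Test-Path -Path $target)) { throw "Not found: $target" }
    }

    # Delegation is pointless if the group is already a direct member of the
    # local Administrators group (well-known SID S-1-5-32-544).
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object -ExpandProperty Name
    if ($admins -contains $Group) { throw "$Group is already a local administrator" }

    # Modify rather than FullControl: members can change application files
    # but cannot rewrite the ACL or take ownership.
    $fsRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $fsAcl = Get-Acl -Path $AppDirectory
    $fsAcl.AddAccessRule($fsRule)

    # Read and write values and subkeys under the application's key only;
    # no ChangePermissions or TakeOwnership.
    $regRule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList $Group, 'ReadKey,WriteKey', 'ContainerInherit', 'None', 'Allow'
    $regAcl = Get-Acl -Path $RegistryKey
    $regAcl.AddAccessRule($regRule)

    if ($PSCmdlet.ShouldProcess("$AppDirectory and $RegistryKey", "Grant access to $Group")) {
        Set-Acl -Path $AppDirectory -AclObject $fsAcl
        Set-Acl -Path $RegistryKey -AclObject $regAcl
    }

    # Return the group's resulting entries so the change can be reviewed.
    foreach ($target in $AppDirectory, $RegistryKey) {
        (Get-Acl -Path $target).Access |
            Where-Object { $_.IdentityReference.Value -eq $Group } |
            Select-Object @{ n = 'Path'; e = { $target } }, IdentityReference, *Rights, IsInherited
    }
}
```

Calling it with -WhatIf shows what would be changed without writing either ACL.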

