My pick would be (1), and the reasons for elevation need to be
documented fully. 

 

Z

 

Edward Ziots

CISSP,MCSA,MCP+I,Security +,Network +,CCA

Network Engineer

Lifespan Organization

401-639-3505

[email protected]

 

From: James Hill [mailto:[email protected]] 
Sent: Thursday, June 17, 2010 11:34 PM
To: NT System Admin Issues
Subject: RE: Handling Developers

 

So which scenario would you pick?

 

Scenario 1:-

 

Desktop with normal MOE plus any additional apps they need (Visual
Studio etc)

No local admin rights (but elevation permitted)

Normal GPO's applied

 

Scenario 2:-

 

Desktop with normal MOE

No local admin rights (but elevation permitted)

Normal GPO's applied

 

VM with development tools

No local admin rights (but elevation permitted)

No gpo's applied

 

From: Sherry Abercrombie [mailto:[email protected]] 
Sent: Friday, 18 June 2010 1:27 PM
To: NT System Admin Issues
Subject: Re: Handling Developers

 

Developers at my former workplace used to have those kinds of rights
until one turned off the anti-virus on his PC and then checked his POP
email account.  We had to send everyone home for the afternoon while we
battled Klez.  All workstations were manually checked and his was the
only one that had it. The next day some major policy changes were
implemented with full sign off from upper management.  Just ask the
question of what is it worth to the company to lose a half a day of work
because you can't contain a viral outbreak on your network?  We had to
shut down every server, unplug the network cable, bring it up with a Klez
cleaning boot disk, and then shut it back down until we got all the
servers done.  Everything was back up and functioning normally about an
hour before start of business the next day.  

On Thu, Jun 17, 2010 at 10:08 PM, Gary Whitten
<[email protected]> wrote:

Generally a no-win in my experience but get any decisions overriding
your better judgment in writing, in case things go south.

 

________________________________

From: James Hill [mailto:[email protected]] 
Sent: Thursday, June 17, 2010 9:42 PM
To: NT System Admin Issues
Subject: Handling Developers

I'd love some feedback on what kind of infrastructure is provided for
Developers in your environment.

 

My experience has been that developers often feel the need to have full
blown admin rights and no gpo's and no AV applied to them etc.  They
always expect to have the latest and greatest hardware as well.

 

The problem is that they often don't have the full understanding of the
rest of the environment so giving them admin rights has ended up with
them creating other issues for themselves (suddenly their outlook
doesn't work etc).

 

I think the best approach is to provide a normal SOE/MOE desktop and
then have them use a VM purely for development work.  The VM has no
GPOs applied but does have anti-virus, and admin rights are only
permitted by elevation (rather than running as admin).

 

What is the best practice these days?  Obviously it will depend on the
size of the environment etc.  We are a 1000+ user shop across multiple
locations and have the benefit of good VMware and hardware environments.

 

This issue is causing me a lot of pain at the moment with increasing
heat directed at me.  Any suggestions would be greatly appreciated!

 

James.

-- 
Sherry Abercrombie

"Any sufficiently advanced technology is indistinguishable from magic." 
Arthur C. Clarke