Thanks Andrew. I have considered your approaches in the past. I think my frustrations have clouded my thoughts somewhat.
At the moment they have the ability to run as and elevation as they know the local admin password. But of course complain about having to type it in. One argument was that with their previous and larger employer they did what they wished. Hence why I am after as much opinion from other professionals that I can get. ----- Reply message ----- From: "Andrew S. Baker" <[email protected]> Date: Fri, Jun 18, 2010 8:44 pm Subject: Handling Developers To: "NT System Admin Issues" <[email protected]> James, I would recommend that you provide them a normal desktop with the appropriate controls in place, and a VM environment for development (whether on their local machines or on a shared hosting server). The VM environment should allow them more rights -- as close to full admin as you feel comfortable with, so you don't have to babysit all of the configuration changes they will need to pursue as part of their daily work (depends on the type of development/developers). More importantly, you will want to officially and publicly set up an SLA for how you will handle problems in both areas. To the extent that their systems are managed as the rest of the organization, you can expect that malware and other issues will be considerably diminished, and you can promise the same level of high service to dealing with their problems. Similarly, to the extent that any of the environments they have (like the VM environment) has lax controls, or grants them significant permissions, they should expect that you will be more discretionary in your response time for their problems. In a previous location, I had some developers who continued to get their laptops infected despite their claims that "they weren't doing anything" on them. Of course, they had admin control. I gave them two options: 1. Keep your admin control, but your laptop gets addressed at our convenience 2. Relinquish that control, and you get the same response time as everyone else Two of them opted for #2 immediately, and had no subsequent issues. One of them stayed with option #1, had two more issues for which he was treated as a step-child of the red-headed variety, and when he complained, we simply put him in the second bucket, from which he no longer caused any problems. The last one also opted for bucket #2, but exercised considerable caution, and only suffered one more minor infection which we dealt with at our convenience -- but he respected that. We had no more problems from him either. BTW, AV is not optional for any of the environments, although the degree of control they might be given over scan times and other configuration might vary from one environment to another. You may want to start tracking the time you spend on the developers vs the rest of the organization to build your case for the disparity in response time. You can also recommend to the development community that if they will fund at least 50% of a resource for support, you'll be happy to facilitate more flexibility for them with a semi-dedicated support person. That puts the onus of justifying the operational costs of their methodology on them, rather than on you and your team. ASB (My XeeSM Profile)<http://XeeSM.com/AndrewBaker> Exploiting Technology for Business Advantage... Signature powered by WiseStamp<http://www.wisestamp.com/email-install> On Thu, Jun 17, 2010 at 11:33 PM, James Hill <[email protected]<mailto:[email protected]>> wrote: So which scenario would you pick? Scenario 1:- Desktop with normal MOE plus any additional apps they need (Visual Studio etc) No local admin rights (but elevation permitted) Normal GPO’s applied Scenario 2:- Desktop with normal MOE No local admin rights (but elevation permitted) Normal GPO’s applied VM with development tools No local admin rights (but elevation permitted) No gpo’s applied From: Sherry Abercrombie [mailto:[email protected]<mailto:[email protected]>] Sent: Friday, 18 June 2010 1:27 PM To: NT System Admin Issues Subject: Re: Handling Developers Developers at my former workplace used to have those kind of rights until one turned off the anti-virus on his pc and then checked his pop email account. We had to send everyone home for the afternoon while we battled Klez. All workstations were manually checked and his was the only one that had it.....the next day some major policy changes were implemented with full sign off from upper management. Just ask the question of what is it worth to the company to lose a half a day of work because you can't contain a viral outbreak on your network? We had to shutdown every server, unplug the network cable, bring it up with a Klez cleaning boot disk, and then shut it back down until we got all the servers done. Everything was back up and functioning normally about an hour before start of business the next day. On Thu, Jun 17, 2010 at 10:08 PM, Gary Whitten <[email protected]<mailto:[email protected]>> wrote: Generally a no-win in my experience but get any decisions overriding your better judgment in writing, in case things go south. ________________________________ From: James Hill [mailto:[email protected]<mailto:[email protected]>] Sent: Thursday, June 17, 2010 9:42 PM To: NT System Admin Issues Subject: Handling Developers I’d love some feedback on what kind of infrastructure is provide for Developers in your environment. My experience has been that developers often feel the need to have full blown admin rights and no gpo’s and no AV applied to them etc. They always expect to have the latest and greatest hardware as well. The problem is that they often don’t have the full understanding of the rest of the environment so giving them admin rights has ended up with them creating other issues for themselves (suddenly their outlook doesn’t work etc). I think the best approach is to provide a normal SOE/MOE desktop and then have them use a VM purely for development work. The VM has no gpo’s applied but does have anti-virus and admin right are only permitted by elevation (rather than running as admin). What is the best practice these days? Obviously it will depend on the size of the environment etc. We are 1000+ user shop across multiple locations and have the benefit of good vmware and hardware environments. This issue is causing me a lot of pain at the moment with increasing heat directed at me. Any suggestions would be greatly appreciated! James. -- Sherry Abercrombie "Any sufficiently advanced technology is indistinguishable from magic." Arthur C. Clarke ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
