*>>One argument was that with their previous and larger employer they did what they wished. Hence why I am after as much opinion from other professionals that I can get.*
I always take the opportunity to remind people who are stuck in the past that they are free to leave and try to find it.

Things change. Even if their previous situation was legitimate, threats change, risks increase and new tactics have to be employed.

OTOH, you've mentioned that they're still using VB6, so my whole argument is undermined (or my point is proved).

They need to be able to work, yes. But, not at the expense of the rest of the org that also needs to work.

*ASB* (My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
*Exploiting Technology for Business Advantage...*

On Fri, Jun 18, 2010 at 8:05 AM, James Hill <[email protected]> wrote:

> Thanks Andrew.
>
> I have considered your approaches in the past. I think my frustrations have clouded my thoughts somewhat.
>
> At the moment they have the ability to run as and elevation as they know the local admin password. But of course complain about having to type it in.
>
> One argument was that with their previous and larger employer they did what they wished. Hence why I am after as much opinion from other professionals that I can get.
>
> ----- Reply message -----
> From: "Andrew S. Baker" <[email protected]>
> Date: Fri, Jun 18, 2010 8:44 pm
> Subject: Handling Developers
> To: "NT System Admin Issues" <[email protected]>
>
> James,
>
> I would recommend that you provide them a normal desktop with the appropriate controls in place, and a VM environment for development (whether on their local machines or on a shared hosting server). The VM environment should allow them more rights -- as close to full admin as you feel comfortable with, so you don't have to babysit all of the configuration changes they will need to pursue as part of their daily work (depends on the type of development/developers).
>
> More importantly, you will want to officially and publicly set up an SLA for how you will handle problems in both areas.
>
> To the extent that their systems are managed as the rest of the organization, you can expect that malware and other issues will be considerably diminished, and you can promise the same level of high service to dealing with their problems.
>
> Similarly, to the extent that any of the environments they have (like the VM environment) has lax controls, or grants them significant permissions, they should expect that you will be more discretionary in your response time for their problems. In a previous location, I had some developers who continued to get their laptops infected despite their claims that "they weren't doing anything" on them. Of course, they had admin control. I gave them two options:
>
> 1. Keep your admin control, but your laptop gets addressed at our convenience
> 2. Relinquish that control, and you get the same response time as everyone else
>
> Two of them opted for #2 immediately, and had no subsequent issues.
>
> One of them stayed with option #1, had two more issues for which he was treated as a step-child of the red-headed variety, and when he complained, we simply put him in the second bucket, from which he no longer caused any problems.
>
> The last one also opted for bucket #2, but exercised considerable caution, and only suffered one more minor infection which we dealt with at our convenience -- but he respected that. We had no more problems from him either.
>
> BTW, AV is not optional for any of the environments, although the degree of control they might be given over scan times and other configuration might vary from one environment to another.
>
> You may want to start tracking the time you spend on the developers vs the rest of the organization to build your case for the disparity in response time. You can also recommend to the development community that if they will fund at least 50% of a resource for support, you'll be happy to facilitate more flexibility for them with a semi-dedicated support person. That puts the onus of justifying the operational costs of their methodology on them, rather than on you and your team.
>
> *ASB* (My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
> *Exploiting Technology for Business Advantage...*
>
> On Thu, Jun 17, 2010 at 11:33 PM, James Hill <[email protected]> wrote:
>
>> So which scenario would you pick?
>>
>> Scenario 1:-
>>
>> Desktop with normal MOE plus any additional apps they need (Visual Studio etc)
>> No local admin rights (but elevation permitted)
>> Normal GPO’s applied
>>
>> Scenario 2:-
>>
>> Desktop with normal MOE
>> No local admin rights (but elevation permitted)
>> Normal GPO’s applied
>>
>> VM with development tools
>> No local admin rights (but elevation permitted)
>> No gpo’s applied
>>
>> *From:* Sherry Abercrombie [mailto:[email protected]]
>> *Sent:* Friday, 18 June 2010 1:27 PM
>> *To:* NT System Admin Issues
>> *Subject:* Re: Handling Developers
>>
>> Developers at my former workplace used to have those kind of rights until one turned off the anti-virus on his pc and then checked his pop email account. We had to send everyone home for the afternoon while we battled Klez. All workstations were manually checked and his was the only one that had it.....the next day some major policy changes were implemented with full sign off from upper management. Just ask the question of what is it worth to the company to lose a half a day of work because you can't contain a viral outbreak on your network? We had to shut down every server, unplug the network cable, bring it up with a Klez cleaning boot disk, and then shut it back down until we got all the servers done. Everything was back up and functioning normally about an hour before start of business the next day.
>>
>> On Thu, Jun 17, 2010 at 10:08 PM, Gary Whitten <[email protected]> wrote:
>>
>> Generally a no-win in my experience but get any decisions overriding your better judgment in writing, in case things go south.
>>
>> ------------------------------
>>
>> *From:* James Hill [mailto:[email protected]]
>> *Sent:* Thursday, June 17, 2010 9:42 PM
>> *To:* NT System Admin Issues
>> *Subject:* Handling Developers
>>
>> I’d love some feedback on what kind of infrastructure is provided for Developers in your environment.
>>
>> My experience has been that developers often feel the need to have full blown admin rights and no gpo’s and no AV applied to them etc. They always expect to have the latest and greatest hardware as well.
>>
>> The problem is that they often don’t have the full understanding of the rest of the environment so giving them admin rights has ended up with them creating other issues for themselves (suddenly their Outlook doesn’t work etc).
>>
>> I think the best approach is to provide a normal SOE/MOE desktop and then have them use a VM purely for development work. The VM has no gpo’s applied but does have anti-virus and admin rights are only permitted by elevation (rather than running as admin).
>>
>> What is the best practice these days? Obviously it will depend on the size of the environment etc. We are 1000+ user shop across multiple locations and have the benefit of good VMware and hardware environments.
>>
>> This issue is causing me a lot of pain at the moment with increasing heat directed at me. Any suggestions would be greatly appreciated!
>>
>> James.
>>
>> --
>> Sherry Abercrombie
>>
>> "Any sufficiently advanced technology is indistinguishable from magic."
>> Arthur C. Clarke
