Depends somewhat on the development they're doing. I have a set of engineers who develop software for communication systems (I'm being deliberately vague here), and it's a mixture of hardware and software developed in house and OEMed.
One of their favorite tricks is to put a second NIC in their desktops and hang our hardware off of it, or to hang our hardware off of a small switch (5 or 8 port dlink/linksys/whatever) and start talking to it. Inevitably, the traffic generated starts crowding our bandwidth, or hammering on the inside of our firewall, or stealing a legitimate network address such that operations for *somebody* on our network is fubared until I get is sorted. In the 8 years I've been with this firm, I've had ample opportunity to demonstrate my network problem solving skills. Kurt On Fri, Jun 18, 2010 at 20:54, David Lum <[email protected]> wrote: > The question I posed to our development manager: > > Q. Do developers here do development on the same machines they do their > other job functions (e-mail, Internet, etc) or do they have separate > systems? > > A. Yes, all our Java developers use the same machine for development as they > do for email, Internet, etc. There are a few exceptions for developers that > use Apple or Linux computers; as they tend to jump onto a Windows terminal > server at times (for scheduling meetings in Outlook, using HPQC, etc). But > other than that, they all use their own machines for development; in fact > these are really the only machines powerful enough (because of RAM mostly) > to run the development IDE (IntelliJ Idea) that most of our Java folks use > > What I also know without asking is they are all local admins. They *do* have > AV and patching, should I be concerned or just let 'em do their work? > > Dave > > ________________________________ > From: James Hill [[email protected]] > Sent: Friday, June 18, 2010 5:03 PM > To: NT System Admin Issues > Subject: RE: Handling Developers > > And I agree with you Brian. > > > > Nothing that is in place is hindering the job from being done. Everything > that is REQUIRED is available. It’s just that there seems to be this > culture where Devs want no policies, no AV, no patches, but then will > complain when things don’t “just work” for them and expect instant service. > > > > I’m all about providing good service as these people are also my customers. > But any decent IT Professional knows to focus on the requirements. The > needs rather than the wants. This is part of what we are hired for! > > > > > > > > > > From: Brian Desmond [mailto:[email protected]] > Sent: Saturday, 19 June 2010 1:07 AM > To: NT System Admin Issues > Subject: RE: Handling Developers > > > > I assume by elevation you mean the UAC prompt? That seems reasonable to me. > > > > My thought on this whole thread is that IT’s job is to enable the business > (in this case your app dev group) and if you’re putting restrictions on them > to satisfy some checkbox in every trade rag this month and making the jobs > of your customers harder you’re ultimately failing. > > > > Personally I typically operate on a you break it you buy it model with folks > who are technologically capable and have requirements like this. I don’t > really care what they do with their machines as long as they meet minimum > spec (e.g. a/v, SCCM, etc) but if they screw it up they get to fix it. Put > your image up as a chunked up bootable ISO on a HTTP/SMB share somewhere and > let them fix it themselves. This is pretty common. > > > > Thanks, > > Brian Desmond > > [email protected] > > > > c - 312.731.3132 > > > > > > From: Ziots, Edward [mailto:[email protected]] > Sent: Friday, June 18, 2010 8:00 AM > To: NT System Admin Issues > Subject: RE: Handling Developers > > > > My pick would be (1), and the reasons for elevation need to be documented > fully. > > > > Z > > > > Edward Ziots > > CISSP,MCSA,MCP+I,Security +,Network +,CCA > > Network Engineer > > Lifespan Organization > > 401-639-3505 > > [email protected] > > > > From: James Hill [mailto:[email protected]] > Sent: Thursday, June 17, 2010 11:34 PM > To: NT System Admin Issues > Subject: RE: Handling Developers > > > > So which scenario would you pick? > > > > Scenario 1:- > > > > Desktop with normal MOE plus any additional apps they need (Visual Studio > etc) > > No local admin rights (but elevation permitted) > > Normal GPO’s applied > > > > Scenario 2:- > > > > Desktop with normal MOE > > No local admin rights (but elevation permitted) > > Normal GPO’s applied > > > > VM with development tools > > No local admin rights (but elevation permitted) > > No gpo’s applied > > > > From: Sherry Abercrombie [mailto:[email protected]] > Sent: Friday, 18 June 2010 1:27 PM > To: NT System Admin Issues > Subject: Re: Handling Developers > > > > Developers at my former workplace used to have those kind of rights until > one turned off the anti-virus on his pc and then checked his pop email > account. We had to send everyone home for the afternoon while we battled > Klez. All workstations were manually checked and his was the only one that > had it.....the next day some major policy changes were implemented with full > sign off from upper management. Just ask the question of what is it worth > to the company to lose a half a day of work because you can't contain a > viral outbreak on your network? We had to shutdown every server, unplug the > network cable, bring it up with a Klez cleaning boot disk, and then shut it > back down until we got all the servers done. Everything was back up and > functioning normally about an hour before start of business the next day. > > On Thu, Jun 17, 2010 at 10:08 PM, Gary Whitten > <[email protected]> wrote: > > Generally a no-win in my experience but get any decisions overriding your > better judgment in writing, in case things go south. > > > > ________________________________ > > From: James Hill [mailto:[email protected]] > Sent: Thursday, June 17, 2010 9:42 PM > To: NT System Admin Issues > Subject: Handling Developers > > I’d love some feedback on what kind of infrastructure is provide for > Developers in your environment. > > > > My experience has been that developers often feel the need to have full > blown admin rights and no gpo’s and no AV applied to them etc. They always > expect to have the latest and greatest hardware as well. > > > > The problem is that they often don’t have the full understanding of the rest > of the environment so giving them admin rights has ended up with them > creating other issues for themselves (suddenly their outlook doesn’t work > etc). > > > > I think the best approach is to provide a normal SOE/MOE desktop and then > have them use a VM purely for development work. The VM has no gpo’s applied > but does have anti-virus and admin right are only permitted by elevation > (rather than running as admin). > > > > What is the best practice these days? Obviously it will depend on the size > of the environment etc. We are 1000+ user shop across multiple locations > and have the benefit of good vmware and hardware environments. > > > > This issue is causing me a lot of pain at the moment with increasing heat > directed at me. Any suggestions would be greatly appreciated! > > > > James. > > > > > > > > > > > > > -- > Sherry Abercrombie > > "Any sufficiently advanced technology is indistinguishable from magic." > Arthur C. Clarke > > > > > > > > > > > > > > > > > > > > > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
