|
Domain admin rights here - got my fingers in just about every pot. Things get done fast as a result but it is a lot of responsibility.
To provide perspective maybe suggest that they spend a few days using one of their big, important Excel workbooks with cell-level password protection on every cell. My guess is they would crack in a few hours
|
|
|
|
|
Easiest way to get around this to the possible satisfaction of all concerned is to have one or more VMs (Hyper-v is the dogs doodads)with full admin rights - so you can do what you want) but not connected to the office network.
Now you use your 'real' machine for office interactions and you VM for pretty much everything else, safe in the knowledge it is isolated.
PooperPig - Coming Soon
|
|
|
|
|
I have full admin rights on my development laptop, but on the server not so much. Which makes installing and deploying new apps quite annoying.
Just the other day I was asked to migrate an existing web application on to a new web server, but of course I wasn't going to be given admin rights. So of course I couldn't even open the IIS Manager. I wonder what they will say when I need to create a PFX for the SSL?
There is a point where infrastructure has to start accepting that software engineers are admins.
-Wynter
|
|
|
|
|
Suzanne,
It will be different for different companies. I have been on both sides.
My philosophy is that we pay too much for the developers time to waste it.
At one company, they would make you sign a letter saying if a threat came through your computer,
then you absorb the financial responsibility. I was there when that employee had to pay to have their computer cleaned. Luckily nothing was stolen or spread across the network.
Finally, I would consider setting up a VM you develop on, and letting it have admin rights, but limiting its network ability. Especially when working on drivers, etc.
BTW, this is what we do now. All development is done inside of VMs we control the inside of. The companies control what the VM can do. It makes it easier to use outside consultants as well. Very little setup time.
|
|
|
|
|
I work at a huge (250k employees) company - we get admin rights if/when we ask. I feel your pain. And I don't know the solution.
|
|
|
|
|
I primarily write Windows Services, so admin rights are a necessity. That said, I am rarely in the office, and usually work from home (I go into the office perhaps 5-7 days a year), so I have my own development machines, my own testing servers, Hyper-V servers for virtual clients, etc...
My home-office dev machines are MUCH more capable and better maintained than our office desktops.
Working as a developer, I can't imagine not having local admin permissions.
|
|
|
|
|
I've been fighting this battle for many years, in many jobs. I am tired of it. I have gone through the machinations of "Proving" I need it, but really, it's just ridiculous. This is a timely topic for me, as my work has once again, decided to launch yet another Developers dont need admin" campaign. I am so tired of the battle, that I am willing to just sit and let the project timeline go bust, rather than make any huge effort to make them "come over and see". The Problem is usually rooted to a Developer, website, Architect, or Network Admin... who sells them the "bill of goods", which immediately casts suspcision "So they have been fooling us all this time?". Once that hook is set, the game is done, and it breaks the whole development group down. <loop>. Do I need admin "All the time"? no, don't be silly.. but when I do need it, I need it. You want to insert (x) hours for me to get it, thats gonna add up to significant time. Also - we have 120GB SSD's, that they load 100 GB of stuff on, leaving us barely enough space for VS. Then they issue us external drives to compensate, but we also have a "NO USB Drives allowed monitor", so we have to "request" permission to "Mount the drive".
Where there's smoke, there's a Blue Screen of death.
|
|
|
|
|
Wow, that sounds like a great way to secure the box, but I do agree with you that software developers generally need more free access to their box to get their jobs done efficiently.
Since you can't change IT, to make the pain on you less, you can probably use the scheduled tasks feature to make a way to launch the device manager as that privileged user without having to go through the UAC annoyance (nor the trouble of entering the account's password). See here[^] (it also works on Win8). You can pin that task to your start menu so its convenient. That's what I've done for the occasional times I need to run VS as admin.
Think of it as a poor man's low security sudo for Window.
We can program with only 1's, but if all you've got are zeros, you've got nothing.
|
|
|
|
|
stgagnon wrote: Imagine how convenient that is when debugging a driver or a driver-related problem?
You work on driver related issues most of the time? If yes then this would be a problem and it should be addressed at the management level.
stgagnon wrote: I can't believe that this is the only way to solve the "security threat"
It isn't. A competent proactive IT department can sequester different departments and individuals to provide more secure zones.
And at least for what I work on, neither me nor any other developer 'works' on the production network. Annoying for the individual developers when something infects the developer network but it has absolutely no impact on the production systems.
|
|
|
|
|
My development computer has Windows Server on it, so that I can fully test things before moving to the production server. I do web development using IIS, and that requires Visual Studio be in Administrator mode when I open it. The computer is an extra computer that I asked for, and I installed Windows Server on it myself, using a copy that I downloaded from my MSDN account. I do not use it for email, although I do use it to browse development sites for code samples. At first, it wasn't even connected to the office domain. Actually, we don't have a separate admin for our production web server. My boss and I are the admins as well as the developers. It is one of the pleasures of working in a small office.
|
|
|
|
|
|
"But by 10:10 AM, to everyone’s relief, the birdbrains over at animal services managed to capture and subdue the chicken, placing it where all escapees end up: the back seat of a squad car."
|
|
|
|
|
It is amazing no one took the free lunch for a ride any sooner.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
|
|
|
|
|
|
If you put tomato sauce on your burger, do you need to ketchup with the times?
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
|
|
|
|
|
What a zinger!
veni bibi saltavi
|
|
|
|
|
You relish these thoughts don't you.
"the debugger doesn't tell me anything because this code compiles just fine" - random QA comment
"Facebook is where you tell lies to your friends. Twitter is where you tell the truth to strangers." - chriselst
"I don't drink any more... then again, I don't drink any less." - Mike Mullikins uncle
|
|
|
|
|
It's exactly these kind of thoughts that can get you into a pickle.
/ravi
|
|
|
|
|
Dill they really?
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
|
|
|
|
|
I have to condiment you on asking that question.
/ravi
|
|
|
|
|
Mayo have all the sauce you need
|
|
|
|
|
I tried in vain for 40 minutes to make a pun with mayo but I couldn't mustard any idea
Geek code v 3.12 {
GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- r++>+++ y+++*
Weapons extension: ma- k++ F+2 X
}
If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver
|
|
|
|
|
Trying to make a pun with mayo can bring you to your naise.
/ravi
|
|
|
|
|
Lettuce try and keep mayo out of it.
"the debugger doesn't tell me anything because this code compiles just fine" - random QA comment
"Facebook is where you tell lies to your friends. Twitter is where you tell the truth to strangers." - chriselst
"I don't drink any more... then again, I don't drink any less." - Mike Mullikins uncle
|
|
|
|
|
I was about to give mayo a dressing down.
/ravi
|
|
|
|