mailing list archives
Securing Development in a production environment
From: Anthony Cogan <anthony.cogan () thinkunix com>
Date: Thu, 30 Aug 2007 10:49:57 -0500
We have a number of issues over the past year where developers were
running FTP servers, anonymous file shares (with confidential data
and no ACL's) and other very insecure methods.
Their workstations are in the process of being replaced and are being
provided a locked down (least privilege user) environment. A small
vocal group says they can not work this way and MUST have local
administrative rights to their box. They have been provided virtual
machines running W2k03 Server joined to our production domain (yeah,
I said that right).
I am more familiar with the UNIX world and no developer EVER had
local administrative rights, even on developments boxes, so I am
looking for feedback from the group on how you provide an environment
for your developers while maintaining security.
I have had a couple of ideas, I look forward to some of yours...
Developers have a 100% locked down environment other than their
development tools, when they need to test their MSI or package
installs, they take their "package" into a small development section
that would be VLAN'd off the production network. This way they could
develop on their own box, wrap up their packages into their
installation format, not require any admin privileges and just do a
quick walk over to test their packaging installation methodologies.
Have a development server that all the developers would do final
builds and package tests on. This may require two servers, one for
building and one for package installation testing, but nothing that
VM's couldn't handle. They would use TS to access the box, which
again would be VLAN'd off the production network with the exception
Is there a way that you can tell windows just a specific name of
packages and/or packages to install with a normal user account? ie:
Allow users of a certain OU to install software with the name of
"Developer Software 1" -> "Developer Software 10"? This way, we
would have limited access and they couldn't install FTP services,
create file shares, but still install their test packages...
- Securing Development in a production environment Anthony Cogan (Aug 30)