Security Basics: Re: Application Admins with Local Admin on Servers

[Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>]

On 2007-07-09 Megan Kielman wrote:
> I am trying to get a feel for what other companies do with regard to
> application developers needing local admin privileges on servers. I am
> specifically working in a Windows environment but believe that the
> same principles would apply in any environment. Here are my questions:
>
> Do you grant admin privileges to application developers?
On production servers? No.

Developer workstations are located in a separate network segment, and
each developer has admin privileges on his own workstation. I addition
to that there are servers for testing purposes in the developers'
network segment. Developers have admin privileges on these servers, too.
The transition developer server -> production server is done by system
administrators, with the assistence of the respective developer(s)
whenever needed.

> If not, do you grant them specific access or do you take care of the
> work for them?
No.

> I do understand that it is a violation of separation of duties to
> allow application developers to have local admin or root on systems, I
> am simply try to get an idea of what the rest of the community does in
> practice.
Properly separate the duties.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq