Local Admin rights - debug users

Guest

As network administrator I disallow any non-admins local admin rights.
Recently I've had to install Visual Studio .Net (2003) and developers cannot
seem to do any compiling without being at least member of the "debug users"
group.
If I'm informed correctly this (membership of the debug users group) allows
a malicious programmer to launch any application he desires and thus actually
implies that this developer has local admin rights (which, if I add a few
more errors, he might be able to escalate to domain admin).
Can I have .Net developers working on a workstation in a domain without
making them local admin of their machine?
 
Robert Moir

Kris said:
As network administrator I disallow any non-admins local admin rights.
Recently I've had to install Visual Studio .Net (2003) and developers
cannot seem to do any compiling without being at least member of the
"debug users" group.
If I'm informed correctly this (membership of the debug users group)
allows a malicious programmer to launch any application he desires
and thus actually implies that this developer has local admin rights
(which, if I add a few more errors, he might be able to escalate to
domain admin). Can I have .Net developers working on a workstation in
a domain without making them local admin of their machine?

This is an age old debate and not easily settled in a few backward and
forward posts in a newsgroup. Whatever I tell you, someone will tell you
something different, and whatever you decide to do, your programmers will be
able to produce a lot of reasonable documentation supporting a request for
higher access rights.

I tend to give developers local admin rights on their machines based on a
strict discussion with them of the rights and responsibilities of such
access.

Considering a programmer is developing code that will either end up in a
product you sell or will be used as internal "business logic" to drive the
business that you both work for forward, I would suggest that if the
programmers cannot be trusted with local admin then they should not work for
the company. There is also another flipside to that coin which I'll let you
figure out for yourself.


--
 
Guest

Thanks Robert,
Some additional information however: I am administrator in a school, so you
just suggested me to make all students local admin. Surely there must be an
alternative?
 
Robert Moir

Kris said:
Thanks Robert,
Some additional information however: I am administrator in a school,
so you just suggested me to make all students local admin.

Well, had you mentioned that in the original post, it would certainly change
my reply ;-)

Kris said:
Surely there must be an alternative?

Sure - where I work, in a college, we're using Visual Studio 2005 just fine
with non-admin accounts. Also, things like Virtual PC might be suitable to
give each student a "sandbox" environment to work with.

I've got to say we looked at VS 2003 and decided that whatever Microsoft
thought their audience was for that product it certainly wasn't education;
very difficult to deploy and support and wanted rights that students just
can't have!

--
 
Guest

Thanks again Robert,

I'll suggest an upgrade to Visual Studio 2005. That way the admins will be
happy, the programmers will be happy and we'll only disappoint the "money
guys" when requesting new licenses.
 
Robert Moir

Kris said:
Thanks again Robert,

I'll suggest an upgrade to Visual Studio 2005. That way the admins
will be happy, the programmers will be happy and we'll only
disappoint the "money guys" when requesting new licenses.

On THAT account you might take a look at express editions of the programming
languages - if they meet your curriculum needs then the price may be
attractive to your beancounters.
 
