Allowing programmers to be local administrator permissions at work

Hi

I am part of a small software team inside a large ish company, so the company is not set up to cater for programmers.

I am in discussions with IT about users being local administrars on their own computers. This is generally useful, and necessary for some things (mounting drives in docker for example).

It are understandably not keen, as it causes them a security headache.

I am looking for examples of programmers who work at companies that do allow this.

If this is you, please leave a message! Ideally include anything that is done to tackle the increased security risk.

Thanks

Cedd

I work at a large global company with more than 10k employees. Our tech-to-non-tech ratio of maybe 1-9 (very vague guess).

Developers have root privileges on their work stations and the IT department runs jamf to remotely administer all machines.

This is not a security issue for us - the bigger risk is human error, for example: putting passwords on post it notes, publishing API keys on GitHub, falling for social engineering attacks. Not that these things have happened at my company, but these are the more likely risks.
I’m not sure if that helps your argument.
:confused:

I’ve heard that people work around those problems by bringing their own machines - surely a bad solution, but it might be a temporary workaround until you find a proper solution.
:confused:

Production infrastructure is a different story though. There your company should follow the principle of least privilege, use ephemeral keys, employ 0-shared architectures etc.

Not a very conclusive answer, I hope it helps anyways.

When I worked for a major security software vendor, we all had admin on our local machines, though laptops did have to run a standard system image in order to be able to connect to the VPN, and that image included AV software, full disk encryption, and other goodies. None of that stuff could be disabled easily since those parts were locked down by group policies. Before then at another shop, you didn’t get local admin access normally, but it was given to pretty much anyone who specifically asked for it, and engineers got it by default (as in the root password, since sudo wasn’t a thing yet).

Lock things down properly (not always easy), and non-technical users won’t know or care. Do that with a programmer’s system, and they’ll waste their expensive time trying to hack around it, or worse, do all their dev on an unofficial box so now all your source is on a machine that you don’t have any control over.

Thanks both. It sounds like you are both in favour of programmers being administrators of their own machines, and that you don’t have many security concerns about this.

I think our IT worry that if a virus gets on to our machines it will be able to do more damage, but as long as our access to the rest of the infrastructure is restricted / uses different credentials then the damage should be limited to just one machine, which can just be rebuilt

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.