Re: Application Admins with Local Admin on Servers



There are pretty much just two reasons for giving anyone Windows admin accounts:

1. The person needs to be able to manage system/user accounts; or
2. General laziness and lack of time, knowledge or concern for security.

It is almost always possible to grant non-administrators sufficient permissions to the file system, registry and OS rights (such as debug) without needing to grant full admin privileges. It is true that it sometimes takes a little time to figure out what rights are missing, and it's true that someone with such privileges in Windows could escalate their privileges to admin.

I think you'll find a pretty even mix of answers. Some environments give in and grant developers admin privileges, while others forbid it. Some environments give them increased privileges over development test servers or workstations, but the sysadmins retain control over the production servers. Some rely on IT policy and detection rather than preventative technical controls, e.g. someone can technically make a forbidden change, but it will hopefully be detected and reprimanded. As with much in security, there is no one answer that is best or correct for everyone; it depends on your individual security needs and tolerance for different kinds of risk.

I think there actually is some difference between Windows and non-Windows environments here. With non-Windows environments like Linux, I believe it is easier and more common to grant users non-root privileges, to grant privileges granularly just to the necessary objects, and to require users to always use runas equivalents (su or sudo) only sporadically. With Windows, it is sometimes necessary to allow users to have more local privileges that affect other local users and objects than you would normally want them to have.

kind regards,
Karl Levinson
http://securityadmin.info
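
An added example, not part of the original post: one way to do the file system and registry part of the delegation described above with PowerShell's ACL cmdlets instead of adding the group to local Administrators. The group name, directory and registry key are hypothetical placeholders.

```powershell
# Added example. Hypothetical names: replace with your own group, folder and key.
# Run once from an elevated session by the server's sysadmin.
$group  = 'CONTOSO\AppAdmins'        # application admins, NOT in local Administrators
$appDir = 'D:\Apps\OrderSvc'         # application's own folder
$regKey = 'HKLM:\SOFTWARE\OrderSvc'  # application's own registry key

# File system: Modify on the application folder, inherited by subfolders and files.
$acl  = Get-Acl -Path $appDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $appDir -AclObject $acl

# Registry: read and write values/subkeys under the application's key only.
# Deliberately omits ChangePermissions and TakeOwnership.
$racl  = Get-Acl -Path $regKey
$rrule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $group, 'ReadKey,SetValue,CreateSubKey', 'ContainerInherit', 'None', 'Allow')
$racl.AddAccessRule($rrule)
Set-Acl -Path $regKey -AclObject $racl

# Verify: the group shows up on both ACLs...
(Get-Acl -Path $appDir).Access |
    Where-Object { $_.IdentityReference.Value -eq $group } |
    Format-Table IdentityReference, FileSystemRights, IsInherited
(Get-Acl -Path $regKey).Access |
    Where-Object { $_.IdentityReference.Value -eq $group } |
    Format-Table IdentityReference, RegistryRights, IsInherited

# ...and is not a direct member of local Administrators (expect no output).
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.Name -eq $group }
```

The last check only sees direct members of the local group; nested membership through a domain group has to be checked in the directory.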