Securing Development in a production environment



We have had a number of issues over the past year where developers were running FTP servers, anonymous file shares (with confidential data and no ACLs) and other very insecure methods.

Their workstations are in the process of being replaced and are being provided a locked down (least privilege user) environment. A small vocal group says they cannot work this way and MUST have local administrative rights to their box. They have been provided virtual machines running W2k03 Server joined to our production domain (yeah, I said that right).

I am more familiar with the UNIX world and no developer EVER had local administrative rights, even on development boxes, so I am looking for feedback from the group on how you provide an environment for your developers while maintaining security.

I have had a couple of ideas, I look forward to some of yours...

Idea 1)
Developers have a 100% locked down environment other than their development tools. When they need to test their MSI or package installs, they take their "package" into a small development section that would be VLAN'd off the production network. This way they could develop on their own box, wrap up their packages into their installation format, not require any admin privileges and just do a quick walk over to test their packaging installation methodologies.

Idea 2)
Have a development server that all the developers would do final builds and package tests on. This may require two servers, one for building and one for package installation testing, but nothing that VMs couldn't handle. They would use TS to access the box, which again would be VLAN'd off the production network with the exception of RDP.

Idea 3)
Is there a way that you can tell Windows just a specific name of packages and/or packages to install with a normal user account? i.e., allow users of a certain OU to install software with the name of "Developer Software 1" -> "Developer Software 10"? This way, we would have limited access and they couldn't install FTP services or create file shares, but could still install their test packages...

Idea 4+)
??????


