?

Log in

No account? Create an account
Gavin Greig [userpic]

Developers: Nobody Special

January 12th, 2007 (09:44 pm)
current location: KY16 8SX

It was nice to be able to feel a little virtuous this morning when I read Tales from the Crypto, where Alun was complaining - justifiably - that too may software developers run with local Adminstrator privileges. Although we may be (OK, we are) sinners in other respects, none of the developers at work run as Administrator any more, and this trend is now being picked up by the rest of the organisation, rather than the other way round.

I gave up running as Admin a little over two years ago, and though it took a while to convince anyone to join me, the rest of the development department took the plunge about a year back. Now, with us as guinea pigs to show that it's possible, the IT department is planning to push it out to the rest of the organisation.

This order of doing things is at least in part due to the small family company of a decade ago gradually becoming a medium-sized business; so we're developing a more corporate approach, rather than having had it ingrained for years.

I'm glad that this is one aspect of security where we're doing better now. Many of us will have been used to being lowly users when using computers at university. It's not so hard to go back. It'll help to protect your computer whoever you may be, on whatever platform, and if you're a developer - especially if you're a developer - it will help you to write better-behaved software.

Comments

Posted by: Scotty (scottymcleod)
Posted at: January 13th, 2007 07:17 pm (UTC)

Use of Admin rights and directly running as Admin is just plain one of the worst aspects of managing a Windows environment - note I did not say Windows.

Given the history of where Windows has come from, 16 bit single user in Window pre workgroup days, I have great sympathy for the users and developers including Microsoft’s that have grown up in the ecosystem.

Linux copying so much from UNIX including the idea of Root and multiple users has not had to deal with the legacy issues we are only now finally seeing dealt with in the Windows user space.

Microsoft since the introduction of NT have had an answer with multiple users and varying rights grantable but been their own worst enemy by not only some of the choices about what is an Admin right and what users should be either able to do or be allowed to do by policy application.

For very justifiable reasons historically users have been annoyed by the out of the box experience all the way to XP; changing time zone, power settings, writing to CD/DVD burners etc.

As someone who uses his own machines as a user and utilises various techniques for Admin access when required I find the experience not nearly as bad as I often see the situation stated but I do not run software that requires Admin access without good reason which organisations do not always have the chance to do for legacy or commercial reasons. Almost all of the blame for needing Admin access can be attributed to badly written software applications or dumb design decisions like the time zone and power settings in the OS. They are in my experience 80/20 and if more developers would follow the example you folks have this would change for the better quickly.

Vista whatever you think of it is trying to make this better with UAC. As someone who has used this OS for over two years as his daily, normal OS with all the associated chances to learn I know better than most it is not perfect but given history/legacy and security to balance they have got it better.

My experience has been that most of those complaining loudly about being prompted for credentials are used to running as Admin and the risks that brings or just like to shout about something.

Will stop now as this looks way to long for a comment and could easily become bait for those with trenchant views of the ability of Microsoft to produce anything of note.

Posted by: Scotty (scottymcleod)
Posted at: January 13th, 2007 07:20 pm (UTC)

Should clarify the first paragraph

For those like me who have to manage large Windows deployments access to local Admin rights are a very common request and the most serious pain because of the security implications and loss of control of the resulting machines.

Personally I seldom if ever need to run as Admin on Windows XP except for burning CD’s for which Run As works very nicely.

Posted by: Gavin Greig (ggreig)
Posted at: January 14th, 2007 12:12 am (UTC)
Rune

I find the experience not nearly as bad as I often see the situation stated

That seems to be the common experience in my (admittedly limited) circle. People think "how can I possibly manage without Admin privileges" then find it's not so bad as they'd expected.

My experience has been that most of those complaining loudly about being prompted for credentials are used to running as Admin and the risks that brings or just like to shout about something.

I'm inclined to agree. Yes, there are some significant annoyances, and you've mentioned several of them, but most of the things you need to do most of the time can still be done perfectly adequately without Admin privileges.

3 Read Comments