A very frustrating aspect of the job is the IT security policy. As developers we need access to the latest and greatest tools to get the job done - we know what we're doing. However, we are restricted to a version of Windows with administrator passwords required for any small changes. We follow some ISO standard for security, specifically 27001, from what I can gather.
The most important thing to note here is: we all use VMs anyway to get around this! We tend to work on Ubuntu (Linux is awesome for development), or even in a Windows VM to install something that requires admin privileges on the host computer. 8GB ram isn't that much when you're doing VM stuff all the time.
How can I put forward a good case for more freedom on the IT security policy for developers? Explicitly meaning complete access to the base OS instead of doing everything through a VM (which we can use to install dodgy applications if we wanted to anyway)?
In one case a guy who sat next to me received a new computer because his old one simply died. He was able to log into it but couldn't install visual studio. So, he put a work order into IT and they performed the install.
Then, he had to put a work order in so that he could get it hooked up to our version control system. Another work order to have MS Office installed. Yet another one to get access to the sharepoint sites we used (locked down by MAC address). Time spent thus far: 3 weeks.
Once all of that was done... he couldn't debug the web app. VS required admin privileges to run the debugger. He also couldn't configure IIS locally (locked down). He put in two more work orders to fix this. The local admin access one was rejected outright a week later because developers were now prohibited from that. IT did show up and configure IIS...however he didn't have rights to push anything into the website directories so this was useless.
Every day he spoke to his boss about his lack of ability to do any part of his job. Every day that boss spoke to his boss, who would then fire an email to the IT Director. This went on for months. He did bring his own laptop in, but the company had a strict policy against plugging them up to the network.
The sad thing is that the rest of our small project team had local admin access. This guy even had it on his original machine. It was simply a policy put in place by a new IT director, which was approved by the CTO.
The company was a rather large one with close to 1,000 .Net developers. Due to normal turn over, everyone being hired in quickly found that they were unable to do any work. Some stayed determined to wait it out, some left. After around 4 months the IT Director was fired (for something completely unrelated) and his replacement (promoted from within) immediately changed that policy.
As to your specific situation, all you can do is have a nice talk with your manager about the ludicrous nature of the policy while submitting your requests to the appropriate people and then do the best you can. Some people can work in such silly environments; others find that happiness lies elsewhere.
"We follow some ISO standard for security, specifically 27001, from what I can gather" These are generally a pain in the ass requiring much box ticking. Your IT department is probably doing what they are supposed to be doing, and getting in their face about it isn't going to help any. In fact, even looking at the Wikipedia article makes it clear that it's pedantic by design, and I thankfully am not reading through the whole thing for an answer.
If you're going to have to ask for changes, consider that the decision is probably made higher up, and possibly by less technical folk. You're probably going to have to work out the right person and way to ask, and it's as much a political as a technical decision.
Any IDE or application updates
Less likely - you're probably going to have to go through corporate to do this. You might be able to talk a sympathetic IT department into letting you test updates for them before a wider deployment, though.
Any new installations what-so-ever
Nuh uh. NOT happening. Eventually you end up with a lot of tribbles: unmanaged, anarchic systems with no central management. You might be able to talk them into letting you have some test systems, but building and deploying your own as needed is unlikely.
In a sense you're going to have to convince management that the changes you need are essential to get things running. You're probably also going to need to handle politics, and compliance, and so on. It's not going to be easy.
1) The Company has a strict policy, IT has to handle all these things - even for developers. They know it's a pain, but they have to have it this way. You'll be asking for a lot of passwords, unless...
2) The Company has a strict policy and can't/won't change, but developers tend to do whatever they want anyway. A senior tech once asked me what I used for a given task, and I told him, and he responded, "You developers...you just can't use the approved program list, can you?" - with a knowing smile.
This is often referred to as "covert" or "black bag" operations, where everyone uses what they want and management knows, and people just don't say anything or particularly care as long as you don't come complaining when something goes wrong (and you don't screw up anything for anyone else). The downside here, by the way, is sometimes political games are played and if anything goes wrong you can get chewed on even if your tools/software/workstation had nothing to do with it - especially if you are junior ("if any of your team is captured or killed the Secretary will disavow all knowledge").
3) The Company has a strict policy...and knows about you pesky developer types, and grants you local admin privileges on your own machines, or even sets up unmanaged virtual machines you can use to run your tools without screwing up their workstations and making them reinstall an image when you inevitably blow the thing up.
We all say we know what we are doing, and we all end up blowing up an OS install at one point or another. "I'm pretty sure manually installing an alpha version of the wrong driver and editing the registry to make the process go faster didn't cause a problem...cough..."
Especially when the company doesn't have a ton of new hires into your department regularly, or if your dev department is just a small edge-case for what IT does in a day, sometimes people just forget how to handle things and they have no checklist for dev installs.
4) The Company has things the way they are for a reason and they do not, or can not, change because you dislike it and it seems unproductive. You end up just having to put up with it, though the good news is usually it dies down once you get everything setup and you rarely need to call for a password anymore.
Sometimes you also get very good at using software that doesn't require admin privileges, or...see #2 above. Sometimes it's just a downside of tough policies, secure infrastructure, bad management, or the nature of bureaucracy...the upside is often that you don't really need to worry about any of it, and when the next big security vulnerability pops up and it's revealed the NSA is actually The Missing Butler (gasp!), it's not your problem. You just do your job, or have a visiting hour while IT scrambles to patch and reboot all workstations, secure in the knowledge that it's "Not My Problem". This may or may not suit your style of work and personality, but different environments for different folk!
If you do decide to ask/push for an exception to security policies, you should be aware of the very likely possibility, suggested by the very fact that you're asking, that you are one of the people the policy is for, not someone special who should be exempt from it. What guarantee do you have that the drivers, tools, etc. you're downloading and installing are non-malicious? They very well could contain code designed to impede or slow down your company's operations, leak private information and trade secrets, etc.
If they do turn out to be malicious, what kind of audit trail are you keeping to determine where the malicious code was introduced? Was it original in the version of the driver/tool provided by the vendor? Was it injected via a MITM attack? Internal or external to your organization? Was it just a virus you picked up carrying the software around on your personal USB stick? Etc.
Taking care of all of these concerns is the job of an IT security department/policy, which is in place because the company wants to be able to hire people (like you) who are qualified in their own field (development) but who are either unqualified, or unable to dedicate half of their time, to rigorous attention to security.
If you still do want to go for it, you should make an effort to understand why these issues matter and convey that understanding to the decision makers you need to convince. You should also be prepared to do the kind of record keeping work that the IT department would be doing if you weren't going around them.
One thing to consider is that you are new to the job, so you need more stuff to install or set up than your colleagues. It may be that over time, as your dev environment stabilizes, you will have fewer such issues. This may be one reason why your colleagues are more willing to accept the status quo.
If this is not the case, the basic question is why the security policy is defined that way. Does your company have special security requirements, like a bank, or an organization dealing with classified or sensitive (personal) information? In this case they aren't likely to change their security policy for a relative minority of their employees. Still, it may be worth a try, but make sure you do it in a way which doesn't harm your reputation and future career prospects.
So instead of telling about your personal frustration, focus on the business aspect of the problem. Being blocked in your work costs hard money to the company. Can you quantify how many hours you (and your dev colleagues) have been held up on average per week / month by these regulations? That gives management an estimation of lost productivity, which can be monetized if multiplied by the average hourly cost of a developer. If this gives a high enough figure, management may take notice and act on it.