Wednesday, July 07, 2004

Running as a local admin - who cares?

There has been a fair bit of hype over the last couple of years about developers not running as local admins. The push has been so successful (from a PR perspective at least) that not running as a local admin has been elevated into the same political correctness stratosphere as apologising to indigenous populations, vegetarianism, and Michael Moore films.

Before tackling the issue head-on, it is worth stepping back a bit and looking at what achieving good security is all about. Security is an exercise in risk management, and the end goal is all about beating the bad guys at a minimal cost. Accepting some risk is OK - we do it all the time in our real life. Not carrying all your credit cards is more secure, but nearly all of us carry them anyway because the risk of being mugged and someone making effective use of all those credit cards is low. We could have our machine disconnected from the network except when we absolutely need a network resource, but this would be a pain, and the risk of being passively compromised on a corporate network is pretty low.

As a developer, not running as a local admin has two aspects - avoiding risk, and writing better software that doesn't need to run as a local admin. Neither argument cuts it for me.

The risk aspect doesn't make a lot of sense. Firewalls and virus scanners deal with the risk of viruses quite adequately for me. I understand enough about what is and isn't risky behaviour to deal with it. I actually think the reverse proposition gives you better security - when you are engaging in risky activity such as browsing less-than-reputable websites or installing untrusted shareware, use a VMware or Virtual PC session that you throw out when you're done (kudos to Mark Brindle for this practice.) If you're a developer, and you can't work out what behaviour is risky, you're a mug - try a different game, or get some training.

The better software aspect has some merit to it, but if you don't fully understand what you're doing, it can give you a false sense of security. Take event sources - you need to be a local admin to create these, but not to write to them. I've watched developers not running as local admin, and their first reaction to "funny" behaviour is to try the same action as a local admin. In the event source creation scenario, the code now works because the event source can be created, and when they switch back out of local admin, the code still works, because the source already exists and only creating it needed admin rights. The actual bug (registering the source at run time instead of at install time) has been masked rather than found. I would argue that a developer's machine is so atypical of an average PC or server that trying to get a feel for security and configuration bugs that a user will experience is mostly a waste of time. Not always, but mostly.
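The masking effect above, as an added PowerShell example that is not part of the original post. The source name `ContosoDemoSource` is a hypothetical name chosen for illustration. Run it once unelevated (it fails and says why), once elevated (it registers the source), and then unelevated again: the third run now succeeds, and the run-time registration bug is invisible from that point on.

```powershell
# Added example: shows why "create the event source if missing" only works
# when somebody has already run the code as a local admin.
# ContosoDemoSource is a hypothetical name; the Application log is real.
$Source  = 'ContosoDemoSource'
$LogName = 'Application'

function Test-IsLocalAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-SourceRegistered {
    param([string]$Name)
    try {
        return [System.Diagnostics.EventLog]::SourceExists($Name)
    } catch [System.Security.SecurityException] {
        # Caveat: for an unregistered source, SourceExists walks every log,
        # and a non-admin cannot read the Security log, so it can throw
        # instead of returning $false. Treat that as "not registered".
        return $false
    }
}

function Write-DemoEvent {
    param([string]$Message)
    # Writing to an already-registered source needs no admin rights at all.
    [System.Diagnostics.EventLog]::WriteEntry($Source, $Message,
        [System.Diagnostics.EventLogEntryType]::Information, 1000)
}

if (-not (Test-SourceRegistered $Source)) {
    if (Test-IsLocalAdmin) {
        # Registration writes under HKLM\SYSTEM\CurrentControlSet\Services\EventLog,
        # which is why it is admin-only. Doing it here is the bug being masked:
        # after this one elevated run, every non-admin run will succeed too.
        [System.Diagnostics.EventLog]::CreateEventSource($Source, $LogName)
        Write-Host "Registered '$Source' as admin; later non-admin runs will now hide this step."
    } else {
        # This is what a non-admin hits on a clean machine. Surface it instead of
        # "trying it as admin": the fix is to register the source from the installer.
        Write-Error "Event source '$Source' is not registered. Register it at install time (as admin), not at run time."
        return
    }
}

Write-DemoEvent "Hello from $env:USERNAME (admin: $(Test-IsLocalAdmin))"
```

To verify the point on a clean machine, remove the registration again from an elevated shell with `[System.Diagnostics.EventLog]::DeleteEventSource('ContosoDemoSource')` and rerun unelevated; the error comes back, which is exactly the behaviour an end user on a fresh install would see.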

If you have successfully moved to the lifestyle of a non-local-admin developer, I admire your patience, and hope you find the trade-offs worthwhile. Please continue as is - I'm not here to tell you to switch back. But don't be too righteous in pushing your views down the throats of others.
