There is already a lab network with its own AD. It's multiple subnets
on a 10.0.0.0/21 network, whereas the production networks are a series
of subnets in the 192.168.0.0/16 range - I've put a FreeBSD box with
multiple NICs acting as a router between them for communication.

I'm working on putting PF on that router and getting all of the
developer machines on that network.

The first part of all of this, though, is getting policies in place -
there are none currently. Really. Well, there is a poorly defined AUP,
but it's toothless, and hasn't been reviewed since I've been here -
nearly 8 years.

Once I get the executives to sign off on the policies, I can implement my plans.

Kurt
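As an added illustration, not part of Kurt's message, here is the kind of pf.conf such a FreeBSD router could start from: the lab (10.0.0.0/21) and production (192.168.0.0/16) ranges are the ones named above, while the interface names em0/em1, the management SSH rule and the short list of production services the lab may reach are assumptions chosen for the example.

```pf
# pf.conf for a FreeBSD box routing between a lab network and production.
# Assumed: em0 faces production, em1 faces the lab, and the only production
# services the lab needs are DNS, NTP and HTTPS. Adjust to the real inventory.
prod_if  = "em0"
lab_if   = "em1"
prod_net = "192.168.0.0/16"
lab_net  = "10.0.0.0/21"

lab_to_prod_tcp = "{ 443 }"
lab_to_prod_udp = "{ 53, 123 }"

set skip on lo0
set block-policy drop

# Discard packets whose source address does not belong on the interface they
# arrived on, then default-deny everything. Later matching rules win in pf,
# so the pass rules below carve explicit exceptions out of this block.
antispoof quick for { $prod_if $lab_if }
block log all

# Management of the router itself (assumed: SSH) only from the production side.
pass in quick on $prod_if proto tcp from $prod_net to ($prod_if) port 22 keep state

# Lab -> production: only the listed services, stateful, so return traffic
# is admitted without a matching rule in the other direction.
pass in on $lab_if proto tcp from $lab_net to $prod_net port $lab_to_prod_tcp keep state
pass in on $lab_if proto udp from $lab_net to $prod_net port $lab_to_prod_udp keep state

# Production -> lab: nothing initiated from production except ping, which
# keeps troubleshooting possible without exposing lab hosts to AD clients.
pass in on $prod_if inet proto icmp from $prod_net to $lab_net icmp-type echoreq keep state

# Forwarding: once a flow has been admitted inbound above, let it leave on the
# other interface. This also covers traffic the router itself originates.
pass out on { $prod_if $lab_if } keep state
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only), then `pfctl -f /etc/pf.conf`; forwarding itself is enabled separately with `gateway_enable="YES"` in rc.conf. The `block log all` line means every dropped packet is visible on pflog0, which is the easiest way to discover which lab-to-production flows were missed before the developers do.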

On Wed, Sep 2, 2009 at 00:46, Ken Schaefer<k...@adopenstatic.com> wrote:
> One way to get around the dev issue is to have a dedicated development 
> environment (e.g. hosted in VMs). They can have their own AD, and do whatever 
> stuff they need with elevated rights in there. But their regular PC, for 
> doing their regular work (e.g. writing documentation and writing emails and 
> whatever) they use a regular account with. And that helps the developers 
> understand the types of restrictions that regular users have to work under as 
> well.
>
> Cheers
> Ken
>
> -----Original Message-----
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Wednesday, 2 September 2009 6:17 AM
> To: NT System Admin Issues
> Subject: Re: Local admins (was RE: MSINFO popping up)
>
> Thoroughly agree, and I'm finally convincing management to let us make this 
> happen - though our software engineers are not yet aware of it.
> They'll probably end up on a firewalled subnet of their own, though, and can 
> do what they want with it, as I'll wash my hands of that.
>
> But, I'm down to two guys, and we've got a lot of work ahead of us to make 
> this happen.
>
> Kurt
>
> On Tue, Sep 1, 2009 at 15:00, Ben Scott<mailvor...@gmail.com> wrote:
>> I'll chime in and agree that removing admin rights from regular
>> accounts is one of the best things you can do. The rest of the
>> computer world has been doing it for 50 years or so; it's high time
>> the Windows world joined in, too.
>>
>> We started doing this when we started migrating from Win9X to
>> 2000/XP. Best thing we ever did. The amount of trouble due to stupid
>> things has dropped dramatically. Users can't screw up their own
>> computers any more. We don't have "mystery software" -- no "so-and-so
>> used to work here and had this program and now we need it but don't
>> know where it is". No pollution of user PCs with crap from home or
>> the Internet. The virus/malware problem is hugely mitigated by this
>> alone.
>>
>> It's been some work, and it's often still a lot of work when we get a
>> new application in. Fortunately, when someone thinks to ask IT before
>> the sale, I can tell the vendor "fix your LUA bugs or we walk".
>> Even for a small company like this, that gets results.
>>
>> Someone mentioned "he's a senior admin and I can't really justify not
>> letting him have admin rights". I can't speak for the politics in a
>> particular company, but where I work, nobody has admin rights for
>> their regular account. Nobody. Not the owner, not the president, not
>> me. I'm the IT Manager and half the IT department, and my regular
>> user account has less access than a lot of other people. I know the
>> passwords to the admin accounts, of course, but my regular account is
>> a regular account.
>>
>> I strongly believe this should be the first tech improvement priority
>> in any IT organization that isn't already there.
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~