Having actively worked as a contract developer at a base that uses the AF Standard Desktop, I can tell you a few things.
1: and most important. Don't fight it and don't do what the first person suggested "and let them choke on it". That is absolutely the wrong attitude. The military/government is fighting lack of funding, overstretched resources and a blossoming technology footprint that they don't understand. The steps they are taking may not be perfect, but they are under attack and we need to be helping, not hindering.
OK, that off my chest.
2: You need to look at creating (and I know this is hard with funding the way it is) a local development lab. Every base that I have worked at has an isolated network segement that you can get on that has external access, that is isolated from the main gov network. You basically have your work PC for e-mail, reports etc.. that is on the protected network. But, you develop in your small lab. I've had a lab be 2 PCs tucked under my desk that were going to be returned during a tech refresh. In other words, be creative with making yourself a development machine +servers that are NOT restricted. Those machines are just not allowed to be connected to the main lan segment.
3: Get the distributions of the desktop configurations. Part of your testing needs to be deploying/running on these configurations. Again, these configurations are not meant for development boxes. They are meant to be the machines the people use for day to day gov work.
4: If you are working on web solutions, be very aware of the restrictions on adding trusted sites, ActiveX components, certs, certain types of script execution that the configuration won't allow. Especially if you are trying to embed widgets/portlets/utils that require communications outside the deployed application domain.
5: Above all remember that very few of the people you work for understand the technology they are asking you to implement. They know they want function X but they want you to follow draconian security rule Y while achieving it. What that usually means is that the "grab some open source lib or plugin and go" is not an option. But, that is exactly what your managers think you are going to do because of the buzz around rapid development.
In summary, it's a mess out there. Try to help solve the problem.
虽然带来不便,但这项政策并没有真正削弱我们的能力。 我们结合了 Java、C++(MS Visual C++ 和 GNU/C++)、VB 6.0 和一些 Web 开发。 对于我们所做的少量 Web 开发,我们有一个远程开发盒,我们可以通过 RDP 进行测试。 再次,有点不便,但这并没有阻止我们完成工作。
While I've never been through the FDCC process, I once worked for a U.S. defense contractor who's policy was that no one had local administrative access to their machines. In addition, flash drives and CD-ROMs were disabled (if you wanted to listen to music on CDs, you had to have a personal CD player with headphones).
If you needed software installed you had to put in a work order. Someone would show up at your desk with the install media, login to a local admin account, and let you install the software (the reasoning being that you knew what to install better than they did). Surprisingly, the turnaround was pretty quick, usually around 1/2 an hour.
While an inconvenience, this policy didn't really cripple us. We were doing a combination of Java, C++ (MS Visual C++ and GNU/C++), VB 6.0 and some web development. For what little web development we did, we had a remote dev box we would RDP into for testing. Again, a bit of an inconvenience, but it didn't stop us from getting our jobs done.
Without ever having had the problem, today I'd probably try a virtualising solution to run these tools.
Or, as a friend of mine once opined: "Follow the process until They choke on it." In this case this'd probably mean calling the helpdesk each time you needed to have a modification to your local IIS config or you'd needed one of the powertools started.
据我所知,FDCC 只是作为推荐的安全基线。 我会推迟您所需的权限,看看他们能提供什么来满足您的要求。 我不会说我需要成为本地管理员,而是列出您需要能够做的事情,并让他们提出一个可行的解决方案(这可能是让您管理您的计算机或虚拟机) )。 您需要能够在 Visual Studio 中运行调试器,运行本地 Web 服务器 (Cassini),按计划安装开发工具的补丁/更新,...
我最近使用 SCCM 迁移到“半托管”环境从本地更新存储库定期安装补丁。 我自己就是这样做的,但这对企业来说效率稍高,而且让安全办公室很高兴。 我确实让他们把我和其他开发人员放在一个特殊的集合中,以便我们可以在需要时阻止重大更改(IE7 怎么可能是安全更新?)。 没什么问题,只是现在我需要手动更新 Windows Defender,因为我更新它的频率比托管集合中的更新频率更高! 显然,这并不像你的情况那么极端,但我认为这部分是因为我能够为我的工作需要做的事情提供案例,这些事情需要更多的本地控制。
来自 NIST 关于保护 WinXP 的常见问题解答。
我应该更改基线设置吗? 鉴于宽
操作和技术上的变化
经营任何主要业务的考虑因素
企业,适当的是
需要进行一些局部更改
为基线和
相关设置(有数百个
设置、无数的应用程序、
以及多样化的业务功能
Windows XP 系统支持,此
应该是预期的)。 当然,使用
谨慎行事并做出良好判断
更改安全设置。
始终在
先精心挑选试机
并记录实施的设置。
From what I can tell FDCC is only intended to be a recommended security baseline. I'd give some push back on the privileges that you require and see what they can come up with to accommodate your request. Instead of saying I need to be a local administrator, I'd list the things that you need to be able to do and let them come up with a solution that works (which will likely to be to let you administer your machine or a VM). You need to be able to run the debugger in Visual Studio, run a local web server (Cassini), install patches/updates to your dev tools on your schedule, ...
I recently moved to a "semi-managed" environment with SCCM that gets patches installed on a regular basis from a local update repository. I was doing this myself, but this is marginally more efficient for the enterprise and it makes the security office happy. I did get them to put me, and the other developers, in a special collection so that we could block breaking changes if needed (how could IE7 be a security update?). Not much broke except that now I need to update Windows Defender manually since I updated it more frequently than they do in the managed collection! It wasn't as extreme as your case, obviously, but I think that is, in part, due to the fact that I was able to present the case for things that I needed to do for my job that required more local control.
From the NIST FAQ on Securing WinXP.
Should I make changes to the baseline settings? Given the wide
variation in operational and technical
considerations for operating any major
enterprise, it is appropriate that
some local changes will need to be
made to the baseline and the
associated settings (with hundreds of
settings, a myriad of applications,
and the variety of business functions
supported by Windows XP Systems, this
should be expected). Of course, use
caution and good judgment in making
changes to the security settings.
Always test the settings on a
carefully selected test machine first
and document the implemented settings.
This is quite common within financial institutions. I personally treat this as a game to see how much software I can run on my PC without any admin rights or sending requests to the support group.
So far I have done pretty well I have only sent one software install request which was for "Rational Software Architect" ('cos I need the plugins from the "official" release). Apart from that I have perl, php, python, apache all up and running. In addition I have jetty server, maven, winscp, putty, vim and a several other tools running quite happlily on my desktop.
So it shouldnt really bother you that much, and, even though I am one of the worst offenders when it comes to installing unofficial software I would recommend "no admin rights" to any shop remotly interested in securing their applications and networks.
One common practice is to give developers an "official" locked down PC on which they can run the official applications and do their eMail admin etc. and a bare bones development workstation to which they have admin rights.
没有对工作站的本地管理访问权限肯定是一个痛苦的事情。 当我在大学的一个学术部门担任网络开发人员时,我不得不处理这个问题。 每次我需要安装某些东西(例如 Visual Studio 或 Dreamweaver)时,我都必须向计算服务提出请求。
Not having local administrative access to your workstation is a pain in the rear for sure. I had to deal with that while I was working for my university as a web developer in one of the academic departments. Every time I needed something installed such as Visual Studio or Dreamweaver I had to make a request to Computing Services.
发布评论
评论(6)
我曾在使用 AF 标准桌面的基地积极担任合约开发人员,因此我可以告诉您一些事情。
1:最重要的是。 不要反抗,也不要按照第一个人的建议去做“让他们窒息”。 这绝对是错误的态度。 军队/政府正在与资金匮乏、资源过度紧张以及他们不了解的蓬勃发展的技术足迹作斗争。 他们采取的步骤可能并不完美,但他们正受到攻击,我们需要提供帮助,而不是阻碍。
好吧,那是我的心声。
2:你需要考虑创建一个本地开发实验室(我知道以目前的方式提供资金很难做到这一点)。 我工作过的每个基地都有一个独立的网络段,您可以访问该网络段,该网络段具有外部访问权限,与主政府网络隔离。 基本上,您的工作电脑位于受保护的网络上,用于发送电子邮件、报告等。 但是,你是在你的小实验室里开发的。 我的实验室里有两台电脑藏在我的办公桌下,这些电脑将在技术更新期间归还。 换句话说,发挥创意,让自己成为一台不受限制的开发机器+服务器。 这些机器不允许连接到主 LAN 网段。
3:获取桌面配置的分布。 您的部分测试需要在这些配置上部署/运行。 再次强调,这些配置不适用于开发盒。 它们应该成为人们日常政府工作所使用的机器。
4:如果您正在开发 Web 解决方案,请务必注意添加受信任站点、ActiveX 组件、证书以及配置不允许的某些类型的脚本执行的限制。 特别是当您尝试嵌入需要在已部署的应用程序域之外进行通信的小部件/portlet/utils 时。
5:最重要的是要记住,你的下属中很少有人了解他们要求你实施的技术。 他们知道他们想要功能 X,但他们希望您在实现它时遵循严格的安全规则 Y。 这通常意味着“获取一些开源库或插件并继续”不是一个选项。 但是,由于围绕快速发展的热议,这正是您的经理认为您要做的事情。
总而言之,那里一团糟。 尝试帮助解决问题。
Having actively worked as a contract developer at a base that uses the AF Standard Desktop, I can tell you a few things.
1: and most important. Don't fight it and don't do what the first person suggested "and let them choke on it". That is absolutely the wrong attitude. The military/government is fighting lack of funding, overstretched resources and a blossoming technology footprint that they don't understand. The steps they are taking may not be perfect, but they are under attack and we need to be helping, not hindering.
OK, that off my chest.
2: You need to look at creating (and I know this is hard with funding the way it is) a local development lab. Every base that I have worked at has an isolated network segement that you can get on that has external access, that is isolated from the main gov network. You basically have your work PC for e-mail, reports etc.. that is on the protected network. But, you develop in your small lab. I've had a lab be 2 PCs tucked under my desk that were going to be returned during a tech refresh. In other words, be creative with making yourself a development machine +servers that are NOT restricted. Those machines are just not allowed to be connected to the main lan segment.
3: Get the distributions of the desktop configurations. Part of your testing needs to be deploying/running on these configurations. Again, these configurations are not meant for development boxes. They are meant to be the machines the people use for day to day gov work.
4: If you are working on web solutions, be very aware of the restrictions on adding trusted sites, ActiveX components, certs, certain types of script execution that the configuration won't allow. Especially if you are trying to embed widgets/portlets/utils that require communications outside the deployed application domain.
5: Above all remember that very few of the people you work for understand the technology they are asking you to implement. They know they want function X but they want you to follow draconian security rule Y while achieving it. What that usually means is that the "grab some open source lib or plugin and go" is not an option. But, that is exactly what your managers think you are going to do because of the buzz around rapid development.
In summary, it's a mess out there. Try to help solve the problem.
虽然我从未经历过 FDCC 流程,但我曾经为一家美国国防承包商工作,该承包商的政策是任何人都没有对其机器的本地管理访问权限。 此外,闪存驱动器和CD-ROM被禁用(如果你想听CD上的音乐,你必须有一个带耳机的个人CD播放器)。
如果您需要安装软件,则必须提交工作订单。 有人会拿着安装介质出现在您的办公桌前,登录到本地管理员帐户,然后让您安装软件(原因是您比他们更知道要安装什么)。 令人惊讶的是,周转速度非常快,通常约为 1/2 小时。
虽然带来不便,但这项政策并没有真正削弱我们的能力。 我们结合了 Java、C++(MS Visual C++ 和 GNU/C++)、VB 6.0 和一些 Web 开发。 对于我们所做的少量 Web 开发,我们有一个远程开发盒,我们可以通过 RDP 进行测试。 再次,有点不便,但这并没有阻止我们完成工作。
While I've never been through the FDCC process, I once worked for a U.S. defense contractor who's policy was that no one had local administrative access to their machines. In addition, flash drives and CD-ROMs were disabled (if you wanted to listen to music on CDs, you had to have a personal CD player with headphones).
If you needed software installed you had to put in a work order. Someone would show up at your desk with the install media, login to a local admin account, and let you install the software (the reasoning being that you knew what to install better than they did). Surprisingly, the turnaround was pretty quick, usually around 1/2 an hour.
While an inconvenience, this policy didn't really cripple us. We were doing a combination of Java, C++ (MS Visual C++ and GNU/C++), VB 6.0 and some web development. For what little web development we did, we had a remote dev box we would RDP into for testing. Again, a bit of an inconvenience, but it didn't stop us from getting our jobs done.
如果没有遇到过这个问题,今天我可能会尝试虚拟化解决方案来运行这些工具。
或者,正如我的一位朋友曾经说过的:“遵循这个过程,直到他们窒息为止。” 在这种情况下,这可能意味着每次您需要修改本地 IIS 配置或者需要启动其中一个强力工具时,都需要致电帮助台。
Without ever having had the problem, today I'd probably try a virtualising solution to run these tools.
Or, as a friend of mine once opined: "Follow the process until They choke on it." In this case this'd probably mean calling the helpdesk each time you needed to have a modification to your local IIS config or you'd needed one of the powertools started.
据我所知,FDCC 只是作为推荐的安全基线。 我会推迟您所需的权限,看看他们能提供什么来满足您的要求。 我不会说我需要成为本地管理员,而是列出您需要能够做的事情,并让他们提出一个可行的解决方案(这可能是让您管理您的计算机或虚拟机) )。 您需要能够在 Visual Studio 中运行调试器,运行本地 Web 服务器 (Cassini),按计划安装开发工具的补丁/更新,...
我最近使用 SCCM 迁移到“半托管”环境从本地更新存储库定期安装补丁。 我自己就是这样做的,但这对企业来说效率稍高,而且让安全办公室很高兴。 我确实让他们把我和其他开发人员放在一个特殊的集合中,以便我们可以在需要时阻止重大更改(IE7 怎么可能是安全更新?)。 没什么问题,只是现在我需要手动更新 Windows Defender,因为我更新它的频率比托管集合中的更新频率更高! 显然,这并不像你的情况那么极端,但我认为这部分是因为我能够为我的工作需要做的事情提供案例,这些事情需要更多的本地控制。
来自 NIST 关于保护 WinXP 的常见问题解答。
From what I can tell FDCC is only intended to be a recommended security baseline. I'd give some push back on the privileges that you require and see what they can come up with to accommodate your request. Instead of saying I need to be a local administrator, I'd list the things that you need to be able to do and let them come up with a solution that works (which will likely to be to let you administer your machine or a VM). You need to be able to run the debugger in Visual Studio, run a local web server (Cassini), install patches/updates to your dev tools on your schedule, ...
I recently moved to a "semi-managed" environment with SCCM that gets patches installed on a regular basis from a local update repository. I was doing this myself, but this is marginally more efficient for the enterprise and it makes the security office happy. I did get them to put me, and the other developers, in a special collection so that we could block breaking changes if needed (how could IE7 be a security update?). Not much broke except that now I need to update Windows Defender manually since I updated it more frequently than they do in the managed collection! It wasn't as extreme as your case, obviously, but I think that is, in part, due to the fact that I was able to present the case for things that I needed to do for my job that required more local control.
From the NIST FAQ on Securing WinXP.
这在金融机构中很常见。 我个人将其视为一个游戏,看看我可以在我的电脑上运行多少软件,而无需任何管理员权限或向支持小组发送请求。
到目前为止,我做得很好,我只发送了一个针对“Rational Software Architect”的软件安装请求(因为我需要“官方”版本的插件)。 除此之外,我已经启动并运行了 perl、php、python、apache。 此外,我的桌面上还有 jetty 服务器、maven、winscp、putty、vim 和其他几个运行得很好的工具。
因此,它不应该真正困扰您那么多,而且,尽管在安装非官方软件方面我是最严重的罪犯之一,但我会向任何对保护其应用程序和网络安全感兴趣的商店推荐“无管理员权限”。
一种常见的做法是为开发人员提供一台“官方”锁定的 PC,他们可以在其上运行官方应用程序并进行电子邮件管理等,以及一个他们拥有管理权限的基本开发工作站。
This is quite common within financial institutions. I personally treat this as a game to see how much software I can run on my PC without any admin rights or sending requests to the support group.
So far I have done pretty well I have only sent one software install request which was for "Rational Software Architect" ('cos I need the plugins from the "official" release). Apart from that I have perl, php, python, apache all up and running. In addition I have jetty server, maven, winscp, putty, vim and a several other tools running quite happlily on my desktop.
So it shouldnt really bother you that much, and, even though I am one of the worst offenders when it comes to installing unofficial software I would recommend "no admin rights" to any shop remotly interested in securing their applications and networks.
One common practice is to give developers an "official" locked down PC on which they can run the official applications and do their eMail admin etc. and a bare bones development workstation to which they have admin rights.
没有对工作站的本地管理访问权限肯定是一个痛苦的事情。 当我在大学的一个学术部门担任网络开发人员时,我不得不处理这个问题。 每次我需要安装某些东西(例如 Visual Studio 或 Dreamweaver)时,我都必须向计算服务提出请求。
Not having local administrative access to your workstation is a pain in the rear for sure. I had to deal with that while I was working for my university as a web developer in one of the academic departments. Every time I needed something installed such as Visual Studio or Dreamweaver I had to make a request to Computing Services.