I need to convince my internal IT department to give my new team of developers admin rights to our own PCs. They seem to think this will create some security risk to the network.
Can anyone explain why this would be?
What are the risks?
What do IT departments usually set up for developers who need ability to install software on their PCs?
Accounts with administrative privileges, and the programs that run under those accounts, have or can get access to all files in the system. If the user of that account accidentally causes malware to run, the malware can damage more under an administrative account than a standard account. Users under standard accounts can also be prevented from making changes that are harmful, dangerous, or out of standard. Most malware these days tries to move data over the Internet, which can affect network performance, if it isn’t an antivirus scam.
However, from a security standpoint, you’ve already given it all away by allowing physical access (unless you have some specialized hardware), which you must do for the developers to do their job. The user can boot from a live CD or USB device and access any files on the hard drive, and then perform any operations over the network they want.
“Network” security should be taken care of by network security devices at least one step “inside” the edge, i.e. switches, ASA firewalls, etc. End devices can help with network security but shouldn’t be totally responsible for it.
If you want the developers to be able to install software, they’ll need admin rights. One possible thing that can be done is isolate developers on their own logical (or even physical) network, where if any trouble arises it cannot affect the rest of the company. If the developers are valuable enough to the company it might even be beneficial to give them their own Internet connection.
Basically, every right given to any user in the network can endanger it in different ways.
While normal users wouldn’t know what to do with administrative rights apart from installing mini games and click virus links, it doesn’t mean that only beginners can do something wrong.
A lot of (semi) experienced people in IT Administration THINK they would never catch a virus, never install something dangerous, never do something harmful, but they might be careless about it. Apart from doing something without intention, if programmers who actually DO know what they can do do have malicious intent, they can do even more harm.
Not that anything HAS to happen, and I’m not saying everyone has would-be-criminals in their team, but in general, the less rights are given to people, the less can go wrong.
Edit: I just realized my answer was somewhat incomplete: As I am not sure what your developers need it for I can’t give a concise answer. Some companies (like one I am in) have tools where you can request local administrative rights for a certain amount of time, which can be limited by the administrators. I think they only thing you really can do is list why exactly they need administrative rights and why they can’t do their job without them, and hope they see the light.