How to configure your development environment to develop with least privilege

The most common objection developers hold against using a non-admin account is that they can't develop software with a lesser privileged account. Standard user accounts do not have the sufficient privileges to debug applications or create web applications on Microsoft Internet Information Server. To configure your development environment correctly, you'll need a good understanding of what privileges are required to perform different tasks. In this post I'll provide a guide to configure your environment for least privileged development.


Most of the permissions needed to perform different tasks are already granted to different user groups defined on your computer. Members of the debugger users group are allowed to use Visual Studio .NET to debug processes, both locally and remotely. It is critical for all developers to have this permission, but it should not be granted to everyone because it can be exploited to gain elevated privileges. Members of the VS_Developers group can create new web applications on Microsoft Internet Information Server. Despite the name, membership in this group is not needed to do other Visual Studio .NET development, such as creating Windows Forms applications or similar. If you want to debug web applications on either Windows XP or Windows Server 2003, your user must be a granted the "Log on as batch job" privilege. This privilege is already granted to the IIS_WPG group on Windows Server 2003, so if you don't have to explicitly give users this privilege if you add them to this group. Windows XP hasn't got an equivalent to the IIS_WPG group, so you'll have to grant users this privilege in Windows XP environment.


Below are guides to how you can configure your Windows XP or Windows Server 2003 development environment. Both guides require Visual Studio .NET to be installed on the development computer.


Windows XP (Service Pack 2)

  1. Log on as an administrator.
  2. If you already have a regular user account you can skip to 7
  3. Open the control panel in category view and click "User Accounts". When instructed to pick a control panel icon, click "User Accounts" again.
  4. In the "User Accounts" dialog, open the "Users" pane and click "Add…".
  5. In the "Add New User" wizards fill in the fields in the first step and click "Next >". On the second pane choose the "Restricted user" option and click the "Finish" button.
  6. Change to the "Advanced" tab and click the "Advanced" button in the "Advanced user management" section.
  7. In the "Local Users and Groups" dialog, locate and double-click your user in the "Users" folder.
  8. In the "User Properties" dialog, open the "Member Of" tab.The user should be a member of the "Users" group, not the "Administrators" or "Power Users" groups.
  9. Click the "Add.." button button and type in "Debugger Users; VS Developers;" in the text box below "Enter the object names to select (examples):" caption.
  10. Click "OK" and close the "Local Users and Groups" dialog.
  11. Open the "Local Security Policy" console.
  12. Expand "Local Policies" and click "User Rights Assignment"
  13. Double-click "Log on as batch job".
  14. From the "Log on as batch job Properties" dialog click the "Add User or Group…" button.
  15. In the "Add User or Group" type in name of your user account.
  16. Click "OK" and close the "Local Security Settings" console.

Windows Server 2003

  1. Log on as an administrator.
  2. Open the "Computer Management" console and expand "System Tools".
  3. If you already have a regular user account you can skip to 7
  4. To create a new account, expand "Local Users and Groups".
  5. Right-click "Users" and choose "New User".
  6. In "New User" dialog fill in the required details and click "Create".
  7. Double-click your existing or new user account in the "Computer Management" console.
  8. From the "User Properties" dialog, open the "Member Of" tab. The user should only be a member of the "Users" group, not "Administrators" or "Power Users".
  9. Click the "Add" button and type in "Debugger Users; VS_Developers; IIS_WPG;" in the text box below "Enter the object names to select (examples):" caption.
  10. Click "OK" and close the "Computer Management" console.

Technorati :

你可能感兴趣的:(Environment)