Developer environment

Posted on 2012-08-27
Last Modified: 2012-09-11
Hello everyone.  I have a problem I think...

We have a new employee who has started with us and is very set in their ways.  

They are the new manager of the developer department for us.  I will from now on refer to this person as (DEV BOSS) and these developers that work under this person as (DEVELOPERS).  They all work with various versions of Visual Studio, SQL and SourceSafe among other things.  

A Developer decided they needed to leave the company and take another job elsewhere.  Per IT policy, we disable AD credentials, back up their My Documents folder and leave their account disabled.  When this DEVELOPER left and went to turn in their laptop, the DEV BOSS asked for their username and password for Windows.  This is obviously a big no-no.  I am militant in my enforcement of our password policies; there is no reason in a proper IT environment for user credentials to be shared as far as I am concerned.  Any company that takes security seriously affirms this.  

The employee correctly said, "No, I can't give you my password, see IT."  Which this individual did.  The DEV BOSS tried to make the case that they needed the former DEVELOPER's user password because the programmer had "set up a development environment" on the laptop and did not want to have to recreate it from scratch and lose all this person's work; the only way to avoid this is to continue using a username and password for an employee who has left the company.  This I won't budge on.  

I have to know, in companies much bigger than mine, when you have a developer work on their own laptop and set up an environment for testing (whatever that means), and that user leaves and the hardware gets reassigned, don't you format the laptop and start from scratch?  I need to make room for the new user's profile and am cool with just deleting the user-specific profile, not messing with any program files.  

I've given the new user the same rights on the machine and our network the old user had.

This should in theory leave whatever this user is talking about alone.  I realize this is a poor description of the problem I am having, but that's because I don't use VS or anything these programmers use and am having difficulty grasping what the DEV BOSS is complaining about.  I fully disbelieve (especially after consulting with other IT companies as well on this) that #1 There is never ever a reason for someone to know someone else's password even after they leave. #2 Microsoft developer software really isn't as dumb as this DEV BOSS is letting on.  

I hate dealing with stuff like this, especially when someone who comes from a company that had way more relaxed policies than we do INSISTS that they must get their way and circumvent our policies.  

How do you all set up developer laptops?

Is this DEV BOSS full of it?  Or have I made some real deadly assumptions here?
Question by:LWDud

    Assisted Solution

    Firstly I admire your desire to stick with the principles of good security, however I think in this case the DEV BOSS has a pretty good argument for getting access to this developer account.

    There is nothing secret about a developer account, if the user has left the company then their entire profile, data, emails etc etc is company property and their successor should be granted access to it.  Just reset the password and give the DEV BOSS access.

    I can tell you that it often takes about a week of downtime to correctly configure and install the entire software development stack, due to the complexity of the configuration required.

    For example, I have IIS, SQL Server, Oracle, MySQL, Eclipse and lots of other really heavy tools on my machine. Many of these take a full day to install and configure correctly. We are toying with the idea of a developer standard operating environment (SOE), a base image we can use to short-circuit the week of downtime if a developer PC needs to be rebuilt.

    The user profile isn't that sensitive, nor is the account; if you are worried about revealing this ex-employee's password then reset it to something else.  Also, MS development tools use My Documents/Visual Studio [Version]/Projects/ as the default location for development projects. So deleting the user profile may have deleted the work.

    Author Comment

    Ah, interesting.  Worst case perhaps I can restore the local my documents folder which was redirected to a file server and backed up.  

    My reason for standing my ground on the pw policy is that this particular developer used to be part of the IT department, and as we grew the department had to be split up and this account SHOULD have been reconfigured on the spot with the right permissions no matter the cost, but as they were a trustworthy individual with years of loyalty to back it up we let this one case slide.  

    It was far easier to say ok welcome to the developer group, forget you have the IT permissions you had (not ideal I know, but I do not want the mess to propagate beyond the employee when they left).  Unfortunately, again, this user had way more permissions than a regular developer should have had, and the new DEV BOSS managed to wipe out the production environment their first week on site!  Giving those credentials would not contain the mess this person could create to simply this laptop.  

    DEV BOSS was given their documents, email and whatnot so they did have access to all that.  

    I was trying to maintain the integrity of our log files.  When a user leaves the company there is no reason we should see the username pop up again except for the occasional here and there, exceptions being clearly documented.  This individual would have kept this going indefinitely.  

    I do regret accidentally creating a tremendous amount of work for an already really stressed out employee, but if I didn't touch any of the installed programs (save Google Toolbar) and not one file in the user's local profile had been modified or accessed (according to NTFS) since this developer left months ago, was this really such a blunder?

    Not to go all teenager with my vocabulary here, but really? Not touching any of the program files directory blew up an environment the DEV BOSS shouldn't have been able to access this whole time while the account remained disabled?

    Author Comment

    Also, I typo'd my original question; it should be: I fully *believe* (especially after consulting with other IT companies as well on this) that #1 There is never ever a reason for someone to know someone else's password even after they leave. #2 Microsoft developer software really isn't as dumb as this DEV BOSS is letting on.

    Accepted Solution

    DEV BOSS screwed up - he should never have permitted anyone to set up a situation where the development environment can only run on one person's machine.  This is a classic violation of business continuity, and you should be able to bring in higher management to back you up on this.  If the company values their future, they should do it right and always make sure there is limited risk exposure to critical events, including people leaving.  Otherwise, they are promoting job security unintentionally.
