Forcing developers under limited Windows user accounts

I'm currently in negotiations with a company as to why a machine not on a domain network and with full admin privileges is necessary for developers to work fully.

I'm looking for evidence to specifically support/contradict this e.g.

• Programs can't be run that use systems software i.e. XAMPP/WAMP, VPN software etc.
• Programs can't be installed or updated.

As a developer I always used user account for secure daily work. This can be achieved with corporate policy, because people do not like limits and it will be hard for the first time. When I implemented limited user policy, I had so little work as admin in 100 workspace office, month before it was constant virus nightmare. For some cases if people still need elevated priveleges for their tasks. I used my own version of runas that was limited to run specific applications. Take a look at http://sourceforge.net/projects/sudowin/ Also, you can untie user rights by setting Power User and playing with policy editor.

1. A developer should be in full control of their development environment. They need to be able to install, uninstall, configure and use any software that's needed to develop working code. Having a limited account means they have less control over their machine and might not be able install or run critical software.
2. Sometimes, the software a developer uses requires it to be started with admin privileges. For example, if you are developing an Azure cloud service and want to test it from your Visual Studio, you need to run Visual Studio as an administrator, or IIS will not start.
3. 99% of the software a developer needs gets at least one update they don't have yet but need. Often, such an update requires admin privileges to even install.
4. Developers are less likely than normal users to misuse their admin privileges, because they are far more computer literate and know how to handle a computer properly.

Another angle is cost: a developer that needs to ask an admin for a password every so often is a huge timesink for both the developer and the admin. And if he does not get that password, he could very well be blocked from progressing on his code.

A common reason to restrict access is that the software should be able to run on a limited account as well. this can easily be done on a virtual machine.

see also: http://security.stackexchange.com/questions/14967/risks-of-giving-developers-admin-rights-to-their-own-pcs

Developers are not system admins with good reasons. A lot of them don't know what makes a computer tick and handing out admin rights will give a lot of system admins a lot of extra work! (Speaking out of 15 years experience). Developers need full rights in the areas where they need it and nowhere else. It takes a little time to configure everything correctly, but it's certainly not impossible.

Just give your users the proper rights, put them in custom groups that have necessary rights to perform their daily tasks. I have been working as a developer in a banking environment as well where they treat security on ALL LEVELS as a top priority. The only people in the company who have full admin rights were the system admins. Unlike most companies, even top level managers (like CEO, CFO etc) are not allowed to do just whatever they please.

But again, you need to be good as a system admin and spend some time to make a good configuration for your developers so they can do their job properly without any complaints. Worst case scenario, they can always perform their tests in a controlled test environment where they might have some additional rights to evaluate what customers with full rights may experience. These test environments can even be virtual machines that have limited or no network access and are easily restoreable.