We work on XP Pro workstations and use Visual Studio 2008 & 2010 to develop winforms, web and web services against local IIS and SQL Express instances.
We currently have local admin rights on our main machine account. The proposal is to move to a low rights account for our amin login but to have another local account with local admin rights that we then use to elevate where needed.
Are there any issues developing and debugging under this setup that would affect developer productivity?
From experience you can't install things like NUnit in your reduced priviledge account - that shouldn't be a problem for you as you can just type in the details of your higher priviledged account (it was a problem for us as we didn't have that). Also you'll need to do a similar thing if you're firing up services / IIS, etc. Again as you have it to hand it shouldn't be a problem.
My conclusion was that you could develop as a non-admin as long as you know the admin password - but if you don't know the admin password, you are going to be in for a very frustrating time!
Related
Original question here:
Windows Authentication doesn't work with IIS Express 10
At my workplace, we do development on a production network, meaning we have a regular, restricted account and an "admin" account, which has greater rights. We recently had a hardware refresh where we went from Windows 7 to Windows 10, and VS 2013 to VS 2017.
Under the old system, I could log in with my regular account, run VS 2013 as my admin account, and I was able to build and run my web application just fine in Firefox.
This does not work under Windows 10. When I try running VS 2017 under my admin account while logged into my regular account, windows authentication fails, giving me either 401.1 or 401.2 errors. The only way I have been able to get everything working is to log into my admin account and run it from there. This isn't the preferred way to do things. So, is there any way to do what I want to do in Windows 10 and VS 2017?
I want to run BizTalk server 2010 on windows 7. Problem is my company’s management does not want to give local administrator rights to developers. Can I perform BizTalk operations (like start/stop/create/ delete host and host instances, publish website on IIS, deploy services, import/export MSI and bindings, create SSO and BRE entries, etc) without local administrator rights.
I also need to work on ESB toolkit.
I want to confirm that, due to the absence of local administrator rights, would I stuck or be in trouble at any stage of BizTalk service live cycle ? and is there any way around to overcome those issues ?
Thank you,
Best answer: Can they provision a VM of Windows Server 2008 R2 for you where you can be a local Administrator and run BizTalk Server? Even the most security conscious environments I've been in allow this.
To address your specific question: No, you don't need to have local Administrator, but...there are a number of tasks during BizTalk DEV that require a very high level of privilege on the system, such as creating and managing Services, deploying/installing applications, managing the Global Assemble Cache and probably a few more.
So, by the time you get all the system rights to do these, you're pretty close to being a local Administrator anyway.
Either way, a VM is still the preferable option. Technically, it doesn't even have to be joined to a Domain so you'd really be in a sandbox.
I've been developing in VS 2005 on an XP machine for the past 3 years. We're now getting new PCs with Windows 7. What I've noticed is my setup projects require admin rights to run. This is a problem for me because no users (including me) have admin rights, only helpdesk support staff.
I'd like to run my Windows installer setup projects without admin rights- is that possible?
Also, I'd like to continue to create installer files that users without admin rights can run. Is that possible, or will all my setups now need to be installed by someone with admin rights?
I've looked into ClickOnce deployment, but I don't have a web server available for installations.
Also, I've looked into digital certificates, but I have no budget. Is there a way to get a certificate for free? All my applications are for internal use, and I understand these security issues are for web applications.
Is free deployment of internal applications no longer supported?
Thanks for your input,
-Beth
It is possible to run Windows Installer setup without admin rights. Look at Single Package Authoring article for an overview how to create a package that support that. You can also prepare a package that will run only in non-admin mode. Note however, you will not be able to write to Program Files and other system-protected areas when installer runs in non-admin mode.
You can use self-signed certificate to add digital signature to whatever you want. The only thing is that this certificate will not be trusted by default. However, it's not issue when used internally: it can be installed as trusted on machines where it's required. See makecert.exe and signcode.exe tools.
What needs to happen before we can open Web Application Projects hosted in IIS7 with Visual Studio 2008 without running as Administrator? Are we talking about waiting for the next version of Visual Studio? Are there any existing workarounds?
I think it's implied by the above, but this pertains to Vista.
Thanks.
Never is a bad option - pretty much all other development I can do as a non-admin. Its not as if the code under IIS requires admin rights either.
I'd like to see an IISAdmin group which grants a developer's user account permission to manage IIS without granting full adminstrator privileges to the entire PC.
My guess is never. I think admin rights will always be needed to change websites and virtual directories in IIS.
We have been given the directive to make sure that when we develop we are running out of the administrator and poweruser groups to prevent security holes. What are the steps to take to make this possible, but still be able to debug, code, and install when needed?
We develop ASP.NET as well as VB.NET applications.
Thanks!
Brooke Jackson
I have been developing a web application in a team of 5+ developers using ASP.NET 2.0 using Visual C# 2005 and Visual Web Developer 2005 for 6+ months. It was an internal application for our client and was targeted at Internet Explorer 6.0. I have been always using a non-administrator account on my machine and have never run into any problems. Specifically, I have not experienced any problems with debugging. Right now I am switching to a Visual Studio 2008 and I hope everything will work just as it does now.
I am using a laptop for development. A the same time I am moving around and connecting to the internet in different places and I use my admin account only when necessary. I really believe that running an admin account for every day tasks is the single greatest security threat, just because it is so common.
Beware, there seems to be a lot of issues with running VS as non-admin.
Seems silly to me. Run VS as admin/power-user locally with whatever minimal rights you need on the network for publishing to the users and whatnot.
Just makes sure that the applications you CREATE with VS still work without those extra rights.
Use Vista, and take advantage or UAC, because that's UAC allows you to do. You can give VS full rights when needed, and the application/website limited rights.
I'm running VS2008 on Vista with UAC enabled. I've only had one issue worth mentioning.
I occasionally have weird file permission issues when I've run VS with elevated privileges then later run it without them. VS won't be able to delete the old build files, but if I delete them from Explorer its fine. Again, this only happens when switching between elevated and non-elevated permissions.