Best practices for security for developers deploying web apps to I

TheMSsForum.com: The Microsoft Software Forum

I'm looking for information on best practices (and least privilege security)
for developers that are deploying ASP web applications to an IIS 6 server.

We would like to know if our developers need to have administrator
privileges on our productions web servers, to do these tasks.

The applications are written in a mix of vb6, .net 1.1 and .net 2.0.

What permissions should these developers have, and are there any white
papers or best practices guidelines for how to set them up?
Top

Re: Best practices for security for developers deploying web apps to I by Ken

Ken
Wed Apr 30 01:30:11 CDT 2008

I suppose my first question would be - why are developers deploying apps to
your IIS servers? Shouldn't they be handing the necessary changes to your
operations team for deployment?

Stuff like uploading .NET pages and assemblies doesn't require elevated
privileges, but registering COM components probably will.

Perhaps your developers should create an MSI or similar package, and then
you can use SMS or similar to deploy the changes into production.

Cheers
Ken

"jwsmart" <jwsmart@discussions.microsoft.com> wrote in message
news:07EF5B99-3B83-49CD-9FD6-958126F12B84@microsoft.com...
> I'm looking for information on best practices (and least privilege
> security)
> for developers that are deploying ASP web applications to an IIS 6 server.
>
> We would like to know if our developers need to have administrator
> privileges on our productions web servers, to do these tasks.
>
> The applications are written in a mix of vb6, .net 1.1 and .net 2.0.
>
> What permissions should these developers have, and are there any white
> papers or best practices guidelines for how to set them up?
>

Top

Re: Best practices for security for developers deploying web apps by jwsmart

jwsmart
Wed Apr 30 10:30:01 CDT 2008

Ken, Thanks for your response.

The reality is that these developers are deploying the applications to
production servers because they had that ability in the past, when our IT
group was very small (and unable to meet the needs of the develpment team).
Their other contention is that it would take up too much of their time to
hand off these other changes to somone else to deploy.

If we assume that the developers must have the capability to deploy
applications directly to the server, is there some sort of best practices
guide?
Or is it simply best practice that developers should not have special access
to these machines at all, and that the systems administrator should be doing
the deployments?

Thanks,

-Will Smart

"Ken Schaefer" wrote:

> I suppose my first question would be - why are developers deploying apps to
> your IIS servers? Shouldn't they be handing the necessary changes to your
> operations team for deployment?
>
> Stuff like uploading .NET pages and assemblies doesn't require elevated
> privileges, but registering COM components probably will.
>
> Perhaps your developers should create an MSI or similar package, and then
> you can use SMS or similar to deploy the changes into production.
>
> Cheers
> Ken
>
> "jwsmart" <jwsmart@discussions.microsoft.com> wrote in message
> news:07EF5B99-3B83-49CD-9FD6-958126F12B84@microsoft.com...
> > I'm looking for information on best practices (and least privilege
> > security)
> > for developers that are deploying ASP web applications to an IIS 6 server.
> >
> > We would like to know if our developers need to have administrator
> > privileges on our productions web servers, to do these tasks.
> >
> > The applications are written in a mix of vb6, .net 1.1 and .net 2.0.
> >
> > What permissions should these developers have, and are there any white
> > papers or best practices guidelines for how to set them up?
> >
>
>
Top

Re: Best practices for security for developers deploying web apps by Ken

Ken
Mon May 05 20:45:52 CDT 2008

Hi,

It's very difficult to say what exactly you should be doing in your
situation. That depends on the size of the organisation, the cost of
implementation and so on.

With very small organisations, it usually not necessary to have too many
processes - interpersonal communication is good enough to handle most
situations. However as the organisation gets larger and more complex,
processes are required to ensure that (a) documentation is maintained and
that (b) there is some "source of truth" about the state of the environment.
Good ops management involves moving from one known state to another known
state. This facilitates troubleshooting (you know exactly what changed, and
by who) and rollback (you can move back to your previous state). And that
generally requires a documented set of processes for making changes to the
environment.

You might want to look at MOF (Microsoft Operations Framework) or ITIL if
you need some ideas about how to structure your environment to allow good
support/operations.

Cheers
Ken



"jwsmart" <jwsmart@discussions.microsoft.com> wrote in message
news:03064B01-9C9C-48C6-B10A-91780EE15C76@microsoft.com...
> Ken, Thanks for your response.
>
> The reality is that these developers are deploying the applications to
> production servers because they had that ability in the past, when our IT
> group was very small (and unable to meet the needs of the develpment
> team).
> Their other contention is that it would take up too much of their time to
> hand off these other changes to somone else to deploy.
>
> If we assume that the developers must have the capability to deploy
> applications directly to the server, is there some sort of best practices
> guide?
> Or is it simply best practice that developers should not have special
> access
> to these machines at all, and that the systems administrator should be
> doing
> the deployments?
>
> Thanks,
>
> -Will Smart
>
> "Ken Schaefer" wrote:
>
>> I suppose my first question would be - why are developers deploying apps
>> to
>> your IIS servers? Shouldn't they be handing the necessary changes to your
>> operations team for deployment?
>>
>> Stuff like uploading .NET pages and assemblies doesn't require elevated
>> privileges, but registering COM components probably will.
>>
>> Perhaps your developers should create an MSI or similar package, and then
>> you can use SMS or similar to deploy the changes into production.
>>
>> Cheers
>> Ken
>>
>> "jwsmart" <jwsmart@discussions.microsoft.com> wrote in message
>> news:07EF5B99-3B83-49CD-9FD6-958126F12B84@microsoft.com...
>> > I'm looking for information on best practices (and least privilege
>> > security)
>> > for developers that are deploying ASP web applications to an IIS 6
>> > server.
>> >
>> > We would like to know if our developers need to have administrator
>> > privileges on our productions web servers, to do these tasks.
>> >
>> > The applications are written in a mix of vb6, .net 1.1 and .net 2.0.
>> >
>> > What permissions should these developers have, and are there any white
>> > papers or best practices guidelines for how to set them up?
>> >
>>
>>

Top

Re: Best practices for security for developers deploying web apps by David

David
Mon May 05 22:19:02 CDT 2008

I agree with Ken.

The contention about it taking up too much time to "hand off" for
deployment is pretty much hogwash. As soon as the deployment needs to
happen more than once, or duplicated on another server, having
documented/automated setup is required. Otherwise, as Ken notes, there
is no way for the OPS team to move from one known state to another --
it'd require the developer's involvement. It is at this time that the
developer should realize that documentation and providing setup
actually SAVES everyone's time, including the developer's, in the long
run.

The only reasons for this handoff to not be documented are:
1. The deployment on the server is never changing
2. The developer does not want to be responsible for the changes

There are times where this handoff is not necessary, such as in a
start-up environment where the next deployment change tends to be
drastic enough that a hand-off is waste of time, or if the developer
is allowed to be irresponsible.

Also, you need to be aware that when people "share" responsibility
over a resource, it tends to result in no-one being responsible
because no one is in charge. You can certainly give your developers
administrative privileges, but then you also need to make them
responsible for their change AS WELL AS its side-effect changes to
others. I am sure that developers want the former and no
responsibility for the latter, but they can't have their cake and eat
it too. It makes no sense to have a web server administrator be
responsible to integrate all the developer's changes and for the
developers to have free reign to do whatever. Of course, the
developers can complain that they are being bottlenecked by the web
server administrator, and that's when you realize that you really need
a pre-production test server that the developers can be Administrators
and integrate all their changes, runs website-wide admittance tests to
prove everything works, then Web server administrator takes all the
integrated results on the pre-production test server and apply it to
Production. This way, it is clear what the developers and the web
server administrator are responsible for, and no bottlenecks.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//




On Apr 30, 8:30=A0am, jwsmart <jwsm...@discussions.microsoft.com> wrote:
> Ken, Thanks for your response.
>
> The reality is that these developers are deploying the applications to
> production servers because they had that ability in the past, when our IT
> group was very small (and unable to meet the needs of the develpment team)=
. =A0
> Their other contention is that it would take up too much of their time to
> hand off these other changes to somone else to deploy. =A0
>
> If we assume that the developers must have the capability to deploy
> applications directly to the server, is there some sort of best practices
> guide?
> Or is it simply best practice that developers should not have special acce=
ss
> to these machines at all, and that the systems administrator should be doi=
ng
> the deployments?
>
> Thanks,
>
> -Will Smart
>
>
>
> "Ken Schaefer" wrote:
> > I suppose my first question would be - why are developers deploying apps=
to
> > your IIS servers? Shouldn't they be handing the necessary changes to you=
r
> > operations team for deployment?
>
> > Stuff like uploading .NET pages and assemblies doesn't require elevated
> > privileges, but registering COM components probably will.
>
> > Perhaps your developers should create an MSI or similar package, and the=
n
> > you can use SMS or similar to deploy the changes into production.
>
> > Cheers
> > Ken
>
> > "jwsmart" <jwsm...@discussions.microsoft.com> wrote in message
> >news:07EF5B99-3B83-49CD-9FD6-958126F12B84@microsoft.com...
> > > I'm looking for information on best practices (and least privilege
> > > security)
> > > for developers that are deploying ASP web applications to an IIS 6 ser=
ver.
>
> > > We would like to know if our developers need to have administrator
> > > privileges on our productions web servers, to do these tasks.
>
> > > The applications are written in a mix of vb6, .net 1.1 and .net 2.0.
>
> > > What permissions should these developers have, and are there any white=

> > > papers or best practices guidelines for how to set them up?- Hide quot=
ed text -
>
> - Show quoted text -

Top