Can Developers Work in a 'Locked-Down' Environment?

Cliff posted more than 12 years ago | from the coding-under-lock-and-key dept.

Programming 648

brad-d queries: "My company is seriously considering enforcing a SOE on all employee computers, including developers. The level of lock-down would likely include barring the Windows registry from changes (and in effect stopping the installation of new software). The goals of this SOE are to prevent users from installing unlicensed software, plus some support issues. What are others' experiences with situations like this? Can a developer really work in a lock-down environment? What compromises could be made between developers and IT services? And no, Linux would be likely banned." It depends on how "locked-down" said environment is, and what the developer will be working on; however, if the Registry is locked with no mechanism provided for the Developer to add in whatever keys are necessary, how much real developing can one do?

If this isn't an FP (-1)

Fecal Troll Matter (445929) | more than 12 years ago | (#2484813)

I am a cyborg_monkey's uncle.


I'm horny (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2484856)

Diapers are in my face, I love the smell of clean diapers. Baby powder. Then urine and fecal matter. Oh, I love wet diapers!

first post! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2484814)

auj asd asd mnk jjinmfz af e

Registry lockdown? (3, Insightful)

syates21 (78378) | more than 12 years ago | (#2484815)

If all areas of the registry are completely "locked down", I don't even think a lot of *existing* applications would run, let alone installing new ones.

Re:Registry lockdown? (5, Informative)

Chuck Milam (1998) | more than 12 years ago | (#2484839)

I don't even think a lot of *existing* applications would run...

Yes, I've seen this before. In a university environment I used to work in, we tried to lock down the registry...we had to make so many exceptions for various applications that required full registry access to run (scary), that by the end of the semester we gave up on locking down and went back to rebuilding the systems nightly (which introduced a whole group of other messes...)

Re:Registry lockdown? (2, Interesting)

JohnHegarty (453016) | more than 12 years ago | (#2484854)

They will run... but you'll get errors all over the place. In my college the C: was read only. You could only write to d:. It was annoying, but I am sure it cut down loads on the IT bill, and stopped too many mp3 servers running.

Re: What is SOE?? (5, Informative)

antidigerati (195379) | more than 12 years ago | (#2484888)

SOE = Standard Operating Environment

Just so ya know... I had to look it up ;)


Depends on What You Are Developing (0)

Anonymous Coward | more than 12 years ago | (#2484818)

I don't know how you define "real" developing, but the answer to your question depends on this definition.

If you're building application software that rides on top of Windows, you're toast. If you are doing about anything else from 4GL web programming to sockets programming, it probably doesn't make much difference.

Hopefully, you already have installed all the tools you need. If you haven't you should purchase and install them before you lock down.

No, you can't. (4, Insightful)

dmorin (25609) | more than 12 years ago | (#2484820)

Easy question : no. My group has our own Unix boxes and our own support group for most things except DNS changes and stuff like that and we still run into inefficiencies in getting routine things done on time. We do not have administration rights for our NT desktops in the sense that we can bring in our own OS upgrades, but we do have the freedom to install new applications. I can't see it working any other way.

If whoever is thinking about making such a decision is in charge of development, then get your resume in order because if I were you I wouldn't want to work under him much longer.

Re:No, you can't. (0)

Anonymous Coward | more than 12 years ago | (#2484859)

Which brings up the point I would make -- it depends on your development staff. If you have a bunch of control freak prima donnas who get upset when they can't load their SETI screen saver, then it's not going to work. On the other hand, if you have professionals who understand why it's being done, then you will have no problems.

I leave it to the poster to decide which employees he would rather have.

Been there, done that (2)

tb3 (313150) | more than 12 years ago | (#2484930)

I worked in a place that moved from Windows 3.11 to Windows NT (but they still thought 32-bit programs were 'a passing fad'). They locked down the registry so tight you couldn't connect to a network printer. I had local admin rights for myself and my development team, but they decided that that was 'insecure' and were going to change it, but I left before they implemented that stupid policy.

Re:No, you can't. (-1)

Dead Fart Warrior (525970) | more than 12 years ago | (#2484970)

This is the worst 'AskSlashdot' yet!

My company will ban me from changing the registry, but I code stuff that changes the registry, it's my job. WHAT SHOULD I DO?!?!?!

Talk to your boss, not slashdot.


FD ! (-1, Redundant)

Anonymous Coward | more than 12 years ago | (#2484823)

First developers developers developers developers post !

Trust? (3, Insightful)

Nick (109) | more than 12 years ago | (#2484824)

If you can't really trust your developers, and need some restrictions in place like that, then maybe you shouldn't have them working there in the first place?

They can't (5, Insightful)

well_jung (462688) | more than 12 years ago | (#2484827)

We faced this issue when standardizing/locking desktops during our upgrade to Win2000. The only workaround that was agreeable to both sides (developers and IT) was to allow developers to have free rein, but not to expect anything more than "We can re-image the machine" from IT when said developer screws up his machine.

If you get out a bible and swear to IT that you are willing to not ask for support when you screw shit up, they may be open to letting you be blessed.

What is SOE (0)

pagercam (309749) | more than 12 years ago | (#2484829)

What is SOE????
I work on-site at one of our company's subcontractors, and the provided machine has extremely limited access; half the software I try to install fails for lack of privileges, others install fine, not sure what the specific differences are. (Win2K)

Re:What is SOE (1)

... James ... (33917) | more than 12 years ago | (#2484895)

Standard Operating Environment... and no it won't work. Trust me, I've tried. Developers get admin access to their own machines. COM objects and the like can not be created without that level of permission.


our freedoms (0)

Webtommy88 (515386) | more than 12 years ago | (#2484835)

Even tho this is the work place, the freedom to work on our own platforms and to customize our computers to our liking is important to 1337 h4x0r5. After all, we can spend a whole day hacking away on our boxes.

Locking down on all our computers will just make it less fun, and make me less happy. Less happy employee = Less productivity ergo less quality.

Steal your own sig!

Re:our freedoms (0)

Anonymous Coward | more than 12 years ago | (#2484858)

That's not a .sig, moron...if it were a .sig, I wouldn't see it because I have .sig lines turned off in my preferences due to excessively stupid .sig lines such as the one you stupidly tried to implement.

blah (2)

DNS-and-BIND (461968) | more than 12 years ago | (#2484838)

Sounds like the policy implementors are concentrating on making things easier for themselves, rather than making things easier for the people that do the actual work in the company.

We have there here... but worse (0)

Anonymous Coward | more than 12 years ago | (#2484840)

In the company I work for, we started with a restricted registry... and now there aren't any start buttons... nothing but a nal desktop.

Yes, but at a much slower rate... (4, Interesting)

Gid1 (23642) | more than 12 years ago | (#2484842)

I'm just at the end of a six-month contract to put together a PHP/MySQL/Apache based website, in a locked-down Windows 95 (!) environment with a few thousand users.

They're migrating to W2K shortly, but I put my foot down and they allowed me to wipe my box and install RedHat on it -- the only way I managed that was the fact that it was in a nice shrinkwrap box.

Well, all fine, but I get no support and I'm not allowed to put it on the network, so it's sneakernet for me. Access to the internet is done with floppies. =(

The point is that you may be able to persuade them to let you have a purely standalone machine, as long as you keep an SOE machine next to it for running Outlook =)

SOE? (1, Redundant)

SVDave (231875) | more than 12 years ago | (#2484845)

What's an "SOE"?

It would be nice if story submitters would define acronyms and initialisms before using them.

Re:SOE? (0)

Anonymous Coward | more than 12 years ago | (#2484875)

Standard Operating Environment

Re:SOE? (3, Insightful)

Gill Bates (88647) | more than 12 years ago | (#2484897)

Standard Operating Environment or
Standard Office Environment

Re:SOE? (1)

superflex (318432) | more than 12 years ago | (#2484938)

What's an "SOE"?

Shithole of Evil. :)

Sorry, couldn't help myself. Standard Operating Environment. We've got one here at work, like many others, I'm sure, but it's not rigidly enforced. The IT people can tell when you've got non-standard software installed, but there's no installation lockout. Win2k migration is coming soon, though, so that could change... :(

Re:SOE? (1)

RadioheadKid (461411) | more than 12 years ago | (#2484945)

I agree, not everyone knows every acronym, this is from (pop-up warning)
my pick is: Standard Operating Environment

Other listings:
Safe Operating Envelope
Sales Order Entry
Schedule Of Events
Secretary of Energy (sometimes seen as 'S of E')
Sega of Europe
Sequence Of Events
Special Operations Executive
Standard Option Equipment
Standards of Excellence
State-Owned Enterprise
Status Of Equipment
Sum Of Errors

Re:SOE? (1)

ComputerSlicer23 (516509) | more than 12 years ago | (#2484962)

I am not sure, but my best guess is:

Standard Operating Environment.

Hopefully some nice person will correct me because it is absolutely wrong. I have seen several people ask the question, but no one is answering. Nothing like a WAG to get corrected.

Just Ask .. (2)

Enonu (129798) | more than 12 years ago | (#2484846)

I have a list of tools that I'd consider essential to my development environment. For any new job in the future I'd get, I would just ask if I can have them installed, and tell them why. Specifically, I'd put it in terms of my productivity. If I still get a solid no, then tough shit, right? They own the computers. There is no compromise.

Development Lab (3, Interesting)

ThomasMis (316423) | more than 12 years ago | (#2484847)

This is just an idea off the top of my head. But would your company be opposed to the idea of having a developers lab that would be off the corporate network? This lab would be sort of an anything goes environment, where developers could mess with things such as what ActiveX controls are installed, keys in the registry, and what component versions live on the box (anybody familiar with ".dll hell"?). If the developers screw something up, it's up to them to fix it. The IT support staff wouldn't have to be involved at all.

Where I used to work we had something similar called the time warp lab, that had a bunch of machines running different versions of Windows with different components installed. The developers could test their code on them, and when we were done, we just ghosted a new drive image onto the drive.

Depends (1)

kin_korn_karn (466864) | more than 12 years ago | (#2484848)

If you're developing Windows apps, very little can be done with you locked down like that. If you're doing Unix work, it doesn't matter since your box is basically a really powerful dumb terminal anyway. (and browser running package)

If they're worried about security, they should give each team its own subnet and firewall. 192.168.0.* is for production, and teams get 192.168.!0.* Your development servers are part of your segment only and go through a circular DMZ to get out. *shrug*

WTF is an SOE??? (1)

mjjareo (93394) | more than 12 years ago | (#2484849)

It's not on whatis.

Re:WTF is an SOE??? (1)

jamiefaye (44093) | more than 12 years ago | (#2484923)

my guess is "Standard Operating Environment".

Bad for Access users (1)

Jaycatt (530986) | more than 12 years ago | (#2484850)

Something else to consider...

At my company (WinNT network) we have a lot of MS Access database designers and spreadsheet designers who use plugins that can only be installed by someone with admin rights.

You may be setting yourself up for a lot of running around to workstations for setting up these minor things if the users don't have the ability to do so.

Why should an OS need a registry anyway? (0)

Anonymous Coward | more than 12 years ago | (#2484851)

What other OS besides Windows uses a registry?

Comments please: I don't know of another that has one.

Short answer is no (0)

Anonymous Coward | more than 12 years ago | (#2484853)

I actually tried to just set my everyday user account as a power user (under 2K) and not login consistently with admin privileges. Worked like crap - had to constantly logout/login as admin to make changes. Finally gave up and set myself as admin.

It can be done - it is just a productivity drain. And you have to have the admin password or an admin on call or else you sit and wait until they get there.

At least you can read /. until they do ;-)

Bad news! (1)

pavera (320634) | more than 12 years ago | (#2484857)

My company is also in the process of "locking down" all of the workstations. Not only is this creating a huge support bottleneck, it is also limiting productivity as many different departments use custom software solutions that do not comply with corporate "standards", and so will have to be discarded in exchange for "standard" software which does not satisfy the needs of the users. Some of these softwares require the users to have admin rights on their machines, so they are completely out of luck. It is a bad bad deal.

What can you develop on Windows w/o Registry? (2)

jamused (125583) | more than 12 years ago | (#2484862)

Since you mention locking down the Registry, you're presumably developing for Windows--but unless you're just writing ASP pages or something, you have to register whatever it is you're developing. That's the Windows model. This sounds exactly like the kind of PHB-think that turns a minor headache (license compliance on the off-chance of an audit) into a major disaster.

Fortunately, it's the kind of policy that's too stupid to stand. We had a similar thing (promulgated by memo from the CIO, rather than enforced at a technical level, though) which held for about twenty-four hours before they quietly exempted all the developers...

Locking down is necessary (-1, Troll)

Starship Trooper (523907) | more than 12 years ago | (#2484864)

I work as an IT director at a medium-sized company. At first, I had the security rather lax on all our Windows 2000 desktops, trusting that our workers and developers were smart enough to avoid messing things up. I was utterly wrong. Fairly quickly, I was being called non-stop as people had managed to screw up their systems by opening random attachments, installing tons of crapware like AIM, RealPlayer, and doing various other brain-dead things. Some of the more smug, "1337" members of our development team thought it would be neat to sneak Linux on their computer. Of course, since they had no idea how to properly set it up to behave on the network, they caused the whole NT domain to get utterly screwed up.

So, after weeks of hair-pulling, I finally locked down the goddamn machines. No installations. No WindowShade. No Instant Messengers. No Linux. This is a place of business. I'm sorry to say it, but if you want to get any work out of a business network, you need to protect users from themselves, no matter how savvy they think they are.

Re:Locking down is necessary (1)

twoflower (24166) | more than 12 years ago | (#2484929)

I'm sorry to say it, but if you want to get any work out of a business network, you need to protect users from themselves, no matter how savvy they think they are.
Nope -- if this is a problem for you, you have the wrong users, not the wrong policies.

Why do companies think they can hire at the bottom end of the wage bracket and not end up with the least-talented, least-skilled, and least-intelligent group of keyboard apes in the business? Hire good people, and this isn't a problem. Sure you have to pay them more, but their greater productivity will more than cover that.


Yes. (1)

glrotate (300695) | more than 12 years ago | (#2484865)

If you are developing your standard Client/Server App then you have no need to be dinking around with your system. It's a tool to do work with, not play games on.

If your company is still evaluating products I would recommend Novell Zenworks, by far the best product in this category.

real developers don't develop in windows (1)

phoey (182032) | more than 12 years ago | (#2484866)

I would definitely bring this concern to management, as developers should be the exception to the rule. When I did develop under Windows at a company, I had to install numerous applications of various versions for unit testing in my local dev. environment. I sometimes needed shareware tools that the company didn't have also.

If they made the registry read only, you would not be able to install anything, which is bullshit for a developer to have to go through.

It is bad enough the issues I deal with IT at SUN, but at least I have my Solaris environment and root access under my fingertips. I hate to see the pains developers go through with IT telling them what they can't do and management telling them how to do it.

Locking out the registry = overkill (2)

JoeShmoe (90109) | more than 12 years ago | (#2484867)

That's like write-protecting the entire drive. It's stupid and foolish.

Technically, the default in Windows NT is to allow Administrators access to the registry, but deny Users. But even then, that's talking about the System registry (HKEY_CLASSES, HKEY_LOCALMACHINE etc). They can still access their own registry hive (HKEY_CURRENTUSER). Any time they change a setting like background color or window placement (provided those rights haven't been taken away by a system policy) is saved there.

You wouldn't write protect an entire drive to keep people from messing with the Windows directory. Just block off that directory.

Likewise, the registry has the same kind of access controls. Give developers read/write access to a specific key in HKEY_LOCALMACHINE\SOFTWARE. Technically, this is where they should be storing registry settings anyway.

- JoeShmoe
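
The per-key access control described in the comment above, written out as an added example in PowerShell; it is not part of the original thread. The key name `ExampleDevTeam` and the local group `Developers` are assumptions chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: delegate write access to ONE key under HKLM\SOFTWARE
# instead of opening (or freezing) the whole machine hive.
param(
    [string]$KeyPath  = 'HKLM:\SOFTWARE\ExampleDevTeam',   # hypothetical key
    [string]$Identity = "$env:COMPUTERNAME\Developers"     # hypothetical local group
)

# Create the delegated key if it does not exist yet.
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# Read/write/create/delete inside the key, but deliberately NOT
# ChangePermissions or TakeOwnership: the group can use the key,
# it cannot rewrite the key's ACL.
$rights = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey, Delete'

$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $Identity,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,  # applies to subkeys too
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $KeyPath
$acl.AddAccessRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# Verification: list Allow entries naming this identity that carry any
# write-type right, on the parent and on the delegated key. The expected
# result is a row for $KeyPath only. This checks entries that name the
# identity directly; rights gained through other group memberships are
# not covered by this check.
$writeMask = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

foreach ($path in 'HKLM:\SOFTWARE', $KeyPath) {
    (Get-Acl -Path $path).Access |
        Where-Object {
            $_.IdentityReference.Value -eq $Identity -and
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.RegistryRights -band [int]$writeMask)
        } |
        Select-Object @{ n = 'Key'; e = { $path } }, IdentityReference, RegistryRights, IsInherited
}
```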

Sure they can.... (0)

Anonymous Coward | more than 12 years ago | (#2484868)

We have a pseudo SOE in our environment.
IT has to do a lot more work in ensuring that rogue applications do not proliferate. I don't think we have a "hard lock down". If the company is willing to provide all the necessary tools and support for development then it is an extremely efficient environment. However consider the possibility that the IT department now has some control over what the development environment can and cannot do. Do you trust your IT department not to get power hungry and make it an inefficient environment? The IT department would most likely have to have approval on all new apps and that could be very inflexible.
You also lose some capabilities of having an exploratory environment.

it depends on what the developer needs to do .. (2)

josepha48 (13953) | more than 12 years ago | (#2484869)

In some cases I think the developer could work okay. Depends on what apps the developer uses, as some won't work if they cannot modify the registry. Think of it this way, a developer would not be able to change the setting in some of the programs if they cannot access the registry.

I know many developers that do very little outside of what they are told to do. Thus management leads the design process and the developers follow. This leads to people who are not very aware of modern technology designing a 'supposed' to be modern app. With some developers installing new apps, testing new software and doing things like that on their own they would be constantly calling IT for this and that, especially if you have a R&D group. Personally I would be against that as I like to install certain of my own favorite editors, icons, tools to make some things I do easier. After that I suppose IT could lock the registry, but ask yourself what does this really gain? IT should just say we support this software and if you install stuff and screw up your machine you just have to wait. In some cases it is just a matter of knowing who can be trusted to know what they are doing in Windows. Some users can install and uninstall and do as they wish and you'll never hear from them while others will be constant problems.

If they insist (2, Insightful)

dgb2n (85206) | more than 12 years ago | (#2484870)

Pester the support people. Make them come out to install every new piece of software that you need to do your job. Hold their feet to the fire for all the support you need.

Eventually they'll realize that the price they're paying in increased support calls is not worth the "security" of locking down your desktop.

I'm in just such an environment. Less than two weeks and they gave me local administrator privileges under the table.

Management trying to send coders a message! (1)

andrewski (113600) | more than 12 years ago | (#2484871)

Unfortunately, because of the tech situation and there being a lot of out of work coders (etc) managers think the time is ripe for coders to receive a message: that they should act, think, and work just like every other kind of worker. If you think that this isn't right, act now and insist on being able to work like you want to. Otherwise, find a different job and don't give notice. BURN YOUR BRIDGES!

Not really (0)

Anonymous Coward | more than 12 years ago | (#2484947)

This just sounds like a boneheaded IS policy. Some pinhead in IS got some bright ideas of how things should be, and is trying to stuff it down everyone else's throats. Granted this kind of stuff makes a company doomed, but depending on its size it may take a while for the ship to sink.

If mgt at that company was really after sticking it to the developers, they'd do something like institute a mandatory dress code, and enforce 9-5 business hours. They'd try to turn you into boring little bureaucrats. That doesn't seem to be the case here.

No real point in locking (1)

hatchet (528688) | more than 12 years ago | (#2484872)

If developer wants to install unlicensed software he will do so... even with enforced SOE, since developer is considered to be skilled enough to overcome such "protection". If your developer is not skilled enough to overcome this, he can be hardly called developer.

Really Hard (1)

robbyjo (315601) | more than 12 years ago | (#2484876)

It's really hard to lock down developers. Usually developers demand some degree of freedom, especially the freedom to install their own tools. No people can work without the tools they are familiar with. Thus, this can be detrimental to their productivity, which in turn is a loss to the company.

The tool itself can vary across colleagues even the primary usage is the same. My colleagues complain when they use other terminals when one of the alternatives is installed. Whining for some missing quirk they love and so on. I think tools like this should be allowed provided that they have the right license for the software.

Changing Windows registry would be unrealistic. Some software even store the Most Recently Used File (MRU) inside the registry (like WinZip, MSWord). Or even the last opened directory (like GetRight). Freezing the registry would cause these software to fail. Beware.

Barring some registry might be viable, but it could have a performance hit into the terminal (i.e. by intercepting all registry-add or change calls). Think of it. Developer hates their machine bogged down for some trifling-but-annoying issues.

Doesn't work too well.. (2)

cmowire (254489) | more than 12 years ago | (#2484877)

It doesn't work too well, especially if you are developing software for the PC, to lock down developers.

Most places allow developers to disable the lock-down, and generally won't debug your machine if you screw it up, just rebuild it from scratch. Even the big guys do that.

How does an IT department suggest this? (2)

juuri (7678) | more than 12 years ago | (#2484878)

2 ways that I have seen.

One. The department is woefully underskilled and incompetent for the jobs they need to perform. In an effort to try and head off as many problems as possible they lock things down to a minimal set of known circumstances.

Two. The department is horribly understaffed. They feel the only way they can keep up is by making sure there is little different from point to point.

I firmly believe in having a COE on every machine. But I also believe that a user can and should have the right to software they feel would enhance their work experience. As an IT guy would you really know if MATHCRUN2002 helps that user or not? Make sure all users run the idea by you first and let them install it. As long as they have the understanding that it isn't supported and if something on your machine can't be fixed quickly you will return the machine to the COE.

BTW the two reasons I listed at the top are a result of poor management. Usually you end up with fascist IT directors when they have no concept of how to really run a computing environment.

Re:How does an IT department suggest this? (0)

Anonymous Coward | more than 12 years ago | (#2484968)

Three. The entire article submission is a troll, just to put the "Yes, they're banning Linux" to rile up some slashdot zealots.

Theory and Practice (1)

Hian Bosu (61229) | more than 12 years ago | (#2484879)

In theory the company I work for have locked down Unix and NT systems.

However all the development teams know the root passwords for both systems and use them freely.

IT knows about this. In fact it quietly keeps the developers supplied with passwords. They long ago worked out that giving programmers control over their own machines leads to a much quieter life.


Machine lockdowns don't work for developers (1)

Green Light (32766) | more than 12 years ago | (#2484881)

I worked in a place that tried that. They were a NT 3.51 shop, and when they started rolling out NT 4.0, they decided to do the "lockdown" thing. Nothing could be changed on the box, not even screen depth/resolution (umm, duh, we need to test the software that we are writing against different machine configurations, including screen resolutions...).
Well, that lasted all of a couple of days before each developer was given admin rights on his own box. Seems the support department got real tired of trotting out to our desks to make simple changes for us...

You won't get any work done (0)

Anonymous Coward | more than 12 years ago | (#2484882)

Looks like they don't want you to do any work while you're at work. But they're still paying you, I guess. Not a bad position to be in, at least for a while. Try to avoid your boss as much as possible, and use the time to read up on new technologies. Perhaps you can start leaving work early to write your own stuff at home.

But seriously, any company that has let its IS dept call the shots is doomed, especially if it's a technology company. At some point, you might want to start heading over to the exit door, so you can make a quick escape when the decay really starts to set in.

Depends what you're developing (1)

Anonymous DWord (466154) | more than 12 years ago | (#2484883)

Do you NEED access to the registry? Do you install that much different stuff on a daily basis? I see limiting install access as a good thing for most employees, but not necessarily developers.
I worked at a place that replaced 400 systems with WinNT from Win95, and you wouldn't believe the crap people had installed, which they expected us to put back on and support when it didn't work.
Keep in mind why a company would want to restrict write access though-
1) they don't want to get sued (pr0n, warez, etc.), and they ARE liable for what people have on their drives, and
2) users have a nasty habit of installing crap that "oh, my friend sent me this email and..." and then they boot into a BSOD every time.
That's a pain in the ass to support. If you can alleviate those fears (and as a developer, you probably know what you're doing), you'd have a better shot at not getting restricted.

Dev lockdown (1)

Kinetix303 (471831) | more than 12 years ago | (#2484884)

When I was doing dev and patch work over at Nortel a couple of years back, they did this to us as well.... we had locked down HP-UX boxen with severely limited user permissions... and doing NT development, we logged into an uber-restricted NT box by VNC. Nortel was obsessed with lockdown, and we didn't have the appropriate permissions to run the applications that we were compiling. When it was brought up with supervisors and directors, they'd refer us to IT, which, in turn, would refer us to our supervisors and directors.

In order to ensure output, all us guys on the floor pitched in and bought ourselves a couple of development machines so that we could actually get work done... but we had to fight with provisioning for three months in order to obtain two IP addresses for them. AAAAARRRGGHHH!!!!

We did, however, manage to make it look like we were working that whole time just by answering email and voice mail and going to the occasional meeting.

In conclusion, the stock options that they offered me are now worthless, I'm out of a job, and a company that stupid had to fall hard anyway. Ah, the good old days...

No way... (1)

Quebec (35169) | more than 12 years ago | (#2484885)

If I had to work for such employer I would simply
quit. I cannot see how my job would be fun
and productive with such constraints.

If all employers would do the same I will simply
change branch of work... I remember having fun
doing some truck delivery when I was younger..

Anyway, who cares about registries? I use
real man OSes

Two possibilities (2)

CmdrTroll (412504) | more than 12 years ago | (#2484886)

I have worked in an environment like this and one of two things inevitably happened on each workstation:

  • Employees spend large amounts of time circumventing the access controls. Some are caught and disciplined (though very infrequently). If the systems rely on Tivoli or some other sort of automatic updating, the "free" developers often need to copy software from their co-workers so that they have (for instance) the latest version of the development environment. After the restrictions are successfully removed, the programmer can usually go for several months before having to "defend" his machine from a recovery CD or otherwise tweak it to keep the controls out. Net result: productivity goes down.
  • Or, the user learns to work within the constraints of the system. They are on a first-name basis with the administrative support staff, whose intervention is needed to change the system time or screen saver delays. Very little time is spent developing software and a lot of time is spent on trivial matters. Systems support staff all get large raises, lots of overtime, and increased budgets because of their heavier workloads, and less actual work gets done. Net result: productivity goes down.

The moral of the story is simple: programmers want to be free.


Re:Two possibilities (0)

Anonymous Coward | more than 12 years ago | (#2484961)

Programmers also don't want to write crappy vertical in-house applications. That's why they have to be paid to go in to work. Same applies to programmers' desire for freedom - you have as much freedom as you want on your home machine.

Ask for another machine. (1)

dynoman7 (188589) | more than 12 years ago | (#2484889)

We did it. Our company (project actually) locked down our "work" machines, so we asked for development or unit test machines. They said OK and we were able to take control of the system for our development needs. wOOt!

My employer can do whatever they want (1)

pigeonhed (137303) | more than 12 years ago | (#2484891)

The man who cuts the checks makes the rules. Funny how subjects like this do not come up when applying for a job. It is in the employer's best interest to make your workplace efficient; if a new solution does not work they will change it.

Surprise (2)

karb (66692) | more than 12 years ago | (#2484898)

Yes, but it's no picnic.

I have worked on a system that was air-gapped for security reasons. You had to jump through hoops to bring in any software, and the process was so painful that it was rarely done.

We survived, but we didn't have as many neat tools as would be nice. We were just kind of used to it and homebrewed simple things or made do with what we had.

On the other hand, going to that sort of system from a more open system would probably damage morale, a problem not encountered by a system that's been closed since its inception.

Absolutely no. (2)

The G (7787) | more than 12 years ago | (#2484900)

Consider something simple -- automated testing. If you want automated testing to work, you need registry settings to prevent your programs from popping up dialog boxes if they take a long walk off a short pointer or some such. But those same registry settings would be completely inappropriate for real development, when you want the opportunity to pull up the debugger. There is not a single One True and Holy Registry -- you always need to tweak reg settings.

Don't worry (1)

jmu1 (183541) | more than 12 years ago | (#2484901)

That place will go down in flames due to problems related to security changes. I can't tell you how much just locking the registry down can destroy user productivity... as in the machine and all apps crash all the time. Beside the hassles it would cause the developers, everyone would suffer. I don't care what software anyone uses, if you use hacks and third-party security resources, you are looking at an even less stable platform. Believe me, I have nearly three-hundred machines that have Fortres and DeepFreeze on them. It isn't worth it. What can be done is that a user policy can be written up, tried, and then implemented that would get the user in trouble for being an idiot and fscking the machine up by installing unauthorized software on it.

The difference (1)

ghost. (85872) | more than 12 years ago | (#2484902)

My company is seriously considering enforcing a SOE on all employee computers, including developers.

In my company, there is the same sort of lockdown on all employee computers (W2K), with the exception of developers. As a developer, I am assigned a higher level of trust not to screw up my machine, and have admin rights on it. OTOH, my W2K box is also my first-stage development server, so I have to be able to admin that box.

I guess my point is, a blanket policy that considers developers no more savvy than typical office workers seems to be shortsighted.

Self-defeating (1)

Man of E (531031) | more than 12 years ago | (#2484903)

If it turns out developers can't work in a locked-down environment, companies will notice almost immediately after they start the lockdown. If in the process of maintaining the system integrity they crave so much they end up harming productivity, they themselves will have to make the decision of whether to keep the system active.
Some companies will think the time they save on maintenance is worth the productivity blow, others will change back. Developers will pick whatever work environment suits them. Basically, nothing happens - how boring.

make one of the apps "vmware"... (2)

mj6798 (514047) | more than 12 years ago | (#2484904)

If you make one of the applications "vmware", maybe it doesn't matter that much. This could still make the company happy because the basic machines will keep on running, E-mail and web browsing keeps on working, and the virtual machines don't do anything bad when it comes to networking. Also, resetting a virtual machine to a pristine state only requires removing a file.

Unfortunately, vmware has gotten rather expensive, and plex86 probably isn't ready yet (please, if you can help the author of plex86 find a good job, preferably working on plex86, do so). But if you are willing to pay for Win2k and Win2k software, the cost of vmware is small in comparison.

Otherwise, you may be able to work on your own laptop...

Oh, if you are doing real-world Microsoft Windows development in Visual C++, a "locked down" environment is probably too constraining. If you are just developing algorithms in C++, or if you develop in Java, it's probably doable. But forcing people to use a specific set of tools is not exactly the way to keep developers happy.

the answer: remote application delivery (0)

Anonymous Coward | more than 12 years ago | (#2484905)

seriously, there is a real need for locking down windows desktops. developers should be building apps and then delivering them via RDP, ICA, avoid having the IT guys chase down all the ins and outs of enabling the desktops to support their apps. With remote app delivery there is a compromise. IT locks down the desktop with mandatory profiles/group security policies...developers get an "island" where they can do whatever is needed to get their functionality built. The remote application servers can be firewalled and otherwise secured from the rest of the network. everybody wins.

Developers should not be treated as sheep... (2)

drenehtsral (29789) | more than 12 years ago | (#2484906)

Developers should not be treated as sheep. Even writing mundane input routines is a creative process, and requires a decent amount of both technical know-how and intelligence.
Would a company consider telling all their advertising and marketing people that they can sit at their drawing boards but not adjust the height, angle and lighting of their workspace? If you treat developers like idiots who can't manage their own workstations (I mean geez!), that will show through in the quality of their work and their morale.

Users != Developers (2)

Stavr0 (35032) | more than 12 years ago | (#2484907)

The goals of this SOE are to prevent users from installing unlicensed software, plus some support issues.

SOEs are fine for USERS, not for developers. Silly PHB. Such an endeavor is doomed to fail. I work at a place where an SOE is in force. Development groups usually get special exception to obtain admin rights or else they couldn't even get off the ground.
The real problem is that management never thinks of implementing multiple tiers : More restrictions on Office worker types, less for development -- AND NONE FOR LABS! If you're on the group who's testing, say, WinXP(Chi-Rho) for deployment, you can't be fighting 'access denied' all day.

depends - just make it work... (0)

Anonymous Coward | more than 12 years ago | (#2484908)

That of course depends on what the heck you're developing.

If it's windows stuff, consider having some machines for development only and others for mundane productivity tasks. Perhaps leave the dev machines off the network, or on a separate net for (necessarily perhaps) flaky development work.

I'm sure they're just looking to lower support costs and make stuff a little more reliable. Keep in mind that everyone in the organization isn't a developer. And developers can also screw crap up and cost IT support dollars - though most will swear they couldn't break anything....

Divorce functions you must have for routine work (email? documents? net access?) from development work.

I've supported developers, and they often SUCK TO SUPPORT -because all assume they are computer gods. But when shit breaks they come crying to IT - and if it ain't fixed an hour later we're obviously lame IT dipshits.

We've found that it can make sense (and save money and hassles) to have more than one mode of operation.

Now this assumes an organization that could invest in some testing and development machines. If you're coding at home or your company is tiny then it doesn't fly --- but if that's the case then no one is going to lock you down anyway eh?

-dipshit IT guy

Real development (1)

blueninja (516222) | more than 12 years ago | (#2484910)

As for "real" development, I wouldn't even dream of accessing the registry from asm.. :)

No Way! (1)

bLanark (123342) | more than 12 years ago | (#2484911)

As an experienced developer under NT/2000, in C++, perl and Java, there is no way on earth that I could be productive in such an environment. It may be feasible to work, but certainly not to be productive.

Those of you who read The Register will be aware of the Bastard Operator From Hell (BOFH). His mission is to thwart users from actually using the computer systems. He would be in his element. Developers constantly wanting to install patches, competitive products, tools, new IDEs and utilities - any sys admin in such a role could get almost anything he wanted in bribes, when a dozen developers compete to get a myriad of different products/patches installed. A rich man indeed! (Yes, my wife is free on Saturday - if you install the netbeans 3.3 release for me.)

Sheez! To even think about it! I would never accept this, I'd work on my own laptop, then copy the work across via CD-R,floppy,zip (install the drivers? No chance mate!)/external disk ~(ditto)/punched cards/IR.

There is no way I could develop software without constant access to all the machine.

Just my take, of course

Customizing environment == good (1)

Jaeger (2722) | more than 12 years ago | (#2484914)

Speaking purely from the perspective of one who has had to deal with locked-down computers, I can say it is fairly obnoxious if one's work habits happen to differ from the One True Approved Way(tm) handed down from Those who Know Everything. Maybe I want to change my screen resolution (because my 17" really needs to be at least 1280x960, or maybe 1600x1200 is entirely too small on my 15", or whatever), maybe I want to change my keyboard layout (there are those who use other layouts), or maybe I want to install vim (which claims to work nicely with Visual Studio, although I haven't tried it), or maybe I think that a bunch of ringwraiths on my desktop would be better than Approved Microsoft Blue. Maybe I want to install another browser instead of the Officially Approved Browser. I don't want to have to run crying to the Approved Policy Makers every time I want to change something, and I can imagine that the Approved Policy Makers don't want me to, either. Restrictive policies may make it harder to install unlicenced or illegal software (and I can't imagine that exchanging instant messages for eight hours constitutes useful work, although occasional use should be ok -- business phones get used for personal communication as well, but everyone has one on his or her desk anyway), but they will likely cause a larger support headache, as well as making it harder for your employees to work effectively because they can't customize their work environment.

Good points and bad... (2)

NetJunkie (56134) | more than 12 years ago | (#2484915)

We wouldn't lock down our development staff. It would just be too big of a burden on us and them. My support guys would constantly be running back and forth.

BUT, I can see why they'd want to do it. By far our worst offenders for installing unlicensed and non-standard software (not dev tools) are developers. And frankly, 3 out of 4 developers I meet (DEFINITELY not normal Slashdot developers) can't fix their own PC when they break it. I'm amazed at the lack of understanding on the base system...I don't mean really get in there, but just simple things a real "power user" would know.

Registry Locking is a joke. (0)

Anonymous Coward | more than 12 years ago | (#2484916)

Put this in a file, let's call it 'unlock.reg'. Double-click on it, and voila, your regedit.exe will now work.

(Or from a command line, type 'REGEDIT /S unlock.reg'... same thing.)


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

I know that on Windows 95 and 98, this will work even if the system policy has been set to disable registry changes (as running REGEDIT /S seems to not check the policy). I guess it's to keep you from locking yourself out of the registry permanently.

There is a commercial app called 'Foolproof' that claims to lock down Windows from being modified, but it's buggy as hell and breaks Windows Explorer, making it crash constantly. I guess a hack to a hacky OS can't be expected to be all that reliable.

My company tried this. It doesn't work. (1)

Stormin (86907) | more than 12 years ago | (#2484917)

We're developing Java applications. They claimed that they couldn't support the deployed application if we all had different machines because we might do machine specific stuff. Never mind that we developed on NT and they deployed on Unix and we already had case-sensitivity issues popping up all over the place.

They never got around to actually locking the dev machines down, because there was too much backfighting when they tried. Most of the developers said that they would fix whatever problems they created. IT tried to use a management tool to push new software onto people's machines because "people usually mess up their machines when they install their own software." The second time they used it, they ended up wiping all of the apps and registry entries off several machines. We kind of put the brakes on them using that software after that.

Since then, they've been heavily hit by layoffs and they no longer complain when we want access to things that will only reduce their workload.

But to answer the original question, no, you can't develop anything that way.

Cygwin! (1)

jdavidb (449077) | more than 12 years ago | (#2484921)

Cygwin installs perfectly even if you don't have admin rights. You can even run secure shell under it!

For Those who haven't Heard of SOE (1)

JohnHegarty (453016) | more than 12 years ago | (#2484925)

It stands for Standard Operating Environment.

Basically it's a set of recommended software available for installation on a company's / school's PCs.

Eg. I can install Windows 95 and Visual C++ but not winamp.

People unclear on the concept. (2)

blair1q (305137) | more than 12 years ago | (#2484926)

Make people receiving new accounts sign an agreement that they will not upgrade their installations with unapproved software.

Fire those who fail to comply.

Then you'll still be able to do your job without having to go around unlocking registries.

"Are B-schools spending all their time on cultural diversity and takeover avoidance?"

Depends on management... (1)

basilfawlty (154213) | more than 12 years ago | (#2484932)

If you work with a small company, and it is management that is laying this down, you're probably SOL. If you work in a large company, then your immediate managers may be loath to mess with the system. In fact, your immediate managers may realize how impossible it would be for developers to develop anything in that kind of an environment.

My company is very large. Our policy is technically like yours, but the enforcement is occasional. IS warns us that they'll be sending around a script that will be checking for BSA infractions. I make sure my system is clean. Since we're not officially allowed to have "unauthorized software" on our boxen, I make sure there isn't anything suspicious on there, even Mozilla. After the script runs, back the old software goes.

If your company is large enough, you may be able to get away with that.

SIMPLE. Backup the registry (0)

Anonymous Coward | more than 12 years ago | (#2484934)

Before the idiots show up.
Let them do their thing and leave. Pop in the NT CD. Do a reg. restore (as though you had a system failure or something).

We went through a similar situation.. (0)

Anonymous Coward | more than 12 years ago | (#2484935)

...and the lock down ended up being company wide with the exception of IT (including developers). We discovered that IT personnel were unable to function at that level.

We reviewed our security policy during that time and allowed IT to be unrestricted as long as they were periodically audited and held accountable for infractions to the policy. The down side is now IT gets audited on a fairly regular basis and much more than the rest of the company.

It did not work for us (1)

Chrome-Dragon (140684) | more than 12 years ago | (#2484936)

We had a developer come in on contract and we started him with a locked down w2k box. As the project progressed we found that even the default user levels of win2k were too restrictive for development work. He wound up as a power user, (one step below admin) which seems to be the best level as most things you need to do for development can be done at that level.

Ehh just my experiences on the matter.

Physician, heal thyself (1)

Dave21212 (256924) | more than 12 years ago | (#2484937)

I've been a professional developer for about 6 years now. My users have been subjected to everything from aggressive logon scripts, to software that actively replaces system (more than just .reg) changes (ie: Sabre) The best thing for "IT" to do with the developers (hey, aren't many of the developers PART of the IT talent ???) is to let them run free. The help(less) desks are typically useless for anything outside of the normal daily user issues anyway, so why expect the HELLdesk to support the more complex problems that we as developers encounter ? Have the developers support themselves. If a developer needs infrastructure or other support, they typically know who to call (or they can then ask the HD for who to call). Things get accomplished efficiently in an organization often times because of the personal relationships people have, not because of some pointy-headed lockdown policy that gets imposed on the team. Best of luck convincing your bosses ;) There are no famous hackers . . .

a simple solution (0)

Anonymous Coward | more than 12 years ago | (#2484939)

when nobody's looking, wipe the drive, install Linux. Use WINE for what you need for work. The type of twit who would lockdown your machine probably wouldn't know what to do with your unix login prompt, and wouldn't have the password anyhow if they did. you win. ha!

Well, you might get in a little trouble with your wageslavemaster. But it would sure be a lot of fun until they noticed.

Your sysadmin (2)

MSBob (307239) | more than 12 years ago | (#2484940)

It sounds awfully like your sysadmin is a lazy bum and can't be bothered with support so (s)he's imposing these stupid rules to make his/her life easier. Resist, boycott, protest but don't let this happen. Any permissions, restrictions and access control are usually a huge pain in the ass. I'm in the opposite situation to yours. We use windows for development and Unix for staging/deployment. All unix work must be consulted with the Almighty Unix Sysadmin. The result? Nobody wants to deal with the asshole so no one bothers testing things on unix anymore and our app sucks in the production environment, all thanks to braindead access restrictions our sysadmin keeps coming up with. I think my company is fucked as a result and so is yours by the sound of it. Dust off that resume right away is the only piece of advice I can give you

Work with IT... (1)

mcdu (177440) | more than 12 years ago | (#2484944)

In our network we have this type of setup. Basically we got in good with the IT people and have become what they term "the development domain". Essentially within this domain we can do whatever we want to our machines, but we get no support from the IT group (unless it is hardware related). This has worked for us on two levels: A) We get to do all the development work we need. B) IT is kind of useless so we don't want them playing with our machines anyways.

It is a fragile relationship, but it has worked very well for us. In addition we have worked a deal that allows us Admin access on all the machines we distribute to (150+). This is a very unique relationship within the corporation, but it affords us the flexibility we need.


Use VMWare (0)

Anonymous Coward | more than 12 years ago | (#2484946)

Wouldn't it make sense to use VMWare? You could install a windows in windows, in which you can mess around all you want! Doesn't really SOLVE the problem, but moves it away so nobody can see it anymore ;)

In my experience... (1)

jdclucidly (520630) | more than 12 years ago | (#2484949)

... having no permissions for the system folder and registry (and the like) severely limits the level at which one can debug errors caused by the intercommunication between the kernel modules and your application.

On the other hand, if you want drones that do nothing but what they're told... it's ideal. In this case, a project manager would likely have the appropriate access to ensure the final product is acceptable.

It's the structured hierarchy vs. social system, again. The cathedral and the bazaar. Clearly, your boss has some reason that he doesn't trust your co-workers. He must also believe that the people at the top are more innovative than the people who are writing the code.

In terms of technical considerations, there are workarounds for pretty much everything you should want to do: DDE for App to App exchange and 'INI' files for config, but you'll never be able to write a working install program without full access.

NT Admin bitches (1)

CDWert (450988) | more than 12 years ago | (#2484951)

Lemme guess, you've got some bitch of an NT (wannabe) Admin running around saying the sky is falling, we're out of compliance... And management believes it

Here's the deal, think of it this way, who makes your company money? the admins or the developers?

Well if you're a MS shop (sounds like you are) the MSDN subscription you should have covers the development use of probably 75% of the stuff he's crabbing about. Other than that, depends how far down on the food chain you are there; if you're one or two levels below someone who can actually make a real decision, go to them and tell them this, you have serious concerns about productivity if this is implemented, if the bottom line is what matters there this may help. Tell em point blank it's a horseshit management decision by people that have no clue what they are talking about.

Someone else here has the right idea, I've implemented the same thing on 2 occasions, separate development environments where the DEVELOPERS are the ONLY ones supporting their own system, come up with a separate admin within that group, really pisses off the bitch NT admin, but screw him he's nothing more than someone to keep the infrastructure intact, I'm betting development is where your money is made, so why should he set the standard you develop by.

Get some balls, tell them NO, in my experience a company that cannot trust its employees has much deeper management/financial issues, may be time to start looking for a job from someone that doesn't tie your hands and expect equal performance.

I developed in SOE (1)

weez75 (34298) | more than 12 years ago | (#2484952)

I have developed in a SOE. It's not that bad provided you have a test lab. Besides, it's not good to test on your own PC anyway. The problem isn't the limitations on installing software but rather the bureaucratic ladder you have to climb to get approval for something new. For instance, getting a new compiler approved can be tough. If you can solve that problem with management it works out.

I'll actually endorse a SOE in some cases. It can be especially good if you have separate environments for developers but it is standard among them. It helps ensure compatibility.

Don't do it (0)

Anonymous Coward | more than 12 years ago | (#2484954)

No, this system sucks. We have some WinNT4.0 and Windows 2000 PCs in a lab at school that have this. A lot of programs simply require the ability to write to the registry sometimes. The best system I think is having applications run off a server using some form of Linux/UNIX. Our administrator is constantly coming around to the PCs to install stuff for us. It's a big pain. We have to log off, he logs into the PC, installs some software and then logs-off. Half the time he doesn't install it exactly like he was supposed to, and we have to get him to do it again. It's a big waste of time for IT administrators.

Can be done (2)

scott1853 (194884) | more than 12 years ago | (#2484957)

Doing any significant development, you're not likely to need a lot of time working on registry modifications procedures, with the exception of a save settings routine in the Setup window. Actually, if you code it right you shouldn't need to create keys in the registry at all if they aren't that important. It should allow the program to continue with default behavior if the key doesn't exist, or cannot be created. Give the user a warning on errors that setting modifications couldn't be saved because you couldn't modify the registry. Chances are that some customers (if this is commercial software) may have the same restrictions. And if you're storing anything more than settings in the registry, then you're most likely storing the data in the wrong place anyways.

The only thing I can think of, is if you are doing some program protection that stores some encrypted values in the registry. I think IT will understand if that's what you're developing. But after you're done developing that, then it should just be a black box and you don't need to test it again.

And most likely you can get the keys for your software's settings to be left open. It's not unreasonable.
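The fallback behaviour described in the comment above, sketched as an added example that is not part of the original thread or any poster's code: a settings layer that keeps running on defaults when the registry key is missing or the write is denied by policy. The subkey `Software\ExampleApp`, the class names and the in-memory backend that stands in for a locked-down registry are all assumptions made for illustration.

```python
"""Settings that degrade gracefully when the registry is read-only."""

try:
    import winreg  # standard library, Windows only
except ImportError:
    winreg = None


class MemoryBackend:
    """Constructed stand-in for a registry key; read_only=True simulates a lockdown."""

    def __init__(self, initial=None, read_only=False):
        self._data = dict(initial or {})
        self.read_only = read_only

    def read(self, name):
        return self._data[name]  # raises KeyError when the value is missing

    def write(self, name, value):
        if self.read_only:
            raise PermissionError("registry write denied by policy")
        self._data[name] = value


class RegistryBackend:
    """Real per-user registry access; the subkey is a hypothetical placeholder."""

    def __init__(self, subkey=r"Software\ExampleApp"):
        if winreg is None:
            raise RuntimeError("winreg is only available on Windows")
        self.subkey = subkey

    def read(self, name):
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, self.subkey) as key:
                value, _type = winreg.QueryValueEx(key, name)
                return value
        except FileNotFoundError:
            raise KeyError(name)

    def write(self, name, value):
        # Raises PermissionError when the policy forbids creating or writing the key.
        with winreg.CreateKeyEx(winreg.HKEY_CURRENT_USER, self.subkey, 0,
                                winreg.KEY_SET_VALUE) as key:
            winreg.SetValueEx(key, name, 0, winreg.REG_SZ, str(value))


class Settings:
    def __init__(self, backend, defaults):
        self.backend = backend
        self.defaults = dict(defaults)
        self.session = {}   # values that could not be persisted
        self.warnings = []  # messages to show the user

    def get(self, name):
        if name in self.session:
            return self.session[name]
        try:
            return self.backend.read(name)
        except (KeyError, PermissionError):
            return self.defaults[name]  # missing or unreadable: default behaviour

    def set(self, name, value):
        """Return True if persisted, False if kept for this session only."""
        try:
            self.backend.write(name, value)
        except PermissionError as exc:
            self.session[name] = value
            self.warnings.append(
                f"Could not save '{name}' ({exc}); using it for this session only.")
            return False
        self.session.pop(name, None)
        return True


if __name__ == "__main__":
    defaults = {"theme": "light", "autosave": "on"}
    locked = Settings(MemoryBackend({"theme": "dark"}, read_only=True), defaults)
    print(locked.get("theme"), locked.get("autosave"))
    locked.set("autosave", "off")
    print(locked.get("autosave"), locked.warnings)
```

Running the same program as a standard user on a locked-down build is the quickest way to find settings code that assumes write access.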

What a loss in productivity. (2, Informative)

wizman (116087) | more than 12 years ago | (#2484963)

It's horrible!

Where I currently work, no software can be installed, and much existing software breaks. Windows media player causes a GPF, and many enhanced websites cause the machine to hang. The registry is locked down, and I don't have rights to "program files".

Every time in the past I've needed a piece of software, it generally takes days to be installed, and the entire chain of command has to OK it. If we directly submit a request be it for software or support, it gets deleted.

This completely and utterly lowers productivity. If I need something and I need it now, it takes days or weeks to make it happen. Problems or requirements that could easily be taken care of by the user are not possible, resulting in delays and wasted time.

Plus, IT stops by once a week to add software, odbc connectors, or make other changes. Those are things I could very easily do myself. Doesn't IT have better things to do?

I'm surprised they let me add bookmarks. Don't even get me started on firewall rules.

you're just in other peoples hands (0)

Anonymous Coward | more than 12 years ago | (#2484964)

You could feel no difference at all, or it could be annoying as hell. It all comes down to being more dependant on others. When you have a problem or need something, you can't just solve it yourself. If there is tech staff available to compensate for the flexibility you lose, no problem.

But there isn't. ;)

Here we. (1)

GiMP (10923) | more than 12 years ago | (#2484966)

Here, developers and system admins build their own boxen. Most bring their own box in as well as their company box as well.

Sitting in a space which cannot even be considered as luxurious as a cubicle.. I have 2 monitors with Xwindows running Blackbox at 2560x1024 using 5 (fully loaded) workspaces. If I had a configuration that was any less, I would get a lot less work done. I also have a television setup mounted on top of the 2nd monitor which is occasionally used for a trinary head.

Developers and system admins like their configurations, their hardware hacks, and their toys. Let us play or give (much more) pay :)

Company Size... (1)

jfred1 (226304) | more than 12 years ago | (#2484967)

I think it depends on the size of the organization.

I have worked in a couple small organizations (<150) where IT was very easy to deal with. We were allowed "power user" to the machines and individual requests for anything else that needed full admin.

In larger organizations, it was usually agreed upon that we would separate the devs from the global network, and the manager was held accountable for the software licenses. Then the manager (or other lead) would be the contact to IT for any network or other support issues.

Without at least "power user" rights, I can't see that the machines would give the users a comfortable work environment. I've been known to have to uninstall and reinstall software packages 2-3 times when I did something bone-headed.

just my 2