Anders Norås' blog : How to configure your development environment to develop with least privilege

posted on Monday, February 14, 2005 8:05 PM by anoras

How to configure your development environment to develop with least privilege

The most common objection developers hold against using a non-admin account is that they can’t develop software with a lesser privileged account. Standard user accounts do not have the sufficient privileges to debug applications or create web applications on Microsoft Internet Information Server. To configure your development environment correctly, you’ll need a good understanding of what privileges are required to perform different tasks. In this post I’ll provide a guide to configure your environment for least privileged development.

Most of the permissions needed to perform different tasks are already granted to different user groups defined on your computer. Members of the debugger users group are allowed to use Visual Studio .NET to debug processes, both locally and remotely. It is critical for all developers to have this permission, but it should not be granted to everyone because it can be exploited to gain elevated privileges. Members of the VS_Developers group can create new web applications on Microsoft Internet Information Server. Despite the name, membership in this group is not needed to do other Visual Studio .NET development, such as creating Windows Forms applications or similar. If you want to debug web applications on either Windows XP or Windows Server 2003, your user must be a granted the “Log on as batch job” privilege. This privilege is already granted to the IIS_WPG group on Windows Server 2003, so if you don’t have to explicitly give users this privilege if you add them to this group. Windows XP hasn’t got an equivalent to the IIS_WPG group, so you’ll have to grant users this privilege in Windows XP environment.

Below are guides to how you can configure your Windows XP or Windows Server 2003 development environment. Both guides require Visual Studio .NET to be installed on the development computer.

Windows XP (Service Pack 2)

Log on as an administrator.
If you already have a regular user account you can skip to 7
Open the control panel in category view and click “User Accounts”. When instructed to pick a control panel icon, click “User Accounts” again.
In the “User Accounts” dialog, open the “Users” pane and click “Add…”.
In the “Add New User” wizards fill in the fields in the first step and click “Next >”. On the second pane choose the “Restricted user” option and click the “Finish” button.
Change to the “Advanced” tab and click the “Advanced” button in the “Advanced user management” section.
In the “Local Users and Groups” dialog, locate and double-click your user in the “Users” folder.
In the “User Properties” dialog, open the “Member Of” tab.The user should be a member of the “Users” group, not the “Administrators” or “Power Users” groups.
Click the “Add..” button button and type in “Debugger Users; VS Developers;” in the text box below “Enter the object names to select (examples):” caption.
Click “OK” and close the “Local Users and Groups” dialog.
Open the “Local Security Policy” console.
Expand “Local Policies” and click “User Rights Assignment”
Double-click “Log on as batch job”.
From the “Log on as batch job Properties” dialog click the “Add User or Group…” button.
In the “Add User or Group” type in name of your user account.
Click “OK” and close the “Local Security Settings” console.

Windows Server 2003

Log on as an administrator.
Open the “Computer Management” console and expand “System Tools”.
If you already have a regular user account you can skip to 7
To create a new account, expand “Local Users and Groups”.
Right-click “Users” and choose “New User”.
In “New User” dialog fill in the required details and click “Create”.
Double-click your existing or new user account in the “Computer Management” console.
From the “User Properties” dialog, open the “Member Of” tab. The user should only be a member of the “Users” group, not “Administrators” or “Power Users”.
Click the “Add” button and type in “Debugger Users; VS_Developers; IIS_WPG;” in the text box below “Enter the object names to select (examples):” caption.
Click “OK” and close the “Computer Management” console.

Comments

# re: How to configure your development environment to develop with least privilege @ Monday, May 21, 2007 1:06 PM

Cool!

Aiolos

# re: How to configure your development environment to develop with least privilege @ Tuesday, May 22, 2007 4:54 AM

Cool...

Vassilios

# re: How to configure your development environment to develop with least privilege @ Tuesday, May 22, 2007 7:11 AM

Cool...

Crist

# re: How to configure your development environment to develop with least privilege @ Tuesday, May 22, 2007 9:02 AM

interesting

Aineias

# buy cyclobenzaprine @ Thursday, May 31, 2007 3:36 PM

http://acsitdom.blogdiario.com/">http://acsitdom.blogdiario.com/ buy cyclobenzaprine cyclobenzaprine cheap cyclobenzaprine http://acsitdom.blogdiario.com/">http://acsitdom.blogdiario.com/ cyclobenzaprine online buy cyclobenzaprine

buy cyclobenzaprine

# ativan online @ Thursday, May 31, 2007 3:36 PM

http://intranet.education.umn.edu/Bush/Forum/forum_posts.asp?TID=65">http://intranet.education.umn.edu/Bush/Forum/forum_posts.asp?TID=65 ativan online ativan buy ativan http://intranet.education.umn.edu/Bush/Forum/forum_posts.asp?TID=65">http://intranet.education.umn.edu/Bush/Forum/forum_posts.asp?TID=65 buy ativan ativan online

ativan online

# motorola ringtones @ Thursday, May 31, 2007 3:36 PM

http://www.csulb.edu/~d49er/lounge/messages/8970.html">http://www.csulb.edu/~d49er/lounge/messages/8970.html motorola ringtones motorola ringtones motorola ringtones http://www.csulb.edu/~d49er/lounge/messages/8970.html">http://www.csulb.edu/~d49er/lounge/messages/8970.html motorola ringtones motorola ringtones

motorola ringtones

# free samsung ringtones @ Thursday, May 31, 2007 3:36 PM

http://www.rit.edu/~idesignf/cgi-bin/ikonboard//topic.cgi?forum=5&topic=103">http://www.rit.edu/~idesignf/cgi-bin/ikonboard//topic.cgi?forum=5&topic=103 free samsung ringtones samsung ringtones samsung ringtones http://www.rit.edu/~idesignf/cgi-bin/ikonboard//topic.cgi?forum=5&topic=103">http://www.rit.edu/~idesignf/cgi-bin/ikonboard//topic.cgi?forum=5&topic=103 samsung ringtones free samsung ringtones

free samsung ringtones

# carisoprodol online @ Thursday, May 31, 2007 3:38 PM

http://shell.ce.sharif.edu/~taghi/nph-proxy.cgi/011100A/http/diving-deep.net/net/carisoprodol/n83">http://shell.ce.sharif.edu/~taghi/nph-proxy.cgi/011100A/http/diving-deep.net/net/carisoprodol/n83 carisoprodol online carisoprodol cheap carisoprodol http://shell.ce.sharif.edu/~taghi/nph-proxy.cgi/011100A/http/diving-deep.net/net/carisoprodol/n83">http://shell.ce.sharif.edu/~taghi/nph-proxy.cgi/011100A/http/diving-deep.net/net/carisoprodol/n83 cheap carisoprodol carisoprodol online

carisoprodol online

# re: How to configure your development environment to develop with least privilege @ Monday, June 04, 2007 11:39 PM

Nice...

Kharilaos

# re: How to configure your development environment to develop with least privilege @ Tuesday, June 05, 2007 7:35 AM

Cool!

Damianos

# re: How to configure your development environment to develop with least privilege @ Tuesday, June 05, 2007 9:35 AM

Sorry :(

Efthimios

# re: How to configure your development environment to develop with least privilege @ Wednesday, June 06, 2007 7:36 PM

Nice

Athan

# re: How to configure your development environment to develop with least privilege @ Thursday, June 07, 2007 1:05 PM

Nice

Savas

# re: How to configure your development environment to develop with least privilege @ Thursday, June 07, 2007 3:48 PM

Cool.

Timotheos

# re: How to configure your development environment to develop with least privilege @ Friday, June 08, 2007 12:02 PM

Cool.

Nikolaos

# re: How to configure your development environment to develop with least privilege @ Friday, June 08, 2007 1:02 PM

Cool.

Hippocrates

# re: How to configure your development environment to develop with least privilege @ Sunday, June 10, 2007 1:22 AM

Nice!

Georges

# re: How to configure your development environment to develop with least privilege @ Sunday, June 10, 2007 4:39 PM

interesting

Spiro

# re: How to configure your development environment to develop with least privilege @ Sunday, June 10, 2007 6:59 PM

Nice!

Valerios

# re: How to configure your development environment to develop with least privilege @ Sunday, June 10, 2007 11:05 PM

Cool...

Charalambos

# re: How to configure your development environment to develop with least privilege @ Monday, June 11, 2007 10:04 AM

Nice

Othon

# re: How to configure your development environment to develop with least privilege @ Tuesday, June 12, 2007 2:26 PM

Cool.

George

# re: How to configure your development environment to develop with least privilege @ Tuesday, June 12, 2007 9:20 PM

interesting

Tasos

# re: How to configure your development environment to develop with least privilege @ Tuesday, June 12, 2007 10:25 PM

Nice...

Moris

# re: How to configure your development environment to develop with least privilege @ Wednesday, June 13, 2007 1:57 AM

Interesting...

Thrasyvoulos

# re: How to configure your development environment to develop with least privilege @ Wednesday, June 13, 2007 4:19 PM

Nice...

Manos

# re: How to configure your development environment to develop with least privilege @ Wednesday, June 13, 2007 4:44 PM

Nice!

Zaharias

# re: How to configure your development environment to develop with least privilege @ Wednesday, June 13, 2007 10:53 PM

Nice!

Savvas

# re: How to configure your development environment to develop with least privilege @ Wednesday, June 13, 2007 11:34 PM

Nice

Nathanael

# re: How to configure your development environment to develop with least privilege @ Thursday, June 14, 2007 1:22 AM

Sorry :(

Aiolos

# re: How to configure your development environment to develop with least privilege @ Thursday, June 14, 2007 3:01 AM

Nice!

Athanasios

# re: How to configure your development environment to develop with least privilege @ Thursday, June 14, 2007 5:08 AM

Cool.

Panagiotis

# re: How to configure your development environment to develop with least privilege @ Thursday, June 14, 2007 10:54 AM

Cool!

Neophytos

# re: How to configure your development environment to develop with least privilege @ Thursday, June 14, 2007 11:38 AM

Nice!

Ignatios

# re: How to configure your development environment to develop with least privilege @ Thursday, June 14, 2007 9:11 PM

Cool!

Demetrios

# re: How to configure your development environment to develop with least privilege @ Friday, June 15, 2007 12:26 AM

Interesting...

Kosta

# re: How to configure your development environment to develop with least privilege @ Friday, June 15, 2007 9:50 AM

Sorry :(

Zenon

# re: How to configure your development environment to develop with least privilege @ Friday, June 15, 2007 11:06 AM

Sorry :(

Lambro

# re: How to configure your development environment to develop with least privilege @ Friday, June 15, 2007 5:51 PM

Sorry :(

Christos

# re: How to configure your development environment to develop with least privilege @ Friday, June 15, 2007 8:22 PM

interesting

Emmanuel

# re: How to configure your development environment to develop with least privilege @ Saturday, June 16, 2007 7:40 AM

interesting

Evenios

# re: How to configure your development environment to develop with least privilege @ Saturday, June 16, 2007 12:08 PM

Nice

Markos

# re: How to configure your development environment to develop with least privilege @ Saturday, June 16, 2007 2:09 PM

Interesting...

Alexiou

# re: How to configure your development environment to develop with least privilege @ Saturday, June 16, 2007 2:44 PM

Interesting...

Laurentios

# re: How to configure your development environment to develop with least privilege @ Sunday, June 17, 2007 7:00 AM

Nice...

Alexis

# re: How to configure your development environment to develop with least privilege @ Sunday, June 17, 2007 2:29 PM

Cool!

Evangelos

# re: How to configure your development environment to develop with least privilege @ Monday, June 18, 2007 6:01 AM

Nice!

Thanos

# re: How to configure your development environment to develop with least privilege @ Monday, June 18, 2007 6:22 PM

interesting

Georgios

# re: How to configure your development environment to develop with least privilege @ Monday, June 18, 2007 9:08 PM

Cool.

Charalampos

# re: How to configure your development environment to develop with least privilege @ Tuesday, June 19, 2007 8:06 AM

Interesting...

Emmanouil

# re: How to configure your development environment to develop with least privilege @ Tuesday, June 19, 2007 9:01 PM

Cool.

Emmanuel

# re: How to configure your development environment to develop with least privilege @ Wednesday, June 20, 2007 5:27 AM

interesting

Makis

# re: How to configure your development environment to develop with least privilege @ Wednesday, June 20, 2007 1:55 PM

Nice

Doxiadis

# re: How to configure your development environment to develop with least privilege @ Thursday, June 21, 2007 6:40 PM

Nice!

Dion

# re: How to configure your development environment to develop with least privilege @ Friday, June 22, 2007 8:05 AM

Nice...

Kypros

# re: How to configure your development environment to develop with least privilege @ Friday, June 22, 2007 10:03 PM

Nice!

Vasilis

# re: How to configure your development environment to develop with least privilege @ Friday, June 22, 2007 10:54 PM

interesting

Matthaios

# re: How to configure your development environment to develop with least privilege @ Saturday, June 23, 2007 5:10 PM

Nice

Vasilios

# re: How to configure your development environment to develop with least privilege @ Sunday, June 24, 2007 1:01 AM

Cool!

Georghios

# re: How to configure your development environment to develop with least privilege @ Sunday, June 24, 2007 9:55 AM

interesting

Savvas

# re: How to configure your development environment to develop with least privilege @ Sunday, June 24, 2007 11:47 PM

Cool.

Tassos

# re: How to configure your development environment to develop with least privilege @ Monday, June 25, 2007 10:58 AM

interesting

Constantinos

# re: How to configure your development environment to develop with least privilege @ Monday, June 25, 2007 1:07 PM

Interesting...

Athanasios

# re: How to configure your development environment to develop with least privilege @ Monday, June 25, 2007 8:47 PM

interesting

Thrasyvoulos

# re: How to configure your development environment to develop with least privilege @ Monday, June 25, 2007 11:38 PM

Cool...

Dino

# re: How to configure your development environment to develop with least privilege @ Tuesday, June 26, 2007 2:01 AM

Interesting...

Aristotelis

# re: How to configure your development environment to develop with least privilege @ Tuesday, June 26, 2007 8:16 AM

Cool.

Spiro

# re: How to configure your development environment to develop with least privilege @ Wednesday, June 27, 2007 1:22 AM

Interesting...

Kypros

# re: How to configure your development environment to develop with least privilege @ Friday, June 29, 2007 11:17 AM

Nice...

Demosthenes

# re: How to configure your development environment to develop with least privilege @ Friday, June 29, 2007 11:24 PM

Sorry :(

Emmanuil

# re: How to configure your development environment to develop with least privilege @ Saturday, June 30, 2007 2:30 AM

Cool...

Prokopios

# re: How to configure your development environment to develop with least privilege @ Saturday, June 30, 2007 6:51 AM

Nice...

Skyros

# re: How to configure your development environment to develop with least privilege @ Saturday, June 30, 2007 6:31 PM

Nice...

Vassilis

# re: How to configure your development environment to develop with least privilege @ Saturday, June 30, 2007 8:43 PM

Nice!

Manolis

# re: How to configure your development environment to develop with least privilege @ Saturday, June 30, 2007 10:45 PM

Nice!

Stratis

# re: How to configure your development environment to develop with least privilege @ Sunday, July 01, 2007 3:23 AM

Nice

Arsenios

# re: How to configure your development environment to develop with least privilege @ Sunday, July 01, 2007 4:45 AM

Cool.

Drymiotes

# re: How to configure your development environment to develop with least privilege @ Sunday, July 01, 2007 9:20 AM

Cool.

Maximos

# re: How to configure your development environment to develop with least privilege @ Sunday, July 01, 2007 7:34 PM

interesting

Marko

# re: How to configure your development environment to develop with least privilege @ Tuesday, July 03, 2007 10:58 AM

Cool...

Maximos

# re: How to configure your development environment to develop with least privilege @ Tuesday, July 03, 2007 1:40 PM

Interesting...

Kostantinos

# re: How to configure your development environment to develop with least privilege @ Tuesday, July 03, 2007 4:40 PM

Nice...

Efstratios

# re: How to configure your development environment to develop with least privilege @ Tuesday, July 03, 2007 10:30 PM

Sorry :(

Aniketos

# re: How to configure your development environment to develop with least privilege @ Wednesday, July 04, 2007 5:54 AM

Sorry :(

Athones

# re: How to configure your development environment to develop with least privilege @ Wednesday, July 04, 2007 1:01 PM

Nice!

Grigorios

# re: How to configure your development environment to develop with least privilege @ Wednesday, July 04, 2007 6:55 PM

Cool!

Zenon

# re: How to configure your development environment to develop with least privilege @ Wednesday, July 04, 2007 11:53 PM

Cool.

Prokopios

# re: How to configure your development environment to develop with least privilege @ Thursday, July 05, 2007 6:00 AM

Nice!

Ambrosios

# re: How to configure your development environment to develop with least privilege @ Thursday, July 05, 2007 10:02 PM

Nice!

Gerasimos

# re: How to configure your development environment to develop with least privilege @ Monday, July 09, 2007 9:11 AM

interesting

Laurentios

# re: How to configure your development environment to develop with least privilege @ Monday, July 09, 2007 5:03 PM

Nice

Leandros

# re: How to configure your development environment to develop with least privilege @ Monday, July 09, 2007 5:14 PM

Cool!

Theodore

# re: How to configure your development environment to develop with least privilege @ Monday, July 09, 2007 10:31 PM

Cool!

Sotiris

# re: How to configure your development environment to develop with least privilege @ Tuesday, July 10, 2007 2:22 AM

Nice...

Marinos

# re: How to configure your development environment to develop with least privilege @ Tuesday, July 10, 2007 2:56 AM

Sorry :(

Anders Norås' blog

Search

Archives

Navigation

Subscribe

Resources

Currently reading

Click us!

How to configure your development environment to develop with least privilege

Comments

# re: How to configure your development environment to develop with least privilege @ Monday, May 21, 2007 1:06 PM

# re: How to configure your development environment to develop with least privilege @ Tuesday, May 22, 2007 4:54 AM

# re: How to configure your development environment to develop with least privilege @ Tuesday, May 22, 2007 7:11 AM

# re: How to configure your development environment to develop with least privilege @ Tuesday, May 22, 2007 9:02 AM

# lipitor online @ Thursday, May 31, 2007 3:32 PM

# lipitor online @ Thursday, May 31, 2007 3:32 PM

# adipex online @ Thursday, May 31, 2007 3:32 PM

# cheap paxil @ Thursday, May 31, 2007 3:36 PM

# ambien online @ Thursday, May 31, 2007 3:36 PM

# buy cyclobenzaprine @ Thursday, May 31, 2007 3:36 PM

# ativan online @ Thursday, May 31, 2007 3:36 PM

# motorola ringtones @ Thursday, May 31, 2007 3:36 PM

# free samsung ringtones @ Thursday, May 31, 2007 3:36 PM

# carisoprodol online @ Thursday, May 31, 2007 3:38 PM

# re: How to configure your development environment to develop with least privilege @ Monday, June 04, 2007 11:39 PM

# re: How to configure your development environment to develop with least privilege @ Tuesday, June 05, 2007 7:35 AM

# re: How to configure your development environment to develop with least privilege @ Tuesday, June 05, 2007 9:35 AM

# re: How to configure your development environment to develop with least privilege @ Wednesday, June 06, 2007 7:36 PM

# re: How to configure your development environment to develop with least privilege @ Thursday, June 07, 2007 1:05 PM

# re: How to configure your development environment to develop with least privilege @ Thursday, June 07, 2007 3:48 PM

# re: How to configure your development environment to develop with least privilege @ Friday, June 08, 2007 12:02 PM

# re: How to configure your development environment to develop with least privilege @ Friday, June 08, 2007 1:02 PM

# re: How to configure your development environment to develop with least privilege @ Sunday, June 10, 2007 1:22 AM

# re: How to configure your development environment to develop with least privilege @ Sunday, June 10, 2007 4:39 PM

# re: How to configure your development environment to develop with least privilege @ Sunday, June 10, 2007 6:59 PM

# re: How to configure your development environment to develop with least privilege @ Sunday, June 10, 2007 11:05 PM

# re: How to configure your development environment to develop with least privilege @ Monday, June 11, 2007 10:04 AM

# re: How to configure your development environment to develop with least privilege @ Tuesday, June 12, 2007 2:26 PM

# re: How to configure your development environment to develop with least privilege @ Tuesday, June 12, 2007 9:20 PM

# re: How to configure your development environment to develop with least privilege @ Tuesday, June 12, 2007 10:25 PM

# re: How to configure your development environment to develop with least privilege @ Wednesday, June 13, 2007 1:57 AM

# re: How to configure your development environment to develop with least privilege @ Wednesday, June 13, 2007 4:19 PM

# re: How to configure your development environment to develop with least privilege @ Wednesday, June 13, 2007 4:44 PM

# re: How to configure your development environment to develop with least privilege @ Wednesday, June 13, 2007 10:53 PM

# re: How to configure your development environment to develop with least privilege @ Wednesday, June 13, 2007 11:34 PM

# re: How to configure your development environment to develop with least privilege @ Thursday, June 14, 2007 1:22 AM

# re: How to configure your development environment to develop with least privilege @ Thursday, June 14, 2007 3:01 AM

# re: How to configure your development environment to develop with least privilege @ Thursday, June 14, 2007 5:08 AM

# re: How to configure your development environment to develop with least privilege @ Thursday, June 14, 2007 10:54 AM

# re: How to configure your development environment to develop with least privilege @ Thursday, June 14, 2007 11:38 AM

# re: How to configure your development environment to develop with least privilege @ Thursday, June 14, 2007 9:11 PM

# re: How to configure your development environment to develop with least privilege @ Friday, June 15, 2007 12:26 AM

# re: How to configure your development environment to develop with least privilege @ Friday, June 15, 2007 9:50 AM

# re: How to configure your development environment to develop with least privilege @ Friday, June 15, 2007 11:06 AM

# re: How to configure your development environment to develop with least privilege @ Friday, June 15, 2007 5:51 PM

# re: How to configure your development environment to develop with least privilege @ Friday, June 15, 2007 8:22 PM

# re: How to configure your development environment to develop with least privilege @ Saturday, June 16, 2007 7:40 AM

# re: How to configure your development environment to develop with least privilege @ Saturday, June 16, 2007 12:08 PM

# re: How to configure your development environment to develop with least privilege @ Saturday, June 16, 2007 2:09 PM

# re: How to configure your development environment to develop with least privilege @ Saturday, June 16, 2007 2:44 PM

# re: How to configure your development environment to develop with least privilege @ Sunday, June 17, 2007 7:00 AM

# re: How to configure your development environment to develop with least privilege @ Sunday, June 17, 2007 2:29 PM

# re: How to configure your development environment to develop with least privilege @ Monday, June 18, 2007 6:01 AM

# re: How to configure your development environment to develop with least privilege @ Monday, June 18, 2007 6:22 PM

# re: How to configure your development environment to develop with least privilege @ Monday, June 18, 2007 9:08 PM

# re: How to configure your development environment to develop with least privilege @ Tuesday, June 19, 2007 8:06 AM

# re: How to configure your development environment to develop with least privilege @ Tuesday, June 19, 2007 9:01 PM

# re: How to configure your development environment to develop with least privilege @ Wednesday, June 20, 2007 5:27 AM

# re: How to configure your development environment to develop with least privilege @ Wednesday, June 20, 2007 1:55 PM

# re: How to configure your development environment to develop with least privilege @ Thursday, June 21, 2007 6:40 PM

# re: How to configure your development environment to develop with least privilege @ Friday, June 22, 2007 8:05 AM

# re: How to configure your development environment to develop with least privilege @ Friday, June 22, 2007 10:03 PM

# re: How to configure your development environment to develop with least privilege @ Friday, June 22, 2007 10:54 PM

# re: How to configure your development environment to develop with least privilege @ Saturday, June 23, 2007 5:10 PM

# re: How to configure your development environment to develop with least privilege @ Sunday, June 24, 2007 1:01 AM

# re: How to configure your development environment to develop with least privilege @ Sunday, June 24, 2007 9:55 AM

# re: How to configure your development environment to develop with least privilege @ Sunday, June 24, 2007 11:47 PM

# re: How to configure your development environment to develop with least privilege @ Monday, June 25, 2007 10:58 AM

# re: How to configure your development environment to develop with least privilege @ Monday, June 25, 2007 1:07 PM

# re: How to configure your development environment to develop with least privilege @ Monday, June 25, 2007 8:47 PM