|
Separate domains could be okay if they'd at least create an active directory group for developers on the plus side that allowed us to get the dev console in the browser, and gave us read-only access to the databases, but evidently, those things are a security no-no.
".45 ACP - because shooting twice is just silly" - JSOP, 2010
-----
You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
-----
When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013
|
|
|
|
|
The Joys of working for the DoD (if I am remembering correctly) and we have a similar setup since we deal with the US Govt, including DoD.
Separate VPN to work on the Gov stuff which cuts off all communications with the rest of the org.
I’ve given up trying to be calm. However, I am open to feeling slightly less agitated.
|
|
|
|
|
We have a VPN to the org (from home).
".45 ACP - because shooting twice is just silly" - JSOP, 2010
-----
You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
-----
When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013
|
|
|
|
|
#realJSOP wrote: 3) We have an insane program manager that has prohibited us from sucking data off the plus side and putting it onto the dev side, so we secretly backup production data, and put it onto dev one table at a time
Knowing your end customer is the DOD, I really hope this isn't what it sounds like. While room, board, and most other amenities are provided at no cost to you; Club Fed is a really lousy place to retire to. 
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, weighing all things in the balance of reason?
Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful?
--Zachris Topelius
|
|
|
|
|
Hi all,
I quit a job cause of this kind of "unbelievable" restrictions...
If there is no solution, there is no problem !
|
|
|
|
|
Rob Philpott wrote: I'm now being exposed to the idea that you put your development, UAT and Production environments in different domains,
That sounds to me like a nightmare. Why domains? Why not have UAT and production on separate servers?
|
|
|
|
|
I think they're perceived as units isolated from each other with the expectation that provides some level of security, but its all on the same network at the end of the day. I would think a lots of threats would be at network level, not the domain but to be honest I just don't know. Having thus far only ever worked on a single domain I don't really fully understand what it achieves or tries to by spanning domains.
The closest I've been is a place where they had two physical networks, two PCs and a KVM switch on each desk "Prod" and "Dev". We couldn't get to our email on on Dev, only on prod. And on prod we couldn't get to our code. Infuriating. That place doesn't exist any longer it got taken over and sucked up into an economic black hole in 2008.
Regards,
Rob Philpott.
|
|
|
|
|
My company uses separate subdomains for production and non-production. Non-production includes dev, QA, and RC/UAT environments. The subdomains are firewalled, so that non-production cannot reach production and vice versa. They adopted Microsoft's "privileged access workstation" guidance, where each user is assigned a laptop that is completely locked down (can't install anything, etc.), and that laptop hosts a VM (hosted locally) where we can do internet & email but not much else. Additionally, each user is assigned a production VM and a non-production VM (each hosted remotely). Developers have local admin privileges on the non-production VM, but are encouraged to limit software installed on it to whatever is available in our corporate Software Center hub. None of this is terrible by itself, and all makes sense to me security-wise. but here lies the problem:
1) each device and VM needs a separate login with a distinct password
2) the PAW laptop needs to be connected to the VPN, requiring a 2fa login
3) the "productivity" VM (the locally-hosted one) needs a separate VPN connection (requiring a second 2fa login)
4) the VPN connections time out, and I often need to re-connect multiple times daily
5) all 4 Windows logins (PAW device, productivity VM, non-prod VM, prod VM) are subject to password rotation, with stringent password complexity requirements
6) all devices and VMs lock out after just 3 minutes of inactivity
6) the PAW laptop is bitlocker-ed, so you need to enter a decryption code each time you reboot (which is frequent, since updates are pushed multiple times per week)
The net result is that I spend a ridiculous proportion of my day typing in passwords, which I have no recourse but to write down because there's no way in heck I can remember umpteen different passwords that change every several weeks. By the time I've caught up on email, or responded to a chat thread with my colleagues, or finished reading a CP article, my non-prod VM has almost certainly locked out, and then after spending a little time writing code, I head over to my "productivity" VM to check something on StackOverflow and oops! It's locked out by now and I have to log in again (what was that password [checks notebook]?). It's a total productivity-killer!
|
|
|
|
|
|
That's the point where you should get a stand alone tap to start/stop timer, record the amount of time you waste each day playing stupid password games; and charge it to IT overhead on your time sheet each day.
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, weighing all things in the balance of reason?
Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful?
--Zachris Topelius
|
|
|
|
|
You could use trusts between those domains to enable your "normal" user to be able to do stuff on the developement and UAT domain, but tbh working on different domains just sucks. It adds a lot of overhead so there has to be a really good reason to go through that kind of trouble. Until now I have only seen different domains trusting each other in cases of different companies working together in some sort. I also saw people having multiple devices to work on different domains but that sucks a lot too. Imagine carrying 2 laptops with you all the time.. or in your case: 3. What you could do is set up several computers in the dev and uat domain and login on those devices via RDP using users from those respective domains. But that's all meh.
|
|
|
|
|
A long, long time ago (10+ years?) I set my personal laptop up with a work domain separate from my home domain. I don’t recall any specific problems with doing so, but I think it felt a bit clunky. I remember having to set different themes so I could tell at-a-glance which environment I was logged in to.
It’s worth a try,if only to satisfy your curiosity. 
Time is the differentiation of eternity devised by man to measure the passage of human events.
- Manly P. Hall
Mark
Just another cog in the wheel
|
|
|
|
|
We have a production domain, a dmz domain and a dev domain.
There are one way trusts so that dmz trusts prod and dev trusts prod, but not the other way.
We just use prod ids on all domains.
If a dmz or dev box is compromised, it is supposed to slow down sideways propagation into prod.
|
|
|
|
|
Proponent of drink drink ! (9)
"Life should not be a journey to the grave with the intention of arriving safely in a pretty and well-preserved body, but rather to skid in broadside in a cloud of smoke, thoroughly used up, totally worn out, and loudly proclaiming “Wow! What a Ride!" - Hunter S Thompson - RIP
|
|
|
|
|
Nice! 
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
"Common sense is so rare these days, it should be classified as a super power" - Random T-shirt
AntiTwitter: @DalekDave is now a follower!
|
|
|
|
|
Will you take it in the absence of anyone else ? I ask as I can't do tomorrows
"Life should not be a journey to the grave with the intention of arriving safely in a pretty and well-preserved body, but rather to skid in broadside in a cloud of smoke, thoroughly used up, totally worn out, and loudly proclaiming “Wow! What a Ride!" - Hunter S Thompson - RIP
|
|
|
|
|
OK.
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
"Common sense is so rare these days, it should be classified as a super power" - Random T-shirt
AntiTwitter: @DalekDave is now a follower!
|
|
|
|
|
Proponent of
drink SUP
drink PORTER
SUPPORTER
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
"Common sense is so rare these days, it should be classified as a super power" - Random T-shirt
AntiTwitter: @DalekDave is now a follower!
|
|
|
|
|
I though it was apt for St Patricks Day
"Life should not be a journey to the grave with the intention of arriving safely in a pretty and well-preserved body, but rather to skid in broadside in a cloud of smoke, thoroughly used up, totally worn out, and loudly proclaiming “Wow! What a Ride!" - Hunter S Thompson - RIP
|
|
|
|
|
I liked it!
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
"Common sense is so rare these days, it should be classified as a super power" - Random T-shirt
AntiTwitter: @DalekDave is now a follower!
|
|
|
|
|
|
I'm envying you - you're doing a lot of fun stuff. I love bare metal.
GCS d--(d-) s-/++ a C++++ U+++ P- L+@ E-- W++ N+ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t+ 5? X R+++ tv-- b+(+++) DI+++ D++ G e++ h--- r+++ y+++* Weapons extension: ma- k++ F+2 X
|
|
|
|
|
Come on! There is no "ME" in "TEAM"!
Oh, hang on, there is ...
And an "i" in the "A-hole" ... 
Well done you! Another article in progress?
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
"Common sense is so rare these days, it should be classified as a super power" - Random T-shirt
AntiTwitter: @DalekDave is now a follower!
|
|
|
|
|
Not another article for this one, as it's just a driver for a work I've already published here.
Well now that I think on it, I may actually produce an article for the little hashtable and vector.
It's of limited utility, because most of the time the STL is available. It's only certain IoT frameworks where it can't be relied on.
To err is human. Fortune favors the monsters.
|
|
|
|
|
If it's that tiny, maybe a tip instead? May help someone struggling with a similar problem?
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
"Common sense is so rare these days, it should be classified as a super power" - Random T-shirt
AntiTwitter: @DalekDave is now a follower!
|
|
|
|
General 
News 
Suggestion 
Question 
Bug 
Answer 
Joke 
Praise 
Rant 
Admin 
Submit an article or tip
