As a developer and IT pro, one of the things I really hate is seeing an example that installs everything as Administrator, or that just completely fails to use good security practices.
Therefore, as a Technical Evangelist, one of the things I really strive for in the examples and content I create is to use something OTHER than Domain Admin to run my services in, and so on. Though... I'm starting to rethink that, based on the hideous number of hours it always causes me to lose.
Case in point, I'm working on some content for a pretty cool new product from Microsoft. And there are a lot of components that make up this product. Those components can be installed on a single machine or distributed across a number of machines.
Rather than just installing everything on a single machine, I went with the more real-world approach of doing it like people would do it in... the real world. And I created separate domain accounts for my services and so on.
And, when interacting with the tool, I'm doing it like a real user would, as I think that makes my tutorials more viable and realistic (especially when part of my job is to watch out for 'icebergs', if you will, and steer readers, viewers, whatever, around those problems when they're working with these tools).
Only, I'm really getting sick of the way Microsoft makes security exponentially more and more difficult by spreading it out over so many different control points, gateways, ACLs, and other points of interaction.
For example, while working with this project I'm on now, there's the ability to deploy my projects to a 'preview' location that's a web site. I try to push to that location, and I'm told, very bluntly, that 'deployment failed'. (Yeah... killer error message there.)
Hmmm. Let's see... there's my security context, the context of the web service I'm working with, and the context of the site I'm routing to via that web service. That also means a couple of places to put ACLs on folders.
That's tedious enough, but hey... it's all... part of the job of using the principle of least privilege. So I go through all those possibilities and make sure the account I'm using (and the account the service is using) has the right perms on the sites and folders.
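Before promoting any account to admin, the three contexts above can be checked against the folders each one touches. The following PowerShell is an added example, not code from the original post: the folder paths and the service account name (svc-preview) are placeholders, and it reads only direct ACEs, so rights granted through group membership would need the account's groups expanded first.

```powershell
# Added example (not from the original post). Lists what each account is
# actually granted on each deployment folder so the missing right can be
# found instead of escalating an account to Administrator.
$Accounts = @('CONTOSO\Mike', 'CONTOSO\svc-preview')   # svc-preview is hypothetical
$Folders  = @('C:\inetpub\wwwroot\preview',            # hypothetical paths
              'C:\ProgramData\PreviewService\staging')

# Rights a file deployment typically needs on its target: Modify (read + write + delete).
$Needed = [int][System.Security.AccessControl.FileSystemRights]::Modify

foreach ($folder in $Folders) {
    if (-not (Test-Path -LiteralPath $folder)) {
        Write-Warning "$folder does not exist (check the site's physical path first)"
        continue
    }
    $acl = Get-Acl -LiteralPath $folder
    foreach ($account in $Accounts) {
        # Only ACEs naming this identity directly; group-based grants are not expanded here.
        $allow = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $account -and $_.AccessControlType -eq 'Allow'
        }
        $deny = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $account -and $_.AccessControlType -eq 'Deny'
        }
        # OR all granted rights together into one flag set (as int, since generic
        # rights such as GENERIC_ALL do not map cleanly onto the enum names).
        $granted = 0
        foreach ($ace in $allow) { $granted = $granted -bor [int]$ace.FileSystemRights }
        [pscustomobject]@{
            Folder    = $folder
            Account   = $account
            Granted   = [System.Security.AccessControl.FileSystemRights]$granted
            HasModify = (($granted -band $Needed) -eq $Needed)
            DenyACEs  = @($deny).Count   # any Deny entry overrides an Allow
        }
    }
}
```

A row with HasModify false, or a non-zero DenyACEs count, points at the context (user, service, or site) that is actually blocking the deployment.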
No love.
Ahhh wait... the service itself has its own security accounts and authorization (like SQL Server does). Maybe the account I'm using, or the service account I'm using, needs the 'Creator' perms/role?
No love.
Google? A few people reporting the same problems, and aside from the obvious suggestions of checking perms... there's still no love.
Well... it IS a demo after all... and... just to see what's up, as part of troubleshooting I make the service account an admin.
No Love.
Just to see... how'z about: Domain Admins?
Still: No Love.
Damnit! What more could you want????!!!111
Fine. Log out as CONTOSO\Mike, log back in as ADMINISTRATOR.
Love. Only... now I don't want it.