None of it has to be complicated; it is because people want to make it complicated, and make computers some magical box.
Let's first talk about removing root privileges on personal workstations or laptops. This is pointless. Anything that might be bad for root to do on a single user system is going to be just as bad running as a user. The second you allow any custom code to run as a user on any system you should treat it as potentially compromised -- adding root into the mix really does not change things -- on a single user system. Worried about root user getting access to some customer data on the system? Too bad, if the data was on the system it is more than likely the user level account (Windows or Linux for that matter) had access to the data, therefore any intruder will also have access, just at the user level. The same goes for just about any other issue you can run into. Am I suggesting running things as root? No, because there really is no need for most things -- at the same time if your developer needs to have root level access so they can test or work with technologies that require it when deployed to production then it really should be a non-issue for sysadmins. The problem is sysadmins are mostly scared to be outed for doing nothing for most organizations these days. These sorts of power sweeps are often used to justify big budgets and teams of people who tell you to "reboot" when it does not work right. There is also a bit of a power-hungry attitude associated with it too.
You state that Linux makes it harder, I can't see how and you did not show me anything convincing. Bold statements without any details into facts can just be tossed into the trash can as far as I am concerned.
Now let's talk about Citrix. How does that help? All that does is move any real or perceived problem to a different system. If any of these VMs get accessed by bad actors they will still be able to own any of the information on them that the user had access to.
In any case I did not really come here to argue any of this, your comment is just sort of out of place with relation to what I said.
If you can't trust your employees, don't hire them, or just pay them and tell them to sit in a dark room so they can't hurt anything.
Your first comment was on point. It's a massive hassle to manage the many environments that come with a hundred thousand computers.
The last poster has zero argument and is just ignoring the problem. Go set up a thousand printers for ten thousand employees in a hundred locations. They all have to work flawlessly and on all OS.