How to set up a secure, private Windows developer workstation?
The Hacker News community ended up in a heated discussion about GitLab's onboarding and machine management policy. The reason behind the brouhaha was a blanket statement that using Windows is prohibited on an employee workstation. The specific arguments it gives feel dubious and outdated, and GitLab's onboarding and machine management document raises some questions about the real motivation behind it.
The community speculated that the move signifies an attempt to distance GitLab from Microsoft, the owner of its biggest competitor, GitHub.
Of course, like any business, GitLab has every right to implement whatever policy suits its operational paradigm. We, too, run an opinionated business.
We use Windows for developer workstations. Here’s why and how we do it.
Why we Chose Windows
As a Java, JavaScript and web shop, we at Input Objects GmbH, the company behind Wide Angle Analytics, rely heavily on three types of software:
- Communication & Collaboration
- Development Tooling
- Creative Suite and Digital Design
Communication and Collaboration Tools on Windows
The abundance of choice is self-evident. You would be hard-pressed to find a collaboration or communication tool that doesn’t run on Windows.
While we rely primarily on web applications, such as Element, Nextcloud and webmail-based e-mail, some key usability differences do exist.
Unlike Apple users, Windows users are not threatened with warnings when sourcing applications outside the App Store. That said, we get most of our applications directly from the vendor: signed and secure, with the process under our control. On top of that, the Microsoft Store is growing, and more tools can easily be grabbed from there.
In terms of hardware compatibility, Windows shines bright. We can, for example, use specialized hardware and still be sure to get it going without a hassle. Often specialized hardware will work on Mac and Linux but will suffer from generic treatment.
Development Tooling
Prepare to get the hornet’s nest stabbed. Few things polarize developers more than the choice of an editor or an IDE.
Wide Angle Analytics is Scala on the backend and Vue.js on the frontend, deployed and running on Kubernetes. Our development environment is Linux.
That’s why we run VMware Workstation on a Windows host. To avoid the penalty of the graphic interface in a VM, we use a Windows-hosted VS Code with remote development in the VM. The benefits are tremendous. We get a smooth GUI experience in Windows, with virtually no lag. VS Code Remote-SSH projects work great, and with the new Terminal app, we ssh into the VM to get all the console goodness.
We also get built-in security by separating the VM from the primary operating system. VMware offers a much safer separation than Windows Subsystem for Linux (WSL).
Workstation backups and automatic snapshotting give us peace of mind that we can always recover the development environment without much fuss.
Based on our benchmarks, the performance impact is negligible without a Desktop Environment in the VM itself.
And it is cheaper! VMware Workstation Pro ($199) combined with Windows 10 Pro ($199) and a free VS Code will run you less than an annual subscription to JetBrains IntelliJ IDEA (€599). If your laptop ships with Windows 10 Pro, that is less than half the price!
Not to mention superior support for Scala in VS Code with Metals compared to IDEA.
Creative Suite and Digital Design
Three words: Adobe Creative Cloud. It is an incredible suite of tools we just love and use daily. You can, of course, run these on macOS. On Linux, you are not that far off with GIMP, Inkscape, Krita and web-based tools like Canva.
But we like the Adobe suite for its unparalleled power and functionality, including the benefits that come from using an industry standard as opposed to more obscure software.
The Elephant in the Room: Windows Security
Often, Windows is used as a poster child for vulnerabilities and malware exposure. Whether this is due to the proliferation of Windows as a desktop environment or the platform’s security, Windows is undeniably a target. Microsoft has dedicated large efforts to stay on top of security challenges with frequent updates and security fixes.
But so is macOS. Nowadays, you can’t even rely on Linux to be virus free. Unfortunately, malware is here to stay and plagues all platforms.
Updating software regularly, including the operating system, and running some form of real-time malware detection are a must, no matter which platform you are using.
Addressing GitLab’s concerns
“Due to Microsoft Windows’ dominance in desktop operating systems, Windows is the platform most targeted by spyware, viruses, and ransomware.”
I discussed this already. Malware is actively targeting all platforms. The same security principles apply.
“macOS is preinstalled on Apple computers and Linux is available free of charge. To approve the use of Windows, GitLab would have to purchase Windows Professional licenses, as Windows Home Edition does not satisfy GitLab’s security guidelines.”
Buying a Windows laptop with Windows 10 Pro is nothing special. BestBuy (US) or MediaMarkt (EU) might not carry laptops with Windows Pro in-store. But go online, and the choice is abundant. A quick visit to an online store of HP or Lenovo will give you a wide range of devices that come with Windows Pro and an optional on-site warranty. No trips to the Genius Bar are necessary.
“Windows Home Edition is notoriously hard to secure.”
Windows Pro is the way to go. Nothing justifies using Windows Home on a workstation.
Conclusion
With many tools becoming browser based, Linux, Windows, and macOS are all apt to be good development machines. However, for more specialized software, Linux might not always be suitable. Still, the difference between Windows and macOS is virtually nonexistent.
We chose Windows because it suits us best. Your mileage may vary. But think for yourself.
If you do choose Windows, like we did, be sure to review privacy settings and consider trimming down telemetry with tools like ShutUp10.
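The points this article relies on (a Pro rather than Home edition, real-time malware detection, regular updates, trimmed telemetry) can be checked in one read-only pass. The script below is an added example, not part of our original tooling; the function name and the age thresholds are assumptions chosen for illustration.

```powershell
# Added example: read-only baseline audit of a Windows developer workstation.
# Function name and thresholds are illustrative assumptions, not from the article.
function Test-WorkstationBaseline {
    param([int]$MaxSignatureAgeDays = 7, [int]$MaxPatchAgeDays = 35)
    $now = Get-Date
    $checks = [System.Collections.Generic.List[object]]::new()
    $add = { param($n, $ok, $d)
        $checks.Add([pscustomobject]@{ Check = $n; Pass = [bool]$ok; Detail = $d }) }

    # 1. Edition: Home editions report an EditionID starting with "Core".
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    & $add 'Edition is not Home' ($edition -notlike 'Core*') $edition

    # 2. Real-time malware detection (Microsoft Defender). With a third-party
    #    product installed this may fail or read False; verify in that product.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $sigAge = ($now - $mp.AntivirusSignatureLastUpdated).Days
        & $add 'Real-time protection on' $mp.RealTimeProtectionEnabled 'Microsoft Defender'
        & $add 'AV signatures current' ($sigAge -le $MaxSignatureAgeDays) "$sigAge day(s) old"
    } catch {
        & $add 'Real-time protection on' $false "Defender status unavailable: $($_.Exception.Message)"
    }

    # 3. Updates: age of the newest installed hotfix (some entries carry no date).
    $last = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($last) {
        $age = ($now - $last.InstalledOn).Days
        & $add 'Recent OS update' ($age -le $MaxPatchAgeDays) "$($last.HotFixID), $age day(s) ago"
    } else {
        & $add 'Recent OS update' $false 'no dated hotfix found'
    }

    # 4. Telemetry: machine policy value (0/1 = lowest levels, 3 = full).
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' `
        -Name AllowTelemetry -ErrorAction SilentlyContinue
    if ($null -ne $policy) {
        & $add 'Telemetry capped by policy' ($policy.AllowTelemetry -le 1) "AllowTelemetry=$($policy.AllowTelemetry)"
    } else {
        & $add 'Telemetry capped by policy' $false 'policy not set; OS default applies'
    }
    $checks
}

Test-WorkstationBaseline | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session; it changes nothing on the machine and returns one row per check.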