In any vertical, in any IT environment, and within an organization, developers, quality assurance, and programmers typically require administrative rights in to compile code, test software installations, and bind applications with other tools and leverage applications themselves that just need elevated rights just to operate. The nature of the work requires elevated privileges. In many organizations, elevated privileges are the last hold out for the removal of local administrative rights, secondary administrative accounts, and inclusion in any DevOps processes. These excuses are valid but there are seamless ways to actually remove administrator rights for developers on Windows and macOS without actually giving users administrator or root credentials.
For more information on how to remove administrative rights for teams download, The Guide to Endpoint Privilege Management.
Why do developers need admin rights?
So, why do developers require administrative writes? Here are some examples:
- Application development tools like Visual Studio and XCode need administrative rights to compile the code.
- Third party add-ons and plugins for development tools require administrative rights to operate and perform specific functions like creating or using certificates.
- The installation or removal of software typically requires administrative rights on Windows or a Mac for testing an application.
- Any third-party extensions, drivers, or modifications to key system files, including the Windows registry requires administrative privileges
- Kernel extensions on MacOS and Accessibility Functions used as workarounds (for functions like right-click menus) need administrative rights to enable.
The list goes on and on. Luckily there is a solution that can solve all of these problems and allow organizations to remove administrative privileges on both Windows and macOS. BeyondTrust's Endpoint Privilege Management solution is designed to enable the least privilege model for any application and any user persona that may exist within your environment — including developers.
How BeyondTrust Manages Privileged Access for DevOps
BeyondTrust customers use our Endpoint Privilege Management solution to control and monitor admin access to developers and other DevOps team members. Our solution:
- Allows for the local elevation on an application, not the user, and child processes to have the proper privileges required for the development or testing of an application.
- Implements rules providing the ability for specific applications by path, publisher, hash, or other criteria to execute as an administrator for testing, debugging, installation, or software removal. These tasks can be performed by a developer, programmer, or quality assurance personnel to maintain a secure workflow or even instantiate a DevOps process.
- Integrates into our Password Safe product to seamlessly retrieve credentials and apply them using a “RunAs” command. This enables secure use of remote administrative credentials when needed for network authentication. This occurs without the end user’s visibility to elevate the application and allows it to operate with real domain credentials, with any privileges, to satisfy use cases where local elevation alone is not sufficient.
Developers do not need to be the last hold out for administrator rights within your organization. As my team classically states, “we drink our own champagne” (BeyondTrust developers do not have administrative rights to develop our own solutions). In fact, there are only a few rules in total that have been created to successfully remove privileges and allow them to work efficiently using the least privilege model.
With a few more rules to cover your unique development requirements, BeyondTrust can help your organization remove the last holdout of administrative rights on the desktop. BeyondTrust Endpoint Privilege Management can help reduce risk by removing admin rights where they are used the most.
For more information on how to remove administrative rights for developers, programmers, and quality assurance download our Guide to Endpoint Privilege Management.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.
