In any vertical, in any IT environment, and within an organization, developers, quality assurance, and programmers typically require administrative rights in order to compile code, test software installations, and bind applications with other tools and leverage applications themselves that just need elevated rights just to operate. The nature of the work requires elevated privileges, and in many organizations, they are the last hold out for the removal of local administrative rights, secondary administrative accounts, and inclusion in any DevOps processes. These excuses are valid but there are seamless ways to actually remove administrator rights for developers on Windows and MacOS without actually giving users administrator or root credentials.
For more information on how to remove administrative rights for teams download our latest white paper, The CISO’s Guide to Managing Risk for Privileged Access & Credentials in Windows Environments get it now
So, technically speaking, why do developers need administrative rights?
- Application development tools like Visual Studio and XCode need administrative rights to compile the code.
- Third party add-ons and plugins for development tools require administrative rights to operate and perform specific functions like creating or using certificates.
- The installation or removal of software typically requires administrative rights on Windows or a Mac for testing an application.
- Any third-party extensions, drivers, or modifications to key system files, including the Windows registry requires administrative privileges
- Kernel extensions on MacOS and Accessibility Functions used as workarounds (for functions like right-click menus) need administrative rights to enable.
The list goes on and on. Luckily there is a solution that can solve all of these problems and allow organizations to remove administrative privileges on both Windows and MacOS. BeyondTrust's PowerBroker for Windows and PowerBroker for Mac are designed to provide the least privilege model for any application and any user persona that may exist within your environment — including developers.
Here's how the PowerBroker Endpoint Least Privilege solutions accomplish these goals:
- PowerBroker allows for the local elevation on an application, not the user, and child processes to have the proper privileges required for the development or testing of an application.
- PowerBroker rules provide the ability for specific applications by path, publisher, hash, or other criteria to execute as an administrator for testing, debugging, installation, or software removal. These tasks can be performed by a developer, programmer, or quality assurance personnel to maintain a secure workflow or even instantiate a DevOps process.
- When remote administrative credentials are needed for network authentication, PowerBroker for Windows integrates into PowerBroker Password Safe to seamlessly retrieve credentials and apply them using a “RunAs” command. This occurs without the end user’s visibility to elevate the application and allows it to operate with real domain credentials, with any privileges, to satisfy use cases where local elevation alone is not sufficient.
Developers do not need to be the last hold out for administrator rights within your organization. As my team classically states, “we drink our own champagne” (BeyondTrust developers do not have administrative rights to develop our own solutions). In fact, there are only a few rules in total that have been created to successfully remove privileges and allow them to work efficiently using the least privilege model. For example, the screenshot below covers Microsoft Visual Studio.
With a few more rules to cover your unique development requirements, BeyondTrust can help your organization remove the last holdout of administrative rights on the desktop. PowerBroker for Windows and PowerBroker for Mac can help reduce risk by removing admin rights where they are used the most.
For more information on how to remove administrative rights for developers, programmers, and quality assurance download our latest white paper, The CISO’s Guide to Managing Risk for Privileged Access & Credentials in Windows Environments.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.
