Privilege Management for Development Teams

Morey Haber, Chief Technology Officer
July 12th, 2018

In any vertical, in any IT environment, and within any organization, developers, quality assurance staff, and programmers typically require administrative rights to compile code, test software installations, bind applications to other tools, and run applications that need elevated rights just to operate. The nature of the work requires elevated privileges, and in many organizations these teams are the last holdout for the removal of local administrative rights, secondary administrative accounts, and inclusion in any DevOps processes. These excuses are valid, but there are seamless ways to remove administrator rights for developers on Windows and macOS without giving users administrator or root credentials.

For more information on how to remove administrative rights for teams, download our latest white paper, The CISO’s Guide to Managing Risk for Privileged Access & Credentials in Windows Environments.

So, technically speaking, why do developers need administrative rights?

  • Application development tools like Visual Studio and Xcode need administrative rights to compile the code.
  • Third-party add-ons and plugins for development tools require administrative rights to operate and perform specific functions like creating or using certificates.
  • The installation or removal of software typically requires administrative rights on Windows or a Mac for testing an application.
  • Any third-party extensions, drivers, or modifications to key system files, including the Windows registry, require administrative privileges.
  • Kernel extensions on macOS and Accessibility Functions used as workarounds (for functions like right-click menus) need administrative rights to enable.

The list goes on and on. Luckily, there is a solution that can solve all of these problems and allow organizations to remove administrative privileges on both Windows and macOS. BeyondTrust’s PowerBroker for Windows and PowerBroker for Mac are designed to provide the least privilege model for any application and any user persona that may exist within your environment, including developers.

Here’s how the PowerBroker Endpoint Least Privilege solutions accomplish these goals:

  • PowerBroker elevates the application locally, not the user, so that the application and its child processes have the privileges required for the development or testing of an application.
  • PowerBroker rules allow specific applications, identified by path, publisher, hash, or other criteria, to execute as an administrator for testing, debugging, installation, or software removal. These tasks can be performed by a developer, programmer, or quality assurance personnel to maintain a secure workflow or even instantiate a DevOps process.
  • When remote administrative credentials are needed for network authentication, PowerBroker for Windows integrates into PowerBroker Password Safe to seamlessly retrieve credentials and apply them using a “RunAs” command. This occurs without the end user’s visibility, elevates the application, and allows it to operate with real domain credentials, with any privileges, to satisfy use cases where local elevation alone is not sufficient.
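The rule-based elevation described above can be modeled in a few lines. This is an added example, not BeyondTrust code and not PowerBroker's rule format: the Rule and Launch types, the first-match ordering, and all sample names and paths are assumptions made for illustration.

```python
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    # Hypothetical rule shape: every criterion that is set must match.
    name: str
    path_glob: Optional[str] = None
    publisher: Optional[str] = None   # signer name from a verified signature
    sha256: Optional[str] = None
    elevate_children: bool = False

@dataclass(frozen=True)
class Launch:
    path: str
    publisher: Optional[str]          # None when unsigned or signature invalid
    content: bytes                    # file bytes, hashed at launch time
    parent_rule: Optional[Rule] = None  # rule that elevated the parent process

def matches(rule: Rule, launch: Launch) -> bool:
    if rule.path_glob and not fnmatch.fnmatchcase(launch.path.lower(), rule.path_glob.lower()):
        return False
    if rule.publisher and launch.publisher != rule.publisher:
        return False
    if rule.sha256 and hashlib.sha256(launch.content).hexdigest() != rule.sha256:
        return False
    return True

def decide(rules, launch: Launch) -> Optional[Rule]:
    """Return the rule that elevates this process, or None (standard token)."""
    # The decision is keyed on the application; the user's account is never consulted or changed.
    for rule in rules:            # assumption: first matching rule wins
        if matches(rule, launch):
            return rule
    parent = launch.parent_rule
    if parent is not None and parent.elevate_children:
        return parent             # child inherits the parent's elevation
    return None

# Constructed sample rules; names, paths and bytes are placeholders.
RULES = [
    Rule("ide", path_glob=r"c:\program files\exampleide\*\ide.exe",
         publisher="Example Publisher", elevate_children=True),
    Rule("installer", sha256=hashlib.sha256(b"constructed-installer").hexdigest()),
]
```

In this model a binary swapped in at the allowed path without the expected publisher stays unelevated, while the hash-pinned installer is elevated from any location as long as its bytes are unchanged.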

Developers do not need to be the last holdout for administrator rights within your organization. As my team classically states, “we drink our own champagne” (BeyondTrust developers do not have administrative rights to develop our own solutions). In fact, only a few rules in total have been created to successfully remove privileges and allow them to work efficiently using the least privilege model. For example, the screenshot below covers Microsoft Visual Studio.

With a few more rules to cover your unique development requirements, BeyondTrust can help your organization remove the last holdout of administrative rights on the desktop. PowerBroker for Windows and PowerBroker for Mac can help reduce risk by removing admin rights where they are used the most.

For more information on how to remove administrative rights for developers, programmers, and quality assurance, download our latest white paper, The CISO’s Guide to Managing Risk for Privileged Access & Credentials in Windows Environments.


With more than 20 years of IT industry experience and author of Privileged Attack Vectors, Mr. Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. He currently oversees BeyondTrust technology for both vulnerability and privileged access management solutions. In 2004, Mr. Haber joined eEye as the Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was a Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. Mr. Haber began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science in Electrical Engineering from the State University of New York at Stony Brook.