Privileged Endpoint Management - Managing Developers' Systems

Andy Harris

Enabling Developers Without Risk
Local administrator permissions can give any user a lot of power. But with that power comes a lot of potential risk, because those users could install malware or change system settings in ways that make their machines a perfect entry point for an attacker.
Osirium's Privileged Endpoint Manager (PEM) product lets organisations remove local admin rights from users' accounts without impacting productivity.
That could be disruptive for many users but developers can be the most difficult class of users to deal with. There are many reasons for this:
- They understand what they are doing, and what privileges are.
- They will be installing applications and extensions all day!
- They will have non-standard Windows installations.
- They will often use multiple systems.
Developers are usually working to tight deadlines, and there is always pressure because there are never enough developers or time. That adds to the risk. When working in a hurry, it's too easy for them to accidentally run applications with elevated privileges or not pay enough attention when searching around the Internet for some utilities to get stuff done. For example, legitimate and useful utilities are wrapped in malware installers. Last year there was a spate of sites serving FileZilla wrapped in malware droppers - which caused plenty of issues, including Apple marking the real FileZilla as malware.
A very common task for developers is installing Microsoft Visual Studio. This needs local admin rights. But as an application it is really a framework: once installed, the developer needs to add all the extensions that match the working environment and languages they are using. Again, administrator privileges are needed. But it's usually not possible to allow admin rights for Visual Studio without granting the same rights on the entire workstation.
With PEM, IT can track which applications or tools are actually used by developers and can build policies to allow them to run those approved apps as administrator. The policy can ensure only the approved versions are allowed, preventing that hidden malware attack.

It's really important that the whole process is simple and doesn't get in the way of the developer getting their work done. Developers hate being slowed down by security procedures and can be very creative in avoiding any extra steps in their workflow if they feel pain.
Here's a video showing how a developer without local admin rights can install Visual Studio and extensions:
If PEM can deal with developers, it can help with any other class of user.
If you'd like to know more - please get in touch.