In a previous blog post, Andy Harris described how Software Developers are highly dependent on having local admin rights. He focused on the need to be able to run Visual Studio with elevated permissions as VS usually has many developer tool plug-ins active and local admin rights are needed to update those plug-ins. Other developer tasks such as starting and stopping Windows Services or changing network configuration, such as IP addresses, also need admin rights.
In a new video (see below), one of our senior developers, Scott, discusses (and shows) how he works without local admin rights on his workstation. As we see in the video, he depends on many tools and services in addition to VS. For example, many Osirium tools are delivered in Docker images, so he often needs to install and update Docker. There are many other tools in regular use including PowerShell and Python that need to be updated and configured quite regularly.
He can do all this because he has Privileged Endpoint Management (PEM) installed which lets him perform all the admin tasks he needs.
Traditionally, Developers have been granted local admin rights so they're not constantly calling the IT help desk when they need to update a tool. As Stuart, a senior IT admin at Osirium, agrees, Developers have a good case for needing Local Admin rights to get their work done. But it's better to understand exactly what the developers who need elevated rights want to achieve with those rights, and to grant specific authorisations rather than blanket and uncontrolled access to admin rights.
As Scott says, when the developers were first informed they were to lose their local admin rights, they were very concerned they'd have to raise lots of help desk tickets and wait for them to be addressed. But, happily, he admits that has not been the case.
Besides being able to run specific, approved applications with admin rights via PEM, Scott is an example of a senior staffer who has been granted permission to elevate his Windows session when he needs it. That gives him maximum flexibility, but IT retain control as the self-elevation is recorded in the PEM audit logs.
If you'd like to learn more, or get a personal demo of Privileged Endpoint Management, please get in touch.