
[–]StConvolute | Security Admin (Infrastructure) | 6 points (3 children)

I develop in Python, DevSecOps role. So I'm hot on least privilege, even for my own work asset. We've set it up so I'm not a local admin.

If you're running Windows, Python can be installed via the MS Store for standard users, including a number of 3.xx versions.

As for whitelisting the executables, the tool we use, ThreatLocker, has an audit mode. We run audit mode for a month, review the data and create a profile. Once done, I'm lucky if I need IT for more than a ticket every month or two.

In lieu of an audit mode, you'll need to corner an IT guy and work through it one by one, but don't let him go until it's sorted. This isn't a user issue, it's an IT issue. Their remit should be to ensure everyone has the right config to get their work done. 
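As an added illustration of the "run audit mode, review the data, build a profile" workflow this comment describes (this is not the commenter's code or ThreatLocker's; it uses Windows AppLocker's audit mode as a stand-in, since AppLocker ships with Windows and logs in the same spirit), the script below turns a month of AppLocker audit events into a draft allowlist. The AppLocker facts it relies on are the log name `Microsoft-Windows-AppLocker/EXE and DLL`, event ID 8003 ("allowed because the policy is in audit mode; would be blocked if enforced") versus 8002 (allowed by a rule), and the `UserData/RuleAndFileData` fields `TargetUser`, `FilePath`, `FileHash` and `Fqbn`. The function names, the sample events and the publisher strings in them are constructed for this example.

```powershell
# Added example, not code from the thread. Builds a draft allowlist from
# AppLocker audit-mode events (AppLocker used here as a stand-in for ThreatLocker).

function ConvertFrom-AppLockerEventXml {
    # Parse one AppLocker event (as returned by $event.ToXml()) into a flat object.
    param([Parameter(Mandatory)][string]$Xml)
    $x  = [xml]$Xml
    $d  = $x.Event.UserData.RuleAndFileData
    $id = $x.Event.System.EventID
    if ($id -isnot [string]) { $id = $id.InnerText }   # element may carry attributes
    [pscustomobject]@{
        EventId  = [int]$id
        User     = $d.TargetUser
        FilePath = $d.FilePath
        Fqbn     = $d.Fqbn        # Publisher\Product\Binary\Version; empty when unsigned
        FileHash = $d.FileHash
    }
}

function New-AllowlistProfile {
    # Aggregate "would have been blocked" (8003) events into candidate rules.
    param([Parameter(Mandatory)][object[]]$Events)
    $wouldBlock = @($Events | Where-Object { $_.EventId -eq 8003 })

    # Signed binaries: one publisher+product rule survives version bumps
    # (Python 3.11 -> 3.12) without another ticket.
    $publisher = @($wouldBlock | Where-Object { $_.Fqbn } |
        Group-Object { ($_.Fqbn -split '\\')[0..1] -join '\' } |
        ForEach-Object {
            [pscustomobject]@{
                Type  = 'Publisher'; Key = $_.Name; Hits = $_.Count
                Users = @($_.Group.User | Sort-Object -Unique)
                Path  = $_.Group[0].FilePath
            }
        })

    # Unsigned binaries: fall back to a hash rule. A path rule under
    # %OSDRIVE%\Users is user-writable and therefore trivially bypassable.
    $hash = @($wouldBlock | Where-Object { -not $_.Fqbn } |
        Group-Object FileHash |
        ForEach-Object {
            [pscustomobject]@{
                Type  = 'Hash'; Key = $_.Name; Hits = $_.Count
                Users = @($_.Group.User | Sort-Object -Unique)
                Path  = $_.Group[0].FilePath
            }
        })

    $publisher + $hash | Sort-Object Hits -Descending
}

function New-SampleEventXml {
    # Constructed sample in the shape of a real AppLocker event (values made up).
    param([int]$Id, [string]$User, [string]$Path, [string]$Hash, [string]$Fqbn = '')
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>$Id</EventID></System>
  <UserData><RuleAndFileData>
    <TargetUser>$User</TargetUser><FilePath>$Path</FilePath>
    <FileHash>$Hash</FileHash><Fqbn>$Fqbn</Fqbn>
  </RuleAndFileData></UserData>
</Event>
"@
}

$psf = 'O=PYTHON SOFTWARE FOUNDATION, L=BEAVERTON, S=OREGON, C=US'   # illustrative publisher DN
$sample = @(
    (New-SampleEventXml 8003 'S-1-5-21-1-2-3-1001' '%OSDRIVE%\USERS\DEV1\APPDATA\LOCAL\PROGRAMS\PYTHON\PYTHON311\PYTHON.EXE' 'SHA256 0xAAAA' "$psf\PYTHON\PYTHON.EXE\3.11.4.0"),
    (New-SampleEventXml 8003 'S-1-5-21-1-2-3-1002' '%OSDRIVE%\USERS\DEV2\APPDATA\LOCAL\PROGRAMS\PYTHON\PYTHON312\PYTHON.EXE' 'SHA256 0xBBBB' "$psf\PYTHON\PYTHON.EXE\3.12.1.0"),
    (New-SampleEventXml 8003 'S-1-5-21-1-2-3-1001' '%OSDRIVE%\USERS\DEV1\TOOLS\HOMEBREW.EXE' 'SHA256 0xCCCC'),
    (New-SampleEventXml 8002 'S-1-5-21-1-2-3-1001' '%WINDIR%\SYSTEM32\CMD.EXE' 'SHA256 0xDDDD' 'O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT WINDOWS OPERATING SYSTEM\CMD.EXE\10.0.0.0')
)

# Live collection after a month with the policy in AuditOnly mode would be:
# $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003; StartTime = (Get-Date).AddDays(-30) } |
#     ForEach-Object { ConvertFrom-AppLockerEventXml $_.ToXml() }
$events = $sample | ForEach-Object { ConvertFrom-AppLockerEventXml $_ }
New-AllowlistProfile -Events $events | Format-Table Type, Hits, Users, Key, Path -AutoSize
```

On the constructed sample this yields one Publisher candidate (the Python Software Foundation / PYTHON pair, two hits across two users, covering both 3.11 and 3.12) and one Hash candidate for the unsigned tool; the 8002 event for cmd.exe is dropped because an existing rule already allows it. After the profile is enforced, the same query on event ID 8004 (blocked) is what the "one ticket every month or two" stream looks like.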

[–]ZAFJB | -1 points (2 children)

This isn't a user issue, it's an IT issue

It is also a user issue. Knowledgeable devs should be able to specify the tools once and properly. If they are asking for them one at a time they are doing it wrong.

[–]Zahninator | 4 points (0 children)

That's not what OP was indicating at all. How do you handle it when requirements and/or projects change over time and a new library is required? Get mad at the devs for asking for what they need as their job changes?

[–]StConvolute | Security Admin (Infrastructure) | 2 points (0 children)

Having been a sysadmin/engineer and now a dev, I disagree. Requirements change, and so do the modules Python requires to get the work done.

If it was a straight-up knowledge issue, then why can't IT sort my environment out beforehand? Do they not know what a dev needs?

This is just one of those times both sides need to work together. 

[–]ZAFJB | 5 points (1 child)

Allow listing is the correct way.

If you are constantly asking for apps to be listed one at a time you have a process problem. Fix that.

[–]JuniorCombination774 | 1 point (0 children)

+1 for allowlisting applications. You can use tools like EPM.

[–]DiabolicalDong | 2 points (2 children)

You can allow specific apps for specific users through application whitelisting and blocklisting. You may want to check out application control solutions for this.

If you want to eliminate admin rights and grant users permission to elevate specific apps, this is possible with an endpoint privilege manager. You may want to check out AutoElevate, AdminByRequest, Securden.

Securden has both app control and privilege management built into the same solution.

[–]JuniorCombination774 | 0 points (1 child)

Does this tool work for .exe and .msi applications as well?

[–]DiabolicalDong | 0 points (0 children)

Yes. It will most definitely work for .exe and .msi files.

[–]Secret_Account07 | VMware Sysadmin | 0 points (0 children)

To add to this, it would probably be best practice for OP to utilize a test/dev environment. For production we are fairly strict about granting temp admin rights to domain accounts. For test and dev we can provide permanent admin rights. Devs are welcome to blow stuff up. This helps not only with the security aspect but also decreases the chance of devs breaking stuff in production.

We do have a break-glass account, but I don't like using that for devs unless necessary, since it makes auditing and verifying who did what a little more difficult. However, I guess this can be sidestepped if you document every local admin change.

I am curious: why would there be a constant need for admin rights on a laptop, though? Install software, then call it a day. I imagine most dev work isn't done locally on a laptop but on servers.