July 22, 2019 · Tips

Implementing "Least Privilege" for Endpoints

In "The Protection of Information in Computer Systems", two MIT researchers define the principle of least privilege like this:

"Every program and every user of the system should operate using the least set of privileges necessary to complete the job."

This principle is difficult to adhere to in academia, where higher privileges are often necessary for end users to perform their jobs, especially with regard to research. We've attempted to solve this problem in both our Windows and macOS environments, with varying degrees of success.

There are several products on the market for "endpoint privilege management", one of which we currently use. Our use of this tool in a highly agile academic environment has surfaced several points of interest to the wider IT community:

Hopefully, these lessons learned provide some guidance to IT pros evaluating how they should implement this principle in their environment. If you want to chat about endpoint security, come find me in the MacAdmins Slack – I'm @gyamada619.