Implementing "Least Privilege" for Endpoints

by Garrett Yamada

In "The Protection of Information in Computer Systems", two MIT researchers define the principle of least privilege like this:

"Every program and every user of the system should operate using the least set of privileges necessary to complete the job."

This principle is difficult to adhere to in academia, when higher privileges are often necessary for end users to perform their job, especially with regard to research. We've attempted to solve this problem in both our Windows and macOS environment to varying degrees of success.

There are several products in the market for "endpoint privilege management", one of which we utilize currently. What we've discovered in our use of this tool in a highly agile academic environment include several points of interest to the wider IT community:

  • No matter how many policies we may create to elevate certain binaries and runtimes, there will always be new ones
  • Utilizing software application vendors who practice good security and sign their code is important
  • Many developers provide separate applications which update their primary application, and these updater apps are often unsigned and run processes you do not expect
  • Some applications may provide no secure way to target them with a policy, which may necessitate elevation by checksum
  • Many applications start several child processes, some of which may also require elevated privleges

Hopefully, these lessons learned provide some guidance to IT pros evaluating how they should implement this principle in their environment. If you want to chat about endpoint security, come find me in the MacAdmins Slack – I'm @gyamada619.