Guest: Brian Coleman, Owner, Matchstick Birmingham
Episode description
From learning the basics of technology from his mother (who holds a doctorate in computer science) at an early age to starting up his own IT consulting business, Brian Coleman has dedicated nearly his entire life to the IT field. As such, he has a unique perspective on how much the industry has changed over the years, including how the distribution of admin privileges has changed and caused organizations problems in the past.
Listen to this episode of Where’s the Any Key? to hear Brian and Ryan’s viewpoints on how admin privileges are provisioned and how this affects the organization’s overall security.
The following is a transcription of an episode of our podcast, Where’s The Any Key? Feel free to reach out with any questions you may have in response to this recording. You can find our show on Apple Podcasts, Spotify, and wherever podcasts are available.
Ryan Bacon: Welcome to Where’s the Any Key, the podcast where we talk shop about topics, tips, and trends for the modern IT admin. I’m your host, Ryan Bacon, the IT support manager at JumpCloud®.
Introducing Brian Coleman
Ryan Bacon: Alright, joining me again today is Brian Coleman. He’s the owner of Matchstick Birmingham, an up and coming IT firm in Birmingham, Alabama. Thanks for coming back on Brian.
Brian Coleman: Of course, anytime. I really like being here. Appreciate it.
Ryan: Alright. Well, we like having you. So today, we’re going to talk about something that haunts IT admins across the globe, and that is administrator privileges on endpoints.
Brian: Right. Right. For a second there I thought you were going to talk about what we’ve talked about right before recording, which was the other thing IT administrators dread, which is the call from the guy that says I might’ve poured a glass of water into my laptop. Yeah, we’ll talk about admin permissions instead.
Ryan: Alright. I mean, oh gosh, we could go on and on about liquid damage.
Brian: Yes, a liquid event as they say.
Admin Privileges – the Good, the Bad, and the Ugly
Ryan: Yeah, liquid event. But okay, so admin privileges, I think we could all agree in an ideal world, we stick to that concept of least privilege where the only people that absolutely need admin privileges have them and everybody else is just a standard user. But as we know, it’s not a perfect world, and especially in remote environments, there’s a need to… Sometimes you just have to fudge it. You just have to make somebody an admin because of a process that they need to run or any number of reasons.
Brian: In the before times way that we would deal with this, pre-pandemic, we would have a help desk or a couple of technicians at a help desk that would go and physically interact with the end-user there, type in an admin password, let this thing do whatever it was going to be, whether it was a system update or just an application that needs to do whatever and everything was fine. And you could have some certainty that your access was controlled. But today’s world is entirely different and not only can we not have the physical interaction, but we probably shouldn’t have the physical interaction for a little while longer. So we’re forced into doing things in new and different ways. And sometimes, like you say, it has to be fudged a little bit and how do you deal with that?
I have a lot of conversations with organizations where they are mandated, whether it’s because of the security framework they have to adhere to, or an internal security policy that they are not going to budge on that users can not have administrative access on their machines. And when you’re in that situation and you really can’t fudge it, like you’re saying, you’ve got to come up with some creative solutions, even if it is having those help desk guys that used to walk over to a person and type in a password, now they maybe have to get on some remote screen-share and do the same thing. But that’s highly inefficient and is prone to all sorts of problems and errors. And today, there’s not a great solution. And you’d think, 30 years into the idea of personal computers we would’ve come up with something better than what we have today, but it’s just not there yet.
Ryan: Yeah, and even with a lot of these… The thing that comes to my mind when it comes to admin privileges is like installing or updating software. In theory, a lot of software that’s out there that gets installed on the machine should update itself without any kind of interaction, but depending on how it gets installed. So say you install Slack using Homebrew, and even though in theory Slack will update itself, that’s not how it works. That Slack helper tool dialog is going to pop up and ask you for admin credentials.
Brian: Yeah. I mean, I was wondering if we were going to make it all the way to two and a half minutes into the conversation before we mentioned Slack. I’m looking at you here, Slack, you’re the one that’s causing problems especially in the Mac world. And I’ve heard, there’s obviously some ways, Slack specifically, to work through these issues. If you use the Apple app store version of Slack, the VPP version of it, you can get around some of this, because the app store has some native permissions, almost root permissions. And so it can do things via app store that you can’t do as a normal user. But, think of all the downsides of having your corporate users as part of the Apple app store. That in itself is a gigantic problem waiting to happen. So there’s some ways to get around it, but then those ways end up costing more than they give you. The squeeze isn’t worth the juice – juice isn’t worth the squeeze.
Ryan: Exactly. Right. I think about that, you have Apple Business Manager, or what is it, Apple education manager, whatever it is. The education equivalent where you can have those managed accounts, but then you’re looking at going in… Those accounts are going to be restricted to what they can do on the app store and stuff like that. But, it’s adding complexity into user provisioning because unless you’re specifically using Active Directory or something like that, you can’t do federated provisioning or anything like that on Apple Business Manager. Believe me, it’s something I brought up to our Apple rep. But I mean, you don’t have API access. You don’t have a good way of programmatically creating people and it’s not a straightforward test. You go in there, manually create it – it can’t match another Apple ID.
Brian: I mean, sorry to you, buddy, if you happen to have used that email address previously, I’ll be doomed.
Ryan: Yeah, exactly. I mean, we’re luckily a Google shop so when we run into that sort of thing, we use the plus alias on there. But then again, you have to be like, hey, this weird looking email address is what you’re going to be using to manage your account. So, yeah, like you’re saying, it’s a whole lot of complexity there.
Brian: And I have not tested this yet – I need to, I guess. One thing that I’ve had to do recently is I’ve had to use some PCC profiles to prevent users from signing in with their Apple ID on corporate Macs. The reason why is because a lot of well-intentioned users will turn on Find My Mac, and then you’re really doomed, right? Because if there’s any reason that this employee were to leave the organization under maybe not great circumstances, they can take that Apple ID with them. And that Mac is now gone. It’s useless to you.
Ryan: I was going to say, along those lines, we’ve had it before, where people would either use their old… The problem is if they use their personal ID where we had somebody leave and we go to clean up their system after they turned it in, and they were signed on their personal Apple ID and we opened it up and there were messages, there were so many things that as an IT pro, I have no desire to see. And one thing that we’ve done after that happened is when we do new hire orientation, but the IT aspect of it, we use that story. It’d be like, “Hey, you don’t do this because this happened.” And also, the other things of what happens if they’re in there and they accidentally install or save sensitive company information to their iCloud drive.
Brian: Yeah. That was another big push to limit Apple ID access. And there’s parts of that profile that seemed to allow you to just restrict certain iCloud functions. But the truth is, it’s not sticking the way we think it is, and the only way I could make that work was to basically just prevent iCloud login entirely. If you open up system preferences on a Mac with this policy, the upper right, where there should be a button that says log in, it’s not even there. Which to precisely speak to your point, someone would sign in with their personal info, kind of medium worst case is: you end up with a Mac full of their personal information, and now you have to deal with it as an IT guy. Or like I said, if they enable Find My Mac thinking it’s going to be a great idea, suddenly now you have a completely useless Mac because you can’t get into their iCloud account to release this thing, if they’re no longer working for you.
So all that being said, I’m not even sure if my restriction on using iCloud and Apple ID also would break the ability for them to load up the app store, for example. I need to go test that out because yeah, I mean, you’re right. There needs to be some solution, whether it’s an easier to manage and provision and deprovision app store clone, app store little subset, or is it some other way to control user access, user permissions and give people the ability to still do their jobs right. What we’re doing with JumpCloud now is, if someone needs to have admin rights because the Slack update helper is just annoying the crap out of them, we’ll go into the user config and temporarily give them admin rights, with the caveat of we’re going to do this manually. And we’re going to give you about 10 minutes and get the thing done, and then we’re going to knock you back down to standard like everybody else, but that’s an administrative task.
That engineer has to start the clock and then remember to go back and deal with it. And unfortunately, that’s the best thing we got right now. There’s got to be a better way though. I mean, I’m talking to all of the app developers out there. I’m talking to the Slack guys, I’m talking to the Zoom guys. There’s got to be a way to get your app to do what it needs to do without requiring all these admin permissions that if Big Sur is any indication, they’re going to get harder and harder and harder to work with.
Ryan: Exactly. Yeah. I think you touched on the real difficulty – specifically with Big Sur. I think it really started with Mojave, got worse with Catalina, and then so far it’s hit its peak with Big Sur, with really compartmentalizing tasks and really putting down that… implementing that policy of least privilege and restricting what apps can do and being like, and making it so where the user has to give permission for these sorts of things. But for the user to get permission, the user has to have permission. And it’s really like a real Catch-22.
Brian: It’s a good point. The user has to be able to give themselves the permissions that they need to give themselves.
Ryan: Yeah, exactly. Yeah. So what do we do? I mean, when it comes to… I mean, you mentioned part of it, VPP, then you have other things like AutoPkg you could implement. I mean, getting those set up, I mean, it can be a brain ache. I mean, I will fully admit, I’ve really just dabbled in stuff like AutoPkg.
Brian: I mean, that’s probably going to be the way. One thing I was going to say, I’ll give a shout out to Google, right? Because Chrome works the way we expect it to. You can install Chrome in a user space and it can live there and it can update and it can do everything it needs to do. And it never once has to have admin permissions.
Ryan: It’s true. You mentioned Chrome and things like it, where it brings the dark underside of auto updates and stuff like that. Or not really the dark underside, but the problem with auto updates is they’re still reliant a lot of times on the user to take action, whether that’s to restart Chrome, whether that’s to reboot your system. I don’t know how many times I’ve been on… doing a video conference with somebody and they do a screen share. And the little icon in the upper right of Chrome is like red, it’s like: update NOW.
Brian: They’re like, oh yeah, this thing has been doing this for like a month now. I don’t know what’s wrong with this thing.
Ryan: Yeah. It’s like, I don’t want to restart Chrome because I’ll lose all my tabs, and as a habitual tab hoarder myself, I get it. But then you’re like, oh, you could recover those tabs. Don’t worry.
Brian: Yeah. Yeah. That should be a lesson that you do in IT orientation. Not only don’t put your junk out on the internet so that we’re going to find it in your iCloud account, but also go to your history tab in Chrome. It’s an amazing thing, that history tab.
Ryan: It really is. But, still it’s… that requiring user interaction. So I’m waiting for the feature in Chrome where it would be like, okay, either it’ll restart itself at… You can set it in Google Workspace or whatever to reset itself at 12:00 AM, local time… something like that, like what Windows does for its updates, when you can time Windows for it to restart.
Brian: Right. Right. And at first that idea was amazing. I was like, this is going to be so cool. Especially if you were really a heavy Windows shop and you were using like SCCM or something like that. And we were like, man, this is going to be awesome. And then everyone was just turning their PCs off, like ah, come on guys.
Ryan: Oh gosh, you’re going to give me PTSD flashbacks of that SCCM.
Brian: Oh yeah? I’ve never met a person that liked it.
Ryan: I was fortunate enough that I only used it a little bit in like one job – enough to experience the pain. And like what you’re saying, there’s no good solution out there. So what there is, you have to deal with it.
Brian: Right. Right. And so here we are manually granting elevated privs for people and then going back and undoing it. When I catch 10 or 15 minutes of free time, I’m still messing with weird scripts that we can run on the backend using the command runner to make things a little bit better. But it’s always going to be something weird that we’re having to work around. And again, I mean, even if Chrome’s user interaction to require a restart is still better in my opinion than some of these other things. But I think it was a conversation we were having before where you said, even really great tools like Homebrew can get you in a weird place because you install stuff with Homebrew, and it just ends up in this nebulous nobody knows who the owner is. And no one knows what the permission is on the box itself.
Ryan: Right. Because when we image a system, we put in like an admin user that we put on every system that’s just a local admin. That’s what IT uses in case we need to access the machine – that sort of thing. And when we run an imaging script, we run it using that user and when you add a user to the system later on, that causes all sorts of weirdness with Homebrew and it’s its own set of problems.
Brian: We should definitely put something out in the Slack workspace and the JumpCloud lounge and just say, “Hey, rockstars, what is your solution for some of these?”
Ryan: Yeah, crowdsource it.
Brian: Right. Because I’ve seen a lot of great ideas in all the channels in the workspace, and some of them are really ingenious and some of them are just brute force. I know there’s a couple of guys that just run a script that downloads and installs Slack, and they run it like once a week. And so they get away from that whole update helper, because it never has to update via itself. It’s always getting pushed. And I was like that does kind of work, but the clients I have are so Slack dependent, the phone would be blowing up the first time that thing ran. And it suddenly restarted Slack in the middle of someone’s conversation.
Ryan: Yeah. Yeah. Oh man, sometimes those brute force methods are so tempting and sometimes they’re necessary to just do and get it done. But yeah, I’ve done the same thing, messing with the command runner, like how can I change, what have I tried… By going in and like changing the owner group of Slack to another group, and then adding the users on the system, all sorts of stuff that should work. So yeah, that’s a good idea. We’ll have to put that on the JumpCloud lounge, which by the way, the JumpCloud lounge, if any of you listeners are JumpCloud admins, is a great place to go. There’s some really smart people in there.
Brian: Yeah. I will concur. There are some incredibly smart people in there and everyone’s really looking to make the product better and help everybody else. It’s a really good community. I can highly recommend it.
Ryan: Yeah. So there’s a nice little natural plug for that. So going back to admins, I mean, you’re a managed service provider, and so that means you have a lot of various clients, not all of them, that you have physical access to all the time. So, I mean, you touched on it earlier with having some that have their own stricter security frameworks and everything like that. So how do you approach the topic of administrative rights with clients and negotiate it with them?
Approaching the Topic of Admin Rights With Clients
Brian: Yeah. It’s interesting because the conversation really can come from the complete either end of the spectrum. It can come from a conversation of let’s talk about the dangers of users having administrative rights all the time. And let’s talk about what the particular environment, this potential client or existing client is in, and then figure out a balance between their functionality because you’re going to break a little functionality if you’ve knocked someone down to a standard user. But also, the risk versus reward. You’ve got to do a little cost/benefit, work on that. And some of my clients are okay with the risk of a local user being an administrator or constant administrator because they’re in sectors of business where they don’t have to necessarily meet the security criteria that a different business would.
Now, they understand that it is inherently not best practice to do this, but they also understand that, I’m trying to get a great example, perhaps the information that this one user is dealing with on a laptop and their local administrator…maybe that information is just like lunch orders or something like this. And so, the information doesn’t need to be so well protected. And so they can step back from the security line a little bit. Now, I can hear right now, every security engineer on the planet that happens to be listening to this, is just yelling at me going, you’re an idiot because all it takes is that one user, even if it’s an admin or an intern, that’s just doing coffee orders to get something on their machine, through the abuse of administrative privileges and then the whole thing’s shot.
And I completely understand that, but the conversation isn’t necessarily about the pitfalls of this bad system that users have to have administrative privileges sometimes, it’s not about that. It’s more about how do I approach these topics with potential clients. And I mean, honestly, there’s been a few people that I’ve worked with where they just flat out said no. And they said, I want to be a local admin. This laptop that I got, I set it up myself. I’m a local admin on it, and that’s the way it’s going to be. I’m like, alright, cool. I mean, that’s your decision and let’s go with it. The other side of the spectrum is someone who has some very rigid security policies, security framework, that they have to adhere to. Either because it’s mandated on them like in a financial sector or healthcare or something like that, or they’ve just developed it in-house and that’s the kind of shop they want to run.
I’ve seen software development shops, especially in the last 10 years have gotten really, really rigid with their security practices because there’s so much potential for downtime and lost revenue – if you have either your IP stolen or you have some terrible thing come into your network because of abuse of administrative privileges. So like I said, depending upon the environment and the place that this client is in, you can work from either side. You can see that some are naturally going to start with, “I’m going to be an administrator and you’ve got to convince me otherwise,” and then some are going to start with, “no one can even say the word administrator and how do we make the enterprise run?”. And there’s a balance somewhere in the middle of it. I find that if there’s any sort of pushback, the pushback from someone that says, I’m an administrator and you can’t take that away, I can usually work that conversation until they can see, you know what, this isn’t a great idea after all, it’s a little bit more dangerous than I want to live with.
There’s the other side, it’s the guys that are… “You can’t say the administrator word”. And when I say, well, look, there’s just no way to make these things work easily, especially now in a 103% remote workforce, how do we come off that? And that’s a more difficult conversation. And that’s why earlier… I’m reaching out to you guys at Slack, man, you got to fix this… you’ve got to help me with this. So yeah, it really depends upon the organization, the sector they’re in, the management that’s there. There’s a lot of moving pieces, a lot of factors, but I think overall I’m seeing a trend where more and more people are realizing that administrative privileges are dangerous. They’re inherently dangerous.
And the concept of controlling that seems to be more and more understood and more and more adopted. And I think that the progression that macOS has taken in the last five years, like you say, Mojave, Catalina, and now Big Sur, has eased people into this idea of constantly having to prove that you are who you say you are, when you’re trying to make a change, or maybe you just can’t even make a change. I think also Windows 10 really made a big difference for the Windows footprint. And I can’t believe Windows 10 is as old as it is now. But it really did get the same feeling of there’s going to be user space. There’s going to be administrative only space. And there is a definite wall between those. It made that more digestible and it was a much easier adjustment for Windows users going to 10, in my opinion. And I mean, if you go back long enough, you’ll go back to the days of like, there was only one level of Windows user and that wasn’t administrator.
Ryan: Exactly. Oh man. Yeah. I think I could say, it’s weird when you bring up Windows and we talked about Windows, Mac, and stuff like that, where I used to be primarily a Windows person and that’s what I used. That’s what I administered and everything like that. But I’ve spent nearly three years now in a majority Mac environment. My daily driver for my work computer is Mac, and stuff like that. It’s weird that I’m more comfortable troubleshooting and working on Macs. And then when I have to face it, go to a Windows thing, I’m like, wait, how is this done again? But I agree, Windows 10 – it’s surprisingly good. And it also follows the old trope with Microsoft where every other release is a good release.
Brian: Oh my gosh. Yeah, for sure. And again, I don’t know why it’s sticking with me, I guess I was looking something up the other day, but Windows 10 also follows the old Microsoft trope of we’re not going to do anything big for maybe 15 years, right? And so when Windows 2030 comes out, whenever they’re going to release, it’s going to be a great thing I’m sure. But I think that if you were to take an enterprise, a corporate PC or a Mac user from maybe just 10 years ago, 15 years ago, and then suddenly time travel them to 2021 and show them what we’re working with, I think they’d be kind of shocked. I think there’d be a lot of questions about why is it always asking you for a password? What’s going on with this thing?
Ryan: It’s true. Like how can you deal with all of this interruption and constantly having to do this? But you look at when you put it into context, all the breaches, all the zero day attacks, everything like that, it really is necessary. And then it comes back to that saying that, I don’t like it, you could have it secure, or you could have it user-friendly, but you can’t have it both ways.
Brian: Yeah. I mean, it’s terrible phrasing, but it’s true. It really, really is. Right? And just to get philosophic, I guess, I didn’t even have this thought until now. I wonder if the real driver of culture at large getting used to the idea of security and a constant security presence came from smartphones.
Ryan: Yeah. Yeah. I can see that.
Brian: Because not only… I mean, we saw the progression of not smartphones – dumb phones to smartphones and the original smartphones had no biometric sensors in them, right? So you couldn’t do a fingerprint read on them. It was all a code – it was a four digit code at that. And over time, you started to see more and more advances because people’s lives began to live in their smartphones. And so today, with something like Face ID on a new iPhone and even eventually I guess the new Macs are going to do that, we got ushered into a more secure path just from the gadgets that we were using at the time.
Ryan: Yeah. Yeah. It’s interesting you brought that up because I actually worked for T-Mobile when the original iPhone launched. So I was working for T-Mobile in the era when Blackberries were really big and everything like that. So yeah, I can see where you’re coming from with that. It really was. Smartphones led to the explosion of social media and what I’ll just call convenience apps. So mobile banking, everything like that where your life is in this little device that you carry around in your pocket or purse, and if it gets compromised, then you’re in for a world of hurt.
Brian: Right. Right. I think we should ask this. We should do a little listener poll, which is scarier? The idea of losing your phone unlocked, so a magic way that your phone can just be looked at and it unlocks for whoever took it, or losing your wallet?
Ryan: I’ve thought about that, and I mean, for me it’s tough, but I would honestly probably say losing my phone would be worse.
Brian: I 100% agree.
Ryan: Because I could call and cancel credit cards, get a new driver’s license, all that sort of stuff. But the amount of damage that could be done, if somebody had an unlocked phone, I mean… And again, it’s going into how device security has changed, where there are still layers of it. Even if they get in there, they’ll either have to know my passwords or get past Face ID or something like that in order to get into the applications, and then MFA and everything like that. But then again, probably the biggest thing of losing the phone is that they may have access to my email. Outside of the main phone locking, you don’t need my Face ID to get into my email. And the phrase has been thrown around by our security here that email is the modern security battle space. If your email is breached, that’s the biggest problem that you’re going to have because everything’s tied into that.
Brian: Right. There’ve been a few great articles and a couple of really good podcast episodes on a security focused podcast, where they talked about the efforts that our government took to stop or degrade the IT infrastructure that a lot of these global terrorist operations were using to send a message to, propaganda, the works. And one of these articles was talking about a particular mission, where they were basically just going to wipe out the web presence of this organization in like one go. It started with, they got access to somebody’s email, and then from there it was just game on. And it wasn’t even like they got access to a phishing attempt. It sounds almost like someone stole a phone, like what you’re talking about, and they got access to his email.
And once they got access to his email, they could start resetting passwords because the password confirmation was going to go to that email. And once they got those passwords reset, then it was just, this led to this, led to this, led to this, led to this. And when I talk security with people, all the time I bring that up, I said, can you imagine a global organization that is highly focused and really wants to do, in this case, a very bad thing, but really focused on doing one thing, got taken down by one guy’s email account? And so, you’re right. I think if I would weigh the fear, I could take losing my wallet, no big deal. Right? Because what did you say, very first thing you do, you call with your phone to cancel your credit cards. And so, yeah.
I mean, it’s crazy, but yeah, I think that… To wrap it back around, we’re getting used to this idea of a more secure, but also more challenging world based upon our personal devices. And that’s been ushered into the computing environments we use as well. And so if we could just shore up some of these weird ends that make that experience less optimal than it should be and figure that out. I mean, I think that in a perfect world, there would be no reason for a user to ever need elevated privileges, just ever. But I mean, there obviously is. Today there is. So I would be super interested to hear what other people’s ideas and solutions are for this.
Ryan: Yeah, and honestly, I don’t think we’re that far away from it, because the device and app management workspace, I mean, it is such a friction point. It’s such a pain point for so many organizations and IT admins that it’s a huge market. So whoever does it and does it well, is going to come out on top. And I don’t want to make it sound like there are no solutions out there that don’t attempt it in various ways. We’ve mentioned SCCM, we’ve mentioned AutoPkg. Then there’s things like Munki and that sort of stuff, and Chocolatey for Windows, and VPP. But they’re all of these disparate things you need, one thing for Windows, you need one thing for Macs, one thing for Linux. I mean, it makes it so complicated and this is… I know that here at JumpCloud with our device management, we’re looking at tackling this, but at this time we don’t have the perfect solution out there, but it’s definitely an opportunity.
Brian: Yeah. I think it’s a huge opportunity. Yeah. And you’re right. Whoever does this and does it in a nice, easy to maintain, nice clean way, is going to be a hero to a lot of IT guys. I was going to say real quick: I remember, this could still be common practice in some other organizations. I don’t see it so much today as I did maybe five or six years ago, of provisioning duplicate accounts for everybody. So you’d have your normal standard user account, and then you’d have some sort of elevated account local on your laptop that you would use for these elevated actions.
Ryan: I haven’t seen that in ages.
Brian: Yeah. That used to be the way to go. But it was in my experience even more dangerous than what we talked about previously, because nine times out of 10, you just live life as an elevated account.
Ryan: Exactly. That’s exactly what I was going to say. And the first time I ever saw that, that was my first question, if you’re going to do this, what’s going to stop them from just using it all the time? And the answer was, nothing’s going to stop them. And most people do.
Brian: I think even the best idea like that just is not nearly good enough to overcome the laziness a person can have.
Ryan: Yeah. I mean, it’s also hard to blame the person for that laziness, because it’s more like, so putting myself in their shoes – it’s like, so you’re telling me I have these two accounts. And so one account I can do 90% of my job, or even 95% of my job. This other account, I can do 100% of my job. And you’re telling me that I need to go and use this 95% one most of the time until I hit that other 5% then I can’t do that.
Brian: Right. But it’ll be fine because I’ll just make the passwords the same for both accounts.
Ryan: Yes. And it’ll be a very poorly made password.
Brian: I mean, who’s to say that password123 isn’t a good password?
Ryan: ‘Password123!’, Oh man. Yeah. As long as I’ve been in IT… And honestly, even before I’ve been in IT, as long as I’ve been working a job that involved computers, this has been an issue and yeah, you’d think that after all of this time we would have a solution, but we don’t.
Brian: That’s true.
Ryan: At least not a good all encompassing solution.
Brian: Yeah. Yeah. I bet there’s probably one way, well, like we talked about earlier, I could address my grievances with Slack by just shoving a new install of Slack at everybody every other day. But that’s still a solution, it’s just not an all encompassing nor a great solution. And you could probably do weird things with application whitelisting and that Carbon Black kind of thing. If that’s even a thing anymore. It’s been a while since I looked at the Carbon Black stuff. And maybe you could say, well, these certain apps, you can let them be a little bit more privileged than these other things. And you can put Slack in that pile, but that doesn’t matter because either someone’s going to take advantage of the signature that you just made to allow us to do something and they’re going to make their malware do it. Or they’re going to not keep the thing updated. And you’re just constantly having to fight that fight.
Ryan: Right. Yeah. So I think that I do like your idea of putting something into the JumpCloud workspace. I think I’ll throw it on there after we’re done here and see what people have to say. And so, oh man, I’m interested. If we get enough responses, maybe we should do a follow-up episode, and talk about some of the ideas that we do there.
Brian: That would be great.
Ryan: Oh man. So is there anything else that you wanted to bring up with this, to talk about?
Brian: Yeah, as much as I was complaining, things are a lot better than they were just a few years ago. And one thing I guess I wanted to talk about real quick was, I shiver at the thought that this was a common practice at a few places I worked with, but I’ll just say these words: the installation instructions for this application started with first, disable Gatekeeper. And all the Mac admins out there are like, ah, and so I have to really put things in perspective and think back to when that was an actual thing that had to be done. And today that’s not a problem. I bet nine out of ten Mac users don’t even know what Gatekeeper is, which is great. That means it’s not been a problem. And the one that does is just because we’re talking about it right now. So I think that things are way better than they were before, and then maybe that’s why it’s interesting to talk about this is because we’re so close. We’re just so close.
Ryan: We are, we are. And I will say that, when we talk about those brute force methods and Gatekeeper, I have been sorely tempted so many times to just on that command runner script, put that little line at the beginning to be like, oh, disable Gatekeeper, install this, no prompt for the end-user. We’re good to go. But then I’m like, no, no, that is not the way to do it.
Brian: Yeah. That’s the angel and the devil on your shoulder, right? And the devil’s like, dude, I want to go home. And the angel’s like, no, stop, stop, stop. This will end up in destruction. You know this will end up in destruction.
Ryan: Yeah. You’re saving a little bit of headache now in exchange for a lot of headache later.
Brian: A whole lot more. Every time we had to do that, and thankfully I think the whole Gatekeeper issue with that one application was addressed pretty quickly. It wasn’t a long amount of time that these Macs were having to go through this unfortunate thing. But every time it happened, in the back of my mind, I always thought, I hope I’m not the one that has to have that really awkward conversation with either the CEO of the company or the security chief or something like that, where you have to say, yeah, that was my Mac that caused that problem, and I don’t have enough money in my checking account to pay the ransomware bounty. So we’re just going to have to call it even, and I’ll quietly walk out the door.
Ryan: Well, it’s interesting that you bring this up because one thing where my mind goes, I’m willing to play devil’s advocate in this remote work environment – if you have a truly distributed workforce, you’re using cloud platforms for your file shares for everything like that, you’re on a VPN that doesn’t have device discovery turned on – if one machine gets infected by ransomware, the chance of it spreading is a lot lower. And it’s not like when you were in the office and everything’s open and everything’s spread, so it’s like, if that’s the case, then where’s the harm in having everyone be an admin. And I’ll say that’s a dangerous conversation, but it’s something that may come up.
Brian: Yeah. Oh yeah, you’re right. I mean, I immediately went to the same conversation, the exact same scenario, you just replaced some of the parts and you can say, well, look, I got this chunk of plutonium here and this other one’s way, far away from the first chunk, and so we’re fine. Right? And everyone goes, yeah. But why do you have plutonium? Start with that question, right? You don’t need plutonium. So yeah, that’s a conversation and I bet more than not, IT admins all over the planet right now have had that conversation with management, when that balance of usability, functionality, and security, all collided with remote working and the management said, just make the stuff work. And the security guy said, this is not the way you need to do it.
Ryan: Yeah. And it comes down to… The answer really is because you don’t need it.
Brian: Right. That’s privileged.
Ryan: That’s really what it is. The practice of least privileges. If you don’t need it, you shouldn’t have it.
Brian: Right. It’s interesting to me too, because… Kind of end on this, I guess, the security threats that are out there, constantly changing, like you said before. Email has turned into the new battleground for some of these bigger security problems. And there’s a lot of technology that we talked about last time that’s trying to attack things from an analytical perspective. Let’s look at signatures, let’s look at applications, let’s look at behavioral stuff. Let’s figure out what the anomalous thing is, so that we can isolate it and deal with it. It’s an immune system sort of response. Let’s look at the outsider and figure out what it is and deal with it. But that’s by nature, always going to be reactionary. I mean, you can’t react on the threat until you see that there’s a threat.
You’d have to discover it in order for you to deal with it. And even if the discovery is just based on “that’s weird, dude”. That’s a weird thing, and no real threat scale after that, you still have to recognize it. Whereas, least permissions and restricting someone to only what they need to do to get the job done and not anything more than that and nothing that they can get themselves or anyone else hurt with, is a proactive thing you can do. And it’s one of the few proactive things we can do.
Ryan: Yeah. That is so true. You could ask my team I’ll rant on about this, how I want to get us into as much of a proactive position as possible. And yeah, that’s where you want to be because you’re stopping threats before they even occur.
Brian: Right. Right. And so, nine times out of ten, 99% of the time, these big problems that we read about and they’re getting more and more headlines, whether it was that recent problem with Exchange or whether it was the last breach that happened at oh gosh, Garmin, that Garmin breach from last year is still being talked about and still being felt. It’s always going to be some stupid system had more access than it should have, or some account had more access than it should have. I mean, I understand that there’s always going to be that fringe tier of super cool, dangerous state-sponsored hacking, where it didn’t matter whether you have an administrator or not, it’s a zero day that they found themselves, but that’s that thing, right? Talking about the world that most IT guys live in, it’s going to be someone or something took advantage of an abuse of privileges and it all went down from there.
So yeah, I mean, do the right thing, be proactive, and like we’re saying, come up with temporary workarounds, whether it’s a script or whether it’s temporarily granting someone the permissions they need to get it done and then immediately taking them away, do those things and try to encourage the application developers that you know. And if you have a friend that does code, if you have a family member that likes to write some software, tell them to figure out if their app can work without admin privileges. And if it can’t, don’t invite them to Christmas dinner until they get that thing fixed.
Closing Remarks
Ryan: There we go. Words of wisdom. That’s all the time that we have. Brian, as usual, it’s been a pleasure. I’m sure we’ll be talking to you again in the future. Thanks for coming on.
Brian: Yeah. I hope so. Yeah. Let’s see what the other people out there think. Maybe there’s an idea that is just waiting to happen, waiting to explode, and somebody out there in the workspace is going to say something about it. So, I’m looking forward to that.
Ryan: Yeah, me too. Alright. Well, have a great day.
Brian: Alright, thanks man. Bye.
Ryan: Bye! Thank you for tuning into Where’s the Any Key. If you like what you heard, please feel free to subscribe. Again, my name is Ryan Bacon. I lead IT at JumpCloud where the team here is building a cloud-based directory platform that provides frictionless, secure access to virtually any IT resource from trusted devices anywhere. You can learn more and even set up a free account today.