BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

A Use Case for File Integrity Monitoring within PowerBroker for Windows

Posted August 22, 2013    Jason Silva

As most of you are aware, PowerBroker for Windows v6 introduced File Integrity Monitoring (FIM) into the software.  For those of you who did not know this, FIM allows an Admin to specify protections over files/folders so these assets can only be modified by certain users or service accounts.  It also protects against renaming the file, which leads me to the point of this post.

Occasionally a process needs to be elevated that exists in a location your end-users can overwrite.  With a publisher rule this is OK, because if the user changed the process but gave it the same name as what existed, the publisher or hash rule wouldn’t apply.  But often times, files that get put into these locations are not signed, so a publisher rule won’t work, and hash rules can be inconvenient because you have to change them every time the file gets updated for reasons like say, a version change.  So up to now, the necessity is to build a path rule on it.  This means PowerBroker for Windows would elevate the process so long as it was in this path and had ‘this’ as a filename.  The problem here is; If a malicious user wanted to, and they had the rights, they could (as stated above) replace the would be elevated application with something else, give it the same name as what was being elevated and carry out their devious plans.

But, fear not, for we have a solution: Place a FIM policy on the file.  This prevents the user from deleting, replacing, or even renaming the file, but the Privilege Elevation rule still works because they still have Read/Execute rights to it.

So the uneasiness of elevating something like a local script, for instance, where the user has control of what actually gets executed is now removed. This is a unique feature of the PowerBroker for Windows software, and one I know PBUsers will be able to make great use of.

FIMScreenPolicy_1_shadow FIMScreenRename_2_shadow

Tags:
, , , ,

Leave a Reply

Additional articles

PowerBroker for Unix & Linux helps prevent Shellshock

Posted September 25, 2014    Paul Harper

Like many other people who tinker with UNIX and Linux on a regular basis, BASH has always been my shell of choice.  Dating back to the early days moving from Windows to a non-Windows platform, mapping the keys correctly to allow easy navigation and control helped ensure an explosion of use for the shell. Unfortunately,…

Bash “Shellshock” Vulnerability – Retina Updates

Posted September 24, 2014    BeyondTrust Research Team

A major vulnerability was recently discovered within bash which allows arbitrary command execution via specially crafted environment variables. This is possible due to the fact that bash supports the assignment of shell functions to shell variables. When bash parses environment shell functions, it continues parsing even after the closing brace of the function definition. If…

pbps-blog3

7 Reasons Customers Switch to Password Safe for Privileged Password Management

Posted September 24, 2014    Chris Burd

It’s clear that privileged password management tools are essential for keeping mission-critical data, servers and assets safe and secure. However, as I discussed in my previous post, there are several pitfalls to look out for when deploying a privileged password management solution. At this point, you may be wondering how BeyondTrust stacks up. With that,…

Tags:
, , , , ,