BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

A Use Case for File Integrity Monitoring within PowerBroker for Windows

Posted August 22, 2013    Jason Silva

As most of you are aware, PowerBroker for Windows v6 introduced File Integrity Monitoring (FIM) into the software.  For those of you who did not know this, FIM allows an Admin to specify protections over files/folders so these assets can only be modified by certain users or service accounts.  It also protects against renaming the file, which leads me to the point of this post.

Occasionally a process needs to be elevated that exists in a location your end-users can overwrite.  With a publisher rule this is OK, because if the user changed the process but gave it the same name as what existed, the publisher or hash rule wouldn’t apply.  But often times, files that get put into these locations are not signed, so a publisher rule won’t work, and hash rules can be inconvenient because you have to change them every time the file gets updated for reasons like say, a version change.  So up to now, the necessity is to build a path rule on it.  This means PowerBroker for Windows would elevate the process so long as it was in this path and had ‘this’ as a filename.  The problem here is; If a malicious user wanted to, and they had the rights, they could (as stated above) replace the would be elevated application with something else, give it the same name as what was being elevated and carry out their devious plans.

But, fear not, for we have a solution: Place a FIM policy on the file.  This prevents the user from deleting, replacing, or even renaming the file, but the Privilege Elevation rule still works because they still have Read/Execute rights to it.

So the uneasiness of elevating something like a local script, for instance, where the user has control of what actually gets executed is now removed. This is a unique feature of the PowerBroker for Windows software, and one I know PBUsers will be able to make great use of.

FIMScreenPolicy_1_shadow FIMScreenRename_2_shadow

Tags:
, , , ,

Leave a Reply

Additional articles

Integrating Least Privilege and Password Management to Solve Account Security Challenges

Integrating Least Privilege and Password Management to Solve Account Security Challenges

Posted July 24, 2014    Morey Haber

There is a reason all BeyondTrust Privileged Account Management (PAM) solutions share the PowerBroker name: They all inherently enable you to reduce user-based risk and can be integrated under a centralized IT risk management platform. Here’s one common use case that demonstrates how this integration changes the playing field. Consider the challenge of privileged access:…

Tags:
, , , , ,
PowerBroker Password Safe Password Age Report

Reshaping Privileged Password Management with Password Safe 5.2

Posted July 21, 2014    Martin Cannard

Today, we’re pleased to unveil the latest edition of our privileged password management solution, PowerBroker Password Safe. I’ll start with a brief intro of what’s new and then tell you a little about the driving factors behind Password Safe development. New features for mitigating password risk and ensuring accountability enterprise-wide Here’s the 10,000-foot overview of…

Tags:
, , ,
PowerBroker for Windows tamper protection

PowerBroker for Windows 6.6 Tamper Protection

Posted July 18, 2014    Morey Haber

I have a bone to pick: Stopping an administrator from performing an action on a system is futile endeavor. As an administrator, there is always a way to circumvent a solution’s from tampered protection. Really! By default, Windows administrators have unrestricted access to the system – and even though an application, hardened configuration, or group policy…

Tags:
, ,