BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

A Use Case for File Integrity Monitoring within PowerBroker for Windows

Posted August 22, 2013    Jason Silva

As most of you are aware, PowerBroker for Windows v6 introduced File Integrity Monitoring (FIM) into the software.  For those of you who did not know this, FIM allows an Admin to specify protections over files/folders so these assets can only be modified by certain users or service accounts.  It also protects against renaming the file, which leads me to the point of this post.

Occasionally a process needs to be elevated that exists in a location your end-users can overwrite.  With a publisher rule this is OK, because if the user changed the process but gave it the same name as what existed, the publisher or hash rule wouldn’t apply.  But often times, files that get put into these locations are not signed, so a publisher rule won’t work, and hash rules can be inconvenient because you have to change them every time the file gets updated for reasons like say, a version change.  So up to now, the necessity is to build a path rule on it.  This means PowerBroker for Windows would elevate the process so long as it was in this path and had ‘this’ as a filename.  The problem here is; If a malicious user wanted to, and they had the rights, they could (as stated above) replace the would be elevated application with something else, give it the same name as what was being elevated and carry out their devious plans.

But, fear not, for we have a solution: Place a FIM policy on the file.  This prevents the user from deleting, replacing, or even renaming the file, but the Privilege Elevation rule still works because they still have Read/Execute rights to it.

So the uneasiness of elevating something like a local script, for instance, where the user has control of what actually gets executed is now removed. This is a unique feature of the PowerBroker for Windows software, and one I know PBUsers will be able to make great use of.

FIMScreenPolicy_1_shadow FIMScreenRename_2_shadow

Tags:
, , , ,

Leave a Reply

One Response to “A Use Case for File Integrity Monitoring within PowerBroker for Windows”

  1. Abhi Kumar

    Nice piece of information on file integrity monitoring.Great post!!

    October 20, 2014 3:05:04, Reply

Additional articles

ovum-research

New Analyst SWOT Assessment Identifies Key Strengths of PowerBroker

Posted November 24, 2014    Scott Lang

Following on the heels of the Gartner PAM market guide and Frost & Sullivan review of Password Safe comes a new analyst review of our BeyondInsight and PowerBroker platforms, a SWOT assessment of BeyondTrust written by Ovum. Ovum’s honest and thorough review of BeyondTrust indicates that we are delivering, “…an integrated, one-stop approach to PAM….

Tags:
, , ,

Patented Windows privilege management brings you unmatched benefits

Posted November 24, 2014    Scott Lang

We are pleased to announce that BeyondTrust has been granted a new U.S. Patent (No. 8,850,549) for privilege management, validating our approach to helping our customers achieve least privilege in Windows environments. The methods and systems that we employ for controlling access to resources and privileges per process are unique to BeyondTrust PowerBroker for Windows….

Tags:
6

A Quick Look at MS14-068

Posted November 20, 2014    BeyondTrust Research Team

Microsoft recently released an out of band patch for Kerberos.  Taking a look at the Microsoft security bulletin, it seems like there is some kind of issue with Kerberos signatures related to tickets. Further information is available in the Microsoft SRD Blogpost So it looks like there is an issue with PAC signatures.  But what…

Tags:
, , , ,