BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

A Use Case for File Integrity Monitoring within PowerBroker for Windows

Posted August 22, 2013    Jason Silva

As most of you are aware, PowerBroker for Windows v6 introduced File Integrity Monitoring (FIM) into the software.  For those of you who did not know this, FIM allows an Admin to specify protections over files/folders so these assets can only be modified by certain users or service accounts.  It also protects against renaming the file, which leads me to the point of this post.

Occasionally a process needs to be elevated that exists in a location your end-users can overwrite.  With a publisher rule this is OK, because if the user changed the process but gave it the same name as what existed, the publisher or hash rule wouldn’t apply.  But often times, files that get put into these locations are not signed, so a publisher rule won’t work, and hash rules can be inconvenient because you have to change them every time the file gets updated for reasons like say, a version change.  So up to now, the necessity is to build a path rule on it.  This means PowerBroker for Windows would elevate the process so long as it was in this path and had ‘this’ as a filename.  The problem here is; If a malicious user wanted to, and they had the rights, they could (as stated above) replace the would be elevated application with something else, give it the same name as what was being elevated and carry out their devious plans.

But, fear not, for we have a solution: Place a FIM policy on the file.  This prevents the user from deleting, replacing, or even renaming the file, but the Privilege Elevation rule still works because they still have Read/Execute rights to it.

So the uneasiness of elevating something like a local script, for instance, where the user has control of what actually gets executed is now removed. This is a unique feature of the PowerBroker for Windows software, and one I know PBUsers will be able to make great use of.

FIMScreenPolicy_1_shadow FIMScreenRename_2_shadow

Tags:
, , , ,

Leave a Reply

One Response to “A Use Case for File Integrity Monitoring within PowerBroker for Windows”

  1. Abhi Kumar

    Nice piece of information on file integrity monitoring.Great post!!

    October 20, 2014 3:05:04, Reply

Additional articles

VMware Hardening Guidelines-img3

How to Audit VMware ESX and ESXi Servers Against the VMware Hardening Guidelines with Retina CS

Posted February 27, 2015    BeyondTrust Research Team

Retina CS Enterprise Vulnerability Management has included advanced VMware auditing capabilities for some time, including virtual machine discovery and scanning through a cloud connection, plus the ability to scan ESX and ESXi hosts using SSH. However, in response to recent security concerns associated with SSH, VMware has disabled SSH by default in its more recent…

Tags:
, , , ,
dave-shackleford-headshot

Privileged Passwords: The Bane of Security Professionals Everywhere

Posted February 19, 2015    Dave Shackleford

Passwords have been with us since ancient times. Known as “watchwords”, ancient Roman military guards would pass a wooden tablet with a daily secret word engraved from one shift to the next, with each guard position marking the tablet to indicate it had been received. The military has been using passwords, counter-passwords, and even sound…

Tags:
, , ,
Privileged Account Management Process

In Vulnerability Management, Process is King

Posted February 18, 2015    Morey Haber

You have a vulnerability scanner, but where’s your process? Most organizations are rightly concerned about possible vulnerabilities in their systems, applications, networked devices, and other digital assets and infrastructure components. Identifying vulnerabilities is indeed important, and most security professionals have some kind of scanning solution in place. But what is most essential to understand is…

Tags:
, , , , ,