BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Group Policy Delegation and PowerBroker Desktops

Posted November 10, 2011    Peter McCalister

Group Policy provides powerful controls over desktop configuration, and it includes full delegation capabilities to allow network administrators to delegate Group Policy configuration tasks to others. Since Group Policy has so many powerful capabilities, it is critical to delegate certain tasks to other network administrators, without giving them Domain Admin rights or full edit rights over the entire Group Policy Object (GPO).

PowerBroker Desktops is implemented as a Group Policy extension, and management of PowerBroker Desktops can be delegated to specific individuals, without giving them full edit rights over the entire GPO and all of its settings. To do this, you simply need to deploy Group Policy settings to the users who will be managing PowerBroker Desktops settings. First, you will need to delegate access to the GPO itself to give a user edit rights. This is done on the Delegation tab inside of the Group Policy Management Console as shown below.

shot1

Once you have given the user the ability to edit the GPO, you can restrict the views that the user has inside of the GPO by disabling settings within the Administrative Templates of the Group Policy that will be applied to the delegated user. These settings will restrict what the user can see when editing a GPO. This is important because if a user has full edit rights to a GPO, they can change any setting within it. To restrict the Group Policy Editor, simply disable the following settings, found in the following location: User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions

Once the delegated user has received these policy settings, they will only be able to edit PowerBroker Desktops policy, assuming that the PowerBroker Desktops snap-in extension has been installed on their machine.

Alternatively, you may wish to prevent other network administrators from changing PowerBroker Desktop settings. In this case, you can disable the settings that display the PowerBroker Desktop snap-in extension. These can be found in the following location inside the Group Policy: User Configuration\Administrative Templates\BeyondTrust\PBWD\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions

Once configured, network administrators who have access to GPOs with PowerBroker Desktops policies within them will not be able to view or edit the policies, but they will still be able to manage native Group Policy settings.

Leave a Reply

Additional articles

How To Implement The Australian Signals Directorate’s Top 4 Strategies

Posted October 20, 2014    Morey Haber

The Australian Signals Directorate (ASD), also known as the Defence Signals Directorate, has developed a list of strategies to mitigate targeted cyber intrusions. The recommended strategies were developed through ASD’s extensive experience in operational cyber security, including responding to serious security intrusions and performing vulnerability assessments and penetration testing for Australian government agencies. These recommendations…

Tags:
, , , ,
asp-mvc

Exploiting MS14-059 because sometimes XSS is fun, sometimes…

Posted October 17, 2014    BeyondTrust Research Team

This October, Microsoft has provided a security update for System.Web.Mvc.dll which addresses a ‘Security Feature Bypass’. The vulnerability itself is in ASP.NET MVC technology and given its wide adoption we thought we would take a closer look. Referring to the bulletin we can glean a few useful pieces of information: “A cross-site scripting (XSS) vulnerability exists…

Tags:
4bestpracticesaudits-blog

Four Best Practices for Passing Privileged Account Audits

Posted October 16, 2014    Chris Burd

Like most IT organizations, your team may periodically face the “dreaded” task of being audited. Your process for delegating privileged access to desktops, servers, and infrastructure devices is a massive target for the auditor’s microscope. An audit’s findings can have significant implications on technology and business strategy, so it’s critical to make sure you’re prepared…

Tags:
, , , ,