BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Organizing your PowerBroker Desktops Rules

Posted October 20, 2012    Peter McCalister

When tackling a project to remove administrator privileges from users, it is critical to understand what applications and tasks will be impacted. Some things just break or won’t function properly when users are no longer administrators. Of course, PowerBroker Desktops is designed to elevate those apps and tasks that require administrator privileges so that there is no impact on end user productivity. PowerBroker Desktops has the ability to automatically discover apps in your environment that require administrator privileges so that most of the work is done for you. During the audit, you may discover dozens of apps in your environment that require administrator privileges, but some apps may only be needed by certain departments or certain individuals. PowerBroker Desktops provides you with the most comprehensive organization capabilities to simplify the management of your rule set, and make it as easy and intuitive as managing the Windows file system.

There are several different ways to organize your policies, and due to the capabilities that PowerBroker Desktops provides, the sky is the limit on how you decide to organize your rules. In this blog post, I’ll discuss several common ways of organizing your rules.
One way to organize your rules in a flat format. All the rules are simply placed in in one Group Policy Object (GPO), linked at a high level in Active Directory (AD) and applied to everyone in the organization.

You can still use Item-Level Targeting to filter the rules to groups of users based on a number of different criteria like IP Address Range, Site, OU, hardware profile, etc. Item-Level Targeting can be applied to Collections and to individual rules as well.

The downside to this design is that it is difficult to find rules in what could be a lengthy list, and it is also makes it hard to figure out just who is getting what rules.

A better way is to use Collections to organize your rules, much like you use folders to organize your files in Windows. You can use Collections to organize your rules based on what you want them to do. To do this, you simply select the action when you configure your collection.

You can do this for each action you wish to implement, and all of the rules that you place into the collections will inherit the action from its collection.

You can take Collections even further by organizing by Role and then by Action.

collections, no action is enforced, it is simply a folder, but in the second level of collections, actions do get enforced. So, in this example, the “Sales” collection is a container that sets no action and the second level folders, like “Elevate” would enforce an action. All rules placed in the second level folder would inherit the action specified at its collection level.

Additionally, you will want to apply Item-Level Targeting at the first level collection, like “Sales” to target all child Collections and Rules to the Sales Group.

You can go even further with Collections, because there is no limit to how many Collections you can nest. Take a look at this screenshot where I am organizing based on Location, then by Role, then by Action, then by type of application:

Keep in mind that all of the Collections and rules can have Item-Level Targeting applied so that no matter complex your environment is currently organized, PowerBroker can fit.

As I mentioned earlier, the sky is the limit. With the unique organizational capabilities that Collections, Actions, and Item-Level Targeting provide, PowerBroker Desktops makes managing even the largest sets of rules easy.

Tags:
,

Leave a Reply

Additional articles

smart-rules-manager-assets

Where Passive Scanning Falls Short

Posted July 11, 2014    Morey Haber

In many sports, as in business, teams will promote a strategy to gain an edge – even if the concept is possibly flawed. Consider an American football hurry-up offense: will it cause the defense to stumble, or will it just exhaust the offense? The play has potential pros and cons, and many strategic technologies are…

Tags:
, , , , , , ,

Retina Vulnerability Audits – July 2014 Patch Tuesday

Posted July 9, 2014    BeyondTrust Research Team

The following is a list of Retina vulnerability audits for this July 2014 Patch Tuesday: MS14-037 - Cumulative Security Update for Internet Explorer (2975687) 34517 – Microsoft Internet Explorer Cumulative Security Update (2975687) MS14-038 - Vulnerability in Windows Journal Could Allow Remote Code Execution (2975689) 34518 – Microsoft Windows Journal (2975789) MS14-039 - Vulnerability in On-Screen Keyboard Could Allow…

patch-tuesday

July 2014 Patch Tuesday

Posted July 8, 2014    BeyondTrust Research Team

This July Microsoft has released six security bulletins which account for over 29 unique vulnerabilities. The most critical bulletins are MS14-037 (Internet Explorer), MS14-038 (Windows Journal)  and MS14-040 (Windows AFD). MS14-037 starts things off with another massive Internet Explorer update on the heels of MS14-035 from last month. This new Internet Explorer bulletin covers over…

Tags:
, ,