Security in Context: The BeyondTrust Blog

Privilege Identity Management – A Help Desk Perspective

Posted October 12, 2012    Morey Haber

Help desk technicians within a company are the first line of defense for a new project or system problem. Most of the time, they are informed and trained that users will be getting a new piece of security software. The solution, in this case, is called Privileged Identity Management (PIM) and is designed to manage authenticated permissions on users' workstations. The technology provides administrative rights to the applications and operating system features that require administrative privileges, and allows users' normal daily job functions to occur as a standard user.



The most frequent questions we hear at BeyondTrust from help desk technicians are “Why are you removing administrator permissions from the end users?” and “How will I support these users when things do not operate like before?” The answers to these are very simple. For an end user, administrative permissions are designed to give complete and unrestricted control of the operating system and applications. In reality, only a subset is ever needed, and the excessive permissions can open a gaping security hole for malware, configuration issues, and advanced persistent threats. Unfortunately, as a help desk technician, you experience these problems all too often. As the solution is deployed, your clients will begin to log in as a standard user, and the PIM solution will give them administrative authority over the applications and operating system features they need for daily operations. Your role as a help desk technician will be to assist where the escalation rules are missing (or not working) to cover functions that users need for daily business operations.

It is important to understand that there are several reasons your organization is adopting the solution. First, like many businesses, commercial and government entities have regulatory controls that stipulate security controls on sensitive data, personal information, and applications. Your business is no different. Auditors may periodically visit your business to review security procedures and policies and to verify that employees and contractors do not have excessive access to systems and data. Tools like PowerBroker satisfy their requirements by placing a control on permissions while allowing elevation of privileges to personnel when appropriate.

One other consideration is directly related to security and malware. Malware is a superset term that encompasses all forms of malicious programs, from viruses, spyware, and ransomware all the way through Advanced Persistent Threats (APT). Statistics show that a very large portion of malware infects computers simply because the user has administrative access to the host. If this access is removed, the malware and its infection are thwarted. For help desk technicians, this burden on your daily support calls should be significantly reduced by the removal of administrative privileges from your clients. As you have seen, antivirus solutions alone are not up to the latest challenges. To mitigate these threats, the most common denominator for malware is being restricted: its ability to access administrator privileges on the workstations you support.

As with any technology rollout, there are bound to be a few bumps along the way. Remember when you had your first look at the latest version of Windows? Finding where common functions were located was frustrating to many, but it only took a little while to realize it was the same thing in a different location. PIM is the same way. Your clients' programs and applications will operate the same way, but in some circumstances may request that the end user complete a quick text box explaining why they are using a program or operating system feature. This may sound like an unnecessary step, but if they are installing software or administering a phone system or database, management and auditors tend to want to know when and why. These are all part of security best practices and regulatory compliance.

One of the common complaints you will receive is that some programs (and operating system features) that worked before no longer function. This is the bump in the road that you, as a help desk technician, will need to resolve. These may be applications that require administrative permissions to run and for which rules have yet to be created, or applications that have been explicitly denied from operating due to their inherent risk or the potential threat they represent to the organization. A simple discussion with the end user, justification for the application or feature, and following established procedures for information technology administrators to create a rule will rectify this type of problem. If the application is rarely used, or needed one time only, then the Challenge Response Passcode feature of PowerBroker for Windows can provide temporary relief until decisions about a permanent rule are made.

All in all, this project is designed to increase the security of desktops and servers, prohibit common malware from infecting assets, aid in regulatory compliance, and track when sensitive applications are being executed throughout your organization. The process involves changing the way end users log in to their computers but is designed to not affect daily job functions. If anything, you will notice end users will have systems that run better because common flaws that can occur when running as an administrator will simply be avoided.

Securing privileges is crucial to the security and operational well-being of your organization. It is being implemented to provide a safer, more standardized computing environment that can be managed better by the help desk, administrators, and information technology teams. The help desk is crucial in making this type of project a success and in realizing the benefits it offers. For more information, please visit BeyondTrust.
