BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

The Integrity of Files and Privileged Identity Management

Posted May 27, 2013    Morey Haber

The concept of privilege identity management allows for the elevation of applications and operating system functions to authoritative users based on rules and policies. While the basic context of the user does not have permissions to perform these tasks, the rules and policies in place provide a vehicle for them to operate in a privileged environment. This ensures that only that application executes with the permissions required and the rest of the users’ profile remains intact.

Unfortunately, many processes will communicate with the file system in both a user and privileged state and try to make changes that are potentially undesirable. Consider elevating an application for installation that adds files to the Windows System32 directory or a malicious process the might want to alter the InetPub directory containing your website. Both inherently contribute to baseline drift and both could lead to further trouble and unnecessary risk if permitted. Rules within privilege identity solutions are designed to control applications from a specific directory, publisher, or hash. They do not monitor the file system for changes based on users or background processes; until now.

With the introduction of PowerBroker for Windows 6.0, which will be generally available in a few weeks, BeyondTrust is introducing a brand new module for File Integrity Monitoring. This brand new feature allows users to add Rules to the new (or existing deployments) that can monitor, alert, and deny changes to directories and files based on users and groups within an environment. Below is a screen shot for a sample rule:

PIM-DefaultCricklewood

These new rules can be hosted within Group Policy or Retina CS (more to come on this exciting new way to host policies via web services), and be distributed to clients automatically to monitor what happens to persistent storage.

For example, a simple two rule combination could allow the System (or a Service Account) to make changes to the Windows directory (and all sub directories) to allow a patching solution to operate correctly but deny any members of the Users or Administrators group the ability to alter files or directories. So even if an application is elevated, it has no permissions to make unwarranted changes. A second example could be just an alert on the InetPub directory. If the website was compromised, or unauthorized changes were made to web pages, you would receive an alert in the Retina CS Threat Management Console. In addition, the viewing of all File Integrity events and reports by Asset and Rule are also available for auditing and verifying (measuring) the effectiveness of this new tool. Below is a screen shot of this data in Retina CS:

RetinaCS-data

Consider the ability to monitor and manage access to directories and files directly from within the solution. Now couple this with PowerBroker for Windows 6.0’s new Session Monitoring and you have an extremely effective tool for bringing the context of user activity into perspective within a single management console.

BeyondTrust is redefining traditional security.

PowerBroker for Windows is taking a massive leap forward with its capabilities to monitor privileged activity at every level. It is not just about elevating applications any more. It’s about what users are doing with those applications once they are elevated. We are confident this technology will change the way you think about user and asset access.

Launch a free evaluation trial now.

Tags:
, , , , ,

Additional articles

Patented Windows privilege management brings you unmatched benefits

Posted November 24, 2014    Scott Lang

We are pleased to announce that BeyondTrust has been granted a new U.S. Patent (No. 8,850,549) for privilege management, validating our approach to helping our customers achieve least privilege in Windows environments. The methods and systems that we employ for controlling access to resources and privileges per process are unique to BeyondTrust PowerBroker for Windows….

Tags:
6

A Quick Look at MS14-068

Posted November 20, 2014    BeyondTrust Research Team

Microsoft recently released an out of band patch for Kerberos.  Taking a look at the Microsoft security bulletin, it seems like there is some kind of issue with Kerberos signatures related to tickets. Further information is available in the Microsoft SRD Blogpost So it looks like there is an issue with PAC signatures.  But what…

Tags:
, , , ,
Password Game Show

Managing Shared Accounts for Privileged Users: 5 Best Practices for Achieving Control and Accountability

Posted November 20, 2014    Scott Lang

How do organizations ensure accountability of shared privileged accounts to meet compliance and security requirements without impacting administrator productivity? Consider these five best practices…

Tags:
, , , , , ,