BeyondTrust

Security In Context

Bringing you news and commentary on solutions and strategies for protecting your critical IT infrastructure.

The Integrity of Files and Privileged Identity Management

Post by Morey Haber May 27, 2013

The concept of privilege identity management allows for the elevation of applications and operating system functions to authoritative users based on rules and policies. While the basic context of the user does not have permissions to perform these tasks, the rules and policies in place provide a vehicle for them to operate in a privileged environment. This ensures that only that application executes with the permissions required and the rest of the users’ profile remains intact.

Unfortunately, many processes will communicate with the file system in both a user and privileged state and try to make changes that are potentially undesirable. Consider elevating an application for installation that adds files to the Windows System32 directory or a malicious process the might want to alter the InetPub directory containing your website. Both inherently contribute to baseline drift and both could lead to further trouble and unnecessary risk if permitted. Rules within privilege identity solutions are designed to control applications from a specific directory, publisher, or hash. They do not monitor the file system for changes based on users or background processes; until now.

With the introduction of PowerBroker for Windows 6.0, which will be generally available in a few weeks, BeyondTrust is introducing a brand new module for File Integrity Monitoring. This brand new feature allows users to add Rules to the new (or existing deployments) that can monitor, alert, and deny changes to directories and files based on users and groups within an environment. Below is a screen shot for a sample rule:

PIM-DefaultCricklewood

These new rules can be hosted within Group Policy or Retina CS (more to come on this exciting new way to host policies via web services), and be distributed to clients automatically to monitor what happens to persistent storage.

For example, a simple two rule combination could allow the System (or a Service Account) to make changes to the Windows directory (and all sub directories) to allow a patching solution to operate correctly but deny any members of the Users or Administrators group the ability to alter files or directories. So even if an application is elevated, it has no permissions to make unwarranted changes. A second example could be just an alert on the InetPub directory. If the website was compromised, or unauthorized changes were made to web pages, you would receive an alert in the Retina CS Threat Management Console. In addition, the viewing of all File Integrity events and reports by Asset and Rule are also available for auditing and verifying (measuring) the effectiveness of this new tool. Below is a screen shot of this data in Retina CS:

RetinaCS-data

Consider the ability to monitor and manage access to directories and files directly from within the solution. Now couple this with PowerBroker for Windows 6.0′s new Session Monitoring and you have an extremely effective tool for bringing the context of user activity into perspective within a single management console.

BeyondTrust is redefining traditional security.

PowerBroker for Windows is taking a massive leap forward with its capabilities to monitor privileged activity at every level. It is not just about elevating applications any more. It’s about what users are doing with those applications once they are elevated. We are confident this technology will change the way you think about user and asset access.

Launch a free evaluation trial now.

Tags:
, , , , ,

Additional articles

April VEF Participant Wins a Apple iPad mini

Every month we host our Vulnerability Expert Forum (VEF) webinar. This is a time where our experts share valuable insight regarding new vulnerabilities that are discovered and the actions that need to be taken as a result. It’s a quick way to get up to speed on current potential risks to your organization and a way to…

Post by Qui Cao April 24, 2014
smart rules manager for vulnerabilities - v2

A New Way of Looking at Vulnerabilities in Your Environment

Assets, users, vulnerabilities and exploits; all are common themes in my posts on BeyondInsight. With BeyondInsight v5.1, we unveiled a new way to view exploitable assets. Sure, most vulnerability management solutions link vulnerability data to exploit information, allowing tools like NeXpose and QualysGuard to list an asset, its vulnerabilities, and any related exploits. BeyondInsight does…

Post by Morey Haber April 23, 2014
Tags:
, , , , ,
smart rules manager for vulnerabilities

Staying on Top of the Latest Vulnerabilities with BeyondInsight v5.1

It’s no secret that dozens of new OS and application vulnerabilities are revealed every day. Staying on top of these new exposures normally requires paying for services or subscribing to multiple RSS feeds. BeyondInsight 5.1 provides customers with another option: a built-in, customizable vulnerability alerting system that delivers up-to-date information on the latest vulnerabilities in…

Post by Morey Haber April 21, 2014
Tags:
, , , , , ,