BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

The Integrity of Files and Privileged Identity Management

Posted May 27, 2013    Morey Haber

The concept of privilege identity management allows for the elevation of applications and operating system functions to authoritative users based on rules and policies. While the basic context of the user does not have permissions to perform these tasks, the rules and policies in place provide a vehicle for them to operate in a privileged environment. This ensures that only that application executes with the permissions required and the rest of the users’ profile remains intact.

Unfortunately, many processes will communicate with the file system in both a user and privileged state and try to make changes that are potentially undesirable. Consider elevating an application for installation that adds files to the Windows System32 directory or a malicious process the might want to alter the InetPub directory containing your website. Both inherently contribute to baseline drift and both could lead to further trouble and unnecessary risk if permitted. Rules within privilege identity solutions are designed to control applications from a specific directory, publisher, or hash. They do not monitor the file system for changes based on users or background processes; until now.

With the introduction of PowerBroker for Windows 6.0, which will be generally available in a few weeks, BeyondTrust is introducing a brand new module for File Integrity Monitoring. This brand new feature allows users to add Rules to the new (or existing deployments) that can monitor, alert, and deny changes to directories and files based on users and groups within an environment. Below is a screen shot for a sample rule:

PIM-DefaultCricklewood

These new rules can be hosted within Group Policy or Retina CS (more to come on this exciting new way to host policies via web services), and be distributed to clients automatically to monitor what happens to persistent storage.

For example, a simple two rule combination could allow the System (or a Service Account) to make changes to the Windows directory (and all sub directories) to allow a patching solution to operate correctly but deny any members of the Users or Administrators group the ability to alter files or directories. So even if an application is elevated, it has no permissions to make unwarranted changes. A second example could be just an alert on the InetPub directory. If the website was compromised, or unauthorized changes were made to web pages, you would receive an alert in the Retina CS Threat Management Console. In addition, the viewing of all File Integrity events and reports by Asset and Rule are also available for auditing and verifying (measuring) the effectiveness of this new tool. Below is a screen shot of this data in Retina CS:

RetinaCS-data

Consider the ability to monitor and manage access to directories and files directly from within the solution. Now couple this with PowerBroker for Windows 6.0’s new Session Monitoring and you have an extremely effective tool for bringing the context of user activity into perspective within a single management console.

BeyondTrust is redefining traditional security.

PowerBroker for Windows is taking a massive leap forward with its capabilities to monitor privileged activity at every level. It is not just about elevating applications any more. It’s about what users are doing with those applications once they are elevated. We are confident this technology will change the way you think about user and asset access.

Launch a free evaluation trial now.

Tags:
, , , , ,

Additional articles

PowerBroker for Unix & Linux helps prevent Shellshock

Posted September 25, 2014    Paul Harper

Like many other people who tinker with UNIX and Linux on a regular basis, BASH has always been my shell of choice.  Dating back to the early days moving from Windows to a non-Windows platform, mapping the keys correctly to allow easy navigation and control helped ensure an explosion of use for the shell. Unfortunately,…

Bash “Shellshock” Vulnerability – Retina Updates

Posted September 24, 2014    BeyondTrust Research Team

A major vulnerability was recently discovered within bash which allows arbitrary command execution via specially crafted environment variables. This is possible due to the fact that bash supports the assignment of shell functions to shell variables. When bash parses environment shell functions, it continues parsing even after the closing brace of the function definition. If…

pbps-blog3

7 Reasons Customers Switch to Password Safe for Privileged Password Management

Posted September 24, 2014    Chris Burd

It’s clear that privileged password management tools are essential for keeping mission-critical data, servers and assets safe and secure. However, as I discussed in my previous post, there are several pitfalls to look out for when deploying a privileged password management solution. At this point, you may be wondering how BeyondTrust stacks up. With that,…

Tags:
, , , , ,