The concept of privilege identity management allows for the elevation of applications and operating system functions to authoritative users based on rules and policies. While the basic context of the user does not have permissions to perform these tasks, the rules and policies in place provide a vehicle for them to operate in a privileged environment. This ensures that only that application executes with the permissions required and the rest of the users’ profile remains intact.
Unfortunately, many processes will communicate with the file system in both a user and privileged state and try to make changes that are potentially undesirable. Consider elevating an application for installation that adds files to the Windows System32 directory or a malicious process the might want to alter the InetPub directory containing your website. Both inherently contribute to baseline drift and both could lead to further trouble and unnecessary risk if permitted. Rules within privilege identity solutions are designed to control applications from a specific directory, publisher, or hash. They do not monitor the file system for changes based on users or background processes; until now.
With the introduction of PowerBroker for Windows 6.0, which will be generally available in a few weeks, BeyondTrust is introducing a brand new module for File Integrity Monitoring. This brand new feature allows users to add Rules to the new (or existing deployments) that can monitor, alert, and deny changes to directories and files based on users and groups within an environment. Below is a screen shot for a sample rule:
These new rules can be hosted within Group Policy or Retina CS (more to come on this exciting new way to host policies via web services), and be distributed to clients automatically to monitor what happens to persistent storage.
For example, a simple two rule combination could allow the System (or a Service Account) to make changes to the Windows directory (and all sub directories) to allow a patching solution to operate correctly but deny any members of the Users or Administrators group the ability to alter files or directories. So even if an application is elevated, it has no permissions to make unwarranted changes. A second example could be just an alert on the InetPub directory. If the website was compromised, or unauthorized changes were made to web pages, you would receive an alert in the Retina CS Threat Management Console. In addition, the viewing of all File Integrity events and reports by Asset and Rule are also available for auditing and verifying (measuring) the effectiveness of this new tool. Below is a screen shot of this data in Retina CS:
Consider the ability to monitor and manage access to directories and files directly from within the solution. Now couple this with PowerBroker for Windows 6.0′s new Session Monitoring and you have an extremely effective tool for bringing the context of user activity into perspective within a single management console.
BeyondTrust is redefining traditional security.
PowerBroker for Windows is taking a massive leap forward with its capabilities to monitor privileged activity at every level. It is not just about elevating applications any more. It’s about what users are doing with those applications once they are elevated. We are confident this technology will change the way you think about user and asset access.