BeyondTrust

Security In Context

Bringing you news and commentary on solutions and strategies for protecting your critical IT infrastructure.

The Integrity of Files and Privileged Identity Management

Post by Morey Haber May 27, 2013

The concept of privilege identity management allows for the elevation of applications and operating system functions to authoritative users based on rules and policies. While the basic context of the user does not have permissions to perform these tasks, the rules and policies in place provide a vehicle for them to operate in a privileged environment. This ensures that only that application executes with the permissions required and the rest of the users’ profile remains intact.

Unfortunately, many processes will communicate with the file system in both a user and privileged state and try to make changes that are potentially undesirable. Consider elevating an application for installation that adds files to the Windows System32 directory or a malicious process the might want to alter the InetPub directory containing your website. Both inherently contribute to baseline drift and both could lead to further trouble and unnecessary risk if permitted. Rules within privilege identity solutions are designed to control applications from a specific directory, publisher, or hash. They do not monitor the file system for changes based on users or background processes; until now.

With the introduction of PowerBroker for Windows 6.0, which will be generally available in a few weeks, BeyondTrust is introducing a brand new module for File Integrity Monitoring. This brand new feature allows users to add Rules to the new (or existing deployments) that can monitor, alert, and deny changes to directories and files based on users and groups within an environment. Below is a screen shot for a sample rule:

PIM-DefaultCricklewood

These new rules can be hosted within Group Policy or Retina CS (more to come on this exciting new way to host policies via web services), and be distributed to clients automatically to monitor what happens to persistent storage.

For example, a simple two rule combination could allow the System (or a Service Account) to make changes to the Windows directory (and all sub directories) to allow a patching solution to operate correctly but deny any members of the Users or Administrators group the ability to alter files or directories. So even if an application is elevated, it has no permissions to make unwarranted changes. A second example could be just an alert on the InetPub directory. If the website was compromised, or unauthorized changes were made to web pages, you would receive an alert in the Retina CS Threat Management Console. In addition, the viewing of all File Integrity events and reports by Asset and Rule are also available for auditing and verifying (measuring) the effectiveness of this new tool. Below is a screen shot of this data in Retina CS:

RetinaCS-data

Consider the ability to monitor and manage access to directories and files directly from within the solution. Now couple this with PowerBroker for Windows 6.0′s new Session Monitoring and you have an extremely effective tool for bringing the context of user activity into perspective within a single management console.

BeyondTrust is redefining traditional security.

PowerBroker for Windows is taking a massive leap forward with its capabilities to monitor privileged activity at every level. It is not just about elevating applications any more. It’s about what users are doing with those applications once they are elevated. We are confident this technology will change the way you think about user and asset access.

Launch a free evaluation trial now.

Tags:
, , , , ,

Additional articles

BI-Qualys-Connector-IMG1

Getting More Value from QualysGuard Vulnerability Data with BeyondInsight v5.1

If your vulnerability assessment scans can’t produce meaningful and actionable reports, performing a scan does no good for anyone. If you’ve read my other blog posts, you know I have no qualms about stating that BeyondTrust provides the best vulnerability reporting in the industry. Ask your favorite analyst and they’ll tend to agree. Of course,…

Post by Morey Haber April 18, 2014
Tags:
, , , , , , , ,
insider-threat-fed

Mitigating Inside Threats to U.S. Federal IT Environments

Recent high-profile cases have increased the perceived risks that go along with disclosure and usage of confidential information. One of the most difficult security threats to mitigate is an attack from the inside. When an over-privileged user, such as an unhappy current or former employee, contractor, or consultant, begins navigating your network, how will you…

Post by BeyondTrust Software April 17, 2014
Tags:
, , , , ,

Are you a Target? Investigating Security Breaches with Kevin Johnson

Last week, over 1,000 IT security professionals watched as Kevin Johnson, CEO of Secure Ideas, presented his expert opinion on lessons learned from recent, high-profile retail breaches. Here’s a summary of key takeaways from the webcast plus an on-demand recording of the full, 60-minute presentation. Understanding the “why” behind attacks According to Kevin, the primary…

Post by Chris Burd April 17, 2014
Tags:
, , , , ,