Securden Windows Privilege Manager is a software product that can help you gain control of local admin privileges across your entire Windows environment. The software can step right in and immediately start to remove local admin privileges and manage passwords for all domain accounts through a simple-to-follow process and easy-to-use tools.

So how does it work? Securden discovers endpoints, servers, and users in the network all from an easy-to-understand web dashboard. You can import accounts from Active Directory, local server accounts, and others like SQL. You can push agents to endpoints all through the console with relative ease. The agent then steps in and handles the elevation of privileges going forward. All users can then run as standard users, and they can request time-limited privileges to run applications, commands, and other activities whenever required.

Administrators can review privilege requests and grant approval on a case-by-case basis in advance or set auto approvals for certain privileges. Securden adds a "Run with Securden Privilege" option in the menu for users to gain admin rights. There's also an option for apps and commands that do not interact with the Windows GUI.

Administrators have full control over the elevation process and can revoke permissions anytime as needed. At the end of the approved time, Securden will automatically terminate all the applications opened with admin privileges. It can notify users when elevated session permissions will expire shortly before the end of an approved time limit. Additionally, Securden can report on the activities a user executes during an elevated session.

In addition to all of this, Securden can act as a password vault and enforce password policies with advanced features such as randomizing passwords at periodic intervals and automatically taking care of propagating the changes across dependencies as well.

So let's dive in and take look at some of the features in depth.

Installation ^

Installation is a breeze because Securden comes with everything bundled and does not require installation of any specific software separately. Securden is self-contained in one installer file. The requirements to run the tool are not excessive, but these are minimums, and you'll want to throw more resources at this tool so it runs efficiently.

  • Hardware: 4 GB RAM, 2 GB hard disk space
  • Operating systems: Windows Server (2008 R2, 2012, 2012 R2, 2016), Windows 8, or Windows 10
  • Database: PostgreSQL bundled with the product; supports MS SQL Server 2008 and above
  • Web interface: IE 10 and above, Chrome, Firefox, and Safari

I downloaded the tool, read the included quick start guide (which is very clear and easy to follow), and then installed the tool with the defaults. Five minutes later, I was up and running with a local web server installed and configured.

Default website after install

Default website after install

After logging into the console, it immediately presented me with a "getting started page" that was super easy to understand and navigate.

Getting started web page

Getting started web page

The first thing Securden recommends is to discover users, groups, and endpoints. So that's what I did. In my lab, I'm running three servers, one acting as a domain controller (DC) and two members servers all running Server 2012 R2 and patched up to this month. We can target the discovery process toward a group, an organizational unit (OU), specific nodes, user accounts, or group accounts. The screen capture below is my search for any folders named "users." It's probably not immediately obvious, but Securden can import many different kinds of accounts, such as local accounts, SQL accounts, domain accounts, and Azure accounts.

Searching for specific groups

Searching for specific groups

After performing a few look-ups and importing the data, my discovery summary showed the following results:

Imported objects

Imported objects

After importing data, you need to organize it. Securden does this by creating folders. You then can apply settings and policies to those folders. I found this effortless in my small test domain. The folders are useful for setting password change frequency on a large scale for different account groups, reporting, and for sharing config access among Securden users.

Password policy per folder

Password policy per folder

I mentioned earlier that Securden can manage many different account types. One interesting feature is that you can create password policies and apply them to different account types. For example, you can require that all Azure accounts have 25-character passwords and different forms of complexity. You can then assign a different policy for Windows domain users and another for SQL Server accounts. The part I found really interesting is that the "types" of accounts are totally configurable, which means you can create your own "types" and assign policies to each type as you wish.

Configure password policies

Configure password policies

Account types

Account types

Assign password policies to different account types ^

Once we've organized our accounts and assigned password policies to the various account types, Securden can start rotating passwords automatically behind the scenes. It can record the new passwords in its database for safekeeping based on the frequency we prescribed per folder.

Managing service accounts ^

Securden can also manage the accounts and associated passwords for things like services, scheduled tasks, and IIS app pools controlled by an "account," meaning a username and password. One interesting aspect of Securden's account management is that it can handle dependencies. So for example, whenever the password of a domain account changes, Securden takes care of propagating the change across all dependencies that also use that account. This way, you can always have complete visibility and control over service accounts and dependencies.

Privilege management ^

I have spent a lot of time on setup and password management, but probably the most powerful piece of the Securden software suite is the ability to remove local admin privileges in bulk from many accounts. We can use the software console to remove admin privileges for everyone, or you can choose which accounts to remove admin access for individually.

If you have a large number of accounts you wish to remove access for, you can also use group policy to do the work for you. However, you can't use GPOs to remove access for local accounts and application accounts like in SQL.

For Securden to remove access to local accounts and elevate privileges for applications, you need to deploy agents. Just like earlier, the console makes it dead simple to browse for nodes and push agents to those nodes. I pushed agents to two servers, and the installs were lightning quick. Deploying agents is literally a button click and you're done!

Deploying agents to nodes

Deploying agents to nodes

The software also has robust reporting features. For example, maybe you want to see a report of all nodes that have an account with local admin access. The term "Reports" is a bit of a misnomer because the reports are really dashboards that are dynamic and interactive as opposed to static page reports. These reports are rich with detail and graphics, and all of them allow you to drill down deeper into each report.

Rich interactive dashboards

Rich interactive dashboards

Main dashboard

Main dashboard

Once you've removed existing admin access from PCs or servers and installed the agent, the process to gain administrative access is very simple. Users without admin access will have a new prompt in their right-click menu called "Run with Securden privilege." They can select that menu option, and the software will send an email to the Securden admins requesting elevated access.

Elevating privileges for non admins

Elevating privileges for non admins

The admin then approves the request, which then generates an email back to the user who requested access. It includes an access code the user can now enter to get elevated access for a period of time. Users can also go to a self-service portal to preselect admin access for a particular application.

Securden allows you to deploy a secondary server with a few clicks to which users can connect to get uninterrupted access, in the event of the primary server going down.

Summary ^

I have taken you through a very brief tour of the Securden privilege management tool. If I had to describe this software to a friend, I would say this software can control local admin privileges on all the nodes in your network and you can configure the software in just a few hours!

The software itself has a super-clean interface and is easy to understand. The included documentation was a little thin at times but was surely adequate to get me started. Moreover, the software is pretty slick, and it is fairly intuitive to figure out how to configure most of the features without consulting the manual every two minutes.

Overall, this product is well done and fairly simple to use considering the complexity possibilities involved with removing local admin rights across a domain full of computers. I literally set up this software in my test domain in just a few hours. Installing this product in a larger environment should not take much more time and effort than what I spent setting this software up for demonstration. If you are struggling with local admin accounts on PCs and servers, this product is definitely worth a look.

Subscribe to 4sysops newsletter!

Securden offers a 30-day free trial.

+4
avatar
4 Comments
  1. Thank  you Mike for this article. It is an interesting product with nice features ( i.e. ability to remove local admin privileges in bulk from many accounts and detailed reporting).

    +2

    • Author

      The challenge of reviewing a product like this and keeping the review concise enough for readers to enjoy reading while figuring out what to write about and what not to cover.

      The short version is that I was impressed with the product enough that I would want to take look at the software. The product is pretty deep in functionality and I really just scratched the surface on what it can do and how well it works.

      My recommendation to anyone who reads this article and is curious about this product is to call the vendor and ask for a product demo. I say this because that's a really good way to get a high-level overview of the product strengths in a short amount of time.

      If the product still interests you, download the product and do a proof of concept in your test lab. This tool has so much capability that it's hard to really appreciate how it works through a medium length blog post. With that being said, I really tried hard to give readers an idea of what to expect when setting up and testing this tool.

       

      +3

  2. Prashant 3 years ago

    How does this fair in comparison to "Thycotic Secret Server"?

    0

  3. khalil 9 months ago

    This products looks great, but I am concern of one think , as it is installed on a windows server , how it can secure itself , in PAM solution the first question is that how secure the product is and then how it can secure the rest of environment.

    0

Leave a reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2021

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account