Securden Windows Privilege Manager: Remove local admin rights, enforce least privilege

While granting admin privileges to end users increases the risk of malware propagation, eliminating local administrative rights altogether on endpoints creates productivity problems. How can you effectively remove admin rights and elevate privileges for applications without compromising security or productivity? Let's look at a review of Securden Windows Privilege Manager and see how it can help.

In a previous review of Securden Privileged Account Manager (PAM), we took a look at how the solution helps you discover, consolidate, protect, and automate the management of all privileged account passwords and keys. It enables controlling, monitoring, and auditing administrative access to critical IT assets.

In this review we look at the complementary product, Windows Privilege Manager (WPM), a solution for enforcing least privilege across your organization by eliminating administrative rights and elevating applications for standard users. The product offers another feature by which end-users can request time-limited full admin access to install/run the applications that are not handled by automated elevation policies.

WPM includes the following features:

  • Removal of admin privileges – You can completely remove local admin rights from users on Windows endpoints and enforce least privilege without impacting operational efficiency.
  • Control applications – Whitelist trusted applications and prevent the use of unapproved applications. This allows you granular control over which applications are allowed to run.
  • Discover applications – Automatically discover applications that require elevated privileges across the enterprise.
  • Elevate applications on demand – With the WPM policies, you can elevate applications for standard users whenever required. This model allows the elevation of applications and not users.
  • Local admin analysis – With WPM, you can track and identify users and groups that are part of the local admin group of computers in the domain.
  • Grant temporary admin rights – WPM enables granting temporary admin rights for a limited period of time, as well as automatically revoking those rights after the time expires. It also offers full auditing of the activities involved.

Licensing

WPM licensing is based on the number of endpoints and servers in your environment. Given these numbers, Securden can work up a quote for your particular environment.

Installation

The installation of Securden WPM is a straightforward process. I tested it on a Windows Server 2019 machine that is a domain-joined member server. The process is what you would expect from an easy Windows installation package. There are only a couple of configuration options.

There are a few tasks you need to complete to configure Securden for your environment. Most of these initial tasks include importing information from your Active Directory domain. This includes:

User-related tasks

  1. Importing users and assigning roles
  2. Adding users to groups
  3. Configuring user synchronization with your Active Directory identity source

Privilege management and application control

  1. Discover computers
  2. Configure synchronization of computers in Active Directory
  3. Install Securden agents
  4. Add applications automatically and/or manually
  5. Define application control policies
  6. Remove admin rights
  7. Elevate privileges

Discover computers and install the Securden agent

To begin controlling your Windows endpoints with a Securden policy, add the computers you want to control with Securden. Securden provides a quick, easy Active Directory domain search that lets you scope down to the specific OUs from which you want to import computer accounts.

Browse AD OU tree to select OUs granularly as a discovery source

To carry out privilege elevation and delegation tasks, you need to install a single lightweight Securden agent. The agent handles elevating applications and processes for standard users.

Deploying the agent is quite simple. Securden provides automated push installation of the agent by means of a freely available tool, PsExec. All you have to do is download the PsExec executable file and place it in the tools folder of the Securden server. After pushing the agent to the endpoint, you will see the agent status, version, and connected time. You can also reinstall or remove it at any time.

Securden agent successfully installed

Now that we have the computer(s) added and the agents installed, we need to import users to the Securden system. After that, we can start building application control policies.

Import users from Active Directory for applying application policies

Elevating privileges for a non-admin user

One common use case that WPM helps with is elevating non-admin users for whitelisted applications. Let's look at creating a sanctioned application and then assigning this to a policy for elevation. As a common application, the PowerShell Administrator session may be needed for certain users. Let's configure it for elevation.

But first, let's see what happens for a normal user that tries to elevate to a PowerShell Administrator prompt.

Elevation prompt reappears

We could make this user a Local Administrator on the Windows Server. However, this would be giving way too many privileges simply to launch an application.

With WPM, this issue is easy to resolve. Using WPM as a proxy of sorts, we can elevate the privileges for this application rather than the user.

First, we add the application to be elevated.

Adding Windows PowerShell as a whitelisted application in WPM

After you have created a whitelisted application that you want to elevate, you can then create an application policy to tie to the application. As you will see below, you can configure:

  • The application
  • Which computers to associate the policy to
  • Which users to associate the policy to

For a quick test, I will simply define all computers and users.

Defining an application policy in WPM

Use the Run with Securden privilege for PowerShell

The Securden Authentication dialog box is displayed only once for a logon session. After you enter the password, the application is launched.

Enter your password in the Securden Authentication dialog box

Click Yes in the Windows PowerShell dialog box

After you click Yes, the PowerShell Administrator prompt is launched. Keep in mind this is for a non-admin user who, under regular circumstances, is unable to elevate permissions without either another privileged account to "runas" or rights being unnecessarily assigned to users who don't need them, just to allow running specific programs.

PowerShell Administrator prompt is launched for a non-admin user using Securden

In this use case, we dealt with manual addition of the application. Securden offers automatic discovery of the applications too. This is done by the Securden agent installed on the endpoints.

This is one among many great use cases for the WPM. Additionally, there is good reporting built into the WPM system that allows querying your environment for:

  • Privilege management trails
  • User activity
  • Local administrator accounts

Have you ever had the need to remove privileges from all your endpoints in bulk, maybe for a specific user? WPM allows you to do this easily with the Remove Admin Rights feature. With this feature, you can choose to remove all users from the Local Administrators group on all endpoints, or you can choose specific users and computers.

Remove admin privileges in bulk from endpoints with WPM

You can also easily view and audit the local administrators on any of your computers in your environment, by clicking the endpoint listed under Computers and then clicking Local Administrators. From this interface, you can also remove users on an ad hoc basis from the Local Administrators group.
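The two tasks just described, listing who sits in the local Administrators group on each endpoint and removing a specific account from it, can also be scripted for environments where an agent-based console is not yet in place, or to cross-check what the console reports. The following PowerShell script is an added example written for this review and is not Securden's code. It assumes WinRM/PowerShell Remoting is enabled on the targets, that the account running it is an administrator there, and that the Microsoft.PowerShell.LocalAccounts module (PowerShell 5.1 and later) is available; the computer names and the account to remove are constructed sample values.

```powershell
<#
  Audit local Administrators group membership on a set of endpoints and,
  when -Remove is supplied, remove one named account from that group.
  Without -Remove the script only reports what it would do (dry run).
  Added example for this review, not Securden's own code.
#>
param(
    # Constructed sample endpoint names; replace with your own.
    [string[]]$ComputerName = @('WS01', 'WS02'),
    # Constructed sample account in DOMAIN\user form.
    [string]$AccountToRemove = 'CONTOSO\jdoe',
    [switch]$Remove
)

$auditBlock = {
    param($Account, $DoRemove)

    # Live membership of the built-in Administrators group on this host.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop

    $result = [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Members  = @($members | ForEach-Object { $_.Name })
        Action   = 'none'
    }

    $hit = $members | Where-Object { $_.Name -ieq $Account }
    if ($hit) {
        # Guard: never touch the built-in Administrator account (RID 500),
        # which is the break-glass account on every Windows host.
        if ($hit.SID.Value -like '*-500') {
            $result.Action = "refused: $Account is the built-in Administrator"
        }
        elseif ($DoRemove) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $Account -ErrorAction Stop
            $result.Action = "removed $Account"
        }
        else {
            $result.Action = "would remove $Account (re-run with -Remove)"
        }
    }
    $result
}

# Run the audit on every endpoint; a host that is unreachable or refuses
# the operation becomes an error row instead of aborting the whole run.
$report = foreach ($c in $ComputerName) {
    try {
        Invoke-Command -ComputerName $c -ScriptBlock $auditBlock `
            -ArgumentList $AccountToRemove, $Remove.IsPresent -ErrorAction Stop
    }
    catch {
        [pscustomobject]@{
            Computer = $c
            Members  = @()
            Action   = "error: $($_.Exception.Message)"
        }
    }
}

$flat = $report | Select-Object Computer,
    @{ Name = 'Members'; Expression = { $_.Members -join '; ' } },
    Action

$flat | Format-Table -AutoSize

# Keep an audit trail of what was found and changed, timestamped per run.
$csv = ".\LocalAdminAudit_$(Get-Date -Format 'yyyyMMdd_HHmm').csv"
$flat | Export-Csv -Path $csv -NoTypeInformation
Write-Host "Audit written to $csv"
```

Run it once without -Remove to see the current membership and which hosts would be affected, then a second time with -Remove. The RID-500 guard and the per-host CSV are the two things worth keeping even if you adapt the rest: bulk removal tooling should never be able to lock you out of the built-in account, and every change to a local Administrators group should leave a record you can reconcile against the console's own privilege management trail.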

The Securden Computers feature enables viewing local administrators easily

Self-service admin privilege requests

A really neat feature of WPM is the ability for an end user to raise self-service requests for time-limited full admin access or for admin access to a specific application alone. Once the request is raised, by default it goes to all the configured Securden administrators for approval.

Users can raise this request in two ways:

  • Through Securden Tray Icon
  • Through Self-service Portal in the Web-Interface

Once the Securden agent is installed on the endpoint, the tray icon will appear.

Alternatively, users can make use of the self-service portal in the GUI.

Raising a self-service request for admin privileges

Impressions and thoughts

After having used the PAM, I had pretty high expectations for the WPM. For the specific use case of controlling which applications are elevated in your environment, as opposed to simply handing out administrator rights when they aren't truly needed, this solution really shines.

The feature that provides end-users a self-service mechanism to request time-limited admin privileges is a really nice way to support the mindset of least privilege most of the time, yet have an easy way to escalate when needed for limited periods of time.

The only downside for me is the use of an agent on your endpoints. Agents require management and troubleshooting from time to time, which adds to the administrative burden. However, with the great functionality that is provided by WPM and the fact that much of the administrative burden related to privilege escalation is automated by the system, the agent overhead is definitely offset and surpassed.

The combination of WPM and PAM offers a complete solution from Securden that allows totally managing, securing, auditing, and reporting on privileges in your organization. Be sure to check out a trial download of WPM here.

1 Comment
  1. It is quite interesting how there are so many different products to do this job. Unfortunately, such products are almost always expensive, and the SMB sector is not the target customer segment .)
© 4sysops 2006 - 2020