Seek and destroy privilege creep with DesktopNow
*This post originally appeared on the AppSense blog prior to the rebrand in January 2017, when AppSense, LANDESK, Shavlik, Wavelink, and HEAT Software merged under the new name Ivanti.
In this Blog, I’ll discuss how AppSense can help with tightening security on your endpoints using Insight and Application Manager.
Many admins are familiar with the term ‘Privilege creep’ which is defined as the gradual relaxation of security boundaries for end users over time. This is often the result of legitimate actions performed by sysadmins in order to facilitate the end user’s job function, but which are not subsequently tightened once that function is complete, resulting in greater-than-required access and therefore presenting an elevated vulnerability cross-section.
One aspect (and arguably the pinnacle) of ‘privilege creep’ is when end users are made local administrators of their endpoint. This of course puts them at high risk of malware infection even while performing legitimate activities (For example, accessing a line-of-business website which has been hijacked with malicious code). Once infected, the user’s endpoint could then be used by a malicious third party to facilitate further propagation, data theft or sabotage.
When formulating a plan to mitigate this vulnerability by revoking local administrative privileges, it’s essential to be armed with the following information:
- Which applications are being used?
- Which Windows components requiring elevation are being used?
- Which endpoints have local administrator accounts?
AppSense Insight can provide this information via pre-canned reports (which are also downloadable as CSV for further manipulation and advanced analysis). This helps with understanding the scope of the issue, and is also useful for ongoing security compliance audits.
The next step is to ensure that end users are not adversely impacted by any removal of admin privileges or accounts. An AppSense Application Manager configuration can be built, by referencing the Insight reports in order to whitelist and elevate (where required) just the applications and components the user needs to do their job effectively. End users requiring access to unapproved software can of course use Application Manager’s Policy Access Request feature.
The final step is to ensure that the ‘built-in Administrators’ groups on the endpoints are ‘cleansed’ so that they only contain approved administrative accounts and not the end user’s. Microsoft provide a Group Policy setting for this under Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups. (See https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc957640(v=technet.10) for further information.) This could also be configured via an AppSense Environment Manager custom actions if required.
I hope this has been useful – thank you for reading!