Endpoint Privilege Management

Introduction

Endpoint Central's Privilege Management empowers admins to control user access based on roles and responsibilities. Features like privilege elevation and delegation enable temporary and delegated access without full administrative privileges. By enforcing policies and auditing, organizations can ensure compliance and minimize security risks. Follow the best practices guide for efficient privilege delegation.

While principle of least privilege (POLP) is recognized as crucial, its implementation can be complex. Endpoint Central's Endpoint Privilege Management simplifies POLP implementation by balancing security and productivity. This involves restricting unnecessary admin rights to authorized individuals and providing standard users with alternative methods to perform elevated tasks without compromising security.

Create Privileged Application List

The applications can be run with elevated privileges in the following ways:

  • Self elevation of applications: Administrators have the option to allow users to elevate their user privileges by providing a justification. The provided justification will be logged, and this capability can be configured for specific applications or all allowlisted applications.

    Self Elevation

  • Elevation to all allowed applications: The custom groups associated to the Privileged Application List during policy deployment will be allowed to self-elevate their privileges to all allowlisted applications.

    Elevation for Allowed Applications

  • Elevation to specific applications: The groups associated to the Privileged Application List during policy deployment will be allowed to self-elevate their privileges to all the applications selected.

    Elevation for Specific Applications

  • Auto Elevation: The associated groups will be allowed to automatically run applications with elevated privileges.

    Auto Elevation

Configuring Privilege Management

The Privilege Management policy is used to control usage of local admin accounts by allowing standard users to self-elevate their privileges to specific applications.

  • Login to the Endpoint Central web console and navigate to App Ctrl -> Privilege Management.
  • To allow the self elevation of applications, enable the toggle for Enable users to elevate applications manually.
  • To configure elevated privileges for all allowed applications or specific applications, enable the Configure specific application to run with elevated privileges to create a list of applications that need administrator level access to run.
  • The applications can be automatically elevated by enabling the Auto Elevation option.
  • After this list creation is done, you can navigate to the Policy Deployment tab and choose the Custom Group with the user-devices that require privileged access to those applications. After completion, click Yes to Associate the Privileged Application List to the chosen custom group.

    Associate Privileged Application List

  • The user-devices in the associated custom group can attain privileged access to those applications by right clicking on the application's exe and choosing 'Run as ManageEngine'.

Revoking Application Privileges

Deleting the policies created after fulfilling the requirements can prevent the misuse of the elevated privileges.

Delete Application Group

Removal of Admin Rights

Removing admin rights in Endpoint Central restricts administrative privileges for certain users or groups when it comes to managing applications on the endpoint devices. This enhances security by preventing unauthorized installation, modification, or removal of applications, and reduces the risk of malware infections and other vulnerabilities.

By selecting a computer and clicking on Remove Local Admin, all Local Admin Accounts in it will be removed except for the ones retained in the Exclusion Policy. Policies to retain certain admin accounts globally can be created from the Exclusion Policy tab. The sysadmin can choose to retain only their account, the built-in administrator account, or any other account depending on their needs. Once all unnecessary local admin accounts are removed, the sysadmin can proceed to create a Privileged Application List. This list can then be associated with custom groups of user devices that will then enable select users to run these applications as administrators, even if they are granted only standard user privileges. Here is how you can leverage the Remove Admin Rights feature to eliminate a huge section of your attack surface:

  • Identify and Analyze the admin accounts: Assessing the distribution of local admin accounts across your network is crucial to identify the security vulnerabilities. The Admin Rights Summary tab displays the list of local admin accounts that correspond to the discovered computers, allowing you to analyze and minimize unnecessary privileges. The Local Admin Count shows the number of local admin accounts on each computer.
  • Remediation: After determining the local admin accounts to be removed or retained, you can manually delete them or configure automatic removal. To prevent accounts from being deleted, include them in the Exclusion policy.

Exclusion Policy

The Exclusion Policy tab allows you to create global policies that protect certain admin accounts. These accounts will be retained on all computers where they are found. The sysadmin can decide to protect only their account, the built-in administrator account, or any other account based on their requirements.

Exclusion Policy

Manual Removal of Admin Rights

Once the exclusion policy is finalized, the sysadmin can remove the remaining unnecessary accounts either manually or automatically. To manually delete these accounts, go to the Admin Rights Summary tab, choose the computers you want to modify, and click 'Remove Local Admin'. All local admin accounts on those computers will be deleted, except for those retained by the exclusion policy.

Manual Removal of Admin Rights

Automatic Removal of Admin Rights

Checking the Enable Automatic Removal box will immediately remove all other admin accounts from the computer groups selected.

Automatic Removal of Admin Rights

If you have any further questions, please refer to our Frequently Asked Questions section for more information.