Endpoint Central's Privilege Management empowers admins to control user access based on roles and responsibilities. Features like privilege elevation and delegation enable temporary and delegated access without full administrative privileges. By enforcing policies and auditing, organizations can ensure compliance and minimize security risks. Follow the best practices guide for efficient privilege delegation.
While the principle of least privilege (POLP) is recognized as crucial, implementing it can be complex. Endpoint Central's Endpoint Privilege Management simplifies POLP implementation by balancing security and productivity. This involves restricting admin rights to authorized individuals and providing standard users with alternative methods to perform elevated tasks without compromising security.
The applications can be run with elevated privileges in the following ways:
The Privilege Management policy is used to control the usage of local admin accounts by allowing standard users to self-elevate their privileges for specific applications.
Deleting these policies once the requirements they were created for have been fulfilled can prevent misuse of the elevated privileges.
Removing admin rights in Endpoint Central restricts administrative privileges for certain users or groups when it comes to managing applications on the endpoint devices. This enhances security by preventing unauthorized installation, modification, or removal of applications, and reduces the risk of malware infections and other vulnerabilities.
By selecting a computer and clicking on Remove Local Admin, all local admin accounts on it will be removed except for the ones retained in the Exclusion Policy. Policies to retain certain admin accounts globally can be created from the Exclusion Policy tab. The sysadmin can choose to retain only their account, the built-in administrator account, or any other account depending on their needs. Once all unnecessary local admin accounts are removed, the sysadmin can proceed to create a Privileged Application List. This list can then be associated with custom groups of user devices, enabling select users to run these applications as administrators even if they are granted only standard user privileges. Here is how you can leverage the Remove Admin Rights feature to eliminate a huge section of your attack surface:
The Exclusion Policy tab allows you to create global policies that protect certain admin accounts. These accounts will be retained on all computers where they are found. The sysadmin can decide to protect only their account, the built-in administrator account, or any other account based on their requirements.
Once the exclusion policy is finalized, the sysadmin can remove the remaining unnecessary accounts either manually or automatically. To manually delete these accounts, go to the Admin Rights Summary tab, choose the computers you want to modify, and click 'Remove Local Admin'. All local admin accounts on those computers will be deleted, except for those retained by the exclusion policy.
Checking the Enable Automatic Removal box will immediately remove all other admin accounts from the computer groups selected.
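Before removing accounts, it helps to preview on a sample endpoint which members of the local Administrators group fall outside the exclusions. The script below is an added example using native Windows PowerShell cmdlets, not Endpoint Central's own code or API; it is read-only and changes nothing. The `$Exclusions` list, its account names and the `$RetainBuiltIn` switch are hypothetical stand-ins for what the Exclusion Policy would retain.

```powershell
# Added example: read-only preview, nothing is removed or changed.
# $Exclusions is a hypothetical stand-in for the accounts an exclusion policy
# would retain; both names below are constructed sample values.
$Exclusions    = @('CONTOSO\it-sysadmin', "$env:COMPUTERNAME\breakglass")
$RetainBuiltIn = $true   # assumption: the built-in Administrator is retained

# S-1-5-32-544 is the well-known SID of the local Administrators group.
# Using the SID avoids depending on the localized group name.
$members = Get-LocalGroupMember -SID 'S-1-5-32-544'

$preview = foreach ($m in $members) {
    $sid = $m.SID.Value

    # The built-in Administrator is the local account whose RID is 500.
    $isBuiltIn = ($m.PrincipalSource -eq 'Local') -and
                 ($sid -match '^S-1-5-21-(\d+-){3}500$')

    # -contains compares strings case-insensitively.
    $action = if ($Exclusions -contains $m.Name) {
        'Retain (exclusion list)'
    } elseif ($isBuiltIn -and $RetainBuiltIn) {
        'Retain (built-in)'
    } else {
        'Would be removed'
    }

    [pscustomobject]@{
        Name        = $m.Name
        ObjectClass = $m.ObjectClass      # User or Group
        Source      = $m.PrincipalSource  # Local, ActiveDirectory, ...
        SID         = $sid
        Action      = $action
    }
}

$preview | Sort-Object Action, Name | Format-Table -AutoSize

# Guard against a lockout: warn if no admin account would be left.
if (-not ($preview | Where-Object { $_.Action -like 'Retain*' })) {
    Write-Warning 'No admin account would be retained on this computer.'
}
```

Run it in an elevated PowerShell session; entries marked as groups (for example a domain group nested in Administrators) deserve a separate review of their membership.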
If you have any further questions, please refer to our Frequently Asked Questions section for more information.