Privilege management in Application Control empowers administrators to control user access based on roles and responsibilities. This includes features like privilege elevation and delegation, allowing for temporary and delegated access without full administrative privileges. By enforcing privilege policies and auditing, organizations can ensure compliance, track privileged activities, and prevent unauthorized access. Removing excessive administrator rights can further minimize security risks and maintain a secure IT environment. To delegate efficient usage of application privileges, follow the best practices guide.
While organizations recognize the importance of the principle of least privilege (POLP), they often hesitate due to its complexities. Balancing security and productivity can be challenging, especially when relying on multiple external tools. Application Control's Endpoint Privilege Management feature provides a seamless solution for implementing POLP without compromising business operations.
Implementing the principle of least privilege involves two key components: restricting admin rights to authorized individuals, and providing standard users with alternative methods to perform elevated tasks without compromising security.
The applications can be run with elevated privileges in the following ways:
The Privilege Management policy is used to control usage of local admin accounts by allowing standard users to self-elevate their privileges for specific applications.
Deleting these policies once the requirements have been fulfilled can prevent misuse of the elevated privileges.
Removing admin rights in Endpoint Central helps to revoke or restrict administrative privileges for certain users or groups when it comes to managing applications on the endpoint devices. By restricting admin privileges for specific users or groups, you can enhance security and reduce the risk of malware infections and other vulnerabilities. When you remove admin rights for a user or a group, it means they will no longer have the authority to install, modify, or remove applications on the endpoint devices.
Selecting a computer and clicking Remove Local Admin removes all local admin accounts on it except the ones retained in the Exclusion Policy. Policies to retain certain admin accounts globally can be created from the Exclusion Policy tab. The sysadmin can choose to retain only their account, the built-in administrator account, or any other account depending on their needs. Once all unnecessary local admin accounts are removed, the sysadmin can proceed to create a Privileged Application List. This list can then be associated with custom groups of user devices, which enables selected users to run these applications as administrators even if they are granted only standard user privileges. Here is how you can leverage the Remove Admin Rights feature to eliminate a huge section of your attack surface:
The Exclusion Policy tab allows you to create global policies that protect certain admin accounts. These accounts will be retained on all computers where they are found. The sysadmin can decide to protect only their account, the built-in administrator account, or any other account based on their requirements.
Once the exclusion policy is finalized, the sysadmin can remove the remaining unnecessary accounts either manually or automatically. To manually delete these accounts, go to the Admin Rights Summary tab, choose the computers you want to modify, and click 'Remove Local Admin'. All local admin accounts on those computers will be deleted, except for those retained by the exclusion policy.
Checking the Enable Automatic Removal box will immediately remove all other admin accounts from the computer groups selected.
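The preview below is an added example, not part of the product or its documentation: a read-only PowerShell dry run that lists the members of the local Administrators group on one computer and marks which would be retained under an exclusion list, so the effect of a removal can be reviewed first. The account names in `$Exclusions` and the function name `Get-AdminRemovalPreview` are assumptions for illustration.

```powershell
# Added example: dry-run preview of local admin removal with an exclusion list.
# Read-only: it lists accounts and never removes or changes anything.

# Assumption: accounts to retain, matched by account name without the
# computer or domain prefix. Replace with the accounts in your own policy.
$Exclusions = @('Administrator', 'sysadmin')

function Get-AdminRemovalPreview {
    param(
        # Objects with Name, SID, ObjectClass and PrincipalSource properties,
        # as returned by Get-LocalGroupMember.
        [Parameter(Mandatory)] [object[]] $Members,
        [string[]] $Retain = @()
    )
    foreach ($m in $Members) {
        # 'PC01\alice' -> 'alice'
        $short = ($m.Name -split '\\')[-1]
        # The built-in Administrator keeps a SID ending in -500 even if renamed.
        $isBuiltIn = "$($m.SID)" -match '^S-1-5-21-.+-500$'
        # -contains is case-insensitive, matching Windows account name rules.
        $keep = ($Retain -contains $short) -or
                ($isBuiltIn -and ($Retain -contains 'Administrator'))
        [pscustomobject]@{
            Account = $m.Name
            Class   = $m.ObjectClass      # User or Group
            Source  = $m.PrincipalSource  # Local, ActiveDirectory, ...
            BuiltIn = $isBuiltIn
            Action  = if ($keep) { 'Retain' } else { 'Remove' }
        }
    }
}

# S-1-5-32-544 is the well-known SID of the local Administrators group,
# so the lookup also works where the group name is localized.
$members = Get-LocalGroupMember -SID 'S-1-5-32-544'

Get-AdminRemovalPreview -Members $members -Retain $Exclusions |
    Sort-Object Action, Account |
    Format-Table -AutoSize
```

Entries with class `Group` deserve a second look before removal, since one group membership can carry admin rights for many users.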
If you have any further questions, please refer to our Frequently Asked Questions section for more information.