Skip to content

What are the Recommended Methods for Efficient Endpoint Privilege Management?

Once admin rights are removed, users would be able to elevate applications through policies that are in force. If they need to access an application that is not covered through policies, then they might raise a privilege elevation request with the EPM administrator.

To best streamline privilege management, we recommend the following settings and procedures.

1) Assigning Designated Approvers

By default, whenever end users raise requests, the administrators in EPM are alerted through email. Only these users can approve or reject the request. However, in large enterprises a select few people cannot make a decision on these issues for hundreds and thousands of users.

Securden allows you to designate an approver for individual users and groups. Once designated, these approvers will be alerted and will be able to approve and reject the request.

This feature can be used to replicate the organizational structure in a team, where managers can manage their team members’ requests. You have the option to retain the team hierarchy from AD when importing users. Go to Configurations page in the Admin tab, locate and enable Retain Approval Hierarchy.

2) Creating Policies from Requests

Whenever end users raise requests to gain access to an app or run them with admin rights or gain temporary admin rights for themselves, the administrator who approves or rejects the request has the option to create a policy for the request.

What this means is that if gone through with, any future requests would be automatically handled for this application. You can add the app to an existing policy or create a new policy for this application.

This simple step would eliminate the repetitive process of raising a request and approving it. However, from a security standpoint, this measure must only be reserved for applications that have been repeatedly featured in requests.

3) Restricting Time for Elevated Access

When raising a request, the end users specify the time parameters providing information on how long they need elevated access. You can restrict the maximum permissible duration that a user can raise a request from the Configurations page in the Admin tab.

Whenever the administrator or designated approver is approving the request, they can set a time limit they see fit for the task at hand. If the user needs admin rights for installing a simple tool and has placed a request for five hours, the approver can and is encouraged to limit the time to 30 minutes or an hour accordingly.

4) Enforcing Multi-factor Authentication for Privilege Elevation

You have the option to enforce multi-factor authentication for gaining elevated access, starting technician access, and gaining application access. You can configure MFA methods from the admin console and enforce MFA from the configurations page.

It is recommended to enforce MFA for privilege elevation for added security. You need to enforce MFA for request-based privilege elevation and policy-based privilege elevation separately from the configuration page.

5) Limiting Login Attempts to Web-Interface

You can enforce a limit on the maximum number of unsuccessful login attempts a user is allowed to make. You can also enable captcha verification after a certain number of unsuccessful attempts.

Upon reaching the maximum number of unsuccessful login attempts, you have the option to configure temporary account lockout. It is recommended to enforce this for security reasons.

This prevents unauthorized access to the endpoint privilege manager interface.

6) Time Limit for Technician Access

To prevent usage of domain admin credentials on endpoints, Securden provides technician access provisions that help technicians gain temporary admin rights when they login using their own standard user account on endpoints.

You can enforce a time limit of each technician access session by navigating to Admin >> Configurations and locating Restrict Time Limit for Technician Access.

7) Remove New Admin Users

When users gain temporary local admin rights, they can potentially create a user account and make it a member of the local administrator group. You can configure the Securden Agent to monitor the local admin group and remove new admin user accounts created by end users.

Navigate to Admin >> Configurations and locate Remove New Admin Users. Enforce this configuration to automatically delete the newly created account.

Securden Help Assistant
What's next?
Request a Demo Get a Price Quote
Thank you message

Thanks for sharing your details.
We will be in touch with you shortly.

Thanks for sharing your details.
We will be in touch with you shortly.