Use cases on managing administrator privileges and controlling applications on endpoints

Securden Endpoint Privilege Manager helps enforce the least privilege across the organization by removing administrator rights on endpoints. It helps standard users use/run the applications that would normally require administrator rights. The following are some typical use case scenarios.

Case 1: Application Elevation

Enabling standard users to run specific applications that would normally require administrator rights

Assume that a user in your department would usually run a list of applications and processes requiring administrator rights to install, run, and update. When local administrator rights are removed, and the user is made a standard user, the applications cannot be run.

Securden enables the user (with just standard user rights) to run all those applications without any hassles.

A Securden administrator can create a policy marking the list of applications as trusted and permit the user to run those applications on a specific computer or multiple computers. The Securden agent installed on the end-user machine elevates the applications for that standard user.

The user can use/run the applications in one of four ways:

  1. Double-clicking the application. (Users with admin privileges can double-click and directly open the application.) Users who do not have admin privileges will be given the option to request access, either to a specific application or temporary full admin access.
  2. Clicking Run as Administrator. (This opens up the UAC prompt, and a Securden dialog will pop up alongside the UAC prompt. Using this dialog, users can elevate privileges.)
  3. From the context menu. (Right-click the application and select ‘Run with Securden privilege’.) This lets users run the selected application based on control policies defined by the administrator.
  4. Using Run Command (Command Prompt, prefixing the command with the word ‘secudo’).

The elevation of privileges is based on the control policies in place. If a policy does not exist for the application, the user can place a privilege elevation request and access the application on approval.

While local administrator rights stand removed, user experience is not compromised, and productivity is not impacted.

Case 2: Installing/Running New Applications

Allowing standard users to install/run new applications that require administrator privileges

Business needs might demand users to install new applications on their systems. For example, a developer (with standard user rights) might be required to install a remote meeting application. In the absence of administrator privileges, the user will not be able to install and run the application.

Securden provides a self-service portal using which users can raise a request for permission to run the new application. They will have to specify a reason justifying the need for permission. Securden administrators will review the request and will either add the new application to the trusted applications list or grant one-time permission to install/use the application depending on the specific circumstances and organizational requirements. All these activities follow a well-defined workflow.

Once the Securden agent is deployed on endpoints, the Securden tray icon would be visible on all endpoints and servers.


Users will have to click the tray icon and select the option ‘Request Admin Access’ to raise a request to access a specific application.

They need to browse and select the application that is to be installed/run with admin privilege. After submission, the administrator will review the request and grant approval. There are provisions to configure automatic approvals whenever required. In such cases, the users will get instant approvals for their requests.

Case 3: Fully Controlled, Temporary Administrator Access

Granting time-limited, fully controlled and comprehensively audited temporary administrator access to standard users

Quite often, certain users might have to carry out multiple tasks that require broader administrative privileges. Granting uncontrolled, unmonitored full administrator access will defeat the principle of least privilege.

Securden offers a robust way to handle this critical requirement. Users can raise a request for administrator rights for a short time. They will have to provide a reason to justify access needs. Securden administrators will review the request and grant time-limited administrator privileges for the user.

The standard user will be able to perform all tasks that require administrator privileges, but everything will happen under full control and audit. At the end of the approved usage period, the temporary administrator privilege will be automatically revoked. All processes and applications elevated during that period will be terminated. All activities done by the user are captured as audit trails.

There are options to request approval well in advance to carry out planned tasks. For certain users, automatic approvals can be configured.


Case 4: Policy Based Application Control

Define and control which applications can be run by end-users. Prevent users from running unapproved or malicious applications

When users possess local administrator privileges, they tend to install unapproved software for personal use. Such software could be malicious and open the doors for hackers. The endpoint may be compromised and attackers can move laterally across the network.

Securden Endpoint Privilege Manager removes local administrator rights from endpoints, thus preventing users from installing or using unapproved software.

While removing local administrator rights prevents the use of unapproved software, Securden ensures that the user experience and productivity are not affected. Administrators can define policies that enable standard users to run the applications needed for their work absolutely without any hassles.

Case 5: Offline Scenarios

Ensuring the least privilege and application controls even when the endpoint is offline

Users might often work from home, be on the field, move out of the office LAN, or not be connected to the internet. If local administrator rights are removed without taking care of these scenarios, it will lead to frustration for the end-users and result in productivity loss.

Securden handles offline scenarios in such a way that the least privileges are enforced, just like in online scenarios.

The application control policies created by the administrators are cached by the Securden agent in the endpoints. In offline scenarios, the agent takes care of enforcing the recently cached policy. Users will not face any difficulty in running the required applications.

Scenario 1: Application control policies have been created for the required applications

The Securden agent in the endpoints caches the application control policies created by the administrators. In offline scenarios, the agent enforces the recently cached policy. Users will not face any difficulty in running the whitelisted applications. At the same time, the blacklisted applications will not be accessible by the user at any cost.

Scenario 2: No application control policies have been created for the required applications

If the endpoint is offline, and the user needs to run an application that has not been whitelisted or blacklisted using a control policy, they can use the offline access codes feature.

Administrators can allow users to generate a specified number of offline codes when they are connected to the server and store them for future use. When the user is offline and needs to elevate an application, they can use one of the generated codes and elevate privileges.

Alternatively, the administrator can generate an offline code specific to an endpoint and share it with the user when required.

Scenario 3: The user needs to elevate multiple applications while offline

If the endpoint is offline, and the user needs to run/install multiple applications that are not whitelisted using an application control policy, the user can use an offline code to gain temporary full admin access. Administrators can choose to not allow end users to use offline access codes to gain full administrator privileges.

All activities performed while offline will be audited by the agent locally. Once connectivity is re-established with the endpoint privilege management server, the activities will be populated in the audit trails. This ensures that users are held accountable for their actions, even when out of network connectivity.


Case 6: Visibility on Administrator Rights

Enabling enterprises to readily know who has administrator rights across the enterprise

When enforcing least privilege across the enterprise, it is necessary to have visibility on the list of computers where local administrator accounts are present. Sometimes, new computers may be added with administrator accounts or even new administrator accounts may be created on existing computers. It is necessary to have complete visibility on this.

Securden identifies and tracks the list of users and groups that are part of the local admin group on computers in the domain and presents a report providing complete visibility.

Case 7: Compliance Mandates

Demonstrate compliance to IT and industry regulations that mandate least privilege enforcement

Regulations such as PCI-DSS, SOX, HIPAA, NIST, ISO, GDPR, NERC-CIP, and others lay stress on the enforcement of the principle of least privilege across the organization to prevent intentional or unintentional damages to sensitive corporate IT infrastructure.

Securden removes local administrator rights across endpoints and servers and enforces strict controls on application usage, thereby preventing attacks by malware.

Securden provides a report on the least privilege enforcement scenario, which helps organizations demonstrate compliance during audits.


Case 8: Elevating Windows Control Panel Items

Elevation of Windows applications like control panel items and other system programs

Users may need to make changes to Windows control panel items, system programs, and configurations, even something as simple as changing the date and time configuration on a user system. This could be vital to the user for carrying out tasks on their machine.

You can allow the elevation of such Windows system programs. The Windows items should be added in Securden with their unique class ID attribute, which helps the Securden agent to identify the item and manage its privileges.

Users can request access to modify/run such items. These panel items can be added as applications.

Example: Allow users to change the IP address of a network adapter

To perform this task, users need elevated access to the Windows item that relates to network connections. The unique class ID attribute of that item can be added as an application and users can be given access to it. This allows them to change the IP address of the network adapter.

Case 9: Troubleshooting on Remote Endpoints

Log in to remote endpoints for installing software, updating firmware, and general troubleshooting

Technicians frequently log in to user machines for troubleshooting issues, installing and updating apps and drivers, and configuring system settings. Logging in using admin account credentials on user machines can increase the risk of credential theft and privilege misuse.

Securden Endpoint Privilege Manager allows your technicians to remotely sign in on user machines and carry out their tasks in compliance with the principle of least privilege. The technicians are logged in with standard user privileges. They can optionally elevate their privilege temporarily by using the Securden Agent tray icon.

Securden currently supports attended and unattended remote assist sessions for technicians. A policy-based approach provides control over which endpoints each technician is allowed to connect to. Granular policy controls help restrict access to sensitive applications and processes within each remote machine.

Additionally, technicians can create a temporary session link using which the end user initiates a remote assist session. Multiple technicians can join the session to fix issues, all in compliance with the principle of least privilege.


Case 10: Restricting Browser Extensions

Control which browser extensions users can install on their browser through allowlisting and blocklisting

Many malicious or compromised extensions can read login forms, capture credentials, access session cookies and tokens, and inject scripts into web pages. This is especially dangerous for SaaS-heavy environments, SSO deployments, privileged admin accounts, and remote workforces.

Browser extensions often require permissions to read inputs on web pages, access the clipboard, view download history, and access the file system. This can expose personally identifiable information (PII), financial data, source code, internal documents, and cached passwords.

Many regulations and standards like HIPAA, PCI DSS, ISO 27001, and GDPR recommend limiting uncontrolled data flows.

Securden Endpoint Privilege Manager allows the IT admins to allowlist and blocklist browser extensions based on the extension ID. The policy can be associated with specific users and user groups inside the organization to granularly enforce the policy.

Allowlisting and blocklisting browser extensions helps the organization:

  • Prevent shadow IT
  • Prevent data exfiltration
  • Prevent credential theft and session hijacking
  • Demonstrate compliance with regulations
  • Improve browser stability and performance

Case 11: Blocklisting URLs on Browsers

Prevent access to piracy sites and other malicious websites through URL blocklisting

To prevent users from visiting malicious websites like illegal betting websites and piracy-linked domains, you can use URL blocklisting in Securden Endpoint Privilege Manager. You can create policies that block users from visiting associated URLs.

URL blocklisting in Securden EPM uses regex-based pattern matching to identify and prevent access to websites. Regex-based identification gives you the freedom to block specific URLs or broadly blocklist all URLs that contain associated words.

URL blocklisting protects endpoints in the following ways:

  • Prevents drive-by malware downloads
  • Restricts unauthorized downloads
  • Reduces the phishing threat
  • Secures internet access
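
Before a regex blocklist policy is rolled out, it helps to run the candidate patterns against URLs that must be blocked and URLs that must stay reachable. The following is an added example, not Securden code: it compares a broad keyword pattern with a host-anchored one. It assumes patterns are searched against the full URL string; the product's actual regex dialect and matching semantics are not stated on this page, and all domains are constructed placeholders.

```python
import re

# Constructed test URLs; the .example domains are placeholders, not real sites.
SHOULD_BLOCK = [
    "https://bet-now.example/live",
    "http://www.bet-now.example/",
    "https://cdn.free-movies.example/watch?id=7",
]
SHOULD_ALLOW = [
    "https://alphabet-learning.example/kids",
    "https://intranet.corp.example/docs/diabetes-policy.pdf",
    "https://news.example/story?ref=bet-now.example",
]

# Candidate A: broad keyword match anywhere in the URL.
BROAD = [r"bet", r"movies"]


def host_rule(domain):
    """Build a regex that matches `domain` and its subdomains in the host part only."""
    return (
        r"^https?://(?:[a-z0-9-]+\.)*"  # scheme, then optional subdomain labels
        + re.escape(domain)             # literal domain, dots escaped
        + r"(?::\d+)?(?:[/?#]|$)"       # optional port, then end of host
    )


# Candidate B: anchored to scheme and host, so a keyword that appears
# only in a path or query string does not trigger a block.
ANCHORED = [host_rule("bet-now.example"), host_rule("free-movies.example")]


def is_blocked(url, patterns):
    """True if any pattern matches the URL (case-insensitive search)."""
    return any(re.search(p, url, re.IGNORECASE) for p in patterns)


def audit(patterns, should_block=SHOULD_BLOCK, should_allow=SHOULD_ALLOW):
    """Return URLs the patterns miss and URLs they block by mistake."""
    for p in patterns:
        re.compile(p)  # raises re.error early on an invalid pattern
    return {
        "missed": [u for u in should_block if not is_blocked(u, patterns)],
        "overblocked": [u for u in should_allow if is_blocked(u, patterns)],
    }


if __name__ == "__main__":
    for name, rules in (("broad", BROAD), ("anchored", ANCHORED)):
        print(name, audit(rules))
```

The broad keyword rules block every test URL, including the three legitimate ones, because "bet" also occurs in "alphabet", "diabetes" and a query string; the anchored rules block only the intended hosts.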

Case 12: Managing Privilege Elevation Requests Using ITSM Solutions

Manage admin access requests using your ticketing system by integrating your ITSM solution with EPM and routing all requests to your IT helpdesk software

The IT helpdesk team might prefer having a unified dashboard to manage all the requests they get. Having multiple point solutions to manage can be cumbersome, and some time-sensitive and important requests might get overlooked.

All privilege elevation requests and application access requests raised by users on their machines can be forwarded to your service desk application/ticketing system. Securden Endpoint Privilege Manager integrates with Jira, Zendesk, ServiceNow, SolarWinds, GLPI, ManageEngine ServiceDesk Plus, and Freshdesk out-of-the-box.

You can connect your ITSM solutions with Securden EPM and receive all privilege elevation and application access requests as tickets in your service desk application.

The helpdesk admin or designated approver can approve or reject the request directly from the ticketing system. The permissions will be granted or denied accordingly.

Case 13: Blocking USB and Removable Storage Devices

Prevent malware and data theft caused by usage of unauthorized removable media on user endpoints by blocking the USB port

Restricting users from plugging in unauthorized removable storage devices (pendrives) on their endpoints has a multitude of benefits. It helps:

  • Prevent malware introduction
  • Prevent exfiltration of sensitive data
  • Prevent users from bypassing security measures

USB drives are notoriously used to run portable applications, infiltrate air-gapped systems, and propagate ransomware on offline devices.

Blocking the USB port on endpoints can help reduce these risks. Securden Endpoint Privilege Manager addresses this use case by disabling USB ports on endpoints in a single click. Once the agents are deployed on endpoints, the USB port can be disabled and enabled as and when required.


Case 14: Restricting Script Execution

Define and control which scripts can be executed with or without admin rights on user endpoints through granular script execution policies

In modern environments, attackers increasingly use scripts rather than traditional malware because scripts are trusted, flexible, and often ignored by users.

Intruders now leverage tools like PowerShell, batch scripts (.bat), VBScript (.vbs), Python (.py), JavaScript, and shell commands to download malware, disable security tools like EDR, steal credentials, move laterally, and create backdoors to ensure persistence.

  • Attackers resort to methods like living off the land (LOTL) attacks by abusing existing and trusted applications like PowerShell, WMI, cscript/wscript, rundll32, and Python interpreters on endpoints.
  • Using scripts, anyone can alter system configurations, edit the registry, create services, install malicious/vulnerable drivers, create firewall exceptions, and create scheduled tasks.
  • Ransomware and malware attacks often start with script execution that downloads payloads, disables backups, stops security services, and encrypts files.

However, most IT automation workflows depend on scripts. Internal teams use scripts for software deployment, system configuration, user provisioning, and routine maintenance tasks.

Script execution policies in Securden Endpoint Privilege Manager help you control which scripts can be run by specific users on their machines. You can also enforce the principle of least privilege for script execution.

Enforcing least privilege on script execution means ensuring scripts run with only the minimum permissions required instead of inheriting full user or administrator rights. This reduces the risk of malware execution, credential abuse, lateral movement, and unauthorized system changes.

Case 15: Enforcing Multi-Factor Authentication for Privilege Elevation

Verify identity through multi-factor authentication before allowing privilege elevation through policies and request-release workflow

In the era of remote work and hybrid environments, with the risk of device theft, identity misuse, session hijacking, and insecure home networks, verifying the user's identity before granting admin rights or application elevation privileges is important.

In case of field workers where you cannot ensure the right person is sitting behind the screen, enforcing an additional trust layer through MFA is recommended.

Multi-factor authentication helps ensure that

  • The right person is operating the endpoint
  • The privilege elevation is intentional

With the incidence of credential-based attacks on the rise, verifying identity through password-based authentication is risky and often not enough.

Using Securden Endpoint Privilege Manager, you can enforce multi-factor authentication for privilege elevation.

Every time a user tries to elevate privilege using policy-granted permissions or through the self-service portal, the Securden agent promptly enforces an additional layer of authentication. Securden currently supports OTPs, push notifications, and authenticator apps as MFA methods.


Case 16: Allowing Software Upgrades for Standard Users

Allow auto-upgrades for applications by creating privilege elevation policies for updater files of specific applications

Removing admin rights from endpoints can interrupt auto-updates for certain applications. Organizations fear that they might be running older versions of software having known vulnerabilities.

Using the policy engine in Securden Endpoint Privilege Manager, you can ensure trusted applications can automatically update when required.

To allow auto-updates for trusted applications,

  • Add the updater executable to the application repository.
  • Create a privilege elevation policy for this executable.
  • Select the computers and users for whom this policy is applicable.
  • Enforce the policy by saving the changes.

Now, the updater will be able to run with admin rights, and the application will be automatically updated without any hiccups.
