Use cases on managing administrator privileges and controlling applications on endpoints

Securden Endpoint Privilege Manager helps enforce the least privilege across the organization by removing administrator rights on endpoints. It helps standard users use/run the applications that would normally require administrator rights. The following are some typical use case scenarios.

Case 1: Application Elevation

Enabling standard users to run specific applications that would normally require administrator rights

Assume that a user in your department would usually run a list of applications and processes requiring administrator rights to install, run, and update. When local administrator rights are removed, and the user is made a standard user, the applications cannot be run.

Securden enables the user (with just standard user rights) to run all those applications without any hassles.

Securden administrator can create a policy marking the list of applications as trusted and permit the user to run those applications on a specific computer or multiple computers. The Securden agent installed on the end-user machine elevates the applications for that standard user.

The user can use/run the applications in one of four ways:

  1. Double-clicking the Application (Users with admin privileges can double-click and directly open the application.) Users who do not have admin privileges will be given the option to request access - either to a specific application, or temporary full admin access.
  2. Clicking Run as Administrator (This opens up the UAC prompt, and a Securden dialog will pop up alongside the UAC prompt.
  3. From the Context Menu (Right-click the application and ‘Run with Securden privilege’) Using this dialog, users can elevate privileges.) This lets users run the selected application based on control policies defined by the administrator.
  4. Using Run Command (Command Prompt with prefixing the word ‘secudo’)
    The elevation of privileges is based on the control policies in place. If a policy does not exist for the application, the user can place a privilege elevation request and access the application on approval.
    While local administrator rights stand removed, user experience is not compromised, and productivity is not impacted.
Run with Securden Privilege Secudo
WPM Approval Status Request for Application Approval

Case 2: Installing/Running New Applications

Allowing standard users to install/run new applications that require administrator privileges

Business needs might demand users to install new applications on their systems. For example, a developer (with standard user rights) might be required to install a remote meeting application. In the absence of administrator privileges, the user will not be able to install and run the application.

Securden provides a self-service portal using which users can raise a request for permission to run the new application. They will have to specify a reason justifying the need for permission. Securden administrators will review the request and will either add the new application to the trusted applications list or grant one-time permission to install/use the application depending on the specific circumstances and organizational requirements. All these activities follow a well-defined workflow.

Once the Securden agent is deployed on endpoints, the Securden tray icon would be visible on all endpoints and servers.

Security Tray Icon

Users will have to click the tray icon and select the option ‘Request Admin Access’ to raise a request to access a specific application.

They need to browse and select the application that is to be installed/run with admin privilege. After submission, the administrator will review the request and grant approval. There are provisions to configure automatic approvals whenever required. In such cases, the users will get instant approvals for their requests.

Case 3: Fully Controlled, Temporary Administrator Access

Granting time-limited, fully controlled and comprehensively audited temporary administrator access to standard users

Quite often, certain users might have to carry out multiple tasks that require broader administrative privileges. Granting uncontrolled, unmonitored full administrator access will defeat the principle of least privileges.

Securden offers a robust way to handle this critical requirement. Users can raise a request for administrator rights for a short time. They will have to provide a reason to justify access needs. Securden administrators will review the request and grant time-limited administrator privileges for the user.

The standard user will be able to perform all tasks that require administrator privileges, but everything will happen under full controls and audits. At the end of the approved usage period, the temporary administrator privilege will be automatically revoked. All processes and applications elevated during that period will be terminated. All activities done by the user are captured as audit trails.

There are options to request approval well in advance to carry out planned tasks. For certain users, automatic approvals can be configured.

EPM Approval
Requested Admin Privilege

Case 4: Policy Based Application Control

Define and control which applications can be run by end-users. Prevent users from running unapproved or malicious applications

When users possess local administrator privileges, they tend to install unapproved software for personal use. Such software could be malicious and open the doors for hackers. The endpoint may be compromised and attackers can move laterally across the network.

Securden Endpoint Privilege Manager removes local administrator rights from endpoints, thus preventing users from installing or using unapproved software.

While removing local administrator rights prevents the use of unapproved software, Securden ensures that the user experience and productivity are not affected. Administrators can define policies that enable standard users to run the applications needed for their work absolutely without any hassles.

Case 5: Offline Scenarios

Ensuring the least privilege and application controls even when the endpoint is offline

Users might often work from home, be on the field, move out of the office LAN, or not be connected to the internet. If local administrator rights are removed without taking care of these scenarios, it will lead to frustration for the end-users and result in productivity loss.

Securden handles offline scenarios in such a way that the least privileges are enforced, just like in online scenarios.

The application control policies created by the administrators are cached by the Securden agent in the endpoints. In offline scenarios, the agent takes care of enforcing the recently cached policy. Users will not face any difficulty in running the required applications.

Scenario 1: Application control policies have been created for the required applications

The Securden agent in the endpoints caches the application control policies created by the administrators. In offline scenarios, the agent enforces the recently cached policy. Users will not face any difficulty in running the whitelisted applications. At the same time, the blacklisted applications will not be accessible by the user at any cost.

Scenario 2: No application control policies have been created for the required applications

If the endpoint is offline, and the user needs to run an application that has not been whitelisted or blacklisted using a control policy, they can use the offline access codes feature.

Administrators can allow users to generate a specified number of offline codes when they are connected to the server and store them for future use. When the user is offline and needs to elevate an application, they can use one of the generated codes and elevate privileges.

Alternatively, the administrator can generate an offline code specific to an endpoint and share it with the user when required.

Scenario 3: The user needs to elevate multiple applications while offline

If the endpoint is offline, and the user needs to run/install multiple applications that are not whitelisted using an application control policy, the user can use an offline code to gain temporary full admin access. Administrators can choose to not allow end users to use offline access codes to gain full administrator privileges.

All activities performed while offline will be audited by the agent locally. Once connectivity is re-established with the endpoint privilege management server, the activities will be populated in the audit trails.This ensures that users are held accountable for their actions, even when out of network connectivity.

Securden Appplication Policies Securden Appplication Policies
Local Administrator Account Report

Case 6: Visibility on Administrator Rights

Enabling enterprises to readily know who all have administrator rights across the enterprise

When enforcing least privilege across the enterprise, it is necessary to have visibility on the list of computers where local administrator accounts are present. Sometimes, new computers may be added with administrator accounts or even new administrator accounts may be created on existing computers. It is necessary to have complete visibility on this.

Securden identifies and tracks the list of users and groups that are part of the local admin group on computers in the domain and presents a report providing complete visibility.

Case 7: Compliance Mandates

Demonstrate compliance to IT and industry regulations that mandate least privilege enforcement

Regulations such as PCI-DSS, SOX, HIPAA, NIST, ISO, GDPR, NERC-CIP, and others lay stress on the enforcement of the principle of least privilege across the organization to prevent intentional or unintentional damages to sensitive corporate IT infrastructure.

Securden removes local administrator rights across endpoints and servers and enforces strict controls on application usage, thereby preventing attacks by malware.

Securden provides a report on the least privilege enforcement scenario, which helps organizations demonstrate compliance during audits.

Securden Activity Reports

Case 8: Elevating Windows Control Panel Items

Elevation of Windows applications like control panel items and other system programs

Users may need to make changes to windows control panel items, system programs, and configurations - something as simple as changing date and time configurations on a user system. This could be vital to the user for carrying out tasks on their machine.

You can allow the elevation of such Windows system programs. The windows items should be added in Securden with their unique class ID attribute, which helps the Securden agent to identify the item and manage its privileges.

Users can request access to modify/run such items. These panel items can be added as applications.

Example: Allow users to change the IP address of a network adapter

To elevate the users to perform this task – they would need elevated access to the Windows item that relates to network connections. This unique attribute can be added as an application and users can be given access to it. This allows them to change the IP address of the network adapter.

Securden Activity Reports