Deployment Phase
The deployment phase of Securden Endpoint Privilege Manager involves onboarding users and computers, deploying Securden agents on endpoints, creating control policies to automate privilege elevation, and removing admin rights from endpoints. Ensure you follow the checklist below.
Backend Database Server
| Step | Description |
|---|---|
| Choose backend database server (PostgreSQL or MS SQL) | Decide whether to use PostgreSQL or MS SQL as the backend database server for the Endpoint Privilege Manager. You can make use of the bundled PostgreSQL database when starting out and migrate to MS SQL whenever you want. While both options are supported and highly scalable, deciding early on will eliminate unnecessary migration later. |
Mandatory Settings
| Step | Description |
|---|---|
| Encryption Key | When you apply the registered license key, you will be prompted to move the installation encryption key to a location other than the installation folder. This is to ensure that the encrypted data and the encryption key are not kept together. Follow the instructions on the interface to complete this step. |
| Mail Server Settings | Securden Endpoint Privilege Manager sends various emails to users and admins. To facilitate this, the mail server settings must be configured. You can choose between using OAuth or basic authentication for this purpose. If you choose to proceed with OAuth, Securden readily integrates with Outlook and Gmail. Navigate to Admin >> General >> Mail Server Settings to configure this. |
| Proxy Server Settings | If your organization makes use of a proxy server to regulate internet traffic, configure the proxy server details here to allow Securden to connect to the internet. Navigate to Admin >> General >> Proxy Server Settings in the GUI to perform this step. Internet connectivity is required if you want to use the Secure Remote Assist capability. |
| Server Connectivity Settings | This setting is to specify how the Agents connect to the Securden web interface from endpoints and the name with which the client machines identify the Securden server host. Navigate to Admin >> General >> Securden Server Connectivity in the GUI to perform this step. |
Computer Onboarding and Management
| Step | Description |
|---|---|
| Integration with Directories | You can integrate with Active Directory, Entra ID, and Google Workspace for onboarding your computers and computer groups. You can keep the groups in Securden in continuous synchronization with your directories. |
| Deploying the Securden Agent | You can deploy the Securden Agent on endpoints through one of the following methods: direct installation; GPO, SCCM; Intune, PDQ. Once installed, the Securden Agent will automatically fetch the device details and display them on your Computers tab. |
| Agent Mode | Set the agent mode to ‘Learning’ by navigating to Computers -> Actions -> Switch Agent Mode. The agent will observe user behavior and provide insights for streamlined policy creation. |
| Assigning Device Owners | Go to Admin -> Configurations and set the option named Discovery of Device Owners to Discover Device Owners. You can exercise options that grant automatic approval to requests raised by device owners to reduce IT helpdesk burden. |
User Onboarding and Management
After the agent has been deployed to endpoints, it will fetch the local user accounts from the endpoints automatically. You can add domain users or add native users for accessing the EPM web interface.
| Step | Description |
|---|---|
| Onboarding Domain Users | Once you have integrated with Active Directory or Microsoft Entra ID, you can onboard domain users into Securden by navigating to Users -> Add. |
| Assigning Roles to Users | Onboarded users must have clearly demarcated responsibilities and associated permissions within the Endpoint Privilege Manager. You can assign roles from Users -> Actions -> Change Role. You can choose from the default roles or create custom roles with specific powers. Go to Admin -> Custom User Role to create new user roles. |
| Delete the default Securden Administrator account | By default, the EPM comes with a built-in administrator account. You may replace that account with a locally created administrator account of your own. Use this account for emergency access scenarios. |
| Enforce Two-factor Authentication | You can enforce two-factor authentication for users to log in to the Securden interface and for elevating privileges. You can configure 2FA by navigating to Admin -> Two Factor Authentication. You can navigate to Admin -> Configurations and enforce MFA for elevating privileges. |
| Configure SSO | You can integrate with SAML-compliant solutions to provide an SSO experience to users when they try to log in to Securden. Navigate to Admin -> SAML SSO to configure single sign-on. |
Privilege Management and Application Control
| Step | Description |
|---|---|
| Application Repository | Once the Securden agent is installed on endpoints, the agent will observe the apps being run with admin rights and import them into Securden. You can find the list of apps discovered by the agent along with a set of built-in apps in the Applications Tab. You can manually add apps by defining attributes like file name, publisher details, file path, or a combination of attributes. These attributes are used by the agent to identify the application during privilege elevation. So, it is recommended to be very accurate when defining them. |
| Policies for Privilege Elevation | You can create policies that allow specific users to elevate specific apps automatically. Ensure that you create policies to address all routine requirements of all teams to avoid a pile of requests and helpdesk tickets requesting admin rights. You can explore the built-in policies that grant teams permission to elevate the apps they need to run as admin. |
| Approval Workflow for On Demand Privileges | You can enforce multiple levels of approval for gaining privileges. Ensure you designate specific approvers for teams to delegate the responsibility and reduce helpdesk burden. |
| Application Control | You can create application allowlists and blocklists to control which applications users and user groups can run. These policies don’t grant admin privileges to users, even for specific apps. The apps will run with the same privileges as the user. |
| Automatic Approval Policies | You can configure automatic approvals for requests raised by certain users/groups or for device owners alone. You can use these policies for developers and similar users who need to install and run apps/scripts with admin rights to accomplish their tasks and fulfill their duties. |
| Technician Access Policies | Ensure you have created policies for your technicians to help them provide troubleshooting and technician support securely without using admin account credentials. Allow technicians to sign up using standard user accounts and elevate specific applications/files when required using the Securden Agent. |
Integrations
| Step | Description |
|---|---|
| Ticketing System and ITSM | Securden tightly integrates with ITSM solutions to support approval/rejection of requests directly from the Ticketing System. Navigate to Admin -> Integrations -> Ticketing Systems and ITSM to configure this. |
| SIEM for Centralized Monitoring | You can integrate Securden with SIEM solutions and send syslog data for centralized monitoring. Navigate to Admin -> Integrations -> Syslog for SIEM to configure this. |
Miscellaneous
| Step | Description |
|---|---|
| Notifications | You can enable alerts for specific Windows events by navigating to Admin -> Notify Windows Events and checking all the events that should trigger an alert when they occur. For example, you can configure alerts when a new admin account is created on endpoints during temporary admin access. Similarly, you can configure alerts for events within the Securden interface. You can explore this further using the options available under Admin -> Notifications. |
| Redundancy Measures | You can configure periodic backups of the Securden database and configure high availability servers from Admin -> High Availability to ensure that least privilege is enforced even in unforeseen circumstances. |
| API Access to Securden | You can make use of API tokens for programmatic access to the Endpoint Privilege Manager. You can use these APIs to fetch and manage active requests, manage applications, manage policies, and much more. |
| Customizing the Web Interface | You can change the language of the web interface, switch the Securden logo with your own, customize email templates, and choose the theme of the interface, among other options. You can explore these from Admin -> Customization. |