Use cases on managing administrator privileges and controlling applications on endpoints

Securden Windows Privilege Manager helps enforce least privilege across the organization by removing administrator rights on endpoints. It lets standard users run the applications that would normally require administrator rights. The following are some typical use case scenarios.

Case 1: Application Elevation

Enabling standard users to run specific applications that would normally require administrator rights

Assume that a user in your department regularly runs a set of applications and processes that require administrator rights to install, run, and update. When local administrator rights are removed and the user is made a standard user, those applications can no longer be run.

Securden enables the user (with just standard user rights) to run all those applications without any hassles.

A Securden administrator can create a policy marking the list of applications as trusted and permit the user to run those applications on a specific computer or multiple computers. The Securden agent installed on the end-user machine takes care of elevating the applications for that standard user.

The user can run the applications in one of three ways:

  • Context Menu (Right-click the application and select ‘Run with Securden privilege’)
  • Using the Run Command (in Command Prompt, prefixing the command with the word ‘secudo’)
  • Double-clicking the Application (This option is available only if the administrator has decided to allow it)

While local administrator rights stand removed, user experience is not compromised and productivity is not impacted.

Case 2: Installing/Running New Applications

Allowing standard users to install/run new applications that require administrator privileges

Business needs might require users to install new applications on their systems. For example, a developer (with standard user rights) might be required to install a remote meeting application. In the absence of administrator privileges, the user will not be able to install and run the application.

Securden provides a self-service portal through which users can raise a request for permission to run the new application. They have to specify a reason justifying the need for permission. Securden administrators review the request and either add the new application to the trusted applications list or grant one-time permission to install/use the application, depending on the specific circumstances and organizational requirements. All these activities follow a well-defined workflow.

Once the Securden agent is deployed on endpoints, the Securden tray icon is visible on all endpoints and servers.

Users have to click the tray icon and select the option ‘Request Admin Access’ to raise a request to access a specific application.

They need to browse and select the application that is to be installed/run with admin privilege. After submission, the administrator will review the request and grant approval. There are provisions to configure automatic approvals whenever required. In such cases, the users will get instant approvals for their requests.

Case 3: Fully Controlled, Temporary Administrator Access

Granting time-limited, fully controlled and comprehensively audited temporary administrator access to standard users

Quite often, certain users might have to carry out multiple tasks that require broader administrative privileges. Granting uncontrolled, unmonitored full administrator access defeats the principle of least privilege.

Securden offers a robust way to handle this critical requirement. Users can raise a request for administrator rights for a short time. They have to provide a reason to justify the access need. Securden administrators review the request and grant time-limited administrator privileges to the user.

The standard user will be able to perform all tasks that require administrator privileges, but everything happens under full control and audit. At the end of the approved usage period, the temporary administrator privilege is automatically revoked. All processes and applications elevated during that period are terminated. All activities done by the user are captured as audit trails.

There are options to request approval well in advance to carry out planned tasks. For certain users, automatic approvals can be configured.

Case 4: Application Control

Define and control which applications can be run by end-users. Prevent users from running unapproved or malicious applications.

When users possess local administrator privileges, they tend to install unapproved software for personal use. Such software could be malicious and open the door to attackers. The endpoint may be compromised, and attackers can then move laterally across the network.

Securden Windows Privilege Manager removes local administrator rights from endpoints, thus preventing users from installing or using unapproved software.

While removing local administrator rights prevents the use of unapproved software, Securden ensures that the user experience and productivity are not affected. Administrators can define policies that enable standard users to run the applications needed for their work without any hassles.

Case 5: Offline Scenarios

Ensuring least privilege and application controls even when the endpoint is offline

Users might often be working from home, moving out of the LAN, or not connected to the internet. If local administrator rights are removed without taking care of these scenarios, it will lead to frustration for the end-users and result in productivity loss.

Securden handles offline scenarios in such a way that least privilege is enforced just as in online scenarios.

The application control policies created by the administrators are cached by the Securden agent on the endpoints. In offline scenarios, the agent enforces the most recently cached policy. Users will not face any difficulty in running the required applications.

Case 6: Visibility on Administrator Rights

Enabling enterprises to readily know who has administrator rights across the enterprise

When enforcing least privilege across the enterprise, it is necessary to have visibility on the list of computers where local administrator accounts are present. Sometimes, new computers may be added with administrator accounts, or new administrator accounts may be created on existing computers. It is necessary to have complete visibility on this.

Securden identifies and tracks the list of users and groups that are part of the local admin group on computers in the domain and presents a report providing complete visibility.
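
The kind of check behind such a report can be sketched with built-in Windows cmdlets. The following is an added example, not Securden's code or how the product works: it lists the members of the local Administrators group on one computer and flags any that are not on an approved list. The function name `Get-LocalAdminDrift` and the `CONTOSO` entries are hypothetical placeholders.

```powershell
# Added example: compare local Administrators membership with an approved list.
# Get-LocalAdminDrift and the CONTOSO names are hypothetical; supply your own baseline.
function Get-LocalAdminDrift {
    param(
        [string[]]$ApprovedAdmins = @(
            'CONTOSO\Domain Admins',              # placeholder domain group
            "$env:COMPUTERNAME\Administrator"     # built-in local account
        )
    )

    try {
        # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators,
        # so the lookup works regardless of the OS display language.
        $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
    }
    catch {
        # Surface enumeration failures instead of silently reporting "no drift".
        Write-Warning "Could not enumerate local Administrators: $($_.Exception.Message)"
        return
    }

    foreach ($m in $members) {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $m.Name
            Type     = $m.ObjectClass       # User or Group
            Source   = $m.PrincipalSource   # Local, ActiveDirectory, ...
            SID      = $m.SID.Value
            # -contains is case-insensitive for strings in PowerShell
            Approved = $ApprovedAdmins -contains $m.Name
        }
    }
}

# Show only memberships that are not in the baseline (new or unexpected admins).
Get-LocalAdminDrift |
    Where-Object { -not $_.Approved } |
    Format-Table Computer, Member, Type, Source -AutoSize
```

Running the same function on a schedule and comparing results over time shows when a new administrator account appears on an existing computer.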

Case 7: Compliance Mandates

Demonstrate compliance with IT and industry regulations that mandate least privilege enforcement

Regulations such as PCI-DSS, SOX, HIPAA, NIST, ISO, GDPR, NERC-CIP, and others stress the enforcement of the principle of least privilege across the organization to prevent intentional or unintentional damage to sensitive corporate IT infrastructure.

Securden removes local administrator rights across endpoints and servers and enforces strict controls on application usage, thereby preventing attacks by malware.

Securden provides a report on the state of least privilege enforcement, which helps organizations demonstrate compliance during audits.