Privilege Management for Windows 22.5 Administration Guide

©2003-2022 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC:8/31/2022


Table of Contents

Privilege Management for Windows Administration
Define User Roles
Implement Least Privilege
Install, Uninstall, and Upgrade Privilege Management for Windows
Requirements
Frequently Asked Questions
Install the Privilege Management Policy Editor
Install Privilege Management for Windows
Upgrade Privilege Management for Windows
Privilege Management Reporting Console
Sign Privilege Management for Windows Settings
Privilege Management for Windows Installation Mode Parameters
Create a PFX File for Use With Privilege Management for Windows
Use MakeCert to Generate Your Certificate
Microsoft Certificate Services
Issue and Distribute the Certificate
Create and Edit Signed Settings
Behavior when Policy Certificate Verification Fails
Manual Deployment of Privilege Management for Windows
Prerequisites
Disable ePO Mode
Launch the Privilege Management Policy Editor
Navigate the Policy Editor
Automatic Save
Policies and Templates
Users
Policies
Edit Group Policy
Privilege Management Settings
Privilege Management for Windows Activity Viewer
Response Code Generator


Templates
Windows QuickStart
Discovery
Server Roles
Trusted App Protection (TAP)
Privilege Management for Windows Policies for Windows
Policy Administration
Workstyles
Create Workstyles
Workstyle Summary
Application Rules
Power Rules
Manage Scripts
On-Demand Application Rules
Content Rules
Built-in Groups
Trusted Application DLL Protection
General Rules
Filters
Account Filters
Computer Filters
Time Range Filters
Expiry Filter
WMI (Windows Management information) Filters
Application Groups
Application Definitions
Insert ActiveX Controls
Insert Batch Files
Insert COM Classes
Insert Control Panel Applets
Insert Executables
Insert Installer Packages
Insert Privilege Management Policy Editor Snap-ins


Insert PowerShell Scripts
Insert Registry Settings
Insert Remote PowerShell Commands
Insert Remote PowerShell Scripts
Insert Uninstaller (MSI or EXE)
Insert Windows Services
Insert Windows Store Applications
Insert Windows Scripts
Insert Applications from Templates
Insert Applications from Running Processes
Insert Applications from Events
Content Groups
Messages
Create Messages
Set ActiveX Message Text
Multifactor Authentication using an Identity Provider
Message Name and Description
Message Design
Challenge/Response Authorization
Message Text
Custom Tokens
ServiceNow User Request Integration
Deploy Privilege Management for Windows Policy
Group Policy Management
Standalone Management
PowerShell Management
Webserver Management
Configuration Precedence
Deployment Methods
Audits and Reports
Events
Audit with Custom Scripts
Regular Expressions Syntax


Database Sizing and Resource Consumption
Data Retention Considerations
Database Sizing
Troubleshoot
Resultant Set of Policy
Group Policy Modeling
Group Policy Results
Check Privilege Management for Windows is Installed and Functioning
Check Settings are Deployed
Check Privilege Management for Windows is Licensed
Check Workstyle Precedence


Privilege Management for Windows Administration

Privilege Management for Windows combines privilege management and application control technology in a single lightweight agent. This scalable solution allows global organizations to eliminate admin rights across the entire business.

Actionable intelligence is provided by an enterprise class reporting solution with endpoint analysis, dashboards, and trend data for auditing and compliance.

Define User Roles

Before deploying Privilege Management for Windows, you should prepare suitable Workstyles for your users. Implementing least privilege may require Workstyles to be tailored to users' roles.

The table below shows three typical user roles, but we recommend you create roles that are tailored to your environment.

Role: Requirement for Admin Rights

Standard Corporate User: Applications that require admin rights to function, and simple admin tasks.

Laptop User: Flexibility to perform ad hoc admin tasks and install software when away from the corporate network.

Technical User: Complex applications and diagnostic tools, advanced admin tasks, and software installations.

Privilege Management for Windows can cater to all types of users, including the most demanding technical users, such as system administrators and developers.

You should also educate users on what to expect from a least privilege experience, before transferring them to standard user accounts. This ensures they will report any problems encountered during the process of moving to least privilege.

Note: Contact your solution provider or BeyondTrust to gain access to templates that cater to more complex use case scenarios.

Implement Least Privilege

The first step is to identify the applications that require admin privileges for each of the roles you've defined. These can fall into one of three categories:

1. Known Admin Applications: You already have a definitive list of applications that require admin rights to run.

2. Unknown Admin Applications: You are not sure of the applications that require admin rights to run.

3. Flexible Elevation: The user requires flexibility and can't be restricted to a list of applications.

Known Applications

For this category, you should add the relevant applications to the Privilege Management for Windows Application Groups for the users, which automatically elevates these applications when they are launched. You can then remove admin rights from these users.

Unknown Applications

For this category, you have two choices to help you discover the applications that require admin rights:


1. Windows specific: Set up Privilege Management for Windows Workstyles to monitor privileged application behavior. The Privilege Management for Windows audit logs highlight all of the applications that require admin rights to run.

2. Set up Privilege Management for Windows Workstyles to give the user the on-demand elevation facility, and instruct the user to use this facility for any applications that fail to run after you take the user's admin rights away. The Privilege Management for Windows audit logs highlight all the applications that the user has launched with elevated rights.

You can use the audit logs to determine the relevant set of applications you want to give admin rights to for these users.

For more information, please see the following:

- "Workstyle Properties" on page 67
- "On-Demand Application Rules" on page 85
- "Application Rules" on page 73

Flexible Elevation

For this category, you should set up Privilege Management for Windows Workstyles that give the user an on-demand elevation facility, which allows the user to elevate any applications from a standard user account. All elevated applications can be audited, to discourage users from making inappropriate use of this facility.

For more information, please see "On-Demand Application Rules" on page 85.


Install, Uninstall, and Upgrade Privilege Management for Windows

Requirements

For more information about the installation requirements, please see Privilege Management Release Notes at .
