PrivilegeManagementforWindows 22.7 AdministrationGuide - BeyondTrust

Privilege Management for Windows 23.3 Administration Guide

?2003-2023 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC:4/25/2023

PRIVILEGE MANAGEMENT FOR WINDOWS 23.3 ADMINISTRATION GUIDE

Table of Contents

Privilege Management for Windows Administration

11

Define User Roles

11

Implement Least Privilege

11

Known Applications

11

Unknown Applications

11

Flexible Elevation

12

Install, Uninstall, and Upgrade Privilege Management for Windows

13

Requirements

13

Frequently Asked Questions

13

Can I Install the 32-bit Client on a 64-bit Endpoint?

13

Can I Install the 32-bit Privilege Management Policy Editor on a 64-bit Endpoint?

13

Do I Need to Install the Privilege Management for Windows and the Privilege

Management Policy Editor Together?

13

What Distribution Mechanisms Do You Support?

13

What is the Update Priority for Privilege Management GPO Edition?

13

Can Different Versions of the Agent Coexist?

14

Install the Privilege Management Policy Editor

15

Install Privilege Management for Windows

16

Client Packages

16

Unattended Client Deployment

17

Configure an Alternate Event Log Location

17

Set the Event Log Location Using the Installer

18

Change the Event Log Location in Windows Registry

18

Set Up Agent Protection

18

Generate Key Pairs

18

Enable Agent Protection

19

Disable Agent Protection Temporarily on One Endpoint

19

Disable Agent Protection on all Endpoints

20

Agent Protection Utility Usage and Options

20

Upgrade Privilege Management for Windows

22

Use Policy Precedence in a Migration Scenario

22

SALES: contact SUPPORT: support DOCUMENTATION: docs ?2003-2023 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

2 TC: 4/25/2023

PRIVILEGE MANAGEMENT FOR WINDOWS 23.3 ADMINISTRATION GUIDE

Recommended Steps

23

Privilege Management Reporting Console

28

Auditing Report

28

Privilege Monitoring Report

29

Diagnose Connection Problems

30

Sign Privilege Management for Windows Settings

31

Privilege Management for Windows Installation Mode Parameters

31

Create a PFX File for Use With Privilege Management for Windows

33

Use MakeCert to Generate Your Certificate

34

Use Certificate Template in a Certificate Request

34

Microsoft Certificate Services

36

Create a Privilege Management for Windows Configuration Certificate Template

36

Issue and Distribute the Certificate

38

Issue the Certificate

38

Distribute Public Keys

38

Create and Edit Signed Settings

39

Behavior when Policy Certificate Verification Fails

41

Manual Deployment of Privilege Management for Windows

42

Prerequisites

42

Disable ePO Mode

42

Launch the Privilege Management Policy Editor

43

Navigate the Policy Editor

43

Automatic Save

44

Policies and Templates

45

Users

45

Policies

45

Edit Group Policy

45

Privilege Management Settings

46

Create

46

Delete

47

Export

47

Import

47

Import Template

47

SALES: contact SUPPORT: support DOCUMENTATION: docs ?2003-2023 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

3 TC: 4/25/2023

PRIVILEGE MANAGEMENT FOR WINDOWS 23.3 ADMINISTRATION GUIDE

Digitally Sign

47

Save Report

48

Set Challenge/Response Shared Key

48

Show Hidden Groups

48

View

48

License

48

HTML Report

48

Response Code Generator

50

Templates

51

Windows QuickStart

52

Windows QuickStart Policy Summary

54

Windows Workstyles

54

Windows Application Groups

57

Windows Messages

58

Windows Custom Token

58

Customize the Windows QuickStart Policy

58

Discovery

59

Server Roles

60

Trusted App Protection (TAP)

61

Trusted Application Protection Policies Summary

61

Trusted Application Protection Precedence

63

Modify the Trusted Application Protection Policies

63

Trusted Application Protection Reporting

64

Trusted Application Protection Block List

65

Use Advanced Parent Tracking

65

Privilege Management for Windows Policies for Windows

67

Policy Administration

68

Advanced Agent Settings

68

Windows Policy Configuration Precedence

68

Workstyles

70

Workstyle Properties

70

Privilege Monitoring

70

Privilege Monitoring Events

71

SALES: contact SUPPORT: support DOCUMENTATION: docs ?2003-2023 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

4 TC: 4/25/2023

PRIVILEGE MANAGEMENT FOR WINDOWS 23.3 ADMINISTRATION GUIDE

Privilege Monitoring Log Files

71

Create Workstyles

72

Disable/Enable Workstyles

73

Workstyle Precedence

73

Workstyle Summary

74

Overview

74

Application Rules

76

Insert an Application Rule

76

Application Rule Precedence

78

Power Rules

79

Power Rules Additional Guidance

80

Manage Scripts

83

Rule Scripts

83

Manage Rule Scripts

83

Import a Rule Script

84

Add a Settings File

84

Export a Rule Script

85

Delete a Rule Script

85

Audit Scripts

85

Manage Audit Scripts

86

Create an Audit Script

86

Import an Audit Script

86

Export an Audit Script

87

Delete an Audit Script

87

On-Demand Application Rules

88

Enable and Configure On-Demand Integration

88

Windows Modern UI

88

Windows Classic Shell

88

Manage Languages

89

Create an On-Demand Rule

89

Content Rules

92

Insert a Content Rule

92

Built-in Groups

94

SALES: contact SUPPORT: support DOCUMENTATION: docs ?2003-2023 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

5 TC: 4/25/2023

 ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download