You are using an unsupported browser. Please update your browser to the latest version on or before July 31, 2020.
close

08: Least Privilege Manager and SecureRun Implementation Best Practices

Least Privilege Manager is powerful tool to manage local admin rights and elevate only the permissions users need. To reduce the risk of disrupting the user’s ability to work, a little pre-implementation work needs to be completed and tested. The following out-lines the tools we provide to help accomplish that task.

Global Settings

The Global Settings (GS) or Auditing policy, when linked to an endpoint, can be configured to create an Event log entry on the endpoint each time an application is run that needs to be elevated, was elevated, or when it would have been blocked by SecureRun because it is untrusted. These Event log entries can be later analyzed by IT and policies created from these entries. GS does not interact with any applications on the endpoint so it can safely be distributed to as many endpoints as you see fit.

Using Global Settings Policy -> https://kb.policypak.com/kb/article/630-use-discovery-to-know-what-rules-to-make-as-you-transition-from-local-admin-rights/

Using the Global Settings audit events to create LPM Policies -> https://kb.policypak.com/kb/article/1007-auto-create-policy-from-global-audit-event/

Auto Rules Generator

Another option for discovering applications and/or scripts that would be blocked or require elevation is the LPM Auto-Rule Generator Tool. This tool can be found in the PolicyPak ISO/ZIP file within the \PolicyPak Extras\ folder. This utility is run on an endpoint and will analyze the local applications and/or scripts to discover which ones would need to be elevated to run, or be allowed to run through SecureRun. It will create the required allow and elevate policies and it can also create polcies to block applications that would otherwise be automatically allowed.

Using the Auto-Rules Generator Tool -> https://kb.policypak.com/kb/article/177-auto-rules-generator-tool-with-securerun/

Post-installation Options 

It is always best practice to start with a small test group and gradually expand to larger groups and eventually the entire organization as all the 'bugs' are worked out with your policies. However, once you have started your implementation, there are a couple of features below that may be implemented to further ease the transition.

Admin Approval

Instead of an outright denial, the end-user is presented with a request code. When given to an administrator a response code can be created to allow the process to run. This can allow in-frequent or new processes to be run without a specific rule being created -> https://kb.policypak.com/kb/article/191-01-admin-approval-demo/

Self Elevation

Given to trusted users only, this allows the end-user to run applications despite not having a specific policy. You can be specific to whom this is allowed, and for what types of files. As well, each time this is invoked, it is logged in the event log along with the option of requiring the user's justification for running the process -> https://kb.policypak.com/kb/article/194-self-elevate/

  • 1182
  • 03-Feb-2022
  • 268 Views