01: Kill Local Admin Rights (Run applications with Least Privilege)
Don’t run with Local Admin rights. Instead, use PolicyPak Least Privilege Manager to remove local admin rights, and elevate applications only as needed. See this video for a quick demonstration on how to enforce the practice of Least Privilege and get back your endpoint security for Windows machines.
### PPLPM: Run applications without local admin rights
Hi. This is Jeremy Moskowitz, former Group Policy MVP and founder of PolicyPak software. And in this series of videos, I’m going to show you how you can get out of the dirty business of running with local admin rights. Now, the thing is we all have this problem because you’ve got applications. It could be a school app or a business app that, even as a standard user, won’t run unless you make the user a local admin. And that’s terrible news. That’s what we’re going to show you in this first video.
In other videos, I’m going to show you how you can enable users to install applications, like in this case, iTunes won’t install unless they are an admin. I’m going to show you how to get out of that, just to prove a point. iTunes will not install because no admin rights. What about applications? Like, I don’t know, I downloaded this goofy thing off the internet called Note Pad 2 Portable. I don’t know, is it good? Is it evil? Can a user run it? Yes, they can because there’s nothing saying that they can’t run it.
So what I’m going to show you in this series of videos is – the first thing in this video is how to run applications that could be a school or a business app that require UAC prompts. In other videos, I’m going to show you how you can block threats that could be naughty or unknown. And in another video, I’m going to show you how you can provide users the ability to install their own software. So let’s get started.
Like I said, I’m just a standard user. I try to run Process Monitor or some application, this could be a school or business app, that gives the UAC prompt. And what you want to do is leave them with regular standard user rights – and just to prove a point, if I go to – who am I here – I’m just a standard guy, East Sales User 1. You want to leave them with standard user rights, but you want to elevate just this one application.
So here in Group Policy, for all of my East Sales users, I want to do PPLPM for Least Privilege Manager GPO settings or something like that. So we’ll call these “settings” or “rules”. We’ll click “edit”. We’ll dive down under “user side PolicyPak”. Go to “least privilege manager”, right-click, add “new executable policy”. There’s a handful of ways to do this. I’m going to go with the quickest, simplest way. It’s called the simple rule. And I’m going to use the condition called “hash”, which is a fingerprint of the file. I’m saying only let this version of Process Monitor run. And how do you get that version of Process Monitor? Well, I have a copy on my machine here so I’m going to select it as my reference file here. So, “apps to manage” and “Process Monitor” and, boom, now I’ve got the digital fingerprint of the file. I click “next”. My action is run with elevated privileges. There’s some other fancy stuff we could do, but I’m just going to run with elevated privileges, give it a note called “letprocmonrun” and that’s all there is to it. Boom, locked and loaded.
All I’m going to do now is run, as a standard user, run GP Update. Of course, Group Policy would run the next time the user logs on or if they log onto a new machine. All we’re doing, PolicyPak is providing the magic. And you can use Group Policy or if you use another utility like SCCM or Intune or Altiris or something, you can use that to deliver the magic that PolicyPak provides.
Let’s go ahead and close this out. Let’s see, does our application that required UAC rights run now? We’ll double-click it and it sure does. So just like that, we’re able to elevate portions of the operating system and applications. So just to prove a point here, we never said that iTunes was okay so we’re not elevating the whole thing; we’re not suddenly making them admin rights and running with the scissors all the time. They try to go to this UAC prompt and, boom, they don’t get access to that. If they try to go back to say, right-click here, and go to “system”, they are a standard user, try to go to “system protection” here, they don’t get access to that.
The point of the story is, you’re giving them the least privilege rights they need in order to get the job done. And with PolicyPak Least Privilege Manager, we are able to do that. We’re able to block unknown threats, like this Note Pad thing, which I don’t know what the heck it is, and also give users the ability to install applications. And I’ll show you those other things in my next video.
Thanks so much for watching. And if you’re looking to get a trial, just get in touch. Thanks. Talk to you soon.