05: Use PolicyPak Cloud to deploy PP Least Privilege Manager rules

Why would you want people using domain-joined or non-domain-joined machines to have local admin rights? Is this 1998? No. With PolicyPak Cloud and PolicyPak Least Privilege Manager you can remove local admin rights while still ensuring that Standard Users can do the key tasks they need to keep doing their jobs and get into the places in the operating system you need them to reach.

Hi. This is Jeremy Moskowitz. In this video, I’m going to show you how you can take your On-Prem Least Privilege Manager rules, export them, get them into PolicyPak Cloud and deliver that stuff to your non-domain-joined or your domain-joined machines.

So, just to show you my endpoint system here, he is a non-domain-joined computer. He happens to be Enterprise but PolicyPak will work with Enterprise, Home, Pro or Education.

So, let’s go start off life here and the quickest and fastest way to get going with PolicyPak Cloud is to export the stuff you’ve already done. So I’m just going to right-click the stuff I’ve already done and export as XML. Now just save it right to the desktop and I’ll call it “PPLPM-Export1”.

Now, again, I’ve already done things that you’ve seen in other videos. I’ve used SecureRun to put the smack down on malware and I’ve elevated or allowed to run different applications, based on certain conditions. I’m going to let Procmon run with elevated privileges; Camplay run with standard privileges and let iTunes get installed, as needed, with elevated privileges.

So I’ve just exported all that stuff and let’s go right to PolicyPak Cloud. If you’ve never seen PolicyPak Cloud before, it’s just like using the GPMC. It couldn’t be easier. We have special groups, kind of like OUs, where you can create your own categories for things and link XML policies to it. We also have a special group called “All” and I’m going to get started here to make this demo short and sweet.

So, what I’m going to do is click on “All”. I’m going to upload and link a new XML here. We’ve already done the work on-prem; we just exported it ten seconds ago. And I’ll call this “PPLPM: Everyone Gets” – “Everyone gets these 4 rules”. Okay? So, as soon as we join PolicyPak Cloud, everyone’s going to get these four rules instantly.

Let’s go over to our endpoints and we’ll go ahead and install the PolicyPak Cloud client. So, again, admins can do whatever they want and it’s important that an admin installs a PolicyPak Cloud client one time on that endpoint before it goes out the door. That’ll join PolicyPak Cloud and get all the rules that are in the “All” group. And, at that point, you can give that person who owns that computer standard user rights and you don’t have to worry about them running with the scissors all the time.

So, here we go. We’re now joined to PolicyPak Cloud. We’re in what’s called the special “All” group and – well, let’s see if it works. Let me go ahead and log on and “Switch user” and try this out as a standard user. Let’s see if this all worked. Now remember, a standard user couldn’t normally run Procmon. That wouldn’t work because it’s got required elevation rights. Let’s double-click it. What happens? Boom. PolicyPak Cloud has delivered that rule to this standard user.

But what about ransomware? Can a user just double-click on ransomware and be in the doghouse? Well, actually, no – because remember, we’re deploying that PolicyPak Least Privilege Manager SecureRun rule and that’s saying: Don’t allow anything that wasn’t properly installed by you, Mr. Admin. And, if we were to double-click something like NotepadP – never heard of it before. It’s going to get blocked. Or this other thing that we downloaded as a portable app. Nope, that gets shut down too.

What about Camplay? Camplay we know is a good application. Well, we have a rule for that. That rule said: Let Camplay run standard and it sure, in fact, does work. And iTunes – I’m not going to bore you with installing all of iTunes but that rule will come down also. I’ll just wait for this to finish real fast and I’ll hit cancel. But iTunes will install.

Now, let’s talk about some other things. What if they needed to go into Device Manager? Well, a standard user – it says right here: You’re logged in as a standard user and you can only view device settings in Device Manager but you must be logged in as an admin to make changes.

Well, what if I really want that user to get into Device Manager, while they’re on the road, to do things like disable and enable hardware? Well, it’s no problem. You simply create a new rule. Let’s go back over to our management station and we’ll create a new rule. We’ll just make a Control Panel policy that lets them get into Device Manager – here we go – and one click later, we’ve – we’ll go ahead and “Run with elevated privileges”; we’ll call it, “Go for Device Manager” and you just do what you did earlier: Right-click here, “Export as XML”. I’ll save it to the desktop: PPLPM Device Manager A-OK.

And we’ll go back to PolicyPak Cloud and this time, you know what I’m going to do? I’m going to put this in my “Roaming Computers” group. I’m going to upload and link a new XML here and I’m going to browse for the Device Manager A-OK file. So we’ll call this: PPLPM: Device manager A-OK.

So, Device Manager is A-OK here but only for the roaming computers. But gosh, how do I get that computer over to “Roaming Computers”? Well, I’m going to “Add or remove computers from this group”. And I’m going to find my Windows 10 computer that I’m using – there it is, right here – click “Add”. And now, that computer that I’m on over here is now part of the “Roaming Computers” group.

So, just to prove a point, I’m not pulling a fast one on you here. If I were to go again to Device Manager, I don’t have access to all of Device Manager. Okay. But if I were to now run a special command called “ppupdate” or just wait an hour, PolicyPak will automatically pull from PolicyPak Cloud, get the latest directives and we’re ready to go.

So this standard user, ten seconds ago, couldn’t get into Device Manager. Now, with the new rule linked to PolicyPak Cloud – Bingo. They’re in Device Manager. They can now do the things that they need, like disable and enable functionality and so on. It’s as simple as that.

So, to reiterate, it couldn’t be any simpler. You simply create your rules inside the Group Policy Editor, you right-click – Oops! Right-click – export to XML. Once it’s exported to XML, you upload it to PolicyPak Cloud. Once in PolicyPak Cloud, you associate it with a particular group. You just jam computers into the groups that you create and then you wait a little while and magic occurs in your endpoints.

Now you’re out of the dirty, dirty business of giving a standard user – or giving a garden-variety user, rather – on an endpoint, admin rights all the time to do whatever they want. You’re practicing Least Privilege even on your non-domain-joined machines, making that experience for those computers on the road or folks that work from home, as secure as possible but giving them exactly what they need, when they need it.

I hope this helps you out and I look forward to getting you started with PolicyPak Cloud real soon. Thanks!
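The video makes two claims an admin will want to verify on an endpoint after following it: that the person logging on really is a standard user, and that a SecureRun-style rule (“don’t allow anything that wasn’t properly installed by you, Mr. Admin”) would block what a user dropped into their profile. The PowerShell below is an added example, not PolicyPak’s code or an exact model of how Least Privilege Manager evaluates its rules; it assumes that “properly installed by an admin” can be approximated by the file’s NTFS owner being one of the built-in administrative or system principals listed in `$trustedOwners`, and it uses the standard `Get-Acl`, `Get-LocalGroupMember` and `WindowsPrincipal` APIs.

```powershell
# Added example (not PolicyPak's code). Two endpoint checks that match the
# two things the video demonstrates: the user is no longer a local admin,
# and user-downloaded executables would not pass an "installed by an admin" rule.

# Assumption: these owners stand in for "installed by an admin". A binary a
# standard user downloaded is owned by that user, so it is reported as not allowed.
$trustedOwners = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'NT SERVICE\TrustedInstaller'
)

function Test-CurrentUserIsAdmin {
    # True when the current token is in the local Administrators role
    # (after the video's setup this should be False for the day-to-day user).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminReport {
    # Lists who is still in the local Administrators group; anything beyond the
    # break-glass admin account is worth a second look.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Test-AdminInstalledFile {
    param([Parameter(Mandatory)][string]$Path)
    # Owner of the file as "DOMAIN\Name" (e.g. BUILTIN\Administrators)
    $owner = (Get-Acl -LiteralPath $Path).Owner
    [pscustomobject]@{
        Path    = $Path
        Owner   = $owner
        Allowed = ($trustedOwners -contains $owner)
    }
}

function Get-SecureRunStyleAudit {
    param([string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'))
    # Walk the folder and evaluate every executable-type file against the owner rule.
    Get-ChildItem -LiteralPath $Folder -Recurse -File `
        -Include *.exe, *.msi, *.bat, *.cmd, *.ps1 -ErrorAction SilentlyContinue |
        ForEach-Object { Test-AdminInstalledFile -Path $_.FullName }
}

# Usage on the endpoint from the video:
"Current user is local admin: $(Test-CurrentUserIsAdmin)"
Get-LocalAdminReport | Format-Table -AutoSize
# An OS binary installed under the admin/TrustedInstaller context is reported Allowed = True;
# a portable app sitting in Downloads is reported Allowed = False.
Test-AdminInstalledFile -Path (Join-Path $env:SystemRoot 'System32\notepad.exe')
Get-SecureRunStyleAudit | Format-Table -AutoSize
```

Run it once as the standard user after `ppupdate` has pulled the rules: the first line should print `False`, and the audit of the Downloads folder shows exactly the files that an owner-based allow rule would refuse, which is a quick way to confirm the endpoint is in the state the video describes before it goes out the door.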

  • 176
  • 02-Jul-2019