02: Admin Approval setup

Learn how to set up Admin Approval mode.

Least Privilege Manager: admin approval setup

Hi. This is Jeremy Moskowitz. In this video, I’m going to show you how you’re going to set up PolicyPak shared secrets for admin approval mode.

Just to set the stage here, admin approval mode will change the dialog box from a standard dialog to a prompting dialog box that enables you to share a challenge code and a response code from a user out in the field where you don’t have a rule already set in place.

To set this up, it’s really easy to do. We’re going to go and start off by creating a shared secret where your computers are. You can have different secrets for different gaggles of computers. For instance, you’re “East Sales Desktops” can have one shared secret. You’re “East Sales Laptops” can have a shared secret. You can have a different shared secret for your “West Sales Desktops” or your “West Sales Laptops.” For this demonstration, all my computers are hanging out in “East Sales Desktops.”

I’m going to “Create a GPO in this domain, and link it here” here and call this “PP Shared Secret PPLPM Demo 1.” Once you create the GPO and click “Edit” here, the first thing to do is to set up admin approval mode and set a shared secret. This happens on computer side, “PolicyPak/Least Privilege Manager.” Right click, “Add” and select “New Admin Approval Policy.”

When you do, you have a couple things to configure. The first one is to turn it on. This is “Admin Approval State: Enabled.” This is going to actually perform the work. We’re going to do “Secret Key” last. While we’re here, we might as well set up a “Custom message” like “Always call the Fabrikam Help Desk at 800-555-1212.”

This last guy is for “Installers,” and we will detect installers. If we detect that it’s an installer, we will then also show the prompt. I’m going to not set this up right now, but you can set it up if you want to and it will increase the amount of times that a user would see the prompt. I’m not going to do that now.

We’ll go ahead and click on “Secret Key.” Here is where you can either “Derive from Password” you currently have or rather you want to type in a word like hello1 or something like that, and that will produce this “Key.” Or you can “Generate Random.” I’m going to “Generate Random” here, and then I’m going to “Copy” that. Then I have to store this in “Notepad” to then give to people who I’m going to allow to generate these keys.

This is an important secret, and let me show you where it’s stored a couple different ways. If I go ahead and click “OK” here, it’s stored in the GPO. But I want to show you a couple things here, which is that it’s pretty secure. What we’ll do is we’ll go ahead and close this out.

What we’re going to do in order to make it even more secure is remove “Authenticated Users” who could read the contents of the GPO. Even though that secret is not actually stored directly here, it’s encrypted again, I’m going to “Remove” “Authenticated Users” and I’m going to “Add” in a group that contains my computers. I’ve already done this. I’ve got a group called my “Sales Desktops.” My “Sales Desktops” contain “Members” and those members are computers. So we’re saying that only computers can read the secret.

If I were to go into it as a standard user and try to read the secret, I won’t be allowed to. I’ll prove that right here. If I go to “\dc2016SYSVOL,” domain name, “Policies,” the last modified policy is the one that would contain the secret here. Let me go ahead and double click it. See? I’m not able to get in as a standard user. Only the computer can read that shared secret. The user can’t read that shared secret. Even if he did, it’s encrypted and he can’t do anything with it anyway. But this is just kind of an extra special suggestion.

Now that we’ve established a shared secret, that’s all there is to it. We’ll go over to our endpoint. We’ll go ahead and run GP Update (“gpupdate”) here and give this a minute to finish up, and then we’ll see what happens. All right, now that that’s done, we’ll close this out and let’s see if it works.

For “PowerPointViewer,” if we were to just double click it, it has the shield icon, we’ve got the “Request Code” here. Wait a second. We never set up the admin part. What we’ll do is we’ll go back over here and we’ll set up the actual admin part.

Here under “PolicyPak Extras” is the “PolicyPak LPM Admin Approval Tool.” When you set it up the very first time, it’s going to ask you for your “Secret Key.” Remember, we stored it in “Notepad.” We’ll go ahead and take the item here that we’ve got, the secret. We’ll store it here. We’ll also encrypt it with a “Password” which we’ll store here.

You can also “Save Secret Key in Registry” or not if you want to, but it’s “Encrypted Securely.” You can also say even after I get back into the tool, I never want to be able to the secret key ever again (“Forbidden to view secret key from previous version”). That gives you an additional level of security if you want to do that. I’m not going to do that. I’ll go ahead and “Create.”

All right, so now I’m storing that, and the “Admin Approval Tool” is ready to go. In fact, the next time you run the Admin Approval Tool, you don’t get prompted for that first time stuff. So watch this. I’m going to go ahead and say goodbye to the key. That’s it. I know I’m good. I’m ready to go because now it’s stored encrypted in the registry. Now I can just type in my “Password” here and “Load” it up, and now I’m ready to rock and accept a “Request Code.”

So let’s go back as the user. The user has already run a program that requires a “Request Code.” They read it to you over the phone. You then type it in here. You can then specify the “Reason.” You can specify how many “Uses.” You can specify when it “Expires.”

Then you read the “Response Code” to them over the phone, and they type it in “Response Code.” By the way, here’s the “Additional Info” message here: “Always call the Fabrikam Help Desk at 800-555-1212.” We’ll go ahead and click “OK.”

That’s it. You’ve set up admin approval mode. It’s very, very simple to do. It only took me a couple minutes to get it started, and you’re off to the races. We have a little bit more about admin approval mode in the manual, but this gets you set up about 95% of the way.

With that in mind, if you’re ready to get started, we’re here to help.

Thanks so very much, and we’ll talk to you soon.

  • 192
  • 02-Jul-2019