PowerBroker for Windows: Privilege and Session Management
Manage privileges and control applications on physical and virtual Microsoft® Windows desktops and servers, speeding least-privilege enforcement across all Windows assets.
Least-Privilege Management for Windows Servers and Desktops
PowerBroker for Windows is a simple, fast and flexible solution for least-privilege management and application control on physical and virtual Microsoft Windows desktops and servers. It enables you to enforce least-privilege policies by removing administrator privileges from users, enforcing Standard User permissions, maintaining application access control, and logging privileged activities. As a result, your organization is protected against internal and external threats, including accidental or intentional misuse of privileged access.
- Rely on patented technology that elevates privileges on an as-needed basis, without exposing passwords or hampering productivity
- Enforce least-privilege access based on an application’s known vulnerabilities via patented Vulnerability-Based Application Management capabilities
- Demonstrate compliance and share progress towards meeting audit and compliance goals
- Monitor event logs and file integrity for unauthorized changes to key files and directories
- Capture keystrokes and screens when rules are triggered, with searchable playback for complete documentation of privileged activity
"PowerBroker for Windows provides a solution that is transparent to users and gives them the ability to do their jobs safely, without administrator rights."Keith Lee, End User Support Manager
Care New England
- LEAST-PRIVILEGE MADE SIMPLE
- Eliminate the intentional, accidental and indirect misuse of privileges on physical and virtual Microsoft Windows desktops and servers. Block prohibited applications from running and gaining access to Windows assets.
- VULNERABILITY-BASED APPLICATION MANAGEMENT (VBAM)
- Leverage patented technology to automatically scan applications for vulnerabilities at run time – triggering alerts, reducing application privileges, or preventing launch altogether based on agency or department policy.
- ACTIVITY MONITORING FOR ACCOUNTABILITY
- Ensure accountability with included Windows Event Log monitoring. Add optional session monitoring and file integrity monitoring for comprehensive auditing, reporting and change control across all privileged activity.
- ADVANCED ANALYTICS AND REPORTING
- Gain unmatched visibility into Windows user activity with centralized analytics and reporting for executives, auditors, security and operational teams.
LEAST-PRIVILEGE FOR WINDOWS DESKTOPS AND SERVERS
- Eliminate administrator rights: Prevent intentional, accidental, and indirect misuse of privileges on Windows assets.
- Block malicious activity: Enforce restrictions on software installation, usage, and OS configuration changes.
- Ensure compliance: Meet internal and external compliance needs by enforcing least-privilege and monitoring privileged activities.
- Ensure productivity: Default all users to standard privileges, while enabling elevated privileges for specific applications and tasks without requiring administrative credentials.
- Protect file systems: Add optional file integrity monitoring to identify, and even deny, unauthorized changes.
- Record sessions: Add optional session monitoring to capture screens of privileged user activity with keystroke logging to document all privileged changes to an asset.
GRANULAR APPLICATION RISK MANAGEMENT
- Control application usage: Blacklist hacking tools, whitelist approved applications, and greylist applications based on rules to keep systems safe.
- Allow Admin where needed: Proactively identify applications and tasks that require administrator privileges – and automatically generate rules for privilege elevation.
- Leverage Vulnerability-Based Application Management: Scan applications at runtime for vulnerabilities and allow, deny or alter privileges based on regulatory violations, vulnerability severity, and/or vulnerability age – based on the award-winning Retina vulnerability database.
- Simplify application management: Rules-based approach eliminates the need to manage complex whitelists with thousands of signatures for complete application control.
- Pinpoint suspicious activity: Monitor Windows Event Logs for anomalies and analyze through BeyondInsight Behavioral Analytics.
- Maintain awareness: Monitor UAC events, application rules, requested elevations, denied applications, and more.
- Ensure accountability: Add optional session monitoring for rules-based activity recording, including screenshots and searchable keystroke logs.
- Understand and communicate risk: Leverage an interactive, roles-based reporting and analytics console, backed by a centralized data warehouse for ongoing audits of privilege management activities.
BUILT FOR EFFICIENCY
- Gain control over all accounts: Automatically discover and profile all Windows accounts, and quickly bring them under centralized management.
- Ease policy creation and management: Set policies via Active Directory Group Policy or BeyondInsight Web Services, with support for air-gapped systems and non-domain assets.
- Ensure adoption and usability: Provide a modern, easy-to-use interface for end-users, plus an innovative dashboard for solution owners.
- Reduce help desk costs: Lower support costs by 40% or more by removing Admin without raising barriers to end-user productivity.
PowerBroker for Windows
Download this overview document containing capabilities, highlights and competitive advantages of our PowerBroker for Windows privilege and session management solution for Microsoft Windows. PowerBroker for Windows is a simple, fast and flexible solution for privilege management and application control on physical and virtual Microsoft® Windows desktops and servers, helping administrators protect against both internal and external threats, including the accidental or intentional misuse of privileged access.
PowerBroker for Windows 6.6 New and Updated Features
PowerBroker for Windows version 6.6 adds several new features that add business context to security exposures and make it easy to understand, prioritize and communicate privileged access risk within the organization. This document details these features including client localization, tamper protection, IE 11 enhancements and BeyondInsight reporting.
Care New England Selects PowerBroker to Secure their Desktop Infrastructure
This case study describes how Care New England uses PowerBroker for Windows to support over 4,800 desktops and over 10,000 desktop end users, which includes over 250 applications such as Horizon.
Customer Success Story: FFVA Mutual Insurance Company
This specialty insurance provider needed to eliminate the risks to their enterprise caused by allowing users administrative privileges. By selecting PowerBroker for Windows with BeyondInsight, the system vulnerabilities were resolved without affecting employee productivity.
Application Control: The PowerBroker for Windows Difference
Discusses how application control solutions are designed to block the execution of unauthorized applications and how PowerBroker for Windows is the next-generation solution for application control. When integrated with Windows, application privileges are simply controlled with just a few rules.
PowerBroker for Windows: Risk Compliance
BeyondTrust has developed patent-pending technology to fuse the risk of vulnerable applications, application control, regulatory compliance, and least privilege into the next generation of endpoint security solutions. This fusion addresses the concerns of whitelisting vulnerable applications and can match application privileges and runtime operations to regulatory compliance requirements based on abstract and industry standard risk concepts.
Building a Secure and Compliant Windows Desktop
Virtually every organization is being compelled to improve client security. Auditors, regulators and business unit owners all recognize the threat unsecured desktops pose, and understand the need to comply with the myriad of regulatory and governance issues that make today’s headlines.
Challenges of Managing Privileged Access
Discusses the goals and challenges of creating a privileged access management program for your Windows desktops and servers in an enterprise environment. Privileged access is a key issue these days, especially on desktops, for which an over-privileged user can be a weapon of destruction on your internal network if they inadvertently download and install malware.
Achieve True Principle of Least Privilege for Server Administration in Microsoft Environments
As Windows grew to fill roles in larger networks, both the OS and the server products built upon it did not always evolve to include more granular permission structures for administrators. The result has been an industry that, in general, relies on fully-privileged administrator accounts to accomplish even minor administrative tasks. We know it is a poor practice, but what else can we do?
AppLocker and PBWD
AppLocker, which was introduced in Windows 7, provides powerful technology for controlling application execution for enterprises. By implementing AppLocker policy, organizations can better control what applications can install and run on desktops via White Lists and Black Lists, improving security and reducing the risk that malware poses.
From Least Privilege to Best Privilege on your Windows® Desktops
These seemingly incongruous needs often come to a head on the Windows desktop, which is the main entry point for the user into an enterprise network. In this white paper, I’ll examine this age-old struggle and help you understand how you can find the right balance with something I call "Best Privilege."
Goldie Locks and the Three Least Privileged Desktops eBook
Curious about how least privilege applies to you and your organization? Let Goldie Locks show you in this new eBook written by Microsoft MVP Derek Melber. In the story, Goldie Locks plays the role of a recent college graduate, with degrees in marketing and multimedia communications, who is just starting her position in marketing for a mid-sized IT company.
Extending the Value of Group Policy Securely & Effectively
Microsoft Group Policy MVP, Darren Mar-Elia, expertly discusses the capabilities of Group Policy with respect to security configuration, including a number of new features introduced in Windows 7 & Server 2008-R2; how policy gets delivered and the tattooing nature of security settings; the free Microsoft Security Compliance Manager tool and how it can help you define security baselines based on best-practice templates that can be exported to live GPOs; the challenges of using Group Policy as a security compliance solution, including some best practices; and how 3rd parties are leveraging and extending Group Policy as a tool for delivering new Windows security features.
Part of working in IT means you put in your time “on-call.” Companies either don’t realize there is a better way to allow users to maintain administrative access to endpoints, or they remove admin rights from users but don’t account for the resulting operational inefficiencies.
Today, we’re excited to announce new releases of both our Retina vulnerability assessment technology and the BeyondInsight risk management platform. Here’s a brief overview of what’s new in BeyondInsight. With the release of BeyondInsight v5.3, BeyondTrust solutions that come equipped with the centralized BeyondInsight management, analytics and reporting console now benefit from several additional platform...
Application control solutions reduce IT risk by regulating which programs can be launched on desktops, servers and other assets. For instance, application control can help to prevent malware infections and minimize subsequent damage if a malware infection occurs. IT and security leaders have several technology alternatives to consider when seeking to implement application control in their...
When defining and testing PowerBroker for Windows rules for production or pilots, customers sometimes tell us, “I don’t think this policy / program is working.” This is usually a case of the policy not properly triggering because of the way the rule was created. A unique feature of PowerBroker for Windows compared to other solutions is a client-side...
There is a reason all BeyondTrust Privileged Account Management (PAM) solutions share the PowerBroker name: They all inherently enable you to reduce user-based risk and can be integrated under a centralized IT risk management platform. Here’s one common use case that demonstrates how this integration changes the playing field. Consider the challenge of privileged access:...
I have a bone to pick: Stopping an administrator from performing an action on a system is a futile endeavor. As an administrator, there is always a way to circumvent a solution’s tamper protection. Really! By default, Windows administrators have unrestricted access to the system – and even though an application, hardened configuration, or group policy...
BeyondTrust recognizes that international, multilingual businesses have unique operating challenges, especially when it comes to implementing enterprise software. PowerBroker for Windows is a least-privilege solution often deployed across thousands of systems spanning multiple geographies and protecting users of diverse backgrounds. Earlier this year, PowerBroker for Windows introduced new data privacy features for EMEA and APAC,...
Windows doesn’t make least privilege easy. Enforcing least-privilege access policies on Windows has never been easy – especially given that some fundamental flaws have haunted the OS since the mid-1990s. Consider the following permissions issues: Windows 95 and 98 had a logon screen and could even be joined to the domain, but users could bypass the prompt...
Vulnerability management (VM) processes have had to evolve exponentially in recent years. Most of this evolution has occurred in terms of network coverage, as scanners have moved beyond conducting sequential assessments to advanced agent, connector and credentialing technologies. However, most VM applications are still unable to provide meaningful data for prioritizing vulnerabilities in terms of real...
One of the most talked about presentations at Microsoft TechEd was Pass-The-Hash: How Attackers Spread and How to Stop Them by Mark Russinovich and Nathan Ide of Microsoft. This presentation demonstrated how simple it is to collect hashes from one machine and leverage them to compromise the entire infrastructure. The publication of attack techniques and lack...
PowerBroker for Windows is part of the BeyondInsight IT Risk Management Platform, which unifies PowerBroker privileged account management solutions with Retina CS Enterprise Vulnerability Management. Capabilities include:
- Centralized solution management and control via common dashboards
- Asset discovery, profiling and grouping
- Reporting and analytics
- Workflow and ticketing
- Data sharing between Retina and PowerBroker solutions
The result is a fusion of user and asset intelligence that allows IT and security teams to collectively reduce risk across complex environments.
Identifying, prioritizing, remediating, and mitigating computer and network vulnerabilities.
Privileged Account Management
Managing user authorization to prevent internal data breaches and meet compliance regulations.