A Use Case for File Integrity Monitoring within PowerBroker for Windows

Jason Silva, August 22nd, 2013

As most of you are aware, PowerBroker for Windows v6 introduced File Integrity Monitoring (FIM) into the software.  For those of you who did not know this, FIM allows an Admin to specify protections over files/folders so these assets can only be modified by certain users or service accounts.  It also protects against renaming the file, which leads me to the point of this post.

Occasionally a process needs to be elevated that exists in a location your end-users can overwrite.  With a publisher rule this is OK, because if the user changed the process but gave it the same name as what existed, the publisher or hash rule wouldn’t apply.  But often times, files that get put into these locations are not signed, so a publisher rule won’t work, and hash rules can be inconvenient because you have to change them every time the file gets updated for reasons like say, a version change.  So up to now, the necessity is to build a path rule on it.  This means PowerBroker for Windows would elevate the process so long as it was in this path and had ‘this’ as a filename.  The problem here is; If a malicious user wanted to, and they had the rights, they could (as stated above) replace the would be elevated application with something else, give it the same name as what was being elevated and carry out their devious plans.

But, fear not, for we have a solution: Place a FIM policy on the file.  This prevents the user from deleting, replacing, or even renaming the file, but the Privilege Elevation rule still works because they still have Read/Execute rights to it.

So the uneasiness of elevating something like a local script, for instance, where the user has control of what actually gets executed is now removed. This is a unique feature of the PowerBroker for Windows software, and one I know PBUsers will be able to make great use of.

FIMScreenPolicy_1_shadow FIMScreenRename_2_shadow