I know from my experience of deploying privilege management in global organizations that people think it’s going to be hard. Every organization is facing an endpoint security balancing act. On one hand employees, and their endpoints, need to be secure. But on the other hand, many employees require a free and flexible operating environment.

The paradox that exists between these two polar opposites is what organizations most struggle with, and it’s why projects get delayed or avoided. IT and security professionals hear removal of admin rights and allow listing and believe it’s going to be too difficult – but it seriously doesn’t have to be...

Think of security as a sliding scale

Let’s consider zero to be least secure and 10 to be the security ideal. With a simple and smart approach to its deployment, Defendpoint can enable an organization to significantly move up the security scale, quickly and easily, without impeding usability.

If we take a closer look at the security scale, position zero would result in the following:

  1. Everyone is given local administrator privileges
  2. All unknown applications are allowed to run
  3. All unknown content, emails, downloads and the like are able to be opened, with full access to the endpoint
  4. Ransomware and malicious payloads are able to embed deep into the system

At the other end of the scale, position 10 would result in:

  1. Everyone running with standard user privileges
  2. Applications requiring elevated privileges have custom-built privilege tokens applied, granting only the required privileges.
  3. Only approved line-of-business applications are allowed to run and are specifically identified
  4. Unknown and untrusted applications and content are automatically blocked

I see many organizations allowing a significant percentage of their users to log onto their endpoints as local administrators. If you allow this you are effectively at level zero. Corporate policies can be bypassed; security software can be disabled and users can run and install what they like. Removing admin rights can mitigate 94% of vulnerabilities on a Windows endpoint!

Everybody wants to get their security dial turned all the way up to 10 and Defendpoint can get you there. However, it’s important that we make sure the user experience isn’t hindered during this journey. If our desktops are secured to the extent that users can’t do their jobs, there will be resistance and typically the project will fail.

Defendpoint is a turnkey solution

We need to find the right balance between user freedom and security and that’s where Avecto’s expertise with Defendpoint comes in. We’ve used years of experience in policy config to develop an “out of the box” deployment experience with our brand new Quick Start policy. This approach significantly moves your organization up the security scale, getting to a 7 overnight and then working with you on fine-tuning.

We achieve this by:

  1. Enabling all users to run with standard user rights
  2. Automatically detecting applications requiring admin rights and elevating them if they’re safe applications
  3. Automatically approving line-of-business applications
  4. Providing gated access to user-introduced applications that may have a valid business use
  5. Automatically blocking potentially malicious user-introduced applications: users will be asked for varying levels of secure justification based on an application’s risk profile
  6. Empowering the user to self-elevate applications that they need

This allows your end users to continue to work uninterrupted, but with significantly less risk. If the user introduces unknown/untrusted applications, they can be blocked or asked for secure justification.

The Quick Start policy provides three workstyles out of the box: low flexibility, medium flexibility, and high flexibility. These have been developed from our experiences deploying to over 8 million endpoints and are designed to cater to the majority of implementation use cases.

Defendpoint’s enterprise reporting capabilities with trend analysis gather accurate user behavior data, identifying which applications have run with elevated privileges, which are executing from within the user’s profile area, and which applications are being installed. This data allows you to further turn the dial closer to 10, while maintaining a positive end-user experience.

See how Avecto's Quick Start policy can offer you the best time-to-value in privilege management:


For more information on how to achieve admin rights removal in your organization, you can check out my book, The Endpoint Security Paradox, available on Amazon <click here>

Read the press release announcing Defendpoint v5.0, now featuring the brand new Quick Start policy to make it quicker and easier than ever to achieve overnight success.

Andrew Avanessian,

Stay Up To Date

Get the latest news, ideas, and tactics from BeyondTrust. You may unsubscribe at any time.

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

You May Also Be Interested In: