Remote Administration of Servers and Desktops with Least Privilege
Windows PowerShell is an essential tool for managing and administering servers and desktops in the enterprise. As time passes, an increasing array of Windows operating system components and Windows applications are being automated through PowerShell cmdlets. Since PowerShell has a secure remote connection capability (PowerShell Remoting over WinRM), administrators work from their own computer to manage many remote machines. However, this efficient administrative practice requires IT staff to hold admin rights on hundreds or thousands of desktops and servers across the organization.
Avecto Privilege Guard enables granular elevation of PowerShell scripts and cmdlets over remote PowerShell sessions and interactive logons for standard user accounts. This new feature of Privilege Guard benefits from the same characteristics that made Privilege Guard popular:
- centralized management through an intuitive policy model
- granular control of specific PowerShell cmdlets or scripts
- enterprise auditing and reporting
This new enterprise-class capability is set to change perspectives on central administration controls that fail to deliver least privilege.
Least privilege: it’s not just for end users!
Eliminating administrative rights for end users is a well-known best practice for improving the security posture, and reducing the cost of ownership, of Windows desktops and servers.
Analysts, government entities and computer security luminaries all agree that the principle of least privilege reduces malware, data leakage and system downtime. This is not a new idea – you can find references back to 1975 from luminaries like Jerome Saltzer and recent references from Bruce Schneier.
Why limit this approach to end users? Typical end users only have access to one or a few systems, and they use an interactive logon session, either directly or through Citrix, Microsoft Remote Desktop, Xen, etc.
Why ‘admin’ doesn’t mean ‘admin rights’…
Desktop and server administration staff have administrator rights across most or all of your computers. Up to this point, there has been no effective means to manage an environment with thousands of Windows hosts unless you have a logon account with administrator rights. Why is this? Many legacy Microsoft tools for remote management of the Windows operating system, or of application servers like Exchange or IIS, require administrator rights just to make their remote connection; out of the box, for example, the default PowerShell Remoting endpoint only admits members of the local Administrators group (plus Remote Management Users on Windows 8 / Server 2012 and later). It doesn’t matter whether the user needs read-only or read-write access: they get admin rights so the tools will work. Even if their administration role is restricted to IIS application configuration or installing authorized software, they get full local admin.
Organizations have adopted many strategies to cope with this: Privileged Identity Management (password vaults), privileged session monitoring and elaborate change management processes. All of these approaches still leave the human with unrestricted access to the OS, so none of them is least privilege. If the user abuses or misuses that privilege, you may only find out later, after the damage is done.
Application servers failing due to network or registry misconfiguration, desktops falling behind on patching, disabled security controls, unauthorized database connections, and mishandled or stolen business data are all common on hosts where admin rights are not used carefully. Worse yet, purposeful abuse could result in stolen customer data.
The Solution
Let’s get back to the reason for this – the tools, not the task, often require the user to be a full administrator on the system. Why not use a better tool?
Privilege Guard has supported secure, granular elevation of PowerShell scripts for a couple of releases now, and with release 3.8 we introduce a compelling new capability: remote PowerShell session and command elevation for standard users. This feature enables true least privilege in remotely managed desktop and server environments without any additional infrastructure.
Here’s how it enables role-based least privilege and auditing for server and desktop administration staff building on the existing, intuitive policy model of Privilege Guard:
- easy-to-use, role-based enablement of remote PowerShell sessions for standard users, configurable through Group Policy (GPO) and other policy delivery methods
- individual block, allow or elevate control of each PowerShell cmdlet
- auditing of every command and script executed in the remote session
- dashboard and drill-down reporting of every remote PowerShell task or script execution
- built on the proven, enterprise-class Avecto Privilege Guard agent and policy model
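To make the three controls above concrete (block everything not allowed, elevate what is allowed, audit every command), here is an added example that is not Avecto code and not a Privilege Guard policy: it uses Microsoft's built-in Just Enough Administration (JEA, Windows PowerShell 5.0 and later) to publish a constrained remote endpoint for standard users. The module name LeastPrivAdmin, the group CORP\Service-Operators, the host server01, the transcript folder and the service names are assumptions for illustration.

```powershell
# Added example: a least-privilege remote PowerShell endpoint built with
# Microsoft's Just Enough Administration (JEA), not a Privilege Guard policy.
# Assumed names (not from the original page): module 'LeastPrivAdmin',
# AD group 'CORP\Service-Operators', target host 'server01', services listed below.
# Run this on the target server as a local administrator, once.
#Requires -RunAsAdministrator
#Requires -Version 5.0

$moduleName = 'LeastPrivAdmin'
$modulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
New-Item -Path $rcPath -ItemType Directory -Force | Out-Null
# A manifest makes the module (and its RoleCapabilities folder) discoverable.
New-ModuleManifest -Path (Join-Path $modulePath "$moduleName.psd1")

# 1. Allow: exactly which cmdlets, and which parameter values, the role may run.
#    Block: anything not listed here simply does not exist inside the session.
$roleParams = @{
    Path           = Join-Path $rcPath 'ServiceOperator.psrc'
    VisibleCmdlets = @(
        'Get-Service',
        @{ Name       = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W3SVC' } }
    )
    VisibleFunctions    = 'Get-PatchState'
    FunctionDefinitions = @{
        Name        = 'Get-PatchState'
        ScriptBlock = { Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 }
    }
}
New-PSRoleCapabilityFile @roleParams

# 2. Elevate: commands run as a temporary local-admin virtual account on the
#    target, so the connecting user needs no admin rights of their own.
# 3. Audit: every command typed in the session is written to a transcript.
$sessionParams = @{
    Path                = Join-Path $env:TEMP 'LeastPrivAdmin.pssc'
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = 'C:\JEATranscripts'
    RoleDefinitions     = @{
        'CORP\Service-Operators' = @{ RoleCapabilities = 'ServiceOperator' }
    }
}
New-PSSessionConfigurationFile @sessionParams
Test-PSSessionConfigurationFile -Path $sessionParams.Path   # $true if well-formed
Register-PSSessionConfiguration -Name $moduleName -Path $sessionParams.Path -Force

# From the admin's workstation, as a standard user in CORP\Service-Operators:
#   Enter-PSSession -ComputerName server01 -ConfigurationName LeastPrivAdmin
#   [server01]: PS> Get-Command             # only the allow-listed commands appear
#   [server01]: PS> Restart-Service W3SVC   # runs elevated via the virtual account
#   [server01]: PS> Restart-Service WinRM   # rejected: 'WinRM' is not in the ValidateSet
```

The caveat a practitioner should keep in mind: the virtual account really is a local administrator, so the allow list is the whole security boundary. A visible cmdlet that can run arbitrary code or write arbitrary files (Invoke-Expression, Start-Process, Set-Content to a system path, or an unconstrained Restart-Service/Stop-Service) hands the user those admin rights back; constrain parameters with ValidateSet or ValidatePattern, and review the transcripts in the audit directory as you would any privileged session log.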
With Privilege Guard 3.8 and Remote PowerShell elevation, Avecto further builds on the capabilities that have made Privilege Guard the premier choice for Privilege Management in the enterprise.
Introducing Defendpoint
Edit: Privilege Guard has now evolved into the brand new security suite, Defendpoint, which encompasses Privilege Management, Application Control and Sandboxing. For more information, please visit www.avecto.com/defendpoint.