Help desk technicians within a company are the first line of defensive for a new project or system problem. Most of the time, they are informed and trained that users will be getting a new piece of security software. The solution, in this case, is called Privileged Identity Management (PIM) and is designed to manage authenticated permissions on their workstations. The technology provides administrative rights to applications and operating systems features that require administrative privileges and allows their normal daily job functions to occur as a standard user.
The most frequent questions we hear at BeyondTrust from help desk technician’s are “why are you removing administrator permissions from the end users?” and “How will I support these users when things do not operate like before?”. The answers to these are very simple. As an end user administrative permissions are designed to have complete and unrestricted control of the operating system and applications. In reality, only a subset is ever needed and the excessive permissions can lead to a gaping security hole for malware, configuration issues, and advanced persistent threats. Unfortunately as a help desk technician, you experience these problems all too often. As the solution is deployed, your clients will begin to login as a standard user, and the PIM solution will give them administrative authority to applications and operating system features they need for daily operations. Your role as a help desk technician will be to assist where the escalation rules are missing (or not working) to cover functions that users need for daily business operations.
It is important to understand that there are several reasons your organization is adopting the solution. First, like many businesses, commercial and government identities have regulatory controls that stipulate security controls on sensitive data, personal information, and applications. Your business is no different. Auditors periodically may visit your business and review security procedures, policies, and verify the employees and contractors do not have excessive access to systems and data. Tools like PowerBroker satisfy their requirements by placing a control on permissions while allowing elevation of privileges to personnel when appropriate.
One other consideration is directly related to security and malware. Malware is a superset term that encompasses all forms of malicious programs from viruses, spyware, and ransom-ware all the way through Advanced Persistent Threats (APT). Statistics show that a very large portion of malware infects computers simply based on the user having administrative access to the host. If this access is removed, the malware and its infection are thwarted. As help desk technicians, this burden should be significantly reduced from your daily support calls due to the removal of administrative privileges from your clients. As you have seen, antivirus solutions alone are not up to the latest challenges. To mitigate these threats, the most common denominator for malware is being restricted; its ability to access administrator privileges on the workstations you support.
As with any technology rollout, there are bound to be a few bumps along the way. Remember when you had your first look at the latest version of Windows? Finding where to locate common function was frustrating to many, but it only took a little while to realize it was the same thing but in a different location. PIM is the same way. Your client’s programs and applications will operate the same way, but in some circumstances may request that the end user complete a quick text box explaining why they are using a program or operating system feature. This may sound like an unnecessary step but if they are installing software or administering a phone system or database, management and auditors tend to want to know when and why. These are all part of security best practices and regulatory compliance.
One of the common questions you will receive is that some programs (and operating system features) that worked before no longer function. This is the bump in the road that as a help desk technician you will need to resolve. These may be applications, for which rules have yet to be created for applications that require administrative permissions to run or applications that have been explicitly denied from operating due to their inherent risk or potential threat they represent to the organization. A simple discussion with the end user, justification for the application or feature, and following established procedures for information technology administrators to create a rule will rectify this type of problem. If the application is rarely ever used, or one time only, then the Challenge Response Passcode feature of PowerBroker for Windowscan provide temporary relief until decisions about a permanent rule are made.
All in all, this project is designed to increase the security of desktops and servers, prohibit common malware from infecting assets, aid in regulatory compliance, and track when sensitive applications are being executed throughout your organization. The process involves changing the way end users login into their computer but is designed to not affect daily job functions. If anything, you will notice end users will have systems that run better because common flaws that can occur as an administrator will simply be avoided.
Securing privileges are crucial to the security and operational well-being of your organization. It is being implemented to provide a safer, more standardized computing environment that can be managed better by the help desk, administrators, and information technology teams. The Help Desk is crucial in making this type of project a success and the benefits it offers. For more information, please visit BeyondTrust.
The most frequent questions we hear at BeyondTrust from help desk technician’s are “why are you removing administrator permissions from the end users?” and “How will I support these users when things do not operate like before?”. The answers to these are very simple. As an end user administrative permissions are designed to have complete and unrestricted control of the operating system and applications. In reality, only a subset is ever needed and the excessive permissions can lead to a gaping security hole for malware, configuration issues, and advanced persistent threats. Unfortunately as a help desk technician, you experience these problems all too often. As the solution is deployed, your clients will begin to login as a standard user, and the PIM solution will give them administrative authority to applications and operating system features they need for daily operations. Your role as a help desk technician will be to assist where the escalation rules are missing (or not working) to cover functions that users need for daily business operations.
It is important to understand that there are several reasons your organization is adopting the solution. First, like many businesses, commercial and government identities have regulatory controls that stipulate security controls on sensitive data, personal information, and applications. Your business is no different. Auditors periodically may visit your business and review security procedures, policies, and verify the employees and contractors do not have excessive access to systems and data. Tools like PowerBroker satisfy their requirements by placing a control on permissions while allowing elevation of privileges to personnel when appropriate.
One other consideration is directly related to security and malware. Malware is a superset term that encompasses all forms of malicious programs from viruses, spyware, and ransom-ware all the way through Advanced Persistent Threats (APT). Statistics show that a very large portion of malware infects computers simply based on the user having administrative access to the host. If this access is removed, the malware and its infection are thwarted. As help desk technicians, this burden should be significantly reduced from your daily support calls due to the removal of administrative privileges from your clients. As you have seen, antivirus solutions alone are not up to the latest challenges. To mitigate these threats, the most common denominator for malware is being restricted; its ability to access administrator privileges on the workstations you support.
As with any technology rollout, there are bound to be a few bumps along the way. Remember when you had your first look at the latest version of Windows? Finding where to locate common function was frustrating to many, but it only took a little while to realize it was the same thing but in a different location. PIM is the same way. Your client’s programs and applications will operate the same way, but in some circumstances may request that the end user complete a quick text box explaining why they are using a program or operating system feature. This may sound like an unnecessary step but if they are installing software or administering a phone system or database, management and auditors tend to want to know when and why. These are all part of security best practices and regulatory compliance.
One of the common questions you will receive is that some programs (and operating system features) that worked before no longer function. This is the bump in the road that as a help desk technician you will need to resolve. These may be applications, for which rules have yet to be created for applications that require administrative permissions to run or applications that have been explicitly denied from operating due to their inherent risk or potential threat they represent to the organization. A simple discussion with the end user, justification for the application or feature, and following established procedures for information technology administrators to create a rule will rectify this type of problem. If the application is rarely ever used, or one time only, then the Challenge Response Passcode feature of PowerBroker for Windowscan provide temporary relief until decisions about a permanent rule are made.
All in all, this project is designed to increase the security of desktops and servers, prohibit common malware from infecting assets, aid in regulatory compliance, and track when sensitive applications are being executed throughout your organization. The process involves changing the way end users login into their computer but is designed to not affect daily job functions. If anything, you will notice end users will have systems that run better because common flaws that can occur as an administrator will simply be avoided.
Securing privileges are crucial to the security and operational well-being of your organization. It is being implemented to provide a safer, more standardized computing environment that can be managed better by the help desk, administrators, and information technology teams. The Help Desk is crucial in making this type of project a success and the benefits it offers. For more information, please visit BeyondTrust.
Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust
Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.