Endpoint Privilege Management for Windows Administration

Endpoint Privilege Management for Windows combines privilege management and application control technology in a single lightweight agent. This scalable solution allows global organizations to eliminate admin rights across the entire business.

Actionable intelligence is provided by an enterprise class reporting solution with endpoint analysis, dashboards, and trend data for auditing and compliance.

Define User Roles

Before deploying Endpoint Privilege Management for Windows, you should prepare suitable Workstyles for your users. Implementing least privilege may require Workstyles to be tailored to users’ roles.

The table below shows three typical user roles, but we recommend you create roles that are tailored to your environment.

| Role | Requirement for Admin Rights |
| --- | --- |
| Standard Corporate User | Applications that require admin rights to function, and simple admin tasks. |
| Laptop User | Flexibility to perform ad hoc admin tasks and install software when away from the corporate network. |
| Technical User | Complex applications and diagnostic tools, advanced admin tasks, and software installations. |

Endpoint Privilege Management for Windows can cater to all types of users, including the most demanding technical users, such as system administrators and developers.

You should also educate users on what to expect from a least privilege experience before transferring them to standard user accounts. This helps ensure they report any problems they encounter during the move to least privilege.

Contact your solution provider or BeyondTrust to gain access to templates that cater to more complex use case scenarios.

Implement Least Privilege

The first step is to identify the applications that require admin privileges for each of the roles you’ve defined. These can fall into one of three categories:

  1. Known Admin Applications: You already have a definitive list of applications that require admin rights to run.
  2. Unknown Admin Applications: You are not sure of the applications that require admin rights to run.
  3. Flexible Elevation: The user requires flexibility and can’t be restricted to a list of applications.

Known Applications

For this category, add the relevant applications to the Endpoint Privilege Management for Windows Application Groups for these users, so that the applications are elevated automatically when they are launched. You can then remove admin rights from these users.

Unknown Applications

For this category, you have two ways to discover the applications that require admin rights:

  1. Windows specific: Set up Endpoint Privilege Management for Windows Workstyles to monitor privileged application behavior. The Endpoint Privilege Management for Windows audit logs highlight all of the applications that require admin rights to run.
  2. Set up Endpoint Privilege Management for Windows Workstyles to give the user the on-demand elevation facility, and instruct the user to use this facility for any applications that fail to run after you take the user’s admin rights away. The Endpoint Privilege Management for Windows audit logs highlight all the applications that the user has launched with elevated rights.

You can use the audit logs to determine the relevant set of applications you want to give admin rights to for these users.

Flexible Elevation

For this category, you should set up Endpoint Privilege Management for Windows Workstyles that give the user an on-demand elevation facility, which allows the user to elevate any applications from a standard user account. All elevated applications can be audited, to discourage users from making inappropriate use of this facility.
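Reviewing the audit logs from the Unknown Applications and Flexible Elevation approaches above comes down to one aggregation: which applications were elevated, by how many users, and in which roles. The PowerShell below is an added example, not BeyondTrust's code; the record fields (User, Role, App, Publisher, Elevation) and the sample events are constructed, because this page does not describe the audit export format.

```powershell
# Constructed audit records (assumed field names; not the product's export format).
# Elevation = 'Monitored' : logged by a Workstyle that monitors privileged behaviour.
# Elevation = 'OnDemand'  : user elevated the application via the on-demand facility.
$auditEvents = @(
    [pscustomobject]@{ User='alice'; Role='Standard Corporate User'; App='C:\Program Files\LegacyApp\legacy.exe';   Publisher='Contoso Ltd';       Elevation='Monitored' },
    [pscustomobject]@{ User='bob';   Role='Standard Corporate User'; App='C:\Program Files\LegacyApp\legacy.exe';   Publisher='Contoso Ltd';       Elevation='OnDemand'  },
    [pscustomobject]@{ User='carol'; Role='Laptop User';             App='C:\Program Files\LegacyApp\legacy.exe';   Publisher='Contoso Ltd';       Elevation='OnDemand'  },
    [pscustomobject]@{ User='dave';  Role='Technical User';          App='C:\Tools\DiagTool\diag.exe';              Publisher='Fabrikam Inc';      Elevation='Monitored' },
    [pscustomobject]@{ User='dave';  Role='Technical User';          App='C:\Tools\DiagTool\diag.exe';              Publisher='Fabrikam Inc';      Elevation='OnDemand'  },
    [pscustomobject]@{ User='bob';   Role='Standard Corporate User'; App='C:\Users\bob\Downloads\setup_game.exe';  Publisher='(unsigned)';        Elevation='OnDemand'  }
)

function Get-ElevationCandidates {
    # Summarise elevated launches per application. Applications used by at least
    # $MinUsers distinct users are candidates for an Application Group that elevates
    # them automatically; single-user, on-demand-only entries are flagged for review.
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$MinUsers = 2
    )
    $Events | Group-Object { $_.App.ToLowerInvariant() } | ForEach-Object {
        $users    = @($_.Group.User | Sort-Object -Unique)
        $roles    = @($_.Group.Role | Sort-Object -Unique)
        $onDemand = @($_.Group | Where-Object Elevation -eq 'OnDemand').Count
        $signed   = ($_.Group | Select-Object -First 1).Publisher -ne '(unsigned)'
        [pscustomobject]@{
            App            = ($_.Group | Select-Object -First 1).App
            Publisher      = ($_.Group | Select-Object -First 1).Publisher
            Launches       = $_.Count
            Users          = $users.Count
            Roles          = ($roles -join ', ')
            OnDemand       = $onDemand
            Recommendation = if ($users.Count -ge $MinUsers -and $signed) { 'Add to Application Group' }
                             elseif (-not $signed)                      { 'Review: unsigned binary' }
                             else                                        { 'Review: single user' }
        }
    } | Sort-Object -Property @{Expression='Users';Descending=$true}, @{Expression='Launches';Descending=$true}
}

# Produce the candidate list for the roles you defined earlier.
Get-ElevationCandidates -Events $auditEvents | Format-Table -AutoSize
```

Replace `$auditEvents` with records read from your own exported audit data once you have mapped its columns to these field names.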

For more information, see On-Demand Application Rules.