Endpoint Privilege Management for Windows ePO Extension Administration

Endpoint Privilege Management for Windows combines privilege management and application control technology in a single, lightweight agent. This scalable solution allows global organizations to eliminate admin rights across the entire business.

Actionable intelligence is provided by an enterprise class reporting solution with endpoint analysis, dashboards, and trend data for auditing and compliance.

Define User Roles

Before deploying Endpoint Privilege Management for Windows, you should spend time preparing suitable Workstyles for your users. Implementing least privilege may require Workstyles to be tailored to users’ roles.

The table below shows three typical user roles, but we recommend that you create roles that are tailored to your environment.

Role	Requirement for Admin Rights
Standard Corporate User	Applications that require admin rights to function, and simple admin tasks
Laptop User	Flexibility to perform ad-hoc admin tasks and install software when away from the corporate network
Technical User	Complex applications and diagnostic tools, advanced admin tasks and software installations

Endpoint Privilege Management for Windows can cater to all types of users, including the most demanding technical users, such as system administrators and developers.

You should also educate your users on what they should expect from a least privilege experience, before transferring them to standard user accounts. This ensures that they report any problems they encounter during the process of moving to least privilege.

Contact your solution provider or BeyondTrust to gain access to templates for more complex use case scenarios.

Implement Least Privilege

The first step is to identify the applications that require admin privileges for each of the roles you’ve defined. These can fall into one of three categories:

1. Known Admin Applications: You already have a definitive list of applications that require admin rights to run.
2. Unknown Admin Applications: You are not sure of the applications that require admin rights to run.
3. Flexible Elevation: The user requires flexibility and can’t be restricted to a list of applications.

Known Applications

For this category you should add the relevant applications to the Endpoint Privilege Management for Windows Application Groups for the users. This automatically elevates these applications when they are launched. You can then remove admin rights from these accounts.

Unknown Applications

For this category you have two choices to help you discover the applications that require admin rights:

• Set up Endpoint Privilege Management Workstyles to monitor privileged application behavior. The Endpoint Privilege Management for Windows audit logs highlight all of the applications that require admin rights to run.
• Set up Endpoint Privilege Management Workstyles to give the user the on-demand elevation facility, and instruct the user to use this facility for any applications that fail to run once you have taken the user’s admin rights away. The Endpoint Privilege Management for Windows audit logs highlight all the applications that the user has launched with elevated rights.

You can use the audit logs to determine the relevant set of applications that you want to give admin rights to for these users.

Flexible Elevation

For this category, you should set up Endpoint Privilege Management Workstyles that give the user an on-demand elevation facility, which allows the user to elevate any applications from a standard user account. All elevated applications can be audited, to discourage users from making inappropriate use of this facility.

About Trellix ePolicy Orchestrator

Trellix ePO software, the foundation of the Trellix Security Management solution, unifies management of endpoints, networks, data, and compliance solutions. More than 45,000 organizations use Trellix ePO software on nearly 60 million nodes to manage security, streamline and automate compliance processes, and increase overall visibility across security management activities. With its scalable architecture, fast time to deployment, and ability to support enterprise systems, Trellix ePO software is the most advanced security management software available.

Only Trellix ePO offers:

End-to-end visibility: Get a unified view of your security posture. Drillable, drag-and-drop dashboards provide security intelligence across endpoints, data, mobile, and networks for immediate insight and faster response times.

Simplified security operations: Streamline workflows for proven efficiencies. Independent studies show ePO software helps organizations of every size streamline administrative tasks, ease audit fatigue, and reduce security management-related hardware costs.

An open, extensible architecture: Leverage your existing IT infrastructure. Trellix ePO software connects management of both Trellix and third-party security solutions to your LDAP, IT operations, and configuration management tools. LDAP Servers can be made available via the built-in registered servers in ePO.

For more information, see Trellix ePolicy Orchestrator.

Endpoint Privilege Management for Windows and Trellix

Endpoint Privilege Management for Windows is implemented as a server extension to Trellix ePolicy Orchestrator, enabling Workstyles to be managed through the ePO Policy Catalog. Granular auditing and reporting of Endpoint Privilege Management for Windows activity is available using ePO integrated dashboards and query editor, as well as the reporting module.

The BeyondTrust Endpoint Privilege Management Reporting module uses the Endpoint Privilege Management Reporting database to store Endpoint Privilege Management for Windows audit data for reporting.

Endpoint Privilege Management for Windows is deployed to endpoints as a client task through the ePO System Tree.

If you do not want to use Trellix ePO for deployment of the client package, the Endpoint Privilege Management for Windows client is available as a standalone MSI or executable package, which can be deployed using any suitable third-party deployment solution.

Endpoint Privilege Management for Windows policies are deployed to endpoints through ePO Policy Assignments, which are automatically applied by the Endpoint Privilege Management for Windows client.

If you do not want to use Trellix ePO for deployment of Workstyles, then you may import or export Workstyles as an XML file, and use any suitable deployment solution to deploy the XML file to a set location on each client computer.

BeyondTrust Endpoint Privilege Management App

Starting in version 23.10, we are updating and enhancing the policy editing and reporting experience for our Endpoint Privilege Management for Windows and Mac solution deployed via Trellix ePolicy Orchestrator (ePO). This new experience will mean policy editing and reporting will happen outside of the ePO extension and will instead be delivered via a new Electron-based application called the BeyondTrust Endpoint Privilege Management App, published by BeyondTrust.