Privilege Management for Windows ePO Extension Administration

Privilege Management for Windows combines privilege management and application control technology in a single, lightweight agent. This scalable solution allows global organizations to eliminate admin rights across the entire business.

Actionable intelligence is provided by an enterprise-class reporting solution with endpoint analysis, dashboards, and trend data for auditing and compliance.

Define User Roles

Before deploying Privilege Management for Windows, you should spend time preparing suitable Workstyles for your users. Implementing least privilege may require Workstyles to be tailored to users’ roles.

The table below shows three typical user roles, but we recommend that you create roles that are tailored to your environment.

Role: Requirement for Admin Rights

Standard Corporate User: Applications that require admin rights to function, and simple admin tasks

Laptop User: Flexibility to perform ad-hoc admin tasks and install software when away from the corporate network

Technical User: Complex applications and diagnostic tools, advanced admin tasks and software installations

Privilege Management for Windows can cater to all types of users, including the most demanding technical users, such as system administrators and developers.

You should also educate your users on what they should expect from a least privilege experience, before transferring them to standard user accounts. This ensures that they report any problems they encounter during the process of moving to least privilege.

Contact your solution provider or BeyondTrust to gain access to templates for more complex use case scenarios.

Implement Least Privilege

The first step is to identify the applications that require admin privileges for each of the roles you’ve defined. These can fall into one of three categories:

  1. Known Admin Applications: You already have a definitive list of applications that require admin rights to run.
  2. Unknown Admin Applications: You are not sure of the applications that require admin rights to run.
  3. Flexible Elevation: The user requires flexibility and can’t be restricted to a list of applications.

Known Applications

For this category you should add the relevant applications to the Privilege Management for Windows Application Groups for the users. This automatically elevates these applications when they are launched. You can then remove admin rights from these accounts.

Unknown Applications

For this category you have two choices to help you discover the applications that require admin rights:

  • Set up Privilege Management Workstyles to monitor privileged application behavior. The Privilege Management for Windows audit logs highlight all of the applications that require admin rights to run.
  • Set up Privilege Management Workstyles to give the user the on-demand elevation facility, and instruct the user to use this facility for any applications that fail to run once you have taken the user’s admin rights away. The Privilege Management for Windows audit logs highlight all the applications that the user has launched with elevated rights.

You can use the audit logs to determine which applications should be given admin rights for these users.

Flexible Elevation

For this category, you should set up Privilege Management Workstyles that give the user an on-demand elevation facility, which allows the user to elevate any applications from a standard user account. All elevated applications can be audited, to discourage users from making inappropriate use of this facility.

About McAfee ePolicy Orchestrator

McAfee ePO software, the foundation of the McAfee Security Management solution, unifies management of endpoints, networks, data, and compliance solutions. More than 45,000 organizations use McAfee ePO software on nearly 60 million nodes to manage security, streamline and automate compliance processes, and increase overall visibility across security management activities. With its scalable architecture, fast time to deployment, and ability to support enterprise systems, McAfee ePO software is the most advanced security management software available.

Only McAfee ePO offers:

End-to-end visibility: Get a unified view of your security posture. Drillable, drag-and-drop dashboards provide security intelligence across endpoints, data, mobile, and networks for immediate insight and faster response times.

Simplified security operations: Streamline workflows for proven efficiencies. Independent studies show ePO software helps organizations of every size streamline administrative tasks, ease audit fatigue, and reduce security management-related hardware costs.

An open, extensible architecture: Leverage your existing IT infrastructure. McAfee ePO software connects management of both McAfee and third-party security solutions to your LDAP, IT operations, and configuration management tools. LDAP Servers can be made available via the built-in registered servers in ePO.

For more information, please see McAfee ePolicy Orchestrator.

Privilege Management for Windows and McAfee

Privilege Management for Windows is implemented as a server extension to McAfee ePolicy Orchestrator, enabling Workstyles to be managed through the ePO Policy Catalog. Granular auditing and reporting of Privilege Management for Windows activity is available using ePO integrated dashboards and query editor, as well as the reporting module.

The BeyondTrust Privilege Management Reporting module uses the Privilege Management Reporting database to store Privilege Management for Windows audit data for reporting.

Privilege Management for Windows is deployed to endpoints as a client task through the ePO System Tree.

If you do not want to use McAfee ePO for deployment of the client package, the Privilege Management for Windows client is available as a standalone MSI or executable package, which can be deployed using any suitable third-party deployment solution.

Privilege Management for Windows policies are deployed to endpoints through ePO Policy Assignments, which are automatically applied by the Privilege Management for Windows client.

If you do not want to use McAfee ePO for deployment of Workstyles, then you may import or export Workstyles as an XML file, and use any suitable deployment solution to deploy the XML file to a set location on each client computer.