Privilege Management for Windows ePO Extension Administration
Privilege Management for Windows combines privilege management and application control technology in a single, lightweight agent. This scalable solution allows global organizations to eliminate admin rights across the entire business.
Actionable intelligence is provided by an enterprise class reporting solution with endpoint analysis, dashboards, and trend data for auditing and compliance.
Define User Roles
Before deploying Privilege Management for Windows, you should spend time preparing suitable Workstyles for your users. Implementing least privilege may require Workstyles to be tailored to users’ roles.
The table below shows three typical user roles, but we recommend that you create roles that are tailored to your environment.
Requirement for Admin Rights
Standard Corporate User
Applications that require admin rights to function, and simple admin tasks
Flexibility to perform ad-hoc admin tasks and install software when away from the corporate network
Complex applications and diagnostic tools, advanced admin tasks and software installations
Privilege Management for Windows can cater to all types of users, including the most demanding technical users, such as system administrators and developers.
You should also educate your users on what they should expect from a least privilege experience, before transferring them to standard user accounts. This ensures that they report any problems they encounter during the process of moving to least privilege.
Contact your solution provider or BeyondTrust to gain access to templates for more complex use case scenarios.
Implement Least Privilege
The first step is to identify the applications that require admin privileges for each of the roles you’ve defined. These can fall into one of three categories:
- Known Admin Applications: You already have a definitive list of applications that require admin rights to run.
- Unknown Admin Applications: You are not sure of the applications that require admin rights to run.
- Flexible Elevation: The user requires flexibility and can’t be restricted to a list of applications.
For this category you should add the relevant applications to the Privilege Management for Windows Application Groups for the users. This automatically elevates these applications when they are launched. You can then remove admin rights from these accounts.
For this category you have two choices to help you discover the applications that require admin rights:
- Set up Privilege Management Workstyles to monitor privileged application behavior. The Privilege Management for Windows audit logs highlight all of the applications that require admin rights to run.
- Set up Privilege Management Workstyles to give the user the on-demand elevation facility, and instruct the user to use this facility for any applications that fail to run once you have taken the user’s admin rights away. The Privilege Management for Windows audit logs highlight all the applications that the user has launched with elevated rights.
You can use the audit logs to determine the relevant set of applications that you want to give admin rights to for these users.
For this category, you should set up Privilege Management Workstyles that give the user an on-demand elevation facility, which allows the user to elevate any applications from a standard user account. All elevated applications can be audited, to discourage users from making inappropriate use of this facility.
About Trellix ePolicy Orchestrator
Trellix ePO software, the foundation of the Trellix Security Management solution, unifies management of endpoints, networks, data, and compliance solutions. More than 45,000 organizations use Trellix ePO software on nearly 60 million nodes to manage security, streamline and automate compliance processes, and increase overall visibility across security management activities. With its scalable architecture, fast time to deployment, and ability to support enterprise systems, Trellix ePO software is the most advanced security management software available.
Only Trellix ePO offers:
End-to-end visibility: Get a unified view of your security posture. Drillable, drag-and-drop dashboards provide security intelligence across endpoints, data, mobile, and networks for immediate insight and faster response times.
Simplified security operations: Streamline workflows for proven efficiencies. Independent studies show ePO software helps organizations of every size streamline administrative tasks, ease audit fatigue, and reduce security management-related hardware costs.
An open, extensible architecture: Leverage your existing IT infrastructure. Trellix ePO software connects management of both Trellix and third-party security solutions to your LDAP, IT operations, and configuration management tools. LDAP Servers can be made available via the built-in registered servers in ePO.
For more information, please see Trellix ePolicy Orchestrator.
Privilege Management for Windows and Trellix
The BeyondTrust Privilege Management Reporting module uses the Privilege Management Reporting database to store Privilege Management
If you do not want to use Trellix ePO for deployment of the client package, the Privilege Management
If you do not want to use Trellix ePO for deployment of Workstyles, then you may import or export Workstyles as an XML file, and use any suitable deployment solution to deploy the XML file to a set location on each client computer.