Privilege Management for Windows Workstyles

Privilege Management for Windows Workstyles are used to assign Application Rules for a specific user, or group of users. The Workstyle Wizard can generate Application Rules depending on the type of Workstyle you choose.

Privilege Management Workstyle Properties

To edit the advanced properties for a Workstyle:

  1. Expand the Workstyles node and select the relevant Workstyle.

Edit the name and description of the Workstyle in the Workstyle Properties window

  1. Select ActionsWorkstyle Properties.

 

You can edit the name and description of the Workstyle here as well as disable it, if required.

Privilege Monitoring

Privilege Management for Windows can monitor the behavior of specific privileged applications and processes in Windows, a feature called privilege monitoring. Privilege monitoring is enabled as an auditing option in the properties of an Application Rule or an On-Demand Application Rule. When enabled, Privilege Management for Windows records all privileged operations performed by the application or process that would fail under a standard user account. These include file operations, registry operations, and any interactions with other components, such as Windows services.

The application must be running under a privileged account, such as an administrator or power user. Alternatively, an application could be running with elevated privileges because you have added it to the Application Rules or On-Demand Application Rules section of the Workstyle and assigned it to run with admin rights.

Privilege monitoring logs are recorded on each endpoint, and the logs can be accessed using the Privilege Management Reporting MMC snap-in. The configuration of privilege monitoring logs is applied to each Workstyle.

For more information about privilege monitoring, contact your BeyondTrust consultant.

Privilege Monitoring Events

Log Event to Application Event Log: This option will log an event to the Application event log, the first time an application performs a privileged operation.

Log Cancel Events (when user cancels message): This option raises an event when a user cancels an End User Message, either by clicking the Cancel button, Email button, or clicking a Hyperlink. The action performed by the user is available as a Policy Parameter [PG_ACTION], which can be used by the script to perform different audit actions based on the user interaction.

Privilege Monitoring Log Files

The following Privilege Monitoring options are available:

  • Log Application Activity to Log Files: The Application Summary dropdown menu controls the level of Application Activity logging in the log files. The following options are available:
    • Application Summary: This option only logs information about the application.
    • Application Summary and Activity: This option logs information about the application and unique privileged activity (Default option).
    • Application Summary and Detailed Activity: This options logs information about the application and all privileged activity.
  • Maximum Activity Records Per Process: This option determines the maximum number of records to be recorded per process (default 100).
  • Keep Application Activity Logs for: This option determines how long activity logs are kept before they are purged (default 14 days).