Privilege and Session Management for Microsoft Windows

The case for Windows privilege management is overwhelming. For instance, 94% of critical vulnerabilities reported by Microsoft in 2016 can be mitigated by removing administrator rights from users. Whether hijacked by external attackers using phishing or ransomware, or simply misused by insiders, local and domain admin rights can facilitate devastating data breaches. These privileges are prized by attackers because they can afford freedom of movement and access beneath the radar of detection.

So how do you protect end users, prevent and contain data breaches, and eliminate compliance violations stemming from excessive end-user privileges – without obstructing productivity or overburdening your Help Desk?

Comprehensive Privilege Management for All Windows Systems

BeyondTrust PowerBroker for Windows is a privilege management solution that gives you unmatched visibility and control over physical and virtual desktops and servers.

  • Reduce attack surfaces by removing admin rights from end users and employing fine-grained policy controls for all privileged access, without disrupting productivity.
  • Monitor and audit sessions and user activity for unauthorized access and/or changes to files and directories.
  • Analyze behavior to detect suspicious user, account and asset activity.

Whether you need simplified least privilege enforcement, patented application control, privileged activity logging, or file integrity monitoring, PowerBroker delivers the most comprehensive Windows privilege management capabilities available.

“PowerBroker for Windows is transparent to users and allows them to do their jobs safely, without administrator rights.”  End User Support Manager, Care New England

Key Capabilities for PowerBroker for Windows

ENFORCE LEAST PRIVILEGE AND ENABLE PRODUCTIVITY

Eliminate user admin rights and grant privileges to applications and tasks, without exposing admin credentials.

MONITOR AND AUDIT BEHAVIOR

Maintain audit trails with event logging and optional session monitoring. Capture and search keystrokes and screens.

FOIL PHISHING AND RANSOMWARE

Automatically block suspicious activity with blacklisting, greylisting, and other application control capabilities.

LIMIT VULNERABLE APPLICATIONS

Scan applications for exposures at run time, and trigger alerts, enforce quarantine, reduce privileges, or prevent launch.

MONITOR FILE INTEGRITY

Ensure that system binaries, product binaries, and files have not been tampered with (optional).

SECURELY ELEVATE REMOTE HOSTS

Elevate privileges from a remote host, or use Password Safe credentials for Run-As access.

USE ANALYTICS AND REPORTING

Gain unmatched visibility into user activity with centralized analytics and reporting.

FLEXIBLE DEPLOYMENT OPTIONS

Implement on-premise software or hardware appliances, or host in Amazon Web Services and other cloud services.

INTEGRATE WITH MCAFEE EPO

Take a unified approach to endpoint security and privilege management with McAfee ePolicy Orchestrator.

Key Features for PowerBroker for Windows

LEAST PRIVILEGE FOR WINDOWS DESKTOPS AND SERVERS

  • Eliminate admin rights: prevent abuse or misuse of privileges on Windows assets
  • Ensure productivity: default all users to standard privileges, while enabling elevated privileges for specific applications and tasks without requiring administrative credentials
  • Allow admin where needed: proactively identify applications and tasks that require administrator privileges and automatically generate rules for privilege elevation
  • Elevate applications: elevate applications as the logged-on user or another user, without exposing credentials
  • Elevate applications: elevate applications without exposing credentials

REPORTING & ANALYTICS

  • Ensure compliance: meet internal and external compliance needs by enforcing least-privilege and monitoring privileged activities
  • Pinpoint suspicious activity: monitor Windows Event Logs for anomalies and analyze through Behavioral Analytics
  • Protect file systems: add optional file integrity monitoring to identify, and even deny, unauthorized changes
  • Maintain awareness: monitor UAC events, application rules, requested elevations, denied applications, and more
  • Record sessions: add optional session monitoring to capture screens of privileged user activity with keystroke logging to document all privileged changes to an asset
  • Understand and communicate risk: leverage an interactive, roles-based reporting and analytics console, backed by a centralized data warehouse for ongoing audits of privilege management activities

GRANULAR APPLICATION RISK MANAGEMENT

  • Application usage: blacklist hacking tools, whitelist approved applications, and greylist applications based on rules to keep systems safe
  • Block suspicious activity: enforce restrictions on software installation, usage, and OS configuration changes
  • Leverage Vulnerability-Based Application Management: scan applications at runtime for vulnerabilities and allow, deny or alter privileges based on vulnerability severity, age, and/or regulatory violations (driven by Retina)
  • Quarantine files: leverage BeyondInsight Clarity Threat Analytics for malware confidence reporting, enabling better risk decision-making
  • Simplify application management: rules-based approach eliminates the need to manage complex whitelists for complete application control

MAXIMUM EFFICIENCY

  • Gain control over all accounts: automatically discover and profile all Windows accounts, and quickly bring them under centralized management
  • Support one-time passwords (OTPs): support any multi-factor solution that utilizes the RADIUS protocol for additional verification that the user is the intended recipient
  • Reduce help desk costs: lower support costs 40% or more by removing local admin rights without raising barriers to end-user productivity
  • Ease policy creation/management: set policies via AD Group Policy, BeyondInsight or McAfee ePO, with support for air-gapped systems and non-domain assets
