Question

EPM Windows - tools/apps to be blocked in order to avoid bypassing EPM

  • November 14, 2024
  • 7 replies
  • 243 views


Hi, while doing some testing it looks like end users can easily bypass the EPM agent, at least on Windows, by using other privilege delegation tools such as Make Me Admin (which is available on GitHub). If it is not blocked, a user can simply become a temporary admin using Make Me Admin and then stop the Avecto service to bypass EPM protections.
Is there a way EPM can monitor and block the addition of users to the local Administrators group? (This is the method used by the Make Me Admin tool.)


AdamS
BeyondTrust Employee
  • BeyondTrust Employee
  • November 14, 2024

Hey @bt101,


EPM-W offers the Prohibit Privileged Account Management general rule which blocks users from modifying local privileged group memberships - see here for more details. I’m not 100% familiar with how Make Me Admin works so this may not be sufficient if it runs as a SYSTEM process.

However, we also provide the Agent Protection feature which prevents “admin users from tampering with the product, including stopping the services running or deleting its files from an endpoint.” - see here for more details.



Looking at the Make Me Admin app, it requires admin rights to install; it is a normal MSI installer. Once installed, it adds a service that runs with Local System permissions. The EPM policy targets the logged-on user, not Local System. So, yes, a block on the install is needed.

I do see Make Me Admin work around Prohibit Privileged Account Management, which makes sense, as the service is granted Local System permissions when it was allowed to install.

We can also create a rule that prevents Local System from tampering with the privileged groups, using Prohibit Privileged Account Management. Doing that still allows a true local admin to change the group, as that account is unaffected by policy. This could, though, cause some issues depending on how admin rights are removed from the client. In my case I use GPOs, which are unaffected by the block for SYSTEM, to remove admin rights for users.




This is with a rule in place for system.



AdamS
BeyondTrust Employee
  • BeyondTrust Employee
  • November 14, 2024
Jens Hansen wrote:

This is with a rule in place for system.


iirc, having a PPAM rule in place for SYSTEM processes breaks LAPS functionality. As already mentioned though, we can utilize a rule to block the installation of Make Me Admin and then also use the Agent Protection feature to protect EPM-W in the event that tool does get installed.


AdamS wrote:
Jens Hansen wrote:

This is with a rule in place for system.


iirc, having a PPAM rule in-place for SYSTEM processes breaks LAPS functionality. As already mentioned though, we can utilize a rule to block the installation of Make Me Admin and then also use the Agent Protection feature to protect EPM-W in the event that tool does get installed.

You are right, I forgot about that old one in my testing. There is a reason we always recommend not creating rules for SYSTEM in general.




I would also recommend that you use some of the options that are around the removal of admin rights.
A sample here is the Local Users and Groups setting from your Group Policies. Another option is to use Restricted Groups. These are great for on-prem AD.
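Added example, not code from this thread, from BeyondTrust or from the Make Me Admin project: a PowerShell check that supports both the original question (how to monitor additions to the local Administrators group) and the GPO-based membership enforcement recommended above. It compares BUILTIN\Administrators against the membership the GPO is meant to enforce, and reads Security event 4732 (member added to a security-enabled local group) to show who added members and whether the change was made by a process running as SYSTEM, which is the pattern described earlier in the thread for a service-based tool. Assumptions: it is run elevated on the endpoint, the "Audit Security Group Management" subcategory is enabled so 4732 is logged, and the allowlist entries below are constructed placeholders to be replaced with your own enforced membership.

```powershell
# Added example (not from the thread, BeyondTrust, or Make Me Admin).
# Assumes: run elevated; "Audit Security Group Management" auditing enabled
# (auditpol /get /subcategory:"Security Group Management" to check).

# Constructed allowlist: the only principals that should be in BUILTIN\Administrators.
# Get-LocalGroupMember reports names as COMPUTER\Name or DOMAIN\Name, so match that form.
$Allowed = @(
    "$env:COMPUTERNAME\Administrator",
    'CONTOSO\Domain Admins',          # hypothetical domain group
    'CONTOSO\Workstation Admins'      # hypothetical domain group
)

# Compare the live membership of BUILTIN\Administrators (well-known SID S-1-5-32-544)
# against the allowlist; anything unexpected is drift your GPO should have reverted.
function Get-AdminGroupDrift {
    param([string[]]$Allowed)
    $members    = Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object -ExpandProperty Name
    $unexpected = $members | Where-Object { $Allowed -notcontains $_ }
    $missing    = $Allowed | Where-Object { $members -notcontains $_ }
    [pscustomobject]@{
        Unexpected = @($unexpected)
        Missing    = @($missing)
    }
}

# Pull 4732 events for the Administrators group and report the actor.
# SubjectUserSid S-1-5-18 means the member was added by a process running as SYSTEM,
# which a user-targeted policy will not see and which the group audit still records.
function Get-AdminGroupAdditions {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Security'
        Id        = 4732
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        if ($data['TargetSid'] -eq 'S-1-5-32-544') {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                MemberSid  = $data['MemberSid']
                MemberName = $data['MemberName']
                AddedBy    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                ActorSid   = $data['SubjectUserSid']
                BySystem   = ($data['SubjectUserSid'] -eq 'S-1-5-18')
            }
        }
    }
}

# Usage: report drift, then list recent additions with SYSTEM-originated ones first.
Get-AdminGroupDrift -Allowed $Allowed | Format-List
Get-AdminGroupAdditions -Hours 24 | Sort-Object BySystem -Descending | Format-Table -AutoSize
```

Both functions are read-only, so they can be scheduled or fed into a SIEM query without changing the endpoint; a non-empty Unexpected list, or a 4732 event with BySystem set, is the signal that something other than the GPO changed the group and that the install-block and Agent Protection rules discussed above are worth confirming on that host.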




Agent Protection does work great to prevent them from using Make Me Admin to disable and uninstall the EPM client, so a combination of blocking installs of the app, and the launch of it, should allow you to make sure no one uses the application for that purpose.
A combination of both GPO and EPM rules should put a stop to this.

