Hey @MikeK, enabling this feature in an application group will surely show you which components of the application are running with admin privileges and which are not.
But in order to find which applications are running as admin or not, there are default Application Groups created in the QuickStart policy by BeyondTrust that allow you to define which applications are running with admin privileges and which with “Run as administrator” behavior.
These default groups will surely help you distinguish applications with admin behavior, “Run as administrator” behavior and passive behavior as well.
Hey @MikeK,
There is probably a bit to unpack here before we want to start suggesting specific solutions.
First is for us to understand whether these users you are trying to monitor are currently working as standard users, or whether they still have admin accounts they are either logging in with or using for the ‘Run as’ action.
Assuming they are (or maybe were) working under an EPM policy, have you deployed our standard ‘QuickStart’ template, and if so, which workstyle do these users typically fall under? Also, how long have you had EPM deployed for?
Finally, where you are getting this pushback from users that EPM is “getting in the way”, have they given you examples of the impact?
Whilst Akshay’s suggestion can be useful to understand the privilege requirements of applications, and may be a mechanism we could consider using - it may not be the easiest or most effective path forward.
Hi @Akshay Sharma - These are all essentially using wildcards for file names, code base, publisher, etc. I had looked at these initially when starting down this journey, but I was curious if that is what other customers have leveraged, or if they came up with their own method to track those use case elevations.
Hi @Paul - To provide the additional clarity, these are users who have local admin rights on the machines (unfortunately). Some of these users absolutely refused to have EPM installed (a battle that I will win over time when I enable agent protection and they can’t uninstall it ever).
My organization has had EPM installed for a few years, though it was unfortunately just slapped in to replace local admin rights with giving everyone the ability to elevate applications. I was hired to take over the maturation of the product and help to push it forward into a High, Medium, Low flex standpoint. However, I need to start to get an understanding of the usage of the individuals who are constantly leveraging an exception process so that I can take those applications into consideration.
The few that have provided examples of EPM getting in the way I have been able to negate and prove it's not actually EPM, or when it is, it's that EPM was misconfigured in a way that was causing the issue to start with.
I’ve never really had to worry about what others are elevating as former companies were very strict with what applications you could even elevate and 99% of the employees had zero need to elevate applications.
Hi @MikeK, sorry for the delayed follow-up!
As you can probably imagine, the challenges you describe aren’t new or unique - but they tend not to all come at once. However, you do have the advantage of your previous experience, so you know what is possible.
If you can engage with your more challenging users (even a small group) and work with them on meeting their requirements, that can be a powerful way of handling objections which might come from others - “if I can meet the exacting requirements of that team/user, we can certainly solve for yours”.
If you can move the user to be a standard user I think you would find a lot of value in the ‘QuickStart’ template (if you aren’t currently using that), as it will help you isolate privilege exceptions based upon their characteristics. You can then isolate those events in the analytics system and use that to drive your policy forward - you can do that without presenting any user messaging, but equally you can prompt for user feedback to help capture whether their activity is a one-off or is more of a routine operation.
Trying to monitor true administrators using EPM is possible, but it is challenging for several reasons - so whilst it might be better for the end-users, it creates a lot more work for you and likely isn’t scalable due to the analysis workload it will create for you (there is plenty of false positive data which gets produced because of how UAC handles certain applications).
Hope that’s helpful!
Recently I began a journey to leverage EPM as a logging method for those pesky “Workstation Admin Exceptions” for users who feel the EPM agent gets in their way while doing work.
Essentially, I have a policy that has everything set to Passive so that EPM can detect the elevations and log them for me, but not affect the end user’s ability to “Run as Administrator”.
I am curious if anyone else has done something like this as well, and if I am going down the right track.
I still have a few things to cover, but I wanted to get a feel for what others have done to capture those delicate metrics that are needed.
Hi Mike.
Have you ever considered using Password Safe in your environment?
The EPM Client and Password Safe can integrate and allow some of those “pesky” users to run an application with a true admin account, but in the context of a Vaulted account from Password Safe which they are never going to see the password on. Loads of other options with EPM and PWS integration.
I would love to hear why you had to grant admin rights back.
Privilege Monitoring is legacy and gives some false positives; it was used to build a policy from scratch, which the QS policy has for sure resolved.
Jens
Hey @MikeK, you’ve already had some great suggestions and feedback. I wanted to chime in and let you know we are working on a feature called JIT Admin. This will give users you specify the ability to request local admin via PM Cloud or your ITSM, and you can then grant them temporary admin rights. Although not as good as removing admin completely, it should still mean you can reduce the attack surface and give the users what they need (or what they think they need). What do you think?
I assume this group you are talking about are devs? I’m interested to know what reasons they give for deleting EPM and whether you think they are valid?
Hi @James Allan, would you be able to share tentative timelines for this feature's availability in PM Cloud? Also, will this have only an approval-based workflow, or will it be configurable (e.g. in cases where a user has to be added as a JIT admin immediately, we can temporarily move them to a computer group or user-based policy where they get this access with password authentication)? This may not be the ideal setting from a security standpoint, but it can provide some time for IT/Sec teams to troubleshoot and tune EPM policies while at the same time allowing the user to proceed with their task. These users currently have admin rights. Some use cases involve custom-built apps that may not behave in a standard way, but availability of these systems and the said apps/processes is paramount vs the user being a temporary or even permanent admin.
My organization just went live with Password Safe around April and is still working towards further implementations. As for why we have had to give admin rights back, it is due to several legacy applications using things like the .NET 3.5 installation (really the only app I haven’t been able to get to function correctly with EPM, yet...). I’ve been pushing my organization into changing how things are handled and constantly challenging why things are being done a certain way, to push them into further consideration of several other things, like expanding Password Safe usage as an example, and further zero trust with EPM. Lots of moving parts, and I am unfortunately the only resource the company has for EPM.
@James Allan I look forward to seeing how the JIT Admin will be done. I know the user group has my information and knows I am always eager to test out concepts and provide feedback. It's possibly something I may have already had an early peek into, and if not, I’m sure they will reach out accordingly. :)
And yes, it's the dev team that I have noticed constantly deleting EPM from their machines. I’m working on agent protection to stop this, and right now I have a running deployment through MS Configuration Manager with the EPM Client and Adapter as required installations. We are working on getting a hybrid setup with Intune where I will be having that package moved over to the Intune side to ensure the application is on their machines. I’m really just trying to get insight into what they are elevating so that I can work towards resolving their issues; however, getting them to communicate with me has been a challenge over the past 6 months. Like BT, my organization has different branches of development, some of which don’t talk outside of their circles :D