Lock down your windows to stay safe
31:10
See how you can restrict actions on windows systems using the Privilege Manager for Windows
Learn More
Show Transcript
Hide Transcript
Hello, everybody, and welcome. My name is Holger Weihe. I'm working for the One Identity Research Department, and I'm coming today to you from the wonderful city of Berlin. I'll be hosting this session. So stay tuned for the latest news. I hope you enjoy it, so let's start. Welcome to the session, Lock down your windows to stay safe. This will be about the Privilege Manager for Windows, which will help you to secure your Windows-based systems that, even if you access it with some kind of privileged account, you will be further regulated and you will have some kind of lease privilege management system implemented.
The Safeguard Privilege Manager for Windows is based on the standard Active Directory Group Policy management system. So we will define a privilege policy that will be a group policy and it will be distributed and edited and managed like any other group policy in Active Directory, as well. It will contain application exclusion lists, it will include application allow lists, and it may offer you something that is called temporary session elevation, where you can request some kind of passcode that would allow you to run for a definite time, special applications or a set of applications.
To support you more in handling all the security and the privileged applications in your environment, it offers some kind of privileged application discovery, where it sits down in the background doing nothing, but just simply collecting information about privileged applications or applications that are run with higher privileges. So that in the end it will provide you a list where you can build your security policy upon. Once everything is configured, you even could remove all local administrators from your environment that will allow you that nobody has administrator rights on your systems, and anything is controlled via your Windows Privilege Manager policy.
To do compliance, there is an extensive set of reporting available so that you can generate reports about [INAUDIBLE] everything, what's going on in your environment based on the security policies and the restriction initiating from the Safeguard Privilege Manager for Windows. So let's see the product in action. So let's talk about the Windows Privilege Manager, we may have already seen that we can secure things on UNIX, now let's have a look on the Windows side.
I'm here back to my standard administrative workstation, and I will fire up something that is called the Privilege Manager for Windows. This is this over here. I just have to confirm that I will run the Run It with an administrative account. I am currently logged in as a standard user. And now the interface starts, and it's checking and connecting with the so-called Privilege Manager server, it's based on a database. It will use the Microsoft SQL server. It may download the express version of the Microsoft server, if you don't already have it.
If you haven't already deployed Microsoft SQL server, the configuration task can be used to configure Privilege Manager to use this database server, as well. The first thing you see here is about the interface, it is written for KACE. KACE is one of the business units of Quest, and it hasn't been rebranded to something, like Safeguard for instance. So we've going to refer here as the KACE Privilege Manager for Windows or simply as the Privilege Manager for Windows.
The first thing you have to do is about-- you have to set up this configuration for the server and the Privilege Manager. And you will be guided through the required task with a very nice [INAUDIBLE] it. First of all, you have to select the domains. And in this case, I have only one domain, it's my 1q2w tech domain. We need, then, to create a group policy object with the settings for the Privilege Manager, and we need to configure a server.
The server is something here that you see, that is the server. The server is used to collect all the data from the database server, and is then used to give you access to this group of policy configuration thing. It will be used to set up the rules and, of course, it will be used to generate reports, which is then based on the Microsoft SQL reporting services that will be part of your Microsoft SQL server that is deployed even if you install this client-server thing here, or if you use an already existing server.
So after you have selected the domains, you have to create a GPO, or you have to configure the server, whatever you think. Let's start with the configuration of the server. And I already have done this to show you something, so in this case here, this is called Win Admin, this is my local system I'm just currently connected to. So all the user-- so all the services and systematics that I used to make this Privilege Manager run, this management interface here, are deployed on my workstation. And it talks to the database that is running on a different server.
After you have done this, you can create Group Policy Objects, and I already have created one, but this is pretty much empty. So in this case here, we are going to see you can select here on the menu what are the Group Policy objects with Policy Settings, so that you can go through all the group policies on your Active Directory server to identify specific ones that have been configured to use this Policy Manager with the appropriate settings. You usually find them here in the Group Policy Objects, this is the default. Your options may differ.
I have it left to default, so it is here, P M, for my Group Policy object. And once you have opened this, or created a new one, you can link it to the appropriate place in your domain structure. I was really lazy so I just linked it to the root of the domain structure, so it will apply to all the objects and structures that are down this route. Of course, you can, or you should do different, in your real-life scenario.
Once this has been configured, the first thing you know is to create a new rule. And there are several types of settings that you have to configure if you want to do this. The first one is the Privilege Elevation Rules. This Privilege Elevation Rules will describe who is allowed to elevate what program to run with administrative or extended privileges. So for instance, if you click on the New Rule, you can then create your own rule, or you can select one of these predefined templates that are part of the product. So they will be delivered with that product.
And for instance, if you want to have the Performance Monitor or some kind of other things, you could use this. So, for instance, let's select a common rule from this list, and go for the Device Manager. Click on Next. Now you have a description, this is just by default. And the type is in here, as is in this example, is defined as the path to the executable. There are a couple of other things, you can have a folder, you can have ActiveX, you can have installers, you can have scripts, and something like that.
And, of course, there are other options to select, depending on the appropriate selection made before. So you can check the certificate, for instance, in that executable, if you can verify this just to prevent people from running unsigned or unverified, untrusted binaries. You can have a specific file version, you can have a file hash that refers to integrity. So if the hash file differs with the executable or with the file you have on your workstation or whatever this file is run, then this executable may be tampered, maybe by a virus, who knows. Or it has been somehow modified, or it has only been updated and you don't have your policies [INAUDIBLE] but doesn't matter.
If you do this, you may run it or may not run it, depends on you. But you can check multiple things to guarantee the integrity and the stability of your system. And then you can select if this is a user-centric policy or is it applied to a computer system. Let's have it here as the user policy, and click on Next to go for these various things. Here you can add additional security context from other groups from your Active Directory, under which permissions this is to be run. To make it easy, just do Administrators group.
And in the Validation Logic you can decide how the Policy Manager should decide if this is to apply to a system, to a specific version of the system, or if you go to more validation logic rules, you can now add your specific rules. So maybe, for instance, you want to have it for a dedicated user, because we have selected a user policy in the first go. So click on the OU, for user, or maybe for a specific user name, then you could say, OK, if a user belongs to a specific OU, or if you want to have a dedicated user name, or if you want to have a dedicated user group, this really depends on your security concept.
I would make it easy, and I will go for a user name. In this case, I have just to select here the plus sign. Oh, yeah, sure. The interface may not be 100% clear, at least I am just struggling a little bit with that, to be honest, but once you're getting familiar, you may get how this really works. So in this case, you just have to click on this Select button, and then you may want to select a user. I will use Alice, so check the name. Now is Alice here? And I can select Alice. And then I have to select OK.
Don't click on the plus button again, it will modify the already existing entry. So in this case, click on OK to make it available here in the logic rule. So it just says if the user is Alice, fine. Maybe you want to add another logic rule here, and you want to say, OK, maybe I want to have the computer name to make it a dedicated user on a specific computer system. So let's see what we can use here. We have our PM for Win Client. Let's check the name here on our computer, and click on OK.
So now the logic is if the user's Alice, and the computer is the PM for Win Client system, then this will apply. Looks good, looks easy, straight forward, yeah, give it a try. Click on Next. And now you can have privileges. Don't ask me what all these privileges mean. I haven't seen a very good documentation on that. I have started to check all these privileges from the Microsoft Perspective, but I'm really not an operating system programmer who really can judge on all these things. I would talk to the real experts on this.
And I think I'm pretty much convinced you will have it all in your company. So if you just go with the default, that should be, pretty much, OK. So simply select on Next, and let this be default again, and then click Finish. And now it tells me that my license will expire in a year. OK, that's fine, because this is just a demo license, not something that you have bought. If you bought something, that message will not appear.
So now you have created your first rule. This is called Device Manager, it is applied to my user, Alice, and my computer PM for Win Client, and let's check out how we can run this. First thing, before you do this, click on Save, otherwise you may hop on to your client and test it. But you will be surprised that nothing happens, because this has not been saved, so it wasn't applied already. So in this case, click on Save. But before this, we are going to check out a couple of other things.
So if you have something that allows you to run an application with dedicated-- I love this word, I'm not a native speaker, you know. So if you run this, via this rule, to define which application needs to be, or maybe a run with elevated privileges, there is, of course, the backside, as well. And this is called, here. I have already defined one here for this Deny list-- so this is Allow list, this is a Deny list.
In this case, it is Notepad Plus Plus, it's an application I've installed on my client. And this is of type Folder to the Executable, this is the folder where usually the Notepad file is installed. And my validation logic goes for a Windows 10 workstation, and it applies to all users that are logged into the computer PM for Win Client. So all these users will log into their client, are not allowed to run the Notepad Plus Plus with elevated privileges.
Or not only with elevated privileges, they are not allowed to run this executable at all, it will be completely blocked because this is a Deny list. So let's click on Finish. And then click on Save. Before we do that, let's have a look on the Advanced Policy Settings. Here you can define a couple of other things that, overall, disable or enable features. The first one is Data Collection Settings. Data Collection Settings is-- if you want to have reporting or data and something you can have some kind of log files, you need to enable the Data Collection.
And the Data Collection Settings need to have a server where this data is sent to. So in this Group Policy, you are defining, you will define for the Windows Privilege Manager agent that gets installed on the system where it should send the data into it if things are elevated, if things are blocked, and all the activity logs that should be forwarded to something, you should give it the address of your Privilege Manager server, not the database server, but where the front end lives.
OK, here it is. And then you can just click on the Validation Logic and have other things here. By the way, this is just some of the information to your server that you can have reporting. OK, finish this. The other one is the Client Deployment Settings. Of course, if you want to deploy your Privilege Manager in your environment, and if this is already using group policies of Active Directory, why not simply use the Group Policy Mechanism in Windows to deploy the software?
This is what is defined here. So in this one, it's just to say, OK, install a client when it's not there. And so even if you want to delete it, it will be instantly reinstalled so you cannot get rid of it. The other one is Self-Service Elevation Request Settings. This is something that you can request something to be run with elevated rights, if you don't have the current permission. And then it may be sent to an administrator who is responsible for granting you access, who needs to process this request, or just denied a request, that can happen, as well.
And we have a special setting, as well, here that is the Privileged Application Discovery Settings. This is something that is really useful, if you do not really know what your privileged applications in your environment really are. So you can instruct the Privilege Manager to run over a certain period of time to track which application are run with elevated privileges. And then it will generate a dedicated report that you can later look into and then start to create your rules upon these results you have received, so that you don't need to get something done, or just to look into all your systems to find out what are really the applications that need to be run with elevated rights.
So Product Manager will help you and discover these settings, as well. Once you have defined all of this, simply click on Save. That's really important, otherwise nothing is deployed, nothing is set, and, as I said, you may be surprised nothing happens on your client. Once you have done this, we're going to have a look on our client. So let's have a look here. Let me just close this one here. And close this one here. Well, maybe just simply log in from the beginning.
So you will see your log in screen. You want to log in as Alice, in my example. And I guess I have mistyped the password? No, I didn't. Yay. This says my network server is not available at the [? command ?] room. That doesn't hurt at the moment. So this is my Alice user with the standard desktop. And you see there's already the Notepad Plus Plus file available and a little bit of mail and something that works in the background, whatever.
So when I tried to execute the Notepad Plus Plus system, I double click on it, I'm going to see this error message. This is pretty hard to say, it looks like a real severe problem, but this is really caused by the Privilege Manager agent which has suppressed the start of your application because you have a Deny list. If you see here in our list, there is a Deny list, and your Notepad Plus Plus is not allowed to run for you as a user on that server. And this is exactly the case, you are Alice, you are on that server, so you're not allowed to run this Notepad Plus Plus.
So how to circumvent this? You could do the following. If it is configured, of course, this is called Self-Service Elevation. So you can click on the right here, and you see that Elevate symbol in your menu bar available. So if you click on that, it will give you that form, and you can now try to ask your administrator that they should generate-- or that they give you approval for run these applications, or they should set up appropriate rule that you were allowed to run this application.
So here-- you're going to see-- say that we say OK. I must run Notepad Plus Plus to do my job. OK, my firewall is off, not good for demo, not good for production, but good for demo. OK, so submitted. There is the capability to configure this a little bit in the policy settings of the Privilege Manager, and the address of your user is fetched from your Active Directory data. So in this case, please keep your data in your Active Directory accurate.
So let's submit it. And now you can wait until this is processed. So let's switch back to our administrator, and I am the administrator here. And I have a little nice mail icon over there. There's already one here, but I think that is an old request. Well, let's see where this is. No, this is not the current one, it's an old one. So we can simply delete it. Now the new one came in, you see it here. So let's click on that, and now it is the mail Alice just generated by raising this self-service request form. You see there is the information that I typed in, I must run Notepad Plus Plus to do my job, it's OK.
And this is just a notification that there is something to be done for me. This is nothing you can process in an email client. You need to go to the Privilege Manager server here. And to see what's really on your list, here is something that is called Self-Service Elevation Requests. If you click on that-- and you can just have a couple of filters applied or do your own, whatever you want. If you just use the default ones, that is about here, like a local filter. And if you want to modify it, you can just OK Request Application Type, Date-Time of Elevation Requests, so maybe you just want to see the requests of the late 30 days, something like this.
So it says, now, you have a request made to the reporting system to provide you any kind of elevation requested application to be run in elevation in the last 30 days. So let's click on Display Requests, and here is the request that Alice has just sent in. So it is just for the Notepad, that's the Notepad, that's the path of the process, here's the reason that was provided by Alice. That's the user name and the request date.
So to process this any further, click on the Process Request. And now you have this box here over there. This is, again, the data, and if you click on Next, you can now approve or deny the request. If you approve it, you will create a rule that will be automatically modified and filled with the appropriate values based on the request made to allow execution of that. If you just click on Deny, the request will be simply denied and nothing will happen.
So if you want to approve it, click on the Next. And, yep, I'll send the following email response to my user, if you want. That the user knows, OK, there is something being done for me at the current moment. Here we go, so just click on Finish. And, of course, you can just type in any text you want. And now you're being taken back to the Elevation Rule Wizard. And to make this happen just click on Next, then you have this one, click on Next, click on Next.
And if you see the validation logic now is automatically populated-- it's a little bit more as I have done in my Deny list-- click on Next. Click on Next. Click on next Select the policy it will be assigned to, you may have multiple of it. Click on Finish and that's it. It's automatically saving in this point, that's the difference when you do it manually. And if you go back to your policy, to check what has happened, and you click on your policy, this is the blacklist-- no, blacklist is a bad word, the Deny list.
And if you click here, there is the Self-Service Request file that has now been created from the incoming request. The thing you need to know, a Deny list overrules all Allow list entries. So to make this really happen, you just simply have to delete this one here, otherwise it will not work. So always check your a Deny list, if you are doing something, because there is-- when there is a blacklist, it will overrule it, whatever you do on the Allow list, so just check it. OK, to make it work, save it.
And now our modification has been done, so if you go back to the user, and the user is checking their email, here you'll see that the request is being approved. That is the thing I sent back as the administrator, following my Wizard. And now-- can close this-- I can just simply run this. No, I cannot run this. Why I cannot run this? This is easy, because the policy has not been refreshed.
So let's do-- what was it called? GP update force, this should be usually happening automatically after a certain time or if you log out, log in. I'll just give it a kick to speed up things. Here we go. I'll let it run now, and you'll see, now it's working. No, we don't want it. And now it's running with elevated privileges under the Administrator account.
This was just a simple example of what Privilege Manager can do for you. Of course, there are multiple options here, especially in the Reporting and so on and so on. And one of the other things I will just show you, as well, there is a Passcode Manager. And one of the features you can do is-- if you click on here and show something, and you click on this here and show Temporary Session Elevation, you can request an elevation passcode from your administrator that allows you to run each and everything for a certain time, or maybe a dedicated set of applications.
If you don't have it, you can simply request it, as you have done before. Submitted, go back to here, go to the Temporary Session Elevation Requests, see the notification, generate the report, now you have this request here, and you can then request something.
You can then create a session ticket that you can save. And then you can just give it here, in the Passcode Manager. You can now create a new one, and you can create special things. I have just preconfigured one here, and then you can send this file to the user so they can load it and execute. Straightforward, very easy.