Privilege Discovery Mode
Privilege Discovery Mode is accessed from the Privilege Discovery Mode node under the Configuration navigation button. It monitors endpoints to identify applications that use administrative privileges. A web service collects the data and relays it to the Privilege Discovery Results work area in the Application Control Console. The collected data can be used to simplify the creation of an appropriate Application Control configuration and to produce reports.
Privilege Discovery Mode is intended for use during a discovery or pilot phase, so a maximum of 500 endpoints is recommended, depending on hardware specifications.
In this section:
- Web Services
- Configure Privilege Discovery
- Configure Privilege Discovery Mode
- Configure Privilege Discovery Advanced Settings
Web Services
Application Manager Web Services is installed on any selected machine as part of the Application Control installation. It is a lightweight component that does not require typical server tools such as IIS or SQL Server. Although Application Manager Web Services installs without any need for configuration, the default configuration can be amended using the HttpCfg or Netsh tools. Once installed, the service runs in the background when Privilege Discovery is configured and monitors client endpoint activity, tracking details such as the applications that use administrative rights, the names of the users running those applications, and the name of the endpoint each application was launched from.
The results of the tracking are displayed in the Application Manager Console in the Privilege Discovery Results work areas, where they can be used to generate reports and create Application Control configurations.
For more information, see Web Services Configuration.
Configure Privilege Discovery
Privilege Discovery is configured using the Privilege Discovery Mode node, accessed from the Configuration button in the navigation pane, and is activated by selecting Enable Privilege Discovery Mode.
The Privilege Discovery Mode work area contains:
- Setup - Use the Setup area to specify the server name and location that the Application Control Agent uses to contact the service. You can also choose when data collection is to finish by selecting the date and time in the End Time field.
It is recommended that the end time is set far enough ahead to maximise the number of applications captured and therefore improve control of the administrative rights used on your network.
- Endpoints - Allows you to specify the endpoints from which the data is collected. To specify endpoints from individual deployment groups or work groups, right-click in the Endpoint area and select Add Endpoint.
- Advanced Button - Use the Advanced button to configure the Privilege Discovery advanced features. These include the communication port used by Privilege Discovery Mode and the frequency with which the collected data is fed back to the Application Manager Web Service.
The Privilege Discovery Mode ribbon allows you to add or remove endpoints when the Privilege Discovery Mode node is selected in the Configuration navigation pane. Use the Add Endpoint button to specify an endpoint to collect data from. The Remove Endpoints option provides you with the facility to remove a highlighted endpoint so that it will no longer be monitored.
Configure Privilege Discovery Mode
- Select the Configuration navigation button.
- Select the Privilege Discovery Mode node.
- In the work area, select Enable Privilege Discovery Mode.
The Privilege Discovery Mode options become available.
- In the Server name field, select the ellipsis (...) to browse for the Application Control Web Server to be used. The name of the server can also be entered manually into the field.
- In the End Time field, specify the date and time that the server will stop gathering application information.
- To specify particular endpoints to be monitored, right-click in the Privilege Discovery work area and do one of the following:
- Select Browse Deployment Group to locate the deployment group to be monitored.
- Select Browse Domain/Workgroup to locate the domain or specific workgroup to be monitored.
If no endpoints are added to the work area, data will be collected from every configured endpoint.
- If required, advanced settings can be configured using the Advanced button.
- Save the configuration.
Configure Privilege Discovery Advanced Settings
Advanced settings are optional and allow you to configure Privilege Discovery further by providing the facility to specify the types of connection and the specific communication ports. You can also choose how often the Application Control Agent updates the Analysis Server with the gathered data by entering the time in minutes.
- In the Privilege Discovery Mode work area, select the Advanced button.
The Privilege Discovery Advanced Setup dialog displays.
- Select one of the following options to send data from the endpoint to the Analysis service:
- HTTP - Select this to use the standard application protocol and enter the port number you require.
- HTTPS - Select this to use the secure application protocol and enter the port number you require.
Data is sent from the Analysis Server to the console via SOAP, which uses HTTP.
- To change how often the agent updates the Application Manager Web Server, enter or select the interval in the Update Every field. The default setting is 60 minutes.
- Click OK.
Begin gathering the privilege discovery information by deploying the configuration to each of your endpoints.
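The following PowerShell check is an added example, not part of the product documentation. Run on the machine hosting Application Manager Web Services, it reports whether the port entered in the Advanced Setup dialog has a URL reservation and, for the HTTPS option, a certificate binding. It assumes the service listens through HTTP.sys, as the reference to HttpCfg and Netsh suggests; the function name Get-HttpSysPortState and the port 8443 are placeholders, not product values.

```powershell
# Added example, not product code. Assumes the web service listens through HTTP.sys.
function Get-HttpSysPortState {
    param(
        [Parameter(Mandatory)]
        [ValidateRange(1, 65535)]
        [int]$Port
    )

    # URL reservations: which prefixes (and schemes) are registered for this port.
    $urlAcl  = (& netsh http show urlacl)  -join "`n"
    # Certificate bindings: which ip:port or hostname:port pairs have a TLS certificate.
    $sslCert = (& netsh http show sslcert) -join "`n"

    # Match on the values, not the labels, so the check also works on localized Windows.
    $prefixes = @([regex]::Matches($urlAcl, "https?://[^\s/]+:$Port/\S*") |
        ForEach-Object { $_.Value } | Sort-Object -Unique)
    $bindings = @([regex]::Matches($sslCert, "(?m):\s(\S+:$Port)\s*$") |
        ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique)

    $httpsReserved = [bool]($prefixes -like 'https://*')
    $httpReserved  = [bool]($prefixes -like 'http://*')

    $finding = if ($bindings) {
        'Certificate binding present: the HTTPS option can be used on this port.'
    } elseif ($httpsReserved) {
        'HTTPS prefix reserved but no certificate binding: agents using HTTPS cannot complete TLS.'
    } elseif ($httpReserved) {
        'HTTP only: application, user and endpoint names are sent unencrypted.'
    } else {
        'No reservation or binding found; the service may listen without one, so confirm the port.'
    }

    [pscustomobject]@{
        Port         = $Port
        ReservedUrls = $prefixes
        SslBindings  = $bindings
        Finding      = $finding
    }
}

# 8443 is a constructed sample value; use the port set in the Advanced Setup dialog.
Get-HttpSysPortState -Port 8443 | Format-List
```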