Privilege Management
In this section:
- About Privilege Management
- Privilege Management vs Run As
- Technology
- Benefits of Privilege Management
About Privilege Management
Privilege Management enables enterprise IT departments to reduce access control privileges on a per user, group, application, or business rule basis. It ensures users have only the rights they need to fulfill their job and access the applications and controls they require, and nothing else, which improves desktop stability, security and productivity.
With Privilege Management, access to applications and tasks is controlled dynamically: user privileges are adjusted on demand, in response to user actions. For example, administrator privileges can be applied to a named application or Control Panel component for a particular user or user group, either by elevating the privileges of a standard user to administrator level for that application, or by dropping the privileges of an administrator to those of a standard user account.
Privilege Management allows you to create reusable privilege management policies that can be associated with rule sets and can elevate or restrict access to files, folders, drives, file hashes, and supported Control Panel components specific to an operating system.
Privilege Management allows you to apply the principle of least privilege. This principle requires that users are provided the minimum privileges to do their job, without giving the user full administrator privileges. The experience is seamless to the user.
Common Tasks that Require Administrative Privileges
In order to fulfill their roles, users may need to perform a number of tasks that need administrative privileges. A solution must be provided to allow these tasks to be performed; otherwise the user cannot complete them and has to fulfill their role without them. These tasks can include:
- Installing printers
- Installing certain hardware
- Installing particular applications
- Operating applications that require administrative privileges
- Changing system time
- Running legacy applications
Privilege management allows the user to perform these tasks by elevating a user to have specific administrative privileges.
Privilege Management vs Run As
Many users, particularly knowledge workers, use the Run As command to run applications. Users can perform their daily tasks running with least privilege and, as required, use the Run As command to run a task under the context of a different, more privileged user. This, however, requires that a user has two accounts: a standard account for day-to-day work and an administrator account for elevation.
A common problem when using Run As is that the administrative password becomes known throughout an organization. For example, an administrator may give the administrator password to a user so that they can use the Run As command to fix a problem with their computer. The password is then commonly passed around, creating security risks that nobody planned for.
An additional problem with Run As is how software actually interacts with it. Run As executes an application or process under the context of a different user. Therefore, that application or process does not have access to the logged-on user's HKEY_CURRENT_USER hive in the registry.
This hive is where the user's profile data is stored, and access to it is restricted to the account that owns it. An application or process running under the context of a different user therefore cannot read or write the logged-on user's profile settings, which causes some applications not to function. Running under the context of a different user can also cause problems reading and writing network shares, because share and file permissions are evaluated against the account the process runs as. The user's own account and the Run As account may not have the same access to those resources.
Run As and UAC
Windows includes features that let a user work without administrative privileges and elevate only individual applications or processes. These are the Run As command and User Account Control (UAC).
Although these features do allow users to run without administrative privileges most of the time, they still require the user to have access to an administrator account to perform administrative tasks. This limitation means these features are more appropriate for administrators: an administrator can log on as a standard user and use the administrator account only for administrative tasks.
Because the user must provide the credentials for a local administrator to use Run As and UAC, this creates a number of concerns. For example:
- A user with access to an administrator account must be trusted not to abuse those privileges.
- Applications running with administrative privileges now run under the context of a different user. This can cause problems, for example, these applications do not have access to the actual user's profile or network shares, as described in the Privilege Management vs Run As section.
- Two passwords are required, one for the standard account and one for the administrator account, and the user must remember both. Keeping one account secure is already challenging; keeping two secure is more so.
Technology
In a Microsoft Windows computing environment, every process is assigned a security token (access token) when it is created as part of the application launch process. This token records the user account, group memberships and privileges the process holds, and the operating system uses it to decide what the process may do when it interacts with the operating system or other applications.
When Privilege Management is configured to manage an application, the token assigned to that application is dynamically modified to have its permissions elevated or restricted, so the application runs with exactly the rights the policy allows, or is blocked.
The User Rights Management mechanism handles process startup requests as follows:
- A User Rights Policy is defined in the configuration rule and applies to applications or components:
  - The Application list can include files, folders, signatures or application groups.
  - The Components list can include Control Panel components.
- When a process is created by the launch of an application or other executable, the Application Control hook intercepts the process and queries the Application Control agent whether elevated or restricted rights are required to run the process.
- The agent checks whether the configuration assigns elevated or restricted rights and, if so, requests a modified user token from the Windows Local Security Authority (LSA).
- The hook receives the modified user token from the Windows LSA, which grants or removes the necessary privileges, and the process runs with that token. Otherwise, the process runs with the existing user token and the user's normal rights.
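The token that the hook and the LSA exchange is the same kind of access token every Windows process carries. As an added example, not code from the product or its documentation, the following PowerShell function reports what that token contains for the process it runs in. The function name Get-ProcessSecurityContext and the output field names are this example's own, and it assumes Windows PowerShell 5.1 or later with whoami.exe on the path. Run it three ways and compare the output: from a normal console, from an elevated console, and from a console started with Run As under another account. The elevated run shows the Administrators group enabled and additional privileges; the non-elevated run on an administrator account shows the same group marked "deny only", which is the UAC filtered token, the same restricted-token idea the Technology section describes; and the Run As run shows a different account, SID and HKEY_CURRENT_USER hive, which is the profile mismatch described under Privilege Management vs Run As.

```powershell
# Added example, not part of the product documentation. Reports the security
# context of the PowerShell process it runs in: the account behind the token,
# whether the Administrators group is enabled or present "for deny only" (the
# UAC filtered token), the enabled and disabled privileges, and which
# HKEY_USERS hive HKEY_CURRENT_USER resolves to for this process.
function Get-ProcessSecurityContext {
    [CmdletBinding()]
    param()

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # whoami.exe exposes the per-group token attributes that the .NET wrapper
    # hides. In a UAC-filtered token the Administrators group (S-1-5-32-544)
    # is still listed but marked "Group used for deny only", so IsInRole()
    # returns $false even though the account is an administrator.
    # Note: column headings are localized on non-English Windows.
    $groups      = whoami.exe /groups /fo csv | ConvertFrom-Csv
    $adminsGroup = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $adminsState = 'absent'
    if ($adminsGroup) {
        $adminsState = if ($adminsGroup.Attributes -match 'deny only') { 'deny-only (UAC filtered token)' } else { 'enabled' }
    }

    # Privileges such as SeDebugPrivilege or SeTakeOwnershipPrivilege only
    # appear in an elevated (full) token; a standard token carries a handful.
    $privileges = whoami.exe /priv /fo csv | ConvertFrom-Csv
    $enabled    = @($privileges | Where-Object { $_.State -eq 'Enabled'  } | ForEach-Object { $_.'Privilege Name' })
    $disabled   = @($privileges | Where-Object { $_.State -eq 'Disabled' } | ForEach-Object { $_.'Privilege Name' })

    # HKCU is an alias for the HKEY_USERS subkey named after the token's user
    # SID. A Run As process therefore sees the Run As account's hive, not the
    # logged-on user's, which is why some applications misbehave under Run As.
    $userSid    = $identity.User.Value
    $hiveLoaded = Test-Path -LiteralPath "Registry::HKEY_USERS\$userSid"

    [PSCustomObject]@{
        Account             = $identity.Name
        UserSid             = $userSid
        IsElevated          = $principal.IsInRole($adminRole)
        AdministratorsGroup = $adminsState
        EnabledPrivileges   = $enabled
        DisabledPrivileges  = $disabled
        ProfilePath         = $env:USERPROFILE
        HkcuHive            = "HKEY_USERS\$userSid"
        HkcuHiveLoaded      = $hiveLoaded
    }
}

Get-ProcessSecurityContext | Format-List
```

The script only inspects the token a running process already has; it does not build one. The product's agent does its work earlier, at process creation, by obtaining a modified token from the LSA before the hook lets the process continue, so a process it manages would report the elevated or restricted state above without the user ever having logged on with, or typed the password of, an administrator account.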
Benefits of Privilege Management
The main benefits of Privilege Management are:
- Elevation of User Privileges for Running Applications - Use Privilege Management to specify the applications that run with administrative rights. The user does not hold administrative credentials but is still able to run the application with the rights it needs.
- Elevation of User Privileges for Running Control Panel Applets - Many roaming users need to perform tasks that need administrative privileges, for example installing printers, changing network and firewall settings, changing the time and date, and adding and removing programs. All of these tasks require certain Control Panel components to run as administrator. Use Privilege Management to elevate privileges for the individual components only, so that a non-administrative standard user can make the changes their role requires.
- Reducing Privileges to Restrict Application Privileges - Some users are given administrator accounts but should still run specific applications as a standard user. An application that runs as an administrator, for example Internet Explorer, lets the user change many undesirable settings, install applications and potentially expose the desktop to the Internet. Use Privilege Management to run such an application, for example Internet Explorer, with standard user rights even when the user is an administrator, thus safeguarding the desktop.
- Reducing Privileges to Restrict Access to System Settings - Use Privilege Management to let a higher-level system administrator stop an administrative user from altering settings they should not change, for example the firewall and certain services, by reducing administrative privileges for those specific processes. Although the user has administrative privileges, the system administrator retains control of the environment.
Related Topics
Configuration Settings Privilege Management