Hello and welcome to a new blog post series covering Endpoint Privilege Management (EPM) and the challenges (and benefits) related to managing user privileges. Over the next several weeks, I’ll be covering various aspects of what we at Set Solutions have learned evaluating and deploying EPM products to address this exact issue. Topics will include:
- What is EPM?
- What should I know before shopping for a solution?
- What are some of the evaluation criteria?
- Should I do a proof-of-concept and how?
A question CISOs bring to us frequently is, “how can I revoke local administrator rights from my users without severely impacting their job?” If your organization is struggling with this challenge, please be assured that you are not alone. There are ways to lock down end-user workstations without them lining up outside your office with pitchforks and torches.
Before digging into the topic, though, let’s go through a quick level set.
What is “administrative access” and why is it a problem for Information Security teams?
All operating systems, be it Windows, Linux or Mac OS X, have the concept of administrative access. Depending on the operating system, users with this level of access go by different names such as Administrator, Super-User or Root. In short, this access allows the user to bypass and/or disable most if not all security mechanisms in the operating system, granting them the “keys to the kingdom”. That makes it a prime target for malware and other attacks.
If administrative access is so dangerous, why shouldn’t I just revoke it?
While the nuclear option is certainly attractive, there are legitimate business needs for “admin rights” (poorly written applications, help desk staff needing to install software, a server administrator troubleshooting an issue, a VIP installing iTunes, etc.). Taking away admin privileges without considering the repercussions will lead to ineffective users, upset VIPs, stressed-out help desk staff, and hamstrung desktop/server administrators. Essentially, the quickest way to get the masses lined up outside your office is to get between what they need to do and what they can do.
Fine, so how do I address this problem without taking a long walk off a short plank?
There are several solutions, both commercial and built-in, that provide more granular control than a blanket “no more admin access” edict. These products are by their very nature highly complex and have very deep hooks into the operating system they’re tied to. They are designed to grant administrative rights to a user only under very specific circumstances and only for as long as those rights are necessary.
It should be emphasized that implementing an EPM solution is not just a “run setup and click through the installation wizard” deployment. Considerable up-front research, cooperation from IT administrative staff, and executive buy-in are all mandatory parts of a successful implementation. Choosing a commercial product over the OS’s built-in controls will reduce some of the legwork, but at the end of the day an EPM solution is no substitute for good administrative control.
Okay, so where do I go from here?
That’s a great question! In my next blog post, I’ll be covering:
- How do Endpoint Privilege Management solutions work?
- What do I need to know about my environment to deploy one?
- What are some of the capabilities of solutions designed to address this challenge?
I’m looking forward to working through this topic with you. In the meantime, if you need help with this topic right now, please feel free to contact us for assistance.
This blog was written by Brett Wyer, Senior Solutions Architect, at Set Solutions.