With a background in computer science and graphic design, Sophie is a passionate writer and communicator of all things technical.
Hailing from New Zealand, she provides documentation and research, commentary, and analysis on current cybersecurity topics at Fasttrack Software.
The Problem with Privileged Access
Whether you’ve got 25 endpoints or 25,000 in your organization, every local administrator account presents a weak spot. With admin access comes a significant degree of power; users can do just about anything on the endpoint – things which can affect other users and the wider network. This is often necessary for trusted users such as IT admins or developers, but if privileged access is obtained by a bad actor… you’ve got problems. Lateral movement, privilege escalation, undetected presence, exfiltration of data, and installation / execution of malicious software become very real possibilities once a hacker has administrative access.
The solution is to prevent hackers from gaining privileged access, and a sure-fire way to do that is to lock down your local admin accounts so that only trusted users have admin access.
It sounds simple, but removing local admin rights is a tricky minefield to navigate. Revoking your users’ admin rights is essentially taking away a tool that they had before, and probably used on a daily basis. Doing so will likely be met with great offence, outrage, and some strongly worded emails. Then there’s the effect on user productivity and resources. Standard users are unable to perform even simple installations of trusted software, and it will fall on Help Desk personnel to attend to every frivolous beck and call.
Finding a balance between security and user productivity when it comes to locking down local admin rights requires a special tool – and that’s where we come in.
Admin By Request is a Privileged Access Management (PAM) solution based on the Principle of Least Privilege: the idea that all users should operate as standard users, only gaining elevated privileges on an as-needed, Just-In-Time basis, rather than having admin access by default.
How It Works
The solution is installed on endpoints and managed via the online User Portal. From here, privileges can be granted to specific users or groups, and revoked from others. All settings can be tailored to meet your organization’s specific needs, be that a focus on security (i.e., tighter restrictions) or a focus on productivity (more lenient settings). Whatever your focus, the primary function of Admin By Request is to revoke local admin rights, while still allowing users to gain privileged access as required using the self-service application on their device.
The way this is done is with the Requests feature. Users can Request to either run a single application as admin, or have a temporary administrator session, during which time they can undertake several administrative tasks. These Requests are sent to the User Portal along with details of the Request (i.e., what and why) to be approved or denied.
When users are granted their requested access, the Auditlog page in the User Portal records all privileged activity undertaken during the session, such as software installations and applications run.
Other pages within the User Portal include the Inventory, which collects information about all of your devices such as location, installed applications, and operating systems, and the Reports page, which can be used to generate and categorize key pieces of data.
Other key features include:
- Machine Learning – Instead of Pre-Approving a huge number of applications ahead of time, let this feature build the list for you as the applications are being used.
- AI Approvals – Allow our Artificial Intelligence engine to decide which applications are safe to be auto-approved for you.
- Device Owner – Set the predominant user of a device as the ‘owner’ and lock it down to that user if desired.
- Break Glass Account (LAPS replacement) – Create a new, temporary, one-time-use Administrator account on an endpoint, which Audits all elevated activity and terminates within a pre-defined amount of time or on log out.
- Events and Alerting – Set up Alerts to trigger for certain Events, such as suspicious activity or administrator logins.
- Clean Up Local Admins – View and manage all local admin accounts from a single place, with the ability to remove / restore individual local admins or entire groups in one click.
- Malware Scanning – Scan and detect suspicious files using the 35+ anti-malware engines comprising OPSWAT’s MetaDefender Cloud API.
You can integrate Admin By Request with a range of existing workflow and security software tools, such as ServiceNow, Slack, Microsoft Sentinel, and Power BI. We also integrate with the SCIM protocol to allow provisioning of users from your existing IdP (e.g., Azure AD or Okta). Admin By Request offers all core features in versions for Windows, macOS, and Linux OSs.