Elevate Privileges
Overview
Viewfinity helps organizations manage least privilege environments by controlling end user and privileged user rights for applications and/or reducing permissions for privileged users. Along with this core competency, we provide the most comprehensive solution available for tracking and auditing all privileged and administrative activities and elevated privilege policies across an organization's entire infrastructure, from Windows-based endpoints, to servers, virtual machines, cloud/SaaS, and remote-based endpoints. Viewfinity can be implemented via our SaaS platform, through on-premise servers, or within Group Policy.
Granting Administrative Privileges to Standard Users - How It Works
Viewfinity elevates administrative rights for certain processes or applications rather than at the user account level. When permissions are raised, the elevation is performed directly within the security token of the specific user process. The application or process is started using the current user's credentials, as opposed to using RUN AS, which needs the administrative account in order to raise privileges. The RUN AS method potentially introduces security risks, as well as issues for changes that are written to the current user's registry.
What have the experts learned about locking down desktops? David Chernicoff, Microsoft MVP, shares what he’s learned, as well as knowledge shared with him, regarding The Top 10 Best Practices for Locking Down Corporate PCs.
Real-time Privilege Elevation
All elevation rules are applied in real time and do not require users to cycle through the log on process. Viewfinity doesn't require desktops to be part of the domain or to be attached to the corporate network in order for privilege elevation policies to be delivered. Reports can be used to monitor the status of policies being applied.
Another restriction imposed in least privilege environments is the inability for non-administrative users to install approved ActiveX controls. IT administrators may continue to operate endpoint devices in a least privilege mode and use Viewfinity Elevate Privileges to grant administrative rights for installing:
- ActiveX controls
- Signed ActiveX controls
- ActiveX controls from specific URLs
- ActiveX controls from specific Publisher and version
For organizations with locked down environments, trivial end user tasks such as installing or removing printers become a burdensome IT support task. Viewfinity Elevate Privileges allows IT administrators to grant permissions for non-administrative users to install and remove printers. IT administrators no longer need to get bogged down with requests that an end user should be able to handle without IT intervention.
Privilege Control for Data
Viewfinity offers a unique capability which extends the traditional application and task privilege management policies to control permissions by granting or denying permissions on files, folders, shares, and registry keys from a centralized management console. A typical use case would be if you are supporting a group of power users who frequently require the ability to update certain files which require administrative access. You can simply manage privileged access to this data for a specific group of PCs or user accounts. No need to connect to any of the PCs remotely or to write scripts.
Granting Administrator Rights for Applications and Scripts
With Viewfinity's Elevate Privileges functionality, IT Professionals can manage and assign administrative privilege permissions to specific applications and desktop functions without granting full administrative rights. In some scenarios, administrators may need to execute scripts on the client machine. Under normal circumstances this would require administrative rights in order to run. Using Viewfinity Privilege Management, administrators can create policies that will execute scripts without needing to assign local administrator rights to the end user.
Identifying Applications that Require Administrative Rights
Our Application Admin Rights Analysis silently gathers information and monitors which applications, processes, and administrative actions will require administrative permission before users are removed from the local admin group. This information is based on end user activity and is collected over a period of time to ensure all events are captured. Once the collection and analysis is completed, policies to elevate privileges can be automatically created and prepared in advance so that when administrative rights are removed, the policies are in place to ensure a non-disruptive move to least privileges.
Here is an example of a completed Application Admin Rights Analysis presented in the Local Admin Rights Usage Statistic dashboard graph:
The report image shows the following:
- Events marked in Green represent events which have been repeatedly identified based on user activities on previous days which are now “flagged” and categorized for policy elevation.
- Events marked in Red represent newly discovered events that require Admin rights.
- Readiness indicator: when the discovery bar is mostly green, the system has collected the majority of events requiring administrative permissions. This indicates you are ready to use the Viewfinity Policy Automation Approval feature and automatically build policies based on the events discovered.

Computer Management Functions
Occasionally end users may require administrator rights in order to perform PC service/management functions such as Device Management, Disk Defragmenter, Manage Services and User Accounts & Shares. With Viewfinity these tasks can be run by standard users by elevating administrator privileges to perform the specified management functions.
Support for Mobile Workers
Viewfinity does not require laptops or desktops to be part of the Active Directory domain or to be directly connected to the corporate network in order to activate policies that manage administrator privileges. As soon as the PC connects to the internet, Viewfinity delivers the policies and rules established by the IT Administrator. Once delivered, all policies continue to be enforced even while working offline.
There are several categories of users for whom organizations struggle to define appropriate control policies. Traveling notebook users are the most common example; others might be developers or engineers. Traveling notebook users are more likely to need to install drivers, plug-ins and other software as part of their job. They are more likely to be on the road and have a need to do self-support. They are also, generally, likely to be more technically savvy and less receptive to IT control. Finally, they are more likely to be employees whose time is more valuable to the business.
Gartner: The Cost of Removing Administrative Rights for the Wrong Users
27 April 2011 | Terrence Cosgrove

Intelligent Reporting through Policy Auditing
Viewfinity provides detailed reporting on all administrator privilege policies, including an audit trail report that provides confirmation that a policy has been delivered and activated on endpoint devices. This includes validation of policy delivery to mobile and remote users, single or group of computers and/or for a specific application.
Viewfinity Support for Delegated Security
Viewfinity products provide delegated management control to support the needs of your various IT roles and staff members. The primary Viewfinity Administrator account has authorization to manage all computers in the organization. This primary account can create separate computer subsets based on departments, regions, and other criteria and assign management control of these subsets to specific individuals. Each subset administrator can deploy agents, apply policies, and report on computers which fall under his/her management.
Viewfinity supports two levels of system management accounts. Full control system management accounts have complete access to product features such as the ability to create, stop, start, and modify policies; deploy agents; and monitor activity. Read-only accounts are targeted at subset administrators who require “review only access”, including activities such as viewing reports and monitoring policy and asset management reports, reviewing computer connectivity status, etc.

Running Web Applications that Require Administrative Permissions
There are instances when a website requires administrative permissions in order to operate successfully. Viewfinity provides the ability to create policies that will elevate privileges for specific URLs. Web Application policies are activated on the client PC, just like other policies. When the user browses to an elevated URL, the user will be presented with a window asking to start another browser window, which will be opened with elevated privileges. Only this window has the rights to run the application requiring administrative rights.
Reducing Admin Rights for Privileged Users and other Custom Tokens
Viewfinity provides granular level control of application privileges, including the ability to create policies that will reduce permissions for Privileged Users on specific applications and tasks.
This is done through the Custom Tokens option which provides the ability to set a specific level of privileges to certain applications and processes when a policy is created. For example, when a user is logged on as an administrator, a policy can be created to reduce rights for a specific application to Standard User. By default several tokens are created: Administrator, Power User, and Standard User. In addition, custom tokens can be created.

Flexible Implementation Methodologies
Viewfinity Privilege Management can be implemented through our SaaS/Cloud platform or via your on-premise servers as a private cloud, or as an extension to Group Policy, enabling policies to be managed through the standard Group Policy Management tools.
Discover Desktops with Administrator Rights
The Viewfinity Local Admin Discovery is a free tool that allows you to discover user accounts and groups that are members of the local “Administrators” built-in user group on computers in your Windows domain.
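The same kind of inventory can be taken by hand on a single machine. The following PowerShell is an added example, not Viewfinity's code or tool: it lists the members of the local Administrators group on the computer it runs on and flags entries for review. The `Get-LocalAdminAudit` function name, the `Review` column, and the baseline that treats only the built-in Administrator (RID 500) and Domain Admins (RID 512) as expected are assumptions of this example.

```powershell
# Added example: audit membership of the local built-in Administrators group.
# Requires Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).
function Get-LocalAdminAudit {
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators; using the
    # SID avoids depending on the localized name of the group.
    $adminGroupSid = 'S-1-5-32-544'

    try {
        $members = Get-LocalGroupMember -SID $adminGroupSid -ErrorAction Stop
    } catch {
        # Enumeration can fail, for example when the group contains an orphaned
        # SID of a deleted domain account; report it instead of silently
        # returning an empty (and misleading) result.
        Write-Warning "Could not enumerate ${adminGroupSid}: $($_.Exception.Message)"
        return
    }

    foreach ($m in $members) {
        $sid = $m.SID.Value

        # Assumed baseline for this example: the built-in Administrator account
        # (RID 500) and the Domain Admins group (RID 512). Everything else is
        # flagged so it can be justified or removed.
        $expected = $sid -match '^S-1-5-21-.+-(500|512)$'

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = $m.Name
            Type     = $m.ObjectClass      # User or Group
            Source   = $m.PrincipalSource  # Local, ActiveDirectory, ...
            SID      = $sid
            Review   = -not $expected      # hypothetical column name
        }
    }
}

# Show flagged entries first.
Get-LocalAdminAudit | Sort-Object Review -Descending | Format-Table -AutoSize
```

Entries with `Type` of `Group` need their own membership reviewed as well, since every account nested in such a group is also a local administrator.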