
Elevate Privileges


Overview

Granting Administrative Privileges to Standard Users

Certain Windows applications and desktop functions require local administrative privileges in order to run and function properly on a desktop or laptop. Granting Full Administrator Rights creates a less secure desktop environment and opens the door for malicious hackers and viruses, so organizations consider granting Administrator Rights to standard users to be risky. It also breaches compliance regulations imposed by the Sarbanes-Oxley Act and HIPAA. Additionally, the US Government Federal Desktop Core Configuration (USGCB/FDCC) mandate stipulates that administrative rights cannot be granted to end users and may not be made available on federal desktops and laptops.


Privilege management and application control tools can also be used together as a compensating control for giving users administrative rights, and this would have value for both locked and unlocked users, because some applications don't require administrative rights to install.
Gartner: The Cost of Removing Administrative Rights for the Wrong Users
27 April 2011 | Terrence Cosgrove


Migrating to Windows 7? Thinking about Locking Down Your Desktops? Do it the right way.

Flexible Implementation Methodologies

Viewfinity Privilege Management can be implemented through our SaaS/Cloud platform or via your on-premise servers as a private cloud, or as an extension to Group Policy, enabling policies to be managed through the standard Group Policy Management tools.

Discover Desktops with Administrator Rights

The Viewfinity Local Admin Discovery is a free tool that allows you to discover user accounts and groups that are members of the local “Administrators” built-in user group on computers in your Windows domain. Learn more about this tool and how to download it.

How It Works

Viewfinity elevates administrative rights for specific processes or applications rather than at the user account level. When permissions are raised, the elevation is performed directly within the security token of the specific user process. The application or process is started with the current user's credentials, as opposed to RUN AS, which needs the Administrative account in order to raise privileges. The RUN AS method potentially introduces security risks, and it causes issues for changes that are written into the current user registry.
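The registry point above can be checked from inside any process: HKEY_CURRENT_USER normally maps to the hive of the account that owns the process token, not the account logged on at the desktop. The PowerShell below is an added example, not Viewfinity code; the function name `Get-TokenContext` is hypothetical, and it assumes the `explorer.exe` in the current session belongs to the logged-on user.

```powershell
# Added example: report whose token this process runs under and which
# registry hive HKEY_CURRENT_USER therefore maps to.
function Get-TokenContext {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    # True only when the Administrators group is enabled in this token.
    $adminActive = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # Assumption: explorer.exe in this session is owned by the logged-on user.
    $sessionId = (Get-Process -Id $PID).SessionId
    $shell = Get-CimInstance Win32_Process -Filter "Name='explorer.exe'" |
        Where-Object { $_.SessionId -eq $sessionId } |
        Select-Object -First 1

    $desktopSid = $null
    if ($shell) {
        $owner = Invoke-CimMethod -InputObject $shell -MethodName GetOwnerSid
        if ($owner.ReturnValue -eq 0) { $desktopSid = $owner.Sid }
    }

    # Leave the comparison empty when the desktop owner could not be read.
    $sameUser = if ($desktopSid) { $desktopSid -eq $identity.User.Value } else { $null }

    [pscustomobject]@{
        TokenUser        = $identity.Name
        TokenSid         = $identity.User.Value
        AdminTokenActive = $adminActive
        DesktopUserSid   = $desktopSid
        HkcuHive         = "HKEY_USERS\$($identity.User.Value)"
        SameAsDesktopUser = $sameUser
    }
}

Get-TokenContext | Format-List
```

Run under RUN AS with a separate administrative account, the two SIDs differ and HKCU writes land in the administrative account's hive; a process started with the current user's credentials, as the page describes, reports matching SIDs.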

What have the experts learned about locking down desktops? David Chernicoff, Microsoft MVP, shares what he’s learned, as well as knowledge shared with him, regarding The Top 10 Best Practices for Locking Down Corporate PCs.

Try it now for 14 days. In four easy steps and in less than ten minutes, the software can be installed and ready for evaluation.

Need to ensure USGCB/FDCC Compliance? Download this brochure: Viewfinity FDCC Compliance: Desktop Lockdown with Flexible Privilege Management

Real-time Privilege Elevation

All elevation rules are applied in real time and do not require users to cycle through the log on process. Viewfinity doesn't require desktops to be part of the domain or to be attached to the corporate network in order for privilege elevation policies to be delivered. Reports can be used to monitor the status of policies being applied.

ActiveX Controls

Another restriction imposed in least privilege environments is the inability of non-administrative users to install approved ActiveX controls. IT administrators may continue to operate endpoint devices in a least privileges mode and use Viewfinity Elevate Privileges to grant administrative rights for installing:

  • ActiveX controls
  • Signed ActiveX controls
  • ActiveX controls from specific URLs
  • ActiveX controls from specific Publisher and version

Printer Installations

For organizations with locked down environments, trivial end user tasks such as installing or removing printers become a burdensome IT support task. Viewfinity Elevate Privileges allows IT administrators to grant permissions for non-administrative users to install and remove printers. IT administrators no longer need to get bogged down with requests that an end user should be able to handle without IT intervention.

61% of organizations lock down their desktops
Only 12% use a privilege management product
*Survey conducted in Dec 2009, 272 respondents

Granting Administrator Rights for Applications and Scripts

Viewfinity solves the end-user administrative privileges problem by supporting a locked down least privileges environment that allows IT administrators to have granular control over which desktops and laptops can operate with administrator rights. There is no need to jeopardize your network by granting full privileges to every user just so they can run a business application that requires administrative privileges. With Viewfinity's Elevate Privileges functionality, IT Professionals can manage and assign administrative privilege permissions to specific applications and desktop functions without granting full administrative rights. In some scenarios, administrators may need to execute scripts on the client machine. Under normal circumstances this would require administrative rights in order to run. Using Viewfinity Privilege Management, administrators can create policies that will execute scripts without needing to assign local administrator rights to the end user.

Identifying Applications that Require Administrative Rights

Our Application Admin Rights Analysis silently gathers information and monitors which applications, processes, and administrative actions will require administrative permission before users are removed from the local admin group. This information is based on end user activity and is collected over a period of time to ensure all events are captured. Once the collection and analysis are completed, policies to elevate privileges can be automatically created and prepared in advance so that when administrative rights are removed, the policies are in place to ensure a non-disruptive move to least privileges.

Here is an example of a completed Application Admin Rights Analysis presented in the Local Admin Rights Usage Statistic dashboard graph:


The report image above shows the following:
  • Events marked in Green represent events which have been identified from user activities on previous days.
  • Events marked in Red represent newly discovered events that require Admin rights.
  • Readiness indicator: when the discovery bar is mostly green, the system has collected the majority of events requiring administrative permissions. This indicates you are ready to use the Viewfinity Policy Automation Approval feature and automatically build policies based on the events discovered.

Computer Management Functions

Occasionally end users may require administrator rights in order to perform PC service/management functions such as Device Management, Disk Defragmenter, Manage Services and User Accounts & Shares. With Viewfinity these tasks can be run by standard users by elevating administrator privileges to perform the specified management functions.

Support for Mobile Workers

Viewfinity does not require laptops or desktops to be part of the Active Directory domain or to be directly connected to the corporate network in order to activate policies that manage administrator privileges. As soon as the PC connects to the internet, Viewfinity delivers the policies and rules established by the IT Administrator. Once delivered, all policies continue to be enforced even while working offline.

There are several categories of users for whom organizations struggle to define appropriate control policies. Traveling notebook users are the most common example; others might be developers or engineers. Traveling notebook users are more likely to need to install drivers, plug-ins and other software as part of their job. They are more likely to be on the road and have a need to do self-support. They are also, generally, likely to be more technically savvy and less receptive to IT control. Finally, they are more likely to be employees whose time is more valuable to the business.
Gartner: The Cost of Removing Administrative Rights for the Wrong Users
27 April 2011 | Terrence Cosgrove

Intelligent Reporting through Policy Auditing

Viewfinity provides detailed reporting on all administrator privilege policies, including an audit trail report that provides confirmation that a policy has been delivered and activated on endpoint devices. This includes validation of policy delivery to mobile and remote users, to a single computer or a group of computers, and/or for a specific application.

Viewfinity Support for Delegated Security

Viewfinity products provide delegated management control to support the needs of your various IT roles and staff members. The primary Viewfinity Administrator account has authorization to manage all computers in the organization. This primary account can create separate computer subsets based on departments, regions, and other criteria and assign management control of these subsets to specific individuals. Each subset administrator can deploy agents, apply policies, and report on computers which fall under his/her management.

Viewfinity supports two levels of system management accounts. Full control system management accounts have complete access to product features such as the ability to create, stop, start, and modify policies; deploy agents; and monitor activity. Read only accounts are targeted at subset administrators who require “review only access”, including activities such as viewing reports and monitoring policy and asset management reports, reviewing computer connectivity status, etc.

Running Web Applications that Require Administrative Permissions

There are instances when a website requires administrative permissions in order to operate successfully. Viewfinity provides the ability to create policies that will elevate privileges for specific URLs. Web Application policies are activated on the client PC, just like other policies. When the user browses to an elevated URL, the user will be presented with a window asking to start another browser window, which will be opened with elevated privileges. Only this window has the rights to run the application requiring administrative rights.

Reducing Admin Rights for Privileged Users and other Custom Tokens

Viewfinity provides granular level control of application privileges, including the ability to create policies that will reduce permissions for Privileged Users on specific applications and tasks.

This is done through the Custom Tokens option which provides the ability to set a specific level of privileges to certain applications and processes when a policy is created. For example, when a user is logged on as an administrator, a policy can be created to reduce rights for a specific application to Standard User. By default several tokens are created: Administrator, Power User, and Standard User. In addition, custom tokens can be created.

 












