Policy Automation
Overview
Viewfinity triggers the tipping point for broad adoption of endpoint lockdown through our breakthrough method for managing administrative rights. With our newest software release, there is no reason to grant users administrator rights. Our built-in automation and innovation now provide organizations with the ability to implement fully transparent, automatic privilege management, raising endpoint protection through privilege management to a low maintenance, fundamental and necessary layer of security.
Control and Manage Policy Proliferation
Viewfinity can automatically aggregate privilege policies based on similar user needs so the number of policies that need to be created and managed is reduced by an order of magnitude. The product intelligently scans a Windows environment and identifies common user privilege needs across the organization. This is done by automatically detecting attempts to use or install applications or perform tasks requiring administrator rights. These events for elevated privilege needs are aggregated and a single policy is created that can be used across the organization or for a collective group of users.
Streamlining Ad-Hoc Privilege Requests from End Users
While 90-95% of your privilege management needs and policies will be established and implemented well ahead of time, for those exceptions, and there are always exceptions, Viewfinity offers a method for IT administrators to streamline privilege elevation requests from end users. Once the applications requiring administrator rights have been discovered using our Applications Rights Analysis and Automatic Policy Aggregation process, we provide two automated methods for handling ad-hoc requests. For users, groups or applications that require more control over which privilege elevation requests should be authorized, we provide a workflow authorization option to create the appropriate policy and approve the privilege elevation request on the fly. For power users or those who are often working remotely, we have an on-demand option that allows for self-elevation to handle one-off requests. Self-elevation or policy automation via authorization workflow is highly configurable and can be enabled by user, group, or by type of request.

Pre-Discover Applications Requiring Elevated Permissions
For those organizations that have not yet removed administrator rights, we help you prepare for this switchover and establish policies to accommodate user needs. Our Application Admin Rights Analysis silently gathers information and monitors which applications, processes, and administrative actions will require administrative permission before users are removed from the local admin group. This information is based on end user activity and is collected over a period of time to ensure all events are captured. Once the collection and analysis are completed, policies to elevate privileges can be automatically created and prepared in advance so that when administrative rights are removed, the policies are in place to ensure a non-disruptive move to least privilege.
Here is an example of a completed Application Admin Rights Analysis presented in the Local Admin Rights Usage Statistic dashboard graph:
The report image above shows the following:
- Events marked in Green represent events which have been repeatedly identified based on user activities on previous days which are now “flagged” and categorized for policy elevation.
- Events marked in Red represent newly discovered events that require Admin rights.
- Readiness indicator: when the discovery bar is mostly green, the system has collected the majority of events requiring administrative permissions. This indicates you are ready to use the Viewfinity Policy Automation Approval feature and automatically build policies based on the events discovered.

Policy Automation powered by Zero Touch Technology
Viewfinity’s Policy Automation is the automatic detection and capture of the need for elevated permissions, combined with the ability to create the appropriate policy and authorize the privilege elevation request on the fly. IT Administrators have the option of allowing standard users to self-elevate permissions when they’re needed, or they can require the user to use an automated workflow approval process to request the elevated permissions. Automating the privilege elevation request process and creating the appropriate policies on the fly saves a great deal of time for both the IT Administrator and end user.
Elevated Rights As Required
Selectively elevates rights only for those applications that truly require administrative rights. This option is used when a company wants to elevate all applications signed by a specific software publisher that require administrative rights but not those applications which do not require elevated rights. For example, Microsoft’s Notepad does not require admin rights so Viewfinity would not elevate privileges for Notepad – it would remain locked down. Another example of this “only as required” technique can be applied for elevating all applications signed by Google which require admin rights such as browser toolbars, and eliminating exposure to the security risk loophole that occurs when elevated permissions are granted to an application that does not require them, such as the Google browser.

On-demand Self-Elevation of User Permissions
Administrators can create flexible Self Elevation policies that allow users to start specific actions that require elevated permissions, such as installations, application launches, administrative actions, and ActiveX controls. This allows the end user to install a particular application or perform a task that requires elevated permissions on demand, with no approval required. You can elect to replace the Windows UAC dialog box with a customized Viewfinity dialog box so the user can enter a business justification for using this particular application. This enhanced feature is particularly helpful for audit trails and compliance reporting.
Approval Required For Requests to Elevate Permissions
When an end-user tries to run a particular application or perform a task that requires elevated permissions, the Viewfinity Agent automatically detects this and opens a dialog box where the user can enter his business justification for using this particular application.
The Viewfinity Agent routes the request to the IT Administrator via the Viewfinity Console, or by way of a report or an email. The IT Administrator can approve and activate the policy and elevate the privilege on the fly. Prior to approval, the IT Administrator can review the business justification provided by the end user as well as information about the application or task from the computer/user that initiated the request. Information related to Applications, ActiveX, Administrative Tasks, Scripts, etc. is automatically collected during the Policy Automation process. Policies are automatically created without manual intervention. End users receive email notification when the policy has been created.
Policy Automation Modes:
Administrator: Silent discovery of applications and processes requiring administrative rights. In this mode clients have local administrative rights and the Viewfinity Agent performs discovery and then transfers events from multiple PCs to the Viewfinity Policy Automation Console. This method is used to collect statistics on which applications require admin rights before the rights are removed.
Standard User: Discovery of applications and processes requiring administrative rights on computers where users are not local administrators. This method can be used after admin rights are removed for ongoing policy event monitoring after default policies have been established. Optionally, the “Ask for Justification” option can be enabled to prompt users to provide the reason why elevated access is required.