Privilege Elevation
Once admin rights are removed from endpoints, users may need to run certain apps with admin rights. This can be accommodated through dynamic privilege elevation scenarios.
Note
If the configuration to enforce multi-factor authentication during privilege elevation is enabled, users will be required to go through the authentication steps at the time of privilege elevation.
Privilege Elevation Scenarios
There are primarily three scenarios related to privilege elevation for standard users:
- Elevating privileges for applications in accordance with a control policy
- Requesting privilege elevation for new applications
- Requesting time-limited, temporary admin access
Scenario 1: Elevating privileges for applications in accordance with a control policy
Standard users using policies to run applications that would normally require admin rights
You can run applications with admin privilege in two ways:
1) Context Menu (Right-click the application)
2) Using Run Command (Command Prompt)
Option 1: Elevating by Right-clicking (Context Menu)
Standard users can run/use an application that would normally require administrator rights anytime on-demand by right-clicking the respective application.
The context menu of all executables (.exe files) / applications will have an option named “Run with Securden Privilege”. You need to click that to get elevated privileges. However, Start menu executables will not have this option.
When you try to open Start menu and control panel items, the UAC prompt will open and along with it, a Securden prompt will pop up. The users may simply click Proceed and elevate the executable file, provided the user is allowed to elevate the file through an application control policy.
Security Verification (one-time activity per session)
For security reasons, to ensure that it is indeed the authorized user who is trying to access, Securden requires users to go through a verification process as explained below. This is a one-time activity per session. Immediately after clicking the menu option Run with Securden Privilege, users will be prompted to enter the following:
- User’s login credentials (the credentials used by the user to access the endpoint and NOT administrator credentials. If you are trying elevation as a standard user, you need to enter your login credentials).
- Multi-factor Authentication: The users will have to complete the multi-factor authentication step that is enforced in the organization.
Option 2: Using Run Command (or) Command Prompt
You can use the Run command or Command Prompt by prefixing the exact command with the text “secudo”.
Example: secudo cmd
Note
Every time during the first-time login to the endpoint, the users will have to authenticate once by entering their login credentials (the credentials used by them to access the endpoint).
Scenarios 2 & 3: Just-in-Time Privilege Elevation
Scenario 2: Requesting privilege elevation for new applications (that are not covered in policies already)
Scenario 3: Requesting time-limited, temporary full administrator access
When users need access to the applications that are not a part of a privilege elevation policy already, they can raise a request for accessing that specific application alone.
Sometimes, users might require administrator access for a temporary time period. Even in the case of granting temporary administrator access, only the applications are elevated for standard users.
However, the main difference is that there will not be any restrictions on the applications that are to be run. These two scenarios are handled through a well-defined workflow.
Users will have to raise a request and go through an approval workflow to get elevation privileges. Administrators will review the request and grant privilege elevation. There are provisions for granting auto approvals to smoothen the workflow. This was explained in the policies section earlier.
Raising Elevation Requests
Requests to access a specific application or to get time-limited, temporary administrator access can be raised in two ways:
- Using Securden Tray Icon
- By logging in to Securden web-interface
Option 1: Using Securden Tray Icon
Once you install Securden agents on endpoints, the Securden tray icon will be visible on all endpoints and servers.
When you click the tray icon, two options will be displayed. The option ‘Request Admin Privilege’ pertains to raising a request to gain elevated rights. When you click that, you will see the following popup:
You will see two options:
- To raise a request for admin access to a specific application: In this case, you need to browse and select the application to be run with admin privilege. Once you submit, your administrator will review the request and approve.
- To raise a request for time-limited administrator access: In this case, you need to specify when you require access. Once you submit, your administrator will review the request and approve.
You can check the approval status of your request by clicking the option View approval status.
Option 2: Through Self-Service Portal
The second option is to log in to the web interface and raise the request. To do this, navigate to the Privileges >> Request Privilege tab in the GUI. End users will directly see the self-service request portal upon logging in to the product.
This option will come in handy to get elevated privileges for applications on domain members using your account. You can request elevated privileges on any of the domain members for your account.
Gaining Privilege Elevation
The process to run applications with elevated privileges is the same as the one explained for Scenario 1 above.
Monitor Changes to Domain Admin Group
Manipulating a domain administrator group could make the organization susceptible to security risks. You can create a scheduled task to get notified if there is any modification to the domain administrator groups. When new members get added to or removed from the domain administrator groups, you will get notified about the change.
Navigate to Admin >> Security >> Domain Administrator Groups to perform this action.
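The check such a scheduled task performs can be cross-checked independently. The following is an added example, not Securden's code: it compares the current Domain Admins membership against a saved baseline and reports additions and removals. The function names, the baseline path and the sample accounts are assumptions made for illustration.

```powershell
# Added example (not part of the product). Names, path and sample data are hypothetical.

function Compare-GroupMembership {
    param(
        [string[]]$Baseline = @(),
        [string[]]$Current  = @()
    )
    # -notin compares case-insensitively, which suits sAMAccountName values
    [pscustomobject]@{
        Added   = @($Current  | Where-Object { $_ -notin $Baseline } | Sort-Object -Unique)
        Removed = @($Baseline | Where-Object { $_ -notin $Current }  | Sort-Object -Unique)
    }
}

function Get-PrivilegedGroupMembers {
    param([string]$Group = 'Domain Admins')
    # Needs the ActiveDirectory module (RSAT). -Recursive expands nested groups,
    # so an account added through a nested group is reported as well.
    Get-ADGroupMember -Identity $Group -Recursive |
        Select-Object -ExpandProperty SamAccountName
}

$baselinePath = 'C:\ProgramData\GroupWatch\domain-admins.txt'   # hypothetical path

if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $current  = @(Get-PrivilegedGroupMembers)
    $baseline = if (Test-Path $baselinePath) { @(Get-Content $baselinePath) } else { @() }
} else {
    # Constructed sample data so the comparison runs without a domain
    $baseline = @('Administrator', 'alice.admin')
    $current  = @('Administrator', 'alice.admin', 'svc-backup')
}

$diff = Compare-GroupMembership -Baseline $baseline -Current $current

if (($diff.Added.Count + $diff.Removed.Count) -gt 0) {
    Write-Warning ("Domain Admins changed. Added: [{0}] Removed: [{1}]" -f `
        ($diff.Added -join ', '), ($diff.Removed -join ', '))
} else {
    Write-Output 'Domain Admins membership matches the baseline.'
}
# The baseline file is deliberately not rewritten here: update it only after
# a reported change has been reviewed, otherwise the next run hides it.
```

With the constructed sample data, the script warns that svc-backup was added and nothing was removed.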