
Privilege Management

Sectona EPM allows System Administrators to group together Applications that will be elevated as required, provided they meet one or more of the following criteria:

  • Applications that originate from a trusted source, such as a Software Distributor, an Updater, a Network Location or an Installation Package Publisher

  • Applications that belong to a specific Product

  • Applications installed by a specific User or Group, for example a designated user or user group (such as IT staff who resolve End-user requests) trusted to perform maintenance operations on End-user Computers

Trusted Sources permit approved Applications to run and let an organization create a tightly monitored environment that complies with the Least Privilege principle: most End-users are defined as Standard Users, and the permission level of specific processes is raised temporarily so that they can execute approved Applications.

This section contains:

Managing EPM Libraries

Sectona EPM offers full visibility of your desktop/server environment by continuously monitoring regular Applications that can be executed in the standard user context. EPM also provides detailed information about which Applications require administrative rights. This information helps you decide which divisions of your organization should be granted different rights on desktops. The justification for elevating user privileges, either per Application or by granting administrative rights, can vary by individual user or group of users. Even within the same division, a hierarchy of employees may exist and the rights can differ. The types of Application supported in EPM are:

  • Application EXE

  • WindowsInstaller MSI

  • ManagementConsole MSC

  • PowerShellScript PS1

  • VBScript VBS

  • BatchFile BAT

Adding a library into EPM

To add a library in EPM, follow the steps given below:

  • Login to Sectona as an administrator

  • Switch from PAM to EPM by clicking on the symbol and selecting End Point Management (EPM) from the drop-down list

  • Go to Policy→ Application Library → +Add Application

  • Provide the required details:

    • Application Name: Provide the name of the application

    • Description: Provide a suitable description

    • Application Type: select the type of the application from the drop-down list

    • Publisher Name: Specify the publisher name of the application

    • Digital Signatory: Specify the Digital Signature of the application

    • File Name: Specify the executable file name

    • File Directory: Specify the path of the executable file

    • Hash Values SHA256: Specify the SHA-256 hash of the application file, if available. The hash pins one exact build, so it must be updated when the application is upgraded; File Name and File Directory on their own are weaker identifiers, since any user who can write to that directory can place a different binary under the same name

  • Make sure to tick the Active checkbox and click on Save.
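The following PowerShell snippet is an added example, not Sectona's code, showing how to collect the values for these form fields from a reference copy of the application on an endpoint before transcribing them into the library. It assumes Windows PowerShell 5.1 or later, takes Digital Signatory to mean the signing certificate's thumbprint (the form does not define the field), and uses a hypothetical file path.

```powershell
# Added example (PowerShell 5.1+, not Sectona's code): gather the identifiers the
# EPM Application Library form asks for from a binary on a reference endpoint.
# Assumptions: 'Digital Signatory' is taken to be the signing certificate's
# thumbprint, and the sample path used below is hypothetical.
function Get-EpmLibraryFields {
    param([Parameter(Mandatory)] [string] $Path)

    $file = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

    # Map the extension to the Application Type names used in the EPM drop-down.
    $type = switch ($file.Extension.ToLowerInvariant()) {
        '.exe'  { 'Application EXE' }
        '.msi'  { 'WindowsInstaller MSI' }
        '.msc'  { 'ManagementConsole MSC' }
        '.ps1'  { 'PowerShellScript PS1' }
        '.vbs'  { 'VBScript VBS' }
        '.bat'  { 'BatchFile BAT' }
        default { 'Unsupported' }
    }

    # Publisher = CN of the signer's subject, as shown on the file's Digital Signatures tab.
    $publisher  = $null
    $thumbprint = $null
    if ($sig.SignerCertificate) {
        $cn = ($sig.SignerCertificate.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' })[0]
        $publisher  = $cn -replace '^CN=', ''
        $thumbprint = $sig.SignerCertificate.Thumbprint
    }

    [pscustomobject]@{
        'Application Name'   = $file.BaseName
        'Application Type'   = $type
        'Publisher Name'     = $publisher
        'Digital Signatory'  = $thumbprint
        'Signature Status'   = $sig.Status   # Valid, NotSigned, HashMismatch, ...
        'File Name'          = $file.Name
        'File Directory'     = $file.DirectoryName
        'Hash Values SHA256' = $hash
    }
}

$fields = Get-EpmLibraryFields -Path 'C:\Program Files\Vendor\tool.exe'   # hypothetical path
$fields | Format-List

# File Name and File Directory alone are weak identifiers: anyone who can write to that
# directory can drop a different binary under the same name and have it elevated. Rely on
# the SHA256 hash (pins one exact build) or a Valid publisher signature (survives updates).
if ($fields.'Signature Status' -ne 'Valid') {
    Write-Warning "Signature status is $($fields.'Signature Status'); identify this application by its SHA256 hash rather than by name or path."
}
```

Run it on a clean reference machine rather than on a user's endpoint, so that the hash and signature you record describe the build you actually intend to elevate.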

Updating a library in EPM

If you want to update/change library details, you can click on the library's name, and a form will appear. Make the necessary changes. Click on the Update button. This action will update your library.

Deactivating a library in EPM

To deactivate a library, follow the given steps:

  • Login to EPM as an administrator

  • Go to Policy→ Application Library

  • Click on the library you want to deactivate

  • Uncheck the Active checkbox

  • Click on Save 

You can again activate the library by checking the Active button and saving the configuration.

Deleting a library in EPM

To delete a library, follow the given steps:

  • Login to EPM as an administrator

  • Go to Policy→ Application Library

  • Click on the library you want to delete

  • Click on the Delete button

  • A pop-up will appear on the screen for confirmation, click Yes and this will delete the library from the EPM

Please note that deleted libraries cannot be accessed again, as this action deletes the data permanently.

Managing AD Group Policies

Developing a clear understanding of the applications that are being executed on your desktops and servers is a significant factor in successfully establishing Application Control and Privilege Management within your environment. EPM silently monitors End-user activity related to unhandled Applications. Monitoring is a critical step before applying any restrictions, such as a Block policy or blocking execution, and before deciding whether to grant administrative rights to Applications.

The most efficient approach to application control is to create policies for well-known trusted sources. This reduces the number of policies that you need to create.

Adding an AD group policy

To add an AD group policy in EPM, follow the below steps:

  • Login to Sectona as an administrator

  • Switch from PAM to EPM by clicking on the symbol and selecting End Point Management (EPM) from the drop-down list

  • Go to Policy→ AD Group Policies → +Add AD Group Policy

  • Provide the required details:

    1. Policy Name: Provide a unique name for the policy

    2. Description: Provide a suitable description

    3. Directory Store: Select the Directory Store from the drop-down list

    4. Directory Group: Browse the list of Directory Groups by clicking on the Browse button and select the Directory Group

    5. Learning Mode: If set to Active, EPM does not check the policy configuration and directly elevates any application run by members of the selected AD group with local admin rights. If set to Inactive, EPM checks the policy configuration and elevates an application only if a corresponding policy exists for it. Because an Active Learning Mode elevates every application for that group, use it only while discovering which applications need elevation, and set it to Inactive before relying on the policy to enforce least privilege.

  • Make sure to tick the Active checkbox and click on Save.

Updating an AD group policy

If you want to update/change policy details, you can click on the action button and select the Edit option. A form will appear. Make the necessary changes. Click on the Update button. This action will update your policy.

You can review the changes made to an AD Group Policy by clicking on the Action button of the respective policy and selecting the View Trail option.

Mapping Applications to AD group policy

To map one or more applications to the AD group policy, follow the given steps:

  • Login to EPM as an administrator

  • Go to Policy→ AD Group Policies

  • Click on the "policy" to which you want to map the applications

  • Click on the +Add Application button, and a form will appear

  • Select the Elevation Type from the drop-down list:

    • Elevate with Local Admin Rights: The user can run the application with local admin rights

    • None: The user can request access to the application through a workflow request

    • Elevation Not Allowed: The user cannot obtain access to the application through Sectona

    • Blacklist: Use of the application is completely denied to the user

  • Select the applications on which you want to apply the rules

  • Make sure to tick the Active checkbox and click on Save.

Deactivating an AD group policy

To deactivate an AD group policy, follow the given steps:

  • Login to EPM as an administrator

  • Go to Policy→ AD Group Policies

  • Click on the policy you want to deactivate

  • Uncheck the Active checkbox

  • Click on Save 

You can again activate the policy by checking the Active button and saving the configuration.

Deleting an AD group policy

To delete an AD group policy, follow the given steps:

  • Login to EPM as an administrator

  • Go to Policy→ AD Group Policies

  • Click on the policy you want to delete

  • Click on the Delete button

  • A pop-up will appear on the screen for confirmation, click Yes and this will delete the policy from the EPM

Please note that deleted policies cannot be accessed again, as this action deletes the data permanently.
