Privilege Management
Sectona WPM allows System Administrators to group together Applications that will be elevated as required, provided they meet one or more of the following criteria:
Applications that originate from a trusted source, such as a Software Distributor, Updater, Network Location or Installation Package Publisher; applications that belong to a specific Product; or applications installed by a specific User/Group, that is, a designated user or user group (for example, a member of the IT staff who resolves End-user requests) trusted to perform maintenance operations on End-user Computers.
Trusted Sources permit approved Applications to run and enable an organization to create a tightly monitored environment, in compliance with the Least Privilege principle. This is done by defining most End-users as Standard Users while temporarily elevating the permission level of specific processes, allowing them to "execute" approved Applications.
Managing EPM Libraries
Sectona EPM offers full visibility of your desktop/server environment by continuously monitoring regular Applications that can be executed in the standard user context. EPM also provides detailed information about which Applications require administrative rights. This information helps in deciding which divisions of your organization should be granted different rights on desktops. The justification for elevating user privileges, either per Application or by granting administrative rights, can vary by individual user or by group of users. Even within the same division, a hierarchy of employees may exist and the rights can differ. The types of Application supported in WPM are:
Application EXE
WindowsInstaller MSI
ManagementConsole MSC
PowerShellScript PS1
VBScript VBS
BatchFile BAT
Adding a library into EPM
To add a library in EPM, follow the steps given below:
Login to Sectona as an administrator
Switch from PAM to EPM by clicking on the symbol and selecting End Point Management (EPM) from the drop-down list
Go to Policy→ Application Library → +Add Application
Provide the required details:
Application Name: Provide the name of the application
Description: Provide a suitable description
Application Type: Select the type of the application from the drop-down list
Publisher Name: Specify the publisher name of the application
Digital Signatory: Specify the Digital Signature of the application
File Name: Specify the executable file name
File Directory: Specify the path of the executable file
Hash Values SHA256: Specify the SHA256 hash value of the application file, if provided with the application
Make sure to tick the Active checkbox and click on Save.
Updating a library in EPM
If you want to update/change library details, you can click on the library's name, and a form will appear. Make the necessary changes. Click on the Update button. This action will update your library.
Deactivating a library in EPM
To deactivate a library, follow the given steps:
Login to EPM as an administrator
Go to Policy→ Application Library
Click on the library you want to deactivate
Uncheck the Active checkbox
Click on Save
You can activate the library again by checking the Active checkbox and saving the configuration.
Deleting a library in EPM
To delete a library, follow the given steps:
Login to EPM as an administrator
Go to Policy→ Application Library
Click on the library you want to delete
Click on the Delete button
A pop-up will appear on the screen for confirmation; click Yes and this will delete the library from EPM
Please note that you can't access deleted libraries, as this action deletes the data permanently.
Managing AD Group Policies
Developing a clear understanding of the applications that are being executed on your desktops and servers is a significant factor contributing to the success of establishing Application Control and Privilege Management within your environment. EPM silently monitors the activity of End-users related to unhandled Applications. Monitoring is a critical step before applying any restrictions, such as applying the Block policy or blocking execution, and before making decisions about granting administrative rights to Applications.
The most efficient approach to application control is to create policies for well-known trusted sources. This reduces the number of policies that you need to create.
Adding an AD group policy
To add an AD group policy in EPM, follow the below steps:
Login to Sectona as an administrator
Switch from PAM to EPM by clicking on the symbol and selecting End Point Management (EPM) from the drop-down list
Go to Policy→ AD Group Policies → +Add AD Group Policy
Provide the required details:
Policy Name: Provide a unique name for the policy
Description: Provide a suitable description
Directory Store: Select the Directory Store from the drop-down list
Directory Group: Browse the list of Directory Groups by clicking on the Browse button and select the Directory Group
Learning Mode: If set to Active, EPM will not check the policy configuration and will directly elevate the application with local admin rights for the selected AD group policy. If Learning Mode is set to Inactive, EPM will check the policy configuration and elevate the application only if there is a corresponding policy for that application.
Make sure to tick the Active checkbox and click on Save.
Updating an AD group policy
If you want to update/change policy details, click on the Action button and select the Edit option. A form will appear. Make the necessary changes and click on the Update button. This action will update your policy.
You can monitor the changes made to an AD Group Policy by clicking on the Action button of the respective policy and selecting the View Trail option.
Mapping Applications to AD group policy
To map one or more applications to the AD group policy, follow the given steps:
Login to EPM as an administrator
Go to Policy→ AD Group Policies
Click on the policy to which you want to map the applications
Click on the +Add Application button, and a form will appear
Select the Elevation Type from the drop-down list:
Elevate with Local Admin Rights: User can access the application using the local admin rights
None: User can ask for the access of the application using workflow request
Elevation Not Allowed: User cannot access the application via Sectona
Blacklist: The use of the application will be completely denied to the user
Select the applications on which you want to apply the rules
Make sure to tick the Active checkbox and click on Save.
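To make the library criteria (Publisher Name, File Name, File Directory, SHA256 hash) and the AD group policy decision (Learning Mode, Elevation Type) concrete, here is an added example written for this page; it is not Sectona's product code, the matching order and the "No matching policy" outcome are my assumptions, and all sample values are constructed.

```python
import hashlib
from dataclasses import dataclass, field

# Elevation Types from the AD group policy mapping form, plus one result of my own
# (NO_POLICY, an assumption) for a file that matches no mapped library entry.
ELEVATE = "Elevate with Local Admin Rights"
NONE = "None"                      # user may request access through a workflow request
NOT_ALLOWED = "Elevation Not Allowed"
BLACKLIST = "Blacklist"
NO_POLICY = "No matching policy"   # assumed outcome when Learning Mode is Inactive and nothing matches

@dataclass
class LibraryApp:
    """One Application Library entry; fields mirror the Add Application form."""
    name: str
    file_name: str
    file_directory: str
    publisher: str = ""     # optional criterion
    sha256: str = ""        # optional criterion; the strongest one when present
    active: bool = True

    def matches(self, path: str, publisher: str, content: bytes) -> bool:
        directory, _, fname = path.rpartition("\\")
        if not self.active or fname.lower() != self.file_name.lower():
            return False
        if directory.lower() != self.file_directory.rstrip("\\").lower():
            return False
        if self.publisher and self.publisher != publisher:
            return False
        # A recorded SHA256 defeats a same-named binary dropped into the trusted directory.
        if self.sha256 and hashlib.sha256(content).hexdigest() != self.sha256.lower():
            return False
        return True

@dataclass
class AdGroupPolicy:
    name: str
    learning_mode: bool
    mappings: dict = field(default_factory=dict)   # application name -> elevation type

def decide(policy: AdGroupPolicy, library: list, path: str, publisher: str, content: bytes) -> str:
    """Learning Mode Active: elevate without consulting mappings. Inactive: elevate only via a mapping."""
    if policy.learning_mode:
        return ELEVATE
    for app in library:
        if app.matches(path, publisher, content):
            return policy.mappings.get(app.name, NO_POLICY)
    return NO_POLICY

# Constructed sample data (not real binaries or real policy values).
GOOD_BYTES = b"constructed sample installer bytes"
GOOD_SHA = hashlib.sha256(GOOD_BYTES).hexdigest()
LIBRARY = [LibraryApp("Example Installer", "setup.msi", r"C:\Deploy", "Example Corp", GOOD_SHA)]
HELPDESK = AdGroupPolicy("Helpdesk", learning_mode=False, mappings={"Example Installer": ELEVATE})
LEARNING = AdGroupPolicy("Pilot", learning_mode=True)
```

Run `decide(HELPDESK, LIBRARY, r"C:\Deploy\setup.msi", "Example Corp", GOOD_BYTES)` to see an elevation, then change the bytes or the directory to see the hash and path criteria refuse the same file name.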
Deactivating Applications from AD group policy
To deactivate an AD group policy, follow the given steps:
Login to EPM as an administrator
Go to Policy→ AD Group Policies
Click on the policy you want to deactivate
Uncheck the Active checkbox
Click on Save
You can activate the policy again by checking the Active checkbox and saving the configuration.
Deleting an Application from AD group policy
To delete a policy, follow the given steps:
Login to EPM as an administrator
Go to Policy→ AD Group Policies
Click on the policy you want to delete
Click on the Delete button
A pop-up will appear on the screen for confirmation; click Yes and this will delete the policy from EPM
Please note that you can't access deleted policies, as this action deletes the data permanently.