Contributor:
Kris Zentek
September 20th, 2011

Signing policies in Privilege Guard 2.8

Privilege Guard 2.8 (Edit: now Defendpoint) introduces the ability to digitally sign policies using a certificate from a PFX file. This ensures that the policies deployed to a client have been published by a trusted source and are genuine. A unique Object Identifier (OID) is used to verify that policies have been signed with an authorized certificate.

Digitally Sign Policy menu option

Signing policies from within the Management Console

Sign Policy Wizard

Use an exported PFX file to sign a Privilege Guard policy

Delegated Policy Management
Signing policies is achieved through the Privilege Guard Management Console from the right-click menu on the ‘Privilege Guard Policies’ node. Any policy that has previously been signed cannot be edited unless you know the PFX password. This prevents other domain or local administrators from adding or implementing unwanted policy settings, either within Active Directory or on the local endpoints.

Sign Policy Password Verification

Password must be entered before editing a signed policy

Cached Policy Assurance
The signatures embedded into deployed policies verify that policies stored in the local cache have not been tampered with, adding an extra layer of security on endpoints.

Three Modes of Operation
The Privilege Guard Agent can be installed in one of three operational modes, depending on the level of signed policy enforcement required:

  1. Certificate Enforcement Mode – The agent will load correctly signed policies. Unsigned or incorrectly signed policies will not be loaded, and an error will be audited.
  2. Certificate Warning Mode – The agent will load correctly signed policies. Unsigned and incorrectly signed policies will also be loaded, but a warning will be audited.
  3. Standard Mode – The agent will load both correctly signed and unsigned policies. Incorrectly signed policies will also be loaded, but a warning will be audited.

Policy Auditing
New events have been added which audit all policy activity on the client, including the source, version and security status. Depending on the agent installation mode and state of the policy, the event number and severity will be audited as follows:

Sign Policy Events

New policy auditing events in version 2.8
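The following Python script is an added illustration of the three operational modes and the policy audit events described above; it is not Avecto's code and does not use the real Privilege Guard policy format. The JSON envelope, the HMAC key standing in for the PFX certificate key, the placeholder OID string and the event field names are all assumptions made for the example, but the load/audit decisions follow the three modes exactly as the text states them.

```python
import base64
import hashlib
import hmac
import json
from enum import Enum

# Constructed stand-ins (assumption): a real deployment signs with the private key
# from the PFX and checks the signer certificate for the authorised OID. Here an
# HMAC key plays the role of the certificate key and the OID is plain metadata.
TRUSTED_KEY = b"constructed-demo-key"
AUTHORISED_OID = "1.2.3.4.5.99"   # hypothetical placeholder, not a real product OID


class Status(Enum):
    SIGNED = "correctly signed"
    UNSIGNED = "unsigned"
    BAD_SIGNATURE = "incorrectly signed"


class Mode(Enum):
    CERT_ENFORCEMENT = "Certificate Enforcement Mode"
    CERT_WARNING = "Certificate Warning Mode"
    STANDARD = "Standard Mode"


def sign_policy(policy: dict, key: bytes, oid: str) -> dict:
    """Wrap a policy body in a signed envelope (canonical JSON + HMAC stand-in)."""
    body = json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return {"policy": body.decode(), "signer_oid": oid,
            "signature": base64.b64encode(mac).decode()}


def verify_policy(envelope: dict, key: bytes, oid: str) -> Status:
    """Classify an envelope as signed, unsigned or incorrectly signed."""
    if "signature" not in envelope:
        return Status.UNSIGNED
    if envelope.get("signer_oid") != oid:
        return Status.BAD_SIGNATURE          # signed, but not by an authorised certificate
    try:
        sig = base64.b64decode(envelope["signature"], validate=True)
    except (ValueError, TypeError):
        return Status.BAD_SIGNATURE
    expected = hmac.new(key, envelope["policy"].encode(), hashlib.sha256).digest()
    # constant-time comparison so a tampered cached policy cannot be timed
    return Status.SIGNED if hmac.compare_digest(sig, expected) else Status.BAD_SIGNATURE


def load_decision(mode: Mode, status: Status) -> tuple:
    """Return (loaded, audit_severity) according to the three operational modes."""
    if status is Status.SIGNED:
        return (True, None)                  # every mode loads a correctly signed policy
    if mode is Mode.CERT_ENFORCEMENT:
        return (False, "error")              # unsigned/bad signature: not loaded, error audited
    if mode is Mode.CERT_WARNING:
        return (True, "warning")             # loaded anyway, but a warning is audited
    # Standard Mode: unsigned is normal; an incorrect signature still earns a warning
    return (True, None if status is Status.UNSIGNED else "warning")


def process_policy(envelope: dict, mode: Mode, source: str,
                   key: bytes = TRUSTED_KEY, oid: str = AUTHORISED_OID) -> dict:
    """Verify a policy and build the audit event an agent would record (field names assumed)."""
    status = verify_policy(envelope, key, oid)
    loaded, severity = load_decision(mode, status)
    try:
        version = json.loads(envelope["policy"]).get("version")
    except (KeyError, ValueError):
        version = None
    return {"source": source, "version": version, "security_status": status.value,
            "loaded": loaded, "severity": severity}


if __name__ == "__main__":
    # Constructed sample policy for a stand-alone run.
    sample = {"version": 3, "rules": [{"app": "example.exe", "action": "elevate"}]}
    signed = sign_policy(sample, TRUSTED_KEY, AUTHORISED_OID)
    tampered = dict(signed, policy=signed["policy"].replace("elevate", "block"))
    for mode in Mode:
        for name, env in (("signed", signed), ("tampered", tampered),
                          ("unsigned", {"policy": signed["policy"]})):
            print(mode.value, name, process_policy(env, mode, source="local cache"))
```

Running the script prints one event per mode and policy state; the only combination that refuses to load is an unsigned or tampered policy under Certificate Enforcement Mode, which is also the only one audited as an error.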

Signed policies significantly enhance the security of Privilege Guard by restricting which administrators are allowed to modify centrally or locally managed policies, and ensure that cached policies have not been tampered with or overwritten.

Introducing Defendpoint

Edit: Privilege Guard has now evolved into the brand new security suite, Defendpoint, which encompasses Privilege Management, Application Control and Sandboxing. For more information, please visit www.avecto.com/defendpoint.
