Contributor:
Mark Austin
November 27th, 2012

Privileged Account Management in Privilege Guard 3.6

It’s important for a privilege management solution to protect itself from tampering and to prevent users from circumventing the solution. Privilege Guard (Edit: now Defendpoint) already has a sophisticated anti-tamper mechanism that protects the Privilege Guard software and configuration settings against modification from elevated processes, while still allowing the solution to be administered by true system administrators. This has now been complemented by the new Privileged Account Management capability in Privilege Guard 3.6, ensuring that Privilege Guard continues to be the most secure and flexible privilege management solution on the market.

You will find a new policy rule in the General Rules section of a policy that prohibits a user from modifying the members of any privileged groups. This can be applied to standard users, in order to restrict processes that are elevated through Privilege Guard, or to real system administrators, who should not be allowed to manage privileged accounts. Policy filters can be defined to apply this policy rule to a specific set of users or any other criteria supported by the filters.

Privileged Account Management has been implemented at the SAM (Security Account Manager) level, which ensures that it’s enforced for all applications that attempt to manipulate user and group accounts, such as the Local Users and Groups MMC snap-in, the User Accounts control panel applet and even the net.exe command.

Consider an attempt by a user, running an elevated MMC process, to add a user to the local administrators group with the Prohibit privileged account management policy enabled. As soon as the user clicks the OK or Apply button, the operation fails with an access denied error message.

Privileged Account Management is not limited to the local administrators group. It detects attempts to modify the members of any of the privileged local groups on a system, which also includes power users, account operators, printer operators, backup operators and network configuration operators.
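As a complementary check on machines where the rule is not applied, the sketch below flags successful membership changes to the same privileged local groups from Windows Security events. It is an added example, not Privilege Guard code: the well-known group SIDs, event IDs 4732/4733 and their field names are standard Windows values rather than details from this post, and the sample events are constructed.

```python
# Added example: well-known SIDs and event IDs are standard Windows values,
# not taken from the post.
PRIVILEGED_GROUPS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-547": "Power Users",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
    "S-1-5-32-556": "Network Configuration Operators",
}
# 4732: member added to a security-enabled local group; 4733: member removed.
MEMBERSHIP_EVENTS = {4732: "added", 4733: "removed"}

# Constructed sample events (flattened EventData fields), not real log data.
SAMPLE_EVENTS = [
    {"EventID": 4732, "TargetSid": "S-1-5-32-544", "SubjectUserName": "jsmith",
     "MemberSid": "S-1-5-21-1111-2222-3333-1001"},
    {"EventID": 4732, "TargetSid": "S-1-5-32-545", "SubjectUserName": "jsmith",
     "MemberSid": "S-1-5-21-1111-2222-3333-1002"},   # Users: not privileged
    {"EventID": 4733, "TargetSid": "S-1-5-32-551", "SubjectUserName": "svc-backup",
     "MemberSid": "S-1-5-21-1111-2222-3333-1003"},
    {"EventID": 4624, "SubjectUserName": "jsmith"},  # logon: unrelated
    {"EventID": "4732", "TargetSid": "s-1-5-32-556", "SubjectUserName": "helpdesk",
     "MemberSid": "S-1-5-21-1111-2222-3333-1004"},   # string ID, lower-case SID
]

def privileged_group_changes(events):
    """Return one finding per membership change to a privileged local group."""
    findings = []
    for ev in events:
        try:
            event_id = int(ev.get("EventID"))
        except (TypeError, ValueError):
            continue  # malformed record: skip rather than abort the scan
        action = MEMBERSHIP_EVENTS.get(event_id)
        group = PRIVILEGED_GROUPS.get(str(ev.get("TargetSid", "")).upper())
        if action and group:
            findings.append({
                "group": group,
                "action": action,
                "member": ev.get("MemberSid", "unknown"),
                "changed_by": ev.get("SubjectUserName", "unknown"),
            })
    return findings

if __name__ == "__main__":
    for f in privileged_group_changes(SAMPLE_EVENTS):
        print(f"{f['group']}: {f['member']} {f['action']} by {f['changed_by']}")
```

Matching on the group SID rather than the group name keeps the check working on localized or renamed groups.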

Introducing Defendpoint

Edit: Privilege Guard has now evolved into the brand new security suite, Defendpoint, which encompasses Privilege Management, Application Control and Sandboxing. For more information, please visit www.avecto.com/defendpoint.
