It’s important for a privilege management solution to protect itself from tampering and to prevent users from circumventing the solution. Privilege Guard (Edit: now Defendpoint) already has a sophisticated anti-tamper mechanism that protects the Privilege Guard software and configuration settings against modification from elevated processes, while still allowing the solution to be administered by true system administrators. This has now been complemented by the new Privileged Account Management capability in Privilege Guard 3.6, ensuring that Privilege Guard continues to be the most secure and flexible privilege management solution on the market.
You will find a new policy rule in the General Rules section of a policy that prohibits a user from modifying the members of any privileged groups. This can be applied to standard users, in order to restrict processes that are elevated through Privilege Guard, or to real system administrators, who should not be allowed to manage privileged accounts. Policy filters can be defined to apply this policy rule to a specific set of users or any other criteria supported by the filters.
Privilege Account Management has been implemented at the SAM (Security Account Manager) level, which ensures that it’s enforced for all applications that attempt to manipulate user and group accounts, such as the Local Users and Groups MMC snap-in, the User Accounts control panel applet and even the net.exe command.
Below is an attempt by a user, running an elevated MMC process, to add a user to the local administrators group, with the Prohibit privileged account management policy enabled. As soon as the user clicks the OK or Apply button the operation fails, resulting in an access denied error message.
Privileged Account Management is not limited to the local administrators group. It detects attempts to modify the members of any of the privileged local groups on a system, which also includes power users, account operators, printer operators, backup operators and network configuration operators.
Edit: Privilege Guard has now evolved into the brand new security suite, Defendpoint, which encompasses Privilege Management, Application Control and Sandboxing. For more information, please visit www.avecto.com/defendpoint.