Privileged Endpoint Management
Enforce “least privilege” policies while enabling productivity
What is Privileged Endpoint Management?
Privileged Endpoint Management, or PEM, removes the need for local administrator accounts on the computers that workers use every day. This is often known as a “Least Privilege” approach: organisations aim to remove local administrator accounts because they are highly valuable to attackers.
The need for better endpoint management
Enforcing “least privilege”, ensuring the right people have the right level of access and no more, can mean users don’t have access to the applications or resources they need to get their work done without a call to the IT helpdesk. The balance between security and productivity gets tipped towards security at the cost of productivity.
Traditionally, endpoint privilege management has needed substantial infrastructure and has been complex to manage. Many legacy solutions include tools, often originally from different vendors, for a broad range of capabilities, from operating system patching through to antivirus or even desktop customisation. Osirium’s Privileged Endpoint Management (PEM) solution is a new approach, built to be lightweight and highly focused on the primary need: removing the need for Local Administrator accounts on Windows desktops and laptops while not interfering with the computer user’s daily work.
PEM allows organisations to remove local administrator rights from users, while at the same time enabling them to have escalated privileges only for specific processes and executables. The balance tips back towards productivity while increasing the organisation’s security posture.
Balancing the need for security on Windows endpoints with keeping end-users productive is difficult. That’s where Privileged Endpoint Management (PEM) is critical to addressing those needs and reducing the load on help desks.
A natural extension to the Windows desktop
Osirium PEM is a natural extension to the Windows desktop.
From the application icon context menu, the user requests permission to execute as an Administrator using PEM. For whitelisted applications, the application starts with elevated privileges. Windows logs the session as running with the real user’s credentials but with elevated privileges, maintaining a complete audit trail.
PEM learns which applications users need to run with elevated privileges. An Administrator reviews these to create a “whitelist” of approved applications and a list of applications to be denied access, based on filename, publisher, and digital signature. Once learning is complete, the local admin accounts can be removed and PEM is put into “enable” mode.
If any applications weren’t identified during the learning phase, the user requests that the application be added to their group and they can continue working. As these are exceptions, users continue to work as normal without interruption for most of their time.
Powerful Admin Tools
The PEM Administrator Interface controls application whitelisting and policies, and logs all PEM activity. From a single console, the administrator can review all application elevations and requests for new applications to be approved during the learning phase.
Enforce "Least Privilege"
End-users only need user-level accounts.
- Remove local admin privileges
- Elevate the application, not the user
Run Privileged Applications
Approved applications can be run with elevated permissions without contacting IT.
- Users run approved applications as normal using the application context menu
Track which privileged applications are used, by whom and when
- Audit trail of authorisations and usage to show policy compliance
- Elevated applications are always run in the context of the real user for audit trails
Reduce Help Desk Load
Reduce the need for users to call the IT help desk to run privileged applications.
- Define and deploy policies to allow users to run approved applications as Administrator without contacting the help desk
Permissions are granted as policies to reduce IT effort deploying rules.
- Define permissions for Active Directory groups
Applications to run with elevated privileges are automatically discovered while users perform their normal work
- Actual applications used are approved, not an arbitrary list
- Applications are identified to prevent tampering and to ensure only approved versions are used