
Privileged Endpoint Management

This section introduces PEM, covering:

Note

See Installation and Set Up to get started with deploying PEM.

Overview

PEM is a privileged endpoint management solution, designed to allow system administrators to remove the necessity of using local administrator accounts from Windows users.

The mechanism PEM uses for elevating the privilege of a process is based on the application of policies, which are stored in the Microsoft Domain Controller as Group Policy Objects (GPOs).

The Opus framework gives administrators a simple, powerful interface for carrying out tasks to apply and manage policies for individual employees or groups of employees.

PEM Architecture

PEM Architecture

For end users, PEM operates in a similar way to Run as administrator: the interface allows users to right-click a process and select Run as administrator using PEM. Users must then enter their own credentials in a Windows User Account Control prompt to confirm that they want to run the process as an administrator, provided the policy allows them to do so.

PEM Client right click menu

While privilege is elevated, user context is maintained, so any files created will be owned by the user's account and any 'save' or 'open' dialog will default to the user's standard locations. This produces a seamless experience for users to elevate privileges on demand.

Example User Flow

User Flow

Hint

This workflow is for PEM in Explicit Admin mode, which is the recommended permanent operating mode for PEM.

Understanding Policies and PEM Mode Configuration

Policies contain either a process executable name, hash or certificate, or any combination of these properties, as well as an action. There are three possible actions that exist in a policy file:

  • Allow - In cases where an allow policy is in place, the process executes, triggering the Windows User Account Control dialog. The user must then enter their user name and password to start the process.

  • Warn - Where the process has been set to warn, a configurable warning dialog is shown to the user before the Windows User Account Control dialog is triggered. This is the recommended action for necessary high-risk processes.

Warning Dialog

  • Deny - Where a process has not been set to allow or warn, a deny dialog is triggered, allowing the user to request that the process be added to a policy, use an offline authorisation code, or cancel the operation. The offline authorisation option should be used when users are not connected to their corporate network but need to install or run a process that has no policy in place as administrator. In this case users must contact an administrator to request a Response Code. Users can still choose the request option when offline; they are shown a message informing them that the request has not been sent and will be sent when they reconnect.

Deny Dialog

An end user's ability to elevate the privilege of a process depends both on the policy in place (or the absence of a policy) for that process and on the mode in which PEM is configured. There are two possible modes:

  • Permissive Warning - PEM permits the elevation of any process; running a process marked as warn or deny results in a warning notification being shown to the user.
  • Explicit Admin - Only Allow processes can be elevated to run as admin.

Note

Permissive warning mode is designed to ensure a smooth rollout of PEM, allowing administrators to remove local administrator access while still allowing users to continue their daily tasks where administrator credentials may be required. As such, any process run in permissive warning mode is tracked, and the records of this activity can then be used to assist in creating and implementing policies.

Permissions Table

Policy Action: Allow
  Permissive Warning: Privilege elevated for process without any warning.
  Explicit Admin: Privilege elevated for process without any warning.

Policy Action: Deny
  Permissive Warning: Process is elevated after the user is shown a warning requesting the user to think carefully about elevating this process. They must confirm that they want to go ahead with running the process.
  Explicit Admin: The process is not elevated. The user is notified that the system administrator has blocked the action. The user will then be presented with the option to request that the admin authorises this process.

Policy Action: Warn
  Permissive Warning: User is shown a warning advising the user that this action should be performed with care. They must confirm that they want to go ahead with running the process.
  Explicit Admin: User is shown a configurable warning or policy reminder. They must confirm that they want to go ahead with running the process.

Policy Action: Unknown/No Policy
  Permissive Warning: Same as Deny.
  Explicit Admin: Same as Deny.
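The policy properties (executable name, hash, certificate), the three actions and the two modes above combine into a small decision matrix. The following Python model, added here as an illustration and not PEM's or Opus's own code, walks through that matrix: it resolves the effective action for a process, applies the mode to get the outcome the Permissions Table describes, and shows how records collected in permissive warning mode can be turned into candidate Allow policies for review. The class and field names, the rule that every property a policy sets must match (AND semantics), the rule that the most restrictive action wins when several policies match, and the sample policies and signer subject are all assumptions made for the example; the page states none of them.

```python
# Added example modelling the PEM policy actions and modes described on this page.
# Not PEM/Opus code; matching and precedence rules are assumptions, marked below.
from collections import Counter
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Optional

class Action(Enum):
    ALLOW = "allow"
    WARN = "warn"
    DENY = "deny"

class Mode(Enum):
    PERMISSIVE_WARNING = "permissive-warning"
    EXPLICIT_ADMIN = "explicit-admin"

@dataclass(frozen=True)
class ProcessInfo:
    exe_name: str           # e.g. "setup.exe"
    sha256: str             # hex digest of the executable on disk
    signer: Optional[str]   # code-signing certificate subject; None if unsigned

@dataclass(frozen=True)
class Policy:
    action: Action
    exe_name: Optional[str] = None
    sha256: Optional[str] = None
    signer: Optional[str] = None

    def __post_init__(self) -> None:
        # A policy with no identifying property would match every process.
        if self.exe_name is None and self.sha256 is None and self.signer is None:
            raise ValueError("policy needs at least one of exe_name, sha256, signer")

    def matches(self, proc: ProcessInfo) -> bool:
        # Assumption: every property the policy sets must match (AND); the page
        # says properties can be combined but not how a combination is evaluated.
        if self.exe_name is not None and self.exe_name.lower() != proc.exe_name.lower():
            return False
        if self.sha256 is not None and self.sha256.lower() != proc.sha256.lower():
            return False
        if self.signer is not None and self.signer != proc.signer:
            return False
        return True

# Assumption: when several policies match, the most restrictive action wins.
_SEVERITY = {Action.ALLOW: 0, Action.WARN: 1, Action.DENY: 2}

def effective_action(proc: ProcessInfo, policies: Iterable[Policy]) -> Action:
    """Unknown/no policy is treated exactly like Deny, as the Permissions Table says."""
    matched = [p.action for p in policies if p.matches(proc)]
    return max(matched, key=_SEVERITY.__getitem__) if matched else Action.DENY

@dataclass(frozen=True)
class Decision:
    elevates: bool        # process may run elevated (after the UAC credential prompt)
    dialog: str           # "none", "warn" or "deny" dialog shown first
    request_option: bool  # user offered "request that an admin authorises this"

def decide(proc: ProcessInfo, policies: Iterable[Policy], mode: Mode) -> Decision:
    """Apply the Permissions Table: policy fixes the action, mode fixes the outcome."""
    action = effective_action(proc, policies)
    if action is Action.ALLOW:
        return Decision(elevates=True, dialog="none", request_option=False)
    if action is Action.WARN:
        return Decision(elevates=True, dialog="warn", request_option=False)
    if mode is Mode.PERMISSIVE_WARNING:
        # Rollout mode: Deny/no policy still elevates, after a "think carefully" warning.
        return Decision(elevates=True, dialog="warn", request_option=False)
    return Decision(elevates=False, dialog="deny", request_option=True)

def draft_policies(tracked: Iterable[ProcessInfo], policies: List[Policy],
                   min_count: int = 2) -> List[Policy]:
    """Turn permissive-warning records into candidate Allow policies for admin review.
    Only processes with no policy at all are proposed, pinned to name AND hash so a
    renamed or replaced binary does not inherit the allowance; one-off elevations
    below min_count are left out."""
    seen: Counter = Counter()
    sample: Dict[str, ProcessInfo] = {}
    for proc in tracked:
        if any(p.matches(proc) for p in policies):
            continue
        seen[proc.sha256] += 1
        sample[proc.sha256] = proc
    return [Policy(Action.ALLOW, exe_name=sample[h].exe_name, sha256=h)
            for h, n in seen.items() if n >= min_count]

# Constructed sample policies (not from the page); the signer subject is made up.
POLICIES = [
    Policy(Action.ALLOW, exe_name="archiver.exe", signer="CN=Example Vendor"),
    Policy(Action.WARN, exe_name="regedit.exe"),
    Policy(Action.DENY, exe_name="cmd.exe"),
]

if __name__ == "__main__":
    unsigned_copy = ProcessInfo("archiver.exe", "bb" * 32, None)  # name matches, signer does not
    for mode in Mode:
        print(mode.value, decide(unsigned_copy, POLICIES, mode))
```

The design point worth noticing is the unsigned copy of archiver.exe: because the Allow policy names both the executable and its signer, a binary with the right name but no valid certificate gets no policy and therefore falls into the Deny row, which in Explicit Admin mode blocks it and offers the request option, while in Permissive Warning mode it still elevates after the warning. Drafting Allow policies from permissive-mode records by hash rather than by name alone carries that same protection forward into the permanent policy set.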


Managing Policies

Opus functions as the management interface for PEM; Opus tasks are used to manage: