Jump to content


anyweb

Dealing with annoying admin requests using 1E Tachyon

Recommended Posts

Introduction

In a previous blog post I explained how to sign up for a webinar series and by doing so, learn from industry experts and Microsoft MVP’s about how and why they use tools like  Tachyon from 1E to make things work better for your users, including how to deal with slow endpoints, or how to deal with apps that crash or for todays blog post, how to deal with those annoying admin requests.

I will blog about each episode in the webinar series and link them here for your perusal.

Security. Love it or hate it, without it we’d all be in a worse situation. However security mandates as a best practice that the user logged on to Windows should be a standard user and not a local administrator. Why ? because that helps thwart the spread of damage to the operating system from running files that could overwrite operating system kernel files for example, or simply to keep root kits or viruses in check. Bad software can do bad things especially if you are a local administrator.

That said, most users will need to be able to install legitimate software or configure things that require local administrator permissions on their computer, so how can we deal with that in a seamless, automated way with Tachyon.

“Maybe you need an application for a demo, in 30 minutes.”

special guest for this episode is Kenny.png

Software Installation Requests are the probably the most common reason why people request admin elevation. Here are some ways that people typically deal with local admin rights requests.

  • Group Policy – It’s a bit of a legacy dinosaur. Not that granular. The downside is knowing did it apply to the right group, did you clean it up after wards.
  • Local Admin Password solution – LAPS, giving out a password for the local admin account and risks associated with it, able to add others to the local admin group, security team not so happy about that.

How does Tachyon deal with this problem ?

Tachyon deals with this seamlessly and fast, but it doesn’t sacrifice security to enable this ability. It’s part of the Guaranteed state module, specifically the real time security broker (RSB) shown below.

realtme security broker.pngThis is made up of three rules listed here.

  • RSB: Disable Inactive RDP
  • RSB: Remove ‘Own Machine’ Local Admin escalations once timeout is exceeded.
  • RSB: Remove unauthorised local admins.

Here’s an example of it how Tachyon deals with this from start to finish. This is broken down into a couple of actions which are security focused, in that the user must be whitelisted in order to be allowed local administrative privileges.

  • Whitelisting an account/Verifying whitelisted account
  • Adding that whitelisted account to the local admins group

Whitelisting an account

Below we can see a user (aneel) is logged on to PC0004 and we can clearly see that the user is not a member of the Local Admins group on that PC.

pc0004 and the user is Aneel.png

In the Tachyon Explorer console, you can search for RSB and then select RSB Whitelist: <Action> user <UserName> to add (or remove) a user.

i want to rsb whitelist.PNG

Next, click on Edit (shown below with the red arrow) to add Parameters to your action.

click edit to add parameters.png

In the parameters section on the right side of the console, select the device name that you want that user to have local admin permissions on.

Tachyon adding user to local admin on specific pc.png

Adding a user to local admin on PC0004 in Tachyon

After clicking Perform this action the request is then validated and any alternative accounts needed to approve the request will be informed to approve it.

pending approval.PNG

After the instruction was approved you can see that the user has been whitelisted and all of this is in real time.

user-has-been-whitelisted.pngVerifying whitelisted account

To verify that the whitelist request has succeeded you can use the List Real-time Security Broker Whitelist action in Tachyon Explorer.

list real time.PNG

and in an instant you can see that the user has been added to the whitelist.

user added to whitelist.png

 

Adding the user to the Local Admins group

Next, you actually add the user (aneel) to the Local Admins Group. In Tachyon Explorer use the RSB Command: Add user <UserName> to the Local Administrators group, ONLY ON HOST: <hostname>.

adding user to local admin group on pc0004.PNG

After performing the action you can see that the user is added to the Local Admins group.

aneel is now a local admin.PNG

The entire process took less than a minute to whitelist and then add the user to the local admins group including the secondary approvals.

You can also set the amount of time needed, for example give the user 30 minutes of Local Admin time.

What about Self service for the end user ?

If you want to allow your users to do this on their own, to elevate on demand using self-service, it’s possible as long as they’ve been given the correct permissions/ability. We can deploy an app  called “Escalate to local admin” via Tacyhon to a small subset of users whom we trust to use appropriately.

Below we can see another user (Ataylor) is logged on to PC0005 and this user is not a member of the Local admins group.

ataylor is not an admin.PNG

This user launches the “Escalate to local admin” app so that they can self-service (with 2FA) the action themselves.

escalate-to-local-admin.png

 

and after clicking Go and satisfying the security prompts, the user is now added to the local admins group.

ataylor-is-now-local-admin.png

Users behaving badly

What about users adding other accounts without permission, below we can see a user that was granted local admin permissions has decided to add another user (sneakyadmin) to the local admins group.

addinng-a-sneakadmin-account.pngBut no sooner than they click Apply, they are informed that the unauthorized action was denied. This is because the user added was not authorized via the Tachyon platform, and was instantly denied, not only that but the action has been logged and undone.

unauthorized-action-1.pnggoing back into the Local Admins group you can see that the sneakyadmin account is not listed any more.

sneakadmin-is-not-present.png

Reporting on actions

If you look in the Guaranteed State rules which drive this you can see that the action has been remediated, this is revealed under Report, Remediations.

remdiated.PNG

Conclusion

Using Tachyon to provide admin credentials using security focused methods is easy and painless, yet retains useful features such as auditing, whitelisting and the ability to deny unapproved users.

That’s it for this blog post, I hope to see you in the next one. In the meantime, I’d suggest that you sign up for the next DEM webinar, it’s free, tell them Niall sent you .

And for those of you who want to see previously published episodes on youtube please click here.

DISCLAIMER: The contents of this article are the opinion of the author and have been written from an impartial standpoint; however, 1E may have reimbursed the author for time and expenses for undertaking the findings and conclusions detailed in the article.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...


×
×
  • Create New...