Replacing/Supplementing SRP GP with PPLPM

Hello Everyone!

My organization is looking to lean heavily on PolicyPak Least Privilege Manager to supplement and/or replace our current Software Restriction Policy in group policy.
Our SRP has grown a bit out of control, and we’d like to use LPM as a sort of “fresh start” where we know we can keep things tidy, as well as leverage LPM to bypass the UAC prompt. I was hoping someone might have some experience or words of wisdom?
We’re in a pretty good spot with users NOT having local admin access. My quick take before doing a deeper dive seems to be to enable SecureRun to effectively stop users from being able to run anything we don’t deploy ourselves, and then add additional access to specific applications via LPM elevation.
Let me know if y’all have any thoughts or wisdom, or if I may be misunderstanding anything.

Thanks!

4 Likes

Hi Adrian, and welcome to the Netwrix Community! It sounds like you are on the right track with regards to SecureRun and elevated access via Least Privilege Manager. You can also enable Admin Approval for end-user applications via email or over the phone. I’ve included a couple of video resources for you to review! How are you looking to deploy? We have on-prem, cloud, and MDM (Intune) delivery options available.

1 Like

Thank you for the welcome Ryan!
I’ll look through that documentation shortly, from a quick glance I think I may have already viewed them, which is great to know that I’m on the right track. We’ve already got the client-side extension baked into our deployment process and we’ve actually had LPM for a little while now, but this is our first big attempt to really leverage it over traditional SRP through GP.

1 Like

Hi Adrian,

As Ryan mentioned, welcome to the Netwrix Community!

You are on the right path by first eliminating local admin privileges for your users and taking away the keys to the kingdom, as we would say. Overcoming UAC prompts is the next challenge, where we can create LPM policies to elevate the application as long as it meets certain conditions (hash value, file location, digital signature, or the file info). We generally recommend users create these policies for known applications, and for those applications you don’t have a rule for, we can use Admin Approval as Ryan suggested. From there, SecureRun is a powerful feature, so we recommend adding that last to not mess with the other policies created before, as anything not sanctioned or installed by IT will be blocked. If you have already checked out those videos and you feel a learning session with the team may help to review your policies and provide guidance on any of the LPM features, we are happy to set that up!

2 Likes

What’s also true is replacing SRP with SecureRun is easier and stronger.

Instead of finding “all the things you want to block one by one” (more or less)… SecureRun is the big HAMMER DOWN and then you “open up the doggie door.”

Yes, yes, you DO have to crack some eggs to make the omelette… some users will complain: “Hey, this thing I downloaded from 2011 and now you blocked it.”

YES EXACTLY.

Now you (Mr. Admin) are in charge, which means making some decisions about what to open up.

But yes, in general you are on the right track.

-Jeremy Moskowitz, PolicyPak Founder

2 Likes

Hello All,
Things seem to be going okay with my small 3 test units as we proceed to add rules as needed to LPM with our old GP SRP disabled. At this point I have SecureRun and Admin Approval enabled. The latter is quite useful for generating specific rules. I have been running into one particular instance I was hoping I could get some expertise with.

I have the following event that’s getting blocked by SecureRun. It’s occurring on all three machines I’m testing on.

I see that the parent process is LogMeIn.exe, which I have a rule to allow based off of hash and signature, but I still get this block.
I’ve tried adding an exception for CMD calling

“C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe” oesis

as mentioned by the parent process, but that doesn’t seem to work, and I’m not certain whether I have the syntax correct.

Finally, if I have the Admin Approval tool generate a rule, it creates a fairly generic rule for powershell/cmd, seemingly not taking the parent process into mind, which may just be a limitation of the tool and that’s fine.

Path: %systemroot%\system32\cmd.exe
Publisher: CN=Microsoft WIndows, O=Microsoft Corpororation, L=Redmond, S=Washington, C=US
Command Line: /S /C “”%systemroot%\system32\where" powershell"

Any suggestions? If this isn’t the right forum for this type of question, just let me know and I can move it.
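Two things in this thread call for the same piece of tooling: Christian’s list of the attributes an LPM elevation rule can match on (hash value, file location, digital signature, file info), and Adrian’s question about a cmd.exe child being blocked even though its parent LogMeIn.exe has an allow rule. The script below is an added example written for this thread, not PolicyPak/Netwrix code and not the Admin Approval tool’s output. It walks the parent chain of every running cmd.exe and, for each executable in that chain, collects the path, SHA256 hash, Authenticode signer and status, and the file-info fields, so you can compare what actually launched the blocked process against the rule you wrote. The function names (Get-ExecutableFacts, Get-ParentChain) are my own; it assumes Windows PowerShell 5.1 or later and that Win32_Process can be queried (processes owned by other users may require an elevated session). Because the cmd.exe spawned by LogMeIn is short-lived, run it while the child is alive, or point Get-ExecutableFacts directly at the files you care about.

```powershell
# Added example for this thread (not PolicyPak code). Collects the attributes an
# LPM rule can match on (path, hash, signer, file info) for a process and the
# chain of processes that launched it. Assumes Windows PowerShell 5.1+.

function Get-ExecutableFacts {
    # Gather the four kinds of rule-matching attributes for one executable.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Note = 'file not found' }
    }
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    [pscustomobject]@{
        Path        = $Path
        SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SignStatus  = $sig.Status              # Valid, NotSigned, HashMismatch, ...
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        ProductName = $info.ProductName
        Description = $info.FileDescription
        Company     = $info.CompanyName
        FileVersion = $info.FileVersion
    }
}

function Get-ParentChain {
    # Walk from a PID up through its parents, annotating each hop with the
    # executable's facts. Stops at MaxDepth, at a parent that already exited,
    # or if a PID repeats (PIDs are reused, so a stale ParentProcessId can loop).
    param([Parameter(Mandatory)][int]$ProcessId, [int]$MaxDepth = 10)
    $byId = @{}
    foreach ($p in Get-CimInstance Win32_Process) { $byId[[int]$p.ProcessId] = $p }
    $chain = @()
    $seen  = @{}
    $cur   = $byId[$ProcessId]
    while ($cur -and $chain.Count -lt $MaxDepth -and -not $seen.ContainsKey([int]$cur.ProcessId)) {
        $seen[[int]$cur.ProcessId] = $true
        $facts = if ($cur.ExecutablePath) { Get-ExecutableFacts -Path $cur.ExecutablePath } else { $null }
        $chain += [pscustomobject]@{
            Depth       = $chain.Count          # 0 = the process you asked about
            ProcessId   = $cur.ProcessId
            Name        = $cur.Name
            CommandLine = $cur.CommandLine      # compare with the blocked event's command line
            Path        = $cur.ExecutablePath
            SHA256      = $facts.SHA256
            SignStatus  = $facts.SignStatus
            Signer      = $facts.Signer
            Description = $facts.Description
        }
        $cur = $byId[[int]$cur.ParentProcessId]
    }
    return $chain
}

# Usage: for every running cmd.exe, show it and the processes that launched it.
Get-CimInstance Win32_Process -Filter "Name = 'cmd.exe'" | ForEach-Object {
    Get-ParentChain -ProcessId $_.ProcessId | Format-List
}
```

When reading the output, a Depth 1 entry whose Path and SHA256 differ from the file your LogMeIn rule was generated against (for example a different binary under the same product folder, or an updated build with a new hash) is the usual reason a hash-based parent rule stops matching; the Signer and Description fields show whether a signature- or file-info-based rule would have been more stable.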

Hi Adrian,

Thanks for reaching out and sharing this issue. For this specific issue with SecureRun blocking this event from running, I submitted a ticket to our support team on your behalf to have them look into this further to better understand what is causing it. The team can also provide additional suggestions around policy elevation, SecureRun, and your Admin Approval.

They should be reaching out soon. Thanks!

-Christian

2 Likes