Educause Security Discussion mailing list archives

Re: On-demand Privilege Escalation Solution for Endpoints


From: "Davis, Chris" <CDavis () LOURDES EDU>
Date: Wed, 28 Mar 2018 18:20:15 +0000

What about auditing admin events?  Are you aggregating your endpoint logs for that somehow, or can it be pulled into 
something else?



Christopher Davis, Ph.D.
Chief Information Officer
Lourdes University
6832 Convent Blvd. | REH 003P | Sylvania, OH 43560
cdavis () lourdes edu

Don't be a victim of phishing. Lourdes will never ask you to send sensitive information through unsecure channels. 
Report any message that asks you to provide or confirm personal information such as credit card and/or bank account 
numbers, Social Security numbers, passwords, etc.

On Mar 28, 2018, at 1:51 PM, Biggs, Nathanael <nbiggs112 () CEDARVILLE EDU<mailto:nbiggs112 () CEDARVILLE EDU>> wrote:

+1 for MakeMeAdmin. We're in the middle of deploying this in conjunction with LAPS (so that the admin passwords change 
regularly), and it looks promising, based on the testing we've done.

Access is administered via GPO, but the tool doesn't require real-time access to the domain in order to function.


Nathanael Biggs
Network Analyst
Information Technology
Cedarville University
o: 937-766-7905
https://www.cedarville.edu/



On Wed, Mar 28, 2018 at 12:57 PM, Shen, Philip (ps7xj) <ps7xj () virginia edu> wrote:
For those on a budget, check out Make Me Admin: https://makemeadmin.com/


Thanks,
Phil


----

Phil Shen BS, GIAC GSEC, ITIL
IT Security - University of Virginia School of Medicine (Phil.Shen () virginia edu)



________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of WALTER KERNER <walter_kerner () FITNYC EDU>
Sent: Wednesday, March 28, 2018 12:32 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] On-demand Privilege Escalation Solution for Endpoints


We're just beginning to use Avecto here. It's still early, but it seems like it will be a good fit. It will let 
traveling faculty add printers, adjust networks, and handle timezones with admin rights. We also use it to confirm on 
software installs: we don't prohibit faculty from installing what they want, but we want to alert them to drive-by 
downloads.


Walter Kerner
AVP and CISO
333 7th Avenue, 13th Floor
New York, NY 10001
Voice: 212-217-3415



From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Davis, Chris
Sent: Tuesday, March 27, 2018 10:28 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] On-demand Privilege Escalation Solution for Endpoints



Check out Avecto Defendpoint or CyberArk Viewfinity. Both do what you are looking for without having to grant admin 
rights on an extended basis.

Chris Davis, PhD
Chief Information Officer
Lourdes University
cdavis () lourdes edu

On Mar 27, 2018, at 22:02, Nitin Singh <Nitin.Singh () VU EDU AU> wrote:

Good Day Folks,



We are looking at possible solutions to allow administrative rights on endpoints.



Currently, by default, our users get administrative rights (oooops!) on their machines, which is for historic reasons, to 
provide academic freedom and flexibility. And as you would know, this freedom and flexibility comes with significant 
security exposure and risk for our University.



Moving forward we will be removing all administrative rights on endpoints and looking to deploy a solution which can:

  1.  Allow on-demand privilege escalation from the local machine, regardless of whether it is connected to the University 
network or not.
  2.  Limit the window of escalated rights, such as allowing users to select how long they need administrative rights 
for and automatically removing privileges after the selected period of 30 mins, 2 hours, 4 hours or 8 hours.
  3.  Monitor, log and alert on all activities undertaken (including installation, download, etc.) during the period of 
escalated rights.
  4.  Block/notify users whenever download/installation of malicious code/software is detected.
  5.  Easy to use and install, and does not require excessive operational overhead.



If anyone is using similar technologies or has explored such solutions and can share insights, that would be highly 
appreciated.



Rgds, Nitin



Nitin Singh
Director – ITS Security and Risk Assurance
Information Technology Services
(P) +61 3 9919 5849
(M) +61 430 989 430

Victoria University
CRICOS Provider No. 00124K (Melbourne)
CRICOS Provider No. 02475D (Sydney)