Re: On-demand Privilege Escalation Solution for Endpoints

["Biggs, Nathanael" <nbiggs112 () CEDARVILLE EDU>]

MakeMeAdmin generates event logs that can be collected by Event Log
Forwarding. We don't have that set up for all our endpoints now, but it's
probably not a bad idea.






Nathanael Biggs
*Network Analyst*
Information Technology
*Cedarville University*
o: 937-766-7905
www.cedarville.edu
<https://twitter.com/cedarville>
<https://www.youtube.com/user/cedarvilleu>
<https://www.facebook.com/cedarville>
<https://www.linkedin.com/in/nathanael-biggs-86595125/>
<https://www.instagram.com/cedarville/>

On Wed, Mar 28, 2018 at 2:20 PM, Davis, Chris <CDavis () lourdes edu> wrote:

> What about auditing admin events?  Are you aggregating your endpoint logs
> for that somehow, or can it be pulled into something else?
>
>
>
> Christopher Davis, Ph.D.
> Chief Information Officer
> Lourdes University
> 6832 Convent Blvd
> <https://maps.google.com/?q=6832+Convent+Blvd&entry=gmail&source=g>. |
> REH 003P | Sylvania, OH 43560
> cdavis () lourdes edu
>
> Don't be a victim of phishing. Lourdes will never ask you to send
> sensitive information through unsecure channels. Report any message that
> asks you to provide or confirm personal information such as credit card
> and/or bank account numbers, Social Security numbers, passwords, etc.
>
> CONFIDENTIALITY NOTICE: The contents of this email message and any
> attachments are intended solely for the addressee(s) and may
> contain confidential and/or privileged information and may be
> legally protected from disclosure. If you are not the intended recipient of
> this message or their agent, or if this message has been addressed to
> you in error, please immediately alert the sender by reply email and then
> delete this message and any attachments. If you are not the intended
> recipient, you are hereby notified that any use, dissemination, copying, or
> storage of this message or its attachments is strictly prohibited.
>
>
>
>
>
>
> On Mar 28, 2018, at 1:51 PM, Biggs, Nathanael <nbiggs112 () CEDARVILLE EDU>
> wrote:
>
> +1 for MakeMeAdmin. We're in the middle of deploying this in conjunction
> with LAPS (so that the admin passwords change regularly), and it looks
> promising, based on the testing we've done.
>
> Access is administered via GPO, but the tool doesn't require real-time
> access to the domain in order to function.
>
>
>
>
>
>
> Nathanael Biggs
> *Network Analyst*
> Information Technology
> *Cedarville University*
> o: 937-766-7905 <(937)%20766-7905>
> www.cedarville.edu
> <https://twitter.com/cedarville>
> <https://www.youtube.com/user/cedarvilleu>
> <https://www.facebook.com/cedarville>
> <https://www.linkedin.com/in/nathanael-biggs-86595125/>
> <https://www.instagram.com/cedarville/>
>
> On Wed, Mar 28, 2018 at 12:57 PM, Shen, Philip (ps7xj) <ps7xj () virginia edu
> > wrote:
>
> > For those on a budget check out Make Me Admin  https://makemeadmin.com/
> >
> >
> > Thanks,
> > Phil
> >
> > ----
> > Phil Shen BS, GIAC GSEC, ITIL
> > IT Security - University of Virginia School of Medicine
> > <Phil.Shen () virginia edu>
> >
> >
> >
> > ------------------------------
> > *From:* The EDUCAUSE Security Constituent Group Listserv <
> > SECURITY () LISTSERV EDUCAUSE EDU> on behalf of WALTER KERNER <
> > walter_kerner () FITNYC EDU>
> > *Sent:* Wednesday, March 28, 2018 12:32 PM
> >
> > *To:* SECURITY () LISTSERV EDUCAUSE EDU
> > *Subject:* Re: [SECURITY] On-demand Privilege Escalation Solution for
> > Endpoints
> >
> >
> > We’re just beginning to use Avecto here.  It’s still early but it seems
> > like it will be a good fit.  It will let traveling faculty add printers,
> > adjust networks, and handle timezones with admin rights.  We also use it to
> > confirm on software installs: we don’t prohibit faculty from installing
> > what they want, but we want to alert them to drive-by downloads
> >
> >
> >
> >
> > Walter Kerner
> >
> > AVP and CISO
> >
> > [image: blue]
> >
> > 333 7th Avenue, 13th Floor
> > <https://maps.google.com/?q=333+7th+Avenue,+13th+Floor+%0D%0A+New+York,+NY+10001&entry=gmail&source=g>
> >
> > New York, NY 10001
> > <https://maps.google.com/?q=333+7th+Avenue,+13th+Floor+%0D%0A+New+York,+NY+10001&entry=gmail&source=g>
> >
> > Voice: 212-217-3415 <(212)%20217-3415>
> >
> >
> > *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
> > SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Davis, Chris
> > *Sent:* Tuesday, March 27, 2018 10:28 PM
> > *To:* SECURITY () LISTSERV EDUCAUSE EDU
> > *Subject:* Re: [SECURITY] On-demand Privilege Escalation Solution for
> > Endpoints
> >
> >
> > Check out Avecto Defendpoint or CyberArk Viewfinity. Both do what you are
> > looking for without having to grant admin rights on an extended basis.
> >
> > Sent from my iPhone - please excuse any minor errors.
> >
> >
> > Chris Davis, PhD
> >
> > Chief Information Officer
> >
> > Lourdes University
> >
> > cdavis () lourdes edu
> >
> >
> > On Mar 27, 2018, at 22:02, Nitin Singh <Nitin.Singh () VU EDU AU> wrote:
> >
> > Good Day Folks,
> >
> >
> > We are looking at possible solutions to allow administrative rights on
> > endpoints.
> >
> >
> > Currently by default our users get administrative rights (oooops!) on
> > their machines which is for historic reasons to provide academic freedom
> > and flexibility. And as you would know this freedom and flexibility comes
> > with significant security exposure and risk for our University.
> >
> >
> > Moving forward we will be removing all administrative rights on endpoints
> > and looking to deploy a solution which can:
> >
> >    1. Allow demand Privilege Escalation from local machine regardless it
> >    is connected to University Network or Not
> >    2. Limit the window of Escalated Rights such as allowing users to
> >    select how long they need administrative rights for and automatically
> >    removing privileges after selected period of 30mins, 2 hours, 4 hours or 8
> >    hours.
> >    3. Monitor, log and alert on all activities undertaken (including
> >    installation, download etc.) during the period of escalated rights
> >    4. Block/notify users whenever download/installation of a malicious
> >    code/software is detected
> >    5. Easy to use, install and does not require excessive operational
> >    overheads.
> >
> >
> >
> > Anyone who is using similar technologies or have explored such solutions
> > who can share insights that would be highly appreciated.
> >
> >
> > Rgds, Nitin
> >
> >
> > *Nitin Singh*
> >
> > *Director – ITS Security and Risk Assurance*
> >
> > Information Technology Services
> >
> > (P) +61 3 9919 5849 <+61%203%209919%205849>
> >
> > (M) +61 430 989 430 <+61%20430%20989%20430>
> >
> >
> > Victoria University CRICOS Provider No. 00124K (Melbourne) CRICOS
> > Provider No. 02475D (Sydney)
> >
> >
> > <image001.png>