
Endpoint Privilege Management

What is privilege management?

With privilege management, administrators can assign and regulate user privileges based on roles, responsibilities, and specific requirements. The privilege management feature supports privilege elevation, allowing temporary elevated access when needed, and privilege delegation, enabling non-admin users to perform delegated tasks without full administrative privileges. By enabling privilege policies and auditing capabilities, organizations can enforce access controls, track privileged operations, and ensure compliance with security policies and regulations. By implementing this feature in Endpoint Central, organizations can minimize security risks, prevent unauthorized actions, and maintain a secure and well-controlled IT environment. One important aspect of privilege management in Endpoint Central is the ability to remove or restrict administrator rights for specific users or groups. By removing excessive administrator privileges, organizations can minimize the potential security risks associated with unrestricted access to critical systems and resources.

How does privilege management work?

  1. Log in to the Endpoint Central web console and navigate to App Ctrl → Privilege Management → Privilege Management to create a list of applications that need administrator-level access to run.
  2. Once the list is created, navigate to the Policy Deployment tab and choose the custom group containing the user devices that require privileged access to those applications. Click Yes to associate the Privileged Application List with the chosen custom group.
  3. Users of devices in the associated custom group can run those applications with privileged access by right-clicking the application's .exe and choosing 'Run as ManageEngine'.

Self-elevation of applications

Administrators have the option to allow users to elevate their user privileges by providing a justification. The provided justification will be logged, and this capability can be configured for specific applications or all allowlisted applications.

Remove Admin Rights

Removing admin rights in Endpoint Central lets you revoke or restrict the administrative privileges of specific users or groups over application management on endpoint devices. Users and groups whose admin rights are removed can no longer install, modify, or remove applications on those devices, which reduces the risk of malware infections, unauthorized software installations, and other security exposures that come with unrestricted access to application management.

Selecting a computer and clicking Remove Local Admin removes all local admin accounts on it except those retained by the Exclusion Policy, so you must configure an exclusion policy before removing admin rights. Policies that retain specific admin accounts globally are created from the Exclusion Policy tab; these accounts are retained on every computer where they are present. The sysadmin can choose to retain only their own account, the built-in Administrator account, or any other account as needed.

How to remove admin rights?

Once the exclusion policy is finalized, the sysadmin can remove the remaining unnecessary accounts either automatically or manually. Checking the Enable Automatic Removal box immediately removes all other admin accounts from the selected computer groups. To remove the accounts manually, return to the Admin Rights Summary tab, select the computers you want to modify, and click Remove Local Admin. All local admin accounts on the selected computers are removed, except those retained by the exclusion policy, if any. Once the unnecessary local admin accounts are removed, the sysadmin can create a Privileged Application List and associate it with custom groups of user devices, which lets the selected users run those applications as administrators even though they hold only standard user privileges.
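As an added example (not part of the Endpoint Central documentation or product), the PowerShell script below audits an endpoint's local Administrators group against the accounts you intend to retain, mirroring the exclusion policy, and reports what would be removed before anything changes. It assumes that "removing" a local admin account means demoting it from the local Administrators group, and the account names in the default exclusion list are constructed placeholders.

```powershell
# Added example, not Endpoint Central's own code: audit the local Administrators
# group and show which members an exclusion policy retains and which it would
# remove. Dry run by default; pass -Remove (with -WhatIf to preview) to apply.
# Requires the Microsoft.PowerShell.LocalAccounts module and an elevated session.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Accounts to retain, mirroring the console's Exclusion Policy.
    # These names are constructed placeholders; adjust them for your environment.
    [string[]]$Exclusions = @("Administrator", "CORP\HelpdeskAdmins"),
    [switch]$Remove
)

$group   = "Administrators"
$members = Get-LocalGroupMember -Group $group -ErrorAction Stop

# -contains is case-insensitive; match the full name ("HOST\Administrator")
# and the bare name after the backslash so either form in the policy works.
$retained   = @()
$candidates = @()
foreach ($m in $members) {
    $bare = ($m.Name -split '\\')[-1]
    if (($Exclusions -contains $m.Name) -or ($Exclusions -contains $bare)) {
        $retained += $m
    } else {
        $candidates += $m
    }
}

Write-Output "Retained by exclusion policy:"
$retained   | ForEach-Object { Write-Output ("  {0} ({1})" -f $_.Name, $_.ObjectClass) }
Write-Output "Would be removed:"
$candidates | ForEach-Object { Write-Output ("  {0} ({1})" -f $_.Name, $_.ObjectClass) }

# Only demote when explicitly asked; ShouldProcess honours -WhatIf and -Confirm.
if ($Remove) {
    foreach ($m in $candidates) {
        if ($PSCmdlet.ShouldProcess($m.Name, "Remove from local $group")) {
            Remove-LocalGroupMember -Group $group -Member $m.Name
        }
    }
}
```

Run it without -Remove before enabling automatic removal to confirm the exclusion list covers every account you need to keep, and again afterwards to verify that only the excluded accounts remain.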

Note: If you are unable to access this module in Endpoint Central Cloud, kindly contact Endpoint Central Cloud Support.