
EPM/PEDM-class software (Endpoint Privilege Management / Privilege Elevation and Delegation Management) combines two basic elements: application control and management of user privileges at the operating-system level. Integrating the two makes it possible to allow only trusted applications to run on employee computers while limiting user accounts to the minimum privileges they need. With an EPM/PEDM system, standing privileged accounts, such as local accounts with administrator rights, can be removed in a straightforward way, with minimal impact on employee productivity and on the experience of working with the operating system.

Securing end-user computers is a key part of managing IT resources, and EPM-class systems are one of the pillars of that security: they are the fundamental technology for implementing the principle of least privilege for end users.

  • Deployment of EPM systems is based on templates or wizards that help create correct security policies, which significantly simplifies and speeds up the rollout.
  • Least privilege should be enforced for all types of users, but advanced user groups (developers, contractors, administrators) need special attention, because revoking their administrator rights without an EPM system would prevent them from doing their daily work.
  • Selective, per-application privilege elevation is the crucial feature. A user working from an account with standard privileges can launch specified programs as if they were a member of the local Administrators group, while everything else they run keeps standard rights: the elevation applies to the approved process, not to the account.
  • EPM systems can prevent the execution of dangerous software such as ransomware and other malware by reducing the attack surface: elevated privileges are granted only to approved applications, scripts, tasks or commands that actually require them.
  • EPM solutions also control which applications users may run at all, including blocking specific programs that do not require elevated privileges.
  • EPM systems include reporting modules that let the security team collect detailed information about every unknown or unapproved application launched by users, which is also the input for extending the list of approved applications.

Minimising risks arising from vulnerabilities

According to the “Malware Threat Report 2021” on the security of Microsoft systems, unpatched vulnerabilities account for roughly 30% of all IT security breaches. The number of vulnerabilities in Microsoft products rose by 48% between 2019 and 2020, from 858 recorded in 2019 to 1268 in 2020. Of the critical vulnerabilities reported in 2020, 56% would have been mitigated if administrator rights had been removed. For Windows 10, 132 of the vulnerabilities found in 2020 were classified as critical, and removing administrator rights would have mitigated 70% of them. A large share of these threats can therefore be reduced simply by removing administrative privileges on endpoint devices, a best practice widely recommended by industry experts. Removing administrator rights limits what an exploited vulnerability can do on the machine; it complements patching rather than replacing it.

Least privilege strategy

Privilege management systems (EPM/PEDM systems) are closely tied to the fundamental IT security principle of least privilege. A user with local administrator rights can perform virtually any function in the operating system: installing software and hardware drivers, changing system settings, creating user accounts and resetting the passwords of all local accounts. Local administrator rights are sometimes granted to reduce the load on IT support, but they also create a high security risk, because any program the user runs, including malware, runs with the same rights.

A common approach to managing privileged user accounts is the least privilege model, which assigns users and programs only the minimum privileges required to perform their specific tasks. The least privilege policy is most effective when combined with application whitelisting (allowlisting): identifying the approved applications that may be installed and run in the operating system. The purpose of whitelisting is to protect computers and networks from potentially harmful applications by treating anything not on the list as untrusted.

Effective EPM/PEDM systems use general rules based on easily defined criteria, such as the program's location, the publisher that signed it or a file hash, to automatically prevent the execution of unauthorized applications, significantly reducing the risk from programs that do not comply with the organization's security standards.
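The following is an added example, not code from the original page or from any EPM/PEDM product. It shows, for the per-application elevation, application blocking and unknown-application reporting described in the list above and for the rule-based whitelisting described in this section, how an agent-side policy evaluator can be structured: ordered rules matched on path prefix, signing publisher, SHA-256 hash and user group, first match wins, with a configurable default for everything unmatched. All users, groups, programs, publishers and file contents are constructed for illustration; the rule criteria are an assumed minimal set, not a specific vendor's policy language.

```python
"""Added example (not from the original page or any EPM vendor): a minimal
first-match launch policy of the kind an EPM/PEDM agent applies. Every
user, group, path, publisher and file content below is constructed."""
from dataclasses import dataclass
from hashlib import sha256
from typing import Dict, FrozenSet, List, Optional

BLOCK, RUN_STANDARD, ELEVATE = "block", "run-standard", "elevate"


@dataclass(frozen=True)
class LaunchEvent:
    user: str
    groups: FrozenSet[str]
    path: str                  # full image path as seen by the agent
    publisher: Optional[str]   # signer name from the code signature, None when unsigned
    content: bytes             # image bytes (constructed), hashed for hash rules


@dataclass(frozen=True)
class Rule:
    name: str
    decision: str
    path_prefix: Optional[str] = None        # None means "criterion not checked"
    publisher: Optional[str] = None
    require_signed: bool = False
    sha256_hex: Optional[str] = None
    groups: Optional[FrozenSet[str]] = None  # scope the rule to members of these groups

    def matches(self, ev: LaunchEvent) -> bool:
        # Windows paths are case-insensitive, so compare lowered forms
        if self.path_prefix and not ev.path.lower().startswith(self.path_prefix.lower()):
            return False
        if self.require_signed and ev.publisher is None:
            return False
        if self.publisher is not None and ev.publisher != self.publisher:
            return False
        if self.sha256_hex is not None and sha256(ev.content).hexdigest() != self.sha256_hex:
            return False
        if self.groups is not None and not (ev.groups & self.groups):
            return False
        return True


@dataclass(frozen=True)
class Decision:
    action: str
    rule: Optional[str]   # name of the matching rule, None when the default applied
    report: bool          # True: surface as unknown/unapproved to the security team


class Policy:
    """Ordered rules, first match wins. The default covers anything unmatched:
    BLOCK gives a strict allowlist, RUN_STANDARD gives an audit mode where
    unknown programs still run, never elevated, but are reported."""
    def __init__(self, rules: List[Rule], default: str = RUN_STANDARD):
        self.rules = list(rules)
        self.default = default

    def evaluate(self, ev: LaunchEvent) -> Decision:
        for rule in self.rules:
            if rule.matches(ev):
                return Decision(rule.decision, rule.name, report=False)
        return Decision(self.default, None, report=True)


VPN_INSTALLER = b"constructed bytes of the approved VPN client installer"

POLICY = Policy([
    # block rules come first so a deny can never be shadowed by an allow
    Rule("block user-writable locations", BLOCK, path_prefix="C:\\Users\\"),
    Rule("block unapproved publisher", BLOCK, publisher="Contoso Games Ltd"),
    # per-application elevation, scoped to the group that actually needs it
    Rule("elevate Visual Studio for developers", ELEVATE,
         path_prefix="C:\\Program Files\\Microsoft Visual Studio\\",
         publisher="Microsoft Corporation", groups=frozenset({"Developers"})),
    # hash rule: the approved installer elevates wherever it is launched from
    Rule("elevate approved VPN installer", ELEVATE, sha256_hex=sha256(VPN_INSTALLER).hexdigest()),
    # anything signed under Program Files may run, but only with standard rights
    Rule("run signed Program Files apps", RUN_STANDARD,
         path_prefix="C:\\Program Files\\", require_signed=True),
], default=RUN_STANDARD)

DEVS = frozenset({"Domain Users", "Developers"})
STAFF = frozenset({"Domain Users"})
VS = "C:\\Program Files\\Microsoft Visual Studio\\2022\\Common7\\IDE\\devenv.exe"
SHARE = "\\\\fs01\\software\\vpn.exe"

# constructed launch events, one per case the rules are meant to distinguish
SAMPLES: Dict[str, LaunchEvent] = {
    "dev runs Visual Studio": LaunchEvent("dana", DEVS, VS, "Microsoft Corporation", b"devenv"),
    "contractor runs Visual Studio": LaunchEvent("cory", STAFF, VS, "Microsoft Corporation", b"devenv"),
    "unsigned download": LaunchEvent("alice", STAFF, "C:\\Users\\alice\\Downloads\\setup.exe", None, b"dropper"),
    "approved installer from share": LaunchEvent("alice", STAFF, SHARE, "Acme VPN Inc", VPN_INSTALLER),
    "tampered installer from share": LaunchEvent("alice", STAFF, SHARE, "Acme VPN Inc", VPN_INSTALLER + b"x"),
    "signed game in Program Files": LaunchEvent("alice", STAFF, "C:\\Program Files\\Contoso Games\\game.exe", "Contoso Games Ltd", b"game"),
    "unknown signed tool": LaunchEvent("alice", STAFF, "D:\\tools\\ssh.exe", "Tools Inc", b"ssh"),
}


def run_samples(policy: Policy = POLICY) -> Dict[str, Decision]:
    return {name: policy.evaluate(ev) for name, ev in SAMPLES.items()}


def unknown_report(decisions: Dict[str, Decision]) -> List[str]:
    """What the reporting module would show: launches no rule recognised."""
    return [name for name, d in decisions.items() if d.report]


if __name__ == "__main__":
    for name, d in run_samples().items():
        print(f"{name:32} -> {d.action:12} rule={d.rule} report={d.report}")
```

Two details are deliberate. The developer and the contractor launch the identical, correctly signed Visual Studio binary, but only the developer is elevated; the contractor still gets to run it, with standard rights, because elevation is tied to the group scope of the rule rather than to the program alone. The tampered installer shares the path and signer of the approved one and is still not elevated, because the hash rule fails; in audit mode it runs unelevated and lands in the unknown-application report, and switching the policy default to BLOCK turns the same rule set into a strict allowlist without touching the rules.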