Servers

Restricting access to mission critical servers, while allowing your system administrators to perform their responsibilities, raises many challenges. It is typical for system administrators to have excessive privileges over many servers, due to the nature of their role. These privileged accounts pose a huge security risk to the organization.

Logging on to a server with a privileged account also carries major operational concerns, as it is all too easy for an administrator to inadvertently change a critical setting or access services for which they have no responsibility. The lack of sufficient auditing can make it difficult to track down problems and ensure that system administrators are only using their privileges for the role they are authorized to perform.

With Avecto Privilege Guard, system administrators do not have to be granted local administrative rights over a server. Instead these rights can be assigned dynamically to the applications that each administrator is authorized to run, in order to perform their role. This enables system administrators to log on with standard user rights, avoiding inadvertent server changes through the use of privileged accounts.

Where it is not possible to restrict a system administrator’s server access to a well-defined set of applications, Privilege Guard may be configured to provide the administrator with an “on demand” elevation facility. This enables the administrator to log on to the server with standard user rights, but elevate applications, as required. In addition, inappropriate applications may be excluded from this facility and a full audit trail ensures that this privilege is not abused, either deliberately or accidently.

In addition to the security and operational benefits of implementing least privilege, Privilege Guard can provide detailed audit trails, which can help to meet external or internal compliance regulations.

Privilege Guard raises individual events to identify any application that has be run with elevated rights, giving a complete audit trail of all privileged applications run by your systems administrators. If more detailed information is required then Privilege Guard may be configured to log the full details of all privileged operations by applications, including access to the file system, registry and system services. These detailed application forensics may be used to pinpoint inappropriate privileged activity or simply provide more in-depth audit logs to meet compliance initiatives.

Although logging on to servers with privileged accounts carries obvious security concerns, it is the operational risks that can be more costly. The greater the number of privileged accounts, the greater the likelihood that one of these accounts will be used to perform an unauthorized modification to a server’s configuration, which could result in operational problems, including downtime, depending on the nature of the change.

Privilege Guard ensures that the likelihood of unauthorized or unwanted changes to a server are minimized by only giving each administrator privileged access to the applications and tasks required to perform their role. This least privileged approach is just as important on servers, as it is on desktops, and given the critical role of many servers, the benefits can be even greater.