Re: On-demand Privilege Escalation Solution for Endpoints

[WALTER KERNER <walter_kerner () FITNYC EDU>]

We’re just beginning to use Avecto here.  It’s still early but it seems
like it will be a good fit.  It will let traveling faculty add printers,
adjust networks, and handle timezones with admin rights.  We also use it to
confirm on software installs: we don’t prohibit faculty from installing
what they want, but we want to alert them to drive-by downloads







Walter Kerner

AVP and CISO

[image: blue]

333 7th Avenue, 13th Floor

New York, NY 10001

Voice: 212-217-3415



*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Davis, Chris
*Sent:* Tuesday, March 27, 2018 10:28 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] On-demand Privilege Escalation Solution for
Endpoints



Check out Avecto Defendpoint or CyberArk Viewfinity. Both do what you are
looking for without having to grant admin rights on an extended basis.

Sent from my iPhone - please excuse any minor errors.



Chris Davis, PhD

Chief Information Officer

Lourdes University

cdavis () lourdes edu


On Mar 27, 2018, at 22:02, Nitin Singh <Nitin.Singh () VU EDU AU> wrote:

Good Day Folks,



We are looking at possible solutions to allow administrative rights on
endpoints.



Currently by default our users get administrative rights (oooops!) on their
machines which is for historic reasons to provide academic freedom and
flexibility. And as you would know this freedom and flexibility comes with
significant security exposure and risk for our University.



Moving forward we will be removing all administrative rights on endpoints
and looking to deploy a solution which can:

   1. Allow demand Privilege Escalation from local machine regardless it is
   connected to University Network or Not
   2. Limit the window of Escalated Rights such as allowing users to select
   how long they need administrative rights for and automatically removing
   privileges after selected period of 30mins, 2 hours, 4 hours or 8 hours.
   3. Monitor, log and alert on all activities undertaken (including
   installation, download etc.) during the period of escalated rights
   4. Block/notify users whenever download/installation of a malicious
   code/software is detected
   5. Easy to use, install and does not require excessive operational
   overheads.



Anyone who is using similar technologies or have explored such solutions
who can share insights that would be highly appreciated.



Rgds, Nitin



*Nitin Singh*

*Director – ITS Security and Risk Assurance*

Information Technology Services

(P) +61 3 9919 5849

(M) +61 430 989 430



Victoria University CRICOS Provider No. 00124K (Melbourne) CRICOS Provider
No. 02475D (Sydney)



<image001.png>