On-demand local admin privilege for AADJ Windows 10 devices – Admin By Request

control local admin rights of AADJ Windows 10 devices - Provide elevated privilege on-demand to end-users without compromising security - Privileged Access Management solution

Are you facing a challenge in deciding how to control and manage the local administrator rights on the Intune managed Azure AD joined Windows 10 workstations? Then this blog post is probably for you.

Prologue

Providing local admin rights to end-users is always considered a security risk in the enterprise scenario – the risk of installing harmful applications and infecting the infrastructure. With the onslaught of malware and ransomware attacks in the recent past, this security concern has been further bolstered.

With the pandemic situation forcing many organizations to switch to remote working with very little time for planning and preparing for the move, many organizations decided to allow users to be local administrators, utilizing windows built-in User Account Control (UAC) to handle the admin sessions.

Although UAC along with protective software does prevent most viruses, malware, and ransomware being installed, attacks can still happen anyway due to user negligence and unawareness.

Study reveals that the majority of security risks and vulnerabilities can be mitigated just by removing local admin privileges from end-users.

It is a fact that removing local admin rights from an end-user helps to prevent and mitigate lateral movement and elevation of privilege attacks.

Although removing local admin rights reduces the number of security risks, it also significantly degrades the end-user experience and increases the workload on the IT Helpdesk.

It is not always possible for the IT team to anticipate end-user needs and prepare a whitelist ahead of time, which leads to more remote-install calls for the IT team. Further, a whitelist does not necessarily mean that the listed files or applications are safe, and maintaining it is resource intensive. Moreover, there are also cases where end users react to system lockdowns by turning to ‘shadow IT’ workarounds, creating new security risks.

Over the last few years, as more and more organizations have shifted their workloads to the cloud, adopted digital workplace solutions and transitioned from traditional to modern management, end-users have also matured: they expect the best user experience with the fewest obstructions in their daily workflows.

Removal of local admin rights, if planned and implemented well, can be a boon; otherwise it is a bane for IT support.

What are the challenges: Controlling Local Admin Rights for Azure AD Joined Windows Workstations

The user account that is used to perform the Azure AD join operation gains local administrator privilege on the Windows 10 workstation, as it is automatically added to the Local Administrators group.

Other than that, Azure AD also adds the security principals of the following accounts

  • the Azure AD Global Administrator (GA) account of the tenant
  • the Azure AD Device Administrator account of the tenant

to the Local Administrators group on the workstation. This is by design. Ref Microsoft Article.

Azure AD natively gives you the option to specify additional Azure AD user accounts to be granted local admin privileges on the Azure AD joined Windows 10 endpoints. But then that is all that is available natively.

If you want to remove local admin rights from the end-user accounts, you have the option to either

  • Provision devices with a Standard User Autopilot profile, or
  • Use a PowerShell script to remove the end-user account from the local Administrators group of the workstation

This works fine as long as you are only concerned with removing local admin rights from the end-users.
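As an added example of the scripted option above (not code from the post or from the Admin By Request product), the script below strips the local Administrators group down to an explicit allow-list, which is the same end state the ABR client produces later in this post (only the Azure AD Global Administrator and Device Administrator principals survive). The two role SIDs are placeholders you must replace with the values observed on your own freshly joined device; the built-in Administrator is always kept.

```powershell
# Added example, not Admin By Request code: remove every member of the local
# Administrators group on an Azure AD joined Windows 10 device except an explicit
# allow-list, and report what happened. Run elevated, e.g. as an Intune
# PowerShell script executing in SYSTEM context.

# Azure AD principals show up locally as S-1-12-1-* SIDs, and so do the Azure AD
# Global Administrator and Device Administrator role SIDs that the join adds.
# They are deliberately not hard-coded here: replace the placeholders with the
# role SIDs you see in the Administrators group of a freshly joined device.
$ExemptSids = @(
    'S-1-12-1-PLACEHOLDER-GLOBAL-ADMIN-ROLE',   # placeholder: Azure AD Global Administrator role
    'S-1-12-1-PLACEHOLDER-DEVICE-ADMIN-ROLE'    # placeholder: Azure AD Device Administrator role
)

function Get-LocalAdminSids {
    # Get-LocalGroupMember is known to throw on Azure AD joined devices when the
    # group holds a SID it cannot resolve, so fall back to the ADSI WinNT
    # provider, which hands back the raw objectSid bytes without resolving them.
    try {
        return @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
            ForEach-Object { [pscustomobject]@{ Name = $_.Name; Sid = $_.SID.Value } })
    } catch {
        $group = [ADSI]'WinNT://./Administrators,group'
        return @($group.Invoke('Members') | ForEach-Object {
            $bytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
            $name  = $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
            [pscustomobject]@{
                Name = $name
                Sid  = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
            }
        })
    }
}

function Remove-UnapprovedLocalAdmins {
    param(
        [Parameter(Mandatory)] [string[]] $ExemptSids,
        [switch] $DryRun
    )
    # Always keep the built-in Administrator (RID 500) so the device is never
    # left without any local admin at all; the account stays disabled by default.
    $builtin = (Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }).SID.Value
    $keep = @($ExemptSids) + @($builtin)

    foreach ($m in Get-LocalAdminSids) {
        if ($keep -contains $m.Sid) {
            [pscustomobject]@{ Name = $m.Name; Sid = $m.Sid; Action = 'Kept' }
            continue
        }
        if (-not $DryRun) {
            # Removing by SID also works for members whose name no longer resolves.
            Remove-LocalGroupMember -Group 'Administrators' -Member $m.Sid -ErrorAction Stop
        }
        [pscustomobject]@{
            Name   = $m.Name
            Sid    = $m.Sid
            Action = $(if ($DryRun) { 'WouldRemove' } else { 'Removed' })
        }
    }
}

# Dry run first; drop -DryRun once the output lists only the accounts you expect to lose.
Remove-UnapprovedLocalAdmins -ExemptSids $ExemptSids -DryRun | Format-Table -AutoSize
```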

But the real pain comes when you decide that you need to provide local admin rights to select personas, say your local IT support team members, in such a way that a support member of region A has admin rights only on the workstations that belong to region A, and not outside that region.

The requirement of region-based dynamic device grouping is complex to achieve, as the AAD device object does not have a location property that could be used for creating a dynamic device group. You also cannot create a dynamic device group based on properties of the associated user.

When you remove local admin rights from end-users, there are scenarios which need to be considered as exception cases during the planning phase. Examples of such scenarios:

  • Specific applications (which run in user context) or processes might stop working properly, since they require elevated permissions to run.
  • Specific personas, mostly developers, need to run certain tasks with elevated permissions, and those tasks would break.

Other than this, installing new software (with business justification) or updating existing software requires the end-user to call IT support, who would then initiate a remote session to perform the requested activity. This really adds to the IT overhead and can be considered a hindrance to the end-user's natural workflow, disrupting productivity.

What we are looking for: Revoke Local Admin rights without hampering user productivity and workflow and also without adding IT overhead

Modern digital workplace solutions need to include a component which can not only effectively remove local admin rights from end-user accounts, applying the least privilege principle to most tasks and activities on the workstations, but can also handle the exceptional cases, which is to

  • allow end-users to request and gain elevated privilege for running an activity on-demand
  • allow only specific approved applications to run with elevated privilege on the workstations
  • allow only specific group of users to gain access to elevated privilege on the workstation (IT Support Team)
  • allow elevated session for a limited time period, with force closure of applications on session termination

It goes without saying that all such requests and activities need to be audited, with reports available for later review.

The above essentially boil down to the working principles of a Privileged Access Management solution, which offers

  • Isolation of privilege: Account used for performing daily activities should be assigned the least privilege
  • Just-in-time privilege: Privileged access to be acquired only when required
  • Just-enough privilege: Privileged access should be just enough to perform the required task only
  • Time-bound privilege: Privileged access granted should be only for the minimum possible time required to complete the task
  • Require approval and provide justification for requesting privileged access
  • Auditing and review

Privileged Access Management (PAM) is among the Gartner Top 10 Security Projects for 2019.

Though I might be wrong, I am really not aware of any Microsoft offerings in this space or category.

Yes, I know there is Privileged Identity Management (PIM) service for Azure AD which enables you to manage, control, and monitor access to important resources in your organization. However, the resource here refers to Microsoft online services and the level of access a user has to it. There is also Privileged Access Management (PAM) for Active Directory which you can consider the on-premise instance of the above.

But neither helps to manage and control local admin rights of your managed endpoints.

While exploring my options on this very topic, I reached out to one of my seniors for help and suggestions, and I was referred to a product named Admin By Request.

I immediately checked out their website and saw a functional trial available for 14 days to test the product. This blog post essentially captures my testing experience with the product.

Disclaimer: There are a variety of vendors that provide products in this space, such as CyberArk and BeyondTrust to name a few. Though this blog post is about one such product, my intention is to not recommend one over any other. You would have to try and evaluate the products to find the one that is the best fit for your environment and needs.

Knowing the product: Admin By Request

Admin By Request from FastTrack Software is a simple, easy to set up, easy to use, brilliant product with zero infrastructure footprint.

Admin By Request [ABR in short] allows you to revoke local admin rights from your end-users' workstations and instead provide on-demand elevation of privilege per request, which can be controlled and time-restricted, so that activities which require elevated access can still be performed while a full audit trail is maintained.

The product helps to greatly reduce the propagation of malware and ransomware threats because it works on the principle of least privilege. A request to elevate and execute an infected file gets blocked by the advanced real-time cloud threat detection capabilities on offer.

ABR cloud service utilizes the OPSWAT MetaDefender Cloud service to provide real-time cloud threat detection capabilities. The file to be executed, for which the elevation is requested, is subjected to evaluation by 30+ AV engines (OPSWAT MetaDefender Cloud Multiscanning) before it is even allowed to get executed.

Irrespective of your present infrastructure model, whether you are cloud-only, hybrid or fully on-premises, ABR can integrate with your infrastructure with minimal IT effort.

Did I forget to mention inventory information? You also get a great deal of inventory information, as the client retrieves hardware and installed-software details from the workstations.

Last but not least, the product also ships with a fully functional, comprehensive auditing and geographic asset tracking solution.

What if you want richer analytics? Well, that’s also sorted, since you can easily hook up your ABR service with Microsoft Power BI via the API access made available by ABR. Awesome, isn’t it!

Admin By Request is a complete SaaS service hosted in Microsoft Azure and if you are worried about the SLA and Compliance, their website has everything mentioned that you would need regarding this.

Features on Offer

Let’s check out what the product offers in a bit more detail.

Run as Administrator (App Elevation)

Allow your end-users to request and gain elevated privilege on-demand

This saves IT from the chores of whitelisting applications and doing repeated remote installs. Although the local admin privilege is taken away from the end-user, the end-user experience is not impacted. When an end-user starts installing an application, the activity is intercepted by the Admin By Request client, which then sandboxes the execution without granting the end-user full admin rights. The activity is audited for future reference.

Similarly for any application which is already installed but requires elevated privilege to perform its task, the user can request the “Run As Admin” while executing the application. The admin privilege granted is applicable to that particular instance or process only.

AdminByRequest - Revoke local admin privilege from end-user and instead provide on-demand elevation of privilege per request basis, to be audited.

Allow only specific group of users to gain access to elevated privilege on the workstation

You would mostly not want to apply the same set of restriction configuration organization-wide. As such, you have the option to create sub-settings which can override the global settings based on scope. If you really want to have a complete lockdown by not allowing your end-users to ever get admin rights, but instead allow admin rights to only specific personas, you can do that by configuring the Global Access Scope and Sub Settings Scope.

Allow elevated session for a limited time period (mostly for IT Support Team)

You can allow a protected admin session to be started on the workstation, where the requesting persona is provided with a sandboxed elevated session for a configured period of time. This lets the persona perform various elevated tasks in one go which would otherwise require separate approvals. The entire session is audited for the activities performed and is available for future reference.

AdminByRequest - Administrator Session allows all tasks on the computer to be performed under full audit, except modifying users or tampering with the client software.

Allow execution of pre-approved applications with elevated privilege without the need to request for elevation

IT can create and define a pre-approved application list. This results in the specified applications being executed with “Run as Admin” without requiring an approval, which would otherwise be required. This is a good way to reduce the audit log entries by pre-approving known-good applications and trusted legacy line-of-business (LOB) applications so that they bypass the approval flow.

Read their website to know more about the logic flow implemented behind “Run as Admin” approval.

Considerations for pre-approving files

When you pre-approve an application file, you need to ensure that end-users are not able to rename an arbitrary file to match the pre-approved one and so inherit the exemption. To do this, you get to choose from 3 types of protection mode.

  1. File must be located in a read-only directory, which ensures the file name cannot be modified by the end-user.
  2. File must match a checksum, which is the most secure option since only one file in the world can match the checksum. It is not very viable in practice, though, since it is version dependent.
  3. File must match a digital certificate, which allows you to pre-approve all applications from a particular vendor.

AdminByRequest - Pre-approve known, frequently used applications to reduce audit events. Similar to AppLocker in Windows.

This is quite similar to creating AppLocker policies where you get the same options to create a rule, which can be

  • Path (location-based)
  • Hash (checksum-based)
  • Publisher (digital cert based)
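To make the trade-off between the three protection modes concrete, here is an added example (my own, not Admin By Request code) that inspects a candidate file and reports what each mode would key on: whether its directory is actually read-only for standard users, its SHA-256 and file version (the checksum changes with every version), and whether a publisher rule is possible at all (the Authenticode signature must verify). The ACL heuristic and the list of "broad" principals are this example's own assumptions.

```powershell
# Added example, not Admin By Request code: evaluate a candidate file against the three
# pre-approval protection modes (read-only directory, checksum, digital certificate) and
# report which rule type is safe for it. The ACL test below is this example's own heuristic.

function Test-ReadOnlyForStandardUsers {
    param([Parameter(Mandatory)] [string] $Directory)
    # A path-based pre-approval is only safe when standard users cannot drop or rename a
    # binary in that directory. Any Allow ACE for a broad principal that grants create or
    # delete-child rights on the directory defeats the rule.
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    $write = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles'
    foreach ($ace in (Get-Acl -Path $Directory).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broad -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$write) -ne 0) { return $false }
    }
    return $true
}

function Get-PreApprovalOptions {
    param([Parameter(Mandatory)] [string] $Path)
    $file = Get-Item -Path $Path
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $signed       = $sig.Status -eq 'Valid'
    $readOnlyPath = Test-ReadOnlyForStandardUsers -Directory $file.DirectoryName

    [pscustomobject]@{
        File            = $file.FullName
        # Mode 1: location-based. Safe only if the directory is read-only for users.
        PathRuleSafe    = $readOnlyPath
        # Mode 2: checksum. Exact match, but changes with every new version of the binary.
        Sha256          = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        FileVersion     = $file.VersionInfo.FileVersion
        # Mode 3: publisher. Usable only if the Authenticode signature verifies.
        SignatureStatus = $sig.Status
        Publisher       = $(if ($signed) { $sig.SignerCertificate.Subject } else { $null })
        Recommendation  = $(
            if ($signed)           { 'Publisher: covers every version the vendor signs' }
            elseif ($readOnlyPath) { 'Path: unsigned, but standard users cannot replace files here' }
            else                   { 'Checksum: unsigned and in a writable location; re-approve on every update' }
        )
    }
}

# Notepad stands in for a line-of-business executable; point -Path at your own candidate.
Get-PreApprovalOptions -Path "$env:SystemRoot\System32\notepad.exe" | Format-List
```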

Real-time Malware Detection

When a user requests “Run as Admin” to execute an application installation or to start an application which requires elevated privilege, the ABR client on the endpoint initiates an API call to the backend cloud service, which then scans the file to be executed using 30+ anti-virus engines in real time.

The real-time scan is prior to actual execution, thus ensuring that no malicious code can get executed with admin privilege.

This does not conflict with security software that is already present on the endpoint (Windows Defender or other 3rd party AV products) as it does not install any additional AV components. The entire process of malware detection is cloud-driven.

Admin By Request cloud service leverages the OPSWAT MetaDefender cloud service for this purpose utilizing the OPSWAT’s REST API or the MetaDefender Cloud API.

Read from their website to know how ABR uses real-time cloud scan for malware detection.

OPSWAT MetaDefender Cloud analyzes files to detect threats using a process known as multiscanning – an advanced threat detection and prevention technology that increases detection rates, decreases outbreak detection times and provides resiliency to anti-malware vendor issues. OPSWAT pioneered the concept of multiscanning files with over 30 anti-malware engines available to deliver enhanced protection from a variety of cyber threats.

If you are really interested in learning more about OPSWAT MetaDefender Cloud API, here is the reference documentation.

Mobile App for Admins

Admin By Request also provides you with a free publicly available mobile application available on both Google Play Store and Apple App Store, which can act as a supplement to the web portal.

After testing the product, I can assure you what they have stated on their website!

Admins only need to log in to the web portal when they need to extract a report. Otherwise, admins would mostly use the mobile app to approve or deny incoming and pending requests. The app is very well designed for the admin work, I must say…

AdminByRequest - Companion mobile app available in both Google Playstore and Apple App Store which very well supplements the web portal for carrying out admin activities.

Setting up Admin By Request to use Azure AD

Admin By Request integrates with your Azure Active Directory tenant with minimal fuss and efforts. Once connected you can utilize your Azure AD user and device groups to base your Scope (Global Access and Sub Settings) to differentiate or customize access settings for different scope groups.

For those of us who work with the Microsoft cloud, Azure AD Connect is the tool which syncs your on-premises directory with Azure AD. As such, don’t get confused when you come across the same term in Admin By Request while setting up the Azure AD connection. Here the term Azure AD connect simply signifies the connection of the ABR cloud service with Azure AD.

The setup activity is well documented in their website – Setup Admin By Request with Azure AD App Registration

Is your current infrastructure hybrid or fully on-premises? Don’t worry, as ABR supports your infrastructure environment in all forms, be it cloud, hybrid or on-premises.

Deployment of the Client with Intune

The Admin By Request client is an MSI application package which you can easily deploy from Intune as an LOB app.

AdminByRequest - Easy deployment of client via Intune. The client is an MSI app package.

As usual, you can track the deployment using Windows Event logs

Windows Logs > Application and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider
 
Event ID 1901
 
EnterpriseDesktopAppManagement CSP: A node instance of was created successfully.  MSI ProductCode: {449CB0E3-7239-ECC2-16A2-E156B5774E6E}, MSI UpgradeCode: null, User SID: (S-0-0-00-0000000000-0000000000-000000000-000).
 
Event ID 1904
 
EnterpriseDesktopAppManagement CSP: MDMAppInstaller task has started.
 
Event ID 1905
 
EnterpriseDesktopAppManagement CSP: Application content download started. MSI ProductCode: {449CB0E3-7239-ECC2-16A2-E156B5774E6E}, User SID: (S-0-0-00-0000000000-0000000000-000000000-000), BITS job: (2cf08fe2-7c6c-47e0-a9c2-4e2e57eb7403).
 
Event ID 1906
 
EnterpriseDesktopAppManagement CSP: Application content download completed. MSI ProductCode: {449CB0E3-7239-ECC2-16A2-E156B5774E6E}, User SID: (S-0-0-00-0000000000-0000000000-000000000-000), BITS job: (2cf08fe2-7c6c-47e0-a9c2-4e2e57eb7403).
 
Event ID 1920
 
EnterpriseDesktopAppManagement CSP: An application install has started. MSI ProductCode: {449CB0E3-7239-ECC2-16A2-E156B5774E6E}, User SID: (S-0-0-00-0000000000-0000000000-000000000-000).
 
Event ID 1922
 
EnterpriseDesktopAppManagement CSP: An application install has succeeded. MSI ProductCode: {449CB0E3-7239-ECC2-16A2-E156B5774E6E}, User SID: (S-0-0-00-0000000000-0000000000-000000000-000), Result: (The operation completed successfully.).

Related Application events as below

Windows Logs > Application
 
MsiInstaller Event ID 1040
 
Beginning a Windows Installer transaction: C:\Windows\system32\config\systemprofile\AppData\Local\mdm\{653905F7-95D6-4F7B-8C3B-31EDF9AECEC6}.msi. Client Process Id: 8772.
 
MsiInstaller Event ID 11707
 
Product: Admin By Request Workstation -- Installation completed successfully.

Once the install is confirmed, you can get the event which confirms the removal of the end-user account (other than the Azure AD GA account and Azure AD Device Administrator account) from the local administrators group of the device.

Windows Logs > Application
 
Admin By Request Event ID 0
 
User <Display Name>/<SID> removed from local admins group

AdminByRequest - Client removes any account from local administrators group of the workstation excluding the Azure Global Admin account and Azure Device Administrator account by default.
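The event trail above is spread over two logs and three providers, so as an added example (not from the post or the product) here is a query that pulls the Intune CSP events, the MsiInstaller events and the client's "removed from local admins group" confirmation into one timeline for the ProductCode shown in the post, and a check that only reports success once both the MSI install (1922) and the actual group change have been logged. The provider name `Admin By Request` for the client's event and the `/Admin` channel name of the DeviceManagement log are assumptions.

```powershell
# Added example, not part of the post or of the Admin By Request product: collect the
# Intune deployment events and the client's own confirmation event into one timeline,
# so a failed or half-finished rollout is visible at a glance.

$ProductCode = '{449CB0E3-7239-ECC2-16A2-E156B5774E6E}'   # ABR Workstation MSI, as seen in the post

function Get-AbrDeploymentTimeline {
    param(
        [Parameter(Mandatory)] [string] $ProductCode,
        [int] $Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)

    # EnterpriseDesktopAppManagement CSP: 1901 node created, 1904 installer task started,
    # 1905/1906 content download, 1920 install started, 1922 install succeeded.
    # 1904 carries no ProductCode in its message, so it is kept by Id alone.
    $csp = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Id        = 1901, 1904, 1905, 1906, 1920, 1922
        StartTime = $since
    } | Where-Object { $_.Id -eq 1904 -or $_.Message -like "*$ProductCode*" }

    # MsiInstaller: 1040 transaction started, 11707 installation completed.
    $msi = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1040, 11707; StartTime = $since
    } | Where-Object { $_.Id -eq 1040 -or $_.Message -like '*Admin By Request*' }

    # The client's confirmation that an account left the local Administrators group.
    # Provider name 'Admin By Request' is assumed from the post's "Admin By Request Event ID 0".
    $abr = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Admin By Request'; StartTime = $since
    } | Where-Object { $_.Id -eq 0 -and $_.Message -like '*removed from local admins group*' }

    @($csp) + @($msi) + @($abr) | Where-Object { $_ } | Sort-Object TimeCreated | ForEach-Object {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Provider = $_.ProviderName
            Id       = $_.Id
            Message  = ($_.Message -split "`r?`n")[0]   # first line only, for a compact table
        }
    }
}

function Test-AbrDeploymentComplete {
    # Success means Intune reported the MSI install as succeeded (1922) AND the client
    # has actually removed at least one account from the local Administrators group.
    param([Parameter(Mandatory)] [string] $ProductCode, [int] $Hours = 24)
    $events    = @(Get-AbrDeploymentTimeline -ProductCode $ProductCode -Hours $Hours)
    $installed = $events | Where-Object { $_.Id -eq 1922 }
    $revoked   = $events | Where-Object { $_.Provider -eq 'Admin By Request' -and $_.Id -eq 0 }
    return [bool]($installed -and $revoked)
}

Get-AbrDeploymentTimeline -ProductCode $ProductCode | Format-Table -AutoSize
"Deployment complete: $(Test-AbrDeploymentComplete -ProductCode $ProductCode)"
```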

You should have the Admin By Request Tray Icon enabled at this point.

AdminByRequest - Deploy the client to the end device and you are ready to revoke admin rights off your end-user accounts, without them ever feeling any real impact to their everyday workflow.

Computers went offline? Users won’t be able to override settings!

Admin By Request works the same whether the computer is online or offline. Portal settings are cached on the client and as an end-user you do not have any rights to tamper with the client or its settings.

Nevertheless, the policy settings are stored in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\FastTrack Software\Admin By Request, but if you try to access that key, you are greeted with an error.

AdminByRequest - User cannot gain elevated privilege to tamper with user accounts manually on the workstation or to tamper with the ABR client itself.

End-User Experience

Run As Admin without requiring Admin Approval

AdminByRequest - The client revokes local admin rights from end-users and controls the Run as Admin activity

I start an application file using Run as Admin. This triggers the ABR client to intercept the activity, and as a result I am greeted with a screen where I need to provide the justification for the action in order to seek approval from the Admin.

AdminByRequest - Require to provide justification for the request of elevation in privilege

Once I provide the justification and click on OK, it will show me the Code of Conduct message which states the activity will be monitored.

AdminByRequest - Code of Conduct display box shows that the activity of privilege escalation will be audited

I click on OK and the installer process will continue.

Run As Admin with Admin Approval required

I start an application file using Run as Admin. This triggers the ABR client to intercept the activity, and as a result I am greeted with a screen where I need to provide the justification for the action in order to seek approval from the Admin.

AdminByRequest - Require to provide justification for the request of elevation in privilege

Once I provide the justification and click on OK, it will trigger a request to the Admin.

AdminByRequest - Request for elevated privilege is sent to Admin for approval

Once Admin approves the request, I will get an email notification for the same. (If Admin denies, you get an email notifying the same)

AdminByRequest - Email will be sent to end-user notifying the approval state of their request for privilege elevation. The email will also contain the instruction that the end user needs to follow to run the task.

I just need to start the process again. This time the ABR client on the device will automatically detect the Admin has granted consent for the activity and will show the generic Code of Conduct message.

AdminByRequest - Code of Conduct display box shows that the activity of privilege escalation will be audited

I click on OK and the installer process will continue.

Note: The request for elevation is tagged to the file for which the request is being made. The elevated privilege is only applicable to that file and also for that particular instance of execution only.

AdminByRequest - Comprehensive audit logs available for future reference

Before the actual execution of the file, the ABR client also makes an API call to the backend service (REST API call to OPSWAT MetaDefender Cloud) to verify the file being executed.

AdminByRequest - Provides robust security by utilizing the OPSWAT MetaDefender Cloud service for real-time scanning of a file before allowing it to execute with elevated privilege.

Depending on the status of the response, the process will continue or will be stopped there!

AdminByRequest - File is blocked from execution if the multiscanning report flags the file as malicious.

API Access to bind with Power BI for Rich Analytics and Visualization

Admin By Request also gives you an API to integrate with Power BI for rich analytics.

Navigate to Settings > Windows Settings > Privacy > API Access and enable the switch for API access. This gives you the secret API key.

AdminByRequest - Use API Access to bind Power BI to get rich analytics

Open Power BI and click on Get data > Web

AdminByRequest - Setting up Power BI to have rich analytics

Fill out the form with the details. Choose Advanced and then fill in the URL parts. You can find the details to fill in the link here.

Notice that the FQDN will contain the number of the data center which is hosting your ABR service.

AdminByRequest - Setting up Power BI for getting rich analytics.

Click on OK and then Connect, and you have now connected your Admin By Request cloud service with Power BI.

Ending

A Privileged Access Management solution for endpoints should really be an integral part of every modern digital workplace, as it helps to effectively protect against and mitigate security risks, mostly those caused by end-user ignorance and/or negligence.

It can help an organization save its reputation and credibility, not to forget the money, effort and resources it would otherwise have to spend to contain and fix the damage after an attack or breach.

Well, that’s all for today. I know this was pretty long, so thank you for your patience if you are still with me.

Continue to stay strong and safe as we still continue to fight the effects and after-effects of this pandemic.
