In this article, you will learn everything you need to know about the Privilege Elevation and Delegation Management module. Privilege Elevation and Delegation Management lets you elevate user rights or single file executions, revoke elevations at any time, and supports zero-trust execution. It features a lightweight interface that keeps you in control of the user's elevated session: approve or deny from the HEIMDAL Dashboard or on the go from your mobile device, keep track of sessions, block elevation for system files, live-cancel user admin rights, and set elevation periods.
1. Description
2. How does Privilege Elevation and Delegation Management work?
3. HEIMDAL Agent - Privilege Elevation and Delegation Management
4. Privilege Elevation and Delegation Management view
5. Privilege Elevation and Delegation Management settings
DESCRIPTION
Privilege Elevation and Delegation Management is a PEDM tool that gives users the ability to install the software they need for a period of time you select, either through an Administrator Session or through the Run with Admin Privileges option for single file elevation. Rights granted can be revoked at any time and all actions are logged for a full audit trail. An end-user requests admin privileges over their machine by sending a request to the HEIMDAL Dashboard Administrator, who can deny or accept it. The length of the session is limited and every action taken during it is logged in the HEIMDAL Dashboard.
HOW DOES PRIVILEGE ELEVATION AND DELEGATION MANAGEMENT WORK?
On macOS, Privilege Elevation and Delegation Management is a product under the HEIMDAL Agent that manages user permissions on a device. The module runs with system-level (root) privileges so that it can grant and revoke rights for the logged-in user, and it can be used in 2 ways: Run with Admin Privilege (single-file elevation) or Administrator Session (Administrator rights for a limited time).
A. Run with Admin Privilege
The Run with Admin Privilege feature allows the user to right-click an installer or application file (.pkg, .dmg, .zip, or .app) and run it with Administrator permissions.
If the Require reason option is enabled in the Group Policy, then the pop-up below will appear to add details for the elevation request (more than 2 characters should be added to be able to submit the elevation request reason). This step is skipped if Require reason is disabled.
After clicking Elevate, what happens next depends on the Group Policy configuration: if Approval via Dashboard is selected in the GP, a request is sent to the server to ask permission from the HEIMDAL Dashboard Administrator and a pending-approval popup is shown; if Auto-mode is selected in the GP, the elevation is granted automatically. After clicking Start Now, the file is run with elevated privileges.
IMPORTANT
After the HEIMDAL Dashboard Administrator approves a request, the elevation is granted on the endpoint within 5 minutes (the Agent's polling interval).
B. Administrator Session
The Administrator Session feature allows the requesting user to be elevated for a specific number of minutes in order to run applications/processes with Administrator rights. While an Administrator Session is active, the user authenticates with their own credentials (username and password) when a process/application asks for Administrator rights. To run a process/application with Administrator rights, right-click the executable file and click Run as Administrator (just as you would if your user were already an Administrator). Elevations are requested from the HEIMDAL Agent by pressing the Elevate button.
If the Require reason option is enabled in the Group Policy, then the pop-up below will appear to add details for the elevation request (more than 30 characters should be added to be able to submit the elevation request reason). This step is skipped if Require reason is disabled.
After clicking Elevate, what happens next depends on the Group Policy configuration: if Approval via Dashboard is selected in the GP, a request is sent to the server to ask permission from the HEIMDAL Dashboard Administrator and a pending-approval popup is shown; if Auto-mode is selected in the GP, the elevation is granted automatically and a popup confirms that the session has started.
After the elevation has been revoked or the remaining time reaches 0, a popup informs the user that the local admin privileges have been removed.
IMPORTANT
After the HEIMDAL Dashboard Administrator approves a request, the elevation is granted on the endpoint within 5 minutes, or in less than a minute if Realtime communication is enabled in the Group Policy that applies to the endpoint.
On macOS, Privilege Elevation and Delegation Management is supported on devices that are NOT domain-joined and can elevate the Standard user to Administrator permissions for a specific amount of time.
HEIMDAL AGENT - PRIVILEGE ELEVATION AND DELEGATION MANAGEMENT
On the HEIMDAL Agent's home page view, you can see the current status of the Agent and the modules that are enabled for your computer. To access the Privilege Elevation and Delegation Management module, you can click on the Privileges & App Control icon or use the left-side menu.
The Privilege Elevation and Delegation Management module displays the Total Elevations for this endpoint. The data logged in this view includes Username, Reason, Request date, Action, and Duration.
Pressing the Elevate button either elevates the user directly (Auto-mode) or displays a Reason for elevation popup whose contents are sent to the HEIMDAL Dashboard with the request.
PRIVILEGE ELEVATION AND DELEGATION MANAGEMENT view
The Privileges & App Control - Privilege Elevation and Delegation Management view displays all the information collected by HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the elevation requests, the processes that are running during the elevations, and the Zero-Trust processes that are executed in your environment. On the top, you see a statistic regarding the number of Pending Requests, and the number of used Admin Rights.
The collected information is placed in the following views: Pending Approvals, History, Most Executed Processes, Most Escalating Hostname, Compliance, Zero-Trust Execution Protection, and Primary User.
Pending Approvals
This view displays a table with the pending elevation requests and the following details: Hostname, Username, Reason given, Request Time, Type, Application, and Status. If the Status is Requested and written in red, the endpoint is running a third-party application that has a vulnerability with a CVSS score of 7 or higher.
Clicking the process listed under the Application column shows additional information about the process to be elevated: Full Path, Publisher, Version, and MD5.
When you select an elevation request, you can send a message to the user by enabling the Administrator message tickbox and filling in your message.
History
This view displays a table with the elevated/de-elevated requests and the following details: Hostname, Username, Start Time, End Time, Reason Given, Action, Executed Process(es), and Handled By.
Process Details provides all the additional information related to a process that has been executed via PEDM. You can access this view by clicking one of the processes listed in the Executed Process(es) column.
Most Executed Processes
This view displays a table with the processes executed during elevated sessions and the following details: Process Name, Number of Executions, Hostname, and Username.
Most Escalating Hostname
This view displays a table with the elevation count per hostname and the following details: Hostname, Username, and Total Number of Elevations.
Compliance
This view displays a table with the endpoints and their compliance status and the following details: Hostname, Active User, Domain Name, Local Groups, AD Groups, and Admin rights (Y/N). The Local Groups and AD Groups fields are populated with the administrative groups in which the active user is found; if the user is a member of any of them, the endpoint is marked as Admin (Yes), meaning the user holds standing administrator rights outside of PEDM.
Zero - Trust Execution Protection
This view displays a table with the processes (non-signed executable files) intercepted by the Zero-Trust Execution Protection engine and the following details: Hostname, Username, Process Name, MD5 Hash, Timestamp, and Status. Clicking the 3-dot button gives you the option to search the file hash on VirusTotal or to copy the file path to the clipboard. The detection status can be: Unknown (intercepted by ZTEP and not found in our database; files that are whitelisted globally by the Heimdal Support Team propagate to the endpoints 3 days after being whitelisted) or Allowed (intercepted by ZTEP, but whitelisted in our database). The data in this view is updated in real time.
Selecting a file from the list allows you to add it to the exclusion list or upload it to the storage.
Primary User
In this tab, a grid containing information about endpoints and their primary users is displayed.
Each row displays a unique hostname and the following columns:
Primary User: the primary user set on that machine, together with the source from which it was defined (configured in Azure AD, or the first logged-in user).
AAD Primary user: the primary user, if one was previously configured in Azure AD.
Most logins user: the username with the highest number of logins on that machine during the last 30 days.
Action: a drop-down list, at hostname level, with all users that logged in on that machine in the last 30 days; selecting a user from this drop-down updates the primary user for that specific hostname.
After clicking an unassign action, a confirmation modal window is displayed showing the hostname(s) and corresponding user(s) that will be unassigned as primary user(s).
The Action column drop-down lists allow you to manually choose which user is mapped to each hostname. The drop-downs contain all the users that have logged in on each machine during the last 30 days.
When one of the users is selected, a pop-up window appears displaying the hostname, the old primary user, and the new one, and asks you to confirm the update. Clicking Cancel aborts the operation.
The entries in this grid can be sorted ascending/descending by any column except Action; a search bar lets you filter the entries by any column except the number of logins of the most active user and the way the Primary User was set. The stats in the page header are shown at customer level: the number of primary users configured in Azure AD ("AAD primary users"), the number of primary users set from the first login on each machine ("First login primary users"), the number of primary users set from the login count ("Most logins primary users"), and the number of hostnames that do not have any primary user configured yet ("Unassigned hostnames"). On the agent side, requesting admin privileges ("Run as administrator" or "Administrator session") is restricted to the user configured as the Primary User.
Note: If any elevations are in progress on a machine when new Primary User information is received, all of them are terminated immediately and the Elevate button in the Agent is grayed out for other users. The "Run with Admin Privileges" option in the context menu, used for file elevations, is also removed for them.
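The Primary User logic above (most-logins user over a rolling 30-day window, and the agent-side rule that only the Primary User may request elevation) is easy to get subtly wrong at the window boundary. The following Python is an added example, not Heimdal's code: it derives the "Most logins user" per hostname from constructed login events, resolves a primary user per host, and gates an elevation request. The login-event layout, the helper names, and the precedence between sources (Azure AD, then first login, then most logins) are assumptions made for this example; the page lists the sources but not their order.

```python
"""Added example (not Heimdal's code): Primary User resolution and elevation gate."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(days=30)  # the page's "last 30 days" window

# Constructed sample login events: (hostname, username, login time in UTC).
# mac-02 has an old burst of logins from 'bob' that must fall OUTSIDE the window;
# mac-03 has no logins inside the window at all (dashboard: "Unassigned").
NOW = datetime(2024, 6, 30, 12, 0, tzinfo=timezone.utc)
LOGIN_EVENTS = [
    ("mac-01", "alice", NOW - timedelta(days=1)),
    ("mac-01", "alice", NOW - timedelta(days=3)),
    ("mac-01", "carol", NOW - timedelta(days=2)),
    ("mac-02", "bob", NOW - timedelta(days=45)),
    ("mac-02", "bob", NOW - timedelta(days=40)),
    ("mac-02", "dave", NOW - timedelta(days=5)),
    ("mac-03", "erin", NOW - timedelta(days=31)),
]


def most_logins_user(events, now=NOW, window=WINDOW):
    """Return {hostname: (username, login_count)} for the most active user
    inside [now - window, now]. Hosts with no logins in the window are absent."""
    per_host = defaultdict(Counter)
    for host, user, ts in events:
        if now - window <= ts <= now:
            per_host[host][user] += 1
    return {host: counts.most_common(1)[0] for host, counts in per_host.items()}


def resolve_primary_users(events, aad_primary=None, first_login=None, now=NOW):
    """Pick one primary user per host and record its source.

    Precedence is an assumption for this example: an Azure AD assignment wins,
    then the first-login user, then the most-logins user; otherwise Unassigned.
    """
    aad_primary = aad_primary or {}
    first_login = first_login or {}
    hosts = {h for h, _, _ in events} | set(aad_primary) | set(first_login)
    most = most_logins_user(events, now)
    result = {}
    for host in hosts:
        if host in aad_primary:
            result[host] = (aad_primary[host], "AAD primary user")
        elif host in first_login:
            result[host] = (first_login[host], "First login primary user")
        elif host in most:
            result[host] = (most[host][0], "Most logins user")
        else:
            result[host] = (None, "Unassigned")
    return result


def may_request_elevation(primary, host, user):
    """Agent-side gate: only the host's Primary User may request
    'Run with Admin Privileges' or an 'Administrator Session'."""
    assigned, _source = primary.get(host, (None, "Unassigned"))
    return assigned is not None and assigned == user


if __name__ == "__main__":
    primary = resolve_primary_users(LOGIN_EVENTS, aad_primary={"mac-02": "bob"})
    for host in sorted(primary):
        print(host, primary[host])
    print("carol on mac-01:", may_request_elevation(primary, "mac-01", "carol"))
```

Note that bob keeps mac-02 only because of the explicit Azure AD assignment; on login counts alone dave would be the most-logins user, since bob's logins are older than 30 days. An Unassigned host rejects every elevation request, which matches the grayed-out Elevate button described above.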
The tables in each view have a 60-second refresh rate.
The Download CSV functionality allows you to generate and download a CSV report with all the information in the current view, in Standard or Verbose mode.
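The History export is the audit trail a SOC would ingest, so it is worth showing how the dashboard's aggregations can be recomputed from it and extended with checks the views do not offer. The following Python is an added example, not Heimdal's code: it parses a constructed History export using the column names the History view lists (Hostname, Username, Start Time, End Time, Reason Given, Action, Executed Process(es), Handled By), rebuilds the Most Escalating Hostname and Most Executed Processes tables, and flags sessions that exceed the configured Session length (including sessions still open) and sessions that were auto-approved. The sample rows, the timestamp format, the ';' separator inside Executed Process(es), and the "Auto-mode" value in Handled By are assumptions made for this example.

```python
"""Added example (not Heimdal's code): offline analysis of a PEDM History export."""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"  # assumed export timestamp format

# Constructed export (not real data). An empty End Time means the session is still open.
HISTORY_CSV = """Hostname,Username,Start Time,End Time,Reason Given,Action,Executed Process(es),Handled By
mac-01,alice,2024-06-01 09:00:00,2024-06-01 09:20:00,install Xcode CLT,Elevated,Installer;pkgutil,admin@example.test
mac-01,alice,2024-06-02 10:00:00,2024-06-02 10:05:00,run with admin privileges,Elevated,Installer,Auto-mode
mac-02,bob,2024-06-02 11:00:00,2024-06-02 13:30:00,printer driver,Elevated,Installer;sudo,admin@example.test
mac-02,bob,2024-06-03 08:00:00,,debugging,Elevated,lldb,Auto-mode
"""


def load_history(text):
    """Parse the export into dicts with parsed start/end times and a process list."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["start"] = datetime.strptime(row["Start Time"], TIME_FMT)
        row["end"] = datetime.strptime(row["End Time"], TIME_FMT) if row["End Time"] else None
        row["processes"] = [p for p in row["Executed Process(es)"].split(";") if p]
        rows.append(row)
    return rows


def most_escalating_hostnames(rows):
    """(hostname, username) -> total number of elevations, most frequent first."""
    return Counter((r["Hostname"], r["Username"]) for r in rows).most_common()


def most_executed_processes(rows):
    """process name -> number of executions across all elevated sessions."""
    return Counter(p for r in rows for p in r["processes"]).most_common()


def over_length_sessions(rows, max_minutes, now):
    """Sessions whose duration exceeds the policy Session length.

    Closed sessions use End Time - Start Time; an open session is measured up to
    `now`, so a session that should already have expired is reported as well.
    Returns (hostname, username, minutes) tuples.
    """
    limit = timedelta(minutes=max_minutes)
    flagged = []
    for r in rows:
        duration = (r["end"] or now) - r["start"]
        if duration > limit:
            flagged.append((r["Hostname"], r["Username"], int(duration.total_seconds() // 60)))
    return flagged


def auto_approved(rows, marker="Auto-mode"):
    """Sessions that were never reviewed by a Dashboard Administrator."""
    return [(r["Hostname"], r["Username"], r["Reason Given"])
            for r in rows if r["Handled By"] == marker]


if __name__ == "__main__":
    rows = load_history(HISTORY_CSV)
    print("most escalating:", most_escalating_hostnames(rows))
    print("most executed:", most_executed_processes(rows))
    print("over 60 min:", over_length_sessions(rows, 60, datetime(2024, 6, 3, 10, 0, 0)))
    print("auto-approved:", auto_approved(rows))
```

The open session on mac-02 is the case to watch: with a 60-minute Session length it is only reported once `now` is more than 60 minutes past its Start Time, which is exactly when the Agent should already have de-elevated the user.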
PRIVILEGE ELEVATION AND DELEGATION MANAGEMENT settings
The Privilege Elevation and Delegation Management settings let you give users the ability to install the software they need for a period you select, using either the Administrator Session or the Run with Admin Privileges option for single file elevation. Rights granted can be revoked at any time and all actions are logged for a full audit trail. An end-user requests admin privileges over their machine by sending a request to the Heimdal Dashboard System Administrator, who can deny or accept it.
Privilege Elevation and Delegation Management - turn ON/OFF the Privilege Elevation and Delegation Management module;
De-elevate and block elevation for users with risk of infections - automatically removes the Administrator privileges and blocks further elevation requests for a user if, in the past 7 days, the Heimdal Agent's Next-Gen Antivirus recorded any malware detections on the endpoint (statuses: None, QuarantinePending, ExcludePending, RepairPending, DeletePending, ErrorRepair, ErrorDelete, ErrorQuarantine) or VectorN raised any detections;
Run as Administrator
Allow run as administrator - turn ON/OFF the single-file elevation request (Run with Admin Privilege) feature;
Require reason - when requesting an elevation, the Heimdal Agent will display a pop-up to request a reason for the elevation;
Auto-mode - all single-file elevation requests (Run with Admin Privilege) are approved automatically and listed in the Heimdal Dashboard (under Products -> Privileges & App Control -> Privilege Elevation and Delegation Management -> History filter);
Approval via Dashboard - all single-file elevation requests require the approval of the HEIMDAL Dashboard Administrator. The pending elevations are displayed in the Heimdal Dashboard (under Products -> Privileges & App Control -> Privilege Elevation and Delegation Management -> Pending Approvals filter). Once approved, the requesting user can start the elevation after receiving a Start elevation pop-up (this is displayed automatically within 1-5 minutes);
Administrator Session
Allow administrator session - turn ON/OFF the full administrator elevation request feature. Note that some changes cannot be committed during an Administrator Session even though the user has Administrator rights;
Require reason - when requesting an elevation, the Heimdal Agent will display a pop-up to request a reason for the elevation;
Auto-mode - all Administrator Session elevation requests are approved automatically and listed in the Heimdal Dashboard (under Products -> Privileges & App Control -> Privilege Elevation and Delegation Management -> History filter);
Approval via Dashboard - all Administrator Session elevation requests require the approval of the HEIMDAL Dashboard Administrator. The pending elevations are displayed in the Heimdal Dashboard (under Products -> Privileges & App Control -> Privilege Elevation and Delegation Management -> Pending Approvals filter). Once approved, the requesting user can start the session after receiving a Start elevation pop-up (this is displayed automatically within 1-5 minutes);
Session length (2 min - 24 h) - sets the duration of the elevation session; when it expires, the Agent removes the Administrator rights automatically.