
Access Director Enterprise - Installation guide

Introduction

This guide describes the steps needed to install a licensed version of Access Director Enterprise on a client computer. Below are the download links:

Download Access Director Enterprise 32-bit:
https://prodcdn.heimdalsecurity.com/access-director/AccessDirectorEnterprise%20x86.msi

Download Access Director Enterprise 64-bit:


Prerequisites


Configuration and Installation

The following steps describe the process needed to configure the MSI installer of the Access Director Enterprise before installing it on your client computer.

1. Install Orca

  1. Open the OrcaMSI.zip archive, and unpack its contents.
  2. Double click the Orca installer.
  3. Follow the installer steps and install the complete version.

2. Update the License information in the Access Director MSI installer with Orca

Run the Orca application and open the Access Director MSI installer by clicking the Open icon:


Select the Registry table:


Double click an empty row in the right side of the window and the Add Row pop-up will appear:


Set the following values:

  • Registry = License
  • Root = 2
  • Key = SOFTWARE\Policies\Basic Bytes\Access Director
  • Name = License
  • Value = The license key provided to you by Heimdal Security
  • Component = ProductInformation

After pressing OK, the new Row should appear in the Registry table. Save the file, close Orca, and the installer will be licensed for your company.

3. Customize installer

To remove the existing users from the local admin group when Access Director is installed, add another row and use the following values:

  • Registry = CleanLocalAdmins
  • Root = 2
  • Key = SOFTWARE\Policies\Basic Bytes\Access Director
  • Name = CleanLocalAdmins
  • Value = #1
  • Component = ProductInformation

If you would like one or more of your domain users to keep their admin rights, then you should use the following registry entry:

  • Registry = CleanLocalAdminsExcept
  • Root = 2
  • Key = SOFTWARE\Policies\Basic Bytes\Access Director
  • Name = CleanLocalAdminsExcept
  • Value = username1, username2, usernameX (you can also add domain\group)
  • Component = ProductInformation

3.1 Active Directory Configuration

Access Director can be configured to allow only members of a specific Active Directory group to be elevated. In order to do this, along with the license configuration, the following rows must be added:

Active Directory - Enables Active Directory integration.

Set the following values:

  • Registry = ActiveDirectory
  • Root = 2
  • Key = SOFTWARE\Policies\Basic Bytes\Access Director\Connector
  • Name = ActiveDirectory
  • Value = 1
  • Component = ActiveDirectory

Active Directory Refresh - the interval, in seconds, between the LDAP calls that sync the group membership to check whether the user is allowed to elevate.

Set the following values:

  • Registry = ActiveDirectoryRefresh
  • Root = 2
  • Key = SOFTWARE\Policies\Basic Bytes\Access Director\Connector
  • Name = ActiveDirectoryRefresh
  • Value = 3600
  • Component = ActiveDirectoryRefresh

Active Directory Cache - the number of days for which the synced data should be cached.

Set the following values:

  • Registry = ActiveDirectoryCache
  • Root = 2
  • Key = SOFTWARE\Policies\Basic Bytes\Access Director\Connector
  • Name = ActiveDirectoryCache
  • Value = 1
  • Component = ActiveDirectoryCache

Active Directory Group - the name of the group inside Active Directory which contains the users that can be elevated.

Set the following values:

  • Registry = ActiveDirectoryGroup
  • Root = 2
  • Key = SOFTWARE\Policies\Basic Bytes\Access Director\Connector
  • Name = ActiveDirectoryGroup
  • Value = [Group Name]
  • Component = ActiveDirectoryGroup

3.2 Shell Hook

This functionality is used to hook the moment the user is elevated to prohibit specific EXE files from running. It is also used to hook specific files to set them to automatically “Run as administrator” (it will still prompt the user to enter credentials). The primary use is for legacy applications which might require admin rights in order to run.

Configuring Shell Hook

Pre Approved Apps and Block file execution are the configurations that define which programs will be automatically run as administrator and which will be blocked from running. These fields can be found in the Settings of the application, in the Application Security section (see Application Security in Configure Access Director using the Reporting Point, Chapter 4).

In order to define an application in either of the two fields, you can set the whole path of the application (e.g. C:\Program Files (x86)\Google\Chrome\Application\chrome.exe) or just the name of the application (e.g. *chrome.exe).

Disable Shell Hook

Because there were specific versions of Windows for which this functionality did not work, the shell hook can be disabled by adding a row with the following values:

  • Registry = DisableShellHook
  • Root = 2
  • Key = SOFTWARE\Policies\Basic Bytes\Access Director
  • Name = DisableShellHook
  • Value = #1
  • Component = ProductInformation

A second way to disable the shell hook would be via the Reporting Point. See the section Application Security in Configure Access Director using the Reporting Point (Chapter 5).
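The Orca edits from steps 2, 3, 3.1 and 3.2 all add rows to the same Registry table of the MSI. The script below, an added example and not Heimdal's own tooling, does the same through the Windows Installer automation API so the customisation can be scripted and reviewed rather than clicked through. The MSI path, licence key, exception list and Active Directory group name are placeholders you replace; the key paths and Component names are the ones the guide lists. A Value of "#1" is Windows Installer notation for a REG_DWORD of 1, and values without the "#" prefix are written as REG_SZ. Editing the MSI invalidates any Authenticode signature it carries, so the script checks the pristine download first; keep the customised copy on a trusted share.

```powershell
# Added example, not Heimdal's own tooling: adds the Registry-table rows from
# steps 2, 3, 3.1 and 3.2 to the Access Director MSI through the Windows
# Installer automation API (the same table Orca edits).
$MsiPath    = 'C:\Temp\AccessDirectorEnterprise x64.msi'   # placeholder path
$LicenseKey = 'PLACEHOLDER-LICENSE-KEY'                      # key supplied by Heimdal
$BaseKey    = 'SOFTWARE\Policies\Basic Bytes\Access Director'
$AdKey      = "$BaseKey\Connector"

# The edited MSI will no longer carry a valid Authenticode signature, so check
# the pristine download before touching it.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid') { Write-Warning "Signature status of the source MSI: $($sig.Status)" }

# Rows to add. '#1' = REG_DWORD 1; values without '#' are REG_SZ. In every row
# the Name column equals the Registry column, as in the guide. Remove the
# optional rows you do not want.
$rows = @(
    @{ Registry = 'License';                Key = $BaseKey; Value = $LicenseKey;                       Component = 'ProductInformation' }
    @{ Registry = 'CleanLocalAdmins';       Key = $BaseKey; Value = '#1';                              Component = 'ProductInformation' }
    @{ Registry = 'CleanLocalAdminsExcept'; Key = $BaseKey; Value = 'username1, DOMAIN\HelpdeskAdmins'; Component = 'ProductInformation' }  # placeholders
    @{ Registry = 'ActiveDirectory';        Key = $AdKey;   Value = '1';                               Component = 'ActiveDirectory' }
    @{ Registry = 'ActiveDirectoryRefresh'; Key = $AdKey;   Value = '3600';                            Component = 'ActiveDirectoryRefresh' }
    @{ Registry = 'ActiveDirectoryCache';   Key = $AdKey;   Value = '1';                               Component = 'ActiveDirectoryCache' }
    @{ Registry = 'ActiveDirectoryGroup';   Key = $AdKey;   Value = 'AccessDirectorUsers';             Component = 'ActiveDirectoryGroup' }  # placeholder group
    @{ Registry = 'DisableShellHook';       Key = $BaseKey; Value = '#1';                              Component = 'ProductInformation' }
)

# WindowsInstaller.Installer exposes no type library to PowerShell, so methods
# and indexed properties are called late-bound through InvokeMember.
function Invoke-ComMethod($Object, [string]$Name, [object[]]$Arguments) {
    $Object.GetType().InvokeMember($Name, 'InvokeMethod', $null, $Object, $Arguments)
}
function Set-ComProperty($Object, [string]$Name, [object[]]$Arguments) {
    [void]$Object.GetType().InvokeMember($Name, 'SetProperty', $null, $Object, $Arguments)
}

$installer = New-Object -ComObject WindowsInstaller.Installer
$db   = Invoke-ComMethod $installer 'OpenDatabase' @($MsiPath, 1)   # 1 = msiOpenDatabaseModeTransact
$view = Invoke-ComMethod $db 'OpenView' @(
    'INSERT INTO `Registry` (`Registry`, `Root`, `Key`, `Name`, `Value`, `Component_`) VALUES (?, ?, ?, ?, ?, ?)')

foreach ($row in $rows) {
    $record = Invoke-ComMethod $installer 'CreateRecord' @(6)
    Set-ComProperty $record 'StringData'  @(1, $row.Registry)
    Set-ComProperty $record 'IntegerData' @(2, 2)              # Root 2 = HKEY_LOCAL_MACHINE
    Set-ComProperty $record 'StringData'  @(3, $row.Key)
    Set-ComProperty $record 'StringData'  @(4, $row.Registry)  # Name column
    Set-ComProperty $record 'StringData'  @(5, $row.Value)
    Set-ComProperty $record 'StringData'  @(6, $row.Component)
    [void](Invoke-ComMethod $view 'Execute' @($record))        # the ? markers are filled from the record
}
[void](Invoke-ComMethod $view 'Close' $null)
[void](Invoke-ComMethod $db 'Commit' $null)                    # transact mode: nothing is written until Commit
Write-Host "Added $($rows.Count) Registry rows to $MsiPath"
```

Run it on a Windows machine with the Windows Installer service present (no elevation is needed to edit the file). Opening the customised MSI in Orca afterwards shows the new rows in the Registry table exactly as if they had been added by hand, which makes a quick review of the values possible before the installer is distributed.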

NOTE: If you already installed the Reporting point, you will need to edit the following in the Registry under AuditURL in order for the client to send the information to the reporting point: 

http://<yourserver>/AccessDirector/upload.php

4. Install Access Director Enterprise

Just double click the installer and follow the steps. After this, Access Director Enterprise will be installed on your client computer.

NOTE: The Access Director Enterprise license key needs to be set prior to the installation process using the Orca app. If this is done, Access Director Enterprise can be installed on all the client computers you want.

5. Allow the Access Director Reporting Point to configure Access Director Enterprise

In order to allow Access Director Reporting Point to configure the Access Director Enterprise, you will need to add two settings in the registry:

  1. Managed: add a new DWORD value named Managed with the value 1
  2. ManagedURL: add a new string value named ManagedURL. Set the value to: http://[AccessDirectorLink]/settings.json

NOTE: The Access Director Reporting Point will overwrite any prior setting that was applied within the MSI installer or directly in the Registry Editor (on the client computer).
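The two registry entries from step 5, together with the AuditURL value from the note in section 3.2, set and read back directly on a client (an added example, not part of the guide). Because the guide does not name the key these values live under, the script assumes the same HKLM policy key that the MSI Registry rows use (Root 2 in the Registry table is HKEY_LOCAL_MACHINE); the server name is a placeholder. Since the Reporting Point overwrites every locally applied setting, the value of ManagedURL decides which server controls the client's configuration, so the last lines list who is allowed to write to that key.

```powershell
# Added example, not part of the guide. Assumed key: the policy key used by the
# MSI Registry rows; the server name is a placeholder. Run as an administrator.
$Key    = 'HKLM:\SOFTWARE\Policies\Basic Bytes\Access Director'
$Server = 'reportingpoint.example.internal'   # placeholder for [AccessDirectorLink] / <yourserver>

$Settings = [ordered]@{
    Managed    = @{ Type = 'DWord';  Value = 1 }
    ManagedURL = @{ Type = 'String'; Value = "http://$Server/settings.json" }
    AuditURL   = @{ Type = 'String'; Value = "http://$Server/AccessDirector/upload.php" }
}

if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
foreach ($name in $Settings.Keys) {
    $s = $Settings[$name]
    New-ItemProperty -Path $Key -Name $name -PropertyType $s.Type -Value $s.Value -Force | Out-Null
}

# Read back: confirm both the stored type and the stored value before
# restarting the service, since a REG_SZ "1" is not the DWORD the guide asks for.
$stored = Get-ItemProperty -Path $Key
$regKey = Get-Item -Path $Key
foreach ($name in $Settings.Keys) {
    $expected = $Settings[$name]
    $kind     = $regKey.GetValueKind($name)
    $match    = ("$($stored.$name)" -eq "$($expected.Value)") -and ($kind -eq $expected.Type)
    '{0,-11} {1,-8} {2}' -f $name, $kind, $(if ($match) { 'OK' } else { 'MISMATCH' })
}

# Who may change these values: anything able to write ManagedURL can point the
# client at a different settings.json.
$setValue = [System.Security.AccessControl.RegistryRights]::SetValue
(Get-Acl -Path $Key).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.RegistryRights -band $setValue) -ne 0) } |
    Select-Object IdentityReference, RegistryRights
```

After the values are in place, restart the service (or the PC) as the Settings section below describes so that Access Director fetches its settings from the Reporting Point.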

Settings inside the Reporting Point

In order to access the settings inside the Reporting Point, you will need to click the “Gears” icon in the top right corner.

After updating any value, you will need to restart the service (or the PC) for the Access Director to get its settings.

Client Configuration -> Windows

This is the settings tab you will use to configure the Access Director.

In order to save a value, simply move the focus out of the field you are updating (click outside it or select another field).

General
  • Time-span for assigning privileges: set the duration of each elevation
  • License: Access Director license key
Advanced
  • Remote Verbose Interval: how often the verbose logging files will be uploaded to the reporting point
  • Enable resuscitate: allows the users to be re-elevated after restart if the elevation duration did not completely pass
Audit
  • Audit Logging:
  • Audit Elevated Files: monitors and logs exe files elevated
  • Audit Programs: monitors and logs changes to Add/Remove programs
  • Enable Reason for Assigning Privileges: specifies whether the Access Director will request a reason for elevation
  • Audit refresh interval: number of minutes to use for the refresh interval
  • Verbose Logging: enables verbose logging instead of standard logging. Useful for debugging but not recommended for production environments
  • Audit: activates audit
  • Audit URL: the URL where the Access Director will upload the audit logs
Localization
  • Language: application language
  • Preferred UI Language: language used by Access Director
  • Preferred UI Reference: set if the default UI language follows the Windows Display Language or the Defined Keyboard Layout
IOC
  • IOC: activates IOC
  • IOCUploadUrl: URL where the IOC log will be uploaded
  • IOCUrl: URL to a CSV containing the configuration (the CSV mirrors what is in Settings -> IOCs)
  • ManagedUrl: the URL to the settings.json file (mirrors the value set in the registry in order to enable the configuring via the Reporting Point)
Application Security
  • Disable Manual Elevation: if enabled, the users will not be able to elevate via the tray application
  • Disable Shell Hook: if enabled, it will disable the shell hook which is necessary for the pre-approved or blocked apps
  • File integrity
  • Pre Approved Apps: names of applications that will automatically start as “Run as Administrator” (the user will still be required to enter credentials; the primary use is for legacy applications which require admin rights to run)
  • Block file execution: names of applications that will be blocked from running (ex: *notepad.exe, C:\Program Files\notepad.exe)
Active Directory
  • SecureAdministratorPaths: removes local administrators' access to other Windows profiles
  • CleanLocalAdmins: defines if the local admin group should be emptied
  • ActiveDirectory: defines if only users from the active directory group should be elevated
  • ActiveDirectoryCache: if enabled, the cached membership information must be renewed within the specified renewal interval; if it cannot be validated within that interval, Access Director will deny elevating privileges.
  • ActiveDirectoryGroup: the name of the active directory group which contains the users that are allowed to elevate.
  • ActiveDirectoryRefresh: the refresh interval in minutes

6. Run Access Director Tray

After you finish the installation, in order to show the Access Director icon in the tray (only the first time), you will have to run the Access Director Tray application.


Uninstall

In order to silently uninstall Access Director, please find the attached script that will help you do that. 
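The attached script is not reproduced in this page. As an added example (not the script the guide refers to), the following PowerShell locates the Access Director Enterprise product code in the Uninstall registry keys and removes the product silently with msiexec, logging the run so a failed uninstall can be investigated. It assumes the product's DisplayName starts with "Access Director Enterprise", the product name used throughout this guide.

```powershell
# Added example, not the guide's attached script. Assumption: the installed
# product's DisplayName begins with "Access Director Enterprise". Run elevated.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# MSI-installed products are registered under their product code GUID, which
# is what msiexec /x expects; skip any non-GUID entries that match the name.
$products = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        $_.DisplayName -like 'Access Director Enterprise*' -and
        $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$'
    }

if (-not $products) {
    Write-Host 'Access Director Enterprise is not installed on this computer.'
    return
}

foreach ($p in $products) {
    $log = Join-Path $env:TEMP ('AccessDirector-uninstall-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))
    Write-Host "Uninstalling $($p.DisplayName) $($p.DisplayVersion) [$($p.PSChildName)]"
    # /qn = no UI, /norestart = do not reboot automatically, /l*v = verbose log
    $proc = Start-Process -FilePath msiexec.exe `
        -ArgumentList "/x $($p.PSChildName) /qn /norestart /l*v `"$log`"" `
        -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { Write-Host 'Uninstalled.' }
        3010    { Write-Host 'Uninstalled; a reboot is required to finish.' }
        default { Write-Warning "msiexec returned $($proc.ExitCode); see $log" }
    }
}
```

Exit code 3010 (ERROR_SUCCESS_REBOOT_REQUIRED) is a success that still needs a restart, which matters when the script runs from a deployment tool that treats anything other than 0 as a failure.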

 

Access Director Reporting Point

In order to install the Access Director Reporting Point, please see the guide below:

https://support.heimdalsecurity.com/hc/en-us/articles/360001982138-Thor-AdminPrivilege-Reporting-Access-Director-Reporting-point-install-guide
