Thor AdminPrivilege (Access Director Enterprise) install guide

Introduction

This file describes the steps needed to install a licensed version of the Access Director.

Below are the download links:

Access Director Enterprise 32 bit:

https://prodcdn.heimdalsecurity.com/access-director/AccessDirectorEnterprise%20x86.msi

Access Director Enterprise 64 bit:

Prerequisites

Configuration

The following steps describe the process needed to install the Access Director application.

1. Install Orca

  1. Open the OrcaMSI.zip archive and unpack its contents.
  2. Double-click the Orca installer.
  3. Follow the installer steps and install the complete version.

2. Update License info in the Access Director installer in Orca

Just run the Orca application, and open the Access Director installer by clicking the Open icon:

Select the Registry table:

Double-click an empty row on the right side of the window and the Add Row popup will appear:

Set the following values:

  • Registry = License
  • Root = 2
  • Key = SOFTWARE\Policies\Basic Bytes\Access Director
  • Name = License
  • Value = The license key provided to you by Heimdal Security
  • Component = ProductInformation

After pressing OK, the new row should appear in the Registry table. Save the file and close Orca; the installer is now licensed for your company.

3. Additional Configurations

How to remove the existing users from the local admin group at Access Director installation:

Add another row and use the following values:

  • Registry = CleanLocalAdmins
  • Root = 2
  • Key = SOFTWARE\Policies\Basic Bytes\Access Director
  • Name = CleanLocalAdmins
  • Value = #1
  • Component = ProductInformation

If you would like to keep admin rights for one or more of your domain users, then you should use the following registry entry:

  • Registry = CleanLocalAdminsExcept
  • Root = 2
  • Key = SOFTWARE\Policies\Basic Bytes\Access Director
  • Name = CleanLocalAdminsExcept
  • Value = username1, username2, usernameX or you can add domain\group
  • Component = ProductInformation
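The rows from sections 2 and 3 can also be inserted without Orca, through the Windows Installer automation object. The script below is an added example and is not part of Heimdal's guide or product. It assumes the MSI's Registry table has the standard columns Registry, Root, Key, Name, Value and Component_ (Orca shows the last one as "Component"), that Root = 2 selects HKEY_LOCAL_MACHINE, and that a Value written as "#1" is Windows Installer notation for a REG_DWORD of 1; the MSI path and license key are placeholders. Note that the license key is stored as a plain string in the MSI (and later in the registry), so treat the customized MSI as you would any other file containing a secret, and if the vendor MSI is Authenticode-signed, editing the database invalidates that signature, so verify the download first and re-sign the customized copy with your own certificate if your deployment requires a valid signature.

```powershell
# Added example (not from the Heimdal guide): insert the Registry rows from sections 2 and 3
# into the Access Director MSI with the Windows Installer automation object, as an
# alternative to adding them by hand in Orca.
#
# Assumptions: standard Registry table columns (Registry, Root, Key, Name, Value, Component_);
# Root = 2 is HKEY_LOCAL_MACHINE; "#1" is Windows Installer notation for REG_DWORD 1.
# The MSI path and the license key below are placeholders.
param(
    [string]$MsiPath           = 'C:\Temp\AccessDirectorEnterprise x64.msi',      # placeholder
    [string]$LicenseKey        = '<license key provided by Heimdal Security>',    # placeholder
    [string[]]$KeepLocalAdmins = @()   # accounts to keep, e.g. 'svc_backup', 'CORP\WS-Admins'
)

$PolicyKey = 'SOFTWARE\Policies\Basic Bytes\Access Director'

function Invoke-MsiSql {
    param($Database, [string]$Sql)
    # Windows Installer SQL: string literals in single quotes, backslashes need no escaping.
    $view = $Database.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $Database, @($Sql))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)
    $view.GetType().InvokeMember('Close',   'InvokeMethod', $null, $view, $null)
}

function New-RegistryRowSql {
    param([string]$Name, [string]$Value, [string]$Key = $PolicyKey, [string]$Component = 'ProductInformation')
    # One row per value, mirroring the Orca "Add Row" dialog. The Registry column is the
    # table's primary key, so the INSERT fails if a row with that id already exists.
    if (($Name + $Value + $Key) -match "'") { throw 'single quotes are not allowed in row fields' }
    "INSERT INTO ``Registry`` (``Registry``,``Root``,``Key``,``Name``,``Value``,``Component_``) " +
    "VALUES ('$Name', 2, '$Key', '$Name', '$Value', '$Component')"
}

$installer = New-Object -ComObject WindowsInstaller.Installer
# Mode 1 = msiOpenDatabaseModeTransact: changes reach the file only on Commit.
$db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($MsiPath, 1))

$rows = @(
    New-RegistryRowSql -Name 'License'          -Value $LicenseKey   # section 2
    New-RegistryRowSql -Name 'CleanLocalAdmins' -Value '#1'          # section 3
)
if ($KeepLocalAdmins.Count -gt 0) {
    # CleanLocalAdminsExcept takes a comma-separated list of users and/or domain\group entries
    $rows += New-RegistryRowSql -Name 'CleanLocalAdminsExcept' -Value ($KeepLocalAdmins -join ', ')
}

foreach ($sql in $rows) { Invoke-MsiSql -Database $db -Sql $sql }
$db.GetType().InvokeMember('Commit', 'InvokeMethod', $null, $db, $null)
[void][Runtime.InteropServices.Marshal]::ReleaseComObject($db)
[void][Runtime.InteropServices.Marshal]::ReleaseComObject($installer)
Write-Host "Added $($rows.Count) Registry row(s) to $MsiPath"
```

Run it against a copy of the downloaded MSI, then open the copy in Orca and check the Registry table to confirm the rows look exactly like the ones described above before distributing the file.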

3.1 Active Directory Configuration

Access Director can be configured to only allow members of a specific Active Directory group to be elevated. In order to do this, along with the license configuration, the following rows must be added.

ActiveDirectory

Enables the Active Directory integration.

Set the following values:

  • Registry = ActiveDirectory
  • Root = 2
  • Key = SOFTWARE\Policies\Basic Bytes\Access Director\Connector
  • Name = ActiveDirectory
  • Value = 1
  • Component = ActiveDirectory

ActiveDirectoryRefresh

Represents the frequency at which an LDAP call is made to sync the group membership and check whether the user is allowed. The value is the interval in seconds after which the call is made.

Set the following values:

  • Registry = ActiveDirectoryRefresh
  • Root = 2
  • Key = SOFTWARE\Policies\Basic Bytes\Access Director\Connector
  • Name = ActiveDirectoryRefresh
  • Value = 3600
  • Component = ActiveDirectoryRefresh

ActiveDirectoryCache

Represents the number of days for which the synced data should be cached.

Set the following values:

  • Registry = ActiveDirectoryCache
  • Root = 2
  • Key = SOFTWARE\Policies\Basic Bytes\Access Director\Connector
  • Name = ActiveDirectoryCache
  • Value = 1
  • Component = ActiveDirectoryCache

ActiveDirectoryGroup

Represents the name of the group inside Active Directory which contains the users that can be elevated.

Set the following values:

  • Registry = ActiveDirectoryGroup
  • Root = 2
  • Key = SOFTWARE\Policies\Basic Bytes\Access Director\Connector
  • Name = ActiveDirectoryGroup
  • Value = [Group Name]
  • Component = ActiveDirectoryGroup

3.2 Shell Hook

This functionality is used to hook the moment the user is elevated to prohibit specific exe files from running. It is also used to hook specific files to set them to automatically “Run as administrator” (it will still prompt the user to enter credentials). The primary use is for legacy applications which might require admin rights in order to run.

Configuring Shell Hook

Pre Approved Apps and Block file execution are the configurations which define which programs will be automatically run as administrator and which will be blocked from running.

These fields can be found in the Settings of the application, in the Application Security section (see Application Security under section 5, Configure the Access Director using the Reporting Point).

In order to define an application in either of the two fields you can set the full path of the application (e.g. C:\Program Files (x86)\Google\Chrome\Application\chrome.exe) or just the name of the application with a wildcard (e.g. *chrome.exe).

Disable Shell Hook

Because there were specific versions of Windows for which this functionality did not work, the shell hook can be disabled with a flag. Set the following values:

  • Registry = DisableShellHook
  • Root = 2
  • Key = SOFTWARE\Policies\Basic Bytes\Access Director
  • Name = DisableShellHook
  • Value = #1
  • Component = ProductInformation

A second way to disable the shell hook is via the Reporting Point. See the section Application Security under section 5, Configure the Access Director using the Reporting Point.

NOTE: If you already installed the Reporting Point, you will need to set the AuditURL value in the Registry to the following in order for the client to send its information to the Reporting Point:

http://<yourserver>/AccessDirector/upload.php

4. Install the Access Director

Just double-click the installer and follow the steps. After this, the Access Director will be installed on your machine.

NOTE: The license needs to be set on the installer using Orca only once. After that, the Access Director can be installed on all the computers you want, without needing to redo the configuration.

In order to install the Access Director Reporting Point please see the guide below:

https://support.heimdalsecurity.com/hc/en-us/articles/360001982138-Thor-AdminPrivilege-Reporting-Access-Director-Reporting-point-install-guide

5. Configure the Access Director using the Reporting Point

In order to allow the Reporting Point to configure the Access Director, you will need to add two settings in the registry:

  1. Managed: add a new DWORD value named Managed with the value 1
  2. ManagedURL: add a new string value named ManagedURL. Set the value to: http://[AccessDirectorLink]/settings.json

Important: if you already configured the Access Director via the msi installer or directly in the registry, this configuration (via reporting point) will overwrite it.
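After rolling the customized installer out, a practitioner wants to confirm on a client what actually landed in the registry and whether the local Administrators group now matches the CleanLocalAdminsExcept list. The script below is an added example, not part of Heimdal's guide or product. It assumes the policy values live under HKLM:\SOFTWARE\Policies\Basic Bytes\Access Director (the MSI rows above use Root = 2, which is HKEY_LOCAL_MACHINE) and that Managed, ManagedURL and AuditURL sit under that same key, which the guide does not state explicitly; the function and variable names are the example's own.

```powershell
# Added example (not from the Heimdal guide): post-install verification of the Access
# Director policy values and of the local Administrators group on a client.
#
# Assumptions: policy values are under HKLM (MSI Registry Root = 2); Managed, ManagedURL
# and AuditURL are assumed to live under the same key as the License value.
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Basic Bytes\Access Director'
$ConnectorKey = Join-Path $PolicyKey 'Connector'

function Get-AdPolicyValue {
    param([string]$Key, [string]$Name)
    # Returns $null instead of throwing when the key or value is absent.
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-AccessDirectorPolicy {
    $report = [ordered]@{}

    # Values written by the rows added in Orca (sections 2, 3 and 3.2 of the guide).
    $report['License']                = if (Get-AdPolicyValue $PolicyKey 'License') { 'present' } else { 'MISSING' }
    $report['CleanLocalAdmins']       = Get-AdPolicyValue $PolicyKey 'CleanLocalAdmins'
    $report['CleanLocalAdminsExcept'] = Get-AdPolicyValue $PolicyKey 'CleanLocalAdminsExcept'
    $report['DisableShellHook']       = Get-AdPolicyValue $PolicyKey 'DisableShellHook'

    # Active Directory connector values (section 3.1).
    foreach ($n in 'ActiveDirectory', 'ActiveDirectoryRefresh', 'ActiveDirectoryCache', 'ActiveDirectoryGroup') {
        $report["Connector\$n"] = Get-AdPolicyValue $ConnectorKey $n
    }

    # Reporting Point values (section 5); their key location is an assumption of this example.
    $report['Managed']    = Get-AdPolicyValue $PolicyKey 'Managed'
    $report['ManagedURL'] = Get-AdPolicyValue $PolicyKey 'ManagedURL'
    $report['AuditURL']   = Get-AdPolicyValue $PolicyKey 'AuditURL'

    # The guide's URLs are http://; flag any that are not TLS so the admin can decide.
    foreach ($n in 'ManagedURL', 'AuditURL') {
        if ($report[$n] -and $report[$n] -notmatch '^https://') {
            $report["$n (note)"] = 'plain HTTP: settings and audit data travel unencrypted'
        }
    }
    [pscustomobject]$report
}

function Compare-LocalAdmins {
    # Parses CleanLocalAdminsExcept ("username1, username2, domain\group") and reports which
    # current members of the local Administrators group are not on that list.
    $except = @()
    $raw = Get-AdPolicyValue $PolicyKey 'CleanLocalAdminsExcept'
    if ($raw) { $except = $raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ } }

    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $short = ($_.Name -split '\\')[-1]   # "DOMAIN\user" -> "user"; -contains is case-insensitive
        [pscustomobject]@{
            Member       = $_.Name
            Source       = $_.PrincipalSource
            BuiltinAdmin = $_.SID.Value.EndsWith('-500')   # RID 500 = built-in Administrator
            OnExceptList = ($except -contains $_.Name) -or ($except -contains $short)
        }
    }
}

Test-AccessDirectorPolicy | Format-List
Compare-LocalAdmins | Format-Table -AutoSize
```

Run it in an elevated PowerShell 5.1 or later session (Get-LocalGroupMember comes with the built-in LocalAccounts module). Any member that shows OnExceptList = False and is not the built-in Administrator is worth a second look, since that is exactly the membership CleanLocalAdmins is meant to remove; whether the built-in account is affected is not stated in the guide, so the script only labels it.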

Settings inside the Reporting Point

In order to access the settings inside the Reporting Point, you will need to click the “Gears” icon in the top right corner.

After updating any value, you will need to restart the service (or the PC) for the Access Director to get its settings.

Client Configuration -> Windows

This is the settings tab you will use to configure the Access Director.

In order to save the values, just leave the field you updated (click outside it or select another field).

General

  • Time-span for assigning privileges: set the duration of each elevation
  • License: Access Director license key

Advanced

  • Remote Verbose Interval: how often the verbose logging files will be uploaded to the Reporting Point
  • Enable resuscitate: allows the users to be re-elevated after a restart if the elevation duration has not completely passed

Audit

  • Audit Logging:
  • Audit Elevated Files: monitors and logs the exe files that were elevated
  • Audit Programs: monitors and logs changes to Add/Remove Programs
  • Enable Reason for Assigning Privileges: specifies whether the Access Director will request a reason for elevation
  • Audit refresh interval: number of minutes to use for the refresh interval
  • Verbose Logging: enables verbose logging instead of standard logging. Useful for debugging but not recommended for production environments
  • Audit: activates audit
  • Audit URL: the URL where the Access Director will upload the audit logs

Localization

  • Language: application language
  • Preferred UI Language: language used by Access Director
  • Preferred UI Reference: sets whether the default UI language follows the Windows Display Language or the Defined Keyboard Layout

IOC

  • IOC: activates IOC
  • IOCUploadUrl: URL where the IOC log will be uploaded
  • IOCUrl: URL of a CSV containing the configuration (the CSV mirrors what is in Settings -> IOCs)
  • ManagedUrl: the URL of the settings.json file (mirrors the value set in the registry in order to enable configuring via the Reporting Point)

Application Security

  • Disable Manual Elevation: if enabled, the users will not be able to elevate via the tray application
  • Disable Shell Hook: if enabled, disables the shell hook, which is necessary for the pre-approved or blocked apps
  • File integrity
  • Pre Approved Apps: names of applications that will automatically start as “Run as Administrator” (the user will still be required to enter credentials; the primary use is for legacy applications which require admin rights to run)
  • Block file execution: names of applications that will be blocked from running (ex: *notepad.exe, C:\Program Files\notepad.exe)

Active Directory

  • SecureAdministratorPaths: removes local administrators' access to other Windows profiles
  • CleanLocalAdmins: defines whether the local admin group should be emptied
  • ActiveDirectory: defines whether only users from the Active Directory group should be elevated
  • ActiveDirectoryCache: if enabled, the cached information must be renewed within the specified renewal interval. If the cache is not validated within the renewal interval, Access Director will deny elevating privileges.
  • ActiveDirectoryGroup: the name of the Active Directory group which contains the users that are allowed to elevate
  • ActiveDirectoryRefresh: the refresh interval in minutes

6. Run Access Director Tray

After you finish the installation, in order to show the Access Director icon in the tray (only the first time), you will have to run the Access Director Tray application.
