Symantec Privileged Access Management

  • 1.  ControlMinder - How to restrict Windows Administrator privileges

    Posted Jan 14, 2014 03:33 PM

    Good afternoon for all.

    We are implementing CA ControlMinder 12.8, and our client show us the case:

    The DBAdmins need to stay in the Administrators group. Since they are in this group, they are able to create so users, shut down or reboot the server, install / uninstall programs, etc.

    The Security Group wants to restrict these actions for the DBAdmins without remove them from the local Administrators Group.

    ¿Is this possible?  We already know how to protect files, services, etc. . but these actions are more complex.

    Thanks a lot for the help.

    Best regards!

    Luigi



  • 2.  RE: ControlMinder - How to restrict Windows Administrator privileges

     
    Posted Jan 24, 2014 03:04 PM
    joseluigi888:

    Good afternoon for all.

    We are implementing CA ControlMinder 12.8, and our client show us the case:

    The DBAdmins need to stay in the Administrators group. Since they are in this group, they are able to create so users, shut down or reboot the server, install / uninstall programs, etc.

    The Security Group wants to restrict these actions for the DBAdmins without remove them from the local Administrators Group.

    ¿Is this possible?  We already know how to protect files, services, etc. . but these actions are more complex.

    Thanks a lot for the help.

    Best regards!

    Luigi


    Hi All,

    Any ideas here for Luigi?

    Thanks!

    Chris



  • 3.  RE: ControlMinder - How to restrict Windows Administrator privileges
    Best Answer

    Posted Feb 01, 2014 01:44 PM

    I will try first to define resources like services.msc, lusrmgr.msc, compmgmt.msc, and authorize only specific user to execute the file.

     



  • 4.  Re: RE: ControlMinder - How to restrict Windows Administrator privileges

    Broadcom Employee
    Posted May 24, 2015 03:08 PM

    Hello,

     

    It's an old post but currently it's what I'm working with so I want to share some experience:

     

    The .msc files are merely sets of snap-ins, which are utilized in Microsoft Management Console (mmc.exe). Where a snap-in is an individual item on the console root, the list on the left panel of the application. As an example, compmgmt.msc is the console consisting of various snap-ins like Task Scheduler, Disk Management, Services etc.

     

    The problem is, protecting an .msc file is not a solution - yes the user access is denied when it's launched via Run -> compmgmt.msc, but still users CAN launch MMC.EXE itself and then load whatever snap-in they wish, like this:

    mmc.png

    These items are NOT read from .msc files, but from the registry, which point to respective DLL files in the system folder. You may consider protecting MMC.EXE itself, but in my case users did require some level of access (i.e. Event Viewer), so this was not an option for me.

     

    The only solution seems to be blocking access to aforementioned DLL files. For example, Device Manager snap-in uses %systemroot%\system32\devmgr.dll, so you need to protect this one. You can learn which DLL files are used by a specific snap-in under this registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns

     

    dev.png

    Working with administrator accounts is difficult, I hope this helps.