After our recent “What is Elevation Control” blog, we wanted to take a deeper dive into the technical aspects of ThreatLocker’s Elevation Control tool, so we asked our social media audience for their burning questions. In this blog, we answer six of the frequently asked questions we received.
How Is Elevation Control Deployed?
Elevation Control can be turned on with a few clicks. In the organizations tab of your ThreatLocker portal, select Elevation Control from the product dropdown menu for each organization you'd like to add it to. After that, you’re ready to start adding elevation permissions.
How Is Elevation Control Configured within ThreatLocker?
Elevation Control is an option within the existing application policies. It allows elevated permissions on an application-by-application basis without granting the user admin rights on their user account. Elevation can also be granted at the computer level using ThreatLocker’s maintenance mode, for situations where a user needs admin rights for Windows itself or for all applications. Both of these options can be approved in advance, approved on demand as needed, or configured on a schedule or for a limited time frame, which eliminates the need to manually revert changes later.
What Prevents an Elevated User from “Application Hopping” to Infiltrate Another Application Maliciously?
Elevation Control (along with any PAM tool) is a tool for convenience, not a security tool. When paired with ThreatLocker Ringfencing, however, applications can be blocked from using an elevated application to access a different application altogether. Some applications require interaction with others. In this case, the policy can be modified to allow interaction with the specific required applications while still blocking hopping to other, higher-risk applications like PowerShell, Command Prompt, or CScript.
What Is the Level of Administration Required for Elevation Control?
Administration is only required when a user requests elevation. Any time an application requires elevation, the user will be prompted to submit a request. These requests are processed by a ThreatLocker administrator, who decides whether to grant or deny the request. Approvals can be processed within the ThreatLocker portal or using the ThreatLocker mobile app. If an elevation need is known in advance, an elevation policy can be configured beforehand for the required application. This policy can be limited to a very specific process, a scheduled time, or a limited period of time, which reduces the risk of elevated access being abused and eliminates the need for a manual approval each time that application needs elevation.
Is Elevation Control a Necessary Tool?
Elevation Control is an effective tool for saving time, reducing the number of tickets for elevated access, and minimizing human error by removing all admin users and granting admin control only for a very specific purpose. For example, if a QuickBooks update requires admin rights to be installed, rather than submitting a ticket each month for a tech to run the update, a policy can be created to allow just the QuickBooks update process to run as an administrator.
Are Privileged Sessions Logged?
Elevation Control logs every process that was elevated as a result of a ThreatLocker policy in the Unified Audit. You can easily search by the action type “Elevation” to identify those specific processes or applications.
Talk to the Cyber Hero Team today to see Elevation Control in action.