Centrify DirectAuthorize for Windows provides a solid defense mechanism against “Pass the Hash attacks” as it enables the granting of privilege only to a specific machine and a specific process at a point in time. In other words users no longer have to long with more privileges than they need and/or a privileged account with power on multiple processes or machines. I will show this with a simple end user scenario screen shots from process explorer, one of the Microsoft Sys Internals tools.
One simple example is Anita Parsons, an end user who needs to defragment her disk. In order to run the disk defragmenter, Anita must have administrator privileges. Obviously we don’t want to make Anita a local administrator on her machine as this would give her more privileges than she needs and also could be exploited by a Privileged User attack to install malware etc. So we use DirectAuthorize for Windows to allow Anita to execute disk defragmenter, and only disk defragmenter, with the power of the built-in Administrators group.
To prove that Anita has Administrator privilege only when she executes the disk defragmenter, I will show several screen shots from process explorer taken from Anita’s windows machine.
This first screen shot shows process explorer for Anita’s session and notice that the “Explorer.exe” process is highlighted. The security properties show the groups that Anita is a member of as it applies to the Explorer process. As you can see at this time for this process she is NOT a member of the Built-in Administrators group.
The second screen shot shows is choosing to run with privilege when executing the Disk Defragmenter application. Run with privilege via DirectAuthorize for Windows allows the user to run a specific application with the power of a builtin group, AD Group, service account, etc - depending on how the configuration is specified.
The third screen shot show again shows the process explorer for Anita’s session and notice that the “dfrgui.exe” process is highlighted. The security properties show the groups that Anita is a member of as it applies to the dfgui.exe (Disk Defragmenter) process. As you can see at this time for the dfgui.exe process, Anita is a member of the Built-In Administrators group for this process at this time.
While this was a simple example, I am sure you can think of many times - like database administrator, web server administrator etc, where the user needs to run some applictions as an administrator or service account and DirectAuthorize could enable this securely. DirectAuthorize for Windows enables organizations to enforce least privilege and minimize the use of highly privileged accounts. When deployed, it enables a user to have only the privileges needed for the task at hand, limited to specific machine(s), individual processes, at a point in time. Use of Multi-Factor Authentication on Privilege Elevation can further compliment the protection provided by DirectAuthorize for Windows. With the continued threat posed by privileged user attacks, DirectAuthorize for Windows can help your organization minimize the threat and attack surface.