Excessive privileges and malicious users
IBM® MaaS360® Endpoint Threat Management protects devices from malicious users who access the network with privileges that should have been restricted, or who otherwise cause security issues within the organization.
The Privileges setting secures an endpoint by detecting and removing user accounts that access the network with privileges that should have been restricted and that can pose serious security threats to the organization. The device risk for the user is calculated from the number of violations that occur on the device.
- Windows
- macOS
- For Windows, the MES agent must be installed on the user device. The administrator must enroll the devices and install the MaaS360 app or agent on the device.
Detecting the validity of privileges for a user account on a device or an endpoint (check if admin privileges are compromised and if an attacker can access the network by using those privileges)
Administrative privileges are the highest permission levels that are granted to an admin user. These privileges include permissions to access almost all network and system areas of an organization. The administrator grants only the required privileges to standard users and strictly restricts certain privileges that allow users to perform actions that cause threats to the device, enterprise data, and network.
A standard user might intentionally or unintentionally acquire certain restricted privileges through malware and then perform actions that cause serious security threats to the organization. In this case, configure this setting to detect users with excessive privileges: track standard users that hold admin privileges, or select from a list of privileges to find the users that hold them, and then initiate a remediation action.
When the user tries to perform a privileged operation, the system checks the user's access token to determine whether the user holds the necessary privileges, and if so, checks whether the privileges are enabled. If the user fails these tests, the system does not perform the operation.
Detecting the validity of a user account on a device/endpoint (check whether an attacker is masquerading as a user to gain access to the network - malicious usernames)
If an administrator suspects that a specific username is causing issues in the enterprise, they can use MaaS360 to search for that user account (by username or regex pattern) on Windows or macOS devices and then act against that user.
- Report the user of the Windows or macOS devices.
- Block the user so that the user cannot log in to the device again.
- Delete the user from the device and remove the user record from the MaaS360 Portal.
Configuring the EPS policy for privileges and malicious users
You can configure and push EPS policies to detect both users with excessive privileges and malicious users, and then act on managed devices.
- From the IBM MaaS360 Portal home page, go to .
- Open an EPS policy and then click Privileges.
- Configure the following settings.
Policy setting: Detect excessive user account privileges (if enabled)
- Detect excessive privileges of standard users
  Description: Select the privilege that you want to check to determine which accounts were granted access to that privilege. For more explanation about the privileges in this list, see https://docs.microsoft.com/en-us/windows/win32/secauthz/privilege-constants.
  - Assign Primary Token Privilege
  - Audit Privilege
  - Create Global Privilege
  - Backup Privilege
  - Create Page file Privilege
  - Create Permanent Privilege
  - Create Symbolic Link Privilege
  - Create Token Privilege
  - Debug Privilege
  - Delegate Session User Impersonate Privilege
  - Enable Delegation Privilege
  - Impersonate Privilege
  - Increase Base Priority Privilege
  - Increase Quota Privilege
  - Lock Memory Privilege
  - Load Driver Privilege
  - Machine Account Privilege
  - Manage Volume Privilege
  - Profile Single Process Privilege
  - Relabel Privilege
  - Remote Shutdown Privilege
  - Security Privilege
  - Restore Privilege
  - Sync Agent Privilege
  - System Environment Privilege
  - System Profile Privilege
  - System time Privilege
  - Take Ownership Privilege
  - Tcb Privilege
  - Trusted CredMan Access Privilege
  - Unsolicited Input Privilege
  Supported devices: Windows
- Remediation action
  Description: Configure the real-time action (revoke the privilege or report the user to the administrator) that you want to take on the user when the configured privilege is detected on the user account.

Policy setting: Detect malicious users by username (if enabled)
- Detect local user accounts by name
  Description: Enter the usernames of the user accounts (any, admin, standard) that you want MaaS360 to search for as potential threats to the enterprise. Use a specific string or a regex for the username. The regex supports all alphanumeric combinations (for example, 123!#, abc, 123_23*).
  Supported devices: Windows, macOS
  To check for user accounts with multiple users (Other Users setting):
  - Windows: Settings
  - macOS:
- Remediation action
  Description: Configure the real-time action that you want to take on the detected malicious user account:
  - No action: Tracks and reports devices with local usernames that match the configured username criteria.
  - Disable user: Disables the user from using the device.
  - Delete user: Removes the user from the device.
  Supported devices: Windows, macOS
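The following is an added example, not MaaS360 code, showing how an agent-side evaluator for the two settings above could be written: the excessive-privilege check mirrors the access-token test described earlier (is the privilege held on the account, and is it currently enabled), and the malicious-username check accepts either a literal string or a regex. The policy values, the account inventory, the privilege constant names chosen and the action names are all constructed assumptions.

```python
"""Added example, not MaaS360 code: evaluate a hypothetical EPS 'Privileges'
policy against a constructed inventory of local accounts on one endpoint.
It models the two settings in the table above: excessive-privilege detection
for standard users (mirroring the access-token test: is the privilege held,
and is it enabled?) and malicious-username detection by string or regex.
Policy values, account data and action names are all constructed."""
import re
from dataclasses import dataclass, field


@dataclass
class LocalAccount:
    name: str
    is_admin: bool
    # privilege name -> enabled flag, as it would appear in the access token
    privileges: dict = field(default_factory=dict)


# Constructed policy, corresponding to the Privileges page of an EPS policy.
POLICY = {
    "excessive_privileges": {
        "enabled": True,
        # privileges selected from the list above (Windows constant names)
        "watch": {"SeDebugPrivilege", "SeTcbPrivilege", "SeTakeOwnershipPrivilege"},
        "remediation": "revoke",  # or "report"
    },
    "malicious_users": {
        "enabled": True,
        # a literal name and two regex patterns, as the setting allows
        "patterns": ["svc_backup", r"adm[0-9]{3}", r"temp.*"],
        "remediation": "disable",  # "no_action" | "disable" | "delete"
    },
}

# Constructed local accounts as an agent might enumerate them.
SAMPLE_ACCOUNTS = [
    LocalAccount("Administrator", True, {"SeDebugPrivilege": True, "SeTcbPrivilege": False}),
    LocalAccount("jdoe", False, {"SeChangeNotifyPrivilege": True}),
    LocalAccount("mwalker", False, {"SeDebugPrivilege": False, "SeTakeOwnershipPrivilege": True}),
    LocalAccount("adm042", False, {}),
    LocalAccount("temp_contractor", False, {"SeTcbPrivilege": True}),
]


def check_privileges(account, watch):
    """Return (privilege, enabled) for each watched privilege a standard
    account holds. A held-but-disabled privilege still counts, because the
    account can enable it; admin accounts are expected to hold these
    privileges and are skipped."""
    if account.is_admin:
        return []
    return sorted((p, on) for p, on in account.privileges.items() if p in watch)


def find_malicious(accounts, patterns):
    """Match account names against the configured strings/regexes.
    fullmatch() keeps a literal such as 'svc_backup' from matching 'svc_backup2'."""
    regexes = [re.compile(p, re.IGNORECASE) for p in patterns]
    return [a.name for a in accounts if any(r.fullmatch(a.name) for r in regexes)]


def evaluate(policy, accounts):
    """Produce the findings and the real-time action the policy would trigger."""
    findings = []
    ep = policy["excessive_privileges"]
    if ep["enabled"]:
        for acct in accounts:
            for priv, enabled in check_privileges(acct, ep["watch"]):
                findings.append({"type": "excessive_privilege", "user": acct.name,
                                 "privilege": priv, "enabled": enabled,
                                 "action": ep["remediation"]})
    mu = policy["malicious_users"]
    if mu["enabled"]:
        for name in find_malicious(accounts, mu["patterns"]):
            findings.append({"type": "malicious_user", "user": name,
                             "action": mu["remediation"]})
    return findings


if __name__ == "__main__":
    for finding in evaluate(POLICY, SAMPLE_ACCOUNTS):
        print(finding)
```

Running the block reports the two watched privileges held by mwalker (one of them disabled but still held), the Tcb privilege held by temp_contractor, and the two usernames that match the patterns; the Administrator account is not reported because it is expected to hold those privileges.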
Configuring risk rules for privileges and malicious users
When a risk incident is detected, MaaS360 validates that risk incident against your risk rule to calculate the severity and risk score for the devices and users.
- From the IBM MaaS360 Portal Home page, go to . The following predefined risk rules that are configured for Privileges are displayed in the Risk Rule Configurator.
EPS policy type/setting: Privileges / Detect excessive user account privileges
Predefined risk rule: Windows privileges violations
Description: This rule checks which user accounts were granted specific admin privileges on Windows user devices. If configured admin privileges are detected on a standard user's account, the incident is reported to MaaS360, and based on this risk rule configuration, a risk incident is created with a high severity and a risk score is added.
Note:
- This risk rule applies to Windows devices only.
- For this risk rule to function, the Endpoint Security service must be enabled on the Services page.
- The rule set is categorized under device-based risk rules because the risk score that is associated with these risk incidents drops immediately (becomes zero) when all the Windows privileges violations that are associated with the risk incident are remediated on the user account and removed from the Security Dashboard.
- One risk incident is created against all Windows privilege violations that are configured for one Endpoint Security policy. If more than one endpoint security policy is configured and Windows privilege violations are detected, one risk incident is created for each of the security policies under which violations are detected.

EPS policy type/setting: Privileges / Detect malicious users by username
Predefined risk rule: Malicious local users detected
Description: This rule checks for specific usernames in Windows or macOS user accounts that are assumed to belong to malicious users. When the specific username is detected in an account, the incident is reported to MaaS360, and based on this risk rule configuration, a risk incident is created with a high severity and a risk score is added.
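The following is an added example, not MaaS360 code, that models the incident and scoring behaviour described in the note above: one risk incident per device and EPS policy that has privilege violations, and a device-based score that returns to zero as soon as every violation in that incident is remediated. The severity label, the numeric score, the device, policy and user names are constructed assumptions; the page does not state the score value MaaS360 adds.

```python
"""Added example, not MaaS360 code: model the 'Windows privileges violations'
risk rule as described above. Incidents are grouped per (device, EPS policy);
the rule is device-based, so an incident's score is zero once all of its
violations are remediated. Score value and sample data are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

HIGH_SEVERITY_SCORE = 10  # constructed value; the page gives no number


@dataclass
class Violation:
    device: str
    policy: str       # EPS policy under which the violation was detected
    user: str
    privilege: str
    remediated: bool = False


@dataclass
class RiskIncident:
    rule: str
    device: str
    policy: str
    severity: str
    violations: list = field(default_factory=list)

    def score(self) -> int:
        """Device-based rule: the score drops to zero when every violation
        tied to this incident has been remediated."""
        if all(v.remediated for v in self.violations):
            return 0
        return HIGH_SEVERITY_SCORE


def build_incidents(violations):
    """One incident per (device, policy), mirroring the note above."""
    groups = defaultdict(list)
    for v in violations:
        groups[(v.device, v.policy)].append(v)
    return [RiskIncident("Windows privileges violations", dev, pol, "High", vs)
            for (dev, pol), vs in sorted(groups.items())]


def device_risk(incidents):
    """Sum the open incident scores per device."""
    totals = defaultdict(int)
    for inc in incidents:
        totals[inc.device] += inc.score()
    return dict(totals)


def remediate(incidents, device, user, privilege):
    """Mark one violation remediated (e.g. after the privilege is revoked).
    Returns how many violations were marked."""
    marked = 0
    for inc in incidents:
        if inc.device != device:
            continue
        for v in inc.violations:
            if v.user == user and v.privilege == privilege and not v.remediated:
                v.remediated = True
                marked += 1
    return marked


def sample_violations():
    """Constructed detections from two devices and two EPS policies."""
    return [
        Violation("LAPTOP-01", "EPS-Finance", "mwalker", "SeDebugPrivilege"),
        Violation("LAPTOP-01", "EPS-Finance", "mwalker", "SeTakeOwnershipPrivilege"),
        Violation("LAPTOP-01", "EPS-Baseline", "jdoe", "SeTcbPrivilege"),
        Violation("DESKTOP-07", "EPS-Baseline", "tlee", "SeLoadDriverPrivilege"),
    ]


if __name__ == "__main__":
    incs = build_incidents(sample_violations())
    print(device_risk(incs))
    remediate(incs, "LAPTOP-01", "mwalker", "SeDebugPrivilege")
    remediate(incs, "LAPTOP-01", "mwalker", "SeTakeOwnershipPrivilege")
    print(device_risk(incs))
```

LAPTOP-01 starts with two incidents (one per policy) and DESKTOP-07 with one; revoking only one of mwalker's two privileges leaves the EPS-Finance incident open, and the device's score only falls once both are remediated.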
Tracking Windows privilege violations and malicious user incidents on the Security Dashboard
- Go to .
- For Windows privileges violations:
  - Click the Affected devices link. The affected devices with details are displayed.
  - Click the username. The User Summary page is displayed, which includes the Windows privilege violation for the applied EPS policy.
- For malicious users:
  - Click the Affected devices numbered link. The affected devices with details are displayed.
  - Click the username. The User Summary page is displayed, which includes the malicious user violation for the applied EPS policy.
You can also click the Device name in the Risky devices section to display information about the violation.