Features Explained


Identifies which endpoints have local admin rights, including hidden or hardcoded admin privileges, and which applications can run processes that require admin rights.

Local Admin Rights Removal

Easily resets all endpoints to a “clean-slate,” removing all local admin privileges at once.

Policy-based application control

Elevates applications, never individual users. Reduces one-off application management by IT.


Allow users to run known and trusted applications so they can do their jobs without IT.


Uses the latest information from threat intelligence databases (VirusTotal) to block applications from running.


Allows apps that don’t fit into either category to be isolated for further testing and run in restricted mode with no admin rights.


Quarantine applications so they are not allowed to execute, or only execute in a limited way so they don’t touch any system folders or underlying OS configurations.

Contextual control

Controls who can run certain processes, whether processes can run on certain endpoints, and whether processes are allowed in certain regions or during certain times.

Limit child processes

Limit child processes, such as executing processes from within a PDF, which may allow malware to execute.

Inventory all local groups and users

Allows you to discover all local accounts that exist on endpoints and gives you the ability to control the exact membership of every local group. This helps mitigate the risk of backdoor accounts in the environment.

Coverage of non-domain endpoints

Not bound by users in GPO or Active Directory, so it can include third parties.

Auditing and reporting

Out-of-the-box and custom reports can be configured and shared with management and auditors.

How customers use it

  • To remove users from local admin groups on endpoints

    Most breaches involve compromised endpoints. Endpoints are targeted because they are run by users who click malicious links or download malware. All it takes to cause severe damage is a hacker gaining local admin privileges through a single endpoint.


    With IBM Security Privilege Manager, you can discover which users on which endpoints have local administrative rights, and which applications require the administrator access token to execute.

  • To implement a Least Privilege model

    Least privilege means users should only have sufficient access and rights to do the things they need. Enforcing this on endpoints has always been a challenge. IT administrators are often left with more privileges than they need.


    With IBM Security Privilege Manager, least privilege via application control reduces the attack surface by restricting the applications allowed to run, the devices allowed to connect, and the actions a system can perform.

  • To meet and adhere to audit/compliance requirements

    Many compliance regulations (including HIPAA, PCI DSS, FDDC, Government Connect, FISMA, and SOX) recommend or require that organizations apply least privilege to demonstrate proper data protection and security.


    With IBM Security Privilege Manager, create reports that demonstrate how you are protecting endpoints by following security best practices for least privilege. Manipulate these reports to track/compare over time to show trends and continued progress.

  • To enforce least privilege for remote users

    With remote users/contractors accessing your internal network, it’s difficult to mitigate the risk of rogue behavior. If one of these users downloads malware while connected, it could cause severe damage by moving horizontally or vertically.


    IBM Security Privilege Manager has the ability to automatically deploy policies on these types of endpoints to ensure the safety of your organization. It provides a central dashboard to control, modify and access remote or non-domain joined machines.

  • To leverage reputation engines to get real-time protection

    With evolving attack vectors, the chances of being compromised are at an all-time high. The ability to generate an accurate assessment of known-good apps based on various factors becomes increasingly unpredictable, leaving your company vulnerable 24x7.


    IBM Security Privilege Manager performs real-time reputation checks for any unknown apps by integrating with analysis tools like VirusTotal or Symantec’s FireEye, giving the ability to prevent apps that have been flagged as malicious from running.
