Endpoint Privilege Management

PAM360 offers end-to-end endpoint privilege management for Windows environments through its fine-grain application controls powered by ManageEngine's enterprise application control tool—Application Control Plus.

Using PAM360's control capabilities, IT administrators can enforce access control restrictions tailored to endpoints and applications. These controls include allowlisting and blocklisting applications, implementing child process controls, removing admin rights at the endpoint level, provisioning just-in-time access to applications, and configuring privilege elevation specific to endpoints.

Narrow the attack surface by allowlisting and blocklisting applications on privileged endpoints

With PAM360's fine-grain application control capabilities, administrators can allowlist and blocklist specific applications running on critical endpoints. This significantly limits the possible attack surface and adds an additional layer of security to privileged sessions.

Administrators can configure two modes when users access endpoints:

• Strict Mode: This lets users launch only allowlisted applications on the target endpoint. However, IT administrators can also provision just-in-time access to applications not on the allowlist when the endpoint is accessed in this mode.
• Audit Mode: This allows users to launch and access all applications except those on the blocklist.

Furthermore, admins can configure application-level self-service privilege elevation for a list of applications on select endpoints or in select groups so that users can run allowed applications with elevated privileges for a limited time.

Extend application control mechanisms to child processes

PAM360's Application Control module allows IT administrators to control child processes invoked by applications. Administrators can configure a list of applications that can invoke child processes and block child processes from being invoked by other applications.

Align with the principle of least privilege by removing unnecessary local admin accounts on endpoints

All the local admin accounts across your IT environment are discovered and listed in one place under the Admin Rights Summary tab of the Application Control module. In line with the principle of least privilege, administrators can filter out and remove unnecessary local admin accounts that no longer serve their purpose, eliminating potential standing privileges.

Extend PAM to endpoints across your enterprise

PAM360 has now added endpoint privilege management to its extensive PAM portfolio. Powered by ManageEngine Application Control Plus, PAM360 allows administrators to manage all endpoints, applications, credentials, sessions, privilege elevation, and much more from a unified PAM console.

For more details about the Application Control module and to learn how to set it up, click here.