Get to know our
Core Features
Per App & Session Elevation
As the name suggests, Admin By Requests provides multiple avenues for users to request the administrative access they need, when they need it. Run as Admin is a feature which elevates a single application, whereas an Admin Session grants the user elevated privileges on their device for a period of time.
Machine Learning & AI Auto-Approval
For large enterprises, manually approving each individual request for elevation may not be the most resource-efficient method. With Machine Learning and Artificial Intelligence Auto-Approval, you can allow the system to decide which applications should be automatically approved.
Skip the reading:
Elevation Methods
Run as Admin
Per App Elevation
Users can right-click the application they want to run with elevated privileges and select Run as Admin from the menu.
Admin By Request provides the ability to perform ‘per app’ elevations. The main benefit of this is you are giving the user the ability to elevate just a single application, rather than granting elevated access to the entire system. Another benefit of ‘Run As Admin’ mode is that it works the exact the same way as the default Windows Run as Admin function, so there is minimal need to ‘re-educate’ users in how to get elevated rights when running apps.
‘Run As’ elevations can be configured to require the user to fill out a ‘reason’ for the elevation, and / or require manual approval to run the application elevated.
You have the option to assign different users / groups of staff different combinations of these options, with the use of our sub-settings functionality.
So when you need to manage the granting of elevation ‘per application’ and not the entire system, the ‘Run As Administrator’ method is the right choice.
Admin Session
Session Elevation
Users can double-click the Admin By Request desktop icon or select the icon from tray tools and confirm that they want to initiate an Admin Session.
Any user given full session elevation gets full local admin rights on their system.
Full session elevation mode is ideal for situations such as when elevated access to ‘system’ resources such as drivers or printers etc. is required, when a user needs elevation only for a specific amount of time, or when a Developer requires the use of multiple elevated applications.
As with ‘Run As’ mode, everything in the elevation session is audited, so you can see the reason why the person needs the elevation, anything installed, uninstalled, or run.
Full Session elevation mode includes the ability to block the elevation of any system files (CMD.EXE etc.) whilst running elevated, and the ability to ‘force terminate’ any elevated processes once the timer has run down.
PIN Code
Provide Offline Access
Offline users, or those not permitted to use other Admin By Request features for elevation, can instead obtain a challenge/response PIN.
This feature is ideal for any user who is unable to gain elevation via Run as Admin or initiate an Admin Session due to being offline – an issue which occurs when a company has Require Approval turned on; requests for elevated privileges cannot be approved by an IT admin because they cannot be sent from the endpoint when that endpoint is not connected to the Internet. The PIN Code feature is also designed for users who are prevented from using the Admin By Request Run as Admin or Admin Session features to gain elevation because they are not within the scope of users permitted to use these features.
These users likely rarely require elevation within their role, but may have the occasional need to perform one-off admin tasks such as printer installation. With the feature, one PIN is generated by the end user and the other by an IT admin. When used together (i.e., entered into the Admin By Request popup window on the end user’s device), offline or out-of-scope elevation is granted.
App Control
Pre-Approval
Create Whitelists
Users who request to run Pre-Approved applications as administrator do not need to wait for approval - instead, it's granted immediately.
Admin By Request comes with sophisticated approval workflows built in, which enable portal administrators to process each elevation request based on a ‘reason’ and to then decide on whether or not to approve it.
But what if you have a known application, perhaps legacy, that some staff need to use all the time? You don’t want to have to ‘workflow’ these requests, but at the same time you don’t want there to be a Local Admin ‘free buffet’ either.
This is the ideal scenario for application pre-approval (previously known as ‘whitelisting’), which allows any user to run a pre-approved program without having to gain full local admin rights to their system.
For more granular control, you can deploy a sub setting and create additional pre-approval entries for those users in that sub setting – so if you need to pre-approved list an application for engineering, you would add this only to the engineering sub setting pre-approved list, so only that department could auto elevate it.
AI Approval
Auto-Approve Trusted Apps
Each application has a score based on how trustworthy it and the app vendor is. Apps which rank above a pre-set score are auto-approved.
Most of the applications run with elevated privileges are the same across the board – and these common apps are generally safe for elevation. So, the question was, how could we use this data to help each customer? We created a system which designates applications two scores between 0 and 100% based on both the application and its vendor’s popularity. A very well-known app from a reputable vendor (e.g., Microsoft Office) would score in the higher end of the scale, whereas a rarely used app from an unknown vendor would receive a low score. The higher each of the scores, the more trustworthy the app is considered to be, and the less risk attached in allowing it to be automatically approved by the Admin By Request AI engine.
Very low scores (i.e., 0-1) indicate ‘exotic’ apps – rare software from unknown vendors which are much more likely to have malware attached. These exotic applications are those that you would not want to be auto-approved by the AI engine, and instead approved manually on a case-by-case basis. The idea with the scoring system is to allow customers to set a score of their choosing, and then enable AI Auto-Approval for every application which meets this score or higher – using the AI engine to approve applications that are very common, and therefore, likely safe.
Machine Learning
Reduce Manual Workload
Each time a user request to run an application as administrator is approved, the system learns what is safe for auto-approval.
The idea behind Machine Learning Auto-Approval is to kill two birds with one stone: why don’t we allow customers to build a Pre-Approved list, as their employees use the software? Let’s say a user requests to elevate an application, and an IT Admin approves this request. What the IT Admin is essentially saying is that the application in question is safe to run; in other words, it likely belongs on the Pre-Approved list. So why not make a rule that if approval for an application elevation is granted X amount of times, that application is now automatically approved from then on?
This is where the Machine Learning feature comes in – it allows the system to handle creating the list of applications that are safe for approval as applications are used. Customers can set a number of times that applications need to be manually approved by an IT Admin before they are added to the Machine Learning Auto-Approved list.
Verification
Endpoint MFA/SSO
Enforce Business Policies
Instead of confirming or authenticating using account credentials, users can be forced to undertake MFA and use SSO with your chosen IdP.
As cyberthreats increase and advance, so do compliance and security requirements specified by governing bodies. Most organizations now have policies around MFA and Single Sign-On (SSO) in place, both to protect their IT environment and to ensure adherence to various compliance regulations. Such policies or business rules can prove cumbersome for all involved: enforcing that they’re followed may present a problem for IT Admins, whereas abiding by them may seem annoying and unnecessary to the end user. Admin By Request PAM solution now has endpoint MFA and SSO capabilities built-in, allowing customers to configure and enforce business rules around these two security features from within their User Portal.
The feature directs users to the configured SSO provider and requires MFA when they request elevation. Admin By Request then verifies that SSO is complete according to the company’s business rules, and the requested elevation is granted. The feature is ideal for enabling organizations to enforce business rules and ensure security and compliance. It enforces MFA on the endpoint prior to elevation – a requirement for UK organizations who must adhere to the UK Cyber Essentials framework. On the end user side, this feature vastly reduces the number of steps the user needs to take by essentially allowing them to bypass Windows Authenticate and use SSO in order to obtain elevated privileges: the same end result, with fewer clicks. Users no longer have to wait for approval (as is the case in Authenticate / Require Approval mode) – as soon as SSO is complete, approval is granted.
Device Owner
Lock Device to One User
The end user, or IT support person working on the PC, would enter PIN 1 into the User Portal, and use this to generate PIN 2.
In larger organizations with thousands of computers, often used by multiple people, you may want to want to restrict the ability for users to gain privileged access to only the predominant user of that device – particularly if your Settings and Sub-Settings for gaining admin rights are on the more lenient side (e.g., you don’t require approval for elevation). As the name suggest, this feature sets a user as the device owner, and can then be used (if desired) to lock down the device to only that person. The way it works is the first non-administrator that logs in to the device (prior to Device Owner being set) becomes the Device Owner.
Once a device has an Owner (listed in the Inventory and Reports pages of your User Portal), you then have the ability to configure Settings to allow only the specified Device Owner to use Admin By Request elevation features on that device (i.e., Run as Admin and Admin Session). These settings can be applied to all users across the board (Global Settings), or to certain users and groups (Sub-Settings). The Device Owner can be viewed, changed to the currently logged in user, and released altogether so that the next non-administrator that logs in takes up ownership.
Support
Break Glass/LAPS
Grant Emergency Local Admin Access
Generate a local admin account in an emergency or safely provision Just-In-Time administrator accounts for specific purposes or third-party users.
The new feature is based on the idea behind Microsoft’s Local Administrator Password Solution (MS LAPS). If you’re familiar with MS LAPS, you’ll know how it works and why it’s necessary: hackers love the tried and tested technique of exploiting administrator accounts, either via horizontal or vertical privilege escalation; MS LAPS works to prevent this by utilizing Active Directory (AD) to manage admin account passwords across all endpoints, with a key component of management being the forced rotation of passwords for each admin account; when access to an admin account is needed, system admins can retrieve stored passwords from AD and log in to the administrator account.
The reasoning is valid, but MS LAPS leaves several security (and usability) gaps that we thought needing filling. The Break Glass feature takes the functionality of MS LAPS and turns it into a much more attractive option: it creates a new, temporary, one-time-use Administrator account on an endpoint, that works on domains, Azure AD, and stand-alone, which Audits all elevated activity, and terminates within a pre-defined amount of time or on log out.
Provide Remote Support
Helpdesk personnel can remotely connect to end user devices and provide the required assistance using Admin By Request.
Support Assistance
Support Assistance is the feature that helps your Helpdesk to better service users. A user may need helpdesk support for a number of reasons: they may not be permitted to use Admin By Request elevation features such as Run as Admin or Admin Session, they may not know where to find the software they need, they may not be tech-savvy enough to self-service using Admin By Request, or they may simply refuse to take on the responsibility of installing software on their work device knowing they will be audited.
Whatever the reason, Support Assist allows your Helpdesk to remotely connect to end user devices and use Admin By Request features to provide assistance. Personnel who are remote-connecting have the same abilities and restrictions within Admin By Request on the end user’s device that they have on their own device (i.e., the Admin By Request scope and settings applied to Helpdesk personnel are applied globally).
Malware Protection with
When a user requests to run a file as administrator, malware checks are performed by more than 35 anti-malware engines before it’s executed, enabled through integration with OPSWAT’s MetaDefender Cloud API. Here are some of the anti-virus engines that scan your files.
Clean Up Local Admins
Staying on top of your local admin accounts is no easy feat. This is particularly true for older, larger companies that have created admin accounts when onboarding new employees and have been unable to keep track of them over time.
The problem that results is an untracked number of rogue accounts that have elevated access, but may not be being used, monitored, or protected adequately. Leaving them be is a dangerous option, but even more so is eliminating them all and unintentionally rendering your endpoints unusable.
With Admin By Request version 7.3, we’ve added a feature that makes the job of tidying up your loose ends (i.e., loose admin accounts) easy:
Clean Up Local Admins.
With Admin By Request version 7.3, we’ve added a feature that makes the job of tidying up your loose ends (i.e., loose admin accounts) easy:
Clean Up Local Admins.
