Least Privilege Policy Type

Understanding the Keeper least privilege policy setup and usage

Overview

The Keeper Least Privilege policy removes local administrator rights from standard users on the target endpoint. On Windows devices, Keeper will not remove administrative rights from built-in admin accounts or root accounts. See the Protected Administrators Exclusion List section for details.

Least Privilege policies may incorporate granular command-level restrictions to ensure that elevation is scoped only to approved commands or operational contexts. This reduces excessive privilege exposure within permitted applications.

Policy Interaction or Enforcement Model

Least Privilege policies operate in conjunction with Application AllowList and DenyList controls. When default-deny strategies are implemented, least privilege enforcement ensures that only explicitly permitted applications and approved elevated actions are allowed.

Activating Least Privilege

From the Admin Console > Endpoint Privilege Manager > Policies, create a new policy. Select "Least Privilege" as the policy type and then "Enforce".

Visit the "Advanced" section to apply an exclusion policy to any local admins which should not be managed by Keeper.

Exclusion List

When the Least Privilege Policy is applied, Keeper will remove local admin rights from any user that is not in the "exclusion" list. This list is defined in the Advanced settings of the policy editor page.

[Screenshot: the exclusion list field under the Advanced settings of the policy editor, which is the section to modify]
Protected Administrators Exclusion List

Keeper protects the following administrators by default through SID (security identifier) pattern matching and enhanced detection. This prevents enforcing least privilege on root accounts.

1. Well-Known SID Patterns

  • S-1-5-32-544 - Built-in Administrators group

  • S-1-5-18 - SYSTEM account

  • S-1-5-19 - LOCAL SERVICE

  • S-1-5-20 - NETWORK SERVICE

2. Domain Administrator SID Patterns

  • S-1-5-21-*-512 - Domain Admins (any domain)

  • S-1-5-21-*-519 - Enterprise Admins (forest root domain)

  • S-1-5-21-*-518 - Schema Admins (forest root domain)

  • S-1-5-21-*-500 - Built-in Administrator account (any domain)

Additional Protected Accounts

  • KeeperUserSession - Always protected (service account)

  • Built-in Administrator - Always protected (even if renamed)

Linux / macOS Protected Accounts

  • Linux and macOS "root" user
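The following is an added example, not Keeper's own code, showing how the SID patterns and protected names listed above combine with the policy's exclusion list when deciding which members of a local Administrators group keep their rights. It assumes the exclusion list is matched by account name, case-insensitively, and that the "enhanced detection" mentioned on this page is limited to the name and RID checks shown here; the sample group membership is constructed.

```python
import re

# Well-known SIDs that Keeper protects by default (values from this page).
WELL_KNOWN_PROTECTED = {
    "S-1-5-32-544": "Built-in Administrators group", "S-1-5-18": "SYSTEM account",
    "S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE",
}
# Domain and local-machine SIDs are S-1-5-21-<three sub-authorities>-<RID>; the
# page's "*" is that machine/domain part. Renaming an account never changes its
# RID, so RID 500 still identifies a renamed built-in Administrator.
PROTECTED_RIDS = {512: "Domain Admins", 519: "Enterprise Admins",
                  518: "Schema Admins", 500: "Built-in Administrator account"}
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")
# Accounts protected by name (assumption: matching is case-insensitive).
PROTECTED_NAMES = {"keeperusersession": "service account", "root": "root user"}


def protected_reason(name, sid=None):
    """Why the account is protected, or None if it is a removal candidate."""
    if name.lower() in PROTECTED_NAMES:
        return PROTECTED_NAMES[name.lower()]
    if sid in WELL_KNOWN_PROTECTED:
        return WELL_KNOWN_PROTECTED[sid]
    m = DOMAIN_SID_RE.match(sid or "")  # Linux/macOS accounts have no SID
    if m and int(m.group(1)) in PROTECTED_RIDS:
        return PROTECTED_RIDS[int(m.group(1))]
    return None


def plan_enforcement(members, exclusions):
    """Map each (name, sid) local-admin member to 'keep (<reason>)' or 'remove'.
    exclusions: names from the policy's Advanced exclusion list (assumed)."""
    excluded = {n.lower() for n in exclusions}
    plan = {}
    for name, sid in members:
        reason = protected_reason(name, sid) or (
            "exclusion list" if name.lower() in excluded else None)
        plan[name] = f"keep ({reason})" if reason else "remove"
    return plan


# Constructed sample: members of a workstation's local Administrators group.
SAMPLE_MEMBERS = [
    ("Administrator", "S-1-5-21-1004336348-1177238915-682003330-500"),
    ("CORP\\Domain Admins", "S-1-5-21-3623811015-3361044348-30300820-512"),
    ("alice", "S-1-5-21-1004336348-1177238915-682003330-1001"),
    ("bob", "S-1-5-21-1004336348-1177238915-682003330-1002"),
    ("KeeperUserSession", "S-1-5-21-1004336348-1177238915-682003330-1003"),
    ("root", None),
]
PLAN = plan_enforcement(SAMPLE_MEMBERS, exclusions=["bob"])
```

Only alice loses admin rights in the sample: the others are protected by SID pattern, by name, or by the exclusion list.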
