Least Privilege Policy Type

Understanding the Keeper least privilege policy setup and usage

Overview

The Keeper Least Privilege policy removes local administrator rights from standard users on the target endpoint. On Windows devices, Keeper will not remove administrative rights from built-in admin accounts or root accounts. See the Protected Administrators Exclusion List section for details.

Activating Least Privilege

From the Admin Console > Endpoint Privilege Manager > Policies, create a new policy. Select "Least Privilege" as the policy type and then select "Enforce".

Visit the "Advanced" section to apply an exclusion policy to any local admins that should not be managed by Keeper.

Exclusion List

When the Least Privilege Policy is applied, Keeper will remove local admin rights from any user that is not in the "exclusion" list. This list is defined in the Advanced settings of the policy editor page.

The section to modify is below:

"CertificationCheck": [],
"Extension": {
    "Exclusions": [
        "your_username_to_exclude"
    ]
},

When the least privilege policy is applied, the endpoints will receive a notification that indicates they have been removed from the administrators group.


Protected Administrators Exclusion List

Keeper protects the following administrators by default through SID (security identifier) pattern matching and enhanced detection. This prevents enforcing least privilege on root accounts.

1. Well-Known SID Patterns

  • S-1-5-32-544 - Built-in Administrators group

  • S-1-5-18 - SYSTEM account

  • S-1-5-19 - LOCAL SERVICE

  • S-1-5-20 - NETWORK SERVICE

2. Domain Administrator SID Patterns

  • S-1-5-21-*-512 - Domain Admins (any domain)

  • S-1-5-21-*-519 - Enterprise Admins (forest root domain)

  • S-1-5-21-*-518 - Schema Admins (forest root domain)

  • S-1-5-21-*-500 - Built-in Administrator account (any domain)

Additional Protected Accounts

  • KeeperUserSession - Always protected (service account)

  • Built-in Administrator - Always protected (even if renamed)

Linux / macOS Protected Accounts

  • Linux and macOS "root" user
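A pre-rollout preview of which local Administrators members the policy would leave alone, written as an added example that is not Keeper's code. It applies the SID patterns and the Exclusions list from this page with plain glob matching; the account names, SIDs, function names, and the case-insensitive short-name comparison are assumptions.

```python
import json
from fnmatch import fnmatchcase

# SID patterns copied from the Protected Administrators Exclusion List on this page.
PROTECTED_SID_PATTERNS = [
    "S-1-5-32-544", "S-1-5-18", "S-1-5-19", "S-1-5-20",
    "S-1-5-21-*-512", "S-1-5-21-*-519", "S-1-5-21-*-518", "S-1-5-21-*-500",
]
PROTECTED_NAMES = {"keeperusersession"}  # listed as "Always protected (service account)"

# Constructed policy fragment in the shape shown in the Advanced settings.
POLICY_FRAGMENT = '{"CertificationCheck": [], "Extension": {"Exclusions": ["helpdesk_admin"]}}'

# Constructed sample of local Administrators members: (account name, SID).
SAMPLE_MEMBERS = [
    # Renamed built-in Administrator: still caught by its RID 500.
    ("WS01\\LocalBoss", "S-1-5-21-1111111111-2222222222-3333333333-500"),
    ("CORP\\Domain Admins", "S-1-5-21-4444444444-5555555555-6666666666-512"),
    ("WS01\\KeeperUserSession", "S-1-5-21-1111111111-2222222222-3333333333-1005"),
    ("WS01\\helpdesk_admin", "S-1-5-21-1111111111-2222222222-3333333333-1001"),
    # RID 1512 only ends in the digits 512; it must not match the -512 pattern.
    ("CORP\\alice", "S-1-5-21-4444444444-5555555555-6666666666-1512"),
]

def short_name(account):
    """Drop a DOMAIN\\ or COMPUTER\\ prefix and lowercase (assumed comparison rule)."""
    return account.rsplit("\\", 1)[-1].lower()

def classify(account, sid, exclusions):
    """Return 'protected', 'excluded' or 'demoted' for one Administrators member."""
    if any(fnmatchcase(sid, pattern) for pattern in PROTECTED_SID_PATTERNS):
        return "protected"
    if short_name(account) in PROTECTED_NAMES:
        return "protected"
    if short_name(account) in exclusions:
        return "excluded"
    return "demoted"

def preview(policy_json, members):
    """Map each member to its predicted outcome under the policy fragment."""
    policy = json.loads(policy_json)
    exclusions = {name.lower() for name in policy["Extension"]["Exclusions"]}
    return {name: classify(name, sid, exclusions) for name, sid in members}

if __name__ == "__main__":
    for name, outcome in preview(POLICY_FRAGMENT, SAMPLE_MEMBERS).items():
        print(f"{outcome:10} {name}")
```

Any account reported as "demoted" that still needs local admin belongs in the policy's Exclusions list before the policy is set to "Enforce".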
