
    Just-In-Time Access for Windows: Extend Time-Based Admin Privileges 


    According to a recent report, breaches involving admin accounts have increased by 17% from 2023[1]. Moreover, approximately 45% of ransomware attacks specifically targeted admin accounts in 2024[2].

    These statistics highlight that administrator accounts are prime targets for hackers, as gaining access to such accounts grants full control over administrative actions, including user management, file access, and app installation, posing significant security risks.


    Traditional administrative access methods are often inadequate in addressing these risks. The lack of automation can result in users retaining extended admin access, which increases the potential for security breaches.

    Furthermore, sharing admin credentials among multiple users escalates the issue, heightening the risk of malware attacks and data breaches, and compromising sensitive organizational information.

    This underscores the need for a robust privileged access management solution, such as Scalefusion’s Just-In-Time Admin Access feature. This blog will explain what Just-In-Time Admin Access entails and highlight the key capabilities of this feature.

    What is Just-In-Time Access?

    Scalefusion offers privileged access management with the Just-In-Time Admin Access feature. This feature ensures that users operate with standard privileges, offering a secure way to access temporary admin privileges only when necessary. It significantly reduces the risks associated with excessive user privileges by providing elevated access only when required, maintaining security while minimizing potential threats.

    Just-In-Time Access enables users to obtain temporary access to launch applications in admin mode on managed Windows devices. This feature ensures that users operate with elevated privileges securely and only when necessary, allowing them to perform essential tasks without prolonged admin access.

    Key Features of Just-In-Time Access for Windows Devices 

    1. JIT Admin Configuration 

    JIT admin configuration allows IT admins to configure: 

    a. Duration of Admin Privilege

    IT admins can specify the duration (in minutes) during which the user can access applications in elevated mode. Once the duration ends, the app is closed automatically. Admins can set the duration from 5 to 60 minutes.

    b. Allowed number of Requests per Day

    IT admins can enable this setting to allow users to elevate applications with admin privileges by entering another admin’s credentials. Users will be able to elevate applications using only the Scalefusion account if the admin credentials are not available.

    c. Enforce Request justification text

    Administrators can make it compulsory for Windows device users to enter the reason for requesting access to any application with elevated access. 

    d. Enforce active internet connection

    If this setting is enabled, a Windows device user must have an active internet connection to access any application in admin mode.

    e. Allow users to elevate using other Admin credentials

    IT admins can enable this setting to allow Windows users to elevate applications with admin privileges by entering another admin’s credentials. If the admin credentials are not available, users will be able to elevate applications using only the Scalefusion account.

    f. Configure Disclaimer Note

    IT admins can enter a disclaimer note for users that is displayed on the JIT Admin screen to notify them when the set duration ends. 

    2. Log and Activities 

    a. Monitor Admin Access and Collect logs

    Admins can configure whether logs that record how many times critical operations and applications were started or stopped with admin privileges should be captured and synced to the dashboard.


    3. Elevation Scope 

    Elevation scope enables IT admins to limit who can elevate and what they can elevate. It allows them to configure the following settings:

    a. Configure Accounts That Can Request Admin Access

    IT admins can configure whether all non-admin accounts or only specific accounts on the device can request to access an application in elevated mode. If the admins select ‘Specific Accounts’, they must provide the names of the user accounts to which they want to grant access.

    b. Select Applications that can be Run as Administrator

    Administrators can select which applications should run as an administrator. They can choose from three options: 

    • ‘All Allowed Applications’ enables all applications specified in the Select Apps section of the Device Profile. 
    • ‘All Applications’ permits any application on the managed device to be run as an administrator. 
    • ‘Specific Applications’ restricts administrative access to particular applications. Admins must add the application names by clicking “Add Application” and providing relevant details such as the app name and version.

    c.  Override Duration of Admin Privilege

    Admins can specify the duration (in minutes) after which admin privileges are automatically revoked and the app is closed. This setting overrides the duration of admin privileges configured as part of JIT Admin Configuration. The duration ranges from 1 to 1440 minutes.


    4. JIT Admin Access Summary 

    JIT Admin Access summary provides IT admins with the following details: 

    a. Device Summary 

    The device summary offers a comprehensive overview, detailing the total number of devices with Just-In-Time (JIT) Admin configuration applied, the count of standard users on these devices, and the number of admin users. This summary provides clear visibility into the user distribution and administrative access across the configured devices.

    b. Request Summary 

    Request Summary gives IT admins an overview of the number of admin requests made during a single day and the total number of admin requests made during the last 60 days.

    c. Device Overview 

    In the device overview section, admins can access a consolidated tabular view showing the names of the devices where the configuration has been applied, their serial numbers, the number of requests received from each device today, the total number of admin requests received from each device, and the name of the configuration applied to the device.

    5. Activity Logs 

    Activity logs enable admins to view what users did on the device while elevated from standard to admin user. Apart from the device name and serial number, activity logs include the names of users requesting JIT Admin Access, the files accessed, the start and end time of the JIT admin activity (indicating when the user was elevated to admin and when they were downgraded back to a standard user), and the justification text entered by the user when requesting JIT admin access.
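
    The fields listed above are enough to audit elevated sessions against the configured policy. The following is an added example, not Scalefusion code: the CSV column names, the sample rows, the policy values, and the one-minute grace period are all assumptions made for illustration.

```python
import csv, io
from collections import Counter
from datetime import datetime

POLICY = {  # hypothetical values; the ranges in the comments are the ones this post states
    "duration_min": 30,            # JIT Admin Configuration: 5 to 60 minutes
    "override_min": None,          # Elevation Scope override: 1 to 1440, None = unset
    "max_requests_per_day": 2,
    "require_justification": True,
    "allowed_accounts": {"alice", "bob"},  # 'Specific Accounts' scope
}

# Constructed sample; column names are assumed, not a documented export format.
SAMPLE_LOG = """device,serial,user,app,start,end,justification
WS-01,SN001,alice,regedit.exe,2024-06-03T09:00:00,2024-06-03T09:20:00,Fix printer driver key
WS-01,SN001,alice,mmc.exe,2024-06-03T11:00:00,2024-06-03T11:45:00,Update local policy
WS-02,SN002,bob,cmd.exe,2024-06-03T10:00:00,2024-06-03T10:10:00,
WS-02,SN002,carol,setup.exe,2024-06-03T12:00:00,,Install VPN client
WS-01,SN001,alice,cmd.exe,2024-06-03T14:00:00,2024-06-03T14:05:00,Restart spooler
"""

def effective_minutes(policy):
    base, override = policy["duration_min"], policy["override_min"]
    if not 5 <= base <= 60:
        raise ValueError("duration must be 5 to 60 minutes")
    if override is not None and not 1 <= override <= 1440:
        raise ValueError("override must be 1 to 1440 minutes")
    return base if override is None else override  # override wins when set

def audit(log_text, policy, grace_seconds=60):
    """Return (user, start, finding) tuples for sessions that break the policy."""
    limit = effective_minutes(policy) * 60 + grace_seconds
    per_day, findings = Counter(), []
    for row in csv.DictReader(io.StringIO(log_text)):
        user, start = row["user"], datetime.fromisoformat(row["start"])
        flag = lambda msg: findings.append((user, row["start"], msg))
        key = (row["device"], user, start.date())
        per_day[key] += 1
        if user not in policy["allowed_accounts"]:
            flag("account outside elevation scope")
        if policy["require_justification"] and not row["justification"].strip():
            flag("missing justification")
        if not row["end"]:
            flag("no end time recorded")
        elif (datetime.fromisoformat(row["end"]) - start).total_seconds() > limit:
            flag("session exceeded configured duration")
        if per_day[key] == policy["max_requests_per_day"] + 1:
            flag("daily request limit exceeded")
    return findings
```

    A session with no end time is reported separately because it may mean the privilege was never revoked or the log did not sync.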

    6. Recommendations 

    The recommendations section offers a summarized view of the admin accounts available on the devices. It includes the names and serial numbers of JIT-configured devices, the total number of users and admins on each device, the number of managed admins, and the name of the JIT Admin configuration applied. 

    Optimize User Privilege Escalation for Windows with Scalefusion OneIdP 

    Scalefusion OneIdP provides organizations with robust identity and access management capabilities. It allows organizations to gain full control over user privilege elevation by offering time-based admin access, preventing users from obtaining extended admin access, securing data, and maintaining system integrity.

    To learn more about Just-In-Time Admin Access for Windows, contact our experts or schedule a free demo today.

    References 

    1. CyberSecurity Ventures 

    2. Verizon 

    FAQs

    Why is JIT Access important for Windows environments?

    JIT Access enhances security by limiting the time a user has elevated privileges, minimizing the risk of misuse, accidental changes, or exploitation of administrative credentials on Windows devices.

    How does Just-in-Time Access work on Windows devices?

    JIT Access on Windows devices involves granting temporary administrative rights to users or service accounts for specific tasks. After the task is completed or a defined time period ends, access is automatically revoked.

    What are the key benefits of implementing JIT Access in a Windows environment?

    The main benefits include reducing the attack surface for potential cyber threats, preventing the misuse of elevated privileges, and enhancing compliance with security policies and standards.

    How can JIT Access reduce the risks of privileged accounts in Windows systems?

    By limiting the duration and scope of privileged access, JIT Access significantly reduces the risk associated with long-term administrative privileges, which are often targets for attackers.

    How does Just-in-Time Access help in regulatory compliance?

    JIT Access helps organizations meet regulatory requirements by enforcing strict access controls, reducing the risk of unauthorized access, and ensuring audit trails of all privileged activities.

    Tanishq Mohite
    Tanishq is a Trainee Content Writer at Scalefusion. He is a core bibliophile and a literature and movie enthusiast. If not working you'll find him reading a book along with a hot coffee.
