Default policies

This topic describes the default policies that you can deploy on new Sets from v21.8 when you implement EPM to manage organizational applications that are not currently handled by any other policy.

Overview

The Default Policies page provides an immediate view of all current default policies. You can set any of the policies to manage applications with a single click, in most of the relevant modes.

The purpose of Default Policies is to configure behavior of applications that are not covered by “explicit” application policies (Trusted Sources, Application Groups, Advanced Policies, etc.).

The EPM agent only applies one single action to an application when it is launched. Therefore, different parts of the behavior configuration are structured into hierarchy, and are based on the commonly recommended practice of EPM deployment.

The default policies are divided into Commonly used and Additional policies.

Commonly used policies include all the default policies that a new EPM customer usually implements, in order of priority and best practice.

First, deploy the Detect privileged unhandled applications policy (gradually expanding the group of endpoints where it is applied), then (immediately after or simultaneously) activate the Ransomware Protection policy. After deploying these policies to protect all your endpoints, gradually activate the Control unhandled applications downloaded from the internet policy and/or the Control unhandled applications policy.

The Additional policies tab includes two modes for special scenarios:

Scenario         | Additional policy
All is allowed   | Elevate unhandled applications
All is forbidden | Block unhandled applications

These modes override the configurations set in any of the previous policies when they apply to (target) the same computers and users.

You can edit the default policies if you have the relevant permission. All the policies are displayed on the Default Policies page, but those that you cannot set or edit appear disabled.

When the EPM Set is created, all the default policies are in Off mode. However, after an upgrade, any default policies that have been modified keep their status and do not need to be reset.

Privilege management policies

The privilege management default policies determine how EPM monitors unhandled applications on endpoints and protects your environment from ransomware.

After creating the initial trusted sources and specifying which applications run with elevated privileges, you can define policies to monitor applications that are not yet managed by an EPM policy, also known as unhandled applications. All events are collected and displayed in the Manage events page.

These policies supervise various unhandled application events, including the following:

  • Launch events on Windows and macOS.

  • Execute sudo Linux commands.

  • Installation events on Windows.

  • Attempts to access the internet, intranet, network shares and memory of other processes on Windows and macOS.

    Monitoring becomes effective only after a process is restarted. For example, access to network shares through Windows Explorer is only monitored after the next logon.

  • Activities on Microsoft Windows programs.

  • Activities on applications installed before the EPM agent was installed.

To activate default privilege management policies

You can activate any of the privilege management policies in one click to apply the default policy settings. Alternatively, you can edit these policies and customize them for your organizational needs.

  1. In the Policy line, click the mode to apply.

    Policies                                                    | Detect | Restrict | Block | On/Off | Platform
    Commonly used                                               |        |          |       |        |
    Detect privileged unhandled applications                    | -      | -        | -     | ✓      | Windows, macOS, Linux
    Protect against ransomware                                  | ✓      | ✓        | -     | -      | Windows
    Control unhandled applications downloaded from the internet | ✓      | ✓        | ✓     | -      | Windows
    Control unhandled applications                              | ✓      | ✓        | -     | -      | Windows, macOS
    Additional                                                  |        |          |       |        |
    Elevate unhandled applications                              | -      | -        | -     | ✓      | Windows, macOS, Linux
    Block unhandled applications                                | -      | -        | -     | ✓      | Windows, macOS

  2. Click Yes to accept the default settings.

Detect privileged unhandled applications

This policy detects privileged applications that are not managed by any other policy, which cannot run due to a lack of administrative privileges.

For more details, see Detect privileged unhandled applications.

Setting | Description
Off     | Allows applications to run normally, with no policy or detection.
On      | Applications run in detect mode. This does not restrict, block or elevate unhandled applications.

Policy settings defined in this policy also apply to the computers and users targeted by other common Privilege Management policies:

  • Protect against ransomware

  • Control unhandled applications downloaded from the internet

  • Control unhandled applications

Protect against ransomware

This policy detects or protects against ransomware, malicious software that holds data files hostage while attackers demand payment to restore access. It is disabled when the Block unhandled applications policy is set to "On".

For more details, see Protect against ransomware.

Setting  | Description
Detect   | Detects unauthorized access to sensitive files by unhandled applications. This mode does not restrict unauthorized access and does not prevent ransomware attacks.
Restrict | Restricts unauthorized access to sensitive files by unhandled applications. This mode does not block or elevate unhandled applications, but it does prevent ransomware attacks.

Policy settings defined in this policy also apply to the computers and users targeted by other common Privilege Management policies:

  • Control unhandled applications downloaded from the internet

  • Control unhandled applications

Control unhandled applications downloaded from the internet

This policy controls and monitors events triggered by installation and launch of applications downloaded from the internet that are not currently managed by any other policy. It also controls access to the internet, intranet, network shares and memory of other processes.

For more details, see Control unhandled applications downloaded from the Internet.

Setting  | Description
Detect   | Monitors activities of applications, but does not apply any restrictions.
Restrict | Allows applications downloaded from the internet to run with limited capabilities.
Block    | Prevents applications downloaded from the internet from being run. Users cannot read, copy, or move these files.

When applied to target machines, this policy merges with the Detect privileged unhandled applications and Protect against ransomware policies.

Control unhandled applications

This policy controls and monitors events triggered by installation and launch of unhandled applications. It also controls access to the internet, intranet, network shares and memory of other processes.

For more details, see Control unhandled applications.

Setting  | Description
Detect   | Monitors activities of unhandled applications, but does not apply any restrictions.
Restrict | Allows unhandled applications to run with limited capabilities.

When applied to target machines, this policy merges with the Detect privileged unhandled applications and Protect against ransomware policies.

Elevate unhandled applications

This policy elevates privileged applications that are not managed by any other policy.

For more details, see Elevate unhandled applications.

Setting | Description
Off     | Applications that are not managed by any EPM policy will run normally. This depends on other policies that EPM applies.
On      | Applications that are not managed by any EPM policy will run in elevated mode.

This policy overrides the commonly used Privilege Management policies for the same target computers and users.

Block unhandled applications

This policy blocks applications for which no explicit behavior has been defined in Application policies. Unmanaged applications that are currently running will be terminated silently.

For more details, see Block unhandled applications.

Setting | Description
Off     | Applications that are not managed by any EPM policy can be launched and will run normally. This depends on other policies that EPM applies.
On      | Prevents applications that are not managed by any EPM policy from being launched.

This policy overrides the commonly used Privilege Management policies for the same target computers and users.
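The precedence rules spread across the sections above (Additional policies override the commonly used ones, Block disables ransomware protection, the Control policies merge with Detect privileged and Protect against ransomware) are easier to reason about as a single resolver. The following is an added illustration, not CyberArk's code; it assumes that when both Control policies apply to an internet-downloaded application the more restrictive mode wins, and that Elevate and Block both set to On for the same targets is a configuration error.

```python
# Added example (not CyberArk's code): models how the EPM default privilege
# management policies described above combine into the single action the
# agent applies to one unhandled application at launch.
from dataclasses import dataclass

OFF, ON, DETECT, RESTRICT, BLOCK, ELEVATE, ALLOW = (
    "Off", "On", "Detect", "Restrict", "Block", "Elevate", "Allow")
# Ordering used to pick the most restrictive applicable Control mode.
SEVERITY = {OFF: 0, DETECT: 1, RESTRICT: 2, BLOCK: 3}


@dataclass
class DefaultPolicies:
    detect_privileged: str = OFF   # Commonly used: Off / On
    ransomware: str = OFF          # Commonly used: Off / Detect / Restrict
    control_internet: str = OFF    # Commonly used: Off / Detect / Restrict / Block
    control_unhandled: str = OFF   # Commonly used: Off / Detect / Restrict
    elevate_unhandled: str = OFF   # Additional: Off / On
    block_unhandled: str = OFF     # Additional: Off / On


def effective_action(p: DefaultPolicies, downloaded_from_internet: bool) -> dict:
    """Return the launch action and ransomware protection mode for one app."""
    if p.elevate_unhandled == ON and p.block_unhandled == ON:
        # Assumption: the page does not define this combination.
        raise ValueError("Elevate and Block cannot both be On for the same targets")
    # Additional policies override every commonly used policy for the same targets.
    if p.block_unhandled == ON:
        # Protect against ransomware is disabled while Block unhandled is On.
        return {"launch": BLOCK, "ransomware": OFF}
    if p.elevate_unhandled == ON:
        return {"launch": ELEVATE, "ransomware": p.ransomware}
    # Commonly used policies merge: the launch action is the most restrictive
    # mode among the Control policies that apply to this application
    # (assumed ordering), falling back to Detect when only detection is On.
    candidates = [p.control_unhandled]
    if downloaded_from_internet:
        candidates.append(p.control_internet)
    launch = max(candidates, key=SEVERITY.get)
    if launch == OFF:
        launch = DETECT if p.detect_privileged == ON else ALLOW
    return {"launch": launch, "ransomware": p.ransomware}
```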

Privilege threat protection policies

The privilege threat protection default policies protect against threats to environments that retain user passwords, which are often similar to users' corporate passwords.

To activate default privilege threat protection policies

You can activate any of the privilege threat protection policies in one click to apply the default policy settings. Alternatively, you can edit these policies and customize them for your organizational needs.

  1. In the Policy line, click the mode to apply.

    Policies                                                 | Detect | Restrict | Block | On/Off | Platform
    Commonly used                                            |        |          |       |        |
    Protect against credentials theft and lateral movement   | ✓      | -        | ✓     | -      | Windows
    Create credential lures to detect and deceive attackers  | ✓      | -        | ✓     | -      | Windows

  2. Click Yes to accept the default settings.

Protect against credentials theft and lateral movement

This policy protects against threats to Microsoft Windows operating systems, web browsers, and remote access and IT applications.

For more details, see Protect against credential theft.

Setting | Description
Detect  | Monitors threat protection events.
Block   | Prevents potential threats from being run.

Create credential lures to detect and deceive attackers

This policy creates lures on endpoints to deceive attackers and report them. Activities detected by this policy are displayed as attacks in the Threat Protection Inbox.

For more details, see Implement privilege deception.

Setting | Description
Detect  | Monitors credential lures and activities performed by attackers with those fake credentials.
Block   | Terminates processes that tried to authenticate with the fake credentials.

Local Privileged Accounts Management policies

To activate default local privileged accounts management policies

You can activate any of the Local Privileged Accounts Management policies in one click to apply the default policy settings. Alternatively, you can edit these policies and customize them for your organizational needs.

  1. In the Policy line, click the mode to apply.

    Policies                                             | Detect | Restrict | Block | On/Off | Platform
    Commonly used                                        |        |          |       |        |
    Remove local administrators                          | -      | -        | -     | ✓      | Windows, macOS, Linux
    Rotate credentials of local privileged user accounts | -      | -        | -     | ✓      | Windows, macOS

  2. Click Yes to accept the default settings.

Remove local administrators

This policy enforces the least privilege principle through control over users who have administrator permissions on target computers.

For more details, see Remove local administrators.

Setting | Description
Off     | Does not manage users and groups in the local administrators group.
On      | Removes users and groups from the local administrators group, except specific sets of users/groups defined by the EPM administrator.

Rotate credentials of local privileged user accounts

This policy manages credentials by changing them at regular intervals. EPM can integrate with PVWA to manage credentials that are not always accessible from the network.

For more details, see Credentials Rotation.

Setting | Description
Off     | Deactivates all credential rotation policies.
On      | Applies all credential rotation policies.

Set default policies

  1. From the CyberArk Endpoint Privilege Manager Management Console, expand Policies, then select Default Policies.

    The Default Policies page displays the policies and the modes you can set.

  2. Set the default policies to apply. Each time you set a default policy, a message similar to this appears:

  3. Click Yes to set the policy, using the default policy options and targets.

Edit a policy

In either the Commonly used or the Additional tab, in the policy row, click Edit.

Deactivate a policy

In either the Commonly used or the Additional tab, in the policy row, click Off.

Summary status

View the activities related to policies in the following pages.

Page          | What you can see and do
Manage events | View the activities related to each policy and details of each activity.
Manage events | View the activities related to each policy and, where relevant, take action to apply a policy to protect endpoints immediately.