Centero Carillon’s features beat Microsoft LAPS
Contemporary malware spreads like wildfire by exploiting the vulnerabilities that careless planning and use can create. Any organization’s IT environment where users’ devices have unnecessary system admin IDs is a true paradise for blackmailing ransomware and the like.
If an organization wants to be truly cyber-secure, the way to manage and distribute user rights needs to be straightforward, and there are no exceptions to this rule. There are several solutions available for user right management.
To give you an example, Centero Carillon is a service that you can use to remove permanent admin rights from the workstations and give out temporary rights, without additional burden on the IT support and the end user. With Carillon, you can manage local user IDs and groups on Windows devices in an efficient, centralized way. This means easier workstation and server management, and significantly improved cyber security.
Carillon can meet the end-user’s needs as well
In a closed environment, where the end-user doesn’t have admin rights, the biggest challenges come when something is out of the ordinary. For instance, when the user is traveling on business and out of the IT support’s reach, the user might need to fix a problem, change settings, or install a new device – and their rights are not sufficient for this. There are several tools for managing temporary admin rights and different rights levels, both free and paid, and with different features.
Microsoft has a free application for admin right management, Microsoft LAPS, but its use is rather limited. LAPS, short for Local Administrator Password Solution, is an application that manages a single admin ID and is designed for solving an admin’s problem.
“The idea of LAPS is basically to create a backup ID for the IT administrator, who can then check the backup’s password from Active Directory”, says Juha Haapsaari from Centero.
Genuine temporary admin right
Compared to LAPS, Centero Carillon has a lot more features, and as such, is a much more useful tool for access right management. In Centero Carillon, you can configure two different ways for activating user rights with different access levels – even without internet access!
The smoothest way to get the temporary admin rights running is this: when the end-user is prompted with Windows’ User Account Control window, they select Centero Carillon as the authentication method, and log the reason for activation. They are granted the admin rights only for the operation’s duration, and the rights revert to their normal status automatically.
You can also activate the temporary admin rights by contacting the service desk, who then creates an activation key the user can use to activate a temporary ID with limited validity. This model gives the administrator a bit more control with rights activation, as the end-user needs to be in touch with the IT support.
Carillon automatically makes sure that when the deadline is reached, or the operation has been performed, the ID in question can’t be used without a new activation code. The activation code doesn’t contain a password or any other sensitive information. Thanks to these functions, Carillon can create a genuinely temporary admin right, unlike Microsoft LAPS.
The idea of LAPS is to create a user ID for the device, and allow accessing the ID when needed. This doesn’t support the end-user self-service model, which is a very central feature in Centero Carillon.
Manage your Azure AD devices with Carillon
Microsoft LAPS only lets you incorporate your Active Directory devices, whereas devices on the cloud-based Azure AD, or devices in a work group, can’t be connected to the service at all. This means LAPS is out of the question for any smaller organization that uses the modern Azure AD or work group devices instead of Active Directory.
Unlike Microsoft LAPS, Carillon allows you to manage devices in work groups. Carillon’s data is saved in an SQL database, which means that Carillon requires Microsoft SQL Server 2005 or newer. Microsoft LAPS, on the other hand, doesn’t need an SQL database or IIS.
The database is a safer location for Carillon’s device account data than Active Directory, for example. When operations are performed in Active Directory, there is an increased risk of accidentally deleting the password of an account or a device.
In Carillon, you can configure user IDs and groups based on the structure of the existing Active Directory. For example, you can set domain-specific ID and group rules on domain level, specify them further on the level of the organization unit, and go even deeper on device level.
You can also create and manage new IDs and groups with Carillon. Carillon supports known user IDs and groups, meaning it’s easy to manage them, even if the devices’ operating systems use different languages.
Comprehensive reports improve the level of cyber security
Centero Carillon keeps a log of each operation performed, and also records the reason for each change in access right status. Carillon logs and reports everything: who was given an admin ID and when, for how long and why.
Carillon’s reports help maintain a high level of cyber security. With Carillon, it’s easy to get wide reports on devices’ current settings related to user IDs and user groups – unlike with Microsoft LAPS, which has almost no reporting functions.
Support and product development
Full, free of charge technical user support is included in Centero Carillon service. With Microsoft LAPS, only the Premium Support customers have access to technical support, and only with problems related to the application’s use or installation. And this service is only available for large organizations.
Carillon offers technical support for its users, and in addition to this, the whole product development is done with the user experience in mind. Centero’s expert, Juha Haapsaari, describes the steps the product development has taken to improve reporting, for instance.
“In the latest version of Centero Carillon, it’s easier to activate a temporary ID”, Haapsaari says about the general direction of Carillon’s product development, and goes on:
“An integration to other cyber security systems is currently in development, and when it’s released, any information Carillon produces can be run to cyber security reports, composed from several sources.”
| | Centero Carillon | Microsoft LAPS |
|---|---|---|
| Number of managed IDs | several, groups included | one |
| Temporary admin ID | | |
| Management environment | AD, Azure AD, work groups | on-prem AD devices only |
| Support | yes | Premier customers only |
| SQL/AD | requires IIS and an SQL database | requires Active Directory |
How does your admin benefit from Centero Carillon?
- Improve your level of cyber security by significantly limiting the risks of malware and incorrect operations. When admin rights are limited to specific operations and granted based on case-by-case consideration, users can’t accidentally harm their own system or let malware into the company’s network.
- Less pressure on the IT support, when the users can, where required, perform admin operations. The specialists in the IT support can focus on more demanding operations and boost their performance.
- Carillon gives you a report on the reasons why users have needed admin rights. Without Carillon, it’s impossible to monitor and report the reasons.
How does Carillon make the end-user’s life easier?
- Your work is more efficient when you can install applications and drivers independently, without any help from the IT support.
- It’s fast and easy to request the Carillon activation key.
- The Carillon activation key doesn’t require internet access to work, meaning you can perform admin operations when you are traveling for business.