WEBVTT

1
00:00:00.000 --> 00:00:01.260
In this lesson,

2
00:00:01.260 --> 00:00:05.130
we will learn about configuration and privilege management.

3
00:00:05.130 --> 00:00:07.440
Configuration and privilege management

4
00:00:07.440 --> 00:00:09.570
are the processes and tools

5
00:00:09.570 --> 00:00:13.080
used to manage system settings and user permissions

6
00:00:13.080 --> 00:00:17.040
to ensure secure, consistent, and compliant operation

7
00:00:17.040 --> 00:00:20.910
across all enterprise devices and systems.

8
00:00:20.910 --> 00:00:23.760
Configuration and privilege management concepts

9
00:00:23.760 --> 00:00:26.100
include configuration management

10
00:00:26.100 --> 00:00:28.350
and endpoint privilege management.

11
00:00:28.350 --> 00:00:31.812
Configuration management is the control of system settings,

12
00:00:31.812 --> 00:00:34.410
software versions, and updates

13
00:00:34.410 --> 00:00:38.340
to maintain security and operational consistency.

14
00:00:38.340 --> 00:00:40.560
Endpoint privilege management focuses

15
00:00:40.560 --> 00:00:42.960
on controlling user access levels

16
00:00:42.960 --> 00:00:46.050
and permissions on individual endpoints

17
00:00:46.050 --> 00:00:48.720
to prevent unauthorized actions.

18
00:00:48.720 --> 00:00:52.050
Let's learn more about configuration management

19
00:00:52.050 --> 00:00:54.450
and endpoint privilege management.

20
00:00:54.450 --> 00:00:57.420
First, we have configuration management.

21
00:00:57.420 --> 00:01:00.240
Configuration management is used to control

22
00:01:00.240 --> 00:01:02.250
and maintain system settings,

23
00:01:02.250 --> 00:01:05.250
software versions, and updates.

24
00:01:05.250 --> 00:01:08.130
The main goal of configuration management

25
00:01:08.130 --> 00:01:10.860
is to ensure that systems remain secure

26
00:01:10.860 --> 00:01:14.730
and operate consistently across the organization.

27
00:01:14.730 --> 00:01:17.190
This is done by setting up rules

28
00:01:17.190 --> 00:01:19.569
for how software is installed, updated,

29
00:01:19.569 --> 00:01:24.569
and maintained on all devices within the organization.

30
00:01:24.750 --> 00:01:27.990
One of the main tools used in this process

31
00:01:27.990 --> 00:01:32.640
is Microsoft's System Center Configuration Manager or SCCM.

32
00:01:33.750 --> 00:01:36.780
The SCCM allows administrators

33
00:01:36.780 --> 00:01:38.430
to automate the deployment

34
00:01:38.430 --> 00:01:41.400
of software updates, security patches,

35
00:01:41.400 --> 00:01:44.790
and configuration settings across all Windows

36
00:01:44.790 --> 00:01:47.010
based devices in the network,

37
00:01:47.010 --> 00:01:49.350
maintaining consistency and ensuring

38
00:01:49.350 --> 00:01:51.240
that all systems are up-to-date

39
00:01:51.240 --> 00:01:54.150
and compliant with security policies.

40
00:01:54.150 --> 00:01:56.700
Another popular tool is Ansible,

41
00:01:56.700 --> 00:01:58.830
which is an open source platform,

42
00:01:58.830 --> 00:02:02.580
widely used for automating configuration tasks

43
00:02:02.580 --> 00:02:04.680
across different types of systems,

44
00:02:04.680 --> 00:02:08.250
including Linux, Windows, and network devices.

45
00:02:08.250 --> 00:02:12.480
Ansible uses simple, human-readable scripts called playbooks

46
00:02:12.480 --> 00:02:16.440
that define how systems should be configured and managed.

47
00:02:16.440 --> 00:02:19.140
Then Ansible executes these playbooks

48
00:02:19.140 --> 00:02:21.000
in a declarative manner,

49
00:02:21.000 --> 00:02:23.100
meaning that it ensures the system

50
00:02:23.100 --> 00:02:27.180
reaches the desired state specified in the playbook.

51
00:02:27.180 --> 00:02:29.070
In declarative configurations,

52
00:02:29.070 --> 00:02:32.280
tools like Ansible focus on the end state,

53
00:02:32.280 --> 00:02:33.990
like ensuring that a particular

54
00:02:33.990 --> 00:02:35.850
software package is installed

55
00:02:35.850 --> 00:02:37.410
or a service is running.

56
00:02:37.410 --> 00:02:39.510
Then they automatically handle

57
00:02:39.510 --> 00:02:42.660
the necessary steps to achieve that state.

58
00:02:42.660 --> 00:02:46.260
This simplifies management by allowing administrators

59
00:02:46.260 --> 00:02:49.800
to define what the final configuration should look like,

60
00:02:49.800 --> 00:02:52.290
and then letting Ansible take care

61
00:02:52.290 --> 00:02:54.090
of the rest of the details.

62
00:02:54.090 --> 00:02:57.060
Second, we have endpoint privilege management.

63
00:02:57.060 --> 00:02:59.370
Endpoint privilege management focuses

64
00:02:59.370 --> 00:03:03.360
on managing user permissions on individual devices

65
00:03:03.360 --> 00:03:05.640
or endpoints specifically.

66
00:03:05.640 --> 00:03:09.330
Endpoint privilege management reduces security risks

67
00:03:09.330 --> 00:03:11.220
by restricting user access

68
00:03:11.220 --> 00:03:13.230
based on their specific roles

69
00:03:13.230 --> 00:03:16.200
and the tasks that they need to perform.

70
00:03:16.200 --> 00:03:20.790
This strategy minimizes the chances of unauthorized actions,

71
00:03:20.790 --> 00:03:23.460
whether accidental or malicious,

72
00:03:23.460 --> 00:03:26.700
by enforcing the principle of least privilege.

73
00:03:26.700 --> 00:03:28.140
In a Linux environment,

74
00:03:28.140 --> 00:03:31.470
endpoint privilege management is commonly implemented

75
00:03:31.470 --> 00:03:33.330
using the sudo command,

76
00:03:33.330 --> 00:03:35.670
which allows users to execute

77
00:03:35.670 --> 00:03:37.980
specific administrative commands

78
00:03:37.980 --> 00:03:41.520
without granting them full administrative rights.

79
00:03:41.520 --> 00:03:46.520
By configuring the /etc/sudoers file,

80
00:03:47.010 --> 00:03:50.520
which would be pronounced etc/sudoers,

81
00:03:50.520 --> 00:03:54.120
administrators can define precise command permissions

82
00:03:54.120 --> 00:03:55.920
for users or groups,

83
00:03:55.920 --> 00:03:59.760
effectively controlling what actions can be performed.

84
00:03:59.760 --> 00:04:03.060
Advanced configurations might also include

85
00:04:03.060 --> 00:04:06.000
time-based access controls and logging,

86
00:04:06.000 --> 00:04:07.770
which can track and audit

87
00:04:07.770 --> 00:04:10.410
privileged activities in real time.

88
00:04:10.410 --> 00:04:12.030
In a Windows environment,

89
00:04:12.030 --> 00:04:15.180
tools like Microsoft's Local Administrator

90
00:04:15.180 --> 00:04:17.550
Password Solution or LAPS,

91
00:04:17.550 --> 00:04:19.530
enhance endpoint security

92
00:04:19.530 --> 00:04:22.830
by managing local administrative accounts.

93
00:04:22.830 --> 00:04:27.390
LAPS automatically generates complex unique passwords

94
00:04:27.390 --> 00:04:30.510
for local admin accounts on each endpoint,

95
00:04:30.510 --> 00:04:32.850
and then it stores those passwords

96
00:04:32.850 --> 00:04:35.250
securely in Active Directory

97
00:04:35.250 --> 00:04:38.010
where access can be tightly controlled.

98
00:04:38.010 --> 00:04:42.090
Secure storage combined with automated password rotation

99
00:04:42.090 --> 00:04:45.600
minimizes the risk of lateral movement by attackers

100
00:04:45.600 --> 00:04:48.510
who might exploit static credentials.

101
00:04:48.510 --> 00:04:51.630
Furthermore, LAPS supports audit trails

102
00:04:51.630 --> 00:04:53.250
and provides an easy way

103
00:04:53.250 --> 00:04:55.260
to track password access,

104
00:04:55.260 --> 00:04:57.540
allowing administrators to enforce

105
00:04:57.540 --> 00:05:01.590
stringent security policies and maintain compliance.

106
00:05:01.590 --> 00:05:05.970
So remember, configuration and privilege management

107
00:05:05.970 --> 00:05:08.040
help organizations maintain

108
00:05:08.040 --> 00:05:10.530
and secure consistent operation

109
00:05:10.530 --> 00:05:13.560
across all their devices and systems.

110
00:05:13.560 --> 00:05:16.320
First, configuration management focuses

111
00:05:16.320 --> 00:05:19.320
on controlling system settings, software versions,

112
00:05:19.320 --> 00:05:20.970
and updates to ensure

113
00:05:20.970 --> 00:05:25.050
that devices are consistently configured and secure.

114
00:05:25.050 --> 00:05:28.080
Second, endpoint privilege management controls

115
00:05:28.080 --> 00:05:32.100
user access and permissions on individual devices,

116
00:05:32.100 --> 00:05:34.230
minimizing security risks

117
00:05:34.230 --> 00:05:37.020
by enforcing least-privilege principles.

118
00:05:37.020 --> 00:05:39.360
Both of these management approaches

119
00:05:39.360 --> 00:05:43.410
involve using specialized tools to automate processes,

120
00:05:43.410 --> 00:05:46.830
enforce security policies, and ensure compliance.

121
00:05:46.830 --> 00:05:49.260
Together, they play a critical role

122
00:05:49.260 --> 00:05:51.480
in preventing unauthorized actions

123
00:05:51.480 --> 00:05:55.143
and maintaining the integrity of enterprise systems.

