MasterSAM Secure @ Windows

“MasterSAM Secure @ Windows is so powerful and yet non-intrusive to the operating system; it gives me the flexibility to control system object access effectively. This is a perfect least privilege enforcement model that fulfils the security and operational needs.”

- Senior Operations Manager, Government Sector


Windows-based systems are found in most organizations, and most enterprises use Microsoft Active Directory as their main identity infrastructure. Global statistics put close to 90% of the desktop operating system market share with Microsoft Windows. That popularity makes Windows desktops an attractive target: attackers plan whole series of exploits against them and cause serious damage to the organizations that run them. In addition, common attacks such as Pass-the-Hash and ransomware are reported far more often against Windows-based platforms.

In a typical enterprise environment, system administrators demand full administrative rights on the operating system to support their day-to-day administration and maintenance. Worse still, some of them are granted Domain Admins rights, which let them reach every server in the domain across the network. This group of users is always the primary target for attackers; once one of them is compromised, the damage is severe. Database administrators, on the other hand, also aim for an administrator credential so that they can perform operating system tasks such as starting and stopping services, besides using Windows Authentication to log in to the database. Again, this creates a large security exposure and fails compliance requirements outright. To mitigate the risk of exploits against administrator privilege, organizations should further restrict the use of local and domain administrator accounts and adopt a strategy that controls applications and programs effectively with whitelist and blacklist rules.

Is it possible to log in to a Windows server in ways other than the traditional native client, mstsc.exe? The answer is YES. However strong your network controls are, you can never rule out someone logging in at the console, or leap-frogging through multiple hops to reach the server.

MasterSAM Secure @ Windows is designed to let organizations enforce the least privilege principle and apply stringent, granular access control over critical system objects. Its surveillance engine provides full transparency and accountability, ensuring that every access to the server, regardless of the login method and whether made with privileged or normal rights, is subject to monitoring and control.


Supported Platforms:
• Microsoft Windows 2003
• Microsoft Windows 2003 R2
• Microsoft Windows 2008
• Microsoft Windows 2008 R2
• Microsoft Windows 2012
• Microsoft Windows 2012 R2
• Microsoft Windows 2016
• Microsoft Windows 2019
• Active Directory
• Both domain-joined and workgroup servers

Least Privilege Principle
  • Ensure users are assigned the least privilege by default
  • Reduce the attack surface created by users who hold full administrator rights at all times
  • Best practice for industry and compliance regulations
Role Based & Dynamic Privilege Escalation
  • Flexible and intuitive management of privileges to cater for every possible role: Domain Admin, Local Admin, Enterprise Admin, Power User, Remote Desktop User, SQL Admin, etc.
  • On-demand privilege escalation for an authorized period
  • No privileged password is involved
Centralised Management & Session Control
  • Connected to and managed centrally via MasterSAM Privilege Management System (PMS)
  • Option to automatically terminate a user session when it exceeds the approved duration, or to allow the session to continue with an exception alert
100% Surveillance Engine For User Session Recording
  • Record each access to the server, regardless of login method (remote, console, leapfrogging)
  • Compensating control to track users that bypass the authorized gateway/proxy
  • Option to record all users’ activities, with or without privileged access
  • Achieve full transparency and disclosure
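As an added example (not part of this page or of the MasterSAM product), the following PowerShell shows how the per-login-method visibility described above can be approximated from the Windows Security log alone: it parses logon events (event ID 4624), labels each by logon type, and flags console logons and RDP logons that did not arrive through the authorised gateway. The gateway address, the user and host names, and the three sample events are constructed assumptions, not real log data.

```powershell
# Added example, not MasterSAM code. Classifies Windows logons by type using
# Security event 4624 and flags those that did not pass through the authorised
# jump host. $JumpHostAddresses and the sample events below are assumptions.

$JumpHostAddresses = @('10.0.0.5')          # assumed gateway/proxy address(es)

# Logon types from event 4624 that matter for "how did this user reach the box?"
$LogonTypeNames = @{
    2  = 'Interactive (console)'
    3  = 'Network'
    7  = 'Unlock'
    10 = 'RemoteInteractive (RDP)'
    11 = 'CachedInteractive'
}

function ConvertFrom-LogonEvent {
    # Turn the XML of one 4624 event into a flat object with the fields we need.
    param([Parameter(Mandatory)][xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $type = [int]$data['LogonType']
    [pscustomobject]@{
        Time          = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
        User          = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType     = $type
        LogonTypeName = if ($LogonTypeNames.ContainsKey($type)) { $LogonTypeNames[$type] } else { "Other ($type)" }
        SourceIp      = $data['IpAddress']
        Workstation   = $data['WorkstationName']
    }
}

function Find-BypassLogon {
    # Console logons (type 2) never traverse a network gateway, and RDP logons
    # (type 10) must originate from an allowed address; other types are ignored.
    param(
        [Parameter(Mandatory)][object[]]$Logons,
        [string[]]$Allowed = $JumpHostAddresses
    )
    $Logons | Where-Object {
        $_.LogonType -eq 2 -or ($_.LogonType -eq 10 -and $_.SourceIp -notin $Allowed)
    }
}

# Constructed sample events (not real log data): RDP straight from a workstation
# (bypass), RDP via the gateway (expected), and a console logon (bypass).
$Sample1 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2024-03-01T08:15:00.000Z"/></System>
  <EventData><Data Name="TargetUserName">dba01</Data><Data Name="TargetDomainName">CORP</Data>
  <Data Name="LogonType">10</Data><Data Name="WorkstationName">LAPTOP-17</Data><Data Name="IpAddress">192.168.7.23</Data></EventData>
</Event>
'@
$Sample2 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2024-03-01T08:20:00.000Z"/></System>
  <EventData><Data Name="TargetUserName">sysadm02</Data><Data Name="TargetDomainName">CORP</Data>
  <Data Name="LogonType">10</Data><Data Name="WorkstationName">JUMP01</Data><Data Name="IpAddress">10.0.0.5</Data></EventData>
</Event>
'@
$Sample3 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2024-03-01T22:41:00.000Z"/></System>
  <EventData><Data Name="TargetUserName">opsuser</Data><Data Name="TargetDomainName">SRV01</Data>
  <Data Name="LogonType">2</Data><Data Name="WorkstationName">SRV01</Data><Data Name="IpAddress">-</Data></EventData>
</Event>
'@

$Logons = $Sample1, $Sample2, $Sample3 | ForEach-Object { ConvertFrom-LogonEvent -EventXml ([xml]$_) }
Find-BypassLogon -Logons $Logons | Format-Table Time, User, LogonTypeName, SourceIp, Workstation -AutoSize

# Against a live server (reading the Security log requires administrative rights):
# Find-BypassLogon -Logons (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 1000 |
#     ForEach-Object { ConvertFrom-LogonEvent -EventXml ([xml]$_.ToXml()) })
```

On the sample data the table lists dba01 (RDP from 192.168.7.23) and opsuser (console) and omits sysadm02, whose RDP session came from the gateway. This is a log-based compensating check, not the agent-based recording the page describes: it tells you a gateway was bypassed after the fact, and only for hosts whose Security log you collect.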
In-depth Granular Access Control
  • Restrict access to system objects: file/folder, registry, service, shared folder and event viewer
  • Support whitelist and blacklist rules
  • Non-intrusive; works on top of Windows GPO
  • Immediate enforcement without re-login
  • Enforcement stays intact even if the connection to the centralised management server fails
Compliance & System Integrity Check
  • Track modifications to sensitive files/folders and shared folders, and the process lifecycle
  • Detect servers that do not comply with the enterprise baseline password policy, and simple passwords
  • Detect users that are members of the Administrators group
  • Detect a default administrator account that has not been renamed
  • Detect a guest account that has not been disabled
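As an added example (not MasterSAM code), the following PowerShell implements the account and password-policy checks from the list above against a single member server, using the built-in LocalAccounts cmdlets (Windows PowerShell 5.1 on Windows Server 2016 and later) and the text output of `net accounts`. The baseline values in `$Baseline` and the approved group name in `$ApprovedAdmins` are assumed placeholders for an enterprise policy. The "simple password" and file-tracking items are not covered here.

```powershell
# Added example, not MasterSAM code. Local baseline checks for a member server:
# Administrators membership, built-in Administrator renamed, Guest disabled,
# and password policy versus a baseline. $Baseline and $ApprovedAdmins are
# assumed placeholders; replace them with your own policy values.

$Baseline = @{
    MinPasswordLength  = 12   # assumed baseline
    MaxPasswordAgeDays = 90   # assumed baseline
}
$ApprovedAdmins = @('CORP\Server Admins')   # assumed approved group(s)

function Get-PasswordPolicy {
    # 'net accounts' prints the effective password policy as text; pull out
    # the two values compared against the baseline below.
    $text = (net accounts 2>&1) -join "`n"
    $min = $null; $max = $null
    if ($text -match 'Minimum password length:\s+(\d+)') { $min = [int]$Matches[1] }
    if ($text -match 'Maximum password age \(days\):\s+(\d+|Unlimited)') {
        $max = if ($Matches[1] -eq 'Unlimited') { [int]::MaxValue } else { [int]$Matches[1] }
    }
    [pscustomobject]@{ MinPasswordLength = $min; MaxPasswordAgeDays = $max }
}

function Invoke-BaselineCheck {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
        $findings.Add([pscustomobject]@{
            Check  = $Check
            Status = if ($Pass) { 'PASS' } else { 'FAIL' }
            Detail = $Detail
        })
    }

    # 1. Administrators membership. Under least privilege, standing members should
    #    be approved groups only; individual user accounts (other than the
    #    non-removable RID-500 account) are flagged.
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        $isBuiltIn = $m.ObjectClass -eq 'User' -and $m.SID.Value -like '*-500'
        $ok = $isBuiltIn -or ($m.ObjectClass -eq 'Group' -and $m.Name -in $ApprovedAdmins)
        Add-Finding 'Administrators membership' $ok ('{0} ({1}, {2})' -f $m.Name, $m.ObjectClass, $m.PrincipalSource)
    }

    # 2. Built-in Administrator (RID 500) renamed; Guest (RID 501) disabled.
    $users = Get-LocalUser
    $admin = $users | Where-Object { $_.SID.Value -like '*-500' }
    Add-Finding 'Built-in Administrator renamed' ($admin.Name -ne 'Administrator') ('Name: {0}' -f $admin.Name)
    $guest = $users | Where-Object { $_.SID.Value -like '*-501' }
    Add-Finding 'Guest account disabled' (-not $guest.Enabled) ('{0} Enabled={1}' -f $guest.Name, $guest.Enabled)

    # 3. Password policy versus baseline. A value that could not be parsed
    #    compares as $null and therefore fails, which is the safe default.
    $p = Get-PasswordPolicy
    Add-Finding 'Minimum password length' ($p.MinPasswordLength -ge $Baseline.MinPasswordLength) `
        ('{0} (baseline >= {1})' -f $p.MinPasswordLength, $Baseline.MinPasswordLength)
    Add-Finding 'Maximum password age' ($null -ne $p.MaxPasswordAgeDays -and $p.MaxPasswordAgeDays -le $Baseline.MaxPasswordAgeDays) `
        ('{0} days (baseline <= {1})' -f $p.MaxPasswordAgeDays, $Baseline.MaxPasswordAgeDays)

    return $findings
}

Invoke-BaselineCheck | Format-Table Check, Status, Detail -AutoSize
```

Run it elevated on the member server being checked; on a domain controller the local SAM does not exist, so `Get-LocalUser` and `Get-LocalGroupMember` fail and the equivalent checks must be made with the Active Directory cmdlets instead. Rolling this out across a fleet, and acting on the findings, is the gap a centrally managed product is meant to close.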