In PUM, the Audit feature uses a store-and-forward mechanism: audit logs are first stored on the agent machine and then forwarded to the manager when it connects.
This raises a concern: if the PUM service on the agent machine is stopped or otherwise mishandled, audit events never reach the manager, and the manager is left without those audit logs. This is a security flaw, because the audit trail is incomplete at the manager.
The Solution here is "Control Access to Privileged User Manager Service".
This document lists the steps to be followed to control access to the Privileged User Manager service.
Assumptions:
It is assumed that the Windows computer where PUM is installed is joined to a Windows domain.
The privileged credential used in PUM is a domain user.
Steps:
The following steps must be performed by a domain admin once at least one instance of PUM is installed on a Windows system in the domain:
Open the Domain Security Policy tool on the domain controller. This tool displays the default domain security policy.
Navigate to 'System Services -> NetIQ Privileged User Manager'.
By default, the entry shows 'not defined'. Open its properties and define a policy.
Select the 'Automatic' startup mode.
Under Security, do the following:
REMOVE – the Administrators group, if present.
REMOVE – the INTERACTIVE group.
ADD – the Everyone group, and grant it READ access only.
ADD – a domain admin, and grant FULL access. This user can uninstall the PUM software and start or stop the service.
For example, see the following screenshot:
Here, 'mgr2' and 'SYSTEM' have FULL control, whereas 'Everyone' has only READ access.
Group Policy is normally refreshed on the individual computers in the domain at a regular interval.
To apply the change immediately, go to the computer where PUM is installed and run GPUPDATE at the command prompt.
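Once the policy has applied, the effective service DACL on the agent machine can be checked against the expectations above (no INTERACTIVE entry, no Administrators entry, Everyone limited to READ). The following PowerShell script is an added example, not part of the NetIQ document; it assumes the internal service name (the document only gives the display name), and must be run in an elevated prompt.

```powershell
# Added example (not from the NetIQ document): audit the effective DACL of the PUM service on an
# agent after GPUPDATE. The service name is a placeholder; look it up with
#   Get-Service -DisplayName 'NetIQ Privileged User Manager*'
param([string]$ServiceName = 'PUM_SERVICE_NAME_PLACEHOLDER')

# Service access-mask bits (winsvc.h / winnt.h).
# READ as shown by the policy editor = QUERY_CONFIG | QUERY_STATUS | ENUMERATE_DEPENDENTS |
#                                      INTERROGATE | USER_DEFINED_CONTROL | READ_CONTROL
$ReadMask    = 0x0001 -bor 0x0004 -bor 0x0008 -bor 0x0080 -bor 0x0100 -bor 0x20000
# Rights that let a principal alter or stop the service:
# CHANGE_CONFIG | START | STOP | DELETE | WRITE_DAC | WRITE_OWNER
$ControlMask = 0x0002 -bor 0x0010 -bor 0x0020 -bor 0x10000 -bor 0x40000 -bor 0x80000

# 'sc' is an alias for Set-Content in PowerShell, so call the executable explicitly.
$sddl = (& sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' }) -join ''
if (-not $sddl) { throw "Could not read the security descriptor of service '$ServiceName'." }

$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
$findings = @()
foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
    $sid = $ace.SecurityIdentifier
    try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $sid.Value }   # unresolvable SID (e.g. a deleted domain account)

    $hasControl = ($ace.AccessMask -band $ControlMask) -ne 0
    $beyondRead = ($ace.AccessMask -band (-bnot $ReadMask)) -ne 0
    '{0,-45} mask=0x{1:X6} control={2}' -f $who, $ace.AccessMask, $hasControl

    # Expectations from the policy steps: INTERACTIVE and Administrators removed, Everyone read-only.
    switch ($sid.Value) {
        'S-1-5-4'      { $findings += "INTERACTIVE still has an ACE ($who)" }
        'S-1-5-32-544' { $findings += 'BUILTIN\Administrators still has an ACE' }
        'S-1-1-0'      { if ($beyondRead) { $findings += 'Everyone has more than READ access' } }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
'Service DACL matches the expected policy (SYSTEM and the chosen domain admin keep FULL control).'
```

A non-zero exit with warnings means the Group Policy has not applied yet or a local change has overridden it; re-run GPUPDATE and check again.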