Entitlement Manager for Windows Desktop

Entitlement Manager for Windows Desktop, also known as Windows Desktop Enforcer (WDE), allows organizations to prevent wrongful disclosure by using Attribute-Based Access Control (ABAC) to define and enforce Need-to-Know access policies. ABAC policies control access to files wherever they are accessed from the desktop. WDE enables Zero Trust Architecture (ZTA) on the Windows desktop, enforcing least-privileged access even when the protected device is offline or disconnected from the network.

WDE runs on desktops and laptops, Windows Server, Windows Virtual Desktop, and VDI to monitor and control user activities, covering:

  • USB devices
  • CD/DVD burners
  • File system (local and remote shared files)
  • Network file access
  • Clipboard (copy and paste)
  • Application execution
  • Web uploads and downloads (including web mail, posts through forms, blogs)
  • File transfers (rcp)

It works in the background without needing any user attention and interacts only when a policy applies to help the user follow proper information handling procedures.

  • Prevent Wrongful Disclosure: Enforce Need-to-Know data access policies with Attribute-Based Access Control (ABAC), preventing wrongful disclosure by ensuring that only authorized users are ever able to view controlled data.
  • Enable Zero Trust Architecture (ZTA) on the Windows Desktop: Enforce the principle of least-privileged access on the Windows desktop whether a device is online or disconnected from the secure network.
  • Prevent Data Loss Proactively: Stop endpoint data loss in real time, online or offline, through USB devices, web uploads, file copying, and sharing.
  • Ensure Electronic Data Storage Compliance: Prevent storing data in locations that expose sensitive information to unintended audiences.
  • Simplify Data Security with Interactive Remediations: Automate remediations to deliver real-time policy education, data classification, data cleansing, and much more.
  • Illuminate Audit and Incident Investigation: Use detailed endpoint activity logs to reconstruct sequences of events across systems and users when investigating incidents.
  • Proactive Data Loss Prevention: Monitor and control activity at the endpoint in real time, avoiding traces of data on the wire or on other systems and thereby reducing the scope of audits and incident investigations.
  • Application Whitelisting: Limit application usage to only those applications that are explicitly allowed.
  • Attribute-Based Access Control (ABAC) on Files and Folders: Define access and entitlements to files and folders with policies based on the dynamic evaluation of attributes of the user, of the resource being accessed, and of the environmental context of the access request.
  • Broadest User Action Coverage: Whether a user is accessing a file, uploading to the web, or running an application, the Enforcer logs and controls these activities continuously, online and offline.
  • Fine-Grained Data Control: Prevent data loss by selecting the right data to protect with precise, fact-based data identification.
  • Identity-Based Policy Enforcement: Accurately enforce policy by pinpointing the user based on user name, email address, group membership, assigned roles, or any user attribute defined in the enterprise directory, such as Active Directory.
  • DLP for Mobile and Remote Users: Data protection policies may vary depending on the user's device and physical location. Location awareness and device detection provide tunable controls that dynamically restrict or allow access and use.
  • Policy Assistants: Help end users perform remediation tasks with interactive wizards, simplifying data security for end users and improving adoption of compliance policies.
  • Compliance Audit and Incident Investigation: Provide the most comprehensive activity monitoring on the endpoint, with full details about not only who accessed what information, but also where that data came from, where other copies are, and who else modified or copied it. Investigators can reconstruct the path of data loss to home in on how data was lost and what was lost.
  • Automatic Policy Update: Periodic policy updates and user identity changes are automatically delivered to the Enforcer without any end-user interaction.
  • Offline Enforcement and Logging: User actions are monitored, controlled, and logged regardless of network connectivity. Store-and-forward logging collects activity details and uploads the logs when a network is available.
  • Tamper-Resistance of Enforcer Software: The Enforcer is password protected and prevents users with elevated privileges, including administrators, from terminating or removing the software. This ensures ongoing compliance with enterprise policies.
  • Secured Communication: Encrypted communication via SSL between the Windows Desktop Enforcer software and the Policy Server protects the policy set download and log upload. The Enforcer authenticates the policy set to ensure it comes from the trusted Policy Server.
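The ABAC, identity- and location-aware enforcement, store-and-forward logging, and policy-set authentication points above describe a decision flow that is easier to see in code. The following is an added example written for this page, not NextLabs code and not a description of how WDE is implemented: a small deny-by-default evaluator that matches rules against user, resource, and environment attributes, accepts a policy set only when its authentication tag verifies (an HMAC with a constructed shared key stands in for whatever the real product uses), and buffers activity log entries while the device is offline. Every rule, attribute, user, path, and key in it is constructed for illustration.

```python
"""Added example: minimal ABAC enforcer in the style the page describes.

Not NextLabs code. Policy rules, attributes, paths and the signing key
are all constructed for illustration.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed shared secret standing in for the Policy Server trust anchor.
POLICY_SERVER_KEY = b"constructed-demo-key"


def sign_policy_set(rules: list, key: bytes = POLICY_SERVER_KEY) -> dict:
    """Package rules with an HMAC tag so the enforcer can authenticate them."""
    body = json.dumps(rules, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def load_policy_set(package: dict, key: bytes = POLICY_SERVER_KEY) -> list:
    """Accept a policy set only if its tag verifies; otherwise refuse it."""
    expected = hmac.new(key, package["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, package["tag"]):
        raise ValueError("policy set failed authentication")
    return json.loads(package["body"])


def _matches(conditions: dict, attrs: dict) -> bool:
    """All conditions must hold; a list value means 'attribute is one of'."""
    for name, wanted in conditions.items():
        actual = attrs.get(name)
        if isinstance(wanted, list):
            if actual not in wanted:
                return False
        elif actual != wanted:
            return False
    return True


def evaluate(rules: list, user: dict, resource: dict, env: dict, action: str) -> str:
    """Deny-overrides, deny-by-default decision over user/resource/env attributes."""
    decision = "deny"
    for rule in rules:
        if action not in rule["actions"]:
            continue
        if not (_matches(rule.get("user", {}), user)
                and _matches(rule.get("resource", {}), resource)
                and _matches(rule.get("env", {}), env)):
            continue
        if rule["effect"] == "deny":
            return "deny"          # any matching deny wins
        decision = "allow"
    return decision


@dataclass
class Enforcer:
    """Holds the cached policy set and a store-and-forward log buffer."""
    rules: list
    online: bool = False
    pending: list = field(default_factory=list)   # logs waiting for a network
    uploaded: list = field(default_factory=list)  # logs delivered to the server

    def check(self, user: dict, resource: dict, env: dict, action: str) -> str:
        decision = evaluate(self.rules, user, resource, env, action)
        self.pending.append({"user": user["name"], "resource": resource["path"],
                             "action": action, "decision": decision})
        self.flush()
        return decision

    def flush(self) -> None:
        """Upload buffered log entries only once connectivity is available."""
        if self.online and self.pending:
            self.uploaded.extend(self.pending)
            self.pending.clear()


# Constructed rule set: engineering may read/edit internal and confidential
# files, partners may read shared internal files, confidential data may never
# leave via USB or web upload, and nothing is permitted from an unmanaged
# device off site.
DEMO_RULES = [
    {"effect": "allow", "actions": ["read", "edit"],
     "user": {"department": "engineering"},
     "resource": {"classification": ["internal", "confidential"]}},
    {"effect": "allow", "actions": ["read"],
     "user": {"role": "partner"},
     "resource": {"classification": "internal", "project": "shared"}},
    {"effect": "deny", "actions": ["usb_copy", "web_upload"],
     "resource": {"classification": "confidential"}},
    {"effect": "deny", "actions": ["read", "edit", "usb_copy", "web_upload"],
     "env": {"location": "offsite", "device": "unmanaged"}},
]


def demo():
    """Run a few constructed requests offline, then come online and flush logs."""
    enforcer = Enforcer(rules=load_policy_set(sign_policy_set(DEMO_RULES)))
    eng = {"name": "alice", "department": "engineering", "role": "employee"}
    partner = {"name": "bob", "department": "external", "role": "partner"}
    conf = {"path": r"C:\Projects\design.docx", "classification": "confidential", "project": "alpha"}
    internal = {"path": r"\\fs\shared\notes.txt", "classification": "internal", "project": "shared"}
    office = {"location": "office", "device": "managed"}
    cafe = {"location": "offsite", "device": "unmanaged"}
    results = {
        "eng_reads_conf": enforcer.check(eng, conf, office, "read"),
        "eng_usb_conf": enforcer.check(eng, conf, office, "usb_copy"),
        "partner_reads_internal": enforcer.check(partner, internal, office, "read"),
        "partner_reads_conf": enforcer.check(partner, conf, office, "read"),
        "eng_reads_internal_cafe": enforcer.check(eng, internal, cafe, "read"),
    }
    queued = len(enforcer.pending)   # all entries buffered while offline
    enforcer.online = True
    enforcer.flush()
    return results, queued, len(enforcer.uploaded)


if __name__ == "__main__":
    print(demo())
```

The evaluator is deliberately deny-overrides and deny-by-default: a request that matches no rule is refused, and a single matching deny rule (for example the off-site, unmanaged-device rule) overrides an allow that would otherwise apply. Decisions and logging happen locally from the cached policy set, so enforcement does not depend on connectivity; only log delivery waits for a network.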

Microsoft Dynamic Access Control for IT and Compliance: An Example Use Case

Securing Sensitive IP and Trade Secrets When Working with Remote Employees and Partners

Rockwell Collins