Improve agent security by providing granular control over Prisma Access Agent
protection with unique one-time passwords, emergency access options, and comprehensive audit
logging.
Enhanced anti-tamper protection for Prisma
Access Agent extends the current anti-tamper protection implementation with a
secure and flexible approach to protecting agent services, processes, files, and
registries from unauthorized tampering. It provides unique one-time passwords
(OTPs) and a finer-grained configuration in which privileged access tokens are
assigned per user and per user group, giving you more precise control over who can
modify the agent and when.
Enhanced anti-tamper protection supports the following use cases:
Granular anti-tamper protection—Gives you the flexibility to configure
anti-tamper settings (also called privileged access protection settings) at
a per-user or per-user group level.
Selective protection for operational teams—Temporarily disable privileged
access protection for certain users or user groups who need the ability to
modify files and folders, such as DevOps users, while maintaining
anti-tamper protection for the rest of your users and user groups.
Streamlined bulk operations—Allow certain users to perform batch operations
such as installing Prisma Access Agent on endpoints for specific users or
user groups.
Offline access continuity—For emergency situations, such as when a device
loses network connectivity, an emergency Privileged Access Token allows
authorized users to perform necessary maintenance.
User-initiated troubleshooting—Provides time-bound access for problem
resolution through time-limited Privileged Access OTPs for specific
troubleshooting scenarios. This enables self-service problem resolution
while maintaining security controls.
The enhanced anti-tamper protection introduces several types of access passwords to
address different scenarios. The Privileged Access Token serves as an emergency
override for critical situations, such as when a device loses network
connectivity. The Privileged Access OTP enables end users to execute any privileged
command for troubleshooting. Operation-specific OTPs are also available for targeted
actions such as disabling or uninstalling the agent. You can configure how long
protection remains disabled after one of these tokens is used, with values ranging
from 30-480 minutes.
Role-based access control (RBAC) ensures that only authorized administrators, such as
superusers or security administrators, can access the Privileged Access Token. Any
administrator who has access to the Inventory page can view and copy OTPs. Every OTP
is automatically refreshed after a single use and is never stored on the
endpoint, so the environment stays secure even if a device is compromised.
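The following is an added illustrative model of the OTP lifecycle described above (single use, automatic refresh, a bounded disable window, and an audit record for every attempt). It is not Prisma Access code; the service name, purpose labels, and audit fields are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

MIN_DISABLE_MINUTES = 30   # bounds of the configurable disable window stated on the page
MAX_DISABLE_MINUTES = 480


@dataclass
class OtpRecord:
    purpose: str   # hypothetical labels, e.g. "privileged", "disable", "uninstall"
    secret: str
    used: bool = False


@dataclass
class AntiTamperService:
    """Hypothetical management-side service: OTPs live here, never on the endpoint."""
    otps: dict = field(default_factory=dict)    # (user, purpose) -> OtpRecord
    audit: list = field(default_factory=list)   # one entry per redemption attempt

    def issue(self, user: str, purpose: str) -> str:
        rec = OtpRecord(purpose, secrets.token_urlsafe(12))
        self.otps[(user, purpose)] = rec
        return rec.secret

    def redeem(self, user: str, purpose: str, presented: str, disable_minutes: int) -> bool:
        """Validate a presented OTP; on success consume it and issue a fresh one."""
        rec = self.otps.get((user, purpose))
        if not MIN_DISABLE_MINUTES <= disable_minutes <= MAX_DISABLE_MINUTES:
            result = "rejected: disable window out of range"
        elif rec is None or rec.used:
            result = "rejected: no unused OTP for this user/purpose"
        elif not hmac.compare_digest(rec.secret, presented):   # constant-time compare
            result = "rejected: wrong OTP"
        else:
            result = "granted"
        self.audit.append({"user": user, "purpose": purpose,
                           "minutes": disable_minutes, "result": result})
        if result != "granted":
            return False
        rec.used = True
        self.issue(user, purpose)   # refreshed after one-time use; old value is dead
        return True
```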