
Page 1: AppSense Application Manager User Rights Management

Version 8 FR6

Application Manager

User Rights Management Edition Guide

APPLICATION MANAGER USER RIGHTS MANAGEMENT EDITION GUIDEii

© AppSense Limited, 2013

All rights reserved. No part of this document may be produced in any form (including photocopying or storing it in any medium) for any purposes without the written permission of AppSense Limited, except in accordance with applicable law. Furthermore, no part of this document may be sold, licensed or distributed. The doing of an unauthorized act in relation to a copyright work may result in both a civil claim for damages and criminal prosecution.

The information contained in this document is believed to be accurate at the time of printing and may be subject to change without notice. Any reference to a manufacturer or product does not constitute an endorsement of, or representation or warranty (whether express, implied or statutory) in respect of, the manufacturer or product or the use of the product with any AppSense software.

This document does not grant any right or license to you in respect of any patents, patent applications, trademarks, copyrights, or other intellectual property rights in or relating to the subject matter of this document. Where relevant, any AppSense software provided pursuant to or otherwise related to this document shall only be licensed to you on and subject to the end user license agreement which shall be displayed and which you shall be required to accept prior to accessing or using the software.

AppSense is a registered trademark of AppSense Holdings Limited or its affiliated companies in the United Kingdom, the United States and/or other countries. Microsoft, Windows and SQL Server are all registered trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual products and companies mentioned in this document may be the trademarks of their respective owners.

CONTENTS

Welcome v

About This Document vi

Terms and Conventions vi

Feedback vi

Section 1 About Application Manager URM Edition 1

About Application Manager User Rights Management Edition 2

Key Benefits 2

Feature Summary 2

Architecture 4

Console 5

Software Agent 5

Configuration 6


Section 2 User Rights Management 7

About User Rights Management 8

Least Privilege 8

Common Tasks that Require Administrative Privileges 9

User Rights Management vs. Run As 9

User Rights Management Benefits 10

Use Cases 11

Technology 11

User Rights Management Mechanism 12

Configuring User Rights Management 13

User Rights Policies 14

Applying User Rights Policies 17

Merging Policies 24

Example Configurations 25

Web Installations 31

Snippets 32

Self-Elevation 33

Securing Common Dialogs 35

Using Metadata 37

Glossary 40

WELCOME

In this Section:

About This Document on page vi

Terms and Conventions on page vi

Feedback on page vi


ABOUT THIS DOCUMENT

This User Rights Management Guide is for use by AppSense Application Manager administrators. It provides information on how User Rights Management works and describes its components and architecture.

TERMS AND CONVENTIONS

The following table shows the textual and formatting conventions used in this document:

Convention | Use

Bold | Highlights items you can select in Windows and the product interface, including nodes, menu items, dialogs and features.

Code | Used for scripting samples and code strings.

Italic | Highlights values you can enter in console text boxes and the titles of other guides and Helps in the documentation set.

Green + underlined | Indicates a glossary link.

> | Indicates the path of a menu option. For example, "Select File > Open" means "click the File menu, and then click Open."

Information tables | Highlight important points of the main text or provide supplementary information, additional techniques and help for users. Also used to provide links to further information which include more detail about the topic, either in the current document or related sources.

Caution/Warning | Provides critical information relating to specific tasks or indicates important considerations or risks.

FEEDBACK

The AppSense Documentation team aim to provide accurate and high quality documentation to assist you in the installation, configuration and ongoing operation of AppSense products.

We are constantly striving to improve the documentation content and value any contribution you wish to make based on your experiences with AppSense products.

Please email any comments to: [email protected]

Section 1 About Application Manager URM Edition

In this Section:

About Application Manager User Rights Management Edition on page 2

Key Benefits on page 2

Feature Summary on page 2

Architecture on page 4


ABOUT APPLICATION MANAGER USER RIGHTS MANAGEMENT EDITION

Application Manager User Rights Management Edition (URM Edition) allows you to create reusable user rights policies which can be associated with any rules and can elevate or restrict access to files, folders, signatures, application groups and Control Panel components. User Rights Management enables users with no administrative privileges to have elevated rights for specified applications. Similarly it can restrict access to specified applications for users that do have administrative rights.

KEY BENEFITS

There are several key benefits to using Application Manager.

Protects against malicious code.

Controls role based application usage.

Elevates and reduces user rights for applications and Control Panel components and Management Snapins.

Reduces support calls.

User acceptance.

FEATURE SUMMARY

Application Manager URM Edition provides the following key features for application control:

User Rights Management

User Rights Management allows you to create reusable User Rights policies which can be associated with any rules and can elevate or restrict access to files, folders, signatures, application groups and Control Panel components.

User Rights Management Edition contains four primary functions:

Elevating user rights for applications

Elevating user rights for Control Panel components and Management Snapins.

Reducing user rights for applications

Reducing user rights for Control Panel components and Management Snapins.

For more information see User Rights Management on page 7.


Rules: User, Group, Device, Custom, Scripted and Process

Extend application accessibility by applying rules based on username, group membership, computer, or connecting device, scripts and parent processes, or combinations of these. User Rights Management can be specified in each rule and is applied to a user session based on the environment in which the user operates.

Scripted Rules

Scripted Rules allow administrators to apply User Rights Management policies based on the outcome of a PowerShell or Windows VBScript script. Scripts can be run for each individual user session or run once per computer.

Process Rules

Process rules apply to parent processes and manage the access their child processes receive to the level required. Process rules include User Rights Management.

Digital Signatures

SHA-1 signature checks may be applied to any number of application control rules, providing enhanced security where NTFS permissions are weak or non-existent, or for applications on non-NTFS formatted drives. A digital signature wizard allows easy creation and maintenance of large digital signature lists.


ARCHITECTURE

This section provides details on the architecture of Application Manager URM Edition.

Console on page 5

Software Agent on page 5

Configuration on page 6


Console

The Application Manager URM Edition console launches when the link is selected in the Start > All Programs > AppSense menu.

The console enables you to create, view, edit and save configurations for Application Manager URM Edition. The Rules Analyzer function allows you to record the actual effect of the configuration on users on an endpoint which has the Application Manager agent installed and running.

Console Installer

The console installer is an MSI package that contains all the files needed to install the console on a computer. Both 32-bit and 64-bit installers are provided.

Software Agent

Application Manager URM Edition is installed and run on endpoints using a lightweight agent. The agent is installed directly onto the local computer.

Both agents and configurations are constructed as Windows Installer (MSI) packages and so can be distributed using any third party deployment system which supports the MSI format. The installers are delivered in separate 32-bit and 64-bit Microsoft Installer packages.

For Application Manager URM Edition to function, the agent must be installed on the client endpoint together with an associated configuration. Since agents and configurations are installed and stored locally on the endpoint, they continue to operate when the endpoint is disconnected or offline.


Agent Service

The Application Manager Agent Service used by the URM Edition runs as a SYSTEM service on each computer that is to be controlled using the Application Manager component. The agent provides the intelligence for dealing with the execution requests passed from the Application Manager kernel level driver and the hook. Each and every execution request is validated against the configuration settings held on each local machine containing the Application Manager agent software. Along with the details of the application request, the agent service checks who the user is and which computer the request originates from, so that this can be processed at the same time to enable user / group / client / custom rules to function as expected.

The configuration is stored in a local configuration file for performance and control reasons. This means that all requests can be turned around in minimum time and, perhaps more importantly, without the need for a network link to a central server, which also ensures that unconnected machines, such as laptops, remain secured even when not physically connected to the Local Area Network.

Application Hook

This is a DLL which is loaded into every user process.

The Application Hook sends create process and network requests to the agent for authorization. If any token modification is required, as part of User Rights Management, an appropriate request is sent to the agent. The agent sends back a modified token which is used to launch the requested process.

Configuration

Application Manager User Rights Management Edition uses AppSense Application Manager configuration files (.aamp files) which contain the rule settings for securing your system. The agent checks the configuration rules to determine the action to take when intercepting file execution requests.

Configurations are stored locally in the All Users profile and are protected by NTFS security. In standalone mode, configuration changes are written directly to the file system from the Application Manager URM Edition console.

Configurations can also be exported and imported to and from MSI file format using the Application Manager console. This is useful for creating templates or distributing configurations using third party deployment systems.

After creating or modifying a configuration you must save the configuration (and deploy it if necessary) to ensure that the changes take effect.

Section 2 User Rights Management

In this Section:

About User Rights Management on page 8

User Rights Management Benefits on page 10

Use Cases on page 11

Technology on page 11

Configuring User Rights Management on page 13

Web Installations on page 31

Snippets on page 32

Self-Elevation on page 33

Securing Common Dialogs on page 35


ABOUT USER RIGHTS MANAGEMENT

User Rights Management enables enterprise IT departments to reduce access control privileges on a per user, group, application, or business rule basis. It ensures users have only the rights they need to fulfil their job and access the applications and controls they require, and nothing else, thus ensuring desktop stability, improving security and productivity.

The perfect balance between user productivity and security is to control user rights, not at a session or account level, but at an application or individual task level.

With User Rights Management, access to applications and tasks is managed dynamically by managing user rights, on demand, in response to user actions. For example, administrator rights can be applied to a named application or Control Panel component for a particular user or user group, by either elevating the privileges of a standard user to an administrator level, or dropping the rights of an administrator to that of a standard user account.

By controlling user rights throughout the user session, IT can provide users with the accessibility they require to perform their job, while protecting the desktop and the environment and reducing management costs.

User Rights Management provides a granular approach to delegating administrative rights to users and applications by assigning rights according to merit. This level of control can be deployed to elevate or restrict privileges on a case by case basis according to the preferred approach taken in the environment.

User Rights Management allows you to create a library of reusable policies which can be associated with any available Application Manager rule, to assign the relevant privileges to files, folders, signatures, and application groups. User Rights Policies include domain user group membership and a range of administrative privileges which you can apply to each policy.

Least Privilege

Many users run their computer with administrative privileges. It is evident that users running with these privileges can introduce viruses, malware and spyware. Inevitably this can affect the entire enterprise, causing security breaches and downtime. Access to private data can also be at risk.

User Rights Management allows the application of the principle of least privilege. This principle requires that users are provided the minimum rights to do their job, without giving the user full administrator rights. The experience is seamless to the user.

With User Rights Management any downtime, coupled with the number of calls made to IT Support due to viruses and so on, is greatly reduced because computers are made secure against the problems that occur when a user has full administrative rights. This means IT Support can focus on more important tasks as opposed to spending large amounts of time troubleshooting computers to find out the problem. Licensing is also easier to control, for example, by allowing users to only install authorized applications.

For the complete definition of least privilege refer to the Department of Defense Trusted Computer System Evaluation Criteria (DOD 5200.28-STD), also known as the Orange Book. This is located at http://csrc.nist.gov/publications/history/dod85.pdf.

Common Tasks that Require Administrative Privileges

There are a number of common tasks users may be required to perform in order to fulfil their role that may need administrative privileges. A solution must be provided to allow these tasks to be performed; otherwise the user must carry out their role without accomplishing these specific tasks. These tasks may include:

Installation of printers

Installation of certain hardware

Installation of particular applications

Operation of applications that require administrative privileges

Change of system time

Legacy applications

User Rights Management allows the user to perform these tasks by elevating a user to have specific administrative privileges.

User Rights Management vs. Run As

Many users, particularly knowledge workers, use the Run as command to run applications. Users can perform their daily tasks running with least privilege but can also, as required, use the Run as command to elevate their credentials, thus performing a task under the context of a different user. This, however, requires that a user has two accounts, that is, one for least privilege and one for elevation.

A common problem within an enterprise is the communication of the administrative password throughout an enterprise. For example, an administrator may communicate the administrator password to a user enabling them to use the Run as command to fix a problem with their computer. Unfortunately the password commonly gets passed around causing unforeseen security risks.

Additionally, a problem with Run as is how software actually interacts with it. Run as executes an application or process under the context of a different user. Therefore, that application or process does not have access to the correct HKEY_CURRENT_USER hive in the registry.

This hive is where all the profile data is stored and is protected space. Because of this, the application or process running under the context of a different user cannot read or write to this source, causing some applications not to function. Running under the context of a different user can also cause problems reading and writing to a network share, because access to network shares is based on the account context you are running under. Thus, your local account and the Run as account may not have the same access to resources.

Hive: A set of registry settings such as keys, sub keys and values that are necessary for the operating system to do its job.


Run as and UAC

Windows XP, Windows Vista and Windows 7 have certain features that allow a user to run applications or processes without administrative rights. These are the Run as command in Windows XP and Windows 7 and User Account Control (UAC) in Windows Vista.

UAC also applies to Windows 7. However, it is an addition to the Run as command and not a replacement.

These features also apply to Server 2003 and Server 2008 versions.

Although these features do allow users to run without administrative rights, they still require the user to have access to an administrator account to perform administrative tasks. Unfortunately, this limitation means these features are more appropriate for administrators: they can log on as a standard user and use the administrator account to perform administrative tasks only.

As the user must provide the credentials for a local administrator to use Run as and UAC, this creates a number of concerns. For example:

A user with access to an administrator account must be trusted not to abuse these privileges.

Applications running with administrative rights are now running under the context of a different user. This can cause problems; for example, these applications do not have access to the actual user's profile or network shares, as stated in the User Rights Management vs. Run As section above.

Two passwords are required: one for the standard account and one for the administrator account. The user must remember both. Securing one account is challenging, and securing two accounts more so.

USER RIGHTS MANAGEMENT BENEFITS

The main benefits of User Rights Management are:

Elevation of User Privileges for Running Applications

Use User Rights Management to specify the application to be run with administrative credentials. The user does not have administrative credentials but is able to run the application.

Elevation of User Privileges for Running Control Panel Components

Many users need to do various tasks that need administrative rights, for example, to install printers, to change network and firewall settings, to change the time and date and to add and remove programs. All of these tasks require running Control Panel components as an administrator.

Use User Rights Management to elevate privileges for individual components so that the non-administrative standard user can make the changes needed to perform their role.


Reducing Privileges to Restrict Application Rights

By default, users may hold administrative credentials but can be forced to run specific applications as a non-administrator. When certain applications, for example Internet Explorer, run as an administrator, the user is able to change many undesirable settings, install applications and potentially open up the desktop to the Internet. Use User Rights Management to make an administrator level user run, for example, Internet Explorer in standard user mode, thus safeguarding the desktop.

Reducing Privileges to Restrict Access to System Settings

Use User Rights Management to give a higher level system administrator the ability to stop an administrative user from altering settings that they should not change, for example, firewalls and certain services. Use User Rights Management to reduce administrative privileges for certain processes. Although the user has administrative rights, the system administrator retains control of the environment.

USE CASES

User Rights Management has many use cases and solves problems that many enterprises have until now been unable to address. A small number of scenarios are given below:

Organizations that use local administrator accounts for their users may need to lock down elements of the desktop, such as the Control Panel component, Add Hardware, or Add and Remove Programs \ Programs and Features. By dynamically dropping the user account from administrator to a standard user for specific controls, the user is now prohibited from accessing the control and executing an unwanted task.

Some applications require administrator rights as the application itself interacts with certain parts of the desktop operating system or registry. However, the organization does not wish to provide users with full administrator accounts. User Rights Management can elevate the user rights for the named application to an administrator level, enabling the user to run their application while protecting the desktop.

Automatic update elements of some applications can require administrator rights to perform the update actions and therefore do not function in the context of a standard user. User Rights Management can enable the named application to run under the context of an administrator account while all other applications remain in standard user context.

Mobile users may need to manually change their IP address, configure a wireless network, or change date and time properties, all of which require administrative rights. User Rights Management can elevate the user rights to administrator level for named tasks, enabling the user to make the changes they require.

TECHNOLOGY

In a Microsoft Windows computing environment, as part of the application launch process, when an execution request is made, the application requests a security token as part of the application launch approval process. This token details the rights and permissions given to the application and these rights can be used to interact with the operating system or other applications.

When User Rights Management is configured to manage an application, the security token that is requested is dynamically modified to have its permissions elevated or restricted, thereby allowing the application to be run or blocked.


User Rights Management Mechanism

The User Rights Management mechanism controls access for users and applications, as shown in the figure below.

The User Rights Management mechanism handles process startup requests as follows:

1. A User Rights Policy is defined in the configuration rule and applies to applications or components.

The Application list can include files, folders, signatures or application groups.

The Components list can include Control Panel components.

2. When a process is created by the launch of an application or other executable, the Application Manager hook intercepts the process and queries the Application Manager agent whether elevated or restricted rights are required to run the process.

3. The agent confirms whether the configuration assigns elevated or restricted rights and if required, the agent requests a modified user token from the Windows Local Security Authority (LSA).

4. The hook receives the modified user token from the Windows LSA granting the necessary privileges. Otherwise, the process runs with the existing user token according to the definitions of the normal user rights.


CONFIGURING USER RIGHTS MANAGEMENT

Standard users typically have no administrative rights. The following process demonstrates how to create a User Rights Policy for a Support Desk operative.

User Rights Management provides the ability to add membership to a selected group or to drop membership. The first step in creating the configuration is to create a User Rights Policy and to specify the membership, in this case, to add membership.

CREATE A USER RIGHTS POLICY

1. Right-click the User Rights Policies node in the navigation pane and select Add Policy.

2. Right-click a policy and select Rename.

3. Enter a name for the policy, for example, SupportDesk.

4. Right-click the Group Membership tab in the work area and select Add Group Action.

The Account Selection dialog displays.

5. Enter or navigate to the SupportDesk group and click OK.

6. Click in the Action column and select Add Membership. This is the default setting.


User Rights Policies

The Elevate policy is applied to new rule items by default. When an item is elevated, the selected item is given increased privileges and does not require an administrator to run it.

User Rights Policies offer an alternative to using the default Elevate policy and can be customized to meet the needs of your organization. Policies can range from making an individual user a member of a "Power User" group to removing user membership from the Administrators group.

When a User Rights Policy is created, you can customize your policy using the following three tabs:

Group Membership

Privileges

Properties

Group Membership

Group Membership allows you to specify Windows user groups to be added or dropped when a policy is applied. You add a group action to the policy contents and then specify whether membership of the selected group is to be added or dropped when the policy is applied.

For further information on Group Rules, see Applying User Rights Policies.


Privileges

A privilege is the right of a user account to perform a particular system-related operation, such as shutting down the computer or changing the system time. You can use the User Rights Management feature to enable, disable or remove privileges.

No change - Leaves the privilege as it is with its original token.

Enabled - Sets the flag in the token to enabled.

Disabled - Sets the flag in the token to disabled.

Remove - Removes the privilege from the token. You cannot undo this option.

The following table lists the privileges that only apply to specific operating systems. The remaining privileges apply across all operating systems.

Privilege | User Right | XP / 2003 | Vista / W7 / 2008 / 2008 R2

SeCreateSymbolicLinkPrivilege | Create symbolic links | No | Yes

SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Server Only | Server Only

SeIncreaseWorkingSetPrivilege | Increase a process working set | Not Applicable | Yes

SeRelabelPrivilege | Modify an object label | Yes | 2008 R2 Only

SeTimeZonePrivilege | Change the time zone | Not Applicable | Yes

SeTrustedCredManAccessPrivilege | Access credential manager as a trusted caller | Yes | 2008 R2 Only

SeUndockPrivilege | Remove computer from a docking station | Desktop Only | Desktop Only

SeUnsolicitedInputPrivilege | Receive unsolicited data from a terminal device | Yes | 2008 R2 Only

When you assign membership to a user group, you will only add the group that you have selected; any nested groups will not be included. For example, if you assign group membership to Domain Administrators this will not automatically include the Local Administrator group, which will therefore need to be added separately.

Properties

This tab allows you to add a more meaningful description of the User Rights Policy you have created; the specified information is then displayed in the list of User Rights Policies. Once defined, the policy can be associated with any rule you create.
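The token modification described under Technology and User Rights Management Mechanism, combined with the Group Membership and Privileges actions described above, can be modelled in a few lines. The following Python is an added example written for this page, not AppSense code: the Token and UserRightsPolicy structures, the group and privilege names, and the rule that Enabled and Disabled only flip the flag on a privilege the token already holds are assumptions of the model.

```python
"""Model of how a User Rights Policy rewrites a process token.

Added illustration, not AppSense code. Token and UserRightsPolicy are
simplified stand-ins for the Windows access token and for the Group
Membership and Privileges tabs described in the guide.
"""
from dataclasses import dataclass, field
from enum import Enum


class PrivAction(Enum):
    NO_CHANGE = "No change"
    ENABLED = "Enabled"
    DISABLED = "Disabled"
    REMOVE = "Remove"


@dataclass
class Token:
    """Simplified access token: group names and privilege -> enabled flag."""
    user: str
    groups: set
    privileges: dict

    def copy(self) -> "Token":
        return Token(self.user, set(self.groups), dict(self.privileges))


@dataclass
class UserRightsPolicy:
    name: str
    add_groups: set = field(default_factory=set)
    drop_groups: set = field(default_factory=set)
    privileges: dict = field(default_factory=dict)  # privilege -> PrivAction


def apply_policy(token: Token, policy: UserRightsPolicy) -> Token:
    """Return the modified token the hook launches the process with.

    The caller's own token is left untouched: only the launched process
    receives the modified token (step 4 of the mechanism).
    """
    new = token.copy()
    # Group actions are literal. Nested groups are not expanded, so adding
    # "CORP\\Domain Admins" does not also add "BUILTIN\\Administrators".
    new.groups -= policy.drop_groups
    new.groups |= policy.add_groups
    for priv, action in policy.privileges.items():
        if action is PrivAction.NO_CHANGE:
            continue
        if action is PrivAction.REMOVE:
            new.privileges.pop(priv, None)  # gone for the life of the token
        elif priv in new.privileges:
            # Assumption of this model: Enabled/Disabled only flip the flag on
            # a privilege the token already holds; they cannot re-add one that
            # was removed.
            new.privileges[priv] = action is PrivAction.ENABLED
    return new


def elevate_example():
    """Constructed: a standard user launching a tool under a SupportDesk policy."""
    original = Token(
        user="CORP\\jdoe",
        groups={"CORP\\Domain Users", "BUILTIN\\Users"},
        privileges={"SeShutdownPrivilege": False,
                    "SeChangeNotifyPrivilege": True,
                    "SeUndockPrivilege": True},
    )
    policy = UserRightsPolicy(
        name="SupportDesk",
        add_groups={"CORP\\SupportDesk"},
        privileges={"SeShutdownPrivilege": PrivAction.ENABLED,
                    "SeUndockPrivilege": PrivAction.REMOVE,
                    "SeChangeNotifyPrivilege": PrivAction.NO_CHANGE},
    )
    return original, apply_policy(original, policy)


def restrict_example():
    """Constructed: an administrator's browser dropped to standard-user rights."""
    original = Token(
        user="CORP\\admin1",
        groups={"BUILTIN\\Administrators", "CORP\\Domain Users"},
        privileges={"SeDebugPrivilege": False, "SeBackupPrivilege": False},
    )
    policy = UserRightsPolicy(
        name="StandardUser",
        drop_groups={"BUILTIN\\Administrators"},
        privileges={"SeDebugPrivilege": PrivAction.REMOVE,
                    "SeBackupPrivilege": PrivAction.DISABLED},
    )
    return original, apply_policy(original, policy)


if __name__ == "__main__":
    before, after = elevate_example()
    print("added groups:", sorted(after.groups - before.groups), after.privileges)
    before, after = restrict_example()
    print("dropped groups:", sorted(before.groups - after.groups), after.privileges)
```

The model makes the practical difference between Disabled and Remove visible. A privilege set to Disabled stays in the token, and on Windows a process holding a disabled privilege can turn it back on itself through AdjustTokenPrivileges, whereas a removed privilege is gone for the life of the token and cannot be reinstated by the process. For a restriction policy, Remove is therefore the stronger choice. On Windows Vista and later, whoami /groups and whoami /priv run from inside the launched process show the groups and privilege states the process actually received, which is the quickest way to confirm that a policy did what the configuration intended.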


Applying User Rights Policies

The following section provides details on the dialogs used to apply User Rights Policies:

Files

Folders

Signatures

Groups

Components

These are specified on the Applications tab. Right-click the Applications tab for a User Rights node and select Add > Add File, Add Folder, Add Signature, or Add Group.

Files

The following are the options available in the Add a File for User Rights Management dialog.

File - The file path of the file/process. Enter the file path into this field or use the Browse button to locate the file.

Substitute environment variables where possible - Replaces the Windows directory with the generic environment variable %SystemRoot%.

Environment variables make the path more generic for applying on different machines. Wildcards are also supported and provide an additional level of control for specifying generic file paths.

Arguments - The arguments that are to be applied to the application/process specified in the File field. For example, %SystemRoot%\system32\mmc.exe may be the application and %SystemRoot%\system32\dfrg.msc c: the argument.

Policy - Select the policy to be applied to the file.

Apply to child processes - By default, the User Rights Policy applied to an application or process does not get inherited by child processes launched by the parent process. The application specified in the File field is the parent process. Select this option to apply the policy to the direct child of the parent process. The policy will be inherited by all child and descendant processes. Deselect this option to allow the child process to use the original token that has not been altered by User Rights Management.

Apply to Common Dialogs - When using an elevated application, the user may open the standard Open and Save As dialogs from that application. These dialogs offer controls that allow files on disk to be deleted, renamed or replaced. To prevent the user from being able to damage the system, Application Manager URM Edition drops back to the standard user rights while these dialogs are open. This means that the user is only able to change their own files. Selecting this option disables this protection, and users keep the elevated User Rights Policy while these dialogs are open.

Install as Trusted Owner - Make all files created by the defined application owned by the local administrator.

Description - Provides any additional information relating to the selected file.

Metadata tab

Metadata can be used as advanced criteria when creating your item lists. For example, Microsoft Internet Explorer has unique metadata relating to product name, company and product version added by Microsoft upon creation or upgrade. By utilizing this information you can be more specific as to the criteria that needs to be met in order to apply the rules of your policy.

Folders

The following are the options in the Add a Folder for User Right Management dialog.

Folder - The name of the folder. Enter the name of the folder into this field or use the Browse button to locate the folder.

Substitute environment variables where possible - For example, replaces the Windows directory with the generic environment variable %SystemRoot%.

Include subfolders - Select to include all directories beneath the specified directory. User Rights Management is applied to all subdirectories. Deselect to only apply User Rights Management to the current folder.

Policy - Select the policy to be applied to the folder from the drop-down.

Apply to child processes - By default, the User Rights Policy applied to an application or process does not get inherited by child processes launched by the parent process. The application in the specified folder is the parent process. Select this option to apply the policy to the direct child of the parent process. The child process inherits the new token. Deselect this option to allow the child process to use the original token that has not been altered by User Rights Management.

Apply to Common Dialogs - When using an elevated application, the user may open the standard Open and Save As dialogs from that application. These dialogs offer controls that allow files on disk to be deleted, renamed or replaced. To prevent the user from being able to damage the system, Application Manager URM Edition drops back to the standard user rights while these dialogs are open. This means that the user is only able to change their own files. Selecting this option disables this protection, and users keep the elevated User Rights Policy while these dialogs are open.

Environment variables make the path more generic for applying on different machines. Wildcards are also supported and provide an additional level of control for specifying generic file paths.

Install as Trusted Owner - Select this option to make all files created by the defined application owned by the local administrator.

Description - Provides any additional information relating to the selected folder.

Metadata tab

By utilizing the information contained in the metadata you can be more specific as to the criteria that needs to be met in order to apply the rules of your policy.

Signatures

The following are the options in the Add a Signature File for User Rights Management dialog.

File - The file path of the signature file for an application/process. Enter the file path into this field or use the Browse button to locate the file.

Arguments - Specifies the arguments to provide to the application/process you are starting, that is the application specified in the File path field. For example, %SystemRoot%\system32\mmc.exe may be the application and %SystemRoot%\system32\dfrg.msc c: the argument.

Policy - Select the policy to be applied to the signature file from the drop-down.

For further information, see Using Metadata.

Apply to child processes - By default, the User Rights Policy applied to an application or process does not get inherited by child processes launched by the parent process. The application specified in the File path field is the parent process. Select this option to apply the policy to the direct child of the parent process. The child process inherits the new token. Deselect this option to allow the child process to use the original token that has not been altered by User Rights Management.

Apply to Common Dialogs - When using an elevated application, the user may open the standard Open and Save As dialogs from that application. These dialogs offer controls that allow files on disk to be deleted, renamed or replaced. To prevent the user from being able to damage the system, Application Manager URM Edition drops back to the standard user rights while these dialogs are open. This means that the user is only able to change their own files. By Selecting this option this will disable this protection and users will be able to use elevated User Rights Policy when these dialogs are open.

Install as Trusted Owner - Select this option to make all files created by the defined application owned by the local administrator. This option has no effect if the application is not an installer, such as setup.exe.

Description - Provides any additional information relating to the selected signature file.

Groups

You can add a group to User Rights. Groups are used to hold and manage a logical collection of files, folders, drives, signature files, and network connection items. Use the Library > Group Management node to create a group.

When the group is created you can add the group to a User Rights rule. The following option is available:

Add to Rule - Select this option to add a group to your User Rights rule.

Components

As Management Console snap-ins and Control Panel applets are not executables, they cannot be elevated using a single executable but instead must be elevated using command line matching. The URM Components section provides easy shortcuts for configuring these items; they are equivalent to an Add File URM policy with specified arguments.

Control Panel components and Network Adaptor features and functions are typically controlled by explorer.exe. Elevating explorer.exe to run in the context of a Local Administrator is not ideal as this can open up a range of security issues. To resolve this and enable the user to access the said functionality under the context of an administrator without opening the entire explorer shell, User Rights Management places the AppSense Control Panel components in the Windows Control Panel alongside existing components. These can now be controlled at an access level specific to the function, without changing any rights associated with explorer.exe.

Command line arguments and spawning mechanisms vary depending on the operating system your individual users are using.

Use the filter in the Select Components dialog to filter components by operating system.

The following table gives a list of components that are specific to particular operating systems. The remaining components are available for all operating systems.

| Component Name | Type | Operating System |
|---|---|---|
| Add Plug and Play | Control Panel | XP, 2003 |
| Backup and Restore Center | Control Panel | Vista |
| BitLocker Enable | Control Panel | Vista, 2008, W7 |
| Calibrate Color | Control Panel | Vista, 2008, W7 |
| Clear Type Text | Control Panel | W7 |
| Desktop DPI | Control Panel | XP, 2003, Vista, 2008 |
| Disk Management | Management Snapin | Vista, 2008, W7 |
| Display | Control Panel | XP, 2003 |
| Easy Transfer | Control Panel | Vista, W7 |
| Install/Uninstall Languages | Management Snapin | Vista, 2008, W7 |
| iSCSI Initiator | Control Panel | Vista, 2008, W7 |
| Offline Files | Control Panel | Vista, 2008 |
| Power Options | Control Panel | XP, 2003 |
| Recovery Disc | Control Panel | Vista, 2008, W7 |
| Recovery Restore | Control Panel | Vista, 2008, W7 |
| Server Manager | Management Snapin | 2008 |
| System | Control Panel | XP, 2003, Vista, 2008, W7 |
| System Configuration | Control Panel | Vista, 2008, W7 |
| Task Scheduler | Management Snapin | Vista, 2008, W7 |
| Troubleshoot | Control Panel | Vista, 2008, W7 |
| Trusted Platform | Management Snapin | W7 |
| Windows Features | Control Panel | Vista, 2008, W7 |
| Windows Firewall Advanced Settings | Management Snapin | Vista, 2008, W7 |

Example

APPLYING A USER RIGHTS POLICY TO A CONTROL PANEL COMPONENT

1. Expand the applicable Group rule in the navigation pane and select the User Rights node.

2. Select the Components tab in the work area.

3. Right-click the work area and select Add Component.

The Select Components dialog displays.

4. Select the components you want the user to run as an administrator. For Example, Add and Remove Programs\Programs and Features.

5. Click OK.

The Components work area displays

6. Do one of the following:

To elevate the privileges for the selected component, select Builtin Elevate from the drop-down in the User Rights Policy column.

To restrict the privileges for the selected component, select Builtin Restrict from the drop-down in the User Rights Policy column.

7. Save the configuration.

The Select Components dialog displays a list of Control Panel and Management Snapin tools. You can choose to elevate or restrict privileges for each component. See Components on page 22 for a list of the components that are specific to a particular operating system.

One or more Control Panel and Management Snapin components can be selected in the Select Components dialog. This provides access only to the selected components and not the whole Control Panel and Management Snapins. Product icons representing the components are displayed in the Windows Control Panel dialog.

Merging Policies

A configuration can contain numerous User Rights Policies. These can be applied to multiple files, folders, signatures, and groups in the various rules. If any of these items in the rules match, and their policies are relevant, Application Manager merges the policies and the least restrictive policy takes precedence.

Application Manager also applies rule ordering against the policies to determine which policy takes precedence.

The rule ordering and precedence is as follows:

Signature with arguments

Signature

File with arguments

File

Folder

Signature with arguments takes the highest precedence.

Taking the above into account, when an application is specified both as a file and by its signature, only the policy for the signature is applied because a signature has higher precedence over a file.
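The matching and precedence rules described above (file and signature items with optional arguments, folder items with or without subfolders, environment variable substitution, and the least restrictive policy winning when several items of the same type match), as an added Python example that is not part of this guide or of AppSense's product. The SHA-1 that stands in for a signature, the environment mapping, the policy names other than the Builtin ones and the restrictiveness ranking of policies are assumptions.

```python
import fnmatch
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Item types in the documented precedence order, highest first.
PRECEDENCE = ["signature_args", "signature", "file_args", "file", "folder"]

# Assumed restrictiveness ranking for the "least restrictive wins" merge
# (lower = less restrictive). Custom policy names must be added by the caller.
DEFAULT_RANK: Dict[str, int] = {"Builtin Elevate": 0, "Builtin Restrict": 2}

# Constructed environment so the example behaves the same on any host.
ENV: Dict[str, str] = {"SystemRoot": r"C:\Windows",
                       "ProgramFiles": r"C:\Program Files"}


@dataclass(frozen=True)
class Item:
    kind: str                        # "signature", "file" or "folder"
    pattern: str                     # path pattern, or SHA-1 hex for a signature
    policy: str                      # User Rights Policy name
    arguments: Optional[str] = None  # wildcard pattern over the argument string
    subfolders: bool = True          # "Include subfolders" for folder items


@dataclass(frozen=True)
class Launch:
    path: str        # full path of the image being executed
    arguments: str   # command-line arguments
    sha1: str        # SHA-1 of the image, as a signature item records it


def expand_env(text: str, env: Dict[str, str] = ENV) -> str:
    """Replace %VAR% references, leaving unknown variables untouched."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1), m.group(0)), text)


def norm_path(path: str) -> str:
    return expand_env(path).replace("/", "\\").lower()


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def precedence(item: Item) -> int:
    key = item.kind
    if item.kind != "folder" and item.arguments is not None:
        key += "_args"
    return PRECEDENCE.index(key)   # ValueError for an unknown kind


def matches(item: Item, launch: Launch) -> bool:
    args_ok = item.arguments is None or fnmatch.fnmatchcase(
        expand_env(launch.arguments).lower(), expand_env(item.arguments).lower())
    if item.kind == "signature":
        return args_ok and launch.sha1.lower() == item.pattern.lower()
    path = norm_path(launch.path)
    if item.kind == "file":
        return args_ok and fnmatch.fnmatchcase(path, norm_path(item.pattern))
    if item.kind == "folder":
        folder = norm_path(item.pattern).rstrip("\\") + "\\"
        if not path.startswith(folder):
            return False
        # Without "Include subfolders" only files directly in the folder match.
        return item.subfolders or "\\" not in path[len(folder):]
    raise ValueError(f"unknown item kind: {item.kind}")


def resolve(items: List[Item], launch: Launch,
            rank: Dict[str, int] = DEFAULT_RANK) -> Optional[str]:
    """Return the policy name to apply, or None if no item matches."""
    matched = [i for i in items if matches(i, launch)]
    if not matched:
        return None  # token left unchanged by User Rights Management
    best = min(precedence(i) for i in matched)
    candidates = {i.policy for i in matched if precedence(i) == best}
    # Several items of the winning type: merge, least restrictive wins.
    return min(candidates, key=lambda p: rank[p])


# Constructed configuration mirroring the guide's examples (not real data).
DEVENV_SHA1 = sha1_hex(b"constructed devenv.exe image bytes")
RANK = {**DEFAULT_RANK, "Elevate Visual Studio": 0, "Run Debug": 1}
ITEMS = [
    # A component is an Add File item with arguments: mmc.exe running dfrg.msc.
    Item("file", r"%SystemRoot%\system32\mmc.exe", "Builtin Elevate",
         arguments=r"%SystemRoot%\system32\dfrg.msc c:"),
    Item("file", r"%ProgramFiles%\Microsoft Visual Studio\*\devenv.exe",
         "Elevate Visual Studio"),
    Item("signature", DEVENV_SHA1, "Builtin Restrict"),
    Item("file", "*", "Run Debug"),   # the "*" item from the debugging example
]
```

With ITEMS, a launch of devenv.exe whose image hash matches the signature item resolves to Builtin Restrict even though two file items also match, and a launch of mmc.exe with any other argument string falls through to the "*" item, which is why a bare "*" file item deserves a second look in a real configuration.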

Example Configurations

The following section consists of a number of example configurations for User Rights Management.

RESTRICT USERS FROM STARTING AND STOPPING SERVICES

Use User Rights Management to reduce privileges for the Services component so that the administrator cannot start and stop services.

1. Select the User Rights node beneath the BUILTIN\Administrators rules node.

2. Select the Components tab within the work area.

3. Right-click within the work area and select Add Component.

The Select Components dialog displays.

4. Select the Services component and click Add.

5. Select the drop-down arrow in the User Rights Policy column and select the Builtin Restrict policy.

6. Save the configuration.

Use the filter at the top of the Select Components dialog to filter by operating system.

ALLOW USERS TO PERFORM WINDOWS UPDATE

1. Select the User Rights node beneath the applicable rules node.

2. Select the Components tab within the work area.

3. Right-click within the work area and select Add Component.

The Select Components dialog displays.

4. Select the Automatic\Windows Update component and click Add.

5. Select the drop-down arrow in the User Rights Policy column and select the Builtin Elevate policy.

6. Save the configuration.

ALLOW USERS TO DEFRAGMENT DISKS

1. Select the User Rights node beneath the applicable rules node.

2. Select the Components tab in the User Rights work area.

3. Right-click within the work area and select Add Component.

The Select Components dialog is displayed.

4. Select the Defragment option, and click Add.

5. Select the drop-down arrow in the User Rights Policy and select the Builtin Elevate policy.

6. Save the configuration.

ALLOW USERS TO RUN VISUAL STUDIO AND DEBUG APPLICATIONS

Step 1 - Create a Policy to Elevate User Privileges

1. Select the Library > User Rights Policies node.

2. Select Add Policy on the User Rights ribbon.

3. Right-click the new policy and select Rename.

4. Enter an intuitive name for the policy, for example, Elevate Visual Studio.

5. Right-click the Group Membership tab in the Policy Contents work area and select Add Group Action.

The Account Selection dialog displays.

6. Enter the account into the Account field or use the Browse button to browse to the account.

7. Ensure Add Membership is selected in the Action column.

Step 2 - Allow Users to Run Visual Studio and Debug Applications

1. Select the Library > User Rights Policies node.

2. Select Add Policy on the User Rights ribbon.

3. Right-click the new policy and select Rename.

4. Enter an intuitive name for the policy, for example, Run Debug.

5. Select the Privileges tab.

The Privileges work area displays.

6. Click the Action column for the debugging privilege, SeDebugPrivilege, and select Enable.

Step 3 - Create a Group Rule

1. Select Rules > Group in the navigation pane.

2. Select the Add Rule drop-down arrow on the Rules ribbon and select Group Rule.

The Add Group Rule dialog is displayed

3. Enter the domain name into the Add Group Rule dialog and click Add.

Step 4 - Apply the Elevate Visual Studio Policy to the Rule

1. Select the User Rights node beneath the rule you have created. The User Rights work area displays.

2. Right-click within the work area and select Add > Add File.

The Add a File for User Rights Management dialog displays.

3. Browse to the Visual Studio application file.

4. Select the Apply policy to child processes option and click Add.

5. Select the Elevate Visual Studio policy in the User Rights column. This is the policy created in the above procedure (Step 1 - Create a Policy to Elevate User Privileges).

Step 5 - Apply the Run Debug Policy to the Rule

1. Right-click within the User Rights work area and select Add > Add File.

2. Enter * in the File path field. This is to allow for all debug applications.

3. Click Add.

4. Select the Run Debug policy in the User Rights column. This is the policy created in the above procedure (Step 2 - Allow Users to Run Visual Studio and Debug Applications).

Step 6 - Save the Configuration

1. Save the configuration.

WEB INSTALLATIONS

A number of Web Installations require the end user to have administrative rights. For example, an ActiveX control such as Adobe Flash Player or a web download such as Microsoft Silverlight.

A common scenario is whereby a standard user may attempt to download and install Adobe Flash Player. This requires administrative rights. When an attempt is made the User Account Control (UAC) dialog is displayed requesting the user to enter an administrative password. Most organizations will not want to give their users administrative rights.

The Web Installation feature of User Rights Management allows elevation to administrative rights for ActiveX installers from a particular domain. You can create a simple configuration whereby you enter the name of the domain only, or you can create an advanced configuration by specifying the CAB file for an item, its Class ID and the minimum and maximum version numbers. You can also specify that only signed controls from the domain can be installed.

CREATE A CONFIGURATION FOR ALLOWING THE INSTALL OF ADOBE FLASH PLAYER

1. Select the User Rights node for a particular group, for example, the Everyone group.

2. Select the Web Installations tab.

3. Right-click within the work area and select Add Web Installation.

The Add new Web Installation dialog displays.

4. Enter a name for the Web Installation in the Name field, for example, Adobe Flash.

5. Enter the URL in the Website URL field. For example, adobe.com, to allow installations from all of adobe.com.

6. Ensure the Only allow signed controls option is selected.

7. Click Add.

8. Ensure the default Builtin Elevate policy is selected in the User Rights Policy column.

9. Save the configuration.

All downloads that are signed and are from the specified website are allowed.

A CAB file is the Microsoft Windows compressed archive format. This format supports compression and digital signing and is used in a variety of Microsoft installation engines.

SNIPPETS

Snippets give Application Manager the ability to import and merge partial configurations into a currently open configuration in the console.

The latest snippets can be downloaded by logging into www.myappsense.com.

DOWNLOAD RECENT SNIPPETS FROM MYAPPSENSE

1. Select the User Rights node for a group, for example, the Everyone group.

2. Select the Web Installations tab.

3. Right-click the work area and select Import Snippet.

The Import Snippet dialog displays.

4. Click the myAppSense.com link in the dialog and log on to myAppSense.

The most recent snippets are displayed.

5. Select a snippet and save it to C:\Program Files\AppSense\Application Manager\Console\Snippets. This is the default location.

The snippet is now available in the Import Snippet dialog.

6. Select the snippet and click Add.

7. To view what is included in the snippet click the View the items that will be added to the configuration link.

A configuration report displays.

8. Click Continue.

The snippet is imported and you can view the items in the various nodes in the console.

SELF-ELEVATION

A number of applications require administrative rights to function or install. Administrators are often reluctant to give administrative credentials to standard users. To do so would allow the standard user to compromise the system.

An administrator can specify which applications can be self-elevated, that is, run with administrative rights, to enhance a standard user’s ability to perform their role.

When a user attempts to elevate a particular item an optional message can be displayed requesting why the user wants to self-elevate the item. The user cannot proceed until a reason is given.

Self-Elevation is audited by default. Auditing allows the administrator to monitor the types of applications that users typically want to self-elevate. If appropriate, these items can be added to the appropriate User Rights node in a configuration.

When Self-Elevation is enabled an option is shown on the Start menu or shortcut menu when the user right-clicks an application to be self-elevated. The default text for the menu option is Run with Administrative Rights (Audited). This menu option can be customized on the Self-Elevation tab of the Message Settings dialog (General Features ribbon).

ENABLE SELF-ELEVATION

1. Select the User Rights node for the applicable group, for example, the Everyone group.

2. Select the Self-Elevation tab.

3. Select the Enable Self-Elevation option.

4. Do one of the following:

Select the Only apply Self-Elevation to items in the list below option and add the items in the list below. Only items specified in the list can be self-elevated.

Select the Apply Self-Elevation to all items except those in the list below option and add the items in the list below. Self-elevation can be applied to all items except those specified in the list.

5. To hide the Windows Run as / Run as administrator menu option, select Hide the Run as administrator Windows option for Self-Elevated items.

The following file types are supported and can be self-elevated:

EXE

BAT

VBS

MSI

MSC

6. Do one of the following:

To display a message to the user requesting a reason for self-elevation, select the Click here to set the message displayed when the user self-elevates link. The Message Settings dialog displays with the Self-Elevation tab in focus.

To not display a message proceed to step 11.

7. Enter a name for the menu option in the Name field. This is the text that is displayed on the menu when the user right-clicks an item that can be self-elevated.

8. Enter text in the Caption field to display a caption at the top of the message. The default caption is Application Manager. You can change the default caption so that the user is not aware that Application Manager has intervened.

9. Enter text to display in the message in the Message body field. For example, to request a reason for self-elevating an item.

Use the %ExecutableName% environment variable given in the example in the dialog box to automatically populate the name of the application. The icon for the application is also automatically populated.

10. Click the Click here to see how this message will appear to users link to display an example of how the message will appear.

11. Save the configuration.

SECURING COMMON DIALOGS

An administrator can use Application Manager and User Rights Management to elevate a standard user to have administrative rights. Allowing a user to have administrative rights provides them with access to all files, including important system files, and the ability to, for example, delete or rename them. These actions can compromise a system.

Application Manager and User Rights Management provide a Secure Common Dialogs feature that prohibits users from manipulating files. The dialog boxes still open and provide access to files, but the files cannot be deleted or renamed.

Application Manager does not restrict access to areas a user ordinarily has access to.

ELEVATE TO ADMINISTRATOR AND SECURE COMMON DIALOGS

1. Right-click the Library > User Rights Policies node and select Add Policy. A new policy is created.

2. Right-click the new policy and select Rename.

3. Enter an intuitive name for the policy, for example, Elevate to Administrator.

4. Right-click the Group Membership tab in the Policy Contents work area and select Add Group Action.

The Account Selection dialog is displayed.

5. Enter the administrator account into the Account field or use the Browse button to browse to the account.

6. Ensure Add Membership is selected in the Action column. This is the default setting.

7. Select the User Rights node for the applicable group, for example, the Everyone group.

8. Right-click the Applications tab in the User Rights work area and select Add > Add File.

The Add a File for User Rights Management dialog displays.

9. Enter the name of the application that you want to secure common dialogs for or click the Browse button and browse to the application.

10. Ensure that the Standard user rights on common browse dialogs option is selected.

11. Click Add.

12. Ensure the policy created in steps 1 to 6 is selected in the User Rights Policy column.

13. Save the configuration.

The Add Membership option allows users to run an application as if they were part of the specified group. The Drop Membership option does not allow the users to run an application.

USING METADATA

Metadata can be used as advanced criteria when creating your item lists. For example, Microsoft Internet Explorer has unique metadata relating to product name, company and product version added by Microsoft upon creation or upgrade. By utilizing this information you can be more specific as to the criteria that needs to be met in order to apply the rules of your policy.

A file’s metadata can be viewed in Windows Explorer by right-clicking the file and selecting Properties; any existing metadata is displayed in the Details tab. Use the Metadata tab on the Add a File or Folder dialog to select the data to be used:

General:

Product Name - The name of the product.

Vendor - If the file has been digitally signed, this is the vendor name associated with the signature.

Company Name - The name of the company that produced the product.

File Description - The file or folder description as defined by the vendor or company.

File Version:

Minimum - Displays the minimum version number for the selected file.

Maximum - Displays the maximum version number for the selected file.

The information displayed can be amended to introduce a version range, where the minimum and maximum version numbers can be defined using wildcards and all versions of the file that fall within the range can be monitored.

Product Version:

Minimum - Displays the minimum product version number for the selected file.

Maximum - Displays the maximum product version number for the selected file.

The information displayed can be amended to introduce a version range, where the maximum version number can be defined using wildcards and all versions of the product that fall within the range can be monitored.

The information displayed can be amended to criteria which can include segments of the metadata; wildcards (*) can be used.

Wildcards can be used to substitute parts of the metadata information, allowing you to specify a required match based on a segment of the selected metadata. For example, if the vendor is Microsoft Corporation but you want anything associated with Microsoft, you could replace the word “Corporation” with a wildcard (*) to match anything associated with Microsoft, not only “Microsoft Corporation”.
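The metadata criteria described above (wildcard matching on Product Name, Vendor, Company Name and File Description, plus File Version and Product Version ranges whose bounds may end in a wildcard), as an added Python example that is not AppSense code. The treatment of a wildcard in a version bound, the absence of a Vendor value for an unsigned file, and the Internet Explorer metadata values are constructed assumptions.

```python
import fnmatch
from dataclasses import dataclass, replace
from typing import Optional, Tuple

Version = Tuple[int, ...]
MAX = 65535  # largest value a Windows version field can hold


@dataclass(frozen=True)
class Criteria:
    """One Metadata tab selection; None means the field is not checked."""
    product_name: Optional[str] = None
    vendor: Optional[str] = None           # signer name, present only if signed
    company_name: Optional[str] = None
    file_description: Optional[str] = None
    file_version_min: Optional[str] = None
    file_version_max: Optional[str] = None
    product_version_min: Optional[str] = None
    product_version_max: Optional[str] = None


@dataclass(frozen=True)
class FileMetadata:
    """Version resource and signature data as shown on the Details tab."""
    product_name: str
    company_name: str
    file_description: str
    file_version: str
    product_version: str
    vendor: Optional[str] = None           # None models an unsigned file


def parse_version(text: str) -> Version:
    """'11.0.9600.16428' -> (11, 0, 9600, 16428); short forms are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad version: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def version_bound(text: Optional[str], upper: bool) -> Optional[Version]:
    """Turn a Minimum/Maximum entry such as '11.0.*' into a concrete bound.

    Assumed semantics: a trailing wildcard fills the remaining fields with 0
    for a minimum and with MAX for a maximum, so '11.0.*' as both bounds
    covers every 11.0.x.y build.
    """
    if not text:
        return None
    parts: list = []
    for seg in text.strip().split("."):
        if seg == "*":
            parts.extend([MAX if upper else 0] * (4 - len(parts)))
            break
        parts.append(int(seg))
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad version bound: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def _text_ok(pattern: Optional[str], value: Optional[str]) -> bool:
    if pattern is None:
        return True          # field not selected on the Metadata tab
    if value is None:
        return False         # criterion set, but the file has no such field
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _range_ok(value: str, lo: Optional[str], hi: Optional[str]) -> bool:
    v = parse_version(value)
    lo_v, hi_v = version_bound(lo, upper=False), version_bound(hi, upper=True)
    return (lo_v is None or v >= lo_v) and (hi_v is None or v <= hi_v)


def criteria_match(c: Criteria, m: FileMetadata) -> bool:
    """True when every selected criterion is satisfied by the file's metadata."""
    return (_text_ok(c.product_name, m.product_name)
            and _text_ok(c.vendor, m.vendor)
            and _text_ok(c.company_name, m.company_name)
            and _text_ok(c.file_description, m.file_description)
            and _range_ok(m.file_version, c.file_version_min, c.file_version_max)
            and _range_ok(m.product_version,
                          c.product_version_min, c.product_version_max))


# Constructed sample metadata for an Internet Explorer binary (not real values).
IE_SIGNED = FileMetadata(
    product_name="Internet Explorer", company_name="Microsoft Corporation",
    file_description="Internet Explorer", file_version="11.0.9600.16428",
    product_version="11.00.9600.16428", vendor="Microsoft Corporation")
IE_UNSIGNED = replace(IE_SIGNED, vendor=None)   # same resource data, no signature
IE_OLD = replace(IE_SIGNED, file_version="10.0.9200.16384",
                 product_version="10.00.9200.16384")

# "Microsoft *" matches anything from Microsoft, not only "Microsoft Corporation";
# the version range admits every 11.0.x.y build and the Vendor check rejects
# an unsigned copy that carries identical version-resource strings.
CRITERIA = Criteria(product_name="Internet Explorer", vendor="Microsoft *",
                    file_version_min="11.0.*", file_version_max="11.0.*")
```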

ADDING METADATA FOR FILES AND FOLDERS

For the purpose of this example we are using metadata for an Applications File for the Everyone group.

1. Select the User Rights node in Rules > Group > Everyone > User Rights.

2. Click Add Item and from the drop-down arrow select Application > Add File.

3. Select the file that you want to add to your user rights policy.

The Add a File for User Rights Management dialog displays.

4. Enter or browse for the file, for example Notepad.exe.

5. Select the Metadata tab.

The Add a File dialog is populated with the metadata information.

6. Select the checkboxes for the required metadata criteria.

7. Click Add.

If metadata is already in use on the selected file or folder, that item is automatically excluded from the metadata check and can therefore be duplicated and used in other group rules.

GLOSSARY

AAC

Accessible Items

Agent

Analysis Service

Application Limit

CCA

Configuration

Configuration File

Configuration Profiler

Console

DAC

Deploy

DFS

Digital Signature

DLL

DNS

Event

Fast User Switching

Group Management

GUID

LSA

NetBIOS

Network Connection Item

Node

NTFS

OU

Prohibited Items

Process Rules

Rights Discovery

Rule

Security Identifier

Security Level

Self-Authorizing User

SHA-1

SID

Time Limits

Trusted Ownership

Trusted Vendors

UNC

User Rights Management

Wildcards

AAC

Citrix Advanced Access Control.

Accessible Items

Accessible Items are files, folders, drives or digitally signed files or groups of files in an Application Manager configuration Rights Discovery which are allowed to run when file execution requests are matched with the rule security settings and would otherwise be prohibited by other configuration settings.

See also: Prohibited Items, Trusted Vendors, User Rights Management

Agent

A proactive software component which implements the product configuration rules. For example, the Application Manager Agent is software that runs as a Windows service to validate execute requests according to the rules in the configuration installed on a computer.

Analysis Service

The Analysis Service is installed on any machine and is used to collect the data from the Rights Discovery.

Application Limit

Application Limits specify the number of instances of an application a user can run. An application limit can be applied to an item in the Accessible Items node.

Audit Only

Security Level assigned to users, groups or devices in an Application Manager Rights Discovery which audits events according to the Auditing Configuration without applying the rule. Used for passive monitoring in evaluations to assess application usage on the host environment.

CCA

Client Communications Agent. Installed on computers operating in an Enterprise installation to provide a link between the product agent running on a managed computer and the AppSense Management Center.

The CCA sends event data generated by the product agents to the Management Server and also polls the Management Server to manage the download and installation for software configuration, agent and package updates.

The CCA can be downloaded and installed directly on managed machines from the Management Server website.

Configuration

The Application Manager configuration consists of lists of files/folders that you have decided should be Accessible Items, Prohibited Items and Trusted Vendors. The configuration also contains optional settings and text to be displayed to the user. A configuration is created and managed using the Application Manager Console and used by the Application Manager Agent and is saved in Application Manager Package Files (*.aamp). The agent uses the configuration settings to determine whether or not an execute request is to be denied.

Configuration File

An Application Manager configuration exported from the Console and saved to Windows Installer MSI file format. The file can be installed on any computer and the configurations rules applied when an Application Manager Agent is present and running as a service on the computer.

Configuration Profiler

Generates reports detailing the current settings in the Configuration. Filtering options allow you to query settings affecting specific users or groups, devices, and files or folders.

Console

AppSense Application Manager software interface.

DAC

Discretionary Access Control.

Deploy

To deliver a configuration or AppSense software component to one or more computers, which can include the local machine.

Digital Signature

Application Manager uses the SHA-1 algorithm for applying a digital signature to uniquely identify files.

The signature can be used as a security measure when adding files as Accessible Items, Prohibited Items and Trusted Vendors.

Signatures can also be used for allowing applications on non-NTFS formatted drives to run, which Application Manager would otherwise block by default. Add the digital signatures to the Accessible Items list and disable trusted ownership checking for the individual files. Signature Group Management provides easier administration for large groups of signatures.

Accessible Items with digital signatures can be used to verify that the file which the user is attempting to run is actually the file permitted by the administrator.

Prohibited Items with digital signatures can be used to ensure the file is always prevented from executing, even when the user renames the file.

DLL

Dynamic link library. This is a collection of small programs which may be called upon when needed by an executable that is running. The DLL lets the executable communicate with a specific device such as a printer or may contain source code to do particular functions.

DFS

Distributed File System. A DFS is any file system that allows access to files from multiple hosts via a computer network. This makes it possible for multiple users on multiple machines to share files and storage resources.

DNS

Domain Name System. This is a database system that translates a computer’s fully qualified domain name into an IP address. Networked computers use IP addresses to locate and connect to each other. However, IP addresses are difficult to remember. For example, on the web it is easier to remember the domain name www.AppSense.com than its corresponding IP address. DNS allows you to connect to another networked computer or remote service by using its user-friendly domain name rather than its numerical IP address.

EPA

Endpoint Analysis.

Event

An Event is generated by Application Manager to report file execution requests, overwrites or renames and Self-Authorizing User decisions. The event number indicates the outcome of the request. Events are logged according to the method set up in the Auditing node.

Fast User Switching

The Fast User Switching feature in Microsoft Windows enables multiple user accounts to logon to a computer simultaneously. With this feature users can switch sessions without closing Windows, programs, and so on.

For example, User A is logged on and is browsing the Internet, User B wants to logon to their user account and check their email account. User A can leave their programs running while User B logs on and checks their email account. User A can then return to their session where their programs would still be running.

Group Management

Group Management is a library for compiling reusable groups of files, folders, drives, signatures and network connections which can be associated with rules in the configuration. For example, Groups can be used to manage licenses for a suite of software or common sets of applications for assigning to certain user groups.

GUID

Globally Unique Identifier.

LSA

Local Security Authority. This is an important required component of Windows that deals with login authentication and security policies. It verifies users logging on to a Windows computer or server and handles password changes.

NetBIOS

Network Basic Input/Output System. This is a program that allows applications on different computers to communicate within a local area network (LAN).

Network Connection Item

Network Connection identify.

Node

A node is a term used in the Application Manager Console to represent a branch in the navigation tree.

NTFS

New Technology File System. NTFS is the standard file system of Windows NT, including the later Windows versions: Windows 2000, Windows XP, Windows Server 2003, Windows Server 2008, Windows Vista, and Windows 7.

OU

Organizational Unit. A Microsoft Active Directory container that includes users and computers.

Prohibited Items

Prohibited items are files, folders, drives or digitally signed files or groups of files specified in an Application Manager Rights Discovery which are not allowed to run when file execution requests are matched with the rule security settings and would otherwise be allowed by other Configuration settings.

See also: Accessible Items and Trusted Vendors

Process Rules

Process rules allow you to manage access for a parent process to run child processes which might be managed differently in other rules. Process Rules include settings for adding Prohibited Items, Accessible Items, Trusted Vendors and User Rights Management.

Rights Discovery

Rights Discovery allows you to monitor which users are running applications that use administrative rights, and generates reports based on the results.

Rule

A Configuration rule assigns a Security Level to the specified users or groups, devices and combinations of these and contains control lists for Accessible Items, Prohibited Items, Trusted Vendors and Process Rules. The Application Manager agent intercepts kernel level file execution requests and matches these with the Configuration rules to implement security controls.

Security Identifier

(SID) A data structure of variable length that identifies user, group, and computer accounts. Every account on a network is issued a unique SID when the account is first created. Internal processes in Windows refer to an account's SID rather than the account's user or group name. Likewise, Application Manager also refers to a user or group by SID unless the SID could not be found when the entry was added to the configuration.

Security Level

Application Manager configuration Rights Discovery settings include security levels which specify how to manage requests to run unauthorized applications by the users, groups or devices which a rule matches.

Restricted — Only authorized applications can run. These include files owned by members of the Trusted Owners list and files listed in Accessible Items, Trusted Vendors and Trusted Ownership.

Self-Authorizing — Users are prompted for decisions about blocking or running unauthorized files on the host device.

Audit only — All actions are permitted but events are logged and audited, for monitoring purposes.

Unrestricted — All actions are permitted without event logging or auditing.

Self-Authorizing User

User, group or device granted control to choose whether to block or run an unauthorized application on the host computer. The Self-authorizing Security Level can be assigned in an Application Manager Rights Discovery to match a file execute request for users, groups or devices.

SHA-1

Secure Hash Identifier.

SID

See Security Identifier.

Time Limits

Settings applied to entries in the Accessible Items and Prohibited Items nodes of an Application Manager Rights Discovery which determine day and time ranges when the controls apply.

For example, an entry in the Prohibited Items node of a rule can prevent users from running the local web browser except between the hours of 12pm and 2pm on specific days of the week.

Trusted Ownership

Trusted Ownership checking is a secure method Application Manager uses to prevent users running unauthorized applications. On NTFS formatted drives, files have owners, and Application Manager is configured by default to only allow files to be executed if the file owner is a member of the Trusted Owners list. If a user tries to run a file that is not owned by a trusted owner, the execute request is denied and a message notifies the user. Any files downloaded from the internet or received in email are owned by the user, so those files are not permitted to run unless ownership is held by a member of the Trusted Owners list.

By default, Application Manager blocks execution requests for all applications on non-NTFS formatted drives.

Trusted Vendors

Trusted Vendors are digital certificates signed by trusted sources. Trusted Vendor checking allows applications which fail Trusted Ownership checking to match digital certificates with the Trusted Vendors list.

A list of Trusted Vendors can be defined for each User, Group, Device, Custom and Scripted Rule of the configuration.

Application Manager queries each file execution which fails Trusted Ownership checking to detect the presence of a digital certificate. If the file has a digital certificate which is signed by a certificate authority matching a valid entry in the Trusted Vendor list, the file is allowed to run.

Trusted Vendor matching takes place when a file is prohibited by failing Trusted Ownership checking and Trusted Application checking.
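The decision sequence that the Security Level, Trusted Ownership and Trusted Vendors entries describe (with Prohibited Items matched by digital signature, so a rename does not evade them), as an added Python model that is not AppSense code. The order in which the checks are applied, and the owner, vendor and hash values, are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Added example, not AppSense code; the order of the checks is an assumption.
@dataclass
class FileInfo:
    path: str
    owner: str            # NTFS owner; files on non-NTFS drives have none
    on_ntfs: bool = True
    signer: str = ""      # certificate authority that signed the file, if any
    sha1: str = ""        # the file's digital signature (SHA-1)

@dataclass
class Rule:
    security_level: str   # Restricted, Self-Authorizing, Audit only or Unrestricted
    trusted_owners: set
    trusted_vendors: set
    accessible: set       # Accessible Items: paths or SHA-1 digests
    prohibited: set       # Prohibited Items: paths or SHA-1 digests

def _listed(items, f):
    # Match by path (case-insensitive) or by digital signature, so a SHA-1
    # entry still matches after the user renames the file.
    low = {i.lower() for i in items}
    return f.path.lower() in low or (f.sha1 != "" and f.sha1.lower() in low)

def evaluate(rule, f):
    """Return (decision, reason); decision is 'allow', 'deny' or 'prompt'."""
    if rule.security_level == "Unrestricted":
        return "allow", "unrestricted: permitted, no event logged"
    if rule.security_level == "Audit only":
        return "allow", "audit only: permitted, event logged"
    if _listed(rule.prohibited, f):
        return "deny", "prohibited item"
    if _listed(rule.accessible, f):         # also how non-NTFS files are permitted
        return "allow", "accessible item"
    if f.on_ntfs and f.owner in rule.trusted_owners:
        return "allow", "trusted ownership"
    if f.signer and f.signer in rule.trusted_vendors:   # only after ownership fails
        return "allow", "trusted vendor"
    if rule.security_level == "Self-Authorizing":
        return "prompt", "self-authorizing user decides"
    return "deny", "restricted: untrusted owner, no trusted vendor"

# Constructed sample rule; owner names, vendor and hash are placeholders.
RULE = Rule("Restricted", {r"BUILTIN\Administrators", r"NT AUTHORITY\SYSTEM"},
            {"Example Vendor CA"}, {r"E:\tools\approved.exe"}, {"sha1-of-blocked-tool"})

if __name__ == "__main__":
    print(evaluate(RULE, FileInfo(r"C:\Users\alice\Downloads\setup.exe", r"CORP\alice")))
```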

UNC

Universal Naming Convention. This is a NetBIOS naming format for identifying the location of servers, printers, and other resources on a local area network (LAN). Almost all LANs are based on NetBIOS, making a NetBIOS naming format an easy and compatible way to access files and resources across a network.

UNC begins with two backslashes (\\) and takes the form:

\\Computer_name\Share_name

User Rights Management

User Rights Management provides a granular approach to delegating administrative rights to users and applications by assigning rights according to merit. This level of control can be deployed to elevate or restrict privileges on a case by case basis according to the preferred approach taken in the environment.

Wildcards

Both the asterisk (*) and question mark (?) characters can be used in a file or folder path in the Application Manager Console. The asterisk represents one or more characters, excluding the back slash (\) character, whilst the question mark wildcard represents one character, excluding the forward slash (/) character. Both of the wildcard characters can be used in any part of a file path, including the drive letter for local paths.

For example, c:\sample path\test?\*.exe matches all files with the .exe extension in the folders c:\sample path\test1, c:\sample path\test2, ... c:\sample path\testn. But since the question mark can only replace one character, it does not match c:\sample path\test100. The only limitation imposed by Application Manager on the use of wildcards is that the asterisk cannot be used to match more than one subdirectory.
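The wildcard rules above, together with the vendor-metadata wildcard from the metadata section earlier in this chapter, as an added Python matcher that is not part of the guide or the product. The paths are constructed, and applying the same rules to metadata fields as to paths is an assumption.

```python
import re

# Added example, not AppSense code: the guide's wildcard rules as a regex.
#   '*'  one or more characters, never a backslash (cannot span folders)
#   '?'  exactly one character, never a forward slash
# Windows paths compare case-insensitively.
def wildcard_to_regex(pattern):
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(r"[^\\]+")
        elif ch == "?":
            parts.append(r"[^/]")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)

def path_matches(pattern, path):
    """True when the whole path matches the pattern."""
    return wildcard_to_regex(pattern).fullmatch(path) is not None

def vendor_matches(pattern, vendor):
    """Metadata match such as 'Microsoft *' against a file's Vendor field.
    Assumption: metadata fields follow the same wildcard rules as paths."""
    return wildcard_to_regex(pattern).fullmatch(vendor) is not None

if __name__ == "__main__":
    pat = r"c:\sample path\test?\*.exe"                  # the guide's own example
    for p in (r"C:\sample path\test1\calc.exe",          # matches
              r"C:\sample path\test100\calc.exe",        # '?' is one character
              r"C:\sample path\test2\sub\calc.exe"):     # '*' cannot span folders
        print(p, "->", path_matches(pat, p))
    print(vendor_matches("Microsoft *", "Microsoft Corporation"))
```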