
Safeguard Privilege Manager for Windows 4.3 - Administrator Guide


Configuring temporary session elevation

Available only in Privilege Manager Professional and Professional Evaluation editions.

Temporary Session Elevation (TSE) allows an administrator to generate elevation passcodes that give end users the ability to temporarily elevate the privileges of any process or application on their machine. The passcodes work for both on-network and off-network machines, even when there is no active internet connection.

Using the Temporary Session Elevation Passcode Manager

Before you configure temporary session elevation settings, ensure the following components are set up:

  1. The client is running on the computers you want to apply the settings to;
  2. The server is configured and running, and the port you selected for incoming data is allowed (the default port is 8003);
  3. Client data collection settings are enabled for the selected GPO; and
  4. The client is enabled to use offline passcodes to create temporary elevated sessions (enabled in the Client Deployment Settings wizard).

To use the Temporary Session Elevation Wizard to set up privileges:

  1. Open the wizard:
    1. Open Passcode Manager from the Temporary Session Elevation section on the navigation pane of the console.
  2. Create a new passcode:
    1. Click New to start the Instant Elevation TSE passcode generator.
  3. Enable the Instant On Demand Privilege Elevation settings on the State tab.
    1. Choose Enabled, otherwise the settings won't apply to the selected GPO.
    2. Choose Not Configured to enable child GPOs to inherit settings from their parent.
  4. Use the Groups tab to alter the settings. By default, users of the target GPO will automatically inherit the administrator's settings (BUILTIN\Administrators).
  5. Complete the advanced options in the Privileges, Integrity and Validation Logic tabs.
  6. The passcode is created on the next tab, Passcode.
    1. Enter a Title to describe the passcode.
    2. Enter a Maximum allowed usage. This is the number of times the passcode can be used before it expires.
    3. Enter a Duration. The duration is the amount of time the passcode will remain active once it has been activated.
    4. Optionally, select the checkbox to End all elevated processes (and child processes) when Passcode duration expires. If selected, this will close all windows that were opened with a Temporary Session Elevation passcode.
    5. Click Export to file to save the passcode for end user use.
  7. Click Finish to complete the wizard.
    1. Deliver the passcode to the user.
  8. Run a Temporary Session Elevation Usage Report to view the processes that have been launched. For more information, see Temporary Session Elevation Request Report.

Configuring privileged application discovery

Available only in Privilege Manager Professional and Professional Evaluation editions.

Use the Privileged Application Discovery Settings Wizard to collect information about the privileged applications used over your network during a specified time period. By default, once this feature is enabled, it is set to collect information for two weeks, but you can adjust the setting.

Using the Privileged Application Discovery Settings Wizard

Before you configure privileged application discovery settings, ensure the following components are set up:

  1. The client is running on the computers you want to apply the settings to;
  2. The server is configured and running, and the port you selected for incoming data is allowed (the default port is 8003); and
  3. Client data collection settings are enabled for the selected GPO.

To use the Privileged Application Discovery Settings Wizard to set up, modify, or discard settings:

  1. Open the wizard:
    1. Open the Privileged Application Discovery Settings Wizard from the Setup Tasks section. It will always show the default settings, or
    2. Double-click Privileged Application Discovery Settings on the Advanced Policy Settings tab of the target GPO. The changes made within the wizard will be saved here.
  2. Enable the Privileged Application Discovery Settings on the State tab.
    1. Choose Enabled, otherwise the settings won't apply to the selected GPO.
    2. Choose Not Configured to enable child GPOs to inherit settings from their parent.
  3. Use the Settings tab to set the period during which the settings will apply and the data will be collected (a month by default).
  4. Click Next to use validation logic to target the settings to specific client computers or user accounts within the GPO, or click Finish to save your settings and quit.

    If an error message indicates that the target GPO has not been selected:

    1. Click OK to close the message window.
    2. Open the GPO tab and select the desired GPO.
  5. Click Next to use the Filters tab to filter out Application Discovery data according to application-specific criteria.

    On the Filters tab, select the checkbox to enable application filters.

    Enter filter criteria in at least one of the available boxes (Executable path contains, Product name contains, Publisher name contains, and File description contains).

    An application only needs to meet a single filter criterion for its Application Discovery data to be filtered out. A comma delimiter can be used to enter multiple criteria in each filter box.

    NOTE: The Privilege Manager client will not transmit any Application Discovery data for application(s) that meet any of the existing filter criteria.

  6. Click Save on the GPO toolbar to save the new settings.
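Because a single matching criterion in any box suppresses an application's discovery data entirely, it is worth checking what a proposed filter set would hide before saving it. The following is an added example that models the filter semantics described above (four "contains" boxes, comma-delimited criteria, any single match filters the application out); it is not code from the Privilege Manager product, and the record field names, case-insensitive matching and sample applications are assumptions constructed for illustration.

```python
"""Model of the Privileged Application Discovery filter semantics:
four 'contains' boxes, each holding comma-delimited criteria; an
application that meets ANY single criterion is filtered out, i.e. the
client would not transmit its discovery data. Added example, not
product code; field names and sample data are constructed."""
from dataclasses import dataclass


@dataclass
class DiscoveredApp:
    executable_path: str
    product_name: str
    publisher_name: str
    file_description: str


# Each filter box and the record field it inspects (assumed names).
FILTER_FIELDS = {
    "executable_path_contains": "executable_path",
    "product_name_contains": "product_name",
    "publisher_name_contains": "publisher_name",
    "file_description_contains": "file_description",
}


def parse_criteria(box_text: str) -> list[str]:
    """Split one box on commas; drop blanks and surrounding spaces.
    Case-insensitive matching is an assumption, not stated on the page."""
    return [c.strip().lower() for c in box_text.split(",") if c.strip()]


def is_filtered_out(app: DiscoveredApp, filters: dict) -> bool:
    """True if the app meets at least one criterion in any box."""
    for box, field in FILTER_FIELDS.items():
        value = getattr(app, field).lower()
        if any(crit in value for crit in parse_criteria(filters.get(box, ""))):
            return True
    return False


def apply_filters(apps, filters):
    """Split apps into (transmitted, suppressed) for reviewing a filter set."""
    transmitted = [a for a in apps if not is_filtered_out(a, filters)]
    suppressed = [a for a in apps if is_filtered_out(a, filters)]
    return transmitted, suppressed


# Constructed sample data: two apps under paths the filter names, one outside.
SAMPLE_APPS = [
    DiscoveredApp(r"C:\Windows\System32\cmd.exe", "Microsoft Windows",
                  "Microsoft Corporation", "Windows Command Processor"),
    DiscoveredApp(r"C:\Program Files\Vendor\tool.exe", "Vendor Tool",
                  "Vendor Inc", "Administration tool"),
    DiscoveredApp(r"C:\Users\alice\Downloads\setup.exe", "Unknown Setup",
                  "", "Setup"),
]
SAMPLE_FILTERS = {
    "executable_path_contains": r"C:\Windows\System32, C:\Program Files\Vendor",
    "publisher_name_contains": "",
}
```

Running `apply_filters(SAMPLE_APPS, SAMPLE_FILTERS)` shows that only the unsigned download under the user profile would still be reported, which is the kind of review that catches an overly broad path filter before it silently hides data.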

Processing discovered privileged applications

Once a privileged process has started (or failed to start) on a client computer, the corresponding information is sent to the server and displayed in the Privileged Application Discovery section of the console (provided that your environment is properly configured according to the Maximum Sleep Time setting).

You can only view data stored in the database of the server that is selected in the server configuration (Setup Tasks > Configure a Server).

When processing a discovered privileged application, you can either create a rule for it so that a user without elevated privileges can launch it, or choose to mark it as processed so that it will not display in the list (unless the filter is specifically set to display it).

Use the Generate Rules wizard to automatically create a number of rules for different types of applications in one pass. Rules are created based on the preferences with which the application was started. You can select an application and view its preferences in the Privileged Applications Discovered grid.

Using the Generate Rules Wizard

To view discovered privileged applications and generate rules for them:

  1. Open the Privileged Application Discovery section from the navigation pane of the console. The applications will be displayed in the window to the right.
  2. Click the Display applications button to list the privileged applications and other processes that were started (or failed to start), based on the default filter settings shown in the Applied Filters section at the top of the screen.
  3. Select an application in the Privileged Applications Discovery grid below. Use the grid's column headers to sort the applications.

    By default, you'll see:

    1. Any type of privileged application;
    2. Privileged applications that were discovered during the last 30 days; and
    3. Privileged applications that have no generated rule in the current section, or are marked as ignored in it.
  4. Use the Applied Filters wizard to modify the list. You can create multiple shared filter sets and save settings that other administrators can use. For more information, see Using the Applied Filters Wizard.
  5. Select a record and then click the Generate rules button to open the Generate Rules Wizard.
    1. On the first tab of the wizard, specify your rule type preferences. Click Next.
    2. Add validation logic preferences into the rule, if necessary. The selected preferences will be used to create the corresponding validation logic type. Click Next.
    3. Review your rules and click Next, or
      1. Click the Review rules that will be created button to open a window with more information.
      2. Click the Details button for more information, or click Close.
    4. Select a target GPO for the rule and specify the GPO policy type. By default, the Administrators group (stored within the BUILTIN\Administrators Active Directory OU) will be added to the rule. Click Create to save the rule.
  6. Once a rule has been created for a discovered privileged application, or the application has been marked as ignored, it is considered processed.
  7. To view ignored applications or applications for which rules were created, change the Process Date of Item filter in the Applied Filters Wizard from "None: Item has not been processed" to the corresponding Date Range.
  8. The rule created from the application will be added to the selected GPO with a default name.
  9. Select Export to export the list of applications presented in the grid. The list will be saved as an .xls file.

After the rule has been created:

  1. The rule will be added to the target GPO of the Group Policy Settings section; and
  2. The rule will apply after the GPO settings are updated on the client computer.

Deploying rules

Privilege Manager for Windows can create Privilege Elevation Rules and Blacklist Rules. Privilege Elevation rules raise the permission level of the user for an application. Blacklist rules deny a user access to an application, regardless of what their default domain user permissions allow.

You can create five types of rules with Privilege Manager for Windows:

Available only in Privilege Manager Professional and Professional Evaluation editions:

You can create a rule in one of the following ways:

  • Create a default rule using the Create GPO with Default Rules Wizard.
  • Create a new rule using the Group Policy Management Editor or the Create Rule Wizard.

Once you create a rule, you can:

Using the Create GPO with Default Rules Wizard

Using the Create GPO with Default Rules Wizard (Privilege Elevation Rules only)

Privilege Manager for Windows contains a range of useful default rules that you can add to a new or existing GPO. To create the default rules provided by Privilege Manager, use the Create GPO with Default Rules Wizard. To access the wizard from the Getting Started screen, select the Setup Tasks tab and then double-click Create GPO with default rules.

NOTE: Rules created with this process are Privilege Elevation rules only. Blacklist rules cannot be created here.

To use the Create GPO with Default Rules Wizard:

  1. Double-click Create GPO with default rules to open the wizard.
  2. Read the text in the Introduction dialog and click Next.
  3. In the Select privilege elevation rules dialog, select your operating system from the drop-down menu and select the corresponding rules from a list of common ones. Click Next.
  4. In the Select target GPO dialog, select or create a GPO to assign the rule to:
    1. Select a GPO from the list under the domain that your local computer is a part of, or
    2. Select a domain, click the Create GPO button, name it, and click OK. The newly created GPO will be added to the All GPOs list in the Group Policy Objects container, or
    3. Link any GPO not marked with the icon to your domain or Active Directory OU.
      1. Highlight the GPO in the left pane and click the Link GPO button on the right to link the GPO to the domain or an OU.
      2. Browse for an OU or add the GPO to the domain in the dialog that displays.
      3. Click OK.
      4. Once the rule is created, its icon will change to indicate that it contains a rule, and it will be listed in the GPOs with Policy Settings node.

      NOTE: You can only link a GPO to an item for which you have sufficient rights. For more information, see Select user policy or computer policy.

  5. Click Finish to save and apply the rule. If you have not specified the required data, the wizard will notify you.
  6. An error message will notify you if you have insufficient permissions to perform any of the operations listed above.
    1. You must have permission to perform the same actions in the GPMC.
    2. Contact your system administrator to get the proper permissions.
  7. The rule will display in the list of rules for the corresponding GPO under the Group Policy Settings section.
  8. The rule will apply once the Group Policy is updated on the client computer.
  9. A message will notify you that the rule’s parameters will change once the trial period expires, if you create a rule with any of the Privilege Manager Professional features while using the evaluation edition. For more information, see Editions.
  10. Modify the rule, as necessary. For more information, see Managing rules.