Safeguard Privilege Manager for Windows 4.4 - Administrator Guide

Configuring temporary session elevation

Available only in Privilege Manager Professional and Professional Evaluation editions.

Temporary Session Elevation (TSE) allows an administrator to generate Elevation passcodes that can provide end users the ability to temporarily elevate the privileges of any process or application on their machine. The passcodes work for both on-network and off-network machines, even if there are active internet connections.

Temporary Session Elevation passcodes are intended to be used during a specific user session. A user session comprises the period between the user logon and logoff times, regardless of the reason that caused the logoff.

Temporary Session Elevation passcode usage can be limited by time or number of uses. More granular limitations can selected by using Validation Logic in the passcode. Examples of this are limiting use by computer name, user name or time and date range. When the passcode is used on a client computer, Validation Logic allows or denies usage based on selected options.

For more information, see the following KB articles:

• Temporary Session Elevation: Duration (293630)
• Temporary Session Elevation: What is a session? (293610)

Using the Temporary Session Elevation Passcode Manager

Before you configure Temporary Session Elevation settings, ensure the following components are set up:

1. The Client is running on the computers you want to apply the settings to.
2. The Server is configured and running with the port that you have selected allowed for incoming data (the default port is 8003).
3. Client data collection settings are enabled for the selected GPO.
4. The cCient is enabled to use offline passcodes to create Temporary Elevated Sessions (enabled in the Client Deployment Settings wizard).

To use the Temporary Session Elevation Wizard to set up privileges:

1. Open the wizard:
   1. Open Passcode Manager from the Temporary Session Elevation section on the navigation pane of the Console.
2. Create a new passcode:
   1. Click New to start the Instant Elevation TSE passcode generator.
3. Enable the Instant On Demand Privilege Elevation settings on the State tab.

4. Use the Groups tab to alter the settings. By default, users of the target GPO will automatically inherit the administrator's settings (BUILTIN\Administrators).
5. Complete the advanced options in the Privileges, Integrity and Validation Logic tabs.
6. The Passcode is created on the next tab, Passcode.
   1. Enter a Title to describe the passcode.
   2. Enter a Maximum allowed usage. This is the number of times the passcode can be used before expiring.
   3. Enter a Duration. The duration is the amount of time the passcode remains active, after being activated.
   4. Optionally, select the check box to End all elevated processes (and child processes) when Passcode duration expires. If selected, all windows that are opened with a Temporary Session Elevation passcode are closed.
   5. Click Export to file to save the passcode for end-user use.
7. Click Finish to complete the wizard.
   1. The passcode is delivered to the user for usage.

8. Run a Temporary Session Elevation Usage Report to view the processes that have been launched. For more information, see Temporary Session Elevation Request Report.

Configuring privileged application discovery

Available only in Privilege Manager Professional and Professional Evaluation editions.

Use the Privileged Application Discovery Settings Wizard to collect information about the privileged applications used over your network during a specified time period. By default, once this feature is enabled, it is set to collect information for two weeks, but you can adjust the setting.

Using the Privileged Application Discovery Settings Wizard

Before you configure privileged application discovery settings, ensure the following components are set up:

1. The Client is running on the computers you want to apply the settings to;
2. The Server is configured and running with the port that you have selected allowed for incoming data (the default port is 8003); and
3. Client data collection settings are enabled for the selected GPO.

To use the Privileged Application Discovery Settings Wizard to set up, modify, or discard settings:

1. Open the wizard by completing one of the following steps:
   • Open the Privileged Application Discovery Settings Wizard from the Setup Tasks section. It always shows the default settings.
   • On the Advanced Policy Settings tab of the target GPO, double-click Privileged Application Discovery Settings. The changes made within the wizard are saved here.

2. Enable the Privileged Application Discovery Settings on the State tab.

   • Choose Enabled, to ensure the settings apply to the selected GPO.
   • Choose Not Configured, to enable child GPOs to inherit settings from their parent.
3. Use the Settings tab to set the period during which the settings apply and the data is collected (a month by default).

4. Click Next to use Validation Logic to target the settings to specific client computers or user accounts within the GPO, or click Finish to save your settings and quit.

   If an error message indicates that the target GPO is not selected:

   1. Click OK to close the message window.
   2. Open the GPO tab and select the desired GPO.
5. Click Next to use the Filters tab to filter out Application Discovery data according to different application specific criteria.

   On the Filters tab, select the check box to enable application filters.
   

   Enter filter criteria in one or more of the available boxes (Executable path contains, Product name contains, Publisher name contains, and File description contains).

   An application only needs to meet a single filter criteria in order for its Application Discovery data to be filtered out. A comma delimiter can be used to enter multiple criteria in each filter box.

   NOTE: The Privilege Manager Client does not transmit any Application Discovery data for one or more applications that meet any of the existing filter criteria.

6. Click Save on the GPO toolbar to save the new settings.

Processing discovered privileged applications

Once a privileged process starts (or failed to start) on a client computer, the corresponding information is sent to the Server and displayed in the Privileged Application Discovery section of the Console (provided that your environment is properly configured according to the Maximum Sleep Time setting).

You can only view data stored in the database of the server that is selected in the Server configuration (under Setup Tasks > Configure a Server).

When processing a discovered privileged application, you can either create a rule for it so that a user without elevated privileges can launch it, or choose to mark it as processed so that it will not display in the list (unless the filter is specifically set to display it).

Use the Generate Rules wizard to automatically create a number of rules for different types of applications in one pass. Rules are created based on the preferences with which the application was started. You can select an application and view its preferences in the Privileged Applications Discovered grid.

Using the Generate Rules Wizard

To view discovered privileged applications and generate rules for them:

1. Open the Privileged Application Discovery section from the navigation pane of the Console. The applications are displayed in the window on the right.
2. Click the Display applications button to list the privileged applications and other processes that are started (or failed to start), based on the default filter settings shown in the Applied Filters section on the top of the screen.
3. Select an application in the Privileged Applications Discovery grid below. Use the grid's column headers to sort the applications.

4. Use the Applied Filters wizard to modify the list. You can create multiple shared filter sets and save settings that other administrators can use. For more information, see Using the Applied Filters Wizard.
5. Select a record and then click the Generate rules button to open the Generate Rules Wizard wizard.
   1. On the first tab of the wizard, specify your rule type preferences. Click Next.
   2. Add Validation Logic preferences into the rule, if necessary. The selected preferences will be used to create the corresponding Validation Logic type. Click Next.
   3. Review your rules and click Next, or
      1. Click the Review rules that will be created button to open a window with more information.
      2. Click the Details button for more information, or click Close.

   4. Select a target GPO for the rule and specify the GPO policy type. By default, the Administrators group (stored in the BUILTIN\Administrators Active Directory OU) is added to the rule. Click Create to save the rule.

6. Once a discovered privileged application is processed and a rule is created for it, or it has been marked as ignored, the application is considered processed.
7. To view ignored applications or applications for which the rules are created, change the Process Date of Item filter on the Applied Filters Wizard from None: Item has not been processed to the corresponding Date Range.
8. The rule created from the application is added to the selected GPO with a default name.
9. Select Export to export the list of applications presented on the grid. The list is saved as an .xls file.

After the rule has been created:

• The rule is added to the target GPO of the Group Policy Settings section.
• The rule applies after the GPO settings are updated on the client computer.

Deploying rules

Privilege Manager for Windows can create Privilege Elevation Rules and Blacklisting Rules. Privilege Elevation rules are rules that raise the permissions level of the user for an application. Blacklisting rules deny a user access to an application, regardless of what their default domain user permissions allows.

You can create five types of rules with Privilege Manager for Windows:

• By Path to the Executable: a file rule that applies to the path to an executable. For more information, see Creating file rules.
• By Folder Path: a folder path rule that applies to all processes run from a path. For more information, see Creating folder path rules.
• By ActiveX Rule: an ActiveX rule that applies to a specific URL. For more information, see Creating ActiveX rules.

Available only in Privilege Manager Professional and Professional Evaluation editions:

• By Path to Windows Installer: a rule that applies to the path to Windows Installer files and patches. For more information, see Creating rules for Windows Installer files.
• By Path to Script File: a rule that applies to the path to a script file. For more information, see Creating rules for script files.

You can create a rule in one of the following ways:

• Create a default rule using the Create GPO with Default Rules Wizard.
• Create a new rule using the Group Policy Management Editor or the Create Rule Wizard.

Once you create a rule, you can:

• Test the rule. For more information, see Testing rules.
• Edit or delete the rule. For more information, see Managing rules.
• Build a report to view the rule's settings, save them into a file, and get statistics on the rule’s usage. For more information, see Reporting.

Using the Create GPO with Default Rules Wizard

Using the Create GPO with Default Rules Wizard (Privilege Elevation Rules only)

Privilege Manager for Windows contains a range of useful default rules that you can add to a new or existing GPO. To create the default rules provided by Privilege Manager, use the Create GPO with Default Rules Wizard. To access the wizard from the Getting Started screen, select the Setup Tasks tab and then double-click Create GPO with default rules.

To use the Create GPO with Default Rules Wizard:

1. Double-click Create GPO with default rules to open the wizard.
2. Review the text in the Introduction dialog and click Next.
3. In the Select privilege elevation rules dialog, select your operating system from the drop-down menu and select the corresponding rules from a list of common ones. Click Next.
4. In the Select target GPO dialog, select or create a GPO to assign the rule to complete one of the following steps:
   • Select a GPO from the list under the domain that your local computer is a part of.
   • Select a domain, click the Create GPO button, name it, and click OK. The newly created GPO is added to the All GPOs list in the Group Policy Objects container.
   • Link any GPO not marked with the icon to your domain or Active Directory OU.
     1. Highlight the GPO in the left pane and click the Link GPO button on the right to link the GPO to the domain or an OU.
     2. Browse for an OU or add the GPO to the domain in the dialog box that appears.
     3. Click OK.
     4. Once the rule is created, its icon changes to to indicate that it contains a rule and it is listed in the GPOs with Policy Settings node.

     Note: You can only link a GPO to an item for which you have sufficient rights. For more information, see Select user policy or computer policy.

   • Click Finish to save and apply the rule. If you did not specified the required data, the wizard notifies you.

5. An error message will notify you if you have insufficient permissions to perform any of the operations listed above.

   • You must have permission to perform the same actions in the GPMC.
   • Contact your system administrator to get the proper permissions.

6. The displays in the list of rules for the corresponding GPO under the Group Policy Settings section.

7. The rule is applied once the Group Policy is updated on the client computer.
8. A message notifies you that the rule’s parameters change when the trial period expires, if you create a rule with any of the Privilege Manager Professional features while using the evaluation edition. For more information, see Editions.
9. Modify the rule, as necessary. For more information, see Managing rules.