Safeguard Privilege Manager for Windows 4.5 - Administration Guide

Configuring Temporary Session Elevation

Available only in Safeguard Privilege Manager for Windows Professional Edition and Professional Evaluation Edition.

Temporary Session Elevation (TSE) allows an administrator to generate Elevation passcodes that can provide end users the ability to temporarily elevate the privileges of any process or application on their machine. The passcodes work for both on-network and off-network machines, even if there are active internet connections.

Temporary Session Elevation passcodes are intended to be used during a specific user session. A user session comprises the period between the user logon and logoff times, regardless of the reason that caused the logoff.

Temporary Session Elevation passcode usage can be limited by time or by number of uses. More granular limitations can be selected by using Validation Logic in the passcode, for example limiting use by computer name, user name, or time and date range. When the passcode is used on a client computer, Validation Logic allows or denies usage based on the selected options.

NOTE: In some cases, Temporary Session Elevation and Blacklisting rules are configured for the same target application. In this case, Blacklisting takes precedence over Temporary Session Elevation and prevents the application from starting. For more information about creating Blacklisting rules, see Using the Create Rule Wizard.

For more information, see the following Knowledge Base Articles:

Using the Temporary Session Elevation Passcode Manager

Before you configure Temporary Session Elevation settings, ensure the following components are set up:

  1. The Client is running on the computers you want to apply the settings to.

  2. The Server is configured and running with the port that you have selected allowed for incoming data (the default port is 8003).

  3. Client data collection settings are enabled for the selected GPO.

  4. The Client is enabled to use offline passcodes to create Temporary Elevated Sessions (enabled in the Client Deployment Settings wizard).

To use the Temporary Session Elevation Wizard to set up privileges

  1. Open the wizard:

    1. Open Passcode Manager from the Temporary Session Elevation section on the navigation pane of the Console.

  2. Create a new passcode:

    1. Click New to start the Instant Elevation TSE passcode generator.

  3. Enable the Instant On Demand Privilege Elevation settings on the State tab.

    • Choose Enabled, to ensure the settings apply to the selected GPO.

    • Choose Not Configured, to enable child GPOs to inherit settings from their parent.

  4. Use the Groups tab to alter the settings. By default, users of the target GPO will automatically inherit the administrator's settings (BUILTIN\Administrators).

  5. Complete the advanced options in the Privileges, Integrity and Validation Logic tabs.

  6. The Passcode is created on the next tab, Passcode.

    1. Enter a Title to describe the passcode.

    2. Enter a Maximum allowed usage. This is the number of times the passcode can be used before expiring.

    3. Enter a Duration. The duration is the amount of time the passcode remains active, after being activated.

    4. Optionally, select the check box to End all elevated processes (and child processes) when Passcode duration expires. If selected, all windows that were opened with a Temporary Session Elevation passcode are closed when the passcode's duration expires.

    5. Click Export to file to save the passcode for end-user use.

  7. Click Finish to complete the wizard.

    1. The passcode is delivered to the user for usage.

  8. Run a Temporary Session Elevation Usage Report to view the processes that have been launched. For more information, see Temporary Session Elevation Request Report.
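The following PowerShell script is an added illustration, not code from the product or the guide. It models how the limits described above combine when a client evaluates a passcode: Validation Logic restrictions (computer name, user name, date range) are checked first, then the Maximum allowed usage count, then the Duration, which is counted from the first use (activation) rather than from the moment the passcode was generated. The object layout, function names, the specific Validation Logic options modelled, and the sample computer, user and ticket values are all assumptions made for the example; they are not the product's data format.

```powershell
# Added example (not product code): a model of Temporary Session Elevation
# passcode limits. Field names and Validation Logic options are assumptions.

function New-TsePasscodeModel {
    param(
        [string]$Title,
        [int]$MaximumAllowedUsage,                       # uses before the passcode expires
        [timespan]$Duration,                             # active window, counted from activation
        [string[]]$AllowedComputers = @(),               # Validation Logic: computer names (empty = any)
        [string[]]$AllowedUsers = @(),                   # Validation Logic: user names (empty = any)
        [datetime]$NotBefore = [datetime]::MinValue,     # Validation Logic: date range start
        [datetime]$NotAfter  = [datetime]::MaxValue      # Validation Logic: date range end
    )
    [pscustomobject]@{
        Title               = $Title
        MaximumAllowedUsage = $MaximumAllowedUsage
        Duration            = $Duration
        AllowedComputers    = $AllowedComputers
        AllowedUsers        = $AllowedUsers
        NotBefore           = $NotBefore
        NotAfter            = $NotAfter
        UsesSoFar           = 0
        ActivatedAt         = $null                      # set on first successful use
    }
}

function Test-TsePasscodeUse {
    param(
        [pscustomobject]$Passcode,
        [string]$ComputerName,
        [string]$UserName,
        [datetime]$Now
    )
    # Validation Logic: every configured restriction must hold, otherwise the use is denied.
    if ($Passcode.AllowedComputers.Count -gt 0 -and $ComputerName -notin $Passcode.AllowedComputers) {
        return "Denied: computer '$ComputerName' is outside the passcode's Validation Logic"
    }
    if ($Passcode.AllowedUsers.Count -gt 0 -and $UserName -notin $Passcode.AllowedUsers) {
        return "Denied: user '$UserName' is outside the passcode's Validation Logic"
    }
    if ($Now -lt $Passcode.NotBefore -or $Now -gt $Passcode.NotAfter) {
        return "Denied: outside the allowed date range"
    }
    # Maximum allowed usage: the count never resets.
    if ($Passcode.UsesSoFar -ge $Passcode.MaximumAllowedUsage) {
        return "Denied: maximum allowed usage ($($Passcode.MaximumAllowedUsage)) reached"
    }
    # Duration: the clock starts at activation (first use), not at generation.
    if ($Passcode.ActivatedAt -and $Now -gt ($Passcode.ActivatedAt + $Passcode.Duration)) {
        return "Denied: duration expired at $($Passcode.ActivatedAt + $Passcode.Duration)"
    }
    if (-not $Passcode.ActivatedAt) { $Passcode.ActivatedAt = $Now }
    $Passcode.UsesSoFar++
    return "Allowed: use $($Passcode.UsesSoFar) of $($Passcode.MaximumAllowedUsage)"
}

# Constructed sample: a two-use, 30-minute passcode pinned to one workstation and one user.
$pc = New-TsePasscodeModel -Title 'Helpdesk ticket (placeholder)' -MaximumAllowedUsage 2 `
        -Duration ([timespan]::FromMinutes(30)) `
        -AllowedComputers 'WS-FINANCE-07' -AllowedUsers 'CONTOSO\jdoe'
$t0 = [datetime]'2024-01-15T09:00:00'

# First use on the pinned workstation: allowed, and this activates the duration clock.
Test-TsePasscodeUse -Passcode $pc -ComputerName 'WS-FINANCE-07' -UserName 'CONTOSO\jdoe' -Now $t0
# Same passcode carried to another workstation: Validation Logic denies it.
Test-TsePasscodeUse -Passcode $pc -ComputerName 'WS-HR-01' -UserName 'CONTOSO\jdoe' -Now $t0.AddMinutes(5)
# Second use 45 minutes after activation: the 30-minute duration has elapsed even though
# one use remains, so it is denied.
Test-TsePasscodeUse -Passcode $pc -ComputerName 'WS-FINANCE-07' -UserName 'CONTOSO\jdoe' -Now $t0.AddMinutes(45)
```

The point for an administrator is that usage count and duration are independent ceilings and the first one reached wins; a passcode with a generous usage count is still bounded by its duration once activated, and Validation Logic is what stops a passcode from being reused on a machine or by an account it was never issued for. Cross-check what the model predicts against the Temporary Session Elevation Usage Report, which records the processes actually launched.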

Configuring privileged application discovery

Available only in Safeguard Privilege Manager for Windows Professional Edition and Professional Evaluation Edition.

Use the Privileged Application Discovery Settings Wizard to collect information about the privileged applications used over your network during a specified time period. By default, once this feature is enabled, it is set to collect information for two weeks, but you can adjust the setting.

Using the Privileged Application Discovery Settings Wizard

NOTE: Before you configure privileged application discovery settings, ensure the following components are set up:

  1. The Client is running on the computers you want to apply the settings to;

  2. The Server is configured and running with the port that you have selected allowed for incoming data (the default port is 8003); and

  3. Client data collection settings are enabled for the selected GPO.

To use the Privileged Application Discovery Settings Wizard to set up, modify, or discard settings

  1. Open the wizard by completing one of the following steps:

    • Open the Privileged Application Discovery Settings Wizard from the Setup Tasks section. It always shows the default settings.

    • On the Advanced Policy Settings tab of the target GPO, double-click Privileged Application Discovery Settings. The changes made within the wizard are saved here.

  2. Enable the Privileged Application Discovery Settings on the State tab.

    • Choose Enabled, to ensure the settings apply to the selected GPO.

    • Choose Not Configured, to enable child GPOs to inherit settings from their parent.

  3. Use the Settings tab to set the period during which the settings apply and the data is collected (a month by default).

  4. Click Next to use Validation Logic to target the settings to specific client computers or user accounts within the GPO, or click Finish to save your settings and quit.

If an error message indicates that the target GPO is not selected:

  1. Click OK to close the message window.

  2. Open the GPO tab and select the desired GPO.

  3. Click Next to use the Filters tab to filter out Application Discovery data according to different application specific criteria.

    On the Filters tab, select the check box to enable application filters.

    Enter filter criteria in one or more of the available boxes:

    • Executable path contains

    • Product name contains

    • Publisher name contains

    • File description contains

    An application only needs to meet a single filter criterion for its Application Discovery data to be filtered out. A comma delimiter can be used to enter multiple criteria in each filter box.

    NOTE: The Privilege Manager Client does not transmit any Application Discovery data for one or more applications that meet any of the existing filter criteria.

  4. Click Save on the GPO toolbar to save the new settings.
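The following PowerShell script is an added illustration, not code from the product or the guide. It models the Filters tab semantics stated above: four "contains" boxes, comma-delimited entries within a box, and an application is dropped from discovery (never transmitted by the Client) as soon as it matches any single criterion. It is useful for previewing which discovered applications a proposed filter set would hide before you save it. The record layout, function names, case-insensitive matching, and the sample applications and filter values are assumptions made for the example, not the product's own format or behaviour.

```powershell
# Added example (not product code): previews which discovered applications a
# set of Application Discovery filters would suppress. Record fields, matching
# rules and sample data are assumptions for illustration.

function ConvertTo-FilterTerms {
    param([string]$BoxValue)
    # One filter box may hold several comma-delimited criteria; trim and drop blanks.
    if ([string]::IsNullOrWhiteSpace($BoxValue)) { return @() }
    return @($BoxValue.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Test-DiscoveryFiltered {
    param(
        [pscustomobject]$App,      # one discovered privileged application
        [hashtable]$Filters        # keys: ExecutablePath, ProductName, PublisherName, FileDescription
    )
    foreach ($field in $Filters.Keys) {
        $value = [string]$App.$field
        foreach ($term in (ConvertTo-FilterTerms $Filters[$field])) {
            # "contains" modelled as a case-insensitive substring match (assumption).
            if ($value.IndexOf($term, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
                # A single matching criterion is enough to filter the application out.
                return [pscustomobject]@{
                    Executable = $App.ExecutablePath; Filtered = $true; MatchedOn = "$field contains '$term'"
                }
            }
        }
    }
    return [pscustomobject]@{ Executable = $App.ExecutablePath; Filtered = $false; MatchedOn = $null }
}

# Constructed filter set, one string per Filters tab box (empty box = no criteria).
$filters = @{
    ExecutablePath  = 'C:\Program Files\Contoso Agent\, \Temp\'
    ProductName     = ''
    PublisherName   = 'Contoso Ltd'
    FileDescription = 'Installer, Setup'
}

# Constructed sample of discovered privileged applications.
$discovered = @(
    [pscustomobject]@{ ExecutablePath = 'C:\Program Files\Contoso Agent\agent.exe'
                       ProductName = 'Contoso Agent'; PublisherName = 'Contoso Ltd'; FileDescription = 'Endpoint agent' }
    [pscustomobject]@{ ExecutablePath = 'C:\Tools\regtool.exe'
                       ProductName = 'RegTool'; PublisherName = 'Unknown'; FileDescription = 'Registry editor' }
    [pscustomobject]@{ ExecutablePath = 'C:\Users\jdoe\Downloads\vendor-setup.exe'
                       ProductName = 'Vendor Tool'; PublisherName = 'Vendor Inc'; FileDescription = 'Vendor Tool Setup' }
)

# Preview: which applications would the Client stop reporting under these filters?
$discovered | ForEach-Object { Test-DiscoveryFiltered -App $_ -Filters $filters } | Format-Table -AutoSize
```

In the sample, the first application is suppressed by the executable path criterion and the third by the file description criterion "Setup", while the registry tool remains visible. Broad criteria such as a user-writable folder or a generic word like "Setup" hide exactly the unmanaged, user-launched elevations that discovery is meant to surface, so keep filter terms narrow and review the preview before clicking Save.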

Processing discovered privileged applications

Once a privileged process starts (or fails to start) on a client computer, the corresponding information is sent to the Server and displayed in the Privileged Application Discovery section of the Console (provided that your environment is properly configured according to the Maximum Sleep Time setting).

You can only view data stored in the database of the server that is selected in the Server configuration (under Setup Tasks > Configure a Server).

When processing a discovered privileged application, you can either create a rule for it so that a user without elevated privileges can launch it, or choose to mark it as processed so that it will not display in the list (unless the filter is specifically set to display it).

Use the Generate Rules wizard to automatically create a number of rules for different types of applications in one pass. Rules are created based on the preferences with which the application was started. You can select an application and view its preferences in the Privileged Applications Discovered grid.
