Chat now with support
Chat mit Support

Safeguard Privilege Manager for Windows 4.5 - Administration Guide

About this guide What is Safeguard Privilege Manager for Windows? Installing Safeguard Privilege Manager for Windows Configuring Client data collection Configuring Instant Elevation Configuring Self-Service Elevation Configuring Temporary Session Elevation Configuring privileged application discovery Deploying rules Removing local admin rights Reporting Client-side UI customization Using Microsoft tools Maintaining a least privileged use environment Database Planning Product Improvement Program

Creating folder path rules

Use the By Folder Path rule to elevate or decrease privileges for processes that start from a folder path.

To create a By Folder Path rule using the Create Rule Wizard

  1. Open the Create Rule Wizard. For more information, see Using the Create Rule Wizard

  2. Specify the location of a Folder on the client computer or a network share in one of the following ways:

    • Type the folder path in the following format:

      \\ComputerName\SharedFolder DriveLetter:\Folder

    • Use the common % variable and the * and ? wildcards to identify the folder, for example, *\Folder

    • Use Browse to locate the folder.

    NOTE: When saving the rule, Privilege Manager for Windows converts the path into environment variables.

  3. Fill in these optional fields, as necessary:

    • Publisher: Limit Elevation to files signed with the digital certificate of a publisher. Enter the exact name or use Browse to locate it.

      NOTE: This option is available only in Safeguard Privilege Manager for Windows Professional Edition and Professional Evaluation Edition.

    • Apply settings to sub folders: Apply the rule to processes started from any file under any sub folders of the path.

    • Apply settings to child processes: Ensure that child processes triggered by the rule will not fail due to lack of privileges. This check box is enabled by default.

    • User’s context will be used to resolve system and resource access: Ensure that the Client uses the target's user environment to resolve file and registry access. This might be required to resolve drive mappings, and also if the rule specifies the publisher, version, or file hash for the target process running from a network location.

  4. Define whether the rule will be user-based or computer-based.

    • User Policy: Select this option to apply the rule to the user logged into the computer. This option corresponds to the User Configuration node of the Group Policy Management Editor and is the default policy for all editions of Privilege Manager for Windows.

    • Computer Policy: Select this option to apply the rule to a computer regardless of the user logged in. This option corresponds to the Computer Configuration node of the Group Policy Management Editor.

      NOTE: This option is available only in Safeguard Privilege Manager for Windows Professional Edition and Professional Evaluation Edition.

  5. Complete the Privileges (see Granting/denying privileges (Privilege Elevation Rules only)) and Integrity (see Differentiating security levels (Privilege Elevation Rules only)) tabs to modify the rule.

  6. Click Finish to quit the wizard.

  7. The rule will be named after the folder path.

Creating ActiveX rules

Use the By ActiveX Rule to allow installation of ActiveX controls from the Internet.

To create an ActiveX Rule using the Create Rule Wizard

  1. Open the Create Rule Wizard. For more information, see Using the Create Rule Wizard.

  2. Specify the URL for the ActiveX control in the Source URL field, for example:

    http://*.macromedia.com

  3. Available only in Privilege Manager Professional Edition and Professional Evaluation Edition.

    1. Click Installed ActiveX Controls to view details of the ActiveX controls installed on the local computer and create rules based on them.

    2. Fill in these optional fields, as necessary.

      • Control: Enter the name of the ActiveX control from the CodeBase attribute of the web page.

      • CLSID/MIME: Restrict loading a control unless the CLSID or MIME value on the web page matches the one specified.

      • ActiveX Version: Restrict Elevation to ActiveX controls with a matching version number on the web page from which it will be downloaded.

  4. Define whether the rule will be user-based or computer-based.

    • User Policy: Select this option to apply the rule to the user logged into the computer. This option corresponds to the User Configuration node of the Group Policy Management Editor and is the default policy for all editions of Safeguard Privilege Manager for Windows.

    • Computer Policy: Select this option to apply the rule to a computer regardless of the user logged in. This option corresponds to the Computer Configuration node of the Group Policy Management Editor.

      NOTE: This option is available only in Safeguard Privilege Manager for Windows Professional Edition and Professional Evaluation Edition.

  5. Click Finish to quit the wizard.

  6. The rule will be named after the ActiveX control.

Applying ActiveX rules

In order for an ActiveX rule to take effect on clients, set up the following components

  1. Enable the GPE ActiveX Installer add-on in the Internet Explorer browser.

  2. Open the Internet Options menu.

    1. Clear the Enable Protected Mode check box on the Security tab.

    2. Select the Enable third-party browser extensions* check box on the Advanced tab.

  3. Restart Internet Explorer.

To centrally enable third-party browser extensions by modifying a GPO:

  1. Create a dedicated GPO or open the Group Policy Management Editor.

  2. Navigate to Computer Configuration > Administrative Templates: Policy definitions (ADMX files) > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page, double-click Allow third-party browser extensions in the list to the right, and enable it.

  3. Open the User Configuration node and perform the configurations described in step 2 above.

Creating rules for Windows Installer files

Available only in Safeguard Privilege Manager for Windows Professional Edition and Professional Evaluation Edition.

Use the By Path to Windows Installer rule to elevate or decrease privileges for processes that start from Windows Installer files (.msi) and patches (.msp).

To create a By Path to Windows Installer rule using the Create Rule Wizard

  1. Open the Create Rule Wizard. For more information, see Using the Create Rule Wizard.

  2. Fill in the following fields:

    • Name: Set a path to an .msi or .msp file. Wildcards are supported and you can use Browse to locate the path.

      Optional:

      • Publisher: Limit Elevation to files signed with the digital certificate of a publisher. Enter the exact name or use Browse to locate it.

      • Product Code: Limit Elevation to those whose ProductCode MSI property match the one specified. Enter the exact name or use Browse to locate it.

      • Product Version: Limit Elevation to those whose ProductVersion MSI property match the one specified.

      • File Hash: Click Browse to locate the file and create a unique cryptographic hash that limits Elevation to files that match it. This ensures that the rule will not apply to dangerous content that is similarly named and will help prevent security issues.

      • Apply settings to child processes: Ensure that child processes triggered by the rule will not fail due to lack of privileges. This check box is enabled by default.

      • User’s context will be used to resolve system and resource access: Ensure that the Client uses the target's user environment to resolve file and registry access. This might be required to resolve drive mappings, and also if the rule specifies the publisher, version, or file hash for the target process running from a network location.

  3. Define whether the rule will be user-based or computer-based.

    • User Policy: Select this option to apply the rule to the user logged into the computer. This option corresponds to the User Configuration node of the Group Policy Management Editor and is the default policy for all editions of Safeguard Privilege Manager for Windows.

    • Computer Policy: Select this option to apply the rule to a computer regardless of the user logged in. This option corresponds to the Computer Configuration node of the Group Policy Management Editor.

      NOTE: This option is available only in Safeguard Privilege Manager for Windows Professional Edition and Professional Evaluation Edition.

  4. Complete the Privileges (see Granting/denying privileges (Privilege Elevation Rules only)) and Integrity (see Differentiating security levels (Privilege Elevation Rules only)) tabs to modify the rule.

  5. Click Finish to quit the wizard.

  6. The rule will be named after the installer file or patch.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen