
Safeguard Privilege Manager for Windows 4.5 - Administration Guide


Creating rules for script files

Available only in Safeguard Privilege Manager for Windows Professional Edition and Professional Evaluation Edition.

Use the By Path to Script File rule to elevate or decrease privileges for processes that start from a script file.

To create a By Path to Script File rule using the Create Rule Wizard

  1. Open the Create Rule Wizard. For more information, see Using the Create Rule Wizard.

  2. Set the absolute or relative path to one of the following types of script files:

    • Command Prompt: .cmd

    • Batch File: .bat

    • JavaScript: .js

    • VBScript: .vbs

    • PowerShell: .ps1

    • Perl: .pl

      Wildcards are supported and you can use Browse to locate the path.

  3. Fill in these optional fields, as necessary:

    • Publisher: Limit Elevation to files signed with the digital certificate of a publisher. Enter the exact name or use Browse to locate it.

      This field is not supported for .pl, .cmd, and .bat files.

    • File Hash: Click Browse to locate the file and create a unique cryptographic hash that limits Elevation to files that match it. This ensures that the rule will not apply to dangerous content that is similarly named and will help prevent security issues.

    • Apply settings to child processes: Ensure that child processes triggered by the rule will not fail due to lack of privileges. This check box is enabled by default.

    • User’s context will be used to resolve system and resource access: Ensure that the Client uses the target's user environment to resolve file and registry access. This might be required to resolve drive mappings, and also if the rule specifies the publisher, version, or file hash for the target process running from a network location.

  4. Define whether the rule will be user-based or computer-based.

    • User Policy: Select this option to apply the rule to the user logged in to the computer. This option corresponds to the User Configuration node of the Group Policy Management Editor and is the default policy for all editions of Safeguard Privilege Manager for Windows.

    • Computer Policy: Select this option to apply the rule to a computer regardless of the user logged in. This option corresponds to the Computer Configuration node of the Group Policy Management Editor.

      NOTE: This option is available only in Safeguard Privilege Manager for Windows Professional Edition and Professional Evaluation Edition.

  5. Complete the Privileges (see Granting/denying privileges (Privilege Elevation Rules only)) and Integrity (see Differentiating security levels (Privilege Elevation Rules only)) tabs to modify the rule.

  6. Click Finish to quit the wizard.

  7. The rule will be named after the script file.
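The Publisher and File Hash fields above anchor a rule to properties of the script file itself rather than to its name. The following PowerShell script is an added example, not part of the Safeguard Privilege Manager documentation or product: for each candidate script it reports the Authenticode signer (the value a Publisher criterion would have to match) and a file hash, and it flags the .pl, .cmd and .bat extensions for which the guide says the Publisher field is not supported. The folder `C:\Scripts\Deploy` is a constructed sample path, and SHA256 is used only for illustration; the guide does not state which hash algorithm the File Hash field computes.

```powershell
# Added example (not from the Safeguard Privilege Manager guide): inspect the
# properties that the Publisher and File Hash rule criteria are matched against.
# Assumption: SHA256 is shown for illustration; the product's own hash algorithm
# behind the File Hash field is not documented on this page.

# Extensions for which the guide says the Publisher field is not supported.
$PublisherUnsupported = @('.pl', '.cmd', '.bat')

function Get-ScriptRuleCriteria {
    param(
        [Parameter(Mandatory)] [string] $Path
    )
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $ext  = $item.Extension.ToLowerInvariant()

    $result = [ordered]@{
        Path        = $item.FullName
        Extension   = $ext
        Sha256      = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
        Publisher   = $null
        SignatureOK = $false
        Note        = $null
    }

    if ($PublisherUnsupported -contains $ext) {
        # No Authenticode signature can be attached to these formats, so a rule
        # for them has to rely on the path (and the File Hash field) instead.
        $result.Note = "Publisher not supported for $ext; use path and file hash."
    } else {
        $sig = Get-AuthenticodeSignature -LiteralPath $item.FullName
        $result.SignatureOK = ($sig.Status -eq 'Valid')
        if ($sig.SignerCertificate) {
            # The certificate subject is what a Publisher criterion is compared with.
            $result.Publisher = $sig.SignerCertificate.Subject
        }
        if (-not $result.SignatureOK) {
            $result.Note = "Signature status '$($sig.Status)'; a Publisher rule would not match."
        }
    }
    [pscustomobject]$result
}

# Usage: evaluate every script a wildcard path such as C:\Scripts\Deploy\* would cover
# (constructed sample folder).
Get-ChildItem -Path 'C:\Scripts\Deploy' -Include *.ps1,*.vbs,*.js,*.cmd,*.bat,*.pl -Recurse |
    ForEach-Object { Get-ScriptRuleCriteria -Path $_.FullName } |
    Format-Table Path, Extension, SignatureOK, Publisher, Note -AutoSize
```

Run this before creating a rule with a wildcard path: any script that reports a non-valid signature status will not be matched by a rule that also specifies a Publisher, and any .cmd, .bat or .pl file can only be pinned by path and hash.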

Using Active Directory user groups (Privilege Elevation Rules only)

Use the Groups tab to add or remove an Active Directory user group from the security token of the target process. Removing a group decreases the privileges with which the process will run.

To add or remove an Active Directory user group using the Groups tab in the Create Rule Wizard

  1. If the Administrators group (stored within the BUILTIN\Administrators Active Directory OU) does not appear on the list by default, click to add it.

    • Select this group of users, who have complete and unrestricted access to a local computer, instead of domain administrators.

    • The button will not be active if the group is already on the list.

  2. Use the button to add or remove other groups. When the window opens:

    1. Click Browse to specify the group name.

    2. Select add or remove.

  3. To delete or modify a record within the Security Group list, select it and use the or button.

    • Security groups in Active Directory whose group scope property is Built-in local can be added to the security token of a process on a client computer only if the Client also has the same security identifier (SID) defined in its built-in security groups.

    • When removing a group from the security token, ensure that the user account under which the process is launched is a member of more than one primary group. Otherwise, the rule will not apply as intended.
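The first bullet above means a Groups-tab entry for a Built-in local group is only effective on clients where that group, with the same SID, exists locally. The following PowerShell script is an added example, not part of the Safeguard Privilege Manager documentation or product: it resolves each group name that a rule would reference to its SID and checks whether a local built-in group with that SID is present on the client the script runs on. The `$GroupsToCheck` list is a constructed sample.

```powershell
# Added example (not from the Safeguard Privilege Manager guide): verify that the
# Built-in local groups a rule adds to or removes from a process token exist, with
# the same SID, on this client. $GroupsToCheck is a constructed sample list.

$GroupsToCheck = @(
    'BUILTIN\Administrators',
    'BUILTIN\Remote Desktop Users',
    'BUILTIN\Backup Operators'
)

function Test-BuiltinGroupOnClient {
    param([Parameter(Mandatory)] [string[]] $Account)

    # SIDs of the built-in groups actually defined on this client.
    $localSids = @{}
    foreach ($g in Get-LocalGroup) { $localSids[$g.SID.Value] = $g.Name }

    foreach ($name in $Account) {
        $sid = $null
        try {
            # Resolve the account name to its SID; fails if the name is unknown here.
            $sid = ([System.Security.Principal.NTAccount]$name).Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
        } catch { }

        $present   = [bool]($sid -and $localSids.ContainsKey($sid))
        $localName = $null
        if ($present) { $localName = $localSids[$sid] }

        [pscustomobject]@{
            Account        = $name
            Sid            = $sid
            PresentLocally = $present
            LocalName      = $localName
        }
    }
}

# Usage: run on a representative client; any row with PresentLocally = False marks a
# group the rule cannot add to or remove from a token on that machine.
Test-BuiltinGroupOnClient -Account $GroupsToCheck | Format-Table -AutoSize
```

`Get-LocalGroup` comes with the Microsoft.PowerShell.LocalAccounts module on Windows 10 and Windows Server 2016 or later; on older clients the same information is available from `Get-CimInstance Win32_Group -Filter "LocalAccount=True"`.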

Using Validation Logic


Available only in Safeguard Privilege Manager for Windows Professional Edition and Professional Evaluation Edition.

By default, a rule applies to all client computers to which the previously selected GPO is linked. For more granular targeting, use the Standard Rules and Validation Logic Rules sub-tabs of the Validation Logic tab in the Create Rule Wizard to target the rule based on the client’s operating system, its IP address, or the logged-in user.

Using standard rules

Within the Standard Rules sub-tab in the Create Rule Wizard, you can set a rule to apply only to clients with specified operating systems, servers, or workstations. By default, all operating systems are selected. If no options are selected, then the rule will apply to all supported operating systems.

To use the Standard Rules sub-tab in the Create Rule Wizard

  • Select the Server check box in the Class section to apply the rule to your Windows Server installation.

  • Select the Workstation check box in the Class section to apply the rule to Windows 10.

  • In the Operating System section, select the check boxes for your operating systems.
