Safeguard Privilege Manager for Windows 4.4 - Administrator Guide

Managing rules

Once a rule is created, you can change its settings, delete, import and export it.

To delete, modify, or share a rule:

1. Use the applicable toolbar buttons.

To use the Edit Rule Wizard to configure a rule:

1. Select the Privilege Elevation Rules or Blacklist Rules tab based on the type of rule to be created.
2. Double-click a rule's title or click the Details button on the toolbar to open the Edit Rule Wizard.
3. Specify the data requested in each tab and click Next.
   1. Follow the prompts through the default tabs: Description, Type, Groups, and Validation Logic (available only for Privilege Manager Professional). The Privileges and Integrity tabs display as advanced options.
   2. Enter the required fields, marked with an asterisk '*' on the Description and Type tabs.
4. Click Finish to save and apply the rule. If you did not specified the required data, the wizard notifies you.
5. Click the Save button on the menu bar of the Rule section. Or, if prompted, confirm that you want to save the rule.

More information for managing rules:

• To delete or modify a GPO created with Privilege Manager, use the Microsoft Group Policy Management Console (GPMC). You can also edit rules using the GPMC. For more information, see Using the Group Policy Management Editor on page 1
• If you are using the Privilege Manager Community Edition and open a rule with a Privilege Manager Professional feature to view or modify its settings, a notification appears. Click Yes to open the Edit Rule window to display all the rule settings except for the Professional ones. Modifying the rule discards the Professional features.

Import/Export Rules

Once rules are created for a GPO they can be exported in order to share the rules, copy the rules to another GPO or even for backup purposes.

To export rules:

1. Select a GPO in the domain tree.
2. Right-click on the GPO name and select Export Rules.
3. Enter the path and file name of the export file to be created. Click ... to select a path using File Explorer.
4. In the pop-up window that displays a count of the Privilege Elevation Rules and Blacklist Rules for the GPO, complete the following steps, as applicable:
   • Select Export all Privilege Elevation Rules to include those rules in the export.
   • Select Export all Blacklist Rules to include those rules in the export.
5. Click Export to begin the export process.

To import rules:

1. Select a GPO in the domain tree.
2. Right-click on the GPO name and select Import Rules.
3. Enter the path and file name of the file to be imported. Click ... to select a path using File Explorer.
4. In the pop-up window that displays a count of the Privilege Elevation Rules and Blacklist Rules for the GPO, complete the following steps, as applicable:
   • Select Import all Privilege Elevation Rules to include those rules in the import.
   • Select Import all Blacklist Rules to include those rules in the import.
5. Click Import to begin the import process.

Testing rules

You can test a rule to ensure that the settings you specified map to a process on a local or remote computer. You can test all types of rules, except ActiveX.

Before you test a rule, ensure the following components are set up:

1. The Client is running on the computer on which you intend to test the rule.
2. The remote computer is switched on and is accessible from the network.
3. The correct credentials to connect to the remote computer are provided.
4. The following exceptions are added for remote computers with a firewall turned on:

• Windows Management Instrumentation (WMI): dllhost.exe
• Host process for Windows services: svchost.exe for 32-bit OS and %SystemRoot%\SysWOW64\svchost.exe for 64-bit OS.

To test a rule:

1. Within the Group Policy Settings section, select a rule, and click the Test button.

2. Select whether to test the rule on a local or remote computer.

   A test window appears and the test starts. The window displays the initial conditions necessary for the rule to run and present its status in the Test Progress section, testing if:

   • The connection with the target computer has been established;
   • The Client is installed on your computer;
   • The Group Policy update has run successfully on the client computer;
   • The GPO with the selected rule is present on the domain; and

   • The rule exists on the client side and on the domain.

3. If the test fails any of the steps, resolve the issue. If you encounter a Failed to retrieve processes. Please refer to documentation for more info error, complete the steps above before you test the rule.
4. Click Next.
5. When the Detecting Process window opens, manually run the process the rule applies to. Use the parameters specified in the Rule Details section of the Test File Rule window. The window shows two tabs:
   • The Started Processes tab with the processes started after you switched from the Detecting Process window.
     • The process that you start to test the will display with either a tick or a cross sign.
     • If the process is marked with the cross sign, look at Process Details and check that you started the process with the right parameters, or modify the rule settings.
   • The All Processes tab with all currently running processes.
6. When the rule is created and distributed to clients through Group Policy, the rule is applied to the corresponding process.

Removing local admin rights

The last step in preparing your environment for least privileged use is to remove administrative access from users who no longer require it.

Using the Active Directory Users and Computers utility

Use the Windows utility Active Directory Users and Computers, installed on Windows Server operating systems such as Windows 2008, to scrub the Domain Administrators group of users that should no longer be given administrative rights to every computer in the domain. Select Domain Admins Properties > Members tab > Remove.

Using the Users with Local Admin Rights screen

Available only in Privilege Manager Professional and Professional Evaluation editions.

Under the Discovery & Remediation tab on the Console, select the Users with Local Admin Rights screen to discover which domain users have been assigned to the local Administrators group on client computers and remove them.

Before you begin, check the following on each target computer:

1. The computer is turned on and accessible from the network; and
2. Windows Management Instrumentation (WMI), Distributed Component Object Model (DCOM), File and Printer Sharing, and Remote Administration are allowed through the firewall.

To remove domain users from the local Administrators group on computers on your domain:

1. Within the Select Computers section, use the Add and Remove buttons to add and remove computers.
   • You cannot select a domain controller computer.
   • If the File and Printer Sharing exception is not enabled for a computer, it will not display in the list.

   • If the Windows Management Instrumentation exception is not enabled, the Class and OS columns will display the Unavailable value.

2. Click the Clear all entries button to remove all computers from the list.

3. Click the Discover Accounts in local Administrator groups button to discover users and domain groups with local administrator rights. By default, the search results will only include domain users and domain groups. However, you can optionally opt to include local and built-in (for informational purposes only) users.

4. In the window that opens, specify whether to search for local Administrator groups, users, or both.

5. Check the Only display domain accounts discovered in the results list option to restrict the search to Domain accounts only. Clear the option to include local accounts from the Administrators group on client machines.

   A window displays your progress as the list builds.

6. Complete the following steps:.

   1. If an error occurs, it will display in the Errors section with a description. The Unable to open log file... notification signifies that no users in the local Administrators group have been detected.

   2. Click the Open report file button to view data on detected users. The button will not be activated if no users have been found in the local Administrators group.
   3. When the discovery operation is completed, click the Close button.

   The list of discovered users will display in the User Accounts Discovered in Local Administrators Groups section.

7. Revise the list to only include users you are potentially going to revoke rights from then make your final selection from the remaining list.

   1. Click the Exclude selected entries from list link to remove users from this list.

   2. Select users from the remaining list, for which you want to revoke their local administrator rights.

   3. Click the Remove all selected users from local Administrators groups button.

8. In the window that opens, click Yes to confirm that you want to remove the users or groups.

   A window displays your progress as the users are removed.

9. Complete the following steps:

   1. If an error occurs, it will display in the Errors section with a description.
   2. Click the Open report file button to view the operation log.
10. When the operation is complete, the users no longer have local administrator rights.

Congratulations! You are now running in a least privileged use environment.

Reporting

Reporting is available only within the Professional edition; once a trial license expires, data is no longer being collected and reports stop generating.

You can build five types of reports on activities from client computers:

• Blacklist Activity Report: Lists how frequently a rule is used.
• Rule Deployment Report: Lists rules deployed on the client computer.
• Instant Elevation Report: Lists processes that are elevated using Instant Elevation.
• Rule Details Report: Lists rules that are configured.

• Advanced Policy Settings Report: Lists Advanced Policy Settings, except those set to the Not Configured option.