Chat now with support
Chat with Support

Safeguard Privilege Manager for Windows 4.6.1 - Administration Guide

TitlePageProxy Copyright Table of Contents About this guide What is Safeguard Privilege Manager for Windows? Installing Safeguard Privilege Manager for Windows Configuring Client data collection Configuring Instant Elevation Configuring Self-Service Elevation Configuring Temporary Session Elevation Configuring privileged application discovery Deploying rules Removing local admin rights Reporting Client-side UI customization Using Microsoft tools Maintaining a least privileged use environment Database Planning Product Improvement Program About us

Using the Create Rule Wizard

To use the Create Rule Wizard

  1. Select or create a GPO in the All GPOs node in the left pane of the Privilege Manager for Windows Console:

    1. Select a GPO from the list under the domain that your local computer is a part of.

    2. Select a domain, click New GPO, name it, and click OK. The newly created GPO is added to the All GPOs list in the Group Policy Objects container.

  2. Link any GPO not marked with the icon to your domain or Active Directory OU.

    1. Highlight the GPO in the left pane and click Link above it.

    2. Browse for an OU or add the GPO to the domain in the dialog that appears.

    3. Click OK.

    4. Once the rule is created, its icon changes to to indicate that it contains a rule and it is listed in the GPOs with Policy Settings node.

    NOTE: You can only link a GPO to an item for which you have sufficient rights. For more information, see Select user policy or computer policy:.

  3. Use the Create Rule Wizard to configure the rule.

    1. Select the Privilege Elevation Rules or Blacklist Rules tab based on the type of rule to be created.

    2. Click New Rule to open the Create Rule Wizard.

    3. Specify the data requested in each tab and click Next.

      1. Privilege Elevation rules only. Follow the prompts through the default tabs:

        • Start

        • Description

        • Type

        • Groups

        • Validation Logic (available only for Safeguard Privilege Manager for Windows Professional)

        The Privileges and Integrity tabs display as advanced options.

      2. Blacklist rules only. Follow the prompts through the default tabs:

        • Start

        • Description

        • Type

        • Validation Logic (available only for Privilege Manager Professional)

    4. Enter the required fields, marked with an asterisk '*' on the Description and Type tabs.

      NOTE: Blacklist rules only. In some cases, Blacklist rules could be configured with Instant, Temporary Session, or Self-Service Elevation, for the same target application. In this case, Blacklisting takes precedence over any type of Elevation and prevents the application from starting. For more information, see the following sections:

    5. To save and apply the rule, click Finish. If you did not specify the required data, the wizard notifies you.

  4. Click Save on the menu bar of the Rule section. Or, if prompted, confirm that you want to save the rule.

  5. An error message will notify you if you have insufficient permissions to perform any of the operations listed above.

    • You must have permission to perform the same actions in the GPMC.

    • Contact your system administrator to get the proper permissions.

  6. The rule is applied once the Group Policy is updated on the client computer.

  7. A message notifies you that the rule’s parameters change when the trial period expires, if you create a rule with any of the Privilege Manager Professional features while using the evaluation edition. For more information, see Editions.

Getting started

To use the Start tab in the Create Rule Wizard

  1. To create your own settings, select Create your own rule, or

  2. Create a rule with predefined settings:

    1. Select the Select common rule from the list below option.

    2. To sort the rules according to the operating system they apply to, use the Operating System menu.

    3. To modify the default settings, click Next. To save your settings for the target GPO and quit, click Finish.

To use the Description tab in the Create Rule Wizard

  1. Enter a title to identify the rule and an optional description.

    1. To display the title of the rule when using the View current rules option on the Client system tray, select the Advertise this rule in the system tray on client computers option.

      The system tray also shows a notification message any time there is a change to the set of rules flagged as advertised.

    2. To enable or disable data collection for a specific rule, select Disable data collection activity for this rule.

    3. To stop the rule from applying, select Disable the rule regardless of validation. To apply the rule again, clear the option.

  2. Click Next.

To use the Type Tab in the Create Rule Wizard to specify the essential parameters of the processes for the rule

  • Available in all editions of Safeguard Privilege Manager for Windows:

    By Path to the Executable: A file rule that applies to the path to an executable. For more information, see Creating file rules.

    By Folder Path: A folder path rule that applies to all processes run from a path. For more information, see Creating folder path rules.

    By ActiveX Rule: An ActiveX rule that applies to a specific URL. For more information, see Creating ActiveX rules.

  • Available only in Privilege Manager Professional Edition and Professional Evaluation Edition:

    By Path to Windows Installer: A rule that applies to the path to Windows Installer files and patches. For more information, see Creating rules for Windows Installer files.

    By Path to Script File: A rule that applies to the path to a script file. For more information, see Creating rules for script files.

  1. Specify the options that correspond to the type of rule you have selected.

  2. Select user policy or computer policy:

    • User Policy: Select this option to apply the rule to the user logged into the computer. This option corresponds to the User Configuration node of the Group Policy Management Editor and is the default policy for all editions of Safeguard Privilege Manager for Windows.

    • Computer Policy: Select this option to apply the rule to a computer irrespective of the user logged in. This option corresponds to the Computer Configuration node of the Group Policy Management Editor. Available only in Safeguard Privilege Manager for Windows Professional Edition and Professional Evaluation Edition.

Creating file rules

Use the By Path to the Executable rule to elevate or decrease privileges for processes that start from an executable file.

To create a By Path to the Executable file rule using the Create Rule Wizard

  1. Open the Create Rule Wizard. For more information, see Using the Create Rule Wizard.

  2. Specify the Path to an executable file on the client computer or a network share in one of the following ways:

    • Type the path to the file, including its extension, in the following format:

      \\ComputerName\SharedFolder\Filename.exe

      DriveLetter:\Filename.exe

    • Use the common % variable and the * and ? wildcards to identify the path, for example, *\filename.exe.

    • Use Browse to locate the path. Once you locate the process, a dialog will prompt you to:

      1. Retrieve a digital signature for the rule's Publisher field. Click Yes to add the available digital signature. Click No to skip the prompt.

      2. Create a file version for the file. Click Yes to add the setting. Click No to skip the prompt.

      3. Create a unique cryptographic hash for the file to secure its identification. Click Yes to add the setting. Click No if you are creating the rule for the file for which data is likely to be updated in the future, or for any file with its name within the specified folder.

        NOTE: When saving the rule, Safeguard Privilege Manager for Windows converts the path into environment variables.

  3. To simplify adding parameters into the rule, click Processes.

    NOTE: This option is available only in Safeguard Privilege Manager for Windows Professional Edition and Professional Evaluation Edition.

    1. Select whether you will create the rule from a process on a local or remote computer.

    2. A list of processes running on the computer will open. Locate the process and view its details in the fields to the right:

      • Path: the path to the process's executable.

      • Arguments: the arguments with which the process was started.

      • Publisher: the digital certificate of a publisher.

      • Version: the File Version property.

      • Hash: a unique cryptographic hash.

      • Integrity level: the security level with which the process runs in Windows.

      • Privileges: the privileges granted to the process.

    3. Click OK. The data for the processes will be saved to the rule and displayed on the corresponding tabs of the wizard.

    4. To troubleshoot a Failed to retrieve processes, refer to documentation for more info error, check the following on the remote computer:

      1. The computer is turned on and accessible from the network;

      2. The domain administrator credentials have been provided; and

      3. Windows Management Instrumentation (WMI), Distributed Component Object Model (DCOM), File and Printer Sharing, and Remote Administration are allowed through the firewall.

  4. Fill in these optional fields, as necessary:

    • Arguments: Specify the common or user-defined arguments with which the executable will run. For example, to build a rule that will allow a non-administrator to access the Date/Time tool in the Control Panel from the task bar, enter this data:

      • Path: %SystemFolder%\rundll32.exe

      • Arguments: /d c:\windows\system32\shell32.dll,Control_RunDLL timedate.cpl

    • Available only in Privilege Manager Professional Edition and Professional Evaluation Edition.

      • Publisher: Limit Elevation to files signed with the digital certificate of a publisher. Enter the exact name or use Browse to locate it.

      • File Version: Limit Elevation to those whose File Version property match the ones specified.

      • File Hash: Click Browse to locate the file and create a unique cryptographic hash that limits Elevation to files that match it. This ensures that the rule will not apply to dangerous content that is similarly named and will help prevent security issues.

        NOTE: The file hash will not apply to a file that you have modified during program updates, so do not add it to the rule for a file which is likely to be updated, or for any file with the same name in that location.

      • Apply settings to child processes: Ensure that child processes triggered by the rule will not fail due to lack of privileges. This check box is enabled by default.

      • User’s context will be used to resolve system and resource access: Ensure that the Client uses the target's user environment to resolve file and registry access. This might be required to resolve drive mappings, and also if the rule specifies the publisher, version, or file hash for the target process running from a network location.

  5. Define whether the rule will be user-based or computer-based.

    • User Policy: Select this option to apply the rule to the user logged into the computer. This option corresponds to the User Configuration node of the Group Policy Management Editor and is the default policy for all editions of Safeguard Privilege Manager for Windows.

    • Computer Policy: Select this option to apply the rule to a computer regardless of the user logged in. This option corresponds to the Computer Configuration node of the Group Policy Management Editor.

      NOTE: This option is available only in Safeguard Privilege Manager for Windows Professional Edition and Professional Evaluation Edition.

  6. Complete the Privileges (see Granting or denying privileges (Privilege Elevation Rules only)) and Integrity (see Differentiating security levels (Privilege Elevation Rules only)) tabs to modify the rule.

  7. Click Finish to quit the wizard.

  8. The rule will be named after the executable.

Creating folder path rules

Use the By Folder Path rule to elevate or decrease privileges for processes that start from a folder path.

To create a By Folder Path rule using the Create Rule Wizard

  1. Open the Create Rule Wizard. For more information, see Using the Create Rule Wizard

  2. Specify the location of a Folder on the client computer or a network share in one of the following ways:

    • Type the folder path in the following format:

      \\ComputerName\SharedFolder DriveLetter:\Folder

    • Use the common % variable and the * and ? wildcards to identify the folder, for example, *\Folder

    • Use Browse to locate the folder.

    NOTE: When saving the rule, Privilege Manager for Windows converts the path into environment variables.

  3. Fill in these optional fields, as necessary:

    • Publisher: Limit Elevation to files signed with the digital certificate of a publisher. Enter the exact name or use Browse to locate it.

      NOTE: This option is available only in Safeguard Privilege Manager for Windows Professional Edition and Professional Evaluation Edition.

    • Apply settings to sub folders: Apply the rule to processes started from any file under any sub folders of the path.

    • Apply settings to child processes: Ensure that child processes triggered by the rule will not fail due to lack of privileges. This check box is enabled by default.

    • User’s context will be used to resolve system and resource access: Ensure that the Client uses the target's user environment to resolve file and registry access. This might be required to resolve drive mappings, and also if the rule specifies the publisher, version, or file hash for the target process running from a network location.

  4. Define whether the rule will be user-based or computer-based.

    • User Policy: Select this option to apply the rule to the user logged into the computer. This option corresponds to the User Configuration node of the Group Policy Management Editor and is the default policy for all editions of Privilege Manager for Windows.

    • Computer Policy: Select this option to apply the rule to a computer regardless of the user logged in. This option corresponds to the Computer Configuration node of the Group Policy Management Editor.

      NOTE: This option is available only in Safeguard Privilege Manager for Windows Professional Edition and Professional Evaluation Edition.

  5. Complete the Privileges (see Granting or denying privileges (Privilege Elevation Rules only)) and Integrity (see Differentiating security levels (Privilege Elevation Rules only)) tabs to modify the rule.

  6. Click Finish to quit the wizard.

  7. The rule will be named after the folder path.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating