立即与支持人员聊天
与支持团队交流

Safeguard Privilege Manager for Windows 4.4 - Administrator Guide

About this guide What is Privilege Manager? Installing Privilege Manager Configuring client data collection Configuring instant elevation Configuring self-service elevation Configuring temporary session elevation Configuring privileged application discovery Deploying rules Removing local admin rights Reporting Client-side UI Customization Using Microsoft tools Maintaining a least privileged use environment Database Planning Product Improvement Program

Using the Group Policy Management Editor

  • The Group Policy Management Console (GPMC) is a built-in Microsoft Management Console (MMC) snap in.
  • You can use the features in Privilege Manager based on your Windows rights within the GPMC.

  • You can use the Group Policy Management Editor in the GPMC to manage and create rules or you can use the Create Rule Wizard in the Privilege Manager for Windows Console.

    To use the Group Policy Management Editor to create and manage rules:

    1. Open the MMC. On the Start menu, click Run, type MMC, and then click OK.
    2. From the File menu, select Add/Remove Snap-in. The Add or Remove Snap-ins dialog box appears.
      1. Select Group Policy Management under the list of snap-ins.
      2. Click the Add button.
      3. Click OK.
    3. The Console Root window now has a snap-in, Group Policy Management, rooted at the Console Root folder.
    4. Right-click a GPO under your forest in the Group Policy Management pane on the right and select Edit.

      The Group Policy Management Editor will open. The editor now has Privilege Manager for Windows nodes, under Computer Configuration and User Configuration.

      • The right pane has an Extended and a Standard tab.
      • Click the Extended tab for more information about an item.
    5. Available only in Privilege Manager Professional and Professional Evaluation editions. To create new rule, select a Privilege Manager for Windows node and use the New Rule button, or use the other toolbar buttons to delete or modify it. Before clicking the New Rule button, ensure select the Privilege Elevation Rules or Blacklist Rules tab is selected.
  • Using the Create Rule Wizard

    To use the Create Rule Wizard:

    1. Select or create a GPO in the All GPOs node in the left pane of the Privilege Manager for Windows Console:
      1. Select a GPO from the list under the domain that your local computer is a part of.
      2. Select a domain, click the New GPO button, name it, and click OK. The newly created GPO is added to the All GPOs list in the Group Policy Objects container..
    1. Link any GPO not marked with the icon to your domain or Active Directory OU.
      1. Highlight the GPO in the left pane and click the Link button above it.
      2. Browse for an OU or add the GPO to the domain in the dialog box that appears.
      3. Click OK.
      4. Once the rule is created, its icon changes to to indicate that it contains a rule and it is listed in the GPOs with Policy Settings node.

    Note: You can only link a GPO to an item for which you have sufficient rights. For more information, see Select user policy or computer policy.

    1. Use the Create Rule Wizard to configure the rule.

      1. Select the Privilege Elevation Rules or Blacklist Rules tab based on the type of rule to be created.
      2. Click the New Rule button to open the Create Rule Wizard.
      3. Specify the data requested in each tab and click Next.
        1. Privilege Elevation rules only. Follow the prompts through the default tabs: Start, Description, Type, Groups, and Validation Logic (available only for Privilege Manager Professional). The Privileges and Integrity tabs display as advanced options.

          Blacklist rules only. Follow the prompts through the default tabs: Start, Description, Type, and Validation Logic (available only for Privilege Manager Professional).

        2. Enter the required fields, marked with an asterisk '*' on the Description and Type tabs.

          Blacklist rules only. In some cases, Blacklist rules could be configured with Instant, Temporary Session, or Self-Service Elevation, for the same target application. In this case, Blacklisting takes precedence over any type of Elevation and prevents the application from starting. For more information, see the following sections:

      4. Click Finish to save and apply the rule. If you did not specified the required data, the wizard notifies you.

    2. Click the Save button on the menu bar of the Rule section. Or, if prompted, confirm that you want to save the rule.
    3. An error message will notify you if you have insufficient permissions to perform any of the operations listed above.

      • You must have permission to perform the same actions in the GPMC.
      • Contact your system administrator to get the proper permissions.

    1. The rule is applied once the Group Policy is updated on the client computer.
    2. A message notifies you that the rule’s parameters change when the trial period expires, if you create a rule with any of the Privilege Manager Professional features while using the evaluation edition. For more information, see Editions.

    Getting started

    To use the Start tab in the Create Rule Wizard:

    1. Select Create your own rule to create your own settings, or
    2. Create a rule with pre-defined settings:
      1. Select the Select common rule from the list below option.
      2. Use the Operating System menu to sort the rules according to the operating system they apply to.
      3. Click Next to modify the default settings, or click Finish to save the your settings for the target GPO and quit.

    To use the Description tab in the Create Rule Wizard:

    1. Enter a title to identify the rule and an optional description.
    1. Check the Advertise this rule in the system tray on client computers option to display the title of the rule when using the View current rules option on the Client system tray.

    The system tray also pop ups a desktop notification message any time there is a change to the set of rules flagged as advertised.

    1. Check the Disable data collection activity for this rule option to enable/disable data collection for the individual rule.
    2. Check the Disable the rule regardless of validation option to stop the rule from applying until you clear the option.
    1. Click Next.

    To use the Type Tab in the Create Rule Wizard to specify the essential parameters of the processes for the rule:

    1. Select the type of rule that you would like to create.

    Available only in Privilege Manager Professional and Professional Evaluation editions:

    1. Specify the options that correspond to the type of rule you have selected.
    2. Select user policy or computer policy.

    Define whether the rule will be user or computer-based.

    • User Policy: Select this option to apply the rule to the user logged into the computer. This option corresponds to the User Configuration node of the Group Policy Management Editor and is the default policy for all editions of Privilege Manager for Windows.
    • Computer Policy: Select this option to apply the rule to a computer irrespective of the user logged in. This option corresponds to the Computer Configuration node of the Group Policy Management Editor. Available only in Privilege Manager Professional and Professional Evaluation editions.

    Creating file rules

    Use the By Path to the Executable rule to elevate or decrease privileges for processes that start from an executable file.

    To create a By Path to the Executable file rule using the Create Rule Wizard:

    1. Open the Create Rule Wizard. For more information, see Using the Create Rule Wizard.
    2. Specify the Path to an executable file on the client computer or a network share in one of the following ways:
    • Type the path to the file, including its extension, in the following format:

    \\ComputerName\SharedFolder\Filename.exe

    DriveLetter:\Filename.exe

    • Use the common % variable and the * and ? wildcards to identify the path, for example, *\filename.exe.
    • Use the Browse button to locate the path. Once you locate the process, a dialog will prompt you to:
      1. Retrieve a digital signature for the rule's Publisher field. Click Yes to add the available digital signature. Click No to skip the prompt.
      2. Create a file version for the file. Click Yes to add the setting. Click No to skip the prompt.
      1. Create a unique cryptographic hash for the file to secure its identification. Click Yes to add the setting. Click No if you are creating the rule for the file for which data is likely to be updated in the future, or for any file with its name within the specified folder.

      Note: When saving the rule, Privilege Manager for Windows converts the path into environment variables.

    1. Click the Processes button to simplify adding parameters into the rule. Available only in Privilege Manager Professional and Professional Evaluation editions.
      1. Select whether you will create the rule from a process on a local or remote computer.
      2. A list of processes running on the computer will open. Locate the process and view its details in the fields to the right:
        • Path: the path to the process's executable.
        • Arguments: the arguments with which the process was started.
        • Publisher: the digital certificate of a publisher.
        • Version: the File Version property.
        • Hash: a unique cryptographic hash.
        • Integrity level: the security level with which the process runs in Windows 7 and higher.
        • Privileges: the privileges granted to the process.
      3. Click OK. The data for the processes will be saved to the rule and displayed on the corresponding tabs of the wizard.
      4. To troubleshoot a Failed to retrieve processes. Please refer to documentation for more info error, check the following on the remote computer:
        1. The computer is turned on and accessible from the network;
        2. The domain administrator credentials have been provided; and
        3. Windows Management Instrumentation (WMI), Distributed Component Object Model (DCOM), File and Printer Sharing, and Remote Administration are allowed through the firewall.
    2. Fill in these optional fields, as necessary:

      • Arguments: Specify the common or user-defined arguments with which the executable will run. For example, to build a rule that will allow a non-administrator to access the Date/Time tool in the Control Panel from the task bar, enter this data:
        1. Path: %SystemFolder%\rundll32.exe

        2. Arguments: /d c:\windows\system32\shell32.dll,Control_RunDLL timedate.cpl
      • Available only in Privilege Manager Professional and Professional Evaluation editions.
        • Publisher: Limit Elevation to files signed with the digital certificate of a publisher. Enter the exact name or use the Browse button to locate it.
        • File Version: Limit Elevation to those whose File Version property match the ones specified.

      • File Hash: Click the Browse button to locate the file and create a unique cryptographic hash that limits Elevation to files that match it. This ensures that the rule will not apply to dangerous content that is similarly named and will help prevent security issues.

        NOTE: The file hash will not apply to a file that you have modified during program updates, so do not add it to the rule for a file which is likely to be updated, or for any file with the same name in that location.

      • Apply settings to child processes: Ensure that child processes triggered by the rule will not fail due to lack of privileges. This check box is enabled by default.

      • User’s context will be used to resolve system and resource access: Ensure that the Client uses the target's user environment to resolve file and registry access. This might be required to resolve drive mappings, and also if the rule specifies the publisher, version, or file hash for the target process running from a network location.
    3. Define whether the rule will be user or computer-based.

      • User Policy: Select this option to apply the rule to the user logged into the computer. This option corresponds to the User Configuration node of the Group Policy Management Editor and is the default policy for all editions of Privilege Manager for Windows.
      • Computer Policy: Select this option to apply the rule to a computer irrespective of the user logged in. This option corresponds to the Computer Configuration node of the Group Policy Management Editor. Available only in Privilege Manager Professional and Professional Evaluation editions.
    4. Complete the Privileges (see Granting/denying privileges (Privilege Elevation Rules only)) and Integrity (see Differentiating security levels (Privilege Elevation Rules only)) tabs to modify the rule.

    5. Click Finish to quit the wizard.

    6. The rule will be named after the executable.
    相关文档

    The document was helpful.

    选择评级

    I easily found the information I needed.

    选择评级