立即与支持人员聊天
与支持团队交流

Safeguard Privilege Manager for Windows 4.5.3 - Administration Guide

TitlePageProxy Copyright Table of Contents About this guide What is Safeguard Privilege Manager for Windows? Installing Safeguard Privilege Manager for Windows Configuring Client data collection Configuring Instant Elevation Configuring Self-Service Elevation Configuring Temporary Session Elevation Configuring privileged application discovery Deploying rules Removing local admin rights Reporting Client-side UI customization Using Microsoft tools Maintaining a least privileged use environment Database Planning Product Improvement Program About us

Using the Generate Rules Wizard

To view discovered privileged applications and generate rules for them

  1. Open the Privileged Application Discovery section from the navigation pane of the Console. The applications are displayed in the window on the right.

  2. Click Display applications to list the privileged applications and other processes that are started (or failed to start), based on the default filter settings shown in the Applied Filters section on the top of the screen.

  3. Select an application in the Privileged Applications Discovery grid below. Use the grid's column headers to sort the applications.

    By default, the following information appears:

    • Any type of privileged applications

    • Privileged applications that were discovered during the last 30 days

    • Privileged applications that have no generated rule in the current section, or are marked as ignored

  4. Use the Applied Filters wizard to modify the list. You can create multiple shared filter sets and save settings that other administrators can use. For more information, see Using the Applied Filters Wizard.

  5. Select a record and then click Generate rules to open the Generate Rules Wizard.

  6. On the first tab of the wizard, specify your rule type preferences. Click Next.

  7. Add Validation Logic preferences into the rule, if necessary. The selected preferences will be used to create the corresponding Validation Logic type. Click Next.

  8. Review your rules and click Next, or

    1. Click the Review rules that will be created button to open a window with more information.

    2. Click Details for more information, or click Close.

  9. Select a target GPO for the rule and specify the GPO policy type. By default, the Administrators group (stored in the BUILTIN\Administrators Active Directory OU) is added to the rule. Click Create to save the rule.

  10. Once a discovered privileged application is processed and a rule is created for it, or it has been marked as ignored, the application is considered processed.

  11. To view ignored applications or applications for which the rules are created, change the Process Date of Item filter on the Applied Filters Wizard from None: Item has not been processed to the corresponding Date Range.

  12. The rule created from the application is added to the selected GPO with a default name.

  13. Select Export to export the list of applications presented on the grid. The list is saved as an .xls file.

After the rule has been created

  • The rule is added to the target GPO of the Group Policy Settings section.

  • The rule applies after the GPO settings are updated on the client computer.

Deploying rules

Detailed information about this topic

Safeguard Privilege Manager for Windows can create Privilege Elevation Rules and Blacklisting Rules. Privilege Elevation rules are rules that raise the permissions level of the user for an application. Blacklisting rules deny a user access to an application, regardless of what their default domain user permissions allows.

Creating rules

You can create five types of rules with Safeguard Privilege Manager for Windows:

  • Available in all editions of Safeguard Privilege Manager for Windows:

    By Path to the Executable: a file rule that applies to the path to an executable. For more information, see Creating file rules.

    By Folder Path: a folder path rule that applies to all processes run from a path. For more information, see Creating folder path rules.

    Ÿ By ActiveX Rule: an ActiveX rule that applies to a specific URL. For more information, see Creating ActiveX rules.

  • Available only in Safeguard Privilege Manager for Windows Professional and Safeguard Privilege Manager for Windows Professional Evaluation editions:

    By Path to Windows Installer: a rule that applies to the path to Windows Installer files and patches. For more information, see Creating rules for Windows Installer files.

    By Path to Script File: a rule that applies to the path to a script file. For more information, see Creating rules for script files.

You can create a rule in one of the following ways:
  • Create a default rule using the Create GPO with Default Rules Wizard.

  • Create a new rule using the Group Policy Management Editor or the Create Rule Wizard.

Once you create a rule, you can:
  • Test the rule. For more information, see Testing rules.

  • Edit or delete the rule. For more information, see Managing rules.

  • Build a report to view the rule's settings, save them into a file, and get statistics on the rule’s usage. For more information, see Reporting.

Using the Create GPO with Default Rules Wizard (Privilege Elevation Rules only)

Safeguard Privilege Manager for Windows contains a range of useful default rules that you can add to a new or existing GPO. To create the default rules provided by the product, use the Create GPO with Default Rules Wizard. To access the wizard from the Getting Started screen, navigate to the Setup Tasks tab and then double- click Create GPO with default rules.

NOTE: Rules created with this process are Privilege Elevation rules only. You cannot create deny list rules here.

To use the Create GPO with Default Rules Wizard

  1. Double-click Create GPO with default rules to open the wizard.

  2. Review the text in the Introduction dialog and click Next.

  3. In the Select privilege elevation rules dialog, select your operating system from the drop-down menu and select the corresponding rules from a list of common ones. Click Next.

  4. In the Select target GPO dialog, select or create a GPO to assign the rule to complete one of the following steps:

    • Select a GPO from the list under the domain that your local computer is a part of.

    • Select a domain, click Create GPO, name it, and click OK. The newly created GPO is added to the All GPOs list in the Group Policy Objects container.

    • Link any GPO not marked with the icon to your domain or Active Directory OU.

  5. Highlight the GPO in the left pane and click the Link GPO button on the right to link the GPO to the domain or an OU.

  6. Browse for an OU or add the GPO to the domain in the dialog that appears.

  7. Click OK.

  8. Once the rule is created, its icon changes to to indicate that it contains a rule and it is listed in the GPOs with Policy Settings node.

    NOTE: You can only link a GPO to an item for which you have sufficient rights. For more information, see Select user policy or computer policy:.

    • To save and apply the rule, click Finish. If you did not specify the required data, the wizard notifies you.

  9. An error message will notify you if you have insufficient permissions to perform any of the operations listed above.

    • You must have permission to perform the same actions in the GPMC.

    • Contact your system administrator to get the proper permissions.

  10. The displays in the list of rules for the corresponding GPO under the Group Policy Settings section.

  11. The rule is applied once the Group Policy is updated on the client computer.

  12. A message notifies you that the rule’s parameters change when the trial period expires, if you create a rule with any of the Privilege Manager Professional features while using the evaluation edition. For more information, see Editions.

  13. Modify the rule, as necessary. For more information, see Managing rules.

Using the Group Policy Management Editor

The Group Policy Management Console (GPMC) is a built-in Microsoft Management Console (MMC) snap-in. You can use the features in Privilege Manager based on your Windows rights within the GPMC.

You can use the Group Policy Management Editor in the GPMC to manage and create rules or you can use the Create Rule Wizard in the Privilege Manager for Windows Console.

To use the Group Policy Management Editor to create and manage rules

  1. Open the MMC. On the Start menu, click Run, type MMC, and then click OK.

  2. From the File menu, select Add/Remove Snap-in. The Add or Remove Snap-ins dialog appears.

  3. Select Group Policy Management under the list of snap-ins.

  4. Click Add.

  5. Click OK.

    The Console Root window now has a snap-in, Group Policy Management, rooted at the Console Root folder.

  6. Right-click a GPO under your forest in the Group Policy Management pane on the right and select Edit.

    The Group Policy Management Editor will open. The editor now has Privilege Manager for Windows nodes, under Computer Configuration and User Configuration.

    The right pane has an Extended and a Standard tab.

  7. Click the Extended tab for more information about an item.

Available only in Privilege Manager Professional and Professional Evaluation editions:

To create new rule, use either of the following methods:

  • Select a Privilege Manager for Windows node and use New Rule.

  • Use the other toolbar buttons to delete or modify the selected Privilege Manager for Windows node.

    NOTE: Before clicking New Rule, ensure that the Privilege Elevation Rules or Blacklist Rules tab is selected.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级