立即与支持人员聊天
与支持团队交流

Safeguard Privilege Manager for Windows 4.7 - Administration Guide

TitlePageProxy Copyright Table of Contents About this guide What is Safeguard Privilege Manager for Windows? Installing Safeguard Privilege Manager for Windows Configuring Client data collection Configuring Instant Elevation Configuring Self-Service Elevation Configuring Temporary Session Elevation Configuring privileged application discovery Deploying rules Removing local admin rights Reporting Client-side UI customization Using Microsoft tools Maintaining a least privileged use environment Database Planning Product Improvement Program About us

Creating ActiveX rules

Use the By ActiveX Rule to allow installation of ActiveX controls from the Internet.

To create an ActiveX Rule using the Create Rule Wizard

  1. Open the Create Rule Wizard. For more information, see Using the Create Rule Wizard.

  2. Specify the URL for the ActiveX control in the Source URL field, for example:

    http://*.macromedia.com

  3. Available only in Privilege Manager Professional Edition and Professional Evaluation Edition.

    1. To view details of the ActiveX controls installed on the local computer and create rules based on them, click Installed ActiveX Controls.

    2. Fill in these optional fields, as necessary.

      • Control: Enter the name of the ActiveX control from the CodeBase attribute of the web page.

      • CLSID/MIME: Restrict loading a control unless the CLSID or MIME value on the web page matches the one specified.

      • ActiveX Version: Restrict Elevation to ActiveX controls with a matching version number on the web page from which it will be downloaded.

  4. Define whether the rule will be user-based or computer-based.

    • User Policy: Select this option to apply the rule to the user logged into the computer. This option corresponds to the User Configuration node of the Group Policy Management Editor and is the default policy for all editions of Safeguard Privilege Manager for Windows.

    • Computer Policy: Select this option to apply the rule to a computer regardless of the user logged in. This option corresponds to the Computer Configuration node of the Group Policy Management Editor.

      NOTE: This option is available only in Safeguard Privilege Manager for Windows Professional Edition and Professional Evaluation Edition.

  5. Click Finish to quit the wizard.

  6. The rule will be named after the ActiveX control.

Applying ActiveX rules

In order for an ActiveX rule to take effect on clients, set up the following components

  1. Enable the GPE ActiveX Installer add-on in the Internet Explorer browser.

  2. Open the Internet Options menu.

    1. Clear the Enable Protected Mode check box on the Security tab.

    2. Select the Enable third-party browser extensions* check box on the Advanced tab.

  3. Restart Internet Explorer.

To centrally enable third-party browser extensions by modifying a GPO:

  1. Create a dedicated GPO or open the Group Policy Management Editor.

  2. Navigate to Computer Configuration > Administrative Templates: Policy definitions (ADMX files) > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page, double-click Allow third-party browser extensions in the list to the right, and enable it.

  3. Open the User Configuration node and perform the configurations described in step 2.

Creating rules for Windows Installer files

Available only in Safeguard Privilege Manager for Windows Professional Edition and Professional Evaluation Edition.

Use the By Path to Windows Installer rule to elevate or decrease privileges for processes that start from Windows Installer files (.msi) and patches (.msp).

To create a By Path to Windows Installer rule using the Create Rule Wizard

  1. Open the Create Rule Wizard. For more information, see Using the Create Rule Wizard.

  2. Fill in the following fields:

    • Name: Set a path to an .msi or .msp file. Wildcards are supported and you can use Browse to locate the path.

      Optional:

      • Publisher: Limit Elevation to files signed with the digital certificate of a publisher. Enter the exact name or use Browse to locate it.

      • Product Code: Limit Elevation to those whose ProductCode MSI property match the one specified. Enter the exact name or use Browse to locate it.

      • Product Version: Limit Elevation to those whose ProductVersion MSI property match the one specified.

      • File Hash: Click Browse to locate the file and create a unique cryptographic hash that limits Elevation to files that match it. This ensures that the rule will not apply to dangerous content that is similarly named and will help prevent security issues.

      • Apply settings to child processes: Ensure that child processes triggered by the rule will not fail due to lack of privileges. This check box is enabled by default.

      • User’s context will be used to resolve system and resource access: Ensure that the Client uses the target's user environment to resolve file and registry access. This might be required to resolve drive mappings, and also if the rule specifies the publisher, version, or file hash for the target process running from a network location.

  3. Define whether the rule will be user-based or computer-based.

    • User Policy: Select this option to apply the rule to the user logged into the computer. This option corresponds to the User Configuration node of the Group Policy Management Editor and is the default policy for all editions of Safeguard Privilege Manager for Windows.

    • Computer Policy: Select this option to apply the rule to a computer regardless of the user logged in. This option corresponds to the Computer Configuration node of the Group Policy Management Editor.

      NOTE: This option is available only in Safeguard Privilege Manager for Windows Professional Edition and Professional Evaluation Edition.

  4. Complete the Privileges (see Granting or denying privileges (Privilege Elevation Rules only)) and Integrity (see Differentiating security levels (Privilege Elevation Rules only)) tabs to modify the rule.

  5. Click Finish to quit the wizard.

  6. The rule will be named after the installer file or patch.

Creating rules for script files

Available only in Safeguard Privilege Manager for Windows Professional Edition and Professional Evaluation Edition.

Use the By Path to Script File rule to elevate or decrease privileges for processes that start from a script file.

To create a By Path to Script File rule using the Create Rule Wizard

  1. Open the Create Rule Wizard. For more information, see Using the Create Rule Wizard.

  2. Set the absolute or relative path to one of the following types of script files:

    • Command Prompt: .cmd

    • Batch File: .bat

    • JavaScript: .js

    • VBScript: .vbs

    • PowerShell: .ps1

    • Perl: .pl

      TIP: You can use Browse to locate the path and wildcards are supported.

  3. Fill in these optional fields, as necessary:

    • Publisher: Limit Elevation to files signed with the digital certificate of a publisher. Enter the exact name or use Browse to locate it.

      This field is not supported for .pl, .cmd, and .bat files.

    • File Hash: Click Browse to locate the file and create a unique cryptographic hash that limits Elevation to files that match it. This ensures that the rule will not apply to dangerous content that is similarly named and will help prevent security issues.

    • Apply settings to child processes: Ensure that child processes triggered by the rule will not fail due to lack of privileges. This check box is enabled by default.

    • User’s context will be used to resolve system and resource access: Ensure that the Client uses the target's user environment to resolve file and registry access. This might be required to resolve drive mappings, and also if the rule specifies the publisher, version, or file hash for the target process running from a network location.

  4. Define whether the rule will be user-based or computer-based.

    • User Policy: Select this option to apply the rule to the user logged in to the computer. This option corresponds to the User Configuration node of the Group Policy Management Editor and is the default policy for all editions of Safeguard Privilege Manager for Windows.

    • Computer Policy: Select this option to apply the rule to a computer regardless of the user logged in. This option corresponds to the Computer Configuration node of the Group Policy Management Editor.

      NOTE: This option is available only in Safeguard Privilege Manager for Windows Professional Edition and Professional Evaluation Edition.

  5. Complete the Privileges (see Granting or denying privileges (Privilege Elevation Rules only)) and Integrity (see Differentiating security levels (Privilege Elevation Rules only)) tabs to modify the rule.

  6. Click Finish to quit the wizard.

  7. The rule will be named after the script file.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级