Application Control powered by AppSense

Ivanti Application Control is the new name for AppSense Application Manager

User Privilege Management


About User Privilege Management

Many user environments are very restrictive in order to limit user access to sensitive data and key applications. However, users often require administrative privileges to perform their role. For example, many proprietary systems, system updates, and applications that allow the installation of drivers for devices such as printers, antivirus scans, and so on, all require administrative privileges. As a result, users typically have either full administrative privileges or no administrative privileges at all.

Application Control secures and protects many corporate desktops by controlling application and network access. Application Control 8.1 and higher extends policy management capabilities by providing comprehensive user privilege management functionality. User privilege management allows you to create reusable user privilege policies that can be associated with any rules and can elevate or restrict access to files, folders, drives, signatures, Windows Store Apps, application groups, and supported Control Panel components specific to an operating system.

User privilege management enables enterprise IT departments to reduce access control privileges on a per user, group, application, or business rule basis. It ensures users have only the rights they need to fulfill their job and access the applications and controls they require, and nothing else, thus ensuring desktop stability, and improving security and productivity. The perfect balance between user productivity and security is to control user privileges, not at a session or account level, but at the level of an application or individual task.

With user privileges management, access to applications and tasks is managed dynamically by managing user privileges on demand, in response to user actions. For example, administrator privileges can be applied to a named application or Control Panel component for a particular user or user group by either elevating the privileges of a standard user to an administrator level, or dropping the privileges of an administrator to that of a standard user account.

By controlling user privileges throughout the user session, IT can provide users with the accessibility they require to perform their job, while protecting the desktop and the environment and reducing management costs.

User privileges management provides a granular approach to delegating administrative rights to users and applications by assigning rights according to merit. This level of control can be deployed to elevate or restrict privileges on a case by case basis according to the preferred approach taken in the environment.

User privileges management allows you to create a library of reusable policies that can be associated with any available Application Control rule, to assign the relevant privileges to files, folders, signatures, and application groups. User privileges policies include domain user group membership and a range of administrative privileges that you can apply to each policy.

If a new application is spawned from an existing application with administrative privileges, the new application does not automatically receive the same privileges. Instead, it is evaluated to determine whether or not it should receive administrative privileges.

Least Privilege

Many users run their computer with administrative privileges. Users running with these privileges can introduce viruses, malware, and spyware. This can affect an entire enterprise, causing security breaches and downtime. Access to private data can also be at risk.

User privileges management allows you to apply the principle of least privilege. This principle requires that users are provided the minimum privileges to do their job, without giving the user full administrator privileges. The experience is seamless to the user.

For the complete definition of least privilege refer to the Department of Defense Trusted Computer System Evaluation Criteria, (DOD-5200.28.STD), also known as the Orange Book. This is located at http://csrc.nist.gov/publications/history/dod85.pdf.

With user privileges management, any downtime, coupled with the number of calls made to IT Support due to viruses and so on, is greatly reduced because computers are made secure against the problems that occur when a user has full administrative privileges. This means IT Support can focus on more important tasks rather than spending large amounts of time troubleshooting computers to find the problem. Licensing is also easier to control, for example, by allowing users to install only authorized applications.

Common Tasks that Require Administrative Privileges

In order to fulfil their roles, users may need to perform a number of tasks that need administrative privileges. A solution must be provided to allow these tasks to be performed; otherwise the user must fulfil their role without accomplishing these specific tasks. These tasks can include:

  • Installing printers
  • Installing certain hardware
  • Installing particular applications
  • Operating applications that require administrative privileges
  • Changing system time
  • Running legacy applications

User privileges management allows the user to perform these tasks by elevating a user to have specific administrative privileges.

User Privileges Management vs Run As

Many users, particularly knowledge workers, use the Run as command to run applications. Users can perform their daily tasks running with least privilege but can also, as required, use the Run as command to elevate their credentials, thus performing a task under the context of a different user. This, however, requires that a user has two accounts: one for least privileges and one for elevation.

A common problem when using Run as is allowing the administrative password to become known throughout an organization. For example, an administrator may communicate the administrator password to a user to enable them to use the Run as command to fix a problem with their computer. Unfortunately, the password commonly gets passed around, causing unforeseen security risks.

An additional problem with Run as is how software actually interacts with it. Run as executes an application or process under the context of a different user. Therefore, that application or process does not have access to the correct HKEY_CURRENT_USER hive in the registry.

This hive is where all the profile data is stored and is protected space. So the application or process running under the context of a different user cannot read or write to this source, causing some applications to not function. Running under the context of a different user can also cause problems reading and writing to a network share. This is because network shares are based on the account under the context you are running. So your local account and the Run as account may not have the same access to resources.

Run As and UAC

Some operating systems, such as Windows 7 and Windows 8, have features that allow a user to run applications or processes without administrative privileges. These are the Run as command and User Account Control (UAC).

These features also apply to Server 2008 and 2012 versions.

Although these features do allow users to run without administrative privileges, they still require the user to have access to an administrator account to perform administrative tasks. Unfortunately, this limitation means these features are more appropriate for administrators. It enables them to log on as a standard user and use the administrator account to perform administrative tasks only.

Because the user must provide the credentials for a local administrator to use Run as and UAC, this creates a number of concerns. For example:

  • A user with access to an administrator account must be trusted not to abuse these privileges.
  • Applications running with administrative privileges are now running under the context of a different user. This can cause problems; for example, these applications do not have access to the actual user’s profile or network shares, as stated in the User Privileges Management vs Run As section.
  • Two passwords are required: one for the standard account and one for the administrator account. The user must remember both. Security required for one account is challenging, and for two accounts more so.

Technology

In a Microsoft Windows computing environment, when an execution request is made, the application requests a security token as part of the application launch approval process. This token details the rights and permissions given to the application, and these rights can be used to interact with the operating system or other applications.

When user privileges management is configured to manage an application, the security token that is requested is dynamically modified to have permissions elevated or restricted, thus allowing the application to be run or blocked.

The User Rights Management mechanism handles process startup requests as follows:

  1. A User Rights Policy is defined in the configuration rule and applies to applications or components.
    • The Application list can include files, folders, signatures or application groups.
    • The Components list can include Control Panel components.
  2. When a process is created by the launch of an application or other executable, the Application Control hook intercepts the process and queries the Application Control agent whether elevated or restricted rights are required to run the process.
  3. The agent confirms whether the configuration assigns elevated or restricted rights and if required, the agent requests a modified user token from the Windows Local Security Authority (LSA).
  4. The hook receives the modified user token from the Windows LSA granting the necessary privileges. Otherwise, the process runs with the existing user token according to the definitions of the normal user rights.
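
To tell the two situations described above apart on a live process (Run as under a second account, which loses the logged-on user's HKEY_CURRENT_USER, versus the same user running with a modified token), the following PowerShell is an added example and is not Ivanti code or part of the original documentation. `Get-TokenReport` is a hypothetical name, and the expectation that a process elevated through a modified token still reports the logged-on user's SID is an assumption drawn from the description above.

```powershell
# Added example: describe the token of the current PowerShell process.
function Get-TokenReport {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    # Well-known SID of BUILTIN\Administrators.
    $adminSid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')

    # Token groups keyed by SID. /nh drops the (localized) header row,
    # so the column names are supplied here instead.
    $groups = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, Sid, Attributes

    # The integrity level appears as a group SID under S-1-16.
    $levels = @{
        'S-1-16-4096'  = 'Low';  'S-1-16-8192'  = 'Medium'
        'S-1-16-12288' = 'High'; 'S-1-16-16384' = 'System'
    }
    $label = $groups | Where-Object { $_.Sid -like 'S-1-16-*' } | Select-Object -First 1
    $integrity = 'Unknown'
    if ($label) {
        $integrity = $label.Sid
        if ($levels.ContainsKey($label.Sid)) { $integrity = $levels[$label.Sid] }
    }

    # Owner of explorer.exe in this session: the user whose profile backs
    # the desktop's HKEY_CURRENT_USER hive.
    $sessionId  = (Get-Process -Id $PID).SessionId
    $shell      = Get-CimInstance Win32_Process -ErrorAction SilentlyContinue `
                      -Filter "Name = 'explorer.exe' AND SessionId = $sessionId" |
                  Select-Object -First 1
    $desktopSid = $null
    if ($shell) {
        $owner = Invoke-CimMethod -InputObject $shell -MethodName GetOwnerSid `
                     -ErrorAction SilentlyContinue
        if ($owner) { $desktopSid = $owner.Sid }
    }
    # $null means the desktop owner could not be read from this context.
    $sameUser = $null
    if ($desktopSid) { $sameUser = ($identity.User.Value -eq $desktopSid) }

    [pscustomobject]@{
        User                  = $identity.Name
        UserSid               = $identity.User.Value
        DesktopUserSid        = $desktopSid
        SameUserAsDesktop     = $sameUser   # False: HKCU is another user's hive
        AdministratorsInToken = [bool]($groups | Where-Object { $_.Sid -eq 'S-1-5-32-544' })
        AdministratorsEnabled = $principal.IsInRole($adminSid)  # False if absent or deny-only
        IntegrityLevel        = $integrity
    }
}

Get-TokenReport | Format-List
```

A shell started with Run as under an administrator account reports `SameUserAsDesktop : False` with `AdministratorsEnabled : True`; an administrator whose process has been dropped to standard user rights reports `AdministratorsInToken : True` with `AdministratorsEnabled : False`.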

Benefits of User Privilege Management

The main benefits of User Privileges Management are:

  • Discover User Applications that Require Elevated Privileges - Use the Privilege Discovery Mode to monitor and generate reports on applications that require administrative privileges. Use the data listed in the reports to create Application Management configurations.
  • Elevation of User Privileges for Running Applications - Use User Privileges Management to specify the applications to be run with administrative credentials. The user does not have administrative credentials but is able to run the application.

  • Elevation of User Privileges for Running Control Panel Applets - Many roaming users need to do various tasks that need administrative privileges. For example, to install printers, to change network and firewall settings, change the time and date, and to add and remove programs. All of these tasks require certain components to run as administrator. Use User Privileges Management to elevate privileges for individual components so that the non-administrative standard user can make the changes to perform their role.

  • Reducing Privileges to Restrict Application Privileges - By default, users have certain administrative credentials, but are forced to run specific applications as a non-administrator. By running certain applications as an administrator, for example, Internet Explorer, the user is able to change many undesirable settings, install applications and potentially open up the desktop to the Internet. Use User Privileges Management to restrict an administrator level user to running, for example, Internet Explorer in a standard user mode, thus safeguarding the desktop.

  • Reducing Privileges to Restrict Access to System Settings - Use User Privileges Management to give a higher level system administrator the ability to stop an administrative user from altering settings that they should not change, for example, firewalls and certain services. Use User Privileges Management to reduce administrative privileges for certain processes. Although the user has administrative privileges, the system administrator retains control of the environment.

Use Cases

User privileges management has many use cases and solves problems that many enterprises have until now been unable to address. A small number of scenarios are given below:

  • Organizations that use local administrator accounts for their users may need to lock down elements of the desktop, such as the Control Panel component, Add Hardware, or Add and Remove Programs \ Programs and Features. By dynamically dropping the user account from administrator to a standard user for specific controls, the user is now prohibited from accessing the control and executing an unwanted task.
  • Some applications require administrator rights because the application itself interacts with certain parts of the desktop operating system or registry. However, the organization does not wish to provide users with full administrator accounts. User privileges management can elevate the user rights for the named application to an administrator level, enabling the user to run their application while protecting the desktop.
  • Automatic update elements of some applications can require administrator rights to perform the update actions and therefore not function in the context of a standard user. User privileges management can enable the named application to run under the context of an administrator account while all other applications remain in standard user context.
  • Mobile users may need to manually change their IP address, configure a wireless network, or change date and time properties, all of which require administrative rights. User privileges management can elevate the user rights to administrator level for named tasks, enabling the user to make the changes they require.

Elevate User Privileges for Running Applications

Users often require administrative rights to perform their role. User Privilege Management allows you to elevate a user so that they have administrative rights for specified applications. To elevate user privileges, you must first create a policy and then apply this to a rule.

Example: Allow Users to Run Visual Studio and Debug Applications

Users often require administrative privileges to run, for example, Visual Studio, and to debug applications. Use user privilege management to elevate administrative rights for the specified applications.

To elevate user privileges, you need to first create one or more reusable policies and apply these to a rule.

Elevate User Privileges for Running Control Panel Components

Many roaming users need to do various tasks that need to be run as an administrator, for example:

  • To install printers
  • To change network and firewall settings
  • To change the time and date
  • To add and remove programs.

All of these tasks require components to run as administrator.

Use user privilege management to elevate privileges for individual components so that the non-administrative standard user can make the changes to perform their role.

Elevate privileges for a Component

  1. Select the User Privileges node beneath the applicable Rules node, for example, the Group > Everyone node.
  2. On the Privilege Management ribbon select Add Item > Add Component.

    The Select Components dialog displays.

  3. Select one or more components that you want to elevate, and click OK.

    Use the filter at the top of the Select Components dialog to filter components by operating system.

    The component is now listed on the Components tab in the policy work area.

  4. Ensure the Builtin Elevate policy is selected in the User Privilege Policy column.
  5. Save the configuration.

Reduce Privileges to Restrict Application Privileges

Running applications as an administrator enables a user to change many undesirable settings, install applications, and potentially open up the desktop to the Internet. Use user privilege management to restrict an administrator level user to running, for example, Internet Explorer in a standard user mode, thus safe-guarding the desktop.

To reduce user privileges, you need to first create a policy and then apply this to a rule.

Reduce User Privileges for Running Components

Use user privilege management to reduce privileges for individual components so that the non-administrative standard user cannot make certain changes.

Reduce Privileges for a Component

  1. Select the User Privileges node beneath the applicable Rules node, for example, the Group > Everyone node.
  2. On the Privilege Management ribbon select Add Item > Add Component.

    The Select Components dialog displays.

  3. Select one or more components that you want to reduce privileges for, and click OK.

    Use the filter at the top of the Select Components dialog to filter components by operating system.

    The selected component now displays on the Components tab in the work area.

  4. Select the drop-down arrow in the User Privileges Policy column and select the Builtin Restrict policy.
  5. Save the configuration.
