Product Overview

Privilege Management allows you to create reusable user privilege policies which can be associated with any rules and can elevate or restrict access to files, folders, drives, signatures, application groups, and Control Panel components. A more granular level of control allows you to assign specific privileges for debugging or installing software, or to set integrity levels for managing interoperability between different products, such as Microsoft Outlook and Microsoft Word.

Privileges Management contains four primary functions:

• Elevating user privileges for applications.
• Elevating user privileges for Control Panel components and Management Snapins.
• Reducing user privileges for applications.
• Reducing user privileges for Control Panel components and Management Snapins.

By default, only application files owned by an administrator or the Local System are allowed to execute. Trusted Ownership is determined by reading the NTFS permissions of each file which attempts to run. Application Manager automatically blocks any file where ownership cannot be established, such as files located on non-NTFS drives, removable storage devices, or network locations. These files can optionally be allowed to run either by specifying them as Allowed Items or by configuring a Self-Authorizing User rule. The Trusted Owner list can be configured to suit each environment.

Extend application accessibility by applying rules based on username, group membership, computer or connecting device, scripts and parent processes, or combinations of these. Allowed Items and Denied Items, Trusted Vendors, and Privilege Management can be specified in each rule, and are applied to a user session based on the environment in which the user operates.

Scripted rules allow administrators to apply Allowed Items, Denied Items, Trusted Vendors, and Privilege Management policies based on the outcome of a Windows PowerShell or VBScript. Scripts can be run for each individual user session or run once per computer.

Process rules apply to parent processes to manage access to child processes at the next level below the parent processes. Process rules include Allowed Items, Denied Items, Trusted Vendors and Privilege Management. The rule does not manage access to the parent process.

Allow authentic applications to run when they have digital certificates signed by trusted sources, and are otherwise prohibited by Trusted Ownership checking. Define a list of Trusted Vendor certificates for each User, Group, Device, Custom, Scripted, and Process rule in the configuration.

Application Termination allows you to control triggers, behavior, and warning messages for terminating applications on managed computers. You can also control the manner in which applications are terminated and how the user is notified.

Block access to certain applications accessed via IP, Universal Naming Convention (UNC) or host name. Application Control can manage access based on the location of the requester, for example if they are connecting via a virtual private network (VPN) or directly to the network.

SHA-1, SHA-256 and Adler-32 signature checks may be applied to any number of application control rules, providing enhanced security where NTFS permissions are weak or non-existent, or for applications on non-NTFS formatted drives. A digital signature wizard allows easy creation and maintenance of large digital signature lists.

Access to Windows Store apps can be controlled by Application Control. Grant or restrict access by applying group rules to one or more Windows Store apps. Application snippets can also be imported and rules configured if the machine being used to create the configuration is not compatible with Windows Store apps.

Allows an administrator to browse to any endpoint and retrieve a list of applications that have been installed on that endpoint. Search for any executable files and add them to the configuration. Application Control records which applications are started and by whom. The recording of data is started and stopped by the administrator. Organize the files into authorized and unauthorized groups to quickly create a policy. The configurations can be deployed to a user, a group of users, a machine, or a group of machines. Endpoint Analysis is on demand and inactive by default.

Users are increasingly mobile. So it is important that entitlement rules are enforced when the user is not connected to the corporate network. Application Control ensures users only access the applications and resources to which they have permission when offline by using entitlement rules on the endpoint device.

Application Control can monitor application use without preventing users running applications. Passive monitoring can be enabled or disabled on a per user, device, or group basis and provides a tool to track user behavior prior to full implementation, or to understand application use for software license management.

Provides the option for users to execute applications that they have introduced into the system. Applications can be added to a secure machine while outside of the office without relying on IT support. A comprehensive audit can detail information such as the application name and the time and date of execution and device. Additionally, a copy of the application can be taken and stored centrally for examination.

Apply a policy to control the number of application instances a user can run, along with the times when it can run. You can create a policy to control or enforce licensing models by controlling application limits on a per user basis, but not per device.

Best practice configuration templates are provided that can be imported into Application Control. Application Control can import a number of configuration files and use these in combination.

Allows you to monitor endpoints to identify applications that use administrative rights. A web service is used to collect the data and relays that data to the Privilege Discovery Mode work area in the Application Control Console.

Events are raised by Application Control according to the default Event Filtering configuration and audited directly to a local file log or the Windows Event Log. Alternatively, events can be forwarded for auditing to the Management Center via the Deployment Agent (CCA). The Application Control audit event reports available in the Management Center can also be used to provide details of current application usage across the enterprise.

The default configuration in Application Control validates all Windows Scripting Host (WSH) scripts, such as VBS, against configuration rules. This ensures that uses can only invoke authorized scripts, eliminating the risk of introducing WSH scripts that contain viruses or malicious code.

The Validation settings can be disabled in the Application Control Options dialog, along with validation of cmd.exe, self-extracting ZIP files, registry files, and Windows installer (MSI) files.

Only self-extracting EXEs formatted using the ZIP specification are supported. For additional information, see ZIP Specifications.

Enable and disable certain features in Application Control either when not in use or when troubleshooting issues in your configurations. The functionality that you can manage in this way includes:

• Application Access Control
• Application Network Access Control
• Privilege Management