User Privilege Management
In this section:
Many user environments are very restrictive in order to limit user access to sensitive data and key applications. However, users often require administrative privileges to perform their role. For example, the many proprietary systems, system updates, and applications that allow the installation of drivers for devices such as printers, antivirus scans, and so on all require administrative privileges. So users typically have full administrative privileges or no administrative privileges at all.
Application Control secures and protects many corporate desktops by controlling application and network access. Application Control 8.1 and higher extends policy management capabilities by providing comprehensive user privilege management functionality. User privilege management allows you to create reusable user privilege policies that can be associated with any rules and can elevate or restrict access to files, folders, drives, signatures, Windows Store Apps, application groups, and supported Control Panel components specific to an operating system.
User privilege management enables enterprise IT departments to reduce access control privileges on a per user, group, application, or business rule basis. It ensures users have only the rights they need to fulfill their job and access the applications and controls they require, and nothing else, thus ensuring desktop stability, and improving security and productivity. The perfect balance between user productivity and security is to control user privileges, not at a session or account level, but at the level of an application or individual task.
With user privilege management, access to applications and tasks is managed dynamically by managing user privileges on demand, in response to user actions. For example, administrator privileges can be applied to a named application or Control Panel component for a particular user or user group by either elevating the privileges of a standard user to an administrator level, or dropping the privileges of an administrator to that of a standard user account.
By controlling user privileges throughout the user session, IT can provide users with the accessibility they require to perform their job, while protecting the desktop and the environment and reducing management costs.
User privileges management provides a granular approach to delegating administrative rights to users and applications by assigning rights according to merit. This level of control can be deployed to elevate or restrict privileges on a case by case basis according to the preferred approach taken in the environment.
User privileges management allows you to create a library of reusable policies that can be associated with any available Application Control rule, to assign the relevant privileges to files, folders, signatures, and application groups. User privileges policies include domain user group membership and a range of administrative privileges that you can apply to each policy.
If a new application is spawned from an existing application with administrative privileges the new application does not automatically receive the same privileges. Instead it is evaluated to determine whether or not is should receive administrative privileges.
Many users run their computer with administrative privileges. Users running with these privileges can introduce viruses, malware, and spyware. This can affect an entire enterprise, causing security breaches and downtime. Access to private data can also be at risk.
User privileges management allows you to apply the principle of least privilege. This principle requires that users are provided the minimum privileges to do their job, without giving the user full administrator privileges. The experience is seamless to the user.
For the complete definition of least privilege refer to the Department of Defense Trusted Computer System Evaluation Criteria, (DOD-5200.28.STD), also known as the Orange Book. This is located at http://csrc.nist.gov/publications/history/dod85.pdf.
With user privileges management, any downtime, coupled with the number of calls made to IT Support due to viruses and so on, is greatly reduced because computers are made secure against the problems that occur when a user has full administrative privileges. This means IT Support can focus on more important tasks rather than spending large amounts of time troubleshooting computers to find out the problem. Licensing is also easier to control, for example, by allowing users to install only authorized applications.
Common Tasks that Require Administrative Privileges
In order to fulfil their roles, users may need to perform a number of tasks that need administrative privileges. A solution must be provided to allow these tasks to be performed; otherwise the user must fulfil their role without accomplishing these specific tasks. These tasks can include:
- Installing printers
- Installing certain hardware
- Installing particular applications
- Operating applications that require administrative privileges
- Changing system time
- Running legacy applications
User privileges management allows the user to perform these tasks by elevating a user to have specific administrative privileges.
User Privileges Management vs Run As
Many users, particularly knowledge workers, use the Run as command to run applications. Users can perform their daily tasks running with least privilege but can also, as required, use the Run as command to elevate their credentials, thus performing a task under the context of a different user. This, however, requires that a user has two accounts: one for least privileges and one for elevation.
A common problem when using Run as is allowing the administrative password to become known throughout an organization. For example, an administrator may communicate the administrator password to a user to enable them to use the Run as command to fix a problem with their computer. Unfortunately, the password commonly gets passed around, causing unforeseen security risks.
An additional problem with Run as is how software actually interacts with it. Run as executes an application or process under the context of a different user. Therefore, that application or process does not have access to the correct HKEY_CURRENT_USER hive in the registry.
This hive is where all the profile data is stored and is protected space. So the application or process running under the context of a different user cannot read or write to this source, causing some applications to not function. Running under the context of a different user can also cause problems reading and writing to a network share. This is because network shares are based on the account under the context you are running. So your local account and the Run as account may not have the same access to resources.
Run As and UAC
Some operating systems, such as Windows 7 and Windows 8, have features that allow a user to run applications or processes without administrative privileges. These are the Run as command and User Account Control (UAC).
These features also apply to Server 2008 and 2012 versions.
Although these features do allow users to run without administrative privileges, they still require the user to have access to an administrator account to perform administrative tasks. Unfortunately, this limitation means these features are more appropriate for administrators. It enables them to log on as a standard user and use the administrator account to perform administrative tasks only.
Because the user must provide the credentials for a local administrator to use Run as and UAC, this creates a number of concerns. For example:
- A user with access to an administrator account must be trusted not to abuse these privileges.
- Applications running with administrative privileges are now running under the context of a different user. This can cause problems, for example, these particular applications do not have access to the actual user’s profile or network shares, as stated in the User Privileges Management vs. Run As section.
- Two passwords are required. One for the standard account and one for the administrator account. The user must remember both. Security required for one account is challenging, and for two accounts more so.
In a Microsoft Windows computing environment, as part of the application launch process, when an execution request is made, the application requests a security token as part of the application launch approval process. This token details the rights and permissions given to the application and these rights can be used to interact with the operating system or other applications.
When User Privilege Management is configured to manage an application, the security token that is requested is dynamically modified to have permissions elevated or restricted, thus allowing the application to be run or blocked.
- The User Rights Management
mechanism handles process startup requests as follows:
- A User Rights Policy is defined in the configuration rule and applies to applications or components.
- The Application list can include files, folders, signatures or application groups.
- The Components list can include Control Panel components.
- When a process is created by the launch of an application or other executable, the Application Control hook intercepts the process and queries the Application Control agent whether elevated or restricted rights are required to run the process.
- The agent confirms whether the configuration assigns elevated or restricted rights and if required, the agent requests a modified user token from the Windows Local Security Authority (LSA).
- The hook receives the modified user token from the Windows LSA granting the necessary privileges. Otherwise, the process runs with the existing user token according to the definitions of the normal user rights.
The main benefits of User Privileges Management are:
- Discover User Applications that Require Elevated Privileges - Use the Privilege Discovery Mode to monitor and generate reports on applications that require administrative privileges. Use the data listed in the reports to create Application Management configurations.
Elevation of User Privileges for Running Applications - Use User Privileges Management to specify the applications to be run with administrative credentials. The user does not have administrative credentials but is able to run the application.
Elevation of User Privileges for Running Control Panel Applets - Many roaming users need to do various tasks that need administrative privileges. For example, to install printers, to change network and firewall settings, change the time and date, and to add and remove programs. All of these tasks require certain components to run as administrator. Use User Privileges Management to elevate privileges for individual components so that the non-administrative standard user can make the changes to perform their role.
Reducing Privileges to Restrict Application Privileges - By default, users have certain administration credentials, but are enforced to run specific application as a non-administrator. By running certain applications as an administrator, for example, Internet Explorer, the user is able to change many undesirable settings, install applications and potentially open up the desktop to the Internet. Use User Privileges Management to restrict an administrator level user from running, for example, Internet Explorer in a standard user mode, thus safe-guarding the desktop.
Reducing Privileges to Restrict Access to System Settings - Use User Privileges Management to give a higher level system administrator the ability to stop an administrative user from altering settings that they should not change, for example, firewalls and certain services. Use User Privileges Management to reduce administrative privileges for certain processes. Although the user has administrative privileges, the system administrator retains control of the environment.