Rules Items
Rule items include files, folders, network drives and connections, signature files, Windows Store Apps, and groups, which you can add to rule nodes, such as Allowed Items and User Privileges.
Application Control 2020.3 enables rule items for files, folders, signatures, and groups to be configured to prompt the user before elevating application privilege. This allows the user to choose whether to run the application (or item) elevated or normally. For auditing purposes, it is recommended that the user is prompted to supply a reason for the elevation.
Note: the audit event code used is 9023 (Self-elevation).
Files
- In the navigation pane, select the Allowed Items or Denied Items node for a rule.
- In the Rule Items ribbon, select either:
  - Add Item > Allowed > File.
  - Add Item > Denied > File.
  The Add a File dialog displays.
- In the Properties tab, click the ellipsis (...) in the text box, navigate to the file that you want to add and click OK.
- If required, you can select the following:
  - Substitute environment variables where possible
  - Use regular expressions
- Enter optional command line arguments in the Arguments text box. Enter all arguments as they appear in Process Explorer.
  Command line arguments extend the matching criteria beyond what is entered in the File field. If an argument is added, both the file and the argument must be satisfied for a match to occur. Any argument that appears on the command line for a process, such as flags, switches, files, and GUIDs, can be added.
  For examples of valid arguments, see Arguments Example.
- To add metadata to the file, select the Metadata tab:
  - Click Populate metadata from file. The following fields can be populated: Product Name, Vendor, Company Name, File Description, File Version, and Product Version.
  - Select the checkboxes for the metadata to refine the criteria for the file.
  If Vendor metadata is enabled, a further option becomes available: Verify certificate at runtime. When this option is enabled, the agent verifies the certificate while it is matching the file. Click Verify Options to access a further set of criteria used during file matching. For further information, see Verify Options.
- To specify that the file may run at specific access times only, select the Access Times tab:
  - Select Only allow files to run at certain access times.
  - To specify an allowed period, right-click the time period in the calendar area and select New Allowed Period.
- To limit the number of instances of an application a user can have, select the Application Limits tab:
  - Select Enable Application Limits.
  - Enter the limit in the spinbox.
- Click Add to add the file to the Allowed/Denied Items for the rule. The item is added to the Allowed/Denied work area.
If you want to disable a specific rule item, highlight the item, right-click and select Change State. This toggles between disabled and enabled. This can be useful when troubleshooting with Support.
- In the navigation pane, select the User Privileges node for a rule.
- In the User Privileges ribbon, select Add Item > Application > File.
  The Add a File for User Privilege Management dialog displays.
- In the Properties tab, click the ellipsis (...) in the text box. In the Open dialog, navigate to the file that you want to add and click OK.
- If required, you can select the following:
  - Substitute environment variables where possible
  - Use regular expressions
  - Make file an Allowed Item
- Enter optional command line arguments in the Arguments text box. Enter all arguments as they appear in Process Explorer.
  Command line arguments extend the matching criteria beyond what is entered in the File field. If an argument is added, both the file and the argument must be satisfied for a match to occur. Any argument that appears on the command line for a process, such as flags, switches, files, and GUIDs, can be added.
  For examples of valid arguments, see Arguments Example.
- To apply a policy, select the policy from the drop-down in the Policy section. You can select the following options for the policy:
  - Apply to child processes
  - Apply to common dialogs
  - Install as a trusted owner
  - Prompt the user before elevating (and the related Require a reason before elevating). See also Message Settings.
- If required, enter an optional description of the file for your future reference.
- To add metadata to the file, select the Metadata tab:
  - Click Populate metadata from file. The following fields can be populated: Product Name, Vendor, Company Name, File Description, File Version, and Product Version.
  - Select the checkboxes for the metadata to refine the criteria for the file.
  If Vendor metadata is enabled, a further option becomes available: Verify certificate at runtime. When this option is enabled, the agent verifies the certificate while it is matching the file. Click Verify Options to access a further set of criteria used during file matching. For further information, see Verify Options.
- Click Add to add the file to the User Privilege Management for the rule. The item is added to the User Privileges work area.
If you want to disable a specific rule item, highlight the item, right-click and select Change State. This toggles between disabled and enabled. This can be useful when troubleshooting with Support.
Arguments Example

Denied File | Allowed File | Result
---|---|---
shutdown.exe | shutdown.exe, Arguments: -r -t 30 | shutdown.exe runs only when -r -t 30 is on the command line; anything else run by shutdown.exe is denied.

To configure the arguments of an allowed or denied item correctly, they must appear as they do in Process Explorer. For example:
- File: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
- Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n C:\example.docx
would be configured as:
- File: Absolute or relative path of winword.exe
- Arguments: /n C:\example.docx
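As an added illustration (not part of the product documentation), the following Python sketches the file-plus-arguments matching the table describes: a Process Explorer command line is split into image path and arguments, and an item matches only when both agree. The rule-item layout, the basename-versus-full-path rule and the precedence of the argument-specific allowed item over the bare denied item are assumptions made for this example.

```python
import ntpath

# Constructed rule items modelled on the table and WINWORD example above; the
# dict layout is hypothetical, not Application Control's own configuration format.
DENIED_ITEMS = [{"file": "shutdown.exe", "args": None}]
ALLOWED_ITEMS = [
    {"file": "shutdown.exe", "args": "-r -t 30"},
    {"file": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "args": r"/n C:\example.docx"},
]

def split_command_line(cmdline):
    """Split a Process Explorer style command line into (image path, arguments).
    A quoted image path (one containing spaces) is honoured."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.index('"', 1)
        return cmdline[1:end], cmdline[end + 1:].strip()
    image, _, rest = cmdline.partition(" ")
    return image, rest.strip()

def file_matches(rule_file, image_path):
    """Assumption: a rule file without a directory matches on image name alone;
    one with a directory must match the full path. Windows paths compare case-insensitively."""
    if ntpath.dirname(rule_file):
        return ntpath.normcase(rule_file) == ntpath.normcase(image_path)
    return rule_file.lower() == ntpath.basename(image_path).lower()

def args_match(rule_args, actual_args):
    """No arguments on the rule means any command line matches; otherwise the
    whitespace-normalised argument strings must be identical (case preserved)."""
    if rule_args is None:
        return True
    return " ".join(rule_args.split()) == " ".join(actual_args.split())

def item_matches(item, cmdline):
    image, args = split_command_line(cmdline)
    return file_matches(item["file"], image) and args_match(item["args"], args)

def evaluate(cmdline, allowed=ALLOWED_ITEMS, denied=DENIED_ITEMS):
    """Assumed precedence (mirrors the table's Result column): an allowed item
    that names arguments is more specific than a bare denied item, so it wins."""
    if any(item_matches(i, cmdline) for i in allowed):
        return "allowed"
    if any(item_matches(i, cmdline) for i in denied):
        return "denied"
    return "not matched"
```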
Folders
- In the navigation pane, select the Allowed Items or Denied Items node for a rule.
- In the Rule Items ribbon, select either:
  - Add Item > Allowed > Folder.
  - Add Item > Denied > Folder.
  The Add a Folder dialog displays.
- In the Properties tab, click the ellipsis (...) in the text box, navigate to the folder that you want to add and click OK.
- If required, select the following:
  - Substitute environment variables where possible
  - Use regular expressions
  - Include subfolders
- To add metadata to the folder, select the Metadata tab:
  - Click Populate metadata from file. The following fields can be populated: Product Name, Vendor, Company Name, File Description, File Version, and Product Version.
  - Select the checkboxes for the metadata to refine the criteria for the file.
  If Vendor metadata is enabled, a further option becomes available: Verify certificate at runtime. When this option is enabled, the agent verifies the certificate while it is matching the file. Click Verify Options to access a further set of criteria used during file matching. For further information, see Verify Options.
- Click Add to add the folder to the Allowed/Denied Items for the rule. The item is added to the Allowed/Denied work area.
If you want to disable a specific rule item, highlight the item, right-click and select Change State. This toggles between disabled and enabled. This can be useful when troubleshooting with Support.
- In the navigation pane, select the User Privileges node for a rule.
- In the User Privileges ribbon, select Add Item > Application > Folder.
  The Add a Folder for User Privilege Management dialog displays.
- In the Properties tab, click the ellipsis (...) in the text box. In the Open dialog, navigate to the file that you want to add and click OK.
- If required, you can select the following:
  - Substitute environment variables where possible
  - Include subfolders
  - Use regular expressions
  - Make folder an Allowed Item
- To apply a policy, select the policy from the drop-down in the Policy section. You can select the following options for the policy:
  - Apply to child processes
  - Apply to common dialogs
  - Install as a trusted owner
  - Prompt the user before elevating (and the related Require a reason before elevating). See also Message Settings.
- If required, enter an optional description of the folder for your future reference.
- To add metadata to the folder, select the Metadata tab:
  - Click Populate metadata from file. The following fields can be populated: Product Name, Vendor, Company Name, File Description, File Version, and Product Version.
  - Select the checkboxes for the metadata to refine the criteria for the folder.
  If Vendor metadata is enabled, a further option becomes available: Verify certificate at runtime. When this option is enabled, the agent verifies the certificate while it is matching the file. Click Verify Options to access a further set of criteria used during file matching. For further information, see Verify Options.
- Click Add to add the folder to the User Privilege Management for the rule. The item is added to the User Privileges work area.
If you want to disable a specific rule item, highlight the item, right-click and select Change State. This toggles between disabled and enabled. This can be useful when troubleshooting with Support.
Drives
- In the navigation pane, select the Allowed Items or Denied Items node for a rule.
- In the Rule Items ribbon, select either:
  - Add Item > Allowed > Drive.
  - Add Item > Denied > Drive.
  The Add a Drive dialog displays.
- Enter the drive letter and an optional description for your future reference.
- Click Add to add the drive to the list of Allowed or Denied Items for the rule.
Signatures and Signature Items
- In the navigation pane, select the Allowed Items or Denied Items node for a rule.
- In the Rule Items ribbon, select either:
  - Add Item > Allowed > Signature Item.
  - Add Item > Denied > Signature Item.
  The Add a Signature dialog displays.
- In the Properties tab, click the ellipsis (...) in the text box. In the Open dialog, navigate to the file, for example an EXE file, that you want to add and click OK.
  The Signature Hash Value field is populated with the signature hash value of the file.
- To specify that the file may run at specific access times only, select the Access Times tab:
  - Select Only allow files to run at certain access times.
  - To specify an allowed period, right-click the time period in the calendar area and select New Allowed Period.
- Click Add to add the signature file to the Allowed/Denied Items for the rule.
- In the navigation pane, select the User Privileges node for a rule.
- In the User Privileges ribbon, select Add Item > Application > Signature.
  The Add a Folder for User Privilege Management dialog displays.
- In the Properties tab, click the ellipsis (...) in the text box. In the Open dialog, navigate to the file that you want to add and click OK.
- If required, you can select Make signature file an Allowed Item.
- Enter optional command line arguments in the Arguments text box.
- To apply a policy, select the policy from the drop-down in the Policy section. You can select the following options for the policy:
  - Apply to child processes
  - Apply to common dialogs
  - Install as a trusted owner
  - Prompt the user before elevating (and the related Require a reason before elevating). See also Message Settings.
- If required, enter an optional description of the folder for your future reference.
- Click Add to add the signature file to the User Privilege Management for the rule.
Network Connection Items
Network Connection Items can be created for any network resource and can be added directly to a Rule. Adding single Network Connection Items to Allowed and Denied Item lists is useful when a more granular level of control is required, or when only a few items are required. However, using this method could prove time-consuming.
Network Connection Items can be cut, copied or dragged and dropped between rules. There are no default Network Connection Items in a configuration. The full path of the Network Connection Item cannot exceed 400 characters.
- In the navigation pane, select the Allowed Items or Denied Items node for a rule.
- In the Rule Items ribbon, select either:
  - Add Item > Allowed > Network Connection.
  - Add Item > Denied > Network Connection.
  The Add a Network Connection dialog displays.
- Select the connection type:
  - IP Address - Select to control access to a specific IP Address.
  - Network Share - Select to control access to UNC paths. The prefix \\ is added to the Host field.
  - Host Name - Select to control access to a specific Host Name.
- Complete the connection details. The combined number of characters for all three fields, Host, Port and Path, must not exceed 400.
  - Host - The IP Address or Host Name for the network connection, depending on the type of connection selected. You can use the ? and * wildcards. Additionally, ranges can be used for IP Addresses, indicated by a hyphen (-). An IP Address must be in IPv4 dotted format, for example n.n.n.n. If Network Share is selected as the connection type, the \\ prefix is required.
    The full path for the target resource can be entered in Host, for example http://server1.company.local:80/resource1/. Move focus away from Host and the path is automatically split into the separate connection options:
    - http:// is removed from the Host field and server1.company.local remains.
    - : is removed and 80 is moved to Port.
    - /resource1/ is moved to Path.
  - Port - The port number of the network connection. This can be used in combination with IP Address or Host Name to control access to a specific port. Ranges and comma-separated values are allowed as part of the port number. Click Ports to display a list of commonly used ports. Select as many ports as required.
  - Path - The path of the network connection. You can use the ? and * wildcards. To use wildcards in the path, select the Text contains wildcard characters option.
    The path is only relevant for controlling HTTP and
  - Description - Enter a meaningful description of the network connection.
- Click Add to add the network connection to the list of Allowed or Denied Items for the rule.
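As an added example (not Application Control's own code), this Python emulates how a URL typed into Host is split into Host, Port and Path, and how the ? and * wildcards, hyphenated IP ranges and comma-separated port ranges described above would be evaluated against a connection. The item layout and the whole-address form of the IP range (a.b.c.d-a.b.c.d) are assumptions for this illustration.

```python
import fnmatch
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed Network Connection Items, one per dialog type; the dict layout
# is hypothetical, not Application Control's own configuration format.
ITEMS = [
    {"type": "Host Name", "host": "*.company.local", "port": "80,443", "path": "/resource1/*"},
    {"type": "IP Address", "host": "10.0.0.1-10.0.0.50", "port": "8000-8080", "path": ""},
    {"type": "Network Share", "host": r"\\fileserver0?", "port": "", "path": ""},
]

def split_connection(text):
    """Emulate the Host field: a full URL typed into Host is split into
    (host, port, path), e.g. http://server1.company.local:80/resource1/."""
    if "://" not in text:
        return text, "", ""
    parts = urlsplit(text)
    return parts.hostname, str(parts.port or ""), parts.path

def port_in_spec(port, spec):
    """Port specs take comma-separated values and hyphen ranges ("80,443,8000-8080").
    An empty Port field matches any port."""
    if not spec:
        return True
    for token in spec.split(","):
        lo, _, hi = token.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def host_matches(pattern, host):
    """Hosts take ? and * wildcards. An IP Address item may also be a hyphenated
    range; the whole-address form a.b.c.d-a.b.c.d is an assumption here."""
    if re.fullmatch(r"[\d.]+-[\d.]+", pattern):
        lo, hi = (ipaddress.IPv4Address(p) for p in pattern.split("-"))
        try:
            return lo <= ipaddress.IPv4Address(host) <= hi
        except ipaddress.AddressValueError:
            return False  # a host name can never fall inside an IP range
    return fnmatch.fnmatchcase(host.lower(), pattern.lower())

def item_matches(item, host, port, path):
    """Host, Port and Path must all agree; an empty Path field matches any path."""
    return (host_matches(item["host"], host) and port_in_spec(port, item["port"])
            and (not item["path"] or fnmatch.fnmatchcase(path, item["path"])))

def matching_items(items, host, port, path):
    """Return the items that would fire for a connection; useful for checking that
    a loose wildcard such as *.company.local does not cover more hosts than intended."""
    return [i for i in items if item_matches(i, host, port, path)]
```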
Windows Store Apps
- In the navigation pane, select the Allowed Items or Denied Items node for a rule.
- In the Rule Items ribbon, select either:
  - Add Item > Allowed > Windows Store App.
  - Add Item > Denied > Windows Store App.
- Select the required option:
  - All Installed Apps - Include any app that users have installed.
  - Individual Apps - Include specific apps selected from built-in snippets and snippets downloaded from Ivanti Marketplace. Use the Version Matching drop-down to target the required app versions.
  - Publisher - Include all apps from a named publisher. You can enter publisher details manually or extract details from a locally installed app.
- Click OK.
Groups
Groups can be added to User Privileges to hold and manage logical collections of files, folders, drives, signature files, and network connection items. You can also add them to the lists of Allowed or Denied Items for a rule.
- In the navigation pane, select the Allowed Items or Denied Items node for a rule.
- In the Rule Items ribbon, select either:
  - Add Item > Allowed > Group.
  - Add Item > Denied > Group.
  The Group Selection dialog displays, listing the available groups.
- Select the groups you want to add.
- If you want to execute all the listed rule items regardless of the owner, select the Allow Untrusted Owner checkbox for the app.
- Click OK.
- In the navigation pane, select the User Privileges node for a rule.
- In the User Privileges ribbon, select Add Item > Applications > Group.
  The Group Selection dialog displays, listing the available groups.
- To assign the User Privileges rules to the selected group, select Add To Rule.
- You can also select the following options:
  - Policy - Select the policy, for example Builtin Elevate, from the drop-down list.
  - Make Allowed - Make the selected group allowed and overwrite any associated allowed items.
  - Allow Untrusted Owner - Execute all the listed rule items regardless of the owner. This option becomes available when Make Accessible is selected.
  - Apply to Child Processes - Apply the policy to all the children and other descendants of the parent process.
  - Apply to Common Dialogs - Allow the open and save dialogs to run with administrative privileges when selected from an elevated process.
    Note: To prevent users from modifying the filesystem with administrative privileges, this option should be left unselected.
  - Install as Trusted Owner - Make local administrators the owner of all files created by the defined application.
  - Prompt the user before elevating (and the related Require a reason before elevating) - Displays a configured message that helps the user decide whether or not to elevate privileges. The prompt can require the user to enter a reason before privileges are elevated. See also Message Settings.
- Click OK.