User Privilege Management Use Cases

User privileges management has many use cases and solves problems that many enterprises have until now been unable to address. A small number of scenarios are given below:

  • Organizations that use local administrator accounts for theirs users may need to lock down elements of the desktop, such as the Control Panel component, Add Hardware or Add and Remove Programs \ Programs and Features. By dynamically dropping the user account from administrator to a standard user for specific controls, the user is now prohibited from accessing the control and executing an unwanted task.
  • Some applications require administrator rights because the application itself interacts with certain parts of the desktop operating system or registry. However, the organization does not wish to provide users with full administrator accounts. User privileges management can elevate the user rights for the named application to an administrator level, enabling the user to run their application while protecting the desktop.
  • Automatic update elements of some applications can require administrator rights to perform the update actions and therefore not function in the context of a standard user. User privileges managements can enable the named application to run under the context of an administrator account while all other applications remain in standard user context.
  • Mobile users may need to manually change their IP address, configure a wireless network, or change date and time properties, all of which require administrative rights.
  • User privileges management can elevate the user rights to administrator level for named tasks, enabling the user to make the changes they require.

Elevate User Privileges for Running Applications

Users often require administrative rights to perform their role. User Privilege Management allows you to elevate a user so that they have administrative rights for specified applications. To elevate user privileges, you must first create a policy and then apply this to a rule.

  1. Navigate to the Library > User Privilege Policies node.
  2. On the Privilege Management ribbon select Add Policy.
  3. Select and right-click the new policy and select Rename.
  4. Give the policy an intuitive name, for example, Elevate Admin Rights.

  5. Select the new policy and in the Privilege Management ribbon click Add Group Action.

    The Account Selection dialog displays

  6. Browse to and select the group you want to add to the policy.

  7. The group is listed in the Group Membership tab in the User Privilege Policy work area.

    Ensure that Add Membership is specified in the Action column. This allows users to run an application as if they were a member of the group.

    • The Group Membership tab is used to specify the credentials an application can run under.
    • The Privileges tab provides granular control of the privileges the user will have over an application.
    • The Properties tab is used to specify the integrity level. Applications with a low integrity level cannot interoperate with applications that have a high integrity level.
  1. Select Rules > Group > Everyone > User Privileges in the navigation pane.
  2. On the Privilege ribbon select the Add Item drop-down arrow, highlight Application and then select one of File, Folder, Signature or Group.
  3. Select the item you want to add.
  4. Set the User Privilege Policy to the policy created in the Create a User Privilege Management Policy step above.
  5. Select the Everyone node.
  6. Move the Security Level slider to Unrestricted to prevent Application Control from blocking.
  7. Save the configuration.

Event 9018 audits when the user privileges to an application change.

Example: Allow Users to Run Visual Studio and Debug Applications

Users often require administrative privileges to run, for example, Visual Studio, and to debug applications. Use user privilege management to elevate administrative rights for the specified applications.

To elevate user privileges, you need to first create one or more reusable policies and apply these to a rule.

  1. Select the Library > User Privilege Policies node.
  2. Select Add Policy on the Privilege Management ribbon.
  3. Select and right-click the new policy and select Rename.
  4. Enter an intuitive name for the policy, for example, Elevate Visual Studio.

  5. In the Privilege Management ribbon, click Add Group Action.

    The Account Selection dialog displays.

  6. Browse to and select the group you want to add to the policy.

    The group is added to the Group Membership tab in the rule work area.

  7. In the tab, ensure that Add Membership is specified in the Action column.

    This allows users to run an application as if they were a member of the group.

  1. Select the Library > User Privilege Policies node.
  2. Select Add Policy on the Privilege Management ribbon.
  3. Select and right-click the new policy and select Rename.
  4. Enter an intuitive name for the policy, for example, Run Debug.

  5. Select the Privileges tab.

    The Privileges work area displays.

  6. Select the drop-down menu for the debugging privilege in the Action column and select Enable.
  1. Select Rules > Group in the navigation pane.

  2. Select the Add Rule drop-down arrow on the Rules ribbon and select Group Rule.

    The Add Group Rule dialog displays.

  3. Enter the domain name into the Account field.
  4. Click Add.

  1. Select the User Privileges node beneath the rule you have created.

    The User Privilege work area displays.

  2. In the Privileges Management ribbon, select Add Item > Application > File.
    The Add a File for User Privilege Management dialog displays.
  3. Browse to and select the visual studio application file.
  4. Select the Apply policy to child processes option.

  5. Click Add.

    The file path and name of the executable file is added to the Applications tab in the work area.

  6. In the tab, select the Elevate Visual Studio policy in the User Privileges Policy column. This is the policy created in Step 1.

  1. In the User Privileges work area, select Add Item > Application > File from the Privileges Management ribbon.

    The Add a File for User Privilege Management dialog displays.

  2. Enter * in the File field. This is to allow for all debug applications.
  3. Click Add.

  4. Select the Run Debug policy in the User Privileges Policy column.

    This is the policy created in Step 4.

Save the Configuration.

Elevate User Privileges for Running Control Panel Components

Many roaming users need to do various tasks that need to be run as an administrator, for example:

  • To install printers
  • To change network and firewall settings
  • To change the time and date
  • To add and remove programs.

All of these tasks require components to run as administrator.

Use user privilege management to elevate privileges for individual components so that the non-administrative standard user can make the changes to perform their role.

Elevate privileges for a Component

  1. Select the User Privileges node beneath the applicable Rules node, for example, the Group > Everyone node.

  2. On the Privilege Management ribbon select Add Item > Add Component.

    The Select Components dialog displays.

  3. Select one or more components that you want to elevate, and click OK.

    Use the filter at the top of the Select Components dialog to filter components by operating system.

    The component is now listed on the Components tab in the policy work area.

  4. Ensure the Builtin Elevate policy is selected in the User Privilege Policy column.
  5. Save the configuration.

The ability to defragment a disk requires administrative privileges and is governed by a particular component. Use privileges management to elevate user privileges for this component, thus allowing them to defragment a disk.

  1. Select the applicable Rules node, for example, the Group > Everyone node.

  2. In the Privileges Management ribbon, select Add Item > Add Component.

    The Select Components dialog displays.

  3. Select the Defragment component, and click OK.

    Use the filter at the top of the Select Components dialog to filter components by operating system.

    The component is added to the Components tab in the work area for the rule.

  4. Select the drop-down arrow in the User Privileges Policy column, and select the Builtin Elevate policy.
  5. Save the configuration.

The ability to update Microsoft Windows is governed by a particular component. Use privilege management to elevate privileges for this component so that the non-administrative standard user can make the changes to perform their role.

To elevate privileges for the applet:

  1. Select the applicable Rules node, for example, the Group > Everyone node.

  2. In the Privileges Management ribbon, select Add Item > Add Component.

    The Select Components dialog displays.

  3. Select the Automatic Update\Windows Update component, and click OK.

    Use the filter at the top of the Select Components dialog to filter components by operating system.

    The component is added to the Components tab in the work area for the rule.

  4. Select the drop-down arrow in the User Privileges Policy column, and select the Builtin Elevate policy.
  5. Save the configuration.

Reduce Privileges to Restrict Application Privileges

Running applications as an administrator enables a user to change many undesirable settings, install applications, and potentially open up the desktop to the Internet. Use user privilege management to restrict an administrator level user to running, for example, Internet Explorer in a standard user mode, thus safe-guarding the desktop.

To elevate user privileges, you need to first create a policy and then apply this to a rule.

  1. Navigate to the Library > User Privilege Policies node.
  2. On the Privilege Management ribbon select Add Policy.
  3. Select and right-click the new policy and select Rename.
  4. Give the policy an intuitive name, for example, Reduce Admin Privileges.
  5. Select the new policy and on the Privilege Management ribbon select Add Group Action.
    The Account Selection dialog displays

  6. Browse to and select the group you want to add to the policy. These are the account credentials to run the application. Click Add.

    The group is listed in the Group Membership tab of the policy work area.

  7. Select Drop Membership in the Action column.
    • The Group Membership tab is used to specify the credentials an application can run under.
    • The Privileges tab provides granular control of the privileges the user will have over an application.
    • The Properties tab is used to specify the integrity level. Applications with a low integrity level cannot interoperate with applications that have a high integrity level.
  1. Navigate to the Rules > Group > Everyone > User Privileges node.
  2. On the Privilege Management ribbon select the Add Item drop-down arrow point to Application and then select one of the following:
    • File
    • Folder
    • Signature
    • Group
  3. Select the item you want to add.
  4. Set the User Privileges Policy to the policy created in the Step 1.
  5. Select the Everyone node.
  6. Move the Security Level slider to Restricted.
  7. Save the configuration.

Event 9018 audits when the user privileges to an application change.

Reduce User Privileges for Running Components

Use user privilege management to reduce privileges for individual components so that the non-administrative standard user cannot make certain changes.

Reduce Privileges for a Component

  1. Select the User Privileges node beneath the applicable Rules node, for example, the Group > Everyone node.

  2. On the Privilege Management ribbon select Add Item > AddComponent.

    The Select Components dialog displays.

  3. Select one or more components that you want to reduce privileges for, and click OK.

    Use the filter at the top of the Select Components dialog to filter components by operating system.

    The selected component now displays on the Components tab in the work area.

  4. Select the drop-down arrow in the User Privileges Policy column and select the Builtin Restrict policy.
  5. Save the configuration.

Services is a Control Panel component. Use user privilege management to reduce privileges for the Services component so that the non-administrative standard user cannot start and stop Services.

  1. Select the User Privileges node beneath the applicable Rules node, for example, the Group > Everyone node.

  2. On the Privilege Management ribbon select the Add Item > Add Component.

    The Select Components dialog displays.

  3. Select the Services component, and click OK.

    Use the filter at the top of the Select Components dialog to filter components by operating system.

    The selected component is now displayed in the Components tab in the work area.

  4. Select the drop-down arrow in the User Privilege Policy column and select the Builtin Restrict policy.
  5. Save the configuration.

Secure Dialogs

An administrator can use Application Control and Privilege Management to elevate a standard user to have administrative privileges. Allowing a user to have administrative privileges grants them access to all files, including important system files, and the ability to, for example, delete or rename them. These actions can compromise a system.

Application Control and Privilege Management provides a Secure Common Dialogs feature prohibiting users from manipulating files. The dialog boxes still open and provide access to files but the files cannot be deleted or renamed.

Application Control does not restrict access to areas that a user ordinarily has access to.

Elevate to Administrator and Secure Common Dialogs

Scenario

  • You are an IT Administrator
  • You are creating a new User Privilege policy

Process

  1. Navigate to the Library > User Privileges Policies node and select Add Policy on the Privilege Management ribbon.

    A new policy is created.

  2. Right-click the new policy and select Rename.
  3. Enter an intuitive name for the policy, for example, Elevate to Administrator.

  4. Select the new policy and select Add Group Action on the Privilege Management ribbon.

    The Account Selection dialog displays.

  5. Type the administrator account into the Account field or use the Browse button to search for an account. Click Add.
  6. Ensure Add Membership is selected in the Action column. This is the default setting. The Add Membership option allows users to run an application as if they were part of the specified group. The Drop Membership option does not allow the users to run an application.
  7. Select the User Privileges node for the applicable group, for example, the Everyone group.
  8. On the Privilege Management ribbon, select Add Item > Application > File.
  9. The Add a File for User Privilege Management dialog displays.
  10. Enter the name of the application that you want to secure common dialogs for or click the Browse button and browse to the application.
  11. Ensure that the Apply to common dialogs option is not selected.
    With this option not selected, the common open\save dialogs will run with standard privileges and the user will be unable to modify any files or folders that they should not be able to access.
  12. Click Add.
  13. Ensure the policy created in steps 1 to 6 is selected in the User Privilege Policy column.
  14. Save the configuration.