Building a Central File Authorization List

You can use Standard File Definitions (SFD) to simplify the task of building a central file authorization list.

Standard File Definitions (SFDs) contain digital signatures corresponding to standard executable files that are distributed with Microsoft Windows operating systems.

Using SFDs:

  • Simplifies initial setup.
  • Includes information necessary to automatically allocate files to predefined file groups and assign files to well-known user and user groups.
  • Minimizes the risk of authorizing tampered versions of operating system files.
  • Simplifies operating system upgrades because Ivanti Device and Application Control recognizes the standard files, and respective default file groups. Ivanti Device and Application Control automatically saves upgraded file definitions to the same locations as the originals.

The following table describes the system users/groups that can access the default SFD file groups.

File Group Name

Users/Groups Assigned

16 Bit Applications

Administrators (group)

Accessories

Administrators (group), Everyone (group)

Administrative Tools

Administrators (group)

Boot files

Local Service (user), LocalSystem (user), Network Service (user)

Communication

Administrators (group)

Control Panel

Administrators (group)

DOS Applications

Administrators (group)

Entertainment

Administrators (group)

Logon files

Everyone (group)

Ivanti Device and Application Control support files

Administrators (group), Everyone (group)

Setup

Administrators (group)

Windows Common

Everyone (group)

Importing Standard File Definitions

You can use standard Microsoft file definitions to quickly build a central file authorization list for executable files, macros, and scripts.

  1. From the Management Console, select Tools > Import Standard File Definitions.
    The Import Standard File Definitions dialog opens.
  2. Click Add.
    The Open dialog opens and displays files with an .sfd extension.
  3. Tip: You can import standard file definitions from the Self-Service Portal by downloading to a local computer and unzipping the archived files.

  4. Select the standard definition file(s) to import.
  5. Click Open.
    The file(s) are shown in the Add window.
  6. Select one or more of the following options:
  7. Option

    Description

    Assign File Groups to Well Known Users Automatically

    Assigns the executable files, scripts, and macros found in the scan to the system users/groups.

    Process Known Files Automatically

    The wizard adds the file to the database if they have the same name but different digital signature.

    Import SFD with file hashes and create predefined File Groups:

    Ivanti Device and Application Control automatically imports standard file definition digital signatures, then creates and assigns the files to predefined file groups.

    Import SFD without file hashes and create predefined File Groups:

    Predefined file groups for standard file definitions are created but no digital signatures are imported. Ivanti Device and Application Control partially assists you by identifying file names and proposing file groups for authorization during scanning.

  8. Click Import.
  9. After importing standard file definitions, click OK.
  10. Click Close.
    The designated standard file definitions are now authorized and assigned to respective predefined file groups and system users/groups.

Caution: When you import standard file definitions, you should authorize logon and boot files. If these are not authorized, the system will not work properly. This is especially important for system updates.

After Completing This Task:

Assign the imported predefined file groups to users/groups, if you did not select the Assign File Groups to Well Known User Automatically option.