Security Controls

Configuration Settings Privilege Management

Self Elevation

Self-Elevation can be applied to files, folders, file hashes and rule collections that usually require administrative privileges to run and function. Self-Elevation provides an option from the Windows Explorer shortcut menu to run an item with elevated rights. You can specify that when a user attempts to elevate a specified item, a prompt displays to request that the user enter a reason for the elevation before it is applied.

Self-Elevation is audited so you can monitor the types of applications that users typically want to self-elevate. You can add these items to the appropriate Privilege Management node in a configuration so users can access them without request.

In environments where User Account Control (UAC) is disabled, you can enable the self-elevation of Windows Explorer file and folder properties using the custom setting SelfElevatePropertiesEnabled. In this case, you can customize the Windows Explorer shortcut menu option text using the custom setting SelfElevatePropertiesMenuText.

The Configuration Settings > Privilege Management node is used to configure a list of file types and associated applications that users can open with elevated or administrative privileges. When a user right-clicks a file, Application Control performs the following checks to determine whether the user can elevate the application associated with the file:

  • Is the file type on the file associations list?
    • No - the file cannot be self-elevated.
    • Yes - check the associated application.
  • Is there an associated application?
    • No - the file is self-elevated using the associated application on the user's endpoint.
    • Yes - the file can be self-elevated only if opened with the application specified in the file associations list.

If the application can be self-elevated, a corresponding option is available from the shortcut menu and the user accesses the application with elevated privileges. If a user changes a default program to one that differs from the associated application set in the configuration, the self-elevation option is no longer available from the shortcut menu.
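The checks above, including the case where the user has changed the default program, can be modeled as follows. This is an added example, not code from Application Control: the function name and the `endpoint_default_app` parameter are hypothetical, comparing applications by file name is an assumption, and the sample paths are constructed.

```python
# Added illustration: a model of the documented decision flow, not product code.
import ntpath

# Default file associations listed on this page; None = no associated application.
DEFAULT_ASSOCIATIONS = {
    "EXE": None, "BAT": None, "CMD": None,
    "VBS": "wscript.exe", "WSF": "wscript.exe", "VBE": "wscript.exe",
    "MSI": "msiexec.exe", "MSP": "msiexec.exe",
    "PS1": "powershell.exe", "MSC": "mmc.exe", "REG": "regedit.exe",
}

def self_elevation_decision(file_path, endpoint_default_app,
                            associations=DEFAULT_ASSOCIATIONS):
    """Return (offered, reason) for the shortcut-menu self-elevation option.

    endpoint_default_app is the program the user's endpoint currently opens
    this file type with (hypothetical input; how the product resolves it is
    not described on the page).
    """
    ext = ntpath.splitext(file_path)[1].lstrip(".").upper()
    if ext not in associations:
        return False, "file type not on the file associations list"
    required = associations[ext]
    if required is None:
        return True, "no associated application; endpoint default is used"
    # Assumption: applications are compared by file name, case-insensitively.
    current = ntpath.basename(endpoint_default_app or "").lower()
    if current == required.lower():
        return True, f"opened with configured application {required}"
    return False, f"default program is not the configured {required}"

if __name__ == "__main__":
    samples = [  # constructed sample inputs
        (r"C:\Tools\setup.msi", r"C:\Windows\System32\msiexec.exe"),
        (r"C:\Scripts\fix.ps1", r"C:\Windows\System32\notepad.exe"),
        (r"C:\Docs\report.docx", r"C:\Program Files\Office\winword.exe"),
        (r"C:\Tools\install.exe", None),
    ]
    for path, default_app in samples:
        print(path, "->", self_elevation_decision(path, default_app))
```
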

Options

Display a message box requiring a reason for Self-Elevation from the user - Select if you want a message to display so the user has to enter a reason for the self-elevation request.

The message can be configured in Configuration Message Settings > Privilege Management.

Update File Associations

Open the Application Control Configuration and select Configuration Settings > Privilege Management.

Update the list of extensions and associated applications using the right-click Add, Edit, and Remove options. Any file extension can be added.

The following extensions are included by default:

File Extension    Associated Application
EXE
BAT
CMD
VBS               wscript.exe
WSF               wscript.exe
VBE               wscript.exe
MSI               msiexec.exe
MSP               msiexec.exe
PS1               powershell.exe
MSC               mmc.exe
REG               regedit.exe

Related Topics

Privilege Management

Rule Set Privileges Management

Application Control Configuration Settings

Configuration Settings Executable Control

Configuration Message Settings

Rule Collections

Rule Sets

