Security Controls

Rule Set Privileges Management

In this section:

Applications

Components

Self-Elevation

System Controls

Applications

To disable an item, highlight the item, right-click and select Change State. This toggles between disable and enable. This can be useful when needing to trouble shoot with Support.

Components

Add Component Displays the Select Components dialog.

Filter the view by supported operating system and select the name of the control panel and management snap-in component(s) you want to add to the rule.

Self-Elevation

Enable Self-Elevation - Select to enable self elevation and apply the required setting:

Only apply Self-Elevation to items in the list below

Apply Self-Elevation to all items except those in the list below

Options - Displays the Self-Elevation Options dialog.

Self-Elevation Options

Option Description
Make Item(s) Allowed Make the rule items allowed and overwrite any associated allowed items.
Allow items to run even if it is not owned by a trusted owner
  • This option is available when Make item(s) Allowed is selected. When selected, all the rule items listed are executed regardless of the owner.

  • Apply to child processes By default, the Self-Elevation Policy applied to rule items is not inherited by child processes. Select this option to apply the policy to the direct children of the parent process.
    Apply to common dialogs Elevate access to the Open File and Save File Windows menu options when a file or folder has been elevated. By default, any common dialogs are not elevated.
    Install as trusted owner Make the local administrator the owner of all files created by the defined application. This option is not applied to regular applications, only installer packages.
    Hide the 'Run as Administrator' Windows options for Self-Elevated items Hide the Run as Administrator option from the Windows shortcut menu.

    System Controls

    Use System Controls to control the ability to perform any of the following actions. Controls can be applied to elevate or restrict access to the specified item.

    Uninstall Control Item: Use this option to allow or restrict installed applications from being uninstalled when the rule conditions have been matched. Uninstall Control Items are configured by defining which applications are controlled. Further validation can be applied to target a named publisher and specific application versions. To allow or restrict all applications from a publisher, enter a * in the Application field combined with the publisher name.

    Service Control Item: Use this option to select which services can be modified, stopped, started and restarted when the Rule conditions have been matched.

    The Agent Service is the only service that cannot be restarted once stopped.

    Service Control Items are configured by specifying the display name and/or the internal name. The service display name may differ between different localized Operating Systems, whereas the internal name will remain the same. Therefore, if this configuration will be used across different locales, it is recommended only the internal name is used.

    Event Log Control Item: Use this option to select which event logs can or cannot be cleared when the Rule conditions have been matched. Event log control items are configured by selecting the name of the log or logs to be controlled.

    Process Termination Control Item: Use this option to protect processes, such as anti virus software, from termination by all users, including administrators. Users can still stop processes gracefully, for example, by clicking close in an application UI, but they cannot forcibly terminate a process, such as ending a task from the Details tab in Task Manager. An individual file can be specified or all processes in a particular folder can be targeted.

    Optionally, add Metadata to include additional criteria for matching files and folders.

    Related Topics

    Privilege Management

    Configuration Settings Privilege Management


    Was this article useful?