Security Controls Evaluation Guide

Home 

Applications

Overview

An administrator can use Privilege Management to elevate a standard user to have administrative privileges for specific applications. This useful if a user requires admin rights to only a few applications and not for everything in order to carry out their role.

Privilege Management can also be used to restrict permissions, for example by allowing a user to have administrative privileges they are granted access to all files, including important system files, and the ability to, for example, delete or rename them. These actions can compromise a system.

Try it yourself

In this example we are going to give the everyone group elevated rights to the CCleaner application because full functionality is required for everyone's role.

1.In the Application Control Configuration Editor navigate to Rule Sets > Group > Everyone > Privilege Management.

2.Right-click and select Application > File.

The Add a File for User Privilege Management displays.

3.Enter CCleaner.exe for the File.

You will need to select Make file an Allowed Item and Allow file to run even if it not owned by a trusted owner if any users are not on the trusted owners list as Trusted Ownership is a higher priority in the rule processing order, see Creating an AC Configuration for more details.

4.In the Policy section, ensure Builtin Elevate is selected.

5.Click Add, the item displays in the Applications list.

6.Save and deploy the configuration.

Test it

1.Download CCleaner.exe.

2.Attempt to install CCleaner.exe, it should install without any need to be an administrator.

Your next step

Components

Self Elevation

System Controls

Why use Privilege Management?


Was this article useful?