AppSense Limited, 2011 All rights reserved. No part of this document may be produced in any form (including photocopying or storing it in any medium) for any purposes without the written permission of AppSense Limited, except in accordance with applicable law. Furthermore, no part of this document may be sold, licensed or distributed. The doing of an unauthorized act in relation to a copyright work may result in both a civil claim for damages and criminal prosecution. The information contained in this document is believed to be accurate at the time of printing and may be subject to change without notice. Any reference to a manufacturer or product does not constitute an endorsement of, or representation or warranty (whether express, implied or statutory) in respect of, the manufacturer or product or the use of the product with any AppSense software. This document does not grant any right or license to you in respect of any patents, patent applications, trademarks, copyrights, or other intellectual property rights in or relating to the subject matter of this document. Where relevant, any AppSense software provided pursuant to or otherwise related to this document shall only be licensed to you on and subject to the end user license agreement which shall be displayed and which you shall be required to accept prior to accessing or using the software. AppSense is a registered trademark of AppSense Holdings Limited or its affiliated companies in the United Kingdom, the United States and/or other countries, Microsoft, Windows and SQL Server are all registered trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual products and companies mentioned in this document may be the trademarks of their respective owners. Patents AppSense Performance Manager includes patented technology. All rights reserved.
CONTENTS
Welcome
About this Document Terms and Conventions Feedback
Section 1
Section 2
General Features
Trusted Owners Whitelists Extension Filtering Options Application Termination Application Termination Options Customize Application Termination Message Message Settings Access Denied Application Limits Exceeded Time Limits Self-Authorization Network Connections Archiving Archiving Settings Global Properties File Options Folders
Section 3
Security Methods
Introduction Method 1 - Trusted Ownership Application Manager and Trusted Ownership Trusted Ownership Rule Method 2 - Digital Signatures Signature Wizard Method 3 - Trusted Vendors Certificate Verification Advanced Options Method 4 - Whitelist vs. Blacklist vs. Trusted Ownership Whitelist Model Blacklist Model Application Manager and Whitelists Access Times Application Limits Security Method Recommendation
Section 4
Configuration
Configuration Files Default Configuration Protection Default Settings Configuration Elements Rule Matching Customize a Configuration Define Users Specify Group and User Rule Items Specify Device, Custom, Scripted, and Process Rules Example Configuration Procedures Configuration Profiler
Section 5
Section 6
Section 7
Endpoint Analysis
Endpoint Analysis Overview Endpoint Analysis Scans Endpoint Scan Application Usage Scan Order of Scans Working with Endpoint Analysis Adding Files to a Configuration
Section 8
Auditing
Overview Logging Windows Application Event Log AppSense Event Log Anonymous Logging Local Log File Local Event Filter Event Filtering
Section 9
Rules Analyzer
About Rules Analyzer The Console Working with Rules Analyzer Log Files
Section 10
Scripting
Overview Sample Scripting Reference Loading and Saving Configurations Default Rules Group Rules User Rules Device Rules Custom Rules Scripted Rules Process Rules Rule List Items Configure Properties Network Connections User Rights Management (URM) Object Types Configuration Object Configuration Helper Object
Section 11
Licensing
Licensing About License Manager Managing Licenses
WELCOME
In this Section:
About this Document on page ix Terms and Conventions on page x Feedback on page x
Document Information
Document Version: AM Product 8.2 (2011/04/01)
TERMS AND CONVENTIONS

- Code
- Italic
- Green + underlined
- >
- Tip: Offers additional techniques and help for users, to demonstrate the advantages and capabilities of the product.
- Caution/Warning: Provides critical information relating to specific tasks or indicates important considerations or risks.
- Further Information: Provides links to further information which include more detail about the topic, either in the current document or related sources.
FEEDBACK
The AppSense Documentation team aims to provide accurate and high quality documentation to assist you in the installation, configuration and ongoing operation of AppSense products. We are constantly striving to improve the documentation content and value any contribution you wish to make based on your experiences with AppSense products. Please send any comments to the following email address: documentation.feedback@appsense.com

Thanks in advance,
The AppSense Documentation team
In this Section:
About Application Manager on page 1 Key Benefits on page 2 Feature Summary on page 2 Architecture on page 6
Control Panel applets. User Rights Management enables users with no administrative privileges to have elevated rights for specified applications. Similarly it can restrict access to specified applications for users that do have administrative rights. Application Manager is part of a closely integrated system of management components and can be centrally configured and deployed to desktops, servers and Terminal Servers throughout the enterprise using the AppSense Management Center.
For more information on the Management Center see the AppSense Management Center Help and the AppSense Management Center Product Guide.
KEY BENEFITS
There are several key benefits to using Application Manager.
- Protects against malicious code.
- Controls role-based application usage.
- Elevates and reduces user rights for applications, Control Panel components and Management Snapins.
- Terminates applications based on trigger points.
- Allows child applications to run from authorized applications.
- Contains out-of-the-box protection against all unauthorized application usage.
- Stops unauthorized device license usage.
- Applies time restrictions on when applications can or cannot be run.
- Manages control of network access from within applications.
- Manages control of network access based on location.
- License management.
- Maintains the environment in the desired state.
- Increased visibility into the application landscape.
- Enforces licensing and ensures compliance.
- Reduces support calls.
- User acceptance.
FEATURE SUMMARY
Application Manager provides the following key features for application control:

User Rights Management

User Rights Management allows you to create reusable User Rights policies which can be associated with any rules and can elevate or restrict access to files, folders, drives, signatures, application groups, and Control Panel components. A more granular level of control allows you to assign specific privileges for debugging or installing software. User Rights Management contains four primary functions:

- Elevating user rights for applications
- Elevating user rights for Control Panel components and Management Snapins
- Reducing user rights for applications
- Reducing user rights for Control Panel components and Management Snapins
For more information see User Rights Management on page 77.
Trusted Ownership

By default, only application files owned by an administrator or the local system are allowed to execute. Trusted Ownership is determined by reading the NTFS permissions of each file which attempts to run. Application Manager automatically blocks any file where ownership cannot be established, such as files located on non-NTFS drives, removable storage devices, or network locations. These files can optionally be allowed to run either by specifying them as Accessible Items or by configuring a Self-Authorizing User rule. The Trusted Owner list can be configured to suit each environment.
For more information see Security Methods on page 41.
Rules: User, Group, Device, Custom, Scripted and Process

Extend application accessibility by applying rules based on username, group membership, computer, connecting device, scripts and parent processes, or combinations of these. Accessible Items, Prohibited Items, Trusted Vendors and User Rights Management can be specified in each rule, and are applied to a user session based on the environment in which the user operates.

Scripted Rules

Scripted Rules allow administrators to apply Accessible Items, Prohibited Items, Trusted Vendors and User Rights Management policies based on the outcome of a VBScript. The VBScript can be run for each individual user session or run once per computer.

Process Rules

Process Rules apply to parent processes to manage access to child processes to the level required. Process Rules include Accessible Items, Prohibited Items, Trusted Vendors and User Rights Management.

Trusted Vendors

Allow authentic applications to run which carry certificates from trusted sources, and which would otherwise be prohibited by Trusted Ownership checking. Define a list of Trusted Vendor certificates for each User, Group, Device, Custom, Scripted, and Process rule in the configuration.
Application Termination

Application Manager provides the ability to shut down an application, complete with various shutdown options, based on trigger points such as a change to an IP address, a connecting device, or the application access entitlement configuration.
For more information see General Features on page 13.
Network Connections

Block access to certain applications via IP address, UNC path or host name. Application Manager has the ability to manage access based on the location of the requester, for example whether they are connecting via VPN or directly to the network.
For more information see Application Network Access Control on page 115.
Digital Signatures

SHA-1 signature checks may be applied to any number of application control rules, providing enhanced security where NTFS permissions are weak or non-existent, or for applications on non-NTFS formatted drives. A digital signature wizard allows easy creation and maintenance of large digital signature lists.
For more information see Security Methods on page 41.
Endpoint Analysis

Allows an administrator to browse to any endpoint and retrieve a list of applications that have been installed on that device. Application Manager records which applications are started and by whom. The recording of data is started and stopped by the administrator. Organize the files into authorized and unauthorized groups to quickly create a policy. The configurations can be deployed to a user, a group of users, a machine, or a group of machines. Endpoint Analysis is on demand and inactive by default.
For more information see Endpoint Analysis on page 128.
Offline Entitlement

Users are increasingly mobile. Thus, it is important that entitlement rules are enforced when the user is not connected to the corporate network. Application Manager ensures users only access the applications and resources they have permission to when offline by using entitlement rules on the endpoint device.

Passive Monitoring

Application Manager can monitor application usage without preventing users from running applications. Passive monitoring can be enabled or disabled on a per-user, per-device or per-group basis and provides a tool to track user behavior prior to full implementation or to understand application usage for software license management.

Self-Authorizing Users

Provides the option for users to execute applications that they have introduced into the system. Applications can be added to a secure machine whilst outside of the office without relying on IT support. A comprehensive audit can detail information such as application name, time and date of execution and device. Additionally, a copy of the application can be taken and stored centrally for examination.

Application Limits and Time Restrictions

Apply a policy to control the number of application instances a user can run, along with at what times it can run. A policy can be created to control or enforce licensing models by controlling application limits on a per device basis.

AppSense Configuration Templates

AppSense provides a number of best practice configuration templates that can be imported into Application Manager. Application Manager can import a number of configuration files and use these in combination.

Auditing

Events are raised by Application Manager according to the default Event Filtering configuration and audited directly to a local log file or the Windows Event Log. Alternatively, events can be forwarded to the AppSense Management Center via the Client Communications Agent (CCA).
The Application Manager audit event reports available in the Management Center can also be used to provide details of current application usage across the enterprise.
For more information see Auditing on page 139.
Windows Scripting Host Validation

The default configuration in Application Manager validates all Windows Scripting Host (WSH) scripts, such as VBS, against the configuration rules. This ensures that users can only invoke authorized scripts, eliminating the risk of introducing WSH scripts that contain viruses or malicious code. The validation settings can be disabled in the console, along with validation of .bat files, self-extracting files, registry files, and Windows Installer (MSI) files.
Functionality Cut-Off Settings

Enable and disable certain features in Application Manager either if not in use or when troubleshooting issues in your configurations. The functionality which you can manage in this way includes:

- Application Access Control
- Application Network Access Control
- User Rights Management
For more information see General Features on page 13.
ARCHITECTURE
This section provides details on the architecture of Application Manager.
Console
The Application Manager console launches when the link is selected in the Start > All Programs > AppSense menu. The console enables you to create, view, edit and save configurations for Application Manager. The console includes the Configuration Profiler which you can use to review the probable effect of the configuration on users. The Rules Analyzer function allows you to record the actual effect of the configuration on users on an endpoint which has the Application Manager agent installed and running. The Endpoint Analysis tool allows you to record application usage, and to catalog installed application usage on an endpoint that has the Application Manager agent installed.
Console Installer

The console installer is an MSI package that contains all the files needed to install the console on a computer. Both 32-bit and 64-bit installers are provided.
Software Agent
Application Manager is installed and run on endpoints using a lightweight agent. The agent is installed directly onto the local computer. Both agents and configurations are constructed as Windows Installer MSI packages and so can be distributed using any third party deployment system which supports the MSI format. The installers are delivered in separate 32-bit and 64-bit Microsoft Installer (MSI) packages. For Application Manager to function, the agent must be installed on the client machine together with an associated configuration. The installation may be performed manually or by means of a deployment system such as the AppSense Management Center. Since agents and configurations are installed and stored locally on the endpoint, they continue to operate when the endpoint is disconnected or offline.

The Application Manager agent installs a Windows Service (the AppSense Application Manager Service), a filter driver, and a hook. The hook sits above the driver and intercepts all executables. Unlike the driver, it does not intercept DLLs. If an executable is not intercepted by the hook it is intercepted by the driver. The driver intercepts execution requests made within the operating system that pass from the I/O Manager to the drive and device subsystems, for example NTFS.SYS or the LanMan Redirector for Microsoft Networking Services. The driver does not intercept ordinary file access such as the opening of a document or text file.
Every create process request is first intercepted by the hook. The hook passes the request to the Application Manager Agent Service for validation against the configuration settings, which returns an execution granted or denied response; the response is handled by the hook or the driver, depending on which sent the request. If the response is granted, the request is passed on to the relevant file system driver to continue loading the application from disk. In the case of a denied executable or script, the agent replaces the original path with Application Manager's customizable message box (AMMessage). This effectively blocks access to the originally requested executable and instead displays a message to the user. When a DLL is blocked, no Application Manager message is displayed; the default operating system message is displayed instead.

Agent Service

The Application Manager Agent Service runs as a SYSTEM service on each computer that is to be controlled using the Application Manager component. The agent provides the intelligence for dealing with the execution requests passed from the Application Manager kernel level driver and the hook. Each and every execution request is validated against the configuration settings that are held on each local machine containing the Application Manager agent software. Along with the details of the application request, the agent service checks who the user is and which computer the request originates from, so that this can be processed at the same time to enable user, group, client and custom rules to function as expected. The configuration is stored in a local configuration file for performance and control reasons. This means that all requests can be turned around in minimum time and, perhaps more importantly, without the need for a network link to a central server, ensuring that unconnected machines, such as laptops, remain secured even when not physically connected to the Local Area Network.

Agent Assist

Agent Assist provides support for the agent. Instances of Agent Assist are started on demand by the agent and run using the SYSTEM account. Each Agent Assist is specific to a user session. If Agent Assist is initiated, no more than one instance runs in a session. Once started, Agent Assist typically remains running until the session logs off or the agent is stopped. Agent Assist does the following:
- Enforces time limits on applications.
- Prompts Self-Authorizing Users to confirm whether to allow prohibited DLLs (applications are handled by Agent Assist).
- Performs auditing for events 9006, 9007 and 9017:
  - 9006 - Self-authorization decision by user.
  - 9007 - Self-authorized execution request.
  - 9017 - An application has been terminated by Application Manager.
On 64-bit systems, Agent Assist can start the 32-bit DLL component which installs the 32-bit Application Hook into 32-bit applications running in the same user session.
DLL Injection Assist

DLL Injection Assist is a 32-bit component which is only installed on 64-bit systems. It is used solely by Agent Assist to install the 32-bit application hook into 32-bit applications running in the same user session.

Filter Drivers

The agent intercepts, then validates all application execution requests against the configuration. It then either grants or denies access to the executable content. The agent also triggers auditing events which are collected by the AppSense Client Communications Agent.
For more information on the Client Communications Agent see the AppSense Management Center Product Guide.
The driver only intercepts execution requests placed against the Operating System, since it is connected between the I/O Manager (in the Executive Services) and the actual device drivers for the file systems themselves (for example, NTFS.SYS, CDROM.SYS, or the LanMan Redirector for Microsoft Networking Services). The driver does not intercept ordinary file access such as the opening of a text file, document or presentation. Every intercepted request is subsequently passed on to the Application Manager Agent Service for validation against the current configuration. The agent service returns an allowed or denied response which is dealt with by the filter driver. If the response is allowed, the request is passed on to the relevant file system driver to continue loading the application from disk. If the request is denied, the filter driver replaces the request with Application Manager's error handling system, which is responsible for displaying a fully customized message box to the end user. This error handling effectively blocks access to the requested executable code by advising the originating process that all is successful, and the AppSense customized message box is displayed in place of the expected executable code. This prevents the Operating System from displaying a "File not Found" or "Access Denied" message.

The driver is a lightweight driver which filters file system requests for files, but not folders, carrying Execute, Overwrite and Rename permission requests. The driver sends requests to the Application Manager agent for authorization. Depending on the response from the agent, the driver allows, redirects, or denies the request.
The driver only redirects as a fallback, if the request is missed by the hook.
When it redirects, the driver redirects to one of the Message Box applications. The filter driver can dynamically start but cannot be stopped without a reboot. This can be found in %systemdrive%\Program Files\ApplicationManager\Agent\AmFilterInstall and is called AMFilterDriver.sys.
Mini Filter Driver

The mini filter driver is a lightweight driver which filters file system requests for both files and folders on UNC paths, but not for local drives. The driver sends requests to the agent for authorization. Depending on the response from the agent, the driver allows or denies the request. The driver can be found in %systemdrive%\Program Files\ApplicationManager\Agent\AmMiniFilterInstall and is called AMMiniFilterDriver.sys. The mini filter driver can be dynamically started and stopped.

Application Hook

This is a DLL which is loaded into every user process. The Application Hook sends create process and network requests to the agent for authorization. In the event of a blocked executable, the original request is replaced with a request for AMMessage. In the event of a blocked network request, access to the network resource is denied. If any token modification is required as part of User Rights Management, an appropriate request is sent to the agent. The agent sends back a modified token which is used to launch the requested process. Where Application Network Access Control (ANAC) is concerned, because network requests are frequent, the results provided by the agent are cached in the memory of the application. This is essential to avoid a dramatic performance degradation of network traffic.
For more information on ANAC see Application Network Access Control on page 115.
Configuration
AppSense Application Manager configuration files (.aamp files) contain the rule settings for securing your system. The agent checks the configuration rules to determine the action to take when intercepting file execution requests. Configurations are stored locally in the All Users profile and are protected by NTFS security. In standalone mode, configuration changes are written directly to the file system from the Application Manager console. In Enterprise mode, configurations are stored in the AppSense Management Center database, and distributed in MSI format using the AppSense Management Center console.
For more information on the Management Center see the AppSense Management Center Help and the AppSense Management Center Product Guide.
Configurations can also be exported and imported to and from MSI file format using the Application Manager console. This is useful for creating templates or distributing configurations using third party deployment systems.
After creating or modifying a configuration you must save it (and deploy it if necessary) to ensure that the changes take effect.
General Features
In this Section:
Trusted Owners on page 14 Extension Filtering on page 17 Options on page 19 Application Termination on page 21 Message Settings on page 26 Archiving on page 36
TRUSTED OWNERS
During the rule matching process, Trusted Ownership checking is performed on files, folders and drives to ensure that the ownership of the items is matched with the list of Trusted Owners specified in the default configuration. For example, if a match is made between the file you want to run and an Accessible Item, an additional security check ensures that the file ownership is also matched with the Trusted Owners list. If a genuine file has been tampered with, or if a file which contains a security threat has been renamed to resemble an accessible file, Trusted Ownership checking identifies the irregularity and prevents the file execution. Trusted Ownership checking is not necessary for items with digital signatures as these cannot be imitated. The list of Trusted Owners is maintained in the Trusted Owners dialog box available from the General Features ribbon page > Default Restrictions group.
Application Manager trusts all local administrators and system owned applications by default. You can extend this list to include other users or groups. The Enable Trusted Ownership checking option within the dialog box is selected by default, thus enabling Trusted Ownership from the outset.
When the Change a file's ownership when it is overwritten or renamed option is selected, Application Manager selectively changes the NTFS file ownership of executable files when they are overwritten or renamed. If a user who is not a Trusted Owner attempts to overwrite a file which is accessible due to Trusted Ownership or an Accessible Item rule, it could constitute a security threat if the file contents have changed. Application Manager changes the ownership of an overwritten file to the user performing the action, making the file un-trusted and ensuring the system remains secure. Likewise, attempts to rename a prohibited file to the name of an Accessible Item could constitute a security threat. Application Manager also changes the ownership of these files to the user who performs the rename action and ensures the file remains un-trusted.
Overwrite and rename actions are both audited. For more information on auditing see Auditing on page 139.
To ignore Trusted Ownership for individual files, deselect the Trusted Ownership option for an Accessible Item.
If you choose to ignore Trusted Ownership it is recommended to assign Self-Authorization status to allow the user to decide whether or not to allow a file to run.
Set the Self-Authorizing level for a Group, User, Device, Custom, Scripted, or Process rule.
Whitelists
You can use a whitelist approach where nothing is allowed to run by default, other than the executables contained in the whitelist. Deselect the Make local drive accessible by default option in the Options dialog box available from the General Features ribbon page > Default Restrictions group.
If you do use the whitelist approach, ensure that you allow important system files to run, by adding all of the relevant files or folders to the Accessible Items for the Everyone group. Otherwise, many crucial executable files and .dll files, such as those stored in the system32 directory, can be prevented from running and adversely affect core system functions.
For more information on Trusted Ownership, Whitelist methods and security see Security Methods on page 41.
EXTENSION FILTERING
The Extension Filtering feature is used to determine if the configuration should check certain file types or if it should ignore certain file types. This feature is disabled by default. The Extension Filtering dialog box is available from the General Features ribbon page > Default Restrictions group.
For example, to only check .exe files and .vbs files, select the Enable extension filtering and Only check files with extensions in the list below options. Use the Add button to add the file extensions. Once the configuration is saved, the Application Manager agent only checks the files with the specified extensions against the rules when execution requests occur against the computer that the configuration is deployed to. Use the Exclude files with extensions in the list below option to not check files with particular extensions, for example, to not check any .dll files. The default configuration within Application Manager does not have any extension filtering configured. Therefore, all executable code, irrespective of its file extension, is checked. This is the most secure option since nothing can get past the agent unless it has been expressly configured in the remainder of the rules.
OPTIONS
Various options for Application Manager are provided in the Options dialog box available from the General Features ribbon page > Default Restrictions group.
These options provide general Application Manager settings to apply to all application and process requests. Options are also available for enabling and disabling functionality. For example, you can run Application Manager using User Rights Management functionality only.
By default, all functionality options are enabled.
The following table describes each option in the Options dialog box and identifies whether the feature is selected by default.
General Features

- Make local drives accessible by default: Select this option to make Application Manager configurations blacklists. Everything on the local drive is allowed unless it is specified in the Prohibited Items list, or it fails Trusted Ownership. Deselect this option to make the configuration a whitelist. Everything on the local drive is blocked unless it is specified in the Accessible Items list. Note: A whitelist configuration is the most secure. However, this type of configuration is time consuming to configure and can affect endpoint stability, as all unspecified applications are blocked.
- Allow cmd.exe for batch files: It is expected that cmd.exe is prohibited by administrators. This option allows cmd.exe to run provided it is executing an allowed batch file with the /c command line switch. This switch ensures that the cmd.exe application is shut down after completing the batch file run.
- During logon the computer may execute a number of essential applications. Blocking these can cause the computer to function incorrectly, or not at all. Hence, this option is selected by default.
- Extract self-extracting ZIP files: A self-extracting ZIP file is an executable, with a .exe extension, that contains a number of compressed files and a small application to extract them. Self-extracting ZIP files are often used as an alternative to distributing and installing an application by an MSI file, as typically the executable is smaller in size. This option allows the compressed file contents to be decompressed and extracted to disk, even if the parent file would normally be prohibited, so that the contents of the file can be accessed. Once the contents have been extracted, any executable content it contains is still subject to the normal Trusted Ownership checks and is prevented from executing if the user is not a Trusted Owner. This is useful for scenarios where the self-extracting ZIP file may contain non-executable content such as a document that the user requires. If this option is deselected, the self-extracting ZIP file is treated as a standard executable and can be prevented from executing (and hence from extracting its contents) subject to the normal rule processing.
- By default, all applications which run during Active Setup are subject to the Application Manager rules. Select this option to make these applications exempt from rules checks during the Active Setup phase.

Validation

- Validate System processes: Select this option to validate any files executed by the system user. Note that it is not recommended to select this option, as it increases the amount of validation occurring on the endpoint computer and can block crucial applications from running. Selecting this option means all executables launched by the system are subject to rule validation.
- Selecting this option specifies that the command line contents of scripts run using wscript or cscript are subject to rule validation. Note: Scripts can introduce viruses and malicious code. It is recommended to validate WSH scripts.

Functionality (all enabled by default)

- Enable Application Access Control: Select to enable Application Access Control. Deselect to not validate or block executables.
- Enable Application Network Access Control: Select to enable the Application Network Access Control feature. Deselect to not validate or block outbound network connections.
- Enable User Rights Management: Select to enable the User Rights Management feature. Deselect to not apply any User Rights policies.
APPLICATION TERMINATION
Application Termination allows you to control the triggers, behavior and warning messages for terminating applications on managed computers. You can terminate applications gracefully, allowing the user to save work before closing, or force a termination. Notification messages for each type of trigger can be edited individually. Three triggers cover the scenarios in which this action might be necessary.
The triggers for terminating an application include when a new configuration is applied, when the IP address of the computer changes, or when the connecting device changes.
When a trigger is activated, processes are evaluated against the rules to determine if an application requires terminating. Rules with Self-Authorizing and Audit Only security levels are not evaluated because Self-Authorizing rules allow user discretion over application control and Audit Only rules do not apply Application Manager control. Application Termination is available from the General Features ribbon page > Default Restrictions group. This feature is disabled by default. Select the Enable Application Termination option in the Application Termination dialog box to enable this feature.
Figure 2.8
Configuration applied - Terminate the application according to the configuration that is applied.
Computer IP address changed - Terminate the application when the IP address has changed, for example, when moving between secure and insecure environments.
Connecting device changed - Terminate the application when the connecting device has changed, for example, changing between a laptop and a desktop in the same session.
Display an initial warning message - Specifies to display an initial warning message. The message can be customized on the Configuration Applied Message, IP Address Changed Message and Connecting Device Changed Message tabs. Use in conjunction with the Close the application and Terminate the application options. If you do not use this in conjunction with these options, only a message is displayed and the application does not close.
Close the application - Closes the application, allowing the user to save their work. Select along with the Display an initial warning message option.
Terminate the application - Terminates the application without allowing the user to save their work. Whether or not Display an initial warning message is selected, the application terminates regardless.
Wait ... seconds between options - Specify the time period, in seconds, between actions, and between closing and terminating. The maximum is 9999 seconds.
You can audit Application Termination. The auditing event is 9017. See Auditing on page 139 for more information.
Caption - The text to display at the top of the warning and termination messages. For example, you can change the default caption, Application Manager, so that the user is not aware that Application Manager has intervened.
Message body - The text to display in the body of the message.
Environment variables are supported for both the caption and the message. In addition to system environment variables, %ExecutableName%, %DirectoryName% and %FullPathName% are supported for each file.
Click here to see how the message will appear to users - Displays the message with the caption and body specified in the above options.
The message caption must not be empty, must be a single line, and can contain up to 100 characters.
The message body must not be empty, can contain zero or more line breaks, and can contain up to 1000 characters.
MESSAGE SETTINGS
The Message Settings dialog box is used to configure the information displayed in messaging that occurs when a particular user attempts to launch an application in violation of the defined configuration. You can specify messages for when access is denied, application limits are exceeded, for self-authorization, and for blocked network connections. Time limits and application behavior, for example, terminating the application, can be specified with warning and denied messages. The Message Settings dialog box is available from the General Features ribbon page > Properties group.
Access Denied
Access to applications can be denied for a user. For example, all applications defined in the Prohibited Items list within the configuration can be denied. Prohibited Items are specified in the Group, User, Device, Custom, Scripted, and Process rules.
The Caption, Message body, environment variable and preview options are the same as for the Application Termination messages described above.
Time limits and application behavior, for example terminating the application, can be specified with warning messages for Time Limits and Application Limits Exceeded. See Time Limits on page 30 for more information.

Application Limits Exceeded

Access to an application can be denied when the configured Application Limits (the number of instances of the application that can run at one time) are exceeded. The Caption, Message body, environment variable and preview options are the same as for the Application Termination messages described above. Time limits and application behavior, for example terminating the application, can also be specified with warning messages for Access Denied and Time Limits. See Time Limits on page 30 for more information.
Time Limits
Access time limits to applications can be specified in Application Manager. For example, certain applications can only be allowed to run between 9 am and 5 pm, Monday to Friday. There are two messages that can be displayed. One to inform the user if they are attempting to run the application outside of those hours. Another to inform the user if the time period has expired whilst the application is still running. You can specify whether the user is allowed to save their work before closing the application, or to just close the application upon the warning.
For more information on access times for an application see Access Times on page 52.
As with the Application Termination feature, you can specify how the application closes, using the following options:
Display an initial warning message - Specifies to display an initial warning message. Use in conjunction with the Close the application and Terminate the application options. If you do not use this in conjunction with these options, only a message is displayed and the application does not close.
Close the application - Closes the application, allowing the user to save their work. Select along with the Display an initial warning message option.
Terminate the application - Terminates the application without allowing the user to save their work. Whether or not Display an initial warning message is selected, the application terminates regardless.
Wait ... seconds between options - Specify the time period, in seconds, between actions, and between closing and terminating. The maximum is 120 seconds.
As previously mentioned you can configure two messages. The Warning Message is for when an application is continuing to run outside of the specified access times, for example, if a user is working later.
Figure 2.17 Example Warning Message for an Application Running outside of Specified Time
The Denied Message is for when a user attempts to run an application outside of the specified time.
Figure 2.18 Example Warning for Attempts to Run an Application outside of Specified Time
Self-Authorization
Self-authorization is a security level within Application Manager. Certain applications can require self-authorization by a user before they are allowed to run. You can specify the message displayed when a user runs an application. The caption and body can be defined for the initial message and the response.
For more information on security levels, see the description of the four security levels that can be assigned to group rules on page 62.
The Caption, Message body, environment variable and preview options for the initial message and the response are the same as for the Application Termination messages described above.
Figure 2.21
Network Connections
Application Network Access Control can be used to block network connections. All Network Connection Items within Prohibited Items for a Group, User, Custom, Scripted, and Process rule can be prohibited, and therefore, blocked. You can choose to display a message when a connection is blocked, or you can choose not to. The default setting is to display a message. You can also specify how often to display a message, and the caption and body for the message.
For more information on network access see Application Network Access Control on page 115.
Display a message box for blocked network connections - Displays a message box for all blocked network connections. This option is enabled by default.
Display a warning on every connection attempt - Displays a warning message every time a connection is attempted.
Display a warning message once - Displays a message only on the first attempt per application within the same session.
Wait ... seconds between messages - Specifies the number of seconds to wait before a new message is issued. Only one message displays per application within the specified period. No message displays for any subsequent attempts within the same period.
Caption - The text to display at the top of the warning and termination messages. For example, you can change the default caption, Application Manager, so that the user is not aware that Application Manager has intervened.
Message body - The text to display in the body of the message.
Click here to see how the message will appear to users - Displays the message with the caption and body specified in the above options.
ARCHIVING
Archiving allows you to copy any denied executables into a secure folder. When a user attempts to run an unauthorized executable, or an executable specified in the Prohibited Items list, Application Manager can take a copy of each application that attempted to execute and place it in a secured file system or archive. An administrator can use this to inspect the kinds of executable content that Application Manager has blocked, because a complete copy is taken. It is often found that blocked applications are files with false names such as winword.exe. The name alone does not tell the administrator a great deal, as these are typically other executables that have simply been renamed in an attempt by the user to get the application to run on the computer. With a copy of each executable, the administrator can accurately assess each application and what impact it would have had on the enterprise had it been allowed to run.
Archived executables should be examined in an isolated environment (for example, a sandboxed analysis machine) so as to minimize the threat from viruses and malware, and the archive location itself should be protected so that users cannot read or execute what it contains.
Archiving is disabled by default. You can enable archiving in the Archiving Settings dialog box available from the General Features ribbon page > Properties group.
Archiving Settings
Use archiving - Enables the Archiving feature. This option is disabled by default.
Global Properties
The following are the global properties for archiving:
Do not archive administrator owned files - Select to not take an archive of applications owned (in NTFS) by the administrator. An example is when a user tries to execute regedit.exe and is blocked by the Application Manager agent; it is unlikely you would require an archive of this file. It is useful, however, to archive the case where the user attempts to execute their own copy of regedit.exe, to determine what the application really is and what effect it could have on the enterprise if it were to execute.
Do not archive if the file already exists - Select to not take an archive of an unauthorized executable if a copy of the file already exists; the Application Manager agent does not copy it again. This saves space, but it may result in inaccurate archiving, as only one copy of an executable with a given name is ever retained: a later, different file with the same name is not captured.
Enable anonymous archiving - Some locations have restriction laws in place forbidding administrators from recording which user attempted to execute unauthorized applications. Select this option to prevent the Application Manager agent from using any %username% file paths. The agent removes the percentage signs (%), leaving simply username. An example is an application executed from a home directory that has the username as the folder name: Application Manager replaces the username with the text, username, so as to protect the user's identity in accordance with the local restriction laws.
Maximum archive size for all users combined - The maximum size, in MB, that Application Manager allows the archive to reach, for all users combined, before it stops archiving.
Maximum archive size per-user - The maximum size, in MB, that a single user's archive is allowed to reach before it stops archiving. For example, if an archive path is specified as C:\archive\%username%, every user on the computer has a separate archive under the C:\archive directory, and it is this user archive that is subject to the per-user limit.
File Options
The second tab in the Archiving Settings dialog box is the File Options tab.
Only archive files smaller than - Specifies the maximum file size to archive. By selecting this option and entering a file size, you ensure that large executables are not copied to the archive. For example, a user may attempt to execute a service pack or a similarly large file, which you typically would not want to copy over the network into an archive.
When a user's archive is full allow the oldest files to be overwritten - Instead of simply stopping archiving when either the total or the per-user limit is reached, select this option to overwrite the oldest files. This ensures that the enterprise captures the most up-to-date information without using huge amounts of disk space for unauthorized applications.
Folders
The third tab in the Archiving Settings dialog box is the Folders tab.
Use the Folders tab to configure the location into which you want the archive files to go. The default location is to place all archived files into: %SystemDrive%\AppSenseLogs\ApplicationManager\%UserName% This has the effect of placing all archived files for a specific user in the same folder and the folder is named after the user making it easier to manage.
If anonymous archiving is enabled, the folder is named username and all archived files for all users are placed in the same folder.
Additional folders can be added to the list by using the Add Folder button. The location can be either typed in or browsed to on the local computer or local network by using the Browse button. The order of the archive list is important as Application Manager attempts to copy the file to the first relevant archive in the list. If this copy fails then it attempts to copy the file to the second archive location, and so on. If the copy succeeds, Application Manager does not use any of the remaining archives. Use the Move Up and Move Down buttons to order any new folders ensuring you have the correct default folder at the top.
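The following PowerShell script is an added example and is not part of the AppSense product or its documentation. It triages an archive of the kind described in this section: for every archived file it records a hash, the Authenticode signer (if any) and the name the file's own version resource claims for it, so that a "winword.exe" which is really a renamed game or attack tool stands out. The default archive root is the one documented above; the CSV export path and the extension-free scan are this example's assumptions. Run it on an isolated analysis host and only ever read the archived files, never execute them.

```powershell
# Added example, not part of the AppSense product or documentation.
# Triages an Application Manager archive: hash, Authenticode signer and the
# file's own VERSIONINFO name for every archived file, so renamed executables
# are visible at a glance. Requires PowerShell 4.0 or later (Get-FileHash).

function Get-ArchiveTriage {
    param(
        # Default archive root from the documentation; one %UserName% folder per user,
        # or a single "username" folder when anonymous archiving is enabled.
        [string]$ArchiveRoot = "$env:SystemDrive\AppSenseLogs\ApplicationManager"
    )
    $root = (Resolve-Path -Path $ArchiveRoot).Path.TrimEnd('\')
    Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        # Path relative to the root keeps the per-user folder visible in the report.
        $relDir = $file.DirectoryName.Substring($root.Length).TrimStart('\')
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        $ver = $file.VersionInfo
        # A renamed binary normally still carries its original name in VERSIONINFO;
        # a mismatch is the tell-tale of a user passing one program off as another.
        $renamed = [bool]$ver.OriginalFilename -and ($ver.OriginalFilename -ne $file.Name)
        [pscustomobject]@{
            User        = $relDir
            Name        = $file.Name
            SizeKB      = [math]::Round($file.Length / 1KB)
            SHA256      = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            SigStatus   = $sig.Status
            Description = $ver.FileDescription
            Company     = $ver.CompanyName
            Original    = $ver.OriginalFilename
            Renamed     = $renamed
            # CreationTime is when the copy landed in the archive; LastWriteTime is
            # carried over from the original file by the copy.
            Archived    = $file.CreationTime
        }
    }
}

# Renamed and unsigned files first; export the full table for the ticket.
$triage = Get-ArchiveTriage
$triage | Sort-Object Renamed, SigStatus -Descending |
    Format-Table User, Name, Original, Renamed, SigStatus, Company -AutoSize
$triage | Export-Csv -Path "$env:TEMP\am-archive-triage.csv" -NoTypeInformation
```

Get-AuthenticodeSignature and the version resource are read without executing the file, but both parse attacker-controlled data, which is why the script belongs on an analysis host rather than on the file server holding the archive. A file whose Original column differs from its Name, or whose Company does not match the product it is named after, is the first thing to look at.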
Security Methods
In this Section:
Introduction on page 41 Method 1 - Trusted Ownership on page 42 Method 2 - Digital Signatures on page 44 Method 3 - Trusted Vendors on page 46 Method 4 - Whitelist vs. Blacklist vs. Trusted Ownership on page 49 Security Method Recommendation on page 54
INTRODUCTION
Application Manager has a number of security methods that allow you to protect a system without complex lists and constant management: Trusted Ownership, Digital Signatures, Trusted Vendors, Whitelists and Blacklists. You can choose any one method or use a hybrid approach. The following sections describe the various methods and culminate in a recommendation.
For information on the Trusted Ownership rule see Trusted Ownership Rule on page 44.
Figure 3.1
Trusted Owners

Users and groups can be deleted or added as required. In NTFS a file may be owned by either a user or a group, and therefore both may be added. When the check for Trusted Ownership is performed, the security identifier (SID) of the file owner is determined and checked against the list of SIDs within the trusted owner configuration. Application Manager does not evaluate a group or determine the users of a group. This ensures that Application Manager continues to function correctly when machines are not connected to a network and this information is not available. There are two options within the Trusted Owners dialog box:
Enable Trusted Ownership checking - Select to switch on Trusted Ownership checking. If this is not selected, Application Manager does not perform any Trusted Ownership checking and other security methods must be configured to give the desired security.
Change a file's ownership when it is overwritten or renamed - The default for certain operating systems is to retain file ownership when a file is overwritten or renamed. This can be a security flaw: if NTFS permissions allow, a user may overwrite a legitimate (trusted-owner) file with a file that would otherwise be blocked, and the result is still owned by the trusted owner. Select this option to ensure that if a legitimate file is compromised in this way, the ownership changes to that of the user and Trusted Ownership prevents the file from being executed.

Because the owner SID is compared directly against the trusted owner list, the following cases apply:
The file owner is the group BUILTIN\Administrators and this group is a Trusted Owner. Trusted Ownership allows the file to execute.
The file owner is an individual administrator and the individual administrator is a Trusted Owner. Trusted Ownership allows the file to execute.
The file owner is an individual administrator who is not a Trusted Owner, but the BUILTIN\Administrators group is a Trusted Owner. Trusted Ownership does not allow the file to execute.
In the last case, even though the administrator who owns the file is a member of the Administrators group, the file owner is not trusted: the group is not expanded to find out whether the individual owner should be trusted. To allow the file to execute in this case, the file's ownership must be changed to BUILTIN\Administrators (or the individual account must be added to the Trusted Owners list).
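The following PowerShell script is an added example, not AppSense code: it audits which executables under a folder would pass or fail the Trusted Ownership check described above, by reading each file's owner as a SID and comparing it with the SIDs of a trusted owner list, with no group expansion, exactly as the three cases above require. The default trusted owner list, the extension list and the audited folder are assumptions for the example; substitute your own configuration.

```powershell
# Added example, not part of the AppSense product or documentation.
# Audits which files under a folder would pass or fail the documented Trusted
# Ownership check: the owner SID of each file is compared with the SIDs of the
# configured trusted owners, and group membership is never expanded.
# Requires PowerShell 3.0 or later.

function Get-TrustedOwnerSids {
    param([string[]]$Accounts)
    foreach ($acct in $Accounts) {
        try {
            $nt = New-Object System.Security.Principal.NTAccount($acct)
            $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            Write-Warning "Cannot resolve '$acct' to a SID (unknown account, or domain unreachable)"
        }
    }
}

function Test-TrustedOwnership {
    param(
        [Parameter(Mandatory)][string]$Path,
        # The default list is an assumption for this example; use your own Trusted Owners.
        [string[]]$TrustedOwners = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller'),
        # Executable and script extensions worth checking; an assumption, adjust to taste.
        [string[]]$Extensions = @('.exe', '.dll', '.bat', '.cmd', '.vbs', '.js', '.ps1')
    )
    $trustedSids = @(Get-TrustedOwnerSids -Accounts $TrustedOwners)

    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $acl = Get-Acl -Path $_.FullName
            # Read the owner as a SID, not a name: that is what the check compares, and
            # it still works when no domain controller can be reached.
            $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
            [pscustomobject]@{
                File     = $_.FullName
                Owner    = $acl.Owner            # friendly name, for the report only
                OwnerSid = $ownerSid
                # Exact SID match only. A file owned by an individual administrator is
                # untrusted unless that account itself is listed, even though the account
                # is a member of BUILTIN\Administrators (the third case above).
                Trusted  = $trustedSids -contains $ownerSid
            }
        }
}

# Everything that Trusted Ownership alone would block under the user profiles.
Test-TrustedOwnership -Path 'C:\Users' | Where-Object { -not $_.Trusted } | Format-Table -AutoSize
```

Running the audit against C:\Program Files before a rollout shows which installed software was deployed by an individual account rather than by an administrators group or an installer service, which is the usual cause of unexpected blocks. The same report also demonstrates the overwrite caveat: if a standard user overwrites a trusted-owner file in place (for example with Set-Content on a file they have write access to), the owner reported here does not change and the file stays trusted unless Change a file's ownership when it is overwritten or renamed is enabled.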
example, a service pack is applied to Microsoft Office, then for the updated parts to work, new digital hashes of the updated files must be taken. Care must be taken to ensure these are available when the update is rolled out, so that no downtime is seen. Additionally, it is recommended that the old signatures be removed, otherwise the superseded versions of the files remain allowed to run.
Signature Wizard
Application Manager has a Signature Wizard that allows you to apply digital signatures either to an individual file or a group. Digital signatures can be grouped in one of two ways, by means of scanning folders and subfolders, or by examining a running process. The Signature Wizard is available from the Groups ribbon page > Advanced group when you select a group beneath the Library > Group Management node.
The Search Folders option within the Signature Wizard scans all executable and script based files, for the selected folder, automatically and calculates the digital hashes. The Examine a running process option allows you to select a process that is currently running. The process, along with all executable files it has currently loaded, is scanned and digital hashes calculated. If a file is found for which the signature has already been calculated a notification of a duplicate is displayed. There is no need for a duplicate hash in a configuration. If the files are updated by means of, for example, a service pack, you can select the signature file group and choose to re-scan. All of the digital signatures are automatically updated and the new configuration can be deployed.
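The following PowerShell script is an added example and is not AppSense code. It reproduces the two ways the Signature Wizard gathers hashes, a scan of a folder tree and an examination of the modules loaded by a running process, computes the SHA-1 of each file (the hash the product uses, see Whitelist Model below) and reports a duplicate once rather than adding it twice. The extension list is an assumption; the process examined must be one you have the right to inspect.

```powershell
# Added example, not part of the AppSense product or documentation.
# Gathers SHA-1 "signature items" the way the Signature Wizard does: either
# every executable or script file under a folder, or a running process plus
# every module it has loaded. Duplicates (same hash, different path) are
# reported once. Requires PowerShell 3.0 or later.

function Get-FileSha1 {
    param([Parameter(Mandatory)][string]$Path)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ([System.BitConverter]::ToString($sha1.ComputeHash($stream))).Replace('-', '')
    } finally {
        $stream.Dispose()
        $sha1.Dispose()
    }
}

function Get-SignatureItems {
    [CmdletBinding(DefaultParameterSetName = 'Folder')]
    param(
        [Parameter(ParameterSetName = 'Folder', Mandatory)][string]$Folder,
        [Parameter(ParameterSetName = 'Process', Mandatory)][int]$ProcessId,
        # Executable and script extensions considered here; an assumption, adjust to taste.
        [string[]]$Extensions = @('.exe', '.dll', '.ocx', '.sys', '.cpl', '.bat', '.cmd', '.vbs', '.js', '.ps1')
    )
    $files = if ($PSCmdlet.ParameterSetName -eq 'Folder') {
        # "Search Folders": the selected folder and all subfolders.
        Get-ChildItem -Path $Folder -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $Extensions -contains $_.Extension.ToLower() } |
            Select-Object -ExpandProperty FullName
    } else {
        # "Examine a running process": the image plus every module it has loaded.
        # Reading Modules fails for protected processes or across 32/64-bit boundaries.
        $proc = Get-Process -Id $ProcessId
        @($proc.Path) + @($proc.Modules | ForEach-Object { $_.FileName })
    }

    $seen = @{}
    foreach ($f in ($files | Sort-Object -Unique)) {
        if (-not $f) { continue }
        try { $hash = Get-FileSha1 -Path $f } catch { Write-Warning "Unreadable: $f ($_)"; continue }
        if ($seen.ContainsKey($hash)) {
            Write-Warning "Duplicate signature: $f matches $($seen[$hash])"
            continue   # one hash per configuration is enough
        }
        $seen[$hash] = $f
        [pscustomobject]@{ Path = $f; SHA1 = $hash }
    }
}

# Usage:
#   Get-SignatureItems -Folder 'C:\Program Files\Microsoft Office' |
#       Export-Csv -Path office-signatures.csv -NoTypeInformation
#   Get-SignatureItems -ProcessId (Get-Process -Name winword).Id
```

Because a signature item matches on the hash alone, the file it identifies runs from any location, so the folder you scan must contain only binaries you actually intend to trust. Re-run the scan after every patch and compare the two CSV files: hashes that disappear belong to old signatures that should be removed from the configuration, as recommended above.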
Trusted Vendors can be added in one of three ways:
From Signed-File - Specify a known file that has already been signed by the vendor you wish to trust. Application Manager identifies the vendor's signing certificate and uses it to identify additional code from that same vendor.
From File-Based Store - Browse to a specific digital certificate, if available. Use this option to choose the files you require (Import File-Based Store imports all files).
Import File-Based Store - Import a digital certificate for use in setting up a Trusted Vendor rule. Use this option to import all files.
Certificate Verification
You can also verify a certificate. Application Manager displays a message if there are any warnings for the certificate, for example, if it is not possible to determine whether the certificate has been revoked. The Verify Certificates command is available from the Rule Items ribbon page > Trusted Vendors group. The following graphic shows an example of the message displayed for a certificate with warnings.
Figure 3.4
Advanced Options
Advanced options allow you to specify parameters for validating a certificate by ignoring or allowing specific attributes. The certificate must be valid for the rule to be applicable, but there are different levels of validation with which you can configure a certificate. The advanced options are available from the Advanced Options dialog box. The Advanced Options dialog box is available from the Rule Items ribbon page > Trusted Vendors group.
Ignore CTL revocation errors - Ignores that the certificate trust list (CTL) revocation status is unknown when determining certificate verification.
Ignore CA revocation errors - Ignores that the certificate authority revocation status is unknown when determining certificate verification.
Ignore end Certificate revocation errors - Ignores that the end certificate (the user certificate) revocation status is unknown when determining certificate verification.
Ignore root revocation errors - Ignores that the root revocation status is unknown when determining certificate verification.
Ignore CTL not time valid errors - Ignores that the certificate trust list is not time valid, for example because it has expired, when determining certificate verification.
Ignore time nesting errors - Ignores that the certificate authority (CA) certificate and the issued certificate have validity periods that are not nested when verifying the certificate. For example, the CA certificate may be valid from January 1st to December 1st, and the issued certificate from January 2nd to December 2nd, so the validity periods are not nested.
Ignore basic constraint errors - Ignores that the basic constraints are not valid when determining certificate verification.
Ignore invalid name errors - Ignores that the certificate has an invalid name when determining certificate verification.
Ignore invalid policy errors - Ignores that the certificate has an invalid policy when determining certificate verification.
Ignore invalid usage errors - Ignores that the certificate was not issued for the current use when determining certificate verification.
Allow untrusted roots - Ignores that the root cannot be verified because the certificate authority is unknown.
The Click here to test these settings link validates the certificate using the options you have selected; where revocation checking is involved, the result depends on connectivity with the appropriate certification authority. Every option you enable removes one check from the verification, so enable only those needed for a specific, understood certificate problem.
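The following PowerShell script is an added example and is not AppSense code. It builds the certificate chain of a file's Authenticode signer with the .NET X509Chain class so that you can see, per individual check, what each Advanced Option above would suppress. The mapping between the dialog options and the X509VerificationFlags values is this example's assumption based on the option names, not something the documentation states; the file path is a placeholder.

```powershell
# Added example, not part of the AppSense product or documentation.
# Verifies a file's Authenticode signer chain strictly and then with a set of
# X509VerificationFlags, so the effect of each "Ignore ..." option is visible.
# Assumed mapping from the dialog options to .NET flags:
#   Ignore CTL revocation errors             -> IgnoreCtlSignerRevocationUnknown
#   Ignore CA revocation errors              -> IgnoreCertificateAuthorityRevocationUnknown
#   Ignore end Certificate revocation errors -> IgnoreEndRevocationUnknown
#   Ignore root revocation errors            -> IgnoreRootRevocationUnknown
#   Ignore CTL not time valid errors         -> IgnoreCtlNotTimeValid
#   Ignore time nesting errors               -> IgnoreNotTimeNested
#   Ignore basic constraint errors           -> IgnoreInvalidBasicConstraints
#   Ignore invalid name errors               -> IgnoreInvalidName
#   Ignore invalid policy errors             -> IgnoreInvalidPolicy
#   Ignore invalid usage errors              -> IgnoreWrongUsage
#   Allow untrusted roots                    -> AllowUnknownCertificateAuthority

function Test-SignerChain {
    param(
        [Parameter(Mandatory)][string]$Path,
        [System.Security.Cryptography.X509Certificates.X509VerificationFlags]$Flags = 'NoFlag',
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$RevocationMode = 'Online'
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        return [pscustomobject]@{ Path = $Path; Signer = $null; ChainValid = $false; Errors = @('file is not signed') }
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $RevocationMode
    $chain.ChainPolicy.VerificationFlags = $Flags
    # Require the Code Signing EKU; a certificate issued for another purpose fails
    # here unless IgnoreWrongUsage ("Ignore invalid usage errors") is set.
    [void]$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'))
    $valid = $chain.Build($sig.SignerCertificate)
    $errors = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    $chain.Reset()
    [pscustomobject]@{
        Path         = $Path
        Signer       = $sig.SignerCertificate.Subject
        Authenticode = $sig.Status      # Windows' own verdict, which also honours the timestamp
        ChainValid   = $valid
        Errors       = $errors
    }
}

$file = 'C:\path\to\signed.exe'   # placeholder: point this at any Authenticode-signed file

# Strict: every check enforced and revocation looked up online.
Test-SignerChain -Path $file | Format-List

# Relaxed: the equivalent of ticking the four "Ignore ... revocation errors" options
# and "Allow untrusted roots". Compare the Errors list with the strict run.
$relaxed = [System.Security.Cryptography.X509Certificates.X509VerificationFlags] (
    'IgnoreEndRevocationUnknown, IgnoreCertificateAuthorityRevocationUnknown, ' +
    'IgnoreRootRevocationUnknown, IgnoreCtlSignerRevocationUnknown, AllowUnknownCertificateAuthority')
Test-SignerChain -Path $file -Flags $relaxed | Format-List
```

The Errors list of the strict run names the exact status (RevocationStatusUnknown, OfflineRevocation, NotTimeNested, UntrustedRoot and so on) that a given Advanced Option would hide, which is a better basis for deciding to enable an option than the generic warning in the dialog. Two caveats: X509Chain does not consider the Authenticode timestamp, so an expired but timestamped signature that Windows accepts (see the Authenticode column) can still show NotTimeValid here; and once AllowUnknownCertificateAuthority is in effect, no trusted CA vouches for the signer's identity any more, so the whole Trusted Vendor decision rests on the certificate itself.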
Whitelist Model
The whitelist approach dictates that every piece of executable content must be predefined before the user requests the application on the operating system. Details of all the content identified in this way are kept on a whitelist, which has to be checked each time an execution request occurs. If the executable file is on the whitelist it is permitted; otherwise it is denied. A small number of security technologies work in this way, but they often experience issues with the level of administration required once implemented, because every patch, service pack and upgrade must be added to and maintained in the whitelist. Application Manager fully supports this model of control, and adds significant steps to enable additional security in the model. One such addition is the ability to include SHA-1 digital signatures (hashes), so that not only must the application name match but the SHA-1 signature of the executable must also match a signature in the database. Furthermore, Application Manager also adds the full path of the executable to the list, so that all three items must match before the application executes:
Filename - for example, winword.exe.
File Path - for example, C:\Program Files\Microsoft Office\Office\
SHA-1 digital signature
Note that SHA-1 is no longer collision resistant: an attacker can construct two different files with the same SHA-1, so a hash should only be trusted for files the administrator obtained from a trusted source, and a stronger algorithm should be preferred where the product allows it. To take the technology into the next stage of control, Application Manager does not only take the details of the executables but also requires the administrator to specify specific .dlls as well as all other executable content, such as ActiveX controls, Visual Basic Scripts and Command Scripts.
Blacklist Model
In contrast to whitelists, blacklists are a potentially low-security measure. A list is generated and maintained which contains the applications that are to be denied execution. This is the main failing of the method: it presumes that all dangerous applications are actually known about, which is of little use in most enterprises, particularly those with e-mail and internet access and/or where the user can introduce files and applications without administrator intervention. Application Manager does not need to actively maintain a list of denied applications, as any application not installed by, and therefore not owned by, the administrator is denied by Trusted Ownership. This protection needs no configuration, except to allow an outside application. One of the main reasons to prohibit applications via a blacklist is license management: a known (and therefore trusted and owned) application can be prevented from running until the administrator explicitly allows access to it through a particular user, group or client rule.
Additionally, a blacklist is useful for denying access to files owned by trusted owners that may be deemed security risks, for example, regedit.exe, ftp.exe, and so on.
Items within the Accessible Items list may be:
File - If the filename alone is specified, for example, myapp.exe, then all instances of this file are allowed regardless of the location of the application. If the file is specified with the full path, for example, \\servername\sharename\myapp.exe, then only this instance of the application is allowed (or, in Prohibited Items, not allowed). Other instances of this application need to satisfy other Application Manager rules to be granted execution.
Folder - A complete folder may be specified, for example, \\servername\servershare\myfolder, and all applications within this folder, and all subfolders if required, are allowed to execute. Select Include subdirectories to include all directories beneath the specified directory. No checks are made on the files within the folder, so any file copied into this folder is allowed to execute; do not whitelist a folder that users can write to without also selecting the Trusted Ownership option for the item.
To automatically apply environment variables, select Substitute environment variables where possible for a file or folder. This makes the paths more generic for applying on different machines. Wildcard support provides an additional level of control for specifying generic file paths.
Drive - A complete drive may be specified, for example, W, and all the applications on this drive, including subfolders, are allowed to execute. No checks are made on the files within the drive, so any file copied into any folder on this drive is allowed to execute.
Signature Item - A file may be added along with a digital hash of the file. This ensures that only that particular file may be executed, but from any location.
Network Connection Item - A Network Connection Item can be specified to allow the matching outbound network connections. For more information see Application Network Access Control on page 115.
Group - Groups can contain any number and combination of items, for example, all the File, Folder, Drive, Signature and Network Connection items for a particular application. All files in the group are allowed to execute.
Trusted Ownership - This option must be selected in the Accessible Items work area if you want to perform trusted ownership checking on the defined Accessible Item. If this option is not selected, the file is allowed to execute regardless of the owner.
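The following PowerShell function is an added example and is not AppSense code. It evaluates a file against a list of Accessible Items with the matching rules just described (bare file name matches anywhere, full path matches one location, folder with or without subdirectories, drive, SHA-1 signature, environment variable substitution and wildcards) and then applies the per-item Trusted Ownership option. The hashtable shape of the items, the trusted owner SIDs and the sample item list are this example's own assumptions.

```powershell
# Added example, not part of the AppSense product or documentation.
# Evaluates a file against Accessible Items using the documented matching
# rules, then applies the item's Trusted Ownership option. Items are plain
# hashtables; the shape is this example's own. Requires PowerShell 4.0 or
# later (Get-FileHash).

function Test-AccessibleItems {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [Parameter(Mandatory)][hashtable[]]$Items,
        # Trusted owner SIDs (BUILTIN\Administrators and SYSTEM here); an assumption.
        [string[]]$TrustedOwnerSids = @('S-1-5-32-544', 'S-1-5-18')
    )
    $full = [System.IO.Path]::GetFullPath($FilePath)
    $name = [System.IO.Path]::GetFileName($full)
    $dir  = [System.IO.Path]::GetDirectoryName($full).TrimEnd('\') + '\'

    foreach ($item in $Items) {
        # "Substitute environment variables where possible": expand %VAR% before matching.
        $value = [Environment]::ExpandEnvironmentVariables([string]$item.Value)
        $match = switch ($item.Type) {
            'File' {
                # A bare name matches every copy of that name anywhere; a full path
                # matches one location. -like gives the documented wildcard support.
                if ($value -notmatch '[\\/]') { $name -like $value } else { $full -like $value }
            }
            'Folder' {
                $folder = $value.TrimEnd('\') + '\'
                if ($item.IncludeSubdirectories) {
                    $full.StartsWith($folder, [StringComparison]::OrdinalIgnoreCase)
                } else {
                    $dir -eq $folder
                }
            }
            'Drive' {
                $full.StartsWith($value.TrimEnd(':', '\') + ':\', [StringComparison]::OrdinalIgnoreCase)
            }
            'Signature' {
                # Location independent: only the hash has to match.
                (Get-FileHash -Path $full -Algorithm SHA1).Hash -eq $value
            }
            default { $false }
        }
        if (-not $match) { continue }

        $allowed = $true
        if ($item.TrustedOwnership) {
            # Folder and Drive items check nothing about the file itself, so this
            # option is the only thing standing between a writable folder and a bypass.
            $owner = (Get-Acl -Path $full).GetOwner([System.Security.Principal.SecurityIdentifier]).Value
            $allowed = $TrustedOwnerSids -contains $owner
        }
        return [pscustomobject]@{ Path = $full; MatchedBy = "$($item.Type) $($item.Value)"; Allowed = $allowed }
    }
    # No item matched: under a whitelist configuration this is a denial.
    [pscustomobject]@{ Path = $full; MatchedBy = $null; Allowed = $false }
}

# Constructed example list: the whole Windows folder (owner-checked), one tool by
# hash, and a bare file name that a user could satisfy from any location.
$items = @(
    @{ Type = 'Folder';    Value = '%SystemRoot%'; IncludeSubdirectories = $true; TrustedOwnership = $true },
    @{ Type = 'Signature'; Value = 'DA39A3EE5E6B4B0D3255BFEF95601890AFD80709' },   # placeholder SHA-1
    @{ Type = 'File';      Value = 'myapp.exe' }
)
Test-AccessibleItems -FilePath "$env:SystemRoot\System32\notepad.exe" -Items $items
Test-AccessibleItems -FilePath "$env:USERPROFILE\Downloads\myapp.exe" -Items $items
```

The second call is the case to remember when reviewing a configuration: a bare file name item allows a file of that name from a user's Downloads folder, and without the Trusted Ownership option nothing about the file's origin is examined. Adding TrustedOwnership = $true to the item, or replacing it with a Signature item, closes that gap.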
Access Times
It is possible to define what times and on what days a particular application is allowed to execute. The Access Times dialog box is available on the Rule Items ribbon page > Accessible & Prohibited Items group.
Access times can only be applied to Accessible Items within the Group, User, Device, Custom, Scripted, and Process rules.
Figure 3.8 Access Times Specified between 8am and 6pm, Monday to Friday
A message can be displayed when a user attempts to access an application outside of the specified time limits. Another message can be displayed if the time limit expires whilst the application is still running. You can configure this message. See Time Limits on page 30.
Application Limits
It is also possible to define the number of occurrences of an application that can run at one time. The Application Limits dialog box is available on the Rule Items ribbon page > Accessible & Prohibited Items group.
Application limits can only be applied to Accessible Items within the Group, User, Device, Custom, Scripted, and Process rules.
A message can be displayed for a user when application limits have been exceeded. You can configure this message. See Application Limits Exceeded on page 28.
Trusted Vendor checking is recommended for development and test environments where end users may need to constantly install and test different versions of company-owned application and script content. By signing the desired executables with a digital certificate, Trusted Vendor checking can be configured to allow all signed components to be executed as and when needed. Finally, Prohibited Items should be configured to create a blacklist preventing specific user access to applications that would typically be installed, and hence owned, by Trusted Owners, including parts of the operating system such as registry editing tools, file sharing tools and access to Control Panel components. This blacklist of Prohibited Items can additionally be used to cater for application license management when used in conjunction with Accessible Items whitelists and the Application Limits functionality.
Configuration
In this Section:
Configuration Files on page 56
Default Configuration on page 57
Customize a Configuration on page 61
Example Configuration Procedures on page 69
Configuration Profiler on page 73
CONFIGURATION FILES
Application Manager configuration files (.aamp) contain the rule settings for securing your system. The Application Manager agent checks the configuration rules to determine the action to take when intercepting file execution requests. Configurations are stored locally in C:\Documents and Settings\All Users\Application Data\AppSense\Application Manager\Configuration for Windows XP and Server 2003. For Vista and above they are stored in C:\ProgramData\AppSense\Application Manager\Configuration. Configurations are protected by NTFS security.
ProgramData is a hidden folder. Open Windows Explorer, type C:\ProgramData in the Address bar and press Enter to open the folder.
In Standalone mode, configuration changes are written directly to the local .aamp file from the Application Manager console. In Enterprise mode, configurations can be created and stored centrally in the AppSense Management Center database, and distributed to endpoints in MSI format via the AppSense Management Server. Configurations can also be exported and imported to and from MSI file format, which is useful for creating templates or distributing configurations using third-party deployment systems. After creating or modifying a configuration, you must save the configuration with the latest settings to ensure that they are implemented.
DEFAULT CONFIGURATION
Application Manager is ready to manage your security as soon as you install the agent and a configuration on managed endpoints. A default configuration loads when you run the console and can be used for immediate protection on all client computers to which the configuration is deployed. This configuration blocks any file with an untrusted owner, and prevents non-administrative users from accessing executables in non-secure locations, including network locations and removable media.
For more information on Trusted Ownership see Security Methods on page 41.
The default configuration can be saved directly in Standalone mode to the local computer via the console or saved to the database of the AppSense Management Center when operating in Enterprise mode, ready for deployment.
Protection
All application and process execution requests are checked against the Application Manager Rules before access is granted.
All application and process network access requests are prohibited unless allowed by Application Manager Rules.
Members of the Local Administrators group are granted unrestricted access to applications.
Members of non-administrative user groups are granted restricted access to applications.
MSI, WSH and Registry files are validated against the Application Manager Rules.
Windows Installer (msiexec.exe) is allowed to run all child processes with the DLL and EXE extensions.
Table 4.1 Default Settings
Setting - Description
General Features Options - Ignore restrictions at logon delays the implementation of the Application Manager rules until logon is complete, to avoid any disruption or prevention of the logon process completing. This option allows logon scripts to run. While cmd.exe and self-extracting zip files are usually blocked as potential loopholes for attempts to breach security, this option allows legitimate CMD and ZIP files to run.
System process validation can affect performance and is disabled by default. Application Manager validates MSIs, Registry files and WSH against the rules by default. Otherwise, they are ignored unless they are specified in the rules themselves. Turn these options off only if you trust these types of files running or you have adequate protection in place in the Application Manager rules or by some other method.
Functionality (Enable Application Access Control, Enable Application Network Access Control, Enable User Rights Management) - All Application Manager functionality is enabled by default but you can disable any of these as part of any troubleshooting process.
Application Termination (settings for closing and terminating applications: set triggers, warning message behavior to users and warning message notifications) - Disabled by default.
Libraries - Group Management: for creating reusable groups of applications to assign to Rules. User Rights Policies: reusable User Rights Policies which elevate or restrict user privileges, for assigning to files, folders, signatures, drives and application groups in Rules.
Rules, Administrator - Local Administrator Group Rule for managing access to applications for local administrators. Security level set to Unrestricted. No other default settings are applied.
Rules, Everyone - Group Rule for all system users unless a user matches other rules with higher priority settings. Security level set to Restricted. AppSense Program Files Directories are added to Accessible Items. No other default settings are applied.
Rules, Process - All EXE and DLL files are allowed to run when spawned by msiexec.exe. This rule does not manage access to msiexec.exe. You must manage access to this file in another rule.
CONFIGURATION ELEMENTS
The Application Manager console provides configuration settings in the following key areas:
Library
Rules
Library - The Library node provides the following:
Group Management - The Group Management node allows you to group a number of items such as Files, Folders, Drives, Signature Files, and Network Connections, for example, for one particular application. You can then add this group to the Accessible and Prohibited Items lists.
User Rights Policies - The User Rights Policies node allows you to add User Rights Policies to selectively promote or demote administrative rights for individual applications.
Rules - Rule nodes provide default settings for handling file executions and specific settings which apply to particular users, groups or devices.
Group, User, Device, Custom, Scripted, and Process Rules - Allow you to specify Security Level settings that specify restrictions which apply to users, groups or devices matching the rule. Custom rules target combinations of particular users or groups operating on specific collections of devices. Scripted rules allow administrators to apply Accessible Items and Prohibited Items to users based on the outcome of a VBScript. The VBScript can be run for each individual user session or run once per computer. Process rules allow you to manage access for the application to run child processes which might otherwise be managed differently in other rules. You can add Accessible Items, Prohibited Items, Trusted Vendors, and User Rights to the rule.
Accessible / Prohibited Items - Sub-node lists within each rule which you can populate and maintain with specific files, folders, drives, and digital signatures to provide an additional level of granularity for controlling file execution requests. For example, items which Trusted Ownership checking normally prohibits can be made accessible for the users or devices targeted in the rule. Likewise, files which would normally be accessible can be prohibited.
Trusted Vendors - A sub-node list in each rule which you can populate with digital certificates issued by trusted sources. Files which fail Trusted Ownership checking are checked for the presence of digital certificates and are allowed to run when a match is made with the Trusted Vendors list. For example, a highly restricted user might be prohibited under normal rule conditions from introducing executable files on the system but may be required to download and run software updates from a particular source, from time to time. If the downloaded file includes a digital certificate which matches a certificate in the Trusted Vendors list, the file is allowed to run.
User Rights - A sub-node list in each rule which you can populate with applications, components and web installations to which you want to apply User Rights Policies. User Rights Policies allow you to selectively promote or demote administrative rights for individual applications, components and web installations.
Rule Matching
Rule matching takes place when Application Manager intercepts a file execution request and checks the configuration policy to determine whether a file is allowed to run.
Applying Rule Policies
The most lenient security policy is applied to a user profile which is affected by more than one rule. For example, a user who matches both a User rule assigned the Restricted security level and also a Group rule which assigns the Self-Authorizing level is granted self-authorizing privileges for all decisions and application use.
Matching Files and Rules
The Application Manager agent applies rules by making a suitable match for the file type. Matching is based on a three stage approach which considers security, matching order and policy decisions:
1. Security: Is the user restricted? Is ownership of the executable item trusted? Where is the executable loaded from? Does the executable match a signature? Does the executable match an Accessible or Prohibited Item? Is Trusted Ownership checking enabled? Is there a timed exception? Is there an Application Limit?
2. Matching:
3. Policy:
Trusted Ownership Checking
During the rule matching process, Trusted Ownership checking is performed on files, folders and drives to ensure that ownership of the items is matched with the list of trusted owners in the default rule configuration. For example, if a match is made between the file you want to run and an accessible item, an additional security check ensures that the file ownership is also matched with the Trusted Owners list. If a genuine file has been tampered with, or a file which is a security threat has been renamed to resemble an accessible item, Trusted Ownership checking identifies the irregularity and prevents file execution. Trusted Ownership checking is not necessary for items with digital signatures as these cannot be imitated.
For more information on Trusted Ownership see Security Methods on page 41.
Trusted Vendors
Trusted Vendor matching takes place when a file is prohibited by failing Trusted Ownership checking. Application Manager queries each file execution to detect the presence of a digital certificate. If the file has a valid digital certificate and the signer matches an entry in the Trusted Vendor list, the file is allowed to run, overriding the failed Trusted Ownership check.
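The matching flow described in this section, together with the Access Times, Application Limits, environment variable substitution and wildcard matching of Accessible Items described earlier in the chapter, as an added Python model. This is example code, not AppSense code: the class names, field names, the "allow"/"deny" decisions and the precise order of the checks are assumptions drawn from the text, and the rules, owners, paths and vendor name in the demo are constructed for the example.

```python
"""Model of this chapter's rule matching (added example, not AppSense code; names and check order are assumptions)."""
from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatchcase
import ntpath, os

# Security levels, most to least restrictive; the most lenient matched level wins.
LEVELS = ["Restricted", "Self-Authorizing", "Audit Only", "Unrestricted"]
def normalise(path):
    """Substitute %VAR% environment variables, lower-case, use backslashes."""
    return ntpath.normcase(ntpath.expandvars(path))

@dataclass
class Item:
    kind: str                       # "file", "folder", "drive" or "signature"
    value: str                      # path pattern, drive letter or file hash
    trusted_ownership: bool = True  # the default for Accessible Items

@dataclass
class Rule:
    name: str
    level: str
    accessible: list = field(default_factory=list)
    prohibited: list = field(default_factory=list)
    trusted_vendors: set = field(default_factory=set)  # certificate subjects
    access_hours: tuple = None      # (start_hour, end_hour, {weekday, ...})
    app_limit: int = None           # maximum concurrent instances

@dataclass
class Request:
    path: str
    owner: str                      # NTFS owner of the file
    file_hash: str = ""             # digest of the file contents
    signer: str = None              # certificate subject, None if unsigned
    running: int = 0                # instances already running
    when: datetime = None

def item_matches(item, req):
    if item.kind == "signature":                  # exact file, any location
        return item.value == req.file_hash
    path, pat = normalise(req.path), normalise(item.value)
    if item.kind == "file":                       # wildcards allowed
        return fnmatchcase(path, pat)
    if item.kind == "folder":                     # subfolders included
        return path.startswith(pat.rstrip("\\") + "\\")
    return item.kind == "drive" and path.startswith(pat[0] + ":\\")  # no file checks

def decide(req, rules, trusted_owners):
    """Return (decision, reason) for one execution request."""
    level = max((r.level for r in rules), key=LEVELS.index)
    if level != "Restricted":
        return "allow", level       # only Restricted users get the checks below
    for r in rules:                 # an explicit block is not overridden by a vendor match
        if any(item_matches(i, req) for i in r.prohibited):
            return "deny", f"prohibited by {r.name}"
    owner_ok = req.owner in trusted_owners
    for r in rules:
        for i in r.accessible:
            if not item_matches(i, req):
                continue
            if i.kind != "signature" and i.trusted_ownership and not owner_ok:
                continue            # signature items skip ownership; others fall through
            if r.access_hours and req.when:
                start, end, days = r.access_hours
                if req.when.weekday() not in days or not start <= req.when.hour < end:
                    return "deny", f"outside access times of {r.name}"
            if r.app_limit is not None and req.running >= r.app_limit:
                return "deny", f"application limit of {r.name} exceeded"
            return "allow", f"accessible item in {r.name}"
    if owner_ok:
        return "allow", "trusted owner"
    if req.signer and any(req.signer in r.trusted_vendors for r in rules):
        return "allow", "trusted vendor"   # overrides the failed ownership check
    return "deny", "untrusted owner"

def demo():
    """Constructed scenario: a Restricted Everyone rule plus Unrestricted admins."""
    os.environ["ProgramFiles"] = r"C:\Program Files"     # constructed for the demo
    owners = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators"}
    everyone = Rule("Everyone", "Restricted",
                    accessible=[Item("folder", r"%ProgramFiles%\Microsoft Office")],
                    prohibited=[Item("file", r"C:\Windows\regedit.exe")],
                    trusted_vendors={"Example Vendor Ltd"},
                    access_hours=(8, 18, {0, 1, 2, 3, 4}), app_limit=2)
    admins = Rule("BUILTIN\\Administrators", "Unrestricted")
    monday, sunday = datetime(2011, 6, 6, 12), datetime(2011, 6, 5, 12)
    word = r"C:\Program Files\Microsoft Office\WINWORD.EXE"
    adm = "BUILTIN\\Administrators"
    def d(req, *rules): return decide(req, list(rules), owners)[0]
    return {
        "admin": d(Request(word, "DOMAIN\\alice", when=monday), everyone, admins),
        "office": d(Request(word, adm, when=monday), everyone),
        "weekend": d(Request(word, adm, when=sunday), everyone),
        "limit": d(Request(word, adm, running=2, when=monday), everyone),
        "regedit": d(Request(r"C:\Windows\regedit.exe", adm), everyone),
        "download": d(Request(r"C:\Users\bob\Downloads\tool.exe", "DOMAIN\\bob"), everyone),
        "vendor": d(Request(r"C:\Users\bob\Downloads\update.exe", "DOMAIN\\bob",
                            signer="Example Vendor Ltd"), everyone),
    }
```

The model is useful for reasoning about a proposed rule set before it is deployed: an administrator who matches both rules is allowed because the more lenient level wins, regedit.exe is denied even though its owner is trusted because an explicit Prohibited Item is checked first and is not overridden by a Trusted Vendor match, and a download with an untrusted owner is allowed only when its signer is in the Trusted Vendors list. The Drive item, as the text warns, performs no checks on the files within the drive when Trusted Ownership is switched off for it.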
CUSTOMIZE A CONFIGURATION
As previously mentioned, the default configuration is ready to use as soon as you install the agent and the configuration on the managed endpoints. However, all enterprises are different and thus it is possible to edit or create a configuration more suitable to the environment.
You can use Endpoint Analysis to determine the applications on a user's endpoint and which applications are used. You can use this information to simplify the creation of a configuration. The results of the analysis can be dragged and dropped into an existing configuration. See Endpoint Analysis on page 128 for more information.
Define Users
The first step in creating a configuration is to determine the users that you want to apply rules to, for example, the users that you want to restrict certain applications for. Rules can be applied to all users within a group or to individual users. Users can belong to more than one group. By default there are two existing Group rules:
BUILTIN\Administrators
Everyone
Users within BUILTIN\Administrators have an Unrestricted security level whilst users in the Everyone group have a Restricted security level. Select a rule to display the security level.
Application Manager has the ability to assign four distinct security levels to the group rules.
By default, the BUILTIN\Administrators group rule has a security level of Unrestricted. The Everyone group rule and all additional group rules have a security level of Restricted.
Table 4.2
Security Level
Restricted
Self-Authorizing
Audit Only
Unrestricted
When an application is prevented from running, a dialog box is displayed to inform the user. You can customize the message shown in this dialog box. For more information see Message Settings on page 26.
All users, including administrators, are part of the Everyone group. This means administrators are part of two group rules: the BUILTIN\Administrators group, which is unrestricted, and the Everyone group, which is restricted. Application Manager uses the least restrictive rules, therefore all administrator requests are unrestricted. The BUILTIN\Administrators group rule is for managing access to applications for local administrators, whilst the Everyone group rule is for all other users unless a user matches other group or user rules with higher priority settings. Typically, you specify all the files, folders, drives, signature items, network connection items, and groups to prohibit for Everyone. You can then create a new group or user rule and specify the items you want to be accessible for that group or user. This enables you to control what users have access to.
1. Expand the Group > Everyone node.
2. Select the Prohibited Items node.
3. Right-click within the work area and select Add > File or Add > Folder. Add the files or folders to prohibit.
For information on making Network Connection Items accessible or prohibited see Application Network Access Control on page 115.
1. Right-click the Group node or the User node.
2. Select Add Group Rule or Add User Rule.
3. Add a group or add a user.
Accessible Items
Accessible Items are available in each group or user rule. These are rule items for granting access to specific files, folders, drives, signature items, network connection items, and group items for the users, groups or devices matching the rule.
By default the Trusted Ownership option is selected for all Accessible Items. Therefore, an application must always pass trusted ownership checking if it is enabled, even if the application is an Accessible Item. Although the Trusted Ownership option can be disabled, this is not recommended as it weakens the default security.
Prohibited Items
Prohibited Items are available in each group or user rule. These are rule items for restricting access to specific files, folders, drives, signature items, network connection items, and group items for the users, groups or devices matching the rule. When an application is prohibited a warning message is displayed. This warning message can be customized using the Message Settings dialog box. This dialog box is available from the General Features ribbon page > Properties group.
Figure 4.3
Trusted Vendors
The Trusted Vendor node is available in each group or user rule and is used to list valid digital certificates. An increasing number of applications are being signed by vendors with a digital signature. A digital certificate is supplied with a public key and this may be used to verify the authenticity of the application. If trusted ownership fails, then provided the file is not explicitly blocked within the Application Manager configuration, it may be allowed to execute if it has a valid digital signature.
Advanced options allow you to specify parameters for validating a certificate by ignoring or allowing specific attributes. The certificate must be valid for the rule to be applicable, but there are different levels of validation with which you can configure a certificate. A test option helps to validate the certificate based on the options you have selected and, where relevant, is dependent on connectivity with the appropriate Certification Authority.
The following options are available for adding Trusted Vendors:
From signed file - You can specify a known file that has already been signed by the vendor who you wish to trust. Application Manager can then identify the vendor's specific signature to identify additional code from that same vendor.
From file-based store - You can browse to the specific digital certificate if available.
Import file-based store - Allows you to import a digital certificate for use in setting up a trusted vendor rule.
For more information on Trusted Vendors see Method 3 - Trusted Vendors on page 46.
User Rights
The User Rights node is used to apply User Rights Policies to files, folders, signatures, groups, and Windows components when the rule is matched. User Rights Policies are used to elevate or restrict user privileges. For example, many organizations are restrictive on what users are allowed to use and many applications require administrator rights. A User Rights Policy can be used to elevate a user or group of users from standard user rights to administrator rights for a particular application or Control Panel component.
For more information on User Rights see User Rights Management on page 77.
Rules Description
Device - The Device rules node allows you to match security control rules with specific devices within the enterprise. Device rules can apply the rule settings either to the device hosting the Application Manager agent and configuration or to devices connecting through terminal services to the host. The Device node provides the ability to perform Per Seat license management in a server based computing environment. For example, a configuration rule can allow certain applications to run on a server but prohibit the application from running when launched by users operating from specific devices listed in the rule as connecting devices to the host server. For an example of a Device rule see Control Microsoft Software Licensing in a Virtualized Desktop Infrastructure (VDI) Environment on page 69.
Custom - The Custom rule node allows you to match security control settings with combinations of specific users or groups and devices within the enterprise. The rule can apply settings to devices hosting the Application Manager agent and configuration or to devices connecting through terminal services to the host. For example, a rule that targets computer IP address 192.168.0.2 as a connecting device and domain\user allows you to apply security controls when the specific user logs on from the specified device through terminal services to the computer hosting the Application Manager agent and configuration. For an example of a Custom rule see Prohibit Starting Applications from a Connecting Device on page 72.
Scripted - The Scripted rules node allows you to create rules based on custom VB Scripts which run whenever a user logs on. The success or failure of a VB Script determines whether the security level, Accessible Items and Prohibited Items, which are part of the rule, apply to the user. Scripted rules can take advantage of any interface accessible via VB Script, such as COM and WMI, and allow the administrator to define Application Manager policy based on any computer, user, registry, file or system property. Scripted rules also allow integration with other third-party solutions, such as Microsoft Active Directory and Citrix Advanced Access. Scripted rules can run for each new session in the context of the user or in the context of SYSTEM. Alternatively, Scripted rules can run once per computer and the result is applied to all user sessions. Scripted rules are re-evaluated when a new configuration is deployed to the computer. Scripts run when the Application Manager agent starts up or when the configuration changes. For an example of a Scripted rule see Determine if a User is a Member of a Certain OU on page 70.
Process - The Process node allows you to match security control rules with specific requesting processes. Process rules allow you to manage access for an application to run child processes which might otherwise be managed differently in other rules. You can add Accessible Items, Prohibited Items, Trusted Vendors and User Rights Management to the rule. You can add files, folders, drives, signature items, network connection items and application groups as managed items into the Accessible Items and Prohibited Items lists of a process rule. The Process rule manages all levels of child process run by the application. The Process rule does not manage the application itself. This must be managed by other rules unless the application is managed as a child process in another Process rule. For an example of a Process rule see Prohibit Child Processes Running from a Parent Process on page 73.
Control Microsoft Software Licensing in a Virtualized Desktop Infrastructure (VDI) Environment
1. Click Endpoint Analysis in the navigation pane and add endpoints by domain/workgroup or by browsing a Management Center Deployment group. Add all existing desktops you wish to manage.
2. Once endpoints are added, run scans of all endpoints or just selected endpoints to identify what the usage is for Microsoft Office applications. From these results you can potentially cut license costs by removing unused licenses.
If necessary, run an Installed Applications scan to identify on which devices Microsoft Office applications are installed, to establish where licenses are required and also to ensure those applications are made available on the correct devices based on where the key users or groups operate.
1. Click the Configuration button in the navigation pane.
2. Navigate to Group Management in the Library node and create a new Group Management entry called Microsoft Office.
3. Click Add Item in the Items ribbon group and select Folder. Browse to Program Files to locate and add the relevant folder for the Microsoft Office product executable files.
4. Create a Device Rule called Cannot Use Office.
5. Right-click in the work area for the Device Rule and select Add Client Device. Enter an asterisk (*) in the text field, click Add and select the Connecting Device type. This ensures that all devices are blocked by this rule.
6. Add the Microsoft Office application group to the Prohibited Items folder to ensure that all the specified devices in this rule are blocked from accessing the applications in the Office group.
7. Create another Device Rule called Can Use Office.
8. Right-click in the work area and select Add Client Device.
9. Browse the network or Active Directory. Add all the devices which are allowed to access the Office products.
10. Add the Microsoft Office application group to the Accessible Items folder to ensure that all the specified devices in this rule are allowed to access the applications in the Office group.
The results of the running applications scan you performed in the previous task can be used to determine on which devices Microsoft Office is used. You can select multiple devices to add simultaneously.
Determine if a User is a Member of a Certain OU
1. Right-click the Scripted rule node in the navigation tree and select Add Scripted Rule.
2. Right-click the new rule and select Rename. Enter an intuitive name for the rule, for example, Users in OU.
3. Right-click the rule and select Edit Script. The Scripted Rule dialog box displays.
4. Enter the following example script.
5. Select the correct Entry Function. In the example above this is MyScript. This is the main function that is called when the script runs and evaluates the outcome of the rule.
6. Click OK.
Options Tab
The Options tab contains the following:
Run script once per logon session as the logged on user - The script runs for each user logging on. Settings are only applied for the duration of the user session.
Run script once per logon session as the SYSTEM user - The script runs with SYSTEM account permissions once for each user logging on. Settings are only applied for the duration of the user session.
Run script once per computer as the SYSTEM user - The script runs with SYSTEM account permissions once at computer startup. Settings are applied to all user sessions until the computer restarts, the Application Manager agent restarts or there is a configuration change.
Running scripts as the SYSTEM user can cause serious damage to your computer and should only be enabled by experienced script authors.
Do not execute script until user logon is complete - Select to prevent the script from running until user logon is complete.
Wait for <n> seconds before script timeout - Allows you to specify the number of seconds to allow a script to continue running before the script times out. A setting of zero (0) seconds prevents the script timeout. If a timeout occurs the result is fail and settings cannot be applied.
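How a Scripted rule's outcome gates the settings it carries, covering the three run modes of the Options tab, re-evaluation on a configuration change, and the timeout behaviour just described, as an added Python model. This is example code, not AppSense code: the VBScript entry function is stood in for by a Python callable, and the mode identifiers, the ScriptedRule class and the membership set used in place of an OU lookup are this example's own. Because a timeout yields fail and a failed script means none of the rule's settings apply, the model also drops any Prohibited Items the rule carries when the script times out; a blacklist that must hold regardless of script outcome therefore belongs in a Group or User rule rather than only in a Scripted rule.

```python
"""Model of how a Scripted rule's outcome gates its settings (added example, not
AppSense code; mode names, class names and the timeout handling are assumptions)."""
import threading

# Modes from the Options tab; the identifiers are this example's own.
PER_SESSION_AS_USER = "per_session_as_user"
PER_SESSION_AS_SYSTEM = "per_session_as_system"
ONCE_PER_COMPUTER_AS_SYSTEM = "once_per_computer_as_system"

def run_entry_function(entry, context, timeout_seconds):
    """Run the entry function on its own thread. A raised error or a timeout
    counts as failure; a timeout of 0 waits indefinitely."""
    outcome = {"ok": False}

    def target():
        try:
            outcome["ok"] = bool(entry(context))
        except Exception:
            outcome["ok"] = False

    worker = threading.Thread(target=target, daemon=True)
    worker.start()
    worker.join(None if timeout_seconds == 0 else timeout_seconds)
    return False if worker.is_alive() else outcome["ok"]   # still running: fail

class ScriptedRule:
    def __init__(self, entry, mode, timeout_seconds=30, accessible=(), prohibited=()):
        self.entry, self.mode, self.timeout = entry, mode, timeout_seconds
        self.accessible, self.prohibited = list(accessible), list(prohibited)
        self._computer_result = None      # cached result for once-per-computer mode

    def on_configuration_change(self):
        """Scripts are re-evaluated when a new configuration is deployed."""
        self._computer_result = None

    def settings_for_session(self, username):
        """Accessible and Prohibited Items that apply to this user session."""
        if self.mode == ONCE_PER_COMPUTER_AS_SYSTEM:
            if self._computer_result is None:
                self._computer_result = run_entry_function(self.entry, "SYSTEM", self.timeout)
            ok = self._computer_result
        elif self.mode == PER_SESSION_AS_SYSTEM:
            ok = run_entry_function(self.entry, "SYSTEM", self.timeout)
        elif self.mode == PER_SESSION_AS_USER:
            ok = run_entry_function(self.entry, username, self.timeout)
        else:
            raise ValueError(f"unknown mode {self.mode}")
        if not ok:   # failure: none of the rule's settings apply, Prohibited Items included
            return {"accessible": [], "prohibited": []}
        return {"accessible": self.accessible, "prohibited": self.prohibited}

def demo():
    """Constructed scenario: a membership check (stand-in for an OU lookup), a
    script that hangs until released, and a once-per-computer script."""
    members = {"alice"}
    ou_rule = ScriptedRule(lambda user: user in members, PER_SESSION_AS_USER,
                           accessible=["W:\\apps\\tool.exe"],
                           prohibited=["C:\\Windows\\regedit.exe"])
    release = threading.Event()
    hung_rule = ScriptedRule(lambda ctx: release.wait(), PER_SESSION_AS_SYSTEM,
                             timeout_seconds=0.2, prohibited=["C:\\Windows\\regedit.exe"])
    runs = []
    once_rule = ScriptedRule(lambda ctx: runs.append(ctx) or True,
                             ONCE_PER_COMPUTER_AS_SYSTEM, accessible=["W:\\apps\\tool.exe"])
    results = {"alice": ou_rule.settings_for_session("alice"),
               "bob": ou_rule.settings_for_session("bob"),
               "timed_out": hung_rule.settings_for_session("alice")}
    once_rule.settings_for_session("alice")       # script runs once ...
    once_rule.settings_for_session("bob")         # ... cached for the next session ...
    once_rule.on_configuration_change()
    once_rule.settings_for_session("carol")       # ... and again after a config change
    results["script_runs"] = len(runs)
    release.set()                                 # let the hung worker thread finish
    return results
```

In the demo the hung script is cut off by a 0.2 second timeout and its Prohibited Items list is not applied to the session, which is the fail-closed behaviour the Wait for <n> seconds option describes; the once-per-computer script runs twice in total, once at first use and once more after the configuration change.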
Prohibit Starting Applications from a Connecting Device
1. Right-click the Custom rule node in the navigation tree and select Add Custom Rule.
2. Right-click the User/Group Name column in the work area and select Set Account. The Account Selection dialog box displays.
3. Add the user or group to prohibit access to an application when connecting from a specified device.
4. Right-click the new rule and select Rename.
5. Enter an intuitive name for the rule.
6. Right-click in the work area and select Add Client Device. The Add a Client Device dialog box is displayed.
7. Enter the computer name or IP address of the computer users are connecting from and click Add.
8. Select the Connecting Device option in the Device Type column.
9. Expand the rule and select the Prohibited Items node.
10. Right-click in the work area and select Add > File. The Add a File dialog box displays.
11. Enter the name of the application or browse to it using the Browse button and click Add.
12. Save the configuration and deploy to managed endpoints.
Prohibit Child Processes Running from a Parent Process
1. Right-click the Process rule node in the navigation tree and select Add Process Rule.
2. Right-click the new process rule and select Rename.
3. Enter an intuitive name for the process rule.
4. With the process rule selected, right-click the work area and select Add > File. The Add a File dialog box is displayed.
5. Enter the name of the application to be the parent process.
6. Expand the new rule and select the Prohibited Items node.
7. Right-click the work area and select Add > File. The Add a File dialog box is displayed.
8. Enter the name of the application to prohibit from running from the parent process.
9. Save the configuration and deploy to the managed endpoints.
How to Drop User Rights for Changing the System Date and Time
Sometimes it is prudent to limit local Administrator rights to avoid the risk of disruption to system integrity. For example, local changes to the system date and time can prevent scheduled scripts from running. In a domain, the System date and time is usually best managed by the domain controller.
DROP LOCAL ADMINISTRATOR USER RIGHTS FOR CHANGING SYSTEM DATE AND TIME
1. Expand the BUILTIN\Administrators group.
2. Select the User Rights node.
3. Select the Components tab.
4. Right-click the Components tab and select Add Component.
5. Select the Date and Time component in the list and select Add.
6. When the component is added to the Components tab list, ensure that the User Rights Policy of the Date and Time component is set to Builtin Restrict, or open the drop-down to select that option.
Local administrative users are now prohibited from modifying the system date and time.
CONFIGURATION PROFILER
The Configuration Profiler, available from the Home ribbon page > Common group, allows administrators to produce detailed reports on configurations. This can be done whether they are stored locally or in the central database. The reports can be a general study of the overall configuration or can be aimed at how it interacts with a specific user, group of users or specific file.
Use general reports to assist auditing and compliance requirements such as Sarbanes Oxley or HIPAA. Use custom reports to highlight specific elements to assist in troubleshooting a large configuration. In order to create a Configuration Profiler report, the configuration in question must be loaded into the Application Manager console. It does not need to be deployed for this to be achieved. Complete reports can be created using the Configuration Profiler or based on specific criteria such as the File, Folder, Network Connection, User, Group, and Device rule items.
Use Rules Analyzer to examine problems with a configuration deployed to endpoints. See Rules Analyzer on page 144.
Figure 4.5 Configuration Profiler
The following graphic shows a report of the default configuration that comes with Application Manager. This is a complete report and specifies that the Everyone group rule and the Windows Installer process rule have a restricted security level. The remaining rules in Application Manager are not displayed because there is no configuration set up for them. Both the Everyone group rule and the Windows Installer process rule have Accessible Items listed. The path for the Windows Installer process rule is also given.
No Prohibited Items, Trusted Vendors or User Rights are listed because none are configured. The configuration properties are shown. These include details about Archiving, the default rules specified in the Options dialog box available from the General Features ribbon page > Default Restrictions group, details about Trusted Owners, and the Extension Filtering property.
In this Section:
Overview on page 74
User Rights Management Benefits on page 77
Use Cases on page 78
Technology on page 78
Configuring User Rights Management on page 80
Web Installations on page 99
Snippets on page 109
OVERVIEW
Many user environments are very restrictive in order to limit user access to sensitive data and key applications. Application Manager secures and protects many corporate desktops by controlling application and network access. Application Manager 8.1 extends policy management capabilities by providing comprehensive User Rights Management functionality.
User Rights Management enables enterprise IT departments to reduce access control privileges on a per user, group, application, or business rule basis. It ensures users have only the rights they need to fulfil their job and access the applications and controls they require, and nothing else, thus ensuring desktop stability and improving security and productivity.
The perfect balance between user productivity and security is to control user rights, not at a session or account level, but at an application or individual task level. With User Rights Management, access to applications and tasks is managed dynamically by managing user rights, on demand, in response to user actions. For example, administrator rights can be applied to a named application or Control Panel component for a particular user or user group, by either elevating the privileges of a standard user to an administrator level, or dropping the rights of an administrator to that of a standard user account. By controlling user rights throughout the user session, IT can provide users with the accessibility they require to perform their job, while protecting the desktop and the environment and reducing management costs.
User Rights Management provides a granular approach to delegating administrative rights to users and applications by assigning rights according to merit. This level of control can be deployed to elevate or restrict privileges on a case by case basis according to the preferred approach taken in the environment. User Rights Management allows you to create a library of reusable policies which can be associated with any available Application Manager rules, to assign the relevant privileges to files, folders, signatures, and application groups. User Rights Policies include domain user group membership and a range of administrative privileges which you can apply to each policy.
You can run Application Manager in User Rights Management mode only. See Options on page 19.
Least Privilege
Many users run their computer with administrative privileges. It is evident that users running with these privileges can introduce viruses, malware and spyware. Inevitably this can affect the entire enterprise, causing security breaches and downtime. Access to private data can also be at risk. User Rights Management allows the application of the principle of least privilege. This principle requires that users are provided the minimum rights to do their job, without giving the user full administrator rights. The experience is seamless to the user.
For the complete definition of least privilege refer to the Department of Defense Trusted Computer System Evaluation Criteria, (DOD-5200.28.STD), also known as the Orange Book. This is located at http://csrc.nist.gov/publications/history/dod85.pdf.
With User Rights Management, downtime and the number of calls made to IT support because of viruses and similar problems are greatly reduced, because computers are secured against the problems that occur when a user has full administrative rights. This means IT Support can focus on more important tasks instead of spending large amounts of time troubleshooting computers to find the problem. Licensing is also easier to control, for example, by allowing users to install only authorized applications.
Tasks that commonly require administrative rights include:

Installation of printers
Installation of certain hardware
Installation of particular applications
Operation of applications that require administrative privileges
Change of system time
Legacy applications

User Rights Management allows the user to perform these tasks by elevating the user to have only the specific administrative privileges each task needs.
UAC also applies to Windows 7. However, it is an addition to the Run as command and not a replacement.
These features also apply to Server 2003 and Server 2008 versions.
Although these features do allow users to run without administrative rights, they still require the user to have access to an administrator account to perform administrative tasks. This limitation means these features are more appropriate for administrators: it enables them to log on as a standard user and use the administrator account only to perform administrative tasks. Because the user must provide the credentials of a local administrator to use Run as and UAC, a number of concerns arise. For example:

A user with access to an administrator account must be trusted not to abuse these privileges.

Applications running with administrative rights are now running in the context of a different user. This can cause problems; for example, these applications do not have access to the actual user's profile or network shares, as stated in the User Rights Management v Run As section above.

Two passwords are required, one for the standard account and one for the administrator account, and the user must remember both. Securing one account is challenging, and securing two more so.
applications and potentially open up the desktop to the Internet. Use User Rights Management to make, for example, Internet Explorer run in standard user mode even for an administrator-level user, thus safeguarding the desktop.

Reducing Privileges to Restrict Access to System Settings

Use User Rights Management to give a higher-level system administrator the ability to stop an administrative user from altering settings that they should not change, for example, firewalls and certain services. Use User Rights Management to reduce administrative privileges for certain processes. Although the user has administrative rights, the system administrator retains control of the environment.
USE CASES
User Rights Management has many use cases and solves problems that many enterprises have until now been unable to address. A small number of scenarios are given below:
Organizations that use local administrator accounts for their users may need to lock down elements of the desktop, such as the Control Panel components Add Hardware, or Add and Remove Programs \ Programs and Features. By dynamically dropping the user account from administrator to a standard user for specific controls, the user is prohibited from accessing the control and executing an unwanted task.

Some applications require administrator rights because the application itself interacts with certain parts of the desktop operating system or registry. However, the organization does not wish to provide users with full administrator accounts. User Rights Management can elevate the user rights for the named application to administrator level, enabling the user to run the application while protecting the desktop.

Automatic update elements of some applications can require administrator rights to perform the update actions and therefore do not function in the context of a standard user. User Rights Management can enable the named application to run under the context of an administrator account while all other applications remain in the standard user context.

Mobile users may need to manually change their IP address, configure a wireless network, or change date and time properties, all of which require administrative rights. User Rights Management can elevate the user rights to administrator level for named tasks, enabling the user to make the changes they require.
TECHNOLOGY
In a Microsoft Windows computing environment, every process is created with a security token. The token records the user's identity, group memberships and privileges, and the operating system consults it whenever the process accesses an object or interacts with other applications. When User Rights Management is configured to manage an application, the token the new process receives is dynamically modified to have group memberships and privileges elevated or restricted, so the application runs with more or fewer rights than the user's logon session would otherwise give it.
The User Rights Management mechanism handles process startup requests as follows:

1. A User Rights Policy is defined in the configuration rule and applies to applications or components.

The Application list can include files, folders, signatures or application groups. The Components list can include Control Panel components.

2. When a process is created by the launch of an application or other executable, the Application Manager hook intercepts the process and queries the Application Manager agent to find out whether elevated or restricted rights are required to run the process.
3. The agent checks whether the configuration assigns elevated or restricted rights and, if so, requests a modified user token from the Windows Local Security Authority (LSA).
4. The hook receives the modified user token from the Windows LSA, granting the necessary privileges. Otherwise, the process runs with the existing user token, that is, with the user's normal rights.
1. Right-click the User Rights Policies node in the navigation pane and select Add Policy.
2. Right-click the policy and select Rename.
3. Enter an intuitive name for the policy, for example, Elevate to Admin.
4. Right-click the Group Membership tab in the work area and select Add Group Action. The Account Selection dialog box displays.
5. Enter or navigate to the administrators group and click OK.
6. Click in the Action column and select Add Membership. This is the default setting.

The Add Membership option allows users to run an application as if they were a member of the specified group. The Drop Membership option runs the application as if the user were not a member of the specified group, for example, running it without the rights of the local administrators group even though the user belongs to it.
Merging Policies

A configuration can contain a number of User Rights Policies. These can be applied to many files, folders, signatures, and groups in the various rules. If any of the files, folders, signatures, or groups in the rules match, and their policies are relevant, Application Manager merges the policies and the least restrictive policy takes precedence. Application Manager also applies rule ordering to the policies to determine which policy takes precedence. The rule ordering and precedence is as follows:

Signature with arguments takes the highest precedence.

Taking the above into account, when an application is specified both as a file and by its signature, only the policy for the signature is applied, because a signature has higher precedence than a file.
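The precedence and merging rules above, worked through as an added example that is not part of the guide or of AppSense's code. Only two facts in it come from the page: a signature with arguments outranks everything, and a signature outranks a file; the full PRECEDENCE order, the SHA-256 hash standing in for an Application Manager signature, the ranking used to decide which action is "least restrictive", the item layout and the sample items are all assumptions made for the example.

```python
# Added example (not AppSense code): resolve which User Rights Policy a process launch gets.
import fnmatch
import hashlib
import ntpath
import os

os.environ.setdefault("SystemRoot", r"C:\Windows")  # assumed value so %SystemRoot% expands off a Windows box

# Only two facts here come from the guide: "signature+args" is highest and "signature" outranks "file".
# The rest of the ordering is an assumption for the example.
PRECEDENCE = ["signature+args", "signature", "file+args", "file", "folder"]

# Assumed reading of "least restrictive": lower rank wins when two policies set the same privilege.
RESTRICT_RANK = {"Enabled": 0, "No change": 1, "Disabled": 2, "Remove": 3}


def signature(data):
    """Stand-in for an Application Manager signature: a hash of the file contents (SHA-256 assumed)."""
    return hashlib.sha256(data).hexdigest()


def _norm(path):
    # Expand %VAR% and fold case and slashes the way Windows path comparison does.
    return ntpath.normcase(ntpath.expandvars(path))


def matches(item, path, args, data):
    """Does one configured item (file, folder or signature entry) match this launch?"""
    kind = item["kind"]
    if kind.startswith("signature"):
        if item["signature"] != signature(data):
            return False
    elif kind.startswith("file"):
        if not fnmatch.fnmatchcase(_norm(path), _norm(item["path"])):  # wildcards allowed
            return False
    elif kind == "folder":
        folder = _norm(item["path"]).rstrip("\\") + "\\"
        launched = _norm(path)
        if not launched.startswith(folder):
            return False
        if not item.get("subdirs", False) and "\\" in launched[len(folder):]:
            return False  # Include subdirectories is off: only the folder itself counts
    else:
        raise ValueError(kind)
    if kind.endswith("+args"):
        return fnmatch.fnmatchcase(args, item["args"])
    return True


def merge(policies):
    """Merge several policies' privilege actions, keeping the least restrictive per privilege."""
    merged = {}
    for policy in policies:
        for priv, action in policy.items():
            if priv not in merged or RESTRICT_RANK[action] < RESTRICT_RANK[merged[priv]]:
                merged[priv] = action
    return merged


def resolve(items, path, args, data):
    """Return the merged privilege actions for a launch, or None when no item matches."""
    hits = [i for i in items if matches(i, path, args, data)]
    if not hits:
        return None  # step 4 of the mechanism: the process keeps the user's existing token
    best = min(PRECEDENCE.index(i["kind"]) for i in hits)
    return merge(i["policy"] for i in hits if PRECEDENCE.index(i["kind"]) == best)


# Constructed sample: stand-in file contents and a configuration spread over several rules.
TASKMGR_BYTES = b"constructed stand-in for taskmgr.exe"
MMC_BYTES = b"constructed stand-in for mmc.exe"
SAMPLE_ITEMS = [
    {"kind": "file", "path": r"%SystemRoot%\System32\taskmgr.exe", "policy": {"SeDebugPrivilege": "Remove"}},
    {"kind": "signature", "signature": signature(TASKMGR_BYTES), "policy": {"SeDebugPrivilege": "Enabled"}},
    {"kind": "file", "path": r"%SystemRoot%\System32\*.exe",
     "policy": {"SeShutdownPrivilege": "Remove", "SeDebugPrivilege": "Disabled"}},
    {"kind": "file", "path": r"%SystemRoot%\System32\notepad.exe", "policy": {"SeDebugPrivilege": "Enabled"}},
    {"kind": "signature+args", "signature": signature(MMC_BYTES), "args": "*dfrg.msc*",
     "policy": {"SeBackupPrivilege": "Enabled"}},
    {"kind": "signature", "signature": signature(MMC_BYTES), "policy": {"SeBackupPrivilege": "Remove"}},
]

if __name__ == "__main__":
    # The signature entry wins over both file entries, so Task Manager gets SeDebugPrivilege enabled.
    print(resolve(SAMPLE_ITEMS, r"C:\Windows\System32\taskmgr.exe", "", TASKMGR_BYTES))
```

Running it for notepad.exe shows the merge: the wildcard entry and the explicit file entry have equal precedence, so SeDebugPrivilege ends up Enabled (the less restrictive of Disabled and Enabled) while SeShutdownPrivilege stays Remove because only one policy mentions it. Launching mmc.exe with a dfrg.msc argument selects the signature-with-arguments entry; without the argument the plain signature entry applies instead.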
Privileges A privilege is the right of a user account to perform a particular system-related operation, such as shutting down the computer or changing the system time. You can use the User Rights Management feature to enable, disable or remove privileges.
Figure 5.3 Privilege Options

No change - Leaves the privilege as it is in the original token.
Enabled - Sets the flag in the token to enabled.
Disabled - Sets the flag in the token to disabled. Use the Enabled option to re-enable the privilege.
Remove - Removes the privilege from the token. You cannot undo this option.
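How the four actions above change a process token, as an added example that is not part of the guide or of AppSense's code. The attribute bits are the Win32 values from winnt.h (SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED, SE_PRIVILEGE_REMOVED), which is how AdjustTokenPrivileges records a privilege's state; the Token class, the policy layout and the starting set of privileges are assumptions for the example.

```python
# Added example (not AppSense code): what No change / Enabled / Disabled / Remove do to a token.
SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x00000001  # winnt.h attribute bits carried in LUID_AND_ATTRIBUTES
SE_PRIVILEGE_ENABLED = 0x00000002
SE_PRIVILEGE_REMOVED = 0x00000004            # passed to AdjustTokenPrivileges, the entry leaves the token for good


class Token:
    """Minimal stand-in for a Windows access token's privilege array (assumed structure)."""

    def __init__(self, privileges):
        # privilege name -> attribute bits, as in TOKEN_PRIVILEGES
        self.privs = dict(privileges)

    def apply(self, name, action):
        """Apply one privilege action from a User Rights Policy's Privileges tab."""
        if name not in self.privs:
            return self  # already removed: a later Enabled finds nothing to act on
        if action == "No change":
            pass
        elif action == "Enabled":
            self.privs[name] |= SE_PRIVILEGE_ENABLED
        elif action == "Disabled":
            self.privs[name] &= ~SE_PRIVILEGE_ENABLED
        elif action == "Remove":
            # SE_PRIVILEGE_REMOVED semantics: the entry is deleted, so the process can never re-enable it
            del self.privs[name]
        else:
            raise ValueError(f"unknown action {action!r}")
        return self

    def state(self, name):
        """What 'whoami /priv' would show; a removed privilege is simply not listed."""
        if name not in self.privs:
            return "Removed"
        return "Enabled" if self.privs[name] & SE_PRIVILEGE_ENABLED else "Disabled"


def apply_policy(token, policy):
    """Apply a policy given as (privilege, action) pairs, in order."""
    for name, action in policy:
        token.apply(name, action)
    return token


def standard_user_token():
    # Constructed starting token: a standard user holds these privileges, mostly disabled.
    return Token({
        "SeShutdownPrivilege": 0,
        "SeTimeZonePrivilege": 0,
        "SeUndockPrivilege": 0,
        "SeChangeNotifyPrivilege": SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED,
    })


def demo():
    """End state of three action sequences; only Remove is irreversible."""
    elevate = apply_policy(standard_user_token(), [("SeTimeZonePrivilege", "Enabled")])
    toggle = apply_policy(standard_user_token(),
                          [("SeShutdownPrivilege", "Enabled"), ("SeShutdownPrivilege", "Disabled"),
                           ("SeShutdownPrivilege", "Enabled")])
    removed = apply_policy(standard_user_token(),
                           [("SeUndockPrivilege", "Remove"), ("SeUndockPrivilege", "Enabled")])
    return {
        "time_zone": elevate.state("SeTimeZonePrivilege"),
        "shutdown": toggle.state("SeShutdownPrivilege"),
        "undock": removed.state("SeUndockPrivilege"),
        "untouched": elevate.state("SeChangeNotifyPrivilege"),
    }


if __name__ == "__main__":
    print(demo())
```

On a real machine the check is the same one state() imitates: run whoami /priv in the elevated process; a Disabled privilege is still listed and can be re-enabled, whereas a Removed one no longer appears at all.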
The following table lists the privileges that only apply to specific operating systems. The remaining privileges apply across all operating systems.

Table 5.1 Privileges that apply only to specific operating systems

Privilege - User Right
SeCreateSymbolicLinkPrivilege - Create symbolic links
SeEnableDelegationPrivilege - Enable computer and user accounts to be trusted for delegation
SeIncreaseWorkingSetPrivilege - Increase a process working set
SeRelabelPrivilege - Modify an object label
SeTimeZonePrivilege - Change the time zone
SeTrustedCredManAccessPrivilege - Access credential manager as a trusted caller
SeUndockPrivilege - Remove computer from a docking station
SeUnsolicitedInputPrivilege - Receive unsolicited data from a terminal device

The table also records, per operating system from 2003 onwards, whether each privilege applies (No, Server Only, 2008 R2 Only, Desktop Only or Not Applicable).
1. Expand the applicable Group rule in the navigation pane and select the User Rights node.
2. Select the Applications tab in the work area.
3. Right-click the work area and select Add > Add File. The Add a File for User Rights Management dialog box displays.
4. Browse to the Task Manager executable, taskmgr.exe, and click Add.
5. Select the policy you created in the above procedure (Elevate to Admin) in the User Rights Policy column.
6. Save the configuration.

Now that the Administrator Membership rule is applied to Task Manager using User Rights Management, Task Manager runs with administrator privileges for that group.
An empty default User Rights Policy is created if one does not exist.
Applications Tab

The following columns and options appear on the Applications tab.

Item - Specifies the location of a file, folder or signature, or the name of a group.
Arguments - Specifies the arguments to provide to the application / process you are starting, that is, the application specified in the File path field. Arguments are only applicable to files and signatures, because a file or signature entry identifies the application / process itself.

Arguments support environment variables and wildcards. Environment variables make the path more generic for applying on different machines. Wildcard support provides an additional level of control for specifying generic file paths.

Apply to Child - An application / process to which a User Rights Policy is applied can launch child processes; the application specified in the File path field is the parent process. Select this option to apply the policy to the direct child of the parent process. The child process inherits the new token. Deselect this option to allow the child process to use the original token that has not been altered by User Rights Management.
Include subdirectories - Select to include all directories beneath the specified directory. User Rights Management is applied to all subdirectories. Deselect to only apply User Rights Management to the current folder.
This column is only applicable to folders.
Install as Trusted Owner - Select this option to make all files created by the defined application owned by the local administrator, so that the files an installer writes are treated as trusted-owned rather than as files created by the user. This option has no effect if the application is not an installer, such as setup.exe.
Signature - Displays the actual signature for a signature file.
This column is only applicable to signature files.
User Rights Policy - Specifies the User Rights Policy for the file, folder, signature, or group. Select the drop-down arrow in the column to select a policy.
Use the Library > User Rights Policies node to create a User Rights Policy.
Applications and Components

You can apply User Rights Policies to files, folders, signatures, and groups. These are specified on the Applications tab. Components are specified on the Components tab. Right-click the Applications tab for a User Rights node and select Add > Add File, Add Folder, Add Signature, or Add Group. Right-click the Components tab and select Add Component.

File

The following are the options available in the Add a File for User Rights Management dialog box.
Figure 5.6 Add a File for User Rights Management Dialog Box
File - The file path of the file / process. Enter the file path into this field or use the Browse button to locate the file.
Arguments - Specifies the arguments to provide to the application / process you are starting, that is, the application specified in the File path field. For example, %SystemRoot%\system32\mmc.exe may be the application and %SystemRoot%\system32\dfrg.msc c: the argument.
Apply policy to child processes - By default, the User Rights Policy applied to an application or process is not inherited by child processes launched by the parent process. The application specified in the File path field is the parent process. Select this option to apply the policy to the direct child of the parent process. The child process inherits the new token. Deselect this option to allow the child process to use the original token that has not been altered by User Rights Management.
Application Manager only supports one level of inheriting the token.
Install as Trusted Owner - Select this option to make all files created by the defined application owned by the local administrator. This option has no effect if the application is not an installer, such as setup.exe.
Substitute environment variables where possible - For example, replaces the Windows directory with the generic environment variable %SystemRoot%.

Environment variables make the path more generic for applying on different machines. Wildcards are also supported and provide an additional level of control for specifying generic file paths.
Folder

The following are the options in the Add a Folder for User Rights Management dialog box.
Figure 5.7
Folder - The name of the folder. Enter the name of the folder into this field or use the Browse button to locate the folder.
Include subdirectories - Select to include all directories beneath the specified directory. User Rights Management is applied to all subdirectories. Deselect to only apply User Rights Management to the current folder.
Substitute environment variables where possible - For example, replaces the Windows directory with the generic environment variable %SystemRoot%.
Apply policy to child processes - By default, the User Rights Policy applied to an application or process is not inherited by child processes launched by the parent process. The application in the specified folder is the parent process. Select this option to apply the policy to the direct child of the parent process. The child process inherits the new token. Deselect this option to allow the child process to use the original token that has not been altered by User Rights Management.
Install as Trusted Owner - Select this option to make all files created by the defined application owned by the local administrator. This option has no effect if the application is not an installer, such as setup.exe.

Environment variables make the path more generic for applying on different machines. Wildcards are also supported and provide an additional level of control for specifying generic file paths.
Signature

The following are the options in the Add a Signature File for User Rights Management dialog box.
Figure 5.8
File - The file path of the signature file for an application / process. Enter the file path into this field or use the Browse button to locate the file.
Arguments - Specifies the arguments to provide to the application / process you are starting, that is, the application specified in the File path field. For example, %SystemRoot%\system32\mmc.exe may be the application and %SystemRoot%\system32\dfrg.msc c: the argument.
Apply policy to child processes - By default, the User Rights Policy applied to an application or process is not inherited by child processes launched by the parent process. The application specified in the File path field is the parent process. Select this option to apply the policy to the direct child of the parent process. The child process inherits the new token. Deselect this option to allow the child process to use the original token that has not been altered by User Rights Management.
Install as Trusted Owner - Select this option to make all files created by the defined application owned by the local administrator. This option has no effect if the application is not an installer, such as setup.exe.
Application Manager only supports one level of inheriting the token.
Group

You can add a group to User Rights. Groups are used to hold and manage a logical collection of files, folders, drives, signature files, and network connection items. Use the Library > Group Management node to create a group.
Components

Control Panel components and Network Adapter features and functions are typically controlled by explorer.exe. Elevating explorer.exe to run in the context of a Local Administrator is not ideal, as this can open up a range of security issues: every shell operation the user performs, not just the one task, would then run with administrator rights. To resolve this and enable the user to access that functionality in the context of an administrator without elevating the entire explorer shell, User Rights Management places the AppSense Control Panel components in the Windows Control Panel alongside the existing components. These can now be controlled at an access level specific to the function, without changing any rights associated with explorer.exe.
Use the filter in the Select Components dialog box to filter components by operating system.
The following table gives a list of components that are specific to particular operating systems. The remaining components are available for all operating systems.

Table 5.2 Components specific to particular operating systems

Component Name | Type | Operating System
Add Plug and Play | Control Panel | XP, 2003
Backup and Restore Center | Control Panel | Vista
BitLocker Enable | Control Panel | Vista, 2008, W7
Calibrate Color | Control Panel | Vista, 2008, W7
Clear Type Text | Control Panel | W7
Desktop DPI | Control Panel | XP, 2003, Vista, 2008
Disk Management | Management Snapin | Vista, 2008, W7
Display | Control Panel | XP, 2003
Easy Transfer | Control Panel | Vista, W7
Install/Uninstall Languages | Management Snapin | Vista, 2008, W7
iSCSI Initiator | Control Panel | Vista, 2008, W7
Offline Files | Control Panel | Vista, 2008
Power Options | Control Panel | XP, 2003
Recovery Disc | Control Panel | Vista, 2008, W7
Recovery Restore | Control Panel | Vista, 2008, W7
Server Manager | Management Snapin | 2008
System (pre-Vista) | Control Panel | XP, 2003
System Configuration | Control Panel | Vista, 2008, W7
System Properties, Advanced | Control Panel | Vista, 2008, W7
System Properties, Computer Name | Control Panel | Vista, 2008, W7
System Properties, Performance | Control Panel | Vista, 2008, W7
System Properties, Protection | Control Panel | Vista, 2008, W7
System Properties, Remote | Control Panel | Vista, 2008, W7
Task Scheduler | Management Snapin | Vista, 2008, W7
Troubleshoot | Control Panel | Vista, 2008, W7
Trusted Platform | Management Snapin | W7
Windows Features | Control Panel | Vista, 2008, W7
Windows Firewall Advanced Settings | Management Snapin | Vista, 2008, W7
1. Expand the applicable Group rule in the navigation pane and select the User Rights node.
2. Select the Components tab in the work area.
3. Right-click the work area and select Add Component. The Select Components dialog box displays.

The Select Components dialog box displays a list of Control Panel and Management Snapin tools. You can choose to elevate or restrict privileges for each component. See Components on page 90 for a list of the components that are specific to a particular operating system.

4. Select the components you want the user to run as an administrator.
5. In the User Rights Policy column, select the Builtin Elevate policy to elevate privileges for the component. Select the Builtin Restrict policy to restrict privileges for the component.
6. Click Add.
7. Save the configuration.

One or more Control Panel and Management Snapin components can be selected in the Select Components dialog box. This provides access only to the selected components and not to the whole Control Panel and all Management Snapins. Shortcuts representing the components are displayed in the Control Panel dialog box.
Example Configurations
The following section consists of a number of example configurations for User Rights Management.

RESTRICT USERS FROM STARTING AND STOPPING SERVICES

Use User Rights Management to reduce privileges for the Services component so that the administrator cannot start and stop services.

1. Select the User Rights node beneath the BUILTIN\Administrators rules node.
2. Select the Components tab within the work area.
3. Right-click within the work area and select Add Component. The Select Components dialog box displays.
4. Select the Services component and click Add.

Use the filter at the top of the Select Components dialog box to filter by operating system.

5. Select the drop-down arrow in the User Rights Policy column and select the Builtin Restrict policy.
6. Save the configuration.
Figure 5.11
1. Select the User Rights node beneath the applicable rules node.
2. Select the Components tab within the work area.
3. Right-click within the work area and select Add Component. The Select Components dialog box displays.
4. Select the Automatic\Windows Update component and click Add.
5. Select the drop-down arrow in the User Rights Policy column and select the Builtin Elevate policy.
6. Save the configuration.

1. Select the User Rights node beneath the applicable rules node.
2. Select the Components tab in the User Rights work area.
3. Right-click within the work area and select Add Component. The Select Components dialog box is displayed.
4. Select the Defragment option, and click Add.
5. Select the drop-down arrow in the User Rights Policy column and select the Builtin Elevate policy.
6. Save the configuration.
Step 1 - Create a Policy to Elevate User Privileges
1. Select the Library > User Rights Policies node.
2. Select Add Policy on the User Rights ribbon page > Manage Policy group.
3. Right-click the new policy and select Rename.
4. Enter an intuitive name for the policy, for example, Elevate Visual Studio.
5. Right-click the Group Membership tab in the Policy Contents work area and select Add Group Action. The Account Selection dialog box displays.
6. Enter the account into the Account field or use the Browse button to browse to the account.
7. Ensure Add Membership is selected in the Action column.

Step 2 - Allow Users to Run Visual Studio and Debug Applications
1. Select the Library > User Rights Policies node.
2. Select Add Policy on the User Rights ribbon page > Manage Policy group.
3. Right-click the new policy and select Rename.
4. Enter an intuitive name for the policy, for example, Run Debug.
5. Select the Privileges tab. The Privileges work area displays.
6. Click the Action column for the debugging privilege, SeDebugPrivilege, and select Enabled.

Step 3 - Create a Group Rule
1. Select Rules > Group in the navigation pane.
2. Select the Add Rule drop-down arrow on the Rules ribbon page > Manage group and select Group Rule. The Add Group Rule dialog box is displayed.
3. Enter the name of the domain group into the Add Group Rule dialog box and click Add.

Step 4 - Apply the Elevate Visual Studio Policy to the Rule
1. Select the User Rights node beneath the rule you have created. The User Rights work area displays.
2. Right-click within the work area and select Add > Add File. The Add a File for User Rights Management dialog box displays.
3. Browse to the Visual Studio application file.
4. Select the Apply policy to child processes option and click Add.
5. Select the Elevate Visual Studio policy in the User Rights Policy column. This is the policy created in Step 1.

Step 5 - Apply the Run Debug Policy to the Rule
1. Right-click within the User Rights work area and select Add > Add File.
2. Enter * in the File path field. This allows for all applications being debugged.
3. Click Add.
4. Select the Run Debug policy in the User Rights Policy column. This is the policy created in Step 2.

Note that * matches every executable the user launches, so every process started by members of this group receives SeDebugPrivilege. Because that privilege lets a process open any other process regardless of the target's security descriptor, restrict the entry to the debugger and the applications being debugged wherever you can.

Step 6 - Save the Configuration
1. Save the configuration.
WEB INSTALLATIONS
A number of Web Installations require the end user to have administrative rights, for example, an ActiveX control such as Adobe Flash Player or a web download such as Microsoft Silverlight. A common scenario is a standard user attempting to download and install Adobe Flash Player. This requires administrative rights, so when the attempt is made the User Account Control (UAC) dialog box is displayed, requesting that the user enter an administrative password. Most organizations will not want to give their users administrative rights. The Web Installation feature of User Rights Management allows elevation to administrative rights for ActiveX installers from a particular domain. You can create a simple configuration in which you enter only the name of the domain, or an advanced configuration by specifying the CAB file for an item, its Class ID and the minimum and maximum version numbers. You can also specify that only signed controls from the domain can be installed.
A CAB file is the Microsoft Windows compressed archive format. This format supports compression and digital signing and is used in a variety of Microsoft installation engines.
1. Select the User Rights node for a particular group, for example, the Everyone group.
2. Select the Web Installations tab.
3. Right-click within the work area and select Add Web Installation. The Add new Web Installation dialog box displays.
4. Enter a name for the Web Installation in the Name field, for example, Adobe Flash.
5. Enter the URL in the Website URL field. For example, adobe.com, to allow installations from all of adobe.com.
6. Ensure the Only allow signed controls option is selected.
7. Click Add.
8. Ensure the default Builtin Elevate policy is selected in the User Rights Policy column.
9. Save the configuration.

All downloads that are signed and are from the specified website are allowed.

Along with the above procedure, other configurable items need to be considered. For example, for an ActiveX installation you would need to allow the ActiveX file to run, and any executables that the control calls. You need to consider Process rules, Trusted Vendors, any Digital Certificates, Accessible Items, Elevated items, and so on. Application Manager includes a number of snippets to assist in the creation of configurations for Web Installations. See Snippets on page 109 for more information.
Step 1 - Create a Policy to Elevate to Administrator
1. Right-click the Library > User Rights Policies node and select Add Policy.
2. Right-click the new policy beneath the User Rights Policies node and select Rename.
3. Enter an intuitive name for the policy, for example, Elevate.
4. Right-click within the Group Membership tab work area and select Add Group Action.
5. Enter the name of the administrator user group or use the Browse button to navigate to the account.
6. Click Add.
7. Ensure Add Membership is selected in the Action column.
Step 2 - Add the Application to the User Rights Node
1. Select the User Rights node for a particular group, for example, the Everyone group.
2. Select the Applications tab.
3. Right-click the Applications tab work area and select Add > Add File. The Add a File for User Rights Management dialog box displays.
4. Enter the name of the web installation you want to add in the File field, for example silverlight.exe, or use the Browse button to locate the file.
5. Select the Apply policy to child processes option.
6. Select the Install as Trusted Owner option.

For information on the Apply policy to child processes and Install as Trusted Owner options see Applications and Components on page 86.

7. Click Add.
8. Ensure the policy created in the first step procedure, Elevate, is selected in the User Rights Policy column.
Figure 5.18
Step 3 - Add a Signature for the Web Installation to the Accessible Items
1. Select the Accessible Items node for the same group.
2. Right-click in the work area and select Add > Add Signature Item. The Select Accessible Signature File dialog box displays.
3. Navigate to the web installation and click Open.
4. Save the configuration.

Along with the above procedure, other configurable items need to be considered. For example, for an ActiveX installation you would need to allow the ActiveX file to run, and any executables that the control calls. You need to consider Process rules, Trusted Vendors, any Digital Certificates, Accessible Items, Elevated items, and so on. Application Manager includes a number of snippets to assist in the creation of configurations for Web Installations. See Snippets on page 109 for more information.
CREATE A GRANULAR CONFIGURATION FOR INSTALLING GOTOMEETING

You can create a granular configuration for a web installation. You can refer to the specific CAB file, the Class ID and also the minimum and maximum versions.
Use the Application Manager auditing events to gather information such as the name of the CAB file. Use the 9021 auditing event. See Auditing on page 139 for more information.
1. Select the User Rights node for a particular group, for example, the Everyone group.
2. Select the Web Installations tab.
3. Right-click within the work area and select Add Web Installation. The Add new Web Installation dialog box displays.
4. Enter a name for the Web Installation in the Name field, for example, GoToMeeting.
5. Select the Use advanced settings option.
6. Enter the location of the installer URL and the CAB file of the Web Installation in the Installer URL field. For example, https://www2.gotomeeting.com/default/applets/g2mdlax.cab.
7. Enter the Class ID in the Class ID field and, if required, enter the version numbers or leave them blank to ignore.
The details for the CAB file, Class ID and version numbers can also be found in the source view for the web installer download page. Navigate to the download page and select View > Source.
8. Click Add.
9. Ensure that Builtin Elevate is selected in the User Rights Policy column.
10. Save the configuration.

Along with the above procedure, other configurable items need to be considered. For example, for an ActiveX installation you would need to allow the ActiveX file to run, and any executables that the control calls. You need to consider Process rules, Trusted Vendors, any Digital Certificates, Accessible Items, Elevated items, and so on. Application Manager includes a number of snippets to assist in the creation of configurations for Web Installations. See Snippets on page 109 for more information.
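The two kinds of Web Installation entry, the simple domain-only one from the Adobe Flash procedure and the advanced CAB / Class ID / version one from the GoToMeeting procedure, worked through as an added example that is not part of the guide or of AppSense's code. It reads the values the guide tells you to take from the download page's source (View > Source): Internet Explorer's <object> tag carries the Class ID in classid and the CAB URL plus a #version=a,b,c,d suffix in codebase. The HTML fragment is constructed, the Class ID and version numbers in it are placeholders rather than GoToMeeting's real values, and the entry layout, the signed flag on the request and the function names are assumptions for the example.

```python
# Added example (not AppSense code): read an ActiveX <object> tag and match it against Web Installation entries.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed download-page fragment. The CAB URL is the one the guide quotes; the Class ID
# and version numbers are placeholders, not GoToMeeting's real values.
SAMPLE_PAGE = """<html><body>
<object classid="clsid:00000000-0000-0000-0000-000000000000"
        codebase="https://www2.gotomeeting.com/default/applets/g2mdlax.cab#version=4,5,0,0">
</object>
</body></html>"""


def parse_object_attrs(classid, codebase):
    """Split classid/codebase into the fields the advanced Web Installation settings ask for."""
    url, _, ver = codebase.partition("#version=")
    version = tuple(int(n) for n in ver.split(",")) if ver else None
    clsid = classid.strip().lower()
    if clsid.startswith("clsid:"):
        clsid = clsid[len("clsid:"):]
    return {"cab_url": url, "class_id": clsid, "version": version}


class ObjectTagParser(HTMLParser):
    """Collects every <object> tag on the page."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag == "object":
            a = dict(attrs)
            self.found.append(parse_object_attrs(a.get("classid", ""), a.get("codebase", "")))


def extract_objects(html):
    parser = ObjectTagParser()
    parser.feed(html)
    return parser.found


def host_allowed(url, website):
    """Simple entry: the host must be the configured domain or a subdomain of it.
    A substring or prefix test would also accept adobe.com.example.net, so anchor on the dot."""
    host = (urlsplit(url).hostname or "").lower()
    website = website.lower().strip().lstrip(".")
    return host == website or host.endswith("." + website)


def allowed(entry, request):
    """Would this Web Installation entry elevate the install? request['signed'] stands in for the
    Authenticode check behind 'Only allow signed controls', which this example does not perform."""
    if entry.get("signed_only") and not request.get("signed"):
        return False
    if not entry.get("advanced"):
        return host_allowed(request["cab_url"], entry["website"])
    if request["cab_url"].lower() != entry["installer_url"].lower():
        return False
    if request["class_id"] != entry["class_id"].lower():
        return False
    v = request["version"]
    lo, hi = entry.get("min_version"), entry.get("max_version")  # None = ignore, as when left blank
    if lo and (v is None or v < lo):
        return False
    if hi and (v is None or v > hi):
        return False
    return True


# Assumed layout for the two entries the guide's procedures create.
ADOBE_ENTRY = {"name": "Adobe Flash", "website": "adobe.com", "signed_only": True}
GOTOMEETING_ENTRY = {
    "name": "GoToMeeting", "advanced": True,
    "installer_url": "https://www2.gotomeeting.com/default/applets/g2mdlax.cab",
    "class_id": "00000000-0000-0000-0000-000000000000",
    "min_version": (4, 5, 0, 0), "max_version": None,
}

if __name__ == "__main__":
    for obj in extract_objects(SAMPLE_PAGE):
        print(obj, allowed(GOTOMEETING_ENTRY, dict(obj, signed=True)))
```

The domain test is the part worth copying: a simple entry for adobe.com should admit fpdownload.adobe.com but not adobe.com.example.net or notadobe.com, and it should still refuse an unsigned control when Only allow signed controls is set. The advanced entry refuses a control older than the configured minimum version even when the CAB URL and Class ID match.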
SNIPPETS
Snippets give Application Manager the ability to import and merge partial configurations into a currently open configuration in the console. This is particularly useful for Web Installations because along with creating the Web Installation part of the configuration a number of other configurable items need to considered. These include Process Rules, Accessible Items, Trusted Vendors, any Digital Certificates, Elevated items, and so on. Application Manager consists of a number of snippets to help with the creation of the Web Installation configurations such as the configurations given in the previous section, Web Installations on page 99. The following example uses the Create a Granular Configuration for Installing GoToMeeting procedure. The snippet contains all the extra configurable items for the configuration.
1. Complete the Create a Granular Configuration for Installing GoToMeeting procedure.
2. Select the User Rights node for the group.
3. Select the Web Installations tab.
4. Right-click the work area and select Import Snippet. The Import Snippet dialog box displays.
5. Select the en_gotomeeting_4_5 snippet and click Add.
6. To view what is included in the snippet, click the View the items that will be added to the configuration link. A configuration report is displayed.
7. Click Continue. The snippet is imported and you can view the items in the various nodes in the console.
Use the Configuration Profiler available from the Home ribbon page to view a configuration report for the full configuration.
In this Section:
Overview on page 115 About Application Network Access Control on page 116 Define Network Access Policies and Rules on page 118 Auditing on page 119 Configuring Application Network Access Control on page 120
OVERVIEW
Application Network Access Control (ANAC) lets Application Manager restrict and monitor the network access of applications on a per-user or per-device basis, without the overhead of maintaining scripts or lists. ANAC is configured from the Application Manager console.
You can also run Application Manager in ANAC mode only: select Enable Application Network Access Control only in the Options dialog box, available from the General Features ribbon page > Default Restrictions group.
Figure 6.1
Technology
The following describes the basic technology behind the ANAC functionality.

Mini Filter Driver

ANAC uses a mini filter driver to intercept and control requests made to network UNC locations. The driver is loaded dynamically by the Application Manager (AM) Agent Service only when its functionality is required, that is, when the configuration contains Network Connection Items whose Connection Type is Network Share. When a user makes a file request for a shared folder, subfolder or file on a network location, the I/O manager sends a create request to Application Manager's mini filter driver. The mini filter driver gathers information about the request (the file name and location, user, process, thread data, and so on) and passes it to the AM Agent Service for processing. After the AM Agent Service has processed the request, the mini filter driver responds to the I/O manager with the result. If the request is denied, an access denied error is returned; otherwise the request is left unaltered.
Application Hook

Application Manager's hook uses Microsoft's Detours technology to hook a subset of the Winsock API functions. In hooking these functions, Application Manager reads and gathers information about the network location the application is attempting to connect to. This information is passed to the AM Agent Service for further processing. If the request is allowed, the hook lets the application continue into the Winsock API; otherwise the hook blocks the call and an error code is returned to the application to indicate that the request has failed. Because this is a user-mode hook on Winsock, it governs the connections that applications make through the hooked functions; it is a per-application control, not a replacement for a network firewall.

DEFINE NETWORK ACCESS POLICIES AND RULES

It is important to note that, unlike configuring a firewall, with Application Network Access Control you define only what is denied, on a port-by-port and/or server-by-server basis, rather than defining every network system and service that the endpoint workstation or server may access, as you would on a firewall. A list of commonly used application ports is included in the Application Manager console (the Common Ports dialog box).
AUDITING
Application Manager has a comprehensive set of built-in auditing and reporting that gives granular information on how, when, and by whom network resources and applications are accessed. Auditing can be placed in an Audit Only mode to silently monitor security restrictions, or it can generate events when users attempt to access denied locations and are blocked. Auditing events are selected in the Auditing dialog box, found on the Home ribbon page > Common group. The events specific to Application Network Access Control are 9013 and 9014.
PROHIBIT AN IP ADDRESS OR HOST NAME

1. Expand the group that you want to prohibit an IP Address or Host for, for example, the Everyone group.
2. Select the Prohibited Items node.
3. Right-click the work area and select Add > Network Connection Item. The Add a Network Connection dialog box displays.
4. Select the IP Address or Host Name option.
5. Enter the IP Address or Host Name in the Host field.
6. Do one of the following:
   To block access to the whole IP Address or Host, click Add.
   To block only part of the IP Address or Host, for example, a certain folder, enter the folder or path in the Path field and click Add.
7. Save the configuration and deploy to the managed endpoints.

The following graphic shows the Add a Network Connection dialog box with the Host Name www.abc.co.uk and the Path Finance. This means that all users in the specified group can access www.abc.co.uk but not the Finance area.
PROHIBIT A NETWORK SHARE

1. Expand the group that you want to prohibit a Network Share for, for example, the Everyone group.
2. Select the Prohibited Items node.
3. Right-click the work area and select Add > Network Connection Item. The Add a Network Connection dialog box displays.
4. Select the Network Share option.
5. Enter the Network Share in the Host field.
6. To include any subdirectories, select the Include subdirectories option.
7. Do one of the following:
   To block access to the whole Network Share, click Add.
   To block only part of the Network Share, enter the folder or path in the Path field and click Add.
8. Save the configuration and deploy to the managed endpoints.

The following graphic shows the Add a Network Connection dialog box with the Network Share managementdata and the Path personnel. This means that all users in the specified group can access managementdata but not the personnel area.
Figure 6.5
PROHIBIT RDP SESSIONS TO A HOST

1. Expand the group that you want to prohibit RDP sessions for, for example, the Everyone group.
2. Select the Prohibited Items node.
3. Right-click the work area and select Add > Network Connection Item. The Add a Network Connection dialog box displays.
4. Select the IP Address or Host Name option.
5. Enter the IP Address or Host Name in the Host field.
6. Click the Ports button.
7. Select the port 3389 Microsoft Terminal Server (RDP) port and click Add.
8. Click Add in the Add a Network Connection dialog box.
9. Save the configuration and deploy to the managed endpoints.

The following graphic shows the Add a Network Connection dialog box with the Host Name sql.testing.local and the Port 3389. This means that users in the specified group cannot open an RDP session to sql.testing.local. The rule is keyed on the port number, so a Remote Desktop listener configured on a different port is not covered by it.
PROHIBIT FTP ACCESS FOR ALL USERS

1. Right-click the Library > Group Management node in the navigation pane and select Add Group. A new group is created.
2. Right-click the new group, select Rename and enter an intuitive name for the group, for example, FTP Software.
3. Right-click the work area and select Add > Network Connection Item. The Add a Network Connection dialog box is displayed.
4. Enter the wildcard expression *.*.*.* into the Host field.
5. Select the Ports button. The Common Ports dialog box is displayed.
6. Select port 21 (FTP - Control Port) and click Add.
7. Expand the Everyone group in the navigation pane and select the Prohibited Items node.
8. Right-click the work area and select Add > Group. The Group selection for <group name> dialog box is displayed.
9. Select the group created previously, for example, FTP Software, and click OK. This prohibits all users from accessing any IP Address using FTP applications.
ALLOW ACCESS TO ONE FOLDER ON A PROHIBITED NETWORK SHARE

1. Expand the group that you want to give access to a particular folder, for example, a group called Accounts.
2. Select the Prohibited Items node.
3. Right-click the work area and select Add > Network Connection Item. The Add a Network Connection dialog box displays.
4. Select the Network Share option.
5. Enter the name of the network share in the Host field. For example, \\managementdata.
6. In the Path field, enter the path to prohibit. This is the parent folder that contains the folder you want to provide access to.
7. Ensure the Include subdirectories option is selected. This prohibits access to all subdirectories of that path.
8. Click Add.

The following graphic shows the Add a Network Connection dialog box for a Prohibited Item with the network share managementdata and the path scratch. This means that all users in the specified group cannot access the scratch folder on the managementdata network share.

9. Select the Accessible Items node.
10. Right-click the work area and select Add > Network Connection Item. The Add a Network Connection dialog box displays.
11. Select the Network Share option.
12. Enter the name of the network share in the Host field. For example, \\managementdata.
13. In the Path field, enter the path of the folder to provide access to, for example, \scratch\Accounts.
14. Deselect the Include subdirectories option.
15. Click Add.
16. Save the configuration and deploy to the managed endpoints.

The following graphic shows the Add a Network Connection dialog box for an Accessible Item with the network share managementdata and the path scratch\Accounts. This means that all users in the specified group can access only the scratch\Accounts folder on the managementdata network share. All other folders under scratch are prohibited.
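The procedures above describe rules one at a time; how they combine for a given request is easiest to see in code. The following Windows PowerShell script is an added example, not AppSense code and not from this guide. It is a simplified model of the matching this section describes, built from the rules created in the procedures above, and its assumptions are labelled in the comments: a matching Accessible Item wins over a matching Prohibited Item (which is what the scratch\Accounts procedure relies on), host patterns use * wildcards and match case-insensitively, a rule without a port applies to every port, and a Network Share rule with Include subdirectories cleared matches only the folder itself and items directly inside it. The agent's real matching order and edge cases may differ.

```powershell
# Added example, not part of AppSense Application Manager: a simplified model of
# how Prohibited and Accessible Network Connection Items combine for one request.
# Modelling assumptions (not stated in the guide):
#   - host patterns are matched case-insensitively and * is a wildcard
#   - a rule without a port applies to every port
#   - a rule with Include subdirectories cleared matches the folder itself and
#     items directly inside it, but not deeper folders
#   - a matching Accessible Item wins over a matching Prohibited Item

function ConvertTo-NormalizedPath([string]$Path) {
    # Windows paths are case-insensitive; accept / as well as \ and drop edge separators
    return ($Path -replace '/', '\').Trim('\').ToLowerInvariant()
}

function Test-RuleMatch($Rule, $Request) {
    $ruleHost = $Rule.Host.TrimStart('\')        # "\\managementdata" -> "managementdata"
    $reqHost  = $Request.Host.TrimStart('\')
    if ($reqHost -notlike $ruleHost) { return $false }            # -like is case-insensitive
    if ($Rule.Port -and $Rule.Port -ne $Request.Port) { return $false }
    if (-not $Rule.Path) { return $true }                         # whole host or share
    $rulePath = ConvertTo-NormalizedPath $Rule.Path
    $reqPath  = ConvertTo-NormalizedPath $Request.Path
    if ($reqPath -eq $rulePath) { return $true }
    if ($Rule.IncludeSubdirectories) { return $reqPath.StartsWith("$rulePath\") }
    # Subdirectories excluded: only items directly inside the rule folder match
    $cut    = $reqPath.LastIndexOf('\')
    $parent = if ($cut -ge 0) { $reqPath.Substring(0, $cut) } else { '' }
    return ($parent -eq $rulePath)
}

function Get-AnacDecision($Request, $Prohibited, $Accessible) {
    foreach ($r in $Accessible) { if (Test-RuleMatch $r $Request) { return 'Allow (Accessible Item)' } }
    foreach ($r in $Prohibited) { if (Test-RuleMatch $r $Request) { return 'Deny (Prohibited Item)' } }
    return 'Allow (no matching rule)'
}

# The rules built in the procedures above
$prohibited = @(
    @{ Host = 'www.abc.co.uk';     Path = 'Finance';   IncludeSubdirectories = $true }
    @{ Host = '\\managementdata';  Path = 'personnel'; IncludeSubdirectories = $true }
    @{ Host = 'sql.testing.local'; Port = 3389 }
    @{ Host = '*.*.*.*';           Port = 21 }
    @{ Host = '\\managementdata';  Path = 'scratch';   IncludeSubdirectories = $true }
)
$accessible = @(
    @{ Host = '\\managementdata'; Path = 'scratch\Accounts'; IncludeSubdirectories = $false }
)

# Constructed sample requests (host, port, path); expected decisions in the comments
$requests = @(
    @{ Host = 'www.abc.co.uk';     Port = 443;  Path = 'Finance/Q3' }                    # Deny
    @{ Host = 'www.abc.co.uk';     Port = 443;  Path = 'Marketing' }                     # Allow
    @{ Host = 'sql.testing.local'; Port = 3389; Path = '' }                              # Deny
    @{ Host = 'sql.testing.local'; Port = 1433; Path = '' }                              # Allow
    @{ Host = '10.1.2.3';          Port = 21;   Path = '' }                              # Deny
    @{ Host = 'managementdata';    Port = 445;  Path = 'scratch\Accounts\budget.xlsx' }  # Allow (Accessible)
    @{ Host = 'managementdata';    Port = 445;  Path = 'scratch\Accounts\2010\q1.xlsx' } # Deny (subfolder)
    @{ Host = 'managementdata';    Port = 445;  Path = 'scratch\Drafts' }                # Deny
)
foreach ($q in $requests) {
    '{0,-20} {1,5} {2,-36} {3}' -f $q.Host, $q.Port, $q.Path, (Get-AnacDecision $q $prohibited $accessible)
}
```

The last three requests show why the Accessible Item in the final procedure has Include subdirectories cleared: a file directly inside scratch\Accounts is allowed, while scratch\Accounts\2010 falls back to the Prohibited Item on scratch and is denied.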
Endpoint Analysis
Endpoint Analysis Overview on page 128 Endpoint Analysis Scans on page 130 Working with Endpoint Analysis on page 131 Adding Files to a Configuration on page 137
Checklist

You must have the following to use Endpoint Analysis:

Application Manager agent installed on the endpoint.
License installed on the endpoint.
Application Manager configuration installed on the endpoint.
Administrative share rights to the endpoint.
Remote registry access to the endpoint.

TEST THAT THE AGENT IS INSTALLED ON THE ENDPOINT

1. On the Start menu select Control Panel.
2. Select Administrative Tools.
3. Double-click Services.
4. Locate the AppSense Application Manager Agent.

TEST THAT THE LICENSE IS INSTALLED ON THE ENDPOINT

1. Launch the Registry Editor on the managed endpoint.
2. Locate the license under HKLM\Software\AppSense Technologies\Licensing.

TEST THAT THE CONFIGURATION IS INSTALLED ON THE ENDPOINT

Configurations are stored in the following locations:

For Windows XP and Server 2003, navigate to C:\Documents and Settings\All Users\Application Data\AppSense\Application Manager\Configuration.
For Vista and above, navigate to C:\ProgramData\AppSense\Application Manager\Configuration.

ProgramData is a hidden folder. Open Windows Explorer and type C:\ProgramData in the Address bar. Press Enter to open the folder.

TEST ADMINISTRATIVE SHARE ACCESS TO THE ENDPOINT

1. Open Windows Explorer on the computer that has the Application Manager console installed.
2. In the Address bar enter \\<computername>\c$ and press Enter. If you can browse the folders you have access rights. If not, you are prompted for the credentials of an account that has access.

TEST REMOTE REGISTRY ACCESS TO THE ENDPOINT

1. Open the Registry Editor on the computer that has the Application Manager console installed.
2. Select File > Connect Network Registry. The Select Computer dialog box is displayed.
3. Locate the computer and click OK. If you can see the registry keys, you have access.

On remote computers running Windows Vista and above, File Sharing and the Remote Registry service are disabled by default and must be enabled.

Turn on File Sharing in Start > Control Panel > Network and Sharing Center.
Start the Remote Registry service in Start > Control Panel > Administrative Tools > Services.
Endpoint Analysis files for a given endpoint are stored on the computer that has the Application Manager console installed under the following locations:
For Windows XP and Server 2003, C:\Documents and Settings\All Users\Application Data\AppSense\Application Manager\Endpoint Analysis. For Vista and above, C:\ProgramData\AppSense\Application Manager\Endpoint Analysis.
Endpoint Scan
The Endpoint Scan searches the endpoint for any applications that are present. These applications may have been officially installed by an administrator, or be an esoteric piece of virus-ridden freeware installed by an unsuspecting end user. The following directory and registry locations are scanned:

During an Endpoint Scan, 100% of the CPU on the endpoint can be used. However, if user tasks need to be performed, the Application Manager agent uses built-in smart scheduling to let those tasks take precedence over the scan, so the end user's perception of performance is not affected.
Order of Scans
Typically, the Endpoint Scan is run first to determine which applications are installed on the endpoint. This can be followed by the Application Usage Scan to track the applications that have been run on the endpoint over a period of time. By highlighting which applications are being used and which are not, unlicensed software can be identified and restricted, and unused software can be removed.

The Application Usage Scan can detect applications in use that were not installed using Windows Installer technology and are therefore not detected by the Installed Applications Scan, for example, Firefox or shareware.
1. Select the Endpoint Analysis button in the navigation pane.
2. Right-click the Endpoints node in the navigation tree and select Add Endpoint.
3. Select either Browse Deployment Group or Browse Domain/Workgroup depending on the location of the endpoint you want to add. Browse Deployment Group displays the Select Management Server dialog box. Browse Domain/Workgroup displays the Active Directory Select Computers dialog box.
4. Locate the required endpoint and click Add. A new node is created for the selected endpoint under the Endpoints node in the navigation tree.
5. Select the new endpoint node and view the Endpoint Summary. Application Manager searches for the computer and connects. Ensure that Application Manager has connected to the endpoint.
Endpoint Summary

The Endpoint Analysis Summary displays whether Application Manager is connected to the endpoint, whether an Installed Applications Scan is running, and whether an Application Usage Scan is running. If an Installed Applications Scan is running, the percentage completion of the scan is shown.

The summary also displays information about the operating system and processor of the endpoint, and information about the data files, which includes:

Number of data files. These are the data files created for each Application Usage Scan.
Total size of data files.
Installed Applications updated. That is, the date the Installed Applications Scan last ran.
Once you have added one or more endpoints you can run an Installed Applications Scan for one or all endpoints. You can also run an Application Usage Scan for each individual endpoint.
Select the Installed Applications node for an endpoint to see all applications installed by the administrator and by users.
The Installed Application data is stored in an xml file. The xml file has the format EndpointName^Installed.xml. On Windows XP and Server 2003 the files are located at C:\Documents and Settings\All Users\Application Data\AppSense\Application Manager\Endpoint Analysis. On Vista and above the files are located at C:\ProgramData\AppSense\Application Manager\Endpoint Analysis.
ProgramData is a hidden folder. Open up explorer and type C:\ProgramData in the Address bar. Press Enter to open the folder.
1. Select an endpoint and select Start Application Usage Scan on the Endpoint Analysis ribbon page > Application Usage Scans group.
2. Allow a period of time for the scan and then select Stop Application Usage Scan on the Endpoint Analysis ribbon page > Application Usage Scans group. The File dialog box displays.
3. Enter an intuitive name for the file. The file is displayed beneath the Recorded Data node in the navigation tree.
Figure 7.4
The Application Usage data is stored in an xml file. The xml file has the format EndpointName^FileName.xml. On Windows XP and Server 2003 the files are located at C:\Documents and Settings\All Users\Application Data\AppSense\Application Manager\Endpoint Analysis. On Vista and above the files are located at C:\ProgramData\AppSense\Application Manager\Endpoint Analysis.
ProgramData is a hidden folder. Open up explorer and type C:\ProgramData in the Address bar. Press Enter to open the folder.
As previously mentioned, when you perform a scan you can also show all the loaded files (child processes) and digital certificates for discovered applications. It is recommended that you add all loaded files to the Accessible Items so that the specified applications function correctly. It is also useful to add any digital signatures to the Trusted Vendors in the configuration.

1. Select either the Installed Applications node or an xml file beneath the Recorded Data node.
2. Select Show Loaded Files on the Endpoint Analysis ribbon page > Application Data group. The Loaded Files dialog box is displayed.

1. Select a discovered application in the work area.
2. Select Show Digital Certificates on the Endpoint Analysis ribbon page > Application Data group. The Certificates dialog box displays.
If you drag and drop files into any of the Accessible or Prohibited Items lists they are dropped in as files.
If files are placed in Accessible Items, any associated loaded files are automatically included. If files are placed in Prohibited Items, any associated loaded files are not included, only the main application executable.
To add a certificate to any of the Trusted Vendors you can either drag and drop a file on to a Trusted Vendors node, if any certificates exist for that file they are added or you can select Show Digital Signatures on the Endpoint Analysis ribbon page > Application Data group to display the Certificates dialog box. You can then drag and drop from that dialog box into the configuration.
When you drag and drop files from Endpoint Analysis to the Accessible Items and Prohibited Items node you must drag, hover the mouse over the Configuration button in the navigation pane to display the configuration, and then drop onto the node.
When you drag and drop files into a configuration, the digital signature for the file is always copied over as this is the most secure method for authenticating an application. See Security Methods on page 41 for more information.
Auditing
In this Section:
Overview on page 139 Logging on page 141 Local Event Filter on page 142 Event Filtering on page 143
OVERVIEW
Auditing allows you to define rules for the capture of auditing information and to raise events. Events can be raised in several places, including:

Windows Application event log
AppSense event log
Anonymous logging
Local log

In addition, there is an event filter for specifying the types of file to include in the audit log for particular events.
In Enterprise installations, events can be forwarded to the AppSense Management Center via the Client Communications Agent (CCA). When using this method for auditing, event data storage and filtering is configured through the Management Center console.
For more information on the Management Center see the AppSense Management Center Help and the AppSense Management Center Product Guide.
The Auditing dialog box is available from the Home ribbon page > Common group.
LOGGING
There are a number of ways of capturing events using the Auditing dialog box. These are covered in the following sections.
Anonymous Logging
Anonymous logging can be selected when auditing. Anonymous logging does not record the computer name or the user name. It also searches the file path in each event for any directory whose name matches the user name and replaces that directory name with the string USERNAME.
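The substitution described above replaces a whole directory name, not every occurrence of the user name inside a path. The following Windows PowerShell function is an added example, not AppSense code, that reproduces that behaviour on constructed sample paths so the difference is visible; it assumes the comparison is case-insensitive, as Windows path names are.

```powershell
# Added example, not part of AppSense Application Manager: replace every whole
# path component that equals the user name with USERNAME, as anonymous logging does.
# Assumption: the product compares directory names case-insensitively.
function ConvertTo-AnonymousPath {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$UserName
    )
    $parts = $Path -split '\\'                     # split on single backslashes
    for ($i = 0; $i -lt $parts.Count; $i++) {
        if ($parts[$i] -ieq $UserName) { $parts[$i] = 'USERNAME' }   # whole component only
    }
    return ($parts -join '\')
}

# Constructed sample paths: the directory "jsmith" is replaced wherever it occurs,
# but "jsmith-old" and the file name "jsmith.xlsx" are not, because they are not
# a component equal to the user name.
$user = 'jsmith'
@(
    'C:\Documents and Settings\jsmith\Desktop\app.exe',
    'C:\Users\JSMITH\AppData\Local\Temp\setup.exe',
    'C:\Users\jsmith-old\jsmith.xlsx',
    '\\fileserver\home$\jsmith\tools\putty.exe'
) | ForEach-Object { '{0,-52} -> {1}' -f $_, (ConvertTo-AnonymousPath -Path $_ -UserName $user) }
```

A file or folder whose name merely contains the user name therefore still identifies the user in an anonymous log; anonymous logging removes the account's profile directory from paths, not every trace of the account.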
(or csv if the CSV file log format is selected). Storing events in a local log file is useful for exchanging the information in the log and for merging information. You can choose to save the logs in xml or csv file format. For example, you can open a csv file in Microsoft Excel allowing you to easily analyze the data, create graphs, and so on.
Description

Prohibited execution request.
Allowed execution request.
Overwrite of an allowed executable.
Rename of a prohibited executable.
Application limit denial.
Time limit denial.
Self-authorization decision by user.
Self-authorized execution request.
Script execution timed out.
Script failed to complete.
Script completed successfully.
Digital Certificate failed Trusted Vendor check.
Prohibited Network Item request.
Allowed Network Item request.
An allowed application started running.
The file's ownership could not be changed.
An application has been terminated by Application Manager.
The application's user rights have been changed.
Allowed Web Installation request.
Restricted Web Installation request.
Windows Restricted Web Installation request.
Web Installation failed to complete.
AppSense Application Manager has not been configured.
AppSense Application Manager is not licensed.
EVENT FILTERING
Event Filtering allows you to filter the file types that you want to audit. This is particularly useful for high-volume events. For example, events 9001, 9007, 9014 and 9015 are high-volume events, so it may be useful to audit only certain file types for them. To audit all file types for the events selected in the Auditing dialog box, deselect the Enable event filtering option. This option is selected by default.

When you select an event, ensure that the event, or the file types for that event, is also selected in Event Filtering; otherwise the event is filtered out.
Rules Analyzer
This section provides details on Application Manager Rules Analyzer and includes the following:
About Rules Analyzer on page 144 The Console on page 145 Working with Rules Analyzer on page 147
Rules Analyzer provides you with a graphical interface that can be used to manually troubleshoot and fine tune Application Manager configurations in real time anywhere across the enterprise. All that is required is a network link to a remote Application Manager managed endpoint so the Rules Analyzer can connect to the agent software and start logging on the local endpoint. When the logging has completed you can use the Rules Analyzer to automatically pull the log file across the network back to the computer where the analysis is occurring, for investigation. All logging information is held in xml format and each execution request that the Application Manager agent processed is listed along with the details of what occurred during processing, including if the process was allowed to execute or not and the reason for the outcome.
THE CONSOLE
The Rules Analyzer is accessed from the navigation pane within the Application Manager console and is used to create, retrieve and examine the log files. An Endpoint node allows you to control logging on a specific managed endpoint and to retrieve its log files. Below each Endpoint node is a node for each retrieved log file. You can review a summary page, view all requests, or view the requests for a specific user, and you can restrict the view to denied or allowed requests. Within the analysis panel you can navigate to a specific request and view its full details, including which rules Application Manager applied.

You must be logged on with an account that has read and write access to the registry of any managed endpoint for which you want to generate logs with Rules Analyzer, and read and write access to the local registry of the computer on which the console runs.

Checklist

You must have the following to use Rules Analyzer:

Application Manager agent installed on the endpoint.
License installed on the endpoint.
Application Manager configuration installed on the endpoint.
Administrative share rights to the endpoint.
Remote registry access to the endpoint.

TEST THAT THE AGENT IS INSTALLED ON THE ENDPOINT

1. On the Start menu select Control Panel.
2. Select Administrative Tools.
3. Double-click Services.
4. Locate the AppSense Application Manager Agent.

TEST THAT THE LICENSE IS INSTALLED ON THE ENDPOINT

1. Launch the Registry Editor on the managed endpoint.
2. Locate the license under HKLM\Software\AppSense Technologies\Licensing.

TEST THAT THE CONFIGURATION IS INSTALLED ON THE ENDPOINT

Configurations are stored in the following locations:

For Windows XP and Server 2003, navigate to C:\Documents and Settings\All Users\Application Data\AppSense\Application Manager\Configuration.
For Vista and above, navigate to C:\ProgramData\AppSense\Application Manager\Configuration.

ProgramData is a hidden folder. Open Windows Explorer and type C:\ProgramData in the Address bar. Press Enter to open the folder.

TEST ADMINISTRATIVE SHARE ACCESS TO THE ENDPOINT

1. Open Windows Explorer on the computer that has the Application Manager console installed.
2. In the Address bar enter \\<computername>\c$ and press Enter. If you can browse the folders you have access rights. If not, you are prompted for the credentials of an account that has access.

TEST REMOTE REGISTRY ACCESS TO THE ENDPOINT

1. Open the Registry Editor on the computer that has the Application Manager console installed.
2. Select File > Connect Network Registry. The Select Computer dialog box is displayed.
3. Locate the computer and click OK. If you can see the registry keys, you have access.

On remote computers running Windows Vista and above, File Sharing and the Remote Registry service are disabled by default and must be enabled so that Rules Analyzer can access or create log files.

Turn on File Sharing in Start > Control Panel > Network and Sharing Center.
Start the Remote Registry service in Start > Control Panel > Administrative Tools > Services.
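The Rules Analyzer checklist above is the same as the Endpoint Analysis checklist, and both can be verified from the console computer without clicking through Services, Registry Editor and Explorer for each endpoint. The following Windows PowerShell script is an added example, not part of the AppSense product or this guide. It uses the service display name, the licensing registry key and the configuration folders named in the checklists; it assumes Windows PowerShell 3.0 or later (for Get-Service -ComputerName and [ordered]), that the console account can query services, the remote registry and the C$ share, and that the endpoint name APPUKTECHPUBS2 (taken from the Rules Analyzer section) is only an illustration.

```powershell
# Added example, not part of AppSense Application Manager or this guide.
# Runs the Endpoint Analysis / Rules Analyzer prerequisite checklist against one
# managed endpoint from the console computer.
# Assumptions: Windows PowerShell 3.0+ (Get-Service -ComputerName, [ordered]);
# the console account can query services, the remote registry and the C$ share.

function Test-AmEndpointPrerequisites {
    param([Parameter(Mandatory = $true)][string]$Endpoint)

    $results = [ordered]@{ Endpoint = $Endpoint }

    # 1. Agent installed: the service is listed by its display name and is running
    $svc = Get-Service -ComputerName $Endpoint `
                       -DisplayName 'AppSense Application Manager Agent' `
                       -ErrorAction SilentlyContinue
    $results['Agent service running'] = [bool]($svc -and $svc.Status -eq 'Running')

    # 2. Remote registry access, then 3. license key present under HKLM
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Endpoint)
        $results['Remote registry access'] = $true
        $lic = $hklm.OpenSubKey('SOFTWARE\AppSense Technologies\Licensing')
        $results['License key present'] = ($null -ne $lic)
        if ($lic) { $lic.Close() }
        $hklm.Close()
    } catch {
        $results['Remote registry access'] = $false
        $results['License key present']    = 'unknown (registry unreachable)'
    }

    # 4. Administrative share reachable
    $adminShare = "\\$Endpoint\c$"
    $results['Admin share access'] = Test-Path -Path $adminShare

    # 5. Configuration installed: Vista and above folder first, then XP / Server 2003
    $configDirs = @(
        "$adminShare\ProgramData\AppSense\Application Manager\Configuration",
        "$adminShare\Documents and Settings\All Users\Application Data\AppSense\Application Manager\Configuration"
    )
    $found = $configDirs | Where-Object { Test-Path -Path $_ } | Select-Object -First 1
    $results['Configuration folder'] = if ($found) { $found } else { 'not found' }

    return [pscustomobject]$results
}

# Run the checklist for one endpoint and show the results
Test-AmEndpointPrerequisites -Endpoint 'APPUKTECHPUBS2' | Format-List
```

Any False or "not found" in the output maps directly to one of the manual tests above; on Vista and later endpoints the two most common causes are File Sharing and the Remote Registry service being disabled, as noted in the checklist.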
The Rules Analyzer console allows you to diagnose Application Manager problems by connecting directly to computers managed by Application Manager, and includes:

Creating Log Files. You can create log files on managed endpoints.
Examining Log Files. You can retrieve and examine log files to view the requests processed by Application Manager. In particular, you can see which rules were applied to each request and whether the request was allowed or denied.
ADD AN ENDPOINT
1. Select the Rules Analyzer button in the navigation pane. The Rules Analyzer navigation tree displays.
2. Click the Add Endpoint button on the Rules Analyzer ribbon page > Endpoint Management group.
3. Select either Browse Deployment Group or Browse Domain/Workgroup depending on the location of the endpoint you want to add. Browse Deployment Group displays the Select Management Server dialog box. Browse Domain/Workgroup displays the Active Directory Select Computers dialog box.
4. Locate the required endpoint and click Add. A new node is created for the selected endpoint under the Endpoints node in the navigation tree.

Once the endpoints have been added you can right-click a specific computer and select any of the following options:

Start Logging
Stop Logging (only enabled once logging is started)
Import
Remove Endpoint

1. Select the endpoint in the navigation tree.
2. Select Start Logging on the Rules Analyzer ribbon page > Data Acquisition group.
3. When required, for example, after you have recreated a problem on the endpoint, select Stop Logging on the Rules Analyzer ribbon page > Data Acquisition group. The File dialog box is displayed.
4. Enter a name for the log file and click OK. The XML file is displayed in the navigation tree.
Rules Analyzer files can be large so this feature should only be used when a problem manifests itself and investigation is required.
During logging, the log file is written on the endpoint itself, in the following temporary location:

C:\Documents and Settings\All Users\Application Data\AppSense\Application Manager\Rules Analyzer\RulesAnalyzerLog.xml

For Windows Vista and above, this and the following files are stored in the allusersprofile folder, ProgramData. ProgramData is a hidden folder. Open Windows Explorer and type C:\ProgramData in the Address bar. Press Enter to open the folder.

When logging is stopped on the endpoint, the log file is closed and transferred to the computer running the Rules Analyzer, where it is stored in the cache for that endpoint. The cache is held in the following location:

C:\Documents and Settings\All Users\Application Data\AppSense\Application Manager\Rules Analyzer\

The naming convention for the files is ComputerName^enteredname.xml, for example, C:\Documents and Settings\All Users\Application Data\AppSense\Application Manager\Rules Analyzer\APPUKTECHPUBS2^Regedit.xml. The computer name is the name of the endpoint as entered in the user interface, so if the endpoint was entered as an IP address the file is stored as IPAddress^enteredname.xml. The entered name is the name given to the XML file in the Rules Analyzer.
Log Files
The Rules Analyzer console displays the information regarding execution requests in several different ways to enable easy access to the details.

Log File Contents Summary

The Summary page displays when you select a log file in the navigation tree. It shows the number of requests processed by Application Manager. The top row of the table shows the total number of requests for all users. The remaining rows show the number of requests for each user. The Total column shows the total number of requests, allowed and denied. The Allowed and Denied columns show the number of allowed or denied requests. Click any link to display the Log File Contents Request List.

Figure 9.1 Rules Analyzer Summary Page

To export the log file in XML format, select the Export ribbon button.
You can select View the requests by processing time on the Summary page to display a Request List page showing requests sorted with the longest running request first.
Log File Contents Request List

The Request List page displays a list of Application Manager requests when you click a link in the Summary page. The requests are listed in the order in which they were processed by Application Manager. Each request displays a green tick or red cross to indicate whether the request was allowed or denied. Click a request link to display the Log File Contents Request Details.

Log File Contents Request Information

The Request Information page displays details of a particular request when you click a request in the Request List page. It lists each rule applied by Application Manager in processing the request, in the order applied. The last rule in the list determines the final result (allow or deny). The rule information includes links which, when selected, display popup messages explaining the rule item.

Figure 9.3 Rules Analyzer Log File Contents Request Details

Use the Return link at the top of the page to navigate to the previous page and the Summary link to return to the Summary page. The Back button on the console toolbar is for navigating the navigation tree.
Use the shortcut keys Ctrl+F to search within the request pages.
Scripting
In this section:
Overview on page 152 Sample Scripting Reference on page 153 Object Types on page 188 Configuration Helper Object on page 209
OVERVIEW
This chapter provides a reference to the AppSense Application Manager COM interface object architecture and Visual Basic script samples.
SAMPLE SCRIPTING REFERENCE

Loading and Saving Configurations
Default Rules
Group Rules
User Rules
Device Rules
Custom Rules
Scripted Rules
Process Rules
Rule List Items
Configure Properties
Network Connections
User Rights Management (URM)

Loading and Saving Configurations

Create a New Configuration and Save to File
Create a New Configuration and Save to Live Configuration
Default Rules
Edit a Default Rules Configuration
The DefaultConfiguration( ) method only returns a configuration in the English language. This means that some group names and other text in the configuration may not be in the native language of the operating system, which can result in the configuration not being applied correctly. For non-English operating systems it is necessary to export the default configuration from the product console on a native operating system. This can be stored as a file on the network or distributed to the machine where the configuration scripting will be performed. Once this is done, use the LoadLocalConfiguration( ) method in place of the the DefaultConfiguration( ). This will produce the same configuration but in the correct native language.
Group Rules
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
User Rules
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Create and add the new user rule
Dim UserRule
Set UserRule = Configuration.ManufactureInstanceFromClassName("AM.UserRule")
UserRule.DisplayName = "%COMPUTERNAME%\Guest"
'"Domain" is a placeholder: the local Guest account is RID 501 under the
'machine SID (S-1-5-21-<machine>-501), so substitute the real SID.
UserRule.SID = "S-1-5-Domain-501"
Configuration.UserRules.Add UserRule.Xml
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Remove the user rule (user rules are keyed by DisplayName)
Configuration.UserRules.Remove "%COMPUTERNAME%\Guest"
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
Device Rules
'Requires the AM.HostNameType and AM.DeviceType constant declarations
'(AM_HostNameType_* values are shown in the Custom Rules sample below).
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Add a second device to "Device Rule (1)"; devices are keyed by Host
Dim AnotherDevice
Set AnotherDevice = Configuration.ManufactureInstanceFromClassName("AM.Device")
AnotherDevice.Host = "192.168.0.2"
AnotherDevice.NameType = AM_HostNameType_IPAddress
Configuration.DeviceRules.Item("Device Rule (1)").Devices.Add AnotherDevice.Xml
Configuration.DeviceRules.Item("Device Rule (1)").Devices.Item("192.168.0.2").HostType = AM_DeviceType_ConnectingDevice
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Remove "Device Rule (1)"
Configuration.DeviceRules.Remove "Device Rule (1)"
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
Custom Rules
CustomRule.Name = "Custom Rule (1)"
Configuration.CustomRules.Add CustomRule.Xml
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
' Constant definitions for the AM.SecurityLevel enumeration.
const AM_SecurityLevel_Restricted = 0
const AM_SecurityLevel_SelfAuthorizing = 1
const AM_SecurityLevel_Unrestricted = 2
const AM_SecurityLevel_AuditOnly = 3
' Constant definitions for the AM.HostNameType enumeration.
const AM_HostNameType_HostName = 0
const AM_HostNameType_IPAddress = 1
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Remove the rule
Configuration.CustomRules.Remove "Custom Rule (1)"
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
Scripted Rules
'Requires the AM.ExecutionContext constant declarations.
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Create the scripted rule.
Dim ScriptedRule
Set ScriptedRule = Configuration.ManufactureInstanceFromClassName("AM.ScriptedRule")
ScriptedRule.Name = "Scripted Rule (1)"
Configuration.ScriptedRules.Add ScriptedRule.Xml
Configuration.ScriptedRules.Item("Scripted Rule (1)").WaitForLogin = True
'The Script text is evaluated on every endpoint that receives the
'configuration, in the context selected below (here as System), so treat
'its contents as privileged code and keep the configuration write-protected.
Configuration.ScriptedRules.Item("Scripted Rule (1)").Script = "Function ScriptedRule()" & Chr(10) & _
    "'Test scripted rule" & Chr(10) & _
    "ScriptedRule=TRUE" & Chr(10) & _
    "End Function"
Configuration.ScriptedRules.Item("Scripted Rule (1)").EntryFunction = "ScriptedRule"
Configuration.ScriptedRules.Item("Scripted Rule (1)").Timeout = 6
Configuration.ScriptedRules.Item("Scripted Rule (1)").Context = AM_ExecutionContext_PerSessionAsSystem
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
Next
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
Process Rules
'Create a process rule
Dim ProcessRule
Set ProcessRule = Configuration.ManufactureInstanceFromClassName("AM.ProcessRule")
ProcessRule.Name = "Process Rule (1)"
Configuration.ProcessRules.Add ProcessRule.Xml
'Add a file process to the rule
Dim FileProcess
Set FileProcess = Configuration.ManufactureInstanceFromClassName("AM.File")
FileProcess.Path = "c:\windows\system32\notepad.exe"
FileProcess.CommandLine = "c:\windows\system32\notepad.exe"
Configuration.ProcessRules.Item("Process Rule (1)").FileProcessItems.Add FileProcess.Xml
'Add another file to the rule
Dim AnotherFile
Set AnotherFile = Configuration.ManufactureInstanceFromClassName("AM.File")
AnotherFile.Path = "c:\windows\system32\cmd.exe"
AnotherFile.CommandLine = "c:\windows\system32\cmd.exe"
Configuration.ProcessRules.Item("Process Rule (1)").FileProcessItems.Add AnotherFile.Xml
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
Rule List Items

Add a File
Edit a File
Delete a File
Add a Folder
Edit a Folder
Delete a Folder
Add a Digital Signature
Editing a Digital Signature
Deleting a Digital Signature
Add and Delete Drives
Add a Trusted Vendor
Edit a Trusted Vendor
Delete a Trusted Vendor
Add a File
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Add a file to the list of accessible files.
Dim AccessibleFile
Set AccessibleFile = Configuration.ManufactureInstanceFromClassName("AM.File")
AccessibleFile.Path = "calc.exe"
AccessibleFile.CommandLine = "calc.exe"
Configuration.GroupRules.Item("Everyone").AccessibleFiles.Add AccessibleFile.Xml
'Add a file to the list of prohibited files.
Dim ProhibitedFile
Set ProhibitedFile = Configuration.ManufactureInstanceFromClassName("AM.File")
ProhibitedFile.Path = "regedit.exe"
ProhibitedFile.CommandLine = "regedit.exe"
Configuration.GroupRules.Item("Everyone").ProhibitedFiles.Add ProhibitedFile.Xml
'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
Edit a File
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Edit calc.exe. With Trusted Ownership checking switched off the item is
'allowed regardless of who owns the file, so only do this for items that
'are protected by another control (a digital signature or a trusted vendor).
Configuration.GroupRules.Item("Everyone").AccessibleFiles.Item("calc.exe").TrustedOwnershipChecking = False
Configuration.GroupRules.Item("Everyone").AccessibleFiles.Item("calc.exe").ApplicationLimit = 5
'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
Delete a File
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Remove files (file collections are keyed by CommandLine)
Configuration.GroupRules.Item("Everyone").AccessibleFiles.Remove "calc.exe"
Configuration.GroupRules.Item("Everyone").ProhibitedFiles.Remove "regedit.exe"
'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
Add a Folder
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Add a folder to the list of accessible folders.
Dim AccessibleFolder
Set AccessibleFolder = Configuration.ManufactureInstanceFromClassName("AM.Folder")
AccessibleFolder.Path = "%ALLUSERSPROFILE%"
Configuration.GroupRules.Item("Everyone").AccessibleFolders.Add AccessibleFolder.Xml
'Add a folder to the list of prohibited folders.
Dim ProhibitedFolder
Set ProhibitedFolder = Configuration.ManufactureInstanceFromClassName("AM.Folder")
ProhibitedFolder.Path = "%SystemDrive%\Utilities"
Configuration.GroupRules.Item("Everyone").ProhibitedFolders.Add ProhibitedFolder.Xml
'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
Edit a Folder
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Edit the accessible folder: no longer recursive, and clear every day's access times
Dim Folder
Set Folder = Configuration.GroupRules.Item("Everyone").AccessibleFolders.Item("%ALLUSERSPROFILE%")
Folder.Recursive = False
Folder.AccessTimes.MondayTimeRangeCollection.Clear()
Folder.AccessTimes.TuesdayTimeRangeCollection.Clear()
Folder.AccessTimes.WednesdayTimeRangeCollection.Clear()
Folder.AccessTimes.ThursdayTimeRangeCollection.Clear()
Folder.AccessTimes.FridayTimeRangeCollection.Clear()
Folder.AccessTimes.SaturdayTimeRangeCollection.Clear()
Folder.AccessTimes.SundayTimeRangeCollection.Clear()
'Allow access on Mondays between 09:00 and 13:00 only
Dim TimeRange
Set TimeRange = Configuration.ManufactureInstanceFromClassName("AM.TimeRange")
TimeRange.StartHour = 9
TimeRange.EndHour = 13
Folder.AccessTimes.MondayTimeRangeCollection.InsertBefore TimeRange.Xml, 0
Folder.ApplyAccessTimes = True
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
Delete a Folder
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Remove the accessible folder
Configuration.GroupRules.Item("Everyone").AccessibleFolders.Remove "%ALLUSERSPROFILE%"
'Remove the prohibited folder
Configuration.GroupRules.Item("Everyone").ProhibitedFolders.Remove "%SystemDrive%\Utilities"
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
Editing a Digital Signature

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Digital signatures are keyed by CommandLine, which holds the SHA-1 hash,
'so compute the hash of the file to address the required item.
Dim sha1Hash
sha1Hash = ConfigurationHelper.ReadSha1HashFromFile("C:\WINDOWS\regedit.exe")
Configuration.GroupRules.Item("Everyone").AccessibleSignatures.Item(sha1Hash).ApplyAccessTimes = False
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
Add and Delete Drives

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Add first drive
Dim FirstDrive
Set FirstDrive = Configuration.ManufactureInstanceFromClassName("AM.Drive")
FirstDrive.Path = "H"
Configuration.GroupRules.Item("Everyone").AccessibleDrives.Add FirstDrive.Xml
'Add a second drive
Dim SecondDrive
Set SecondDrive = Configuration.ManufactureInstanceFromClassName("AM.Drive")
SecondDrive.Path = "I"
Configuration.GroupRules.Item("Everyone").AccessibleDrives.Add SecondDrive.Xml
'Remove the first drive that was added (drives are keyed by Path)
Configuration.GroupRules.Item("Everyone").AccessibleDrives.Remove "H"
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
Configure Properties
Message Settings
' Constant definitions for the AM.ANACMessageFrequencyType enumeration.
const AM_ANACMessageFrequencyType_EveryConnectionAttempt = 0
const AM_ANACMessageFrequencyType_Once = 1
const AM_ANACMessageFrequencyType_UseDelayBetweenMessages = 2
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Modify the message settings
Configuration.MessageSettings.AccessDeniedMessageCaption = "Warning"
Configuration.MessageSettings.AccessDeniedMessageBody = "File has been blocked"
Configuration.MessageSettings.ApplicationLimitsExceededMessageCaption = "Warning"
Configuration.MessageSettings.ApplicationLimitsExceededMessageBody = "Too many files"
Configuration.MessageSettings.DisplayInitialWarningMessage = False
Configuration.MessageSettings.CloseApplication = False
Configuration.MessageSettings.TerminateApplication = False
Configuration.MessageSettings.WaitTime = 120
Configuration.MessageSettings.TimeLimitsWarningMessageCaption = "Warning"
Configuration.MessageSettings.TimeLimitsWarningMessageBody = "Out of time"
Configuration.MessageSettings.TimeLimitsDeniedMessageCaption = "Warning"
Configuration.MessageSettings.TimeLimitsDeniedMessageBody = "Wrong time"
Configuration.MessageSettings.SelfAuthorizationMessageCaption = "Warning"
Configuration.MessageSettings.SelfAuthorizationMessageBody = "Needs authorization"
Configuration.MessageSettings.SelfAuthorizationResponseCaption = "Authorized File"
Configuration.MessageSettings.SelfAuthorizationResponseBody = "File is now authorized."
'Application Network Access Control (ANAC) messages
Configuration.MessageSettings.ANACMessageBoxEnabled = True
Configuration.MessageSettings.ANACMessageFrequency = AM_ANACMessageFrequencyType_Once
Configuration.MessageSettings.ANACMessageDelayBetweenMessageBoxes = 60
Configuration.MessageSettings.ANACMessageBoxCaption = "Application Manager - Application Network Access Control"
Configuration.MessageSettings.ANACMessageBoxBody = "%ExecutableName% has been denied access to %NetworkLocation%."
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
Archive Options
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Modify the archiving settings
Dim ArchiveFolder
Set ArchiveFolder = Configuration.ManufactureInstanceFromClassName("AM.ArchiveFolder")
ArchiveFolder.Path = "C:\ArchiveBackup"
Set ArchiveFolder = Configuration.ArchivingSettings.ArchiveFolders.InsertBefore(ArchiveFolder.Xml, 1)
Configuration.ArchivingSettings.ArchivingEnabled = True
Configuration.ArchivingSettings.AnonymousEnabled = True
Configuration.ArchivingSettings.UserLimit = 26
Configuration.ArchivingSettings.TotalLimit = 51
Configuration.ArchivingSettings.NoAdminOwnedFiles = True
Configuration.ArchivingSettings.OverwriteExistingFiles = False
Configuration.ArchivingSettings.ArchiveLessThanEnabled = True
Configuration.ArchivingSettings.OverwriteOldest = True
Configuration.ArchivingSettings.ArchiveLessThanAmount = 10
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
Network Connections
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Modify the port number of the network connection (network connections are keyed by Path)
Configuration.GroupRules.Item("Everyone").AccessibleNetworkConnections.Item("www.google.com:80/foo/*").Port = 8080
'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
User Rights Management (URM)

Create URM Policies
Edit URM Policies
Delete URM Policies
Add a User Rights File
Edit a User Rights File
Delete a User Rights File
Create URM Policies

'This sample relies on the AM_URMGroupAction_*, AM_URMPrivilegeAction_* and
'AM_URMPrivilegeConstant_* constant declarations from the scripting reference;
'only the last declaration is reproduced here.
const AM_URMPrivilegeAction_Remove = 3
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Create a new URMPolicy
Dim URMPolicy
Set URMPolicy = Configuration.ManufactureInstanceFromClassName("AM.URMPolicy")
URMPolicy.Name = "Add Administrator"
Configuration.URMPolicies.Add URMPolicy.Xml
'Add a Group Behaviour Action. BUILTIN\Administrators has the well-known SID
'S-1-5-32-544 on every machine; it is not relative to a domain or machine SID.
Dim URMBehaviour
Set URMBehaviour = Configuration.ManufactureInstanceFromClassName("AM.URMGroupBehaviour")
URMBehaviour.DisplayName = "BUILTIN\Administrators"
URMBehaviour.SID = "S-1-5-32-544"
URMBehaviour.Action = AM_URMGroupAction_Add
Configuration.URMPolicies("Add Administrator").GroupMembershipActions.Add URMBehaviour.Xml
'Set up the privilege actions. Every privilege is added with NoChange. The same
'AM.URMPrivilege instance is reused for each entry because Add takes its Xml.
Dim PrivilegeAction
Set PrivilegeAction = Configuration.ManufactureInstanceFromClassName("AM.URMPrivilege")
Sub AddPrivilegeAction(Name, Privilege)
    PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
    PrivilegeAction.Name = Name
    PrivilegeAction.Privilege = Privilege
    Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml
End Sub
AddPrivilegeAction "SeAssignPrimaryTokenPrivilege", AM_URMPrivilegeConstant_SeAssignPrimaryTokenPrivilege
AddPrivilegeAction "SeAuditPrivilege", AM_URMPrivilegeConstant_SeAuditPrivilege
AddPrivilegeAction "SeBackupPrivilege", AM_URMPrivilegeConstant_SeBackupPrivilege
AddPrivilegeAction "SeChangeNotifyPrivilege", AM_URMPrivilegeConstant_SeChangeNotifyPrivilege
AddPrivilegeAction "SeCreateGlobalPrivilege", AM_URMPrivilegeConstant_SeCreateGlobalPrivilege
AddPrivilegeAction "SeCreatePagefilePrivilege", AM_URMPrivilegeConstant_SeCreatePagefilePrivilege
AddPrivilegeAction "SeCreatePermanentPrivilege", AM_URMPrivilegeConstant_SeCreatePermanentPrivilege
AddPrivilegeAction "SeCreateSymbolicLinkPrivilege", AM_URMPrivilegeConstant_SeCreateSymbolicLinkPrivilege
AddPrivilegeAction "SeCreateTokenPrivilege", AM_URMPrivilegeConstant_SeCreateTokenPrivilege
AddPrivilegeAction "SeDebugPrivilege", AM_URMPrivilegeConstant_SeDebugPrivilege
AddPrivilegeAction "SeEnableDelegationPrivilege", AM_URMPrivilegeConstant_SeEnableDelegationPrivilege
AddPrivilegeAction "SeImpersonatePrivilege", AM_URMPrivilegeConstant_SeImpersonatePrivilege
AddPrivilegeAction "SeIncreaseBasePriorityPrivilege", AM_URMPrivilegeConstant_SeIncreaseBasePriorityPrivilege
AddPrivilegeAction "SeIncreaseQuotaPrivilege", AM_URMPrivilegeConstant_SeIncreaseQuotaPrivilege
AddPrivilegeAction "SeIncreaseWorkingSetPrivilege", AM_URMPrivilegeConstant_SeIncreaseWorkingSetPrivilege
AddPrivilegeAction "SeLoadDriverPrivilege", AM_URMPrivilegeConstant_SeLoadDriverPrivilege
AddPrivilegeAction "SeLockMemoryPrivilege", AM_URMPrivilegeConstant_SeLockMemoryPrivilege
AddPrivilegeAction "SeMachineAccountPrivilege", AM_URMPrivilegeConstant_SeMachineAccountPrivilege
AddPrivilegeAction "SeManageVolumePrivilege", AM_URMPrivilegeConstant_SeManageVolumePrivilege
AddPrivilegeAction "SeProfileSingleProcessPrivilege", AM_URMPrivilegeConstant_SeProfileSingleProcessPrivilege
AddPrivilegeAction "SeRelabelPrivilege", AM_URMPrivilegeConstant_SeRelabelPrivilege
AddPrivilegeAction "SeRemoteShutdownPrivilege", AM_URMPrivilegeConstant_SeRemoteShutdownPrivilege
AddPrivilegeAction "SeRestorePrivilege", AM_URMPrivilegeConstant_SeRestorePrivilege
AddPrivilegeAction "SeSecurityPrivilege", AM_URMPrivilegeConstant_SeSecurityPrivilege
AddPrivilegeAction "SeShutdownPrivilege", AM_URMPrivilegeConstant_SeShutdownPrivilege
AddPrivilegeAction "SeSyncAgentPrivilege", AM_URMPrivilegeConstant_SeSyncAgentPrivilege
AddPrivilegeAction "SeSystemEnvironmentPrivilege", AM_URMPrivilegeConstant_SeSystemEnvironmentPrivilege
AddPrivilegeAction "SeSystemProfilePrivilege", AM_URMPrivilegeConstant_SeSystemProfilePrivilege
AddPrivilegeAction "SeSystemtimePrivilege", AM_URMPrivilegeConstant_SeSystemtimePrivilege
AddPrivilegeAction "SeTakeOwnershipPrivilege", AM_URMPrivilegeConstant_SeTakeOwnershipPrivilege
AddPrivilegeAction "SeTcbPrivilege", AM_URMPrivilegeConstant_SeTcbPrivilege
AddPrivilegeAction "SeTimeZonePrivilege", AM_URMPrivilegeConstant_SeTimeZonePrivilege
AddPrivilegeAction "SeTrustedCredManAccessPrivilege", AM_URMPrivilegeConstant_SeTrustedCredManAccessPrivilege
AddPrivilegeAction "SeUndockPrivilege", AM_URMPrivilegeConstant_SeUndockPrivilege
AddPrivilegeAction "SeUnsolicitedInputPrivilege", AM_URMPrivilegeConstant_SeUnsolicitedInputPrivilege
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
Edit URM Policies

'Requires the AM_URMPrivilegeAction_* and AM_URMGroupAction_* constant declarations.
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Enable a single privilege and stop adding the Administrators group: the
'policy then grants only the right the application needs.
Configuration.URMPolicies("Add Administrator").PrivilegeActions("SeBackupPrivilege").Action = AM_URMPrivilegeAction_Enable
Configuration.URMPolicies("Add Administrator").GroupMembershipActions("BUILTIN\Administrators").Action = AM_URMGroupAction_Drop
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
Add a User Rights File

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Describe the application the policy applies to
Dim File
Set File = Configuration.ManufactureInstanceFromClassName("AM.File")
File.Path = "notepad.exe"
File.CommandLine = "notepad.exe"
'Bind the application to the URM policy (URM file items are keyed by KeyPath)
Dim URMFile
Set URMFile = Configuration.ManufactureInstanceFromClassName("AM.URMRuleItemPolicy")
URMFile.KeyPath = "notepad.exe"
URMFile.Policy.Policy = Configuration.URMPolicies.Item("Add Administrator").Name
URMFile.Application = File.Xml
Configuration.GroupRules.Item("Everyone").UserRightsRules.URMFiles.Add URMFile.Xml
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
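The samples above show how to switch Trusted Ownership checking off for a file item (Edit a File) and how to bind an application to a URM policy that changes group membership (Create URM Policies, Add a User Rights File). Both are exactly the settings a reviewer wants to find again later. The following script is an added example, not part of the AppSense reference: it loads the live configuration read-only and reports every accessible file item whose Trusted Ownership check is disabled, every URM group-membership action that touches BUILTIN\Administrators, and every URM file binding with the policy it uses. It assumes that the rule dictionaries and item collections can be walked with For Each (the reference shows a For ... Next loop but does not document the enumerator), that the property names are those listed under Object Types, and that the script is run with cscript; the well-known Administrators SID is the only constant it needs.

```vbscript
' Added example (not from the AppSense reference): read-only audit of the
' live Application Manager configuration for the settings that most weaken
' the policy. Run with: cscript //nologo AuditAmConfig.vbs
' Assumption: the AM collections support For Each; if they do not, replace
' the loops with a Count/Item walk.
Option Explicit

Const ADMINISTRATORS_SID = "S-1-5-32-544"   ' well-known SID of BUILTIN\Administrators

' Report accessible file items whose Trusted Ownership check is off.
' Such an item is allowed regardless of who owns the file on disk.
' Returns the number of findings.
Function AuditTrustedOwnership(Configuration)
    Dim GroupRule, FileItem, Findings
    Findings = 0
    For Each GroupRule In Configuration.GroupRules
        For Each FileItem In GroupRule.AccessibleFiles
            If FileItem.TrustedOwnershipChecking = False Then
                WScript.Echo "Group rule '" & GroupRule.DisplayName & "': accessible file '" & _
                             FileItem.Path & "' runs without a Trusted Ownership check"
                Findings = Findings + 1
            End If
        Next
    Next
    AuditTrustedOwnership = Findings
End Function

' Report URM policies with a group-membership action on Administrators and
' print the raw Action value so it can be compared with the
' AM_URMGroupAction_* constants (Add is the one to question; Drop is benign).
' Returns the number of findings.
Function AuditUrmGroupActions(Configuration)
    Dim URMPolicy, GroupAction, Findings
    Findings = 0
    For Each URMPolicy In Configuration.URMPolicies
        For Each GroupAction In URMPolicy.GroupMembershipActions
            If StrComp(GroupAction.SID, ADMINISTRATORS_SID, vbTextCompare) = 0 Then
                WScript.Echo "URM policy '" & URMPolicy.Name & "': group action " & _
                             GroupAction.Action & " on " & GroupAction.DisplayName
                Findings = Findings + 1
            End If
        Next
    Next
    AuditUrmGroupActions = Findings
End Function

' Report every application bound to a URM policy, with the policy name.
' Returns the number of bindings.
Function AuditUrmFiles(Configuration)
    Dim GroupRule, URMFile, Findings
    Findings = 0
    For Each GroupRule In Configuration.GroupRules
        For Each URMFile In GroupRule.UserRightsRules.URMFiles
            WScript.Echo "Group rule '" & GroupRule.DisplayName & "': '" & URMFile.KeyPath & _
                         "' elevated by URM policy '" & URMFile.Policy.Policy & "'"
            Findings = Findings + 1
        Next
    Next
    AuditUrmFiles = Findings
End Function

' Load the live configuration exactly as the reference samples do.
Dim Configuration, ConfigurationHelper, ConfigurationXml
Set Configuration = CreateObject("AM.Configuration.2")
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

Dim Total
Total = AuditTrustedOwnership(Configuration) + AuditUrmGroupActions(Configuration) + AuditUrmFiles(Configuration)
WScript.Echo Total & " item(s) to review"

' SaveLiveConfiguration is deliberately never called: the script can run
' from a scheduled task without any risk of rewriting the live policy.
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
WScript.Quit Total
```

The exit code carries the number of items found, so a scheduled task or monitoring agent can alert on any non-zero result. Because the script never calls SaveLiveConfiguration, it needs only read access to the configuration and cannot introduce the very changes it is looking for.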
OBJECT TYPES
This section covers the Application Manager object types: the Configuration object, its strongly-typed collections and the object definitions.
Configuration Object
The Configuration object represents the Application Manager configuration. It holds configuration data only and contains no business logic.
Strongly-Typed Collections

Map collections are keyed by the listed property; that key is the value passed to Item and Remove in the samples (for example, FileCollection is keyed by CommandLine, so a digital signature item is addressed by its SHA-1 hash).

Collection | BaseType | ValueType | Key
ArchiveFolderCollection | Array | ArchiveFolder | -
AuditEventFilterDictionary | Map | AuditEventFilter | File
ApplicationGroupDictionary | Map | ApplicationGroup | Path
CustomRuleDictionary | Map | CustomRule | Name
DeviceDictionary | Map | Device | Host
DeviceRuleDictionary | Map | DeviceRule | Name
DriveCollection | Map | Drive | Path
EngineeringKeyCollection | Array | EngineeringKey | -
FileCollection | Map | File | CommandLine
FileExtensionDictionary | Map | FileExtension | Name
FolderCollection | Map | Folder | Path
GroupRuleDictionary | Map | GroupRule | DisplayName
NetworkConnectionCollection | Map | NetworkConnection | Path
ProcessRuleDictionary | Map | ProcessRule | Name
ScriptedRuleDictionary | Map | ScriptedRule | Name
SignatureFileCollection | Map | SignatureFile | CommandLine
TimeRangeCollection | Array | TimeRange | -
TrustedApplicationCollection | Array | TrustedApplication | -
TrustedOwnerDictionary | Map | TrustedOwner | DisplayName
UserRuleDictionary | Map | UserRule | DisplayName
URMPolicyDictionary | Map | URMPolicy | Name
URMGroupBehaviourDictionary | Map | URMGroupBehaviour | DisplayName
URMPrivilegeDictionary | Map | URMPrivilege | Name
URMRuleItemDictionary | Map | URMRuleItem | KeyPath
URMRuleItemPolicyDirectory | Map | URMRuleItemPolicy | KeyPath
Object Definitions
Object: AccessTimes
Property | Type | Description
--- | --- | ---
MondayTimeRangeCollection | TimeRangeCollection | A collection of time ranges that are applied on Mondays.
TuesdayTimeRangeCollection | TimeRangeCollection | A collection of time ranges that are applied on Tuesdays.
WednesdayTimeRangeCollection | TimeRangeCollection | A collection of time ranges that are applied on Wednesdays.
ThursdayTimeRangeCollection | TimeRangeCollection | A collection of time ranges that are applied on Thursdays.
FridayTimeRangeCollection | TimeRangeCollection | A collection of time ranges that are applied on Fridays.
SaturdayTimeRangeCollection | TimeRangeCollection | A collection of time ranges that are applied on Saturdays.
SundayTimeRangeCollection | TimeRangeCollection | A collection of time ranges that are applied on Sundays.
Object: ApplicationGroup
Property | Type | Description
--- | --- | ---
Path | BSTR | The name of the Application Group.
Description | BSTR | The description of the group.
Files | FileCollection | Collection of files contained within this group.
Folders | FolderCollection | Collection of folders contained within this group.
SignatureFiles | BSTR | Collection of signature files contained within this group.
NetworkConnections | BSTR | Collection of network connections contained within this group.
Drives | BSTR | Collection of drives contained within this group.
Object: ArchiveFolder
Property | Type | Description
--- | --- | ---
Path | BSTR | Full path to folder.
Object: ArchivingSettings
Property | Type | Description
--- | --- | ---
ArchivingEnabled | VARIANT_BOOL | Specify whether to use archiving. Default = False
NoAdminOwnedFiles | VARIANT_BOOL | Enable administrator-owned files to be ignored. Default = False
OverwriteExistingFiles | VARIANT_BOOL | Specify whether files copied to the archive should overwrite existing files. Default = True
AnonymousEnabled | VARIANT_BOOL | Specify whether the file should have any user information stripped.
TotalLimit | LONG | The maximum size of the archive in MB. Default = 50.
UserLimit | LONG | The maximum size of a user's archive in MB. Default = 25.
ArchiveLessThanEnabled | VARIANT_BOOL | Specify whether only files smaller than a certain size will be archived. Default = False.
ArchiveLessThanAmount | LONG | The maximum size of a file that will be copied to the archive. Default = False.
OverwriteOldest | VARIANT_BOOL | Specify whether the oldest files in the archive are overwritten when the archive is full. Default = False.
ArchiveFolders | ArchiveFolderCollection | A list of archive folder locations. The first location in the list is given the highest preference and the last location the lowest.
Object: AuditEventFilter
Property | Type | Description
--- | --- | ---
File | BSTR | The file name/extension to which this filter will be applied.
Events | BSTR | A semi-colon delimited list of events, e.g. 9005;9006;9008
Object: AuditEventFiltering
Property | Type | Description
--- | --- | ---
Enabled | VARIANT_BOOL | Specify whether event filtering is enabled. Default = True
Files | AuditEventFilterDictionary | The list of event filters.
Object: Configuration
Property | Type | Description
--- | --- | ---
Info | ConfigurationInfo | Configuration metadata.
DefaultRules | DefaultRules | Default rules settings.
MessageSettings | MessageSettings | Settings to allow customization of AM generated message boxes.
ArchivingSettings | ArchivingSettings | Options for files that are archived.
UserRules | UserRuleDictionary | Collection of configured user rules.
ApplicationGroups | ApplicationGroupDictionary | Library of Application Groups.
ProcessRules | ProcessRuleDictionary | Collection of configured Process Rules.
GroupRules | GroupRuleDictionary | Collection of configured group rules.
DeviceRules | DeviceRuleDictionary | Collection of configured device rules.
CustomRules | CustomRuleDictionary | Collection of configured custom rules.
ScriptedRules | ScriptedRuleDictionary | Collection of configured scripted rules.
EngineeringKeys | EngineeringKeyCollection | Collection of engineering keys.
EnableTrustedApplications | VARIANT_BOOL | Enable Trusted Applications functionality. Default = True
URMPolicies | URMPolicyDictionary | Library of User Rights policies.
AuditEventFilteringSettings | AuditEventFiltering | Options relating to which audit events are reported.
Object: ConfigurationInfo
Property | Type | Description
--- | --- | ---
Name | BSTR | The name of the configuration.
UniqueIdentifier | BSTR | The unique ID for the configuration.
Version | LONG | The configuration version.
Notes | BSTR | Any appropriate notes.
RevisionLevel | LONG | The configuration revision number.
Object: CustomRule
Property | Type | Description
--- | --- | ---
DisplayName | BSTR | The account name.
SID | BSTR | The account SID.
Devices | DeviceDictionary | Collection of devices to which this rule applies.
Name | BSTR | The name of the rule.
SecurityLevel | SecurityLevel | The level of restriction applied to this rule.
AccessibleApplicationGroups | ApplicationGroupReferenceDictionary | Collection of accessible Application Groups.
AccessibleFiles | FileCollection | Collection of accessible files.
AccessibleFolders | FolderCollection | Collection of accessible folders.
AccessibleDrives | DriveCollection | Collection of accessible drives.
AccessibleSignatures | SignatureFileCollection | Collection of accessible signatures.
AccessibleNetworkConnections | NetworkConnectionCollection | Collection of accessible network connections.
ProhibitedApplicationGroups | ApplicationGroupReferenceDictionary | Collection of prohibited Application Groups.
ProhibitedFiles | FileCollection | Collection of prohibited files.
ProhibitedFolders | FolderCollection | Collection of prohibited folders.
ProhibitedDrives | DriveCollection | Collection of prohibited drives.
ProhibitedSignatures | SignatureFileCollection | Collection of prohibited signatures.
ProhibitedNetworkConnections | NetworkConnectionCollection | Collection of prohibited network connections.
TrustedVendors | DigitalCertificateCollection | Collection of trusted vendors' digital certificates.
UserRightsRules | URMRules | Configured settings for User Rights rules.
Object: DefaultRules
Property | Type | Description
--- | --- | ---
TrustedOwnershipChecking | VARIANT_BOOL | Enable trusted ownership checking. Default = True
(property name not given in source) | VARIANT_BOOL | Enable a change of file ownership when a file is overwritten or renamed. Default = True
(property name not given in source) | TrustedOwnerDictionary | A collection of configured Trusted Owners.
(property name not given in source) | VARIANT_BOOL | Specify whether the local drives are accessible by default. Default = True
IgnoreRestrictionsDuringLogon | VARIANT_BOOL | Allows restrictions to be ignored until the logon process is complete.
AllowCMDForBatchFiles | VARIANT_BOOL | Allows cmd.exe to run if it is run via execution of a batch file. Default = True
ExtractSelfExtractingZIPFiles | VARIANT_BOOL | Specify whether Application Manager should extract self-extracting .ZIP files. Default = True
ValidateSystemProcesses | VARIANT_BOOL | Specify whether system processes will be subject to AM rules processing. Default = False
ValidateMSI | VARIANT_BOOL | Specify whether Windows Installer (.MSI) packages are validated.
ValidateWSH | VARIANT_BOOL | Specify whether Windows Script Host (.WSH) files are validated. Default = True
ValidateREG | VARIANT_BOOL | Specify whether Windows Registry (.REG) files are validated. Default = True
DoExtensionFiltering | VARIANT_BOOL | Enable extension filtering. Default = False
ExtensionFilteringScope | FileExtensionFilteringScope | Specify whether the file extensions in the FileExtensions property are included in or excluded from rules processing. Default = Exclude
FileExtensions | FileExtensionDictionary | A list of extensions used for extension filtering.
TrustedAppsCheckAll | VARIANT_BOOL | Specify whether all denied requests are passed through the Trusted Applications checking routine. True = check all, False = only check requests denied by Trusted Ownership. Default = True
(property name not given in source) | (type not given in source) | Specify whether Application Access Control is enabled. Default = True.
(property name not given in source) | (type not given in source) | Specify whether Application Network Access Control is enabled. Default = True.
(property name not given in source) | (type not given in source) | Specify whether User Rights Management is enabled. Default = True.
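The three DefaultRules properties DoExtensionFiltering, ExtensionFilteringScope and FileExtensions together decide which files go through rules processing at all, which makes them worth checking when reviewing a configuration. The following Python is an added example, not code from this reference or from the product: it models those three properties as a small dataclass (its own construction, not the COM object) and answers the question "is this path subject to rules processing?" The enumeration values are the ones listed under Enumerations in this reference; the case-insensitive, dot-tolerant comparison of extensions is this example's assumption.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from pathlib import PureWindowsPath


class FileExtensionFilteringScope(IntEnum):
    """Values as listed under Enumerations in this reference."""
    Exclude = 0
    Include = 1


@dataclass
class DefaultRules:
    """Constructed model of the three DefaultRules properties used by extension filtering.

    This is not the COM object; defaults follow the reference (filtering off, Exclude scope).
    """
    DoExtensionFiltering: bool = False
    ExtensionFilteringScope: FileExtensionFilteringScope = FileExtensionFilteringScope.Exclude
    # Stands in for FileExtensionDictionary, whose key is the extension Name.
    FileExtensions: set = field(default_factory=set)


def normalise_extension(name: str) -> str:
    """Treat "EXE", ".exe" and "exe" as the same extension (example assumption)."""
    return name.lstrip(".").lower()


def subject_to_rules_processing(path: str, defaults: DefaultRules) -> bool:
    """Return True if the file at 'path' goes through rules processing.

    Filtering off: every file is processed.
    Exclude scope: files whose extension is listed in FileExtensions are skipped.
    Include scope: only files whose extension is listed are processed.
    """
    if not defaults.DoExtensionFiltering:
        return True
    ext = normalise_extension(PureWindowsPath(path).suffix)
    listed = {normalise_extension(e) for e in defaults.FileExtensions}
    if defaults.ExtensionFilteringScope == FileExtensionFilteringScope.Include:
        return ext in listed
    return ext not in listed


def files_bypassing_rules(defaults: DefaultRules, sample_paths: list) -> list:
    """Report which of the sample paths would never reach rules processing under these defaults."""
    return [p for p in sample_paths if not subject_to_rules_processing(p, defaults)]


if __name__ == "__main__":
    # Constructed sample: an Exclude-scope filter that skips log and text files.
    rules = DefaultRules(DoExtensionFiltering=True, FileExtensions={"txt", ".LOG"})
    samples = [r"C:\Temp\readme.txt", r"C:\Temp\setup.exe", r"C:\Temp\trace.log", r"C:\Temp\script"]
    print("Skipped by the extension filter:", files_bypassing_rules(rules, samples))
```

Under Include scope a file with no extension at all (the `script` sample above) is never processed, so Include narrows coverage to exactly the listed extensions; Exclude, the documented default, keeps everything except the listed extensions in scope.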
Object: Device
Property | Type | Description
--- | --- | ---
Host | BSTR | The host address.
HostType | DeviceType | Specify whether the address refers to a computer or a connecting device. Default = Computer
NameType | HostNameType | Specify whether the address is a host name or an IP address. Default = HostName
Object: DeviceRule
Property | Type | Description
--- | --- | ---
Devices | DeviceDictionary | Collection of devices to which this rule applies.
Name | BSTR | The name of the rule.
SecurityLevel | SecurityLevel | The level of restriction applied to this rule.
AccessibleApplicationGroups | ApplicationGroupReferenceDictionary | Collection of accessible Application Groups.
AccessibleFiles | FileCollection | Collection of accessible files.
AccessibleFolders | FolderCollection | Collection of accessible folders.
AccessibleDrives | DriveCollection | Collection of accessible drives.
AccessibleSignatures | SignatureFileCollection | Collection of accessible signatures.
AccessibleNetworkConnections | NetworkConnectionCollection | Collection of accessible network connections.
ProhibitedApplicationGroups | ApplicationGroupReferenceDictionary | Collection of prohibited Application Groups.
ProhibitedFiles | FileCollection | Collection of prohibited files.
ProhibitedFolders | FolderCollection | Collection of prohibited folders.
ProhibitedDrives | DriveCollection | Collection of prohibited drives.
ProhibitedSignatures | SignatureFileCollection | Collection of prohibited signatures.
ProhibitedNetworkConnections | NetworkConnectionCollection | Collection of prohibited network connections.
TrustedVendors | DigitalCertificateCollection | Collection of trusted vendors' digital certificates.
UserRightsRules | URMRules | Configured settings for User Rights rules.
Object: DigitalCertificate
Property | Type | Description
--- | --- | ---
Path | BSTR | Unused for this object.
Description | BSTR | The description of the digital certificate.
EnforceExpiryDate | VARIANT_BOOL | Specify whether expiry date verification will be applied to this certificate. Default = False
RawCertificateData | BSTR | The base64 encoded digital certificate.
ExpiryDate | BSTR | The certificate expiry date.
IssuedTo | BSTR | The name of the certificate owner.
ErrorIgnoreFlags | LONG | A bitwise OR of the values below. Default = 0

ErrorIgnoreFlags | Value
--- | ---
CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG | 0x00000001
CERT_CHAIN_POLICY_IGNORE_CTL_NOT_TIME_VALID_FLAG | 0x00000002
CERT_CHAIN_POLICY_IGNORE_NOT_TIME_NESTED_FLAG | 0x00000004
CERT_CHAIN_POLICY_IGNORE_INVALID_BASIC_CONSTRAINTS_FLAG | 0x00000008
CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG | 0x00000010
CERT_CHAIN_POLICY_IGNORE_WRONG_USAGE_FLAG | 0x00000020
CERT_CHAIN_POLICY_IGNORE_INVALID_NAME_FLAG | 0x00000040
CERT_CHAIN_POLICY_IGNORE_INVALID_POLICY_FLAG | 0x00000080
CERT_CHAIN_POLICY_IGNORE_END_REV_UNKNOWN_FLAG | 0x00000100
CERT_CHAIN_POLICY_IGNORE_CTL_SIGNER_REV_UNKNOWN_FLAG | 0x00000200
CERT_CHAIN_POLICY_IGNORE_CA_REV_UNKNOWN_FLAG | 0x00000400
CERT_CHAIN_POLICY_IGNORE_ROOT_REV_UNKNOWN_FLAG | 0x00000800

Object: Drive
Property | Type | Description
--- | --- | ---
Path | BSTR | Full path to drive.
Description | BSTR | The drive description.
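Every bit set in DigitalCertificate.ErrorIgnoreFlags (documented above, under Object: DigitalCertificate) switches off one chain-validation check for that Trusted Vendors certificate, so a configuration review should decode the value rather than trust that it is still the default of 0. The following Python is an added example, not code from this reference or the product: it decodes and encodes the LONG using exactly the flag names and values listed in the reference, and reports the TrustedVendors entries that ignore a chain error the example rates as high risk. Which flags count as high risk is this example's own judgement (the reference lists the flags without rating them), and the sample vendor entries are constructed.

```python
# CERT_CHAIN_POLICY_* names and values exactly as listed for DigitalCertificate.ErrorIgnoreFlags.
CERT_CHAIN_POLICY_FLAGS = {
    "CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG": 0x00000001,
    "CERT_CHAIN_POLICY_IGNORE_CTL_NOT_TIME_VALID_FLAG": 0x00000002,
    "CERT_CHAIN_POLICY_IGNORE_NOT_TIME_NESTED_FLAG": 0x00000004,
    "CERT_CHAIN_POLICY_IGNORE_INVALID_BASIC_CONSTRAINTS_FLAG": 0x00000008,
    "CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG": 0x00000010,
    "CERT_CHAIN_POLICY_IGNORE_WRONG_USAGE_FLAG": 0x00000020,
    "CERT_CHAIN_POLICY_IGNORE_INVALID_NAME_FLAG": 0x00000040,
    "CERT_CHAIN_POLICY_IGNORE_INVALID_POLICY_FLAG": 0x00000080,
    "CERT_CHAIN_POLICY_IGNORE_END_REV_UNKNOWN_FLAG": 0x00000100,
    "CERT_CHAIN_POLICY_IGNORE_CTL_SIGNER_REV_UNKNOWN_FLAG": 0x00000200,
    "CERT_CHAIN_POLICY_IGNORE_CA_REV_UNKNOWN_FLAG": 0x00000400,
    "CERT_CHAIN_POLICY_IGNORE_ROOT_REV_UNKNOWN_FLAG": 0x00000800,
}
ALL_KNOWN_BITS = 0
for _bit in CERT_CHAIN_POLICY_FLAGS.values():
    ALL_KNOWN_BITS |= _bit

# Flags that disable a check the "trusted vendor" decision depends on. This grouping is the
# example's own judgement, not a classification from the reference.
HIGH_RISK_FLAGS = {
    "CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG",                  # chain need not end in a trusted root
    "CERT_CHAIN_POLICY_IGNORE_WRONG_USAGE_FLAG",                # certificate need not be valid for code signing
    "CERT_CHAIN_POLICY_IGNORE_INVALID_BASIC_CONSTRAINTS_FLAG",  # a leaf certificate could act as a CA
    "CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG",             # expired or not-yet-valid certificates accepted
    "CERT_CHAIN_POLICY_IGNORE_INVALID_NAME_FLAG",               # subject name mismatches accepted
}


def decode_error_ignore_flags(value: int) -> list:
    """Split a LONG ErrorIgnoreFlags value into the flag names it ORs together, in bit order."""
    if value < 0 or value & ~ALL_KNOWN_BITS:
        raise ValueError(f"ErrorIgnoreFlags {value:#x} contains bits not defined for this property")
    return [name for name, bit in CERT_CHAIN_POLICY_FLAGS.items() if value & bit]


def encode_error_ignore_flags(names) -> int:
    """Inverse of decode: OR the named flags into the LONG the property expects."""
    value = 0
    for name in names:
        value |= CERT_CHAIN_POLICY_FLAGS[name]  # KeyError for a name that is not a defined flag
    return value


def audit_trusted_vendors(vendors: list) -> dict:
    """Return {Description: [high-risk flag names]} for each DigitalCertificate entry that ignores
    at least one high-risk chain error. Entries left at the default of 0 are not listed."""
    findings = {}
    for vendor in vendors:
        risky = [n for n in decode_error_ignore_flags(vendor["ErrorIgnoreFlags"]) if n in HIGH_RISK_FLAGS]
        if risky:
            findings[vendor["Description"]] = risky
    return findings


# Constructed sample TrustedVendors entries, carrying only the fields this check needs.
SAMPLE_TRUSTED_VENDORS = [
    {"Description": "Corporate signing CA", "EnforceExpiryDate": True, "ErrorIgnoreFlags": 0x0},
    {"Description": "Offline lab machines", "EnforceExpiryDate": False, "ErrorIgnoreFlags": 0xC00},
    {"Description": "Legacy tool vendor", "EnforceExpiryDate": False, "ErrorIgnoreFlags": 0x11},
]

if __name__ == "__main__":
    for description, flags in audit_trusted_vendors(SAMPLE_TRUSTED_VENDORS).items():
        short = ", ".join(f.replace("CERT_CHAIN_POLICY_", "") for f in flags)
        print(f"{description}: ignores {short}")
```

The revocation-unknown flags (0x100 to 0x800) are deliberately left out of the high-risk set because they are commonly needed on machines without CRL or OCSP access; the "Offline lab machines" sample therefore produces no finding, while the entry that combines IGNORE_NOT_TIME_VALID with ALLOW_UNKNOWN_CA does.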
Object: File
Property | Type | Description
--- | --- | ---
Path | BSTR | Full path to file.
Description | BSTR | The file description.
Arguments | BSTR | The command line arguments used for spawning a process.
CommandLine | BSTR | The full command line (Path + Arguments) when a file is run.
ApplyAccessTimes | VARIANT_BOOL | Specify whether access times are to be applied. Default = False
AccessTimes | AccessTimes | Collection of access times to be applied.
TrustedOwnershipChecking | VARIANT_BOOL | Specify whether the file is subject to Trusted Ownership checking. Default = True
ApplicationLimit | LONG | The number of concurrent instances of this file that can be executed (0 means unlimited). Default = 0
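The File object above carries two per-file controls that can be evaluated without the rest of the rule: the weekday time ranges in AccessTimes (applied only when ApplyAccessTimes is True) and the concurrent-instance cap in ApplicationLimit (0 meaning unlimited). The following Python is an added example, not code from this reference or the product: it models TimeRange, AccessTimes and the relevant File properties as dataclasses of its own construction and returns an allow/deny decision with a reason. The reference documents StartHour and EndHour only as hours, so treating StartHour as inclusive and EndHour as exclusive is this example's assumption, as is the constructed office-hours schedule.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class TimeRange:
    """TimeRange as documented: whole hours only."""
    StartHour: int
    EndHour: int


@dataclass
class AccessTimes:
    """One TimeRangeCollection (an Array of TimeRange) per weekday, named as in the reference."""
    MondayTimeRangeCollection: list = field(default_factory=list)
    TuesdayTimeRangeCollection: list = field(default_factory=list)
    WednesdayTimeRangeCollection: list = field(default_factory=list)
    ThursdayTimeRangeCollection: list = field(default_factory=list)
    FridayTimeRangeCollection: list = field(default_factory=list)
    SaturdayTimeRangeCollection: list = field(default_factory=list)
    SundayTimeRangeCollection: list = field(default_factory=list)


# Index matches datetime.weekday(): Monday = 0 ... Sunday = 6.
DAY_PROPERTIES = [
    "MondayTimeRangeCollection", "TuesdayTimeRangeCollection", "WednesdayTimeRangeCollection",
    "ThursdayTimeRangeCollection", "FridayTimeRangeCollection", "SaturdayTimeRangeCollection",
    "SundayTimeRangeCollection",
]


@dataclass
class File:
    """The File properties this check uses; defaults as documented (Default = False / 0)."""
    Path: str
    ApplyAccessTimes: bool = False
    AccessTimes: AccessTimes = field(default_factory=AccessTimes)
    ApplicationLimit: int = 0  # 0 means unlimited


def within_access_times(access_times: AccessTimes, when: datetime) -> bool:
    """True if 'when' falls inside any range configured for its weekday.

    Example assumption: StartHour inclusive, EndHour exclusive, so a 9-17 range admits 09:00 to 16:59.
    """
    ranges = getattr(access_times, DAY_PROPERTIES[when.weekday()])
    return any(r.StartHour <= when.hour < r.EndHour for r in ranges)


def execution_allowed(file: File, when: datetime, running_instances: int) -> tuple:
    """Apply the two File-level checks and return (allowed, reason).

    The rule's SecurityLevel and its Accessible/Prohibited lists are evaluated elsewhere and are not modelled.
    """
    if file.ApplyAccessTimes and not within_access_times(file.AccessTimes, when):
        return False, "outside configured access times"
    if file.ApplicationLimit and running_instances >= file.ApplicationLimit:
        return False, f"application limit of {file.ApplicationLimit} reached"
    return True, "allowed"


def execution_allowed_at(file: File, iso_timestamp: str, running_instances: int) -> tuple:
    """Convenience wrapper taking an ISO 8601 timestamp such as "2011-06-13T10:00"."""
    return execution_allowed(file, datetime.fromisoformat(iso_timestamp), running_instances)


def office_hours() -> AccessTimes:
    """Constructed sample schedule: 09:00-17:00 Monday to Friday, nothing at the weekend."""
    hours = AccessTimes()
    for day in DAY_PROPERTIES[:5]:
        getattr(hours, day).append(TimeRange(StartHour=9, EndHour=17))
    return hours


def sample_decisions() -> list:
    """Run the constructed sample cases (2011-06-13 is a Monday, 2011-06-18 a Saturday)."""
    tool = File(Path=r"C:\Program Files\Contoso\tool.exe", ApplyAccessTimes=True,
                AccessTimes=office_hours(), ApplicationLimit=2)
    cases = [("2011-06-13T10:00", 0), ("2011-06-13T18:00", 0), ("2011-06-18T10:00", 0), ("2011-06-13T10:00", 2)]
    return [execution_allowed_at(tool, when, running) for when, running in cases]


if __name__ == "__main__":
    for decision in sample_decisions():
        print(decision)
```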
Object: FileExtension
Property | Type | Description
--- | --- | ---
Path | BSTR | Full path to folder.
Description | BSTR | The folder description.
ApplyAccessTimes | VARIANT_BOOL | Specify whether access times are to be applied. Default = False
AccessTimes | AccessTimes | Collection of access times to be applied.
TrustedOwnershipChecking | VARIANT_BOOL | Specify whether the folder is subject to Trusted Ownership checking. Default = True
Recursive | VARIANT_BOOL | Whether the rules are applied to subfolders. Default = True
Object: Folder
Property | Type | Description
--- | --- | ---
Path | BSTR | Full path to folder.
Description | BSTR | The folder description.
ApplyAccessTimes | VARIANT_BOOL | Specify whether access times are to be applied.
AccessTimes | AccessTimes | Collection of access times to be applied.
TrustedOwnershipChecking | VARIANT_BOOL | Specify whether the folder is subject to Trusted Ownership checking. Default = True
Recursive | VARIANT_BOOL | Whether rules are applied to subfolders. Default = True
Object: GroupRule
Property | Type | Description
--- | --- | ---
DisplayName | BSTR | The account name.
SID | BSTR | The account SID.
Name | BSTR | The name of the rule.
SecurityLevel | SecurityLevel | The level of restriction applied to this rule.
AccessibleApplicationGroups | ApplicationGroupReferenceDictionary | Collection of accessible Application Groups.
AccessibleFiles | FileCollection | Collection of accessible files.
AccessibleFolders | FolderCollection | Collection of accessible folders.
AccessibleDrives | DriveCollection | Collection of accessible drives.
AccessibleSignatures | SignatureFileCollection | Collection of accessible signatures.
AccessibleNetworkConnections | NetworkConnectionCollection | Collection of accessible network connections.
ProhibitedApplicationGroups | ApplicationGroupReferenceDictionary | Collection of prohibited Application Groups.
ProhibitedFiles | FileCollection | Collection of prohibited files.
ProhibitedFolders | FolderCollection | Collection of prohibited folders.
ProhibitedDrives | DriveCollection | Collection of prohibited drives.
ProhibitedSignatures | SignatureFileCollection | Collection of prohibited signatures.
ProhibitedNetworkConnections | NetworkConnectionCollection | Collection of prohibited network connections.
TrustedVendors | DigitalCertificateCollection | Collection of trusted vendors' digital certificates.
UserRightsRules | URMRules | Configured settings for User Rights rules.
Object: MessageSettings
Property | Type | Description
--- | --- | ---
DisplayInitialWarningMessage | VARIANT_BOOL | Determines whether the user should be warned that an application is about to be closed because its allowed time has expired.
CloseApplication | VARIANT_BOOL | Determines whether an application with an expired allowed time should be sent a WM_CLOSE to give the user a chance to save work.
TerminateApplication | VARIANT_BOOL | Determines whether an application with an expired allowed time should be forcefully terminated.
WaitTime | LONG | The delay period between warning the user, sending a WM_CLOSE and terminating the application. This value is in seconds.
AccessDeniedMessageCaption | BSTR | The caption for the denied message box.
AccessDeniedMessageBody | BSTR | The text for the denied message box.
ApplicationLimitsExceededMessageCaption | BSTR | The caption for the message box that is displayed when an application has reached its application limit.
ApplicationLimitsExceededMessageBody | BSTR | The text for the message box that is displayed when an application has reached its application limit.
TimeLimitsWarningMessageCaption | BSTR | The caption for the message box that is displayed when an application has reached the end of its allowed time.
TimeLimitsWarningMessageBody | BSTR | The text for the message box that is displayed when an application has reached the end of its allowed time.
TimeLimitsDeniedMessageCaption | BSTR | The caption for the message box that is displayed when an application is denied due to a time restriction.
TimeLimitsDeniedMessageBody | BSTR | The text for the message box that is displayed when an application is denied due to a time restriction.
(property name not given in source) | BSTR | The caption for the message box that is displayed when user authorization is required to run a file.
(property name not given in source) | (type not given in source) | The text for the message box that is displayed when user authorization is required to run a file.
(property name not given in source) | (type not given in source) | The text for the message box that is displayed when the user has previously self-authorized a file to run.
(property name not given in source) | (type not given in source) | The caption for the message box that is displayed when the user has previously self-authorized a file to run.
Object: NetworkConnection
Property | Type | Description
--- | --- | ---
Path | BSTR | Full path to network resource.
Description | BSTR | The description of the network resource.
Address | BSTR | The address of the network resource (e.g. www.bbc.co.uk).
Resource | BSTR | The resource path (e.g. \weather).
Port | BSTR | The port to which this network connection applies (if appropriate).
UseWildcards | VARIANT_BOOL | Specify whether any part of the whole network location contains wildcards. Default = False
AddressType | NetworkConnectionType | The connection type.
Recursive | VARIANT_BOOL | Specify whether child resources are included as part of this connection.
Object: ProcessRule
Property | Type | Description
--- | --- | ---
SecurityLevel | SecurityLevel | The level of restriction applied to this rule.
AccessibleApplicationGroups | ApplicationGroupReferenceDictionary | Collection of accessible Application Groups.
AccessibleFiles | FileCollection | Collection of accessible files.
AccessibleFolders | FolderCollection | Collection of accessible folders.
AccessibleDrives | DriveCollection | Collection of accessible drives.
AccessibleSignatures | SignatureFileCollection | Collection of accessible signatures.
AccessibleNetworkConnections | NetworkConnectionCollection | Collection of accessible network connections.
ProhibitedApplicationGroups | ApplicationGroupReferenceDictionary | Collection of prohibited Application Groups.
ProhibitedFiles | FileCollection | Collection of prohibited files.
ProhibitedFolders | FolderCollection | Collection of prohibited folders.
ProhibitedDrives | DriveCollection | Collection of prohibited drives.
ProhibitedSignatures | SignatureFileCollection | Collection of prohibited signatures.
ProhibitedNetworkConnections | NetworkConnectionCollection | Collection of prohibited network connections.
TrustedVendors | DigitalCertificateCollection | Collection of trusted vendors' digital certificates.
UserRightsRules | URMRules | Configured settings for User Rights rules.
FileProcessItems | FileCollection | Collection of processes to which this rule applies.
SignatureProcessItems | SignatureProcessItems | Collection of processes to which this rule applies, defined by signature.
Object: ScriptedRule
Property | Type | Description
--- | --- | ---
EntryFunction | BSTR | The function that will be executed when the script is launched.
Script | BSTR | The body of the script.
Context | ExecutionContext | The context in which the script is executed. Default = PerSessionAsUser.
WaitForLogin | VARIANT_BOOL | Specify whether the execution of the script will be delayed until the login process is complete. Default = False
Timeout | LONG | The timeout period a script is given before being terminated.
Name | BSTR | The name of the rule.
SecurityLevel | SecurityLevel | The level of restriction applied to this rule.
AccessibleApplicationGroups | ApplicationGroupReferenceDictionary | Collection of accessible Application Groups.
AccessibleFiles | FileCollection | Collection of accessible files.
AccessibleFolders | FolderCollection | Collection of accessible folders.
AccessibleDrives | DriveCollection | Collection of accessible drives.
AccessibleSignatures | SignatureFileCollection | Collection of accessible signatures.
AccessibleNetworkConnections | NetworkConnectionCollection | Collection of accessible network connections.
ProhibitedApplicationGroups | ApplicationGroupReferenceDictionary | Collection of prohibited Application Groups.
ProhibitedFiles | FileCollection | Collection of prohibited files.
ProhibitedFolders | FolderCollection | Collection of prohibited folders.
ProhibitedDrives | DriveCollection | Collection of prohibited drives.
ProhibitedSignatures | SignatureFileCollection | Collection of prohibited signatures.
ProhibitedNetworkConnections | NetworkConnectionCollection | Collection of prohibited network connections.
TrustedVendors | DigitalCertificateCollection | Collection of trusted vendors' digital certificates.
UserRightsRules | URMRules | Configured settings for User Rights rules.
Object: SignatureFile
Property | Type | Description
--- | --- | ---
Path | BSTR | Full path to the file.
Description | BSTR | The file description.
Arguments | BSTR | The command line arguments used for spawning a process.
SHA1Hash | BSTR | The SHA1 hash of the file.
CommandLine | BSTR | The full command line (Sha1Hash + Arguments) when a file is run.
Version | BSTR | The file version information.
ApplyAccessTimes | VARIANT_BOOL | Specify whether access times are to be applied. Default = False
AccessTimes | AccessTimes | Collection of access times to be applied.
Object: TimeRange
Property | Type | Description
--- | --- | ---
StartHour | LONG | The hour at which the time range starts.
EndHour | LONG | The hour at which the time range ends.
Object: TrustedOwner
Property | Type | Description
--- | --- | ---
DisplayName | BSTR | The account name.
SID | BSTR | The account SID.
Description | BSTR | The account description.
Object: URMGroupBehaviour
Property | Type | Description
--- | --- | ---
DisplayName | BSTR | The name of the group.
SID | BSTR | The group's SID.
Action | URMGroupAction | The action to perform with this group. Default = Add
Object: URMPolicy
Property | Type | Description
--- | --- | ---
Name | BSTR | Name of the policy.
Description | BSTR | A description for the policy.
GroupMembershipActions | URMGroupBehaviourDictionary | Collection of configured URM Group Behaviour actions.
PrivilegeActions | URMPrivilegeDictionary | (description not given in source)
Object: URMPrivilege
Property | Type | Description
--- | --- | ---
Name | BSTR | Textual description of the privilege.
Privilege | URMPrivilegeConstant | The privilege being set. Default = SeAssignPrimaryTokenPrivilege
Action | URMPrivilegeAction | The action to perform on the privilege. Default = NoChange.
Object: URMRuleItem
Property | Type | Description
--- | --- | ---
KeyPath | BSTR | The key path used in collections of URMRuleItems.
Application | RuleItem | The application to which the User Rights setting is applied. Can be of type File, Folder, SignatureFile or ApplicationGroup.
ApplyToChildren | VARIANT_BOOL | Setting to specify whether the user rights setting should be applied to any child processes. Default = False.
Object: URMRuleItemPolicy
Property | Type | Description
--- | --- | ---
KeyPath | BSTR | The key path used in collections of URMRuleItems.
Application | RuleItem | The application to which the User Rights policy is applied. Can be of type File, Folder, SignatureFile or ApplicationGroup.
ApplyToChildren | VARIANT_BOOL | Setting to specify whether the user rights policy should be applied to any child processes. Default = False.
Policy | URMPolicyReference | The URM Policy to apply to the application.
Object: URMRules
Property | Type | Description
--- | --- | ---
URMFiles | URMRuleItemPolicyDictionary | Collection of Files and the URM Policies to apply to them.
URMSignatures | URMRuleItemPolicyDictionary | Collection of SignatureFiles and the URM Policies to apply to them.
URMFolders | URMRuleItemPolicyDictionary | Collection of Folders and the URM Policies to apply to them.
URMApplicationGroups | URMRuleItemPolicyDictionary | Collection of ApplicationGroups and the URM Policies to apply to them.
URMWellKnowncontrolPanelApplets | URMRuleItemDictionary | Cannot currently be scripted.
Object: UserRule
Property | Type | Description
--- | --- | ---
DisplayName | BSTR | The account name.
SID | BSTR | The account SID.
Name | BSTR | The name of the rule.
SecurityLevel | SecurityLevel | The level of restriction applied to this rule.
AccessibleApplicationGroups | ApplicationGroupReferenceDictionary | Collection of accessible Application Groups.
AccessibleFiles | FileCollection | Collection of accessible files.
AccessibleFolders | FolderCollection | Collection of accessible folders.
AccessibleDrives | DriveCollection | Collection of accessible drives.
AccessibleSignatures | SignatureFileCollection | Collection of accessible signatures.
AccessibleNetworkConnections | NetworkConnectionCollection | Collection of accessible network connections.
ProhibitedApplicationGroups | ApplicationGroupReferenceDictionary | Collection of prohibited Application Groups.
ProhibitedFiles | FileCollection | Collection of prohibited files.
ProhibitedFolders | FolderCollection | Collection of prohibited folders.
ProhibitedDrives | DriveCollection | Collection of prohibited drives.
ProhibitedSignatures | SignatureFileCollection | Collection of prohibited signatures.
ProhibitedNetworkConnections | NetworkConnectionCollection | Collection of prohibited network connections.
TrustedVendors | DigitalCertificateCollection | Collection of trusted vendors' digital certificates.
UserRightsRules | URMRules | Configured settings for User Rights rules.
Enumerations

Name: DeviceType
Computer = 0
ConnectingDevice = 1

Name: ExecutionContext
PerSessionAsUser = 0
PerSessionAsSystem = 1
PerComputerAsSystem = 2

Name: FileExtensionFilteringScope
Exclude = 0
Include = 1

Name: HostNameType
HostName = 0
IPAddress = 1

Name: LocalEventLogging
None = 0
WindowsApplication = 1
ApplicationManager = 2

Name: NetworkConnectionType
HostAddress = 0
IPAddress = 1
UNCPath = 2

Name: SecurityLevel
Restricted = 0
SelfAuthorizing = 1
Unrestricted = 2
AuditOnly = 3
Returns
HRESULT - Returns S_OK if successful.
Parameters
BSTR - the full file path of the configuration to load.

SaveLocalConfiguration (method)
Parameters
BSTR - the full file path of the configuration to load.
BSTR - the xml representation of the configuration to save.

ReadNumCertificatesFromFile (method)
Returns
LONG - the number of certificates used to sign the specified executable file.
Parameters
BSTR - the full file path of the executable file used in determining the certificate count.

ReadCertificateFromFile (method)
Returns
BSTR - the raw certificate data.
Parameters
BSTR - the full file path of the executable file from which the certificate will be read.
LONG - the index of the certificate to read.

ReadSha1HashFromFile (method)
Returns
BSTR - the hash value.
HRESULT - Returns S_OK if successful.
Parameters
BSTR - the full file path of the file for which the hash will be generated.

DefaultConfiguration (property)
This BSTR property contains the xml representation of the default configuration.
The DefaultConfiguration( ) method only returns a configuration in the English language. This means that some group names and other text in the configuration may not be in the native language of the operating system, which can result in the configuration not being applied correctly. For non-English operating systems it is necessary to export the default configuration from the product console on a native operating system. This can be stored as a file on the network or distributed to the machine where the configuration scripting will be performed. Once this is done, use the LoadLocalConfiguration( ) method in place of DefaultConfiguration( ). This will produce the same configuration but in the correct native language.
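Both the SignatureFile object (whose CommandLine key is Sha1Hash + Arguments) and the ReadSha1HashFromFile method above rest on the same idea: a file is identified by the SHA-1 of its contents rather than by its path, so a renamed copy still matches its entry and a same-named but altered file does not. The following Python is an added example, not code from this reference or the product: it computes the hash with the standard library (standing in for ReadSha1HashFromFile), builds the CommandLine key, and looks a candidate file up in a SignatureFileCollection modelled as a dictionary keyed by CommandLine. Joining hash and arguments with a single space and lower-casing the hex digest are this example's own conventions, not the product's, and the sample files are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile


def sha1_hash_of_bytes(data: bytes) -> str:
    """Hex SHA-1 of an in-memory buffer (lower-case by this example's convention)."""
    return hashlib.sha1(data).hexdigest().lower()


def sha1_hash_of_file(path: str) -> str:
    """Stand-in for ReadSha1HashFromFile: hex SHA-1 of the whole file, read in 64 KiB chunks."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().lower()


def signature_command_line(sha1_hash: str, arguments: str = "") -> str:
    """Build the SignatureFile.CommandLine key documented as Sha1Hash + Arguments.

    The single-space join and lower-casing are this example's assumptions.
    """
    return f"{sha1_hash.lower()} {arguments}".strip()


def matches_signature_entry(path: str, arguments: str, signature_files: dict) -> bool:
    """Look a file up in a SignatureFileCollection (Map keyed by CommandLine) by content hash."""
    return signature_command_line(sha1_hash_of_file(path), arguments) in signature_files


def demo() -> dict:
    """Constructed sample: one approved binary, a renamed copy of it, and a same-named altered build."""
    approved = b"MZ constructed sample binary contents, not a real executable"
    altered = approved + b"\x90"
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "tool.exe")
        renamed = os.path.join(tmp, "notepad.exe")
        other_dir = os.path.join(tmp, "other")
        os.mkdir(other_dir)
        same_name = os.path.join(other_dir, "tool.exe")
        for p, data in ((original, approved), (renamed, approved), (same_name, altered)):
            with open(p, "wb") as f:
                f.write(data)

        # A SignatureFileCollection modelled as a Map: key is CommandLine, value is the SignatureFile entry.
        entry_hash = sha1_hash_of_file(original)
        collection = {
            signature_command_line(entry_hash, "/quiet"): {
                "Path": original,
                "Description": "Approved build",
                "Arguments": "/quiet",
                "SHA1Hash": entry_hash,
                "Version": "1.0.0.0",
            }
        }
        return {
            "original": matches_signature_entry(original, "/quiet", collection),
            "renamed_copy": matches_signature_entry(renamed, "/quiet", collection),
            "altered_same_name": matches_signature_entry(same_name, "/quiet", collection),
            "other_arguments": matches_signature_entry(original, "/silent", collection),
        }


if __name__ == "__main__":
    for case, matched in demo().items():
        print(f"{case}: {'matches' if matched else 'no match'}")
```

Because the key includes Arguments as well as the hash, the same approved binary launched with different arguments is a separate entry; the last sample case shows that an entry for `/quiet` does not cover `/silent`.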
Licensing
11
In this Section:
Licensing on page 212
About License Manager on page 213
Managing Licenses on page 214
LICENSING
The AppSense License Manager allows you to create and manage AppSense product licenses. This section provides details about using the console and describes the following processes:
Add and Activate a License on page 214
To Import a License File on page 215
To Export a License File on page 215
Manage licenses for single products, the AppSense Management Suite or Evaluation licenses. Export license packages to MSI file format for saving to the AppSense Management Center or other computers which can be remotely accessed.
It is recommended to use the Management Center Enterprise Licensing for Enterprise installations.
When License Manager is launched, details of current licenses are displayed in the console.
License Type | Description
--- | ---
(license type not given in source) | Full Suite license. Requires activation using the activation code sent from AppSense with the license code.
Application Manager | Single product license. Requires activation using the activation code sent from AppSense with the license code.
Evaluation | Full Suite or single product licenses. Evaluation licenses are available during the first installation of the product and do not require activation. They are valid for 21 days.
MANAGING LICENSES
The following procedures show how to add and activate a new license, import and export licenses to Microsoft Windows Installer files (*.msi), or back up a set of licenses.
1. Click Add to create a new entry in the license grid.
2. Enter the license code in the License Code entry box. You can manually enter each digit or copy and paste the license into the entry box. When a license entry is highlighted, a description displays in the bottom section of the console and includes the following details:
   License Code
   License State - Not Activated, Valid, Invalid.
   Expiry Date - The date that the license runs out.
   Description - The type of license and the product and version it relates to.
   A license is invalid until an Activation Code is entered.
3. Click Activate, enter the activation code into the Activation Code entry box, and click Enter. The license details in the bottom section of the console are updated to match the license. Once a license is active, the icon changes to indicate the current license state.
4. Close the Licensing console. All the settings are automatically saved.
1. Click Import to display the file Open dialog box and navigate to the location of the license MSI file.
2. Click Open to load the license file in the Management Suite Licensing Console.

1. Click Export to display the file Save As dialog box and browse to the location for saving the license MSI file.
2. Provide a name for the file and click Save to save the file. You can copy this file to any network location and load the file in Application Manager or in Management Center Enterprise Licensing.
APPENDIXES
This section provides additional or supporting information about topics covered in the guide and includes:
Streamed Applications
Streamed Applications
CITRIX XENAPP
To set up Citrix XenApp streaming applications to work with certain elements of Application Manager you need to specify certain exclusions, as follows:
1. Navigate to Citrix Streaming Profiler for Windows.
2. Open the Application Profile.
3. Highlight the relevant Target and select the Edit menu.
4. Select Target Properties. The Target Properties screen displays.
5. Select Rules. The Rules work area displays on the right hand side.
6. Click Add in the Rules work area. The New Rule Select Action and Objects dialog box displays.
7. In the Action section leave the default setting as Ignore.
8. In the Object section select Named Objects and click Next. The New Rule Select Objects dialog box displays.
9. Select Some Named Objects and click Add. The Choose Named Object dialog box displays.
10. Add \??\pipe\AppSense* and click OK. This displays in Named Objects on the New Rule Select Objects dialog box.
11. Click Next to display the New Rule Name Rule dialog box.
12. Enter a name for the rule or accept the default and click Finish.
13. Click OK. The Target Properties screen re-displays and the Ignore all named objects rule is now listed in the work area on the right hand side.
14. Save the profile.
15. Repeat for each application profile as required.
GLOSSARY

Terms defined in this glossary: AAC, Accessible Items, Agent, Application Limit, Audit Only, CCA, Configuration, Configuration File, Configuration Profiler, Console, DAC, Deploy, DFS, Digital Signature, DLL, DNS, Event, Fast User Switching, Group Management, GUID, LSA, NetBIOS, Network Connection Item, Node, OU, Prohibited Items, Process Rules, Rule, Security Identifier, Security Level, Self-Authorizing User, SHA-1, SID, Time Limits, Trusted Ownership, Trusted Vendors, UNC, User Rights Management, Wildcards.
AAC
Citrix Advanced Access Control.

Accessible Items
Accessible Items are files, folders, drives or digitally signed files or groups of files in an Application Manager configuration Rule which are allowed to run when file execution requests are matched with the rule security settings and would otherwise be prohibited by other configuration settings. See also: Prohibited Items, Trusted Vendors, User Rights Management.

Agent
A proactive software component which implements the product configuration rules. For example, the Application Manager Agent is software that runs as a Windows service to validate execute requests according to the rules in the configuration installed on a computer.

Application Limit
Application Limits specify the number of instances of an application a user can run. An application limit can be applied to an item in the Accessible Items node.

Audit Only
Security Level assigned to users, groups or devices in an <product name> Rule which audits events according to the Auditing Configuration without applying the rule. Used for passive monitoring in evaluations to assess application usage on the host environment.

CCA
Client Communications Agent. Installed on computers operating in an Enterprise installation to provide a link between the product agent running on a managed computer and the AppSense Management Center. The CCA sends event data generated by the product agents to the Management Server and also polls the Management Server to manage the download and installation of software configuration, agent and package updates. The CCA can be downloaded and installed directly on managed machines from the Management Server website.

Configuration
The Application Manager configuration consists of lists of files/folders that you have decided should be Accessible Items, Prohibited Items and Trusted Vendors. The configuration also contains optional settings and text to be displayed to the user. A configuration is created and managed using the Application Manager Console, is used by the Application Manager Agent, and is saved in Application Manager Package Files (*.aamp). The agent uses the configuration settings to determine whether or not an execute request is to be denied.

Configuration File
An Application Manager configuration exported from the Console and saved to Windows Installer MSI file format. The file can be installed on any computer and the configuration's rules are applied when an Application Manager Agent is present and running as a service on the computer.

Configuration Profiler
Generates reports detailing the current settings in the Configuration. Filtering options allow you to query settings affecting specific users or groups, devices, and files or folders.

Console
AppSense Application Manager software interface.

DAC
Discretionary Access Control.

Deploy
To deliver a configuration or AppSense software component to one or more computers, which can include the local machine.

Digital Signature
Application Manager uses the SHA-1 algorithm for applying a digital signature to uniquely identify files. The signature can be used as a security measure when adding files as Accessible Items, Prohibited Items and Trusted Vendors. Signatures can also be used for allowing applications on non-NTFS formatted drives to run, which Application Manager would otherwise block by default. Add the digital signatures to the Accessible Items list and disable trusted ownership checking for the individual files. Signature Group Management provides easier administration for large groups of signatures. Accessible Items with digital signatures can be used to verify that the file which the user is attempting to run is actually the file permitted by the administrator. Prohibited Items with digital signatures can be used to ensure the file is always prevented from executing, even when the user renames the file.

DLL
Dynamic link library. This is a collection of small programs which may be called upon when needed by an executable that is running. The DLL lets the executable communicate with a specific device such as a printer or may contain source code to do particular functions.

DFS
Distributed File System. A DFS is any file system that allows access to files from multiple hosts sharing via a computer network. This makes it possible for multiple users on multiple machines to share files and storage resources.

DNS
Domain Name System. This is a database system that translates a computer's fully qualified domain name into an IP address. Networked computers use IP addresses to locate and connect to each other. However, IP addresses are difficult to remember. For example, on the web it is easier to remember the domain name www.AppSense.com than its corresponding IP address.
DNS allows you to connect to another networked computer or remote service by using its userfriendly domain name rather than its numerical IP address. EPA Endpoint Analysis. See Endpoint Analysis for more information.
Event
An Event is generated by Application Manager to report file execution requests, overwrites or renames, and Self-Authorizing User decisions. The event number indicates the outcome of the request. Events are logged according to the method set up in the Auditing node.

Fast User Switching
The Fast User Switching feature in Microsoft Windows enables multiple user accounts to log on to a computer simultaneously. With this feature users can switch sessions without closing Windows, programs, and so on. For example, User A is logged on and is browsing the Internet, and User B wants to log on to their user account and check their email. User A can leave their programs running while User B logs on and checks their email. User A can then return to their session, where their programs are still running.

Group Management
Group Management is a library for compiling reusable groups of files, folders, drives, signatures and network connections which can be associated with rules in the configuration. For example, Groups can be used to manage licenses for a suite of software or common sets of applications for assigning to certain user groups.

GUID
Globally Unique Identifier.

LSA
Local Security Authority. This is an important required component of Windows that deals with logon authentication and security policies. It verifies users logging on to a Windows computer or server and handles password changes.

NetBIOS
Network Basic Input/Output System. This is a program that allows applications on different computers to communicate within a local area network (LAN).

Network Connection Item
Network Connection identify.

Node
A node is a term used in the Application Manager Console to represent a branch in the navigation tree.

OU
Organizational Unit. A Microsoft Active Directory container that includes users and computers.

Prohibited Items
Prohibited Items are files, folders, drives or digitally signed files or groups of files specified in an Application Manager Rule which are not allowed to run when file execution requests are matched with the rule security settings and would otherwise be allowed by other Configuration settings. See also: Accessible Items and Trusted Vendors.

Process Rules
Process Rules allow you to manage access for a parent process to run child processes which might be managed differently in other rules. Process Rules include settings for adding Prohibited Items, Accessible Items, Trusted Vendors and User Rights Management.

Rule
A Configuration Rule assigns a Security Level to the specified users or groups, devices and combinations of these, and contains control lists for Accessible Items, Prohibited Items, Trusted Vendors and Process Rules. The Application Manager Agent intercepts kernel-level file execution requests and matches these with the Configuration rules to implement security controls.

Security Identifier (SID)
A data structure of variable length that identifies user, group, and computer accounts. Every account on a network is issued a unique SID when the account is first created. Internal processes in Windows refer to an account's SID rather than the account's user or group name. Likewise, Application Manager also refers to a user or group SID unless the SID could not be found when added to the configuration.

Security Level
Application Manager configuration Rule settings include security levels which specify how to manage requests to run unauthorized applications by the users, groups or devices which a rule matches.
Restricted: Only authorized applications can run. These include files owned by members of the Trusted Owners list and files listed in Accessible Items, Trusted Vendors and Trusted Ownership.
Self-Authorizing: Users are prompted for decisions about blocking or running unauthorized files on the host device.
Audit only: All actions are permitted but events are logged and audited, for monitoring purposes.
Unrestricted: All actions are permitted without event logging or auditing.

Self-Authorizing User
User, group or device granted control to choose whether to block or run an unauthorized application on the host computer. The Self-Authorizing Security Level can be assigned in an Application Manager Rule to match a file execute request for users, groups or devices.
SHA-1
Secure Hash Algorithm 1. The hashing algorithm Application Manager uses to produce digital signatures for files. See Digital Signature.

SID
See Security Identifier.

Time Limits
Settings applied to entries in the Accessible Items and Prohibited Items nodes of an Application Manager Rule which determine the days and time ranges when the controls apply. For example, an entry in the Prohibited Items node of a rule can prevent users from running the local web browser except between the hours of 12pm and 2pm on specific days of the week.

Trusted Ownership
Trusted Ownership checking is a secure method Application Manager uses to prevent users running unauthorized applications. On NTFS formatted drives files have owners, and Application Manager is configured by default to only allow files to be executed if the file owner is a member of the Trusted Owners list. If a user tries to run a file that is not owned by a trusted owner, the execute request is denied and a message notifies the user. Any files downloaded from the internet or received in email are owned by the user, so those files are not permitted to run unless ownership is held by a member of the Trusted Owners list. By default, Application Manager blocks execution requests for all applications on non-NTFS formatted drives.

Trusted Vendors
Trusted Vendors are digital certificates signed by trusted sources. Trusted Vendor checking allows applications which fail Trusted Ownership checking to match digital certificates against the Trusted Vendors list. A list of Trusted Vendors can be defined for each User, Group, Device, Custom and Scripted Rule of the configuration. Application Manager queries each file execution which fails Trusted Ownership checking to detect the presence of a digital certificate. If the file has a digital certificate which is signed by a certificate authority matching a valid entry in the Trusted Vendors list, the file is allowed to run. Trusted Vendor matching takes place when a file is prohibited by failing Trusted Ownership checking and Trusted Application checking.

UNC
Universal Naming Convention. This is a NetBIOS naming format for identifying the location of servers, printers, and other resources on a local area network (LAN). Almost all LANs are based on NetBIOS, making a NetBIOS naming format an easy and compatible way to access files and resources across a network. UNC begins with two backslashes (\\) and takes the form \\Computer_name\Share_name.
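The Digital Signature, Security Level, Trusted Ownership and Trusted Vendors entries each describe one of the checks the agent applies to a file execution request. The following Python model, added here as an illustration and not AppSense's own code, puts those checks into a single decision function over constructed requests, including a renamed copy of a file that is still caught by its SHA-1 signature. The order in which Prohibited Items and Accessible Items are consulted, the audit behaviour per Security Level, and every path, SID, file content and vendor name are assumptions, marked as such in the comments.

```python
"""Model of an Application Manager rule decision (added example, not AppSense code).

Points the glossary does not spell out are marked ASSUMPTION.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from enum import Enum


class SecurityLevel(Enum):
    RESTRICTED = "Restricted"
    SELF_AUTHORIZING = "Self-Authorizing"
    AUDIT_ONLY = "Audit only"
    UNRESTRICTED = "Unrestricted"


@dataclass
class ExecRequest:
    """A file execution request as the agent would see it (constructed input)."""
    path: str
    owner_sid: str            # SID of the file owner on disk
    content: bytes            # file bytes; hashed with SHA-1 to form the digital signature
    is_ntfs: bool = True      # non-NTFS drives are blocked by default
    vendor: str | None = None  # certificate authority that signed the file, if any


@dataclass
class Rule:
    security_level: SecurityLevel
    trusted_owners: set[str]
    accessible_items: set[str] = field(default_factory=set)  # paths or "sha1:<hex>"
    prohibited_items: set[str] = field(default_factory=set)  # paths or "sha1:<hex>"
    trusted_vendors: set[str] = field(default_factory=set)


@dataclass
class Outcome:
    decision: str       # "allow", "deny" or "prompt"
    reason: str
    event: str | None   # audit event text, or None when nothing is logged


def sha1_signature(content: bytes) -> str:
    """Digital signature as the glossary defines it: SHA-1 over the file bytes."""
    return "sha1:" + hashlib.sha1(content).hexdigest()


def _listed(item_list: set[str], req: ExecRequest) -> bool:
    """Match by path (case-insensitive, as Windows paths are) or by SHA-1 signature.

    A signature entry matches whatever the file is called, which is why a renamed
    copy of a prohibited file is still caught.
    """
    by_path = {i.lower() for i in item_list if not i.startswith("sha1:")}
    return req.path.lower() in by_path or sha1_signature(req.content) in item_list


def evaluate(rule: Rule, req: ExecRequest) -> Outcome:
    def done(decision: str, reason: str) -> Outcome:
        # ASSUMPTION: every decision raises an audit event except under Unrestricted,
        # which the glossary describes as "without event logging or auditing".
        event = None
        if rule.security_level is not SecurityLevel.UNRESTRICTED:
            event = f"{decision.upper()} {req.path} owner={req.owner_sid} reason={reason}"
        return Outcome(decision, reason, event)

    # ASSUMPTION: Prohibited Items are checked before Accessible Items (deny wins on conflict).
    if _listed(rule.prohibited_items, req):
        return done("deny", "prohibited item")
    if _listed(rule.accessible_items, req):
        return done("allow", "accessible item")
    # Trusted Ownership: allowed when the owner is trusted, but only on an NTFS volume.
    if req.is_ntfs and req.owner_sid in rule.trusted_owners:
        return done("allow", "trusted owner")
    # Trusted Vendors: consulted only after Trusted Ownership checking has failed.
    if req.vendor is not None and req.vendor in rule.trusted_vendors:
        return done("allow", "trusted vendor")
    # Unauthorized file: the rule's Security Level decides.
    level = rule.security_level
    if level is SecurityLevel.RESTRICTED:
        return done("deny", "unauthorized (Restricted)")
    if level is SecurityLevel.SELF_AUTHORIZING:
        return done("prompt", "user decides (Self-Authorizing)")
    if level is SecurityLevel.AUDIT_ONLY:
        return done("allow", "permitted but audited (Audit only)")
    return done("allow", "Unrestricted")


if __name__ == "__main__":
    # ASSUMPTION: SIDs, paths and contents below are constructed for the demo.
    admins, user = "S-1-5-32-544", "S-1-5-21-1000"
    rule = Rule(SecurityLevel.RESTRICTED, trusted_owners={admins},
                prohibited_items={sha1_signature(b"MZ blocked payload")})
    for name in (r"c:\users\alice\blocked.exe", r"c:\users\alice\renamed.exe"):
        print(evaluate(rule, ExecRequest(name, user, b"MZ blocked payload")))
```

The model makes the deny-wins ordering explicit in one place, so an administrator reviewing a configuration can reason about which list a given file falls into. SHA-1 is what the product documents; note that SHA-1 is no longer considered collision resistant, so a file-identification scheme built today would use SHA-256.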
User Rights Management
User Rights Management provides a granular approach to delegating administrative rights to users and applications by assigning rights according to merit. This level of control can be deployed to elevate or restrict privileges on a case-by-case basis according to the preferred approach taken in the environment.

Wildcards
Both the asterisk (*) and question mark (?) characters can be used in a file or folder path in the Application Manager Console. The asterisk represents one or more characters, excluding the backslash (\) character, whilst the question mark represents exactly one character, excluding the forward slash (/) character. Both wildcard characters can be used in any part of a file path, including the drive letter for local paths. For example, c:\sample path\test?\*.exe matches all files with the .exe extension in the folders c:\sample path\test1, c:\sample path\test2, ... c:\sample path\testn. But since the question mark replaces only one character, it does not match c:\sample path\test100. The only limitation imposed by Application Manager on the use of wildcards is that the asterisk cannot be used to match more than one subdirectory.
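The wildcard rules above differ from ordinary glob matching in two ways that matter when reviewing a configuration: the asterisk stops at a backslash, so it never silently spans a subdirectory, and the question mark is exactly one character. The Python matcher below is an added example, not AppSense's own code, that encodes those rules as a regular expression and checks the glossary's own c:\sample path\test?\*.exe case, plus a drive-letter wildcard and a subdirectory the asterisk must not cross. Case-insensitive matching is an assumption based on Windows path semantics, and all sample paths are constructed.

```python
"""Wildcard matcher for Application Manager path patterns (added example, not AppSense code)."""
import re


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a console path pattern into a compiled regular expression.

    '*' : one or more characters, never a backslash (so it cannot span a subdirectory)
    '?' : exactly one character, excluding the forward slash, as the glossary states
    ASSUMPTION: matching is case-insensitive, like Windows paths.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(r"[^\\]+")
        elif ch == "?":
            parts.append(r"[^/]")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def matches(pattern: str, path: str) -> bool:
    """True when the whole path matches the pattern (fullmatch, so no partial hits)."""
    return wildcard_to_regex(pattern).fullmatch(path) is not None


def select(pattern: str, paths: list[str]) -> list[str]:
    """Return the subset of paths a configuration entry with this pattern would cover."""
    return [p for p in paths if matches(pattern, p)]


if __name__ == "__main__":
    # Constructed sample paths exercising the glossary's example pattern.
    sample = [
        r"c:\sample path\test1\app.exe",
        r"c:\sample path\test2\tool.exe",
        r"c:\sample path\test100\app.exe",     # '?' is one character only
        r"c:\sample path\test1\sub\app.exe",   # '*' cannot cross a subdirectory
    ]
    for p in select(r"c:\sample path\test?\*.exe", sample):
        print(p)
```

Running a candidate entry through select() against an inventory of real executable paths is a cheap way to see exactly which files an Accessible or Prohibited Items entry will cover before deploying the configuration.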