
AppSense Application Manager

Version 8.2 | Product Guide


AppSense Limited, 2011 All rights reserved. No part of this document may be produced in any form (including photocopying or storing it in any medium) for any purposes without the written permission of AppSense Limited, except in accordance with applicable law. Furthermore, no part of this document may be sold, licensed or distributed. The doing of an unauthorized act in relation to a copyright work may result in both a civil claim for damages and criminal prosecution. The information contained in this document is believed to be accurate at the time of printing and may be subject to change without notice. Any reference to a manufacturer or product does not constitute an endorsement of, or representation or warranty (whether express, implied or statutory) in respect of, the manufacturer or product or the use of the product with any AppSense software. This document does not grant any right or license to you in respect of any patents, patent applications, trademarks, copyrights, or other intellectual property rights in or relating to the subject matter of this document. Where relevant, any AppSense software provided pursuant to or otherwise related to this document shall only be licensed to you on and subject to the end user license agreement which shall be displayed and which you shall be required to accept prior to accessing or using the software. AppSense is a registered trademark of AppSense Holdings Limited or its affiliated companies in the United Kingdom, the United States and/or other countries, Microsoft, Windows and SQL Server are all registered trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual products and companies mentioned in this document may be the trademarks of their respective owners. Patents AppSense Performance Manager includes patented technology. All rights reserved.

C O N T E N T S

Welcome
About this Document
Terms and Conventions
Feedback

Section 1: About Application Manager
About Application Manager
Key Benefits
Feature Summary
Architecture
Console
Software Agent
Configuration

Section 2: General Features
Trusted Owners
Whitelists
Extension Filtering
Options
Application Termination
Application Termination Options
Customize Application Termination Message
Message Settings
Access Denied
Application Limits Exceeded
Time Limits
Self-Authorization
Network Connections
Archiving
Archiving Settings
Global Properties
File Options
Folders

Section 3: Security Methods
Introduction
Method 1 - Trusted Ownership
Application Manager and Trusted Ownership
Trusted Ownership Rule
Method 2 - Digital Signatures
Signature Wizard
Method 3 - Trusted Vendors
Certificate Verification
Advanced Options
Method 4 - Whitelist vs. Blacklist vs. Trusted Ownership
Whitelist Model
Blacklist Model
Application Manager and Whitelists
Access Times
Application Limits
Security Method Recommendation

Section 4: Configuration
Configuration Files
Default Configuration
Protection
Default Settings
Configuration Elements
Rule Matching
Customize a Configuration
Define Users
Specify Group and User Rule Items
Specify Device, Custom, Scripted, and Process Rules
Example Configuration Procedures
Configuration Profiler

Section 5: User Rights Management
Overview
Least Privilege
Common Tasks that Require Administrative Privileges
User Rights Management v Run As
User Rights Management Benefits
Use Cases
Technology
User Rights Management Mechanism
Configuring User Rights Management
Example Configurations
Web Installations
Snippets

Section 6: Application Network Access Control
Overview
About Application Network Access Control
Technology
Define Network Access Policies and Rules
Auditing
Configuring Application Network Access Control

Section 7: Endpoint Analysis
Endpoint Analysis Overview
Endpoint Analysis Scans
Endpoint Scan
Application Usage Scan
Order of Scans
Working with Endpoint Analysis
Adding Files to a Configuration

Section 8: Auditing
Overview
Logging
Windows Application Event Log
AppSense Event Log
Anonymous Logging
Local Log File
Local Event Filter
Event Filtering

Section 9: Rules Analyzer
About Rules Analyzer
The Console
Working with Rules Analyzer
Log Files

Section 10: Scripting
Overview
Sample Scripting Reference
Loading and Saving Configurations
Default Rules
Group Rules
User Rules
Device Rules
Custom Rules
Scripted Rules
Process Rules
Rule List Items
Configure Properties
Network Connections
User Rights Management (URM)
Object Types
Configuration Object
Configuration Helper Object

Section 11: Licensing
Licensing
About License Manager
Managing Licenses

Streamed Applications
Glossary

W E L C O M E

In this Section:
About this Document on page ix
Terms and Conventions on page x
Feedback on page x

ABOUT THIS DOCUMENT


This product guide is for use by AppSense Application Manager administrators. It provides information on how Application Manager works and describes its components and architecture. The aim of the guide is to enable the administrator to optimize the effectiveness of Application Manager and assist in troubleshooting any issues that may arise.

Document Information
Document Version: AM Product 8.2, 2011/04/01


TERMS AND CONVENTIONS


The following table (Table iii.1, Terms and Conventions) shows the textual and formatting conventions used in this document:

Bold: Highlights items you can select in Windows and the product interface, including nodes, menu items, dialog boxes and features.
Code: Used for scripting samples and code strings.
Italic: Highlights values you can enter in console text boxes, and titles of other guides and Helps in the documentation set.
Green + underlined: Indicates a Glossary link.
>: Indicates the path of a menu option. For example, "Select File > Open" means "click the File menu, and then click Open."
Note: Highlights important points of the main text or provides supplementary information.
Tip: Offers additional techniques and help for users, to demonstrate the advantages and capabilities of the product.
Caution/Warning: Provides critical information relating to specific tasks or indicates important considerations or risks.
Further Information: Provides links to further information which include more detail about the topic, either in the current document or related sources.

FEEDBACK
The AppSense Documentation team aims to provide accurate and high quality documentation to assist you in the installation, configuration and ongoing operation of AppSense products. We are constantly striving to improve the documentation content and value any contribution you wish to make based on your experiences with AppSense products. Please send any comments to the following email address: documentation.feedback@appsense.com
Thanks in advance,
The AppSense Documentation team

About Application Manager

In this Section:
About Application Manager on page 1
Key Benefits on page 2
Feature Summary on page 2
Architecture on page 6

ABOUT APPLICATION MANAGER


Application Manager provides centralized management of corporate application control, eliminating unauthorized application usage and controlling application network access enterprise wide. It provides protective measures such as blocking the execution of all unauthorized software, together with extensive options for creating rules to manage production application usage. Application Manager also includes User Rights Management, which allows the administrator to create reusable user rights policies that can be associated with any rule and can elevate or restrict access to files, folders, drives, signatures, application groups and Control Panel applets. User Rights Management enables users with no administrative privileges to have elevated rights for specified applications. Similarly, it can restrict access to specified applications for users that do have administrative rights. Application Manager is part of a closely integrated system of management components and can be centrally configured and deployed to desktops, servers and Terminal Servers throughout the enterprise using the AppSense Management Center.
For more information on the Management Center see the AppSense Management Center Help and the AppSense Management Center Product Guide.

KEY BENEFITS
There are several key benefits to using Application Manager.

Protects against malicious code.
Controls role-based application usage.
Elevates and reduces user rights for applications, Control Panel components and Management Snap-ins.
Terminates applications based on trigger points.
Allows child applications to run from authorized applications.
Contains out-of-the-box protection against all unauthorized application usage.
Stops unauthorized device license usage.
Applies time restrictions on when applications can or cannot be run.
Manages control of network access from within applications.
Manages control of network access based on location.

License management:
Maintains the environment in the desired state.
Increases visibility into the application landscape.
Enforces licensing and ensures compliance.
Reduces support calls.
Improves user acceptance.

FEATURE SUMMARY
Application Manager provides the following key features for application control:

User Rights Management
User Rights Management allows you to create reusable User Rights policies which can be associated with any rules and can elevate or restrict access to files, folders, drives, signatures, application groups, and Control Panel components. A more granular level of control allows you to assign specific privileges for debugging or installing software. User Rights Management contains four primary functions:
Elevating user rights for applications
Elevating user rights for Control Panel components and Management Snap-ins
Reducing user rights for applications
Reducing user rights for Control Panel components and Management Snap-ins
For more information see User Rights Management on page 77.

Trusted Ownership
By default, only application files owned by an administrator or the local system are allowed to execute. Trusted Ownership is determined by reading the NTFS owner of each file which attempts to run, not its permissions or its name; a file copied or written by a standard user is owned by that user and is therefore blocked. Application Manager automatically blocks any file where ownership cannot be established, such as files located on non-NTFS drives, removable storage devices, or network locations. These files can optionally be allowed to run either by specifying them as Accessible Items or by configuring a Self-Authorizing User rule. The Trusted Owner list can be configured to suit each environment.
For more information see Security Methods on page 41.

Rules: User, Group, Device, Custom, Scripted and Process
Extend application accessibility by applying rules based on username, group membership, computer, connecting device, scripts and parent processes, or combinations of these. Accessible Items, Prohibited Items, Trusted Vendors and User Rights Management can be specified in each rule, and are applied to a user session based on the environment in which the user operates.

Scripted Rules
Scripted Rules allow administrators to apply Accessible Items, Prohibited Items, Trusted Vendors and User Rights Management policies based on the outcome of a VBScript. The VBScript can be run for each individual user session or run once per computer.

Process Rules
Process Rules apply to parent processes to manage access to child processes to the level required. Process Rules include Accessible Items, Prohibited Items, Trusted Vendors and User Rights Management.

Trusted Vendors
Allow applications signed with certificates from trusted sources to run where they would otherwise be prohibited by Trusted Ownership checking. Define a list of Trusted Vendor certificates for each User, Group, Device, Custom, Scripted, and Process rule in the configuration.

For more information see Security Methods on page 41.

Application Termination
Application Manager provides the ability to shut down an application, with various shutdown options, based on trigger points such as a change to an IP address, a connecting device, or the application access entitlement configuration.
For more information see General Features on page 13.

Network Connections
Control the network resources an application may reach, by IP address, UNC path or host name. Application Manager can also manage access based on the location of the requester, for example whether the client is connecting via VPN or directly to the network.
For more information see Application Network Access Control on page 115.

Digital Signatures
Digital Signature checks, which in Application Manager are SHA-1 hashes of the file content, may be applied to any number of application control rules, providing enhanced security where NTFS permissions are weak or non-existent, or for applications on non-NTFS formatted drives. Because a hash identifies exact content, any change to the file, including a vendor update, produces a new value and the entry must be regenerated. A digital signature wizard allows easy creation and maintenance of large digital signature lists.
For more information see Security Methods on page 41.

Endpoint Analysis Allows an administrator to browse to any endpoint and retrieve a list of applications that have been installed on that device. Application Manager records which applications are started and by whom. The recording of data is started and stopped by the administrator. Organize the files into authorized and unauthorized groups to quickly create a policy. The configurations can be deployed to a user, a group of users, a machine, or a group of machines. Endpoint Analysis is on demand and inactive by default.
For more information see Endpoint Analysis on page 128.

Offline Entitlement
Users are increasingly mobile, so it is important that entitlement rules are enforced when the user is not connected to the corporate network. Application Manager ensures users only access the applications and resources they have permission to when offline by using entitlement rules held on the endpoint device.

Passive Monitoring
Application Manager can monitor application usage without preventing users from running applications. Passive Monitoring can be enabled or disabled on a per user, device or group basis and provides a tool to track user behavior prior to full implementation or to understand application usage for software license management.

Self-Authorizing Users
Provides the option for users to execute applications that they have introduced into the system. Applications can be added to a secure machine while outside of the office without relying on IT support. A comprehensive audit can detail information such as application name, time and date of execution and device. Additionally, a copy of the application can be taken and stored centrally for examination.

Application Limits and Time Restrictions
Apply a policy to control the number of application instances a user can run, along with the times at which it can run. A policy can be created to control or enforce licensing models by controlling application limits on a per device basis.

AppSense Configuration Templates
AppSense provides a number of best practice configuration templates that can be imported into Application Manager. Application Manager can import a number of configuration files and use these in combination.

Auditing
Events are raised by Application Manager according to the default Event Filtering configuration and audited directly to a local log file or the Windows Event Log. Alternatively, events can be forwarded to the AppSense Management Center via the Client Communications Agent (CCA). The Application Manager audit event reports available in the Management Center can also be used to provide details of current application usage across the enterprise.
For more information see Auditing on page 139.

Windows Script Host Validation
The default configuration in Application Manager validates all Windows Script Host (WSH) scripts, such as VBS, against the configuration rules. This ensures that users can only invoke authorized scripts, eliminating the risk of introducing WSH scripts that contain viruses or malicious code. The validation settings can be disabled in the console, along with validation of .bat files, self-extracting files, registry files, and Windows Installer (MSI) files. Each validation you disable is a class of content that is no longer checked against the rules, so disable one only when another control covers that file type.

For more information see General Features on page 13.

Functionality Cut-Off Settings
Enable and disable certain features in Application Manager either if not in use or when troubleshooting issues in your configurations. The functionality which you can manage in this way includes:
Application Access Control
Application Network Access Control
User Rights Management
For more information see General Features on page 13.

ARCHITECTURE
This section provides details on the architecture of Application Manager.

Console on page 7
Software Agent on page 8
Configuration on page 11

Figure 1.1 Application Manager Architecture

Console
The Application Manager console launches when the link is selected in the Start > All Programs > AppSense menu. The console enables you to create, view, edit and save configurations for Application Manager. The console includes the Configuration Profiler, which you can use to review the probable effect of a configuration on users. The Rules Analyzer records the actual effect of the configuration on users on an endpoint which has the Application Manager agent installed and running. The Endpoint Analysis tool records application usage and catalogs the installed applications on an endpoint that has the Application Manager agent installed.

Figure 1.2 Application Manager Console

Console Installer
The console installer is an MSI package that contains all the files needed to install the console on a computer. Both 32-bit and 64-bit installers are provided.

Software Agent
Application Manager is installed and run on endpoints using a lightweight agent. The agent is installed directly onto the local computer. Both agents and configurations are constructed as Windows Installer (MSI) packages and so can be distributed using any third party deployment system which supports the MSI format. The installers are delivered in separate 32-bit and 64-bit MSI packages. For Application Manager to function, the agent must be installed on the client machine together with an associated configuration. The installation may be performed manually or by means of a deployment system such as the AppSense Management Center. Since agents and configurations are installed and stored locally on the endpoint, they continue to operate when the endpoint is disconnected or offline.

The Application Manager agent installs a Windows Service (the AppSense Application Manager Service), a filter driver, and a hook. The hook sits above the driver and intercepts all executables; unlike the driver, it does not intercept DLLs. If an executable is not intercepted by the hook it is intercepted by the driver. The driver intercepts execution requests made within the operating system that pass from the I/O Manager to the drive and device subsystems, for example NTFS.SYS or the LanMan Redirector for Microsoft Networking Services. The driver does not intercept ordinary file access such as the opening of a document or text file.

Every create process request is intercepted by the hook. When the request is intercepted by the hook it is passed to the Application Manager Agent Service for validation against the configuration settings, which returns an execution granted or denied response that is dealt with by the hook or the driver, depending on which sent the request. If the response is granted, the request is passed on to the relevant file system driver to continue with the application loading from disk. In the case of a denied executable or script, the agent replaces the original path with Application Manager's customizable message box (AMMessage). This effectively blocks access to the originally requested executable and instead displays a message to the user. When a DLL is blocked, no Application Manager message is displayed; the user sees the default operating system error instead.

Agent Service
The Application Manager Agent Service runs as a SYSTEM service on each computer that is to be controlled using the Application Manager component. The agent provides the intelligence for dealing with the execution requests passed from the Application Manager kernel level driver and the hook. Each and every execution request is validated against the configuration settings that are held on each local machine containing the Application Manager agent software. Along with the details of the application request, the agent service checks who the user is and which computer the request originates from, so that user, group, client and custom rules function as expected. The configuration is stored in a local configuration file for performance and control reasons. This means that all requests can be turned around in minimum time and, perhaps more importantly, without the need for a network link to a central server, ensuring that unconnected machines, such as laptops, remain secured even when not physically connected to the Local Area Network.

Agent Assist
Agent Assist provides support for the agent. Instances of Agent Assist are started on demand by the agent and run using the SYSTEM account. Each Agent Assist is specific to a user session; if Agent Assist is initiated, no more than one instance runs in a session. Once started, Agent Assist typically remains running until the session logs off or the agent is stopped. Agent Assist does the following:
Enforces time limits on applications.
Prompts Self-Authorizing Users to confirm whether to allow prohibited DLLs (applications are handled by Agent Assist).
Performs auditing for events 9006, 9007 and 9017:
9006 - Self-authorization decision by user.
9007 - Self-authorized execution request.
9017 - An application has been terminated by Application Manager.

On 64-bit systems, Agent Assist can start the 32-bit DLL component which installs the 32-bit Application Hook into 32-bit applications running in the same user session.

DLL Injection Assist
DLL Injection Assist is a 32-bit component which is only installed on 64-bit systems. It is used solely by Agent Assist to install the 32-bit application hook into 32-bit applications running in the same user session.

Filter Drivers
The agent intercepts, then validates all application execution requests against the configuration. It then either grants or denies access to the executable content. The agent also triggers auditing events which are collected by the AppSense Client Communications Agent.
For more information on the Client Communications Agent see the AppSense Management Center Product Guide.

The driver only intercepts execution requests placed against the operating system, since it sits between the I/O Manager (in the Executive Services) and the actual device drivers for the file systems themselves (for example, NTFS.SYS, CDROM.SYS, or the LanMan Redirector for Microsoft Networking Services). The driver does not intercept ordinary file access such as the opening of a text file, document or presentation. Every intercepted request is passed on to the Application Manager Agent Service for validation against the current configuration. The agent service returns an allowed or denied response which is dealt with by the filter driver. If the response is allowed, the request is passed on to the relevant file system driver to continue with the application loading from disk. If the request is denied, the filter driver replaces the request with Application Manager's error handling system, which is responsible for displaying a fully customized message box to the end user. This error handling effectively blocks access to the requested executable code by reporting success to the originating process while the AppSense customized message box is displayed in place of the expected executable code. This prevents the operating system from displaying a File Not Found or Access Denied message.

The driver is a lightweight driver which filters file system requests for files, but not folders, that carry Execute, Overwrite or Rename access requests. The driver sends requests to the Application Manager agent for authorization. Depending on the response from the agent, the driver allows, redirects, or denies the request. The driver only redirects as a fallback, if the request is missed by the hook. When it redirects, the driver redirects to one of the Message Box applications. The filter driver can be dynamically started but cannot be stopped without a reboot. It is installed in %systemdrive%\Program Files\ApplicationManager\Agent\AmFilterInstall and is called AMFilterDriver.sys.

Mini Filter Driver
The mini filter driver is a lightweight driver which filters file system requests for both files and folders on UNC paths, but not for local drives. The driver sends requests to the agent for authorization. Depending on the response from the agent, the driver allows or denies the request. It is installed in %systemdrive%\Program Files\ApplicationManager\Agent\AmMiniFilterInstall and is called AMMiniFilterDriver.sys. The mini filter driver can be dynamically started and stopped.

Application Hook
The Application Hook is a DLL which is loaded into every user process. It sends create process and network requests to the agent for authorization. In the event of a blocked executable, the original request is replaced with a request for AMMessage. In the event of a blocked network request, access to the network resource is denied. If any token modification is required as part of User Rights Management, an appropriate request is sent to the agent. The agent sends back a modified token which is used to launch the requested process. For Application Network Access Control (ANAC), because the volume of network requests is high, the results provided by the agent are cached in the memory of the application. This is essential to avoid a dramatic performance degradation of network traffic.
For more information on ANAC see Application Network Access Control on page 115.

Configuration
AppSense Application Manager configuration files (.aamp files) contain the rule settings for securing your system. The agent checks the configuration rules to determine the action to take when intercepting file execution requests. Configurations are stored locally in the All Users profile and are protected by NTFS security. In standalone mode, configuration changes are written directly to the file system from the Application Manager console. In Enterprise mode, configurations are stored in the AppSense Management Center database, and distributed in MSI format using the AppSense Management Center console.
For more information on the Management Center see the AppSense Management Center Help and the AppSense Management Center Product Guide.

Configurations can also be exported and imported to and from MSI file format using the Application Manager console. This is useful for creating templates or distributing configurations using third party deployment systems.

After creating or modifying a configuration you must save the configuration (and deploy it if necessary) to ensure that the changes take effect.

General Features

In this Section:
Trusted Owners on page 14
Extension Filtering on page 17
Options on page 19
Application Termination on page 21
Message Settings on page 26
Archiving on page 36


TRUSTED OWNERS
During the rule matching process, Trusted Ownership checking is performed on files, folders and drives to ensure that the ownership of the items matches the list of Trusted Owners specified in the default configuration. For example, if a match is made between the file you want to run and an Accessible Item, an additional security check ensures that the file ownership also matches the Trusted Owners list. If a genuine file has been tampered with, or if a file which contains a security threat has been renamed to resemble an accessible file, Trusted Ownership checking identifies the irregularity and prevents the file from executing. Trusted Ownership checking is not necessary for items matched by digital signature, because the SHA-1 hash already ties the match to the exact file content and cannot be satisfied by a renamed or modified file. The list of Trusted Owners is maintained in the Trusted Owners dialog box available from the General Features ribbon page > Default Restrictions group.

Figure 2.1 Trusted Owners Dialog Box

Application Manager trusts all local administrators and system owned applications by default. You can extend this list to include other users or groups. The Enable Trusted Ownership checking option within the dialog box is selected by default, thus enabling Trusted Ownership from the outset.


When the "Change a file's ownership when it is overwritten or renamed" option is selected, Application Manager selectively changes the NTFS file ownership of executable files when they are overwritten or renamed. If a user who is not a Trusted Owner overwrites a file which is accessible due to Trusted Ownership or an Accessible Item rule, the file keeps its trusted owner even though its contents have changed, which could constitute a security threat. Application Manager therefore changes the ownership of an overwritten file to the user performing the action, making the file untrusted and keeping the system secure. Likewise, renaming a prohibited file to the name of an Accessible Item could constitute a security threat. Application Manager also changes the ownership of these files to the user who performs the rename action and ensures the file remains untrusted.
Overwrite and rename actions are both audited. For more information on auditing see Auditing on page 139.

To ignore Trusted Ownership for individual files, deselect the Trusted Ownership option for an Accessible Item.

Figure 2.2 Trusted Ownership Checking

If you choose to ignore Trusted Ownership it is recommended to assign Self-Authorization status to allow the user to decide whether or not to allow a file to run.


Set the Self-Authorizing level for a Group, User, Device, Custom, Scripted, or Process rule.

Figure 2.3 Self-Authorizing Security Level for a User Rule


Whitelists
You can use a whitelist approach where nothing is allowed to run by default, other than the executables contained in the whitelist. Deselect the Make local drives accessible by default option in the Options dialog box available from the General Features ribbon page > Default Restrictions group.

Figure 2.4 Make local drives accessible by default option

If you do use the whitelist approach, ensure that you allow important system files to run, by adding all of the relevant files or folders to the Accessible Items for the Everyone group. Otherwise, many crucial executable files and .dll files, such as those stored in the system32 directory, can be prevented from running and adversely affect core system functions.
For more information on Trusted Ownership, Whitelist methods and security see Security Methods on page 41.

EXTENSION FILTERING
The Extension Filtering feature is used to determine if the configuration should check certain file types or if it should ignore certain file types. This feature is disabled by default. The Extension Filtering dialog box is available from the General Features ribbon page > Default Restrictions group.


Figure 2.5 Extension Filtering Dialog Box

For example, to only check .exe files and .vbs files, select the Enable extension filtering and Only check files with extensions in the list below options. Use the Add button to add the file extensions. Once the configuration is saved, the Application Manager agent only checks the files with the specified extensions against the rules when execution requests occur against the computer that the configuration is deployed to. Use the Exclude files with extensions in the list below option to not check files with particular extensions, for example, to not check any .dll files. The default configuration within Application Manager does not have any extension filtering configured. Therefore, all executable code, irrespective of its file extension, is checked. This is the most secure option since nothing can get past the agent unless it has been expressly configured in the remainder of the rules.


OPTIONS
Various options for Application Manager are provided in the Options dialog box available from the General Features ribbon page > Default Restrictions group.

Figure 2.6 Options Dialog Box

The various options are split into three categories:

General Features
Validation
Functionality

These options provide general Application Manager settings to apply to all application and process requests. Options are also available for enabling and disabling functionality. For example, you can run Application Manager using User Rights Management functionality only.
By default, all functionality options are enabled.

The following table describes each option in the Options dialog box and identifies whether the feature is selected by default.


Table 2.1 Application Manager General Options

General Features

Make local drives accessible by default - Select this option to make Application Manager configurations blacklists. Everything on the local drive is allowed unless it is specified in the Prohibited Items list, or it fails Trusted Ownership. Deselect this option to make the configuration a whitelist. Everything on the local drive is blocked unless it is specified in the Accessible Items list. Note: A whitelist configuration is the most secure. However, this type of configuration is time consuming to configure and can affect endpoint stability, as all unspecified applications are blocked.

Allow cmd.exe for batch files - It is expected that cmd.exe is prohibited by administrators. This option allows cmd.exe to run provided it is executing an allowed batch file with the /c command line switch. This particular switch ensures that cmd.exe is shut down after completing the batch file run.

Ignore restrictions during logon - During logon the computer may execute a number of essential applications. Blocking these can cause the computer to function incorrectly, or not at all. Hence, this option is selected by default.

Extract self-extracting ZIP files - A self-extracting ZIP file is an executable, with a .exe extension, that contains a number of compressed files and a small application to extract them. Self-extracting ZIP files are often used as an alternative to distributing and installing an application by an MSI file, as typically the executable is smaller in size. This option allows the compressed file contents to be decompressed and extracted to disk, even if the parent file would normally be prohibited, so that the contents of the file can be accessed. Once the contents have been extracted, any executable content it contains is still subject to the normal Trusted Ownership checks and is prevented from executing if the owner is not a Trusted Owner. This is useful for scenarios where the self-extracting ZIP file may contain non-executable content such as a document that the user requires. If this option is deselected, the self-extracting ZIP file is treated as a standard executable and can be prevented from executing (and hence extracting its contents) subject to the normal rule processing.

Ignore restrictions during Active Setup - By default, all applications which run during Active Setup are subject to the Application Manager rules. Select this option to make these applications exempt from rule checks during the Active Setup phase.

Validation

Validate System processes - Select this option to validate any files executed by the system user. Selecting this option means all executables launched by the system are subject to rule validation. Note that it is not recommended to select this option as it increases the amount of validation occurring on the endpoint computer and can block crucial applications from running.

Validate WSH (Windows Script Host) scripts - Selecting this option specifies that the command line contents of scripts run using wscript or cscript are subject to rule validation. Note: Scripts can introduce viruses and malicious code. It is recommended to validate WSH scripts.

Validate MSI (Windows Installer) packages - MSI files are the standard method of installing Windows applications. It is recommended that the user is not allowed to freely install MSI applications. Selecting this option means all MSIs are subject to rule validation. Deselecting this option means that only the Windows Installer itself, msiexec.exe, is validated by the Application Manager rule processing, and not the MSI file that it is trying to run.

Validate Registry files - Select this option to enable rule validation for regedit.exe and regini.exe. Note: It is not recommended to allow users to access the registry or registry files.

Functionality

Enable Application Access Control - Select to enable Application Access Control. Deselect to not validate or block executables.

Enable Application Network Access Control - Select to enable the Application Network Access Control feature. Deselect to not validate or block outbound network connections.

Enable User Rights Management - Select to enable the User Rights Management feature. Deselect to not apply any User Rights policies.
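The following Python model, added here as an illustration and not AppSense code, shows how the Make local drives accessible by default option (blacklist versus whitelist), per-item Trusted Ownership checking on Accessible Items, and the Extension Filtering settings described earlier combine during rule matching. The evaluation order used (extension filter, Prohibited Items, Accessible Items, then the default) and the individual user SID are assumptions for the model; the well-known SIDs are real.

```python
"""Simplified model of rule matching under the Options and Extension Filtering
settings. Added illustration, not the Application Manager engine; the
evaluation order below is an assumption of this model."""
import ntpath
from dataclasses import dataclass, field
from typing import Optional

BUILTIN_ADMINISTRATORS = "S-1-5-32-544"     # well-known SID
LOCAL_SYSTEM = "S-1-5-18"                   # well-known SID
USER_BOB = "S-1-5-21-1000-2000-3000-1105"   # constructed sample SID of a standard user


@dataclass
class ExtensionFilter:
    enabled: bool = False                    # disabled by default, per the guide
    only_check: Optional[set] = None         # "Only check files with extensions in the list"
    exclude: Optional[set] = None            # "Exclude files with extensions in the list"

    def applies_to(self, path):
        """True when the file is subject to rule checks at all."""
        if not self.enabled:
            return True                      # no filter: every execution request is checked
        ext = ntpath.splitext(path)[1].lower()
        if self.only_check is not None:
            return ext in self.only_check
        if self.exclude is not None:
            return ext not in self.exclude
        return True


@dataclass
class Config:
    local_drives_accessible_by_default: bool = True   # True = blacklist, False = whitelist
    trusted_ownership_enabled: bool = True
    trusted_owners: frozenset = frozenset({BUILTIN_ADMINISTRATORS, LOCAL_SYSTEM})
    prohibited_items: set = field(default_factory=set)
    accessible_items: dict = field(default_factory=dict)   # path -> check Trusted Ownership?
    extension_filter: ExtensionFilter = field(default_factory=ExtensionFilter)

    def prohibit(self, path):
        self.prohibited_items.add(path.lower())

    def allow(self, path, check_trusted_ownership=True):
        # check_trusted_ownership=False models deselecting Trusted Ownership on the item
        self.accessible_items[path.lower()] = check_trusted_ownership

    def owner_trusted(self, owner_sid):
        return (not self.trusted_ownership_enabled) or owner_sid in self.trusted_owners


def evaluate(cfg, path, owner_sid):
    """Return (allowed, reason) for an execution request of `path` whose NTFS
    owner is `owner_sid`. The requesting user plays no part in the decision."""
    if not cfg.extension_filter.applies_to(path):
        return True, "not checked: extension filtered out"
    key = path.lower()
    if key in cfg.prohibited_items:
        return False, "Prohibited Item"
    if key in cfg.accessible_items:
        if cfg.accessible_items[key] and not cfg.owner_trusted(owner_sid):
            return False, "Accessible Item, but owner not a Trusted Owner"
        return True, "Accessible Item"
    if not cfg.local_drives_accessible_by_default:
        return False, "whitelist: not an Accessible Item"
    if cfg.owner_trusted(owner_sid):
        return True, "blacklist: owner is a Trusted Owner"
    return False, "blacklist: owner not a Trusted Owner"
```

Running it with an "Only check .exe and .vbs" filter shows why the default (no filter) is the most secure setting: a file with any other extension is never evaluated against the rules at all.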

APPLICATION TERMINATION
Application Termination allows you to control triggers, behavior and warning messages for terminating applications on managed computers. You can terminate applications gracefully, allowing the user to save work before closing, or force a termination. Notification messages for each type of trigger can be edited individually. Three triggers cover the range of possible scenarios in which this might be a necessary action to take.


Figure 2.7 Application Termination Mechanism

The triggers for terminating an application include when a new configuration is applied, when the IP address of the computer changes, or when the connecting device changes.


When a trigger is activated, processes are evaluated against the rules to determine if an application requires terminating. Rules with Self-Authorizing and Audit Only security levels are not evaluated because Self-Authorizing rules allow user discretion over application control and Audit Only rules do not apply Application Manager control. Application Termination is available from the General Features ribbon page > Default Restrictions group. This feature is disabled by default. Select the Enable Application Termination option in the Application Termination dialog box to enable this feature.

Figure 2.8 Application Termination Triggers

The triggers for Application Termination are as follows:

Configuration applied - Terminate the application according to the configuration that is applied.

Computer IP address changed - Terminate the application when the IP address has changed, for example, when moving between secure and insecure environments.

Connecting device changed - Terminate the application when the connecting device has changed, for example, changing between a laptop and a desktop in the same session.


Application Termination Options


After specifying the triggers that you want to use you can decide how you want to terminate the application.

Figure 2.9 Application Termination Options

Display an initial warning message - Specifies to display an initial warning message. The message can be customized on the Configuration Applied Message, IP Address Changed Message and Connecting Device Changed Message tabs. Use in conjunction with the Close application and Terminate application options. If you do not use this in conjunction with these options, only a message is displayed and the application does not close.

Close the application - Closes the application, allowing the user to save their work. Select along with the Display an initial warning message option.

Terminate the application - Terminates the application without allowing the user to save their work. Whether or not you select Display an initial warning message, the application terminates regardless.

Wait ... seconds between options - Specify the time period in seconds between actions, and between closing and terminating. The maximum is 9999 seconds.


You can audit Application Termination. The auditing event is 9017. See Auditing on page 139 for more information.

Customize Application Termination Message


As previously mentioned, you can customize the message that is displayed according to the configuration that is applied, when the IP address has changed and when the connecting device has changed. Use the Configuration Applied Message, IP Address Changed Message and Connecting Device Changed Message tabs. Each tab has the same settings.

Figure 2.10 Configuration Applied Termination Message

Caption - The text to display at the top of the warning and termination messages. For example, you can change the default caption, Application Manager, so that the user is not aware that Application Manager has intervened.

Message body - The text to display in the body of the message.


Environment variables are supported for both the caption and the message body. In addition to system environment variables, %ExecutableName%, %DirectoryName% and %FullPathName% are supported for each file.

Click here to see how the message will appear to users - Displays the message with the caption and body specified in the above options.

Figure 2.11 Example Warning Message

The message caption must not be left empty, must be a single line, and can contain up to 100 characters.

The message body must not be left blank, can contain zero or more line breaks, and can contain up to 1000 characters.

A separate message box must be used for each trigger type.

MESSAGE SETTINGS
The Message Settings dialog box is used to configure the information displayed in messaging that occurs when a particular user attempts to launch an application in violation of the defined configuration. You can specify messages for when access is denied, application limits are exceeded, for self-authorization, and for blocked network connections. Time limits and application behavior, for example, terminating the application, can be specified with warning and denied messages. The Message Settings dialog box is available from the General Features ribbon page > Properties group.

Access Denied
Access to applications can be denied for a user. For example, all applications defined in the Prohibited Items list within the configuration can be denied. Prohibited Items are specified in the Group, User, Device, Custom, Scripted, and Process rules.


Figure 2.12 Access Denied Message Settings

Caption - The text to display at the top of the warning and termination messages. For example, you can change the default caption, Application Manager, so that the user is not aware that Application Manager has intervened.

Message body - The text to display in the body of the message.

Environment variables are supported for both the caption and the message body. In addition to system environment variables, %ExecutableName%, %DirectoryName% and %FullPathName% are supported for each file.

Click here to see how the message will appear to users - Displays the message with the caption and body specified in the above options.


Figure 2.13 Example Access Denied Message

Time limits and application behavior, for example terminating the application, can be specified with warning messages for Time Limits and Application Limits Exceeded. See Time Limits on page 30 for more information.

Application Limits Exceeded


The number of running occurrences of an application can be limited in Application Manager. A message can be displayed once a user exceeds this limit. Similar to Access Denied, you can specify a caption and the body of the message.
For more information on application limits see Application Limits on page 53.


Figure 2.14 Application Limits Exceeded Message Settings

Caption - The text to display at the top of the warning and termination messages. For example, you can change the default caption, Application Manager, so that the user is not aware that Application Manager has intervened.

Message body - The text to display in the body of the message.

Environment variables are supported for both the caption and the message body. In addition to system environment variables, %ExecutableName%, %DirectoryName% and %FullPathName% are supported for each file.

Click here to see how the message will appear to users - Displays the message with the caption and body specified in the above options.


Figure 2.15 Example Application Limits Exceeded Message

Time limits and application behavior, for example terminating the application, can be specified with warning messages for Access Denied and Application Limits Exceeded. See Time Limits on page 30 for more information.

Time Limits
Access time limits for applications can be specified in Application Manager. For example, certain applications can be allowed to run only between 9 am and 5 pm, Monday to Friday. There are two messages that can be displayed: one to inform the user if they are attempting to run the application outside of those hours, and another to inform the user if the time period has expired whilst the application is still running. You can specify whether the user is allowed to save their work before closing the application, or just close the application upon the warning.
For more information on access times for an application see Access Times on page 52.


Figure 2.16 Time Limits Message Settings

Similar to the Application Termination feature, you can specify how the application closes. The following options describe the ways this can be done.

Display an initial warning message - Specifies to display an initial warning message. Use in conjunction with the Close application and Terminate application options. If you do not use this in conjunction with these options, only a message is displayed and the application does not close.

Close the application - Closes the application, allowing the user to save their work. Select along with the Display an initial warning message option.

Terminate the application - Terminates the application without allowing the user to save their work. Whether or not you select Display an initial warning message, the application terminates regardless.

Wait ... seconds between options - Specify the time period, in seconds, between actions, and between closing and terminating. The maximum is 120 seconds.


As previously mentioned you can configure two messages. The Warning Message is for when an application is continuing to run outside of the specified access times, for example, if a user is working later.

Figure 2.17 Example Warning Message for an Application Running outside of Specified Time

The Denied Message is for when a user attempts to run an application outside of the specified time.

Figure 2.18 Example Warning for Attempts to Run an Application outside of Specified Time

Self-Authorization
Self-authorization is a security level within Application Manager. Certain applications can require self-authorization by a user before they are allowed to run. You can specify the message displayed when a user runs an application. The caption and body can be defined for the initial message and the response.
For more information on security levels see page 62, which describes the four distinct security levels that Application Manager can assign to rules.


Figure 2.19 Self-Authorization Message Settings

Caption - The text to display at the top of the warning and termination messages. For example, you can change the default caption, Application Manager, so that the user is not aware that Application Manager has intervened.

Message body - The text to display in the body of the message.

Environment variables are supported for both the caption and the message body. In addition to system environment variables, %ExecutableName%, %DirectoryName% and %FullPathName% are supported for each file.

Click here to see how the message will appear to users - Displays the message with the caption and body specified in the above options.


Figure 2.20 Example Self-Authorizing Warning Message

Figure 2.21 Example Self-Authorizing Response Message

Network Connections
Application Network Access Control can be used to block network connections. All Network Connection Items within Prohibited Items for a Group, User, Custom, Scripted, and Process rule can be prohibited, and therefore, blocked. You can choose to display a message when a connection is blocked, or you can choose not to. The default setting is to display a message. You can also specify how often to display a message, and the caption and body for the message.
For more information on network access see Application Network Access Control on page 115.


Figure 2.22 Network Connections Message Settings

Display a message box for blocked network connections - Displays a message box for all blocked network connections. This option is enabled by default.

Display a warning on every connection attempt - Displays a warning message every time a connection is attempted.

Display a warning message once - Displays a message only on the first attempt per application within the same session.

Wait ... seconds between messages - Specifies the number of seconds to wait before a new message is issued. Only one message displays per application within the specified period. No message displays for any subsequent attempts within the same period.

Caption - The text to display at the top of the warning and termination messages. For example, you can change the default caption, Application Manager, so that the user is not aware that Application Manager has intervened.

Message body - The text to display in the body of the message.


Click here to see how the message will appear to users - Displays the message with the caption and body specified in the above options.

Figure 2.23 Example Warning Message for a Blocked Network Connection

ARCHIVING
Archiving allows you to copy any denied executables into a secure folder. When a user attempts to run an unauthorized executable, or an executable specified in the Prohibited Items list, Application Manager can take a copy of each application that attempted to execute and place them in a secured file system or archive. This information can be used by an administrator to inspect the kinds of executable content that Application Manager has blocked access to by taking a complete copy for the administrator. It is often found that blocked applications are files with false names such as winword.exe. Unfortunately, the name alone does not tell the administrator a great deal as these are typically other executables that have been simply renamed in an attempt by the user to get the application to run on the computer. By having a specific copy of each executable, the administrator can accurately assess each application and what impact they would have on the enterprise had they been allowed to run.
It is recommended that archived executables be checked in a secure environment so as to minimize the threat from viruses and malware.

Archiving is disabled by default. You can enable archiving in the Archiving Settings dialog box available from the General Features ribbon page > Properties group.


Figure 2.24 Archiving Settings Dialog Box - Global Properties

Archiving Settings

Use archiving - Enables the Archiving feature. This option is disabled by default.

Global Properties
The following are the global properties for archiving:

Do not archive administrator owned files - Select to not take an archive of applications owned (NTFS) by the administrator. An example of this is when a user tries to execute regedit.exe and is blocked by the Application Manager agent. It is unlikely you would require an archive of this file. However, it is useful to archive when the user attempts to execute their own copy of regedit.exe, to determine what the application is and what effect it could have on the enterprise if it were to execute.

Do not archive if the file already exists - Select to not take an archive of an unauthorized executable if a copy of the file already exists. The Application Manager agent does not try to copy it over again. This helps to save space, although it may result in inaccurate archiving as only one copy of an executable with the same name is ever retained.

Enable anonymous archiving - Some locations have restriction laws in place, forbidding administrators to record which user attempted to execute unauthorized applications. Select this option to prevent the Application Manager agent from using any %username% file paths. The agent removes the percentage signs (%) leaving simply username. An example can be where an application is executed from a home directory that has the username as the folder name. Application Manager replaces the username with the text, username, so as to protect the user's identity in accordance with the local restriction laws.

Maximum archive size for all users combined - The maximum size in MB that Application Manager allows the archive to reach, for all users combined, before it stops archiving.

Maximum archive size per-user - The maximum size in MB that a single user archive is allowed to reach before it stops archiving. For example, if an archive path is specified as C:\archive\%username% then every user on the computer has a separate archive under the C:\archive directory. It is this user archive that is subject to the user limit.

File Options
The second tab in the Archiving Settings dialog box is the File Options tab.

Figure 2.25 Archiving Settings Dialog - File Options


Only archive files smaller than - This option allows you to specify the maximum file size to archive. By selecting this option and inserting a file size, you can ensure large executables are not copied to the archive. As an example, a user may well attempt to execute a service pack or other similarly large file which you typically would not want to copy over the network into an archive.

When a user's archive is full allow the oldest files to be overwritten - Instead of simply stopping archiving when either the Total Limit or User Limit options are invoked, select this option to overwrite the oldest files. This is an easy way to ensure that the enterprise captures the most up to date information without using huge amounts of disk space for unauthorized applications.

Folders
The third tab in the Archiving Settings dialog box is the Folders tab.

Figure 2.26 Archiving Settings Dialog Box - Folders tab

Use the Folders tab to configure the location into which you want the archive files to go. The default location is to place all archived files into:

%SystemDrive%\AppSenseLogs\ApplicationManager\%UserName%

This has the effect of placing all archived files for a specific user in the same folder, and the folder is named after the user, making it easier to manage.


If the Use anonymous archiving option is selected the folder is named username and all archived files for all users are placed in the same folder.

Additional folders can be added to the list by using the Add Folder button. The location can be either typed in or browsed to on the local computer or local network by using the Browse button. The order of the archive list is important as Application Manager attempts to copy the file to the first relevant archive in the list. If this copy fails then it attempts to copy the file to the second archive location, and so on. If the copy succeeds, Application Manager does not use any of the remaining archives. Use the Move Up and Move Down buttons to order any new folders ensuring you have the correct default folder at the top.
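The archiving behaviour described in the Global Properties, File Options and Folders tabs above can be modelled end to end. The following Python is an added illustration, not AppSense code: a dictionary stands in for the file system, the size limits are sample values, and the UNC folder in the usage is a constructed example.

```python
"""Model of the Archiving Settings: the archive folder template with
%UserName%, anonymous archiving, the per-user and combined size limits,
"Do not archive if the file already exists", "overwrite the oldest files"
and the ordered folder fallback. Added illustration, not AppSense code."""
import re
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_TEMPLATE = r"%SystemDrive%\AppSenseLogs\ApplicationManager\%UserName%"


@dataclass
class ArchiveSettings:
    use_archiving: bool = False               # disabled by default, per the guide
    skip_admin_owned: bool = False            # "Do not archive administrator owned files"
    skip_if_exists: bool = False              # "Do not archive if the file already exists"
    anonymous: bool = False                   # "Enable anonymous archiving"
    max_total_bytes: int = 10 * 1024 * 1024   # all users combined (sample limit)
    max_user_bytes: int = 1024 * 1024         # per user archive (sample limit)
    max_file_bytes: Optional[int] = None      # "Only archive files smaller than"
    overwrite_oldest: bool = False            # "allow the oldest files to be overwritten"
    folders: list = field(default_factory=lambda: [DEFAULT_TEMPLATE])


def resolve_path(template, username, anonymous, system_drive="C:"):
    """Expand %SystemDrive% and %UserName% (case-insensitively). Anonymous
    archiving drops the percent signs, so every user shares a folder that is
    literally named 'username'."""
    path = re.sub(r"%SystemDrive%", lambda m: system_drive, template, flags=re.IGNORECASE)
    name = "username" if anonymous else username
    return re.sub(r"%UserName%", lambda m: name, path, flags=re.IGNORECASE)


@dataclass
class Store:
    """Stand-in file system: folder -> {file name: (size, sequence number)}.
    Folders listed in `unreachable` fail the copy, which triggers fallback."""
    folders: dict = field(default_factory=dict)
    unreachable: set = field(default_factory=set)
    seq: int = 0

    def size_of(self, folder):
        return sum(size for size, _ in self.folders.get(folder, {}).values())

    def total_size(self):
        return sum(self.size_of(f) for f in self.folders)


def archive(settings, store, username, exe_name, exe_size, admin_owned=False):
    """Archive one blocked executable. Returns (folder used or None, reason)."""
    if not settings.use_archiving:
        return None, "archiving disabled"
    if settings.skip_admin_owned and admin_owned:
        return None, "administrator-owned file skipped"
    if settings.max_file_bytes is not None and exe_size >= settings.max_file_bytes:
        return None, "file too large"
    for template in settings.folders:          # first archive the copy succeeds in wins
        folder = resolve_path(template, username, settings.anonymous)
        if folder in store.unreachable:
            continue                            # copy failed: try the next folder
        files = store.folders.setdefault(folder, {})
        if settings.skip_if_exists and exe_name in files:
            return folder, "already archived"
        # The user limit applies to this user's folder, the total limit to all folders.
        while (store.size_of(folder) + exe_size > settings.max_user_bytes
               or store.total_size() + exe_size > settings.max_total_bytes):
            if not settings.overwrite_oldest or not files:
                return None, "archive full"
            oldest = min(files, key=lambda n: files[n][1])
            del files[oldest]
        store.seq += 1
        files[exe_name] = (exe_size, store.seq)
        return folder, "archived"
    return None, "no reachable archive folder"
```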

Security Methods

In this Section:

Introduction on page 41
Method 1 - Trusted Ownership on page 42
Method 2 - Digital Signatures on page 44
Method 3 - Trusted Vendors on page 46
Method 4 - Whitelist vs. Blacklist vs. Trusted Ownership on page 49
Security Method Recommendation on page 54

INTRODUCTION
Application Manager has a number of security methods to allow you to protect a system without complex lists and constant management. These include Trusted Ownership, Digital Signatures, Trusted Vendors, Whitelists, and Blacklists. You can choose any one method or use a hybrid approach. The following sections describe the various methods and culminate in a recommendation.

APPLICATION MANAGER TECHNICAL GUIDE


METHOD 1 - TRUSTED OWNERSHIP


Application Manager uses secure filter drivers and Microsoft NTFS security policies to intercept all execution requests. Execution requests go through the Application Manager hook and any unwanted applications are blocked. Application entitlement is based on the ownership of the application, with default trusted ownership typically being for administrators. By using this method, current application access policy is enforced without the need for scripting or list management. This is called Trusted Ownership. In addition to executable files, Application Manager also manages entitlement to application content such as VBScripts, batch files, MSI packages and registry configuration files.

Trusted Ownership is the default method of controlling access to applications within Application Manager. It makes use of the Discretionary Access Control (DAC) model. It examines the owner attribute of the file and compares it to a predefined list of trusted owners. If the owner of the file appears in the list then execution of the file is granted, otherwise it is denied. The decision is made independently of the user actually trying to execute the file.

An important feature of this security method is that it does not need to consider the file contents. In this way Application Manager is able to control both known and unknown applications. Conventional security systems such as anti-virus applications compare file patterns against those in a known list to identify potential threats. Therefore, the protection they offer is directly proportional to the accuracy of the list used for comparison. Many malware applications are either never identified, or at best, identified only after a period of time during which systems are left vulnerable.

Application Manager, by default, allows ALL locally installed executable content to execute IF the owner of the executable is listed in the Trusted Owners list in the configuration. The administrator must then supply a list of applications that they do not want to execute from the local disk subsystem, which would typically be administrative applications such as mmc.exe, eventvwr.exe, setup.exe, and so on. If this approach is taken, the administrator does not have to find out the full details of every piece of executing code required for the application set to function, as the Trusted Ownership model allows or denies access as appropriate.

Although Application Manager is able to stop any executable or script based malware as soon as it is introduced to a system, it must be noted that Application Manager is not intended to be a replacement for existing malware removal tools, but should act as a complementary technology sitting alongside them. For example, although Application Manager is able to stop the execution of a virus, it is not able to clean it off the system.

For information on the Trusted Ownership rule see Trusted Ownership Rule on page 44.


Application Manager and Trusted Ownership


Application Manager maintains a trusted owners list which is defined in the Trusted Owners dialog box. This dialog box is found on the General Features ribbon page > Default Restrictions group > Trusted Owners.

Figure 3.1 Trusted Owners

Users and groups can be deleted or added as required. In the NTFS system a file may be owned by either a user or a group and therefore both may be added. When the check for Trusted Ownership is performed the System Identifier (SID) of the file owner is determined and this is checked against the list of SIDs within the trusted owner configuration. Application Manager does not evaluate a group or determine the users of a group. This ensures that Application Manager continues to function correctly when machines are not connected to a network and this information is not available.

There are two options within the Trusted Owners dialog box:

Enable Trusted Ownership checking - Select to switch on Trusted Ownership checking. If this is not selected Application Manager does not perform any Trusted Ownership checking and other security methods must be configured to give the desired security.

Change a file's ownership when it is overwritten or renamed - The default for certain operating systems is to retain file ownership when a file is overwritten or renamed. This can be seen as a security flaw as, if NTFS permissions allow, a user may overwrite a legitimate file with a file that would otherwise be blocked. Select this option to ensure that if a legitimate file is compromised in this way the ownership changes to that of the user and Trusted Ownership prevents the file from being executed.

Trusted Ownership Rule


Trusted Ownership does not need to take into account the logged on user. It does not matter whether the logged on user is a Trusted Owner, an administrator, or not. Trusted Ownership revolves around which user (or group) owns a file on the disk. This is typically the user who created the file. It is common to see the group BUILTIN\Administrators within the Application Manager console as the File Owner. It is also possible to find that the file owner is an individual administrator's account. This gives the following situations:

The file owner is the group BUILTIN\Administrators and this group is a Trusted Owner. Trusted Ownership allows the file to execute.

The file owner is an individual administrator and the individual administrator is a Trusted Owner. Trusted Ownership allows the file to execute.

The file owner is an individual administrator and the individual administrator is not a Trusted Owner, but the BUILTIN\Administrators group is a Trusted Owner. Trusted Ownership does not allow the file to execute.

In the last case, even though the administrator who owns the file is in the Administrators group, the file owner is not trusted. The group is not expanded to find out whether the individual owner should be trusted. In this case, to allow the file to execute, the file's ownership must be changed to BUILTIN\Administrators.
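The three ownership situations above, together with the overwrite option from the Trusted Owners dialog box, as an added Python model that is not AppSense's code. The BUILTIN\Administrators SID is the real well-known one; the user SIDs and file paths are constructed.

```python
"""Trusted Ownership decision as the guide describes it (added example, not AppSense code)."""
from dataclasses import dataclass, field
from typing import Set

# S-1-5-32-544 is the real well-known SID of BUILTIN\Administrators;
# the two user SIDs are constructed for this example.
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
ADMIN_ALICE = "S-1-5-21-1000-2000-3000-1105"   # constructed: an individual administrator
USER_BOB = "S-1-5-21-1000-2000-3000-1203"      # constructed: a standard user


@dataclass
class FileRecord:
    path: str
    owner_sid: str   # NTFS owner, which may be a user SID or a group SID


@dataclass
class TrustedOwnersConfig:
    enabled: bool = True                    # "Enable Trusted Ownership checking"
    change_owner_on_overwrite: bool = True  # "Change a file's ownership when it is overwritten or renamed"
    trusted_sids: Set[str] = field(default_factory=lambda: {BUILTIN_ADMINISTRATORS})


def trusted_ownership_verdict(f: FileRecord, cfg: TrustedOwnersConfig) -> str:
    """Return 'allowed', 'blocked' or 'not-checked'.

    Only the owner SID is compared with the trusted SIDs. A trusted group is
    never expanded to ask whether the owner is one of its members, which is why
    the verdict is the same on a machine that cannot reach a domain controller.
    """
    if not cfg.enabled:
        return "not-checked"   # another security method must supply the decision
    return "allowed" if f.owner_sid in cfg.trusted_sids else "blocked"


def overwrite_in_place(f: FileRecord, writer_sid: str, cfg: TrustedOwnersConfig) -> FileRecord:
    """Model a user overwriting (or renaming over) a file that NTFS permissions let them write.

    Some operating systems keep the original owner in that case; the option modelled
    by cfg.change_owner_on_overwrite hands ownership to the writer instead.
    """
    new_owner = writer_sid if cfg.change_owner_on_overwrite else f.owner_sid
    return FileRecord(f.path, new_owner)


def demo() -> dict:
    """Walk through the guide's three ownership situations plus the overwrite case."""
    default_cfg = TrustedOwnersConfig()
    alice_trusted_cfg = TrustedOwnersConfig(trusted_sids={BUILTIN_ADMINISTRATORS, ADMIN_ALICE})
    keep_owner_cfg = TrustedOwnersConfig(change_owner_on_overwrite=False)

    owned_by_group = FileRecord(r"C:\Windows\notepad.exe", BUILTIN_ADMINISTRATORS)
    owned_by_alice = FileRecord(r"C:\Tools\deploy.exe", ADMIN_ALICE)
    legitimate = FileRecord(r"C:\Program Files\LineOfBusiness\lob.exe", BUILTIN_ADMINISTRATORS)

    return {
        # 1. owner is BUILTIN\Administrators, which is trusted
        "group_owner": trusted_ownership_verdict(owned_by_group, default_cfg),
        # 2. owner is Alice and Alice herself is listed as a Trusted Owner
        "alice_listed": trusted_ownership_verdict(owned_by_alice, alice_trusted_cfg),
        # 3. owner is Alice; only her group is trusted, and the group is not expanded
        "alice_via_group": trusted_ownership_verdict(owned_by_alice, default_cfg),
        # Bob overwrites a legitimate file: ownership moves to Bob, so the file is blocked
        "overwritten_owner_changes": trusted_ownership_verdict(
            overwrite_in_place(legitimate, USER_BOB, default_cfg), default_cfg),
        # same overwrite with the option off: owner stays trusted and the swap goes unnoticed
        "overwritten_owner_kept": trusted_ownership_verdict(
            overwrite_in_place(legitimate, USER_BOB, keep_owner_cfg), keep_owner_cfg),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```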

METHOD 2 - DIGITAL SIGNATURES


Digital Signatures provide a means to accurately identify a file according to the actual contents of the file itself. Each file is examined and, according to its contents, a digital hash, which may be likened to a fingerprint, is produced. Application Manager makes use of the industry standard SHA-1 hash. If the file is altered in any way then the SHA-1 hash is also altered. Digital hashing is seen as the ultimate security method as it is accurate: it identifies each file independently of all factors other than the file itself. For example, an administrator takes a digital hash of all executables on a computer system and records them. A user then tries to execute an application; the digital hash of the application is calculated and then compared to the recorded values. If there is a match the application is granted execution, otherwise it is denied. This methodology also provides zero-day protection as not only does it stop new applications from being introduced, it also blocks any applications which have been infected with malware.

Although digital signatures provide a similar protection to Trusted Ownership, one must also consider the time and management involved in maintaining the security systems in place. Applications are constantly being updated with service packs, bug fixes and vulnerability patches. This means that all associated files are also constantly being updated. So if, for example, a service pack is applied to Microsoft Office, then for the updated parts to work new digital hashes of the updated files must now be taken. Care must be taken to ensure that these are available when the update is applied, to ensure no downtime is seen. Additionally it is recommended that the old signatures be removed.

Signature Wizard
Application Manager has a Signature Wizard that allows you to apply digital signatures either to an individual file or a group. Digital signatures can be grouped in one of two ways, by means of scanning folders and subfolders, or by examining a running process. The Signature Wizard is available from the Groups ribbon page > Advanced group when you select a group beneath the Library > Group Management node.

Figure 3.2 Signature Wizard

The Search Folders option within the Signature Wizard automatically scans all executable and script-based files in the selected folder and calculates the digital hashes. The Examine a running process option allows you to select a process that is currently running. The process, along with all executable files it has currently loaded, is scanned and the digital hashes calculated. If a file is found for which the signature has already been calculated, a notification of a duplicate is displayed; there is no need for a duplicate hash in a configuration. If the files are updated by means of, for example, a service pack, you can select the signature file group and choose to re-scan. All of the digital signatures are automatically updated and the new configuration can be deployed.


METHOD 3 - TRUSTED VENDORS


Trusted Vendors can be specified in each Application Manager rule node. Trusted Vendors are used for listing valid digital certificates. A digital certificate is an electronic document that uses a digital signature to bind together a public key with an identity. This includes information such as the name of a person or organization, address, and so on. The certificate is used to verify that a public key belongs to an individual. Digital certificates are issued by a certificate authority. An increasing number of applications are being signed with digital certificates. A digital certificate is supplied with a public key and this may be used to verify the authenticity of the application. If Trusted Ownership fails then, providing the file is not explicitly blocked within the Application Manager configuration, it is allowed to execute if it has a valid digital signature from a listed Trusted Vendor. Right-click in the Trusted Vendors work area to display the following commands for adding certificates to the list.

From Signed-File - Specify a known file that has already been signed by the vendor who you wish to trust. Application Manager identifies the vendor's specific signature to identify additional code from that same vendor.

From File-Based Store - Browse to the specific digital certificate if available. Use this option to choose the files you require (the Import File-Based Store command imports all files).

Import File-Based Store - Import a digital certificate for use in setting up a Trusted Vendor rule. Use this option to import all files.

Figure 3.3 Add Certificate to Trusted Vendor List


Certificate Verification
You can also verify a certificate. Application Manager displays a message if there are any warnings for the certificate, for example, if it is not possible to determine whether a certificate has been revoked. The Verify Certificates command is available from the Rule Items ribbon page > Trusted Vendors group. The following graphic shows an example of the message displayed for a certificate with warnings.

Figure 3.4 Certificate Verification Warning

Advanced Options
Advanced options allow you to specify parameters for validating a certificate by ignoring or allowing specific attributes. The certificate must be valid for the rule to be applicable, but there are different levels of validation with which you can configure a certificate. The advanced options are available from the Advanced Options dialog box. The Advanced Options dialog box is available from the Rule Items ribbon page > Trusted Vendors group.


Figure 3.5 Advanced Options

Ignore CTL revocation errors - Ignores that the certificate trust list (CTL) revocation is unknown when determining certificate verification.

Ignore CA revocation errors - Ignores that the certificate authority revocation is unknown when determining certificate verification.

Ignore end Certificate revocation errors - Ignores that the end certificate, that is the user certificate, revocation is unknown when determining certificate verification.

Ignore root revocation errors - Ignores that the root revocation is unknown when determining certificate verification.

Ignore CTL not time valid errors - Ignores that the certificate trust list is not valid, for example, the certificate may have expired, when determining certificate verification.

Ignore time nesting errors - Ignores that the certificate authority (CA) certificate and the issued certificate have validity periods that are not nested when verifying the certificate. For example, the CA certificate may be valid from January 1st to December 1st, and the issued certificate from January 2nd to December 2nd. This means that the validity periods are not nested.

Ignore basic constraint errors - Ignores that the basic constraints are not valid when determining certificate verification.

Ignore invalid name errors - Ignores that the certificate has an invalid name when determining certificate verification.

Ignore invalid policy errors - Ignores that the certificate has an invalid policy when determining certificate verification.

Ignore invalid usage errors - Ignores that the certificate was not issued for the current use when determining certificate verification.

Allow untrusted roots - Ignores that the root cannot be verified due to an unknown certificate authority.


The Click here to test these settings link helps to validate the certificate based on the options you have selected; where relevant, the test depends on connectivity with the appropriate certification authority.

METHOD 4 - WHITELIST VS. BLACKLIST VS. TRUSTED OWNERSHIP


There are two key approaches that can be used in Application Manager that differ from Trusted Ownership, namely whitelisting and blacklisting.

Whitelist Model
The whitelist approach dictates that every single piece of executable content must be predefined prior to the user making the request for the application on the Operating System. Details of all the content identified in this way are kept on a whitelist which has to be checked each time an execution request occurs. If the executable file is on the whitelist it is permitted, otherwise it is denied. There are a small number of security technologies that work in this way, but they often experience issues with the level of administration required once implemented. This is due to the necessity of adding and maintaining all patches, service packs and upgrades to the whitelist.

Application Manager fully supports this model of control, and adds significant steps to enable additional security in the model. One such addition is the ability to include SHA-1 digital signatures (hashes), so that not only must the application name match but the SHA-1 signature of that executable must also match a signature in the database. Furthermore, Application Manager also adds the full path of the executable to the list, to ensure that all three items match prior to application execution:

Filename - for example, winword.exe.
File Path - for example, C:\Program Files\Microsoft Office\Office\
SHA-1 digital signature

To take the technology into the next stage of control, Application Manager does not only take the details of the executables but also requests that the administrator specify specific .dlls as well as all other executable content such as ActiveX controls, Visual Basic Scripts and Command Scripts.

Blacklist Model
In contrast to whitelists, blacklists are a potentially low-security measure. A list is generated and then maintained which contains the applications that are to be denied execution. This is the main failing of this method, as it presumes that all dangerous applications are actually known about. This is of little use in most enterprises, specifically with e-mail and internet access and / or where the user can introduce files and applications without administrator intervention.

Application Manager does not need to actively maintain a list of denied applications, as any application that was not installed by, and is therefore not owned by, an administrator is denied by use of Trusted Ownership. One of the main reasons for prohibiting applications via a blacklist is to enable Trusted Ownership to be used for license management, by not allowing even known (and therefore trusted and owned) applications to run until the administrator later explicitly allows access to that very same application by defining a certain user / group or client rule. This protection needs no configuration, except to allow an outside application.

Additionally, a blacklist is useful for denying access to files owned by trusted owners but that may be deemed security risks, for example, regedit.exe, ftp.exe, and so on.

Application Manager and Whitelists


Whitelists are defined within Application Manager as Accessible Items.

Figure 3.6 Accessible Items

Items within the Accessible Items list may be:

File - If the filename alone is specified, for example, myapp.exe, then all instances of this are allowed regardless of the location of the application. If the file is specified with the full path, for example, \\servername\sharename\myapp.exe, then only this instance of the application is allowed / not allowed. Other instances of this application need to satisfy other Application Manager rules to be granted execution.

Folder - A complete folder may be specified, for example, \\servername\servershare\myfolder, and all applications within this folder, and all subfolders if required, are allowed to execute. Select Include subdirectories to include all directories beneath the specified directory. No checks are made on the files within the folder and as such any file copied into this folder will be allowed to execute.

To automatically apply environment variables select Substitute environment variables where possible for a file or folder. This makes the paths more generic for applying on different machines. Wildcard support provides an additional level of control for specifying generic file paths.

Drive - A complete drive may be specified, for example, W, and all the applications on this drive, including subfolders, are allowed to execute. No checks are made on the files within the drive so any file copied into any folder on this drive is allowed to execute.

Signature Item - A file may be added along with a digital hash of the file. This ensures that only that particular file may be executed, but from any location.

Network Connection Item - A Network Connection Item can be specified. All files on the network are allowed to run.


Figure 3.7 Add a Network Connection Dialog Box

For more information see Application Network Access Control on page 115.

Group - Groups can contain any number and combination of items, for example, all the File, Folder, Drive, Signature, and Network items for a particular application. All files are allowed to execute.

Trusted Ownership - This option must be selected in the Accessible Items work area if you want to perform trusted ownership checking on the defined Accessible Item. If this option is not selected the file is allowed to execute regardless of the owner.
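An added Python model, not AppSense's code, of how the File, Folder, Drive and Signature item kinds listed above match an execution request, including environment variable substitution and the item-level Trusted Ownership checkbox; it also serves the Digital Signatures and Whitelist Model passages earlier in this chapter, since a Signature Item is the filename plus SHA-1 check they describe. The matching semantics are read from the prose above; the paths, SIDs, file contents and the env mapping are constructed.

```python
"""Accessible Items matching for an Application Manager whitelist (added example, not AppSense code)."""
import hashlib
import ntpath
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

TRUSTED_OWNERS = {"S-1-5-32-544"}            # BUILTIN\Administrators (real well-known SID)
USER_BOB = "S-1-5-21-1000-2000-3000-1203"    # constructed standard-user SID


def sha1_of(content: bytes) -> str:
    """The 'digital signature' in the guide's sense: a SHA-1 hash of the file's contents."""
    return hashlib.sha1(content).hexdigest()


def substitute_env(path: str, env: Dict[str, str]) -> str:
    """Expand %NAME% tokens so one item applies on machines with different install paths."""
    for name, value in env.items():
        path = path.replace("%" + name + "%", value)
    return path


def _norm(path: str) -> str:
    """Windows paths compare case-insensitively; ntpath behaves the same on any host OS."""
    return ntpath.normcase(ntpath.normpath(path))


@dataclass
class AccessibleItem:
    kind: str                      # "file", "folder", "drive" or "signature"
    target: str                    # filename or full path / folder / drive letter / filename
    sha1: Optional[str] = None     # signature items: the hash the contents must produce
    include_subdirs: bool = False  # folder items: the "Include subdirectories" option
    check_owner: bool = False      # the item's own "Trusted Ownership" checkbox


def item_matches(item: AccessibleItem, path: str, content: Optional[bytes] = None,
                 env: Optional[Dict[str, str]] = None) -> bool:
    target = substitute_env(item.target, env or {})
    p = _norm(path)
    if item.kind == "file":
        if ntpath.dirname(target) == "":                 # bare filename: any location
            return ntpath.basename(p) == ntpath.normcase(target)
        return p == _norm(target)                        # full path: this instance only
    if item.kind == "folder":
        folder = _norm(target).rstrip("\\")
        parent = ntpath.dirname(p)
        return parent == folder or (item.include_subdirs and parent.startswith(folder + "\\"))
    if item.kind == "drive":
        return ntpath.splitdrive(p)[0] == ntpath.normcase(target.rstrip(":") + ":")
    if item.kind == "signature":                         # name and SHA-1 must both match
        return (ntpath.basename(p) == ntpath.normcase(target)
                and content is not None and sha1_of(content) == item.sha1)
    raise ValueError("unknown item kind: " + item.kind)


def accessible_items_allow(items: Iterable[AccessibleItem], path: str, owner_sid: str,
                           trusted_sids: Set[str], content: Optional[bytes] = None,
                           env: Optional[Dict[str, str]] = None) -> bool:
    """True when some item matches and, if that item checks ownership, the owner is trusted."""
    for item in items:
        if not item_matches(item, path, content, env):
            continue
        if item.check_owner and owner_sid not in trusted_sids:
            continue   # matched, but the owner is untrusted, so this item grants nothing
        return True
    return False


# Constructed whitelist and sample file contents.
ORIGINAL = b"MZ constructed bytes of myapp.exe as the administrator recorded it"
TAMPERED = ORIGINAL + b" plus injected code"
ENV = {"ProgramFiles": r"C:\Program Files"}
ITEMS = [
    AccessibleItem("signature", "myapp.exe", sha1=sha1_of(ORIGINAL)),
    AccessibleItem("file", "calc.exe"),
    AccessibleItem("file", r"\\servername\sharename\myapp.exe"),
    AccessibleItem("folder", r"\\servername\servershare\myfolder", include_subdirs=True),
    AccessibleItem("folder", r"C:\Tools", check_owner=True),
    AccessibleItem("drive", "W"),
    AccessibleItem("file", r"%ProgramFiles%\Contoso\app.exe"),
]


def allowed(path: str, owner_sid: str = USER_BOB, content: Optional[bytes] = None) -> bool:
    """Evaluate one request against the constructed whitelist."""
    return accessible_items_allow(ITEMS, path, owner_sid, TRUSTED_OWNERS, content, ENV)
```

Note that the full-path File item accepts the tampered bytes while the Signature Item rejects them, which is the difference between a path whitelist and a hash whitelist that the chapter draws.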

Access Times
It is possible to define what times and on what days a particular application is allowed to execute. The Access Times dialog box is available on the Rule Items ribbon page > Accessible & Prohibited Items group.
Access times can only be applied to Accessible Items within the Group, User, Device, Custom, Scripted, and Process rules.


Figure 3.8 Access Times Specified between 8am and 6pm, Monday to Friday

A message can be displayed when a user attempts to access an application outside of the specified time limits. Another message can be displayed if the time limit expires whilst the application is still running. You can configure this message. See Time Limits on page 30.

Application Limits
It is also possible to define the number of occurrences of an application that can run at one time. The Application Limits dialog box is available on the Rule Items ribbon page > Accessible & Prohibited Items group.
Application limits can only be applied to Accessible Items within the Group, User, Device, Custom, Scripted, and Process rules.


Figure 3.9 Application Limits Dialog Box

A message can be displayed for a user when application limits have been exceeded. You can configure this message. See Application Limits Exceeded on page 28.

SECURITY METHOD RECOMMENDATION


In order to get the most value out of an Application Manager configuration, it is recommended to utilize a hybrid approach where the most suitable components from each security method can be combined to provide the optimum security model, whilst minimizing the overall management and configuration overheads.

The Trusted Ownership approach enables new applications to be installed by Trusted Owners without any changes required to the Application Manager configuration, yet still provides full security against unknown application and script content introduced by non-trusted end users. It is therefore recommended that this security method be used as the basis of most Application Manager configurations, and this is the reason why this functionality is enabled by default in all new Application Manager configurations.

As stated previously, the whitelist approach is the most secure, yet it is an administratively intensive security model. If an enterprise does not utilize NTFS security on their file systems, then the use of a whitelist is the recommended option since Trusted Ownership relies on the file owner information that is only found within NTFS.

Trusted Ownership is only appropriate for locally installed executable content, that is applications that exist on local fixed drives within a computer. Any executable or script content that resides on network locations or on removable media, such as a CD or a DVD-ROM, is automatically considered as un-trusted, and hence is immediately blocked from executing. Any such application which is required to be executed by a user must be specifically added to the Accessible Items whitelist within the Application Manager configuration, with a full UNC path to the relevant executable. It is possible to optionally disable Trusted Ownership checking on these items if necessary, or to optionally select to take a SHA-1 signature to check the file at run-time. It is considered good practice to use SHA-1 digital signature checking for network or removable media based applications since these files tend to be outside of the control of the administrator responsible for the organization's endpoint devices.


Trusted Vendor checking is recommended for development and test environments where end users may need to constantly install and test different versions of company owned application and script content. By signing the desired executables with a digital certificate, Trusted Vendor checking can be configured to allow all signed components to be executed as and when needed.

Finally, Prohibited Items should be configured to create a blacklist preventing specific user access to applications that would typically be installed and hence owned by Trusted Owners, including parts of the operating system such as registry editing tools, file sharing tools and access to Control Panel components. This blacklist of Prohibited Items can additionally be used to cater for application license management, when used in conjunction with Accessible Items whitelists and the Application Limits functionality.

Configuration

In this Section:

Configuration Files on page 56
Default Configuration on page 57
Customize a Configuration on page 61
Example Configuration Procedures on page 69
Configuration Profiler on page 73

CONFIGURATION FILES
Application Manager configuration files (.aamp) contain the rule settings for securing your system. The Application Manager agent checks the configuration rules to determine the action to take when intercepting file execution requests. Configurations are stored locally in C:\Documents and Settings\All Users\Application Data\AppSense\Application Manager\Configuration for Windows XP and Server 2003. For Vista and above they are stored in C:\ProgramData\AppSense\Application Manager\Configuration. Configurations are protected by NTFS security.


APPLICATION MANAGER PRODUCT GUIDE


ProgramData is a hidden folder. Open up explorer and type C:\ProgramData in the Address bar. Press Enter to open the folder.

In Standalone mode, configuration changes are written directly to the local .aamp file from the Application Manager console. In Enterprise mode, configurations can be created and stored centrally in the AppSense Management Center database, and distributed to endpoints in MSI format via the AppSense Management Server. Configurations can also be exported and imported to and from MSI file format, which is useful for creating templates or distributing configurations using third-party deployment systems. After creating or modifying a configuration, you must save the configuration with the latest settings to ensure that they are implemented.

DEFAULT CONFIGURATION
Application Manager is ready to manage your security as soon as you install the agent and a configuration on managed endpoints. A default configuration loads when you run the console and can be used for immediate protection on all client computers to which the configuration is deployed. This configuration blocks any file with an un-trusted owner and prevents non-administrative users from accessing executables in non-secure locations, including network locations and removable media.
For more information on Trusted Ownership see Security Methods on page 41.

The default configuration can be saved directly in Standalone mode to the local computer via the console or saved to the database of the AppSense Management Center when operating in Enterprise mode, ready for deployment.

Protection
All application and process execution requests are checked against the Application Manager Rules before access is granted.
All application and process Network access requests are prohibited unless allowed by Application Manager Rules.
Members of the Local Administrators group are granted unrestricted access to applications.
Members of non-administrative user groups are granted restricted access to applications.
MSI, WSH and Registry Files are validated against the Application Manager Rules.
Windows Installer (msiexec.exe) is allowed to run all child processes with the DLL and EXE extensions.


Default Settings

Table 4.1 Default Configuration Settings (Setting, Value, Description)

General Features - Options
    Make local drives accessible by default
    Ignore restrictions during logon
    Allow cmd.exe for batch files
    Allow self-extracting ZIP files
    Ignore restrictions during Active Setup
    Description: Ignore restrictions at logon delays the implementation of the Application Manager rules until logon is complete, to avoid any disruption or prevention of the logon process completing. This option allows logon scripts to run. While cmd.exe and self-extracting zip files are usually blocked as potential loopholes for attempts to breach security, these options allow CMD and ZIP files to run for legitimate files.

General Features - Validation
    Validate MSI (Windows Installer) Packages
    Validate WSH (Windows Script Host)
    Validate registry files
    Validate system processes
    Description: System process validation can affect performance and is disabled by default. Application Manager validates MSIs, Registry files and WSH against the rules by default. Otherwise, they are ignored unless they are specified in the rules themselves. Turn these options off only if you trust these types of files running or you have adequate protection in place in the Application Manager rules or by some other method.

Functionality
    Enable Application Access Control, Enable Application Network Access Control, Enable User Rights Management
    Value: All Application Manager functionality is enabled by default, but you can disable any of these as part of a troubleshooting process.
    Application Termination
    Value: Disabled by default.
    Description: Settings for closing and terminating applications. Set triggers, warning message behavior to users and warning message notifications.

Libraries
    Group Management Node
    Value: No default settings.
    Description: For creating reusable groups of applications to assign to Rules.
    User Rights Policies
    Value: No default settings.
    Description: Reusable User Rights Policies which elevate or restrict user privileges, for assigning to files, folders, signatures, drives and application groups in Rules.

Rules
    Administrator
    Value: Security level set to Unrestricted. No other default settings are applied.
    Description: Local Administrator Group Rule for managing access to applications for local administrators.
    Everyone
    Value: Security level set to Restricted. AppSense Program Files Directories are added to Accessible Items. No other default settings are applied.
    Description: Group Rule for all system users unless a user matches other rules with higher priority settings.
    Process - Windows Installer (msiexec.exe) *.EXE *.DLL
    Value: All EXE and DLL files are allowed to run when spawned by msiexec.exe. This rule does not manage access to msiexec.exe. You must manage access to this file in another rule.


CONFIGURATION ELEMENTS
The Application Manager console provides configuration settings in the following key areas:

Library
Rules

Library
The Library node provides the following:

Group Management - The Group Management node allows you to group a number of items such as Files, Folders, Drives, Signature Files, and Network Connections, for example, for one particular application. You can then add this group to the Accessible and Prohibited Items lists.

User Rights Policies - The User Rights Policies node allows you to add User Rights Policies to selectively promote or demote administrative rights for individual applications.

Rules
Rule nodes provide default settings for handling file executions and specific settings which apply to particular users, groups or devices.

Group, User, Device, Custom, Scripted, and Process Rules - Allow you to specify Security Level settings that specify restrictions which apply to users, groups or devices matching the rule. Custom rules target combinations of particular users or groups operating on specific collections of devices. Scripted rules allow administrators to apply Accessible Items and Prohibited Items to users based on the outcome of a VBScript. The VBScript can be run for each individual user session or run once per computer. Process rules allow you to manage access for the application to run child processes which might otherwise be managed differently in other rules. You can add Accessible Items, Prohibited Items, Trusted Vendors, and User Rights to the rule.

Accessible / Prohibited Items - Sub-node lists within each rule which you can populate and maintain with specific files, folders, drives, and digital signatures to provide an additional level of granularity for controlling file execution requests. For example, items which Trusted Ownership checking normally prohibits can be made accessible for the users or devices targeted in the rule. Likewise, files which would normally be accessible can be prohibited.

Trusted Vendors - A sub-node list in each rule which you can populate with digital certificates issued by trusted sources. Files which fail Trusted Ownership checking are checked for the presence of digital certificates and are allowed to run when a match is made with the Trusted Vendors list. For example, a highly restricted user might be prohibited under normal rule conditions from introducing executable files on the system but may be required to download and run software updates from a particular source, from time to time. If the downloaded file includes a digital certificate which matches a certificate in the Trusted Vendors list, the file is allowed to run.


User Rights - A sub-node list in each rule which you can populate with applications, components and web installations to which you apply User Rights Policies. User Rights Policies allow you to selectively promote or demote administrative rights for individual applications, components and web installations.

Rule Matching
Rule matching takes place when Application Manager intercepts a file execution request and checks the configuration policy to determine whether a file is allowed to run.

Applying Rule Policies
The most lenient security policy is applied to a user profile which is affected by more than one rule. For example, a user who matches both a User rule assigned the Restricted security level and also a Group rule which assigns the Self-Authorizing level is granted self-authorizing privileges for all decisions and application use.

Matching Files and Rules
The Application Manager agent applies rules by making a suitable match for the file type.

Figure 4.1 Rule Matching

Matching is based on a three stage approach which considers security, matching order and policy decisions:


1. Security:

Is the user restricted?
Is ownership of the executable item trusted?
Where is the executable loaded from?
Does the executable match a signature?
Does the executable match an Accessible or Prohibited Item?
Is Trusted Ownership checking enabled?
Is there a timed exception?
Is there an Application Limit?

2. Matching:

3. Policy:

Trusted Ownership Checking
During the rule matching process, Trusted Ownership checking is performed on files, folders and drives to ensure that ownership of the items is matched with the list of trusted owners in the default rule configuration. For example, if a match is made between the file you want to run and an accessible item, an additional security check ensures that the file ownership is also matched with the Trusted Owners list. If a genuine file has been tampered with, or a file which is a security threat has been renamed to resemble an accessible item, Trusted Ownership checking identifies the irregularity and prevents file execution. Trusted Ownership checking is not necessary for items with digital signatures as these cannot be imitated.
For more information on Trusted Ownership see Security Methods on page 41.

Trusted Vendors
Trusted Vendor matching takes place when a file is prohibited by failing Trusted Ownership checking. Application Manager queries each file execution to detect the presence of a digital certificate. If the file has a valid digital certificate and the signer matches an entry in the Trusted Vendor list, the file is allowed to run, overriding the Trusted Ownership check.
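An added Python model, not AppSense's code, of the rule matching described here: the most lenient security level among all matching rules is selected, then Prohibited Items, Accessible Items (inside their Access Times window, from earlier in the section), Trusted Ownership and finally the Trusted Vendor override are consulted. The order in which these are consulted, and that the items' own Trusted Ownership checkbox is off, are assumptions inferred from the prose; every SID, path, signer name and rule below is constructed.

```python
"""Rule matching for an Application Manager configuration (added example, not AppSense code).

The order in which Prohibited Items, Accessible Items, Trusted Ownership and
Trusted Vendors are consulted is inferred from the guide's prose and is an
assumption; every SID, path, signer name and rule below is constructed.
"""
import datetime as dt
import ntpath
from dataclasses import dataclass, field
from typing import Iterable, Optional, Set, Tuple

LEVELS = {"Restricted": 0, "Self-Authorizing": 1, "Unrestricted": 2}

# S-1-5-32-544 (BUILTIN\Administrators) and S-1-1-0 (Everyone) are real
# well-known SIDs; the remaining SIDs are invented.
ADMINS, EVERYONE, DEVS = "S-1-5-32-544", "S-1-1-0", "S-1-5-21-9-9-9-1500"
ALICE, BOB, CAROL = "S-1-5-21-9-9-9-1105", "S-1-5-21-9-9-9-1203", "S-1-5-21-9-9-9-1304"


@dataclass
class Rule:
    name: str
    members: Set[str]                                       # user or group SIDs the rule targets
    level: str = "Restricted"
    accessible: Set[str] = field(default_factory=set)       # full paths or bare filenames
    prohibited: Set[str] = field(default_factory=set)
    trusted_vendors: Set[str] = field(default_factory=set)  # certificate signer names
    # Access Times for the rule's Accessible Items: (weekdays, 0 = Monday; start hour; end hour)
    access_times: Optional[Tuple[Set[int], int, int]] = None


@dataclass
class ExecRequest:
    path: str
    owner_sid: str                 # NTFS owner of the file
    user_sids: Set[str]            # requesting user's SID plus the SIDs of their groups
    signer: Optional[str] = None   # signer of a valid digital certificate on the file, if any
    when: dt.datetime = field(default_factory=dt.datetime.now)


def _hit(path: str, entries: Set[str]) -> bool:
    """An entry matches by full path or, for a bare filename, by name in any location."""
    p = ntpath.normcase(path)
    return bool({p, ntpath.basename(p)} & {ntpath.normcase(e) for e in entries})


def in_access_times(rule: Rule, when: dt.datetime) -> bool:
    if rule.access_times is None:
        return True
    days, start, end = rule.access_times
    return when.weekday() in days and start <= when.hour < end


def decide(req: ExecRequest, rules: Iterable[Rule], trusted_owners: Set[str]) -> str:
    """Return 'allowed', 'blocked' or 'prompt' (the Self-Authorizing dialog)."""
    matched = [r for r in rules if r.members & req.user_sids]
    if not matched:
        return "blocked"
    # Of all rules that apply to the user, the most lenient security level wins.
    level = max((r.level for r in matched), key=LEVELS.__getitem__)
    if level == "Unrestricted":
        return "allowed"
    if any(_hit(req.path, r.prohibited) for r in matched):
        return "blocked"      # explicit blacklist entry, even for trusted-owned files
    if any(_hit(req.path, r.accessible) and in_access_times(r, req.when) for r in matched):
        return "allowed"      # whitelist entry inside its Access Times window
    if req.owner_sid in trusted_owners:
        return "allowed"      # Trusted Ownership: owner SID compared, groups never expanded
    if req.signer and any(req.signer in r.trusted_vendors for r in matched):
        return "allowed"      # Trusted Vendor override after Trusted Ownership failed
    return "prompt" if level == "Self-Authorizing" else "blocked"


# Constructed configuration resembling the default one plus a developers' group.
RULES = [
    Rule("BUILTIN\\Administrators", {ADMINS}, level="Unrestricted"),
    Rule("Everyone", {EVERYONE}, level="Restricted",
         prohibited={"regedit.exe"},
         accessible={r"\\fileserver\apps\timesheet.exe"},
         trusted_vendors={"Contoso Ltd (constructed)"},
         access_times=({0, 1, 2, 3, 4}, 8, 18)),      # 8am to 6pm, Monday to Friday
    Rule("Developers", {DEVS}, level="Self-Authorizing"),
]
TRUSTED_OWNERS = {ADMINS}
BOB_SIDS, ALICE_SIDS, CAROL_SIDS = {BOB, EVERYONE}, {ALICE, ADMINS, EVERYONE}, {CAROL, DEVS, EVERYONE}
FRIDAY_10AM = dt.datetime(2011, 6, 17, 10, 0)      # a Friday
SATURDAY_10AM = dt.datetime(2011, 6, 18, 10, 0)


def verdict(path, owner, user_sids, signer=None, when=FRIDAY_10AM) -> str:
    """Evaluate one request against the constructed configuration."""
    return decide(ExecRequest(path, owner, user_sids, signer, when), RULES, TRUSTED_OWNERS)
```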

CUSTOMIZE A CONFIGURATION
As previously mentioned, the default configuration is ready to use as soon as you install the agent and the configuration on the managed endpoints. However, all enterprises are different and thus it is possible to edit or create a configuration more suitable to the environment.


You can use Endpoint Analysis to determine the applications on a user's endpoint and what applications are used. You can use this information to simplify the creation of a configuration. The results of the analysis can be dragged and dropped into an existing configuration. See Endpoint Analysis on page 128 for more information.

Define Users
The first step in creating a configuration is to determine the users that you want to apply rules to, for example, the users that you want to restrict certain applications for. Rules can be applied to all users within a group or to individual users. Users can belong to more than one group. By default there are two existing Group rules:

BUILTIN\Administrators
Everyone

Users within BUILTIN\Administrators have an Unrestricted security level whilst users in the Everyone group have a Restricted security level. Select a rule to display the security level.

Figure 4.2 Security Level Slider

Application Manager has the ability to assign four distinct security levels to the group rules.


By default, the BUILTIN\Administrators group rule has a security level of Unrestricted. The Everyone group rule and all additional group rules have a security level of Restricted.

Table 4.2 Security Levels

Restricted
Select to restrict users, groups, and devices, enabling them to run only authorized applications. These include files owned by members of the Trusted Owners list and files listed in the Accessible Items node only. If access to an executable is denied for the user then execution of it is blocked and the user does not have the ability to override the decision. This is the most secure setting and it is recommended that most users are configured this way. This, essentially, turns on the Application Manager protection for those that meet the group, user, device or scripted rule criteria.

Self-Authorizing
Select to prompt users, groups and devices in the rule to decide whether to allow execute requests for each unauthorized file. Unauthorized files either do not belong to the Trusted Owners list or are not specified in the Accessible Items list of a given rule. A Self-Authorizing user prompt includes the following:
Remember my decision for this session only: The authorization decision is upheld for the current session only. The user is prompted again for an authorization decision when attempting to run an application in any future sessions.
Remember my decision permanently: The user decision is upheld for all future sessions.
If neither of the above options is selected, the decision is upheld only for the current instance the user is attempting to run. The Self-Authorization prompt is reissued for any future attempts to run instances of the application.
Allow: Allows the application to run.
Block: Prevents the application from running.
When a DLL file is allowed to run, a message notifies the user that the application which uses the DLL may need to be restarted. The default message which displays can be modified on the General Features page > Properties group > Message Settings. For more information see Trusted Owners on page 14.
Once the decision has been made the setting is stored within a registry key. This can be one of two keys. If the user authorizes per session the signature is stored in HKCU\Software\AppSense Technologies\Application Manager\SIGSNATIVE\Session\X (where X is the session ID). If the user authorizes permanently the signature is stored in HKCU\Software\AppSense Technologies\Application Manager\SIGS-NATIVE\Always. Once allowed, the file is recorded with a digital signature, therefore ensuring the integrity of the file itself. If the file should change the user is once again prompted. Auditing events allow administrators to keep track of all files which are self-authorized by the user. See Auditing on page 139 for more information.

Audit Only
This setting applies the rules in a defined configuration but does not enforce them. An audit record is created for monitoring purposes, according to policy settings in the Auditing component. Auditing results are useful in determining what to add to the Application Manager configuration. No applications are blocked from executing. See Auditing on page 139 for more information.

Unrestricted
Use this setting to permit all actions without logging or auditing. While this may be desirable, it also means that the malware control afforded by Application Manager is bypassed. This, essentially, turns off the Application Manager protection for those that meet the group, user, device or scripted rule criteria.


When an application is prevented from running, a dialog box is displayed to inform the user. You can customize the message shown in this dialog box. For more information see Message Settings on page 26. All users, including administrators, are part of the Everyone group. This means administrators are part of two group rules: the BUILTIN\Administrators group, which is unrestricted, and the Everyone group, which is restricted. Application Manager uses the least restrictive rules, therefore all administrator requests are unrestricted. The BUILTIN\Administrators group is for managing access to the applications for local administrators, whilst the Everyone group is for all other users unless a user matches other group or user rules with higher priority settings. Typically, you specify all the files, folders, drives, signature items, network connection items, and groups to prohibit for Everyone. You can then create a new group or user and specify the items you want to be accessible for that group or user. This enables you to control what users have access to.

PROHIBIT FILES AND FOLDERS FOR EVERYONE

1. Expand the Group > Everyone node.
2. Select the Prohibited Items node.
3. Right-click within the work area and select Add > File or Add > Folder. Add the files or folders to prohibit.
For information on making Network Connection Items accessible or prohibited see Application Network Access Control on page 115.

CREATE A NEW GROUP OR USER

1. Right-click the Group node or the User node.
2. Select Add Group Rule or Add User Rule.
3. Add a group or add a user.

Specify Group and User Rule Items


The next step in creating a configuration is to specify the following rule items:
Accessible Items on page 65
Prohibited Items on page 65
Trusted Vendors on page 67
User Rights on page 67


Accessible Items
Accessible Items are available in each group or user rule. These are rule items for granting access to specific files, folders, drives, signature items, network connection items, and group items for the users, groups or devices matching the rule.
By default the Trusted Ownership option is selected for all Accessible Items. Therefore, an application must always pass trusted ownership checking if it is enabled, even if the application is an Accessible Item. Although the Trusted Ownership option can be disabled, this is not recommended as it weakens the default security.

Prohibited Items
Prohibited Items are available in each group or user rule. These are rule items for restricting access to specific files, folders, drives, signature items, network connection items, and group items for the users, groups or devices matching the rule. When an application is prohibited a warning message is displayed. This warning message can be customized using the Message Settings dialog box. This dialog box is available from the General Features ribbon page > Properties group.


Figure 4.3

Message Settings Dialog Box

For more information on configuring Message Settings see Trusted Owners on page 14.


Trusted Vendors
The Trusted Vendor node is available in each group or user rule and is used to list valid digital certificates. An increasing number of applications are being signed by vendors with a digital signature. A digital certificate is supplied with a public key and this may be used to verify the authenticity of the application. If trusted ownership fails then, providing the file is not explicitly blocked within the Application Manager configuration, it may be allowed to execute if it has a valid digital signature. Advanced options allow you to specify parameters for validating a certificate by ignoring or allowing specific attributes. The certificate must be valid for the rule to be applicable, but there are different levels of validation with which you can configure a certificate. A test option helps to validate the certificate based on the options you have selected and, where relevant, is dependent on connectivity with the appropriate Certification Authority. The following options are available for adding Trusted Vendors:
From signed file: You can specify a known file that has already been signed by the vendor who you wish to trust. Application Manager can then identify the vendor's specific signature to identify additional code from that same vendor.
From file-based store: You can browse to the specific digital certificate if available.
Import file-based store: Allows you to import a digital certificate for use in setting up a trusted vendor rule.
For more information on Trusted Vendors see Method 3 - Trusted Vendors on page 46.

User Rights
The User Rights node is used to apply User Rights Policies to files, folders, signatures, groups, and Windows components when the rule is matched. User Rights Policies are used to elevate or restrict user privileges. For example, many organizations are restrictive on what users are allowed to use and many applications require administrator rights. A User Rights Policy can be used to elevate a user or group of users from standard user rights to administrator rights for a particular application or Control Panel component.
For more information on User Rights see User Rights Management on page 77.


Specify Device, Custom, Scripted, and Process Rules


The base configuration consists of defined users, Accessible Items, Prohibited Items, Trusted Vendors, and User Rights, as required. For a more comprehensive configuration you can specify the following:
Table 4.3 Rules

Device
The Device rules node allows you to match security control rules with specific devices within the enterprise. Device rules can apply the rule settings either to the device hosting the Application Manager agent and configuration or to devices connecting through terminal services to the host. The Device node provides the ability to perform Per Seat license management in a server based computing environment. For example, a configuration rule can allow certain applications to run on a server but prohibit the application from running when launched by users operating from specific devices listed in the rule as connecting devices to the host server. For an example of a Device rule see Control Microsoft Software Licensing in a Virtualized Desktop Infrastructure (VDI) Environment on page 69.

Custom
The Custom rule node allows you to match security control settings with combinations of specific users or groups and devices within the enterprise. The rule can apply settings to devices hosting the Application Manager agent and configuration or to devices connecting through terminal services to the host. For example, a rule that targets computer IP address 192.168.0.2 as a connecting device and domain\user, allows you to apply security controls when the specific user logs on from the specified device through terminal services to the computer hosting the Application Manager agent and configuration. For an example of a Custom rule see Prohibit Starting Applications from a Connecting Device on page 72.

Scripted
The Scripted rules node allows you to create rules based on custom VB Scripts which run whenever a user logs on. The success or failure of a VB Script determines whether the security level, Accessible Items and Prohibited Items, which are part of the rule, apply to the user. Scripted rules can take advantage of any interface accessible via VB Script, such as COM and WMI, and allow the administrator to define Application Manager policy based on any computer, user, registry, file or system property. Scripted rules also allow integration with other third party solutions, such as Microsoft Active Directory and Citrix Advanced Access. Scripted rules can run for each new session in the context of the user or in the context of the SYSTEM. Alternatively, Scripted Rules can run once per computer and the result is applied to all user sessions. Scripted rules are re-evaluated when a new configuration is deployed to the computer. Scripts run when the Application Manager agent starts up or when the configuration changes. For an example of a Scripted rule see Determine if a User is a Member of a Certain OU on page 70.

Process
The Process node allows you to match security control rules with specific requesting processes. Process rules allow you to manage access for an application to run child processes which might otherwise be managed differently in other rules. You can add Accessible Items, Prohibited Items, Trusted Vendors and User Rights Management to the rule. You can add files, folders, drives, signature items, network connection items and application groups as managed items into the Accessible Items and Prohibited Items lists of a process rule. The Process Rule manages all levels of child process run by the application. The Process rule does not manage the application itself. This must be managed by other rules unless the application is managed as a child process in another Process Rule. For an example of a Process rule see Prohibit Child Processes Running from a Parent Process on page 73.


Example Configuration Procedures


The following procedures address common issues you may want to solve:

Control Microsoft Software Licensing in a Virtualized Desktop Infrastructure (VDI) Environment


In a VDI environment, users log on to a desktop session which is delivered from a central point, based on a template. Many Microsoft applications including Office, Visio and Project are licensed per device. In VDI environments, the user can potentially access the desktop and applications from multiple devices, requiring each connecting device to have a license. Application Manager can restrict access to applications by device name and IP address, allowing you to manage and control the number of licenses, and in some cases reduce them. You can create a rule which explicitly states which connecting machines are allowed and which are prohibited from running Microsoft Office applications. Licenses are only required for those machines which are explicitly allowed. The following procedures show how to create an Application Manager Device Rule which manages licenses for Microsoft Office products.

EVALUATE WHICH DEVICES ACCESS MICROSOFT OFFICE APPLICATIONS

1. Click Endpoint Analysis in the navigation pane and add endpoints by domain/workgroup or by browsing a Management Center Deployment group. Add all existing desktops you wish to manage.
2. Once endpoints are added, run scans of all endpoints or just selected endpoints to identify what the usage is for Microsoft Office applications. From these results you can potentially cut license costs by removing unused licenses.
If necessary, run an Installed Applications scan to identify on which devices Microsoft Office Applications are installed to establish where licenses are required and also ensure to make those applications available on the correct devices based on where the key users or groups operate.

SETUP DEVICE RULES TO PROHIBIT AND ALLOW DEVICES

1. Click the Configuration button in the navigation pane.
2. Navigate to Group Management in the Library node and create a new Group Management entry called Microsoft Office.
3. Click Add Item in the Items ribbon group and select Folder. Browse to Program Files to locate and add the relevant folder for the Microsoft Office product executable files.
4. Create a Device Rule called Cannot Use Office.
5. Right-click in the work area for the Device Rule and select Add Client Device. Enter an asterisk (*) in the text field, click Add and select the Connecting Device type. This ensures that all devices are blocked by this rule.


6. Add the Microsoft Office application group to the Prohibited Items folder to ensure that all the specified devices in this rule are blocked from accessing the applications in the Office group.
7. Create another Device Rule called Can Use Office.
8. Right-click in the work area and select Add Client Device.
9. Browse the network or Active Directory. Add all the devices which are allowed to access the Office products.
10. Add the Microsoft Office application group to the Accessible Items folder to ensure that all the specified devices in this rule are allowed to access the applications in the Office group.
The results of the running applications scan you performed in the previous task can be used to determine on which devices Microsoft Office is used. You can select multiple devices to add simultaneously.

Determine if a User is a Member of a Certain OU


You can create a scripted rule to access information about the username of the user logging on to the system, and match with a specific domain and organizational unit.

CREATE A SCRIPTED RULE

1. Right-click the Scripted rule node in the navigation tree and select Add Scripted Rule.
2. Right-click the new rule and select Rename. Enter an intuitive name for the rule, for example, Users in OU.
3. Right-click the rule and select Edit Script. The Scripted Rule dialog box displays.
4. Enter the following example script.
5. Select the correct Entry Function. In the example above this is MyScript. This is the main function that is called when the script runs and evaluates the outcome of the rule.
6. Click OK.
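The following VBScript is an added example of such a rule script; it is not the script from the product guide or from AppSense. It uses the ADSystemInfo COM object to read the distinguished name of the logged-on user and succeeds only when that name sits under a given OU in a given domain. The domain (example.com) and OU (Finance) are assumptions for this example; replace them with your own directory values.

```vbscript
Option Explicit
' Added example (not the product guide's own script): scripted rule entry
' function that returns True only when the logged-on user's account is in
' the target organizational unit. TARGET_OU_DN is an assumption.

Const TARGET_OU_DN = "OU=Finance,DC=example,DC=com"

' Entry function selected in the Scripted Rule dialog. Returning True means
' the rule matches and its security level and items apply to the user.
' Every failure path returns False, so the rule fails closed.
Function MyScript()
    Dim objSysInfo, strUserDN
    MyScript = False
    On Error Resume Next
    ' ADSystemInfo needs a domain-joined computer and names the user only
    ' when the script runs as the logged-on user; run as SYSTEM it reports
    ' the computer account instead.
    Set objSysInfo = CreateObject("ADSystemInfo")
    strUserDN = objSysInfo.UserName   ' e.g. CN=jsmith,OU=Finance,DC=example,DC=com
    If Err.Number <> 0 Or Len(strUserDN) = 0 Then Exit Function
    On Error GoTo 0
    ' The user is in the OU (or in an OU nested beneath it) when the DN ends
    ' with a comma followed by the target OU's DN. DNs are case-insensitive.
    If Len(strUserDN) > Len(TARGET_OU_DN) + 1 Then
        If StrComp(Right(strUserDN, Len(TARGET_OU_DN) + 1), _
                   "," & TARGET_OU_DN, vbTextCompare) = 0 Then
            MyScript = True
        End If
    End If
End Function
```

Select MyScript as the Entry Function and, because of how ADSystemInfo resolves the current account, choose the option to run the script once per logon session as the logged on user. Keep a non-zero script timeout: a timed-out script counts as a failure, so a slow domain controller lookup results in the rule not applying rather than applying to the wrong users. Because the check is a suffix match on the DN, users in child OUs of Finance also match; if only direct members should match, compare the DN with its leading CN component removed against TARGET_OU_DN exactly.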


Figure 4.4 Scripted Rule

Options Tab
The Options tab contains the following:
Run script once per logon session as the logged on user: The script runs for each user logging on. Settings are only applied for the duration of the user session.
Run script once per logon session as the SYSTEM user: The script runs with SYSTEM account permissions once for each user logging on. Settings are only applied for the duration of the user session.
Run script once per computer as the SYSTEM user: The script runs with SYSTEM account permission once at computer startup. Settings are applied to all user sessions until the computer restarts, the Application Manager agent restarts or there is a configuration change.


Running scripts as the SYSTEM user can cause serious damage to your computer and should only be enabled by experienced script authors.

Do not execute script until user logon is complete: Select to prevent the script from running until user logon is complete.
Wait for <n> seconds before script timeout: Allows you to specify the number of seconds to allow a script to continue running before the script times out. A setting of zero (0) seconds prevents the script timeout. If a timeout occurs the result is fail and settings cannot be applied.

Prohibit Starting Applications from a Connecting Device


You can create a Custom rule to prevent users from running applications on a remote computer that has the Application Manager agent installed when connecting from a particular device.

CREATE A CUSTOM RULE

1. Right-click the Custom rule node in the navigation tree and select Add Custom Rule.
2. Right-click the User/Group Name column in the work area and select Set Account. The Account Selection dialog box displays.
3. Add the user or group to prohibit access to an application when connecting from a specified device.
4. Right-click the new rule and select Rename.
5. Enter an intuitive name for the rule.
6. Right-click in the work area and select Add Client Device. The Add a Client Device dialog box is displayed.
7. Enter the computer name or IP address of the computer users are connecting from and click Add.
8. Select the Connecting Device option in the Device Type column.
9. Expand the rule and select the Prohibited Items node.
10. Right-click in the work area and select Add > File. The Add a File dialog box displays.
11. Enter the name of the application or browse to it using the Browse button and click Add.
12. Save the configuration and deploy to managed endpoints.


Prohibit Child Processes Running from a Parent Process


You can create a Process rule to prohibit child processes running from a parent process. For example, a user may be able to run Internet Explorer from the Start menu. However, you can create a Process rule to prevent the user from running Internet Explorer from another process, that is, a parent process.

CREATE A PROCESS RULE

1. Right-click the Process rule node in the navigation tree and select Add Process Rule.
2. Right-click the new process and select Rename.
3. Enter an intuitive name for the process rule.
4. With the process rule selected, right-click the work area and select Add > File. The Add a File dialog box is displayed.
5. Enter the name of the application to be the parent process.
6. Expand the new rule and select the Prohibited Items node.
7. Right-click the work area and select Add > File. The Add a File dialog box is displayed.
8. Enter the name of the application to prohibit from running from the parent process.
9. Save the configuration and deploy to the managed endpoints.

How to Drop User Rights for Changing the System Date and Time
Sometimes it is prudent to limit local Administrator rights to avoid the risk of disruption to system integrity. For example, local changes to the system date and time can prevent scheduled scripts from running. In a domain, the System date and time is usually best managed by the domain controller.

DROP LOCAL ADMINISTRATOR USER RIGHTS FOR CHANGING SYSTEM DATE AND TIME

1. Expand the BUILTIN\Administrators group.
2. Select the User Rights node.
3. Select the Components tab.
4. Right-click the Components tab and select Add Component.
5. Select the Date and Time component in the list and select Add.
6. When the component is added to the Components tab list, ensure that the User Rights Policy of the Date and Time component is set to Builtin Restrict, or open the drop-down to select that option.
Local administrative users are now prohibited from modifying the system date and time.

CONFIGURATION PROFILER
The Configuration Profiler, available from the Home ribbon page > Common group, allows administrators to produce detailed reports on configurations. This can be done whether they are stored locally or in the central database. The reports can be a general study of the overall configuration or can be aimed at how it interacts with a specific user, group of users or specific file.


Use general reports to assist auditing and compliance requirements such as Sarbanes Oxley or HIPAA. Use custom reports to highlight specific elements to assist in troubleshooting a large configuration. In order to create a Configuration Profiler report, the configuration in question must be loaded into the Application Manager console. It does not need to be deployed for this to be achieved. Complete reports can be created using the Configuration Profiler or based on specific criteria such as the File, Folder, Network Connection, User, Group, and Device rule items.
Use Rules Analyzer to examine problems with a configuration deployed to endpoints. See Rules Analyzer on page 144.

Figure 4.5

Configuration Profiler

The following graphic shows a report of the default configuration that comes with Application Manager. This is a complete report and specifies that the Everyone group rule and the Windows Installer process rules have a restricted security level. The remaining rules in Application Manager are not displayed because there is no configuration set up for them. Both the Everyone group rule and the Windows Installer process rules have Accessible Items listed. The path for the Windows Installer process rule is also given.


No Prohibited Items, Trusted Vendors or User Rights are listed because none are configured. The configuration properties are shown. These include details about Archiving, the default rules specified in the Options dialog box available from the General Features ribbon page > Default Restrictions group, details about Trusted Owners, and the Extension Filtering property.


User Rights Management

In this Section:

Overview on page 74
User Rights Management Benefits on page 77
Use Cases on page 78
Technology on page 78
Configuring User Rights Management on page 80
Web Installations on page 99
Snippets on page 109

OVERVIEW
Many user environments are very restrictive in order to limit user access to sensitive data and key applications. Application Manager secures and protects many corporate desktops by controlling application and network access. Application Manager 8.1 extends policy management capabilities by providing comprehensive User Rights Management functionality.


User Rights Management enables enterprise IT departments to reduce access control privileges on a per user, group, application, or business rule basis. It ensures users have only the rights they need to fulfil their job and access the applications and controls they require, and nothing else, thus ensuring desktop stability, improving security and productivity. The perfect balance between user productivity and security is to control user rights, not at a session or account level, but at an application or individual task level. With User Rights Management, access to applications and tasks is managed dynamically by managing user rights, on demand, in response to user actions. For example, administrator rights can be applied to a named application or Control Panel component for a particular user or user group, by either elevating the privileges of a standard user to an administrator level, or dropping the rights of an administrator to that of a standard user account. By controlling user rights throughout the user session, IT can provide users with the accessibility they require to perform their job, while protecting the desktop and the environment and reducing management costs. User Rights Management provides a granular approach to delegating administrative rights to users and applications by assigning rights according to merit. This level of control can be deployed to elevate or restrict privileges on a case by case basis according to the preferred approach taken in the environment. User Rights Management allows you to create a library of reusable policies which can be associated with any available Application Manager rules, to assign the relevant privileges to files, folders, signatures, and application groups. User Rights Policies include domain user group membership and a range of administrative privileges which you can apply to each policy.
You can run Application Manager in User Rights Management mode only. See Options on page 19.

Least Privilege
Many users run their computer with administrative privileges. It is evident that users running with these privileges can introduce viruses, malware and spyware. Inevitably this can affect the entire enterprise, causing security breaches and downtime. Access to private data can also be at risk. User Rights Management allows the application of the principle of least privilege. This principle requires that users are provided the minimum rights to do their job, without giving the user full administrator rights. The experience is seamless to the user.
For the complete definition of least privilege refer to the Department of Defense Trusted Computer System Evaluation Criteria, (DOD-5200.28.STD), also known as the Orange Book. This is located at http://csrc.nist.gov/publications/history/dod85.pdf.

With User Rights Management any downtime, coupled with the number of calls made to IT support due to viruses and so on, are greatly reduced because computers are made secure against the problems that occur when a user has full administrative rights. This means IT Support can focus on more important tasks as opposed to spending large amounts of time troubleshooting computers to find out the problem. Licensing is also easier to control, for example, by allowing users to only install authorized applications.

Common Tasks that Require Administrative Privileges


There are a number of common tasks users may be required to perform in order to fulfil their role that may need administrative privileges. A solution must be provided to allow these tasks to be performed, else the user must satisfy their role without accomplishing these specific tasks. These tasks may include:

Installation of printers
Installation of certain hardware
Installation of particular applications
Operation of applications that require administrative privileges
Change of system time
Legacy applications

User Rights Management allows the user to perform these tasks by elevating a user to have specific administrative privileges.

User Rights Management v Run As


Many users, particularly knowledge workers, use the Run as command to run applications. Users can perform their daily tasks running with least privilege but can also, as required, use the Run as command to elevate their credentials, thus performing a task under the context of a different user. This, however, requires that a user has two accounts, that is, one for least privileges and one for elevation. A common problem within an enterprise is the communication of the administrative password throughout an enterprise. For example, an administrator may communicate the administrator password to a user enabling them to use the Run as command to fix a problem with their computer. Unfortunately the password commonly gets passed around causing unforeseen security risks. Additionally, a problem with Run as is how software actually interacts with it. Run as executes an application or process under the context of a different user. Therefore, that application or process does not have access to the correct HKEY_CURRENT_USER hive in the registry. This hive is where all the profile data is stored and is protected space. Because of this, the application or process running under the context of a different user cannot read or write to this source, causing some applications to not function. Running under the context of a different user can also cause problems reading and writing to a network share. This is because network shares are based on the account under the context you are running. Thus, your local account and the Run as account may not have the same access to resources.

Run as and UAC
Windows XP, Windows Vista and Windows 7 have certain features that allow a user to run applications or processes without administrative rights. These are the Run as command in Windows XP and Windows 7 and User Account Control (UAC) in Windows Vista.

APPLICATION MANAGER PRODUCT GUIDE

5 USER RIGHTS MANAGEMENT User Rights Management Benefits

80

UAC also applies to Windows 7. However, it is an addition to the Run as command, not a replacement.

These features also apply to Server 2003 and Server 2008 versions.

Although these features allow users to run without administrative rights, they still require the user to have access to an administrator account to perform administrative tasks. This limitation makes the features more appropriate for administrators, who can log on as a standard user and use the administrator account only for administrative tasks. Because the user must provide the credentials of a local administrator to use Run as or UAC, there are a number of concerns. For example:

- A user with access to an administrator account must be trusted not to abuse these privileges.
- Applications running with administrative rights are running under the context of a different user. This can cause problems, for example, these applications do not have access to the actual user's profile or network shares, as stated in the User Rights Management v Run As section above.
- Two passwords are required, one for the standard account and one for the administrator account, and the user must remember both. Securing one account is challenging; securing two is more so.

USER RIGHTS MANAGEMENT BENEFITS


The main benefits of User Rights Management are:

Elevation of User Privileges for Running Applications
Use User Rights Management to specify an application to be run with administrative credentials. The user does not have administrative credentials but is able to run the application.

Elevation of User Privileges for Running Control Panel Components
Many users need to perform tasks that need administrative rights, for example, installing printers, changing network and firewall settings, changing the time and date, and adding and removing programs. All of these tasks require running Control Panel components as an administrator. Use User Rights Management to elevate privileges for individual components so that a non-administrative standard user can make the changes needed to perform their role.

Reducing Privileges to Restrict Application Rights
Some users have administrative credentials but should run specific applications as a non-administrator. By running certain applications as an administrator, for example Internet Explorer, the user is able to change many undesirable settings, install applications and potentially open up the desktop to the Internet. Use User Rights Management to make an administrator-level user run, for example, Internet Explorer in standard user mode, thus safeguarding the desktop.

Reducing Privileges to Restrict Access to System Settings
Use User Rights Management to give a higher-level system administrator the ability to stop an administrative user from altering settings that they should not change, for example, firewalls and certain services. Use User Rights Management to reduce administrative privileges for certain processes. Although the user has administrative rights, the system administrator retains control of the environment.

USE CASES
User Rights Management has many use cases and solves problems that many enterprises have until now been unable to address. A small number of scenarios are given below:

- Organizations that use local administrator accounts for their users may need to lock down elements of the desktop, such as the Control Panel components Add Hardware or Add and Remove Programs \ Programs and Features. By dynamically dropping the user account from administrator to standard user for specific controls, the user is prohibited from accessing the control and executing an unwanted task.
- Some applications require administrator rights because the application itself interacts with certain parts of the desktop operating system or registry. However, the organization does not wish to provide users with full administrator accounts. User Rights Management can elevate the user's rights for the named application to administrator level, enabling the user to run the application while protecting the desktop.
- Automatic update elements of some applications can require administrator rights to perform the update actions and therefore do not function in the context of a standard user. User Rights Management can run the named application under the context of an administrator account while all other applications remain in the standard user context.
- Mobile users may need to manually change their IP address, configure a wireless network, or change date and time properties, all of which require administrative rights. User Rights Management can elevate the user's rights to administrator level for the named tasks, enabling the user to make the changes they require.

TECHNOLOGY
In a Microsoft Windows computing environment, when an execution request is made as part of the application launch process, the application receives a security token as part of the launch approval process. This token details the rights and permissions given to the application, and these rights are used when it interacts with the operating system or other applications. When User Rights Management is configured to manage an application, the security token is dynamically modified to have permissions elevated or restricted, so that the application runs with more or fewer rights than the user would otherwise have.


User Rights Management Mechanism


The User Rights Management mechanism controls access for users and applications, as shown in the figure below.

Figure 5.1 User Rights Management Mechanism

The User Rights Management mechanism handles process startup requests as follows:

1. A User Rights Policy is defined in the configuration rule and applies to applications or components. The Applications list can include files, folders, signatures or application groups. The Components list can include Control Panel components.
2. When a process is created by the launch of an application or other executable, the Application Manager hook intercepts the process and queries the Application Manager agent to determine whether elevated or restricted rights are required to run the process.
3. The agent confirms whether the configuration assigns elevated or restricted rights and, if required, requests a modified user token from the Windows Local Security Authority (LSA).
4. The hook receives the modified user token from the Windows LSA, granting the necessary privileges. Otherwise, the process runs with the existing user token according to the user's normal rights.


CONFIGURING USER RIGHTS MANAGEMENT


Standard users typically have no administrative rights. The following scenario demonstrates how to create an administrator membership rule and how to use it to allow a standard user to run Task Manager as an administrator. The same membership rule is then applied to a particular Control Panel component so that the user can run the component as an administrator. User Rights Management provides the ability to add membership of a selected group or to drop membership. The first step is to create a User Rights Policy and to specify the membership action, in this case Add Membership.

CREATE A USER RIGHTS POLICY FOR ADMINISTRATORS

1. Right-click the User Rights Policies node in the navigation pane and select Add Policy.
2. Right-click the policy and select Rename.
3. Enter an intuitive name for the policy, for example, Elevate to Admin.
4. Right-click the Group Membership tab in the work area and select Add Group Action. The Account Selection dialog box displays.
5. Enter or navigate to the Administrators group and click OK.
6. Click in the Action column and select Add Membership. This is the default setting.

The Add Membership option runs the application as if the user were a member of the specified group. The Drop Membership option runs the application as if the user were not a member of the group, which is how rights are reduced for users who are administrators.


Figure 5.2 Membership Rule

Merging Policies

A configuration can contain a number of User Rights Policies. These can be applied to many files, folders, signatures, and groups in the various rules. If several of the files, folders, signatures, or groups in the rules match the same process and their policies are relevant, Application Manager merges the policies and the least restrictive policy takes precedence. Application Manager also applies rule ordering to determine which policy takes precedence. The ordering, from highest precedence to lowest, is:

1. Signature with arguments
2. Signature
3. File with arguments
4. File
5. Folder

Taking the above into account, when an application is specified both as a file and by its signature, only the policy for the signature is applied, because a signature has higher precedence than a file.
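The following PowerShell is an added example, not AppSense code: a small model of the matching, precedence and merging rules just described, so you can predict which User Rights Policy a given launch receives before you deploy a configuration. The item types, the precedence order and "least restrictive wins" come from the guide; how Application Manager compares arguments, expands environment variables or hashes signature files internally is not documented here, so those details, the sample items and the restrictiveness ranking are assumptions of this model.

```powershell
# Added example, not AppSense code: model of User Rights Management item
# matching and policy precedence. Assumptions: wildcard arguments compare with
# -like, signatures compare as a hash string, policy restrictiveness is ranked
# by the table below.

# Precedence, highest first, as listed in the guide. Arguments apply only to
# files and signatures, so a folder item never gets a "with arguments" rank.
$script:Precedence = @('SignatureWithArguments', 'Signature', 'FileWithArguments', 'File', 'Folder')

# Assumed restrictiveness ranking used to merge items of equal precedence
# (lower number = less restrictive = wins the merge).
$script:Restrictiveness = @{ 'Builtin Elevate' = 0; 'Elevate to Admin' = 0; 'No Change' = 1; 'Builtin Restrict' = 2 }

function Test-UrmItem {
    param([hashtable]$Item, [hashtable]$Process)
    $match = $false
    # Substitute environment variables the way the dialog option does.
    $path = [Environment]::ExpandEnvironmentVariables($Item.Path).TrimEnd('\')
    switch ($Item.Type) {
        'Signature' { $match = ($Process.Sha256 -eq $Item.Sha256) }
        'File'      { $match = ($Process.Path -like $path) }          # -like gives wildcard support
        'Folder'    {
            $dir = (Split-Path $Process.Path -Parent).TrimEnd('\')
            $match = ($dir -ieq $path) -or
                     ($Item.IncludeSubdirectories -and $dir.StartsWith($path + '\', [StringComparison]::OrdinalIgnoreCase))
        }
    }
    # An item with arguments only matches when the launch arguments match too.
    if ($match -and $Item.Type -ne 'Folder' -and $Item.Arguments) {
        $match = ($Process.Arguments -like $Item.Arguments)
    }
    return $match
}

function Resolve-UrmPolicy {
    param([hashtable[]]$Items, [hashtable]$Process)
    $matched = foreach ($item in $Items) {
        if (-not (Test-UrmItem $item $Process)) { continue }
        $key = $item.Type
        if ($item.Type -ne 'Folder' -and $item.Arguments) { $key += 'WithArguments' }
        [pscustomobject]@{ Item = $item; Rank = [array]::IndexOf($script:Precedence, $key) }
    }
    if (-not $matched) { return 'No Change' }     # nothing matched: token left as is
    $best = ($matched | Sort-Object Rank | Select-Object -First 1).Rank
    # Several items of the same precedence matched: merge by taking the least restrictive.
    $winner = $matched | Where-Object Rank -eq $best |
              Sort-Object { $script:Restrictiveness[$_.Item.Policy] } |
              Select-Object -First 1
    return $winner.Item.Policy
}

# Constructed sample configuration (three items) and one launch to resolve.
$items = @(
    @{ Type = 'File';      Path = '%SystemRoot%\System32\taskmgr.exe'; Policy = 'Elevate to Admin' },
    @{ Type = 'Folder';    Path = 'C:\Program Files\Tools'; IncludeSubdirectories = $true; Policy = 'Builtin Restrict' },
    @{ Type = 'Signature'; Path = 'C:\Program Files\Tools\bin\tool.exe'; Sha256 = 'CONSTRUCTED-HASH';
       Arguments = '--service*'; Policy = 'Builtin Elevate' }
)
$launch = @{ Path = 'C:\Program Files\Tools\bin\tool.exe'; Arguments = '--service install'; Sha256 = 'CONSTRUCTED-HASH' }

# Both the folder item and the signature-with-arguments item match this launch;
# the signature with arguments has the highest precedence, so its policy applies.
Resolve-UrmPolicy -Items $items -Process $launch
```

Change the launch arguments to something that does not match `--service*` and the signature item drops out, leaving the folder item's Builtin Restrict policy; that is the behaviour the precedence list predicts and the one worth checking against a test machine before trusting a model like this.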


Privileges A privilege is the right of a user account to perform a particular system-related operation, such as shutting down the computer or changing the system time. You can use the User Rights Management feature to enable, disable or remove privileges.

Figure 5.3 Privilege Options

No change - Leaves the privilege as it is in the original token.
Enabled - Sets the privilege's flag in the token to enabled.
Disabled - Sets the privilege's flag in the token to disabled. Use the Enabled option to re-enable the privilege.
Remove - Removes the privilege from the token. This cannot be undone: Windows does not allow a privilege to be added back to an existing token, so a removed privilege cannot be enabled again for that process.

The following table lists the privileges that apply only to specific operating systems. The remaining privileges apply across all operating systems.


Table 5.1 Privileges

Privilege                          User Right
SeCreateSymbolicLinkPrivilege      Create symbolic links
SeEnableDelegationPrivilege        Enable computer and user accounts to be trusted for delegation
SeIncreaseWorkingSetPrivilege      Increase a process working set
SeRelabelPrivilege                 Modify an object label
SeTimeZonePrivilege                Change the time zone
SeTrustedCredManAccessPrivilege    Access Credential Manager as a trusted caller
SeUndockPrivilege                  Remove computer from a docking station
SeUnsolicitedInputPrivilege        Receive unsolicited data from a terminal device

The original table also has one applicability column per operating system (XP, 2003, Vista, 2008, W7, 2008 R2). Only the qualifiers survive, not their column positions: Server Only (SeEnableDelegationPrivilege, as delegation is configured on domain controllers), Desktop Only (SeUndockPrivilege), Not Applicable (SeUnsolicitedInputPrivilege, which Windows defines but does not use), and 2008 R2 Only for some of the remaining privileges.

APPLY POLICY TO ALLOW TASK MANAGER TO RUN WITH ADMINISTRATIVE PRIVILEGES

1. Expand the applicable Group rule in the navigation pane and select the User Rights node.
2. Select the Applications tab in the work area.
3. Right-click the work area and select Add > Add File. The Add a File for User Rights Management dialog box displays.
4. Browse to the Task Manager executable, taskmgr.exe, and click Add.
5. Select the policy you created in the above procedure (Elevate to Admin) in the User Rights Policy column.
6. Save the configuration.

Now that the Elevate to Admin policy is applied to Task Manager using User Rights Management, Task Manager runs with administrator privileges for users in that group.
An empty default User Rights Policy is created if one does not exist.
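To confirm what a policy actually did to a process token, including the privilege options (No change, Enabled, Disabled, Remove) and the group membership action, the following PowerShell is an added example, not AppSense code. Run it from a PowerShell started under the rule you are testing (for example, temporarily add powershell.exe to the same Group rule as taskmgr.exe in a test configuration) and compare the output with a PowerShell started normally. It uses only built-in tooling: .NET WindowsIdentity for the administrator check and whoami.exe, whose /fo csv output parses cleanly, for group attributes and privilege state; the warning text and property names are this example's own.

```powershell
# Added example, not AppSense code: report on the access token of the current
# process so the effect of a User Rights Policy can be checked.

function Get-TokenReport {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]$identity
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    $adminSid  = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'

    # whoami /groups reports "Group used for deny only" for a UAC filtered token;
    # IsInRole() alone would report that simply as "not a member".
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admin  = $groups | Where-Object SID -eq $adminSid.Value
    $privs  = whoami /priv /fo csv | ConvertFrom-Csv

    [pscustomobject]@{
        User               = $identity.Name
        IsAdministrator    = $principal.IsInRole($adminSid)
        AdminGroupInToken  = [bool]$admin
        AdminDenyOnly      = [bool]($admin -and $admin.Attributes -match 'deny only')
        # A privilege the policy set to Remove appears in neither list: it is gone
        # from the token. A Disabled privilege is still present and can be enabled.
        EnabledPrivileges  = @($privs | Where-Object State -eq 'Enabled'  | ForEach-Object 'Privilege Name')
        DisabledPrivileges = @($privs | Where-Object State -eq 'Disabled' | ForEach-Object 'Privilege Name')
    }
}

$report = Get-TokenReport
$report | Format-List
if (-not $report.IsAdministrator) {
    Write-Warning 'Token is not elevated: check that the rule matches this executable and this user.'
}
```

For an Add Membership policy you should see IsAdministrator true with AdminDenyOnly false; for a Drop Membership policy applied to an administrator, the Administrators SID should be absent or deny-only. For a policy that uses the Privileges tab, compare the two privilege lists against the options you set.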


Figure 5.4 Task Manager Application

Applications Tab

The following columns and options appear on the Applications tab.

Item - Specifies the location of a file, folder or signature, or the name of a group.

Arguments - Specifies the arguments to pass to the application / process you are starting, that is, the application specified in the File path field. Arguments are only applicable to files and signatures. Note that files are the application / process.

Arguments support environment variables and wildcards. Environment variables make the path more generic for applying on different machines. Wildcard support provides an additional level of control for specifying generic file paths.

Apply to Child - An application / process given a User Rights Policy can launch child processes; the application specified in the File path field is the parent process. Select this option to apply the policy to the direct children of the parent process, so that a child process inherits the new token. Deselect it so that child processes use the original token, unaltered by User Rights Management.


This column is only applicable to files, folders and signatures.

Include subdirectories - Select to include all directories beneath the specified directory. User Rights Management is applied to all subdirectories. Deselect to only apply User Rights Management to the current folder.
This column is only applicable to folders.

Install as Trusted Owner - Select this option to make all files created by the defined application owned by the local administrator. This option has no effect if the application is not an installer, such as setup.exe.

Signature - Displays the actual signature for a signature file.
This column is only applicable to signature files.

User Rights Policy - Specifies the User Rights Policy for the file, folder, signature, or group. Select the drop-down arrow in the column to select a policy.
Use the Library > User Rights Policies node to create a User Rights Policy.


Figure 5.5 Applications tab for User Rights

Applications and Components

You can apply User Rights Policies to files, folders, signatures, and groups. These are specified on the Applications tab. Components are specified on the Components tab. Right-click the Applications tab for a User Rights node and select Add > Add File, Add Folder, Add Signature, or Add Group. Right-click the Components tab and select Add Component.

File

The following are the options available in the Add a File for User Rights Management dialog box.


Figure 5.6 Add a File for User Rights Management Dialog Box

File - The file path of the file / process. Enter the file path into this field or use the Browse button to locate the file.

Arguments - Specifies the arguments to pass to the application / process you are starting, that is, the application specified in the File path field. For example, %SystemRoot%\system32\mmc.exe may be the application and %SystemRoot%\system32\dfrg.msc c: the arguments.

Apply policy to child processes - By default, the User Rights Policy applied to an application or process is not inherited by child processes launched by the parent process. The application specified in the File path field is the parent process. Select this option to apply the policy to the direct children of the parent process, so that a child process inherits the new token. Deselect it so that child processes use the original token, unaltered by User Rights Management.
Application Manager only supports one level of inheriting the token: a grandchild process launched by the child receives the original token.

Install as Trusted Owner - Select this option to make all files created by the defined application owned by the local administrator. This option has no effect if the application is not an installer, such as setup.exe.

Substitute environment variables where possible - For example, replaces the Windows directory with the generic environment variable %SystemRoot%.
Environment variables make the path more generic for applying on different machines. Wildcards are also supported and provide an additional level of control for specifying generic file paths.

Folder

The following are the options in the Add a Folder for User Rights Management dialog box.


Figure 5.7 Add a Folder for User Rights Management Dialog Box

Folder - The name of the folder. Enter the name of the folder into this field or use the Browse button to locate the folder.

Include subdirectories - Select to include all directories beneath the specified directory. User Rights Management is applied to all subdirectories. Deselect to apply User Rights Management only to the specified folder.

Substitute environment variables where possible - For example, replaces the Windows directory with the generic environment variable %SystemRoot%.

Apply policy to child processes - By default, the User Rights Policy applied to an application or process is not inherited by child processes launched by the parent process. The application in the specified folder is the parent process. Select this option to apply the policy to the direct children of the parent process, so that a child process inherits the new token. Deselect it so that child processes use the original token, unaltered by User Rights Management.

Install as Trusted Owner - Select this option to make all files created by the defined application owned by the local administrator. This option has no effect if the application is not an installer, such as setup.exe.
Environment variables make the path more generic for applying on different machines. Wildcards are also supported and provide an additional level of control for specifying generic file paths.

Signature

The following are the options in the Add a Signature File for User Rights Management dialog box.


Figure 5.8 Add a Signature File for User Rights Management Dialog Box

File - The file path of the signature file for an application / process. Enter the file path into this field or use the Browse button to locate the file.

Arguments - Specifies the arguments to pass to the application / process you are starting, that is, the application specified in the File path field. For example, %SystemRoot%\system32\mmc.exe may be the application and %SystemRoot%\system32\dfrg.msc c: the arguments.

Apply policy to child processes - By default, the User Rights Policy applied to an application or process is not inherited by child processes launched by the parent process. The application specified in the File path field is the parent process. Select this option to apply the policy to the direct children of the parent process, so that a child process inherits the new token. Deselect it so that child processes use the original token, unaltered by User Rights Management.

Install as Trusted Owner - Select this option to make all files created by the defined application owned by the local administrator. This option has no effect if the application is not an installer, such as setup.exe.
Application Manager only supports one level of inheriting the token.

Group

You can add a group to User Rights. Groups are used to hold and manage a logical collection of files, folders, drives, signature files, and network connection items. Use the Library > Group Management node to create a group.


Figure 5.9 Group Selection for <Group name> Dialog Box

Components

Control Panel components and Network Adapter features and functions are typically hosted by explorer.exe. Elevating explorer.exe to run in the context of a Local Administrator is not ideal, because the whole shell, and every application launched from it, would then run with the elevated token, which opens up a range of security issues. To enable the user to access the required functionality as an administrator without elevating the entire Explorer shell, User Rights Management places AppSense Control Panel components in the Windows Control Panel alongside the existing components. These can be controlled at an access level specific to the function, without changing any rights associated with explorer.exe.
Use the filter in the Select Components dialog box to filter components by operating system.


Figure 5.10 Select Components Dialog Box

The following table lists the components that are specific to particular operating systems. The remaining components are available for all operating systems.

Table 5.2 Components

Type                 Component Name                      Operating System
Control Panel        Add Plug and Play                   XP, 2003
Control Panel        Backup and Restore Center           Vista
Control Panel        BitLocker Enable                    Vista, 2008, W7
Control Panel        Calibrate Color                     Vista, 2008, W7
Control Panel        Clear Type Text                     W7
Control Panel        Desktop DPI                         XP, 2003, Vista, 2008
Management Snapin    Disk Management                     Vista, 2008, W7
Control Panel        Display                             XP, 2003
Control Panel        Easy Transfer                       Vista, W7
Management Snapin    Install/Uninstall Languages         Vista, 2008, W7
Control Panel        iSCSI Initiator                     Vista, 2008, W7
Control Panel        Offline Files                       Vista, 2008
Control Panel        Power Options                       XP, 2003
Control Panel        Recovery Disc                       Vista, 2008, W7
Control Panel        Recovery Restore                    Vista, 2008, W7
Management Snapin    Server Manager                      2008
Control Panel        System (pre-Vista)                  XP, 2003
Control Panel        System Configuration                Vista, 2008, W7
Control Panel        System Properties, Advanced         Vista, 2008, W7
Control Panel        System Properties, Computer Name    Vista, 2008, W7
Control Panel        System Properties, Performance      Vista, 2008, W7
Control Panel        System Properties, Protection       Vista, 2008, W7
Control Panel        System Properties, Remote           Vista, 2008, W7
Management Snapin    Task Scheduler                      Vista, 2008, W7
Control Panel        Troubleshoot                        Vista, 2008, W7
Management Snapin    Trusted Platform                    W7
Control Panel        Windows Features                    Vista, 2008, W7
Management Snapin    Windows Firewall Advanced Settings  Vista, 2008, W7


APPLY A USER RIGHTS POLICY TO A CONTROL PANEL COMPONENT

1. Expand the applicable Group rule in the navigation pane and select the User Rights node.
2. Select the Components tab in the work area.
3. Right-click the work area and select Add Component. The Select Components dialog box displays.

The Select Components dialog box displays a list of Control Panel and Management Snapin tools. You can choose to elevate or restrict privileges for each component. See Components on page 90 for a list of the components that are specific to a particular operating system.

4. Select the components you want the user to run as an administrator.
5. In the User Rights Policy column, select the Builtin Elevate policy to elevate privileges for the component, or the Builtin Restrict policy to restrict privileges for the component.
6. Click Add.
7. Save the configuration.

One or more Control Panel and Management Snapin components can be selected in the Select Components dialog box. This provides access only to the selected components, not to the whole Control Panel and all Management Snapins. Icons representing the components are displayed in the Control Panel.

Example Configurations

The following section consists of a number of example configurations for User Rights Management.

RESTRICT USERS FROM STARTING AND STOPPING SERVICES

Use User Rights Management to reduce privileges for the Services component so that an administrator cannot start and stop services.

1. Select the User Rights node beneath the BUILTIN\Administrators rules node.
2. Select the Components tab within the work area.
3. Right-click within the work area and select Add Component. The Select Components dialog box displays.
4. Select the Services component and click Add.

Use the filter at the top of the Select Components dialog box to filter by operating system.

5. Select the drop-down arrow in the User Rights Policy column and select the Builtin Restrict policy.
6. Save the configuration.


Figure 5.11 Restrict Administrators from Starting and Stopping Services

ALLOW USERS TO PERFORM WINDOWS UPDATE

1. Select the User Rights node beneath the applicable rules node.
2. Select the Components tab within the work area.
3. Right-click within the work area and select Add Component. The Select Components dialog box displays.
4. Select the Automatic\Windows Update component and click Add.
5. Select the drop-down arrow in the User Rights Policy column and select the Builtin Elevate policy.
6. Save the configuration.


Figure 5.12 Allow Users to Perform Windows Update


ALLOW USERS TO DEFRAGMENT DISKS

1. Select the User Rights node beneath the applicable rules node.
2. Select the Components tab in the User Rights work area.
3. Right-click within the work area and select Add Component. The Select Components dialog box is displayed.
4. Select the Defragment option and click Add.
5. Select the drop-down arrow in the User Rights Policy column and select the Builtin Elevate policy.
6. Save the configuration.

Figure 5.13 Allow Users to Defragment Disks


ALLOW USERS TO RUN VISUAL STUDIO AND DEBUG APPLICATIONS

Step 1 - Create a Policy to Elevate User Privileges
1. Select the Library > User Rights Policies node.
2. Select Add Policy on the User Rights ribbon page > Manage Policy group.
3. Right-click the new policy and select Rename.
4. Enter an intuitive name for the policy, for example, Elevate Visual Studio.
5. Right-click the Group Membership tab in the Policy Contents work area and select Add Group Action. The Account Selection dialog box displays.
6. Enter the account into the Account field or use the Browse button to browse to the account.
7. Ensure Add Membership is selected in the Action column.

Figure 5.14 Policy to Elevate User Privileges


Step 2 - Create a Policy to Enable the Debugging Privilege
1. Select the Library > User Rights Policies node.
2. Select Add Policy on the User Rights ribbon page > Manage Policy group.
3. Right-click the new policy and select Rename.
4. Enter an intuitive name for the policy, for example, Run Debug.
5. Select the Privileges tab. The Privileges work area displays.
6. Click the Action column for the debugging privilege, SeDebugPrivilege, and select Enabled.

Figure 5.15 Enable the Debugging Privilege


Step 3 - Create a Group Rule
1. Select Rules > Group in the navigation pane.
2. Select the Add Rule drop-down arrow on the Rules ribbon page > Manage group and select Group Rule. The Add Group Rule dialog box is displayed.
3. Enter the domain group name into the Add Group Rule dialog box and click Add.

Step 4 - Apply the Elevate Visual Studio Policy to the Rule
1. Select the User Rights node beneath the rule you have created. The User Rights work area displays.
2. Right-click within the work area and select Add > Add File. The Add a File for User Rights Management dialog box displays.
3. Browse to the Visual Studio application file.
4. Select the Apply policy to child processes option and click Add.
5. Select the Elevate Visual Studio policy in the User Rights column. This is the policy created in Step 1.

Step 5 - Apply the Run Debug Policy to the Rule
1. Right-click within the User Rights work area and select Add > Add File.
2. Enter * in the File path field. This allows for all applications being debugged.
3. Click Add.
4. Select the Run Debug policy in the User Rights column. This is the policy created in Step 2.

A * entry enables SeDebugPrivilege for every process the user runs. Because that privilege allows a process to open, read and write any other process on the computer, including those running as SYSTEM, scope the entry to the debugger executables or to the folder of the application being debugged wherever you can.

Step 6 - Save the Configuration
1. Save the configuration.

WEB INSTALLATIONS
A number of Web Installations require the end user to have administrative rights, for example, an ActiveX control such as Adobe Flash Player or a web download such as Microsoft Silverlight. A common scenario is one in which a standard user attempts to download and install Adobe Flash Player. This requires administrative rights, so when the attempt is made the User Account Control (UAC) dialog box is displayed, requesting an administrative password. Most organizations will not want to give their users administrative rights. The Web Installation feature of User Rights Management allows elevation to administrative rights for ActiveX installers from a particular domain. You can create a simple configuration in which you enter only the name of the domain, or an advanced configuration by specifying the CAB file for an item, its Class ID and the minimum and maximum version numbers. You can also specify that only signed controls from the domain can be installed.
A CAB file is the Microsoft Windows compressed archive format. This format supports compression and digital signing and is used in a variety of Microsoft installation engines.


CREATE A CONFIGURATION FOR ALLOWING THE INSTALL OF ADOBE FLASH PLAYER

1. Select the User Rights node for a particular group, for example, the Everyone group.
2. Select the Web Installations tab.
3. Right-click within the work area and select Add Web Installation. The Add new Web Installation dialog box displays.
4. Enter a name for the Web Installation in the Name field, for example, Adobe Flash.
5. Enter the URL in the Website URL field, for example, adobe.com to allow installations from all of adobe.com.
6. Ensure the Only allow signed controls option is selected.
7. Click Add.
8. Ensure the default Builtin Elevate policy is selected in the User Rights Policy column.
9. Save the configuration.

All downloads that are signed and come from the specified website are allowed. Note that Only allow signed controls checks that the control carries a valid signature, not who signed it; if you also need to restrict the publisher, see the Trusted Vendors and Digital Certificates items mentioned below.
Along with the above procedure, other configurable items need to be considered. For example, for an ActiveX installation you would need to allow the ActiveX file to run, and any executables that the control calls. You need to consider Process rules, Trusted Vendors, any Digital Certificates, Accessible Items, Elevated items, and so on. Application Manager includes a number of snippets to assist in the creation of configurations for Web Installations. See Snippets on page 109 for more information.
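The two conditions this rule expresses, "served from adobe.com" and "signed", are worth checking by hand on a control before you trust a Web Installation entry to it. The following PowerShell is an added example, not AppSense code: its domain test treats the configured value as a DNS suffix (adobe.com matches get.adobe.com but not adobe.com.example.net), which is the safe reading, though whether Application Manager matches the same way is not stated in the guide; the signature test uses the built-in Get-AuthenticodeSignature cmdlet, which understands CAB files. The paths, URLs, publisher name and function names are placeholders.

```powershell
# Added example, not AppSense code: vet a web-installation CAB against a
# "signed controls from <domain>" rule. Paths, URLs and names are placeholders.

function Test-AllowedHost {
    param([string]$Url, [string]$AllowedDomain)
    # Suffix match on the DNS name, so "adobe.com" covers its subdomains but
    # not look-alike hosts such as adobe.com.example.net.
    $hostName = ([System.Uri]$Url).Host.ToLowerInvariant()
    $domain   = $AllowedDomain.ToLowerInvariant().TrimStart('.')
    return ($hostName -eq $domain) -or $hostName.EndsWith('.' + $domain)
}

function Test-WebInstallCab {
    param([string]$CabPath, [string]$SourceUrl, [string]$AllowedDomain, [string]$ExpectedPublisher)
    $sig     = Get-AuthenticodeSignature -FilePath $CabPath
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    [pscustomobject]@{
        HostAllowed = Test-AllowedHost -Url $SourceUrl -AllowedDomain $AllowedDomain
        # "Only allow signed controls" means a valid Authenticode signature from
        # anyone; pinning the publisher name is an extra check you add yourself.
        Signed      = ($sig.Status -eq 'Valid')
        Signer      = $subject
        PublisherOk = ($sig.Status -eq 'Valid') -and ($subject -like "*CN=$ExpectedPublisher*")
    }
}

# Placeholder inputs; substitute the control you are vetting.
Test-AllowedHost -Url 'https://get.adobe.com/control.cab' -AllowedDomain 'adobe.com'
Test-AllowedHost -Url 'https://adobe.com.example.net/control.cab' -AllowedDomain 'adobe.com'
Test-WebInstallCab -CabPath 'C:\Temp\control.cab' -SourceUrl 'https://get.adobe.com/control.cab' `
                   -AllowedDomain 'adobe.com' -ExpectedPublisher 'Adobe'
```

A control that reports Signed true but PublisherOk false is exactly what the Only allow signed controls option would still elevate, which is why the publisher check matters when the domain serves third-party content.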


Figure 5.16 Basic Web Installation Configuration


CREATE A CONFIGURATION TO ALLOW THE DOWNLOAD OF MICROSOFT SILVERLIGHT

Step 1 - Create a Policy to Elevate to Administrator
1. Right-click the Library > User Rights Policies node and select Add Policy.
2. Right-click the new policy beneath the User Rights Policies node and select Rename.
3. Enter an intuitive name for the policy, for example, Elevate.
4. Right-click within the Group Membership tab work area and select Add Group Action.
5. Enter the name of the administrator user group or use the Browse button to navigate to the account.
6. Click Add.
7. Ensure Add Membership is selected in the Action column.

Figure 5.17 Elevate Policy for a Web Installation


Step 2 - Add the Application to the User Rights Node

1. Select the User Rights node for a particular group, for example, the Everyone group.
2. Select the Applications tab.
3. Right-click the Applications tab work area and select Add > Add File. The Add a File for User Rights Management dialog box displays.
4. Enter the name of the web installation you want to add in the File field, for example, silverlight.exe, or use the Browse button to locate the file.
5. Select the Apply policy to child processes option.
6. Select the Install as Trusted Owner option.
For information on the Apply policy to child processes and Install as Trusted Owner options see Applications and Components on page 86.

7. Click Add.
8. Ensure the policy created in Step 1, Elevate, is selected in the User Rights Policy column.

Figure 5.18 Silverlight Added to the Configuration

Step 3 - Add a Signature for the Web Installation to the Accessible Items

1. Select the Accessible Items node for the same group.
2. Right-click in the work area and select Add > Add Signature Item. The Select Accessible Signature File dialog box displays.
3. Navigate to the web installation and click Open.
4. Save the configuration.
Along with the above procedure, other configurable items need to be considered. For example, for an ActiveX installation you would need to allow the ActiveX file to run, and any executables that the control calls. You need to consider Process Rules, Trusted Vendors, any Digital Certificates, Accessible Items, Elevated Items, and so on. Application Manager provides a number of snippets to assist in the creation of configurations for Web Installations. See Snippets on page 109 for more information.

Figure 5.19 Silverlight Added to the Accessible Items List

CREATE A GRANULAR CONFIGURATION FOR INSTALLING GOTOMEETING

You can create a granular configuration for a web installation. You can refer to the specific CAB file, the Class ID and also the minimum and maximum versions.
Use the Application Manager auditing events to gather information such as the name of the CAB file. Use the 9021 auditing event. See Auditing on page 139 for more information.

1. Select the User Rights node for a particular group, for example, the Everyone group.
2. Select the Web Installations tab.
3. Right-click within the work area and select Add Web Installation. The Add new Web Installation dialog box displays.
4. Enter a name for the Web Installation in the Name field, for example, GoToMeeting.
5. Select the Use advanced settings option.
6. Enter the location of the installer URL and the CAB file of the Web Installation in the Installer URL field. For example, https://www2.gotomeeting.com/default/applets/g2mdlax.cab.
7. Enter the Class ID in the Class ID field and, if required, enter the version numbers or leave blank to ignore.
The details for the CAB file, Class ID and version numbers can also be found in the source view for the web installer download page. Navigate to the download page and select View > Source.

Figure 5.20 Advanced Details for a Web Installation

8. Click Add.
9. Ensure that Builtin Elevate is selected in the User Rights Policy column.
10. Save the configuration.

Figure 5.21 Web Installation Added

Along with the above procedure, other configurable items need to be considered. For example, for an ActiveX installation you would need to allow the ActiveX file to run, and any executables that the control calls. You need to consider Process Rules, Trusted Vendors, any Digital Certificates, Accessible Items, Elevated Items, and so on. Application Manager provides a number of snippets to assist in the creation of configurations for Web Installations. See Snippets on page 109 for more information.

SNIPPETS
Snippets give Application Manager the ability to import and merge partial configurations into a currently open configuration in the console. This is particularly useful for Web Installations because, along with creating the Web Installation part of the configuration, a number of other configurable items need to be considered. These include Process Rules, Accessible Items, Trusted Vendors, any Digital Certificates, Elevated Items, and so on. Application Manager provides a number of snippets to help with the creation of Web Installation configurations such as those given in the previous section, Web Installations on page 99. The following example uses the Create a Granular Configuration for Installing GoToMeeting procedure. The snippet contains all the extra configurable items for the configuration.

ADD A SNIPPET TO A GOTOMEETING WEB INSTALLATION CONFIGURATION

1. Complete the Create a Granular Configuration for Installing GoToMeeting procedure.
2. Select the User Rights node for the group.
3. Select the Web Installations tab.
4. Right-click the work area and select Import Snippet. The Import Snippet dialog box displays.
5. Select the en_gotomeeting_4_5 snippet and click Add.
6. To view what is included in the snippet, click the View the items that will be added to the configuration link. A configuration report is displayed.
7. Click Continue. The snippet is imported and you can view the items in the various nodes in the console.
Use the Configuration Profiler available from the Home ribbon page to view a configuration report for the full configuration.

Figure 5.22 Imported Snippet

Default Snippets

The following snippets are available:


en_adobe_flash_10_2
en_adobe_reader_10_0_1
en_adobe_shockwave_11_5_9_620
en_akamai_download_manager_2_2_5_7
en_gotomeeting_4_5
en_itunes_10_1_2
en_quicktime_7_6_9
en_silverlight_4_0_60129_0

The default location for snippets is C:\Program Files\AppSense\Application Manager\Console\Snippets.

Application Network Access Control

In this Section:

Overview on page 115
About Application Network Access Control on page 116
Define Network Access Policies and Rules on page 118
Auditing on page 119
Configuring Application Network Access Control on page 120

OVERVIEW
Application Manager automatically controls application access on a per user or per device basis, without the overhead of scripts or lists. Application Network Access Control (ANAC) manages network access on a per user or per device basis. You can use Application Manager to restrict and monitor application network access via the Application Manager console using the ANAC functionality.

You can run Application Manager in ANAC mode only. Select Enable Application Network Access Control only in the Options dialog box available from the General Features ribbon page > Default Restrictions group.

ABOUT APPLICATION NETWORK ACCESS CONTROL


Application Network Access Control provides the ability to control outbound network connections by IP address, Host name, URL, UNC, or Port, based on the outcome of rules processing. It is designed to control access within a company network infrastructure. This control is achieved by intercepting application requests made through the Winsock layer, for example, HTTP, FTP and RDP.

Within Application Manager, access to these resources is controlled by adding a Network Connection Item beneath a specific rule. Network Connection Items can be created individually or as part of a group, which logically defines groups of items based on, for example, common criteria, for ease of management and configuration. Groups and Network Connection Items can be applied to any rule in the Accessible Items rules to allow access, or applied to the Prohibited Items rules to deny access.

Application Manager intercepts and blocks access if requests are made to prohibited network resources. The execution of applications is not controlled.
Access is allowed to all network resources until actively prohibited.

Figure 6.1 Application Network Access Control

Technology
The following describes the basic technology for the ANAC functionality.

Mini Filter Driver

ANAC uses a mini filter driver to intercept and control requests made to network UNC locations. The driver is loaded dynamically by the Application Manager (AM) Agent Service only when its functionality is required, that is, when the configuration contains Network Connection Items that specify Network Share as their Connection Type. When a user makes a file request for a shared folder, subfolder or file on a network location, the I/O manager sends a create request to Application Manager's mini filter driver. The mini filter driver gathers information about this request (the file name and location, user, process, thread data, and so on) and passes it to the AM Agent Service for processing. After the AM Agent Service has processed the request, the mini filter driver responds to the I/O manager with the result. If the request is denied, an access denied error is returned; otherwise the request is left unaltered.

Application Hook

Application Manager's hook uses Microsoft's Detours technology to hook a subset of the Winsock API functions. In hooking these functions, Application Manager reads and gathers information about the network location the application is attempting to connect to. This information is then passed to the AM Agent Service for further processing. If the request is allowed, the hook permits the application to continue using the Winsock API; otherwise the hook denies the call to the Winsock API and an error code is returned to the application to indicate that the request has failed.

DEFINE NETWORK ACCESS POLICIES AND RULES


By default, Application Manager processes rules and grants access according to the least restrictive rule. In other words, the most flexible allow rule granted to a user after the rules have been processed applies. Allow rules, known as Accessible Items in Application Manager, have a higher priority than the deny rules, also known as Prohibited Items. For example, an Accessible Network Connection Item with a Path takes priority over a Prohibited Network Connection Item with a Path. Both take priority over an Accessible Network Connection Item with No Path, and last is a Prohibited Item with No Path. Network Connection Rule Items are configured in a similar way.

There are different rules that can be customized for devices (or groups of devices), by user, and by groups of users. This flexibility provides a number of ways of configuring network access within an enterprise: locking down the physical device, defined user groups, or both.

Given the above, the best practice for defining a Network Access Policy and configuring the associated rule is a two stage approach:

1. Prohibit network access for controlled users and devices.
2. Granularly allow and make accessible specific network resources on a case by case basis.

This may be familiar if you have configured a network firewall, as the approach is essentially the same. However, it is easiest to think of it as an outbound firewall living on the endpoints.
Application Network Access Control is an addition to firewalls. It is not a replacement.

It is important to mention that, unlike configuring a firewall, when using Application Network Access Control you only define the denied application on a port-by-port and/or server-by-server basis, as opposed to defining all network-accessing systems and services for the endpoint workstation or server as you might on a firewall. A list of commonly used application ports is included within the Application Manager console as shown below.

Figure 6.2 Common Ports

AUDITING
Application Manager has a comprehensive set of in-built auditing and reporting which can give granular information on how, when, and by whom, network resources and applications are accessed. This auditing can be placed in an Audit Only mode to silently monitor security restrictions or can generate events when users attempt to access denied locations and are blocked. Auditing events are available from the Auditing dialog box. This is found on the Home ribbon page > Common group. The events that are specific to Application Network Access Control are 9013 and 9014.

Figure 6.3 Auditing Dialog Box

For more information about auditing see Auditing on page 139.

CONFIGURING APPLICATION NETWORK ACCESS CONTROL

PROHIBIT AN IP ADDRESS OR HOST

1. Expand the group that you want to prohibit an IP Address or Host for, for example, the Everyone group.
2. Select the Prohibited Items node.
3. Right-click the work area and select Add > Network Connection Item. The Add a Network Connection dialog box displays.
4. Select the IP Address or Host Name option.

5. Enter the IP Address or Host Name in the Host field.
6. Do one of the following:

   To block access to the whole IP Address or Host, click Add.
   To block only a part of the IP Address or Host, for example, a certain folder, enter the folder or path in the Path field and click Add.

7. Save the configuration and deploy to the managed endpoints.

The following graphic shows the Add a Network Connection dialog box and specifies the Host Name as www.abc.co.uk and the Path as Finance. This means that all users in the specified group can access www.abc.co.uk but not the Finance area.

Figure 6.4 Network Connection Details for a Host Name

PROHIBIT A NETWORK SHARE

1. Expand the group that you want to prohibit a Network Share for, for example, the Everyone group.
2. Select the Prohibited Items node.
3. Right-click the work area and select Add > Network Connection Item. The Add a Network Connection dialog box displays.
4. Select the Network Share option.

5. Enter the Network Share in the Host field.
6. To include any subdirectories, select the Include subdirectories option.
7. Do one of the following:

   To block access to the whole Network Share, click Add.
   To block only a part of the Network Share, enter the folder or path in the Path field and click Add.

8. Save the configuration and deploy to the managed endpoints.

The following graphic shows the Add a Network Connection dialog box and specifies the Network Share as managementdata and the Path as personnel. This means that all users in the specified group can access managementdata but not the personnel area.

Figure 6.5 Network Connection Details for a Network Share

PROHIBIT RDP SESSIONS TO AN IP ADDRESS OR HOST THROUGH A PORT

1. Expand the group that you want to prohibit RDP sessions for, for example, the Everyone group.
2. Select the Prohibited Items node.
3. Right-click the work area and select Add > Network Connection Item. The Add a Network Connection dialog box displays.
4. Select the IP Address or Host Name option.

5. Enter the IP Address or Host Name in the Host field.
6. Click the Ports button.
7. Select the port 3389 Microsoft Terminal Server (RDP) port and click Add.
8. Click Add in the Add a Network Connection dialog box.
9. Save the configuration and deploy to the managed endpoints.

The following graphic shows the Add a Network Connection dialog box and specifies the Host Name as sql.testing.local and the Port as 3389. This means that all users in the specified group cannot create an RDP session to sql.testing.local.

Figure 6.6 Network Connection Details to Block RDP

MANAGE NETWORK CONNECTIONS USING FTP

1. Right-click the Library > Group Management node in the navigation pane and select Add Group. A new group is created.
2. Right-click the new group, select Rename and enter an intuitive name for the group, for example, FTP Software.

Figure 6.7 FTP Software Group

3. Right-click the work area and select Add > Network Connection Item. The Add a Network Connection dialog box is displayed.
4. Enter the wildcard expression *.*.*.* into the Host field.
5. Select the Ports button. The Common Ports dialog box is displayed.
6. Select port 21 and click Add. This is the FTP - Control Port.

Figure 6.8 Network Connection Details

7. Expand the Everyone group in the navigation pane and select the Prohibited Items node.
8. Right-click the work area and select Add > Group. The Group selection for <group name> dialog box is displayed.
9. Select the group created previously, for example, FTP Software, and click OK. This prohibits all users from accessing any IP Address using FTP applications.

ALLOW ACCESS TO ONLY A PARTICULAR FOLDER ON A SHARE

1. Expand the group that you want to provide access to a particular folder for, for example, a group called Accounts.
2. Select the Prohibited Items node.
3. Right-click the work area and select Add > Network Connection Item. The Add a Network Connection dialog box displays.
4. Select the Network Share option.
5. Enter the name of the network share in the Host field. For example, \\managementdata.
6. Enter the path in the Path field. This is the path to prohibit; it also contains the folder to which access is to be provided.
7. Ensure the Include subdirectories option is selected. This prohibits access to any subdirectories beneath the path on the share.

8. Click Add.

The following graphic shows the Add a Network Connection dialog box for a Prohibited Item and specifies the network share as managementdata and the path as scratch. This means that all users in the specified group cannot access the scratch folder on the managementdata network share.

Figure 6.9 Network Connection Details for a Prohibited Network Share

9. Select the Accessible Items node.
10. Right-click the work area and select Add > Network Connection Item. The Add a Network Connection dialog box displays.
11. Select the Network Share option.
12. Enter the name of the network share in the Host field. For example, \\managementdata.
13. Enter the path of the folder to provide access to in the Path field, for example, \scratch\Accounts.
14. Deselect the Include subdirectories option.
15. Click Add.
16. Save the configuration and deploy to the managed endpoints.

The following graphic shows the Add a Network Connection dialog for an Accessible Item and specifies the network share as managementdata and the path as scratch\Accounts. This means that all users in the specified group can only access the scratch\Accounts folder on the managementdata network share. All other folders beneath scratch are prohibited.
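The following Python is an added example, not code from this guide or from AppSense. It models the precedence described under Define Network Access Policies and Rules (Accessible with Path, then Prohibited with Path, then Accessible with No Path, then Prohibited with No Path; no match means allow) and applies it to the Accounts group procedure above, the RDP block, the FTP Software group and the www.abc.co.uk example. Wildcard host matching, case folding, and treating an Accessible Item with Include subdirectories deselected as covering only the exact folder are this example's own assumptions about the product's behaviour.

```python
"""Model of Application Network Access Control (ANAC) rule precedence.

Added illustration, not AppSense code. Assumptions (mine, not the product's):
  - host names match case-insensitively and may use wildcards such as *.*.*.*
  - an item with a Path and Include subdirectories deselected covers only that
    exact folder; with it selected, the folder and everything beneath it
  - precedence follows the guide: Accessible with Path > Prohibited with Path
    > Accessible with No Path > Prohibited with No Path; no match means allow
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NetworkConnectionItem:
    """One Network Connection Item as entered in the Add a Network Connection dialog."""
    host: str                          # IP address, host name or share name (\\server)
    accessible: bool                   # True: Accessible Items node, False: Prohibited Items node
    path: Optional[str] = None         # Path field, or None for "No Path"
    include_subdirectories: bool = False
    port: Optional[int] = None         # port chosen from the Common Ports dialog, if any


def _host_key(host: str) -> str:
    """Drop leading \\ of a UNC share name and fold case."""
    return host.strip("\\/").lower()


def _path_parts(path: Optional[str]) -> Tuple[str, ...]:
    """Split a path into lower-case folder components; accepts \\ or / separators."""
    if not path:
        return ()
    return tuple(part.lower() for part in path.replace("/", "\\").split("\\") if part)


def item_matches(item: NetworkConnectionItem, host: str,
                 path: Optional[str], port: Optional[int]) -> bool:
    """Does this item cover the requested host, path and port?"""
    if not fnmatch(_host_key(host), _host_key(item.host)):
        return False
    if item.port is not None and item.port != port:
        return False
    if item.path is None:
        return True                     # No Path: the item covers the whole host or share
    wanted, requested = _path_parts(item.path), _path_parts(path)
    if requested == wanted:
        return True
    return item.include_subdirectories and requested[:len(wanted)] == wanted


def _precedence(item: NetworkConnectionItem) -> int:
    """Higher wins: Accessible+Path, Prohibited+Path, Accessible, Prohibited."""
    if item.path is not None:
        return 3 if item.accessible else 2
    return 1 if item.accessible else 0


def evaluate(items: List[NetworkConnectionItem], host: str,
             path: Optional[str] = None, port: Optional[int] = None) -> str:
    """Return "allow" or "deny" for one outbound request under the given items."""
    matching = [item for item in items if item_matches(item, host, path, port)]
    if not matching:
        return "allow"                  # access is allowed until actively prohibited
    winner = max(matching, key=_precedence)
    return "allow" if winner.accessible else "deny"


# Constructed sample configurations mirroring the guide's procedures.
# Allow Access to Only a Particular Folder on a Share (Accounts group):
ACCOUNTS_GROUP_ITEMS = [
    NetworkConnectionItem(r"\\managementdata", accessible=False,
                          path=r"\scratch", include_subdirectories=True),
    NetworkConnectionItem(r"\\managementdata", accessible=True,
                          path=r"\scratch\Accounts", include_subdirectories=False),
]
# Prohibit RDP Sessions to an IP Address or Host Through a Port:
RDP_BLOCK_ITEMS = [NetworkConnectionItem("sql.testing.local", accessible=False, port=3389)]
# Manage Network Connections Using FTP (the FTP Software group placed in Prohibited Items):
FTP_BLOCK_ITEMS = [NetworkConnectionItem("*.*.*.*", accessible=False, port=21)]
# Prohibit an IP Address or Host (Path limits the block to the Finance area):
WEB_ITEMS = [NetworkConnectionItem("www.abc.co.uk", accessible=False, path="Finance")]

if __name__ == "__main__":
    for host, path in [(r"\\managementdata", r"scratch\Accounts"),
                       (r"\\managementdata", r"scratch\Payroll"),
                       (r"\\managementdata", r"scratch\Accounts\2011"),
                       (r"\\managementdata", "public")]:
        print(host, path, "->", evaluate(ACCOUNTS_GROUP_ITEMS, host, path))
    print("RDP to sql.testing.local ->", evaluate(RDP_BLOCK_ITEMS, "sql.testing.local", port=3389))
    print("FTP to 10.1.2.3 ->", evaluate(FTP_BLOCK_ITEMS, "10.1.2.3", port=21))
    print("www.abc.co.uk/Finance ->", evaluate(WEB_ITEMS, "www.abc.co.uk", "Finance"))
```

Note the third Accounts case: scratch\Accounts\2011 is denied because the Accessible Item was added with Include subdirectories deselected, so only the prohibited scratch item (with subdirectories) matches.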

Figure 6.10 Network Connection Details for an Accessible Folder

Endpoint Analysis

This section contains:


Endpoint Analysis Overview on page 128
Endpoint Analysis Scans on page 130
Working with Endpoint Analysis on page 131
Adding Files to a Configuration on page 137

ENDPOINT ANALYSIS OVERVIEW


Endpoint Analysis (EPA) allows you to scan single or multiple endpoints, to provide a list of applications that are present and that have run on a particular computer. Endpoint Analysis helps to simplify the creation of an appropriate Application Manager configuration. This feature is utilized on demand and is inactive by default. For Endpoint Analysis to function the following must be installed.

Checklist

Application Manager agent installed on the endpoint.
License installed on the endpoint.
Application Manager configuration installed on the endpoint.
Administrative share rights to the endpoint.
Remote registry access to the endpoint.

TEST THAT THE APPLICATION MANAGER AGENT IS INSTALLED ON THE ENDPOINT

1. On the Start menu select Control Panel.
2. Select Administrative Tools.
3. Double-click Services.
4. Locate the AppSense Application Manager Agent.

TEST THAT THE LICENSE IS INSTALLED ON THE ENDPOINT

1. Launch the Registry Editor on the managed endpoint.
2. Locate the license under HKLM\Software\AppSense Technologies\Licensing.

TEST THAT THE CONFIGURATION IS INSTALLED ON THE ENDPOINT

Configurations are stored in the following location:

1. For Windows XP and Server 2003, navigate to C:\Documents and Settings\All Users\Application Data\AppSense\Application Manager\Configuration.
2. For Vista and above, navigate to C:\ProgramData\AppSense\Application Manager\Configuration.
ProgramData is a hidden folder. Open up explorer and type C:\ProgramData in the Address bar. Press Enter to open the folder.

TEST THAT THE ENDPOINT HAS ADMIN SHARE RIGHTS

1. Open Windows Explorer on the computer that has the Application Manager console installed.
2. In the Address bar enter \\<computername>\c$ and press Enter. If you can browse the folders you have access rights. If not, you are prompted for user credentials that allow access.

TEST THAT REMOTE REGISTRY ACCESS IS AVAILABLE

1. Open the Registry Editor on the computer that has the Application Manager console installed.
2. Select File > Connect Network Registry. The Select Computer dialog box is displayed.
3. Locate the computer and click OK. If you can see the registry keys, you have access.
On remote computers running Microsoft Vista and above, File Sharing and Remote Registry Service are disabled by default and must be enabled.

Turn on File Sharing in Start > Control Panel > Network and Sharing Center.
Start the Remote Registry Service in Start > Control Panel > Administrative Tools > Services.

ENDPOINT ANALYSIS SCANS


There are two types of Endpoint Analysis scans. These are:

Endpoint Scan
Application Usage Scan

Endpoint Analysis files for a given endpoint are stored on the computer that has the Application Manager console installed under the following locations:

For Windows XP and Server 2003, C:\Documents and Settings\All Users\Application Data\AppSense\Application Manager\Endpoint Analysis.
For Vista and above, C:\ProgramData\AppSense\Application Manager\Endpoint Analysis.

Endpoint Scan
The Endpoint Scan searches the endpoint for any applications that are present. These applications may have been officially installed by an administrator, or be an esoteric piece of virus-ridden freeware installed by an unsuspecting end user. The following directory and registry locations are scanned:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Program Files


An Endpoint Scan can take several minutes. The reason for this is that Application Manager not only scans the Program Files folder and the registry keys, but also each dependent file and its digital signatures. Application Manager records all this information.

During an Endpoint Scan, 100% of the CPU on the endpoint can be used. However, if user tasks need to be performed, the Application Manager agent utilizes built-in smart scheduling technology to allow those tasks to take precedence over the scan itself, so the end-user perception of performance is not affected.

Application Usage Scan


The Application Usage Scan is used to detect applications in use that have not been installed using the Windows Installer technology and are therefore not detected by the Endpoint Scan. When an Application Usage Scan is in progress, all execute requests are passed through for Endpoint Analysis processing once the standard Application Manager rules checking has been performed on that request. The details of requests are held in memory. When the scan has stopped, all the request data is saved to file. If the endpoint is rebooted while a scan is in progress, for example, if a user takes their laptop from the workplace and switches it on at home, the Endpoint Analysis runtime detects that it should be recording application usage and restarts the recording. This is done on agent startup.

Order of Scans
Typically, the Endpoint Scan is run first to determine which applications are installed on the endpoint. This can be followed by the Application Usage Scan to track the applications that have been run on an endpoint over a period of time. By highlighting which applications are being used and which are not, unlicensed software can be identified and restricted or removed.
The Application Usage Scan can detect applications in use that have not been installed using the Windows Installer technology and are therefore not detected in the Installed Applications Scan, for example, Firefox or shareware.

WORKING WITH ENDPOINT ANALYSIS


Endpoint Analysis is available from the Application Manager console. This feature provides the ability to perform the aforementioned scans and to show all loaded files (child processes) for scanned applications and any digital certificates for the discovered applications. It is recommended to include all loaded files in the configuration for an Accessible Item so that the application functions correctly. It is also useful to add any digital certificates to the Trusted Vendors in your configuration. The first step in using Endpoint Analysis is to add one or more endpoints, that is, the endpoints that you want to scan.

ADD AN ENDPOINT TO ENDPOINT ANALYSIS

1. Select the Endpoint Analysis button in the navigation pane.
2. Right-click the Endpoint node in the navigation tree and select Add Endpoint.
3. Select either Browse Deployment Group or Browse Domain/Workgroup depending on the location of the endpoint you want to add. Browse Deployment Group displays the Select Management Server dialog box. Browse Domain/Workgroup displays the Active Directory Select Computers dialog box.
4. Locate the required endpoint and click Add. A new node is created for the selected endpoint under the Endpoints node in the navigation tree.
5. Select the new endpoint node and view the Endpoint Summary. Application Manager searches for the computer and connects. Ensure that Application Manager has connected to the endpoint.

Figure 7.1 Connected Endpoint

Endpoint Summary

The Endpoint Analysis Summary displays whether Application Manager is connected to the endpoint, whether an Installed Applications Scan is running, and whether an Application Usage Scan is running. If an Installed Applications Scan is running, the percentage of completion of the scan is shown.

Figure 7.2 Percentage of Completion

The summary also displays information about the operating system and processor for the endpoint and information about the data files which includes:

Number of data files. These are the data files created for each Application Usage Scan.
Total size of data files.
Installed Applications updated. That is, the last date the Installed Applications Scan ran.

Once you have added one or more endpoints you can run an Installed Applications Scan for one or all endpoints. You can also run an Application Usage Scan for each individual endpoint.

RUN AN ENDPOINT SCAN


1. Do one of the following:

   Select an endpoint and select Run Endpoint Scan on the Endpoint Analysis ribbon page > Installed Applications group. The Endpoint Summary displays the percentage of completion.
   Select Run Scan for all Endpoints on the Endpoint Analysis ribbon page > Installed Applications group. The Endpoint Summary displays the percentage of completion.

2. Select the Installed Applications node for an endpoint to see all applications installed by the administrator and users.

Figure 7.3 Applications Installed on the APPUKTECHPUBS2 Endpoint

The Installed Application data is stored in an XML file. The XML file has the format EndpointName^Installed.xml. On Windows XP and Server 2003 the files are located at C:\Documents and Settings\All Users\Application Data\AppSense\Application Manager\Endpoint Analysis. On Vista and above the files are located at C:\ProgramData\AppSense\Application Manager\Endpoint Analysis.

ProgramData is a hidden folder. Open up explorer and type C:\ProgramData in the Address bar. Press Enter to open the folder.

RUN AN APPLICATION USAGE SCAN

1. Select an endpoint and select Start Application Usage Scan on the Endpoint Analysis ribbon page > Application Usage Scans group.
2. Allow a period of time for the scan and then select Stop Application Usage Scan on the Endpoint Analysis ribbon page > Application Usage Scans group. The File dialog box displays.
3. Enter an intuitive name for the file. The file is displayed beneath the Recorded Data node in the navigation tree.

Figure 7.4 XML File for an Application Usage Scan

The Application Usage data is stored in an XML file. The XML file has the format EndpointName^FileName.xml. On Windows XP and Server 2003 the files are located at C:\Documents and Settings\All Users\Application Data\AppSense\Application Manager\Endpoint Analysis. On Vista and above the files are located at C:\ProgramData\AppSense\Application Manager\Endpoint Analysis.

ProgramData is a hidden folder. Open up explorer and type C:\ProgramData in the Address bar. Press Enter to open the folder.

As previously mentioned, when you perform a scan you can also show all the loaded files (child processes) and digital certificates for discovered applications. It is recommended to add all loaded files to the Accessible Items to allow specified applications to function correctly. It is also useful to add any digital signatures to the Trusted Vendors in the configuration.

SHOW ALL LOADED FILES FOR DISCOVERED APPLICATIONS

1. Select either the Installed Applications node or an XML file beneath the Recorded Data node.
2. Select Show Loaded Files on the Endpoint Analysis ribbon page > Application Data group. The Loaded Files dialog box is displayed.

Figure 7.5 Loaded Files for an Application Usage Scan

SHOW DIGITAL CERTIFICATES FOR A DISCOVERED APPLICATION

1. Select a discovered application in the work area.
2. Select Show Digital Certificates on the Endpoint Analysis ribbon page > Application Data group. The Certificates dialog box displays.


Figure 7.6 Digital Certificates for an Application Usage Scan

ADDING FILES TO A CONFIGURATION


Once you have performed a scan you can add any of the applications or associated files or certificates to a configuration by dragging and dropping.

If you drag and drop files into any of the Accessible or Prohibited Items lists they are dropped in as files.

If files are placed in Accessible Items, any associated loaded files are automatically included. If files are placed in Prohibited Items, any associated loaded files are not included, only the main application executable.

To add a certificate to any of the Trusted Vendors nodes, either drag and drop a file onto a Trusted Vendors node (any certificates that exist for that file are added), or select Show Digital Certificates on the Endpoint Analysis ribbon page > Application Data group to display the Certificates dialog box and drag and drop from that dialog box into the configuration.
When you drag and drop files from Endpoint Analysis to the Accessible Items and Prohibited Items node you must drag, hover the mouse over the Configuration button in the navigation pane to display the configuration, and then drop onto the node.


When you drag and drop files into a configuration, the digital signature for the file is always copied over as this is the most secure method for authenticating an application. See Security Methods on page 41 for more information.

Auditing

In this Section:

Overview on page 139
Logging on page 141
Local Event Filter on page 142
Event Filtering on page 143

OVERVIEW
Auditing allows you to define rules for the capture of auditing information and to raise events. Events can be raised in several places:

Windows Application event log
AppSense event log
Anonymous
Local log

In addition there is an event filter for specifying the type of files to include in the audit log for particular events.


In Enterprise installations, events can be forwarded to the AppSense Management Center via the Client Communications Agent (CCA). When using this method for auditing, event data storage and filtering is configured through the Management Center console.

For more information on the Management Center see the AppSense Management Center Help and the AppSense Management Center Product Guide.

The Auditing dialog box is available from the Home ribbon page > Common group.

Figure 8.1 Auditing Dialog Box


LOGGING
There are a number of ways of capturing events using the Auditing dialog box. These are covered in the following sections.

Windows Application Event Log


Many applications store events in the Application event log. You can choose to store AppSense events in the same log. This log is located in the Event Viewer in the Windows Logs folder.

AppSense Event Log


Application Manager records many events. You can choose to store events in the AppSense event log, making them easier to manage. This log is located in the Event Viewer in the Applications and Services Logs folder.
You can send events to either the Application event log or the AppSense event log, not both.

Anonymous Logging
Anonymous logging can be performed when auditing. Anonymous logging does not record the computer name or the user name. This form of logging searches the file path for any instances where a directory matches the username and replaces the directory name with the string USERNAME.

Local Log File


Events can be written to a local file in CSV or XML format. By default, the local log file is located at
%SYSTEMDRIVE%\AppSenseLogs\Auditing\ApplicationManagerEvents_%COMPUTERNAME%.xml

(or .csv if the CSV file log format is selected). Storing events in a local log file is useful for exchanging the information in the log and for merging information from several endpoints. You can choose to save the logs in XML or CSV file format. For example, you can open a CSV file in Microsoft Excel to analyze the data, create graphs, and so on.


LOCAL EVENT FILTER


Application Manager contains a number of events. Some of the events are selected by default; the Auditing dialog box shows which are currently selected. The following table lists all the events available in Application Manager.

Table 8.1 Local Events

ID    Name                             Description
9000  Denied execution                 Prohibited execution request.
9001  Allowed execution                Allowed execution request.
9002  Overwrite changed owner          Overwrite of an allowed executable.
9003  Renamed changed owner            Rename of a prohibited executable.
9004  Application limit denial         Application limit denial.
9005  Time limit denial                Time limit denial.
9006  Self-authorization               Self-authorization decision by user.
9007  Self-authorized allow            Self-authorized execution request.
9009  Scripted rule timeout            Script execution timed out.
9010  Scripted rule fail               Script failed to complete.
9011  Scripted rule success            Script completed successfully.
9012  Trusted Vendor denial            Digital certificate failed Trusted Vendor check.
9013  Network Item denied              Prohibited Network Item request.
9014  Network Item allowed             Allowed Network Item request.
9015  Application started              An allowed application started running.
9016  Unable to change ownership       The file's ownership could not be changed.
9017  Application Termination          An application has been terminated by Application Manager.
9018  Application User Rights changed  The application's user rights have been changed.
9019  Web Installation allowed         Allowed Web Installation request.
9020  Web Installation restricted      Restricted Web Installation request.
9021  Web Installation restricted      Windows Restricted Web Installation request.
9022  Web Installation fail            Web Installation failed to complete.
9095  Not configured                   AppSense Application Manager has not been configured.
9099  Agent not licensed               AppSense Application Manager is not licensed.


EVENT FILTERING
Event Filtering allows you to filter the file types that you want to audit. This is particularly useful for high volume events: for example, if you choose event 9001, 9007, 9014 or 9015, it may be useful to audit only certain file types. To audit all file types for the events selected in the Auditing dialog box, deselect the Enable event filtering option. This option is selected by default.
Ensure that any event you select in the Auditing dialog box is also selected in Event Filtering, together with the file types to audit for that event.

Figure 8.2 Event Filter
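The denial and health events in Table 8.1 (9000, 9004, 9005, 9012, 9013, 9095, 9099) are low volume and high signal, so they are the ones worth pulling out of the event log on a schedule. The following Windows PowerShell script is an added example, not AppSense code: it queries the event log on an endpoint for those IDs and summarises them. It assumes the "AppSense event log" under Applications and Services Logs is named 'AppSense' (check Event Viewer; pass -LogName 'Application' if events are sent to the Application log instead), and that the first line of the event message identifies the file, which is an assumption about the message layout.

```powershell
# Added example, not part of the product guide or AppSense code.
# Assumed: log name 'AppSense' (verify in Event Viewer); first message line names the file.
$script:AMEventNames = @{
    9000 = 'Denied execution'
    9004 = 'Application limit denial'
    9005 = 'Time limit denial'
    9006 = 'Self-authorization'          # user decisions, reviewed alongside denials
    9012 = 'Trusted Vendor denial'
    9013 = 'Network Item denied'
    9020 = 'Web Installation restricted'
    9095 = 'Not configured'              # an endpoint with no configuration enforces nothing
    9099 = 'Agent not licensed'
}

function Get-AMDenialSummary {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$LogName      = 'AppSense',   # assumption: name of the AppSense event log
        [int]$Hours           = 24
    )
    $filter = @{
        LogName   = $LogName
        Id        = [int[]]$script:AMEventNames.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning "No matching events in '$LogName' on $ComputerName in the last $Hours h"
        return
    }
    foreach ($e in $events) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Event   = $script:AMEventNames[$e.Id]
            User    = $e.UserId                        # SID the event was logged for, if recorded
            Message = ($e.Message -split "`n")[0]     # assumed: first line carries the file path
        }
    }
}

# Usage: counts per event type, then the records that indicate a broken agent.
$denials = Get-AMDenialSummary -Hours 24
$denials | Group-Object Event | Sort-Object Count -Descending | Format-Table Name, Count
$denials | Where-Object Id -in 9095, 9099 | Format-Table Time, Event, Message
```

Events 9095 and 9099 deserve their own alert: they mean the agent is running but not enforcing anything, which the denial counts alone would not reveal.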

Rules Analyzer

This section provides details on Application Manager Rules Analyzer and includes the following:

About Rules Analyzer on page 144
The Console on page 145
Working with Rules Analyzer on page 147

ABOUT RULES ANALYZER


Standard AppSense auditing can be used to track unauthorized application usage or to track when users overwrite or rename applications. It is a simple mechanism to use and can function without interaction. However, the standard auditing mechanism tells you that an application has, for example, not been allowed to execute, but not why. An additional tool is therefore required so you can analyze the rules base in real time and determine exactly why an application is or is not allowed to execute.
For more information on the auditing feature see Auditing on page 139.


Rules Analyzer provides you with a graphical interface that can be used to manually troubleshoot and fine tune Application Manager configurations in real time anywhere across the enterprise. All that is required is a network link to a remote Application Manager managed endpoint so the Rules Analyzer can connect to the agent software and start logging on the local endpoint. When the logging has completed you can use the Rules Analyzer to automatically pull the log file across the network back to the computer where the analysis is occurring, for investigation. All logging information is held in xml format and each execution request that the Application Manager agent processed is listed along with the details of what occurred during processing, including if the process was allowed to execute or not and the reason for the outcome.

THE CONSOLE
The Rules Analyzer is accessed from the navigation pane within the Application Manager console and is used to create, retrieve and examine the log files. An Endpoint node allows you to control logging on a specific managed endpoint and to retrieve its log files. Below each Endpoint node is a node for each retrieved log file. You can review a summary page, view all requests, or view the requests for a specific user, and you can restrict the view to denied or allowed requests. Within the analysis panel you can navigate to a specific request and view its full details, including which rules Application Manager applied.

You must be logged on with an account that has read and write access to the registry of any managed endpoint for which you want to generate logs using Rules Analyzer, and read and write access to the local registry of the computer on which the console runs.

Checklist

You must have the following to use Rules Analyzer:

Application Manager agent installed on the endpoint.
License installed on the endpoint.
Application Manager configuration installed on the endpoint.
Administrative share rights to the endpoint.
Remote registry access to the endpoint.

TEST THAT THE APPLICATION MANAGER AGENT IS INSTALLED ON THE ENDPOINT

1. On the Start menu select Control Panel.
2. Select Administrative Tools.
3. Double-click Services.
4. Locate the AppSense Application Manager Agent.

TEST THAT THE LICENSE IS INSTALLED ON THE ENDPOINT

1. Launch the Registry Editor on the managed endpoint.
2. Locate the license under HKLM\Software\AppSense Technologies\Licensing.


TEST THAT THE CONFIGURATION IS INSTALLED ON THE ENDPOINT

Configurations are stored in the following location:

1. For Windows XP and Server 2003, navigate to C:\Documents and Settings\All Users\Application Data\AppSense\Application Manager\Configuration.
2. For Vista and above, navigate to C:\ProgramData\AppSense\Application Manager\Configuration.
ProgramData is a hidden folder. Open up explorer and type C:\ProgramData in the Address bar. Press Enter to open the folder.

TEST THAT YOU HAVE ADMINISTRATIVE SHARE RIGHTS TO THE ENDPOINT

1. Open Windows Explorer on the computer that has the Application Manager console installed.
2. In the Address bar enter \\<computername>\c$ and press Enter. If you can browse the folders you have access rights. If not, you are prompted for credentials that grant access.

TEST THAT REMOTE REGISTRY ACCESS IS AVAILABLE

1. Open the Registry Editor on the computer that has the Application Manager console installed.
2. Select File > Connect Network Registry. The Select Computer dialog box is displayed.
3. Locate the computer and click OK. If you can see the registry keys, you have access.

On remote computers running Windows Vista and above, File Sharing and the Remote Registry service are disabled by default and must be enabled so that Rules Analyzer can create and retrieve log files.

Turn on File Sharing in Start > Control Panel > Network and Sharing Center.
Start the Remote Registry service in Start > Control Panel > Administrative Tools > Services.
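The five checks above are the ones to run before blaming the configuration when Start Logging or log retrieval fails. The following Windows PowerShell function is an added example, not AppSense code: it performs them from the console computer in one pass. It assumes the agent service is found by the display name shown in Services ("AppSense Application Manager Agent"), that the licence key and configuration paths are those given in this section, and that presence of the Licensing key means a licence is installed; it is written for Windows PowerShell, where Get-Service accepts -ComputerName.

```powershell
# Added example, not part of the product guide or AppSense code.
# Assumed: agent service display name, licence key and paths as documented above.
function Test-RulesAnalyzerPrereqs {
    param([Parameter(Mandatory)][string]$ComputerName)

    $results = [ordered]@{}

    # 1. Administrative share: Rules Analyzer pulls the XML log back over C$.
    $share = "\\$ComputerName\c$"
    $results['AdminShare'] = Test-Path -LiteralPath $share

    # 2. Configuration folder present (Vista and later path, then the XP/2003 path).
    $cfgPaths = @(
        "$share\ProgramData\AppSense\Application Manager\Configuration",
        "$share\Documents and Settings\All Users\Application Data\AppSense\Application Manager\Configuration"
    )
    $results['ConfigurationFolder'] = [bool]($cfgPaths | Where-Object { Test-Path -LiteralPath $_ })

    # 3. Agent service installed and running; Remote Registry running (off by default on Vista and later).
    $services = Get-Service -ComputerName $ComputerName -ErrorAction SilentlyContinue
    $agent = $services | Where-Object DisplayName -like 'AppSense Application Manager Agent*'
    $results['AgentService']   = ($null -ne $agent) -and ($agent.Status -eq 'Running')
    $rr = $services | Where-Object Name -eq 'RemoteRegistry'
    $results['RemoteRegistry'] = ($null -ne $rr) -and ($rr.Status -eq 'Running')

    # 4. Licence key reachable through the remote registry; this also proves remote registry access
    #    with the current credentials. Key presence is taken to mean the licence is installed (assumption).
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $lic  = $hklm.OpenSubKey('SOFTWARE\AppSense Technologies\Licensing')
        $results['LicenseKey'] = ($null -ne $lic)
        if ($lic) { $lic.Close() }
        $hklm.Close()
    } catch {
        $results['LicenseKey'] = $false
    }

    [pscustomobject]$results
}

# Usage: any False value is the reason logging or retrieval will fail for that endpoint.
Test-RulesAnalyzerPrereqs -ComputerName 'APPUKTECHPUBS2' | Format-List
```

Run it with the same account you use in the console; the registry and share checks are only meaningful under that identity.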

The Rules Analyzer console allows you to diagnose Application Manager problems by connecting directly to computers managed by Application Manager, and includes:

Creating Log Files: you can create log files on managed endpoints.
Examining Log Files: you can retrieve and examine log files to view the requests processed by Application Manager. In particular you can see which rules were applied to each request and whether the request was allowed or denied.


WORKING WITH RULES ANALYZER


The Rules Analyzer console has various options that you can use during operations. The first thing that is required is to add an endpoint to the list of endpoints that the Rules Analyzer can interact with.

ADD AN ENDPOINT

1. Select the Rules Analyzer button in the navigation pane. The Rules Analyzer navigation tree displays.
2. Click the Add Endpoint button on the Rules Analyzer ribbon page > Endpoint Management group.
3. Select either Browse Deployment Group or Browse Domain/Workgroup depending on the location of the endpoint you want to add. Browse Deployment Group displays the Select Management Server dialog box. Browse Domain/Workgroup displays the Active Directory Select Computers dialog box.
4. Locate the required endpoint and click Add. A new node is created for the selected endpoint under the Endpoints node in the navigation tree.

Once the endpoints have been added you can right-click on a specific computer and select any of the following options:

Start Logging
Stop Logging (only enabled once logging is started)
Import
Remove Endpoint

START AND STOP LOGGING

1. Select the endpoint in the navigation tree.
2. Select Start Logging on the Rules Analyzer ribbon page > Data Acquisition group.
3. When required, for example after you have recreated a problem on the endpoint, select Stop Logging on the Rules Analyzer ribbon page > Data Acquisition group. The File dialog box is displayed.
4. Enter a name for the log file and click OK. The XML file is displayed in the navigation tree.
Rules Analyzer files can be large so this feature should only be used when a problem manifests itself and investigation is required.

During logging, the log file is written on the endpoint itself and is held temporarily in the following location: C:\Documents and Settings\All Users\Application Data\AppSense\Application Manager\Rules Analyzer\RulesAnalyzerLog.xml


For Windows Vista and above, this and the following files are stored under C:\ProgramData (the %ALLUSERSPROFILE% folder) instead of Documents and Settings\All Users\Application Data. ProgramData is a hidden folder. Open up Explorer and type C:\ProgramData in the Address bar. Press Enter to open the folder.

When logging is stopped on the endpoint, the log file is closed and transferred to the computer running the Rules Analyzer, where it is stored in the cache for that endpoint. The cache is held in the following location:
C:\Documents and Settings\All Users\Application Data\AppSense\Application Manager\Rules Analyzer\
The naming convention for the files is ComputerName^enteredname.xml, for example C:\Documents and Settings\All Users\Application Data\AppSense\Application Manager\Rules Analyzer\APPUKTECHPUBS2^Regedit.xml. The computer name is the endpoint name as entered in the user interface; if an IP address was entered, the file is stored as IPAddress^enteredname.xml. The entered name is the name given to the XML file in the Rules Analyzer.

Log Files
The Rules Analyzer console displays the information regarding execution requests in several different ways to enable easy access to the details.

Log File Contents Summary

The Summary page displays when you select a log file in the navigation tree. It shows the number of requests processed by Application Manager. The top row of the table shows the total number of requests for all users; the remaining rows show the number of requests for each user. The Total column shows the total number of requests, allowed and denied, and the Allowed and Denied columns show the number of allowed or denied requests. Click any link to display the Log File Contents Request List.


Figure 9.1 Rules Analyzer Summary Page

To export the log file in XML format, select the Export ribbon button.

You can select View the requests by processing time on the Summary page to display a Request List page showing requests sorted with the longest running request first.

Log File Contents Request List

The Request List page displays a list of Application Manager requests when you click a link in the Summary page. The requests are listed in the order in which they were processed by Application Manager. Each request displays a green tick or red cross to indicate whether the request was allowed or denied. Click a request link to display the Log File Contents Request Details.


Figure 9.2 Rules Analyzer Log File Contents Request List

Log File Contents Request Information

The Request Information page displays details of a particular request when you click a request in the Request List page. It lists each rule applied by Application Manager in processing the request, in the order applied. The last rule in the list determines the final result (allow or deny). The rule information includes links which, when selected, display popup messages explaining the rule item.


Figure 9.3 Rules Analyzer Log File Contents Request Details

Use the Return link at the top of the page to navigate to the previous page and the Summary link to return to the Summary page. The Back button on the console toolbar is for navigating the navigation tree.

Use the shortcut keys Ctrl+F to search within the request pages.

Scripting

10

In this section:

Overview on page 152
Sample Scripting Reference on page 153
Object Types on page 188
Configuration Helper Object on page 209

OVERVIEW
This chapter provides a reference to the AppSense Application Manager COM interface object architecture and Visual Basic script samples.


SAMPLE SCRIPTING REFERENCE


This section details Visual Basic script examples showing common operations that can be performed with the Application Manager scriptable interface and includes:

Loading and Saving Configurations
Default Rules
Group Rules
User Rules
Device Rules
Custom Rules
Scripted Rules
Process Rules
Rule List Items
Configure Properties
Network Connections
User Rights Management (URM)


Loading and Saving Configurations


Create a New Configuration and Save to File
Create a New Configuration and Save to Live Configuration

Create a New Configuration and Save to File


'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the default configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.DefaultConfiguration
Configuration.ParseXML ConfigurationXml
'Save the configuration to a file
ConfigurationHelper.SaveLocalConfiguration "C:\Configuration.aamp", Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Create a New Configuration and Save to Live Configuration


'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the default configuration
Configuration.ParseXML ConfigurationHelper.DefaultConfiguration
'Save the default configuration as the live configuration on this computer
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Default Rules
Edit a Default Rules Configuration


Edit a Default Rules Configuration


'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Change two default rule settings
Configuration.DefaultRules.AllowCMDForBatchFiles = True
Configuration.DefaultRules.ValidateSystemProcesses = False
'Add a trusted owner to the configuration
'"S-1-5-Domain-501" is a placeholder: replace "Domain" with the computer's SID (RID 501 is the Guest account)
Dim theTrustedOwner
Set theTrustedOwner = Configuration.ManufactureInstanceFromClassName("AM.TrustedOwner")
theTrustedOwner.DisplayName = "%COMPUTERNAME%\Guest"
theTrustedOwner.SID = "S-1-5-Domain-501"
Configuration.DefaultRules.TrustedOwners.Add theTrustedOwner.Xml
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

The DefaultConfiguration( ) method only returns a configuration in the English language. This means that some group names and other text in the configuration may not be in the native language of the operating system, which can result in the configuration not being applied correctly. For non-English operating systems it is necessary to export the default configuration from the product console on a native operating system. This can be stored as a file on the network or distributed to the machine where the configuration scripting will be performed. Once this is done, use the LoadLocalConfiguration( ) method in place of DefaultConfiguration( ). This produces the same configuration but in the correct native language.


Group Rules

Create a Group Rule
Edit a Group Rule
Delete a Group Rule

Create a Group Rule


'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Create a group rule for the built-in Remote Desktop Users group
Dim GroupRule
Set GroupRule = Configuration.ManufactureInstanceFromClassName("AM.GroupRule")
GroupRule.DisplayName = "BUILTIN\Remote Desktop Users"
GroupRule.SID = "S-1-5-32-555"
Set GroupRule = Configuration.GroupRules.Add(GroupRule.Xml)
'Create a group rule for Everyone
'"S-1-5-Domain" is a placeholder; the well-known SID for Everyone is S-1-1-0 (see Edit a Group Rule)
Set GroupRule = Configuration.ManufactureInstanceFromClassName("AM.GroupRule")
GroupRule.DisplayName = "Everyone"
GroupRule.SID = "S-1-5-Domain"
Set GroupRule = Configuration.GroupRules.Add(GroupRule.Xml)
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Edit a Group Rule


'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Change the SID of the Everyone group to the well-known SID
Configuration.GroupRules.Item("Everyone").SID = "S-1-1-0"
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete a Group Rule


'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Create the group rule
Dim GroupRule
Set GroupRule = Configuration.ManufactureInstanceFromClassName("AM.GroupRule")
GroupRule.DisplayName = "BUILTIN\Remote Desktop Users"
GroupRule.SID = "S-1-5-32-555"
Configuration.GroupRules.Add GroupRule.Xml
'Delete the rule (rules are addressed by display name)
Configuration.GroupRules.Remove "BUILTIN\Remote Desktop Users"
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

User Rules

Create a User Rule
Edit a User Rule
Delete a User Rule

Create a User Rule


'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Create and add the new user rule
'"S-1-5-Domain-501" is a placeholder: replace "Domain" with the computer's SID (RID 501 is the Guest account)
Dim UserRule
Set UserRule = Configuration.ManufactureInstanceFromClassName("AM.UserRule")
UserRule.DisplayName = "%COMPUTERNAME%\Guest"
UserRule.SID = "S-1-5-Domain-501"
Configuration.UserRules.Add UserRule.Xml
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Edit a User Rule


'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Modify the user rule (addressed by display name)
Dim UserRule
Set UserRule = Configuration.UserRules.Item("%COMPUTERNAME%\Guest")
UserRule.SID = "S-1-5-Domain-501"
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete a User Rule


'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Remove the user rule
Configuration.UserRules.Remove "%COMPUTERNAME%\Guest"
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
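The Group Rules and User Rules samples above hard-code SIDs, including the "S-1-5-Domain-..." placeholders, and write straight to the live configuration. A mistyped SID silently produces a rule that matches nobody, or the wrong principal. The following Windows PowerShell script is an added example, not AppSense code: it drives the same AM.Configuration.2 and AM.ConfigurationHelper.1 COM objects, resolves each SID from the account name with the .NET NTAccount translator (so a non-existent account fails loudly), and saves to a file for review in the console rather than to the live configuration. It assumes the COM classes are registered on the computer running it and that LoadLiveConfiguration is exposed as a method; if the type library exposes it as a property, drop the parentheses.

```powershell
# Added example, not part of the product guide or AppSense code.
# Assumed: AM.Configuration.2 / AM.ConfigurationHelper.1 registered; LoadLiveConfiguration callable as a method.
function Resolve-AccountSid {
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'BUILTIN\Remote Desktop Users', 'CONTOSO\jsmith'
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    # Translate throws IdentityNotMappedException for an unknown account, which is what we want.
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Add-AMAccountRules {
    param(
        [string[]]$Groups = @(),
        [string[]]$Users  = @(),
        [string]$OutFile  = "$env:TEMP\ReviewMe.aamp"
    )
    $config = New-Object -ComObject 'AM.Configuration.2'
    $helper = New-Object -ComObject 'AM.ConfigurationHelper.1'

    # Start from the live configuration so existing rules are preserved.
    $config.ParseXML($helper.LoadLiveConfiguration())

    foreach ($g in $Groups) {
        $rule = $config.ManufactureInstanceFromClassName('AM.GroupRule')
        $rule.DisplayName = $g
        $rule.SID = Resolve-AccountSid $g
        [void]$config.GroupRules.Add($rule.Xml)
    }
    foreach ($u in $Users) {
        $rule = $config.ManufactureInstanceFromClassName('AM.UserRule')
        $rule.DisplayName = $u
        $rule.SID = Resolve-AccountSid $u
        [void]$config.UserRules.Add($rule.Xml)
    }

    # Write to a file first; call SaveLiveConfiguration only after the file has been reviewed in the console.
    $helper.SaveLocalConfiguration($OutFile, $config.Xml)
    $OutFile
}

# Usage: BUILTIN group by well-known name, local Guest resolved to S-1-5-<machine>-501.
Add-AMAccountRules -Groups 'BUILTIN\Remote Desktop Users' -Users "$env:COMPUTERNAME\Guest"
```

The same pattern applies to the Device and Custom Rules samples that follow: build the rule object, set its properties, add its Xml to the matching collection, and keep the live save as a separate, deliberate step.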

Device Rules

Create a Device Rule
Edit a Device Rule
Delete a Device Rule

Create a Device Rule


' Constant definitions for the AM.DeviceType enumeration.
const AM_DeviceType_Computer = 0
const AM_DeviceType_ConnectingDevice = 1
' Constant definitions for the AM.HostNameType enumeration.
const AM_HostNameType_HostName = 0
const AM_HostNameType_IPAddress = 1
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Create a device rule
Dim DeviceRule
Set DeviceRule = Configuration.ManufactureInstanceFromClassName("AM.DeviceRule")
DeviceRule.Name = "Device Rule (1)"
Configuration.DeviceRules.Add DeviceRule.Xml
'Add a device to the rule, identified by IP address
Dim Device
Set Device = Configuration.ManufactureInstanceFromClassName("AM.Device")
Device.Host = "192.168.0.1"
Device.NameType = AM_HostNameType_IPAddress
Configuration.DeviceRules.Item("Device Rule (1)").Devices.Add Device.Xml
'Add another device to the rule and mark it as a connecting device
Dim AnotherDevice
Set AnotherDevice = Configuration.ManufactureInstanceFromClassName("AM.Device")
AnotherDevice.Host = "192.168.0.2"
AnotherDevice.NameType = AM_HostNameType_IPAddress
Configuration.DeviceRules.Item("Device Rule (1)").Devices.Add AnotherDevice.Xml
Configuration.DeviceRules.Item("Device Rule (1)").Devices.Item("192.168.0.2").HostType = AM_DeviceType_ConnectingDevice
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Edit a Device Rule


' Constant definitions for the AM.SecurityLevel enumeration.
const AM_SecurityLevel_Restricted = 0
const AM_SecurityLevel_SelfAuthorizing = 1
const AM_SecurityLevel_Unrestricted = 2
const AM_SecurityLevel_AuditOnly = 3
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Create a device rule
Dim DeviceRule
Set DeviceRule = Configuration.ManufactureInstanceFromClassName("AM.DeviceRule")
DeviceRule.Name = "Device Rule (1)"
Configuration.DeviceRules.Add DeviceRule.Xml
'Rename the rule, then change its security level (the rule is now addressed by its new name)
Configuration.DeviceRules.Item("Device Rule (1)").Name = "My Device Rule"
Configuration.DeviceRules.Item("My Device Rule").SecurityLevel = AM_SecurityLevel_AuditOnly
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete a Device Rule


'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Remove "Device Rule (1)"
Configuration.DeviceRules.Remove "Device Rule (1)"
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Custom Rules

Create a Custom Rule
Edit a Custom Rule
Delete a Custom Rule

Create a Custom Rule


' Constant definitions for the AM.SecurityLevel enumeration.
const AM_SecurityLevel_Restricted = 0
const AM_SecurityLevel_SelfAuthorizing = 1
const AM_SecurityLevel_Unrestricted = 2
const AM_SecurityLevel_AuditOnly = 3
' Constant definitions for the AM.HostNameType enumeration.
const AM_HostNameType_HostName = 0
const AM_HostNameType_IPAddress = 1
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Create the custom rule and add it to the configuration.
Dim CustomRule
Set CustomRule = Configuration.ManufactureInstanceFromClassName("AM.CustomRule")
CustomRule.Name = "Custom Rule (1)"
Configuration.CustomRules.Add CustomRule.Xml
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Edit a Custom Rule


' Constant definitions for the AM.SecurityLevel enumeration.
const AM_SecurityLevel_Restricted = 0
const AM_SecurityLevel_SelfAuthorizing = 1
const AM_SecurityLevel_Unrestricted = 2
const AM_SecurityLevel_AuditOnly = 3
' Constant definitions for the AM.HostNameType enumeration.
const AM_HostNameType_HostName = 0
const AM_HostNameType_IPAddress = 1
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Set the account for the rule (built-in Administrators group).
Configuration.CustomRules.Item("Custom Rule (1)").DisplayName = "BUILTIN\Administrators"
Configuration.CustomRules.Item("Custom Rule (1)").SID = "S-1-5-32-544"
'Add a device to the rule
Dim Device
Set Device = Configuration.ManufactureInstanceFromClassName("AM.Device")
Device.Host = "192.168.0.1"
Device.NameType = AM_HostNameType_IPAddress
Configuration.CustomRules.Item("Custom Rule (1)").Devices.Add Device.Xml
'Set the security level for the rule
Configuration.CustomRules.Item("Custom Rule (1)").SecurityLevel = AM_SecurityLevel_Unrestricted
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete a Custom Rule


' Constant definitions for the AM.SecurityLevel enumeration.
const AM_SecurityLevel_Restricted = 0
const AM_SecurityLevel_SelfAuthorizing = 1
const AM_SecurityLevel_Unrestricted = 2
const AM_SecurityLevel_AuditOnly = 3

' Constant definitions for the AM.HostNameType enumeration.
const AM_HostNameType_HostName = 0
const AM_HostNameType_IPAddress = 1

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Remove the rule
Configuration.CustomRules.Remove "Custom Rule (1)"

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Scripted Rules

Create a Scripted Rule
Edit a Scripted Rule
Delete a Scripted Rule

Create a Scripted Rule


' Constant definitions for the AM.ExecutionContext enumeration.
const AM_ExecutionContext_PerSessionAsUser = 0
const AM_ExecutionContext_PerSessionAsSystem = 1
const AM_ExecutionContext_PerComputerAsSystem = 2

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Create the scripted rule.
Dim ScriptedRule
Set ScriptedRule = Configuration.ManufactureInstanceFromClassName("AM.ScriptedRule")
ScriptedRule.Name = "Scripted Rule (1)"
Configuration.ScriptedRules.Add ScriptedRule.Xml

'Configure the rule. The Script property holds the VBScript that is evaluated for the rule;
'this test script always returns True, so the rule matches every session.
Configuration.ScriptedRules.Item("Scripted Rule (1)").WaitForLogin = True
Configuration.ScriptedRules.Item("Scripted Rule (1)").Script = "Function ScriptedRule()" & Chr(10) & _
    "'Test scripted rule" & Chr(10) & _
    "ScriptedRule=TRUE" & Chr(10) & _
    "End Function"
Configuration.ScriptedRules.Item("Scripted Rule (1)").EntryFunction = "ScriptedRule"
Configuration.ScriptedRules.Item("Scripted Rule (1)").Timeout = 6
Configuration.ScriptedRules.Item("Scripted Rule (1)").Context = AM_ExecutionContext_PerSessionAsSystem

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing
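The sample above stores a one-line script that always returns True. The following script is an added example and is not part of the product guide or the AppSense API; it uses only the objects, properties and enumeration values shown in the samples on this page. It builds a multi-line rule script from an array so the stored code stays readable, makes the embedded function fail closed (any error evaluating the condition yields False), and creates the rule only if a rule of that name does not already exist, so it can be re-run. The rule name, the registry marker HKLM\SOFTWARE\Contoso\AppManager\Kiosk, and the assumption that the stored script runs under a standard VBScript host (so CreateObject is available inside it) are the author's own assumptions, not something the guide states.

```vbscript
' Added example (not from the product guide): create or update a scripted rule
' whose embedded VBScript only matches machines carrying an HKLM marker value.
' The registry path and rule name are hypothetical; the AM.* objects, the
' Script/EntryFunction/Timeout/Context/WaitForLogin properties and the
' AM_ExecutionContext values come from the guide's own samples.
Option Explicit

const AM_ExecutionContext_PerSessionAsUser = 0
const AM_ExecutionContext_PerSessionAsSystem = 1
const AM_ExecutionContext_PerComputerAsSystem = 2

Dim RuleName
RuleName = "Kiosk Machines"   ' hypothetical rule name

' Body of the rule script, assembled from an array so each line is a real line
' in the stored script. Fail closed: a missing key or access denied gives False.
' Assumes the rule script runs under a normal VBScript host where CreateObject works.
Dim Lines
Lines = Array( _
    "Function ScriptedRule()", _
    "    On Error Resume Next", _
    "    ScriptedRule = False", _
    "    Dim Shell, Marker", _
    "    Set Shell = CreateObject(""WScript.Shell"")", _
    "    Marker = Shell.RegRead(""HKLM\SOFTWARE\Contoso\AppManager\Kiosk"")", _
    "    If Err.Number = 0 Then", _
    "        If CLng(Marker) = 1 Then ScriptedRule = True", _
    "    End If", _
    "    Err.Clear", _
    "End Function")

Dim Configuration, ConfigurationHelper, ConfigurationXml
Set Configuration = CreateObject("AM.Configuration.2")
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

' Create the rule only if it is not already present, so the script can be
' re-run safely. Assumes the collection supports For Each, as the guide's
' "Edit a Scripted Rule" sample shows.
Dim Existing, Found
Found = False
For Each Existing In Configuration.ScriptedRules
    If Existing.Name = RuleName Then Found = True
Next
If Not Found Then
    Dim NewRule
    Set NewRule = Configuration.ManufactureInstanceFromClassName("AM.ScriptedRule")
    NewRule.Name = RuleName
    Configuration.ScriptedRules.Add NewRule.Xml
End If

With Configuration.ScriptedRules.Item(RuleName)
    .Script = Join(Lines, vbCrLf)
    .EntryFunction = "ScriptedRule"
    .WaitForLogin = False      ' the condition is machine-level; no user context needed
    .Timeout = 6               ' same value as the guide's sample
    ' Evaluated once per computer rather than in every session (reading of the
    ' enumeration name; the guide does not spell out the semantics).
    .Context = AM_ExecutionContext_PerComputerAsSystem
End With

ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
```

Because the stored script decides whether a rule applies, treat its body like any other policy code: keep it under version control and review changes to it, since a rule script that always returns True (as in the guide's test sample) silently widens the rule to every session.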

Edit a Scripted Rule


' Constant definitions for the AM.ExecutionContext enumeration.
const AM_ExecutionContext_PerSessionAsUser = 0
const AM_ExecutionContext_PerSessionAsSystem = 1
const AM_ExecutionContext_PerComputerAsSystem = 2

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Find the existing scripted rule (created in the previous sample) by name and change its timeout.
Dim CurrentScriptedRule
For Each CurrentScriptedRule In Configuration.ScriptedRules
    If CurrentScriptedRule.Name = "Scripted Rule (1)" Then
        CurrentScriptedRule.Timeout = 7
    End If
Next

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete a Scripted Rule


'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Remove the scripted rule.
Configuration.ScriptedRules.Remove "Scripted Rule (1)"

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Process Rules

Create a Process Rule
Edit a Process Rule
Delete a Process Rule

Create a Process Rule


'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Create a process rule
Dim ProcessRule
Set ProcessRule = Configuration.ManufactureInstanceFromClassName("AM.ProcessRule")
ProcessRule.Name = "Process Rule (1)"
Configuration.ProcessRules.Add ProcessRule.Xml

'Add a file process to the rule
Dim FileProcess
Set FileProcess = Configuration.ManufactureInstanceFromClassName("AM.File")
FileProcess.Path = "c:\windows\system32\notepad.exe"
FileProcess.CommandLine = "c:\windows\system32\notepad.exe"
Configuration.ProcessRules.Item("Process Rule (1)").FileProcessItems.Add FileProcess.Xml

'Add another file to the rule
Dim AnotherFile
Set AnotherFile = Configuration.ManufactureInstanceFromClassName("AM.File")
AnotherFile.Path = "c:\windows\system32\cmd.exe"
AnotherFile.CommandLine = "c:\windows\system32\cmd.exe"
Configuration.ProcessRules.Item("Process Rule (1)").FileProcessItems.Add AnotherFile.Xml

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Edit a Process Rule


' Constant definitions for the AM.SecurityLevel enumeration.
const AM_SecurityLevel_Restricted = 0
const AM_SecurityLevel_SelfAuthorizing = 1
const AM_SecurityLevel_Unrestricted = 2
const AM_SecurityLevel_AuditOnly = 3

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Rename the rule, then address it by its new name to change the security level
Configuration.ProcessRules.Item("Process Rule (1)").Name = "My Process Rule"
Configuration.ProcessRules.Item("My Process Rule").SecurityLevel = AM_SecurityLevel_AuditOnly

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing


Delete a Process Rule


'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Remove "Process Rule (1)"
Configuration.ProcessRules.Remove "Process Rule (1)"

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Rule List Items


Add a File
Edit a File
Delete a File
Add a Folder
Edit a Folder
Delete a Folder
Add a Digital Signature
Edit a Digital Signature
Delete a Digital Signature
Add and Delete Drives
Add a Trusted Vendor
Edit a Trusted Vendor
Delete a Trusted Vendor


Add a File
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Add a file to the list of accessible files.
Dim AccessibleFile
Set AccessibleFile = Configuration.ManufactureInstanceFromClassName("AM.File")
AccessibleFile.Path = "calc.exe"
AccessibleFile.CommandLine = "calc.exe"
Configuration.GroupRules.Item("Everyone").AccessibleFiles.Add AccessibleFile.Xml

'Add a file to the list of prohibited files.
Dim ProhibitedFile
Set ProhibitedFile = Configuration.ManufactureInstanceFromClassName("AM.File")
ProhibitedFile.Path = "regedit.exe"
ProhibitedFile.CommandLine = "regedit.exe"
Configuration.GroupRules.Item("Everyone").ProhibitedFiles.Add ProhibitedFile.Xml

'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Edit a File
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Edit calc.exe: switch off Trusted Ownership checking for this entry (the file is then
'allowed regardless of which account owns it) and apply an application limit of 5.
Configuration.GroupRules.Item("Everyone").AccessibleFiles.Item("calc.exe").TrustedOwnershipChecking = False
Configuration.GroupRules.Item("Everyone").AccessibleFiles.Item("calc.exe").ApplicationLimit = 5

'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete a File
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Remove files
Configuration.GroupRules.Item("Everyone").AccessibleFiles.Remove "calc.exe"
Configuration.GroupRules.Item("Everyone").ProhibitedFiles.Remove "regedit.exe"

'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Add a Folder
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Add a folder to the list of accessible folders.
Dim AccessibleFolder
Set AccessibleFolder = Configuration.ManufactureInstanceFromClassName("AM.Folder")
AccessibleFolder.Path = "%ALLUSERSPROFILE%"
Configuration.GroupRules.Item("Everyone").AccessibleFolders.Add AccessibleFolder.Xml

'Add a folder to the list of prohibited folders.
Dim ProhibitedFolder
Set ProhibitedFolder = Configuration.ManufactureInstanceFromClassName("AM.Folder")
ProhibitedFolder.Path = "%SystemDrive%\Utilities"
Configuration.GroupRules.Item("Everyone").ProhibitedFolders.Add ProhibitedFolder.Xml

'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Edit a Folder
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Make the folder entry non-recursive
Configuration.GroupRules.Item("Everyone").AccessibleFolders.Item("%ALLUSERSPROFILE%").Recursive = False

'Clear any existing access times for every day of the week
Configuration.GroupRules.Item("Everyone").AccessibleFolders.Item("%ALLUSERSPROFILE%").AccessTimes.MondayTimeRangeCollection.Clear()
Configuration.GroupRules.Item("Everyone").AccessibleFolders.Item("%ALLUSERSPROFILE%").AccessTimes.TuesdayTimeRangeCollection.Clear()
Configuration.GroupRules.Item("Everyone").AccessibleFolders.Item("%ALLUSERSPROFILE%").AccessTimes.WednesdayTimeRangeCollection.Clear()
Configuration.GroupRules.Item("Everyone").AccessibleFolders.Item("%ALLUSERSPROFILE%").AccessTimes.ThursdayTimeRangeCollection.Clear()
Configuration.GroupRules.Item("Everyone").AccessibleFolders.Item("%ALLUSERSPROFILE%").AccessTimes.FridayTimeRangeCollection.Clear()
Configuration.GroupRules.Item("Everyone").AccessibleFolders.Item("%ALLUSERSPROFILE%").AccessTimes.SaturdayTimeRangeCollection.Clear()
Configuration.GroupRules.Item("Everyone").AccessibleFolders.Item("%ALLUSERSPROFILE%").AccessTimes.SundayTimeRangeCollection.Clear()

'Allow access on Mondays between 09:00 and 13:00 only
Dim TimeRange
Set TimeRange = Configuration.ManufactureInstanceFromClassName("AM.TimeRange")
TimeRange.StartHour = 9
TimeRange.EndHour = 13
Configuration.GroupRules.Item("Everyone").AccessibleFolders.Item("%ALLUSERSPROFILE%").AccessTimes.MondayTimeRangeCollection.InsertBefore TimeRange.Xml, 0
Configuration.GroupRules.Item("Everyone").AccessibleFolders.Item("%ALLUSERSPROFILE%").ApplyAccessTimes = True

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete a Folder
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Remove the accessible folder
Configuration.GroupRules.Item("Everyone").AccessibleFolders.Remove "%ALLUSERSPROFILE%"

'Remove the prohibited folder
Configuration.GroupRules.Item("Everyone").ProhibitedFolders.Remove "%SystemDrive%\Utilities"

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Add a Digital Signature


'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Create new signature item. The helper computes the SHA-1 hash of the file on disk;
'the item is keyed by CommandLine, which holds the hash.
Dim SignatureFile
Set SignatureFile = Configuration.ManufactureInstanceFromClassName("AM.SignatureFile")
SignatureFile.SHA1Hash = ConfigurationHelper.ReadSha1HashFromFile("C:\WINDOWS\regedit.exe")
SignatureFile.Path = "C:\WINDOWS\regedit.exe"
SignatureFile.CommandLine = SignatureFile.SHA1Hash

'Add the signature to the rule
Configuration.GroupRules.Item("Everyone").AccessibleSignatures.Add SignatureFile.Xml

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing
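The sample adds one hash-keyed signature item. The script below is an added example, not part of the product guide or the AppSense API, and generalizes the same calls: it hashes every .exe in a folder with ReadSha1HashFromFile and adds an AM.SignatureFile item for each hash that the rule does not already contain, so the script is safe to re-run after a deployment. The folder path is hypothetical; that the AccessibleSignatures collection supports For Each is assumed by extension from the guide's "Edit a Scripted Rule" sample. SHA-1 is used because it is the only hash the helper object exposes in these samples.

```vbscript
' Added example (not from the product guide): add an SHA-1 signature item for
' every .exe in a folder, skipping hashes already present in the rule.
' The folder path is hypothetical; AM.SignatureFile, ReadSha1HashFromFile and
' the AccessibleSignatures collection come from the guide's own sample.
Option Explicit

Dim SourceFolder, RuleName
SourceFolder = "C:\Program Files\Contoso\LineOfBusiness"   ' hypothetical folder
RuleName = "Everyone"                                      ' group rule from the guide

Dim Configuration, ConfigurationHelper, ConfigurationXml
Set Configuration = CreateObject("AM.Configuration.2")
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

' Collect the hashes already in the rule so a second run adds nothing twice.
' Assumes the collection supports For Each (the guide shows this for ScriptedRules).
Dim Known, Existing
Set Known = CreateObject("Scripting.Dictionary")
Known.CompareMode = vbTextCompare
For Each Existing In Configuration.GroupRules.Item(RuleName).AccessibleSignatures
    Known(Existing.SHA1Hash) = True
Next

Dim Fso, File, Hash, SignatureFile, Added
Set Fso = CreateObject("Scripting.FileSystemObject")
Added = 0
For Each File In Fso.GetFolder(SourceFolder).Files
    If LCase(Fso.GetExtensionName(File.Name)) = "exe" Then
        ' The hash pins the binary as it is on disk now; a patched file no
        ' longer matches until this script is run again.
        Hash = ConfigurationHelper.ReadSha1HashFromFile(File.Path)
        If Not Known.Exists(Hash) Then
            Set SignatureFile = Configuration.ManufactureInstanceFromClassName("AM.SignatureFile")
            SignatureFile.SHA1Hash = Hash
            SignatureFile.Path = File.Path
            ' The guide's sample keys signature items by CommandLine holding the hash.
            SignatureFile.CommandLine = Hash
            Configuration.GroupRules.Item(RuleName).AccessibleSignatures.Add SignatureFile.Xml
            Known(Hash) = True
            Added = Added + 1
        End If
    End If
Next

' Only write the configuration back when something changed.
If Added > 0 Then ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
WScript.Echo "Signature items added: " & Added

Set Fso = Nothing
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
```

Run it with cscript.exe so the summary line is printed to the console. Hash items are the strongest match type on this page because a renamed or relocated copy of a different binary cannot satisfy them, which is exactly why they have to be regenerated whenever the allowed binaries are updated.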

Edit a Digital Signature


'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Digital signatures are keyed by CommandLine, which contains the SHA1 hash,
'so obtain the hash value to access the required item.
Dim sha1Hash
sha1Hash = ConfigurationHelper.ReadSha1HashFromFile("C:\WINDOWS\regedit.exe")
Configuration.GroupRules.Item("Everyone").AccessibleSignatures.Item(sha1Hash).ApplyAccessTimes = False

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete a Digital Signature


'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Digital signatures are keyed by SHA1 hash, so obtain the hash value to access the required item.
Dim sha1Hash
sha1Hash = ConfigurationHelper.ReadSha1HashFromFile("C:\WINDOWS\regedit.exe")
Configuration.GroupRules.Item("Everyone").AccessibleSignatures.Remove sha1Hash

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Add and Delete Drives


'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Add first drive
Dim FirstDrive
Set FirstDrive = Configuration.ManufactureInstanceFromClassName("AM.Drive")
FirstDrive.Path = "H"
Configuration.GroupRules.Item("Everyone").AccessibleDrives.Add FirstDrive.Xml

'Add a second drive
Dim SecondDrive
Set SecondDrive = Configuration.ManufactureInstanceFromClassName("AM.Drive")
SecondDrive.Path = "I"
Configuration.GroupRules.Item("Everyone").AccessibleDrives.Add SecondDrive.Xml

'Remove the first drive that was added
Configuration.GroupRules.Item("Everyone").AccessibleDrives.Remove "H"

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Add a Trusted Vendor


'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Use the helper object to read the certificate from the signed file
Dim CertificateData
CertificateData = ConfigurationHelper.ReadCertificateFromFile("C:\Program Files\Internet Explorer\iexplore.exe", 0)

'Create the trusted vendor entry from the certificate and add it to the rule
Dim DigitalCertificate
Set DigitalCertificate = Configuration.ManufactureInstanceFromClassName("AM.DigitalCertificate")
DigitalCertificate.RawCertificateData = CertificateData
DigitalCertificate.Description = "Microsoft Corporation - Internet Explorer Certificate"
Set DigitalCertificate = Configuration.GroupRules.Item("Everyone").TrustedVendors.Add(DigitalCertificate.Xml)

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Edit a Trusted Vendor


'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Use the helper object to read the certificate from the signed file;
'trusted vendor items are keyed by the raw certificate data.
Dim CertificateData
CertificateData = ConfigurationHelper.ReadCertificateFromFile("C:\Program Files\Internet Explorer\iexplore.exe", 0)
Configuration.GroupRules.Item("Everyone").TrustedVendors.Item(CertificateData).EnforceExpiryDate = True

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete a Trusted Vendor


'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Use the helper object to read the certificate from the signed file
Dim CertificateData
CertificateData = ConfigurationHelper.ReadCertificateFromFile("C:\Program Files\Internet Explorer\iexplore.exe", 0)
Configuration.GroupRules.Item("Everyone").TrustedVendors.Remove CertificateData

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Configure Properties

Message Settings
Archive Options

Message Settings
' Constant definitions for the AM.ANACMessageFrequencyType enumeration.
const AM_ANACMessageFrequencyType_EveryConnectionAttempt = 0
const AM_ANACMessageFrequencyType_Once = 1
const AM_ANACMessageFrequencyType_UseDelayBetweenMessages = 2

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Modify the message settings
Configuration.MessageSettings.AccessDeniedMessageCaption = "Warning"
Configuration.MessageSettings.AccessDeniedMessageBody = "File has been blocked"
Configuration.MessageSettings.ApplicationLimitsExceededMessageCaption = "Warning"
Configuration.MessageSettings.ApplicationLimitsExceededMessageBody = "Too many files"
Configuration.MessageSettings.DisplayInitialWarningMessage = False
Configuration.MessageSettings.CloseApplication = False
Configuration.MessageSettings.TerminateApplication = False
Configuration.MessageSettings.WaitTime = 120
Configuration.MessageSettings.TimeLimitsWarningMessageCaption = "Warning"
Configuration.MessageSettings.TimeLimitsWarningMessageBody = "Out of time"
Configuration.MessageSettings.TimeLimitsDeniedMessageCaption = "Warning"
Configuration.MessageSettings.TimeLimitsDeniedMessageBody = "Wrong time"
Configuration.MessageSettings.SelfAuthorizationMessageCaption = "Warning"
Configuration.MessageSettings.SelfAuthorizationMessageBody = "Needs authorization"
Configuration.MessageSettings.SelfAuthorizationResponseCaption = "Authorized File"
Configuration.MessageSettings.SelfAuthorizationResponseBody = "File is now authorized."

'Application Network Access Control (ANAC) message settings
Configuration.MessageSettings.ANACMessageBoxEnabled = True
Configuration.MessageSettings.ANACMessageFrequency = AM_ANACMessageFrequencyType_Once
Configuration.MessageSettings.ANACMessageDelayBetweenMessageBoxes = 60
Configuration.MessageSettings.ANACMessageBoxCaption = "Application Manager - Application Network Access Control"
Configuration.MessageSettings.ANACMessageBoxBody = "%ExecutableName% has been denied access to %NetworkLocation%."

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Archive Options
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Modify the archiving settings
Dim ArchiveFolder
Set ArchiveFolder = Configuration.ManufactureInstanceFromClassName("AM.ArchiveFolder")
ArchiveFolder.Path = "C:\ArchiveBackup"
Set ArchiveFolder = Configuration.ArchivingSettings.ArchiveFolders.InsertBefore(ArchiveFolder.Xml, 1)

Configuration.ArchivingSettings.ArchivingEnabled = True
Configuration.ArchivingSettings.AnonymousEnabled = True
Configuration.ArchivingSettings.UserLimit = 26
Configuration.ArchivingSettings.TotalLimit = 51
Configuration.ArchivingSettings.NoAdminOwnedFiles = True
Configuration.ArchivingSettings.OverwriteExistingFiles = False
Configuration.ArchivingSettings.ArchiveLessThanEnabled = True
Configuration.ArchivingSettings.OverwriteOldest = True
Configuration.ArchivingSettings.ArchiveLessThanAmount = 10

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Network Connections

Add Network Connections
Edit Network Connections
Delete Network Connections


Add Network Connections


'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Add a connection to the list of accessible connections.
Dim AccessibleConn
Set AccessibleConn = Configuration.ManufactureInstanceFromClassName("AM.NetworkConnection")
AccessibleConn.Path = "www.google.com:80/foo/*"
AccessibleConn.Address = "www.google.com"
AccessibleConn.Port = 80
AccessibleConn.Resource = "/foo/*"
AccessibleConn.UseWildcards = True
AccessibleConn.AddressType = 0
Configuration.GroupRules.Item("Everyone").AccessibleNetworkConnections.Add AccessibleConn.Xml

'Add a connection to the list of prohibited connections.
Dim ProhibitedConn
Set ProhibitedConn = Configuration.ManufactureInstanceFromClassName("AM.NetworkConnection")
ProhibitedConn.Path = "www.facebook.com"
ProhibitedConn.AddressType = 0
ProhibitedConn.Description = "www.facebook.com"
Configuration.GroupRules.Item("Everyone").ProhibitedNetworkConnections.Add ProhibitedConn.Xml

'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Edit Network Connections


'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Modify the port number of the network connection (items are keyed by Path)
Configuration.GroupRules.Item("Everyone").AccessibleNetworkConnections.Item("www.google.com:80/foo/*").Port = 8080

'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete Network Connections


'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Remove the network connection
Configuration.GroupRules.Item("Everyone").ProhibitedNetworkConnections.Remove "www.facebook.com"

'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing
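Every sample so far writes to the live configuration. Before a scripted change is saved, a reviewer usually wants to see which rules do not actually block and which entries weaken the checks. The following read-only audit script is an added example, not part of the product guide or the AppSense API. It loads the live configuration with the same objects the samples use and reports custom and process rules whose security level is anything other than Restricted, accessible files in group rules with Trusted Ownership checking switched off, and scripted rules that run as SYSTEM; it saves nothing. Two assumptions, beyond what the guide shows, are that every AM collection supports For Each (the guide shows it only for ScriptedRules) and that group rules expose a Name property like custom and process rules do.

```vbscript
' Added example (not from the product guide): read-only audit of the live
' configuration. Prints the settings a reviewer would question and exits with
' the number of findings as the process exit code. Nothing is saved back.
' Property and enumeration names come from the guide's samples; For Each on
' every collection and Name on group rules are assumptions.
Option Explicit

const AM_SecurityLevel_Restricted = 0
const AM_SecurityLevel_SelfAuthorizing = 1
const AM_SecurityLevel_Unrestricted = 2
const AM_SecurityLevel_AuditOnly = 3

const AM_ExecutionContext_PerSessionAsUser = 0
const AM_ExecutionContext_PerSessionAsSystem = 1
const AM_ExecutionContext_PerComputerAsSystem = 2

Dim Findings
Findings = 0

Sub Report(Message)
    Findings = Findings + 1
    WScript.Echo "FINDING: " & Message
End Sub

Function LevelName(Level)
    Select Case Level
        Case AM_SecurityLevel_Restricted:      LevelName = "Restricted"
        Case AM_SecurityLevel_SelfAuthorizing: LevelName = "Self-Authorizing"
        Case AM_SecurityLevel_Unrestricted:    LevelName = "Unrestricted"
        Case AM_SecurityLevel_AuditOnly:       LevelName = "Audit Only"
        Case Else:                             LevelName = "Unknown (" & Level & ")"
    End Select
End Function

' A rule at any level other than Restricted does not block: going by the
' enumeration names, Unrestricted lifts the restrictions, Audit Only only
' logs, and Self-Authorizing lets the user approve the launch.
Sub CheckLevel(RuleKind, Rule)
    If Rule.SecurityLevel <> AM_SecurityLevel_Restricted Then
        Report RuleKind & " rule '" & Rule.Name & "' is " & LevelName(Rule.SecurityLevel)
    End If
End Sub

' An accessible file with Trusted Ownership checking disabled is allowed
' even when it is owned by an account that is not trusted.
Sub CheckFiles(RuleKind, Rule)
    Dim File
    For Each File In Rule.AccessibleFiles
        If Not File.TrustedOwnershipChecking Then
            Report RuleKind & " rule '" & Rule.Name & "': accessible file '" & _
                   File.Path & "' has Trusted Ownership checking disabled"
        End If
    Next
End Sub

Dim Configuration, ConfigurationHelper, ConfigurationXml
Set Configuration = CreateObject("AM.Configuration.2")
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

Dim Rule
For Each Rule In Configuration.GroupRules
    CheckFiles "Group", Rule
Next
For Each Rule In Configuration.CustomRules
    CheckLevel "Custom", Rule
Next
For Each Rule In Configuration.ProcessRules
    CheckLevel "Process", Rule
Next

' Scripted rules that run as SYSTEM execute administrator-supplied code with
' full privileges, so list them for review of the script body.
For Each Rule In Configuration.ScriptedRules
    If Rule.Context <> AM_ExecutionContext_PerSessionAsUser Then
        Report "Scripted rule '" & Rule.Name & "' runs as SYSTEM (context " & _
               Rule.Context & "); review its Script property"
    End If
Next

WScript.Echo Findings & " finding(s)"
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
WScript.Quit Findings   ' non-zero exit code when there is something to review
```

Run it with cscript.exe; because the exit code equals the number of findings, the script can gate an automated change (for example, refuse to run a "save" script while the audit exits non-zero). Extend CheckFiles and CheckLevel with the other rule types once their collections have been confirmed to expose the same properties.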

User Rights Management (URM)


Create URM Policies
Edit URM Policies
Delete URM Policies
Add a User Rights File
Edit a User Rights File
Delete a User Rights File


Create URM Policies


'URM Group Action options const AM_URMGroupAction_Add = 0 const AM_URMGroupAction_Drop = 1 'URM Privileges const AM_URMPrivilegeConstant_SeAssignPrimaryTokenPrivilege = 0 const AM_URMPrivilegeConstant_SeAuditPrivilege = 1 const AM_URMPrivilegeConstant_SeBackupPrivilege = 2 const AM_URMPrivilegeConstant_SeChangeNotifyPrivilege = 3 const AM_URMPrivilegeConstant_SeCreateGlobalPrivilege = 4 const AM_URMPrivilegeConstant_SeCreatePagefilePrivilege = 5 const AM_URMPrivilegeConstant_SeCreatePermanentPrivilege = 6 const AM_URMPrivilegeConstant_SeCreateSymbolicLinkPrivilege = 7 const AM_URMPrivilegeConstant_SeCreateTokenPrivilege = 8 const AM_URMPrivilegeConstant_SeDebugPrivilege = 9 const AM_URMPrivilegeConstant_SeEnableDelegationPrivilege = 10 const AM_URMPrivilegeConstant_SeImpersonatePrivilege = 11 const AM_URMPrivilegeConstant_SeIncreaseBasePriorityPrivilege = 12 const AM_URMPrivilegeConstant_SeIncreaseQuotaPrivilege = 13 const AM_URMPrivilegeConstant_SeIncreaseWorkingSetPrivilege = 14 const AM_URMPrivilegeConstant_SeLoadDriverPrivilege = 15 const AM_URMPrivilegeConstant_SeLockMemoryPrivilege = 16 const AM_URMPrivilegeConstant_SeMachineAccountPrivilege = 17 const AM_URMPrivilegeConstant_SeManageVolumePrivilege = 18 const AM_URMPrivilegeConstant_SeProfileSingleProcessPrivilege = 19 const AM_URMPrivilegeConstant_SeRelabelPrivilege = 20 const AM_URMPrivilegeConstant_SeRemoteShutdownPrivilege = 21 const AM_URMPrivilegeConstant_SeRestorePrivilege = 22 const AM_URMPrivilegeConstant_SeSecurityPrivilege = 23 const AM_URMPrivilegeConstant_SeShutdownPrivilege = 24 const AM_URMPrivilegeConstant_SeSyncAgentPrivilege = 25 const AM_URMPrivilegeConstant_SeSystemEnvironmentPrivilege = 26 const AM_URMPrivilegeConstant_SeSystemProfilePrivilege = 27 const AM_URMPrivilegeConstant_SeSystemtimePrivilege = 28 const AM_URMPrivilegeConstant_SeTakeOwnershipPrivilege = 29 const AM_URMPrivilegeConstant_SeTcbPrivilege = 30 const AM_URMPrivilegeConstant_SeTimeZonePrivilege = 31 const 
AM_URMPrivilegeConstant_SeTrustedCredManAccessPrivilege = 32 const AM_URMPrivilegeConstant_SeUndockPrivilege = 33 const AM_URMPrivilegeConstant_SeUnsolicitedInputPrivilege = 34 'URM Privilege actions const AM_URMPrivilegeAction_NoChange = 0 const AM_URMPrivilegeAction_Enable = 1 const AM_URMPrivilegeAction_Disable = 2

APPLICATION MANAGER PRODUCT GUIDE

10 SCRIPTING Sample Scripting Reference

180

const AM_URMPrivilegeAction_Remove = 3

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Create a new URMPolicy
Dim URMPolicy
Set URMPolicy = Configuration.ManufactureInstanceFromClassName("AM.URMPolicy")
URMPolicy.Name = "Add Administrator"
Configuration.URMPolicies.Add URMPolicy.Xml

'Add a Group Behaviour Action
Dim URMBehaviour
Set URMBehaviour = Configuration.ManufactureInstanceFromClassName("AM.URMGroupBehaviour")
URMBehaviour.DisplayName = "BUILTIN\Administrators"
URMBehaviour.SID = "S-1-5-Domain-544"
URMBehaviour.Action = AM_URMGroupAction_Add
Configuration.URMPolicies("Add Administrator").GroupMembershipActions.Add URMBehaviour.Xml

'Set up the privilege actions
'Every privilege is added to the policy with the NoChange action. The same
'AM.URMPrivilege instance is reused for each one because only its Xml
'snapshot is passed to Add.
Dim PrivilegeAction
Set PrivilegeAction = Configuration.ManufactureInstanceFromClassName("AM.URMPrivilege")

Sub AddPrivilegeAction(PrivilegeName, PrivilegeConstant)
    PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
    PrivilegeAction.Name = PrivilegeName
    PrivilegeAction.Privilege = PrivilegeConstant
    Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml
End Sub

AddPrivilegeAction "SeAssignPrimaryTokenPrivilege", AM_URMPrivilegeConstant_SeAssignPrimaryTokenPrivilege
AddPrivilegeAction "SeAuditPrivilege", AM_URMPrivilegeConstant_SeAuditPrivilege
AddPrivilegeAction "SeBackupPrivilege", AM_URMPrivilegeConstant_SeBackupPrivilege
AddPrivilegeAction "SeChangeNotifyPrivilege", AM_URMPrivilegeConstant_SeChangeNotifyPrivilege
AddPrivilegeAction "SeCreateGlobalPrivilege", AM_URMPrivilegeConstant_SeCreateGlobalPrivilege
AddPrivilegeAction "SeCreatePagefilePrivilege", AM_URMPrivilegeConstant_SeCreatePagefilePrivilege
AddPrivilegeAction "SeCreatePermanentPrivilege", AM_URMPrivilegeConstant_SeCreatePermanentPrivilege
AddPrivilegeAction "SeCreateSymbolicLinkPrivilege", AM_URMPrivilegeConstant_SeCreateSymbolicLinkPrivilege
AddPrivilegeAction "SeCreateTokenPrivilege", AM_URMPrivilegeConstant_SeCreateTokenPrivilege
AddPrivilegeAction "SeDebugPrivilege", AM_URMPrivilegeConstant_SeDebugPrivilege
AddPrivilegeAction "SeEnableDelegationPrivilege", AM_URMPrivilegeConstant_SeEnableDelegationPrivilege
AddPrivilegeAction "SeImpersonatePrivilege", AM_URMPrivilegeConstant_SeImpersonatePrivilege
AddPrivilegeAction "SeIncreaseBasePriorityPrivilege", AM_URMPrivilegeConstant_SeIncreaseBasePriorityPrivilege
AddPrivilegeAction "SeIncreaseQuotaPrivilege", AM_URMPrivilegeConstant_SeIncreaseQuotaPrivilege
AddPrivilegeAction "SeIncreaseWorkingSetPrivilege", AM_URMPrivilegeConstant_SeIncreaseWorkingSetPrivilege
AddPrivilegeAction "SeLoadDriverPrivilege", AM_URMPrivilegeConstant_SeLoadDriverPrivilege
AddPrivilegeAction "SeLockMemoryPrivilege", AM_URMPrivilegeConstant_SeLockMemoryPrivilege
AddPrivilegeAction "SeMachineAccountPrivilege", AM_URMPrivilegeConstant_SeMachineAccountPrivilege
AddPrivilegeAction "SeManageVolumePrivilege", AM_URMPrivilegeConstant_SeManageVolumePrivilege
AddPrivilegeAction "SeProfileSingleProcessPrivilege", AM_URMPrivilegeConstant_SeProfileSingleProcessPrivilege
AddPrivilegeAction "SeRelabelPrivilege", AM_URMPrivilegeConstant_SeRelabelPrivilege
AddPrivilegeAction "SeRemoteShutdownPrivilege", AM_URMPrivilegeConstant_SeRemoteShutdownPrivilege
AddPrivilegeAction "SeRestorePrivilege", AM_URMPrivilegeConstant_SeRestorePrivilege
AddPrivilegeAction "SeSecurityPrivilege", AM_URMPrivilegeConstant_SeSecurityPrivilege
AddPrivilegeAction "SeShutdownPrivilege", AM_URMPrivilegeConstant_SeShutdownPrivilege
AddPrivilegeAction "SeSyncAgentPrivilege", AM_URMPrivilegeConstant_SeSyncAgentPrivilege
AddPrivilegeAction "SeSystemEnvironmentPrivilege", AM_URMPrivilegeConstant_SeSystemEnvironmentPrivilege
AddPrivilegeAction "SeSystemProfilePrivilege", AM_URMPrivilegeConstant_SeSystemProfilePrivilege
AddPrivilegeAction "SeSystemtimePrivilege", AM_URMPrivilegeConstant_SeSystemtimePrivilege
AddPrivilegeAction "SeTakeOwnershipPrivilege", AM_URMPrivilegeConstant_SeTakeOwnershipPrivilege
AddPrivilegeAction "SeTcbPrivilege", AM_URMPrivilegeConstant_SeTcbPrivilege
AddPrivilegeAction "SeTimeZonePrivilege", AM_URMPrivilegeConstant_SeTimeZonePrivilege
AddPrivilegeAction "SeTrustedCredManAccessPrivilege", AM_URMPrivilegeConstant_SeTrustedCredManAccessPrivilege
AddPrivilegeAction "SeUndockPrivilege", AM_URMPrivilegeConstant_SeUndockPrivilege
AddPrivilegeAction "SeUnsolicitedInputPrivilege", AM_URMPrivilegeConstant_SeUnsolicitedInputPrivilege

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Edit URM Policies


'URM Group Action options
const AM_URMGroupAction_Add = 0
const AM_URMGroupAction_Drop = 1

'URM Privilege actions
const AM_URMPrivilegeAction_NoChange = 0
const AM_URMPrivilegeAction_Enable = 1
const AM_URMPrivilegeAction_Disable = 2
const AM_URMPrivilegeAction_Remove = 3

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Switch the SeBackupPrivilege action in the "Add Administrator" policy from NoChange to Enable
Configuration.URMPolicies("Add Administrator").PrivilegeActions("SeBackupPrivilege").Action = AM_URMPrivilegeAction_Enable

'Switch the BUILTIN\Administrators group membership action from Add to Drop
Configuration.URMPolicies("Add Administrator").GroupMembershipActions("BUILTIN\Administrators").Action = AM_URMGroupAction_Drop

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete URM Policies


'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Remove the policy by its key (URMPolicyDictionary is keyed on Name)
Configuration.URMPolicies.Remove "Add Administrator"

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Add a User Rights File


'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Create a new FileItem
Dim File
Set File = Configuration.ManufactureInstanceFromClassName("AM.File")
File.Path = "notepad.exe"
File.CommandLine = "notepad.exe"

'Create the User Rights rule item, bind it to the "Add Administrator" policy
'and attach the file, then add it to the Everyone group rule
Dim URMFile
Set URMFile = Configuration.ManufactureInstanceFromClassName("AM.URMRuleItemPolicy")
URMFile.KeyPath = "notepad.exe"
URMFile.Policy.Policy = Configuration.URMPolicies.Item("Add Administrator").Name
URMFile.Application = File.Xml
Configuration.GroupRules.Item("Everyone").UserRightsRules.URMFiles.Add URMFile.Xml

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Edit a User Rights File


'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Create a new FileItem carrying the arguments
Dim File
Set File = Configuration.ManufactureInstanceFromClassName("AM.File")
File.Path = "notepad.exe"
File.Arguments = "test.txt"
File.CommandLine = "notepad.exe test.txt"

'Replace the file on the existing rule item and update its key to the new command line
Configuration.GroupRules.Item("Everyone").UserRightsRules.URMFiles.Item("notepad.exe").Application = File.Xml
Configuration.GroupRules.Item("Everyone").UserRightsRules.URMFiles.Item("notepad.exe").KeyPath = File.CommandLine

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

APPLICATION MANAGER PRODUCT GUIDE

10 SCRIPTING Sample Scripting Reference

187

Delete a User Rights File


'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Remove the rule item by its KeyPath (the command line set in the previous sample)
Configuration.GroupRules.Item("Everyone").UserRightsRules.URMFiles.Remove "notepad.exe test.txt"

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing


10 SCRIPTING Object Types


OBJECT TYPES
This section covers the Application Manager Object Types and includes the following:

Configuration Object
Configuration Helper Object

Configuration Object
The Configuration object represents the Application Manager configuration. It is solely concerned with data and contains no business logic.

Generic Base Types for Collections


Map

Methods:

Add(ValueType item)
  Description: Adds a new item into the collection.
  Parameters: item - The value to be added.

Remove(KeyType kt)
  Description: Removes the value with the given key from the collection.
  Parameters: kt - The key of the value to remove from the collection.

Item(KeyType kt)
  Description: Accessor for a value within the collection.
  Returns: The item (value) with the given key.
  Parameters: kt - The key of the requested value.

Array

Methods:

Add(ValueType item)
  Description: Adds a new item into the collection.
  Parameters: item - The value to be added.

Remove(LONG index)
  Description: Removes the item at the given position within the collection.
  Parameters: index - The 0-based index of the value to remove.

Item(LONG index)
  Description: Accessor for the item (value) at the given position within the collection.
  Parameters: index - The 0-based index of the requested value.

APPLICATION MANAGER PRODUCT GUIDE

10 SCRIPTING Object Types

189

Strongly-Typed Collections
Collection | BaseType | ValueType | Key
ArchiveFolderCollection | Array | ArchiveFolder | n/a
AuditEventFilterDictionary | Map | AuditEventFilter | File
ApplicationGroupDictionary | Map | ApplicationGroup | Path
CustomRuleDictionary | Map | CustomRule | Name
DeviceDictionary | Map | Device | Host
DeviceRuleDictionary | Map | DeviceRule | Name
DriveCollection | Map | Drive | Path
EngineeringKeyCollection | Array | EngineeringKey | n/a
FileCollection | Map | File | CommandLine
FileExtensionDictionary | Map | FileExtension | Name
FolderCollection | Map | Folder | Path
GroupRuleDictionary | Map | GroupRule | DisplayName
NetworkConnectionCollection | Map | NetworkConnection | Path
ProcessRuleDictionary | Map | ProcessRule | Name
ScriptedRuleDictionary | Map | ScriptedRule | Name
SignatureFileCollection | Map | SignatureFile | CommandLine
TimeRangeCollection | Array | TimeRange | n/a
TrustedApplicationCollection | Array | TrustedApplication | n/a
TrustedOwnerDictionary | Map | TrustedOwner | DisplayName
UserRuleDictionary | Map | UserRule | DisplayName
URMPolicyDictionary | Map | URMPolicy | Name
URMGroupBehaviourDictionary | Map | URMGroupBehaviour | DisplayName
URMPrivilegeDictionary | Map | URMPrivilege | Name
URMRuleItemDictionary | Map | URMRuleItem | KeyPath
URMRuleItemPolicyDirectory | Map | URMRuleItemPolicy | KeyPath

Object Definitions
Object: AccessTimes

Property | Type | Description
MondayTimeRangeCollection | TimeRangeCollection | A collection of time ranges that are applied on Mondays.
TuesdayTimeRangeCollection | TimeRangeCollection | A collection of time ranges that are applied on Tuesdays.
WednesdayTimeRangeCollection | TimeRangeCollection | A collection of time ranges that are applied on Wednesdays.
ThursdayTimeRangeCollection | TimeRangeCollection | A collection of time ranges that are applied on Thursdays.
FridayTimeRangeCollection | TimeRangeCollection | A collection of time ranges that are applied on Fridays.
SaturdayTimeRangeCollection | TimeRangeCollection | A collection of time ranges that are applied on Saturdays.
SundayTimeRangeCollection | TimeRangeCollection | A collection of time ranges that are applied on Sundays.


Object: ApplicationGroup

Property | Type | Description
Path | BSTR | The name of the Application Group.
Description | BSTR | The description of the group.
Files | FileCollection | Collection of files contained within this group.
Folders | FolderCollection | Collection of folders contained within this group.
SignatureFiles | BSTR | Collection of signature files contained within this group.
NetworkConnections | BSTR | Collection of network connections contained within this group.
Drives | BSTR | Collection of drives contained within this group.

Object: ArchiveFolder

Property | Type | Description
Path | BSTR | Full path to folder.

Object: ArchivingSettings

Property | Type | Description
ArchivingEnabled | VARIANT_BOOL | Specify whether to use archiving. Default = False
NoAdminOwnedFiles | VARIANT_BOOL | Enable administrator-owned files to be ignored. Default = False
OverwriteExistingFiles | VARIANT_BOOL | Specify whether files copied to the archive should overwrite existing files. Default = True
AnonymousEnabled | VARIANT_BOOL | Specify whether files should have any user information stripped.
TotalLimit | LONG | The maximum size of the archive in MB. Default = 50.
UserLimit | LONG | The maximum size of a user's archive in MB. Default = 25.
ArchiveLessThanEnabled | VARIANT_BOOL | Specify whether only files smaller than a certain size will be archived. Default = False.
ArchiveLessThanAmount | LONG | The maximum size of a file that will be copied to the archive. Default = False.
OverwriteOldest | VARIANT_BOOL | Specify whether the oldest files in the archive are overwritten when the archive is full. Default = False.
ArchiveFolders | ArchiveFolderCollection | A list of archive folder locations; the first location in the list is given preference, the last location the lowest preference.

Object: AuditEventFilter

Property | Type | Description
File | BSTR | The file name/extension to which this filter will be applied.
Events | BSTR | A semi-colon delimited list of events, e.g. 9005;9006;9008

Object: AuditEventFiltering

Property | Type | Description
Enabled | VARIANT_BOOL | Specify whether event filtering is enabled. Default = True
Files | AuditEventFilterDictionary | The list of event filters.

Object: Configuration

Property | Type | Description
Info | ConfigurationInfo | Configuration metadata.
DefaultRules | DefaultRules | Default rules settings.
MessageSettings | MessageSettings | Settings to allow customization of AM generated message boxes.
ArchivingSettings | ArchivingSettings | Options for files that are archived.
UserRules | UserRuleDictionary | Collection of configured user rules.
ApplicationGroups | ApplicationGroupDictionary | Library of Application Groups.
ProcessRules | ProcessRuleDictionary | Collection of configured Process Rules.
GroupRules | GroupRuleDictionary | Collection of configured group rules.
DeviceRules | DeviceRuleDictionary | Collection of configured device rules.
CustomRules | CustomRuleDictionary | Collection of configured custom rules.
ScriptedRules | ScriptedRuleDictionary | Collection of configured scripted rules.
EngineeringKeys | EngineeringKeyCollection | Collection of engineering keys.
EnableTrustedApplications | VARIANT_BOOL | Enable Trusted Applications functionality. Default = True
URMPolicies | URMPolicyDictionary | Library of User rights policies.
AuditEventFilteringSettings | AuditEventFiltering | Options relating to which audit events are reported.

Object: ConfigurationInfo

Property | Type | Description
Name | BSTR | The name of the configuration.
UniqueIdentifier | BSTR | The unique ID for the configuration.
Version | LONG | The configuration version.
Notes | BSTR | Any appropriate notes.
RevisionLevel | LONG | The configuration revision number.

Object: CustomRule

Property | Type | Description
DisplayName | BSTR | The account name.
SID | BSTR | The account SID.
Devices | DeviceDictionary | Collection of devices to which this rule applies.
Name | BSTR | The name of the rule.
SecurityLevel | SecurityLevel | The level of restriction applied to this rule.
AccessibleApplicationGroups | ApplicationGroupReferenceDictionary | Collection of accessible Application Groups.
AccessibleFiles | FileCollection | Collection of accessible files.
AccessibleFolders | FolderCollection | Collection of accessible folders.
AccessibleDrives | DriveCollection | Collection of accessible drives.
AccessibleSignatures | SignatureFileCollection | Collection of accessible signatures.
AccessibleNetworkConnections | NetworkConnectionCollection | Collection of accessible network connections.
ProhibitedApplicationGroups | ApplicationGroupReferenceDictionary | Collection of prohibited Application Groups.
ProhibitedFiles | FileCollection | Collection of prohibited files.
ProhibitedFolders | FolderCollection | Collection of prohibited folders.
ProhibitedDrives | DriveCollection | Collection of prohibited drives.
ProhibitedSignatures | SignatureFileCollection | Collection of prohibited signatures.
ProhibitedNetworkConnections | NetworkConnectionCollection | Collection of prohibited network connections.
TrustedVendors | DigitalCertificateCollection | Collection of trusted vendors' digital certificates.
UserRightsRules | URMRules | Configured settings for User rights rules.

Object: DefaultRules

Property | Type | Description
TrustedOwnershipChecking | VARIANT_BOOL | Enable trusted ownership checking. Default = True
ChangeFileOwnershipOnOverwriteOrRename | VARIANT_BOOL | Enable a change of file ownership when a file is overwritten or renamed. Default = True
TrustedOwners | TrustedOwnerDictionary | A collection of configured Trusted Owners.
LocalDrivesAccessible | VARIANT_BOOL | Specify whether the local drives are accessible by default. Default = True
IgnoreRestrictionsDuringLogon | VARIANT_BOOL | Allows restrictions to be ignored until the logon process is complete.
AllowCMDForBatchFiles | VARIANT_BOOL | Allows cmd.exe to run if it is run via execution of a batch file. Default = True
ExtractSelfExtractingZIPFiles | VARIANT_BOOL | Specify whether Application Manager should extract self-extracting .ZIP files. Default = True
ValidateSystemProcesses | VARIANT_BOOL | Specify whether system processes will be subject to AM rules processing. Default = False
ValidateMSI | VARIANT_BOOL | Specify whether Windows Installer (.MSI) packages are validated.
ValidateWSH | VARIANT_BOOL | Specify whether Windows Script Host (.WSH) files are validated. Default = True
ValidateREG | VARIANT_BOOL | Specify whether Windows Registry (.REG) files are validated. Default = True
DoExtensionFiltering | VARIANT_BOOL | Enable extension filtering. Default = False
ExtensionFilteringScope | FileExtensionFilteringScope | Specify whether the file extensions in the FileExtensions property are included in or excluded from rules processing. Default = Exclude
FileExtensions | FileExtensionDictionary | A list of extensions used for extension filtering.
TrustedAppsCheckAll | VARIANT_BOOL | Specify whether all denied requests are passed through the Trusted Applications checking routine. True = Check all, False = only check requests denied by Trusted Ownership. Default = True
ApplicationAccessEnabled | VARIANT_BOOL | Specify whether Application Access Control is enabled. Default = True.
ANACEnabled | VARIANT_BOOL | Specify whether Application Network Access Control is enabled. Default = True.
URMEnabled | VARIANT_BOOL | Specify whether User Rights Management is enabled. Default = True.

Object: Device

Property | Type | Description
Host | BSTR | The host address.
HostType | DeviceType | Specify whether the address refers to a computer or a connecting device. Default = Computer
NameType | HostNameType | Specify whether the address is a host name or an IP address. Default = HostName


Object: DeviceRule

Property | Type | Description
Devices | DeviceDirectory | Collection of devices to which this rule applies.
Name | BSTR | The name of the rule.
SecurityLevel | SecurityLevel | The level of restriction applied to this rule.
AccessibleApplicationGroups | ApplicationGroupReferenceDictionary | Collection of accessible Application Groups.
AccessibleFiles | FileCollection | Collection of accessible files.
AccessibleFolders | FolderCollection | Collection of accessible folders.
AccessibleDrives | DriveCollection | Collection of accessible drives.
AccessibleSignatures | SignatureFileCollection | Collection of accessible signatures.
AccessibleNetworkConnections | NetworkConnectionCollection | Collection of accessible network connections.
ProhibitedApplicationGroups | ApplicationGroupReferenceDictionary | Collection of prohibited Application Groups.
ProhibitedFiles | FileCollection | Collection of prohibited files.
ProhibitedFolders | FolderCollection | Collection of prohibited folders.
ProhibitedDrives | DriveCollection | Collection of prohibited drives.
ProhibitedSignatures | SignatureFileCollection | Collection of prohibited signatures.
ProhibitedNetworkConnections | NetworkConnectionCollection | Collection of prohibited network connections.
TrustedVendors | DigitalCertificateCollection | Collection of trusted vendors' digital certificates.
UserRightsRules | URMRules | Configured settings for User rights rules.

Object: DigitalCertificate

Property | Type | Description
Path | BSTR | Unused for this object.
Description | BSTR | The description of the digital certificate.
EnforceExpiryDate | VARIANT_BOOL | Specify whether the expiry date verification will be applied to this certificate. Default = False
RawCertificateData | BSTR | The base64 encoded digital certificate.
ExpiryDate | BSTR | The certificate expiry date.
IssuedTo | BSTR | The name of the certificate owner.
ErrorIgnoreFlags | LONG | A bitwise OR of the values in the table below. Default = 0

ErrorIgnoreFlags values

Flag | Value
CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG | 0x00000001
CERT_CHAIN_POLICY_IGNORE_CTL_NOT_TIME_VALID_FLAG | 0x00000002
CERT_CHAIN_POLICY_IGNORE_NOT_TIME_NESTED_FLAG | 0x00000004
CERT_CHAIN_POLICY_IGNORE_INVALID_BASIC_CONSTRAINTS_FLAG | 0x00000008
CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG | 0x00000010
CERT_CHAIN_POLICY_IGNORE_WRONG_USAGE_FLAG | 0x00000020
CERT_CHAIN_POLICY_IGNORE_INVALID_NAME_FLAG | 0x00000040
CERT_CHAIN_POLICY_IGNORE_INVALID_POLICY_FLAG | 0x00000080
CERT_CHAIN_POLICY_IGNORE_END_REV_UNKNOWN_FLAG | 0x00000100
CERT_CHAIN_POLICY_IGNORE_CTL_SIGNER_REV_UNKNOWN_FLAG | 0x00000200
CERT_CHAIN_POLICY_IGNORE_CA_REV_UNKNOWN_FLAG | 0x00000400
CERT_CHAIN_POLICY_IGNORE_ROOT_REV_UNKNOWN_FLAG | 0x00000800

Object: Drive

Property | Type | Description
Path | BSTR | Full path to drive.
Description | BSTR | The drive description.
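Each bit set in a DigitalCertificate's ErrorIgnoreFlags switches off one certificate-chain check for that Trusted Vendors entry, so a configuration review should decode the value rather than read it as a number. The following Python is an added example, not code from the product guide or from AppSense: it maps an ErrorIgnoreFlags value back to the CERT_CHAIN_POLICY_* names listed above and reports which checks are disabled; the "high risk" grouping and the revocation grouping are this example's own assessment, not a classification from the guide.

```python
# Decode the ErrorIgnoreFlags bitmask of an Application Manager
# DigitalCertificate object into the CERT_CHAIN_POLICY_* flags that the
# product guide documents for it. Added review helper; not part of the guide.

# Flag values and names exactly as tabulated for the DigitalCertificate object.
CERT_CHAIN_POLICY_FLAGS = {
    0x00000001: "CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG",
    0x00000002: "CERT_CHAIN_POLICY_IGNORE_CTL_NOT_TIME_VALID_FLAG",
    0x00000004: "CERT_CHAIN_POLICY_IGNORE_NOT_TIME_NESTED_FLAG",
    0x00000008: "CERT_CHAIN_POLICY_IGNORE_INVALID_BASIC_CONSTRAINTS_FLAG",
    0x00000010: "CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG",
    0x00000020: "CERT_CHAIN_POLICY_IGNORE_WRONG_USAGE_FLAG",
    0x00000040: "CERT_CHAIN_POLICY_IGNORE_INVALID_NAME_FLAG",
    0x00000080: "CERT_CHAIN_POLICY_IGNORE_INVALID_POLICY_FLAG",
    0x00000100: "CERT_CHAIN_POLICY_IGNORE_END_REV_UNKNOWN_FLAG",
    0x00000200: "CERT_CHAIN_POLICY_IGNORE_CTL_SIGNER_REV_UNKNOWN_FLAG",
    0x00000400: "CERT_CHAIN_POLICY_IGNORE_CA_REV_UNKNOWN_FLAG",
    0x00000800: "CERT_CHAIN_POLICY_IGNORE_ROOT_REV_UNKNOWN_FLAG",
}

# Reviewer's grouping (an assumption of this example, not from the guide):
# accepting an unknown CA, ignoring basic constraints or ignoring key usage
# each let a chain pass that was not issued by a trusted CA for code signing.
HIGH_RISK_MASK = 0x00000010 | 0x00000008 | 0x00000020

# Flags that suppress "revocation status unknown" results for each chain link.
REVOCATION_UNKNOWN_MASK = 0x00000100 | 0x00000200 | 0x00000400 | 0x00000800


def decode_error_ignore_flags(value):
    """Return the names of the documented flags set in an ErrorIgnoreFlags value.

    Bits outside the documented table are reported as UNDOCUMENTED_0x... so
    that a review does not silently drop them.
    """
    if value < 0:
        raise ValueError("ErrorIgnoreFlags is a non-negative LONG bitmask")
    names = []
    remaining = value
    for bit, name in sorted(CERT_CHAIN_POLICY_FLAGS.items()):
        if value & bit:
            names.append(name)
            remaining &= ~bit
    bit = 1
    while remaining:
        if remaining & bit:
            names.append("UNDOCUMENTED_0x%08X" % bit)
            remaining &= ~bit
        bit <<= 1
    return names


def review_trusted_vendor(issued_to, error_ignore_flags):
    """Summarise which chain checks a Trusted Vendors entry has disabled."""
    return {
        "issued_to": issued_to,
        "ignored_checks": decode_error_ignore_flags(error_ignore_flags),
        "high_risk": bool(error_ignore_flags & HIGH_RISK_MASK),
        "ignores_revocation_unknown": bool(error_ignore_flags & REVOCATION_UNKNOWN_MASK),
    }


if __name__ == "__main__":
    # Constructed sample entry: ignores revocation-unknown for every chain link
    # (0x100 | 0x200 | 0x400 | 0x800 = 0xF00) but keeps the other checks.
    print(review_trusted_vendor("Example Vendor (constructed)", 0x00000F00))
```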

Object: File

Property | Type | Description
Path | BSTR | Full path to file.
Description | BSTR | The file description.
Arguments | BSTR | The command-line arguments used for spawning a process.
CommandLine | BSTR | The full command line (Path + Arguments) when a file is run.
ApplyAccessTimes | VARIANT_BOOL | Specify whether access times are to be applied. Default = False
AccessTimes | AccessTimes | Collection of access times to be applied.
TrustedOwnershipChecking | VARIANT_BOOL | Specify whether the file is subject to Trusted Ownership checking. Default = True
ApplicationLimit | LONG | The number of concurrent instances of this file that can be executed (0 means unlimited). Default = 0

Object: FileExtension

Property | Type | Description
Path | BSTR | Full path to folder.
Description | BSTR | The folder description.
ApplyAccessTimes | VARIANT_BOOL | Specify whether access times are to be applied. Default = False
AccessTimes | AccessTimes | Collection of access times to be applied.
TrustedOwnershipChecking | VARIANT_BOOL | Specify whether the folder is subject to Trusted Ownership checking. Default = True
Recursive | VARIANT_BOOL | Whether the rules are applied to subfolders. Default = True

Object: Folder

Property | Type | Description
Path | BSTR | Full path to folder.
Description | BSTR | The folder description.
ApplyAccessTimes | VARIANT_BOOL | Specify whether access times are to be applied.
AccessTimes | AccessTimes | Collection of access times to be applied.
TrustedOwnershipChecking | VARIANT_BOOL | Specify whether the folder is subject to Trusted Ownership checking. Default = True
Recursive | VARIANT_BOOL | Whether rules are applied to subfolders. Default = True


Object: GroupRule

Property | Type | Description
DisplayName | BSTR | The account name.
SID | BSTR | The account SID.
Name | BSTR | The name of the rule.
SecurityLevel | SecurityLevel | The level of restriction applied to this rule.
AccessibleApplicationGroups | ApplicationGroupReferenceDictionary | Collection of accessible Application Groups.
AccessibleFiles | FileCollection | Collection of accessible files.
AccessibleFolders | FolderCollection | Collection of accessible folders.
AccessibleDrives | DriveCollection | Collection of accessible drives.
AccessibleSignatures | SignatureFileCollection | Collection of accessible signatures.
AccessibleNetworkConnections | NetworkConnectionCollection | Collection of accessible network connections.
ProhibitedApplicationGroups | ApplicationGroupReferenceDictionary | Collection of prohibited Application Groups.
ProhibitedFiles | FileCollection | Collection of prohibited files.
ProhibitedFolders | FolderCollection | Collection of prohibited folders.
ProhibitedDrives | DriveCollection | Collection of prohibited drives.
ProhibitedSignatures | SignatureFileCollection | Collection of prohibited signatures.
ProhibitedNetworkConnections | NetworkConnectionCollection | Collection of prohibited network connections.
TrustedVendors | DigitalCertificateCollection | Collection of trusted vendors' digital certificates.
UserRightsRules | URMRules | Configured settings for User rights rules.

Object: MessageSettings
Property | Type | Description
--- | --- | ---
DisplayInitialWarningMessage | VARIANT_BOOL | Determines if the user should be warned that an application is about to be closed due to its allowed time having expired.
CloseApplication | VARIANT_BOOL | Determines if an application with an expired allowed time should be sent a WM_CLOSE to give the user a chance to save work.
TerminateApplication | VARIANT_BOOL | Determines if an application with an expired allowed time should be forcefully terminated.
WaitTime | LONG | The delay period between warning the user, sending a WM_CLOSE and terminating the application. This value is in seconds.
AccessDeniedMessageCaption | BSTR | The caption for the denied message box.
AccessDeniedMessageBody | BSTR | The text for the denied message box.
ApplicationLimitsExceededMessageCaption | BSTR | The caption for the message box that is displayed when an application has reached its application limit.
ApplicationLimitsExceededMessageBody | BSTR | The text for the message box that is displayed when an application has reached its application limit.
TimeLimitsWarningMessageCaption | BSTR | The caption for the message box that is displayed when an application has reached the end of its allowed time.
TimeLimitsWarningMessageBody | BSTR | The text for the message box that is displayed when an application has reached the end of its allowed time.
TimeLimitsDeniedMessageCaption | BSTR | The caption for the message box that is displayed when an application is denied due to a time restriction.
TimeLimitsDeniedMessageBody | BSTR | The text for the message box that is displayed when an application is denied due to a time restriction.
SelfAuthorizationMessageCaption | BSTR | The caption for the message box that is displayed when user authorization is required to run a file.
SelfAuthorizationMessageBody | BSTR | The text for the message box that is displayed when user authorization is required to run a file.
SelfAuthorizationResponseCaption | BSTR | The caption for the message box that is displayed when the user has previously self-authorized a file to run.
SelfAuthorizationResponseBody | BSTR | The text for the message box that is displayed when the user has previously self-authorized a file to run.

Object: NetworkConnection
Property | Type | Description
--- | --- | ---
Path | BSTR | Full path to network resource.
Description | BSTR | The description of the network resource.
Address | BSTR | The address of the network resource (e.g. www.bbc.co.uk).
Resource | BSTR | The resource path (e.g. \weather).
Port | BSTR | The port to which this network connection applies (if appropriate).
UseWildcards | VARIANT_BOOL | Specify whether any part of the whole network location contains wildcards. Default = False
AddressType | NetworkConnectionType | The connection type.
Recursive | VARIANT_BOOL | Specify whether child resources are included as part of this connection.

Object: ProcessRule
Property | Type | Description
--- | --- | ---
SecurityLevel | SecurityLevel | The level of restriction applied to this rule.
AccessibleApplicationGroups | ApplicationGroupReferenceDictionary | Collection of accessible Application Groups.
AccessibleFiles | FileCollection | Collection of accessible files.
AccessibleFolders | FolderCollection | Collection of accessible folders.
AccessibleDrives | DriveCollection | Collection of accessible drives.
AccessibleSignatures | SignatureFileCollection | Collection of accessible signatures.
AccessibleNetworkConnections | NetworkConnectionCollection | Collection of accessible network connections.
ProhibitedApplicationGroups | ApplicationGroupReferenceDictionary | Collection of prohibited Application Groups.
ProhibitedFiles | FileCollection | Collection of prohibited files.
ProhibitedFolders | FolderCollection | Collection of prohibited folders.
ProhibitedDrives | DriveCollection | Collection of prohibited drives.
ProhibitedSignatures | SignatureFileCollection | Collection of prohibited signatures.
ProhibitedNetworkConnections | NetworkConnectionCollection | Collection of prohibited network connections.
TrustedVendors | DigitalCertificateCollection | Collection of trusted vendors' digital certificates.
UserRightsRules | URMRules | Configured settings for User Rights rules.
FileProcessItems | FileCollection | Collection of processes for which this rule applies.
SignatureProcessItems | SignatureProcessItems | Collection of processes for which this rule applies, defined by signature.

Object: ScriptedRule
Property | Type | Description
--- | --- | ---
EntryFunction | BSTR | The function that will be executed when the script is launched.
Script | BSTR | The body of the script.
Context | ExecutionContext | The context in which the script is executed. Default = PerSessionAsUser.
WaitForLogin | VARIANT_BOOL | Specify whether the execution of the script will be delayed until the login process is complete. Default = False
Timeout | LONG | The timeout period a script is given before being terminated.
Name | BSTR | The name of the rule.
SecurityLevel | SecurityLevel | The level of restriction applied to this rule.
AccessibleApplicationGroups | ApplicationGroupReferenceDictionary | Collection of accessible Application Groups.
AccessibleFiles | FileCollection | Collection of accessible files.
AccessibleFolders | FolderCollection | Collection of accessible folders.
AccessibleDrives | DriveCollection | Collection of accessible drives.
AccessibleSignatures | SignatureFileCollection | Collection of accessible signatures.
AccessibleNetworkConnections | NetworkConnectionCollection | Collection of accessible network connections.
ProhibitedApplicationGroups | ApplicationGroupReferenceDictionary | Collection of prohibited Application Groups.
ProhibitedFiles | FileCollection | Collection of prohibited files.
ProhibitedFolders | FolderCollection | Collection of prohibited folders.
ProhibitedDrives | DriveCollection | Collection of prohibited drives.
ProhibitedSignatures | SignatureFileCollection | Collection of prohibited signatures.
ProhibitedNetworkConnections | NetworkConnectionCollection | Collection of prohibited network connections.
TrustedVendors | DigitalCertificateCollection | Collection of trusted vendors' digital certificates.
UserRightsRules | URMRules | Configured settings for User Rights rules.

Object: SignatureFile
Property | Type | Description
--- | --- | ---
Path | BSTR | Full path to the file.
Description | BSTR | The file description.
Arguments | BSTR | The command-line arguments used for spawning a process.
SHA1Hash | BSTR | The SHA1 hash of the file.
CommandLine | BSTR | The full command line (Sha1Hash + Arguments) when a file is run.
Version | BSTR | The file version information.
ApplyAccessTimes | VARIANT_BOOL | Specify whether access times are to be applied. Default = False
AccessTimes | AccessTimes | Collection of access times to be applied.

Object: TimeRange
Property | Type | Description
--- | --- | ---
StartHour | LONG | The hour at which the time range starts.
EndHour | LONG | The hour at which the time range ends.

Object: TrustedOwner
Property | Type | Description
--- | --- | ---
DisplayName | BSTR | The account name.
SID | BSTR | The account SID.
Description | BSTR | The account description.

Object: URMGroupBehaviour
Property | Type | Description
--- | --- | ---
DisplayName | BSTR | The name of the group.
SID | BSTR | The group's SID.
Action | URMGroupAction | The action to perform with this group. Default = Add

Object: URMPolicy
Property | Type | Description
--- | --- | ---
Name | BSTR | Name of the policy.
Description | BSTR | A description for the policy.
GroupMembershipActions | URMGroupBehaviourDictionary | Collection of configured URM Group Behaviour actions.
PrivilegeActions | URMPrivilegeDictionary | A collection of configured URM Privilege actions.

Object: URMPrivilege
Property | Type | Description
--- | --- | ---
Name | BSTR | Textual description of the privilege.
Privilege | URMPrivilegeConstant | The privilege being set. Default = SeAssignPrimaryTokenPrivilege
Action | URMPrivilegeAction | The action to perform on the privilege. Default = NoChange.

Object: URMRuleItem
Property | Type | Description
--- | --- | ---
KeyPath | BSTR | The key path used in collections of URMRuleItems.
Application | RuleItem | The application for which to apply the User Rights setting. Can be of type File, Folder, SignatureFile or ApplicationGroup.
ApplyToChildren | VARIANT_BOOL | Setting to specify if the User Rights setting should be applied to any child processes. Default = False.

Object: URMRuleItemPolicy
Property | Type | Description
--- | --- | ---
KeyPath | BSTR | The key path used in collections of URMRuleItems.
Application | RuleItem | The application for which to apply the User Rights policy. Can be of type File, Folder, SignatureFile or ApplicationGroup.
ApplyToChildren | VARIANT_BOOL | Setting to specify if the User Rights policy should be applied to any child processes. Default = False.
Policy | URMPolicyReference | The URM Policy to apply to the application.

Object: URMRules
Property | Type | Description
--- | --- | ---
URMFiles | URMRuleItemPolicyDictionary | Collection of Files and URM Policies to apply to them.
URMSignatures | URMRuleItemPolicyDictionary | Collection of SignatureFiles and URM Policies to apply to them.
URMFolders | URMRuleItemPolicyDictionary | Collection of Folders and URM Policies to apply to them.
URMApplicationGroups | URMRuleItemPolicyDictionary | Collection of ApplicationGroups and URM Policies to apply to them.
URMWellKnowncontrolPanelApplets | URMRuleItemDictionary | Cannot currently be scripted.

Object: UserRule
Property | Type | Description
--- | --- | ---
DisplayName | BSTR | The account name.
SID | BSTR | The account SID.
Name | BSTR | The name of the rule.
SecurityLevel | SecurityLevel | The level of restriction applied to this rule.
AccessibleApplicationGroups | ApplicationGroupReferenceDictionary | Collection of accessible Application Groups.
AccessibleFiles | FileCollection | Collection of accessible files.
AccessibleFolders | FolderCollection | Collection of accessible folders.
AccessibleDrives | DriveCollection | Collection of accessible drives.
AccessibleSignatures | SignatureFileCollection | Collection of accessible signatures.
AccessibleNetworkConnections | NetworkConnectionCollection | Collection of accessible network connections.
ProhibitedApplicationGroups | ApplicationGroupReferenceDictionary | Collection of prohibited Application Groups.
ProhibitedFiles | FileCollection | Collection of prohibited files.
ProhibitedFolders | FolderCollection | Collection of prohibited folders.
ProhibitedDrives | DriveCollection | Collection of prohibited drives.
ProhibitedSignatures | SignatureFileCollection | Collection of prohibited signatures.
ProhibitedNetworkConnections | NetworkConnectionCollection | Collection of prohibited network connections.
TrustedVendors | DigitalCertificateCollection | Collection of trusted vendors' digital certificates.
UserRightsRules | URMRules | Configured settings for User Rights rules.

Enumerations

Name: DeviceType
Computer = 0
ConnectingDevice = 1

Name: ExecutionContext
PerSessionAsUser = 0
PerSessionAsSystem = 1
PerComputerAsSystem = 2

Name: FileExtensionFilteringScope
Exclude = 0
Include = 1

Name: HostNameType
HostName = 0
IPAddress = 1

Name: LocalEventLogging
None = 0
WindowsApplication = 1
ApplicationManager = 2

Name: NetworkConnectionType
HostAddress = 0
IPAddress = 1
UNCPath = 2

Name: SecurityLevel
Restricted = 0
SelfAuthorizing = 1
Unrestricted = 2
AuditOnly = 3

Configuration Helper Object

The Configuration Helper object provides useful functionality that is not provided by the configuration model, such as the ability to load and save configurations. The methods listed below report errors as an HRESULT, which can be tested for in VBScript using the Err object. Success is reported as S_OK, which is 0. In case of error, most of the time the Configuration Helper Object returns the error code 2147500037, which is 0x80004005 in hex and defined as E_FAIL in COM. The other most common error is 2147942405, which is 0x80070005 in hex and defined as E_ACCESSDENIED in COM. This error occurs if the user the script is running as does not have access to a file, folder or registry key used by the Configuration Helper Object.

LoadLiveConfiguration (method)
Returns: BSTR - the xml representation of the live configuration. HRESULT - Returns S_OK if successful.

SaveLiveConfiguration (method)
Returns: HRESULT - Returns S_OK if successful.
Parameters: BSTR - the xml representation of the configuration loaded from disk.

LoadLocalConfiguration (method)
Returns: BSTR - the xml representation of the configuration loaded from disk. HRESULT - Returns S_OK if successful.
Parameters: BSTR - the full file path of the configuration to load.

SaveLocalConfiguration (method)
Parameters: BSTR - the full file path of the configuration to save. BSTR - the xml representation of the configuration to save.

ReadNumCertificatesFromFile (method)
Returns: LONG - the number of certificates used to sign the specified executable file.
Parameters: BSTR - the full file path of the executable file used in determining the certificate count.

ReadCertificateFromFile (method)
Returns: BSTR - the raw certificate data.
Parameters: BSTR - the full file path of the executable file from which the certificate will be read. LONG - the index of the certificate to read.

ReadSha1HashFromFile (method)
Returns: BSTR - the hash value. HRESULT - Returns S_OK if successful.
Parameters: BSTR - the full file path of the file for which the hash will be generated.

DefaultConfiguration (property)
This BSTR property contains the xml representation of the default configuration.

The DefaultConfiguration( ) method only returns a configuration in the English language. This means that some group names and other text in the configuration may not be in the native language of the operating system, which can result in the configuration not being applied correctly. For non-English operating systems it is necessary to export the default configuration from the product console on a native operating system. This can be stored as a file on the network or distributed to the machine where the configuration scripting will be performed. Once this is done, use the LoadLocalConfiguration( ) method in place of DefaultConfiguration( ). This will produce the same configuration but in the correct native language.
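A worked VBScript, added here and not part of the product guide, that loads an exported configuration with the helper methods above, prohibits one executable by SHA-1 signature in a Group Rule, and reports the HRESULTs this section describes through the Err object. The ProgIDs AM.ConfigurationHelper.1 and AM.Configuration.5, the configuration object's ParseXML, Xml, CreateInstance and GroupRules.Item members and the collection Add method are assumptions not documented on this page; the file paths and the rule name are placeholders.

```vbscript
' Added example, not from the AppSense product guide: prohibit one executable
' by its SHA-1 signature in an existing Group Rule, using the Configuration
' Helper Object methods documented above and the SignatureFile / GroupRule
' properties from the object tables.
' ASSUMPTIONS not documented on this page: the ProgIDs AM.ConfigurationHelper.1
' and AM.Configuration.5, the configuration object's ParseXML and Xml members,
' its CreateInstance factory, GroupRules.Item and the collection Add method.
' All paths and the rule name are placeholders.
Option Explicit
On Error Resume Next

Const CONFIG_PATH = "\\FILESERVER\AppSense\Exported.aamp"  ' placeholder: exported native-language configuration
Const TARGET_FILE = "C:\Program Files\Example\tool.exe"   ' placeholder: executable to prohibit
Const RULE_NAME   = "Everyone"                             ' placeholder: Group Rule display name

' Translate the HRESULTs the section describes into readable failures.
' Err.Number holds the HRESULT as a signed Long, so Hex() renders it as the
' unsigned value: 2147500037 (E_FAIL) shows as 80004005 and 2147942405
' (E_ACCESSDENIED) as 80070005. Returns True when the last call succeeded.
Function Succeeded(Operation)
    If Err.Number = 0 Then
        Succeeded = True
    Else
        Select Case UCase(Hex(Err.Number))
            Case "80004005"
                WScript.Echo Operation & ": E_FAIL (0x80004005) - " & Err.Description
            Case "80070005"
                WScript.Echo Operation & ": E_ACCESSDENIED (0x80070005) - the script's " & _
                    "account lacks access to a file, folder or registry key it uses"
            Case Else
                WScript.Echo Operation & ": HRESULT 0x" & Hex(Err.Number) & " - " & Err.Description
        End Select
        Err.Clear
        Succeeded = False
    End If
End Function

Dim Helper, Configuration, Xml, Rule, Sig

Set Helper = CreateObject("AM.ConfigurationHelper.1")     ' assumed ProgID
Set Configuration = CreateObject("AM.Configuration.5")    ' assumed ProgID
If Not Succeeded("CreateObject") Then WScript.Quit 1

' LoadLocalConfiguration rather than DefaultConfiguration, so that localized
' group names in the exported file match the operating system (see the note above).
Xml = Helper.LoadLocalConfiguration(CONFIG_PATH)
If Not Succeeded("LoadLocalConfiguration") Then WScript.Quit 1
Configuration.ParseXML Xml                                ' assumed member
If Not Succeeded("ParseXML") Then WScript.Quit 1

' Build the SignatureFile entry. The agent matches the SHA1Hash, not the path,
' so renaming or moving the file does not escape the prohibition.
Set Sig = Configuration.CreateInstance("SignatureFile")   ' assumed factory
Sig.Path = TARGET_FILE
Sig.Description = "Prohibited by SHA-1 hash (added by script)"
Sig.SHA1Hash = Helper.ReadSha1HashFromFile(TARGET_FILE)
If Not Succeeded("ReadSha1HashFromFile") Then WScript.Quit 1

Set Rule = Configuration.GroupRules.Item(RULE_NAME)       ' assumed dictionary access
If Not Succeeded("GroupRules.Item") Then WScript.Quit 1
Rule.ProhibitedSignatures.Add Sig                         ' assumed collection method
If Not Succeeded("ProhibitedSignatures.Add") Then WScript.Quit 1

' Write the result back to the exported file. Pass the same XML to
' SaveLiveConfiguration instead to apply it to the machine the script runs on.
Helper.SaveLocalConfiguration CONFIG_PATH, Configuration.Xml
If Not Succeeded("SaveLocalConfiguration") Then WScript.Quit 1

WScript.Echo "Prohibited " & TARGET_FILE & " (SHA-1 " & Sig.SHA1Hash & ") in rule " & RULE_NAME
```

Run it with cscript under an account that has access to the configuration file, since a missing file, folder or registry permission surfaces as E_ACCESSDENIED rather than a descriptive message.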

11 Licensing

In this Section:

Licensing on page 212
About License Manager on page 213
Managing Licenses on page 214

LICENSING
The AppSense License Manager allows you to create and manage AppSense product licenses. This section provides details about using the console and describes the following processes:

Add and Activate a License on page 214
To Import a License File on page 215
To Export a License File on page 215

212

APPSENSE PRODUCT MANAGER USER GUIDE

11 LICENSING About License Manager

213

ABOUT LICENSE MANAGER

AppSense License Manager allows you to manage individual AppSense product licenses, full Management Suite licenses and evaluation licenses for computers operating in Standalone mode.
For information about Enterprise license management and deployment, see the AppSense Management Center Product Guide.

The console allows you to:

- Manage licenses for single products, the AppSense Management Suite or Evaluation licenses.
- Export license packages to MSI file format for saving to the AppSense Management Center or other computers which can be remotely accessed. It is recommended to use the Management Center Enterprise Licensing for Enterprise installations.
- Import and manage licenses from MSI file format.

When License Manager is launched, details of current licenses are displayed in the console.

Figure 11.1 Licensing Console

An installation requires one of the following licenses:

License | Description
--- | ---
AppSense Management Suite | Full Suite license. Requires activation using the activation code sent from AppSense with the license code.
Application Manager | Single product license. Requires activation using the activation code sent from AppSense with the license code.
Evaluation | Full Suite or single product licenses. Evaluation licenses are available during the first installation of the product and do not require activation. They are valid for 21 days.

MANAGING LICENSES
The following procedures show how to add and activate a new license, import and export licenses to Microsoft Windows Installer files (*.msi), or back up a set of licenses.

ADD AND ACTIVATE A LICENSE

1. Click Add to create a new entry in the license grid.
2. Enter the license code in the License Code entry box. You can manually enter each digit or copy and paste the license into the entry box. When a license entry is highlighted, a description displays in the bottom section of the console and includes the following details:
   - License Code
   - License State - Not Activated, Valid, Invalid.
   - Expiry Date - The date that the license runs out.
   - Description - The type of license and the product and version it relates to.
   A license is invalid until an Activation Code is entered.
3. Click Activate, enter the activation code into the Activation Code entry box, and click Enter. The license details in the bottom section of the console are updated to match the license. Once a license is active, the icon changes to indicate the current license state.
4. Close the Licensing console. All the settings are automatically saved.

TO IMPORT A LICENSE FILE

1. Click Import to display the file Open dialog box and navigate to the location of the license MSI file.
2. Click Open to load the license file in the Management Suite Licensing Console.

TO EXPORT A LICENSE FILE

1. Click Export to display the file Save As dialog box and browse to the location for saving the license MSI file.
2. Provide a name for the file and click Save to save the file. You can copy this file to any network location and load the file in Application Manager or in Management Center Enterprise Licensing.

APPENDIXES
This section provides additional or supporting information about topics covered in the guide and includes:

Streamed Applications

Streamed Applications

CITRIX XENAPP
To set up Citrix XenApp streaming applications to work with certain elements of Application Manager you need to specify certain exclusions, as follows:

1. Navigate to Citrix Streaming Profiler for Windows.
2. Open the Application Profile.
3. Highlight the relevant Target and select the Edit menu.
4. Select Target Properties. The Target Properties screen displays.
5. Select Rules. The Rules work area displays on the right hand side.
6. Click Add in the Rules work area. The New Rule Select Action and Objects dialog box displays.
7. In the Action section leave the default setting as Ignore.
8. In the Object section select Named Objects and click Next. The New Rule Select Objects dialog box displays.
9. Select Some Named Objects and click Add. The Choose Named Object dialog box displays.
10. Add \??\pipe\AppSense* and click OK. This displays in Named Objects on the New Rule Select Objects dialog box.
11. Click Next to display the New Rule Name Rule dialog box.
12. Enter a name for the rule or accept the default and click Finish.
13. Click OK. The Target Properties screen re-displays and the Ignore all named objects rule is now listed in the work area on the right hand side.
14. Save the profile.
15. Repeat for each application profile as required.

GLOSSARY

AAC, Accessible Items, Agent, Application Limit, Audit Only, CCA, Configuration, Configuration File, Configuration Profiler, Console, DAC, Deploy, DFS, Digital Signature, DLL, DNS, EPA, Event, Fast User Switching, Group Management, GUID, LSA, NetBIOS, Network Connection Item, Node, OU, Prohibited Items, Process Rules, Rule, Security Identifier, Security Level, Self-Authorizing User, SHA-1, SID, Time Limits, Trusted Ownership, Trusted Vendors, UNC, User Rights Management, Wildcards

AAC
Citrix Advanced Access Control.

Accessible Items
Accessible Items are files, folders, drives or digitally signed files or groups of files in an Application Manager configuration Rule which are allowed to run when file execution requests are matched with the rule security settings and would otherwise be prohibited by other configuration settings. See also: Prohibited Items, Trusted Vendors, User Rights Management.

Agent
A proactive software component which implements the product configuration rules. For example, the Application Manager Agent is software that runs as a Windows service to validate execute requests according to the rules in the configuration installed on a computer.

Application Limit
Application Limits specify the number of instances of an application a user can run. An application limit can be applied to an item in the Accessible Items node.

Audit Only
Security Level assigned to users, groups or devices in an <product name> Rule which audits events according to the Auditing Configuration without applying the rule. Used for passive monitoring in evaluations to assess application usage on the host environment.

CCA
Client Communications Agent. Installed on computers operating in an Enterprise installation to provide a link between the product agent running on a managed computer and the AppSense Management Center. The CCA sends event data generated by the product agents to the Management Server and also polls the Management Server to manage the download and installation of software configuration, agent and package updates. The CCA can be downloaded and installed directly on managed machines from the Management Server website.

Configuration
The Application Manager configuration consists of lists of files/folders that you have decided should be Accessible Items, Prohibited Items and Trusted Vendors. The configuration also contains optional settings and text to be displayed to the user. A configuration is created and managed using the Application Manager Console, is used by the Application Manager Agent, and is saved in Application Manager Package Files (*.aamp). The agent uses the configuration settings to determine whether or not an execute request is to be denied.

Configuration File
An Application Manager configuration exported from the Console and saved to Windows Installer MSI file format. The file can be installed on any computer and the configuration's rules applied when an Application Manager Agent is present and running as a service on the computer.

Configuration Profiler
Generates reports detailing the current settings in the Configuration. Filtering options allow you to query settings affecting specific users or groups, devices, and files or folders.

Console
AppSense Application Manager software interface.

DAC
Discretionary Access Control.

Deploy
To deliver a configuration or AppSense software component to one or more computers, which can include the local machine.

Digital Signature
Application Manager uses the SHA-1 algorithm for applying a digital signature to uniquely identify files. The signature can be used as a security measure when adding files as Accessible Items, Prohibited Items and Trusted Vendors. Signatures can also be used for allowing applications on non-NTFS formatted drives to run, which Application Manager would otherwise block by default. Add the digital signatures to the Accessible Items list and disable trusted ownership checking for the individual files. Signature Group Management provides easier administration for large groups of signatures. Accessible Items with digital signatures can be used to verify that the file which the user is attempting to run is actually the file permitted by the administrator. Prohibited Items with digital signatures can be used to ensure the file is always prevented from executing, even when the user renames the file.

DLL
Dynamic link library. This is a collection of small programs which may be called upon when needed by an executable that is running. The DLL lets the executable communicate with a specific device such as a printer or may contain source code to do particular functions.

DFS
Distributed File System. A DFS is any file system that allows access to files from multiple hosts sharing via a computer network. This makes it possible for multiple users on multiple machines to share files and storage resources.

DNS
Domain Name System. This is a database system that translates a computer's fully qualified domain name into an IP address. Networked computers use IP addresses to locate and connect to each other. However, IP addresses are difficult to remember. For example, on the web it is easier to remember the domain name www.AppSense.com than its corresponding IP address. DNS allows you to connect to another networked computer or remote service by using its user-friendly domain name rather than its numerical IP address.

EPA
Endpoint Analysis. See Endpoint Analysis for more information.

Event
An Event is generated by Application Manager to report file execution requests, overwrites or renames and Self-Authorizing User decisions. The event number indicates the outcome of the request. Events are logged according to the method set up in the Auditing node.

Fast User Switching
The Fast User Switching feature in Microsoft Windows enables multiple user accounts to log on to a computer simultaneously. With this feature users can switch sessions without closing Windows, programs, and so on. For example, User A is logged on and is browsing the Internet, and User B wants to log on to their user account and check their email account. User A can leave their programs running while User B logs on and checks their email account. User A can then return to their session where their programs would still be running.

Group Management
Group Management is a library for compiling reusable groups of files, folders, drives, signatures and network connections which can be associated with rules in the configuration. For example, Groups can be used to manage licenses for a suite of software or common sets of applications for assigning to certain user groups.

GUID
Globally Unique Identifier.

LSA
Local Security Authority. This is an important required component of Windows that deals with login authentication and security policies. It verifies users logging on to a Windows computer or server and handles password changes.

NetBIOS
Network Basic Input/Output System. This is a program that allows applications on different computers to communicate within a local area network (LAN).

Network Connection Item
Network Connection identify.

Node
A node is a term used in the Application Manager Console to represent a branch in the navigation tree.

OU
Organizational Unit. A Microsoft Active Directory container that includes users and computers.

Prohibited Items
Prohibited Items are files, folders, drives or digitally signed files or groups of files specified in an Application Manager Rule which are not allowed to run when file execution requests are matched with the rule security settings and would otherwise be allowed by other Configuration settings. See also: Accessible Items and Trusted Vendors.

Process Rules
Process Rules allow you to manage access for a parent process to run child processes which might be managed differently in other rules. Process Rules include settings for adding Prohibited Items, Accessible Items, Trusted Vendors and User Rights Management.

Rule
A Configuration rule assigns a Security Level to the specified users or groups, devices and combinations of these, and contains control lists for Accessible Items, Prohibited Items, Trusted Vendors and Process Rules. The Application Manager agent intercepts kernel-level file execution requests and matches these with the Configuration rules to implement security controls.

Security Identifier (SID)
A data structure of variable length that identifies user, group, and computer accounts. Every account on a network is issued a unique SID when the account is first created. Internal processes in Windows refer to an account's SID rather than the account's user or group name. Likewise, Application Manager also refers to a user or group SID unless the SID could not be found when added to the configuration.

Security Level
Application Manager configuration Rule settings include security levels which specify how to manage requests to run unauthorized applications by the users, groups or devices which a rule matches.
- Restricted: Only authorized applications can run. These include files owned by members of the Trusted Owners list and files listed in Accessible Items, Trusted Vendors and Trusted Ownership.
- Self-Authorizing: Users are prompted for decisions about blocking or running unauthorized files on the host device.
- Audit only: All actions are permitted but events are logged and audited, for monitoring purposes.
- Unrestricted: All actions are permitted without event logging or auditing.

Self-Authorizing User
User, group or device granted control to choose whether to block or run an unauthorized application on the host computer. The Self-Authorizing Security Level can be assigned in an <product name> Rule to match a file execute request for users, groups or devices.

SHA-1
Secure Hash Identifier.

SID
See Security Identifier.

Time Limits
Settings applied to entries in the Accessible Items and Prohibited Items nodes of an Application Manager Rule which determine day and time ranges when the controls apply. For example, an entry in the Prohibited Items node of a rule can restrict use of the local web browser to users except between the hours of 12pm and 2pm on specific days of the week.

Trusted Ownership
Trusted Ownership checking is a secure method Application Manager uses to prevent users running unauthorized applications. On NTFS formatted drives, files have owners, and Application Manager is configured, by default, to only allow files to be executed if the file owner is a member of the Trusted Owners list. If a user tries to run a file that is not owned by a trusted owner, the execute request is denied and a message notifies the user. Any files downloaded from the internet or received in email are owned by the user, so those files are not permitted to run unless ownership is held by members of the trusted owner list. By default, Application Manager blocks execution requests for all applications on non-NTFS formatted drives.

Trusted Vendors
Trusted Vendors are digital certificates signed by trusted sources. Trusted Vendor checking allows applications which fail Trusted Ownership checking to match digital certificates with the Trusted Vendors list. A list of Trusted Vendors can be defined for each User, Group, Device, Custom and Scripted Rule of the configuration. Application Manager queries each file execution which fails Trusted Ownership checking to detect the presence of a digital certificate. If the file has a digital certificate which is signed by a certificate authority matching a valid entry in the Trusted Vendors list, the file is allowed to run. Trusted Vendor matching takes place when a file is prohibited by failing Trusted Ownership checking and Trusted Application checking.

UNC
Universal Naming Convention. This is a NetBIOS naming format for identifying the location of servers, printers, and other resources on a local area network (LAN). Almost all LANs are based on NetBIOS, making a NetBIOS naming format an easy and compatible way to access files and resources across a network. UNC begins with two backslashes (\\) and takes the form: \\Computer_name\Share_name

User Rights Management
User Rights Management provides a granular approach to delegating administrative rights to users and applications by assigning rights according to merit. This level of control can be deployed to elevate or restrict privileges on a case-by-case basis according to the preferred approach taken in the environment.

Wildcards
Both the asterisk (*) and question mark (?) characters can be used in a file or folder path in the Application Manager Console. The asterisk represents one or more characters, excluding the backslash (\) character, whilst the question mark wildcard represents one character, excluding the forward slash (/) character. Both of the wildcard characters can be used in any part of a file path, including the drive letter for local paths. For example, c:\sample path\test?\*.exe matches all files with the .exe extension that exist in the folders c:\sample path\test1, c:\sample path\test2, ... c:\sample path\testn, etc. But since the question mark can only replace one character, it does not match c:\sample path\test100. The only limitation imposed by Application Manager on the use of wildcards is that the asterisk cannot be used to match more than one subdirectory.
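As an added example that is not part of the product guide, the following VBScript re-implements the wildcard rules just described as a pattern-to-path matcher, so an administrator can check which paths a pattern would cover before adding it to a configuration. It is an independent implementation of the documented behaviour, not the product's own matching code, and the sample paths are constructed.

```vbscript
' Added example, not from the AppSense product guide: apply the documented
' wildcard rules to a file path.
'   *  one or more characters other than backslash (so it never crosses a
'      subdirectory boundary)
'   ?  exactly one character other than forward slash
' Matching is case-insensitive and covers the whole path, drive letter included.
' This is an independent re-implementation of the glossary text, not the
' product's own matcher.
Option Explicit

' Translate a wildcard pattern into a VBScript regular expression.
Function WildcardToRegex(Pattern)
    Dim i, c, out
    out = "^"
    For i = 1 To Len(Pattern)
        c = Mid(Pattern, i, 1)
        Select Case c
            Case "*"
                out = out & "[^\\]+"      ' one or more, no backslash
            Case "?"
                out = out & "[^/]"        ' exactly one, no forward slash
            Case "\", ".", "(", ")", "[", "]", "{", "}", "^", "$", "+", "|"
                out = out & "\" & c       ' regex metacharacters taken literally
            Case Else
                out = out & c
        End Select
    Next
    WildcardToRegex = out & "$"
End Function

' True when the whole path matches the wildcard pattern.
Function PathMatches(Pattern, Path)
    Dim re
    Set re = New RegExp
    re.Pattern = WildcardToRegex(Pattern)
    re.IgnoreCase = True
    PathMatches = re.Test(Path)
End Function

' Constructed sample paths, checked against the glossary's own example pattern.
' Expected: True, False (asterisk cannot span "sub\"), False (? matches one
' character, so test100 does not match), False (wrong extension).
Dim pattern, samples, s
pattern = "c:\sample path\test?\*.exe"
samples = Array("c:\sample path\test1\setup.exe", _
                "C:\Sample Path\test2\sub\setup.exe", _
                "c:\sample path\test100\setup.exe", _
                "c:\sample path\test1\notes.txt")
For Each s In samples
    WScript.Echo pattern & "  ->  " & s & " : " & PathMatches(pattern, s)
Next
```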
