PowerBroker For Windows User Guide


PowerBroker for Windows
User Guide
Version 7.5 – May 2018

Revision/Update Information: May 2018
Software Version: PowerBroker for Windows 7.5
Revision Number: 1

CORPORATE HEADQUARTERS
5090 N. 40th Street
Phoenix, AZ 85018
Phone: 1 818-575-4000

COPYRIGHT NOTICE
Copyright 2018 BeyondTrust Software, Inc. All rights reserved.

The information contained in this document is subject to change without notice. No part of this document may be photocopied, reproduced or copied or translated in any manner to another language without the prior written consent of BeyondTrust Software.

BeyondTrust Software is not liable for errors contained herein or for any direct, indirect, special, incidental or consequential damages, including lost profit or lost data, whether based on warranty, contract, tort, or any other legal theory in connection with the furnishing, performance, or use of this material.

All brand names and product names used in this document are trademarks, registered trademarks, or trade names of their respective holders. BeyondTrust Software is not associated with any other vendors or products mentioned in this document.

Contents

BeyondTrust PowerBroker for Windows .......... 8
    Where to Begin .......... 8
    BeyondTrust Product Name Conventions .......... 9
    Contacting Support .......... 9
        Telephone .......... 9
        Online .......... 9
Product Overview .......... 10
Getting Started with PowerBroker for Windows .......... 11
    Planning a Rule .......... 11
        Determining the Type of Rule Needed .......... 11
        Using Wildcards in Rule Properties .......... 13
        Choosing a Rule Creation Method .......... 14
    Viewing the BeyondTrust Dashboard .......... 14
    Rule Library .......... 15
    Creating or Editing a GPO .......... 15
Creating Privileged Identity Rules .......... 18
    Overview .......... 18
    Types of Rules .......... 18
    Creating a Rule with the Wizard .......... 18
        Selecting an Action for Application Control .......... 19
        Configuring Common Options .......... 20
            Matching .......... 21
            Parent-Child Process .......... 21
            Behavior .......... 22
            Monitoring .......... 22
        Configuring Security on Policies .......... 23
        Configuring Execution Options .......... 23
        Session Monitoring .......... 24
Risk and Compliance .......... 25
    Overview .......... 25
    Types of Compliance .......... 25
    Creating a Risk and Compliance Rule .......... 26
Targeting Users or Computers with Item-Level Targeting .......... 27
    Grouping Targeting Items into a Collection .......... 30
    Battery Present Targeting .......... 31
    Computer Name Targeting .......... 32
    CPU Speed Targeting .......... 32
    Date Match Targeting .......... 33
    Dial-Up Connection Targeting .......... 34
    Disk Space Targeting .......... 34

User Guide 3 | 2018 BeyondTrust Software, Inc.

    Domain Targeting
    Environment Variable Targeting
    File Match Targeting
    IP Address Range Targeting
    Language Targeting
    LDAP Query Targeting
    MAC Address Range Targeting
    MSI Query Targeting
        Query Types
    Operating System Targeting
    Organizational Unit Targeting
    PCMCIA Present Targeting
    Portable Computer Targeting
    Processing Mode Targeting
    RAM Targeting
    Registry Match Targeting
    Security Group Targeting
    Site Targeting
    Terminal Session Targeting
    Time Range Targeting
    User Targeting
    WMI Query Targeting
Targeting Applications or Processes .......... 59
    Targeting by Location (Path Rule) .......... 59
        Example: Elevate IE for a Website .......... 62
        Example: Elevate a Visual Basic Script .......... 63
        Example: Elevate a Registry Merge .......... 63
        Example: Elevate a Batch File .......... 64
    Targeting by Signature (Publisher Rule) .......... 65
        Target by Publisher Only .......... 66
        Target by Any Digital Signature Element .......... 66
    Targeting Regardless of Location (Hash Rule) .......... 68
    Targeting by Folder Location (Folder Rule) .......... 72
    Targeting an Installation File by Location (MSI Path Rule) .......... 75
    Targeting Installation Files by Folder Location (MSI Folder Rule) .......... 76
    Targeting through Internet Explorer (ActiveX Rule) .......... 78
    Targeting Applications on Demand (Shell Rule) .......... 81
    Targeting a CD/DVD (CD/DVD Rule) .......... 83
    Targeting Applications That Trigger UAC (UAC Rule) .......... 84
Event Monitoring .......... 86
    Overview .......... 86
    Log Type .......... 86
    Creating an Event Monitoring Rule .......... 86
Quarantine Rules .......... 87
    Overview .......... 87
    Creating the Rule .......... 87
Creating File Integrity Rules .......... 89
    Overview .......... 89
    Rule Options .......... 89
    Creating the Rule .......... 89
Managing Policies .......... 91
    Navigating the Policy Management Dashboard .......... 91
    Editing a Rule .......... 91
        Modifying Permissions .......... 92
        Modifying Privileges .......... 94
        Modifying Process Security .......... 94
        Modifying Integrity Level .......... 95
    Changing the Name of a Rule .......... 95
    Disabling or Enabling a Rule .......... 95
        Effects of Disabling Rules or Extensions .......... 96
    Changing the Order of Rules .......... 96
    Copying a Rule .......... 97
    Using Variables in Rule Properties .......... 97
        Environment Variables .......... 97
        Process and Volatile Variables .......... 98
        Select a Variable Dialog .......... 100
    Viewing a Settings Report .......... 100
    Editing the XML Source Code of a Rule .......... 102
Using Policy Accelerator .......... 103
    Overview .......... 103
    Connecting to Machines .......... 103
    Enable Event Logging .......... 103
    Selecting Rule Type .......... 104
    Narrowing the Data Set .......... 105
How to use BeyondInsight with PowerBroker for Windows .......... 107
    Creating a Smart Group
    Creating PowerBroker Rules
        Including Arguments in a Rule
        Marking Events to Exclude
    Deploying and Managing Policies Using BeyondInsight
        Deploying Policies
        Deploying Policies Using an Asset Smart Rule
        Deploying Policies Using a Policy User Smart Rule
        PowerBroker Clients and BeyondInsight
        Reviewing Policies
    Session Monitoring
        Viewing Events on the Session Viewer
        Viewing Screen Capture Events
        Saving Session Data
    PowerBroker for Windows and Password Safe Settings .......... 115
        Run As Function .......... 115
        Password Safe Status Message Dialog .......... 115
        Password Updates for Services via Password Safe .......... 116
BeyondInsight Reports .......... 117
Managing User Messages .......... 118
    User Messages Editor .......... 118
    Language Selection .......... 118
        Exporting Translation Files .......... 119
        Importing Translation Files .......... 119
    Password Safe Status .......... 119
Multifactor Authentication .......... 120
    Configuring the Radius Server .......... 120
    Generating a Passcode to Respond to a Message .......... 122
    Generating a Passcode .......... 123
    Changing the Key Pair and Keys Path .......... 123
    Creating Application Launch Dialog Box (Application Launch) .......... 124
User Message Justification .......... 128
    Creating Blocked Application Dialog Box (Blocked Application) .......... 128
    Creating Quarantined Application Dialog Box .......... 130
    Customizing the Appearance of Internet Explorer When Elevated (IE Elevation) .......... 131
    Customizing the Internet Explorer Component Failure Dialog Box (IE Failure) .......... 132
    Customizing the Right-Click Menu Options (On-Demand Elevation) .......... 133
    Customizing the UAC Information Dialog Box (UAC Prompt Detected) .......... 134
    Customizing the Internet Explorer Download Dialog Box .......... 136
Working with Collections .......... 138
    Managing Multiple Rules with a Collection .......... 138
    Rule Processing When Collections Are Present .......... 139
    Determining an Application Control Approach .......... 140
Configuring Logging for Data Collection .......... 143
Troubleshooting .......... 145
    Troubleshooting: Rules Have No Effect .......... 145
    Troubleshooting: Problems Requiring Process-Specific Access Rights .......... 146
    Troubleshooting: Other Problems .......... 147
    Troubleshooting Mechanisms .......... 148
        Event Logging .......... 149
        Tracing with Policy Monitor .......... 153
        Trace Logging .......... 154
        Resultant Set of Policy (RSoP) Reporting .......... 155
        Windows User Environment Log (userenv.log) .......... 155
        Status Messages .......... 156
Appendix A: Group Policy Primer .......... 157
    Basic Group Policy Concepts .......... 157
        Organization .......... 157
        Group Policy Objects and Storage .......... 157
        Editing Group Policy .......... 157
        Applying Group Policy .......... 157
        Group Policy Reporting .......... 158
    Creating or Editing a GPO .......... 158
Appendix B: Administrative Template Settings .......... 159
    Group Policy Processing Settings .......... 160
    Policy Processing Settings .......... 160
    License Policy Processing Settings .......... 161
    BeyondInsight Configuration .......... 161
    Logging and Tracing Settings .......... 162
    Security Driver Settings .......... 163
    Troubleshooting Settings .......... 165
    Session Monitoring Settings .......... 167
Appendix C: Additional Technical Information .......... 168
    Security Contexts .......... 168
    WMI Namespace .......... 168

BeyondTrust PowerBroker for Windows

PowerBroker for Windows is a Group Policy extension that provides a least privilege security model for Windows. Using PowerBroker for Windows, you can provide standard users with elevated permissions for selected tasks and applications. You can also reduce permissions of applications such as Internet Explorer and Outlook when launched by administrators.

To learn more about how PowerBroker for Windows enhances security while maximizing productivity in enterprise computing environments, view this introductory video.

Where to Begin

If you are new to PowerBroker for Windows, see “Getting Started with PowerBroker for Windows,” page 11, to learn how to create rules to perform application control and manage application and process security.

For an introduction to Group Policy, see “Appendix A: Group Policy Primer,” page 157.

For information about licensing, see the PowerBroker for Windows Installation Guide.

For additional documentation and support, see Documentation and Support.

BeyondTrust Product Name Conventions

This User Guide uses the following naming conventions for BeyondTrust products:

Full product name              Name used in this guide
PowerBroker for Windows        PowerBroker for Windows
PowerBroker Policy Editor      Policy Editor
BeyondInsight                  BeyondInsight

Contacting Support

For support, go to our Customer Portal then follow the link to the product you need assistance with. The Customer Portal contains information regarding contacting Technical Support by telephone and chat, along with product downloads, product installers, license management, account, latest product releases, product documentation, webcasts and product demos.

Telephone

Privileged Account Management Support
Within Continental United States: 800.234.9072
Outside Continental United States: 818.575.4040

Vulnerability Management Support
North/South America: 866.529.2201 or 949.333.1997, enter access code
All other Regions
Standard Support: 949.333.1995, enter access code
Platinum Support: 949.333.1996, enter access code

Product Overview

In many organizations, higher levels of privileges are often given to ordinary users so that they can run an application or perform mundane system tasks such as mounting a printer or setting the system clock. However, granting such privileges creates significant vulnerability to network security. When credentials are elevated, common users can perform a wide variety of tasks beyond the scope of their responsibility and authority.

In a truly secure environment, users are given rights to only the resources they need, and only when they need the resource. Ideally, all users are assigned Least Privileged User Accounts (LUA). This means that they have minimal rights in the overall network context.

Unfortunately, in the Windows environment, many applications and processes require elevated rights in order to be launched and run.

Getting Started with PowerBroker for Windows

PowerBroker for Windows enables you to create rules in the Group Policy Management Editor, a part of the Group Policy Management Console (GPMC). Each PowerBroker for Windows rule elevates or reduces the permissions and privileges of a Windows application or process at runtime. A rule can also elevate or reduce the permissions and privileges of an MSI package or an ActiveX control when they launch.

You can create rules by using the Create a Rule Wizard or by using the Properties dialog for a rule. Rule generation is a practical way to assemble a basic rule set for your organization based on existing application usage. You can then refine this set of rules to meet your specific needs.

For increased targeting granularity, you can use item-level targeting to apply some rules only to selected computers or specific users.

The following sections can help you get started creating and configuring rules to manage security for applications and processes.

• “Creating or Editing a GPO,” page 15
• “Viewing the BeyondTrust Dashboard,” page 14
• “Planning a Rule,” page 11
• “Creating a Rule with the Wizard,” page 18
• “Editing a Rule,” page 91
• “Changing the Name of a Rule,” page 95
• “Viewing a Settings Report,” page 100
• “Disabling or Enabling a Rule,” page 95

For information about performing other tasks and using advanced features, see “Advanced Techniques,” page 1.

Planning a Rule

Before you create a new rule, you should determine the type of rule needed, determine the appropriate action for the rule to support your approach to application control, and choose a rule creation method appropriate to your circumstances.

For more information, see the following topics:

• “Determining the Type of Rule Needed,” page 11
• “Determining an Application Control Approach,” page 140
• “Using Wildcards in Rule Properties,” page 13
• “Choosing a Rule Creation Method,” page 14

Determining the Type of Rule Needed

PowerBroker for Windows enables you to create rules that target applications by using various methods. The following tables provide guidance about selecting the type of rule applicable to a particular situation.

Table 1. Selecting a Rule Type for a Security Need

To modify permissions and privileges of ...              Use a ...
A Windows process                                        Path rule
A program in a specific location                         Path rule
A specific program regardless of location                Hash rule
All applications published by a specific company         Publisher rule
All programs in a specific folder                        Folder rule
A specific version of an application                     Publisher rule
An MSI package in a specific location                    MSI Path rule
All MSI packages in a specific folder                    MSI Folder rule
All installations initiated by Internet Explorer         ActiveX rule
Specific installations initiated by Internet Explorer    ActiveX rule
Installation of all ActiveX controls                     ActiveX rule
Installation of specific ActiveX controls                ActiveX rule
All applications on a certain CD or DVD                  CD/DVD rule
Any application that a user specifies                    Shell rule
An application that triggers a UAC prompt                UAC rule

The following table provides guidance about the type of rule to select to address various user management scenarios.

Table 2. Selecting a Rule Type for a Management Scenario

I want to ... / Use a ...

Elevate the permission level for restricted users performing a common Windows task or running an application requiring higher privileges
    Use a: Path rule or Hash rule
Elevate the permission level for restricted users running any applications in a specific folder
    Use a: Folder rule
Reduce the permissions for administrators when using applications such as Internet Explorer and Outlook
    Use a: Path rule or Hash rule
Elevate all applications from a specific company
    Use a: Publisher rule
Elevate a specific version of an application
    Use a: Publisher rule
Provide a self-service software installation point for restricted users
    Use a: Folder rule for executables and MSI Folder rule for MSI packages
Enable restricted users to use the Add Hardware wizard or prevent users from using the wizard
    Use a: Path rule
Enable restricted users to add or remove plug and play hardware or prevent users from adding plug and play hardware
    Use a: Path rule
Enable restricted users to shut down their computers
    Use a: Path rule
Enable users to elevate applications on demand
    Use a: Shell rule
Enable users to elevate all applications on a certain CD or DVD
    Use a: CD/DVD rule
Enable certain users to use credentials in UAC dialogs to initiate application launch
    Use a: UAC rule

For more about planning a rule, see “Planning a Rule,” page 11.
For more about specific rule types, see “Targeting Applications or Processes,” page 59.

Using Wildcards in Rule Properties

Wildcard characters are supported in some text input fields in the rule Properties dialog and Create a Rule Wizard. The asterisk (*) wildcard can replace one or more characters in a string. The question mark (?) wildcard can replace a single character in a string.

For example, MyComputer? matches MyComputer9 and MyComputerW, but not MyComputer09 or MyComputer. When using the multi-character wildcard, MyC*mputer matches MyComputer, MyCxmputer, and MyCxxxmputer.

The following types of rules support wildcards:

• Publisher - In the Product name, File name, or file version fields
• Shell - In the Path field
• Path - In the Path and Arguments fields
• Hash - In the Arguments field
• Folder - In the Folder field
• MSI Path - In the Package field
• MSI Folder - In the Folder field
• UAC - In the Path field

Variables can also be used in some rule properties. For information, see “Using Variables in Rule Properties,” page 97.

Wildcard Cautions and Examples

The net effect of a wildcard is to make a rule more generic. However, this might not always be in the best interest of the rule. For example, when using wildcards for path rules, it is wise to make the rule as specific as possible to keep the rule secure. Consider the wildcard placement in the following example:

http://*example.com/*

The * placement makes this URL very broad and thus potentially subject to abuse. If the site is not a trusted site, a better use of the wildcard is a placement that narrows the scope of the rule. In this example, hard-coding as much as possible of the actual path or URL prevents the standard user from downloading unapproved files from unforeseen locations.

Another typical use for a wildcard is in a setting in which a naming convention is used to represent hardware such as servers or computers. In this case, a wildcard can be substituted for certain elements of the name. For example:

\\example accounting1
\\example accounting2
\\example sales
\\example engineering
\\example marketing

All these servers can be addressed by the following:

\\example*

As these examples illustrate, wildcards must be used with caution, and only after evaluating all their potential effects on the rule.

Wildcards and Subfolders

A check box setting available in many rule types can change rule behavior when a wildcard is used. This setting allows a rule to traverse a directory structure. The setting is:

Apply rule to all programs in all subfolders of the specified folder.

When this setting is enabled and a wildcard is used, a rule will behave as described in the following table. For this example, the following statement is used as the rule path statement or argument: c:\Folder1\*\my.exe. This statement uses a wildcard to represent a folder.

Table 3. Rule Behavior for the wildcard statement: C:\Folder1\*\my.exe

Subfolder Setting is Enabled    Executable File    Is Elevated
(table body only partially preserved; surviving cells, in order: No, …der1\Folder2\Folder3\my.exe, Yes, No)

The table illustrates that when the subfolder setting is enabled, the rule will traverse the subdirectory structure looking for a match until it finds one.

In addition, if the * wildcard is substituted for the executable name (*.exe), all executable files in the directory structure will have the rule applied. This technique is often used to apply a rule to multiple applications stored in a hierarchical directory structure.

For more about planning a rule, see “Planning a Rule,” page 11.

Choosing a Rule Creation Method

After you have created a GPO, you must edit the GPO to create and apply PowerBroker for Windows rules. You can create rules in the following ways:

• Using the Wizard - The Create a Rule Wizard can guide you step-by-step through the creation and configuration of a new rule. The wizard is a good choice if you are new to the concepts of rule creation and application elevation. For more information, see “Creating a Rule with the Wizard,” page 18.
• Managing Policies Option - On the BeyondTrust Dashboard, you can select the Manage Policies button to bring up the Policy Management Dashboard. From here, you can select the type of rule you would like to create, make collections, and change the order of your rules.

Viewing the BeyondTrust Dashboard

The PowerBroker for Windows BeyondTrust Dashboard serves as a starting point from which you can create rules to manage application and process security, manage user messages, and perform other tasks.
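The wildcard semantics described under “Using Wildcards in Rule Properties” and “Wildcards and Subfolders” above can be checked against candidate paths before a rule is deployed, which is the practical way to see how far a given placement of * reaches. The following Python script is an added example written for this guide; it is not BeyondTrust code and does not use the product's own matching engine. It models * as one or more characters and ? as exactly one character, as the guide states, and it treats the “Apply rule to all programs in all subfolders of the specified folder” setting as allowing * to span backslash-separated folder levels (a modelling assumption, as is the case-insensitive comparison). The server names, URLs and executable paths are constructed sample inputs.

```python
import re
from typing import Iterable, List


def rule_pattern_to_regex(pattern: str, subfolders: bool = False) -> re.Pattern:
    """Translate a rule wildcard pattern into an anchored, case-insensitive regex.

    * stands for one or more characters and ? for exactly one, as the guide
    describes (so MyC*mputer does not match MyCmputer). Modelling assumption:
    without the subfolder setting a * never crosses a backslash, so
    C:\\Folder1\\*\\my.exe names exactly one folder level; with the setting
    enabled a * may span backslashes, so the rule reaches my.exe at any depth.
    """
    pieces: List[str] = []
    for ch in pattern:
        if ch == "*":
            pieces.append(r".+" if subfolders else r"[^\\]+")
        elif ch == "?":
            pieces.append(r"[^\\]")
        else:
            pieces.append(re.escape(ch))
    return re.compile("^" + "".join(pieces) + "$", re.IGNORECASE)


def rule_matches(pattern: str, target: str, subfolders: bool = False) -> bool:
    """True when the rule pattern would apply to the given path or URL."""
    return rule_pattern_to_regex(pattern, subfolders).match(target) is not None


def matching_targets(pattern: str, candidates: Iterable[str],
                     subfolders: bool = False) -> List[str]:
    """Return every candidate the rule would apply to. Reviewing this list is
    how a rule author confirms a wildcard is no broader than intended."""
    return [c for c in candidates if rule_matches(pattern, c, subfolders)]


# Constructed sample inputs (not taken from the guide or any real environment).
SERVERS = [
    r"\\example accounting1",
    r"\\example accounting2",
    r"\\example sales",
    r"\\example engineering",
    r"\\example marketing",
    r"\\other sales",          # outside the naming convention
]

DOWNLOAD_URLS = [
    "http://www.example.com/downloads/tool.exe",
    "http://notexample.com/downloads/tool.exe",      # host merely ends in "example.com"
    "http://www.example.com/scratch/anything.exe",   # approved host, unapproved path
]

EXECUTABLES = [
    r"C:\Folder1\my.exe",
    r"C:\Folder1\Folder2\my.exe",
    r"C:\Folder1\Folder2\Folder3\my.exe",
    r"C:\Folder1\Folder2\other.exe",
]

if __name__ == "__main__":
    # The guide's single-character and multi-character examples.
    print(rule_matches("MyComputer?", "MyComputer9"), rule_matches("MyComputer?", "MyComputer"))
    # Naming-convention use: one pattern covers the five "example" servers only.
    print(matching_targets(r"\\example*", SERVERS))
    # Over-broad URL placement versus a narrower, hard-coded path.
    print(matching_targets("http://*example.com/*", DOWNLOAD_URLS))
    print(matching_targets("http://www.example.com/downloads/*", DOWNLOAD_URLS))
    # Subfolder setting off: * names one folder level. On: any depth.
    print(matching_targets(r"C:\Folder1\*\my.exe", EXECUTABLES))
    print(matching_targets(r"C:\Folder1\*\my.exe", EXECUTABLES, subfolders=True))
    # * in place of the executable name reaches every .exe below Folder1.
    print(matching_targets(r"C:\Folder1\*\*.exe", EXECUTABLES, subfolders=True))
```

Running the script with the over-broad pattern shows all three URLs matched, including the host that only ends in example.com, while the hard-coded downloads path matches exactly one; the same function shows the Folder1 rule reaching one executable with the subfolder setting off and two with it on.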

To use the BeyondTrust Dashboard:

1. In the Group Policy Management Editor, click the BeyondTrust PowerBroker for Windows node. The BeyondTrust Dashboard is displayed in the detail
