ScriptLogic Privilege Authority
Privilege Authority 2.7
Administrator's Guide
© 2012 ScriptLogic Corporation and its licensors.
All rights reserved. Protected by U.S. Patents 6,871,221; 7,293,087;
7,353,262; 7,469,278; 7,814,460 and 7,912,929 with other patents
pending.
This publication is protected by copyright and all rights are reserved by
ScriptLogic Corporation. It may not, in whole or part, be copied, photocopied,
reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent, in writing, from ScriptLogic Corporation.
This publication supports Privilege Authority. It is possible that it may contain
technical or typographical errors. ScriptLogic Corporation provides this
publication “as is,” without warranty of any kind, either expressed or implied.
ScriptLogic Corporation
6000 Broken Sound Parkway NW
Boca Raton, Florida 33487-2742
1.561.886.2400
www.scriptlogic.com
Trademark Acknowledgements
Privilege Authority, ScriptLogic and the ScriptLogic logo are either registered
trademarks or trademarks of ScriptLogic Corporation in the United States
and/or other countries. The names of other companies and products mentioned
herein may be the trademarks of their respective owners.
DOCUMENTATION CONVENTIONS
Typeface Conventions
Bold: Used to reference elements of a graphical user interface as well as to draw attention to important information.
CONTACTING SCRIPTLOGIC
ScriptLogic may be contacted about any questions, problems or concerns you might
have at:
ScriptLogic Corporation
6000 Broken Sound Parkway NW
Boca Raton, Florida 33487-2742
561.886.2400 Sales and General Inquiries
561.886.2450 Technical Support
561.886.2499 Fax
www.scriptlogic.com
SCRIPTLOGIC ON THE WEB
ScriptLogic can be found on the web at www.scriptlogic.com. Our web site offers customers a variety of information:
• Download product updates, patches and/or evaluation products.
• Locate product information and technical details.
• Find out about product pricing.
• Search the Knowledge Base for Technical Notes containing an extensive collection of technical articles, troubleshooting tips and white papers.
• Search Frequently Asked Questions for the answers to the most common non-technical issues.
• Participate in Discussion Forums to discuss problems or ideas with other users and ScriptLogic representatives.
Table of Contents
OVERVIEW
PRIVILEGE AUTHORITY COMPONENTS
PRIVILEGE AUTHORITY LICENSING
INSTALLING PRIVILEGE AUTHORITY
  SYSTEM REQUIREMENTS
  INSTALLATION AND UPGRADE
  INSTALLATION PROCESS
    Privilege Authority Server Installation
    Privilege Authority Client Installation
    Privilege Authority Upgrade
    Privilege Authority Uninstallation
GETTING STARTED
USING PRIVILEGE AUTHORITY
  DISPLAYING YOUR FOREST'S DOMAINS
  CREATING GPO RULES WITH PRIVILEGE AUTHORITY
    Using the Wizard
    Using the Description tab
    Using the Type tab
    Using the Groups tab
    Using the Platforms tab
    Using the Rules tab
    Using the Privileges tab
    Using the Integrity tab
  TESTING AND APPLYING THE RULE
  MANAGING THE RULES
  USING GPO RULES CONFIGURED BY OTHER USERS (COMMUNITY RULES EXCHANGE)
    Applying Community Rules to your Domain/GPO
    Sharing your Rules with the Community
    Managing the Community Rules
  REGISTERING WITH THE COMMUNITY RULES EXCHANGE SERVER
  TROUBLESHOOTING CONNECTION PROBLEMS
  REPORTING ON THE PRIVILEGE AUTHORITY ACTIVITIES
    Elevation Activity
    Deployed Privileges
    Rule Configuration
    Generating and Using the Reports
    Configuring the Reporting Feature
INDEX
Overview
It is an accepted principle among network administrators that users in the domain must be
configured with a minimum permission set and not be added to any local groups such
as the Local Administrators or Power Users group on the computer. Using this least
privilege configuration will enhance security and data protection while also reducing
faults and support effort.
However, System Administrators, for a long time, have been running into situations
where users require administrative rights to run an application. At times it is to support
legacy applications that only work when run by someone with administrative rights;
other times it is because a user works remotely, or is traveling and needs greater
control of the system; or it might be that Administrators want to give their users rights
to install commonly used software that often and automatically needs to be updated.
A common but misguided solution to this is to give these users administrator rights
which solves the problem at hand but often leads to many more.
Privilege Authority (PA) solves this issue by raising the privilege level for specific
processes, allowing those that require elevated rights to run, while maintaining the
least restrictive privilege set for the user.
Privilege Authority Components
Any user who has permissions to work with a GPO can use the Privilege Authority
Console to set privileges.
There are two software components included with Privilege Authority:
• Privilege Authority Server is a management application. It is installed on a server in the domain and used to create and manage rules within Group Policy.
• Privilege Authority Client is a service that runs on the client machine. It applies the rules created in the Privilege Authority Server application by monitoring processes as they are launched on the client and raises or reduces the privileges of the processes that it is configured to monitor.
Microsoft Active Directory and Group Policy are used to distribute the Privilege
Authority rules to client machines.
Privilege Authority can modify the privileges only for a standard user account, not a
guest account.
The reporting functionality of the Privilege Authority system requires the following
components running: PA Reporting database and ScriptLogic PA Reporting data
collection web service. All the components can be installed and configured with a
special wizard of the PA Console. When installed, the PA Console starts to serve as a
central reporting server to collect and aggregate all the elevation activity data from the
client machines. For more information about reporting on the elevation activity, refer
to the corresponding section of the Privilege Authority Administrator's Guide.
Privilege Authority Licensing
Privilege Authority is available in two editions: Privilege Authority Community Edition and
Privilege Authority Professional.
Privilege Authority Community Edition is absolutely free, but in comparison with
Privilege Authority Professional, it lacks the following features:
• building reports on the activities run within Privilege Authority (see the Reporting on the Privilege Authority Activities section of the Privilege Authority Administrator's Guide);
• creating GPO rules based on digital certificates;
• targeting rules to a computer operating system version or operating system class – server or workstation;
• targeting rules, using Validation Logic, to specific computer and user names, groups or organizational units, a computer IP address range, or specific files or registry keys existing on a client machine, etc.;
• providing access to full one-year technical support;
• support for computer policy based GPOs.
Privilege Authority Professional must be purchased but has a 30-day trial period.
Following the common PA setup, the customer has access to the Community Edition
only. Here you can either switch to Privilege Authority Professional Evaluation or apply
a license to get into Privilege Authority Professional.
To start trying Privilege Authority Professional:
Note:
An Internet connection is required to register for the upgrade to PA Professional.
If registration fails due to connection problems, you can download the Privilege Authority Professional trial package on your own from the ScriptLogic website.
1. On the PA Server, go to Start > All Programs > ScriptLogic Corporation > Privilege Authority > Privilege Authority. Or, use the Privilege Authority shortcut icon of the Start menu.
2. Click the Try PA Pro! button in the left-hand tree pane. Or, click Help > Begin Evaluation of Pro (see Figure 1.).
Figure 1. Choosing to use PA Professional in trial mode.
3. On the two-tabbed screen that appears, click the Try PA Pro! button, or switch to the Register tab.
4. Provide some information about yourself by filling in at least the mandatory fields, as shown in Figure 2. Click Register.
Figure 2. Registering for Privilege Authority Professional.
5. A notification will inform you that the rules containing features of Privilege Authority Professional will stop working on the client machine(s) 30 days after the evaluation starts.
6. Click OK within the notification window and the Privilege Authority Console name will change to Privilege Authority Professional Evaluation.
Now you have access to all Privilege Authority Professional features for the 30-day trial period. (See Figure 3.) Once the trial period ends, you’ll be reverted back to the Community Edition:
• the rules with the Pro features will stop working;
• the reports will stop generating;
• the computer based GPO rules will work as user-based.
Note
Since after reverting from PA Pro Evaluation back to PA Community, the
computer based GPO rules will work as user-based, the computer based rule
linked to a container with no users won't apply any more.
Figure 3. This rule is based on a digital certificate - the Privilege Authority Professional
Evaluation feature – and it will be applied until the day specified.
To apply the Privilege Authority Professional license file:
1. Click Help -> About -> Apply License File and then use the Browse
button to locate the license file.
2. Click the Apply License File button that will get activated soon after the
file is located.
Installing Privilege Authority
This section details the Privilege Authority system requirements as well as the
installation, removal and upgrade processes.
• System Requirements
• Privilege Authority Server Installation
• Privilege Authority Client Installation
• Privilege Authority Upgrade
• Privilege Authority Uninstallation
SYSTEM REQUIREMENTS
The Privilege Authority setup file comprises both the server and client applications.
Once both applications are installed, Privilege Authority will use Microsoft Group Policy
to distribute rules between the client and server.
The server application requires Microsoft .NET Framework and Microsoft Group Policy
Management Console (GPMC) to install and run. The client can be installed on any
Windows workstation or server.
The following is necessary for proper installation and operation of Privilege Authority.
PA Server Software and Hardware System Requirements
• .NET Framework 3.5 Service Pack 1 or higher
• Microsoft Group Policy Management Console
• Any PDF reader to open the Privilege Authority guides
• Screen resolution of 1024x768 or greater
PA Server Operating System Requirements
• Windows XP SP3 or higher
• Windows Server 2003 SP1 or higher
• Windows Vista
• Windows Server 2008
• Windows Server 2008 R2
• Windows 7 Enterprise, Professional, or Ultimate Editions
PA Client Software System Requirements
• No special requirements
PA Client Operating System Requirements
• Windows XP SP3 or higher
• Windows Server 2003 SP1 or higher
• Windows Vista
• Windows Server 2008
• Windows Server 2008 R2
• Windows 7
Network Requirements
Both PA Server and Clients should be deployed as a part of the Active Directory
infrastructure.
Required Permissions
• Local administrator rights to start PA Console
• Rights to work with GPOs set in Group Policy Management Console
• Full access (including write permissions) to the SYSVOL share (\\DomainName\sysvol) so that reporting will function domain-wide (see the corresponding section of the Privilege Authority Administrator's Guide for more info).
PA Reporting Database Requirements (required to set up the Reporting
feature)
Microsoft SQL Server 2008 or above either local or remote (SQL Server 2008 Express
can be installed by Privilege Authority during configuration of the PA Reporting
feature.)
INSTALLATION AND UPGRADE
This section details the Privilege Authority installation, removal and upgrade
processes:
• Privilege Authority Server Installation
• Privilege Authority Client Installation
• Privilege Authority Upgrade
• Privilege Authority Uninstallation
INSTALLATION PROCESS
Privilege Authority uses a client-server model. The main installation will set up the
server side (which is comprised of the Privilege Authority Console) and extract the
Privilege Authority Client MSI file. Deploy the Privilege Authority Client to each client
using Group Policy Management Console or any other software deployment tool, e.g. ScriptLogic
Desktop Authority.
Prior to the installation, refer to the System Requirements section to make sure your
system meets the necessary requirements and prerequisites.
Privilege Authority should be deployed as a part of the Active Directory infrastructure
on a computer residing within the internal LAN.
The following steps are required to install Privilege Authority:
• Privilege Authority Server Installation
• Privilege Authority Client Installation
Privilege Authority Server Installation
Privilege Authority Server must be installed on a domain member and run under the
context of an account that has rights to change Group Policy. The installation wizard
guides you through a series of dialog boxes. Click Next on each dialog box to advance
to the next option.
1. Run the Privilege Authority setup executable.
The installer will check your system and notify if it lacks any of the
necessary requirements. If this is the case, please install the missing
component and resume the installation.
(If installing on Windows 7 without Group Policy Management) A special
message with a link to install all the necessary components and run
Group Policy Management will be shown. For more info, please refer to
the corresponding paragraph below.
2. Welcome is the initial dialog box. Click Next to continue.
3. The License Agreement dialog box appears. If you agree with the license
agreement, select the I accept the terms in the License Agreement
option and click Next to continue.
4. On the Destination Directory dialog box, select a path and destination folder. The installation path depends on the system architecture and defaults to %PROGRAMFILES%\ScriptLogic Corporation or %ProgramFiles(x86)%\ScriptLogic Corporation. Click the Browse button to select a different installation path. Click Next to continue.
5. Click Install on the final installation dialog to proceed with the installation.
6. Once the file copying portion of the install is complete, click Finish.
(For Windows 7 without the Group Policy Management) If you install to a Windows 7
computer that lacks Group Policy Management, a special notification will be displayed.
Figure 4. The Privilege Authority instructs on how to install Group Policy Management onto
Windows 7.
1. Use the link within the notification window to download and install the Remote Server Administration Tools package.
2. Use the Windows' Turn Windows features on or off section to enable the Group Policy Management Tools. Consult the Windows 7 Remote Administration Tools Help for more details. (See Figure 5.)
Figure 5. Enabling Group Policy Management Tools.
Click OK to close the notification window.
3. Resume the installation again.
Following the completion of the Privilege Authority Server installation, perform the
Privilege Authority Client installation.
Privilege Authority Client Installation
Once Privilege Authority Server is installed, deploy the Privilege Authority client(s) to
the computers on the domain. For these purposes, you may use login scripts or
software deployment tools.
Administrative privileges are required to run the PA Client setup locally.
To locate the PA Client file:
• Open the Privilege Authority Console and then click Client > Open file location from the toolbar. The PA Client file will be displayed in the browse window.
Once the PA Client installation file is located, use the file to deploy the PA Client in your
environment.
Figure 6. Locating the Privilege Authority Client setup file.
To install PA Clients on your domain via Microsoft Group Policy Management Console:
1. Copy the PAClient.msi file to a network share that can be read by all users.
Or, just share the file folder.
2. Open the Group Policy Management Console on the server and select to
create a new Group Policy Object by right-clicking on Group Policy
Objects and selecting New from the popup menu.
3. Enter a name for the new GPO and click OK. (See Figure 7. )
Figure 7. Creating a new Group Policy Object via GPMC
5. Open the newly created GPO by selecting it, right-clicking, and selecting
Edit.
6. In the Group Policy Object Editor, select Computer Configuration > (within Windows Server 2008) Policies > Software Settings > Software installation. In the right-hand pane, right-click on the newly created GPO, and select New > Package.
Note
If the PA Client distribution GPO is computer based (defined under the Computer Configuration), enable the “Always wait for the network at computer startup and logon” policy (located in Computer Configuration > (for Windows Server 2008) Policies > Administrative Templates > System > Logon). Otherwise, PA Client installs after the 2nd reboot of the client computer.
If the PA Client distribution GPO is user based (defined under the User Configuration), then PA Client installs after the 1st logon.
7. In the dialog box that opens, browse to the PAClient.msi file on the network share where it was copied in the corresponding step. (We recommend that you use the File name field to specify the Client location in UNC (Universal Naming Convention) format, e.g. \\computername\sharename\filename.msi.) Click Open. (See Figure 8.)
Figure 8. Opening the Privilege Authority Client from a network share.
8. In the Deploy Software dialog that shows, select Assigned.
9. Assign the new GPO to the domain or OU. To assign it to the domain, right-click on the domain in GPMC and select Link an Existing GPO…. Select the GPO in the resulting dialog box and click OK. (See Figure 9.)
Figure 9. Assigning the new GPO to a domain.
Once the client is deployed to a computer (the CSEHost.exe process is running and the
Privilege Authority Client record shows in Add/Remove Programs), the new GPO
rules created via Privilege Authority will apply on the client computers.
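The two deployment indicators named above (the CSEHost.exe process and the Privilege Authority Client entry in Add/Remove Programs) can be checked across many domain computers at once. The following PowerShell script is an added example, not ScriptLogic's own tooling; it assumes PowerShell remoting is enabled on the target computers, the computer names are constructed samples, and the Add/Remove Programs display name beginning with "Privilege Authority Client" is an assumption drawn from the text.

```powershell
# Added example (not part of the ScriptLogic guide): verify that the PA Client
# reached a set of domain computers after GPO-based deployment, using the two
# indicators the guide names: the CSEHost.exe process is running and a
# "Privilege Authority Client" entry is listed in Add/Remove Programs.
# Assumptions: PowerShell remoting is enabled on the targets, and the
# Add/Remove Programs DisplayName starts with "Privilege Authority Client".
param(
    [string[]]$ComputerName = @('WKS01', 'WKS02')  # constructed sample names
)

$check = {
    # The registry keys behind Add/Remove Programs (64-bit and 32-bit views).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Privilege Authority Client*' } |
        Select-Object -First 1

    # Process name is given without the .exe extension.
    $proc = Get-Process -Name 'CSEHost' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        ClientInstalled = [bool]$entry
        ClientVersion   = if ($entry) { $entry.DisplayVersion } else { $null }
        CSEHostRunning  = [bool]$proc
        Error           = $null
    }
}

$results = foreach ($c in $ComputerName) {
    try {
        Invoke-Command -ComputerName $c -ScriptBlock $check -ErrorAction Stop
    } catch {
        # Unreachable hosts are reported rather than silently skipped.
        [pscustomobject]@{
            Computer        = $c
            ClientInstalled = $null
            ClientVersion   = $null
            CSEHostRunning  = $null
            Error           = $_.Exception.Message
        }
    }
}

$results | Format-Table Computer, ClientInstalled, ClientVersion, CSEHostRunning, Error -AutoSize

# Computers where the client is missing or the host service is not running have
# not picked up the deployment GPO yet (for example, a computer-based GPO still
# waiting for the second reboot) and need a closer look.
$results | Where-Object { -not $_.ClientInstalled -or -not $_.CSEHostRunning }
```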
PA Server must be running the PA Client software to make use of the PA rule testing
functionality.
To install PA Client on the PA server computer:
• Click Client > Install Client within the Privilege Authority Console toolbar. The client installation will start. On completing the process, the computer will automatically reboot if necessary.
Privilege Authority Upgrade
Use the PA Server setup file to upgrade the PA Server component installed by any
previous PA release on the local computer. The upgrade also ensures that all your GPO
rules and reporting configurations created with the older version of PA will be available
in the current Privilege Authority release. The GPO rule data changes introduced in
PA 2.7 are applied to rules created with earlier versions of PA regardless of whether
PA 2.7 was installed via upgrade or not; a confirmation to upgrade the rules will show
on PA Console startup.
When upgrading the server component on a computer running the PA Client component,
you may encounter the following message:
Figure 10. The Privilege Authority Host service notification message during server upgrade.
To resolve the PA Host service problem:
1. Cancel the installation.
2. Use the Windows Control Panel to remove the Privilege Authority Client
software from the local computer.
3. Reboot the machine and resume the Privilege Authority server component
installation again.
To upgrade PA Clients installed with any previous Privilege Authority release:
• Install the newer version over the older one the same way you initially installed the PA Clients.
See Privilege Authority Uninstallation and Privilege Authority Client Installation
sections for more information.
Privilege Authority Uninstallation
To uninstall any of the Privilege Authority components from a local computer, use the
Windows Control Panel tool. The uninstaller completely removes all the PA-specific
data. Once PA is removed, the rules created with PA will continue working as they will
still be present in the GPOs.
To run PA Server/Client removal on a local machine, administrative privileges are
required.
If the PA Client was installed from a network share (for example, when deployed via a
mass deployment tool), this network share must be available during PA Client removal
(see Figure 11.).
Figure 11. The PA Client removal fails as the network share is currently unavailable.
Consider editing the GPO through which you deployed the PA Client.
Getting Started
Once the PA Server and Client components are installed, you can start using Privilege
Authority to work with GPO rules in your environment.
Based on your Windows rights within Group Policy Management Console, you can use
Privilege Authority Console to create a GPO if necessary and create a rule within the
newly created or already existing GPO. PA Console also provides the option to analyze
activities performed within the PA system. If you do not have enough rights on an
object a special error message will be shown. (One of these messages is shown in
Figure 12. ).
Figure 12. The error message informs users that they do not have enough permissions in
Group Policy Management Console to perform the action.
Note
Make sure you are logged into the Privilege Authority Console with the local
administrator privileges.
To start the Privilege Authority Console:
• On the PA Server, go to Start > All Programs > ScriptLogic Corporation > Privilege Authority > Privilege Authority. Or, you can use the Privilege Authority shortcut icon of the Start menu.
Figure 13. Opening the PA Console.
If PA detects any rules created by Privilege Authority version earlier than 2.7 in your
environment, a special message will show on startup to confirm the rules' upgrade
procedure. Otherwise, the Description field of the rule's details window will appear
blank.
Figure 14. Upgrading a rule created with PA earlier than version 2.7.
The Privilege Authority Console workspace comprises the sections described below.
Figure 15. The main view of the PA Console shows your domain node and the list of GPMC
folders and GPO(s).
The left-hand sidebar allows you to navigate to the Local GPO Rules, Community GPO Rules, or the Reporting sections of the PA Console:
• The Local Rules section mostly displays the Group Policy Management Console folder structure of your primary domain with the GPO(s) you have rights to, in two sub-sections:
  ◦ GPOs with Rules shows your GPOs with rules created via Privilege Authority;
  ◦ All GPOs shows all your GPOs. The GPOs with rules created via Privilege Authority are marked with a special icon.
  When Local Rules items are selected on the sidebar, the window will display the info in the following two panes (see Figure 15.):
  ◦ The GPO Pane, used to create/manage group policy objects depending on your permissions (equal to those you are required to have to perform the same operation in GPMC);
  ◦ The Rules Pane, used to create and manage GPO rules.
  Note
  An error message will show if you do not have enough rights to perform an action.
Figure 16. PA Console shows only the GPO to which the domain user has rights.
• The Community section displays the rules available on the Community Rules Exchange server in three sub-sections (see Figure 17.):
  ◦ All Rules shows all the rules available on the Community Rules Exchange server;
  ◦ Verified Rules contains the rules that have been tested by ScriptLogic to confirm that they will function as intended in a default Windows environment;
  ◦ My Shared Rules shows the rules you have uploaded to the Community Rules Exchange server.
  When an item from the Community section is selected on the sidebar, the window to the right lets you work with the rules from the Community Rules Exchange server.
Figure 17. Privilege Authority Console shows the Community rules.
• (Available only in the PA Professional editions) The Reporting section provides access to three types of reports:
  ◦ Elevation Activity
  ◦ Deployed Privileges
  ◦ Rule Configuration.
What’s next:
• Creating GPO Rules with Privilege Authority
• Using GPO Rules Configured by Other Users (Community Rules Exchange)
• Reporting on the Privilege Authority Activities
• Displaying your Forest's Domains
Using Privilege Authority
This section demonstrates how to implement typical tasks within Privilege Authority and includes the following topics:
• Displaying your Forest's Domains
  This section describes how to customize the GPO pane to show/hide domains and their GPOs from the list.
• Creating GPO Rules with Privilege Authority
  This section details the types of rules that can be created with PA and provides step-by-step instructions on how to create them.
• Using GPO Rules Configured by Other Users (Community Rules Exchange)
  This section shows how to take advantage of the integration with the Community Rules Exchange server, a resource that stores rules created by other system administrators. You can either download these rules or upload the ones you have created yourself.
• Reporting on the Privilege Authority Activities
  This section describes the reporting capabilities available in the Privilege Authority Console.
DISPLAYING YOUR FOREST'S DOMAINS
By default, Privilege Authority Console displays only the domain to which the local
computer belongs. However, the Privilege Authority Console provides the option to
display other domains of your forest.
Figure 18. The GPO pane is configured to display several of the forest's domains.
To customize the number of your forest's domains available in the GPO pane:
1. Anywhere within the GPO pane, right-click the mouse and then select the Show Domains option.
Figure 19. Select the Show Domains option to vary the number of your forest domains showing in the PA Console.
2. In the window that opens, check/uncheck the boxes next to the domain names as desired.
Figure 20. Select the domain(s) to display.
The list of the domains and GPOs will change accordingly.
Note
You can create the GPO rules only on the domain where you have
permissions to change the Group Policy Objects.
CREATING GPO RULES WITH PRIVILEGE AUTHORITY
The following section will detail how to create a GPO rule with the Privilege Authority.
There are four types of rules that you can create with PA:
• a file rule, where the path of the executable is specified (see By Path to the Executable);
• a folder path rule, in which case the rule will be applied to all processes run from the path (By Folder Path);
• an ActiveX rule, where a URL is specified (By ActiveX Rule);
• (available only within the Professional edition) a digital certificate rule, which specifies the name of the publisher (By Digital Certificate).
Figure 21. Different types of rules marked with special icons.
A special wizard will help you define the necessary settings for the rule.
The Privilege Authority Getting Started Guide references sample GPO rule creation –
the Allowing ITunes to Install rule.
Note
An error message will notify you of insufficient permissions to perform any
operations listed below. These are the permissions that you must have to
perform the same action in GPMC. Address your domain/system
administrator if any questions arise.
Step 1. Choose/Create the GPO to assign a rule to.
Within the Privilege Authority Console, navigate to the All GPOs node in the left-hand pane of the PA Console, and choose an existing GPO or create a new GPO to assign a rule to.
To create a new group policy object, click the New GPO button, name the new GPO and click OK. (See Figure 22.) The newly created GPO will be added to the All GPOs list in the Group Policy Objects container. (See Figure 23.)
Figure 22. Creating a new GPO in the Privilege Authority Console.
Figure 23. The newly created GPO is displayed within the Group Policy Objects.
Step 2. Link the GPO to an OU or the domain.
Any GPO not marked with a special icon must be linked to your domain or a specific Active Directory OU:
1. With the GPO highlighted in the left-hand pane, click the Link button above it.
2. A dialog will be displayed allowing you to browse for an OU or to select to add the GPO to the domain. (See Figure 24.)
3. Click OK.
Once the GPO is linked, its icon will change accordingly.
You can link a GPO only to an item to which you have sufficient rights.
Figure 24. Linking a GPO to an OU.
Note
In any PA Professional edition, you can link the GPO to an OU that contains
users and/or computers. A GPO rule linked to an OU will apply depending on
whether the user stored within this OU is currently logged in to the client
machine, or whether the computer into which the user is logged in is stored
in this OU. For computer-based and user-based GPOs, please refer to the
corresponding section.
Since, after reverting from PA Pro Evaluation back to PA Community, the
computer based GPO rules will work as user-based, a computer based rule
linked to a container with no users won't apply any more.
Step 3. Configure the rule within a GPO.
Within the All GPOs node, select the GPO from the list under the domain that your local computer is a part of. Click the New Rule button and a wizard will be displayed (see Figure 25. and Figure 26.). Walk through the wizard by clicking Next to specify all the necessary data to configure the rule.
The wizard’s steps are referenced in the Using the Wizard section.
Or, use the GPO rules other system administrators have configured and uploaded to the Community Rules Exchange server.
Figure 25. Selecting to add a rule to an existing GPO.
Figure 26. The Privilege Authority wizard’s main window.
Figure 26. The Privilege Authority wizard’s main window.
Step 4. Save the rule.
Upon completing the wizard, click the Save button on the menu bar of the Rule section. Or, if asked, confirm saving the rule. (See Figure 27.)
Figure 27. Save the rule.
Once the rule is created, the GPO’s icon will change to a special icon to indicate that the GPO contains a rule, and the GPO will be listed within the GPOs with Rules node. (See Figure 28.)
Figure 28. The special icon indicates that GPO is assigned with a rule.
The rule will be applied to the processes started on the client machine right after the
group policy update occurs on the client machine.
Once the rule is created, you can:
• Test its settings and the way the rule will apply (see the Testing and Applying the Rule section).
• Share your rule on the Community Rules Exchange server (see the Sharing your Rules with the Community section).
• Edit or delete the rule (see the Managing the Rules section).
• View the rule's settings or save them into a file, and generate reports to get statistics on the PA rules usage (see the Reporting on the Privilege Authority Activities section).
Using the Wizard
A special wizard will help you define the necessary settings for the rule.
To run the wizard:
1. Within the All GPOs node, select the GPO from the list under the domain that your local computer is a part of. You may also click the New GPO button to create the GPO, if necessary.
2. Click the New Rule button and a wizard will be displayed (see Figure 29.).
Figure 29. Selecting to add a rule to an existing GPO.
3. Walk through the wizard by clicking Next to specify all the necessary data to
configure the rule.
The list of steps defaults to Description, Type, Groups, Platforms, and
Rules (with Platforms and Rules available only in PA Professional). The
Privileges and Integrity steps show as advanced options.
Only the fields marked * on the Description and Type tabs of the wizard are
mandatory, all the others are optional. If you happen to miss specifying any of
the required data, the wizard will warn you on this right after you click Finish.
Figure 30. The wizard's main window.
All the steps of the wizard are detailed in the following corresponding sections:
  o Using the Description tab
  o Using the Type tab
  o Using the Groups tab
  o Using the Platforms tab
  o Using the Rules tab
  o Using the Privileges tab
  o Using the Integrity tab
4. Click Finish to save and apply the rule.
(If applicable) If, on the Description step of the wizard, you chose to share the rule with the community, confirm or edit the sharing details in the dialog that opens on the final step of the wizard.
Figure 31. Setting the details to share the rule.
Using the Description tab
On the first screen of the wizard:
• Enter a name and description (the latter is optional) for the rule.
• You may also choose to share your rule with the community by selecting the On completion open a dialog to share this rule with the community box. You may also choose to share the rule at any later time, once you have tested the rule.
Figure 32. Specify a title and choose to share the rule with the community.
If you choose to share the rule, you will be presented with the Privilege Authority
Community Forum registration dialog referenced in the Registering with the
Community Rules Exchange Server section.
Using the Type tab
Within the Type tab, you specify the most essential parameters of the processes to which the current rule will apply. Here you are given a choice of several rule types (the number of types varies depending on the Privilege Authority edition):
• By Path to the Executable - a file rule, where the path of an executable is specified;
• By Folder Path - a folder path rule, in which case the rule will be applied to all processes run from the path;
• By ActiveX Rule - where a URL is specified;
• (available only within the Professional edition) By Digital Certificate - a digital certificate that specifies the name of the publisher.
Select the type and specify the corresponding options that depend on the selected type.
The options are detailed below.
(For PA Professional and PA Professional Evaluation editions) On this tab, you can also
define whether a rule will be user- or computer-based.
• User Policy (the default behavior for all editions) - corresponds to the User Configuration node of the Group Policy Management Editor. Check the option to apply the rule based on the user logged into a computer.
• Computer Policy - corresponds to the Computer Configuration node of the Group Policy Management Editor. Check the option to apply the rule to computers irrespective of the user logged in.
Note
For the Community edition, the rule always applies based on the user login. A computer-based rule created with Privilege Authority Professional Evaluation will change to a user-based one once modified in any way in the Privilege Authority Community Edition.
By Path to the Executable
When building the By Path to the Executable rule type, specify the following fields
(see Figure 33. ):
Figure 33. Specify the GPO rule type and fill in the required field.
• Path – requires that you specify the path to an EXE or MSI file that will run the processes on the client machine (for other file types consider using the Arguments field). This may be a path on the client local machine or a network share. Use the common % variables and the * and ? wildcards to identify the path if necessary, e.g. *\filename.fileextension. It is necessary to specify the file extension.
  Use the following formats: \\ComputerName\SharedFolder\Resource or DriveLetter:\Filename.
Note
When saving the rule, consider that PA converts the specified
path into existing environment variables.
  If you use the Browse or Processes buttons to locate the executable, a dialog will show and offer to create a unique cryptographic hash for the file to secure the file's identification (see Figure 34.). Click Yes if you want to apply the rule to only this exact file. Click No if you are creating the rule for a file whose data is likely to be updated, or for any file with this name within the specified folder.
Figure 34. Choose if you need to create the file hash.
  (Available only in PA Professional editions) To create a file rule quickly, or to help you specify the rule parameters, use the Processes button:
1. (If necessary ) On your machine, launch the process to which you
intend to create a rule.
2. Click the Processes button to open a list of processes currently
running on your machine.
Figure 35. The details of the selected process are shown to the right.
  3. Locate the necessary process and view its details in the fields to the right:
     Path - path to the process's executable.
     Arguments - (if available) argument(s) with which the process was started.
     Integrity level - (for Windows Vista and above) (if available) the security level with which the process runs.
     Privileges - (if available) the privileges granted to the process.
4. Click OK.
5. Confirm to create a file hash if desired.
  6. (If applicable) If necessary, confirm to specify the publisher of the digital certificate for the specified file.
Figure 36. Confirm to create a certificate-based file rule.
The processes data will be saved to the rule and displayed on the
corresponding tabs of the rule creation wizard. Use the Type (currently
open), Privileges, and the Integrity tabs to make the necessary changes
to the rule. Now you may simply click Finish on the wizard's screen to
finish creating the rule. The rule will be automatically named after the
executable of the process specified.
• In the Arguments field, specify the common or user-defined arguments with which the executable will be run. With this field defined, the rule will apply only if the executable is run with the argument specified.
  By using the Arguments field, you can create a rule for a specific file. For example, to build a rule that will allow non-administrator users to access the Date and Time Control Panel tool to change the time or time zone from the task bar, enter the data as shown below.
  In the Path field, enter
  %SystemFolder%\rundll32.exe
  In the Arguments field, enter
  /d c:\windows\system32\shell32.dll,Control_RunDLL timedate.cpl
  Please access the rules of the Community Rules Exchange for other examples of PA rules configuration.
• (Optional) If creating the rule for an exact file, the File Hash field will help you prevent security issues. Click the Browse button to locate the executable and to create a unique cryptographic hash for the file so that the rule will not apply to dangerous content that is similarly named.
  Note
  A rule with the File Hash field specified will not apply to a file whose content has been modified (e.g. modified in the course of program updates). Thus do not add the file hash to the rule for a file whose data is likely to be updated, or for any file with this name in the specified location.
• (Optional) (Available for PA Professional) For the sake of security, specify the publisher of the digital certificate for the specified file. Enter the exact publisher name either manually or using the Browse button to locate the file signed with the necessary digital certificate.
• The Apply settings to child processes check box is enabled by default to ensure that all operations the executable will trigger will run successfully and will not fail due to the lack of privileges for child processes.
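As an added example, not ScriptLogic's code or the product's actual matching logic, the following Python models how the three fields above (Path with % variables and wildcards, Arguments, and File Hash) narrow a By Path to the Executable rule, using the Date and Time rule from the text. The %SystemFolder% value, the hash algorithm (SHA-256), case-insensitive comparison of arguments and the byte strings standing in for executable images are assumptions of the example.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in for the client's variables. %SystemFolder% is the PA
# variable used in the rundll32 example above; its value here is assumed.
CLIENT_ENV: Dict[str, str] = {"SystemFolder": r"C:\Windows\System32"}


def expand_variables(path: str, env: Dict[str, str]) -> str:
    """Replace %Name% tokens with the client's values; unknown names are kept."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), path)


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate the * (any run of characters) and ? (one character) wildcards.
    Paths are compared case-insensitively, as Windows file names are."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$", re.IGNORECASE)


def sha256_of(data: bytes) -> str:
    """Stand-in for the unique file hash PA offers to create (algorithm assumed)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class FileRule:
    path: str                        # Path field, e.g. %SystemFolder%\rundll32.exe
    arguments: Optional[str] = None  # Arguments field; None means "any arguments"
    file_hash: Optional[str] = None  # File Hash field; None means "not pinned"


@dataclass
class Process:
    image_path: str     # full path of the executable the client started
    arguments: str      # command-line arguments it was started with
    image_bytes: bytes  # on-disk contents, used for the hash check


def rule_matches(rule: FileRule, proc: Process, env: Dict[str, str] = CLIENT_ENV) -> bool:
    """Apply the three checks of a By Path to the Executable rule in order."""
    # 1. Path: expand % variables, then apply the * and ? wildcards.
    if not wildcard_to_regex(expand_variables(rule.path, env)).match(proc.image_path):
        return False
    # 2. Arguments: when set, the process must be started with exactly those
    #    arguments (compared case-insensitively here; an assumption of this example).
    if rule.arguments is not None:
        if rule.arguments.casefold() != proc.arguments.strip().casefold():
            return False
    # 3. File hash: when pinned, the file's current contents must still hash to it.
    if rule.file_hash is not None and sha256_of(proc.image_bytes) != rule.file_hash:
        return False
    return True


# Constructed sample data: the Date and Time rule from the text, plus byte strings
# standing in for executable images (the real file contents are not reproduced).
TIMEDATE_ARGS = r"/d c:\windows\system32\shell32.dll,Control_RunDLL timedate.cpl"
GENUINE_IMAGE = b"constructed stand-in for the installed rundll32.exe"
UPDATED_IMAGE = b"constructed stand-in for rundll32.exe after a Windows update"
LOOKALIKE_IMAGE = b"constructed stand-in for an unrelated file named rundll32.exe"


def demo() -> Dict[str, bool]:
    """Evaluate the rule variants against sample processes; one flag per case."""
    timedate_rule = FileRule(path=r"%SystemFolder%\rundll32.exe", arguments=TIMEDATE_ARGS)
    broad_rule = FileRule(path=r"*\rundll32.exe")  # wildcard path, no hash
    pinned_rule = FileRule(path=r"*\rundll32.exe", file_hash=sha256_of(GENUINE_IMAGE))

    in_system32 = Process(r"C:\Windows\System32\rundll32.exe", TIMEDATE_ARGS, GENUINE_IMAGE)
    other_args = Process(r"C:\Windows\System32\rundll32.exe",
                         r"shell32.dll,Control_RunDLL intl.cpl", GENUINE_IMAGE)
    after_update = Process(r"C:\Windows\System32\rundll32.exe", TIMEDATE_ARGS, UPDATED_IMAGE)
    lookalike = Process(r"C:\Users\alice\AppData\Local\Temp\rundll32.exe", "", LOOKALIKE_IMAGE)

    return {
        # The Arguments field narrows the rule to the Date and Time applet only.
        "timedate_rule_applies_to_timedate_applet": rule_matches(timedate_rule, in_system32),
        "timedate_rule_ignores_other_arguments": rule_matches(timedate_rule, other_args),
        # A wildcard path without a hash also matches a same-named file elsewhere,
        # which is what the File Hash option is there to prevent.
        "broad_rule_matches_lookalike": rule_matches(broad_rule, lookalike),
        "pinned_rule_matches_lookalike": rule_matches(pinned_rule, lookalike),
        "pinned_rule_matches_installed_file": rule_matches(pinned_rule, in_system32),
        # The Note's caveat: once the file's contents change, the pinned rule stops applying.
        "pinned_rule_matches_after_update": rule_matches(pinned_rule, after_update),
    }


if __name__ == "__main__":
    for case, applied in demo().items():
        print(f"{case}: {'applies' if applied else 'does not apply'}")
```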
By Folder Path
Use the By Folder Path rule type if you have to elevate/decrease the privileges for
the applications/processes that will start from within a specific folder on the client local
machine or a network share.
• Use the Browse button to locate the folder or specify its location manually. Use the common % variables and the * and ? wildcards if necessary.
  Use the following formats: \\ComputerName\SharedFolder or DriveLetter:\Folder.
  Note
  When saving the rule, consider that PA converts the specified path into existing environment variables.
• (Optional) Checking the Apply settings to subfolders setting will apply the rule to the processes started from any of the subfolders.
• The Apply settings to child processes check box is enabled by default to ensure that all the operations the executables trigger will run successfully and will not fail due to lack of privileges.
By ActiveX Rule
Use the By ActiveX Rule type to allow installation of ActiveX controls from the
Internet.
• In the Source URL field, specify the ActiveX control URL, for example http://*.macromedia.com*
Note
In order for the ActiveX rule to take effect on clients running Windows
Server 2008 R2 or Internet Explorer 9, additional configurations should be
implemented on client computers.
By Digital Certificate
(Available only within the Professional edition)
The By Digital Certificate rule provides for the possibility to apply certain privileges
to any processes signed with a digital certificate of a specified publisher.
• Specify the publisher of the digital certificate of the processes for which you need to set the rights. Enter the exact publisher name either manually or use the Browse button to locate a file signed with the necessary digital certificate and insert the publisher automatically.
• The Apply settings to child processes check box is enabled by default to ensure that the rule settings will be applied to the child processes as well.
Using the Groups tab
(Optional)
The next tab is where you select an Active Directory user group whose rights are to be
applied to the process. A group can be added or removed from the security token of a
process. By removing a group you can decrease the privileges with which the process
will run.
• Click the button to add the Administrators group (this is the group stored within the BUILTIN\Administrators Active Directory OU) to the list (see Figure 37.). We recommend using this group of users with complete and unrestricted access to a local computer instead of domain administrators.
Figure 37. Add the Administrators group to the security token of the process.
• To add/remove any other Active Directory group privileges to the process(es), use the button. In the window that will open, specify the action, add or remove, you need to perform with the group.
Note
Security Groups from Domain AD having "Built-In local" Group
Scope property can be added to a security token of the process
on the client machine only if there is the same group with the
same SID among local security built-in groups.
Note
When removing a group from the security token, ensure that
the user account under which the process is launched is a
member of more than one primary group. Otherwise, rule won't
apply as intended.
• To delete or modify a record within the Security Group list, use the corresponding buttons.
Using the Platforms tab
(Optional)
(Available only for Privilege Authority Professional)
Within this tab, you can define on which computer type, server or workstation, or with
which operating system(s), the rule will apply. (See Figure 38. )
Figure 38. Specify the platforms to apply the new rule on.
• Select the Server option of the Class list to apply the rule to all the Windows Server operating systems: Windows Server 2003/2008/2008 R2.
• Select the Workstation option of the Class list to apply the rule to all operating systems, Windows XP/Vista/7, other than the Windows Server operating systems.
• Select the exact Windows operating system by marking the corresponding option(s) of the Operating System list.
Using the Rules tab
(Available only for Privilege Authority Professional) (Optional)
The Rules tab allows you to set additional validation logic parameters to target the
rule. Within the tab, you can define whether the rule will run on computers with certain
prefix in the name, or pertaining to some special group or IP address range, etc. (See
Figure 39. )
Figure 39. Specify additional parameters of the rule.
You can add the following validation logic rule types and combine them with the AND or OR Boolean logic:
• Computer Group - to set the rule for one or several name(s) or part of the name(s) of your Active Directory group(s);
• User Group - to set the rule for one or several name(s) or part of the name(s) of your Active Directory user groups. The supplied group membership value is compared against the groups that the user is a part of during the logon process and must match for the configuration element to be processed.
• User Name - to set the rule if certain user(s) is/are logged into the client computer(s);
• OU (Computer) - to set the rule for name(s) or part of the name(s) of computer-based organizational unit(s) in your Active Directory. The supplied OU value is compared against the OU the client machine is a part of during the logon process and must match for the configuration element to be processed.
• OU (User) - to set the rule for certain name(s) or part of the name(s) of the user-based organizational unit(s). The supplied OU value is compared against the OU the user is a part of during the logon process and must match for the configuration element to be processed.
• Computer Name - to set the rule for computer(s) with certain name(s) or part of the name(s);
• IP Address Range (IP v4/IP v6) - to set the rule for IP addresses or address ranges of the computers;
• Registry Key Exists - to set the rule based on the registry key(s) that exist/do not exist on the client machine(s);
• File Exists - to set the rule for name of the file(s) on the client machine or on the network.
The validation rules can be combined either with the AND or OR Boolean logic (see
Figure 41. ).
To set the rule parameters within the Rules tab:
1. Click Add to open the Add Validation Logic Rule window. (See Figure 39.)
2. Within the Add Validation Logic Rule window, select the type of the rule,
and then specify the rule parameters in the dialog window that will show to
the right.
   When specifying the parameters for the rule:
   o (where applicable) you can use the common asterisk (*) and question mark (?) wildcards in the validation value where:
     * - stands for 0 or any number of any characters
     ? - stands for a single character
Figure 40. Building the rule that will apply to the OUs which names
end with "department" or "branch".
   o (where applicable) select the Not option to exclude the item(s) specified from the rule.
   o When specifying within the Computer Group, User Group, User Name, OU (Computer), OU (User), or Computer Name sections:
     1. Use the Name field to specify the rule's value manually, and then click the button. Or, simply use the Browse button to select the item available on your network. Filtering of the listed items by the first letters is available. (Wildcards are not supported in the Filter field.)
        - To set the Computer Group parameter, enter the corresponding NetBIOS name, e.g. DERPA\DOMAIN CONTROLLERS or just DOMAIN CONTROLLERS;
        - To set the User Group parameter, enter the corresponding NetBIOS name, e.g. DERPA\ADMINISTRATORS or ADMINISTRATORS;
        - To set the User Name parameter, enter the corresponding NetBIOS name, e.g. DERPA\HELPDESK or HELPDESK;
        - To set the OU (Computer) parameter, enter the corresponding Fully Qualified Domain Name (FQDN), e.g. DERPA.DERPADEV.LOCAL\DOMAIN CONTROLLERS or DOMAIN CONTROLLERS;
        - To set the OU (User) parameter, enter the corresponding FQDN, e.g. DERPA.DERPADEV.LOCAL\USER ACCOUNTS or USER ACCOUNTS;
        - To set the Computer Name parameter, enter the corresponding FQDN, e.g. DERPA.DERPADEV.LOCAL\PASERVER or PASERVER;
        - Use the * or ? wildcards if necessary when specifying any of the parameters.
     2. The desired value will be added to the list. You may add here as many rule values as necessary. The OR Boolean logic is used to tie the values together.
   o When specifying within the File Exists section, set a certain file that must exist on the client machine or on the network in order for the rule to run. Use the following formats: \\ComputerName\SharedFolder\Resource or DriveLetter:\Filename.exe.
   o When specifying within the Registry Key Exists section, set the registry key that must exist on the client machine in order for the rule to run.
3. Click OK when finished specifying the settings within the rule type. The
record will be shown in the main Validation Logic Rules list.
4. To add another logic rule, repeat steps 1 through 3.
5. By default, the validation rules will combine with the OR Boolean logic. To make the rule use the AND operator, simply select the corresponding option at the bottom of the Validation Logic Rules window (see Figure 41.).
Figure 41. Adding multiple validation rules.
To edit a rule setting:
• Within the Validation Logic Rules list, double-click a desired rule value and make the necessary changes in the window that will show.
• When finished, click Next to proceed.
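As an added example, not the product's own evaluation code, the following Python models how the validation logic rules described above are combined: several values within one rule are tied with OR, the Not option inverts a rule, and the rules themselves are combined with OR (the default) or AND. The client context, the CIDR syntax for IP ranges, and applying wildcards to file and registry paths are assumptions of the example; the DERPA domain names are the ones used in the text.

```python
import ipaddress
import re
from dataclasses import dataclass, field, replace
from typing import Dict, Iterable, List, Set


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """* stands for 0 or more characters, ? for exactly one; names compare case-insensitively."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$", re.IGNORECASE)


def matches_any(values: Iterable[str], candidates: Iterable[str]) -> bool:
    """True when any rule value (with wildcards) matches any candidate name (OR semantics)."""
    names = list(candidates)
    return any(wildcard_to_regex(v).match(c) for v in values for c in names)


@dataclass
class ClientContext:
    """Constructed snapshot of what the client knows at logon; field names are this example's own."""
    computer_name: str
    user_name: str
    computer_ou: str
    user_ou: str
    computer_groups: List[str]
    user_groups: List[str]
    ip_addresses: List[str]
    existing_files: Set[str] = field(default_factory=set)
    existing_registry_keys: Set[str] = field(default_factory=set)


@dataclass
class ValidationRule:
    kind: str             # one of the Rules tab types, spelled as in the text
    values: List[str]     # several values in one rule are tied together with OR
    negate: bool = False  # the Not option excludes the specified items


def evaluate_rule(rule: ValidationRule, ctx: ClientContext) -> bool:
    """Evaluate one validation logic rule against the client context."""
    name_sources = {
        "Computer Name": [ctx.computer_name],
        "User Name": [ctx.user_name],
        "OU (Computer)": [ctx.computer_ou],
        "OU (User)": [ctx.user_ou],
        "Computer Group": ctx.computer_groups,
        "User Group": ctx.user_groups,
    }
    if rule.kind in name_sources:
        hit = matches_any(rule.values, name_sources[rule.kind])
    elif rule.kind == "IP Address Range":
        # Ranges are written in CIDR form here; the text does not fix a syntax.
        hit = any(ipaddress.ip_address(ip) in ipaddress.ip_network(v, strict=False)
                  for v in rule.values for ip in ctx.ip_addresses)
    elif rule.kind == "File Exists":
        hit = matches_any(rule.values, ctx.existing_files)
    elif rule.kind == "Registry Key Exists":
        hit = matches_any(rule.values, ctx.existing_registry_keys)
    else:
        raise ValueError(f"unknown validation rule type: {rule.kind}")
    return not hit if rule.negate else hit


def rule_applies(rules: List[ValidationRule], ctx: ClientContext, operator: str = "OR") -> bool:
    """Combine all validation rules with OR (the default) or AND."""
    if not rules:
        return True  # no validation logic means the PA rule is not restricted further
    results = [evaluate_rule(r, ctx) for r in rules]
    return all(results) if operator == "AND" else any(results)


def demo() -> Dict[str, bool]:
    """Constructed scenario (cf. Figure 40): target computers in OUs whose names end
    with "department" or "branch", on the 10.0.1.0/24 subnet, and without a legacy
    application installed. Returns the outcome under AND and under OR for three clients."""
    rules = [
        ValidationRule("OU (Computer)", ["*department", "*branch"]),
        ValidationRule("IP Address Range", ["10.0.1.0/24"]),
        ValidationRule("File Exists", [r"C:\LegacyApp\legacy.exe"], negate=True),
    ]
    sales_pc = ClientContext(
        computer_name="WKS-SALES-01", user_name="DERPA\\alice",
        computer_ou="DERPA.DERPADEV.LOCAL\\Sales department",
        user_ou="DERPA.DERPADEV.LOCAL\\USER ACCOUNTS",
        computer_groups=["DERPA\\WORKSTATIONS"], user_groups=["DERPA\\HELPDESK"],
        ip_addresses=["10.0.1.20"],
    )
    legacy_pc = replace(sales_pc, existing_files={r"C:\LegacyApp\legacy.exe"})
    dc_with_legacy = replace(legacy_pc, computer_name="PASERVER",
                             computer_ou="DERPA.DERPADEV.LOCAL\\DOMAIN CONTROLLERS",
                             ip_addresses=["10.0.9.5"])
    return {
        "sales_pc_and": rule_applies(rules, sales_pc, "AND"),
        "sales_pc_or": rule_applies(rules, sales_pc, "OR"),
        # A single failing rule blocks under AND but not under OR; note how the
        # negated File Exists rule alone makes the default OR combination permissive.
        "legacy_pc_and": rule_applies(rules, legacy_pc, "AND"),
        "legacy_pc_or": rule_applies(rules, legacy_pc, "OR"),
        "dc_with_legacy_and": rule_applies(rules, dc_with_legacy, "AND"),
        "dc_with_legacy_or": rule_applies(rules, dc_with_legacy, "OR"),
    }


if __name__ == "__main__":
    for case, applies in demo().items():
        print(f"{case}: {applies}")
```

Checking the same rule set under both operators, as demo() does, is a quick way to confirm that a Not rule does not widen the rule's scope more than intended.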
Using the Privileges tab
(Available as advanced option)
On the Privileges tab you can grant or deny certain privileges the process can
perform. The privileges are the standard Windows policies listed in the User Rights
Assignment list (Local Security Settings \ Local Policies).
• To apply/deny privilege(s) to the processes (including child processes), select the necessary one(s) and then click Grant/Deny. To multi-select the privileges, hold down the CTRL key while selecting the desired items with the mouse.
• To discard your choices, select the privilege and click Not Set.
Figure 42. Specify changes to the privileges of the application.
Using the Integrity tab
(For Windows Vista, Server 2008/2008 R2 and Windows 7 OSes)
(Available as advanced option)
The integrity level is a built-in feature of the Windows operating systems beginning with Windows Vista. It is used to differentiate the security level with which the process will run.
By default this setting does not apply and is set to the Untrusted level option.
TESTING AND APPLYING THE RULE
Note
To test the rule, ensure that the computer is installed with the PA Client.
Privilege Authority offers the possibility to test the settings of any rule created with
Privilege Authority except for an ActiveX rule. During the test you can simulate, on the
PA Server machine, the process to which the rule is to be applied.
Note
The testing functionality is not available for ActiveX rules.
To test the rule:
1. Within the Local Rules section, select a rule, and then click the Test toolbar button.
2. A special window will be opened and the rule test will start on your local
machine. The window will show the initial conditions necessary for the rule
to run and present their status in the Test Progress section:
   o if the PA Client is installed on your computer (use the link to know how to install the client locally on the PA Server machine);
   o if the Group Policy update has run successfully on your computer;
   o if the GPO with the selected rule is present on the domain;
   o if the rule exists on the client side and on the domain.
If the test fails on any of the steps, resolve the issue before continuing with the
rule testing.
3. Once the Starting Process Monitor window is presented, manually run
the process the rule will apply to. Note that you should run the process with
the parameters specified in the Rule Details section of the Test File Rule
window. Click Continue.
4. The Test File Rule window content will change and show the two tabs: the
Started Processes tab with the processes started right after you have
continued with the Starting Process Monitor window and the All
Processes tab with all the currently running processes. The process that
you’ve started to test the rule will show in the list of the Started Processes
tab with either the “tick” or “cross” sign. If the process is marked with the
"cross" sign, look at the Process Details and either check that you started
the process with the right parameters or modify the rule settings.
Once the PA rule is created and distributed to clients via Group Policy, the rule will be
automatically applied to the corresponding process.
In order for the ActiveX rule to take effect on some clients, please perform the following additional configurations:
• for Windows Server 2008 R2 PA Clients
• for PA Clients running Internet Explorer 9
(For Windows Server 2008 R2 PA Clients) In order for the ActiveX rule to take effect on
clients running Windows Server 2008 R2, please enable third-party browser extensions
in the Internet Explorer browsers of the clients:
1. On the Internet Explorer menu bar of the PA Client computer, go Tools ->
Internet Options.
2. On the Advanced tab of the window that will open, check the Enable third-party browser extensions* checkbox under the Browsing section of the list.
Figure 43. Enabling third-party browser extensions on Windows 2008 R2 clients
for the ActiveX rules to take effect.
3. Reboot the client computer.
Or, the third-party browser extensions can be centrally enabled via the following modification of a Group Policy Object:
1. Open a Group Policy Object editor. (Create a dedicated Group Policy Object if
necessary.)
2. Go Computer Configuration -> Administrative Template: Policy... -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page, and then double-click the Allow third-party browser extensions item in the list to the right and enable it.
Figure 44. Enabling the third-party browser extensions via Group Policy.
3. Open the User Configuration node and perform the configurations
described in step 2 above.
(For PA Clients running Internet Explorer 9) In order for the ActiveX rule to take effect on clients running Internet Explorer 9, please enable ScriptLogic's GPE ActiveX Installer add-on in the clients' browsers.
1. On the PA Clients with the Internet Explorer 9, use the Tools browser menu
to open the Manage Add-ons window.
2. In the window that will show, locate the GPE ActiveX Installer add-on
and enable it.
Figure 45. Enabling ScriptLogic's GPE ActiveX Installer add-on on the PA Client running Internet Explorer 9.
MANAGING THE RULES
Once the rule is created, you can change its settings or delete the rule, or upload the
rule to the Community Rules Exchange server.
• To delete, modify or share the selected rule, use the corresponding toolbar buttons (see Figure 46.).
Figure 46. Use the toolbar to manage a GPO rule.
• To delete or otherwise modify the GPO created with Privilege Authority, use the Microsoft Group Policy Management Console.
Note
A rule created with Privilege Authority earlier than 2.7 and not updated
during Privilege Authority 2.7 installation does not contain the rule's
description (info within the Description field of the Edit Rule Wizard).
If you are using the Privilege Authority Community Edition and try to access a rule with
any of the Privilege Authority Professional features, to view or modify its settings, a
special notification will show (see Figure 47. ). By clicking Yes, you’ll open the Edit
Rule window that will show all the rule settings except for the Professional ones.
Modifying the rule will not discard any of the Professional features.
Figure 47. Accessing a rule with a Pro feature on a PA Community Edition Console.
• Consider using the reporting capabilities of the Privilege Authority Console to view the rule's settings or save them into a file, or to generate reports to get statistics on the PA rules usage.
USING GPO RULES CONFIGURED BY OTHER USERS (COMMUNITY RULES EXCHANGE)
The ScriptLogic team has created and supports a special GPO rules database stored on
the Community Rules Exchange server. By using the Community Rules Exchange
feature, you can make use of the GPO rules other system administrators have shared
on the server as well as upload your own rules.
You can also access this Rules Exchange database to get a sample list of GPO settings
that may be used in an environment and know how they can be defined with Privilege
Authority.
This feature is available within any of the Privilege Authority editions.
• Once you open the Privilege Authority Console, click All Rules located under the Community section. The list of rules will show (provided that the PA Console could successfully connect to the Rules Exchange server over the Internet). (See Figure 48.)
Figure 48. The Community Rules list.
Use the Community rules to:
• apply the Community rules in your domain
• share your rules with the community
• edit, comment and rate the Community rules.
Applying Community Rules to your Domain/GPO
To make use of a certain rule within the Community list or just to see how the GPO
settings can be configured with Privilege Authority:
1. Within the All Rules or Verified Rules section of the Community node of
the Privilege Authority Console, select the rule, and then click the
Import icon. A dialog with the rule settings will open. (Figure 49.)
Figure 49. Opening the community rule dialog.
If you are using the Privilege Authority Community Edition and try to import a
rule with any of the Privilege Authority Professional features, a special
notification will show (see Figure 50. ). By clicking Yes, you’ll open the Import
Rule Wizard window that will show all the rule settings except for the
Professional ones.
Figure 50. Importing a rule with a Pro feature running PA Community Edition.
Note
If the list of rules does not populate automatically, try the following: click
Help -> Proxy Settings, and specify the proxy server data in the window
that will open. (See Figure 51. )
Figure 51. Specifying the proxy server settings.
2. (Optional) You may switch between the available tabs of the dialog to view its settings or adjust the GPO rule to your needs.
3. Click the GPO tab to assign the rule to an already existing GPO your user account is granted Read/Write access to. (Follow the link if you'd like to create a custom GPO to link the rule to.) (See Figure 52.)
Figure 52. Selecting a GPO to apply the rule to.
4. Click Finish to add the rule to your domain’s GPO settings.
The rule will now display in the list of rules of the corresponding GPO under the Local
Rules node. (See Figure 53. )
Figure 53. A community rule has been set to apply to a GPO in your domain.
The rule will apply, once the Group Policy is updated on the client machine.
When the rule displays within the Local Rules node, you can administer it as any
ordinary PA rule.
Sharing your Rules with the Community
To share your rules that you think other system administrators might find useful:
1. Within the Local Rules node, right-click the desired rule to share, and then select Share with Rules Exchange within the shortcut menu. (See Figure 54.)
Figure 54. Selecting a rule to share.
2. Within the window that opens, make any necessary changes to the GPO rule
settings, and click OK. (See Figure 55. )
Figure 55. Modifying and confirming to share the rule.
3. (If applicable) If you have not registered at the Privilege Authority Community Forum, you will be presented with the registration/login dialog. The dialog is detailed in the Registering with the Community Rules Exchange Server section.
Once the registration is complete, the rule will be displayed under the Community node in the All Rules section as well as within the My Shared Rules list. (Figure 56.)
Figure 56. The rule has been successfully uploaded to the Community Rules Exchange.
Managing the Community Rules
To delete the rule that you’ve shared from the Rules Exchange All Rules list:
• From within the My Shared Rules section, select the rule, and then click the Delete toolbar button. The rule will be deleted after the operation is confirmed.
To modify the settings of the rule that you’ve shared:
1. Use the Local Rules node to make the necessary changes.
2. Upload the rule with changes to the Community Rules Exchange site. The
rule’s info will be updated automatically.
Within the Community node, you can modify the title or description of the rule that
you’ve shared:
• From within the My Shared Rules section, select the rule, and then use the icon to set the rule’s title and description info as necessary.
To rate any rules uploaded to the Community Exchange Server:
1. From within any section of the Community node, right-click the desired rule, and then choose between the Not set, Poor, Fair, Good, Very Good, or Excellent option of the My Rating sub menu.
2. Your rating will be saved and the average total will show in the Rating
column of the grid.
To comment on the rules uploaded to the Community Exchange Server:
• From within any section of the Community node, double-click the desired rule, and then use the Add Comment button to place your comment. Registration at the Community Rules Exchange is required.
REGISTERING WITH THE COMMUNITY RULES EXCHANGE SERVER
When you upload your rules to the Community Rules Exchange Server, view the My
Shared Rules node content, or want to place a comment on a Community rule, you
first have to be authorized by the server. To do this, fill in the Register or Sign-In
form (see Figure 57. ):
• If you are already registered on the forum, enter your email and password in the corresponding fields of the Login section and click Login.
• If you are not yet registered with the community, click on the Register on the web link. You will be directed to the Privilege Authority Community Forum registration page. Fill in every field of the form that will be shown. Click Register.
You may also use the Register tab of the dialog, to fill in the registration form.
When registering with the community server, please note that your password must comply with the current password policy of the Rules Exchange Server, e.g. currently it must consist of at least 7 characters.
Figure 57. Registering to upload to the Privilege Authority Community Exchange server.
Tip
To prevent connection problems when registering over the internet,
consider specifying your proxy server settings in the PA Console before you
proceed with registration.
To log in at the server as a different user:
• Click Help -> Logout of Rules Exchange. Now, when required, you’ll be asked to provide your login details.
TROUBLESHOOTING CONNECTION PROBLEMS
If the Rules Exchange All Rules list does not populate automatically or you fail
registering with the Rules Exchange forum, try specifying your proxy settings within the
Privilege Authority Console to solve the issue.
• To open the Proxy Server Settings window, click Help -> Proxy Settings, and specify the proxy server data in the window that will open.
Figure 58. Specifying the proxy server settings.
REPORTING ON THE PRIVILEGE AUTHORITY ACTIVITIES
(Available only within the Professional edition)
Privilege Authority allows users to build reports on the PA system activities. Users can generate reports on those GPOs for which they have read/write access set within the Windows system. With this feature, users can get overall information on how frequently a specific rule is used and on how many machines a specific rule is deployed to, and view the processes elevated by the rule and the rule configuration details. Once the reporting feature is enabled, the PA Console will collect and aggregate data from the client machines to make it available for reporting purposes.
This is a licensed feature and requires the Professional edition license. Once the license, e.g. the trial license, expires, data will no longer be collected and reports will stop generating.
Before taking advantage of the reporting feature, you have to configure the PA Console
host. Refer to the Configuring the Reporting Feature section for the necessary steps to
perform.
The Reporting section of the Privilege Authority Console provides the option to build
the following three types of reports: Elevation Activity, Deployed Privileges, Rule
Configuration. In addition to these "out of the box" reports, custom reports can be created by using third-party tools to query the SQL-based PA reporting database and generate reports.
You may use the PA database schema below to create your own custom reports or
perform data analysis.
69
Figure 59. PA database schema.
The PA Reporting database is created during the initial setup of the reporting function
and is configured to work with the ScriptLogic PA Reporting data collection web service
running on a PA Console host.
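The schema figure is an image, so the following PowerShell script, added here as an example and not part of the product or this guide, lists the tables and columns of the PAReporting database through the standard INFORMATION_SCHEMA views, so that custom queries can be written against the schema as actually deployed. SQLSERVER\INSTANCENAME is the placeholder used in Step 6 of the configuration wizard; the script assumes the account running it has Windows-authenticated read access to the database.

```powershell
# Added example, not part of Privilege Authority or this guide.
# Enumerates the tables and columns of the PAReporting database so that
# custom reports can be written against the real schema.
# Placeholder: SQLSERVER\INSTANCENAME is the instance chosen in Step 6.
param(
    [string]$SqlInstance = 'SQLSERVER\INSTANCENAME',
    [string]$Database    = 'PAReporting'
)

# INFORMATION_SCHEMA views are standard in SQL Server and need only read access.
$query = @"
SELECT t.TABLE_SCHEMA, t.TABLE_NAME, c.COLUMN_NAME, c.DATA_TYPE, c.IS_NULLABLE
FROM   INFORMATION_SCHEMA.TABLES  AS t
JOIN   INFORMATION_SCHEMA.COLUMNS AS c
       ON c.TABLE_SCHEMA = t.TABLE_SCHEMA AND c.TABLE_NAME = t.TABLE_NAME
WHERE  t.TABLE_TYPE = 'BASE TABLE'
ORDER  BY t.TABLE_SCHEMA, t.TABLE_NAME, c.ORDINAL_POSITION
"@

# Windows authentication, as the guide requires for runtime access to the data.
$connStr = "Server=$SqlInstance;Database=$Database;Integrated Security=SSPI;Connect Timeout=10;"
$conn    = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $connStr
$schema  = New-Object System.Data.DataTable
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    $schema.Load($cmd.ExecuteReader())
} finally {
    $conn.Dispose()
}

# Print one block per table with its columns, ready to paste into a report design.
$schema.Rows | Group-Object TABLE_SCHEMA, TABLE_NAME | ForEach-Object {
    $first = $_.Group[0]
    "{0}.{1}" -f $first.TABLE_SCHEMA, $first.TABLE_NAME
    $_.Group | ForEach-Object {
        $nullable = if ($_.IS_NULLABLE -eq 'YES') { ' NULL' } else { '' }
        "    {0,-40} {1}{2}" -f $_.COLUMN_NAME, $_.DATA_TYPE, $nullable
    }
}
```

Run it from a PA Console host or any machine that can reach the instance over TCP/IP. For users who only run custom queries, membership in the fixed db_datareader role on PAReporting is enough; the Database Super User Group that the wizard grants administrative rights to should be kept for the administrators of the reporting setup.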
Elevation Activity
This report allows you to track the elevation activity on all managed client computers for a chosen period of time. With this report, you can see which user elevated which process, on which computer, and when. (See Figure 60.)
The following drop-down menus and fields are available to create a report:
• Type - use the menu to report on all rule types (the default setting), or on a File, Folder, ActiveX, or Digital Certificate rule type.
• Rule Name - use the menu to report on all rules created by PA (the default setting) or on a rule with a specific name.
• User Name - use the field to get data on rules applied for all users (the default setting) or for a specific user (see Generating and Using the Reports for the name format).
• Computer Name - use the field to get data on rules applied to all computers (the default setting) or to a specific computer (see Generating and Using the Reports for the name format).
• From, To - use the fields to set the period of time for which to generate statistics. (See the note under Generating and Using the Reports about data collected before a redeployment of the reporting feature.)
Each privilege elevation event reported contains the following details:
• Type - the privilege elevation rule type;
• Rule Name - the privilege elevation rule name;
• User (Domain\Name) - the user and domain name;
• Computer (Domain\Name) - the computer and domain name;
• Elevation Time - the time of the privilege elevation on the client computer;
• Rule GUID - the privilege elevation rule GUID;
• Elevated Item - the path to the elevated application or command, with its arguments (if any).
Figure 60. Each Privilege elevation event reported is detailed according to the parameters circled in red.
See Generating and Using the Reports for how to create this report and manage the generated report data.
Deployed Privileges
This report indicates the overall usage of the deployed privilege elevation rules across the domain. For each rule, the report shows how many clients the rule has been copied to and how many times it has been used to elevate privileges.
The following drop-down menus are available to create a report:
• Rule Name - use the menu to report on all privilege elevation rule names (the default setting) or on a rule with a specific name;
• GUID - use the menu to report on all privilege elevation rule IDs (the default setting) or on a rule with a specific ID;
• Sort - use the menu to sort the generated report entries (in ascending order) by:
  • Deployed Date - the date the rule was deployed;
  • Rule Title - the rule name;
  • Applied Count - the number of PA Client computers where the rule is deployed;
  • Used Count - the number of times the rule has been enforced.
Each rule entry in the report contains the following details (see Figure 61.):
• Rule Name - the privilege elevation rule name;
• Rule GUID - the privilege elevation rule ID;
• # Comp - the number of PA Client computers where the rule is deployed;
• # Used - the number of times the rule has been enforced.
Figure 61. Each Privilege elevation event reported is detailed according to the parameters circled in red.
See Generating and Using the Reports for how to create this report and manage the generated report data.
Rule Configuration
This report lists all the configuration details of each deployed rule in a single view.
The following drop-down menus are available to create a report:
• Domain - the domain name;
• Rule Name - the privilege elevation rule name;
• GPO Name - the Group Policy Object that the rules are linked to;
• Created From, Created To - the date range in which the rule was created;
• Modified From, Modified To - the date range in which the rule was modified.
The details listed for each rule are the settings specified in the rule creation wizard (see Figure 62.).
Figure 62. The PA Rule Configuration report.
See Generating and Using the Reports for how to create this report and manage the generated report data.
Generating and Using the Reports
To generate a report:
1. Under the Reporting section of the PA Console, select the desired type of report. The window for generating that report opens on the right. (See Figure 63.)
2. Specify the data to build the report on using the menus and fields in the upper part of the report window. (The available menu items and fields are detailed in the corresponding report type description.) You may leave these fields as they are to get statistics for your whole PA environment over the specified period of time (where a time interval can be specified). By default, data for the last month is reported.
To get results for a specific user or computer, enter the name in the User Name or Computer Name field respectively, in the form:
DomainName\UserName
or
DomainName\ComputerName
3. Click the Generate Report button. The generated report results are shown.
Figure 63. Generating the reports
Note
If you have redeployed the Reporting feature, the reports contain data only from the last web service installation onward.
• Within the Deployed Privileges report, there is an option to sort the generated data.
• Once the report is generated, use the toolbar at the top of the report results window to navigate the pages, organize them as necessary, search for data, etc. (See Figure 65.)
• To navigate across a multi-page report, use the page navigation toolbar buttons.
• The Number of Records field in the upper part of the generated results page is the number of PA rules listed in the report.
Figure 64. The Number of Records field shows the number of rules displayed within the report.
To save the generated report data, use either the Copy or Export To ... buttons:
1. Click anywhere on the page with the generated report results, and then click the Copy button shown in Figure 65.
2. Paste the copied data into the file you need.
Or,
1. From the toolbar of the generated report results window, click the Export To PDF, Export To Html, or Export To RTF button to save the data to a PDF, HTML, or RTF file respectively.
2. In the Save As window that opens, name the report and, if desired, change its location. By default, reports are saved to %USERPROFILE%\Documents. Click Save.
Figure 65. Saving the report with the Copy or Export To buttons.
Configuring the Reporting Feature
To start using the Privilege Authority reporting feature, you have to perform additional configuration of the PA server host: install a data collection web service (ScriptLogic PA Reporting Service) and create the PA reporting database (PAReporting) in a SQL Server instance. The web service is responsible for collecting data from the PA Clients and writing it to the PA database. To generate reports, the PA Console(s) then communicate with the PA database.
Reporting configured by a domain admin (or by a user with WRITE access to the SYSVOL share, specifically to the
\\DOMAINNAME\sysvol\DOMAINNAME\ScriptLogic\Privilege Authority\DataCollectionSettings.xml
file) is automatically made available to the other PA Console users on the domain for building reports. Because this file tells every PA Client in the domain where to send its elevation audit data, write access to it should be limited to the administrators who own the reporting setup.
Until the reporting feature is centrally enabled, OU level admins can set up reporting locally on their computers.
A special wizard aids you in performing the necessary steps. The following procedures cover:
• Setting up reporting
• Modifying the PA reporting setup settings
• Removing the PA reporting feature
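Because that settings file steers every client's audit data, the following PowerShell check, added here as an example and not part of the product or this guide, lists each principal that holds write, delete, or permission-changing rights on it. DOMAINNAME is the placeholder used in the path above; the script assumes the file already exists and falls back to auditing its containing folder if it does not.

```powershell
# Added example, not part of Privilege Authority or this guide.
# Lists every principal that can change the central reporting settings file,
# and therefore where all PA Clients send their elevation audit data.
# Placeholder: DOMAINNAME is your domain's DNS name.
param([string]$Domain = 'DOMAINNAME')

$settingsFile = "\\$Domain\SYSVOL\$Domain\ScriptLogic\Privilege Authority\DataCollectionSettings.xml"
# Before reporting is configured the file does not exist yet; in that case
# audit the folder that will receive it.
$target = if (Test-Path -LiteralPath $settingsFile) { $settingsFile } else { Split-Path -Path $settingsFile -Parent }

# Any of these rights lets a principal rewrite the file or regrant itself access.
# Modify and FullControl contain WriteData, so they are matched as well.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]$fsr::WriteData -bor [int]$fsr::AppendData -bor [int]$fsr::Delete -bor
             [int]$fsr::ChangePermissions -bor [int]$fsr::TakeOwnership -bor
             0x40000000 -bor 0x10000000   # GENERIC_WRITE / GENERIC_ALL, seen on inherit-only ACEs

$acl = Get-Acl -LiteralPath $target
"Owner of {0}: {1}" -f $target, $acl.Owner
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $writeMask) -ne 0)
    } |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Sort-Object IdentityReference |
    Format-Table -AutoSize
```

On a default SYSVOL the output should show only the built-in administrative principals (SYSTEM, Administrators, CREATOR OWNER and the like); a broad group such as Authenticated Users or Domain Users with a write right here means any domain user could redirect the reporting data of every client.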
To run the preliminary reporting configuration:
Step 1. Start the Reporting configuration wizard.
To start the configuration wizard, from the main menu click Reporting > Configure Reporting.
Figure 66. Launching the reporting configuration wizard.
Step 2. Enable the reporting feature and the data collection web service.
To set up the reporting feature:
1. Select the Enable Reporting option.
2. Check the Set up a new data collection web service on this computer check-box to install the ScriptLogic PA Reporting data collection web service locally. Once installed successfully, this instance of the service is used by the PA system running on your domain.
Note
If the Set up a new data collection web service on this computer option is disabled for you, you do not have enough rights to set up reporting. Use the reporting settings that are centrally configured for you: click Finish and proceed to building the reports.
Figure 67. Installing the ScriptLogic PA Reporting service.
3. (If the ScriptLogic PA Reporting web service is already running on your domain) If a PA Console with the reporting feature enabled exists in your domain, the URL of the service is detected automatically and shown in the field under Use the Data Collection Web service specified at the URL below.
You may use the Test Connection button (see Figure 68.) to test the connection to the data collection web service.
If the URL is not set automatically, you may provide it manually: select the Use the Data Collection Web service specified at the URL below option and enter the URL of the service as shown in Figure 68., replacing SERVERNAME with the exact name of the server running the ScriptLogic PA Reporting service.
Figure 68. Specifying the URL of the web service installed in your environment.
(If necessary) Use the Advanced Options button to configure how each client sends its data to the data collection web service. The web service supports collecting data from a significant number of concurrent clients.
• Maximum Sleep Time (in seconds) - the stagger period within which each client sends its data to the ScriptLogic PA Reporting data collection service, so that the clients do not all contact the service at the same moment. The default is 60 seconds.
• Send Retries - the number of retries if an attempt to connect to the web service fails. The default is 1.
• Network Timeout (in seconds) - the number of seconds after which a PA Client stops trying to send its data. The default is 60 seconds.
• Maximum Records Per Transaction (0 indicates unlimited) - the default is 0. Try increasing the value to 1 or 2 on large networks where each client computer generates a large number of privilege elevation audit records and a client might not be able to connect to the data collection service because the service is busy processing large data collection transactions from other clients. With a limit set, a client sends its cached collected data in portions of the given size, reducing the total load on the server side.
4. Click Next to proceed.
Note
The data collection web service listens for incoming reporting data from the PA Clients on port 8001, so (if applicable) configure the firewall on the host where the data collection web service runs to allow inbound communication on this port.
Step 3. Choose the SQL instance to use.
Use the available options to select which SQL Server instance to use for the PA Reporting database:
• Select Download and install a local instance of Microsoft SQL Server 2008 Express to install the Microsoft SQL Server 2008 Express software from the Internet, and then click Next to go to the next step.
Note
The default password for the sa user of the SQL Server instance installed via the PA Console is "PrivilegeAuthority1". Because this password is published in this guide, change it as soon as the installation completes; since runtime access to the data uses Windows authentication, the sa login can also be disabled once setup is done.
• Select Use an existing SQL Server instance to instruct Privilege Authority to connect to an existing local or remote SQL instance, and then click Next to go to the next step.
If using an already existing SQL instance, the following requirement applies:
• Microsoft SQL Server 2008 or above.
If using a remote SQL database, the following additional requirements apply:
• the TCP/IP protocol is enabled for the selected SQL Server instance;
• the PA Console host can reach the remote SQL Server;
• (if applicable) the firewall is set up to allow communication between the SQL database and the PA Console host on the port that the remote SQL Server is configured to listen on;
• additional authentication requirements are listed in Step 6.
Note
If the PA Console is hosted on a Domain Controller, consider that Microsoft does not recommend running a database on a Domain Controller. In this case, either connect to a remote SQL database instance or install the PA Console on another computer and download the SQL Server 2008 Express software via the PA reporting configuration wizard.
Step 4. Specify the necessary accounts.
Verify the automatically detected user group and user accounts that will be granted administrative privileges in the PA Reporting database, or specify new ones.
• In the Data Collection Web Service Account section, enter the password of the account that will be used to run the PA data collection service.
If you get an "invalid name or password" error, try providing the account name in another format, e.g. USERNAME@DOMAIN.
• (Available if you selected to download SQL Server 2008 Express) Use the SQL Server Express Service Account section to set an account other than the default for the SQL Server service.
Figure 69. Specifying the accounts necessary for proper work of the reporting feature.
Note
If you plan to use the configured reporting domain-wide, i.e. from other PA Consoles run either by domain or by OU level admins, ensure that the provided Database Super User Group includes all the user accounts that may access the PAReporting database. Otherwise a user with no rights to the PA database will encounter an error.
Step 5. (Applicable if you selected to use an existing SQL database) Install the SQL Server Management Objects (SMO).
Click Next to install the following SQL SMO components if the local computer lacks them:
• Windows Installer 4.5 Redistributable
• Microsoft SQL Server 2008 Native Client
• Microsoft SQL Server System CLR Types
• Microsoft SQL Server 2008 Management Objects
• Microsoft Core XML Services 6.0 Service Pack 1
Figure 70. Clicking Next to install the required SQL SMO.
Step 6. (Applicable if you selected to use an existing SQL database) Select the SQL Server instance.
Specify the SQL database installed on any computer, remote or local.
1. In the SQL Server Instance Name field, specify the database instance name in the following format:
SQLSERVER\INSTANCENAME
You may use the button next to the field to view the server instances available on your network.
Figure 71. Specifying the SQL Server instance.
2. Use the available options to set the authentication type supported by your SQL Server.
When using Windows Authentication, ensure that the Windows account you are currently logged into the PA Console host with:
• is assigned the System Administrator (sysadmin) server role on the specified SQL Server instance;
• is a member of the "db_owner" role for the "master" database;
• (when upgrading a database previously created with the Reporting configuration wizard) is a member of the "db_owner" role for the "PAReporting" database.
If targeting a remote SQL database, consider that:
• the SQL database must accept Windows authentication for runtime access to data (although SQL authentication can be used for the database setup).
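The following PowerShell pre-flight script is an added example, not product code, that verifies the requirements from Steps 3 and 6 before you run the wizard: TCP reachability of the data collection web service on port 8001 and of the SQL Server instance, and whether the current Windows login holds the sysadmin server role and db_owner on master. SERVERNAME and SQLSERVER\INSTANCENAME are the placeholders used in this guide; the SQL port 1433 is an assumption, since a named instance may listen on another port (check SQL Server Configuration Manager).

```powershell
# Added example, not part of Privilege Authority or this guide.
# Pre-flight checks for the reporting prerequisites in Steps 3 and 6.
# Placeholders/assumptions: SERVERNAME, SQLSERVER\INSTANCENAME and the SQL
# port (1433 is the default instance port; named instances often differ).
param(
    [string]$ReportingHost = 'SERVERNAME',            # host of the data collection web service
    [int]   $ReportingPort = 8001,                    # port stated in this guide
    [string]$SqlInstance   = 'SQLSERVER\INSTANCENAME',
    [int]   $SqlPort       = 1433                     # assumption, adjust for your instance
)

# TCP connect test with a timeout; works on any Windows PowerShell version.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = New-Object System.Collections.Specialized.OrderedDictionary
$results['Web service TCP ' + $ReportingPort] = Test-TcpPort -ComputerName $ReportingHost -Port $ReportingPort

# A remote SQL instance must have TCP/IP enabled and the firewall open on its listening port.
$sqlHost = ($SqlInstance -split '\\')[0]
$results['SQL Server TCP ' + $SqlPort] = Test-TcpPort -ComputerName $sqlHost -Port $SqlPort

# Windows-authenticated login and the roles the wizard needs: sysadmin on the
# instance and db_owner on master. IS_SRVROLEMEMBER and IS_MEMBER are built-in
# T-SQL functions evaluated for the current login; IS_MEMBER is evaluated in
# the current database, which is master here.
$query = @"
SELECT SUSER_SNAME()                AS LoginName,
       IS_SRVROLEMEMBER('sysadmin') AS IsSysadmin,
       IS_MEMBER('db_owner')        AS IsMasterDbOwner,
       DB_ID('PAReporting')         AS PAReportingDbId
"@
$connStr = "Server=$SqlInstance;Database=master;Integrated Security=SSPI;Connect Timeout=10;"
$conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $connStr
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    $reader = $cmd.ExecuteReader()
    if ($reader.Read()) {
        $results['SQL login']             = $reader['LoginName']
        $results['sysadmin role']         = ($reader['IsSysadmin'] -eq 1)
        $results['db_owner on master']    = ($reader['IsMasterDbOwner'] -eq 1)
        # DB_ID returns NULL when the database does not exist yet (first setup).
        $results['PAReporting DB exists'] = -not $reader.IsDBNull($reader.GetOrdinal('PAReportingDbId'))
    }
    $reader.Close()
} catch {
    $results['SQL login'] = "FAILED: $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}

$results.GetEnumerator() | ForEach-Object { '{0,-24} {1}' -f $_.Key, $_.Value }
```

Run it on the PA Console host as the Windows account that will run the wizard. A False on the web service port points at the firewall note under Step 2; a False on the SQL port points at the TCP/IP and firewall requirements in Step 3; a failed login or a False role result points at the account requirements in Step 6.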
Step 7. Install the prerequisites and launch the services.
Click Next and PA performs the following steps:
• (if applicable) installs Microsoft SQL Server 2008 Express;
• (omitted if the database has already been created) creates the PAReporting database;
• installs and launches the ScriptLogic PA Reporting data collection web service.
During installation a Command Prompt window may appear.
Click OK and then Finish to exit the reporting configuration wizard.
Once the reporting components are installed, you can proceed to building the reports.
If you have write access to the SYSVOL share on your domain, you can modify the reporting configuration settings that are used by the other PA Consoles on the domain. Other users working with the PA Console can install or re-install the reporting feature on their local machines only if reporting is not enabled centrally by domain admins; otherwise the respective options are disabled.
If you need to change the PA reporting database settings, i.e. connect to another instance or modify the authentication parameters, or set up a new data collection service:
1. Use the wizard to remove the data collection web service first.
2. Restart the wizard to re-install the service and set the SQL database settings as necessary.
If you need to disable and uninstall the data collection web service running locally on a PA Console, perform the following.
Note
Removal of the reporting web service by a domain admin or by the admin of a nested OU may make reporting unavailable on the other PA Console computers of the domain or downstream of the parent OU. Read about the Not Configured and Disable Reporting options below before proceeding.
1. Open the reporting configuration wizard and then perform one of the following:
• Select the Disable Reporting option to stop the ScriptLogic PA Reporting service on the local machine and disable the reporting feature. The service and the reporting feature become unavailable to all PA Consoles. Afterwards, any domain admin with WRITE privileges to SYSVOL can re-use this web service or set up a new one to make the reporting feature work again.
• (If desired or necessary) Select the Not Configured option to uninstall the ScriptLogic PA Reporting service from the local computer and from the PA system completely. Any domain user with read/write access to a GPO can then set up reporting on their local machine.
Note
In order for OU level admins to be able to configure reporting locally, the reporting service must be removed through the Not Configured option.
To remove a service running remotely, go to the computer that hosts the service and remove it either manually or via the wizard.
Note
If you have redeployed the Reporting feature, the reports contain data only from the last web service installation onward.
Once you have made any changes to the reporting configuration settings, the following message is shown to confirm the GPO update.
Figure 72. Confirming to update GPOs to send info to the newly configured reporting service.