User Guide Release 5.0


April 15, 2011 User Guide Release 5.0

Revision/Update Information: April 15, 2011
Software Version: 5.0
Document Revision: 0

COPYRIGHT NOTICE
Copyright BeyondTrust Software, Inc. All rights reserved. Use of this software and/or document, as and when applicable, is also subject to the terms and conditions of the license between the licensee and BeyondTrust Software, Inc. ("BeyondTrust") or BeyondTrust's authorized remarketer, if and when applicable.

TRADE SECRET NOTICE
This software and/or documentation, as and when applicable, and the information and know-how they contain constitute the proprietary, confidential and valuable trade secret information of BeyondTrust and/or of the respective manufacturer or author, and may not be disclosed to others without the prior written permission of BeyondTrust. This software and/or documentation, as and when applicable, have been provided pursuant to an agreement that contains prohibitions against and/or restrictions on copying, modification and use.

DISCLAIMER
BeyondTrust makes no representations or warranties with respect to the contents hereof. Other than, any limited warranties expressly provided pursuant to a license agreement, NO OTHER WARRANTY IS EXPRESSED AND NONE SHALL BE IMPLIED, INCLUDING WITHOUT LIMITATION THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR USE OR FOR A PARTICULAR PURPOSE.

LIMITED RIGHTS FARS NOTICE (If Applicable)
If provided pursuant to FARS, this software and/or documentation, as and when applicable, are submitted with limited rights. This software and/or documentation, as and when applicable, may be reproduced and used by the Government with the express limitation that it will not, without the permission of BeyondTrust, be used outside the Government for the following purposes: manufacture, duplication, distribution or disclosure. (FAR (g)(2)(Alternate II))

LIMITED RIGHTS DFARS NOTICE (If Applicable)
If provided pursuant to DFARS, use, duplication, or disclosure of this software and/or documentation by the Government is subject to limited rights and other restrictions, as set forth in the Rights in Technical Data Noncommercial Items clause at DFARS

TRADEMARK NOTICES
PowerBroker, PowerPassword, and PowerKeeper are registered trademarks of BeyondTrust. PowerSeries, PowerADvantage, PowerBroker Password Safe, PowerBroker Directory Integrator, PowerBroker Management Console, PowerBroker for Desktops, PowerBroker for Virtualization, and PowerBroker Express are trademarks of BeyondTrust. SafeNet and SafeNet logo are registered trademarks of SafeNet, Inc. Copyright 2009, by SafeNet, Inc. All rights reserved. Product names of any third party remain the trademarks of such third party manufacturers and/or distributors, respectively.

FICTITIOUS USE OF NAMES
All names of persons mentioned in this document are used fictitiously. Any resemblance to actual persons, living or dead is entirely coincidental.

OTHER NOTICES
If and when applicable the following additional provisions are so noted: BeyondTrust is a registered trademark of BeyondTrust Software, Inc. This document is for informational purposes only. BeyondTrust offers no warranties, express or implied, in this document. Microsoft, Microsoft Outlook, Microsoft Exchange, Microsoft Internet Explorer, Microsoft Windows, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003, Microsoft Windows Vista, Microsoft Windows Server 2008, Microsoft Windows Server 2008 R2, and Microsoft Windows 7 are trademarks of Microsoft Corporation. Other names mentioned herein may be trademarks of their respective owners.

LIBRARY NOTICES
cryptolib.lib Library
Big Arithmetic routines coded by D. P. Mitchell and Jack Lacy December Copyright (c) 1991 AT&T Bell Laboratories. This is version 1.1 of CryptoLib. The authors of this software are Jack Lacy, Don Mitchell and Matt Blaze. Copyright 1991, 1992, 1993, 1994, 1995 by AT&T. Permission to use, copy, and modify this software without fee is hereby granted, provided that this entire notice is included in all copies of any software which is or includes a copy or modification of this software and in all copies of the supporting documentation for such software. NOTE: Some of the algorithms in cryptolib may be covered by patents. It is the responsibility of the user to ensure that any required licenses are obtained. SOME PARTS OF CRYPTOLIB MAY BE RESTRICTED UNDER UNITED STATES EXPORT REGULATIONS. THIS SOFTWARE IS BEING PROVIDED AS IS, WITHOUT ANY EXPRESS OR IMPLIED WARRANTY. IN PARTICULAR, NEITHER THE AUTHORS NOR AT&T MAKE ANY REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR PURPOSE.

detours.lib Library
Microsoft Research Detours Package, Professional Version 2.1 Build_216. DISCLAIMER AND LICENSE: The entire Detours package is covered by copyright law. Copyright Microsoft Corporation. All rights reserved. Portions may be covered by patents owned by Microsoft Corporation.

libtomcrypt.lib Library
Tom St Denis, tomstdenis@iahu.ca,

ziputil.lib Library
Copyright Jean-loup Gailly and Mark Adler.

xmlparse.lib Library
Copyright 1998, 1999, 2000 Thai Open Source Software Center Ltd. and Clark Cooper. Copyright 2001, 2002, 2003, 2004, 2005, 2006 Expat maintainers. Other names mentioned herein may be trademarks of their respective owners.

IPAddressControlLib
Copyright 2007 Michael Chapman

Contents

Introduction
  Conventions Used in This Guide
  Font Conventions
  Linespacing Conventions
  Where to Go Next?
  Documentation Set for PowerBroker Desktops
  Obtaining Support
  Available Resources
  Before Contacting Technical Support
  Contacting Support
Product Overview
  How PowerBroker Desktops Works
  PowerBroker Desktops Architecture
  Licensing and Operating Modes
  Demonstration Mode
  Obtaining an Updated License Key for V5.0
Getting Started with PowerBroker Desktops
  Using the Management Dashboard
  Interpreting Dashboard Reports
  Rule Types and Tasks
  About Permission Levels
  About Privileges
  About Item-Level Targeting
  GPO Backup Files
  GPO Backup File Name Format
Working with PowerBroker Desktops Rules
  Using the Rule Wizard to Create a Rule
  Automatically Generating a Set of Rules
  How Automatic Generation Works
  Recommended Rule Generation Strategy
  Credential Issues
  Generated Files
  Rule Generator User Interface
  Rule Generation Options
  Generated Rule XML Files
  Viewing Rule Generation Reports
  Using Generated Rules
  Troubleshooting Generation Problems
  Invalid Name Space Errors
  Access Denied Errors
  RPC Server Errors
  Manually Creating a Rule
  Targeting an Application or a Process with a Rule
  Using the Rule Properties Dialog
  Using Wild Cards in Rules
  Wild Cards and Subfolders
  Path Rule - Target by Location
  Path Rule Examples
  Elevate IE for a Specific Web Site
  Elevate a Visual Basic Script
  Elevate a Registry Merge
  Elevate a Batch File
  Publisher Rule - Target by Digital Signature
  Target by Publisher Only
  Target by Any Digital Signature Element
  Hash Rule - Target Regardless of Location
  Folder Rule - Target Contents of a Folder
  MSI Path Rule - Target Installation MSI Package by Location
  MSI Folder Rule - Target All MSI Folder Contents
  ActiveX Rule - Target Installations by Internet Explorer
  Shell Rule - Elevate Applications on Demand
  CD/DVD Rule - Target by Media
  UAC Rule - Target Applications Started by UAC
Advanced Techniques
  Modifying Permissions
  Modifying Privileges
  Modifying Integrity Level
  Using Rule Options
  Common Options
  Execution Options
  Providing a Rule Description
  Using Item-Level Targeting
  Building an Item Collection
  Completing a Rule
  Working with Rule Collections
  Rule Processing When a Collection Is Present
  Avoid Rule Conflicts
  Using Advanced Options in the Administrative Template
  Installing the Administrative Template
  Customizing Internet Explorer Restriction and Download Dialogs
  Customizing UAC Information Dialog
  Customizing On Demand (Shell Rule) Right-Click Menu Option
  Setting up Logging
Troubleshooting
  Rules Have No Effect
  Compatibility Issues with Some Applications
  Other Problems
  Logging and Tracing
  Tracing with Policy Monitor (polmon.exe)
  Adding Logging and Tracing Options to a GPO
  Logging and Tracing Options
  Client Side Tracing
  Event Logging
  Using the Windows Event Viewer
  Enabling Logging
Appendix A: Group Policy Primer
  Introduction to Group Policy
  Organization
  Group Policy Objects and Storage
  Editing Group Policy
  Applying Group Policy
  Group Policy Reporting
  Creating and Editing a GPO
Appendix B: Settings in the Administrative Templates
  Group Policy Settings
  Policy Processing Setting Sheet
  License Policy Processing Settings Sheet
  Security Driver Settings Sheet
Glossary
Index

Introduction

This guide provides the instructions for using BeyondTrust PowerBroker for Desktops Windows Edition (PowerBroker Desktops), and contains information about product features, benefits, functions, unique concepts, and basic procedures. If you have not yet installed the product, see the PowerBroker Desktops Installation Guide. If you are upgrading from one version to a higher version, see the PowerBroker Desktops Upgrade Guide.

The following sections include the document conventions, list of documentation for the product, and where to get additional product information and technical assistance.

Conventions Used in This Guide

Specific font and linespacing conventions are used in this book to ensure readability and to highlight important information such as commands, syntax, and examples.

Font Conventions

The font conventions used for this document are:

- Courier New Font is used for program names, commands, command arguments, directory paths, variable names, text input, text output, configuration file listings, and source code. For example:
  C:\Documents and Settings\All Users
- Courier New Bold Font is used for information that should be entered into the system exactly as shown. For example:
  pbdeploy.exe
- Courier New Italics Font is used for input variables that need to be replaced by actual values. In the following example, the variable MyServer must be replaced by an actual environment server name and the variable MyFolder must be replaced by an actual folder name:
  \\MyServer\MyFolder\pbwdcl32.msi
- Bold is used for Windows buttons. For example: Click OK.

Linespacing Conventions

The linespacing of commands, syntax, examples, and computer code in this manual may vary from actual Windows and Unix/Linux usage because of space limitations. For example, if the number of characters required for a single line does not fit within the text margins for this book, the text is displayed on two lines with the second line indented as shown in the following sample:

C:\windows\sysvol\domain\Policies\<GUID>\<Machine or User>
    \Privilege Manager

Where to Go Next?

For licensing information and installation instructions for PowerBroker Desktops, see the PowerBroker Desktops Installation Guide. For detailed information and advanced procedures for PowerBroker Desktops, see the PowerBroker Desktops User Guide.

Documentation Set for PowerBroker Desktops

The complete PowerBroker Desktops documentation set includes the following:

- PowerBroker Desktops Getting Started Guide
- PowerBroker Desktops User Guide
- PowerBroker Desktops Installation Guide
- PowerBroker Desktops Upgrade Guide
- PowerBroker Desktops online help

Obtaining Support

BeyondTrust provides an online knowledge base, as well as telephone and web-based support. In addition, when working with any PowerBroker Desktops item, you can click the Help button to view detailed information about available options.

Available Resources

The PowerBroker Desktops Knowledge Base provides information and solutions to many known problems and issues. Registered users can access the Knowledge Base at:

To read about the other BeyondTrust products, see our corporate Web site at:

Before Contacting Technical Support

Be sure to read this section before contacting technical support.

Tip: Is the PowerBroker Desktops Client Running? A computer must have the PowerBroker Desktops client installed and running to recognize rules. If a computer does not respond to a rule or a policy, make sure that the client is installed and activated on the computer. Run the polmon.exe utility on the computer to check for client activation and functionality.

Obtain as much information about the problem as possible using PowerBroker Desktops troubleshooting tools, such as:

- Policy Monitor
- Trace options
- Event logging
- Resultant Set of Policy (RSoP) logging

To expedite support, collect the following information:

- Image or the full text of any error messages
- Context of the problem, including affected platforms
- How to reproduce the problem
- For client problems: A copy of the XML configuration data that produces the problem, trace output, event log messages, and RSoP reporting data if available

Contacting Support

If you encounter problems during your installation that are not covered in the documentation, contact BeyondTrust technical support at pbwd-support@beyondtrust.com or, if you are located in the United States, you can call:

Telephone:
Hours: Staffed 24 hours per day, seven days per week.

Web: Use the following instructions to contact technical support from the BeyondTrust Web site:

1. Browse to:
2. Log into the BeyondTrust Support Web site.
3. Scroll down the page to the section and click Create Ticket to file an incident report.

When contacting BeyondTrust technical support, provide the following information:

- Your company name
- Telephone and address where you can be contacted
- Description of the problem and the steps you have taken to resolve it

Product Overview

In many organizations, higher levels of privileges are often given to common users so that they can run an application or perform mundane system tasks such as mounting a printer or setting the system clock. However, granting such privileges creates significant vulnerability to network security. When credentials are elevated, common users can perform a wide variety of tasks beyond the scope of their responsibility and authority.

In a truly secure environment, users are given rights to only the resources they need, and only when they need the resource. Ideally, all users are assigned Least Privileged User Accounts (LUA). This means that they have minimal rights in the overall network context. Unfortunately, in the Windows environment, many applications and processes require elevated rights in order to be launched and run.

How PowerBroker Desktops Works

PowerBroker Desktops allows you to create rules (group policy items) that define and govern how individual processes and applications are assigned rights. By creating a rule, you determine the specific permissions and privileges assigned to an application. When a user launches the application, the rule is communicated to the client computer as a matter of policy. The following illustration depicts the role of PowerBroker Desktops within the enterprise as it monitors launch events and adjusts privileges.

In addition to application rules, you can create rules that apply to system tasks and processes, as well as to individual users. Using these rules, you might provide access to system clock functions for all users. You might also limit the ability to launch and run a spreadsheet application to users or computers in the Finance organizational unit (OU). By customizing access in this way, you match security restrictions to the needs of your organization. At the same time, you provide protection to the network while maintaining user productivity.

PowerBroker Desktops communicates privilege configuration within the Windows Group Policy framework. When Group Policy is refreshed, PowerBroker Desktops rules take effect. They are enforced any time the related application or process launches.

The PowerBroker Desktops user interface, running within the Windows Group Policy Management Editor (GPME), displays as shown in the following example:

In this Windows GPME example, the PowerBroker Desktops node is selected under Computer Configuration, Policies, BeyondTrust. A second PowerBroker Desktops node is displayed under User Configuration, Policies, BeyondTrust. Because the Computer Configuration, Policies, BeyondTrust node is selected, the right pane lists various rules and policies that were created by the administrator to apply to a specific computer. These rules determine, on a specific machine, how a process or an application is accessed and run.

PowerBroker Desktops Architecture

PowerBroker Desktops provides a kernel-mode security driver that resides on the client computer. This security driver is deployed and installed in a single installer package (.MSI) that also contains the Group Policy client-side extension (CSE) and the Windows Management Instrumentation (WMI) namespace for reporting the Resultant Set of Policy (RSoP), and machine state model data. Most organizations deploy this MSI by using Group Policy or their preferred software distribution technology.

The security driver monitors process launches on the client machine and checks each launch against the rules communicated to the client through Group Policy. When a rule exists, the security driver intercepts the launch event and modifies the security token for that process according to the instructions contained in the rule.

The benefits of this approach include:

- No secondary accounts are required (unlike Run As style solutions).
- Security exposure is not increased.
- Applications that need to write to HKEY_CURRENT_USER do not fail because the process still launches under the authenticated user.

This enables a common user to perform specific tasks and operations that normally require administrator-level privileges.

For more information about PowerBroker Desktops rules, review the product FAQ in the Knowledge Database on the BeyondTrust web site. After registering with the Web site, you can access the knowledge base at:

Licensing and Operating Modes

There are two types of PowerBroker Desktops licenses:

- Registered Product - You have purchased software licenses or obtained a license from BeyondTrust or an authorized reseller and have imported a registered license. The product is fully functional and can be used for multiple domains.
- Evaluation Product - You have installed PowerBroker Desktops with a temporary license. The product is fully functional, can be used across multiple domains, but has an expiration date encoded in the license.

A fourteen (14) day grace period is implemented for license expiration. If the term of the license is exceeded, CSEs will report a warning to the event log while operating within 14 days of the last successful license check. If the grace period is exceeded, the CSEs will not process policy for the GPO and an error will be written to the event log.

Demonstration Mode

When no license is present, PowerBroker Desktops runs in Demonstration mode. In this mode, all rules are fully functional within a Local GPO, but the product will process (enforce) only template rules from a network GPO. Template rules are preconfigured rules specific to an operating system. They are accessible from the ellipsis button on the Application tab of the Properties dialog in the Path, Shell, and UAC rules.

The advantage of Demonstration mode is that it allows the configuration and deployment of template rules without the requirement of a license. In addition, it supports the creation of most rule types so you can gain familiarity with rules and policy making. However, even though most types of rules can be created, non-template rules are not functional at the domain level.

When a license is eventually acquired, all rules (template and non-template) created in Demonstration mode become fully functional and can be deployed across the domain without modification. This leverages the time you invested and the experience you gained with PowerBroker Desktops.

Note: In Demonstration mode, the following template rules are not available: Add Printers, Add Plug and Play Devices, and configuration of network settings.

Obtaining an Updated License Key for V5.0

Version 5 of PowerBroker Desktops requires a unique license key. As a result, you cannot apply a license from a previous PowerBroker Desktops version to version 5. To acquire a version 5 license key, contact BeyondTrust using one of the following methods:

- Send a key request to: sales@beyondtrust.com
- Phone - Contact your BeyondTrust sales representative directly by calling:

Sales staff will authorize and create a license key for your PowerBroker Desktops installation.

Getting Started with PowerBroker Desktops

PowerBroker Desktops enables you to create rules in the Group Policy Management Editor (GPME). Each PowerBroker Desktops rule elevates or reduces the permissions and privileges of a Windows application or process at runtime. A rule can also elevate or reduce the permissions and privileges of an MSI package or an ActiveX control when they launch.

Rules can be created manually using the rule Wizard or the Rule Properties dialog. Rules can also be generated automatically using the automatic rule generator. Rule generation is a good way to assemble a basic rule set for your organization. This set of rules can then be refined to meet your specific needs. For increased targeting granularity, you can use item-level targeting to apply rules to selected computers or specific users.

Using the Management Dashboard

The PowerBroker Desktops Management Dashboard is your gateway to a more secure enterprise. From the dashboard you can access information, tools, and reports related to rule application and operation. The dashboard contains three major sections:

- Getting Started - Provides links to online help and other useful information resources.
- Tools and Wizard - Provides access to rule creation and generation wizards, and the rule property sheet.
- Rule Summary - Provides access to summary-level information about the rules in use, including rule types, numbers of rules and more. It also provides access to individual rule settings reports and XML reports. A rule's settings report provides a quick picture of the rule's attributes and permissions. A rule's XML report displays the XML coding that represents a rule in the client's environment.

To view the dashboard, select a BeyondTrust node in the Group Policy Management Editor. The dashboard will open in the right pane of the editor.

In the dashboard shown in the following example, the Overview and Tools and Wizard sections are expanded. Note the Disable Wizard button in the Tools and Wizard section. This button allows you to turn off the wizard and thereby gain access to the rule property sheet for the manual rule creation.

Interpreting Dashboard Reports

The Rule Summary section of the dashboard provides reports that document all the rules in use and the configuration of each rule. Two types of reports are available:

- Settings Report - The Settings report is an easy-to-read, HTML-based report that documents all the configuration parameters of all rules. Rules are presented by type (Path, Hash, and so forth) and listed in the order in which they appear in the application security file. Use the Settings report to gain an overview of how a rule is configured and the effect the rule has on its target application.
- XML Report - The XML report provides the actual XML notation that represents the rule. This notation specifies all the configuration parameters of a rule. Rules are presented by type (Path, Hash, and so forth) and listed in the order in which they appear in the application security file. Use the XML report to view the internal operation of a rule and to understand how it interacts with its target application.

A typical dashboard Report Summary screen looks similar to the following. Clicking on the Settings Report icon in the Path rules row displays the settings report for each Path rule in the system.

Rule Types and Tasks

PowerBroker Desktops enables you to create rules with targeting options appropriate to many different situations and tasks. Use the following tables as a guide to creating the types of rules you need, based on what you want to accomplish.

In the following table, specific application limitations are listed in the left column and the rule types used to implement a limitation are suggested in the right column.

Table 1. Security Situations and the Rules to Control Them

| To modify permissions and privileges of | Select a |
|---|---|
| A Windows process | Path rule |
| A program in a specific location | Path rule |
| A specific program regardless of location | Hash rule |
| All applications published by a specific company | Publisher rule |
| All programs in a specific folder | Folder rule |
| A specific version of an application | Publisher rule |
| An MSI package in a specific location | MSI Path rule |
| All MSI packages in a specific folder | MSI Folder rule |
| All installations initiated by Internet Explorer | ActiveX rule |
| Specific installations initiated by Internet Explorer | ActiveX rule |
| Installation of all ActiveX controls | ActiveX rule |
| Installation of specific ActiveX controls | ActiveX rule |
| All applications on a certain CD or DVD | CD/DVD rule |
| Any application that a user specifies | Shell rule |
| An application that triggers a UAC prompt | UAC rule |

In the following table, various user management scenarios are listed in the left column. The right column lists the rule types that implement a solution.

Table 2. Management Scenarios and Rules to Control Them

| I want to | Select a |
|---|---|
| Elevate the permission level for restricted users performing a common Windows task or running an application requiring higher privileges | Path rule or Hash rule |
| Elevate the permission level for restricted users running any applications in a specific folder | Folder rule |
| Reduce the permissions for administrators when using applications such as Internet Explorer and Outlook | Path rule or Hash rule |
| Elevate all applications from a specific company | Publisher rule |
| Elevate a specific version of an application | Publisher rule |
| Provide a self-service software installation point for restricted users | Folder rule for executable and MSI Folder rule for MSI packages |
| Enable restricted users to use the Add Hardware wizard or prevent users from using the wizard | Path rule |
| Enable restricted users to add or remove plug and play hardware or prevent users from adding plug and play hardware | Path rule |
| Enable restricted users to shut down their computers | Path rule |
| Enable users to elevate applications on demand | Shell rule |
| Enable users to elevate all applications on a certain CD or DVD | CD/DVD rule |
| Enable certain users to use credentials in UAC dialogs to initiate application launch | UAC rule |

About Permission Levels

In a given rule, you can make modifications to the permissions of an application or a process when it is run. Permissions are defined by the security groups listed in the process token. With each rule, you can add security groups to or remove security groups from the application's process token. The effect is the same as making changes to the end-user's group memberships but only for a specific application.

About Privileges

In a rule you can also make changes to the privileges of an application or a process. With each rule, you can grant or deny privileges to the application. The effect is the same as if the privileges were granted or denied to the end-user but only for the specific application. This is especially useful because Windows grants as standard privileges the ability to Shut down the system and Take ownership of files or other objects. These are not tasks administrators want users capable of performing.

About Item-Level Targeting

Item-level targeting allows you to restrict to selected users and computers a rule's application of permission and privilege modifications. Using item-level targets in conjunction with rules you can manage a wider variety of users and computers with a smaller number of GPOs. For example within a single GPO, you can include similar rules customized for selected users and computers, with each targeted rule to apply its settings only to the relevant users or computers.

The item-level targeting editor, with the New Item menu open, looks similar to the following example. Note the various tool bar icons and menus.

PowerBroker Desktops provides more than 25 items that fine tune and enhance the application of security configurations to users and computers. When multiple items are specified, the Item Options menu provides access to boolean operators such as AND/OR and IS/NOT. Using these operators you can conjoin multiple items in a logical expression. In addition, collections of items can be named and saved. This feature is helpful when frequently used constraints must be applied repeatedly.

Using item-level targeting you can accomplish selective rule application such as:

Elevate the security of application X, but only for members of the Domain Admins security group.

Item-level targeting can be much more complex as you construct boolean-type expressions that determine how items are applied. For example, you might create the following item expression:

Modify the security of version of application X, but only for members of the Domain Admins security group when they launch the application on a specific computer.

GPO Backup Files

The PowerBroker Desktops snap-in has the functionality to create up to three GPO backup files using standard GPO backup procedures. These files contain the rule XML code that defines each rule you have created. You might want to create a backup file to store in a source control system for version control or to import into a PowerBroker Desktops utility such as PBDeploy.

Backup files are created in the Application Data directory. The directory path for the GPO backup files varies depending on the operating system, as shown in the following lists.

For Windows Server 2003 and Windows XP:
C:\Documents and Settings\All Users\Application Data\BeyondTrust\PowerBroker Desktops\GPOBackupData

For Windows 7 and Windows Vista:
C:\ProgramData\BeyondTrust\PowerBroker Desktops\GPOBackupData

GPO Backup File Name Format

The following formats are used for the GPO backup file names:

- AppSecComp_<GPOName>.xml
- AppSecUser_<GPOName>.xml

Backup File Name Examples

The following list shows examples of the GPO backup file names:

- AppSecUser_<GPOName>.xml
- AppSecUser_<GPOName>.xml.bk1
- AppSecUser_<GPOName>.xml.bk2
- AppSecUser_<GPOName>.xml.bk3

As a result of the Microsoft Application Data Folder Security rules, when multiple non-administrator users create group policy rules on the same machine, only the snap-in user that created the GPO or the snap-in users with administrator permissions are allowed to update the backup files. To avoid permission problems, grant the user the appropriate permissions in the GPOBackupData folder.
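Because these backup files carry the rule XML that decides which applications are elevated, it is worth inventorying them before they go into source control. The following Python code is an added example, not BeyondTrust code: it parses the documented file names, hashes each file, and reports drift against a reviewed baseline. The function names, sample GPO names and file contents are constructed for illustration, and the folder to scan is supplied by the caller.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Name format taken from the guide: AppSecComp_<GPOName>.xml or
# AppSecUser_<GPOName>.xml, with rotated copies ending in .bk1, .bk2 or .bk3.
BACKUP_NAME = re.compile(
    r"^AppSec(?P<scope>Comp|User)_(?P<gpo>.+)\.xml(?:\.bk(?P<gen>[1-3]))?$",
    re.IGNORECASE,
)


def parse_backup_name(name):
    """Split a backup file name into scope, GPO name and generation.

    Generation 0 is the current .xml file; 1-3 are the .bk1-.bk3 copies.
    Returns None when the name does not follow the documented format.
    """
    m = BACKUP_NAME.match(name)
    if m is None:
        return None
    return {
        "scope": m.group("scope").capitalize(),  # "Comp" or "User"
        "gpo": m.group("gpo"),
        "generation": int(m.group("gen") or 0),
    }


def inventory(folder):
    """Hash every file in the backup folder.

    Returns (records, unexpected): records maps file name -> parsed fields
    plus SHA-256; unexpected lists names outside the documented format.
    """
    records, unexpected = {}, []
    for path in sorted(Path(folder).iterdir()):
        if not path.is_file():
            continue
        parsed = parse_backup_name(path.name)
        if parsed is None:
            unexpected.append(path.name)
            continue
        parsed["sha256"] = hashlib.sha256(path.read_bytes()).hexdigest()
        records[path.name] = parsed
    return records, unexpected


def drift(records, baseline):
    """Compare current-generation files against a reviewed baseline.

    baseline maps file name -> SHA-256 recorded at the last review, for
    example the hashes of the copies committed to source control.
    """
    current = {n: r for n, r in records.items() if r["generation"] == 0}
    return {
        "changed": sorted(n for n, r in current.items()
                          if n in baseline and baseline[n] != r["sha256"]),
        "new": sorted(n for n in current if n not in baseline),
        "missing": sorted(set(baseline) - set(current)),
    }


def demo():
    """Run the inventory over a constructed folder (sample data, not real rules)."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        samples = {
            "AppSecComp_Workstations.xml": b"<rules version='constructed-2'/>",
            "AppSecComp_Workstations.xml.bk1": b"<rules version='constructed-1'/>",
            "AppSecUser_Finance OU.xml": b"<rules version='constructed-A'/>",
            "AppSecUser_Finance OU.xml.bk4": b"not a documented generation",
            "notes.txt": b"stray file",
        }
        for name, body in samples.items():
            (folder / name).write_bytes(body)
        records, unexpected = inventory(folder)
        baseline = {
            "AppSecComp_Workstations.xml":
                hashlib.sha256(b"<rules version='constructed-1'/>").hexdigest(),
            "AppSecUser_Kiosk.xml": "0" * 64,  # reviewed earlier, now absent
        }
        return records, unexpected, drift(records, baseline)


if __name__ == "__main__":
    records, unexpected, report = demo()
    for name, rec in records.items():
        print(f"{rec['scope']:4} gen={rec['generation']} {rec['sha256'][:12]}  {name}")
    print("unexpected:", unexpected)
    print("drift:", report)
```

A changed or new entry is a prompt to review the rule XML before it is committed or imported elsewhere; a name in the unexpected list is a file that the snap-in's documented naming does not account for.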

Working with PowerBroker Desktops Rules

A PowerBroker Desktops rule can elevate or reduce the permissions and privileges of a Windows application or process at runtime. In addition, a rule can do the same to an MSI package or ActiveX control. Using Group Policy Objects and item-level targeting, you can apply these security changes to selected computers and individual users.

A rule can be created in the following three ways:

- Using the Rule Wizard - By providing information to a multi-page wizard that creates a rule.
- Automatic Generation - By running the Rule Generator, which analyzes client machine application use and builds a set of rules based on that analysis.
- Manually - By using the rule property sheet to specify rule parameters and settings.

All three methods of rule creation are described in the following sections.

Using the Rule Wizard to Create a Rule

If you have a basic knowledge of rule types, the rule wizard provides an easy way to build a rule. The wizard guides you through all the steps required to configure and name a rule. Each wizard page corresponds to a tab in the rule property sheet. Helpful text prompts assist you in making configuration choices and selections.

The wizard can be enabled or disabled on the management dashboard using a button. When enabled, the wizard starts any time Create New Rule is selected. When the wizard is disabled, clicking Create New Rule opens a rule property sheet.

To create a rule using the rule wizard, do the following:

1. Open the management dashboard by selecting either of the BeyondTrust nodes in the Group Policy Management Editor.
2. Expand the Tools and Wizards section of the dashboard and ensure that the wizard is not disabled.

3. Click Create a New Rule.
4. On the first page of the wizard, select the type of rule you want to create.
5. Follow the prompts in the subsequent wizard pages to configure the rule.
6. On the last page of the wizard, provide a name for the rule, a description (optional), and click Create.

The new rule is added to the bottom of the rule list, and you are prompted to create another rule or to exit the wizard. After you have created a rule, you can edit it by opening its property sheet and changing values on various pages of this tabbed dialog.

Automatically Generating a Set of Rules

Manually creating a set of rules to control application access in a large organization is a daunting task. The Automatic Rule Generator automates rule creation by gathering data from machines running the PowerBroker Desktops client. This data includes information about the applications being used, the privileges they require, how they are launched, and the frequency of their use. Based on the collected data, the generator creates a file containing a set of XML-based rules. The administrator can review the generated rules, delete any rules deemed unnecessary, and copy the remaining rules to a production instance of the snap-in.

How Automatic Generation Works

When application state modeling is enabled on a client by turning on a setting in the administrative template, the client stores information about the application launch and application usage in the local registry in the form of a state model. By examining a client's state model, the rule generator gathers information about the applications used on the client.

The following general steps illustrate the rule generation process:

1. Access one or more target machines and collect state model data.
2. Store data in a SQLite database.
3. Analyze stored data and eliminate duplicate application information.
4. Build an XML rules file based on the collected data.
5. Save the database and the rules file to the specified directory.

Recommended Rule Generation Strategy

To use the rule generator most effectively, target machines that contain a typical collection of the applications used in your enterprise. During this initial data collection operation, be sure to enable the Detailed Rules check box. Using this option provides the most complete and comprehensive data set because multiple application instances are detected for each launch argument combination used to launch the application.

After this comprehensive data set is created, you can examine the resulting rules. In most cases, there will be redundant rules for a given application because of the variety of launch arguments used to start the application.

The final step is pruning the rules to eliminate duplicates. To prune the rules, run the rule generator on the stored data in the database. Disable the Detailed Rules check box during this operation. The resulting rule set will be significantly smaller and will not contain duplicate rules.

To further reduce the size of a rule set, include or eliminate applications from various companies. For example, you can include only rules for all applications signed by Microsoft, or you can completely eliminate rules for all applications signed by Microsoft. To do this, enter Microsoft either in the Create Rules ONLY for Company field or the Exclude Company from Rule Creation field.

Credential Issues

The rule generator must have administrative and remote access to any machine it inventories. As a result, when it is run on a large number of machines, it should be run with high-level administrative credentials to ensure that the generator can extract data from all the machines in the domain. Enter the credentials in the appropriate input fields.

In addition, the rule generator relies on Windows Management Instrumentation (WMI) for data collection. Therefore, WMI must be enabled on all client machines, switches, and other devices on the network.

Generated Files

The rules generator creates several output files. By default, these files are placed in the C:/beyondtrust directory. However, you can specify an alternate location. Generated files include one or more of the following types of files, depending on the rule creation operations performed:

- [machine_name]-autorules.xml - XML rule file that can be placed directly into the snap-in.
- PBDAutorules.db - SQLite database containing raw rule data.
- PBDautorules-Detailed.xml - Verbose version of generated rules in which application arguments were included during rule generation. Rules can be pasted directly into the snap-in.
- PBDutorules-Consolidated.xml - Consolidated version of generated rules in which application arguments were ignored during rule generation. Rules are based on the application location (path). Rules can be pasted directly into the snap-in.

Rule Generator User Interface

The rule generator provides an easy-to-use interface in which you can enter information and make selections. The following screen illustrates the rule generator dialog with numbers corresponding to the following selections:

1. Input area for targeting information.
2. Rule generation status panel.
3. Detailed or consolidated rule generation control.
4. Directory path for generated rule files.
5. Exclude and Include text entry fields.
6. Rule XML report directory.
7. Computer and database generate buttons.
8. Close dialog or Stop generation button.

Rule Generation Options

Several options are available in the rule generator user interface that can be used when generating rules. The options you enable determine the type of rule set that you create. The following options can be used when generating rules:

- Auto Search Domain - When enabled, this check box directs the rule generator to detect all machines in the native domain. Machine names are placed in the scrolling list to the right of the check box. You can select one or more machines directly from the list.
- Domain Name - Displays the name of the native domain of the snap-in machine.
- Login name - Name of a valid admin-level account on the target machine.
- Password - Password associated with the login name.
- Create Rules from Computer - Initiates data collection and rule generation using the data obtained directly from the application inventory of the specified computer.
- Create Rules from Database - Initiates rule generation from previously inventoried data that resides in the rule generator database.
- Exclude Company from Rule - Allows you to ignore applications from one or more companies. The rule generator examines the company name in an application's certificate and skips the application if the name matches a name entered in the Exclude Company From Rule field. Use this feature to avoid creating rules for products from a specific company. Separate multiple names using a plus (+) sign.

- Create Rules ONLY for Company - Allows you to generate rules for applications from specific companies. The rules generator examines the company name in an application's certificate and builds a rule for the application only if the company name matches a name entered in the Create Rules ONLY for Company field. Use this feature to build a comprehensive rule set for a suite of applications from a single company, such as Microsoft. Separate names with a plus (+) sign.
- File Directory to Save Rules - By default, the rules generator saves its output to the location C:\beyondtrust. However, you can direct the rules generator to save output to any location, including a mapped drive. When you click this field, a file explorer opens allowing you to navigate to an alternate location.
- View Reports - This field indicates the location of the rules generator output files. When you click this field, a file explorer opens enabling you to open and review the contents of XML rule files created by the rules generator. The resulting reports provide all the data necessary to understand how a rule is being applied.
- Detailed Rules - Enables verbose generation mode. By default, this feature is disabled. When enabled, the generator creates multiple rules for each launched instance of an application, based on the arguments used to launch the application. Detailed mode usually results in many more rules being created and also in rule redundancy. However, it is useful because it allows you to detect every launch instance of a given application and obtain an overview of how, where, and by whom an application is being used.

Generated Rule XML Files

The rule generator produces two types of XML files, depending on whether or not the Detailed Rules check box is enabled. These files are:

- Detailed Rule XML File - This file contains rules for every detected instance of an application. That means that multiple rules are often created for a single application because the application is started with different arguments.
- Consolidated Rule XML File - This file has been purged of duplicate rules and contains rules based ONLY on application location (path). The reduction in rules can be dramatic, often fifty percent or more. In most cases, these location-specific rules provide an acceptable level of security while simplifying rule tracking and management.

Viewing Rule Generation Reports

The rule generator provides two easy-to-read reports based on the XML rule file it has created. You can view these reports by placing the cursor on the View Reports field and double-clicking an XML report file name. A report opens in Internet Explorer that details the following for each rule:

- Rule Name - Name assigned to the rule by the rule generator. You can change this name.
- Rule Type - Type of rule generated. For example, Path indicates a path rule.
- Program - Name of the application or executable the rule targets as defined by the full path to the executable. For example: C:\Windows\system32\mmc.exe
- Args - Any launch arguments used to start the application or executable. For example: c:\windows\system32\gpedit.msc
- Hash - Hash code of the application or executable.
- Description - General information about how the application is used, including: first launch, last launch, number of launches, number of launches managed by, and the user security ID associated with the most recent launch.

By reviewing the reports, you gain an understanding of the logic and operation of a generated rule.

Using Generated Rules

After you have successfully generated a rule set and reviewed the rules, you can place the generated rule XML file directly into the snap-in. The rules are then distributed to clients and take effect after the next group policy update.

Troubleshooting Generation Problems

The rule generator requires that several processes and programs are available on any machine it inventories. When an error occurs, the rule generator indicates the type of error in its status window. Some of the more common errors that may be encountered are discussed in the following sections.

Invalid Name Space Errors

The rule generator uses the client as a data collection engine. This means that the client must be running on any machine that is inventoried by the generator. If the client is not running, an error occurs when the generator attempts to connect to and survey the machine. The error reported in this situation is similar to the following:

    Targeting: [machine_name].[domain_name]
    Attempting to access and extract data from [machine_name]
    Failed to access WMI Application State data.
    Invalid namespace
    Errors have been detected.

When you see a namespace error, use the Policy Monitor utility on the client machine to check the operational status of the client. The client should be running with rules and policies loaded successfully.

Access Denied Errors

The rule generator relies on Windows Management Instrumentation (WMI) for data collection. If WMI is not enabled on the client machine and throughout the network, rule generation will fail. The error reported in this situation is similar to the following:

    Targeting: [machine_name].[domain_name]
    Attempting to access and extract data from [machine_name]
    Failed to access WMI Application State data.
    Access is denied. (Exception from HRESULT: 0x (E_ACCESSDENIED))
    Errors have been detected.

RPC Server Errors

A Remote Procedure Call (RPC) error indicates that a machine is inaccessible. The cause of this error is usually one of the following:

- The machine is not powered on.
- The firewall is blocking access to the machine.
- The network switch between the machine and the rule generator has WMI disabled. This issue can be verified by checking the status of TCP port 135. This port should not be blocking WMI.

The error reported in this situation is similar to the following:

    Targeting: [machine_name].[domain_name]
    Attempting to access and extract data from [machine_name]
    Failed to access WMI Application State data.
    The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
    Errors have been detected.
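When the generator is run against many machines, the three error types above can be sorted per machine from saved status text. The following is an added example, not part of the guide or the product: the sample text, machine names, cause labels and the assumption that a block without error text means no error was reported are all constructed for illustration.

```python
import re
from collections import Counter

# Error text -> (label, next check). The checks paraphrase the guide's
# troubleshooting sections; the labels are names chosen for this example.
CAUSES = [
    (re.compile(r"invalid\s+namespace", re.I), "client-not-running",
     "Run Policy Monitor on the client; it must be running with rules and policies loaded."),
    (re.compile(r"access is denied|E_ACCESSDENIED", re.I), "access-denied",
     "Confirm WMI is enabled and the account has administrative and remote access."),
    (re.compile(r"RPC server is unavailable|0x800706BA", re.I), "rpc-unavailable",
     "Confirm the machine is powered on and no firewall or switch blocks WMI (TCP port 135)."),
]

# Constructed status text; machine and domain names are placeholders.
SAMPLE_STATUS = """\
Targeting: PC-ACCT-01.corp.example
Attempting to access and extract data from PC-ACCT-01
Failed to access WMI Application State data.
Invalid namespace
Errors have been detected.
Targeting: PC-ACCT-02.corp.example
Attempting to access and extract data from PC-ACCT-02
Failed to access WMI Application State data.
Access is denied.
Errors have been detected.
Targeting: PC-SALES-03.corp.example
Attempting to access and extract data from PC-SALES-03
Failed to access WMI Application State data.
The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
Errors have been detected.
Targeting: PC-ENG-07.corp.example
Attempting to access and extract data from PC-ENG-07
"""


def split_targets(text):
    """Cut the status text into one block per 'Targeting:' entry.

    Works whether or not the original line breaks survived, because it keys
    on the 'Targeting:' marker rather than on line boundaries.
    """
    starts = [m.start() for m in re.finditer(r"Targeting:", text)]
    return [text[a:b] for a, b in zip(starts, starts[1:] + [len(text)])]


def classify(block):
    """Return machine, domain, cause label and next check for one block."""
    m = re.match(r"Targeting:\s*(\S+)", block)
    machine, _, domain = (m.group(1) if m else "").partition(".")
    result = {"machine": machine, "domain": domain}
    for pattern, label, check in CAUSES:
        if pattern.search(block):
            return {**result, "cause": label, "next_check": check}
    if re.search(r"Failed to|Errors have been detected", block, re.I):
        return {**result, "cause": "unclassified",
                "next_check": "Read the full status text for this machine."}
    # Assumption: a block with no error text means no error was reported.
    return {**result, "cause": "no-error-reported", "next_check": ""}


def triage(text):
    """Classify every target found in the status text."""
    return [classify(block) for block in split_targets(text)]


def summary(results):
    """Count targets per cause, to see which fix unblocks the most machines."""
    return Counter(r["cause"] for r in results)


if __name__ == "__main__":
    for row in triage(SAMPLE_STATUS):
        print(f'{row["machine"]:<12} {row["cause"]:<20} {row["next_check"]}')
    print(dict(summary(triage(SAMPLE_STATUS))))
```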

Manually Creating a Rule

You can use the rule property sheet to manually create a rule. The property sheet is a tabbed dialog that provides access to all rule settings and parameters. The general steps for creating a rule using the property sheet are:

- Disable the rule wizard.
- Open the rule property sheet.
- Choose a rule type.
- Target an application or process for which to modify permissions and privileges.
- Modify the permissions for the targeted application or process.
- Optional. Modify the privileges for the targeted application or process.
- Optional. Specify the integrity levels for the targeted application or process.
- Optional. Apply item-level targeting to the rule so that it is targeted at specific users and computers.

The following section provides instructions for creating and configuring a rule.

To manually create a rule, do the following:

1. Open the Group Policy Management Editor (GPME). (For detailed instructions, see Creating and Editing a GPO, page 99.)
2. Access the management dashboard and disable the rule wizard by checking the Disable Wizard check box.
3. To create a rule that applies to a computer or user, use the appropriate instructions:
   - For a computer - Click Computer Configuration, Policies, BeyondTrust, PowerBroker Desktops.
   - For a user - Click User Configuration, Policies, BeyondTrust, PowerBroker Desktops.
4. Right-click the PowerBroker Desktops node and select Create New Rule.

Note: When the wizard is disabled, clicking Create a new Rule on the dashboard opens the rule property sheet.

5. To modify an existing rule, right-click the rule and select Properties.
6. To continue, see Targeting an Application or a Process with a Rule, page 34.

Tip: Duplicating a rule
You can copy and paste (or drag and drop) a rule in the Group Policy Management Editor to create a duplicate rule. You can then modify the duplicate rule.

Targeting an Application or a Process with a Rule

To modify the security for an application or a process, you must first create a rule based on information about the target application or process. This rule modifies the security token associated with the application.

Use the following rule types to define the targeted application:

- Path - Target an application by its file path location
- Publisher - Target an application by its digital signature
- Folder - Target all applications by their folder
- Hash - Target an application version regardless of location
- ActiveX - Target the installation of a specific ActiveX control, all ActiveX controls, or any installation initiated by Internet Explorer
- CD/DVD - Target all applications on a CD or DVD
- MSI Path - Target an MSI package by its location
- MSI Folder - Target all MSI packages in a folder
- Shell - Enable users to elevate any application on demand
- UAC - Target all applications started by UAC

For additional help in determining the type of rule you need, see Rule Types and Tasks, page 19 to view reference tables of tasks and appropriate rules.

Using the Rule Properties Dialog

The Rule Properties dialog contains all of the settings that can be applied to a rule. This dialog is where you select a rule type and customize the rule. Each tab in the dialog presents different settings and options. In the following screen, the Application tab is selected.

Note: Context-sensitive help is available for each tab in the Properties dialog.

In the following screen, the Rule drop-down menu displays the various rule types available and the Publisher rule is selected.

Using Wild Cards in Rules

Two wild card characters are supported in various rule text input fields in the rule property sheet. Rules that support wild cards include:

- Publisher - In the Product name, File name, or Product version fields
- Shell - In the Arguments field
- Path - In Path and Arguments fields
- Hash - In Arguments field
- Folder - In Folder field
- MSI Path - In Package field
- MSI Folder - In Folder field
- UAC - In Path field

Observe common conventions when using the following wild card characters:

- * - Replaces one or more characters in a string
- ? - Replaces an individual character in a string

The net effect of a wild card in the rule text input fields is to make a rule or an argument more generic, which may not always be in the best interest of the rule.

For example, when using wild cards for path rules, you want to make the path as specific as possible to keep the rule secure. Wild card placement in the following argument makes the rule very broad and can potentially allow abuse. However, by placing the wild card argument and using the following text, it narrows the wild card's reach: In this example, specifying as much as possible of the actual URL prevents a standard user from downloading unapproved files from unforeseen locations.

Another typical use for a wild card is in a setting in which a naming convention is used to represent hardware. In this case, a wild card can be substituted for certain name elements. For example:

    \\corporateserver_accounting1
    \\corporateserver_accounting2
    \\corporateserver_sales
    \\corporateserver_engineering
    \\corporateserver_marketing

can be addressed using the following wild card notation:

    \\corporateserver*

Wild Cards and Subfolders

A check box setting available in many rule types can change rule behavior when a wild card is used. The following setting allows a rule to traverse a directory structure: Apply rule to all programs in all subfolders of the specified folder.

When this setting is enabled and a wild card is used, the rule behaves as described in Table 3. For this example, the rule path statement or argument uses the following statement, where the wild card represents a folder:

    C:\Folder1\*\my.exe

Table 3. Rule Behavior for C:\Folder1\*\my.exe

    Subfolder Setting Is Enabled   Executable Path                      Exe File Is Elevated
    ----------------------------   ----------------------------------   --------------------
    No                             c:\folder1\my.exe                    No
    Yes                            C:\Folder1\my.exe                    No
    No                             C:\Folder1\Folder2\my.exe            Yes
    Yes                            C:\Folder1\Folder2\my.exe            Yes
    No                             C:\Folder1\Folder2\Folder3\my.exe    No
    Yes                            C:\Folder1\Folder2\Folder3\my.exe    Yes

As shown in the previous table, when the subfolder setting is enabled, the rule searches through the subdirectory structure looking for a match until it finds one. In addition, if the * wild card is substituted for the executable name (*.exe), all executable files in the directory structure then have the rule applied. This technique is often used to apply a rule to multiple applications stored in a hierarchical directory structure.

Path Rule - Target by Location

To target an application or process based on its location so that you can modify its permissions or privileges when it is run, do the following:

1. Using the rule wizard or, on the Application tab in the Properties dialog box, select Path rule to target an application by its program file path.
2. Enter a path or click to select a process or application. Based on your operating system software, you can choose from a variety of template rules.

3. Select one of the following:
   - A process running on your computer.
   - A standard Windows process, such as Add or Remove Programs or Display. Select the specific Windows version (and in some cases the service pack) and whether to target the Control Panel, Desktop, or Task bar process.
   - An application.
   - An executable file. Click Select a File to navigate to an executable file, which can be either a local file or a file on a network share path.

   It is recommended that you create rules based on network share paths using the fully qualified UNC (universal naming convention) paths, such as \\MyServer\MyFolder\MyApp.exe. If necessary, mapped drives may be used. When you create a rule based on a mapped drive, check Allow use of mapped drive letter in path on the Options tab.

   Note: Because a limited user has the ability to change a mapped drive, checking this option presents a security risk because it can enable the user to elevate an unintended application.

   If the following Default Security Settings dialog displays, you can click Yes to automatically populate the permissions and privileges needed for this task:

   Selecting Yes is recommended to simplify identification of these permissions and privileges even if your intention is to restrict them. You can modify these security settings when you configure options on the Permissions and Privileges tabs.

4. Optional. Select additional targeting options:
   - To target this application only if specific command line arguments are used when the application is launched, enter the Arguments. This field is not case-sensitive. Depending on your Path selection, the field may be automatically populated.
   - To target this application regardless of any command line arguments specified when the application is launched, leave this field blank.
   - To apply the rule only if the users type in their password, select Apply rule only if user can authenticate (must provide credentials).
   - To require the users to type a justification for the elevation, select Require user to enter text justification. If this check box is enabled, the users are prompted to enter an explanation each time they elevate an application.
   - To target all applications in subfolders of this folder, select Apply rule to all programs in all subfolders of the specified folder.
   - To target this application only if it is a local file owned by the Administrators group, select Apply rule only if program is owned by the Administrators group. (To target a specific file regardless of location, use a Hash rule instead.)
   - To cause processes launched by this application to inherit these permission or privilege changes, select Apply rule to all processes launched by the targeted application.

5. To continue, see Modifying Permissions, page 66 or Modifying Privileges, page 68.

Tip: Using variables and partial command lines
You can use variables in the Path and Arguments fields. For a list of variables, click the field and press F3, then double-click to select. You can also use wild card characters in the Path and Arguments fields. Two wild cards are supported:

- * - Can replace one or more characters
- ? - Can replace any individual character

You can use a partial command line in the Arguments field. A partial command line is considered a match as long as each character from left to right matches the beginning of the actual process command line.

Path Rule Examples

The path rule can be used in creative ways to target a variety of objects other than major applications. The following examples demonstrate how the Path rule can be applied to scripts, batch files, registry operations, and more.

Elevate IE for a Specific Web Site

A unique application of a Path rule is to elevate Internet Explorer when the users access a specified Web site. This functionality is available only for IE versions 7, 8, and 9.

To elevate IE 7, 8, or 9 for a specific Web site, do the following:

1. Create a Path rule with the following settings:
   - Path - Full path to the iexplore.exe file
   - Arguments - URL of Web site to be elevated
   - Permissions - Add BUILTIN\Administrators
   - Integrity Level - Medium recommended

When the user browses to the specified Web site, a second instance of IE will launch in a new window with elevated permissions. The title bar in the new window will reflect the fact that IE is running in an elevated state, and Rule Applied will display in the lower-left corner of the new window.

If the user browses from one specified site to another, the rule is not reapplied. Another rule that includes the second URL is required for any additional Web sites. When multiple IE elevation rules are required, make sure that permissions, privileges and integrity levels are consistent for all rules.

The following figure shows a typical IE elevation Path rule Properties dialog:

Note: Elevation of Internet Explorer 9 - IE 9 elevation is not as obvious as elevation in other IE versions. In a default IE 9 installation, the only elevation indicator is BT on the page tab. Title bar & status bar elevation information is not displayed. You can set IE 9 preference to enable the status bar. Toggle the ALT key and the menu bar appears or disappears. To view the Status bar, right-click in a blank area and then enable Status Bar in the menu.

Elevate a Visual Basic Script

To elevate a script, create a rule to point to the scripting host. In the arguments field, target the rule to the specific script you would like to elevate to prevent the user from elevating any script.

The following figure shows a Path rule that elevates a script:

Taking another approach, you can enter WindowsServer\Netlogon in the Path field without a file specified. This approach elevates all scripts in the Netlogon folder. As another alternative, you can use a Folder rule.

Elevate a Registry Merge

To elevate a registry merge, add the path to regedit.exe. In the arguments field, scroll down to the registry file you wish to elevate as shown in the following example:

Note: The elevation of the *.reg and script files is targeted to the item in the arguments field; the user cannot self-elevate any script or *.reg file on their own when an argument is present.

Elevate a Batch File

A batch file is actually an application and can be treated as one with regard to elevation. As a result, you can elevate a batch file by specifying the path to (or hash of) the batch file as shown in the following example:
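To review how broad a Path rule is before deploying it, the matching behavior described in Table 3 and in the tip on partial command lines can be modeled and run against an application inventory. This is an added example, not the product's code: the matching model (a wild card never crosses a backslash, paths compared without regard to case, Arguments compared as a prefix) is an assumption chosen to reproduce Table 3, and the launch inventory is constructed.

```python
import re
from dataclasses import dataclass


def _segment_regex(segment):
    """One path segment: '*' = one or more characters, '?' = exactly one."""
    parts = []
    for ch in segment:
        if ch == "*":
            parts.append(r"[^\\]+")
        elif ch == "?":
            parts.append(r"[^\\]")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def path_matches(pattern, path, subfolders=False):
    """Model of Path matching with the subfolder check box off or on."""
    *pat_dirs, pat_file = pattern.split("\\")
    *act_dirs, act_file = path.split("\\")
    if not _segment_regex(pat_file).fullmatch(act_file):
        return False
    if len(act_dirs) < len(pat_dirs):
        return False                      # program sits above the rule folder
    if len(act_dirs) > len(pat_dirs) and not subfolders:
        return False                      # deeper folders need the check box
    return all(_segment_regex(p).fullmatch(a)
               for p, a in zip(pat_dirs, act_dirs))


def args_match(rule_args, actual_args):
    """Blank matches any arguments; otherwise a case-insensitive prefix match."""
    if not rule_args:
        return True
    parts = [".+" if ch == "*" else "." if ch == "?" else re.escape(ch)
             for ch in rule_args]
    return re.match("".join(parts), actual_args, re.IGNORECASE) is not None


@dataclass(frozen=True)
class PathRule:
    path: str
    args: str = ""
    subfolders: bool = False

    def covers(self, program, arguments=""):
        return (path_matches(self.path, program, self.subfolders)
                and args_match(self.args, arguments))


def covered_launches(rule, launches):
    """Return the inventoried launches that the rule would apply to."""
    return [launch for launch in launches if rule.covers(*launch)]


# Rows of Table 3: (subfolder setting, executable path, elevated).
TABLE3 = [
    (False, r"c:\folder1\my.exe", False),
    (True, r"C:\Folder1\my.exe", False),
    (False, r"C:\Folder1\Folder2\my.exe", True),
    (True, r"C:\Folder1\Folder2\my.exe", True),
    (False, r"C:\Folder1\Folder2\Folder3\my.exe", False),
    (True, r"C:\Folder1\Folder2\Folder3\my.exe", True),
]

# Constructed inventory of (program, arguments) pairs, in the style of the
# Program and Args columns of the rule generation report.
LAUNCHES = [
    (r"C:\Folder1\my.exe", ""),
    (r"C:\Folder1\Folder2\my.exe", ""),
    (r"C:\Folder1\Folder2\Folder3\my.exe", ""),
    (r"C:\Windows\system32\mmc.exe", r"c:\windows\system32\gpedit.msc"),
    (r"C:\Windows\system32\mmc.exe", r"c:\windows\system32\services.msc"),
]

if __name__ == "__main__":
    for enabled, exe, expected in TABLE3:
        got = path_matches(r"C:\Folder1\*\my.exe", exe, enabled)
        print(f"subfolders={enabled!s:<5} {exe:<36} elevated={got} (table: {expected})")
    for rule in (PathRule(r"C:\Windows\system32\mmc.exe"),
                 PathRule(r"C:\Windows\system32\mmc.exe", r"c:\windows\system32\gpedit.msc"),
                 PathRule(r"C:\Folder1\*\*.exe", subfolders=True)):
        print(rule, "->", len(covered_launches(rule, LAUNCHES)), "launches covered")
```

A rule that covers more launches than intended is a candidate for a longer Arguments value, a more specific path, or a Hash rule.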

Publisher Rule - Target by Digital Signature

Use the Publisher rule to target a digitally signed file by any element of its digital signature.

Note: As of V5.0, the Publisher rule replaced the Certificate rule. Existing Certificate rules are brought forward during an upgrade. However, to update these Certificate rules to the more advanced Publisher rules, you must open a Certificate rule in version 5 and then save it. After you do this, any additional version 4.x Certificate rules are updated to Publisher rules.

Signed files can include executable files, MSI files, DLL files, and so forth. Signature elements can include the name of publisher (company), the application name, the file version number, the date of release, and more.

After you have selected a signed file to target, the Publisher rule configuration dialog looks similar to the following:

Use the slider control to add items to the rule or enable Use custom values and enter items directly in the input fields.

Target by Publisher Only

Targeting the Publisher element of a signed file has several advantages: The file can move to any location and the rule will still apply. In addition, the file can be updated to a newer version and still be managed by the same rule.

To target a file by the Publisher element of its digital signature, do the following:

1. Using the rule wizard or, on the Application tab in the Properties dialog, select Publisher rule.
2. Select a signed file to target. You can select either of the following:
   - Process running on your computer (providing it is signed)
   - File. Click Select a file and navigate to the file.
3. Select the file. The name of the publisher displays in the Publisher field.
4. Optional. Select additional targeting options from the following:
   - To apply the rule only if the users authenticate using their Windows credentials, select Apply rule only if user can authenticate.
   - To apply the rule only if the user enters in a justification for the elevation, select Require user to enter text justification.
   - To target an application in this folder only if it is a local file owned by the Administrators group, select Apply rule only if program is owned by the Administrators group.
   - To cause processes launched by this application to inherit these permission or privilege changes, select Apply rule to all processes launched by the targeted application.

Target by Any Digital Signature Element

You can make a rule that targets a very specific instance of a signed file. This enables you to build granular Publisher rules that are based on individual characteristics of a file signature.

To target a file by an element of its digital signature, do the following:

1. Using the rule wizard or, on the Application tab in the Properties dialog, select the Publisher rule.
2. Select a signed file to target.
3. In the Signature dialog, use the slider control to select one or more of the following signature elements:
   - Publisher - Name of the specific software publisher
   - Product name - Name of the software product
   - File name - Name of signed file (EXE, DLL, MSI, and so forth)
   - Product version - Version number of the specific product release

   Tip: Broaden a Publisher rule's scope by using a wild card. You can broaden the scope of a Publisher rule by using the (*) wildcard character. This character can be used in the following Publisher rule input fields: Product name, File name, and Product version. The * must be used to replace an entire string. Partial strings (str*) incorporating the * are not supported.
4. Optional. Enable the Use Custom Values check box to change or refine displayed signature information. For example, you may choose to do the following:
   - Use the version widget to specify an earlier or later product version than the version displayed in the File version box.
   - Change any value in the text input fields.
5. Click OK to return to the Property dialog.
6. Optional. Select any of the following targeting options:
   - To apply the rule only if the user authenticates using their Windows credentials, select Apply rule only if user can authenticate.
   - To apply the rule only if the user enters in a justification for the elevation, select Require user to enter text justification.
   - To target an application in this folder only if it is a local file owned by the Administrators group, select Apply rule only if program is owned by the Administrators group.
   - To cause processes launched by this application to inherit these permission or privilege changes, select Apply rule to all processes launched by the targeted application.

Hash Rule - Target Regardless of Location

To target a specific application regardless of its location so that you can modify its permissions or privileges when it is run, do the following:

1. Using the rule wizard or, on the Application tab in the Properties dialog, select Hash rule to target an application by hash code.
2. Click to select an application. You can select any of the following:
   - A process running on your computer.
   - An executable file. Click Select a File to navigate to an executable file, which can be either a local file or a file on a network share path.

   It is recommended that you create rules based on network share paths using the fully qualified UNC paths, such as \\MyServer\MyFolder\MyApp.exe. If necessary, mapped drives may be used. When you create a rule based on a mapped drive, check Allow use of mapped drive letter in path on the Options tab.

   Note: Because a limited user has the ability to change a mapped drive, checking this option presents a security risk because it can allow the user to elevate an unintended application.

   An SHA1 hash code is calculated from the selected executable or process.
3. Optional. Select additional targeting options:
   - To target this application only if specific command line arguments are used when the application is launched, enter the Arguments. This field is not case-sensitive. To target this application regardless of any command line arguments specified when the application is launched, leave this field blank.
   - To apply the rule only if the user types in their password, select Apply rule only if user can authenticate (must provide credentials).
   - To require the user to type a justification for the elevation, select Require user to enter text justification. If this check box is enabled, users are prompted to enter an explanation each time they elevate an application.
   - To cause processes launched by this application to inherit these permission or privilege changes, select Apply rule to all processes launched by the targeted application.
4. To continue, see Modifying Permissions, page 66, or Modifying Privileges, page 68.

Tip: Using variables and partial command lines

You can modify the Arguments field to include variables. For a list of variables, click the field and press F3, then double-click to select a variable. You can also use wild card characters in the Path and Arguments fields. Two wild cards are supported:

   * - Can replace one or more characters
   ? - Can replace any individual character

You can use a partial command line in the Arguments field. A partial command line is considered a match as long as each character from left to right matches the beginning of the actual process command line.

Folder Rule - Target Contents of a Folder

To target all applications in a specific folder so that you can modify their permissions or privileges when they are run, do the following:

1. Using the rule wizard or, on the Application tab in the Properties dialog box, select Folder rule - Target all applications in a folder.
2. Enter a path or click to select a folder, which can be either a local folder or a folder on a network share path. Wild cards are supported in this field.

   It is recommended that you create rules based on network share paths using the fully qualified UNC paths, such as: \\MyServer\MyFolder\MyApp.exe. If necessary, mapped drives may be used. When you create a rule based on a mapped drive, check Allow use of mapped drive letter in path on the Options tab.

   Note: Since a limited user has the ability to change a mapped drive, checking this option presents a security risk because it could enable the user to elevate an unintended application.

   Tip: Using variables

   You can modify the Folder field to include variables. For a list of variables, click the field and press F3, then double-click to select the variable. You can also use wild card characters in the path and arguments fields. Two wild cards are supported:

   * - Can replace one or more characters
   ? - Can replace any individual character

3. Optional. Select additional targeting options as shown in the following dialog:

   - To apply the rule only if the user types in their password, select Apply rule only if user can authenticate (must provide credentials).
   - To require the user to type a justification for the elevation, select Require user to enter text justification. If this check box is enabled, users are prompted to enter an explanation each time they elevate an application.
   - To target an application in this folder only if it is a local file owned by the Administrators group, select Apply rule only if program is owned by the Administrators group.
   - To target all applications in subfolders of this folder as well, select Apply rule to all programs in all subfolders of the specified folder.
   - To cause processes launched by this application to inherit these permission or privilege changes, select Apply rule to all processes launched by the targeted application.
4. To continue, see Modifying Permissions, page 66 or Modifying Privileges, page 68.

MSI Path Rule - Target Installation MSI Package by Location

MSI Path rules modify msiexec.exe permissions and privileges, and enable you to set the target by MSI package.

To target an MSI package based on its location so that you can modify its permissions or privileges when it is installed, do the following:

1. Using the rule wizard or, on the Application tab in the Properties dialog, select MSI Path rule - Target Installations by MSI file path.
2. Enter a path or click to select an MSI package file, either a local file or a file on a network share path.

   It is recommended that you create rules based on network share paths using the fully qualified UNC paths, such as: \\MyServer\MyFolder\MyApp.exe. If necessary, mapped drives may be used. When you create a rule based on a mapped drive, check Allow use of mapped drive letter in path on the Options tab.

   Note: Since a limited user has the ability to change a mapped drive, checking this option presents a security risk because it could enable the user to elevate an unintended application.

   This field also supports wild card use.
3. Optional. Select additional targeting options:
   - To apply the rule only if the user types in their password, select Apply rule only if user can authenticate (must provide credentials).
   - To target all applications in subfolders of this folder as well, select Apply rule to all programs in all subfolders of the specified folder.

   - To require the user to type a justification for the elevation, select Require user to enter text justification. If this check box is enabled, users are prompted to enter an explanation every time they elevate an application.
   - To cause processes launched by this MSI package to inherit these permission or privilege changes, select Apply rule to all processes launched by the targeted application.

   Tip: Using variables

   You can use variables in the Package field, potentially targeting multiple files. For a list of variables, click the field and press F3, then double-click on one of them to select the variable. You can also use wild card characters in the Path and Arguments fields. The following two wild cards are supported:

   * - Can replace one or more characters.
   ? - Can replace any individual character.

4. To continue, see Modifying Permissions, page 66 or Modifying Privileges, page 68.

MSI Folder Rule - Target All MSI Folder Contents

MSI Folder rules modify msiexec.exe permissions and privileges, and enable you to target MSI packages by folder.

To target all MSI packages in a specific folder so that you can modify their permissions or privileges when they are installed, do the following:

1. Using the rule wizard or, on the Application tab in the Properties dialog, select MSI Folder rule - Target installations by MSI file folder.
2. Enter a path or click to select a folder, which can be either a local folder or a folder on a network share path.

   It is recommended that you create rules based on network share paths using the fully qualified UNC paths, such as: \\MyServer\MyFolder\MyApp.exe. If necessary, mapped drives may be used. When you create a rule based on a mapped drive, check Allow use of mapped drive letter in path on the Options tab.

   Note: Since a limited user has the ability to change a mapped drive, checking this option presents a security risk because it could enable the user to elevate an unintended application.

   Tip: Using variables

   You can modify the Folder field to include variables. For a list of variables, click the field and press F3, then double-click to select the variable. You can also use wild card characters in the path and arguments fields. Two wild cards are supported:

   * - Can replace one or more characters
   ? - Can replace any individual character

3. Select additional targeting options if desired:
   - To apply the rule only if the user types in their password, select Apply rule only if user can authenticate (must provide credentials).
   - To require the user to type a justification for the elevation, select Require user to enter text justification. If this check box is enabled, users are prompted to enter an explanation each time they elevate an application.

   - To target all MSI packages in subfolders of this folder, select Apply rule to all packages in all subfolders of the specified folder.
   - To cause processes launched by this package to inherit these permission or privilege changes, select Apply rule to all processes launched by the targeted application.
4. To continue, see Modifying Permissions, page 66 or Modifying Privileges, page 68.

ActiveX Rule - Target Installations by Internet Explorer

ActiveX rules are not limited to ActiveX controls, but apply in general to component installations initiated by Internet Explorer (IE). With IE running as a restricted user, control installations normally fail (often without proper feedback) because the installations occur within the IE process and therefore within the same restricted security context. An ActiveX rule causes a targeted control to install in a separate context that can have permissions and privileges individually modified by the rule.

Tip: Elevate IE for Complete Security

For more advanced ActiveX controls and web-based applications that install components beyond the standard Internet Explorer add-on, elevation of Internet Explorer is highly recommended. See Path Rule Examples, page 40 for information about how IE can be secured.

To target the installation of a specific ActiveX control, the installation of all ActiveX controls, or installations initiated by Internet Explorer so that you can modify their permissions or privileges, do the following:

1. Using the rule wizard or, on the Application tab in the Properties dialog, select ActiveX rule to target the installation of ActiveX controls or other component installations initiated by Internet Explorer.

2. Target all component installations or a specific component installation:
   - To target all component installations, check Apply rule to all ActiveX control installations.
   - To target a specific component installation, clear the Apply rule to all ActiveX control installations check box and enter any limitations desired.

   You can restrict the target for this rule to components with any of the following specific items:
   - Source URL, such as:
   - Archive file name, such as mycontrol.cab. (Enter the file name in the Control field.)
   - CLSID, such as {AD787F30-34D1-43EB-BC61-968DDD60E1A8}.
   - MIME, such as: application/pdf

   - Version of a control. (A specific control must first be entered in the Control field.) The version range may be open-ended (such as: <1.00) or closed (such as: >=1.00 and <2.00).

   Tip: Customizing IE dialogs

   After completing this PowerBroker Desktops rule, see the Using Advanced Options in the Administrative Template, page 80, for information about how you can customize the text in dialogs related to installation and downloads through Internet Explorer.
3. Optional. Select additional targeting options. To cause processes launched by the targeted components to inherit these permission or privilege changes, select Apply rule to all processes launched by the targeted control.
4. To continue, see Modifying Permissions, page 66 or Modifying Privileges, page 68.

Tip: Secure ActiveX rule

To make an ActiveX rule secure, target a specific component and specify a source URL. Source URL is considered secure because to spoof a control's source URL, a malicious Web site would first have to compromise other network (or local computer) components such as the DNS. Other parameters used with a source URL provide configuration granularity. However, without a trusted source URL specified, use of any other ActiveX targeting parameter is not considered secure because a site can easily host a control with any of these parameters.

Shell Rule - Elevate Applications on Demand

A Shell rule enables users to elevate any EXE or MSI using a right-click option. When a Shell rule is applied to a computer, a user may elevate an MSI or EXE by right-clicking on it and selecting Install Elevated for an MSI, or Run Elevated for an EXE. The text that is displayed in the right-click menu for this option is configurable using a BeyondTrust ADM Template setting.

Tip: Create only one Shell rule

Only one Shell rule should be applied to each computer or to each user. Multiple applications can be elevated by a single rule.

To enable users to elevate any applications and installations on demand, do the following:

1. Using the rule wizard or, on the Application tab in the Properties dialog box, select Shell rule - Target any applications started from Explorer.

   Tip: Using variables and partial command lines

   You can use variables in the Arguments field. For a list of variables, click the field and press F3, then double-click a variable to select it. You can also use wild card characters in the Path and Arguments fields. The following two wild cards are supported:

   * - Can replace one or more characters
   ? - Can replace any individual character

   You can use a partial command line in the Arguments field. A partial command line is considered a match as long as each character from left to right matches the beginning of the actual process command line.
2. Optional. Select additional targeting options:
   - To apply the rule only if the user types in their password, select Apply rule only if user can authenticate.
   - To require the user to type a justification for the elevation, select Require user to enter text justification. If this check box is enabled, users are prompted to enter an explanation each time they elevate an application.
   - To target all applications in subfolders of this folder as well, select Apply rule to all programs in all subfolders of the specified folder.
3. To continue, see Modifying Permissions, page 66 or Modifying Privileges, page 68.

CD/DVD Rule - Target by Media

The CD/DVD rule enables you to elevate all executables on a specific CD or DVD, based on the serial number of the CD or DVD.

To target all applications on a certain CD or DVD, do the following:

1. Using the rule wizard or, on the Application tab in the Properties dialog box, select CD/DVD rule - Target a CD or DVD.
2. Click to select a CD or DVD. You must insert the CD or DVD in your local computer to select it. The serial number is detected from the selected CD or DVD.
3. Optional. Select additional targeting options:

   - To apply the rule only if users type in their password, select Apply rule only if user can authenticate (must provide credentials).
   - To require the user to type a justification for the elevation, select Require user to enter text justification. If this check box is enabled, users are prompted to enter an explanation each time they elevate an application.
   - To cause processes launched by this application to inherit these permission or privilege changes, select Apply rule to all processes launched by the targeted application.
4. To continue, see Modifying Permissions, page 66 or Modifying Privileges, page 68.

UAC Rule - Target Applications Started by UAC

User Account Control (UAC) is a security component in Windows Vista and Windows 7 that enables users to perform common tasks that normally require administrative privileges. The UAC rule grants full administrative privileges to any application that presents a UAC prompt that PowerBroker Desktops is capable of intercepting. UAC prompts related to the operations performed by COM objects cannot be intercepted.

Tip: Create only one UAC rule

Only one UAC rule should be applied to each computer or user.

To create a UAC rule, do the following:

1. Using the rule wizard or, on the Application tab in the Properties dialog, select UAC rule.

   Tip: Using variables and partial command lines

   You can use variables in the Path and Arguments fields. For a list of variables, click the field and press F3, then double-click a variable to select it. You can also use wild card characters in the Path and Arguments fields. The following two wild cards are supported:

   * - Can replace one or more characters.
   ? - Can replace any individual character.

   You can use a partial command line in the Arguments field. A partial command line is considered a match as long as each character from left to right matches the beginning of the actual process command line.
2. Optional. Select additional targeting options:
   - To apply the rule only if the user types in their password, select Apply rule only if user can authenticate (must provide credentials).
   - To require the user to type a justification for the elevation, select Require user to enter text justification. If this check box is enabled, users are prompted to enter an explanation each time they elevate an application.
   - To target an application in this folder only if it is a local file owned by the Administrators group, select Apply rule only if program is owned by the Administrators group.
   - To target all applications in subfolders of this folder as well, select Apply rule to all programs in all subfolders of the specified folder.
   - To cause processes launched by this application to inherit these permission or privilege changes, select Apply rule to all processes launched by the targeted application.
3. To continue, see Modifying Permissions, page 66 or Modifying Privileges, page 68.
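The partial command line matching described in the tip above, modelled as an added Python example that is not part of the original guide or BeyondTrust's code. It assumes `*` stands for one or more characters and `?` for exactly one, as the tip words them, that matching is not case-sensitive as stated for the Arguments field, and that a blank field matches anything; `exact=True` models the Options tab setting Apply rule only if arguments match exactly, and all function names and command lines are constructed.

```python
import re


def wildcard_to_regex(pattern: str) -> str:
    """Translate the guide's two wild cards into a regular expression body."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".+")   # "can replace one or more characters"
        elif ch == "?":
            parts.append(".")    # "can replace any individual character"
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def arguments_match(rule_args: str, actual_args: str, exact: bool = False) -> bool:
    """Return True if the rule's Arguments value targets this command line.

    Default mode is the partial (left-to-right prefix) match from the tip.
    exact=True requires the whole command line to match.
    """
    if rule_args == "":
        # Assumption: a blank field targets the application regardless of
        # arguments, also when exact matching is enabled.
        return True
    body = wildcard_to_regex(rule_args)
    flags = re.IGNORECASE | re.DOTALL
    if exact:
        return re.fullmatch(body, actual_args, flags) is not None
    return re.match(body, actual_args, flags) is not None


def classify(rule_args: str, command_lines):
    """Label each command line 'exact', 'prefix-only' or 'no-match'.

    'prefix-only' lines are elevated by the default setting but would not be
    if the rule required an exact argument match.
    """
    report = {}
    for line in command_lines:
        if arguments_match(rule_args, line, exact=True):
            report[line] = "exact"
        elif arguments_match(rule_args, line):
            report[line] = "prefix-only"
        else:
            report[line] = "no-match"
    return report


# Constructed rule value and constructed process command lines.
RULE_ARGS = r"/config \\MyServer\MyFolder\app.ini"
SAMPLE_COMMAND_LINES = [
    r"/config \\MyServer\MyFolder\app.ini",
    r"/CONFIG \\myserver\myfolder\APP.INI",
    r"/config \\MyServer\MyFolder\app.ini /logfile C:\Temp\out.log",
    r"/config \\MyServer\MyFolder\app.ini.old",
    r"/verbose /config \\MyServer\MyFolder\app.ini",
]

if __name__ == "__main__":
    for line, verdict in classify(RULE_ARGS, SAMPLE_COMMAND_LINES).items():
        print(f"{verdict:12} {line}")
```

Every line reported as prefix-only is a command line the rule author may not have intended to elevate; reviewing rules for such cases shows where the exact-match option is worth enabling.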

Advanced Techniques

After you have mastered the basics of creating rules, you are ready to explore some of the advanced features available in PowerBroker Desktops. Using these features you can craft rules that manage application use in a very granular way. This chapter discusses some advanced techniques that give you ultimate control of how, when and by whom applications are used in your enterprise.

Modifying Permissions

After you have targeted an application or process, you can make modifications to the permissions of that application or process when it is run. Permissions are defined by the security groups listed in the process token. By default, this list includes all security groups to which the end-user (who launched the process) belongs. With each rule, you can add security groups to and/or remove security groups from the application's process token. The result is the same as making changes to the end-user's group memberships, but only for the specific application.

Tip: Default security settings

Depending on the selections that you made while targeting the application, some permissions may be pre-populated due to default security settings. You can modify the permissions as needed.

To modify the permissions for an application or process that you have targeted, do the following:

1. In the Properties dialog box, click the Permissions tab.

2. Click Add to configure modifications to permissions for a new security group, whether adding a group to or removing a group from the permissions for the application.
3. In the Group dialog box, enter a group name or click to browse to a group.
4. If entering a group name, use one of the following naming conventions.
   - MyGroup (will be resolved during Group Policy processing using standard resolution logic, first searching the local host and then the network domain accounts for a match)
   - MyDomain\MyDomainGroup
   - MyComputer\MyGroup
   - BUILTIN\MyGroup
   - .\MyGroup (indicates a group on the local computer)

   About SID resolution: If browsing to select a group, the SID is resolved automatically when you make your selection and the name (although displayed) is ignored when permissions are determined. If entering a group name manually, the SID is resolved during Group Policy processing on client computers.
5. Select an Action for the group.
   - To enable this group to use the application if the group has not been given permission to do so, select Add this group to the security token.
   - To prevent this group from using the application if the group had previously been given permission to do so, select Remove this group from the security token.
6. Click OK to close the Group dialog box.
7. Repeat to configure modifications for additional security groups.

   Tip: Removing or changing modifications to permissions

   To delete a modification to permissions for a security group (whether adding a group to or removing a group from the permissions for the application), select the group and click Remove on the Permissions tab. To change the security group name or to change the action for a modification to permissions for a security group, select the group and click Change on the Permissions tab.
8. To continue, see Modifying Privileges, page 68.
9. Optional. For information about issues unique to members of the Administrators group, see Rules Have No Effect, page 89.

Modifying Privileges

After you have targeted an application or process, you can select modifications to be made to the privileges of that application or process when it is run. With each rule, you can grant and/or deny privileges to the application. The effect is the same as if the privileges were granted or denied to the end-user, but only for the specific application.

Tip: Default security settings

Depending on the selections that you made while targeting the application, some privileges may be pre-populated due to default security settings. You can modify the privileges as needed.

To modify the privileges for an application or process that you have targeted, do the following:

1. In the Properties dialog box, click the Privileges tab.
2. Select a privilege or multiple privileges, then click an Action for the selected privileges. Move the cursor over a privilege to display a description. You can use the Shift or Ctrl keys to multi-select privileges:
   - To grant the selected privileges to the application that has not been given them, click Grant.
   - To deny the selected privileges to the application that has the privileges, click Deny.
   - To remove an existing modification from any privileges, click Deselect.
3. Repeat to configure modifications for other privileges.
4. To continue, see Modifying Integrity Level, page 70.

Modifying Integrity Level

Windows Vista, Windows Server 2008, and Windows 7 have an additional security setting that PowerBroker Desktops enables you to adjust for applications. PowerBroker Desktops enables you to elevate or lower the Integrity Level under which an application runs. By default, most applications run under Medium Integrity Level.

Tip: Earlier operating systems

The Integrity Level setting will have no effect on operating systems prior to Windows Vista or Windows Server 2008.

To modify the integrity level for a process, do the following:

1. In the Properties dialog box, click the Integrity Level tab.
2. Select the integrity level to use when running the process.

Using Rule Options

The Properties dialog includes an Options tab. Using the settings available on this tab, you can further define and specialize a rule. The following figure shows the Options tab:

Common Options

Common options are options that determine how a rule is applied. Common options include the following:

- Apply rule to file system browsing with targeted application - By default, this option is enabled. That means that the File Open/Save dialog box is elevated. Disabling this feature for an elevated application will cause admin rights to be dropped on the File Open/Save dialog box. If the rule removes admin rights from an application, this option has no effect. Admin rights will not be re-added to the File Open/Save dialog once they have been removed on a targeted application.
- Apply rule only if arguments match exactly - By default, application arguments are matched with a wild card on the end of the string. Select this option to require an exact match in order for the rule to be applied. This option does not apply to Shell and CD/DVD rule types.

- Allow use of mapped drive letter in path - Enable this option to create and apply rules based on a mapped drive. Leaving this option disabled allows you to create UNC-based path or folder rules that will be applied to appropriate applications, regardless of the mapped drive from which the application is executed. This option only applies to Path, Folder, MSI Path, and MSI Folder rules.

  In general, it is preferable to create Path and Folder rules based on the UNC path and leave this option unchecked. If you must create a rule based on a mapped drive, enable this option to make PowerBroker Desktops apply the rule based on the mapped drive, not on the UNC path.

  Note: Because a standard user has the ability to change a mapped drive, enabling this option could potentially allow them to elevate an unintended application.

Execution Options

In addition to Common options at the top of the dialog, the Options tab provides Execution options. These settings are applied at run time and include the ability to do the following:

- Apply a rule a fixed number of times.
- Apply a rule in a time-limited window (hours of the day, days of the week, and so forth).
- Apply a rule in various connection situations (connected locally, VPN/Dialup, disconnected, and so forth).
- Apply a rule after a specified time delay.

Providing a Rule Description

The Common tab provides a text input area in which you can document each rule you create. The descriptive text you enter in this tab is displayed in the Description field of the PowerBroker Desktops user interface when the rule is selected in the rule list. A description provides a quick way to identify the rule and also document any special conditions the rule may include.

Using Item-Level Targeting

The Common tab of the Properties dialog also provides access to item-level targeting.
After you have targeted an application or process and specified modifications to be made to the permissions and privileges of that application or process, you can restrict the application of these security modifications to selected users and computers.

Using item-level targeting, you can manage a wider variety of users and computers with a smaller number of GPOs. Within a single GPO, you can include rules customized for selected users and computers. Each rule can apply its settings only to the specified user or computer.

Each targeting item results in a value of either true or false. You can select the logical operation (AND or OR) by which to combine each targeting item with the preceding one. If the combined value of all targeting items for a preference item is false, settings in the preference item are not applied to the user or computer.

Many items are available, and each item requires specific information to become effective. The following graphic illustrates the targeting editor dialog and the menu of available items:

To add item-level targeting to a rule so that its security modifications are applied to a specific user, group, or computer when the conditions of the item are met, do the following:

1. Open the Common tab and enable Item-Level Targeting.
2. Click Targeting.
3. In the Item-level targeting editor, open the New Item drop-down list and select an item.
4. Configure the item's settings in the lower portion of the editor window.

   In the following example, three items were selected: Operating System, Battery Present, and CPU Speed. Each item was configured as follows:
   - Operating System: Is NOT Windows 7 on a Workstation.
   - Battery Present: Yes. (This usually indicates a laptop computer.)
   - CPU Speed: Greater than or equal to 3 GHz.

This selection of items causes a rule to be applied to all laptop computers not running Windows 7 with a 3 GHz or faster CPU.

5. Click OK to close the editor.

Building an Item Collection

A collection of items allows you to create a parenthetical grouping of items within a larger targeting expression. You can nest one item collection within another to create more complex logical expressions.

An item collection allows a preference item to be applied to computers or users only if the collection of targeting items specified results in a value of true. If Is Not is selected for the collection, it allows the preference item to be applied only if the collection of targeting items specified results in a value of false.

You build a collection of items by right-clicking a collection and selecting from the menu to choose the items, as shown in the following graphic:

To build a collection, do the following:

1. Begin creating a list of items using the Item Level Targeting Editor.
2. Click Add Collection to insert a collection point within the list of items.
3. Select the collection point and provide the following:
   a. AND/OR status - How the collection relates to other items in the list
   b. IS/IS NOT status - How items within the collection relate to each other
   c. Label - Name for the collection point
4. Add an item to the collection by right-clicking on the collection and using the menu to select an item.
5. Configure each item as needed.
6. After you are finished adding items to the collection, click OK in the Item-Level Targeting Editor.
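The targeting logic described above (items combined with the preceding one by AND or OR, collections as parenthetical groups, Is Not inverting a result) can be modelled to check a targeting expression before it is deployed. The following is an added example, not PowerBroker Desktops code: the class and function names, the fact keys and the sample host are constructed, and it assumes strict left-to-right combination with no operator precedence and that an empty item list restricts nothing.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Union


@dataclass
class Item:
    """One targeting item: a true/false test over facts about a user or computer."""
    label: str
    test: Callable[[dict], bool]
    op: str = "AND"        # how this item combines with the preceding one
    negate: bool = False   # the item's "Is Not" form


@dataclass
class Collection:
    """A parenthetical group of items; collections may be nested."""
    label: str
    members: List[Union[Item, "Collection"]] = field(default_factory=list)
    op: str = "AND"
    negate: bool = False   # "Is Not": the group must come out false


def evaluate(node, facts, trace=None):
    """Evaluate one item or collection and record (label, value) in trace."""
    if isinstance(node, Collection):
        value = rule_applies(node.members, facts, trace)
    else:
        value = bool(node.test(facts))
    if node.negate:
        value = not value
    if trace is not None:
        trace.append((node.label, value))
    return value


def rule_applies(nodes, facts, trace=None):
    """Fold the list left to right; the first entry's AND/OR setting is unused."""
    result = None
    for node in nodes:
        value = evaluate(node, facts, trace)  # always evaluated so the trace is complete
        if result is None:
            result = value
        elif node.op == "AND":
            result = result and value
        elif node.op == "OR":
            result = result or value
        else:
            raise ValueError(f"unknown operation {node.op!r} on {node.label!r}")
    return True if result is None else result  # assumption: no items, no restriction


def explain(nodes, facts):
    """Return the verdict plus the labels of every item or collection that was false."""
    trace = []
    verdict = rule_applies(nodes, facts, trace)
    return verdict, [label for label, value in trace if not value]


# Constructed expression: the three items from the example above, followed by
# a collection of day, time and language items.
WINDOW = Collection("Sunday 9-5, French", [
    Item("Day is Sunday", lambda f: f["weekday"] == "Sunday"),
    Item("Time is 9 AM to 5 PM", lambda f: 9 <= f["hour"] < 17),
    Item("Language is French", lambda f: f["language"].startswith("fr")),
])
TARGETING = [
    Item("OS is NOT Windows 7", lambda f: f["os"] == "Windows 7", negate=True),
    Item("Battery Present", lambda f: f["battery"]),
    Item("CPU Speed >= 3 GHz", lambda f: f["cpu_ghz"] >= 3.0),
    WINDOW,
]
# Constructed host facts.
LAPTOP = {"os": "Windows XP", "battery": True, "cpu_ghz": 3.2,
          "weekday": "Sunday", "hour": 10, "language": "fr-FR"}

if __name__ == "__main__":
    print(explain(TARGETING, LAPTOP))
    print(explain(TARGETING, dict(LAPTOP, weekday="Monday")))
```

The list of false labels returned by explain() is the quickest way to see which item keeps a rule from being applied to a given machine.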

A typical collection embedded with a list of items might look as follows. In this example, a collection containing time, date and language items is embedded with a larger item list. Because the collection is set to evaluate to TRUE, any rule the collection is affixed to is applied only on Sunday, between 9 AM and 5 PM, on systems on which the user language is set to traditional French.

Completing a Rule

After you have targeted an application or process, selected modifications to be made to the permissions and privileges when it is run, and added any item-level targets to restrict the application of these security modifications, click OK to close the Properties window. The rule takes effect on computers to which it is applied (after a Group Policy refresh).

Tip: Changing the rule name
You can change the name of a rule without affecting the settings within it. To change the name, right-click the rule, select Rename, and enter a new name.

Working with Rule Collections

You can organize rules in a group called a collection. This organization allows you to treat multiple rules as a single entity. Using collections is useful when you want to apply the same item-level target to several rules or when you want to organize rules into physical groupings for ease of maintenance or review.

Rule Processing When a Collection Is Present

In general, rules are processed according to their numbered order in the Order column of the PowerBroker Desktops UI. However, when a collection of rules is included among individual rules, the collection takes processing precedence. Keep in mind the following concepts that determine rule processing order:

1. Individual rules are processed in the order they appear in the Order list.
2. When a rule and a collection have the same order number, the individual rule is always processed before the collection.
3. When a rule collection contains a subcollection, rules in the outer collection are processed first, and then rules in the subcollection are processed.
4. Rule collections are automatically assigned an order number as they are created. (Collection 1, Collection 2, Collection 3, and so forth)
5. A collection number cannot be changed.
6. A collection is positioned in the Order list according to its number and cannot be moved.

Consider the following example. Within the rule list, individual rules are intermixed with three rule collections. In addition, the Second Collection contains a sub-collection of rules. The Order column identifies the overall rule processing flow of this mix of rules and collections. Even if the rules are sorted based on other column headers, they will always be processed according to their numeric position in the Order column.

Because an individual rule always takes processing precedence over a collection with the same order number, rule 1 (MyActiveXRule) is processed before any of the rules in First Collection are processed. After all the rules in First Collection are processed, rule 2 (UAC rule) is processed. Processing then moves to the Second Collection. The Second Collection contains a Subcollection. Here the rules in the outermost container are processed first, and then the rules in the inner container are processed. After the Second Collection rules and Subcollection rules are processed, rule three (MyPathRule) is processed. Rules in the Third Collection are processed next. Processing then continues down the Order list to rules 4, 5, and 6.

Avoid Rule Conflicts

In most cases, the order in which rules are processed does not matter. However, there are cases when the processing order does matter, especially when collections are used. For example, if a Folder rule is created that elevates all applications in a folder, and a second rule is created that reduces permissions on an application in the same folder, the last rule to be processed determines how the individual application is treated.

Because subcollections and collections are processed after an individual rule with the same order number, ensure that rules placed in a collection do not need to be processed before an individual rule of the same order number.
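The ordering concepts and the conflict case above can be checked mechanically when reviewing a rule list. The following is an added example, not PowerBroker Desktops code: it flattens individual rules and collections into processing order and reports any permission-reducing Path rule that a later elevating Folder rule overrides. The rule attributes, the names of rules inside collections, the C:\Tools paths and all function names are constructed, and a Folder rule is assumed to match only files directly inside its folder.

```python
from dataclasses import dataclass, field
from ntpath import dirname, normcase
from typing import List, Optional


@dataclass
class Rule:
    name: str
    order: Optional[int] = None   # Order column number; None inside a collection
    kind: str = "other"           # "folder", "path" or "other"
    target: str = ""
    action: str = "none"          # "elevate", "reduce" or "none"


@dataclass
class RuleCollection:
    name: str
    number: int = 0               # fixed collection number; unused for subcollections
    rules: List[Rule] = field(default_factory=list)
    subcollections: List["RuleCollection"] = field(default_factory=list)


def flatten(collection):
    """Outer collection rules first, then the rules of each subcollection."""
    ordered = list(collection.rules)
    for sub in collection.subcollections:
        ordered.extend(flatten(sub))
    return ordered


def processing_order(rules, collections):
    """An individual rule sorts before the collection with the same number."""
    entries = [(r.order, 0, [r]) for r in rules]
    entries += [(c.number, 1, flatten(c)) for c in collections]
    entries.sort(key=lambda e: (e[0], e[1]))
    return [rule for _, _, group in entries for rule in group]


def matches(rule, app_path):
    """Case-insensitive Windows path match for Path and Folder rules."""
    app = normcase(app_path)
    target = normcase(rule.target).rstrip("\\")
    if rule.kind == "path":
        return app == target
    if rule.kind == "folder":
        return dirname(app) == target   # assumption: direct children only
    return False


def effective_rule(ordered, app_path):
    """The last matching rule to be processed decides how the application is treated."""
    hits = [r for r in ordered if matches(r, app_path)]
    return hits[-1] if hits else None


def shadowed_reductions(ordered):
    """Pairs (reducing rule, later elevating rule) where the reduction is overridden."""
    findings = []
    for i, rule in enumerate(ordered):
        if rule.kind == "path" and rule.action == "reduce":
            for later in ordered[i + 1:]:
                if later.action == "elevate" and matches(later, rule.target):
                    findings.append((rule.name, later.name))
    return findings


# Constructed rule list shaped like the example above: six individual rules,
# three collections, and a subcollection inside the second collection.
RULES = [
    Rule("MyActiveXRule", order=1),
    Rule("UAC rule", order=2),
    Rule("MyPathRule", order=3, kind="path",
         target=r"C:\Tools\legacy.exe", action="reduce"),
    Rule("Rule 4", order=4), Rule("Rule 5", order=5), Rule("Rule 6", order=6),
]
COLLECTIONS = [
    RuleCollection("First Collection", 1, [Rule("First-A")]),
    RuleCollection("Second Collection", 2, [Rule("Second-A")],
                   [RuleCollection("Subcollection", rules=[Rule("Sub-A")])]),
    RuleCollection("Third Collection", 3,
                   [Rule("Third-ElevateTools", kind="folder",
                         target=r"C:\Tools", action="elevate")]),
]

if __name__ == "__main__":
    order = processing_order(RULES, COLLECTIONS)
    print([r.name for r in order])
    print(shadowed_reductions(order))
```

In this constructed list the reducing rule has order number 3 and the elevating Folder rule sits in Collection 3, so the collection is processed afterwards and the application ends up elevated.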

Using Advanced Options in the Administrative Template

Using the Administrative Template, you can configure advanced options for PowerBroker Desktops, such as enabling event logs, customizing the text on restriction and downloading dialog boxes that occur in Internet Explorer when certain ActiveX rule settings exist, and enabling shatterproof process isolation to protect high security environments against shatter attacks.

Most settings are made in the Security Driver node of the administrative template. These settings control dialog box customization, logging and several other parameters.

The Security Driver node is located under the Administrative Templates node of the GPME. A typical Security Driver settings list looks similar to the following:

When you select an item in the list, a description of the item displays on the left side of the window. Double-clicking an item opens the item's configuration sheet.

Installing the Administrative Template

You do not need to add the ADMX Template on Windows Vista, Windows Server 2008, or Windows 7 because the BeyondTrust settings display automatically in the GPME. However, on earlier Windows versions, the template may need to be added.

Although the Administrative Template is installed along with the PowerBroker Desktops application, you must add the template to the Group Policy Object Editor so that you can access template settings. If you have a previous version of the template installed, you should remove it and add the V5.0 ADM template to incorporate the features of this version.

Tip: ADMX Template
Be sure to add the Administrative template to the Group Policy Object Editor (GPOE) if you use a pre-Windows Vista or Windows Server 2008 version of Windows software.

To add or update the BeyondTrust Administrative Template:

1. In the GPME Editor, click Computer Configuration. Right-click Administrative Templates and select Add/Remove Templates. The Add/Remove Templates dialog opens and displays a list of Current Policy Templates.
2. If BeyondTrust is not in the list of Current Policy Templates, click Add and locate the template in the C:\windows\inf folder.

3. Double-click BeyondTrust.adm and then click Close.

Customizing Internet Explorer Restriction and Download Dialogs

Using ActiveX rules, you can restrict or enable component installations initiated by Internet Explorer (IE). With IE running as a restricted user, component installations normally fail (often without proper feedback) because the installations occur within the IE process and therefore within the same restricted security context.

Using the Administrative Template, you can notify end-users when a component installation fails and even provide an interactive response through . Additionally, you can provide a customized progress dialog when component downloads are permitted.

To customize Internet Explorer restriction or download dialogs, do the following:

1. Edit a GPO. For detailed instructions, see Creating and Editing a GPO, page 99.
2. In the GPME, click Computer Configuration, Administrative Templates, BeyondTrust, System, Security Driver. If this path is not available, see Installing the Administrative Template, page 81.

3. To customize the dialog that is displayed when an ActiveX control fails due to lack of permissions, double-click Customize IE Failure Dialog.
4. In the Properties window, click Enabled.
5. Configure dialog options. If you include an Administrator's address, it will appear as a link in the dialog.

6. Click OK. The resulting dialog displayed to the user looks like the following.
7. To customize the download progress dialog that is displayed when an end-user attempts to download, double-click Customize IE Download Dialog.
8. In the Properties window, click Enabled.
9. Configure other settings and click OK.

The following dialog is displayed if a user browses in IE to a page containing an ActiveX control.

Customizing UAC Information Dialog

An option in the Administrative template allows you to display a dialog when a UAC prompt is detected. This dialog enables the user to the system administrator with an elevation request.

To create a UAC information dialog, do the following:

1. Edit a GPO. See Creating and Editing a GPO, page 99 for detailed instructions.
2. In the GPME, click Computer Configuration, Administrative Templates, BeyondTrust, System, Security Driver. If this path is not available, see Installing the Administrative Template, page 81.
3. To customize the dialog that is displayed by UAC, double-click Customize UAC Information Dialog.
4. In the Properties window, click Enable.
5. Configure dialog options. If you include an Administrator's address, it appears as a link in the dialog.

6. Click OK.

The following figure shows an example of a customized UAC information dialog:

Customizing On Demand (Shell Rule) Right-Click Menu Option

Using a Shell rule, you can enable users to elevate an application on demand using a right-click menu option. Using the BeyondTrust Administrative Template, you can customize or localize the text that displays in the right-click menu.

To customize the On Demand Right-Click menu text, do the following:

1. Edit a GPO. For detailed instructions, see Creating and Editing a GPO, page 99.
2. In the GPM Editor, click Computer Configuration, Administrative Templates, BeyondTrust, System, Security Driver. If this path is not available, see Installing the Administrative Template, page 81.
3. To customize the right-click menu option that is displayed on EXE and MSI files, double-click Customize On-Demand Elevation Dialog.
4. In the Properties window, click Enabled.
5. Configure other settings and click OK.

Setting up Logging

PowerBroker Desktops includes tracing and logging options managed through the BeyondTrust Administrative Template. The following options are available in the Security Driver section of the template:

Log all application launches - Enable this setting to log each time an application launches. Note that enabling this option generates a large volume of log information.

Log application launch requiring elevated privileges - Enable this setting to log each time PowerBroker Desktops detects an executed application requiring elevated privileges above Standard User. Logs are stored in the System section of the local event log.
Log application launch with rule applied - Enable this setting to log each time an application launches that has had its privileges modified by PowerBroker Desktops. Logs are stored in the System section of the local event log.
Log application launch elevated by Shell rule - Log each time a user launches an application using the Shell Rule capability of PowerBroker Desktops.
Log ActiveX install with rule applied - Log each time an ActiveX control installation has its privileges modified by PowerBroker Desktops.
Log ActiveX install failure due to insufficient privileges - Log each time an ActiveX control fails to install due to insufficient privileges.
Log application state data - Log all client activities of interest to PowerBroker Desktops. Required for automatic rule generation and SCCM integration. State model data is written to the local machine registry.
Log UAC prompts - Log all client UAC prompts. This is useful for determining when a user is asking for administrative privileges. UAC events are stored in the System section of the local event log.
Log Security Driver events - Log activities of the security driver to the event log. Useful for troubleshooting client-side problems and rule-application problems.

There are many additional settings available in the administrative template. For more information about the available settings, see Security Driver Settings Sheet, page 104.

Troubleshooting

This section answers common questions about using PowerBroker Desktops and provides information about performing logging and tracing.

Rules Have No Effect

If you have configured rules but they are having no effect, review the following questions.

Have you deployed the Client?
The PowerBroker Desktops client must be installed on a computer if the machine is to recognize rules and policies. The client is not installed by the snap-in installer. You must separately download the client from the BeyondTrust Web site and install and deploy it. In addition, if you have not rebooted the PC after installing the client, rules will not be recognized. You must reboot the client machine to complete the client installation process.

Have you linked the GPO to an organizational unit and refreshed Group Policy?
You must link a GPO to an organizational unit (OU) for rules in that GPO to be applied to users or computers in that OU. Also, Group Policy must be refreshed before new rules or changes to rules will take effect.

Have you placed rules under Computer Configuration or User Configuration as required?
Rules can be created for either the Computer Configuration or the User Configuration of a GPO. You must select the correct location for a rule.

If the user is a member of Administrators, have you resolved process ownership issues?
When the user launching an executable is a member of the Administrators security group, the process token may be owned by the Administrators group rather than by the user. On Windows XP and Windows Server 2003, this behavior is optional, and the default is to give the user ownership of processes. However, on these newer operating systems, this default may be changed by creating a PowerBroker Desktops policy.

If the process token is owned by Administrators and the Administrators group is removed, BeyondTrust gives ownership of the process to the user who launched the process (if this is not already the case). By default, this does not result in any change on Windows XP or Windows Server 2003. If the Administrators group was the owner and ownership is changed to the user, any object (such as a file or registry setting) that is created by the process is owned by the user.

The newer behavior (implemented by default on Windows XP and Windows 2003 and as modified by BeyondTrust when necessary) provides an improved audit trail of object creation because new objects are associated with the specific user who created them.

Have you ensured that multiple rules do not conflict?
PowerBroker Desktops processes rules according to standard Group Policy processing rules. For two competing rules, the last rule applied takes effect. Additionally, if user and computer rules are competing for the same process, user policy takes precedence over computer policy. Two rules cannot be applied to the same process on a computer, so only the rule with the highest precedence is applied.

Have you analyzed the situation using logging and tracing options?
For information about logging and tracing, see Logging and Tracing, page 91.

Compatibility Issues with Some Applications

When some applications launch, they will attempt to unload a PowerBroker Desktops DLL file (btpload32.dll). Unloading this file can cause system instability and other problems and is not advised.

To prevent this DLL from being unloaded by an application, you can add a special key to the Windows registry. This key blocks the unload operation even if the process name and path are found in the registry key value. To add this key to the registry, do the following:

1. Open the Security Driver section of the administrative template.
2. In the list of Security Driver options, select Prevent Btpload from being unloaded from the specified process.
3. Enter the path to the executable file that tries to unload Btpload.
4. Click OK.

The application specified in the path setting will have the following DLLs loaded:

btpload32.dll
btprof32.dll
privman32.dll

Other Problems

This section provides information about other problems users occasionally have encountered.

PowerBroker Desktops Components not displayed or installed
If the prerequisites for a component are not met before installation, that component will not be installed nor will it be displayed under Custom Setup during installation.

For information about snap-in and client software requirements, see the PowerBroker Desktops Installation Guide.

Installing client triggers antispyware warning
Installing the client causes some anti-spyware programs to display warnings or errors because it installs a browser helper object. The BeyondTrust Browser Helper is required for ActiveX rules. You can configure anti-spyware to allow the BeyondTrust Browser Helper. It is located in the system32 folder and is named pmbho.dll.

You can install the PowerBroker Desktops Client without the Browser Helper and therefore without the ActiveX rule functionality. For instructions, see the Knowledge Base on the BeyondTrust Web site:

Unable to apply a rule to a 16-bit application
When elevating 16-bit applications, the rule may not trigger when you run the application or you may see a RULE--NOT--APPLIED message in the Policy Monitor. The reason for this is that some 16-bit applications do not appear as distinct processes, but rather are run in the Windows 16-bit Virtual DOS Machine (ntvdm.exe). The 16-bit applications also need to be run in a separate memory space to properly adjust the application's process token.

If the application is not displaying in Policy Monitor, it is likely that NTVDM.EXE is controlling the process. When this is the case, it may be necessary to write a rule for NTVDM.EXE.

If you get a rule match but see a RULE--NOT--APPLIED message, set the process to run in a separate memory space by doing the following:

1. Create a shortcut to the application.
2. In the properties of the shortcut, click Advanced.
3. Toggle on the option: Run in Separate Memory Space.

Logging and Tracing

In addition to logging and tracing managed through the PowerBroker Desktops Administrative Template, you can use Policy Monitor as a troubleshooting utility.

Tracing with Policy Monitor (polmon.exe)

The client-side troubleshooting utility called Policy Monitor (polmon.exe) is run on a client computer. This utility monitors all processes running on the client and displays information about each process, including the full path of the launching process and other details pertinent to rule operation.

This utility is particularly useful for determining the state of the client, and for diagnosing problems when a rule does not function as expected on the client. The following figure shows a typical Policy Monitor trace:

To use Policy Monitor, do the following:

1. Enable Security Driver Logging in the ADM Template and set Tracing to On. For instructions, see Adding Logging and Tracing Options to a GPO, page 92.
2. Navigate to: %windir%\system32
3. Double-click polmon.exe to launch Policy Monitor. An entry is displayed in Policy Monitor for each process running on the computer.
4. Run gpupdate /force from a command prompt. An entry displays in Policy Monitor for each rule applied, as well as for other processes.
5. Launch an application or process to which a rule has been applied. The full path of the launching process, any matches found, and any rules applied display in the Policy Monitor.

If the path appears and there is no mention of a command line match or rule being applied, then the process was not recognized as one to which a rule should have been applied. This result typically occurs if the rule was not configured correctly.

For more information on using Policy Monitor, see the Knowledge Base on the BeyondTrust Web site:

Adding Logging and Tracing Options to a GPO

On Windows 2003 and Windows XP, although the Administrative Template is installed along with the application, you must add it to each Group Policy Object. This will allow you to access the template's settings.

If you have a previous version of the template installed, remove it and add the latest PowerBroker Desktops Administrative Template to incorporate the features of the latest version.

To add the Administrative Template, do the following:

1. Edit a GPO. See Creating and Editing a GPO, page 99 for detailed instructions.
2. In the GPOE, click Computer Configuration. Right-click Administrative Templates and select Add/Remove Templates.
3. In the Add/Remove Templates window, click Add, double-click beyondtrust.adm. If you have previously installed the Administrative Template along with a previous version, confirm that the file was replaced and that the existing file is older than the current one.
4. Click Close.

For this GPO, the following paths have been added to the GPOE:

Computer Configuration, Policies, Administrative Templates, BeyondTrust
User Configuration, Policies, Administrative Templates, BeyondTrust

Tip: Enable Tracing to Display Rules in Policy Monitor
Security Driver logging must be enabled and tracing set to On for Policy Monitor to display the rules targeting the user or computer.

Logging and Tracing Options

PowerBroker Desktops can be configured to log a variety of information to the System and Application sections of the Windows Event Log. These events can be viewed using the Windows Event Viewer. This information is useful when troubleshooting problems or analyzing the implementation of rules.

In addition, clients have the ability to log state model data to their local registry. This data is used to automatically generate rules based on the applications being launched and used on the client. State model data collection and logging is enabled by default on all clients.

Client Side Tracing

CSE tracing is disabled by default, and may be enabled by utilizing the beyondtrust.adm within Microsoft's Administrative Templates policy extension. When the snap-in extensions are installed, the beyondtrust.adm is installed into the default location for administrative templates. Import this template into the Administrative Templates policy within a computer configuration. This template includes the policy settings for control of the standard CSE behaviors, the size and location of each CSE's trace file, and the quantity of event logging. Tracing provides detailed output on each CSE's operation in a simple text format.

Event Logging

CSE event logging of errors is always enabled. By using the beyondtrust.adm template, additional categories of event log messages can be enabled. This includes warnings and informational messages. An example of a typical event log warning is a policy that does not get applied due to an item-level target that returns FALSE. An example of a typical informational message is the success of an individual policy setting.

Using the Windows Event Viewer

PowerBroker Desktops events are written to the Windows Event Log and can be viewed by opening the Windows Event Viewer. Two sections of the Event Log are populated with events: the System section and the Application section. When logging is enabled in the Administrative Template, messages and errors are sent from a variety of components. The source of the error and the error message ID is included in the log. A typical Event Viewer log segment looks similar to the following.

In this case, an information message was sent from the Privman component with an Event ID of 28675, indicating the Security Driver loaded on the client correctly. To see additional information about an event, double-click the event row.

Note: Refer to the PowerBroker Desktops online help topic, Event Log messages, to view a table of all messages and their significance.

Enabling Logging

The following general steps are required to configure logging to the Windows Event Log:

Access the BeyondTrust Administrative template in the GPME by opening: Computer Configuration, Policies, Administrative Templates, BeyondTrust, PBWD, System.

To configure Group Policy logging, do the following:

1. Open the Group Policy node and select Policy Processing or Licensing Processing.
2. Use the configuration sheet to establish logging and other settings.

To configure Security Driver logging:

1. Open the Security Driver node.
2. Select a log-related setting to open its configuration sheet.
3. Configure the log setting, enable it and click OK to close the setting sheet.
4. Configure additional settings as required.

Appendix A: Group Policy Primer

Introduction to Group Policy

If you are new to Group Policy, or are unfamiliar with how to create and edit a GPO, this appendix provides an introduction to Group Policy and instructions for creating and editing a Group Policy Object (GPO).

Group Policy is a framework for user and computer configuration on Windows 2000 and later operating systems that use Active Directory. Group Policy makes certain fundamental assumptions about how users and computers should be configured in an enterprise environment. The primary assumption is that desired configurations are often common across multiple users and computers. These groupings often reflect organizational structure.

Organization

Active Directory organizational units (OUs) facilitate this grouping and enable one unit to be a member of other units. This organization is distinct from security group and domain organizations, which are both fundamentally oriented around security priorities and do not generally reflect an organization's hierarchy. Group Policy settings can be applied to sites, to domains, and to OUs.

Group Policy Objects and Storage

A Group Policy Object (GPO) is a collection of configuration settings that can be applied to certain users and/or computers based on their membership in a site, domain, or organizational unit. Each GPO has a name and a Globally Unique Identifier (GUID). A GPO consists primarily of data that is stored in two distinct locations on a network:

Group Policy Container (GPC) - Holds system and policy settings data that is stored in the Active Directory and associated with the GPO by its GUID.
Group Policy Template (GPT) - Stores the actual configuration settings.

All GPO data is synchronized to all domain controllers on a given domain.

Editing Group Policy

The Group Policy Management Editor (GPME) is the primary tool for Group Policy administrators to configure settings within a GPO. The GPME is implemented as a Microsoft Management Console (MMC) snap-in that integrates various plug-ins known as Group Policy snap-in extensions. Configuration settings in the GPO are manipulated by a network administrator using graphical extensions that are integrated into the single GPME application.

Applying Group Policy

Policy settings are applied by Client-Side Extensions (CSEs). Processing GPO settings using CSEs is periodically initiated by the Winlogon operating system process. Settings are organized into user and computer configurations. Winlogon initiates processing of user settings during user logon, and computer settings during computer boot. This is known as foreground processing.

Additionally, both user and computer configuration are initiated periodically, which is known as background processing. By default, background processing occurs every 90 minutes (with a random offset of 0 to 30 minutes), or every 5 minutes on domain controllers, although the parameters are subject to change by a Group Policy administrator. Some extensions support only user or computer configuration, and some support only foreground processing.

CSEs are extensions to client computer policy processing capability and generally correspond to a snap-in extension counterpart. CSEs implement the settings that exist in one or more GPOs. Winlogon calculates which GPOs are to be applied based on various criteria and launches each CSE as necessary. Winlogon provides the CSE with the path to each GPO (GPT and GPC), and the CSE processes the GPO settings accordingly.

Group Policy Reporting

The architecture for Group Policy reporting is called Resultant Set of Policy (RSoP). RSoP consists of two distinct modes:

Planning - Shows what the Group Policy does when it is activated
Logging - Group Policy's reporting system.

RSoP reports use data generated by CSEs that implement the RSoP reporting interface on Windows XP and later computers. The RSoP MMC snap-in is the primary tool for viewing Group Policy results. Like the GPME, the RSoP snap-in integrates various plug-ins known as RSoP snap-in extensions. Each extension reports on the configuration results from the last execution of its corresponding CSE for a particular computer or user.

Creating and Editing a GPO

You can create a Group Policy Object (GPO) using the Group Policy Management Console (GPMC). You can then use the Group Policy Management Editor (GPME) to edit the GPO. Within the GPME, you use the PowerBroker Desktops node to create and edit rules.

To create and edit a Group Policy Object (GPO):

1. Click Start, Control Panel, Administrative Tools, Group Policy Management to open the Group Policy Management Console (GPMC).

Tip: If GPMC is not installed
If you have not installed the GPMC (a free tool available at you can open the Group Policy Management Editor from Active Directory Users and Computers or from a custom Microsoft Management Console.

2. Click Forest, Domains, [MyDomain], then right-click Group Policy Objects and click New to create a new GPO.
3. Enter a name for the GPO and click OK.

100 Appendix A: Group Policy Primer 4. To modify the configuration of an existing GPO, right-click a GPO and select Edit. 5. Right-click the GPO and click Edit to launch the Group Policy Management Editor so that you can configure settings for the GPO. For software installation, you must select a GPO other than the Local Policy GPO. BeyondTrust April 15, 2011 Page 100

Appendix B: Settings in the Administrative Templates

The Administrative Templates enable you to configure PowerBroker Desktops extensions (including logging and tracing options) and manage administrator access to the Group Policy Management Editor (GPME) and Resultant Set of Policy (RSoP) snap-ins.

There are three administrative template files:

Beyondtrust.pbwd.adm - This template provides all template settings and also the text displayed in the template user interface.
Beyondtrust.pbwd.admx - This template file stores all template settings.
Beyondtrust.pbwd.adml - This template file is a language file and is used to display text in the template user interface. It is also used for internationalization purposes. It is stored under: ...\windows\policydefinitions\en-us

The administrative templates are installed with the application. However, you must add them to the GPME so that you can access the settings they contain. If you have a previous version of the template installed, you should remove it and add the latest version of the template. Doing so allows you to use new features in the latest versions.

Note: If you have not added the Administrative Template to your installation, see Installing the Administrative Template, page 81.

When added to the GPME, the Security Driver administrative template looks similar to the following graphic. In this screen, settings available in the Security Driver are listed in the right pane of the GPME.

Group Policy Settings

Two settings sheets are available in the Group Policy section of the administrative template. The following sections describe these settings sheets.

Policy Processing Setting Sheet

The following table provides the Policy Processing settings available in the Policy Processing settings sheet.

Setting Sheet Setting: PowerBroker Desktops Policy Processing
Description: PowerBroker Desktops client-side extension (CSE) policy processing settings and tracing and logging options. Available options include:
  Allow processing across a slow connection
  Configure background priority
  Configure event logging
  Turn tracing on or off
  Specify trace file locations and maximum size
Path to Options in the GPME: Computer Configuration Administrative Templates BeyondTrust System Group Policy
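The "Applying Group Policy" section and the Policy Processing settings above both turn on how a CSE is allowed to run: user or computer configuration, background refresh, slow connections. The following PowerShell is an added example, not part of the BeyondTrust guide; it reads the standard Windows CSE registration key and its documented flag values, and it assumes nothing about the GUID or display name under which the PowerBroker Desktops CSE registers.

```powershell
# Added example: inventory the Group Policy client-side extensions (CSEs)
# registered on this computer, with the flags that control when each one runs.
# Read-only: it queries the registry and file signatures, and changes nothing.

$GpExtensionsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'

function Get-CseFlag {
    param($Properties, [string]$Name)
    # A registration value that is absent means the flag is not set.
    $prop = $Properties.PSObject.Properties[$Name]
    if ($null -ne $prop) { return [int]$prop.Value }
    return 0
}

function Resolve-CseDll {
    param([string]$DllName)
    if ([string]::IsNullOrEmpty($DllName)) { return $null }
    # Bare file names are resolved against System32.
    if (-not [System.IO.Path]::IsPathRooted($DllName)) {
        $DllName = Join-Path (Join-Path $env:SystemRoot 'System32') $DllName
    }
    return $DllName
}

function Get-RegisteredCse {
    Get-ChildItem -Path $GpExtensionsKey | ForEach-Object {
        $props   = Get-ItemProperty -Path $_.PSPath
        $dllPath = Resolve-CseDll -DllName $props.DllName

        # CSE DLLs are loaded during policy processing, so an unexpected or
        # unsigned DLL registered here deserves a closer look. Files signed only
        # through a Windows catalog may show NotSigned on older PowerShell versions.
        $sigStatus = 'FileNotFound'
        if ($dllPath -and (Test-Path -LiteralPath $dllPath)) {
            $sigStatus = (Get-AuthenticodeSignature -FilePath $dllPath).Status
        }

        [pscustomobject]@{
            Guid            = $_.PSChildName
            Name            = $props.'(default)'
            Dll             = $dllPath
            Signature       = $sigStatus
            # 1 = the CSE is skipped for that kind of processing.
            NoMachinePolicy = Get-CseFlag $props 'NoMachinePolicy'
            NoUserPolicy    = Get-CseFlag $props 'NoUserPolicy'
            ForegroundOnly  = Get-CseFlag $props 'NoBackgroundPolicy'
            SkipOnSlowLink  = Get-CseFlag $props 'NoSlowLink'
        }
    }
}

# Full inventory, sorted by display name.
Get-RegisteredCse | Sort-Object Name | Format-Table -AutoSize

# CSEs whose DLL is missing or does not carry a valid signature.
Get-RegisteredCse | Where-Object { $_.Signature -ne 'Valid' } |
    Select-Object Guid, Name, Dll, Signature
```

These values are the registration defaults for each extension; policy settings delivered through an administrative template may change how an extension behaves at run time.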


More information

Administrator s Guide

Administrator s Guide Administrator s Guide UniPrint Client 5.2 Released: December 2011 Revised: 16 July 2015 12:27 pm ii UniPrint Client 5 Disclaimer and Copyright Notice UniPrint.net makes no representations or warranties

More information

Microsoft Corporation. Status: Preliminary documentation

Microsoft Corporation. Status: Preliminary documentation Microsoft Corporation Status: Preliminary documentation Beta content: This guide is currently in beta form. The AppLocker team greatly appreciates you reviewing the document and looks forward to receiving

More information

ms-help://ms.technet.2005mar.1033/security/tnoffline/security/smbiz/winxp/fwgrppol...

ms-help://ms.technet.2005mar.1033/security/tnoffline/security/smbiz/winxp/fwgrppol... Page 1 of 16 Security How to Configure Windows Firewall in a Small Business Environment using Group Policy Introduction This document explains how to configure the features of Windows Firewall on computers

More information

OneStop Reporting 3.7 Installation Guide. Updated: 2013-01-31

OneStop Reporting 3.7 Installation Guide. Updated: 2013-01-31 OneStop Reporting 3.7 Installation Guide Updated: 2013-01-31 Copyright OneStop Reporting AS www.onestopreporting.com Table of Contents System Requirements... 1 Obtaining the Software... 2 Obtaining Your

More information

Citrix Systems, Inc.

Citrix Systems, Inc. Citrix Password Manager Quick Deployment Guide Install and Use Password Manager on Presentation Server in Under Two Hours Citrix Systems, Inc. Notice The information in this publication is subject to change

More information

Table of Contents. CHAPTER 1 About This Guide... 9. CHAPTER 2 Introduction... 11. CHAPTER 3 Database Backup and Restoration... 15

Table of Contents. CHAPTER 1 About This Guide... 9. CHAPTER 2 Introduction... 11. CHAPTER 3 Database Backup and Restoration... 15 Table of Contents CHAPTER 1 About This Guide......................... 9 The Installation Guides....................................... 10 CHAPTER 2 Introduction............................ 11 Required

More information

Installation Guide. . All right reserved. For more information about Specops Inventory and other Specops products, visit www.specopssoft.

Installation Guide. . All right reserved. For more information about Specops Inventory and other Specops products, visit www.specopssoft. . All right reserved. For more information about Specops Inventory and other Specops products, visit www.specopssoft.com Copyright and Trademarks Specops Inventory is a trademark owned by Specops Software.

More information

Group Policy Preferences Overview

Group Policy Preferences Overview Group Policy Preferences Overview Requirements and Features By Darren Mar-Elia, SDM Software Overview The Group Policy Preferences (GPP) feature was first made available at the release of Windows Server

More information