Elevate Program rights

Contents

  1. Create Filter
  2. Create Policy
  3. Modify Policy settings and apply

Step1

Create a filter which identifies the application to elevate.  There are many options for doing this.  See also the documents on filters and also Reference System and Package Whitelists.  This is just one example.  This is a Windows Executable filter which can identify one or more executable depending on the values inserted.

These values (if specified) must all match for the filter to be true.  If a value is not specified (left blank) then it is not evaluated.

  • File name
  • File path (this can identify all files in the path given)
  • First discovered (usually left at Anytime)
  • Internal name (usually different from program to program but can be the same sometimes)
  • Original file name (file system name)
  • File version (can be the same from program to program. Can use wildcards)
  • Product name (usually different from program to program but can be the same)
  • Product version (can be the same)
  • Company name (frequenty the same from program to program by one company but can be different; i.e. Microsoft has many variations with different symbols) 
     
     

Step 2

Create a new Elevate Process Rights policy from Policies > Application Control > Application Control Tasks > Application Control Policies.  Right-click and select Elevate Process Rights as shown below.
 

Step 3

 
Give the policy a name that references the use (simply click on the New Elevate Process Rights Policy [at the top in bold blue] and you can edit the name)
 

 
Then click on Application:  Select an Item...  Then from the window which will come up as below select the filter(s) by highlighting on the left as shown below and clicking the > button to move to the right.  There maybe one or more filters selected.  Note also that you can click in the Search box and type a sub-string of the Filter name and the list of Available items will be filtered making it easier to find the filter you want.  Naming filters with the use case and also adding "filter" makes it easier to find, such as "Lotus Notes filter".

Multiple filters may be selected for this one policy.  For example, if a company has 10 applications to elevate with ACS and they are 10 very distinct programs (not signed by the same certificate or not running from the same directory) then 10 filters could be created to identify the application/process and then those 10 filters could all be added to the same policy.  This reduces the number of clicks and time to configure the system and also decreases the number of policies which make for less load on the system and easier maintenance of the system for an administrator.
 

 
Then click on the Appliation Actions tab and select the desired action(s).  Note:  more than one action can be applied by one policy.  Of course the actions need to be congruent (can't be conflicting) actions.  A common example is a rights action (elevation or removal) and a user message.  In this case the action is pre-populated because of the policy type selected.
 

 
Next set the Policy priority.  Policies should not have the same priority number as the results will be indeterminate.  Ordering Policy priority is a tool to increase the functionality of ACS as the order in which policies are evaluated is useful in how ACS functions.
 

 
Now adjust the Applied To if necessary and click the Off button to ON and click Save Changes and the policy will be active.
 

Labels

acs acs Delete
howto howto Delete
bestpractice bestpractice Delete
configuration configuration Delete
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.