Product Guide. Version 10.1


Table of Contents

Product Guide 1
Table of Contents 2
What's new in Application Control 10.1? 5
Extended Audit Logging 5
Windows Operating System Condition 5
Extended Metadata with Digital Certificate checking 5
Self-Elevation Enhancements 5
Command Line Matching 5
Process Protection 6
Enhanced Windows Store App Support 6
Policy Change Request per Rule 6
Product Overview 7
Functionality 7
Features 7
Benefits 10
Product Architecture 11
Application Control Console 16
Application Control Security Methods 21
Licensing 30
Managing Licenses 30
Export License Files 31
Import License Files 31
Troubleshooting 32
Service Packs 33
Installing Service Packs 33
Rolling Back Service Packs 33
Configuration 35
Configuration Elements 35
Default Configurations 36
Maintain Configurations 41
Global Settings 46
Trusted Owners 46
Extension Filtering 49
Application Termination 50
Message Settings 53
Archiving 64
Policy Change Requests 68
Help Desk Portal 72
Manage 76
Advanced Settings 76
Signature Hashing 95
Auditing 98
Configuration Profiler 104
Configuration Change Tracking 105
Privilege Discovery Mode 109
Privilege Discovery Results 113
Group Management 118
Create a Group 118
Add Items to a Group 118
Add Groups to a Rule Item 120
Remove Groups from a Rule Item 121
Delete a Group 121
Capture Signatures in a Group 121
Rules 123
Security Levels 124
Policy Change Request Settings 126
Group Rules 126
User Rules 127
Device Rules 128
Custom Rules 129
Scripted Rules 130
Process Rules 134
Rule Options 138
Rules Items 159
Control Applications 168
Use Process Rules to Restrict Access to FTP 170
Rules Examples 171
Condition Management 177
Create a Condition 179
Reusing Conditions 180
Condition Variables 180
Field Validation 180
Computer Conditions 183
Scripted Rules 185
Directory Membership Conditions 190
Scripted Conditions 191
User Privileges 194
User Privileges Policies 194
Create a User Privilege Management Policy 195
Add Group Membership to a Policy 195
Assign Privileges to a Policy 196
Privileges 197
User Privilege Management 203
System Controls 216
Self-Elevation 222
Application Network Access Control 228
Network Connection Items 228
Add a Network Connection 228
Add a Network Item Directly to a Rule 230
Edit a Network Connection Directly in a Rule 230
Assign a Network Connection Item to a Group 230
Edit a Network Connection Item in a Group 230
Application Network Access Control and Reverse DNS Lookup 231
Configure Reverse DNS Lookup Entries 231
Endpoint Configuration Merging 232
Merge Components 232
ManifestGen Tool 233
Manifests 233
Merging Configurations 237
Merge Behaviors 239
Live Configuration Rules 240
Live Configuration Update Behavior 240
Endpoint Configuration Merging Auditing Events 241
Endpoint Analysis 242
Endpoint Analysis Preparation 243
Working with Endpoint Analysis 244
Installed Applications Scans 244
Application Usage Scans 245
Application Data 246
Export an Endpoint Analysis Data File 246
Add Files to Configurations 247
Rules Analyzer 248
Prerequisites 249
Set Up Logging for Rules Analyzer 250
Log Files 251
Rules Analyzer Tasks 253
Sample Scripting Reference 254
Sample Script: Create UPM Policies 284
Sample Script: Add User Privileges Component 288
Sample Script: Edit User Privileges Component 290
Configuration Object 292
Configuration Helper Object 320
Import and Export Scripted Rules 325
Appendix 326
Citrix XenApp 326
Application Control Web Services Configuration 327
Wildcards and Regular Expressions 339
Distributed File Systems 340
App-V5.0 Support 341
Components 341

Page 2 of 344

What's new in Application Control 10.1?

Extended Audit Logging
Application Control Event Logging has been extended to include the following:
- New event for stopped and started services by a user
- Parent process name now included in 9000 events
- File owner now included in 9000 events
- Determining rule now included in events
For further information about Application Control Auditing, see Auditing.

Windows Operating System Condition
The Microsoft update model now uses build numbers to identify feature releases and service packs. When you are creating a computer operating system rule, the target build number can be specified and configured to match the specific build number entered or to use it as the maximum or minimum build release. For more information, see Computer Conditions.

Extended Metadata with Digital Certificate checking
When verifying a file using metadata, administrators can compare the entire certificate to determine the authenticity of the file and whether the metadata can be trusted. The feature also includes real-time certificate verification that helps you diagnose any issues by selecting different combinations or verification settings. As you configure the settings, the certificate status is updated. For more information, see Metadata and Verify Options.

Self-Elevation Enhancements
Self-Elevation has been extended to support all file types. Administrators can also specify that certain file extensions can be elevated only when opened with certain applications. For example, you can specify that VBS files can be elevated only with wscript.exe. For more information, see Self-Elevation.

Command Line Matching
Application Control can now apply rules based not just on the application being launched, but also on any command line arguments. This is useful if full access to an application is not required but specific users need to launch certain files or run applications under certain conditions. Command line arguments can be added for File and Signature rule items.

This feature also includes two new advanced settings - Validate PowerShell scripts and Validate Java archives. When these settings are turned on, powershell.exe, powershell_ise.exe, and java(w).exe are blocked and PS1 and JAR files are subject to trusted ownership checking. Specific files can then be added to rules which do not require a trusted owner. Add powershell.exe or java(w).exe to a rule to allow them for specific users, while blocking them for all other users. For example, you may want to allow powershell.exe for your developers so they can launch any PowerShell script. For further information, see Rule Items and Advanced Settings.

Process Protection
The System Controls feature of Application Control has been extended to include the protection of processes. Using this enhancement, a specified process - such as antivirus software - can be protected from termination by all users, including administrators. For further information, see System Controls.

Enhanced Windows Store App Support
Further support has been added to the control of Windows Store Applications. Applications can be blocked or allowed based on the application's publisher. Using the publisher for sideloaded apps means multiple apps can be controlled. This makes it possible to configure a restriction for all Store Apps while allowing those sideloaded by an organization or IT department. For further information, see Rule Items.

Policy Change Request per Rule
Administrators can enable the Policy Change Request feature on a per-rule basis. This allows the type of change request and the available request methods to be configured differently for different users or groups of users. Some aspects of the feature, such as specifying the address and shared key, remain global. For further information, see Policy Change Requests.

Product Overview

Application Control prevents unauthorized code execution and enforces software licensing through the trusted ownership model and uses an improved approach to traditional whitelisting and blacklisting. It also manages user privileges and policy at a granular level whilst allowing for optional self-elevation when exceptions occur. Application Control keeps IT security requirements in balance with user productivity needs, delivering endpoint security through privilege and application control, increased corporate compliance, improved platform stability and consistency, and significant reductions in both IT support and software licensing costs.

Functionality

The Application Control main feature set includes:
- Application Access Control
- Application Network Access Control
- Privilege Management

You can turn off any of these parts of functionality if they are not required. For example, you may not want to use Application Network Access Control.

To enable or disable certain Application Control functionality:
1. In the Manage ribbon, click Advanced Settings. The Policy Settings tab is displayed.
2. In the Functionality region, select to enable or deselect to disable one or more of the following Application Control functionalities: Application Access Control, Application Network Access Control, Privilege Management. All the functionality options are selected by default.
3. Click OK.

Features

Application Control provides the following key features for application control:

Privilege Management
Privilege Management allows you to create reusable user privilege policies which can be associated with any rules and can elevate or restrict access to files, folders, drives, signatures, application groups, and Control Panel components. A more granular level of control allows you to assign specific privileges for debugging or installing software, or to set integrity levels for managing interoperability between different products, such as Microsoft Outlook and Microsoft Word. Privileges Management contains four primary functions:
- Elevating user privileges for applications.
- Elevating user privileges for Control Panel components and Management Snap-ins.
- Reducing user privileges for applications.
- Reducing user privileges for Control Panel components and Management Snap-ins.

Trusted Ownership
By default, only application files owned by an administrator or the Local System are allowed to execute. Trusted Ownership is determined by reading the NTFS permissions of each file which attempts to run. Application Manager automatically blocks any file where ownership cannot be established, such as files located on non-NTFS drives, removable storage devices, or network locations. These files can optionally be allowed to run either by specifying them as Allowed Items or by configuring a Self-Authorizing User rule. The Trusted Owner list can be configured to suit each environment.

Rules: User, Group, Device, Custom, Scripted, and Process
Extend application accessibility by applying rules based on username, group membership, computer or connecting device, scripts and parent processes, or combinations of these. Allowed Items and Denied Items, Trusted Vendors, and Privilege Management can be specified in each rule, and are applied to a user session based on the environment in which the user operates.

Scripted Rules
Scripted rules allow administrators to apply Allowed Items, Denied Items, Trusted Vendors, and Privilege Management policies based on the outcome of a Windows PowerShell or VBScript. Scripts can be run for each individual user session or run once per computer.

Process Rules
Process rules apply to parent processes to manage access to child processes at the next level below the parent processes. Process rules include Allowed Items, Denied Items, Trusted Vendors and Privilege Management. The rule does not manage access to the parent process.

Trusted Vendors
Allow authentic applications to run when they have digital certificates signed by trusted sources, and are otherwise prohibited by Trusted Ownership checking. Define a list of Trusted Vendor certificates for each User, Group, Device, Custom, Scripted, and Process rule in the configuration.

Application Termination
Application Termination allows you to control triggers, behavior, and warning messages for terminating applications on managed computers. You can also control the manner in which applications are terminated and how the user is notified.

Network Connections
Block access to certain applications accessed via IP, Universal Naming Convention (UNC) or host name. Application Control can manage access based on the location of the requester, for example if they are connecting via a virtual private network (VPN) or directly to the network.

Digital Signatures
SHA-1, SHA-256 and Adler-32 signature checks may be applied to any number of application control rules, providing enhanced security where NTFS permissions are weak or non-existent, or for applications on non-NTFS formatted drives. A digital signature wizard allows easy creation and maintenance of large digital signature lists.

Windows Store Apps
Access to Windows Store apps can be controlled by Application Control. Grant or restrict access by applying group rules to one or more Windows Store apps. Application snippets can also be imported and rules configured if the machine being used to create the configuration is not compatible with Windows Store apps.

Endpoint Analysis
Allows an administrator to browse to any endpoint and retrieve a list of applications that have been installed on that endpoint. Search for any executable files and add them to the configuration. Application Control records which applications are started and by whom. The recording of data is started and stopped by the administrator. Organize the files into authorized and unauthorized groups to quickly create a policy. The configurations can be deployed to a user, a group of users, a machine, or a group of machines. Endpoint Analysis is on demand and inactive by default.

Offline Entitlement
Users are increasingly mobile, so it is important that entitlement rules are enforced when the user is not connected to the corporate network. Application Control ensures users only access the applications and resources to which they have permission when offline by using entitlement rules on the endpoint device.

Passive Monitoring
Application Control can monitor application use without preventing users running applications. Passive monitoring can be enabled or disabled on a per user, device, or group basis and provides a tool to track user behavior prior to full implementation, or to understand application use for software license management.

Self-Authorizing Users
Provides the option for users to execute applications that they have introduced into the system. Applications can be added to a secure machine while outside of the office without relying on IT support. A comprehensive audit can detail information such as the application name and the time and date of execution and device. Additionally, a copy of the application can be taken and stored centrally for examination.

Application Limits and Time Restrictions
Apply a policy to control the number of application instances a user can run, along with the times when it can run. You can create a policy to control or enforce licensing models by controlling application limits on a per user basis, but not per device.

Configuration Templates
Best practice configuration templates are provided that can be imported into Application Control. Application Control can import a number of configuration files and use these in combination.

Privilege Discovery Mode
Allows you to monitor endpoints to identify applications that use administrative rights. A web service is used to collect the data and relays that data to the Privilege Discovery Mode work area in the Application Control Console.

Auditing
Events are raised by Application Control according to the default Event Filtering configuration and audited directly to a local file log or the Windows Event Log. Alternatively, events can be forwarded for auditing to the Management Center via the Deployment Agent (CCA). The Application Control audit event reports available in the Management Center can also be used to provide details of current application usage across the enterprise.

Windows Scripting Host Validation
The default configuration in Application Control validates all Windows Scripting Host (WSH) scripts, such as VBS, against configuration rules. This ensures that users can only invoke authorized scripts, eliminating the risk of introducing WSH scripts that contain viruses or malicious code. The Validation settings can be disabled in the Application Control Options dialog, along with validation of cmd.exe, self-extracting ZIP files, registry files, and Windows installer (MSI) files. Only self-extracting EXEs formatted using the ZIP specification are supported. For additional information, see ZIP Specifications.

Functionality Cut-off Settings
Enable and disable certain features in Application Control either when not in use or when troubleshooting issues in your configurations. The functionality that you can manage in this way includes:
- Application Access Control
- Application Network Access Control
- Privilege Management

Benefits

The key benefits of using Application Control are:

- Protect against malicious code.
- Selectively elevate or restrict administrative privileges to access or run specific applications or access system settings.
- Control role-based application usage.
- Protect 'out of the box' against all unauthorized application usage.
- Manage processes at a granular level to control application access to child processes.
- Stop unauthorized device license usage.
- Apply time restrictions on when applications can or cannot be run.
- Control network access from within applications.
- Control network access based on location.

Product Architecture

Software Agent
Application Control is installed and run on endpoints using a lightweight agent. The agent is installed directly onto the local computer. Both agents and configurations are constructed as Windows Installer (MSI) packages and so can be distributed using any third party deployment system that supports the MSI format. The installers are delivered in separate 32-bit and 64-bit Microsoft Installer packages.

For Application Control to function, the agent must be installed on the client endpoint together with an associated configuration. The installation may be performed manually or by means of a deployment system such as the Management Center. Because agents and configurations are installed and stored locally on the endpoint, they continue to operate when the endpoint is disconnected or offline.

The Application Control agent installs a Windows Service (the Application Control Service), a filter driver, and a hook. The hook sits above the driver and intercepts all executables. It does not intercept DLLs, unlike the driver. If an executable is not intercepted by the hook it is intercepted by the driver. The driver intercepts execution requests that are made within the operating system that pass from the I/O Manager to the drive and the device subsystems, for example NTFS.SYS or the LanMan Redirector for Microsoft Networking Services. The driver does not intercept ordinary file access such as the opening of a document or text file.

Every intercepted create process request is intercepted by the hook. When the request is intercepted by the hook, the request is passed on to the Application Control Agent Service for validation against the configuration settings, which returns an execution granted or denied response that is dealt with by the hook or driver, depending on which sent the request. If the response is granted, the request is passed on to the relevant file system driver to continue with the application loading from disk. In the case of a denied executable or script, the agent replaces the original path with Application Control's customizable message box (AMMessage). This effectively blocks access to the original requested executable and instead displays a message to the user. In the event of a DLL being blocked, no Application Control message is displayed; the default operating system message is displayed instead.

Agent Service
The Application Control Agent Service runs as a SYSTEM service on each computer that is controlled using the Application Control component. The agent provides the intelligence for dealing with the execution requests passed from the Application Control kernel level driver and the hook. Each and every execution request is validated against the configuration settings that are held on each local machine containing the Application Control agent software. Along with the details of the application request, the agent service checks who the user is and which computer the request originates from so that this can be processed at the same time to enable user, group, client, or custom rules to function as expected. The configuration is stored in a local configuration file for performance and control reasons. This means that all requests can be turned around in minimum time and, perhaps more importantly, without the need for a network link to a central server, which ensures that unconnected machines, such as laptops, remain secured even when not physically connected to the Local Area Network.

Agent Assist
Agent Assist provides support for the agent. Instances of Agent Assist are started on demand by the agent and run using the SYSTEM account. Each Agent Assist is specific to a user session. If Agent Assist is initiated, no more than one instance runs in a session. Once started, Agent Assist typically remains running until the session logs off or the agent is stopped. Agent Assist does the following:
- Enforces time limits on applications.
- Prompts Self Authorizing Users to confirm whether to allow denied DLLs (applications are handled by Agent Assist).
- Performs auditing for the events 9006 and 9007: Self-authorization decision by user, Self-authorized execution request, and An application has been terminated by Application Control.
- On 64-bit systems, Agent Assist can start the 32-bit DLL component that installs the 32-bit Application Hook into 32-bit applications running in the same user session.

DLL Injection Assist
DLL Injection Assist is a 32-bit component that is only installed on 64-bit systems. It is used solely by Agent Assist to install the 32-bit application hook into 32-bit applications running in the same user session.

Filter Drivers
The agent intercepts, then validates, all application execution requests against the configuration. It then either grants or denies access to the executable content. The agent also triggers auditing events that are collected by the AppSense Deployment Agent. The driver only intercepts execution requests placed against the operating system because it is connected between the I/O Manager (in the Executive Services) and the actual device drivers for the file systems themselves (for example, NTFS.SYS, CDROM.SYS, or LanMan Redirector for Microsoft Networking Services). The driver does not intercept ordinary file access such as the opening of a text file, document, or presentation. Every intercepted request is subsequently passed on to the Application Management Agent Service for validation against the current configuration. The Agent Service returns an allowed or denied response that is dealt with by the filter driver. If the response is allowed, the request is passed on to the relevant file system driver to continue with the application loading from disk. If the request is denied, the filter driver replaces the request with Application Control's error-handling system, which is responsible for the display of a fully customized message box to the end user. This error handling effectively blocks access to the requested executable code by advising the originating process that all is successful, and the customized message box is displayed in place of the expected executable code. This prevents the operating system displaying a File not Found or Access Denied message.

The driver is a lightweight driver that filters file system requests for files, but not folders, with the Execute, Overwrite, and Rename permissions requests. The driver sends requests to the Application Control agent for authorization. Depending on the response from the agent, the driver allows, redirects, or denies the request. When it redirects, the driver redirects to one of the Message Box applications. The driver only redirects as a fall back if the request is missed by the hook.

The filter driver can dynamically start but cannot be stopped without a reboot. This can be found in %systemdrive%\programfiles\applicationmanager\agent\amfilterinstall and is called

For more information on the Deployment Agent, see the Management Center Help.

Mini Filter Driver
The mini filter driver is a lightweight driver that filters file system requests for both files and folders on UNC paths, but not for local drives. The driver sends requests to the agent for authorization. Depending on the response from the agent, the driver allows or denies the request. This can be found in %systemdrive%\program

The mini filter driver can be dynamically started and stopped.

Application Hook
This is a DLL that is loaded into every user process. The Application Hook sends create process and network requests to the agent for authorization. In the event of a blocked executable, the original request is replaced with a request for AMMessage. In the event of a blocked network request, access to the network resource is denied. If any token modification is required, as part of Privileges Management, an appropriate request is sent to the agent. The agent sends back a modified token, which is used to launch the requested process. Where Application Network Access Control (ANAC) is concerned, because the volume of network requests is high, the results provided by the agent are cached in the memory of the application. This is essential to avoid a dramatic performance degradation to network traffic. For more information on ANAC see Application Network Access Control.

Browser Add-on
CascadeBHO.dll is an Application Control Browser Helper Object (BHO) loaded by Internet Explorer that is used as part of the URL Redirection and Elevated Web Sites features. If a configuration contains any of these types of rules, the Cascade BHO is enabled, and therefore loaded, by Internet Explorer. If there are no URL Redirection or Elevated Web Sites rules, the BHO is disabled. The BHO is loaded only by Internet Explorer. A separate extension that provides the same functionality, AppSense Cascade, is loaded by Chrome. There is no equivalent for the Microsoft Edge browser.

Check the CascadeBHO.dll Status
1. In Internet Explorer, select Tools > Manage add-ons. The Manage Add-ons dialog displays.
2. In the Add-on Types panel, ensure Toolbars and Extensions is selected. You can view the status of the add-ons in the pane on the right.

Configuration
AppSense Application Control configuration files (AAMP files) contain the rule settings for securing your system. The agent checks the configuration rules to determine the action to take when intercepting file execution requests. Configurations are stored locally in the All Users profile and are protected by NTFS security. In standalone mode, configuration changes are written directly to the file system from the Application Control console. In Enterprise mode, configurations are stored in the Management Center database, and distributed in MSI format using the Management Center console. Configurations can also be exported and imported to and from MSI file format using the Application Control console. This is useful for creating templates or distributing configurations using third party deployment systems. After creating or modifying a configuration you must save the configuration (and deploy if necessary) to ensure that the changes are actioned.

Application Control Console
The console enables you to create, view, edit, and save configurations for Application Control. The console includes the Configuration Profiler, which you can use to review the probable effect of the configuration on users. The Rules Analyzer function allows you to record the actual effect of the configuration on users on an endpoint that has the Application Control agent installed and running. The Endpoint Analysis tool allows you to record application usage, and to catalog installed application usage on an endpoint that has the Application Control agent installed.

Console Elements

File Tab

Application Menu
The Application menu provides options for managing configurations, including create new, open existing, save, and to import and export configurations.

Option: New
Description: Creates a new default configuration which is locked for editing.

Option: Open
Description: Opens an existing configuration (AAMP format) from one of the following locations:
- Live configuration on this computer
- Configuration from the Management Center
- Configuration file on a local or network drive
- Configuration from System Center Configuration Manager
- Configuration from Group Policy
A live configuration is located on a computer that has an Application Control agent installed and running.

Option: Save
Description: Saves the configuration in one of the following states:
- Save and continue editing - saves the configuration and keeps it locked while open for editing. Any changes that have been made are not committed to the configuration and it cannot be deployed while locked.
- Save and unlock - saves the configuration and unlocks it ready for deployment. The current configuration closes and a new default configuration opens.
- Unlock without saving - unlocks the configuration without saving changes. The current configuration closes and a new default configuration opens.

Option: Save As
Description: Saves the configuration with a new name to one of the following locations:
- Live configuration on this computer
- Configuration in the Management Center
- Configuration file on a local or network drive
- Configuration in System Center Configuration Manager - saves your configuration to the specified System Center Configuration Manager server.
- Configuration in Group Policy - creates the configuration in a selected Group Policy Store.
A live configuration is located on a computer that has an Application Control agent installed and running. If using a Microsoft Windows operating system with UAC enabled, you must ensure that you open the console with administrator privileges.

Option: Import & Export
Description: Imports a configuration from MSI format, usually legacy configurations which have been exported and saved from legacy consoles. Exports a configuration to MSI format.

Option: Exit
Description: Closes the console. You are prompted to save any changes you have made to the current configuration.

Option: Preferences
Description: Allows you to choose whether to show the splash screen on startup.

Quick Access Toolbar
The Quick Access toolbar provides quick functionality for managing the configuration setup, such as Save, Save and Unlock, Undo, Redo, and navigation to previously and next displayed views.

Quick Access Toolbar Options

Option: Save
Description: Saves changes to the configuration. The configuration will remain locked if opened from the Management Center.

Option: Save and unlock
Description: Saves changes and unlocks the configuration. These changes can now be deployed from the Management Center.

Option: Undo
Description: Clears the action history. Up to 20 previous actions are listed. Select the point at which you want to clear the actions. The action selected and all proceeding actions are undone.

Option: Redo
Description: Re-applies the cleared action history. Up to 20 cleared actions are listed. Select the point at which you want to redo the actions. The action selected and all subsequent actions are redone.

Option: Back
Description: Navigates back through the views visited in this session.

Option: Forward
Description: Navigates forward through the views visited in this session.

Manage the Quick Access Toolbar
You can configure the Quick Access toolbar to display the commands you use the most and to change its position in the console:
- To add a command to the Quick Access Toolbar, right-click the ribbon button or file menu option and select Add to Quick Access Toolbar.
- To remove a toolbar item, right-click it and select Remove From Quick Access Toolbar.
- To display the toolbar below a ribbon, right-click a ribbon or the toolbar and select Show Quick Access Toolbar Below the Ribbon.

Help
The Help ribbon includes a Help button that launches the Help for the product and displays the topic relating to the current area of the console in view. A smaller icon for launching the Help displays at the far right of the console, level with the ribbon tabs, for convenience when the Home ribbon is not in view. You can also press F1 to launch the Help topic for the current view. The ribbon also contains the About button, which you click to display the product version and build number, and buttons to visit the Ivanti website and to contact Support.

Navigation Pane
The Navigation pane consists of the navigation tree and navigation buttons. The navigation tree is the area for managing nodes of the configuration. The navigation buttons allow you to view the different areas of the console.

21 Wrk Area The Wrk Area prvides the main area fr managing the settings f the cnfiguratin and prduct. The cntents f the wrk area vary accrding t the selected ndes in the navigatin tree and the selected navigatin buttns. Smetimes the wrk area is split int tw panes. Fr example, ne pane can prvide a summary f the settings in the ther pane. Additinal Cnsle Features: Shrtcut Menu right-click shrtcuts are available in the navigatin tree and sme areas f the cnsle. Drag and Drp this feature is available in sme branches f the navigatin tree. Cut/Cpy/Paste these actins can be perfrmed using the buttns in the Edit ribbn, shrtcut menu ptins, and als using keybard shrtcuts. Recmmended screen reslutin fr the cnsle is 1024 x 768 pixels. Applicatin Cntrl Security Methds Applicatin Cntrl ffers a number f security methds that yu can implement t prtect a system withut cmplex lists and cnstant management. These include the fllwing: Page 21 f 344

22 Trusted Ownership Trusted Vendrs Digital Signatures Whitelisting Blacklisting T get the mst value ut f an Applicatin Cntrl cnfiguratin, yu can use hybrid apprach in which yu cmbine the mst suitable cmpnents frm each security methd t prvide the ptimum security mdel, while minimizing verall management and cnfiguratin verheads. The Trusted Ownership apprach enables new applicatins t be installed by Trusted Owners withut any changes required t the Applicatin Cntrl cnfiguratin, yet still prvides full security against unknwn applicatin and script cntent intrduced by nn-trusted end users. S it's recmmended that this security methd be used fr the basis f mst Applicatin Cntrl cnfiguratins. This is why this functinality is enabled by default in all new Applicatin Cntrl cnfiguratins. The whitelist apprach is the mst secure but it is an administrative-intensive security mdel. If an enterprise des nt use NTFS security n their file systems, the whitelist methd is the recmmended ptin because Trusted Ownership relies n the file wner infrmatin that is nly fund in NTFS. Trusted Ownership is nly apprpriate fr lcally installed executable cntent; that is, applicatins that exist n lcal fixed drives in a cmputer. Any executable r script cntent that resides n netwrk lcatins r n remvable media, such as a CD r a DVDROM, is autmatically cnsidered untrusted, and is immediately blcked frm executing. Any such applicatin that must be executed by a user must be specifically added t the whitelist in the Applicatin Cntrl cnfiguratin, with a full UNC path t the relevant executable. It is pssible t ptinally disable Trusted Ownership checking n these items if necessary, r t ptinally select t take a SHA-1, SHA-256 r Alder-32 signature t check the file at runtime. It is cnsidered gd practice t use digital signature checking fr applicatins based n netwrks r remvable media because these files tend t be utside f the cntrl f the administratr respnsible fr the rganizatin's endpints. 
Trusted Vendor checking is recommended for development and test environments where end users may need to constantly install and test different versions of company-owned application and script content. By signing the desired executables with a digital certificate, Trusted Vendor checking can be configured to allow all signed components to be executed as and when needed.

Finally, you should create a blacklist, preventing specific user access to applications that would typically be installed, and therefore owned, by Trusted Owners, including parts of the operating system such as registry editing tools, file sharing tools, and access to Control Panel components. This blacklist can also be used for application license management, when used in conjunction with whitelists and the Application Limits functionality.

Trusted Ownership

Application Control uses secure filter drivers and Microsoft NTFS security policies to intercept all execution requests. Execution requests go through the Application Control hook and any unwanted applications are blocked. Application entitlement is based on the ownership of the application, with default trusted ownership typically being for administrators. By using this method, the current application access policy is enforced without the need for scripting or list management. This is called Trusted Ownership.

In addition to executable files, Application Control also manages entitlement to application content such as VBScripts, batch files, MSI packages, and registry configuration files. Application Control supports PowerShell only from version 2.0 onward, and PowerShell must be installed on the endpoint.

Trusted Ownership is the default method of controlling access to applications in Application Control. It uses the Discretionary Access Control (DAC) model. It examines the owner attribute of the file and compares it to a predefined list of trusted owners. If the owner of the file appears in the list then execution of the file is granted, otherwise it is denied. The decision is made independently of the user actually trying to execute the file.

An important feature of this security method is that it does not consider the file contents at all. In this way, Application Control is able to control both known and unknown applications. Conventional security systems such as anti-virus applications compare file patterns against those in a known list to identify potential threats, so the protection they offer is directly proportional to the accuracy of the list used for comparison. Many malware applications are either never identified or, at best, identified only after a period of time during which systems are left vulnerable.

Application Control, by default, allows ALL locally installed executable content to execute IF the owner of the executable is listed in the Trusted Owners list in the configuration.
The administrator must then supply a list of applications that they do not want to execute from the local disk subsystem, which would typically be administrative applications such as mmc.exe, eventvwr.exe, setup.exe, and so on. If this approach is taken, the administrator does not have to find out the full details of every piece of executing code required for the application set to function, because the Trusted Ownership model allows or denies access as appropriate.

Although Application Control is able to stop any executable or script-based malware as soon as it is introduced to a system, Application Control is not intended to be a replacement for existing malware removal tools, but should act as a complementary technology sitting alongside them. For example, although Application Control is able to stop the execution of a virus, it is not able to clean it off the disk.

Application Control and Trusted Ownership

Application Control maintains a trusted owners list that is defined in the Trusted Owners dialog. This dialog is accessed from the Global Settings ribbon.

Users and groups can be deleted or added as required. Do not remove all Trusted Owners. This would result in no application on the system being trusted and standard users being unable to run anything.

In the NTFS file system, a file can be owned by either a user or a group, and therefore both may be added. When the check for Trusted Ownership is performed, the Security Identifier (SID) of the file owner is determined and this is checked against the list of SIDs in the trusted owner configuration. Application Control does not evaluate a group or determine the users of a group. This ensures that Application Control continues to function correctly when machines are not connected to a network and this information is not available.

There are two options in the Trusted Owners dialog:

Enable Trusted Ownership checking - Select to switch on Trusted Ownership checking. If this is not selected, Application Control does not perform any Trusted Ownership checking and

other security methods must be configured to give the desired security.

Change a file's ownership when it is overwritten or renamed - The default for certain operating systems is to retain file ownership when a file is overwritten or renamed. This can be seen as a security flaw: if NTFS permissions allow, a user may overwrite a legitimate (trusted-owned) file with a file that would otherwise be blocked, and the replacement inherits the trusted owner. Select this option to ensure that if a legitimate file is compromised in this way, the ownership changes to that of the user and Trusted Ownership prevents the file from being executed.

Trusted Ownership Rule

Trusted Ownership does not need to take into account the logged-on user. It does not matter whether the logged-on user is a Trusted Owner, an administrator, or neither. Trusted Ownership revolves around which user (or group) owns a file on the disk. This is typically the user who created the file. It is common to see the group BUILTIN\Administrators in the Application Control console as the file owner. It is also possible to find that the file owner is an individual administrator's account. This results in the following situations:

- The file owner is the group BUILTIN\Administrators and this group is a Trusted Owner. Trusted Ownership allows the file to execute.
- The file owner is an individual administrator and the individual administrator is a Trusted Owner. Trusted Ownership allows the file to execute.
- The file owner is an individual administrator and the individual administrator is not a Trusted Owner, but the BUILTIN\Administrators group is a Trusted Owner. Trusted Ownership does not allow the file to execute.

In the last case, even though the administrator who owns the file is a member of the BUILTIN\Administrators group, the file owner is not trusted. The group is not expanded to find out whether the individual owner should be trusted. In this case, to allow the file to execute, the file's ownership must be changed to BUILTIN\Administrators.

Trusted Vendors

Trusted Vendors can be specified in each Application Control rule node.
Trusted Vendors are used for listing valid digital certificates. A digital certificate is an electronic document that uses a digital signature to bind together a public key with an identity. This includes information such as the name of a person or organization, address, and so on. Digital certificates are issued by a certificate authority and used to verify that a public key belongs to an individual or organization.

Application Control queries each file execution to detect the presence of a digital certificate. If the file has a valid digital certificate and the signer matches an entry in the Trusted Vendor list, the file is allowed to run, overriding any Trusted Ownership checking. Note that the signature must be valid, not merely present: a file whose signature does not verify, or whose certificate chain is not trusted, does not satisfy the Trusted Vendor check.

You can check whether a file has a digital certificate by displaying the file's Properties dialog. A file has a digital certificate if there is a Digital Signatures tab in which you can view details of the certificate, including signer information, advanced settings and an option to display the certificate.
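The following script is an added illustration, not Ivanti or AppSense code, of the decision logic described in the Trusted Ownership and Trusted Vendors sections above: the owner SID of the file is compared literally against a list of trusted SIDs (groups are never expanded, so an individual administrator's SID is not trusted just because that account belongs to BUILTIN\Administrators), files on network shares or removable media are refused outright, and a valid Authenticode signature from a listed vendor overrides the ownership result. The trusted-owner SIDs, the placeholder vendor thumbprint and the sample files are assumptions for the example.

```powershell
# Added example (not Ivanti/AppSense code): a minimal re-implementation of the
# Trusted Ownership and Trusted Vendor decision, to show the literal SID match
# and the vendor override. Lists below are assumptions for the example.

# Trusted Owners, keyed by SID, as Application Control compares them.
# S-1-5-32-544 = BUILTIN\Administrators, S-1-5-18 = NT AUTHORITY\SYSTEM,
# S-1-5-80-956008885-... = NT SERVICE\TrustedInstaller (owner of most Windows binaries).
$TrustedOwnerSids = @(
    'S-1-5-32-544',
    'S-1-5-18',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

# Trusted Vendors, keyed by signing-certificate thumbprint. This value is a
# placeholder (assumption); take the real one from the file's Digital Signatures tab.
$TrustedVendorThumbprints = @('0000000000000000000000000000000000000000')

function Get-FileOwnerSid {
    param([Parameter(Mandatory)][string]$Path)
    # Get-Acl reports the owner as DOMAIN\Name; translate it to a SID because the
    # ownership check works on SIDs and must not depend on name resolution (no DC needed).
    $owner = (Get-Acl -LiteralPath $Path).Owner
    (New-Object System.Security.Principal.NTAccount($owner)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function Test-TrustedOwner {
    param([Parameter(Mandatory)][string]$Path)
    # Literal membership test: an individual admin's SID is NOT trusted merely
    # because that admin is a member of a trusted group.
    $TrustedOwnerSids -contains (Get-FileOwnerSid -Path $Path)
}

function Test-TrustedVendor {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Status must be Valid (hash matches, chain builds, not revoked). A signature
    # that is present but broken (HashMismatch, NotTrusted) must not count.
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) { return $false }
    $TrustedVendorThumbprints -contains $sig.SignerCertificate.Thumbprint
}

function Get-ExecutionDecision {
    param([Parameter(Mandatory)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    # UNC paths and anything not on a local fixed disk (Win32 DriveType 3) are
    # untrusted regardless of owner, as the guide states for network and removable media.
    $root = [System.IO.Path]::GetPathRoot($full).TrimEnd('\')
    if ($full.StartsWith('\\') -or
        (Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$root'").DriveType -ne 3) {
        return [pscustomobject]@{ Path = $full; Decision = 'Deny'; Reason = 'Not on a local fixed drive' }
    }
    if (Test-TrustedVendor -Path $full) {
        return [pscustomobject]@{ Path = $full; Decision = 'Allow'; Reason = 'Trusted Vendor signature' }
    }
    if (Test-TrustedOwner -Path $full) {
        return [pscustomobject]@{ Path = $full; Decision = 'Allow'; Reason = 'Trusted Owner' }
    }
    [pscustomobject]@{ Path = $full; Decision = 'Deny'; Reason = "Owner SID $(Get-FileOwnerSid $full) is not a Trusted Owner" }
}

# Usage: a system binary (owned by TrustedInstaller) versus a copy of the same
# binary created by the current user. The copy is a new file owned by whoever
# created it, so the ownership decision differs even though the bytes are identical.
Get-ExecutionDecision "$env:SystemRoot\System32\notepad.exe"
Copy-Item "$env:SystemRoot\System32\notepad.exe" "$env:TEMP\np.exe" -Force
Get-ExecutionDecision "$env:TEMP\np.exe"
```

Run the script as a standard user to see the two decisions side by side; running it elevated only changes who owns the copy, not the logic. If you replace the placeholder thumbprint with Microsoft's code-signing certificate thumbprint, the copied notepad.exe is allowed again through the Trusted Vendor path, which is exactly the override the guide describes.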

For more information, see Add a Certificate to a Trusted Vendor.

Digital Signatures

Digital Signatures provide a means to accurately identify a file according to the actual contents of the file itself. Each file is examined and, according to its contents, a digital hash, which may be likened to a fingerprint, is produced. Application Control makes use of the industry standard SHA-1, SHA-256 and Adler-32 hashes. If the file is altered in any way, then the hash is also altered. Other algorithms can be selected from the Signatures drop-down on the Advanced Settings dialog. Note that Adler-32 is a checksum rather than a cryptographic hash and is trivial to collide, and collisions have been demonstrated for SHA-1, so SHA-256 is the appropriate choice where the signature is the basis of an allow decision.

Digital hashing is seen as the ultimate security method because it is accurate. It identifies each file independently of all factors other than the file itself. For example, an administrator takes a digital hash of all executables on a computer system and records them. A user then tries to execute an application. The digital hash of the application is calculated and then compared to the recorded values. If there is a match the application is granted execution, otherwise it is denied. This methodology also provides zero-day protection because not only does it stop new applications from being introduced, it also blocks any applications that have been infected with malware.

Although digital signatures provide similar protection to Trusted Ownership, you must also consider the time and management involved in maintaining the security systems in place. Applications are constantly being updated with service packs, bug fixes, and vulnerability patches. This means that all associated files are also constantly being updated. So if, for example, a service pack is applied to Microsoft Office, then for the updated parts to work, new digital hashes of the updated files must be taken. Take care to ensure that these are available when the update is available, to eliminate downtime. Additionally, it is recommended that you remove the old signatures.

Signature Wizard

Application Control has a Signature Wizard that allows you to apply digital signatures either to an individual file or to a group.
Digital signatures can be grouped in one of two ways: by scanning folders and subfolders, or by examining a running process. The Signature Wizard is available from the Groups ribbon when you select a group beneath the Library > Group Management node.
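To make the Digital Signatures section concrete, here is an added example (not Ivanti code, and not the Signature Wizard's own implementation) that does what a folder scan does in principle: it walks a folder tree, records a SHA-256 signature (via Get-FileHash) and an Adler-32 checksum (implemented inline, since no built-in cmdlet provides it) for every executable or script file, reports and skips duplicates, and then checks a file against the recorded set at "run time". The extension list, the sample tree under %TEMP% and the use of where.exe as a stand-in executable are assumptions constructed for the example.

```powershell
# Added example (not Ivanti code): build a signature set the way a folder scan
# would, then verify a file against it by contents alone.

$ExecutableExtensions = '.exe', '.dll', '.com', '.scr', '.msi', '.bat', '.cmd', '.vbs', '.js', '.ps1'

function Get-Adler32 {
    param([Parameter(Mandatory)][string]$Path)
    # Adler-32: two running sums modulo 65521 (the largest prime below 2^16).
    # It is a checksum, not a cryptographic hash, and is easy to collide, so it
    # only detects accidental change; the allow decision below uses SHA-256.
    [int64]$a = 1; [int64]$b = 0
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 65536
        while (($n = $stream.Read($buf, 0, $buf.Length)) -gt 0) {
            for ($i = 0; $i -lt $n; $i++) {
                $a = ($a + $buf[$i]) % 65521
                $b = ($b + $a) % 65521
            }
        }
    } finally { $stream.Dispose() }
    '{0:X8}' -f ($b * 65536 + $a)   # high 16 bits = b, low 16 bits = a
}

function New-SignatureSet {
    param([Parameter(Mandatory)][string]$Folder)
    # Scan the folder and its subfolders. A file whose SHA-256 is already in the
    # set is a duplicate: report it and do not record it twice.
    $set = @{}
    Get-ChildItem -LiteralPath $Folder -Recurse -File |
        Where-Object { $ExecutableExtensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $sha = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            if ($set.ContainsKey($sha)) {
                Write-Warning "Duplicate signature: $($_.FullName) matches $($set[$sha].Path)"
                return
            }
            $set[$sha] = [pscustomobject]@{
                Path    = $_.FullName
                SHA256  = $sha
                Adler32 = Get-Adler32 -Path $_.FullName
            }
        }
    $set
}

function Test-SignatureAllowed {
    param(
        [Parameter(Mandatory)][hashtable]$SignatureSet,
        [Parameter(Mandatory)][string]$Path
    )
    # Runtime check: the decision depends only on the file's contents, never on
    # its name, path or owner, so a patched, renamed or infected copy fails.
    $sha = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $SignatureSet.ContainsKey($sha)
}

# Usage with a constructed sample tree under %TEMP%.
$root = Join-Path $env:TEMP 'sigdemo'
New-Item -ItemType Directory -Path "$root\sub" -Force | Out-Null
Copy-Item "$env:SystemRoot\System32\where.exe" "$root\tool.exe" -Force
Copy-Item "$env:SystemRoot\System32\where.exe" "$root\sub\tool-copy.exe" -Force   # identical bytes: reported as duplicate
Set-Content -Path "$root\run.cmd" -Value '@echo hello'

$sigs = New-SignatureSet -Folder $root
$sigs.Values | Format-Table Path, Adler32, SHA256 -AutoSize

Test-SignatureAllowed -SignatureSet $sigs -Path "$root\run.cmd"   # unchanged since the scan
Set-Content -Path "$root\run.cmd" -Value '@echo tampered'         # an update (or an infection) changes the contents
Test-SignatureAllowed -SignatureSet $sigs -Path "$root\run.cmd"   # no longer matches until the group is re-scanned
```

The last two lines are the maintenance cost the guide warns about: any legitimate update of a hashed file needs a re-scan of the signature group before the new version will run, which is why the wizard's re-scan option exists and why old signatures should be removed at the same time.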

The Search Folders option in the Signature Wizard scans all executable and script-based files in the selected folder and automatically calculates the digital hashes. The Examine a running process option allows you to select a process that is currently running. The process, along with all executable files it has currently loaded, is scanned and digital hashes are calculated.

If a file is found for which the signature has already been calculated, a duplicate notification is displayed. There is no need for a duplicate hash in a configuration.

If the files are updated, for example by a service pack, you can select the signature file group and choose to re-scan. All of the digital signatures are automatically updated and the new configuration can be deployed.

Whitelists

The whitelist approach dictates that every single piece of executable content must be predefined prior to the user making the request for the application on the operating system. Details of all the content identified in this way are kept on a whitelist that must be checked each time an execution request occurs. If the executable file is on the whitelist it is permitted; otherwise it is denied. A small number of security technologies work in this way, but they often experience issues with the level of administration required once implemented. This is due to the necessity of adding and maintaining all patches, service packs, and upgrades on the whitelist.

Application Control fully supports this model of control, and adds significant steps to enable additional security in the model. One such addition is the ability to include SHA-1, SHA-256, and Adler-32 digital signatures, so that not only must the application name and file path match, but so must the digital signature of that executable against a signature in the database. Application Control therefore adds the full path of the executable to the list, so that all three items must match prior to application execution:

- Filename - for example, winword.exe
- File Path - for example, C:\Program Files\Microsoft Office\Office\
- Digital signature

To take the technology to the next stage of control, Application Control does not only take the details of the executables, but also requests that the administrator specify particular DLLs as well as all other executable content such as ActiveX controls, Visual Basic Scripts, and Command Scripts.

In Application Control, whitelists are known as Allowed Items. Items in the Allowed Items list include:

- Files
- Folders
- Drives
- Signature Items
- Network Connection Items
- Windows Store Apps
- Groups
- Trusted Ownership
- Access Times

For more information, see Allowed Items and Rule Items.

Blacklists

In contrast to whitelists, blacklists are a potentially low security measure. A list is generated and then maintained that contains the applications that are to be denied execution. This is the main failing of this method, as it presumes that all dangerous applications are actually known about. This is of little use in most enterprises, specifically those with internet access and/or where the user can introduce files and applications without administrator intervention. Application Control does not need to actively maintain a list of denied applications, because any application not installed, and therefore not owned, by the administrator is denied by Trusted Ownership.

One of the main reasons for prohibiting applications via a blacklist is to enable Trusted Ownership to be used for license management, by not allowing even known (and therefore trusted and owned) applications to run until the administrator later explicitly allows access to that same application by defining a particular user, group or client rule. This protection needs no configuration, except to allow an outside application.

Additionally, a blacklist is useful for denying access to files that are owned by trusted owners but can be deemed security risks, for example regedit.exe, ftp.exe, and so on.

Licensing

The DesktopNow Licensing console allows you to manage DesktopNow product licenses. The Licensing console allows you to:

- Manage licenses for single products, the DesktopNow Suite and Evaluation licenses.
- Export license packages to MSI or LIC file format for saving to the Management Center or other computers which can be remotely accessed.
- Import and manage licenses from LIC file format.

For information about license deployment to endpoints, see Management Center Help.

Managing Licenses

License details are included in the License Agreement which is issued when an order for our software has been completed. The License Agreement includes the following information:

- Product, Feature, and Version Details
- Issue Date
- Expiry Date
- Customer Name
- Serial ID

Together with the license agreement you will receive either a TXT file or a LIC file. Use these in the Licensing Console to add or import the license.

Add a License

1. Open the Licensing console.
2. Click Add. The Add License Key dialog displays.
3. Enter the License Key and click Add.

If you received a TXT license file, open the file, copy the license key and paste it into the Add License Key dialog. If you received a LIC license file, see "Import License Files" below.

Details of the license are displayed in the console and the license key is added to %ALLUSERSPROFILE%\AppSense\Licenses

Activate a License

Once added, some licenses require activating.

1. Select a license or add one to the licensing console.
2. Click Activate.
3. Type or copy and paste the activation code.
4. Press Enter to accept the code.

The license console saves the license key to the Windows registry on the local machine. The License Status field updates to show the status of the license and the license details display in the lower part of the console. To check that the license is active on your endpoint, search the registry for the license code. If the search finds the code, then the license is active.

Remove a License

1. Highlight the required license and click Remove. A confirmation dialog displays.
2. Click Yes to confirm.

The selected license is deleted and removed from the console and from the Windows registry or the %ALLUSERSPROFILE%\AppSense\Licenses location, whichever is applicable to the license type.

Export License Files

Export licenses to an MSI or LIC file to create a backup and enable distribution to other endpoints using the Licensing console or the Management Center.

1. Highlight the license you want to export.
2. Click Export to display the Windows Save As dialog.
3. Browse to the required location to save the license file.
4. Enter a name for the file.
5. Select the file type: MSI or LIC.
6. Click Save.

A file is created and saved in the selected location. This file can be copied to any network location and loaded via the DesktopNow Suite Licensing console or the Management Center console.

Import License Files

Import a previously exported license to an endpoint using the Licensing console.

1. Open the Licensing console.
2. Click Import to display the Windows Open dialog.
3. Navigate to the required LIC file.
4. Click Open.

Details of the license are displayed in the console and the license key is added to the following location: %ALLUSERSPROFILE%\AppSense\Licenses

Troubleshooting

I received a license, what do I do?
If you have received a product license you can load the license by launching the DesktopNow Suite Licensing Console on your client computer and entering the license code.

I have entered a license, but it says it is not activated, why?
Some licenses require activation before they can be used. Activation codes are provided by Ivanti. Activate a license by entering the License and Activation codes into the console.

Service Packs

Service Packs are self-contained packages, or patches, that are used to update specific files within a DesktopNow application without reinstalling the full application. Service packs can be applied more often and reduce the need for system restarts on your endpoints. Service packs are delivered as a Windows Installer patch (MSP) file and are often referred to as patch files.

Installing Service Packs

Service Packs can be installed or deployed using the same technology and techniques used when installing MSIs. Both Microsoft System Center and Management Center 8 FR4 can deploy MSPs. If neither of these products is available, service packs can be installed from the command line. For example, the command:

msiexec.exe /p ApplicationManagerAgent64.msp

installs any files that have been amended as part of the patch for just the Application Control 64-bit agent. With this form, a base version must already be installed before the patch file can be applied.

The following command installs the base version of the Application Control Agent (MSI) and the Application Control patch file (MSP) in one operation:

msiexec.exe /i ApplicationManagerAgent64.msi PATCH=c:\fullpath\ApplicationManagerAgent64.msp

If the patch file contains driver or hook files that are currently in use on the machine the patch is being applied to, you are informed that a reboot is required. If you choose to continue, the system is restarted when the patch has been applied.

For further information about installing and upgrading service packs using Management Center 8 FR4, see the Management Center Install and Upgrade Guide.

Installation Order and Dependencies

It is recommended that all components of a service pack are installed.

Rolling Back Service Packs

There are two ways to roll back, or uninstall, Service Packs:

- Using the Windows Control Panel
- Using Management Center 8 FR4

If a service pack is uninstalled, the installation reverts to the previous latest build, whether that is a service pack or the base version.

Roll Back Service Packs Using Windows Control Panel

The procedure used to roll back service packs varies depending on the Operating System. For Windows 7: navigate to Control Panel > Programs > Programs and Features > Installed Updates. Highlight the selected patch and click Uninstall.

Roll Back Service Packs Using Management Center 8 FR4

1. In the Management Center console, select Overview > Deployment Groups tab > Deployment Groups.
2. Highlight the Deployment Group and select Settings > Assigned Packages. The Assigned Packages work area displays a list of all the products and their associated packages.
3. Highlight the required Application Control service pack and click Unassign from the Actions menu.
4. Click Review and Submit. The Submit Changes dialog displays.
5. Check the details are correct and click Submit.

The patch is unassigned based on the deployment group Installation Schedule.
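The two msiexec commands from Installing Service Packs above are interactive as written. The script below is an added example, not Ivanti code, of how a practitioner would run them unattended: silently, with a verbose log, without an automatic restart, and with the Windows Installer exit codes interpreted so that the "reboot required" case the guide mentions is reported rather than lost. The deployment paths and log location are assumptions for the example.

```powershell
# Added example (not Ivanti code): unattended service pack installation using
# the msiexec forms from this section, with exit codes interpreted.
# File paths below are assumptions for the example.

function Install-AppControlPatch {
    param(
        [Parameter(Mandatory)][string]$PatchPath,    # the .msp (service pack)
        [string]$BaseMsiPath,                         # optional .msi for a combined base + patch install
        [string]$LogPath = (Join-Path $env:TEMP 'ApplicationManagerAgent-patch.log')
    )
    if (-not (Test-Path -LiteralPath $PatchPath)) { throw "Patch not found: $PatchPath" }
    if ($BaseMsiPath -and -not (Test-Path -LiteralPath $BaseMsiPath)) { throw "Base MSI not found: $BaseMsiPath" }

    # /p applies the patch to an already installed base.
    # /i <msi> PATCH=<msp> installs base and patch in one transaction.
    # /qn = no UI, /norestart = never reboot on its own, /L*v = verbose log.
    if ($BaseMsiPath) {
        $msiArgs = @('/i', "`"$BaseMsiPath`"", "PATCH=`"$PatchPath`"")
    } else {
        $msiArgs = @('/p', "`"$PatchPath`"")
    }
    $msiArgs += '/qn', '/norestart', '/L*v', "`"$LogPath`""

    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0    { 'Installed' }
        3010 { 'Installed; reboot required (driver or hook files were in use)' }      # ERROR_SUCCESS_REBOOT_REQUIRED
        1641 { 'Installed; Windows Installer initiated a reboot' }                      # ERROR_SUCCESS_REBOOT_INITIATED
        1642 { throw "No matching base version installed for this patch; see $LogPath" } # ERROR_PATCH_TARGET_NOT_FOUND
        default { throw "msiexec failed with exit code $($proc.ExitCode); see $LogPath" }
    }
}

# Patch an agent that is already installed:
Install-AppControlPatch -PatchPath 'C:\Deploy\ApplicationManagerAgent64.msp'

# Install base and patch together (the MSI must be the version the MSP targets):
Install-AppControlPatch -BaseMsiPath 'C:\Deploy\ApplicationManagerAgent64.msi' `
                        -PatchPath   'C:\Deploy\ApplicationManagerAgent64.msp'
```

Exit code 3010 is the scripted equivalent of the reboot prompt described above; because the script passes /norestart, it is the caller that decides when the endpoint restarts, which matters on a machine whose filter driver is busy enforcing policy.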

Configuration

Application Control configuration files (AAMP) contain the rule settings for securing your system. The configuration files are installed on managed devices and serve as a policy checklist for the Application Control agent to assess how to handle file execution requests. When a file is executed, Application Control intercepts the request and checks the configuration to find the matching rule and the required action to take. Other default policies specified in a configuration are also applied, for example event filtering or handling for specific file extension types, as well as general policies such as default rules, auditing rules, how message notifications are displayed, and archiving options.

Configurations are stored locally in different locations depending on your operating system and are protected by NTFS security. Windows 7 and above: C:\ProgramData\AppSense\Application Manager\Configuration

In Standalone mode, configuration changes are written directly to the local AAMP file from the Application Control console. In Enterprise mode, configurations can be created and stored centrally in the Management Center database, and distributed to endpoints in MSI format via the Management Server. Configurations can also be exported to and imported from MSI file format, which is useful for creating templates or distributing configurations using third-party deployment systems.

After creating or modifying a configuration, you must save the configuration with the latest settings to ensure that they are implemented.

Configuration Elements

Libraries

The Application Manager Library node allows you to create groups of items that can be used in configuration rules. Use the library to create a group of similar items to manage. Once your libraries have been created they can be assigned to rules and used to govern a group of users. Library nodes provide the following:

Group Management - The Group Management node allows you to group a number of items such as Files, Folders, Drives, Signature Files, Windows Store Apps, and Network Connections for one particular application.
You can then add this group to the Allowed and Denied Items lists in a rule.

User Privilege Policies - The User node allows you to add User Privilege Policies to selectively promote or demote administrative rights for individual applications.

Rules

Rule nodes provide default settings for handling file executions and specific settings that apply to particular users, groups, or devices. Group, User, Device, Custom, Scripted, and Process Rules allow you to specify Security Level settings that define the restrictions applying to users, groups, or devices matching the rule. Custom rules target combinations of particular users or groups operating on specific collections of devices. Scripted rules allow administrators to apply Allowed Items and Denied Items to users based on the outcome of a Windows PowerShell or VBScript script. Scripts can be run for each individual user session or run once per computer. Process rules allow you to manage whether an application may run child processes that might otherwise be managed differently in other rules.

You can add Allowed Items, Denied Items, Trusted Vendors, User Privileges, and Browser Control to a rule.

Allowed/Denied Items - A sub-node list in each rule that you can populate and maintain with specific files, folders, drives, and digital signatures to provide an additional level of granularity for controlling file execution requests. For example, items that Trusted Ownership checking normally denies can be allowed for the users or devices targeted in the rule. Likewise, files that would normally be allowed can be denied.

Trusted Vendors - A sub-node list in each rule that you can populate with digital certificates issued by trusted sources. Files that fail Trusted Ownership checking are checked for the presence of digital certificates and allowed to run when a match is made with the Trusted Vendors list. For example, a highly restricted user might be prohibited under normal rule conditions from introducing executable files on the system, but may be required to download and run software updates from a particular source from time to time. If the downloaded file includes a digital certificate that matches a certificate in the Trusted Vendors list, the file is allowed to run.
User Privileges - A sub-node list in each rule that you can populate with applications, components, and web installations to which you apply User Privilege Policies. User Privilege Policies allow you to selectively promote or demote administrative rights for individual applications, components, and web installations.

Browser Control - A sub-node list in each rule that you can populate with URLs to which you can apply URL redirection. You can also specify URLs that open an elevated instance of Internet Explorer, and allow elevation to administrative privileges for ActiveX installers from particular domains.

Default Configurations

Application Control is ready to manage your security as soon as you install the agent and a configuration on client computers. A default configuration loads when you run the console and can be used for immediate protection on all client computers to which the configuration is deployed. This configuration blocks any file with an untrusted owner and prevents non-administrative users from accessing executables in non-secure locations, including network locations and removable media.

The default configuration can be saved directly to the client computer via the console in Standalone mode, or saved to the database of the deployment mechanism in Enterprise mode, ready for deployment.

Protection

- All application and process execution requests are checked against the Application Control rules before access is granted.
- All application and process network access requests are prohibited unless allowed by Application Control rules.
- Members of the Local Administrators group are granted unrestricted access to applications.
- Members of non-administrative user groups are granted restricted access to applications.
- CMD.exe is blocked except when run by batch files.
- MSI, WSH and Registry Files are validated against the Application Control rules.
- Windows Installer (msiexec.exe) is allowed to run all child processes with the DLL and EXE extensions.

Default Configuration Settings

Advanced Settings > Policy Settings > General Features
- Make local drives allowed by default
- Ignore restrictions at logon
- Allow cmd.exe for batch files
- Allow self-extracting ZIP files
- Ignore restrictions during Active Setup
- Prohibit files on removable media
Description: Ignore restrictions at logon delays the implementation of the Application Control rules until logon is complete, to avoid disrupting or preventing the logon process. This option allows logon scripts to run. While cmd.exe and self-extracting ZIP files are usually blocked as potential loopholes for attempts to breach security, these options allow CMD and ZIP files to run for files that are legitimate under the Application Control rules.

Advanced Settings > Policy Settings > Validation
- Validate MSI (Windows Installer) Packages
- Validate WSH (Windows Script Host) files
- Validate registry files
Description: System process validation can affect performance and is disabled by default. Application Control validates MSIs, registry files, and WSH files against the rules by default. Otherwise, they are ignored unless they are specified in the rules themselves. Turn these options off only if you trust these types of files running, or you have adequate protections in place in the Application Control rules or by some other method.

Advanced Settings > Policy Settings > Functionality
- Enable Application Access Control
- Enable Application Network Access Control
- Enable Privilege Management
Description: All Application Control functionality is enabled by default, but you can disable any of these as part of a troubleshooting process. We recommend disabling any functionality which you do not want to use.

Application Termination
Description: Settings for closing and terminating applications. Disabled by default. Set triggers, warning message behavior to users, and warning message notifications.

Libraries > Group Management node
Description: For creating reusable groups of applications for assigning to Rules. No default settings.

Libraries > User Privilege Policies
Description: Reusable User Privilege Policies that elevate or restrict user privileges, for assigning to files, folders, signatures, drives and application groups in Rules. No default settings.

Rules > Administrator
Description: Local Administrator Group rule for managing access to applications for local administrators. Security level set to Unrestricted. No other default settings are applied.

Rules > Everyone
Description: Group rule for all system users unless a user matches other rules with higher priority settings. Security level set to Restricted. AppSense Program Files directories are added to Allowed Items. No other default settings are applied.

Rules > Process > Windows Installer (msiexec.exe) > *.EXE, *.DLL
Description: All EXE and DLL files are allowed to run when spawned by msiexec. This rule does not manage access to msiexec itself; you must manage access to msiexec in another rule.

Maintain Configurations

Create Configurations

To create a new configuration, click File > New. A new configuration displays and automatically provides the following protection by default:

- Applications not stored on local hard drives are prohibited. For example, applications on network drives and removable media are prohibited.
- Applications that are not owned by the administrator are prohibited. For example, any applications copied onto the computer's hard drives by a non-administrator are prohibited.
- All administrators can run any applications.

You must save a new configuration before the default settings are implemented.

Import Configurations

Configurations can be imported into Application Control.

1. Click File > Import & Export > Import Configuration from MSI. The Open dialog displays.
2. Navigate to the location of the MSI, select it and click Open.

The configuration opens in the Application Control console.

Export Configurations

Configurations can be exported from Application Control.

1. Click File > Import & Export > Export Configuration as MSI. The Save As dialog is displayed.
2. Navigate to the location where you want to save the MSI and click Save.

Save Configurations

The following options for saving configurations are available from the File menu.

Save
- Save and continue editing - Saves the configuration and keeps it locked while open for editing. Changes are not committed for deployment and the configuration cannot be deployed while locked.
- Save and unlock - Saves the configuration and unlocks it ready for deployment.
- Unlock without saving - Unlocks the configuration without saving any changes.

Save As
- Live configuration on this computer - Replaces/updates the configuration on the local computer with the currently open configuration.
- Configuration in the Management Center - Saves the configuration in the package store on the selected Management Server.
- Configuration in System Center Configuration Manager - Saves your configuration to the specified System Center Configuration Manager server.
- Configuration in Group Policy - Allows you to create the configuration in a selected Group Policy store.
- Configuration file on disk - Saves the configuration to disk.

Test Configurations

Set up a test user before proceeding with this task. The test account must not be one of the Trusted Owners in the configuration.

1. Log on, as the administrator, to an endpoint with the relevant Application Control configuration installed.

2. Start Application Control.
3. In the navigation tree, navigate to Rules > User.
4. Click Add Rule on the Rules ribbon and select User Rule. The Add User Rule dialog displays.
5. Click Browse. The Active Directory Select Users dialog displays.
6. Click Advanced.
7. Click Find Now. The search results display in the bottom part of the dialog.
8. Scroll down to locate the test user, select it and click OK. The Select Users dialog displays with the test user shown as the object name.
9. Click OK. The User rule work area displays the newly created test user.
10. Save the configuration.
11. Log off as the administrator.
12. Log on as the test user to see Application Control working.

Group Policy Configurations

Group Policy provides centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment. Application Control uses Group Policy functionality to save and deploy configurations to any machine in a specified organizational unit (OU) in a domain without the need for additional infrastructure.

To use Group Policy you must first install the Remote Server Administration Tools. For more information see Installing or Removing the Remote Server Administration Tools Pack.

To add an Application Control configuration file to a GPO, you must first add a Domain to the selectable list accessed from the Select Domain dialog. For more information, see Add Selectable Domains to Your List.

If required, you can use the following commands to install the Group Policy Management Console using PowerShell (Windows Server 2008 and above):

Import-Module ServerManager
Add-WindowsFeature -Name GPMC

Add Selectable Domains to Your List

Add a domain to your list of selectable domains using the Select Domain dialog. Once the domain has been added you can then apply the Configuration to a GPO (Group Policy Object) in that domain.

1. From the File menu, choose Save As or Open and select Configuration in Group Policy. The Select Domain dialog displays.
2. Select the Add icon from the toolbar. The Add Domain dialog displays.
3. Enter the name of the domain to be added to the list. You must have the appropriate rights on the domain that you are adding.
4. Click the Add button. The domain is added to your list and is ready to be selected.

Deploy Configurations Using Group Policy Objects

When a configuration is complete and deployed, the Client Side Extension copies the configuration into the Application Control %ProgramData% structure together with a merge_manifest.xml file. The Application Control Agent is notified of the update and the merge_manifest.xml file is copied into the merge folder so merging can occur. The configuration is then applied to your endpoints.

Once the configuration is saved to the Group Policy Object (GPO), the deployment of that configuration is dependent on your organization's Group Policy settings.

Application Control supports the merging of multiple configurations deployed using Group Policy. Each GPO may hold only one configuration; for multiple configurations to be deployed you need the same number of GPOs. If all GPOs reside at the same level in Active Directory, link order affects how configurations are merged, with the lowest number being the Base Configuration.

By default, computer Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes.

Save Configurations to a GPO

To save configurations to a Group Policy Object, you must have an account that has read and write permissions in the area within the Active Directory (AD) you are working in. You can only save to that area and the policy applies only to the computers in it. A configuration must be created with the Application Control console and a GPO must have been created within an Organizational Unit (OU) in the selected domain.

1. Create your AppSense Application Control Configuration file (AAMP).
2. Select File > Save As > Configuration in Group Policy. The Select Domain dialog displays.

3. Highlight your selected Domain and click Connect. If the domain you are saving to is not available from the list, the domain needs to be added. See Add Selectable Domains to Your List.
4. Navigate to your OU. You must have the appropriate rights on the OU you select.
5. Select the GPO and click Save.
6. If a GPO does not exist, right-click on the target OU and select Create a GPO in this domain, and link it here.

On some endpoints, you can experience a delay when saving the GPO to your Active Directory (AD). This is because AD replication is required to run across multiple Domain Controllers and Application Control will be unable to find the GPO until replication has been completed.

The GPO containing the configuration is stored in the following location and can be identified by its unique GUID:

\\<Domain Controller>\SysVol\<domain.fqdn>\Policies\<guid for GPO>\Machine\AppSense

If more than one configuration is deployed to an endpoint using Group Policy, Endpoint Configuration Merging occurs and the merged_configuration.aamp takes precedence over any existing configuration. For further information, see Endpoint Configuration Merging.
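As an added example (not from the product guide), the following PowerShell resolves the SYSVOL folder described above for a named GPO and lists the GPO link order on an OU, which decides which configuration becomes the Base Configuration when merging. It assumes the GroupPolicy module installed with GPMC/RSAT; the GPO name and OU distinguished name are placeholders.

```powershell
# Added example, not part of the product guide. Assumes the GroupPolicy module
# (installed with GPMC/RSAT as described above) and read access to SYSVOL.
Import-Module GroupPolicy

function Get-AppSenseGpoPath {
    # Builds the path given in the guide:
    # \\<Domain Controller>\SysVol\<domain.fqdn>\Policies\<guid for GPO>\Machine\AppSense
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [string]$Domain = $env:USERDNSDOMAIN,   # assumed: the current user's domain
        [string]$DomainController = $Domain     # the domain name reaches SYSVOL via DFS; name a DC to read one replica
    )
    $gpo  = Get-GPO -Name $GpoName -Domain $Domain
    $guid = '{' + $gpo.Id.ToString().ToUpper() + '}'   # SYSVOL policy folders use the braced upper-case GUID
    return "\\$DomainController\SYSVOL\$Domain\Policies\$guid\Machine\AppSense"
}

function Get-AppControlGpoLinkOrder {
    # Link order on one OU decides the merge order: the lowest number is the Base Configuration.
    param([Parameter(Mandatory)][string]$OuDistinguishedName)
    (Get-GPInheritance -Target $OuDistinguishedName).GpoLinks |
        Sort-Object Order |
        Select-Object Order, DisplayName, Enabled, Enforced
}

# Placeholder names; replace with your own GPO and OU.
$path = Get-AppSenseGpoPath -GpoName 'AppControl-Base'
if (Test-Path -LiteralPath $path) {
    # One GPO holds one configuration, so a single .aamp file is expected here.
    Get-ChildItem -LiteralPath $path -File | Select-Object Name, Length, LastWriteTime
} else {
    Write-Warning "No AppSense folder at $path. If the configuration was just saved, AD/SYSVOL replication may not have completed."
}
Get-AppControlGpoLinkOrder -OuDistinguishedName 'OU=Workstations,DC=example,DC=com'
```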

Global Settings

Use the Global Settings ribbon to define which defaults are to be applied to an Application Control controlled endpoint. These defaults form part of the Application Control configuration file (AAMP).

Global Settings options include the following:
Trusted Owners
Extension Filtering
Application Termination
Message Settings
Archiving
Policy Change Request
Help Desk Portal

Trusted Owners

During the rule matching process, Trusted Ownership checking is performed on files and folders to ensure that ownership of the items is matched with the list of trusted owners specified in the default rule configuration. For example, if a match is made between the file you want to run and an allowed item, an additional security check ensures that the file ownership also matches the Trusted Owners list. If a genuine file has been tampered with, or a file that is a security threat has been renamed to resemble an allowed file, trusted ownership checking identifies the irregularity and prevents the file from executing.

Network folders/shares are denied by default. So, if the file resides on a network folder, the file or folder must be added to the rule as an allowed item. Otherwise, even if the file passes Trusted Ownership checking, the rule will not allow access.

Trusted ownership checking is not necessary for items with digital signatures because these cannot be imitated.

The list of Trusted Owners is maintained in the Trusted Owners dialog available from the Global Settings ribbon. Application Control trusts the following by default:
SYSTEM
BUILTIN\Administrators
%ComputerName%\Administrator
NT Service\TrustedInstaller

This means that, by default, Application Control trusts files owned by the BUILTIN\Administrators group and the local administrator. Application Control does not do group lookups for Trusted Owners: users who are members of BUILTIN\Administrators are NOT trusted by default. Other users, even if they are members of the Administrators group, must be explicitly added to become Trusted Owners. You can extend the list above to include other users or groups.
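As an added example (not from the product guide), this PowerShell audits a folder the way Trusted Ownership checking would see it, reporting executables whose NTFS owner is not in the default Trusted Owners list above; it also mirrors the "no group lookup" behaviour, so a file owned by a mere member of Administrators is reported as untrusted. The path and extension set are assumptions, and the run at the end corresponds to the Test Trusted Ownership procedure later in this section.

```powershell
# Added example, not part of the product guide. Assumes Windows PowerShell on the endpoint;
# the scanned path and the extension list are placeholders chosen for this audit.

# Default Trusted Owners from the guide. Get-Acl reports owners as AUTHORITY\Name, so SYSTEM
# appears as NT AUTHORITY\SYSTEM and the %ComputerName% placeholder is resolved explicitly.
$TrustedOwners = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$env:COMPUTERNAME\Administrator",
    'NT SERVICE\TrustedInstaller'
)

function Test-TrustedOwner {
    # Exact (case-insensitive) match against the list, as the product does: no group lookup,
    # so a file owned by a user who is merely a member of BUILTIN\Administrators is untrusted.
    param([Parameter(Mandatory)][string]$FilePath)
    $owner = (Get-Acl -LiteralPath $FilePath).Owner
    [pscustomobject]@{
        File    = $FilePath
        Owner   = $owner
        Trusted = ($TrustedOwners -contains $owner)
    }
}

function Find-UntrustedExecutables {
    param(
        [string]$Path = $env:USERPROFILE,                      # placeholder: the test user's home area
        [string[]]$Extensions = @('*.exe', '*.dll', '*.com')   # assumed set; the product checks all executable code
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue |
        ForEach-Object { Test-TrustedOwner -FilePath $_.FullName } |
        Where-Object { -not $_.Trusted }
}

# After copying calc.exe from System32 into the test user's profile (the test in this section),
# the copy is listed here with the test user as owner, which is why the agent denies it.
Find-UntrustedExecutables | Sort-Object Owner, File | Format-Table -AutoSize
```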

When using Application Control for the first time, we recommend you use the default settings. To avoid complex customizations do not extend the Trusted Owners list or change any default settings.

The dialog contains the following options:

File Overwrite and Rename - When the option Change a file's ownership when it is overwritten or renamed is selected, Application Control selectively changes the NTFS file ownership of executable files when they are overwritten or renamed. Attempts by a user who is not a Trusted Owner to overwrite a file that is allowed due to Trusted Ownership or an Allowed Item rule could constitute a security threat if the file contents have changed. Application Control changes the ownership of an overwritten file to the user performing the action, making the file untrusted and ensuring that the system is secure. Likewise, attempts to rename a denied file to the name of an allowed item could also constitute a security threat. Application Control also changes the ownership of these files to the user who performs the rename action and ensures the file remains untrusted. Overwrite and rename actions are both audited.

To ignore Trusted Ownership for individual files, do one of the following:
Clear the Trust Ownership check box in the Allowed Items sub-nodes.
Assign self-authorization status to users and devices to allow the user to decide whether or not to allow a file to run.
Set the Self-Authorizing security level for a rule in the Group, User, Device, Custom, Scripted, and Process rule nodes.

Trusted Applications override restrictions resulting from matches with Denied Items. Trusted Vendors override restrictions resulting from Trusted Ownership checking.

Whitelists

If you prefer to use a whitelist approach where nothing is allowed to run by default, clear the Make local drives allowed by default check box in the Policy Settings dialog, available from Advanced Settings in the Global Settings ribbon. To make items allowed, add them to the Allowed Items folder of a configuration node.
If you use a whitelist approach, ensure that you allow important system files to run by adding a Group rule for the Everyone group in which all of the relevant files or folders have been added to Allowed Items. Otherwise, many crucial executable files and DLLs, such as those stored in the system32 directory, can be prevented from running and adversely affect correct system functioning.

Enable Trusted Ownership

To enable this feature, select Trusted Owners from the Global Settings ribbon and configure the required settings:

Enable Trusted Ownership checking - Select to switch on Trusted Ownership checking. Selected by default.
Change a file's ownership when it is overwritten or renamed - Select to change the ownership of any trusted allowed file which is overwritten by an untrusted user, who is not in the Trusted Owners list. When a denied file is renamed by an untrusted user, in an attempt to bypass a denied item rule, the ownership is changed to the untrusted user. Once the ownership has changed, Trusted Ownership checking then prevents the file from being executed.
Trusted Owner - The Trusted Owner details.

Textual SID - The Textual Security Identifier of the Trusted Owner. For example, S
Add Trusted Owner button - Launches the Add Trusted Owners dialog. Enter or browse to select an account to add to the Trusted Owner list.
Delete Trusted Owner button - Deletes the selected Trusted Owner.

Test Trusted Ownership

1. Introduce one or more applications using a test user account.
2. Copy one or more applications to the user's home drive or another suitable location, such as calc.exe from the System32 folder, or copy a file from a CD.
3. Attempt to run a copied file. The application is denied because the files are owned by the test user, who is not a member of the Trusted Owners list.

You can verify the ownership of a file by viewing the Properties using Windows Explorer.

Extension Filtering

The Extension Filtering feature is used to determine whether the configuration should check certain file types or ignore certain file types. The default configuration in Application Control does not have any extension filtering configured and therefore all executable code - irrespective of file extension - is checked. This is the most secure option because nothing can get past the agent unless it has been expressly configured in the remainder of the rules.

Enable Extension Filtering in the Extension Filtering dialog, which you access via the Global Settings ribbon. The Extension Filtering dialog consists of the following sections:

Properties - Apply the required options:
Exclude files with extensions in the list below - Select to ensure that Application Control rules do not apply to the file types listed in the Extensions list.
Only check files with extensions in the list below - Select to ensure that Application Control rules apply only to the file types in the Extensions list. All other file types are allowed to execute normally.
Extensions - A list of file extensions to filter. You can add to and delete from the list. Use the Add button to add the file extensions.
Once the configuration is saved, the Application Control agent only checks files with the specified extensions against the rules when execution requests occur on the computer that the configuration is deployed to.

Application Termination

Application Termination allows you to control triggers, behavior, and warning messages for terminating applications on managed endpoints. You can terminate applications gracefully, allowing the user to save work before closing, or force a termination. You can edit notification messages for each type of trigger individually.

Triggers for terminating an application include the following:
The agent starts
A new configuration is applied
The computer IP address changes
The connecting device changes

When a trigger is activated, processes are evaluated against the rules to determine if an application requires terminating. Rules with Self-Authorizing and Audit Only security levels are not evaluated because Self-Authorizing rules allow user discretion over application control and Audit Only rules do not enforce Application Control.

You can configure warning and terminate messages, but must abide by the following:

The message caption must not be left blank, must be a single line, and can contain up to 100 characters.
The message body must not be left blank, can contain zero or more line breaks, and can contain up to characters.
A separate message box must be used for each trigger type.

Application terminations can be audited and are associated with an audit event. For further information, see Auditing.

Application Termination is disabled by default. Enable the feature using the Enable Application Termination option on the Application Termination dialog, which you access in the Global Settings ribbon.

Configure Application Termination

1. Select Application Termination on the Global Settings ribbon.
2. Select Enable Application Termination.
3. Select the triggers to use for application termination:
Configuration Applied - Select to terminate an application according to the configuration that is applied.
Computer IP address changed - Select to terminate an application when the IP address of the computer changes, for example, moving between secure and insecure environments.
Connecting device changed - Select to terminate an application when the connecting device has changed, for example, changing from a desktop to a laptop in the same session.
4. Select the Options tab to define which actions are taken when an application is terminated:
Display an initial warning message - Displays an initial warning message to inform the user that the denied application will be closed and to save any work. The time to close can be specified using the Wait for... option. Use in conjunction with the Close Application and Terminate Application options. If this is not used in conjunction with these options, a message is displayed and the denied application does not close.
Close the application - Closes the application following the initial warning message, allowing the user time to save their work.
Terminate the application - Terminates the denied application without giving the user a warning message.
Wait for... - Specifies the time period, in seconds, between actions, and also the time between closing and terminating.
The maximum period is 120 seconds.

5. To change the warning or termination message, select the Configuration Applied Message, IP Address Changed Message, or Connecting Device Changed Message tab, depending on the specified triggers. To configure warning and termination messages, use the following fields:
Caption - The text to display for the title of the warning or terminate message.
Message body - The text to display for the body of the message.
Note: Environment variables are supported for both the caption and message body.
Width - Specify the width of the Application Termination message dialogs. The width is measured in pixels and applies to all messages. The default value is 0.
Height - Specify the height of the Application Termination message dialogs. The height is measured in pixels and applies to all messages. The default value is
6. Click OK.
7. Save the configuration.

Application Control also has the ability to terminate applications through the Time Limits feature.

Set Up Application Termination for an IP Address Change

Use Application Termination to terminate an application when the IP address has changed. For example, when the IP address is out of the company range of IPs.

Step 1 - Set up the Application Termination Options

1. Select Application Termination on the Global Settings ribbon. The Application Termination dialog displays.
2. Select the Enable Application Termination option. This is turned off by default.
3. Select the Computer IP address changed option on the Triggers tab.
4. Select the Options tab.
5. Do one of the following:
Select the Display an initial warning message and Close application options. This will display an initial warning message, allowing the user to save any work, and then close the dialog.
Select the Terminate application option. This will terminate the application without any warning. You can display an initial warning if required.
Select all three options.
6. Select the IP Address Changed Message tab.
7. Change the message if required.
8. Click OK.

Step 2 - Set up Device Rule for Working in the Office

1. This step is to set up the IP address range that is allowed for the work office.
2. Select the Rules node in the navigation pane.
3. Select the Add Rules drop-down arrow on the Rules ribbon and then select Device Rule. A new Device rule is created under the Device rule node.
4. Right-click the new node and select Rename.
5. Enter an intuitive name, for example, In Office.
6. Right-click within the work area and select Add Client Device.
7. The Add a Client Device dialog is displayed.
8. Enter the IP address range that is allowed and click Add.

Step 3 - Set up Device Rule for Out of the Office

1. This step is to set up the IP address range that is not allowed, for example, when using VPN from another location.
2. Select the Rules node in the navigation pane.
3. Select the Add Rules drop-down arrow on the Rules ribbon and select Device Rule. A new Device rule is created under the Device rule node.
4. Right-click the new node and select Rename.
5. Enter an intuitive name, for example, Out of Office.
6. Right-click within the work area and select Add Client Device.
7. The Add a Client Device dialog is displayed. Do one of the following:
Enter the IP address range that is not allowed.
Enter *.*.*.* to imply all other IP addresses.
8. Click Add.

Step 4 - Save the Configuration

Message Settings

Message Settings are used to define how message boxes are displayed to users and to specify the content of messages displayed when users attempt to launch applications in violation of a defined configuration. Application Control message boxes can be customized to meet the requirements of an organization by specifying company colors, logos and fonts. More advanced styling can be achieved by using the Cascading Style Sheet (CSS), which is editable directly from the Message Style tab. Styling is applied to all the Application Control message boxes but the content of the messages can be amended individually.

Use the options in the Message Settings dialog, available from the Global Settings ribbon, to configure settings for messages issued to users. You can set up messages for situations where access is denied, application limits have been exceeded, and for self-authorization. Time limits for application behavior can be specified with warning and denied messages.

Message Box Variables

The message box caption and text may contain user and system-wide environment variables, and can include the following environment variables. Environment variables are not expanded during testing.

%ExecutableName% - Expands to the name of the denied application.
%FullPathName% - Expands to the full path of the denied application.
%DirectoryName% - Expands to the directory where the denied application is located.
%NetworkLocation% - Expands to the resolved IP address of the given hostname.

Configure Message Box Elements

For each type of message, define the following:
Caption - The text to display at the top of the message. For example, you can change the default caption, Application Control, so that the user is not aware that Application Control has intervened.
Message body - Enter the text to display in the body of the message.
Width - Specify the width of the message dialog. The width is measured in pixels and applies to all messages. The default value is 0.
Height - Specify the height of the message dialog. The height is measured in pixels and applies to all messages. The default value is 0.

When configuring messages, consider the following:
Environment variables are supported for both the caption and the message. In addition to system environment variables, the following are supported for each file: %ExecutableName%, %DirectoryName% and %FullPathName%.
When using hyperlinks in the message body, the full HREF attribute tag must be entered. For example, <a href="...">link text</a>.
If less-than or greater-than angle brackets are to be displayed in the message body, use &lt and &gt respectively.
JavaScript is not supported.

You also have the option to view how the message will appear to users.
Select Click here to see how the message will appear to users - Displays the message with the caption and body specified.

Message Style

Application Control message boxes can be customized to meet the requirements of an organization by specifying company colors, logos and fonts. More advanced styling can be achieved by using the Cascading Style Sheet (CSS), which is editable directly from the Message Style tab. Styling is applied to all the Application Control message boxes but the content is managed for each message.

Define the required settings for all Application Control message boxes:
Font Style - Select the font type from the drop-down list.
Font Size - Select the size of the font to be displayed. For specific font sizing, you can select the units by which the font is measured using the options available in the adjacent drop-down list.
Font Color - Select the font color.
Background Color - Select the background color of the message boxes.
Logo - Use Select Logo to replace the default image on all Application Control message boxes. File sizes should be no larger than 100 kilobytes. Using logos may have an impact on the deployment of the configuration.
Restore Defaults - Use Restore Defaults to undo any changes that have been applied to your message styles. For information on the options available, see Restore Defaults.

Use the Click here to see how the message will appear to users link to display an example of how the Access Denied message box will look when all the styles have been specified.

Restore Defaults

Use the Restore Defaults button to revert any changes that have been applied to your message styles. There are two options available:
Restore to AppSense defaults - Select this option to restore the message box styling to the default settings. When this option is selected, the CSS and logo copied from the Application Control installed location overwrite any existing customization.
Restore to Configuration defaults - Select this option to restore the message box styling to the styles specified in the configuration.

Advanced

Use the Advanced button to edit the message box style directly using CSS. When this option is selected the Advanced dialog displays. The dialog contains a basic CSS Editor; options to import, export and restore a CSS are also available.

It is recommended that an experienced user modifies the CSS. Any changes to styling will impact all Application Control message boxes. CSS3 is not supported.

Click the Export button and select a location to save the CSS file. When exported, the CSS file can be edited using another CSS editor and then re-imported when the amendments have been made.

Click the Import button and select the CSS file to open and use. The styles specified in the imported CSS will automatically overwrite any existing styles. These styles will take immediate effect but will not be applied until you save a configuration.

Self-Authorization

Self-Authorization is a security level within Application Control. Some applications require self-authorization by a user before they are allowed to run. You can specify the message displayed for both the initial message and the response. The self-authorization message displays when a self-authorizing user attempts to run a denied application and the file requires a user decision to run. The Response message displays when a self-authorizing user allows a DLL file that another application uses and the application may need to be restarted.

Configure the message that displays when self-authorization is required and the message that displays when an application has been authorized. For more information, see Security Level.

Access Denied

Access to applications can be denied or restricted for a user. Denied and restricted items are specified in the Group, User, Device, Custom, Scripted, and Process rules. Configure the messages that display when a user attempts to access an application that has been denied or when a user has insufficient privileges. For more information, see Rules.

Network Connections

The Network Connections message displays when a connection is blocked. Configure the following settings to determine the action taken when a network connection is blocked:
Display a warning message for blocked network connections - Displays a message box for all blocked network connections. This option is enabled by default. Selecting this option enables further settings and allows you to configure the content and dimensions of the connection denied message.
Display a warning on every connection attempt - Displays a warning message every time a connection is attempted.
Display a warning message once - Displays a message only on the first attempt per application within the same session.
Wait... seconds between messages - Specifies the number of seconds to wait before a new message is issued. Only one message displays per application within the specified period. No message displays for any subsequent attempts within the same period.

For more information, see Application Network Access Control.

Application Limits Exceeded

The Application Limits Exceeded message displays when the user is denied access to an application that has reached an application limit. Configure the content and dimensions of the message that displays when application limits are exceeded. For more information, see Application Limits.

Self-Elevation

Configure the content and dimensions of the message that displays when a user requests self-elevation. The messages are displayed if the Display a message box requiring a reason for Self-Elevation from the user option is selected in the Self-Elevation options.

1. In the Global Settings ribbon, select Message Settings.
2. Select the Self-Elevation tab.
3. In the Name field, enter the text to display for the self-elevation shortcut menu option. The menu option is displayed when a user right-clicks a file with an extension on the Self-Elevation file associations list.
4. Configure the caption, content, and dimensions for the message that displays when a user requests self-elevation.
5. Click OK.

Time Limits

In Application Control, you can specify time limits for when applications can be accessed. For example, certain applications can be allowed to run only between 9 am and 5 pm, Monday to Friday. Two messages can be displayed:
Warning Message: To inform the user if they are attempting to run the application outside of those hours.
Denied Message: To inform the user if the time period has expired while the application is still running.

You can also specify whether the user is allowed to save their work before closing the application, or to just close the application upon the warning:
Display an initial warning message - Select to display an initial warning message to the user when an application has exceeded time limits. Typically, this gives the user time to save their work and close the application. Use in conjunction with the Close application and Terminate application options. If you do not use this in conjunction with these options, only a message is displayed and the application does not close.

Close the application - Select to send a close message to the application. When most applications receive a close message they automatically give the user a chance to save their work. Select along with the Display an initial warning message option.
Terminate the application - Terminate the application without allowing the user to save their work. Typically, this is used after the application has been sent a close message but has failed to terminate. Whether or not you select the Display an initial warning message option, the application will terminate regardless.
Wait - Specify the number of seconds to wait between each of the selected termination options. For example, if the user selects all three of the termination options and then selects 20 seconds, the warning message will be displayed, followed 20 seconds later by the close message, and finally the application terminates after a further 20 seconds.

Configure the content and dimensions of the message that displays when time limits are exceeded.

System Controls

System Controls are used to prevent users from:

Stopping named services
Clearing event logs
Uninstalling or modifying specific applications

A message is displayed when the uninstallation of a program is restricted or when an event log cannot be cleared. Configure the content and dimensions of the message that displays for both cases. For more information, see System Controls.

Archiving

Archiving is an optional function that allows you to copy any denied executables into a secure folder. When a user attempts to run an unauthorized executable, or an executable specified in the prohibited items list, Application Control can take a copy of each application that attempted to execute and place them in a secured file system or archive. This information can be used by an administrator to inspect the kinds of executable content that Application Control has blocked.

Blocked applications can often be files with false names such as winword.exe. The name alone does not tell the administrator much because these are typically other executables that have simply been renamed in an attempt by the user to get the application to run on the computer. Because Application Control takes a complete copy of each executable, the administrator can accurately assess each application and what impact it would have on the enterprise had it been allowed to run.

It is recommended that archived executables are checked in a secure environment to minimize the threat from viruses and malware.

Enable archiving by selecting Enable Archiving in the Archiving Settings dialog, which you access via the Global Settings ribbon.

Global Properties

Use the Global Properties tab in the Archiving Settings dialog to control what is archived and to define the maximum or minimum size of the archives, by selecting one or more of the following:
Do not archive administrator owned files - Select to prevent Application Control from adding administrator-owned files to the archive. An example of a use case for this is when a user tries to execute regedit.exe and is blocked by the Application Control agent. It is unlikely you would require an archive of this file. However, it is useful to archive when the user attempts to execute their own copy of regedit.exe, to determine what the application is and what effect it could have on the enterprise if it were to execute.
Do not archive if the file already exists - Select to prevent Application Control from adding files to the archive that already exist in the archive, especially if the archive resides on the network. Duplicate entries are not created when this option is deselected; the existing archive entry is overwritten. This helps to save space, although it may result in inaccurate archiving as only one copy of an executable with the same name is ever retained.

Enable anonymous archiving - Select to prevent Application Control from adding any user names to the archive. For example, if a user runs a downloaded file from the $Home drive, the owner of the file is that user and the archived filename also contains the user's name as part of the path from which it was executed. If Anonymous archiving is selected, the owner of the file is changed to SYSTEM and any references to the user name are replaced with anonymous.
Maximum archive size for all users combined - The maximum size in MB that combined users are allowed to reach before files are overwritten. A limit setting of zero (0) is interpreted as no limit.
Maximum archive size per-user - The maximum size in MB that a single user archive is allowed to reach before files are overwritten. For example, if an archive path is specified as C:\archive\%username%, every user on the system has a separate archive under the C:\archive directory. It is this user archive that is subject to the user limit. The User Limit should not exceed the Total Limit. A limit setting of zero (0) is interpreted as no limit.

File Options

Use the File Options tab to specify file size thresholds and preservation behavior for the archives, by selecting one or more of the following:
Only archive files smaller than - Limits the size of the files that are copied to the archive. This is particularly useful if a network archive is specified because copying large files to a network location is a potentially time consuming operation.
When a user's archive is full allow the oldest files to be overwritten - Select to allow Application Control to overwrite the oldest files in the archive in cases where the archive size has reached either the Total limit or the User limit. This is an easy way to ensure that the enterprise captures the most up-to-date information without using large amounts of data space for unauthorized applications.

Folders

Use the Folders tab to specify a list of folders that can be used for archiving purposes; each of the folders can then be used to store backups. The default location to place all archived files into is:

%SystemDrive%\AppSenseLogs\ApplicationManager\%UserName%

This places all archived files for a specific user in the same folder, and the folder is named after the user, making it easier to manage.

Archive Folder - The list of folder paths to which archive files are copied. Archiving attempts to write to the first listed folder; if unsuccessful, an attempt is made to archive to the next folder, if there is one in the list. This process continues until the folder list is exhausted or the archive action succeeds.
Move Up - Moves the selected archive up the list of available archives. The order of the archive list is important as Application Control attempts to copy the file to the first archive in the list. If this copy fails, Application Control continues to attempt to copy the file to the next archive location until it is successful.
Move Down - Moves the selected archive down the list of available archives. The order of the archive list is important as Application Control attempts to copy the file to the first archive in the list. If this copy fails, Application Control continues to attempt to copy the file to the next archive location until it is successful.
Add Folder - Add an archive location to the list. The archive path may contain environment variables. For example, %SYSTEMDRIVE%\Archive\%USERNAME% is expanded when Application Control attempts to archive the file. Each user has a personal archive.
Delete Folder - Deletes the selected folder.
Browse - Browse to the location where you want the archive to exist.

Policy Change Requests

Desktop and mobile users can use the Policy Change Request feature to request an update to an Application Control configuration via email or telephone. Endpoint users can make requests from a link on the Application Control Access Denied dialog or by manually using the Application Control Policy Change Request executable installed on their desktop. Policy Change Request settings are configured per rule and are evaluated at session connect and when a configuration changes.
The address, telephne number, and text fr change requests is set glbally and used fr all grups with the apprpriate settings applied. The Plicy Change Request feature is nly cmpatible with 32-bit and 64-bit versins f Internet Explrer 9, 10 and 11. Upgrading Plicy Change Request Settings In 10.1 Plicy Change Request behavir changed frm being a glbal setting t being applied fr each rule. This change prevents 10.1 agents prcessing change requests frm endpints with pre-10.1 cnfiguratins. T ensure the Plicy Change Request feature cntinues t functin crrectly in 10.1, upgrade all cnfiguratins in the 10.1 Applicatin Cntrl cnsle and redeply. Page 68 f 344

Configure Change Requests for a Rule

Configure which request types and features are available to users for each rule. Policy Change Request settings are available for all rule types, apart from Process rules.

1. Select a rule in the navigation pane.
2. Select the Policy Change Requests tab.
3. Apply the required settings for the selected group:
   Allow Requests to be made
   Allow Immediate requests to be made via the Helpdesk
   Allow link from AppSense Access Denied Message box
   Show the Policy Change Request context menu
   Show the Policy Change Request desktop icon

The detail for each setting is configured using the Policy Change Requests dialog, accessed from the Global Settings ribbon.

Configure Request Types and Methods

To configure request types and methods, select Policy Change Requests from the Global Settings ribbon.

Request Types

Configure email and immediate policy change requests in the Request Types tab on the Policy Change Requests dialog.

Email Requests

When a user is prompted to elevate their privileges to run an application, they can click a link in the Access Denied message box to request a permanent configuration change. When the user clicks the link, they are prompted to enter the reason for the change request, which is sent to the email address configured in the Application Control console. The Email Request function uses the Messaging Application Programming Interface (MAPI) to send emails. An Application Control administrator reviews the request and, if the request is granted, updates the configuration and deploys the AAMP file.

To set up email change requests, enter the email address to which change requests are sent in the Mail To field.

Immediate Requests

Immediate requests allow users, typically mobile users, to request a permanent or temporary configuration change. When users click the immediate request link, they are provided with a phone number to call and issued with details of the request and a request code. The request code and the configuration change request are relayed to IT Support, who enter the details in the Help Desk Portal. IT Support generate a response code and send it to the user to enter in the Policy Change Request dialog.

Users get three attempts to enter a response code. After three incorrect attempts the dialog closes and the changes are not applied. If configured, when the dialog closes, a 9091 event is raised. If the user requires further configuration changes, they must restart the process. If the code is entered correctly, users have elevated access to the application. Upon confirmation, users are presented with details of the elevation.

Configure the following fields in the Request Types tab:

Helpdesk Phone Number - The number users are prompted to call to request the immediate configuration change.

Shared Key - The shared key is an integral part of processing Immediate requests and is embedded in the configuration. The shared key must match in both the Application Control Console and the Help Desk Portal. If the shared keys do not match, a response code cannot be created and the configuration change will not be authorized for deployment to the user's endpoint. The shared key can be changed using the Help Desk Portal; however, if the shared key is amended in the Portal, the same key must also be entered in the Application Control Console.

Once you have configured the Immediate Request settings in a configuration file, deploy it to your endpoints. Before the feature is fully activated, the Help Desk Administrator and Help Desk Operator roles must be assigned to members of your Support Team. Once you have deployed the configuration and assigned the Help Desk Administrator role, the Help Desk Administrator can assign or remove additional Help Desk Operators and/or Administrators.

Request Methods

In the Request Methods tab, configure the text for policy change request items:

Message Box Link Text - The text for the request link in the Link from Access Denied Message Box. The default text is "Click here to request access to this application".

Menu Item Text - The text for the menu item, displayed when a user right-clicks an item that is eligible for policy change requests.

Desktop Item Text - The name of the Policy Change Request desktop icon. Users can use the icon to open the Application Control Policy Change Request dialog and create change requests.

Help Desk Portal

The Help Desk Portal is a browser-based interface that allows IT Support to process an immediate configuration change request. Immediate configuration change requests are the result of your endpoint users attempting to use a file or process that is prevented by their existing Application Manager configuration. The Portal is accessed from the following URL and is used to generate a response code that will allow the configuration change to occur once the response code is entered by the user.

The machine name is that of the endpoint on which the service is deployed.

The Help Desk Portal consists of two tabs, access to which is determined by the roles you have assigned to members of your IT Support team:

Config Requests - This tab is used to generate the response code when an endpoint user contacts IT Support to request an immediate change to a configuration. The Help Desk Operator asks the endpoint user for all the details required to fill in the fields relevant to their request, together with their request code. When the endpoint user is relaying the information relating to their change request to the Help Desk, they are to provide the details as presented on their screen. If the endpoint user's dialog shows --Not Available-- for the Manufacturer, the Help Desk Operator must leave their corresponding Manufacturer field blank.

Administration - Use this tab to add or remove roles assigned to IT Support. This tab also provides administrators with the facility to change the shared key. Although the shared key can be changed any time a new configuration is created, it is recommended that you do not do this because it can adversely affect performance.

Help Desk Portal Roles

Two portal job roles can be assigned to users in IT Support: Help Desk Administrator and Help Desk Operator. When your selected IT users log in to the portal using their Windows or Domain credentials, they are automatically redirected to the page on the Help Desk Portal associated with their assigned role.

Help Desk Administrators (HDAs)

The Help Desk Administrator role grants the selected user the privileges to perform the following tasks within the portal:
Add or remove Users or Groups to the list of Help Desk Administrators.
Add or remove Users or Groups to the list of Help Desk Operators.
Upload a new shared key.

Help Desk Operators (HDOs)

The Help Desk Operator role allows the selected user to grant a configuration change and provide an activation code, following the endpoint user successfully answering a number of questions as specified in the Help Desk Portal.

By default, there are no users with the Help Desk Operator role automatically selected. Select the users by logging into the Portal as a Help Desk Administrator and assigning the roles.

Help Desk Portal Configuration

Use the Administration tab on the Portal to configure the shared key and to add additional Help Desk Administrators and Help Desk Operators. As the Administrator, you are automatically assigned the Help Desk Administrator role, as you are in the Local Administrators group or a Domain Administrator. Both the Config Requests tab and the Administration tab are available.

When the roles are assigned and the selected users access the Help Desk Portal, they will be prompted to enter their Windows login credentials. The credentials contain details of the assigned role and open the Portal according to the privilege level granted to the user.

Users with membership in the BUILTIN\Administrators group have Administrator access to the Help Desk Portal. This access is implicit and cannot be changed; therefore the BUILTIN\Administrators group does not appear in the list of users or groups with access.

Amending the Shared Key

As a Help Desk Administrator, you can amend the existing shared key using the Shared Key field. The shared key must match in both the Application Control Console and the Help Desk Portal. If the shared keys do not match, a response code cannot be created and configuration changes will not be authorized for deployment to the user's endpoint. Any change made to the Shared Key is logged as an audit event.

Assigning the Administrative User Role

Use the Add User link to find and select the additional administrative users, or remove an existing administrator by highlighting the username in the list and clicking Delete. The user will not be removed from your organization's Active Directory but will instead be removed from the list of Help Desk Portal Administrators.

Assigning the Help Desk Operator Role

Select which users are to be granted the Help Desk Operator role. Use the Add User link to find and select your operators, or remove them from your list by using the Delete button.

Help Desk Portal Request Logging

Application Control raises auditing events for Policy Change Request events performed on Application Control Web Services, such as when a user logs on to the Help Desk Portal or when an administrator authorizes a Help Desk Operator. The following events are raised to the local event log of the server that is hosting Application Control Web Services:

Event ID - Description
9039 - Help Desk User logon is successful
9040 - Shared key has been modified
9041 - Help Desk response code has been generated
9042 - Authorized Help Desk User has been added
9043 - Authorized Help Desk User has been added
9044 - Authorized Help Desk User information has been updated
9045 - Help Desk User logoff is successful
9046 - Help Desk User logon failed
9047 - Help Desk failed to get shared key
9048 - Help Desk failed to generate response code
9049 - Help Desk User authorization was unsuccessful
9050 - Help Desk failed to check local members of Administrators group

View Help Desk Portal Request Events

1. On the server hosting Application Control Web Services, open Event Viewer.
2. In Event Viewer, expand Applications and Services Logs.
3. Select the AppSense log. Event Viewer lists the AppSense events in the center pane.

Manage

Use the Manage ribbon to manage which defaults are to be applied to all your Application Control configurations. You can also use this ribbon to specify how a deployed configuration is to be monitored. The Manage ribbon gives access to the following features:
Advanced Settings
Signature Hashing
Auditing
Configuration Profiler
Change Tracking
Privilege Discovery Mode
Privilege Discovery Results

Advanced Settings

Advanced Settings are accessed from the Manage ribbon and allow you to assign global settings to the Application Control configuration file. Specify the required global components using the Policy Settings and Custom Settings tabs.

Policy Settings

Application Control Policy Settings are available in the Advanced Settings dialog and provide general Application Control settings to apply to all application and process execution requests.

General Features

Option - Description

Make local drives allowed by default - Select this option to make Application Control configurations blacklists. Everything on the local drive is allowed unless it is specified in the Denied Items list, or it fails trusted ownership. Deselect this option to make the configuration a whitelist. Everything on the local drive is blocked unless it is specified in the Allowed Items list. A whitelist configuration is the most secure. However, this type of configuration is time-consuming to make and can affect client stability, as all unspecified applications are blocked.

Allow cmd.exe for batch files - It is expected that administrators explicitly prohibit cmd.exe in their Application Manager configuration. When cmd.exe is denied and 'Allow cmd.exe for batch files' is disabled, batch files will be evaluated and blocked if they fail the Application Manager policy. If the option is not selected and cmd.exe is explicitly denied, all batch files are blocked; they aren't even evaluated. If this option is selected and cmd.exe is explicitly denied, cmd.exe still can't be run on its own, but batch files are evaluated against Application Control rules. If cmd.exe is not explicitly denied, all batch files run no matter whether this option is ticked or not.

Ignore restrictions during logon - During logon the computer may execute a number of essential applications. Blocking these can cause the computer to function incorrectly, or not at all. Hence, this option is selected by default.

Extract self-extracting ZIP files - A self-extracting file is an executable that contains a ZIP file and a small program to extract it. These files are sometimes used as an alternative to installing an application by an MSI file. A number of administrators prefer applications to only be installed by an MSI file. Only self-extracting EXEs formatted using the ZIP specification are supported. For additional information, see ZIP Specifications. The Extract self-extracting ZIP files option allows a denied executable file, which is a self-extracting ZIP file, to be extracted by the ZIP Extractor. If this option is deselected (the default setting) the file is subject to the normal rule processing as though it is an executable file. Once the contents have been extracted, any executable content it contains is still subject to the normal Trusted Ownership checks and is prevented from executing if the user is not a Trusted Owner. This is useful for scenarios where the self-extracting ZIP file may contain non-executable content such as a document that the user requires. By default, this option is deselected, and the self-extracting ZIP file is treated as a standard executable and can be prevented from executing (and hence extracting its contents) subject to the normal rule processing.

Ignore Restrictions during Active Setup - By default, all applications which run during Active Setup are subject to Application Control rules. Select this option to make these applications exempt from rules checks during the Active Setup phase.

Option - Description

Prohibit files on removable media - Deselect this option to remove the restrictions on removable media. Removable media is whatever the call to GetDriveType determines it to be. Due to the nature of removable media, the drive letter may change depending on how an endpoint is set up. For example: on one computer the removable media drive may be identified as the E: drive and on another F:.

Validation

Option - Description

Validate System processes - Select this option to validate any files executed by the system user. Note that it is not recommended to select this option, as it increases the amount of validation occurring on the endpoint computer and can block crucial applications from running. Selecting this option means all executables launched by the system are subject to rule validation.

Validate WSH (Windows Script Host) scripts - Selecting this option specifies that the command line contents of scripts run using wscript or cscript are subject to rule validation. Scripts can introduce viruses and malicious code. It is recommended to validate WSH scripts.

Validate MSI (Windows Installer) packages - MSI files are the standard method of installing Windows applications. It is recommended that the user is not allowed to freely install MSI applications. Selecting this option means all MSIs are subject to rule validation. Deselecting this option means that only the Windows Installer itself, msiexec.exe, is validated by the Application Control rule processing, and not the MSI file that it is trying to run.

Validate Registry files - Select this option to enable rule validation for regedit.exe and regini.exe. Deselecting this option means that regedit.exe and regini.exe are no longer blocked by default. Additionally, the .reg script that regedit.exe or regini.exe is trying to run is no longer validated by Application Control rules processing. It is not recommended to allow users to access the registry or registry files.

Validate PowerShell scripts - When enabled, this setting denies powershell.exe and powershell_ise.exe. However, if a PowerShell script (PS1 file) is found on the command line, then it is subjected to a full rules check to see if it is configured for elevation, allowed, or denied.

Validate Java archives - When enabled, this setting denies java.exe and javaw.exe. However, if a Java archive (JAR file) is found on the command line, then it is subjected to a full rules check to see if it is allowed or denied.

Functionality

Option - Description

Enable Application Access Control - Select to enable Application Access Control. Deselect to not validate or block executables.

Enable Application Network Access Control - Select to enable the Application Network Access Control feature. Deselect to not validate or block outbound network connections.

Enable User Privilege Management - Select to enable the User Privilege Management feature. Deselect to not apply any User Privilege policies. Disabling this option allows all applications to run with the permissions and privileges provided by default by the operating system. Application Control ignores anything in the User Privileges section of the rules and will not change or alter any of the user's privileges.

Enable URL Redirection - Select to enable the URL Redirection feature. If you deselect this option, configured redirections are ignored and users are not redirected when they enter a suspicious or unwanted URL. Deselecting this option has the same effect as having no items in the Browser Control policy set and selecting this feature. When you disable this feature the browser extensions for the Internet Explorer and Chrome browsers are disabled.

Signatures

Option - Description

Algorithm - Select the algorithm type. There are three options available: SHA1, SHA256, Adler32. For more information, see Signature Hashing.

Custom Settings

Custom Settings allow you to configure additional settings which will be applied on managed endpoints when an Application Control configuration is deployed. If a new configuration is deployed that contains new custom settings, any pre-existing custom settings in place on the endpoint will be deleted.

Manage Custom Settings

1. Open a configuration in the Application Control Console and navigate to the Manage ribbon.
2. Click Advanced Settings and select the Custom Settings tab. The Configure Advanced Settings dialog displays.
3. Select the Custom Settings tab and click Add to display the list of advanced settings.
4. Select the settings you want to configure and click OK.
5. The selected settings are added to the Configure Advanced Settings dialog. Settings which are added will be configured on the endpoint. However, any setting which already exists on an endpoint will be used.
6. Set the values as required.
7. Click OK. The settings are applied when the configuration is deployed to your managed endpoints.

Available Custom Settings

Application Control contains the following configurable Custom Settings.

Setting (Data Type) - Description

ADComputerGroupMembershipTimeoutSecs (Numeric) - Timeout, in seconds, for nested computer group lookups. The default setting is 120 seconds, and setting this value to 0 disables the timeout.

ADQueriesEnabled (Numeric) - This setting controls the types of AD queries used to determine the system's Distinguished Name and computer group membership. A value of 0 disables queries made to AD and the use of computer groups and OUs in the configuration. The default value of 1 causes the agent to perform both the Distinguished Name and direct (non-nested) computer group AD queries; nested computer groups in the configuration are ignored. A value of 2 causes the agent to perform the Distinguished Name, direct and nested computer group AD queries. This setting could cause performance issues on the DC due to high CPU usage.

AlternateTOCheck (Numeric) - Trusted Ownership checks have occasionally caused excessive CPU usage in the SYSTEM process when third party filter drivers are installed on the system. Enabling this setting, using a value of 1, causes Application Control to use an alternative method of looking up Trusted Ownership, which mitigates this issue in some cases.

AMFileSystemFilterFailSafe (Numeric) - This setting configures whether the file system filter driver operates in a Fail Safe or Fail Secure mode. If there is a problem with the Agent and it stops responding, the driver disconnects in Fail Safe mode and does not intercept any more requests. A value of 1 indicates Fail Safe, 0 indicates Fail Secure. Fail Safe is the default. Changing this setting requires an Agent restart to take effect.

AppHookDelayLoad (Text) - This setting causes the AmAppHook DLL to load after a configurable delay in milliseconds (ms). This setting is configured on a per-filename basis. The format is <filename+extension>,<delay>. The filename and extension can contain wildcards. Each pair is semi-colon delimited. For example: 'calc.exe,2000;note*.exe,6000'.

AppHookEx (Text) - Application Control utilizes a Windows hook as part of the Application Network Access Control (ANAC) feature. In rare cases, applications can display unexpected behavior when hooked. This setting is a list of applications in which ANAC specific functions are not hooked and which are therefore not subject to the ANAC rules. If an application is named in both AppHookEx and UrmHookEx, the AmAppHook.dll is not loaded. Multiple entries are delimited by a semi-colon (;).

AppInitDllPosition (Numeric) - Use this setting to specify whether the AsModLdr driver or the AppInit registry key is used to inject the Application Control hook. This setting is also used to determine the position of AMLdrAppInit.dll in the AppInit_DLLs registry value. Set one of the following values: 0 - Positions the AMLdrAppInit.dll at the beginning of the AppInit_DLLs list. 1 - Positions the AMLdrAppInit.dll at the end of the AppInit_DLLs list. Excludes the AMLdrAppInit.dll from the AppInit_DLLs and ASModLdr lists; when the AMLdrAppInit.dll is excluded from both lists, no automatic injection will occur. 2 - Adds the AMLdrAppInit.dll to the ASModLdr list of DLLs to be injected. This is the default setting. This setting should only be used under the guidance of the Ivanti Support Team.

baseconfigmergebehavior (Text) - Use to control whether the new configuration.aamp replaces or remerges the existing merged_configuration.aamp. The accepted values for this setting are replace and remerge. When you merge using GPO the Replace value is ignored and automatically defaults to Remerge.

BrowserAppStorePort (Numeric) - Enter the port used to allow the browser control Chrome extension to be installed.

BrowserCommsPort (Numeric) - Enter the port used for communications from browser extensions to the agent.

BrowserExtensionInstallHive (Numeric) - This engineering setting allows the administrator to choose which registry hive the Application Control Chrome Browser Extension will be installed in. Options are: 0 - Extension not installed; 1 - Install to HKLM; 2 - Install to HKCU. With 0, the administrator must manually configure their own enterprise app store to deploy the Application Control Chrome Extension. The default behaviour is 2, for the Chrome extension to be installed in HKCU.

BrowserHookEx (Text) - A semi-colon delimited list of applications that will not have the Application Control Browser hook (BrowserHook.dll) injected. Applications in this list are not subject to URL Redirection, Web Installation or Elevated Website functionality.

BrowserNavigateEx (Text) - A pipe (|) delimited list of navigation URLs that bypass the navigate event processing. The URLs in this list are not subject to URL redirection.

ComputerOUThrottle (Numeric) - This setting limits the Active Directory look-ups per connecting client for checking Organizational Unit membership by limiting the number of concurrent queries. This throttling helps reduce the amount of query traffic on a domain if handling a large volume of connecting clients. Set this value between 0 and

ConfigFileProtection (Numeric) - Lock configuration AAMP files and the merged config folder to prevent configurations being updated by unauthorized users. This feature is disabled by default; set to a value of 1 to enable. Care should be taken when applying this setting in test environments: you may not be able to turn it off, as your configuration cannot be updated. If this occurs, contact Ivanti Support.

DFSLinkMatching (Numeric) - DFS Link paths can be added to the rules. DFS Links and DFS Targets are treated as separate, independent items to be matched. There is no conversion from Link to Target before applying the rules. Set this value to 1 to enable DFS Link matching.

DirectHookNames (Text) - Application Control's Windows hook is loaded into all processes that load user32.dll by default. Applications which do not load this DLL are not hooked. Any applications which do not load user32.dll should be included in this setting as part of a semi-colon delimited list of full paths or filenames.

DisableAppV5AppCheck (Numeric) - By default, any application launched using App-V 5 is exempt from Trusted Ownership checking. Use this setting to disable this behavior with a value of 1.

DisableCustomRulesPreCheck (Numeric) - This setting improves the performance of Custom Rules checking by only processing items that are configured within the policies of each custom rule collection. By default this setting is Off and set to '0'. Set the value to '1' to allow all potential requests through the custom rules.

DisableDNSLookup (Numeric) - The Application Network Access Control (ANAC) component is not compatible with all forms of proxy DNS servers. If set to 1, Application Control will not perform DNS lookups, reducing unexpected slowdowns and errors where a proxy DNS server is used.

DisableSESecondDesktop (Numeric) - By default, the auditing dialog for Self-Elevation displays on a second desktop. Set to 1 to display the dialog on the primary desktop.

DoNotWalkTree (Numeric) - By default, process rules check the entire parent key for a match. This setting instructs process rules to only look at the direct parent of the process and not check the entire tree. A value of 1 enables this setting.

DriverHookEx (Text) - A semi-colon delimited list of applications that will not have the Application Control Hook (AMAppHook.Dll) injected. Application Control requires the hook to be loaded for certain functionality to work. This custom setting should only be used under the guidance of the Ivanti Support Team.

EnableCustomRulesDllChecking (Numeric) - By default this setting is off (set to 0), meaning only executables and URLs are processed. This setting improves the performance of Custom Rules checking by controlling whether DLLs are allowed through the rule collections. Set the value to 1 to allow all DLLs to be processed in addition to the default.

EnableScriptPreCheck (Numeric) - Whilst scripts within scripted rules are processing, they are treated as though they have returned a false value. The length of time scripts take varies according to their content. This setting provides the best performance during computer start-up and user logon because anything depending on the result of a script is not delayed. Set the value to 1 to make processes wait until the relevant script has finished. This can significantly slow down computer startup and user login. Application Control does not wait indefinitely for script results: a 30 second timeout is applied.

EnableSignatureOptimization (Numeric) - This setting improves the performance of rules checking when using signatures. Files that do not match the full path are not hashed, as it is assumed they are not the same file. Set to 1 to enable. Enabling this setting together with ExtendedAuditInfo will not show any hashed file name in auditing metadata.

ExplicitShellProgram (Text) - This setting is used by Application Access Control (AAC). Application Control treats the launch of the shell program (by default explorer.exe) as the trigger for that session to be considered logged on. Different environments and technologies can change the shell application, and the agent on occasion can't detect what the shell program is. Application Control uses the applications in this list (in addition to the default shell applications) to determine when a session is deemed to have logged on. This is a semi-colon delimited list of full paths or filenames.

ExProcessNames (Text) - A list of space-separated filenames that should be excluded from the filter driver. Changing this setting requires an Agent restart to take effect.

ExtendedAuditInfo (Numeric) - This setting extends the file information for audited events. It reports the Secure Hash Algorithm 1 (SHA-1) hash, file size, file and product version, file description, vendor, company name, and product name for each file in its audited events. The information is added immediately after the file name in the event log. This setting is on by default. To turn it off, enter a value of 0. The generation of a hash or checksum is disabled when the EnableSignatureOptimization setting is enabled.

ImageHijackDetectionInclude (Text) - A list of process names against which all child processes are verified, to ensure the child image is running without corruption or modification and is a match for the one that was initially requested. If the child process is not verified, it is terminated. This is a semicolon delimited list of full paths or file names.

MultipleHostsSameIP (Numeric) - Allows Application Network Access Control (ANAC) to work with multiple hosts with the same IP address. It takes out the caching of domain names to IP addresses and allows different domains to work when running from the same server. Set to a value of 1 to enable.

NetEnableRevDNS (Numeric) - Used by Application Network Access Control (ANAC), this setting globally enables a reverse DNS lookup check on each request to access a network resource. Enabling this setting overrides the NetEnableRevDNSList and RevDNSList settings. Set to a value of 1 to enable. This feature requires the administrator to enable and configure Reverse Lookup Zones on the company's DNS servers.

NetEnableRevDNSList (Numeric) - Used by Application Network Access Control (ANAC), this setting enables a reverse DNS lookup check for only the IP addresses listed in the RevDNSList. This setting must be used in conjunction with the RevDNSList setting; set to a value of 1 to enable. This feature requires the administrator to enable and configure Reverse Lookup Zones on the company's DNS servers.

OwnershipChange (Numeric) - Application Control detects if a trusted file is changed by a non-trusted owner. In such a case, the file owner is changed to the untrusted user and any execute requests are blocked. Some applications overwrite files in such a way that Application Control does not detect it by default, so the owner of the file is not changed. When enabled, Application Control performs additional checks so that all file changes and overwrites should be caught. Set to a value of 1 to enable.

RdmHookEx (Text) - A list of applications, used in Privilege Discovery Mode (PDM), in which PDM specific functions are not hooked by Application Control's Windows hook. The values should be a semi-colon delimited list of filenames.

RemoveDFSCheckOne (Numeric) - When files are stored on a DFS drive, the Application Control agent uses a number of strategies to evaluate the correct UNC path. One of these strategies can cause delays during login if large numbers of scripts and executables are stored in, and replicated by, Active Directory. Set to a value of one to enable, causing Application Control to ignore this strategy and increase performance in this situation.

RevDNSList (Varies) - This setting is only applicable when used in conjunction with NetEnableRevDNSList and is used by Application Network Access Control (ANAC). It contains IP addresses that will have a reverse DNS lookup check. The IP addresses should be in IPv4 dotted decimal format (n.n.n.n) and in a semi-colon delimited list. This setting requires the administrator to enable and configure Reverse Lookup Zones on the company's DNS servers.

SECancelButtonText (Text) - The text displayed by the Cancel button on the Self-Elevation dialog.

SelfElevatePropertiesEnabled (Numeric) - Set this value to '1' to enable self-elevation of properties. This feature is disabled by default.

SelfElevatePropertiesMenuText (Text) - The text in the context menu option for self-elevation of properties.

SEOkButtonText (Text) - The text displayed by the OK button on the Self-Elevation dialog.

TVChecking (Numeric) - Enabling this setting causes Application Control to ignore Trusted Vendor checking for all files, even if the configuration contains entries for Trusted Vendors. Set to a value of 0 to enable this setting. This setting is intended for troubleshooting issues.

UrlRedirectionSecPolicy (Numeric) - By default, the security policy is ignored by the URL Redirection feature. This engineering setting allows the administrator to force URL Redirection to follow the configured security policy. Set to a value of 1 to enable. Self Authorization is not supported.

UrmForceMediumIntegrityLevel (Text) - A User Privilege Management (UPM) custom setting used to override the integrity level when user privileges are elevated for applications, which by default sets the integrity level to high. When this setting is used, the level is reduced to medium. This value should be a semicolon delimited list of file names.

UrmHookEx (Text) - Application Control utilizes a Windows hook as part of the User Privilege Management feature. In rare cases, applications display unexpected behavior when hooked. This setting lists the applications where User Privilege Management specific functions are not hooked. If an application is named in both AppHookEx and UrmHookEx, the AmAppHook.dll is not loaded. Multiple entries are delimited by a semi-colon.

UrmPauseConsoleExit (Text) - Used by the User Privilege Management feature. When a console application is elevated, a new application can appear in a new console window. The application runs to completion and then closes. This is a problem if the user wants to see the output of the program. This setting causes the application to remain until a key is pressed. This is a semi-colon delimited list of full paths or filenames.

UrmSecPolicy (Numeric) - By default, the security policy is mostly ignored by the User Privilege Management feature: User Privilege Management rules are applied in all cases except for when Audit Only mode is selected. This custom setting allows administrators to force User Privilege Management to follow the configured security policy. For the Unrestricted and Self-Authorize security levels, User Privilege Management rules are not applied. For the Restricted level, User Privilege Management rules are applied. Set to a value of 1 to enable this setting.

Additional Engineering Key - GroupSidRefresh

Application Control requires the Security Identifier (SID) of all Group Rules to successfully perform rule matching. With this engineering key set, the agent will resolve the SID of the Group Rule at runtime whilst the endpoint is online and write it back into the Configuration (AAMP file). This can be useful if the endpoint is subsequently used offline, as the SID stored in the configuration will be used. The Application Control Console will resolve the SID if possible when the configuration is saved. This setting is only needed if the console could not perform the group SID lookup.

Settings: HKLM\Software\Ivanti Technologies\Application Control\Engineering
Name: GroupSidRefresh
Type: String (REG_SZ)
Parameters:
0 - Off
1 - Only resolve groups that currently have no SID values
2 - Resolve all group SIDs; useful if the domain is specified by an environment variable and so is subject to change

Self-Elevation File Associations

For further information, see Self-Elevation File Associations.

Signature Hashing
To uniquely identify application files, a hash is taken of the file and stored in the configuration file. A hash is a unique digital signature for a configured application file and is generated using one of the following algorithms. There are three supported algorithms:
SHA-1 - The default hashing algorithm applied to each signature item in the configuration.
SHA-256 - A more complex, but slower, hashing algorithm when compared with SHA-1.
Adler-32 - A lighter-weight hashing algorithm when compared to SHA-1.
The hashing algorithm is a global option; this means only one can be set per configuration. This minimizes the amount of hashing that takes place on an endpoint running the configuration. If the hashing algorithm changes, or a file is updated, a rescan is required to generate a new hash code. As it is a global setting, when Configuration Merging is being used, the algorithm in the base configuration is the one that takes precedence. For further information on Configuration Merging, see Endpoint Configuration Merging.
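The per-file hashing described above and the rescan classification that the following procedure describes (Actions Required, Changed, Unchanged, and the Export List report), as an added Python example that is not Ivanti's code: the in-memory configuration model, the file names and the "Missing" status label are assumptions, and the sample files are constructed.

```python
import hashlib
import os
import tempfile
import zlib
from dataclasses import dataclass, replace

# The three algorithms the guide lists. Adler-32 is a checksum, not a cryptographic
# hash: unrelated files collide far more easily than under SHA-1 or SHA-256.
SUPPORTED_ALGORITHMS = ("SHA-1", "SHA-256", "Adler-32")

@dataclass(frozen=True)
class SignatureItem:
    """One hashed signature item of a configuration (simplified model, assumed)."""
    rule_name: str
    path: str
    algorithm: str
    digest: str

def file_signature(path, algorithm):
    """Hash a file with the configuration's global algorithm, streaming it in
    chunks so a large executable is never read into memory at once."""
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    with open(path, "rb") as fh:
        chunks = iter(lambda: fh.read(65536), b"")
        if algorithm == "Adler-32":
            value = 1  # zlib's Adler-32 starts from 1
            for chunk in chunks:
                value = zlib.adler32(chunk, value)
            return f"{value & 0xFFFFFFFF:08x}"
        hasher = hashlib.sha1() if algorithm == "SHA-1" else hashlib.sha256()
        for chunk in chunks:
            hasher.update(chunk)
        return hasher.hexdigest()

def rescan(items, algorithm):
    """Classify items the way the Signature Rescan dialog's three tabs do:
    actions_required - no file at the stored path; remove or relocate it before OK
    changed          - rehashed because the algorithm or the file content differs
    unchanged        - already hashed with the selected algorithm, same content
    """
    result = {"actions_required": [], "changed": [], "unchanged": []}
    for item in items:
        if not os.path.isfile(item.path):
            result["actions_required"].append(item)
            continue
        digest = file_signature(item.path, algorithm)
        if item.algorithm == algorithm and item.digest == digest:
            result["unchanged"].append(item)
        else:
            result["changed"].append(replace(item, algorithm=algorithm, digest=digest))
    return result

def export_list(result):
    """Rows of the CSV report behind Export List: Rule Name, File, Hash, Status."""
    status = {"actions_required": "Missing", "changed": "Changed", "unchanged": "Unchanged"}
    rows = ["Rule Name,File,Hash,Status"]
    for tab, items in result.items():
        rows += [f"{i.rule_name},{i.path},{i.digest},{status[tab]}" for i in items]
    return rows

def commit_rescan(result):
    """OK is refused while Actions Required is non-empty; otherwise the rehashed
    items replace the old ones in the configuration."""
    if result["actions_required"]:
        raise RuntimeError("remove or locate missing files before clicking OK")
    return result["unchanged"] + result["changed"]

def demo():
    """Constructed scenario: an untouched file, a file replaced after it was
    hashed (a Windows Update, say) and a file that no longer exists."""
    workdir = tempfile.mkdtemp()
    good = os.path.join(workdir, "good.exe")
    patched = os.path.join(workdir, "patched.exe")
    with open(good, "wb") as fh:
        fh.write(b"Wikipedia")  # Adler-32 of this string is a published test value
    with open(patched, "wb") as fh:
        fh.write(b"MZ original build")
    items = [
        SignatureItem("Allowed Apps", good, "SHA-1", file_signature(good, "SHA-1")),
        SignatureItem("Allowed Apps", patched, "SHA-1", file_signature(patched, "SHA-1")),
        SignatureItem("Allowed Apps", os.path.join(workdir, "gone.exe"), "SHA-1", "0" * 40),
    ]
    with open(patched, "wb") as fh:
        fh.write(b"MZ updated build")
    same_algo = rescan(items, "SHA-1")    # Rescan with the current algorithm
    new_algo = rescan(items, "SHA-256")   # Apply a New Hashing Algorithm
    present = [i for i in items if os.path.isfile(i.path)]  # Remove from configuration
    kept = commit_rescan(rescan(present, "SHA-256"))
    return {
        "sha1": {tab: len(v) for tab, v in same_algo.items()},
        "sha256": {tab: len(v) for tab, v in new_algo.items()},
        "report_rows": len(export_list(new_algo)),
        "kept_algorithms": sorted({i.algorithm for i in kept}),
        "adler_good": file_signature(good, "Adler-32"),
    }
```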

Rescan File Signatures
When files are updated, for example after a Windows Update, you need to perform a rescan to align the hashing algorithm with the existing hash code.
1. On the Manage ribbon, in the General group, select Advanced Settings. The Advanced Settings dialog displays.
2. To rescan all the updated files in a configuration, under Signatures, select the required algorithm and click Rescan.
3. The Signature Rescan dialog displays when the scan is complete. The dialog contains three tabs:
Actions Required - This tab displays when the signature rescan fails to find a previously hashed file or when a file path does not match the file stored in the configuration. All missing files must be removed or manually located before the Signature Rescan dialog is closed.
Changed - This tab contains an overview of all the application files that the new hashing algorithm has been applied to and their associated paths.
Unchanged - This tab contains an overview of all the application files that already have the selected algorithm and have therefore not been changed.
4. If the rescan finds missing files, do one of the following:
To delete the missing file from the configuration, select the filename from the Actions Required tab and click Remove from configuration.
To locate the missing file manually, click the ellipsis adjacent to the missing file and navigate to the file location.
Click Export List to produce a full report, in CSV format, that provides details of any files that are missing, changed or remain unchanged. The report provides the associated Rule Name, File, Hash and Status of all the hashed signature items. The exported report file can be opened in a spreadsheet so the data can be examined and queries run.
5. Click OK. Any missing files must be removed or manually located before clicking OK. The new hashing algorithm is applied and saved to all updated files in the Application Control configuration.

Apply a New Hashing Algorithm
Hashing algorithms can be applied to all files listed in an Application Control configuration to help improve performance or to comply with localized rules and regulations. The following procedure shows you how to apply a new algorithm.
1. In the Manage ribbon, in the General group, select Advanced Settings. The Advanced Settings dialog displays.
2. To change the hashing algorithm for all files in a configuration, select the algorithm type from the Algorithm drop-down. When a new algorithm is selected from the drop-down, a rescan of all files in the configuration is automatically triggered. The Signature Rescan dialog displays when the rehashing is complete. This may take a few minutes, depending on the number of items being processed and the type of algorithm being applied. The dialog contains three tabs:
Actions Required - This tab displays when the signature rescan fails to find a previously hashed file or when a file path does not match the file stored in the configuration. All missing files must be removed or manually located before the Signature Rescan dialog is closed.
Changed - This tab contains an overview of all the application files that the new hashing algorithm has been applied to and their associated paths.
Unchanged - This tab contains an overview of all the application files that already have the selected algorithm and have therefore not been changed.
3. If the rescan finds missing files, do one of the following:
To delete the missing file from the configuration, select the filename from the Actions Required tab and click Remove from configuration.
To locate the missing file manually, click the ellipsis adjacent to the missing file and navigate to the file location.
Click Export List to produce a full report, in CSV format, that provides details of any files that are missing, changed or remain unchanged. The report provides the associated Rule Name, File, Hash and Status of all the hashed signature items. The exported report file can be opened in a spreadsheet so the data can be examined and queries run.
4. Click OK. Any missing files must be removed or manually located before clicking OK. The new hashing algorithm is applied and saved to the Application Control configuration.

Auditing
The Application Control Auditing feature allows you to define rules for the capture of auditing information and to raise events, and includes a filter for specifying the events you wish to capture in the log.
Auditing is accessed from the Manage ribbon.

Use the following options to control the general auditing behavior and select the events to be raised:
Send events to the Application Event Log - Select whether to send events to the Application Event Log.
Send events to the AppSense Event Log - Select whether to send events to the AppSense Event Log. You can only send the events to the Application Event Log or the AppSense Event Log, not both.
Make events anonymous - Specify whether events are to be anonymous. If Yes, the computer name and user name are omitted from all events. Anonymous logging also searches the file path for any instances where a directory matches the username and replaces the directory name with a fixed string.
Send events to local file log - Select whether to send events to the local file log. If Yes, the events are sent to the local log file specified in the text box. The default location is: %SYSTEMDRIVE%\AppSenseLogs\Auditing\ApplicationManagerEvents_%COMPUTERNAME%
Local file log format - Specify whether the event log is to be saved in XML format or CSV format.
In Enterprise installations, events can be forwarded to the Management Center via the Deployment Agent (CCA). When using this method for auditing, event data storage and filtering are configured through the Management Center console. For more information, see the Management Center Help.
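The anonymisation, single-destination and local-file-format options above, applied to sample events, as an added Python example that is not the product's own code: the event record layout, the CSV and XML field names and the "<username>" replacement token are assumptions (the guide's literal replacement string is not reproduced here), the sample events are constructed, and the 9015-based run count follows the advice given in the Local Events table that follows.

```python
import csv
import io
from dataclasses import dataclass, field
from xml.etree import ElementTree as ET

# Stand-in for the guide's replacement string (assumption, not the literal value).
ANON_DIR_TOKEN = "<username>"
# Events the guide lists as disabled by default because of their volume.
HIGH_VOLUME_EVENTS = frozenset({9001, 9007, 9014, 9015})

@dataclass(frozen=True)
class AuditEvent:
    """One audit record; constructed layout, not the product's schema."""
    event_id: int
    computer: str
    user: str  # DOMAIN\name
    path: str
    timestamp: str

@dataclass
class AuditSettings:
    """The general auditing options of the Auditing dialog."""
    send_to_application_log: bool = False
    send_to_appsense_log: bool = False
    anonymous: bool = False
    local_file_format: str = "CSV"  # "CSV" or "XML"
    enabled_events: frozenset = field(default_factory=lambda: frozenset({9000}))

    def problems(self):
        """Settings the dialog rejects: events go to the Application Event Log
        or the AppSense Event Log, never both."""
        found = []
        if self.send_to_application_log and self.send_to_appsense_log:
            found.append("choose either the Application Event Log or the AppSense Event Log")
        if self.local_file_format not in ("CSV", "XML"):
            found.append("local file log format must be CSV or XML")
        return found

def anonymize(event):
    """'Make events anonymous': drop computer and user name, and replace any
    path directory equal to the account name (typically the profile folder)."""
    account = event.user.rsplit("\\", 1)[-1].lower()
    masked = "\\".join(ANON_DIR_TOKEN if part.lower() == account else part
                       for part in event.path.split("\\"))
    return AuditEvent(event.event_id, "", "", masked, event.timestamp)

def select_events(events, settings):
    """Keep only events enabled in the dialog, anonymised if that option is set."""
    kept = [e for e in events if e.event_id in settings.enabled_events]
    return [anonymize(e) for e in kept] if settings.anonymous else kept

def render_local_log(events, settings):
    """Serialise the selected events in the configured local file log format."""
    if settings.problems():
        raise ValueError("; ".join(settings.problems()))
    if settings.local_file_format == "CSV":
        buf = io.StringIO()
        writer = csv.writer(buf, lineterminator="\n")
        writer.writerow(["EventId", "Computer", "User", "File", "Time"])
        for e in events:
            writer.writerow([e.event_id, e.computer, e.user, e.path, e.timestamp])
        return buf.getvalue()
    root = ET.Element("Events")
    for e in events:
        ET.SubElement(root, "Event", id=str(e.event_id), computer=e.computer,
                      user=e.user, file=e.path, time=e.timestamp)
    return ET.tostring(root, encoding="unicode")

def count_runs(events):
    """Launches per user, counted from 9015 (Application Started) rather than
    9001, which Windows can raise several times for a single request."""
    runs = {}
    for e in events:
        if e.event_id == 9015:
            runs[e.user] = runs.get(e.user, 0) + 1
    return runs

def demo():
    """Constructed sample events, not captured from a real endpoint."""
    app = "C:\\Program Files\\App\\app.exe"
    sample = [
        AuditEvent(9000, "PC01", "CORP\\alice", "C:\\Users\\alice\\Downloads\\tool.exe", "09:00:00"),
        AuditEvent(9001, "PC01", "CORP\\alice", app, "09:01:00"),
        AuditEvent(9001, "PC01", "CORP\\alice", app, "09:01:00"),
        AuditEvent(9015, "PC01", "CORP\\alice", app, "09:01:01"),
        AuditEvent(9015, "PC02", "CORP\\bob", app, "09:05:00"),
    ]
    # 9015 is enabled here only for the short troubleshooting window the guide allows.
    settings = AuditSettings(anonymous=True, enabled_events=frozenset({9000, 9015}))
    selected = select_events(sample, settings)
    csv_text = render_local_log(selected, settings)
    settings.local_file_format = "XML"
    xml_text = render_local_log(selected, settings)
    return {
        "kept": len(selected),
        "first_path": selected[0].path,
        "csv_lines": csv_text.count("\n"),
        "xml_events": xml_text.count("<Event "),
        "runs": count_runs(sample),
        "default_off": sorted(HIGH_VOLUME_EVENTS - settings.enabled_events),
    }
```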

Local Events
Event Filtering allows you to filter the file types that you want to audit. This is particularly useful if you choose a high-volume event. The Event Filter table is accessed by clicking Event Filtering in the Auditing dialog. It is a comprehensive list of all events and is used to select the events you wish to audit. You can sort the table numerically by ID number, or alphabetically by Event Name or Event Description. Selected events are highlighted in bold. Click Toggle to change the state between selected and cleared.
Events 9001, 9007, 9014 and 9015 are disabled by default as they can generate excessive event data on busy endpoints. We recommend these events are only used for troubleshooting purposes, and only for short periods of time.
To audit all file types, according to the events that are selected in the Auditing dialog, deselect the Enable event filtering option. This option is selected by default.

Event ID - Event Name - Event Description
9000 - Denied - Denied execution request.
9001 - Allowed Execution - Allowed execution request. A single request for an application can generate multiple 9001 events due to the way in which Windows responds to execution requests, so it is good practice to use event 9015 to accurately audit how many times a user has run an application.
9002 - Overwrite Changed Owner - Overwrite of an allowed executable.
9003 - Rename Changed Owner - Rename of a denied executable.
9004 - Application Limit Denial - Application limit denial.
9005 - Time Limit Denial - Time limit denial.
9006 - Self-Authorization - Self-authorization decision by user.
9007 - Self-Authorized allow - Self-authorization execution request.
9009 - Scripted Rule Timeout - Script execution timed out.
9010 - Scripted Rule Fail - Script failed to complete. This event is only raised for VB script failures.
9011 - Scripted Rule Success - Script completed successfully.
9012 - Trusted Vendor Denial - Digital Certificate failed Trusted Vendor check.
9013 - Network Item denied - Denied Network Item request.
9014 - Network Item allowed - Allowed Network Item request.
9015 - Application Started - An allowed application started running. A single request for an application can generate multiple 9001 events due to the way in which Windows responds to execution requests, so it is good practice to use event 9015 to accurately audit how many times a user has run an application.
9016 - Unable to change ownership - The file's ownership could not be changed.
9017 - Application Termination - A denied application has been terminated by Application Control.
9018 - Application User Privileges Changed - The application's user privileges have changed.
9019 - Web Installation allowed - Allowed Web Installation request.
9020 - Web Installation restricted - Restricted Web Installation request.
9021 - Web Installation restricted - Windows Restricted Web Installation request.
9022 - Web Installation fail - Web Installation failed to complete.
9023 - Self-Elevation allowed - Self-Elevation request.
9024 - URL Redirection - URL Redirection has occurred.
9051 - Policy Change granted - A Policy Change Request has been granted.
9052 - Policy Change invalid response code - An invalid response code has been entered for a Policy Change Request.
9053 - User-requested allow - An allowed Policy Change application has started.
9054 - User-requested elevate - An elevated Policy Change application has started.
9055 - Service start/stop - A service has been started or stopped.
9056 - Untrusted file with metadata match - Failed to verify the certificate of a signed file when matching metadata.
9096 - Configuration merge success - The configuration merge has completed successfully.
9097 - Configuration merge fail - The configuration merge has failed.
9098 - Configuration merge timeout - The configuration merge has timed out waiting for expected files.
9099 - Agent not licensed - Application Control is not licensed.

Local Event Filter
The following options are available for filtering local events:
Log Locally - Select the events to log locally.
Toggle Selected - Select any number of events, from one to all, and click Toggle to switch the Log Locally check box between being selected and cleared.

Event Filtering - Select to display the Event Filtering dialog.

File Event Filtering
Enable event filtering - Select to enable event filtering. Enabled by default.
File and Event IDs - Select the files to audit for each event. You can add or delete files from the list.

System Events
The following are non-configurable system events:
Event ID - Event Name - Event Description
8000 - Service Started - Application Control Agent: Service Started
Service Stopped - Application Control Agent: Service stopped
No Configuration found - Application Control cannot find a valid configuration
Invalid License - Application Control software is not licensed.

Configuration Profiler
The Configuration Profiler allows you to create a full report based on your current configuration, or a report that focuses on specific configuration items that match defined criteria such as the File, Folder, Network Connection, User, Group, and Device rule items. A full report also contains any conditions set for custom rules. Reports can be created whether configurations are stored locally or in a central database. Use general reports to assist auditing and compliance requirements such as Sarbanes
When you create a Configuration Profiler report, the configuration must be loaded into the Application Control console. It does not need to be deployed.
Create a report with Configuration Profiler
1. In the Manage ribbon, click Configuration Profiler.
2. The Configuration Profiler dialog displays.
3. Select the report type.
4. If required, define the criteria for the report.
5. Click Create.
Report Types
Select one of the following types of report:
Complete Report - Produces a report which includes all aspects of the configuration, including any conditions set for custom rules.

Report based on specific criteria - Produces a report which is based on the specified criteria as selected in the Report Criteria section.
Report Criteria
Report criteria are used when you want to create a report that focuses on specific configuration items. In the Define Criteria section of the dialog, select from the following:
User
Group
File
Folder
Network Connection
Device
Enter value to match - Enter the value to match for the associated criteria.
Report Output
When a report is created, it is automatically displayed in a preview window where you can change the following:
Paper Size
Watermarks
When the changes have been applied, you are given the option to save the report in various formats, such as PDF, or to print it.

Configuration Change Tracking
When Change Tracking is enabled, Application Control records any activity that occurs in the configuration. The information is stored in the Application Control package (AAMP) configuration file. Configuration changes that are recorded include adding and removing User Groups, User Privilege Policies and changes to Group Rules. Configurations generated through the scripting interface are not subject to configuration change tracking.
Enable or Disable Configuration Change Tracking
Change tracking is disabled by default for a new configuration. When a configuration is saved, so is the setting, which becomes the default position.

From the Manage tab, select Enable Change Tracking and enter your password. You have the option to password-protect the feature when you initially click the Enable Change Tracking button. The password is used to prevent unauthorized users from performing tasks such as enabling and disabling the feature, as well as deleting any Configuration Change Tracking history. Once enabled, details of each change to the configuration are saved in the history and versioning is enabled.
When enabled, to stop recording configuration history, select Disable Change Tracking and enter your password. When Change Tracking is disabled, the history remains but no further changes are recorded.
If you disable Change Tracking and make changes to a configuration, when it is re-enabled the configuration history shows that changes have been made while change tracking was disabled. It will not show any details of what has changed.
Configuration Change Tracking History
From the Manage ribbon, select Configuration History to display details of all the changes made to a configuration while change tracking is enabled. Whenever a configuration is saved, a new version of the history is created, outlining the changes made since the last save.
The Configuration History shows the following information for each change:
Type - The change version and any actions that have been performed; for example, if you have enabled the Change Tracking feature, the Change action type would be logged in the history.
Change - An overview of the change, for example Info --> Change Tracking Enabled: Yes. Double-click any entry in the history to access more details about a change.
Old Value - Provides a brief description of what the original configuration was before any changes were applied.
Configuration Change Details
Access more detailed information about each change by selecting the entry and clicking the Show Details button, or by double-clicking any history item, from the following areas:
Configuration History
Review Changes dialog when saving a configuration
The Change field displays a high-level overview, for example, "Change Tracking has been enabled". This is the same text that appears in the Configuration History dialog. The Details field provides more detailed information about the change. For example, if a line in a scripted rule is changed, the change history will display information on what the line was and what it has been changed to.

Export Change Tracking History
Configuration History can be exported to a CSV file. You can export the whole history of the configuration since change tracking was enabled, or you can choose to export the history up to a certain date or configuration version. By creating a backup, you can delete all or part of the history to reduce the configuration file size while ensuring that you still have access to the change tracking data. The exported history file can be opened in a spreadsheet so the data can be examined and queries run.
1. From the Manage tab, select Export History.
2. Select and configure the history you want to export:
All History - Export the entire configuration history.
History older than date - Export the configuration history up to the entered date.
History up to and including selected version - Export the configuration history up to the specified version number.
3. Click OK.
4. Select a location to save the CSV file and click Save.
Delete Change Tracking History
Change history can be deleted when required, and the amount of history you delete can be defined by date or version number. You are given the option to export the history prior to deleting.
1. From the Manage tab, select Delete History. If you specified a password when enabling Configuration Change Tracking, you will be prompted for this password.
2. Select and configure the history you want to delete:
All History - Delete the entire configuration history.
History older than date - Delete the configuration history up to the entered date.
History up to and including selected version - Delete the configuration history up to the specified version number.
3. Click OK and select whether you want to Export then Delete or just Delete the history. If you export prior to the delete, the selected history is exported to a CSV file at a selected location.
Deleting the history does not change or remove version numbers. When the history is deleted, the version numbers stay the same but increment as normal on future saves.
Undo and Redo Changes
If you undo a configuration change using the buttons in the quick access menu, the history of that change is removed. If an undone change is redone, the history is restored.

Save a Configuration
When you save a configuration to disk, the Management Center, Group Policy, SCCM or as the live configuration on an endpoint, an overview of the changes you have made since the last save is displayed. Each time a configuration is saved, its version number is incrementally increased and displayed at the bottom right of the console, regardless of whether change tracking is enabled or not.

Privilege Discovery Mode
Privilege Discovery Mode is accessed from the Configuration navigation button, Privilege Discovery Mode node, and provides the functionality to monitor endpoints in order to identify applications that use administrative privileges. An Application Control Web Service is used to collect the data and relay it to the Privilege Discovery Results work area in the Application Control Console. The data listed in the reports can be used to simplify the creation of an appropriate Application Control configuration and to produce reports.
Privilege Discovery Mode is intended for use during a discovery or pilot phase, so a maximum of 500 endpoints is recommended, depending on hardware specifications.
Application Control Web Services
Application Control Web Services are installed on any selected machine as part of the Application Control installation. It is a lightweight component that does not require typical server tools such as IIS or SQL Server. Although Application Control Web Services installs without any need to configure it, the default configuration can be amended using the HttpCfg or Netsh tools.
When installed, the Service runs in the background when Privilege Discovery is configured and monitors client endpoint activity, tracking details such as the applications that use administrative rights, the names of the users using the application, and the name of the endpoint it was launched from. The results of the tracking are displayed in the Applications Manager Console using the Privilege Discovery Results work areas, and they can be used to generate reports and create Application Control configurations.
For more information, see Application Control Web Services Configuration.
Configure Privilege Discovery
Privilege Discovery is configured using the Privilege Discovery Mode node, accessed from the Configuration button in the navigation pane, and is activated by selecting Enable Privilege Discovery Mode. The Privilege Discovery Mode work area contains:
Setup - Use the Setup area to determine the server name and location for the Application Control Agent to contact the Service. You can also choose when data collection is to finish by selecting the date and time from the End Time field. It is recommended that the time period is set far enough ahead to maximise the number of applications captured and therefore improve control of the administrative rights used on your network.
Endpoints - Allows you to specify the endpoints from which the data is collected. To specify endpoints from individual deployment groups or work groups, right-click in the Endpoint area and select Add Endpoint.
Advanced Button - Use the Advanced button to configure the Privilege Discovery advanced features. These include configuring the communication port to be used by Privilege Discovery Mode and the frequency with which the collected data is fed back to the Application Control Web Service.
The Privilege Discovery Mode ribbon allows you to add or remove endpoints when the Privilege Discovery Mode node is selected in the Configuration navigation pane. Use the Add Endpoint button to specify an endpoint to collect data from. The Remove Endpoints option provides you with the facility to remove a highlighted endpoint so that it will no longer be monitored.

Configure Privilege Discovery Mode
1. Select the Configuration navigation button.
2. Select the Privilege Discovery Mode node.
3. In the work area, select Enable Privilege Discovery Mode. The Privilege Discovery Mode options become available.
4. In the Server name field, select the ellipsis (...) to browse for the Application Control Web Server to be used. The name of the server can also be entered manually into the field.
5. In the End Time field, specify the date and time that the server will stop gathering application information.
6. To specify particular endpoints to be monitored, right-click in the Privilege Discovery work area and do one of the following:
Select Browse Deployment Group to locate the deployment group to be monitored.
Select Browse Domain/Workgroup to locate the domain or specific workgroup to be monitored.
If no endpoints are added to the work area, data will be collected from every configured endpoint.
7. If required, advanced settings can be configured using the Advanced button.
8. Save the configuration.
Configure Privilege Discovery Advanced Settings
Advanced settings are optional and allow you to configure Privilege Discovery further by providing the facility to specify the type of connection and the specific communication ports. You can also choose how often the Application Control Agent updates the Analysis Server with the gathered data by entering the time in minutes.
1. In the Privilege Discovery Mode work area, select the Advanced button. The Privilege Discovery Advanced Setup dialog displays.
2. Select one of the following options:
HTTP - Select this to use the standard application protocol and enter the port number you require.
HTTPS - Select this to use the secure application protocol and enter the port number you require.
3. To amend the interval at which the agent updates the Application Control Web Server, enter or select the time in the Update Every field. The default setting is 60 minutes.
4. Click OK.
Begin gathering the privilege discovery information by deploying the configuration to each of your endpoints.

Privilege Discovery Results
The results from Privilege Discovery are viewed using the Privilege Discovery Results navigation button, accessed from the Application Control console. The results are separated into the following nodes:
Applications - The Applications node opens the Application Summary work area and provides access to Application Details. The information in the Application Summary page can be viewed by application icon, or as a list by clicking the Switch to List View button, and provides details of applications that used administrative privileges to run. Further information, such as the endpoint on which the application was run, the name of the user, the command line that was used to execute the application and the time it was launched, can be accessed when you double-click a specific application in the summary work area. Application Details can also be used to create an Application Control configuration that can then be applied to user privileges for specific groups or users.
Endpoints - The Endpoints node opens the Endpoint Summary work area and provides access to Endpoint Details. The Endpoint Summary page displays the name of the endpoint, the number of unique applications run from the endpoint, the number of users with administrative privileges that used that endpoint and how many times a particular application was run. Further information, such as user details, the names of the applications used, the command line that was used to execute the application and the time applications on the endpoint were launched, can be accessed when you double-click a specific endpoint in the summary work area. Endpoint Details can also be used to create an Application Control configuration that can then be applied to user privileges for specific groups or users.
Users - The Users node opens the User Summary work area and provides access to the User Details work area. The information in the User Summary page consists of the username, the number of times unique applications were run, how many endpoints a particular user accessed and how many instances of an application were run. Further information, such as user details, the number of times a unique application was run with administrative privileges, the endpoints used and the number of instances applications were run, is displayed. The User Details can also be used to create an Application Control configuration that can then be applied to user privileges for specific groups or users.
Each of the nodes can be used to create user rules for specific groups or users based on the results you have selected. They are then added to an Application Control configuration to be distributed to the endpoints on your network.
The server details are also accessed from the Privilege Discovery Results navigation tree. The details displayed allow you to keep track of the endpoints being monitored, together with details of when monitoring started and the predicted time of completion.

Add a User Rule from the User Results
When the Privilege Discovery monitoring period elapses, the results are collected on the Application Control Web Server and can be viewed using the Privilege Discovery Results navigation button. These results can be used to create rules that can be included in a configuration and distributed to endpoints on your network.
1. Click the Privilege Discovery Results navigation button and select Users.
2. Do one of the following:
To view detailed information about the selected user, go to Step 3.
To add an application or control panel applet used by a user straight to a rule, go to Step 5.
3. Double-click the selected user to display the information. The User Details work area displays.
4. Expand and collapse the nodes as required to access further information.
5. Right-click the application or control panel applet to be added to a user rule.
6. Select Add to Rule and specify where the rule should be added.
7. Do one of the following:
Select as file name to add as a file name to the designated User Privileges node.
Select as signature to add as a signature to the designated User Privileges node.
Select as full command line to add command line control to the designated User Privileges node.
You can check that the application or control panel applet has been added to the correct node by navigating to it in the Configuration navigation tree.
8. Save the configuration.

Add a User Rule from the Endpoint Results
While the Privilege Discovery monitoring period is underway, you can add application items, specific endpoints or associated user components directly to an Application Control configuration and then distribute the configuration file to all the configured endpoints on your network. It is recommended that, where possible, you wait for the Privilege Discovery period to elapse before creating the configuration file.
1. Click the Privilege Discovery Results button in the navigation pane and select Endpoints.
2. Do one of the following:
To view detailed information about the selected endpoint, go to Step 3.
To add an application or control panel applet used by an endpoint straight to a rule, go to Step 5.
3. Double-click the selected endpoint to display the information. The Endpoint Details work area displays.
4. Expand and collapse the nodes as required to access further information.
5. Right-click the application or control panel applet to be added to a user rule.
6. Select Add to Rule and specify where the rule should be added.
7. Do one of the following:
Select as file name to add as a file name to the designated User Privileges node.
Select as signature to add as a signature to the designated User Privileges node.
Select as full command line to add command line control to the designated User Privileges node.
You can check that the application or control panel applet has been added to the correct node by navigating to it in the Configuration navigation tree.
8. Save the configuration.

Add Discovered Applications to a User Rule

When the Privilege Discovery monitoring period is underway, you can add application items, specific endpoints or associated user components directly to an Application Control configuration and then distribute the configuration file to all the endpoints on your network. It is recommended that, where possible, you wait for the Privilege Discovery period to elapse before creating the configuration file.

1. Click the Privilege Discovery Results navigation button and select Applications.
2. Do one of the following:
- To view detailed information about the selected application, go to Step 3.
- To add the application or control panel applet straight to a rule, go to Step 5.
3. Double-click the selected application to display the information. The Application Details work area displays.
4. Expand and collapse the nodes as required to access further information.
5. Right-click on the application or control panel applet to be added to a user rule.
6. Select Add to Rule and specify where the rule should be added.
7. Do one of the following:
- Select as file name to add as a file name to the designated User Privileges node.
- Select as signature to add as a signature to the designated User Privileges node.
- Select as full command line to add command line control to the designated User Privileges node.
You can check that the application or control panel applet has been added to the correct node by navigating to it in the Configuration navigation tree.
8. Save the configuration.

Add Known Applications to the Hidden Applications List

Once you have dealt with a discovered application, either by adding it to the configuration so that it runs elevated with administrative rights, or by deciding that end users should not be able to run the application with administrative rights, you can hide the application from all of the report views. You do this by adding the known applications to an automatic exclusion list called Hidden Applications.

When applications are added to this list they are automatically ignored in any future Privilege Discovery Reports and are no longer displayed as part of your results. To add applications to this list, highlight one or more of the applications, right-click and select Hide Application from the context menu. The Hidden Applications list is accessed using the Hidden Applications button in the Privilege Discovery Mode ribbon and allows you to view and restore previously excluded applications using the Restore and Restore All buttons.

Privilege Discovery Status

The server details are displayed when you first select the Privilege Discovery Results navigation button. The details include the server information, current and maximum allowable database size, and details of the endpoint usage. The Endpoint status node provides details of the endpoints currently being monitored, with information such as the date and time of the last update together with the time the privilege discovery report is scheduled to finish.

Group Management

Group Management is a library for compiling reusable groups of files, folders, drives, signatures and network connections that can be associated with rules in the configuration. For example, groups can be used to manage licenses for a suite of software, or common sets of applications for assigning to certain user groups.

Use groups to help manage long lists of related items for an application, for example, all the File, Folder, Drive, Signature, Windows Store App, and Network items. Add the groups to rules to allow or restrict access. Groups can include any combination of these items. For example, you can group a number of items for one particular application and then add the group to the Allowed or Denied lists. If the group name is amended, it automatically updates in any rule where the group is applied.

Create a Group

Two groups cannot have the same name. Naming two groups the same displays an error message informing you that a group with the same name already exists. You cannot save the group until you specify a unique name. Renaming a group is reflected in all rules that use that group.

1. Navigate to the Group Management node.
2. Select Add Group on the Groups ribbon.
3. The new group, with the default name New Group, is added below the Group Management node.
4. To rename the group, double-click it to make the name editable and enter a new meaningful name, for example, Microsoft Applications.
5. To sort the groups, right-click the Group Management node and select Sort Ascending or Sort Descending.

Add Items to a Group

1. Any combination of Files, Folders, Drives, Signature Files, Windows Store Apps and Network Connections can be added to a group, for example, all items that belong to a single application.
2. Navigate to the Group Management node and select the group you want to add items to.

3. Click the Add Item drop-down arrow on the Groups ribbon.
4. Do one or more of the following:
- To add a file, select Add > File
- To add a folder, select Add > Folder
- To add a drive, select Add > Drive
- To add a signature file, select Add > Signature File
- To add a Network Connection item, select Add > Network Connection Item
- To add a Windows Store App, select Add > Windows Store App

To populate a group, you can also do the following:
- Right-click a group and select Add Items.
- Add multiple files at once.
- Drag and drop items from Internet Explorer. Note: dragging and dropping files also includes any dependencies.
- Cut, copy and paste between groups.

You cannot add duplicate items to a group.

Add Groups to a Rule Item

Groups can contain a number of items, for example, all the File, Folder, Drive, Signature, Windows Store App and Network items for a single application. You can add groups to the Allowed Items, Denied Items, and User Privileges rule items, eliminating the need to add items individually to the lists.

1. Select either an Allowed Items, Denied Items or User Privileges rule item. The rule item work area displays.
2. Click Add Item, and then select the menu path to add a group as follows:
- To add an Allowed Item, select Allowed > Group.
- To add a Denied Item, select Denied > Group.
- To add a User Privileges Item, select either Application > Group or Self-Elevation > Group.
The group selection dialog displays.
3. Select the group you want to add and click OK. The group is added to the rule.

Remove Groups from a Rule Item

You can remove a group from a rule. All items within the group are also removed from the rule item. The group is not deleted and remains under the Group Management node.

1. Select the Allowed Items, Denied Items or Privilege Management rule item within the rule that contains the group you want to remove. The work area displays.
2. Select the group you want to remove and select Remove Item in the Rule Items ribbon. The Remove Items dialog box displays.
3. Click Yes. The group is removed.

Delete a Group

You can delete a group. When a group is deleted, all items within the group are also deleted. If you try to delete a group that is currently used by a rule, a dialog displays telling you which rule uses the group. Remove the group from the rule before you delete the group. A message is displayed when the group contains items such as File, Folder, Drive, Signature, Windows Store App, and Network items.

1. Select the group you want to delete.
2. Select Remove Group on the Groups ribbon.
3. One of the following occurs:
- The Confirm Removal dialog displays. Click Yes. The group and the items it contains are deleted.
- The Group in use dialog displays, providing the location of the rules that reference the group. Click OK and remove the group from the rule. Select Remove Group on the Groups ribbon, and click OK in the Confirm Removal dialog.

Capture Signatures in a Group

Use the Signature Wizard to capture multiple signature files.

1. Select the group that you want to add signatures to.
2. Select Launch Signature Wizard on the Groups ribbon. The Signature Wizard displays.
3. Click Next. The Search method window displays.

4. Do one of the following:
- To search for files in a particular folder, go to Step 5.
If you wish to examine a specific process, make sure you have launched the relevant application before proceeding.
- To examine files used by one of the processes running on the computer, go to Step 10.
5. Select Search Folders and click Next. The Searching Folders window displays.
6. Browse to and select the folder you wish to search and click OK.
7. Select the Include subfolders option as required and click Next to begin the search. The Review Files window displays.
8. Review the files and click Next to capture the signatures. The Signature Generation window displays.
9. Go to Step 14.
10. Select Examine a running process.
11. Click Next. The Examine a running process window displays, showing all the running processes.
12. Select the process to examine and click Next. The Review Files window displays.
13. Review the files and click Next to capture the signatures.
14. Allow the generation to complete, then click Next and Finish.

Rules

Rule nodes allow you to create rules targeting specific users, groups, and devices, and assign security level policies, resource access, and resource restrictions that apply to the users, groups, and devices that match the rules. There are six rule types:
- Group Rules
- User Rules
- Device Rules
- Custom Rules
- Scripted Rules
- Process Rules

Rule nodes provide Security Level settings for specifying the levels of restrictions to execute files. Application Control configuration rule settings security levels specify how to manage requests to run unauthorized applications by the users, groups, or devices that a rule matches:
- Restricted - Only authorized applications can run. These include files owned by members of the Trusted Owners list and files listed in Allowed Items, Trusted Vendors, and Trusted Applications.

- Self-Authorizing - Users are prompted for decisions about blocking or running unauthorized files on the host device.
- Audit only - All actions are permitted but events are logged and audited, for monitoring purposes.
- Unrestricted - All actions are permitted without event logging or auditing.

Rule nodes also provide a further layer of granularity for controlling application use with Allowed Items, Denied Items and Trusted Vendors for specifying lists of files, folders, drives and signature items, network connection items, Windows Store apps, and groups that are allowed or prevented from running. For more information on the relevant options for each rule type, see Rule Options.

To display all rules in the configuration, click Rules in the navigation tree. A summary displays all rules listed under the relevant rule type. The security level assigned to each rule is shown and can also be amended.

Security Levels

Apply security levels to control whether the users, groups, and devices specified in a rule are fully restricted by Application Control rules, unrestricted, audited only, or granted self-authorization status entitling the user to decide whether to run an application. Self-authorized users can be audited by raising events in the Auditing component and the Windows Event Log.

Set the Security Level

To set the Security Level, select the required node and, using the slider, apply the required security level.

Restricted
Select to restrict users, groups, and devices in the rule to run only authorized applications. These include files owned by members of the Trusted Owners list and files listed in the Allowed Items node.

Self-Authorize
Select to prompt users, groups, and devices in the rule to decide whether to allow execute requests for each unauthorized file. Unauthorized files either do not belong to the Trusted Owners list or are not specified in the Allowed Items list of a given rule. A self-authorizing user prompt includes the following options:
- Allow - Allows the application to run.
- Block - Blocks the application from running.
When a DLL file is allowed to run, a message notifies the user that the application which uses the DLL may need to be restarted. The default message which displays can be modified in the Message Settings dialog on the Global Settings ribbon.
Users can also decide how long the setting is applied for:
- Remember my decision for this session only - The authorization decision is upheld only for the current session. The user is prompted again for an authorization decision when attempting to run an application in any future session.
- Remember my decisions permanently - The user decision is upheld for all future sessions.
If neither of these options is selected, the decision is upheld only for the current instance the user is attempting to run. The self-authorization prompt is reissued for any future attempts to run instances of the application.

Audit Only
Select to permit all actions but log and audit events for monitoring purposes, according to the policy settings in Auditing.

Unrestricted
Select to permit all actions without event logging or auditing.

Example: Testing Self-Authorization

You can test whether Security Levels are being implemented correctly. The following example shows you how to test the Self-Authorizing level.

1. Create a rule in the User rules node that applies to a test user account that is not a member of a group that belongs to the Trusted Owners list.
2. Set the security control level to Self-Authorizing to allow the test user to self-authorize applications to run.
3. Save the configuration.
4. Run the Registry Editor. The application is prohibited and a message box displays with a prompt for a decision to allow the file to run, informing you that the action will be logged.

Example: Change the Security Level for a Process Rule

You can apply security levels to control whether applications specified in the process rule are fully restricted by Application Control rules, unrestricted, or audited only.

1. Select the required process rule. The Process Rule work area displays.
2. Click and drag the Security Level slider to the required level.

Policy Change Request Settings

Configure which request types and features are available to users for each rule. Policy Change Request settings are available for all rule types, apart from Process rules.

1. Select a rule in the navigation pane.
2. Select the Policy Change Requests tab.
3. Apply the required settings for the selected group:
- Allow Requests to be made
- Allow Immediate requests to be made via the Helpdesk
- Allow link from AppSense Access Denied Message box
- Show the Policy Change Request context menu
- Show the Policy Change Request desktop icon
The detail for each setting is configured using the Policy Change Requests dialog, accessed from the Global Settings ribbon.

Group Rules

The Group rules node allows you to match security control rules with specific user groups within the enterprise.

The Group summary displays the group name, Textual Security Identifier (SID) and Security Level of the rule. Application Control allows you to assign four distinct security levels to the group rules.

A SID is a data structure of variable length that identifies user, group, and computer accounts. Every account on a network is issued a unique SID when the account is first created. Internal processes in Windows refer to an account's SID rather than the account's user or group name. Likewise, Application Control also refers to a user or group SID unless the SID could not be found when added to the configuration.

There are two predefined Group rules:
- BUILTIN\Administrators - Users in BUILTIN\Administrators are assigned the Unrestricted security level. The BUILTIN\Administrators group is for managing access to the applications for local administrators.
- Everyone - The Everyone group rule and all additional group rules have a security level of Restricted, unless a user matches other group or user rules with higher priority settings. All users, including administrators, are part of the Everyone group. This means administrators are part of two group rules: the BUILTIN\Administrators group, which is unrestricted, and the Everyone group, which is restricted. Application Control uses the least restrictive rules; therefore, all administrator requests are unrestricted.

Typically, you specify all the files, folders, drives, signature items, network connection items, and groups to prohibit for Everyone. You can then create a new group or user rule and specify the items you want to be accessible for that group or user. This enables you to control what users have access to.

Manage group rules as follows:
- To add a group rule, click Add Rule on the Rules ribbon and select Group Rule. The Add Group Rule dialog displays. Enter or browse to select an account.
- To remove a group rule, highlight a rule and click Remove Rule on the Rules ribbon. A confirmation message displays. Click Yes to confirm the removal.

You can also add items to the Allowed Items, Denied Items, Trusted Vendors, User Privileges, and Browser Control nodes in each group rule node. For more information, see Rule Items.

User Rules

The User rules node allows you to match security control rules with specific users within the enterprise.

The User summary displays the User, Textual Security Identifier (SID) and Security Level of the rule.

A SID is a data structure of variable length that identifies user, group, and computer accounts. Every account on a network is issued a unique SID when the account is first created. Internal processes in Windows refer to an account's SID rather than the account's user or group name. Likewise, Application Control also refers to a user or group SID unless the SID could not be found when added to the configuration.

- To add a user rule, click Add Rule on the Rules ribbon and select User Rule. The Add User Rule dialog displays. Enter or browse to select an account.
- To remove a user rule, select a rule and click Remove Rule on the Rules ribbon. A confirmation message displays. Click Yes to confirm the removal.

You can also add items to the Allowed Items, Denied Items, Trusted Vendors, User Privileges, and Browser Control nodes in each user rule node. For more information, see Rule Items.

Device Rules

Device rules allow security control rules to be matched with specific devices. Device rules can apply the rule settings either to the device hosting the Application Control Agent and configuration, or to connecting devices. For example, a configuration rule can allow certain applications to run on a server but prohibit others from running when launched from a device listed in the rule. Device rules also provide the ability to perform per-device license management in a server-based computing environment.

- To add a device rule, click Add Rule on the Rules ribbon and select Device Rule.
- To remove a device rule, select a rule and click Remove Rule on the Rules ribbon. A confirmation message displays. Click Yes to confirm the removal.

You can also add items to the Allowed Items, Denied Items, Trusted Vendors, User Privileges, and Browser Control nodes in each device rule node. For more information, see Rule Items.

Device Rule Validation Types

Host Name or IP Address Rule
Use this device client rule to apply Allowed Items, Denied Items, Trusted Vendors, and User Privileges rules to a third party device when a user attempts to access their endpoint from a specific Host Name or IP Address. If the Host Name or IP Address is matched to the third party device, Application Control rules specific to the device are applied.

Computer Group Membership Rule
Use this device client rule to apply Allowed, Denied, Trusted Vendors, and User Privileges rules to a third party device that is a member of a specific security group. Application Control checks whether the computer is a member of the specified security group before applying the rules. If entering the Computer Group Membership details manually, you must use the fully qualified name, for example, CN=ComputerGroup, OU=Department, OU=Corporation, DC=CoreDomain.

OU Membership
Use this device client rule to apply Allowed, Denied, Trusted Vendors and User Privileges rules to a third party device that is a member of a specified Organizational Unit (OU).

Custom Rules

Custom rules apply settings to devices hosting the Application Control Agent and configuration. You can add items to the Allowed Items, Denied Items, Trusted Vendors, User Privileges, and Browser Control nodes in each custom rule node. For more information, see Rule Items.

Custom rules allow security control rules to be applied when certain conditions are met. You can specify conditions for the following:
- Computer
- Directory membership
- Environment
- Files and folders
- Registry
- Session and client
- The user
You can also create custom scripted conditions using Visual Basic or JavaScript. For more information on conditions for custom rules, see Condition Management.

For example, you can create a custom rule that allows only users who belong to the Finance OU and who are not working on laptops to self-elevate to install a specific accounting application.

If you select the Custom Rules node, the All Custom Rules summary displays the Rule Name and the Security Level.

- To add a custom rule, click the Add Rule drop-down arrow on the Rules ribbon and select Custom Rule.
- To remove a custom rule, select a rule and click Remove Rule on the Rules ribbon. A confirmation message displays. Click Yes to confirm the removal.

Support for Custom Rules from Earlier Versions

Custom rules in version 10.0 differ considerably from Custom rules in versions 8.8 and 8.9. You can upgrade version 8.8 and 8.9 configurations that contain Custom rules by opening them in a version 10.0 console and saving them. This recreates the Custom rules using the new version 10.0 conditions, matching the behavior of the earlier version rules. If you do not upgrade a version 8.8 or 8.9 configuration, the Application Control Agent version 10.0 still reads the configuration, but the URL Redirection and Custom rules are ignored. The rest of the configuration still applies.

Scripted Rules

Scripted rules allow custom rules to be created using Windows PowerShell or VBScript. The success or failure of the script determines whether the security level, Allowed Items, and Denied Items that are part of the rule apply to the user. Scripted rules can take advantage of any interface accessible via PowerShell or VBScript, such as COM (Component Object Model) and

Each script is evaluated under the following circumstances:
- When a new configuration is deployed to the computer.
- When a user logs on.

You create and edit scripts in the Scripted Rule dialog, which you access as follows:
1. In the Rules ribbon, select Add Rule.
2. In the drop-down menu, select Scripted Rule. The Scripted Rule work area displays.

You can define when the script is to be run using the following Scripted Rule Options:
- Run script once per logon session as the logged on user - The script runs for each user logging on. Settings are only applied for the duration of the user session.
- Run script once per logon session as the SYSTEM user - The script runs with SYSTEM account permissions once for each user logging on. Settings are only applied for the duration of the user session.

- Run script once per computer as the SYSTEM user - The script runs with SYSTEM account permissions once at computer startup. Settings are applied to all user sessions until the computer restarts, the Application Control agent restarts or there is a configuration change.
Caution: Running scripts as the SYSTEM user can cause serious damage to your computer and should only be enabled by experienced script authors.
- Do not execute script until user logon is complete - Select to prevent the script from running until user logon is complete.
- Wait for <n> seconds before script timeout - Allows you to specify the number of seconds to allow a script to continue running before the script times out. A setting of zero (0) seconds prevents the script timeout. If a timeout occurs the result is fail and settings cannot be applied.

VBScripts

Each script is run within a hosted script engine, allowing greater control over the script execution whilst providing a high degree of input and output control. No VBS file is used. No separate process is spawned. A script must be written as a function and can contain many functions, but a main start function must be specified. The start function is run by the Application Control agent and can be used to call other functions.

The AMScriptRule COM object is built into the scripting engine and provides access to the following methods:

    strUserName = AMScriptRule.UserName
    strUserDomain = AMScriptRule.UserDomain
    strSessionID = AMScriptRule.SessionID
    strStationName = AMScriptRule.WinStation

The Microsoft standard in this instance means that WinStation returns the name of the Terminal Services session, which is determined by the type of session, with typical values being Console or RDP-Tcp#34, instead of the Window Station name, which is typically WinSta0.

The AMScriptRule COM object also includes the following methods:

    strLog = AMScriptRule.Log("My Log Statement")

Allows you to output logging strings to the agent log file for use with debugging scripted rules.

    strEnvironmentVar = AMScriptRule.ExpandEnvironment("%MyEnvironmentVariables%")

Expands environment variables of the user running the script. Using WScript.Shell to expand environment variables only returns SYSTEM variables.

Windows PowerShell Scripts

If the script returns (exits) with a value of 0, the script passes and the rules are applied. If any non-zero value is returned, the script fails and the rules do not apply. Each PowerShell script is executed in an instance of PowerShell.exe and as such Application Control neither enforces nor adds any specific syntax; all correctly formed PowerShell will work. PowerShell must be installed on any endpoints that will be using the script.

Add a Scripted Rule

1. Click the Add Rule drop-down arrow on the Rules ribbon and select Scripted Rule. A new rule is added to the All Scripted Rules work area. The Scripted Rule dialog displays.
2. To enter a script, do one of the following:
- Type the script in the Current Script area.
- Open an existing script in a script editor, copy or cut the content and paste it.
3. Select Click here to edit the script. Click Import to import an existing script.

Edit a Scripted Rule

1. Use the Scripted Rule dialog to create and maintain rules based on custom VB and PowerShell scripts that are run whenever a user logs on.
2. To open the Scripted Rule dialog for a specific rule, you can either:
- Navigate to the scripted rule in the navigation pane and select it.
- Select the Rules node in the navigation tree. In the All Rules dialog, double-click the rule that you want to edit.
The Scripted Rule dialog displays.
3. Click Click here to edit the script. The Configure this Scripted Rule dialog displays.
4. In the Script tab, add or amend the script to be used when your users log on.
5. In the Options tab, select the script execution setting from the list of available options in the Define the execution settings section.

6. To specify the script time settings, select the appropriate options in the Define the script time settings section.
7. Click OK.

Sample Scripts

Scriptable rule to determine if an AAC filter has been passed, using VBScript

The following VBScript demonstrates how to control the applications to which a user has access.

    Function ScriptedRule()
        ' Name of the filter scan expected to pass
        ExpectedFilter = "FWALL"
        ' Get the server name
        Set objntinfo = CreateObject("WinNTSystemInfo")
        ServerName = LCase(objntinfo.ComputerName)
        ' Set the initial return value
        ScriptedRule = False
        ' Create the MetaFrame session object
        Set MFSession = CreateObject("MetaFrameCOM.MetaFrameSession")
        ' Walk the session filters for this session
        For Each x In MFSession.SmartAccessFilters
            ' Return True if our filter is found
            If x = ExpectedFilter Then
                ScriptedRule = True
                AMScriptRule.Log "SmartAccessFilter match found."
            End If
        Next
    End Function

Scriptable rule to determine if a computer is in a Computer OU, using VBScript

The following VBScript can be used to determine if a computer is in a Computer Organizational Unit:

    Function ScriptedRule()
        ScriptedRule = vbFalse
        strCompName = AMScriptRule.StationName
        Set RootDSE = GetObject("LDAP://RootDSE")
        strDNSDomain = RootDSE.Get("DefaultNamingContext")
        Set OU = GetObject("LDAP://OU=TheOUyouAreSearching,OU=Parent,OU=Parent," & strDNSDomain)
        OU.GetInfo
        ' Compare the computer name with the CN of each member of the OU
        For Each member In OU
            If UCase(strCompName) = UCase(member.CN) Then
                ScriptedRule = vbTrue
                Exit For
            End If
        Next
    End Function

Scriptable rule to determine if a user is a member of a certain OU, using VBScript

The following sample VBScript shows the main components of a script and demonstrates how to access information about the username of the user logging on to the system, and match it with a specific domain and organizational unit:

    Function MyScript()
        ' Get the username of the user logging in (also works when running as SYSTEM)
        strUserName = AMScriptRule.UserName
        ' Get the domain of the user logging in (also works when running as SYSTEM)
        strUserDomain = AMScriptRule.UserDomain
        ' Look up user environment variables (when running as SYSTEM, only SYSTEM variables are available)
        strClientName = AMScriptRule.ExpandEnvironment("%ClientName%")
        ' Log the output
        AMScriptRule.Log strUserName & " logged in on " & strClientName
        ' Check if the user is a member of the domain
        If strUserDomain = "MyDomain" Then
            ' If so, see if the user is in the MyOU OU
            Set objOU = GetObject("LDAP://ou=MyOU,dc=MyDomain,dc=com")
            objOU.Filter = Array("user")
            For Each objUser In objOU
                ' Check if there is a match with the user logging on
                If objUser.sAMAccountName = strUserName Then
                    ' If there is, then set the function to True
                    MyScript = True
                End If
            Next
        End If
        ' Unless there is a username match, the function defaults to False
    End Function

Scriptable rule to determine if a user is a member of a certain OU, using Windows PowerShell

The following sample Windows PowerShell script shows the main components of a script and demonstrates how to access information about the username of the user logging on to the system, and match it with a specific domain and organizational unit:

    # Script checks if the current user is a member of the OU specified
    # Return 0 if TRUE
    # 1 otherwise
    $logonuser = $env:username
    $bindpt = [adsi] "LDAP://OU=TS_Users,OU=Users,OU=MyUser,OU=MyOU,DC=MyDomain,DC=com"
    $users = New-Object System.DirectoryServices.DirectorySearcher $bindpt
    $users.filter = "(&(objectclass=user)(samaccountname=$logonuser))"
    $obj = $users.findone()
    if ($obj -eq $null) {
        # Not a member: fail the rule
        exit 1
    }
    # Member: pass the rule
    exit 0

Process Rules

The Process node allows security control rules to be matched with specific requesting processes. Process rules allow you to manage access for an application to run child processes which might otherwise be managed differently in other rules. You can add Allowed Items, Denied Items, Trusted Vendors and User Privilege Management to the rule. For further information, see Rule Items. You can add files, folders, drives, signature items, network connection items and application groups as managed items into the Allowed Items and Denied Items lists of a process rule. The Process Rule only manages the first level of child processes run by the application, not the children of child processes.

The Process Rule does not manage the application itself. This must be managed by other rules unless the application is managed as a child process in another Process Rule.
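Building on the PowerShell scripted rule contract described above (exit 0 passes, any non-zero exit fails), the following is an added example and not code from the product guide: a script intended for the "Run script once per computer as the SYSTEM user" option, which passes only when the endpoint's computer account is a direct member of a named AD security group and fails closed on any directory error, in line with the guide's treatment of a script timeout as a fail. The group DN, the function name and the use of System.DirectoryServices are assumptions of this example.

```powershell
# Added example, not from the product guide. Scripted rule for the
# "Run script once per computer as the SYSTEM user" option: the rule's
# security level and items apply (exit 0) only when this endpoint's computer
# account is a direct member of the security group below. Any lookup failure
# exits 1, so the rule fails closed, as the guide says a script timeout does.

# Placeholder group DN (assumption): replace with your own group.
$RequiredGroupDn = 'CN=AppControl-Elevated-Workstations,OU=Groups,DC=example,DC=com'

# Hypothetical helper name; returns $true only on a direct membership match.
function Test-ComputerGroupMembership {
    param([string]$GroupDn)

    # Computer accounts are stored as "<hostname>$" in sAMAccountName.
    $computerSam = "$env:COMPUTERNAME`$"

    # With no SearchRoot, the searcher uses the default naming context of the
    # domain this endpoint is joined to; SYSTEM authenticates as the computer.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$computerSam))"
    [void]$searcher.PropertiesToLoad.Add('memberOf')

    $result = $searcher.FindOne()
    if ($null -eq $result) {
        # No such computer account in the directory: not a member.
        return $false
    }

    # memberOf lists the DNs of the groups this computer belongs to directly;
    # nested group membership is deliberately not expanded here.
    foreach ($dn in @($result.Properties['memberof'])) {
        if ([string]$dn -ieq $GroupDn) {
            return $true
        }
    }
    return $false
}

$isMember = $false
try {
    $isMember = Test-ComputerGroupMembership -GroupDn $RequiredGroupDn
}
catch {
    # Directory error (no domain controller reachable, malformed DN, ...):
    # leave $isMember false so the rule does not apply.
    $isMember = $false
}

if ($isMember) {
    exit 0    # script passes: the rule's security level and items apply
}
exit 1        # script fails: the rule does not apply
```

Because the membership check is direct only, a computer that reaches the group through a nested group is treated as a non-member; expand nesting in the helper if your design relies on it.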

Create a Process Rule

The process rule applies to the application that is attempting to start an application, load a component, or access a network resource. The process rule can allow certain applications to run but prohibit them from running when launched by specific processes. Rules are displayed in the order they are created and are not alphabetical. Process rule names must be unique; you cannot create two process rules with the same name. You cannot have duplicate processes. You cannot cut, copy and paste process rules.

1. From the Rules ribbon, select Add Rule > Process Rule. A process rule is created and consists of four rule items: Allowed Items, Denied Items, Trusted Vendors, and User Privileges.
2. Right-click the new process rule and select Rename.
3. Give the rule an intuitive name.
4. Apply the required security level: Restricted, Audit Only or Unrestricted. For more information, see Security Levels.
5. Add a process to the rule.
6. Add an item to a rule item.

Add a Process to a Process Rule

Use the Process Rule work area to add processes to a process rule. The processes listed within this area are used during rules processing to match the rule to a request's process originator. The first column displays the name and location of the process file or signature, the second contains the signature for the process, if applicable, and the third column displays the description of the process, if present.

1. Select the process rule. The Process Rule work area is displayed.
2. In the Rules ribbon, select the Add Process drop-down arrow and do one of the following:
- To add a file, select Add > File
- To add a signature, select Add > Signature
You can add multiple files at once. You can drag and drop files from Windows Explorer or another file manager, and cut, copy, and paste. You cannot have duplicate processes.
3. Use the Rescan Signature button on the Rules ribbon to

Add an Allowed or Denied Item to a Process Rule

Allowed Items and Denied Items can contain files, folders, drives, signatures, Windows Store Apps, and network connection items. They can also include groups.

1. Select the required Allowed or Denied Item.
2. Click the Add Item drop-down arrow on the Rule Items ribbon and select either Allowed or Denied.
3. Once you have selected the item type to add to the process rule, do one or more of the following:
- To add a file, select Add > File
- To add a folder, select Add > Folder
- To add a drive, select Add > Drive
- To add a signature item, select Add > Signature Item
- To add a Network Connection item, select Add > Network Connection Item
- To add a Windows Store App, select Add > Windows Store App
- To add a group, select Add > Group
4. Groups can consist of a number of items, for example, all the File, Folder, Drive, and Signature File items for a particular application.

Example: Using a Process Rule to Restrict Access to FTP

You can use process rules to allow, for example, only certain applications to access FTP. This example shows how to use process rules to allow only a specific application to access FTP ports 20 and 21. The first step is to create a group to specify the

Step 1 - Create a Group

1. Select the Group Management node.
2. Select Add Group on the Groups ribbon.
3. Select and right-click the new group and select Rename.
4. Rename the group with an intuitive name, for example, Specify FTP Ports.
5. Select the Add Item drop-down arrow on the Groups ribbon and select Network Connection. The Add a Network Connection dialog displays.
6. Specify the host in the Host field.
7. Select the Ports button on the right-hand side of the Ports field. The Common Ports dialog displays.
8. Select ports 20 and 21: FTP - Data Port and FTP - Control Port, and click Add.
9. Select the Text contains wildcard characters option and click Add.

Step 2 - Create a Process Rule to Block Access to FTP Ports 20 and 21

137 1. Select the tp level Prcess rule nde. 2. Select the Add Rule drp-dwn arrw n the Rules ribbn and select Prcess Rule. 3. Select and right-click the new prcess rule and select Rename. 4. Give the rule an intuitive name, fr example, Cannt access FTP. 5. Right-click within the Prcesses wrk area, and select Add > File. The Add a File dialg displays. 6. Enter * in the File field and click Add. This dentes that all files are blcked frm accessing prts FTP 20 and 21. The use f 7. Expand the new prcess rule nde. 8. Select the Denied Items nde. 9. Select the Add Item drp-dwn arrw and select Denied > Grup. The Grup selectin fr dialg bx displays. 10. Select the grup created in the Create a Grup prcedure and click Add. This rule nw prhibits all applicatins frm accessing the FTP prts 20 and 21. Step 3 - Create a Prcess Rule t Allw Access t FTP Prts 20 and Select the tp level Prcess rule nde. 2. Select the Add Rule drp-dwn arrw n the Rules ribbn and select Prcess Rule. 3. Select and right-click the new prcess rule and select Rename. 4. Give the rule an intuitive name, fr example, Can access FTP. 5. In the Prcesses wrk area, right-click and select Add > File. The Add a File dialg displays. 6. Brwse t and select the file that yu want t access FTP, fr example, Internet Explrer. 7. If required, expand the new prcess rule nde. 8. Select the Allwed Items nde. 9. Select the Add Item drp-dwn arrw and select Allwed > Grup. The Grup selectin fr dialg displayed. 10. Select the grup created in the Create a Grup prcedure and click OK. This rule nw allws the specified applicatin t access the FTP prts 20 and 21. Step 4 - Set the Grup Rule t Restricted 1. Expand the Grup nde and select BUILTIN\Administratrs. The Grup Rule wrk area displays. 2. Drag the Security Level slider t Restricted. Step 5 - Save the cnfiguratin Save the cnfiguratin. Only the applicatin specified in the prcedure can access FTP prts 20 and 21. Page 137 f 344
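The following is an added example, not code from the product or this guide, that models how the two process rules built in Steps 2 and 3 combine for a network request: a process rule is selected by the requesting process, and the Denied or Allowed network connection items of the selected rules are matched by host and port. The guide does not state how the agent orders competing process rules; the model below assumes that the rule with the most specific process match decides and that, within one rule, a Denied item beats an Allowed item. The Internet Explorer path, the host value in the group, and the rule names are assumptions.

```python
"""Added example (not the product's code): evaluating the "Cannot access FTP"
and "Can access FTP" process rules from the example above against a
network request (process, host, port). Rule ordering is an assumption."""
from dataclasses import dataclass, field
import re


def wildcard_match(pattern, text):
    """'*' stands for any run of characters; matching is case-insensitive
    (the group was added with "Text contains wildcard characters")."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text, re.IGNORECASE) is not None


@dataclass(frozen=True)
class NetworkConnection:
    host: str           # may contain '*'
    ports: frozenset    # port numbers selected in the Common Ports dialog


@dataclass
class ProcessRule:
    name: str
    processes: list                                 # patterns for the requesting process path
    allowed: list = field(default_factory=list)     # NetworkConnection items
    denied: list = field(default_factory=list)


# Stand-in for the "Specify FTP Ports" group: host is a wildcard (assumed value),
# ports 20 (FTP - Data Port) and 21 (FTP - Control Port) as in Step 1.
FTP_PORTS = NetworkConnection(host="*", ports=frozenset({20, 21}))

# Assumed location of Internet Explorer, the example application from Step 3.
IEXPLORE = r"C:\Program Files\Internet Explorer\iexplore.exe"

RULES = [
    ProcessRule("Cannot access FTP", processes=["*"], denied=[FTP_PORTS]),   # Step 2
    ProcessRule("Can access FTP", processes=[IEXPLORE], allowed=[FTP_PORTS]),  # Step 3
]


def process_matches(rule, process_path):
    return any(wildcard_match(p, process_path) for p in rule.processes)


def specificity(rule, process_path):
    """More literal characters in the matching process pattern = more specific;
    the bare '*' rule scores 0 (assumed tie-break, not stated in the guide)."""
    return max(len(p.replace("*", "")) for p in rule.processes if wildcard_match(p, process_path))


def connection_matches(item, host, port):
    return port in item.ports and wildcard_match(item.host, host)


def network_access_allowed(process_path, host, port, rules=RULES):
    """Return (allowed, deciding rule name). Rules that name the requesting
    process are examined most-specific first; a request no rule mentions is
    permitted, since process rules only restrict what they list."""
    applicable = sorted((r for r in rules if process_matches(r, process_path)),
                        key=lambda r: specificity(r, process_path), reverse=True)
    for rule in applicable:
        if any(connection_matches(i, host, port) for i in rule.denied):
            return False, rule.name
        if any(connection_matches(i, host, port) for i in rule.allowed):
            return True, rule.name
    return True, "no process rule mentions this connection"


if __name__ == "__main__":
    for proc in (IEXPLORE, r"C:\Windows\System32\cmd.exe"):
        print(proc, "-> FTP control port:", network_access_allowed(proc, "ftp.example.com", 21))
```

The model leaves out the security level from Step 4: a user whose effective security level is Unrestricted is not subject to these rules at all (see Applying Rule Policies below), which is why the example restricts BUILTIN\Administrators before saving.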

Rule Options

Allowed Item, Denied Item, Trusted Vendor, and User Privileges rule types can be applied to Files, Folders, Drives, Digital Signatures, Signature Items, Network Connection Items, Windows Store Apps, and Group Items. See Rule Items for more details on adding items. Each rule option must be associated with one or more rule types.

Rule Matching

Rule matching takes place when Application Control intercepts a file execution request and checks the configuration policy to determine whether a file is allowed to run.

Applying Rule Policies

The most lenient security policy is applied to a user profile that is affected by more than one rule. For example, a user who matches both a user rule assigned the Restricted security level and a group rule that assigns the Self-Authorizing security level is granted self-authorizing privileges for all decisions and application use.

Matching Files and Rules

The Application Control agent applies rules by making a suitable match for the file type. Matching is based on a three stage approach that considers security, matching order, and policy decisions:

1. Security:
   - Is the user restricted?
   - Trusted Ownership Checking
2. Matching:
   - Is ownership of the executable item trusted?
   - Where is the executable located?
   - Does the executable match a signature?
   - Does the executable match an allowed or denied item?
3. Policy:
   - Is Trusted Ownership checking enabled?
   - Is there a timed exception?
   - Is there an application limit?

During the rule matching process, Trusted Ownership checking is performed on files, folders, and drives to ensure that ownership of the items is matched with the list of trusted owners in the default rule configuration. If the check fails, a Trusted Vendor check is initiated.

If configured, when an executed file matches the predefined list of Allowed items, an additional security check ensures the ownership matches a user in the trusted owners list. If this check fails, Application Control attempts to match the digital signature of the file with the Trusted Vendor list. If a match still cannot be found, the execution is blocked.

Trusted Ownership checking is not necessary for items with digital signatures, as these cannot be imitated.

When a default configuration is used, any new or existing file introduced to the system that is overwritten or renamed has its ownership changed to the current user. As a result, if the change is made by an untrusted user, any future execution requests will fail the trusted owners check.

Trusted Ownership checking can be used as a global rule or on a per item basis. To stop Application Control checking for trusted ownership, ensure Enable Trusted Ownership Checking is not selected in Global Settings > Trusted Owners.

Apply and Remove Rules

The Group rules node allows you to match security control rules with specific user groups within the enterprise. The Group summary displays the group name, textual Security Identifier (SID) and security level of the rule.

An SID is a data structure of variable length that identifies user, group, and computer accounts. Every account on a network is issued a unique SID when the account is first created. Internal processes in Windows refer to an account's SID rather than the account's user or group name. Likewise, Application Control also refers to a user or group SID unless the SID could not be found when added to the configuration.

Apply Rules

1. From the Rule Items ribbon, click Add.
2. Select the type of rule to be created:
   - Group
   - User
   - Device
   - Custom
   - Scripted
   - Process
   The Add Rule dialog displays.
3. Enter the relevant information and click OK.

Remove Rules

1. To remove a group rule, highlight a rule and click Remove Rule on the Rules ribbon. A confirmation message displays.
2. Click Yes to confirm the removal.
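The following added example, which is not the product's engine or any code from this guide, models the decisions described in Rule Matching, Applying Rule Policies and Matching Files and Rules above: the most lenient security level among the rules that match the user wins, a Denied item blocks, and anything else must be an Allowed item, be owned by a trusted owner, or be signed by a Trusted Vendor. The ranking of the security levels, what happens under Audit Only and Self-Authorizing when a check fails, and the behaviour with ownership checking disabled are assumptions; the accounts, paths and vendor name are constructed sample data.

```python
"""Added example (not the product's code): a model of file-execution rule
matching with trusted ownership and trusted vendor checks. Level ranking and
the non-Restricted outcomes are assumptions."""
from dataclasses import dataclass, field
import re

# Assumed ranking, least to most lenient. The guide only states that
# Self-Authorizing is more lenient than Restricted.
LENIENCY = {"Restricted": 0, "Self-Authorizing": 1, "Audit Only": 2, "Unrestricted": 3}


@dataclass
class Executable:
    path: str
    owner: str          # account that owns the file on disk
    signer: str = ""    # subject of a valid digital signature, if any


@dataclass
class Rule:
    name: str
    level: str
    applies: bool                                   # does the user/group/device match?
    allowed: list = field(default_factory=list)     # file patterns
    denied: list = field(default_factory=list)
    trusted_vendors: list = field(default_factory=list)
    # Allowed items flagged "Allow file to run even if it is not owned by a trusted owner"
    owner_exempt: set = field(default_factory=set)


def path_matches(pattern, path):
    """A bare file name matches in any location, a full path only that
    instance; '*' is a wildcard; matching is case-insensitive."""
    subject = path if "\\" in pattern else path.rsplit("\\", 1)[-1]
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, subject, re.IGNORECASE) is not None


def permitted(exe, rules, trusted_owners, ownership_checking):
    """Restricted-level decision for a file that no Denied item matched."""
    owner_trusted = exe.owner.lower() in {o.lower() for o in trusted_owners}
    vendor_trusted = bool(exe.signer) and any(exe.signer in r.trusted_vendors for r in rules)
    for rule in rules:
        for item in rule.allowed:
            if path_matches(item, exe.path):
                # An Allowed item still has to pass Trusted Ownership checking
                # unless the item is exempt or the file carries a trusted signature.
                return (not ownership_checking or owner_trusted
                        or item in rule.owner_exempt or vendor_trusted)
    # Not an Allowed item: trusted owner, then Trusted Vendor, otherwise block.
    # (Assumption: with checking disabled every owner counts as trusted.)
    return (not ownership_checking) or owner_trusted or vendor_trusted


def decide(exe, rules, trusted_owners, ownership_checking=True):
    """Return 'allowed', 'blocked', 'prompt' (Self-Authorizing) or 'audit'."""
    matching = [r for r in rules if r.applies]
    if not matching:
        return "blocked"
    level = max((r.level for r in matching), key=LENIENCY.__getitem__)
    if level == "Unrestricted":
        return "allowed"
    if any(path_matches(d, exe.path) for r in matching for d in r.denied):
        ok = False
    else:
        ok = permitted(exe, matching, trusted_owners, ownership_checking)
    if ok:
        return "allowed"
    # Assumed outcome of a failed check per effective level: Restricted blocks,
    # Self-Authorizing asks the user, Audit Only lets it run and logs it.
    return {"Restricted": "blocked", "Self-Authorizing": "prompt", "Audit Only": "audit"}[level]


# Constructed trusted owner list and policy.
TRUSTED_OWNERS = [r"NT AUTHORITY\SYSTEM", r"BUILTIN\Administrators", r"NT SERVICE\TrustedInstaller"]


def example_rules(user_rule_level="Restricted"):
    """An Everyone group rule plus a user rule (constructed)."""
    return [
        Rule("Everyone", "Restricted", applies=True,
             allowed=[r"\\servername\sharename\myapp.exe"],
             denied=["regedit.exe"],
             trusted_vendors=["Example Vendor Ltd"]),
        Rule(r"CORP\alice", user_rule_level, applies=True),
    ]


if __name__ == "__main__":
    tool = Executable(r"C:\Users\alice\Downloads\tool.exe", r"CORP\alice")
    print(decide(tool, example_rules(), TRUSTED_OWNERS))                   # blocked
    print(decide(tool, example_rules("Self-Authorizing"), TRUSTED_OWNERS))  # prompt
```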

Metadata

Metadata adds additional criteria for matching files and folders, once a match has been made with the file or folder properties. For example, adding metadata for a vendor allows you to verify that a file is signed by a particular verified publisher. Metadata is available for files and folders in allowed, denied, and user privilege application rule items.

Metadata can be entered manually or added from an existing file. Select the Metadata tab for a file or folder in a compatible rule item:

- To add metadata from a file, select the Metadata tab, click Populate metadata from file and select the file from which you want to use the metadata. Select the check boxes for the required metadata.
- To add metadata manually, select a check box and add the required data.

To view the metadata for a file using Windows Explorer, right-click the file and select Properties. Metadata is displayed in the Details tab.

The following metadata can be configured for file and folder items:

General

- Product Name - The name of the product.
- Vendor - If the file has been digitally signed, the vendor name associated with the signature. A further option is available to test that the vendor metadata of the file can be trusted. If Vendor metadata is enabled, a further option becomes available: Verify certificate at runtime. When this option is enabled, the agent verifies the certificate whilst it is matching the file. Click Verify Options to access a further set of criteria used during file matching. For further information, see Verify Options.
- Company Name - The name of the company that produced the product.
- File Description - The file or folder description as defined by the vendor or company.

The information displayed can be amended to criteria that include segments of the metadata; wildcards (*) can be used.

File Version

- Minimum - Displays the minimum version number for the selected file.
- Maximum - Displays the maximum version number for the selected file.

The information displayed can be amended to introduce a version range, where the maximum and minimum version numbers can be defined using wildcards, and all versions of the file that fall within the range can be monitored.

Product Version

- Minimum - Displays the minimum product version number for the selected file.
- Maximum - Displays the maximum product version number for the selected file.

The information displayed can be amended to introduce a version range, where the maximum version number can be defined using wildcards, and all versions of the product that fall within the range can be monitored.

Wildcards can be used to substitute parts of the metadata information, allowing you to specify a required match based on a segment of the selected metadata. For example, if you had a vendor of Microsoft Corporation but wanted anything associated with Microsoft, you could replace the word Corporation with a wildcard (*) to match anything associated with Microsoft, not specifically Microsoft Corporation.

Rule items will only apply to files that match the selected metadata.
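The following is an added example, not code from the product or this guide, of how the metadata criteria above can be evaluated against the values shown in a file's Details tab: wildcard (*) matching on the text fields and a minimum/maximum range on the version fields. The guide does not say how a wildcard inside a version bound is interpreted, so the rule used here is an assumption: a wildcard component counts as 0 in a minimum bound and as unbounded in a maximum bound, and a bound with fewer components than the version is padded with zeros. The sample metadata is constructed.

```python
"""Added example (not the product's code): matching file metadata criteria
with '*' wildcards in text fields and wildcard-capable version ranges.
Wildcard-in-version semantics are an assumption."""
import re

TEXT_FIELDS = ("product_name", "vendor", "company_name", "file_description")


def text_matches(criterion, value):
    """Case-insensitive match where '*' stands for any run of characters; an
    unset criterion matches anything. Only '*' is special (not '?' or '[')."""
    if not criterion:
        return True
    regex = ".*".join(re.escape(part) for part in criterion.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def parse_version(text, as_maximum=False):
    """'10.1.*' -> (10, 1, 0) as a minimum bound, (10, 1, inf) as a maximum."""
    parts = []
    for component in text.split("."):
        if component == "*":
            parts.append(float("inf") if as_maximum else 0)
        else:
            parts.append(int(component))
    return tuple(parts)


def _pad(version, length):
    return version + (0,) * (length - len(version))


def version_in_range(version, minimum=None, maximum=None):
    """True when minimum <= version <= maximum, comparing component-wise."""
    v = parse_version(version)
    if minimum:
        lo = parse_version(minimum)
        n = max(len(v), len(lo))
        if _pad(v, n) < _pad(lo, n):
            return False
    if maximum:
        hi = parse_version(maximum, as_maximum=True)
        n = max(len(v), len(hi))
        if _pad(v, n) > _pad(hi, n):
            return False
    return True


def metadata_matches(file_meta, criteria):
    """file_meta: values read from the file; criteria: the enabled check boxes.
    The vendor field is only present when the file is digitally signed, so a
    vendor criterion never matches an unsigned file."""
    for name in TEXT_FIELDS:
        if not text_matches(criteria.get(name), file_meta.get(name, "")):
            return False
    for name in ("file_version", "product_version"):
        bounds = criteria.get(name)
        if bounds and not version_in_range(file_meta.get(name, "0"),
                                           bounds.get("min"), bounds.get("max")):
            return False
    return True


# Constructed sample, shaped like the Details tab of a signed system binary.
SAMPLE_METADATA = {
    "product_name": "Microsoft Windows Operating System",
    "vendor": "Microsoft Corporation",
    "company_name": "Microsoft Corporation",
    "file_description": "Registry Editor",
    "file_version": "10.0.19041.1",
    "product_version": "10.0.19041.1",
}
# Same file without a signature: no vendor value is available.
UNSIGNED_METADATA = {k: v for k, v in SAMPLE_METADATA.items() if k != "vendor"}

if __name__ == "__main__":
    print(metadata_matches(SAMPLE_METADATA, {"vendor": "Microsoft *"}))    # True
    print(metadata_matches(UNSIGNED_METADATA, {"vendor": "Microsoft *"}))  # False
```

Note that the Vendor criterion on its own only compares the signer name; it is the separate Verify certificate at runtime option that makes the agent validate the certificate itself while matching.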

Allowed Items

About Allowed Items

Add Allowed items to group rules to grant users access to specific items without providing them with full administrative privileges. The Allowed items are displayed in the Allowed Items list under a selected group rule:

Files

If a filename alone is specified, for example, myapp.exe, then all instances of this are allowed regardless of the location of the application. If the file is specified with the full path, for example, \\servername\sharename\myapp.exe, then only this instance of the application is allowed. Other instances of this application need to satisfy other Application Manager rules to be granted execution.

For the files and folders in Application Manager that refer to items on a DFS share, you need to specify the target server, rather than the Namespace server, in the UNC path. For more information, see Distributed File Systems.

Folder

A complete folder may be specified, for example, \\servername\servershare\myfolder, and all applications within this folder, and all subfolders if required, are allowed to execute. No checks are made on the files within the folder and as such any file copied into this folder will be allowed to execute. Select Include subdirectories to include all directories beneath the specified directory.

If you add a network file or folder path you must use the UNC name, as the Application Manager agent ignores any paths that are configured where the drive letter is not a local fixed disk. The user can access the network application through a network mapped drive letter, as the path is converted to UNC format before validating it against the configuration settings.

To automatically apply environment variables, select Substitute environment variables where possible in the Add a file or Add a folder dialogs. This makes the paths more generic for applying on different machines. Wildcard support provides an additional level of control for specifying generic file paths.

Drive

You can specify a complete drive, for example, W, and all the applications on this drive are allowed to execute, including subfolders. No checks are made on the files in the drive, so any file copied into any folder on this drive is allowed to execute.

Signature Item

A file may be added along with a digital hash of the file. This ensures that only that particular file may be executed, but from any location. For more information, see Signature Hashing.

Network Connection Item

A Network Connection Item can be specified. All files on the network are allowed to execute.

Windows Store

Choose which Windows Store apps are allowed. You can select one of the following:

- Allow All Installed Apps
- Allow the selected Individual Apps
- Allow all apps by a named Publisher

Groups

Groups can contain any number and combination of items, for example, the File, Folder, Drive, Signature, and Network items for a particular application. All files are allowed to execute.

Add an Allowed Item

1. Select the Allowed Items node in Rules > Group > Everyone.
2. Click Add Item and from the drop-down arrow select Allowed.
3. Select the item that you want to make allowed, for example File. The Add a File dialog displays.
4. Enter or browse for the file to be made allowed. The Substitute environment variables where possible checkbox is selected by default. If it is not selected, environment variables will not be replaced with a generic environment variable.
5. If applicable, enter any further information relating to the allowed item in the Description field.
6. Check Allow file to run even if it is not owned by a trusted owner if you want the file to run regardless of the owner.

The selected application is listed in the Allowed Items work area.

Remove an Allowed Item

1. Select the Allowed Items node in Rules > Group > Everyone.
2. Highlight the item to be removed.
3. Click Remove Item in the Rule Items ribbon. The Remove Items dialog displays.
4. Click Yes to remove the item or No to abort the task.

The selected application is no longer listed in the Allowed Items work area.

Access Times

Access times allow you to specify at what time and on what days a particular application is allowed to be run, and can be applied to Allowed Items in Groups, Users, Devices, Custom Scripts, and Process Rules. Access periods can only be assigned when you check the Only allow files to run at certain access times option in the Access Times tab when adding or amending an allowed item. Times can be amended using the Access Times option from the Rule Items ribbon. Access times can be added for file, folder and signature allowed items.
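The following added example, not code from the product or this guide, shows the path semantics described for Files, Folder and Drive items above: a bare file name matches in any location, a full path matches one instance, a folder matches its direct contents or, with Include subdirectories, everything beneath it, a drive matches everything on it, a request arriving through a mapped drive letter is converted to its UNC path before matching, a configured path that uses a mapped drive letter is ignored, and %VARIABLE% tokens in configured paths are expanded. The Denied Items list later in this section uses the same file, folder and drive semantics. The drive-mapping table, the environment values and the function names are constructed assumptions.

```python
"""Added example (not the product's code): matching allowed/denied file,
folder and drive items against an intercepted path. Mapped-drive table and
environment values are constructed."""
from dataclasses import dataclass
import re

# Constructed stand-ins for the endpoint's mapped drives and environment.
MAPPED_DRIVES = {"P:": r"\\fileserver\public", "H:": r"\\fileserver\home\alice"}
ENVIRONMENT = {"ProgramFiles": r"C:\Program Files", "SystemRoot": r"C:\Windows"}


@dataclass(frozen=True)
class Item:
    kind: str                    # "file", "folder" or "drive"
    path: str                    # as entered in the console, may contain %VAR% or '*'
    subdirectories: bool = False  # "Include subdirectories" for folder items


def expand_env(path):
    """Replace %NAME% tokens (case-insensitive) from the constructed environment."""
    def replace(match):
        for name, value in ENVIRONMENT.items():
            if name.lower() == match.group(1).lower():
                return value
        return match.group(0)                  # unknown variable: leave as typed
    return re.sub(r"%([^%]+)%", replace, path)


def to_unc(path):
    """Convert a mapped-drive path (P:\\tools\\x.exe) to its UNC form; a path on a
    local fixed disk is returned unchanged. The guide says the agent converts a
    request's path to UNC before validating it against the configuration."""
    drive = path[:2].upper()
    if drive in MAPPED_DRIVES:
        return MAPPED_DRIVES[drive] + path[2:]
    return path


def configured_path_usable(path):
    """Configured paths must be UNC or on a local fixed disk: an item that uses
    a mapped drive letter is ignored by the agent."""
    return path[:2].upper() not in MAPPED_DRIVES


def normalize(path):
    return to_unc(expand_env(path)).lower().rstrip("\\")


def wildcard_match(pattern, text):
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text) is not None


def item_matches(item, request_path):
    """Does the configured item cover the executable at request_path?"""
    if not configured_path_usable(expand_env(item.path)):
        return False
    target = normalize(request_path)
    configured = normalize(item.path)
    if item.kind == "file":
        if "\\" not in item.path:                      # bare name: any location
            return wildcard_match(configured, target.rsplit("\\", 1)[-1])
        return wildcard_match(configured, target)      # full path: this instance only
    if item.kind == "folder":
        if not target.startswith(configured + "\\"):
            return False
        remainder = target[len(configured) + 1:]
        return item.subdirectories or "\\" not in remainder
    if item.kind == "drive":                           # e.g. "W" or "W:"
        return target.startswith(configured.rstrip(":") + ":\\")
    raise ValueError(f"unknown item kind {item.kind!r}")


if __name__ == "__main__":
    print(item_matches(Item("file", "myapp.exe"), r"\\srv\share\MyApp.exe"))              # True
    print(item_matches(Item("file", r"\\fileserver\public\tools\app.exe"), r"P:\tools\app.exe"))  # True
```

A folder or drive item performs no check on the files beneath it, so, as the guide notes, anything copied into that location inherits the decision; trusted ownership checking (see Matching Files and Rules) is what still applies to such files unless the item is marked exempt.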

Assign Access Times

This task explains how to assign access times to an allowed item:

1. Select the Allowed Items node in Rules > Group > Everyone. For the purpose of this example, the Everyone group is being used. This will vary depending on the group you select.
2. Click Add Item and from the drop-down arrow select Allowed.
3. Select the item that you want to make allowed, for example File. The Add a File dialog displays.
4. Enter or browse for the file to be made allowed.
5. From the Access Times tab, select Only allow files to run at certain access times.
6. Right-click on the time and day an item can be accessed and select New Allowed Period. Repeat this step to add any other access times.
7. When the allowable periods have been selected, click Add.
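The following added example, not code from the product or this guide, evaluates the two per-item runtime constraints covered here and in the Application Limits section that follows: the allowed periods (a weekday plus a time window) set in the Access Times tab, and the session-based count of launches set in the Application Limits tab. The period representation, the sample schedule and the session counter are assumptions made for the illustration.

```python
"""Added example (not the product's code): checking an allowed item's access
times and per-session application limit before a launch. Schedule format and
counter are assumptions."""
from datetime import datetime, time

# (weekday, start, end) with Monday = 0, as datetime.weekday() reports it.
# Construct a sample schedule: office hours Monday to Friday, Saturday morning.
ALLOWED_PERIODS = [(day, time(8, 0), time(18, 0)) for day in range(5)] + [(5, time(9, 0), time(12, 0))]


def within_access_times(periods, when):
    """True when `when` falls inside one of the allowed periods. An item with
    no periods configured (option unchecked) is never time-restricted."""
    if not periods:
        return True
    clock = when.time()
    return any(day == when.weekday() and start <= clock < end for day, start, end in periods)


class SessionLimiter:
    """Counts launches of one item during one user session (a stand-in for the
    agent's per-session bookkeeping). A limit of None means unlimited."""

    def __init__(self, limit):
        self.limit = limit
        self.launches = 0

    def try_launch(self):
        if self.limit is not None and self.launches >= self.limit:
            return False
        self.launches += 1
        return True


def evaluate_launch(periods, limiter, when):
    """Apply both constraints; the reason string stands in for the message the
    product shows the user (configured under Message Settings)."""
    if not within_access_times(periods, when):
        return (False, "outside allowed access times")
    if not limiter.try_launch():
        return (False, "application limit exceeded for this session")
    return (True, "allowed")


if __name__ == "__main__":
    limiter = SessionLimiter(1)
    print(evaluate_launch(ALLOWED_PERIODS, limiter, datetime(2024, 1, 10, 10, 0)))  # allowed
    print(evaluate_launch(ALLOWED_PERIODS, limiter, datetime(2024, 1, 10, 10, 5)))  # limit exceeded
```

The time check is evaluated at launch; as the guide describes, neither constraint stops an application that is already running.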

Application Limits

Application Limits allow you to specify how many times an application can be run by a user during a session. You can configure limits when you check the Enable application limits option located in the Application Limits tab when you add or edit an Allowed item. You can use the Application Limits option from the Rule Items ribbon once you have added an item to a rule. Session-based application limits can only be applied to Allowed Items in the Group, User, Device, Custom, Scripted, and Process rules.

You can configure a message to display to the user when the time limit is exceeded by using the Message Settings dialog, which you can access from the Global Settings ribbon.

Apply Application Limits

1. Select the Allowed Items node in Rules > Group > Everyone. For the purpose of this example, the Everyone group is being used.
2. Click Add Item and from the drop-down arrow select Allowed.
3. Select the item that you want to make allowed, for example, File. The Add a File dialog displays.
4. Enter or browse for the file to be made allowed.
5. From the Application Limits tab, select Enable application limits.
6. Select the application limit.
7. Click Add.

Allowed Items and Trusted Ownership

By default, trusted ownership checking is enabled; therefore an application must always pass trusted ownership checking if it is enabled, even if the application is an allowed item. Although trusted ownership checking can be disabled completely, this is not recommended. However, if you need to provide a user with access to files, folders or groups that are not owned by a trusted user, you can disable the trusted ownership check when creating or editing the item by checking the Allow file to run even if it is not owned by a trusted owner option.

Denied Items

About Denied Items

Denied Item nodes are sub-nodes automatically created in any Rule node when you create a new rule. They allow you to add items to which the groups, users and devices specified in the rule are refused access. If you are using the default option, which trusts all locally installed Trusted Owner applications, you only need to add specific applications that you do not want users to run. For instance, you can add administrative tools, such as management and registry editing tools. You do not need to use this list to deny applications that are not owned by an administrator because they are blocked by trusted ownership checking.

Application Control drag and drop functionality can be used to add files, folders, drives and signature items from Windows Explorer, or to copy or move items between the Allowed Items and Denied Items nodes in each of the main configuration nodes.

You can add the following items:

Files

If a filename alone is specified, for example, myapp.exe, then all instances of this are denied regardless of the location of the application. If the file is specified with the full path, for example, \\servername\sharename\myapp.exe, then only this instance of the application is denied. Other instances of this application need to satisfy other Application Control rules to be granted execution.
For the files and folders in Application Control that refer to items on a DFS share, you need to specify the target server, rather than the Namespace server, in the UNC path. For more information, see Distributed File Systems.

Folder

A complete folder may be specified, for example, \\servername\servershare\myfolder, and all applications within this folder, and all subfolders, are denied. No checks are made on the files within the folder and as such any file copied into this folder will be denied. Select Include subdirectories to include all directories beneath the specified directory.

If you add a network file or folder path you must use the UNC name, as the Application Control agent ignores any paths that are configured where the drive letter is not a local fixed disk. The user can access the network application through a network mapped drive letter, as the path is converted to UNC format before validating it against the configuration settings.

To automatically apply environment variables, select Substitute environment variables where possible in the Add a file or Add a folder dialogs. This makes the paths more generic for applying on different machines. Wildcard support provides an additional level of control for specifying generic file paths.

Drive

You can specify a complete drive, for example, W, and all the applications on this drive, including subfolders, are denied. No checks are made on the files in the drive, so any file copied into any folder on this drive is denied.

Signature Item

A file may be added along with a digital hash of the file. This ensures that only that particular file may be executed, but from any location. For more information, see Signature Hashing.

Network Connection Item

A Network Connection Item can be specified. All files on the network are denied.

Windows Store

Choose which Windows Store apps are denied. You can select one of the following:

- Allow All Installed Apps
- Allow the selected Individual Apps
- Allow all apps by a named Publisher

Groups

Groups can contain any number and combination of items, for example, the File, Folder, Drive, Signature, and Network items for a particular application. All files are denied.

Add a Denied Item

To add an item, select the Denied Items node, click the Add Item drop-down arrow on the Rule Items ribbon, select Denied and select the type of Denied Item you want to add.

This task prevents all users accessing an application on a network share:

1. Select the Denied Items node in Rules > Group > Everyone.
2. Click Add Item in the Rule Items ribbon and select Denied.
3. Select File. The Add a File dialog displays.
4. Enter or browse for an application, for example, regedit.exe. The selected application is listed in the Denied Items work area.
5. Attempt to run the selected application. The application is denied and a message box displays with the notification that the application is not authorized.

Remove a Denied Item

1. Select the item to remove in the Denied Items node.
2. In the Rule Items ribbon, click Remove Item.
3. Click Yes in the confirmation dialog. The item is removed from the node.

Trusted Vendors

About Trusted Vendors

Trusted Vendors can be specified in each Application Control rule node. Trusted Vendors are used for listing valid digital certificates. A digital certificate is an electronic document that uses a digital signature to bind together a public key with an identity. This includes information such as the name of a person or organization, address, and so on. Digital certificates are issued by a certificate authority and used to verify that a public key belongs to an individual.

Application Control queries each file execution to detect the presence of a digital certificate. If the file has a valid digital certificate and the signer matches an entry in the Trusted Vendor list, the file is allowed to run, and this overrides any Trusted Ownership checking.

You can check whether a file has a digital certificate by displaying the Properties dialog. A file has a digital certificate if there is a Digital Signatures tab in which you can view details of the certificate, including signer information, advanced settings and an option to display the certificate.

The Trusted Vendors sub-node is available in each rule node, for listing valid digital certificates.

Add a Certificate to a Trusted Vendor

1. Select the Trusted Vendors node to which you want to add the certificate.
2. Click the Add drop-down arrow on the Rule Items ribbon and select the required option:
   - From Signed File - Select a known file that has already been signed by the vendor whom you want to trust. Application Control can then identify the vendor's specific signature to identify additional code from that same vendor.
   - Import File-based Store - Add certificates from a P7B file, created in a file-based store, such as Certificate Manager.
3. Navigate to the required file and click Open. The Verify Certificates dialog lists the name(s) of all added certificates. The Status column shows whether the certificate has been validated successfully or if any errors have been detected. Further options are available for the listed certificates. Highlight the required certificate and select one of the following:
   - Verify Options - Check the status of the certificate, enforce the certificate's expiry date and apply advanced certificate options. For further information, see Verify Options.
   - View Certificate - View more information about the selected certificate.
   - Remove - Remove the selected certificates and prevent them from being added to the trusted vendor. Multiple certificates can be selected and removed using the Shift and Ctrl keys.
4. Click OK. The listed certificates are added to the Trusted Vendors work area.

Verify Options

Verify options for Trusted Vendors allow you to specify parameters for validating a certificate by ignoring or allowing specific attributes. The certificate must be valid for the rule to be applicable, but there are different levels of validation with which you can configure a certificate. The advanced options are also available when adding metadata for files, by clicking Verify Options.

Altering the settings using the Advanced Certificate Options could reduce the level of security required to validate a certificate.

The Verify Options dialog displays the current status of a certificate and gives access to Expiry Date and Advanced Certificate options. The verify options are available from:

- Certificates for trusted vendors
- Metadata for allowed or denied files and folders

When you add a certificate, Application Control checks to see if it is valid and displays the result of the check in the Current Verification Status message box. The check is performed each time an option in this dialog is updated. For example, the certificate could be invalid due to an untrusted root certificate. If the Allow untrusted roots option is subsequently selected, Application Control checks the certificate again and updates the status to show that certificate validation is successful.

You can also choose whether to enforce the expiry date of the certificate. The default setting is that Application Control ignores the expiry date of certificates, so they remain valid indefinitely. If you choose to enforce the expiry date, the certificate is unverified after that date and the vendor is no longer trusted.

Advanced Certificate Options

Advanced certificate options allow you to specify parameters for validating a certificate by ignoring or allowing specific attributes. The certificate must be valid for the rule to be applicable, but there are different levels of validation with which you can configure a certificate. Altering the settings using the Advanced Certificate Options could reduce the level of security required to validate a certificate and present a security risk.

Apply the following settings when determining certificate verification:

- Ignore CTL revocation errors - Ignore errors when obtaining Certificate Trust List (CTL) revocation.
- Ignore CA revocation errors - Ignore errors when obtaining Certificate Authority (CA) revocation.
- Ignore end Certificate revocation errors - Ignore errors when the revocation status of the end certificate, or user certificate, is unknown.
- Ignore root revocation errors - Ignore errors when obtaining valid root revocation.
- Ignore CTL not time valid error - Ignores that the certificate trust list is not valid, for example, the certificate may have expired.
- Ignore time nesting errors - Ignores that the Certificate Authority (CA) certificate and the issued certificate have validity periods that are not nested. For example, the CA certificate may be valid from January 1st to December 1st, and the issued certificate from January 2nd to December 2nd; the validity periods are then not nested.
- Ignore basic constraint errors - Ignores that the basic constraints are not valid.
- Ignore invalid name errors - Ignores that the certificate has an invalid name.
- Ignore invalid policy errors - Ignores that the certificate has an invalid policy.
- Ignore invalid usage errors - Ignores that the certificate was not issued for the current use.
- Allow untrusted roots - Ignores that the root cannot be verified due to an unknown certificate authority.
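The following added example, not code from the product or this guide, shows how the Verify Options above combine: chain validation reports a set of named problems, each "Ignore ..." option suppresses exactly one of them, a revoked certificate is never ignorable, and expiry only counts as a problem when the expiry date is enforced (the default being to ignore it). The problem names, the stand-in chain validation, the time-nesting check and the sample certificates are constructed assumptions; in the real product this work is done by the operating system's certificate chain APIs.

```python
"""Added example (not the product's code): applying Verify Options to the
problems found in a certificate chain. Problem names and the toy chain
validation are assumptions."""
from dataclasses import dataclass
from datetime import date

# Console option (assumed exact names) -> the single chain problem it suppresses.
IGNORE_OPTIONS = {
    "Ignore CTL revocation errors": "ctl_revocation_unknown",
    "Ignore CA revocation errors": "ca_revocation_unknown",
    "Ignore end Certificate revocation errors": "end_revocation_unknown",
    "Ignore root revocation errors": "root_revocation_unknown",
    "Ignore CTL not time valid error": "ctl_not_time_valid",
    "Ignore time nesting errors": "not_time_nested",
    "Ignore basic constraint errors": "invalid_basic_constraints",
    "Ignore invalid name errors": "invalid_name",
    "Ignore invalid policy errors": "invalid_policy",
    "Ignore invalid usage errors": "wrong_usage",
    "Allow untrusted roots": "untrusted_root",
}


@dataclass
class Cert:
    subject: str
    not_before: date
    not_after: date
    issuer_known: bool = True        # False for a root the endpoint does not trust
    revocation_status: str = "good"  # "good", "revoked" or "unknown"


def chain_problems(chain, today):
    """Problems for a chain ordered leaf first, root last (stand-in for the
    OS chain engine; only the aspects named in the guide are modelled)."""
    problems = set()
    leaf, root = chain[0], chain[-1]
    if not root.issuer_known:
        problems.add("untrusted_root")
    for level, cert in (("end", leaf), ("root", root)):
        if cert.revocation_status == "unknown":
            problems.add(f"{level}_revocation_unknown")
        elif cert.revocation_status == "revoked":
            problems.add(f"{level}_revoked")          # no option ignores this
    for ca in chain[1:-1]:                            # intermediate CAs
        if ca.revocation_status == "unknown":
            problems.add("ca_revocation_unknown")
        elif ca.revocation_status == "revoked":
            problems.add("ca_revoked")
    # Time nesting: an issued certificate's validity must lie inside its issuer's.
    for child, parent in zip(chain, chain[1:]):
        if child.not_before < parent.not_before or child.not_after > parent.not_after:
            problems.add("not_time_nested")
    if today < leaf.not_before or today > leaf.not_after:
        problems.add("expired")
    return problems


def verify(chain, options, today, enforce_expiry=False):
    """Return (valid, remaining problems) after applying the selected options."""
    problems = chain_problems(chain, today)
    if not enforce_expiry:
        problems.discard("expired")                   # default: expiry is ignored
    ignored = {IGNORE_OPTIONS[option] for option in options}
    remaining = problems - ignored
    return (not remaining, sorted(remaining))


# Constructed sample chain: private root the endpoint does not trust, an
# issuing CA whose revocation status cannot be obtained, an expired leaf.
ROOT = Cert("Example Root CA", date(2020, 1, 1), date(2030, 1, 1), issuer_known=False)
ISSUING = Cert("Example Issuing CA", date(2021, 1, 1), date(2026, 1, 1), revocation_status="unknown")
LEAF = Cert("Example Vendor Ltd", date(2021, 6, 1), date(2023, 6, 1))
CHAIN = [LEAF, ISSUING, ROOT]

if __name__ == "__main__":
    print(verify(CHAIN, [], date(2024, 1, 15)))
    print(verify(CHAIN, ["Allow untrusted roots", "Ignore CA revocation errors"], date(2024, 1, 15)))
```

Each option widens what counts as valid, which is why the guide repeats that altering them reduces the level of security required to validate a certificate. As an observation not taken from the guide, the option names line up closely with the CERT_CHAIN_POLICY_IGNORE_* and CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG flags of the Windows CertVerifyCertificateChainPolicy API, which is a convenient way to reason about what each one disables.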

User Privilege Rules

In the User Privileges node for any rule, you can select the User Privilege Policies to be applied to files, folders, signatures, groups, and Windows Components when the rule is matched. You can configure self-elevation to allow a user to run an item with elevated user privileges. You can also use system controls to control the uninstallation or modification of selected applications, the management of specified services, and the clearing of event logs.

Select the User Privileges node for a rule and the work area includes four tabs: Applications, Components, Self-Elevation and System Controls.

Applications

Click Add Item in the Privilege Management ribbon to add a file, folder, signature, or group to the Applications tab. The item is listed in the tab under the columns Item, Policy, and Description. To change the policy applied to the file, folder, or signature, double-click the item to access the edit dialog box. Select the policy to apply from the Policy drop-down list. For more information on adding items, see Rule Items.

Components

Because Management Console snap-ins and Control Panel applets are not executables, they cannot be elevated using a single executable but instead must be elevated using command line matching. The User Privileges Management (UPM) components section provides easy shortcuts to configuring these items that are equivalent to an Add File UPM policy with specified arguments. Command line arguments and spawning mechanisms will vary depending on the operating system your individual users are using.

Control Panel components and Network Adapter features and functions are typically controlled by explorer.exe. Elevating explorer.exe to run in the context of a Local Administrator is not ideal, as this can open up a range of security issues. To resolve this and enable the user to access the functionality under the context of an administrator without opening the entire explorer shell, User Privileges Management places the AppSense Control Panel components in the Windows Control Panel alongside existing components. These can now be controlled at an access level specific to the function, without changing any rights associated with explorer.exe.

Use the filter in the Select Components dialog to filter the supported components by operating system. For more information, see the Components table for a list of components that are specific to a particular operating system.

Example: Applying a User Rights Policy to a Control Panel Component

1. Expand the applicable Group rule in the navigation pane and select the User Privileges node.
2. Select the Components tab in the work area.
3. In the Privileges Management ribbon, select Add Item > Add Component. The Select Components dialog displays.
4. Select the components you want the user to run as an administrator, for example, Add and Remove Programs\Programs and Features.
5. Click OK. The component is now listed in the Components tab.
6. Do one of the following:
   - To elevate the privileges for the selected component, select Builtin Elevate from the drop-down in the User Rights Policy column.
   - To restrict the privileges for the selected component, select Builtin Restrict from the drop-down in the User Rights Policy column.
7. Save the configuration.

Self-Elevation

Self-Elevation can be applied to signature, file and folder items that would usually require administrative privileges to run and function. Self-Elevation provides an option from the Windows Explorer context menu to run an item with elevated rights. When a user attempts to elevate a specified item, a prompt can be configured to request that the user enters a reason for the elevation before it is applied. For more information, see Self-Elevation.

System Controls

System Controls are used to allow or prevent named services being stopped, event logs being cleared and specific applications being uninstalled or modified. For more information, see System Controls.

Browser Control

About Browser Control

In the Browser Control node, you can:

- Configure URL redirection
- Add elevated websites
- Add web installations
- Import snippets

When a new configuration containing Browser Control items, such as URL Redirection, is deployed to endpoints, users need to close and re-open browsers before the configuration can take effect. Closing and re-opening the browsers enables the browser extensions. If an existing configuration with Browser Control is updated with additional Browser Control items, the updated configuration takes effect as soon as it is deployed. The browser extensions are already enabled, so it is not necessary to close and reopen browsers.

Configure URL Redirection

Use this feature to automatically redirect users when they attempt to access a sensitive URL. By defining a list of denied or sensitive URLs, you redirect any user attempting to access a listed URL to a default warning page or a custom page.

Before you configure this feature for Internet Explorer, you must enable third-party browser extensions using Internet Options for each of your endpoints. Alternatively, this can be applied via Group Policy. URL Redirection is compatible with Internet Explorer 8, 9, 10, and 11. When using Chrome, all managed endpoints must be part of a domain.

URL Redirection is configured in the Add URL to Redirect dialog accessed from the Browser Control ribbon. The URL Redirection functionality is enabled or disabled for the application in Advanced Settings, accessible via the Manage ribbon.

In versions prior to Application Control 10.0, URL Redirection was a global setting accessed via the Manage ribbon. Configurations containing URL Redirections that were created in versions 8.8 and 8.9 of the product can be opened in the console and automatically upgraded in version. The URL Redirections are converted to Custom rules that contain the following:

- Matching conditions for connection types, IP addresses, and port numbers.
- Browser Control items for the sensitive URLs (listed on the URL Redirection tab).

If you don't upgrade the configuration, the version 10.0 agent still reads the configuration, but the URL Redirection and Custom rules are ignored. The rest of the configuration still applies.

Enable or Disable URL Redirection

1. In the Manage ribbon, click Advanced Settings. The Advanced Settings dialog displays.
2. In the Policy Settings tab, go to the Functionality section and either select or deselect the Enable URL Redirection checkbox.
3. Click OK.

Add URL Redirection to a Rule
1. In the Application Control navigation pane, select the Browser Control node for the rule to which you want to add URL redirection.
2. In the Browser Control ribbon, select Add Item > Add URL. The Add URL to Redirect dialog displays.
3. Enter the denied URL.
4. Choose the response when a user attempts to access the prohibited URL:
   - Display the default warning page when a URL is redirected - the user is directed to the default "Access is denied" page.
   - Display a custom page when a URL is redirected - specify an alternative location instead of displaying the default warning page. For example, this could be a location within your organization's network, a file on a disk, your intranet or another website.
5. Enter an optional description for your future reference.
6. Click Add.
The prohibited URL, the redirection URL, and any description you added are now listed in the columns on the URL Redirection tab of the Browser Control work area.
An AAMP configuration is created with the Elevated Website feature configured and can be deployed to your endpoints. When a user accesses the specified webpage, the original browser is redirected to a warning page and a new instance of IE is spawned. The new browser has full administrative rights and permits any components to be run.

Add a Web Installation
A number of web installations require the end user to have administrative rights, for example an ActiveX control such as Adobe Flash Player or a web download such as Microsoft Silverlight. The Web Installation feature of Browser Control allows elevation to administrative privileges for ActiveX installers from a particular domain. You can create a basic configuration in which you enter the name of the domain only, or an advanced configuration that specifies the CAB file for an item, its Class ID, and the minimum and maximum versions. You can also specify that only signed controls from the domain can be installed.
1. Navigate to the Browser Control node under your selected rule.
2. In the Browser Control ribbon, select Add Item > Add Web Installation. The Add New Web Installation dialog displays.
3. Enter a descriptive Name for the web installation.
4. If you want to allow only signed controls, select the relevant checkbox.
5. Enter the Website URL for the installation. For example, enter adobe.com to allow installations from all of adobe.com.
6. Click Add. The Websites tab in the Browser Control work area displays the name of the new web installation.

Add a Web Installation (Advanced Settings)
1. Navigate to the Browser Control node under your selected rule.
2. In the Browser Control ribbon, select Add Item > Add Web Installation. The Add New Web Installation dialog displays.
3. Enter a descriptive Name for the web installation.
4. If you want to allow only signed controls, select the relevant checkbox.
5. Select Use advanced settings. The Advanced Settings section becomes active.
6. Enter the Installer URL, for example
7. Complete the following fields, or leave them blank to be ignored: Class ID, Minimum Version, and Maximum Version.
8. Click Add. The Websites tab in the Browser Control work area displays the name of the new web installation.

Example: Create a Configuration that Allows the Installation of Adobe Flash Player
A common scenario is a standard user attempting to download and install Adobe Flash Player. This requires administrative privileges. When an attempt is made, the User Account Control (UAC) dialog is displayed, requesting the user to enter an administrative password. Many organizations do not want to give users administrative privileges.
1. Select the Browser Control node under your selected rule.
2. In the Browser Control ribbon, select Add Item > Add Web Installation. The Add New Web Installation dialog displays.
3. Enter a name for the web installation in the Name field, for example, Adobe Flash.
4. Enter the URL in the Website URL field. For example, adobe.com, to allow installations from all of adobe.com.
5. Ensure the Only allow signed controls option is selected.
6. Click Add. The Websites tab in the Browser Control work area displays the name of the new web installation.
7. Ensure the default Builtin Elevate policy is selected in the Policy column of the Websites tab.

8. Save the configuration. All downloads that are signed and are from the specified website are allowed.
Along with the above procedure, other configurable items need to be considered. For example, for an ActiveX installation you would need to allow the ActiveX file to run, and any executables that the control calls. You need to consider Process rules, Trusted Vendors, any Digital Certificates, Allowed Items, Elevated items, and so on.

Import Snippets
Snippets give Application Control the ability to import and merge partial configurations into the configuration currently open in the console. This is particularly useful for web installations because, along with creating the web installation part of the configuration, a number of other configurable items need to be considered. These include Process Rules, Allowed Items, Trusted Vendors, any Digital Certificates, Elevated items, and so on. The latest snippets can be downloaded by logging on to the Support Portal.

Download Recent Snippets from MyAppSense
1. Select a rule.
2. In the Browser Control ribbon, select Import Snippet. The Import Snippet dialog displays.
3. Click the Support Portal link in the dialog. The most recent snippets are displayed.
4. Select a snippet and save it to C:\Program Files\AppSense\Application Control\Console\Snippets. This is the default location. The snippet is now available in the Import Snippet dialog.
5. Select the snippet and click Add.
6. To view what is included in the snippet, click the View the items that will be added to the configuration link. A configuration report displays.
7. Click Continue. The snippet is imported and you can view the items in the various nodes in the console.

Add Elevated Websites
This feature is only supported in 32-bit versions of Internet Explorer 8, 9, 10 and 11.

The Elevated Website feature allows you to define a particular URL which opens in a separate secured, but elevated, instance of Internet Explorer. When elevated, the user is granted administrative privileges, allowing them to install and execute components such as additional software or ActiveX controls specific to the site.
Before you configure this feature, you must enable third-party browser extensions using Internet Options on each of your endpoints; alternatively, this can be applied via Group Policy.
It is recommended that this feature is only used for internal websites which require elevation to run content such as diagnostic tools, or a moderated portal containing administrator-approved software. You should not elevate websites that may allow users to obtain software which may pose a security risk to your network, such as pop-ups, search bars or external links.
1. Select the Browser Control node under your selected group.
2. Select the Browser Control ribbon.
3. Click Add Item and select Add Elevated Website. The Add New Elevated Website dialog displays.
4. Enter a meaningful description for your reference.
5. Enter the web address in the Website URL field. You can use regular expressions to define websites. To use this functionality, select Use regular expression and enter the website URL criteria. For example, [expression] elevates and redirects any secure website with the .com extension, such as [URL], but does not elevate and redirect [URL]. For more information, see Wildcards and Regular Expressions.
6. Click Add.
7. Save the AAMP file.

Rules Items
Rule items include files, folders, network drives and connections, signature files, Windows Store Apps, and groups, which you can add to rule nodes such as Allowed Items and User Privileges.

Files
Add Files to Allowed or Denied Items for a Rule
1. In the navigation pane, select the Allowed Items or Denied Items node for a rule.

2. In the Rule Items ribbon, select either:
   - Add Item > Allowed > File
   - Add Item > Denied > File
   The Add a File dialog displays.
3. In the Properties tab, click the ellipsis (...) in the text box, navigate to the file that you want to add and click OK.
4. If required, you can select the following:
   - Substitute environment variables where possible
   - Use regular expressions
5. Enter optional command line arguments in the Arguments text box. Enter all arguments as they appear in Process Explorer. Command line arguments extend the matching criteria beyond what is entered in the File field. If an argument is added, both file and argument must be satisfied for a match to occur. Any argument that appears on the command line for a process, such as flags, switches, files, and GUIDs, can be added. For examples of valid arguments, see Arguments Example.
6. To add metadata to the file, select the Metadata tab:
   1. Click Populate metadata from file.
   2. The following fields can be populated: Product Name, Vendor, Company Name, File Description, File Version, and Product Version.
   3. Select the checkboxes for the metadata to refine the criteria for the file. If Vendor metadata is enabled, a further option becomes available: Verify certificate at runtime. When this option is enabled, the agent verifies the certificate while it is matching the file. Click Verify Options to access a further set of criteria used during file matching. For further information, see Verify Options.
7. To specify that the file may run at specific access times only, select the Access Times tab:
   1. Select Only allow files to run at certain access times.
   2. To specify an allowed period, right-click the time period in the calendar area and select New Allowed Period.
8. To limit the number of instances of an application a user can have, select the Application Limits tab:
   1. Select Enable Application Limits.
   2. Enter the limit in the spinbox.
9. Click Add to add the file to the Allowed/Denied Items for the rule.

Add a File for User Privilege Management for a Rule

1. In the navigation pane, select the User Privileges node for a rule.
2. In the User Privileges ribbon, select Add Item > Application > File. The Add a File for User Privilege Management dialog displays.
3. In the Properties tab, click the ellipsis (...) in the text box:
   1. In the Open dialog, navigate to the file that you want to add and click OK.
   2. If required, you can select the following:
      - Substitute environment variables where possible
      - Use regular expressions
      - Make file an Allowed Item
4. Enter optional command line arguments in the Arguments text box. Enter all arguments as they appear in Process Explorer. Command line arguments extend the matching criteria beyond what is entered in the File field. If an argument is added, both file and argument must be satisfied for a match to occur. Any argument that appears on the command line for a process, such as flags, switches, files, and GUIDs, can be added. For examples of valid arguments, see Arguments Example.
5. To apply a policy, select the policy from the drop-down in the Policy section. You can select the following options for the policy:
   - Apply to child processes
   - Apply to common dialogs
   - Install as a trusted owner
6. If required, enter an optional description of the file for your future reference.
7. To add metadata to the file, select the Metadata tab:
   1. Click Populate metadata from file.
   2. The following fields can be populated: Product Name, Vendor, Company Name, File Description, File Version, and Product Version.
   3. Select the checkboxes for the metadata to refine the criteria for the file. If Vendor metadata is enabled, a further option becomes available: Verify certificate at runtime. When this option is enabled, the agent verifies the certificate while it is matching the file. Click Verify Options to access a further set of criteria used during file matching. For further information, see Verify Options.
8. Click Add to add the file to the User Privilege Management for the rule.

Arguments Example

Denied File     Allowed File                          Result
shutdown.exe    shutdown.exe, Arguments: -r -t 30     shutdown.exe runs only when -r -t 30 is on the command line; anything else run by shutdown.exe is denied.

To configure the arguments of an allowed or denied item correctly, they must appear as they do in Process Explorer. For example:
File: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n C:\example.docx
would be configured as:
File: absolute or relative path of winword.exe
Arguments: /n C:\example.docx

Folders
Add a Folder to the Allowed or Denied Items List for a Rule
In the navigation pane, select the Allowed Items or Denied Items node for a rule.
1. In the Rule Items ribbon, select either:
   - Add Item > Allowed > Folder
   - Add Item > Denied > Folder
   The Add a Folder dialog displays.
2. In the Properties tab, click the ellipsis (...) in the text box, navigate to the folder that you want to add and click OK.
3. If required, select the following:
   - Substitute environment variables where possible
   - Use regular expressions
   - Include subfolders

4. To add metadata to the folder, select the Metadata tab:
   1. Click Populate metadata from file.
   2. The following fields can be populated: Product Name, Vendor, Company Name, File Description, File Version, and Product Version.
   3. Select the checkboxes for the metadata to refine the criteria for the folder. If Vendor metadata is enabled, a further option becomes available: Verify certificate at runtime. When this option is enabled, the agent verifies the certificate while it is matching the file. Click Verify Options to access a further set of criteria used during file matching. For further information, see Verify Options.
5. Click Add to add the folder to the Allowed/Denied Items for the rule.

Add a Folder for User Privilege Management for a Rule
1. In the navigation pane, select the User Privileges node for a rule.
2. In the User Privileges ribbon, select Add Item > Application > Folder. The Add a Folder for User Privilege Management dialog displays.
3. In the Properties tab, click the ellipsis (...) in the text box:
   1. In the Open dialog, navigate to the folder that you want to add and click OK.
   2. If required, you can select the following:
      - Substitute environment variables where possible
      - Include subfolders
      - Use regular expressions
      - Make folder an Allowed Item
4. To apply a policy, select the policy from the drop-down in the Policy section. You can select the following options for the policy:
   - Apply to child processes
   - Apply to common dialogs
   - Install as a trusted owner
5. If required, enter an optional description of the folder for your future reference.

6. To add metadata to the folder, select the Metadata tab:
   1. Click Populate metadata from file.
   2. The following fields can be populated: Product Name, Vendor, Company Name, File Description, File Version, and Product Version.
   3. Select the checkboxes for the metadata to refine the criteria for the folder. If Vendor metadata is enabled, a further option becomes available: Verify certificate at runtime. When this option is enabled, the agent verifies the certificate while it is matching the file. Click Verify Options to access a further set of criteria used during file matching. For further information, see Verify Options.
7. Click Add to add the folder to the User Privilege Management for the rule.

Drives
Add a Drive to the Allowed or Denied Items Lists for a Rule
1. Select the Allowed Items or Denied Items node for a rule.
2. In the Rule Items ribbon, select either:
   - Add Item > Allowed > Drive
   - Add Item > Denied > Drive
3. The Add a Drive dialog displays.
4. Enter the drive letter and an optional description for your future reference.
5. Click Add to add the drive to the list of allowed or denied items for the rule.

Signatures and Signature Items
Add a Signature to the Allowed or Denied Items List for a Rule
1. In the navigation pane, select the Allowed Items or Denied Items node for a rule.
2. In the Rule Items ribbon, select either:
   - Add Item > Allowed > Signature Item
   - Add Item > Denied > Signature Item
   The Add a Signature dialog displays.
3. In the Properties tab, click the ellipsis (...) in the text box. In the Open dialog, navigate to the file that you want to add, for example an EXE file, and click OK. The Signature Hash Value field is populated with the signature hash value of the file.

4. To specify that the file may run at specific access times only, select the Access Times tab:
   1. Select Only allow files to run at certain access times.
   2. To specify an allowed period, right-click the time period in the calendar area and select New Allowed Period.
5. Click Add to add the signature file to the Allowed/Denied Items for the rule.

Add a Signature File to User Privilege Management for a Rule
1. In the navigation pane, select the User Privileges node for a rule.
2. In the User Privileges ribbon, select Add Item > Application > Signature. The Add a Folder for User Privilege Management dialog displays.
3. In the Properties tab, click the ellipsis (...) in the text box.
4. In the Open dialog, navigate to the file that you want to add and click OK.
5. If required, you can select Make signature file an Allowed Item.
6. Enter optional command line arguments in the Arguments text box.
7. To apply a policy, select the policy from the drop-down in the Policy section. You can select the following options for the policy:
   - Apply to child processes
   - Apply to common dialogs
   - Install as a trusted owner
8. If required, enter an optional description of the signature file for your future reference.
9. Click Add to add the signature file to the User Privilege Management for the rule.

Network Connection Items
Network Connection Items can be created for any network resource and can be added directly to a rule. Adding single Network Connection Items to Allowed and Denied Items lists is useful when a more granular level of control is required, or when only a few items are required. However, using this method could prove time-consuming. Network Connection Items can be cut, copied, or dragged and dropped between rules. There are no default Network Connection Items in a configuration. The full path of a Network Connection Item cannot exceed 400 characters.

Add a Network Connection Item to the Allowed or Denied Items List for a Rule
1. In the navigation pane, select the Allowed Items or Denied Items node for a rule.

2. In the Rule Items ribbon, select either:
   - Add Item > Allowed > Network Connection
   - Add Item > Denied > Network Connection
   The Add a Network Connection dialog displays.
3. Select the connection type:
   - IP Address - Select to control access to a specific IP address.
   - Network Share - Select to control access to UNC paths. The prefix \\ is added to the Host field.
   - Host Name - Select to control access to a specific host name.
4. Complete the connection details. The combined number of characters for all three fields, Host, Port and Path, must not exceed 400.
   - Host - The IP address or host name for the network connection, depending on the type of connection selected. You can use the ? and * wildcards. Additionally, ranges can be used for IP addresses, indicated by a hyphen (-). An IP address must be in IP4 octal format, for example n.n.n.n. If Network Share is selected as the connection type, the \\ prefix is required. The full path for the target resource can be entered in Host, for example [full URL]. Move focus away from Host and the path is automatically split into the separate connection options: the prefix is removed from the Host field and server1.company.local remains; the colon (:) is removed and 80 is moved to Port; /resource1/ is moved to Path.
   - Port - The port number of the network connection. This can be used in combination with IP Address or Host Name to control access to a specific port. Ranges and comma-separated values are allowed as part of the port number. Click Ports to display a list of commonly used ports. Select as many ports as required.
   - Path - The path of the network connection. You can use the ? and * wildcards. To use wildcards in the path, select the Text contains wildcard characters option. The path is only relevant for controlling HTTP and
   - Description - Enter a meaningful description of the network connection.
5. Click Add to add the network connection to the list of Allowed or Denied Items for the rule.

Windows Store Apps
Add a Windows Store App to the Allowed or Denied Items List for a Rule

1. In the navigation pane, select the Allowed Items or Denied Items node for a rule.
2. In the Rule Items ribbon, select either:
   - Add Item > Allowed > Windows Store App
   - Add Item > Denied > Windows Store App
3. Select the required option:
   - All Installed Apps - Include any app that users have installed.
   - Individual Apps - Include specific apps selected from built-in snippets and snippets downloaded from appsense.com. Use the Version Matching drop-down to target the required app versions.
   - Publisher - Include all apps from a named publisher. You can enter the publisher details manually or extract them from a locally installed app.
4. Click OK.

Groups
Groups can be added to User Privileges to hold and manage logical collections of files, folders, drives, signature files, and network connection items. You can also add them to the lists of Allowed or Denied Items for a rule.

Add a Group to the Allowed or Denied Items List for a Rule
1. In the navigation pane, select the Allowed Items or Denied Items node for a rule.
2. In the Rule Items ribbon, select either:
   - Add Item > Allowed > Group
   - Add Item > Denied > Group
   The Group Selection dialog displays, listing the available groups.
3. Select the groups you want to add.
4. If you want to execute all the listed rule items regardless of the owner, select the Allow Untrusted Owner checkbox for the app.
5. Click OK.

Add a Group to User Privilege Management for a Rule
1. In the navigation pane, select the User Privileges node for a rule.
2. In the User Privileges ribbon, select Add Item > Applications > Group. The Group Selection dialog displays. The available groups are listed.
3. To assign the User Privileges rules to the selected group, select Add To Rule.

4. You can also select the following options:
   - Policy - Select the policy, for example Builtin Elevate, from the drop-down list.
   - Make Allowed - Make the selected group allowed and overwrite any associated allowed items.
   - Allow Untrusted Owner - Execute all the listed rule items regardless of the owner. This option becomes available when Make Accessible is selected.
   - Apply to Child Processes - Apply the policy to all the children and other descendants of the parent process.
   - Apply to Common Dialogs - Allow the open and save dialogs to run with administrative privileges when selected from an elevated process.
   - Install as Trusted Owner - Make local administrators the owner of all files created by the defined application.
5. Click OK.

Control Applications
You can combine Application Control's security methods, such as Trusted Ownership checking, with rules in a configuration to control which users can install and run applications. Application Control uses a method known as Trusted Ownership checking to prevent the execution of any user-introduced executable. Only applications installed by a Trusted Owner, for example administrators, are allowed to run by default.
In the case of Microsoft applications such as Project and Visio that have been installed in a multi-user environment, you can use Application Control to allow access to these applications only from specified licensed devices.
The Application Control configuration contains two Group rules. These are BuiltIn\Administrators, who are unrestricted and can run any executable, and Everyone, who can only run executables owned by Trusted Owners. Each rule created has an Allowed Items and a Denied Items list. The Allowed Items list allows administrators to give access to executables that would normally be blocked by default rules, for example on Trusted Ownership failure or for Network Executables. The Denied Items list allows administrators to deny access to executables that would normally be allowed by default rules.
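The way these pieces combine (the two default Group rules, a Device rule exception, the Allowed Items and Denied Items lists, command-line argument matching as in the Arguments Example above, and Trusted Ownership checking as the fallback) can be modelled in a short script. The following Python is an added example and not Ivanti or AppSense product code: the trusted-owner set, rule names, file paths, owners and device names are constructed, and the evaluation order (an unrestricted rule wins, then an Allowed Item overrides any Denied Item, then Trusted Ownership decides whatever is left) is a simplified assumption based on the statements in this section.

```python
# Added example, not Ivanti/AppSense product code: a toy model of how the
# default Group rules, a Device rule, Allowed/Denied Items with command-line
# arguments, and Trusted Ownership checking combine into one decision.
# All rule names, paths, owners and device names are constructed.
import ntpath
from dataclasses import dataclass, field

# Assumed trusted owner set (the real list is configured under Trusted Owners).
TRUSTED_OWNERS = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM"}


def arguments_of(command_line: str) -> str:
    """Return the command line as Process Explorer shows it, minus the executable token."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        parts = s.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return " ".join(rest.split())   # normalise whitespace between arguments


@dataclass
class Item:
    """An Allowed or Denied Item: a file plus optional arguments."""
    file: str            # absolute path, or a bare name that matches any location
    arguments: str = ""  # exactly as entered in the Arguments box

    def matches(self, exe_path: str, command_line: str) -> bool:
        exe_path = ntpath.normcase(exe_path)
        want = ntpath.normcase(self.file)
        file_ok = (want == exe_path) if "\\" in want else (want == ntpath.basename(exe_path))
        if not file_ok:
            return False
        if not self.arguments:
            return True
        # If arguments are configured, BOTH file and arguments must match.
        return arguments_of(command_line).lower() == " ".join(self.arguments.split()).lower()


@dataclass
class Rule:
    name: str
    unrestricted: bool = False                     # Security Level "Unrestricted"
    allowed: list = field(default_factory=list)    # Allowed Items
    denied: list = field(default_factory=list)     # Denied Items
    devices: set = field(default_factory=set)      # non-empty => Device rule


def decide(rules, user_groups, device, exe_path, command_line, owner):
    """Return (verdict, reason) for one process launch."""
    applicable = [r for r in rules
                  if (not r.devices and r.name in user_groups) or device in r.devices]
    if any(r.unrestricted for r in applicable):
        return "allowed", "unrestricted rule"
    # An Allowed Item overrides any Denied Item (unlike Group Policy precedence).
    for r in applicable:
        if any(i.matches(exe_path, command_line) for i in r.allowed):
            return "allowed", f"Allowed Item in rule '{r.name}'"
    for r in applicable:
        if any(i.matches(exe_path, command_line) for i in r.denied):
            return "denied", f"Denied Item in rule '{r.name}'"
    # Nothing explicit: fall back to Trusted Ownership checking.
    if owner in TRUSTED_OWNERS:
        return "allowed", "trusted owner"
    return "denied", "trusted ownership failure"


def sample_configuration():
    """Constructed configuration mirroring the Arguments Example and the Visio scenario."""
    visio = r"C:\Program Files\Visio\visio.exe"
    return [
        Rule("BUILTIN\\Administrators", unrestricted=True),
        Rule("Everyone",
             denied=[Item("shutdown.exe"), Item(visio)],
             allowed=[Item("shutdown.exe", "-r -t 30")]),
        Rule("Visio Licensed Devices", allowed=[Item(visio)], devices={"IVANTI-PC1"}),
    ]


if __name__ == "__main__":
    rules = sample_configuration()
    print(decide(rules, {"Everyone"}, "PC9", r"C:\Windows\System32\shutdown.exe",
                 '"C:\\Windows\\System32\\shutdown.exe" -r -t 30', "DOMAIN\\user"))
    print(decide(rules, {"Everyone"}, "PC9", r"C:\Users\u\tool.exe", "tool.exe", "DOMAIN\\user"))
```

Running the block prints an "allowed" verdict for the restart command with the exact arguments and a "trusted ownership failure" for a user-introduced executable; the same `decide` function shows the licensed-device exception when the device name is in the Device rule.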
Because Microsoft applications will often be licensed to run on only a few devices, it is best practice to use Application Control to initially deny access to the application for everyone, then allow access to the few, based on the allowed device.

Step 1 Restrict Access to an Application for Everyone
1. Expand the Group > Everyone node.
2. Right-click the Denied Items node and select Add Item > Denied > File. The Add a File dialog displays.

3. Browse to and select the application to restrict access to, or enter the name in the File field, and click Add.
All standard users are now denied from using the specified application. The above configuration denies access to everyone, therefore you must create an exception rule to allow named licensed devices to run the application. The devices can be specified using an IP address range or NetBIOS name. These devices are the connecting client machines in a terminal server/Citrix environment.
Application Control rules operate differently to Microsoft Group Policies in that an Allowed Item rule overrides any Denied Item rule.

Step 2 Create an Exception Rule
1. In the Rules ribbon, select Add Rule > Device Rule. A new rule is created.
2. Right-click the new rule and select Rename.
3. Type an intuitive name such as Visio Licensed Devices.
4. Expand the new rule.
5. Select the Allowed Items node.
6. In the Rule Items ribbon, select Add Item > Allowed > File. The Add a File dialog displays.
7. Browse to and select the application to make allowed to authorized devices, or enter the name in the File field, and click Add. This is the same application that you restricted in Step 1.

Step 3 Specify Authorized Devices
1. Select the new Device rule.
2. Select Add Client Device on the Rules ribbon. The Add a Client Device dialog displays.
3. Browse to and select the devices to authorize for the specified application and click Add. You can also specify the devices by typing them directly:
   - IP Address (for example, [IP address])
   - IP Address Range (for example, [IP address range])
   - NetBIOS name (for example, Ivanti-PC1)
   You can include any combination of the above.

4. To specify that the devices are the connecting devices and not the physical devices that are running the application, select Connecting Device in the Device Type column for each device.

Step 4 Save the Configuration
Save the configuration. When the configuration is deployed to a Citrix/Terminal Server, only the specified devices are allowed to launch the Microsoft 'per device' licensed application.

Use Process Rules to Restrict Access to FTP
You can use process rules to allow, for example, only certain applications to access FTP. This task shows how to use process rules to allow only a particular application to access FTP ports 20 and 21. The first step is to create a group to specify the

Step 1 Create a Group
1. Select the Group Management node.
2. Select Add Group on the Groups ribbon.
3. Select and right-click the new group and select Rename.
4. Rename the group with an intuitive name, for example, Specify FTP Ports.
5. Select the Add Item drop-down arrow on the Groups ribbon and select Network Connection. The Add a Network Connection dialog displays.
6. Specify the host in the Host field.
7. Select the Ports button on the right-hand side of the Ports field. The Common Ports dialog displays.
8. Select ports 20 and 21: FTP - Data Port and FTP - Control Port, and click Add.
9. Select the Text contains wildcard characters option and click Add.

Step 2 Create a Process Rule to Block Access to FTP Ports 20 and 21
1. Select the top-level Process rule node.
2. Select the Add Rule drop-down arrow on the Rules ribbon and select Process Rule.
3. Select and right-click the new process rule and select Rename.
4. Give the rule an intuitive name, for example, Cannot access FTP.
5. Right-click within the Processes work area and select Add > File. The Add a File dialog displays.
6. Enter * in the File field and click Add. This denotes that all files are blocked from accessing FTP ports 20 and 21. The use of
7. Expand the new process rule node.
8. Select the Denied Items node.

9. Select the Add Item drop-down arrow and select Denied > Group. The Group Selection dialog displays.
10. Select the group created in the Create a Group procedure and click Add.
This rule now prohibits all applications from accessing FTP ports 20 and 21.

Step 3 Create a Process Rule to Allow Access to FTP Ports 20 and 21
1. Select the top-level Process rule node.
2. Select the Add Rule drop-down arrow on the Rules ribbon and select Process Rule.
3. Select and right-click the new process rule and select Rename.
4. Give the rule an intuitive name, for example, Can access FTP.
5. In the Processes work area, right-click and select Add > File. The Add a File dialog displays.
6. Browse to and select the file that you want to access FTP, for example, Internet Explorer.
7. If required, expand the new process rule node.
8. Select the Allowed Items node.
9. Select the Add Item drop-down arrow and select Allowed > Group. The Group Selection dialog displays.
10. Select the group created in the Create a Group procedure and click OK.
This rule now allows the specified application to access FTP ports 20 and 21.

Step 4 Set the Group Rule to Restricted
1. Expand the Group node and select BUILTIN\Administrators. The Group Rule work area displays.
2. Drag the Security Level slider to Restricted.

Step 5 Save the Configuration
Save the configuration. Only the application specified in the procedure can access FTP ports 20 and 21. All other applications cannot.

Rules Examples
Allow Access to Selected Windows Store Apps
Scenario
- You are an IT Administrator using Windows 8.
- You are creating an Application Control configuration.
- You have created a Corporate\CallCenter node.
- You want to grant access to certain Windows Store apps.
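The Network Connection Item fields described under Rules Items, and the Specify FTP Ports group used in the process-rule procedure above, can be illustrated with a small parser and matcher. The following Python is an added example, not Ivanti or AppSense product code. It splits a full target path into Host, Port and Path the way the Host field does, expands comma-separated and ranged port lists, enforces the 400-character limit and the \\ prefix for network shares, and checks a connection attempt against a group. The example URL is assembled from the host, port and path fragments that survive on the page; the other host names, ports and connection attempts are constructed, and the wildcard and range handling is a simplified assumption.

```python
# Added example, not Ivanti/AppSense product code: parsing and matching
# Network Connection Items (Host / Port / Path), including the Host-field
# split, port ranges and lists, the 400-character limit and the \\ prefix
# rule for network shares.  Hosts, ports and connection attempts are constructed.
import fnmatch
import ipaddress
import re
from dataclasses import dataclass

MAX_FIELD_LEN = 400   # Host + Port + Path together must not exceed 400 characters


@dataclass
class NetworkConnectionItem:
    kind: str               # "IP Address", "Host Name" or "Network Share"
    host: str               # may contain ? and * wildcards, or an IPv4 range "a-b"
    port: str = ""          # e.g. "20,21" or "8000-8080"; empty means any port
    path: str = ""          # only meaningful for HTTP-style connections
    wildcards: bool = False # "Text contains wildcard characters" for Path

    @classmethod
    def from_host_field(cls, kind, text, wildcards=False):
        """Split e.g. 'http://server1.company.local:80/resource1/' into Host, Port and Path."""
        m = re.fullmatch(r"(?:[a-z][a-z0-9+.-]*://)?([^/:]+)(?::(\d+))?(/.*)?", text.strip(), re.I)
        if not m:
            raise ValueError(f"cannot parse {text!r}")
        item = cls(kind, m.group(1), m.group(2) or "", m.group(3) or "", wildcards)
        item.validate()
        return item

    def validate(self):
        if len(self.host) + len(self.port) + len(self.path) > MAX_FIELD_LEN:
            raise ValueError("Host, Port and Path together exceed 400 characters")
        if self.kind == "Network Share" and not self.host.startswith("\\\\"):
            raise ValueError("a Network Share item needs the \\\\ prefix in Host")

    def ports(self):
        """Expand '20,21,8000-8002' into a set of port numbers."""
        out = set()
        for part in (p.strip() for p in self.port.split(",")):
            if part:
                lo, _, hi = part.partition("-")
                out.update(range(int(lo), int(hi or lo) + 1))
        return out

    def host_matches(self, target: str) -> bool:
        if self.kind == "IP Address" and "-" in self.host:
            try:
                lo, hi = (ipaddress.IPv4Address(x.strip()) for x in self.host.split("-", 1))
                return lo <= ipaddress.IPv4Address(target) <= hi
            except ValueError:
                return False
        return fnmatch.fnmatchcase(target.lower(), self.host.lower())

    def matches(self, target_host, target_port, target_path="") -> bool:
        if not self.host_matches(target_host):
            return False
        if self.port and target_port not in self.ports():
            return False
        if self.path:
            return fnmatch.fnmatchcase(target_path, self.path) if self.wildcards else target_path == self.path
        return True


def ftp_ports_group():
    """Constructed 'Specify FTP Ports' group from the procedure: any host, ports 20 and 21."""
    return [NetworkConnectionItem("Host Name", "*", "20,21", wildcards=True)]


def matched_by_group(group, host, port, path="") -> bool:
    """True when any item in the group matches the attempted connection."""
    return any(item.matches(host, port, path) for item in group)


if __name__ == "__main__":
    print(NetworkConnectionItem.from_host_field("Host Name", "http://server1.company.local:80/resource1/"))
    print(matched_by_group(ftp_ports_group(), "ftp.example.test", 21))
```

With the group placed under a process rule's Denied Items, `matched_by_group` returning True for a port-21 attempt corresponds to the "Cannot access FTP" rule blocking it; placed under the Allowed Items of the "Can access FTP" rule, the same match is what lets the one named application through.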

Process
1. Expand the Group > Corporate\CallCenter node.
2. Select Denied Items.
3. Right-click in the work area and select Add > Windows Store App. The Browse Windows Store Apps dialog displays.
4. Select Apply to all Windows Store Apps on the endpoint.
5. Click OK to deny access to all Windows Store apps.
6. To specify the Windows Store apps to be made allowed, select Allowed Items.
7. Right-click in the work area and select Add > Windows Store App. The Browse Windows Store Apps dialog displays. The dialog is populated with all the available Windows Store apps and contains three columns:
   - Display Name - This column displays the full name of the Windows Store app.
   - Publisher - This column displays the registered company name for any Windows Store app.
   - Version Matching - This column displays the version of the Windows Store app and the default matching rule of "and above".
8. Select Apply only to the Windows Store Apps selected below. Select this option to grant access to all Windows Store apps available on the machine being used to create the configuration file and the endpoints where the configuration is deployed.
9. Select the Windows Store apps to be allowed. If the machine being used to create the Application Control configuration file is not compatible with Windows Store Apps, a predefined list can be imported. For more information, see Configure Group Rules for Windows Store Apps Using Snippets.

10. From the Version Matching drop-down, use the version filter options to select the version criteria to be met before the selected apps can be accessed. There are four rule options available:
   - and above - Select this option to grant access to the current version of the application and any future versions.
   - and below - Select this option to grant access to the application up to and including the current version only.
   - exactly - Select this option to grant access to the current version of the application only.
   - all versions - Select this option to grant access to all versions of the application.
11. Click OK.
When the criteria specified in the Version Matching drop-down are matched, the Allowed or Denied Item rules are then applied. When the configuration is saved and deployed, access to the selected applications is granted on endpoints using Windows 8 and above.

Deny Access to Selected Windows Store Apps
Scenario
- You are an IT Administrator.
- You are creating an Application Control configuration.
- You have created a Corporate\CallCenter node.
- You want to prohibit access to some Windows Store apps.
Process
1. Expand the Group > Corporate\CallCenter node.
2. Select Denied Items.

3. Right-click in the work area and select Add > Windows Store App. The Browse Windows Store Apps dialog displays. The dialog is populated with all the available Windows Store apps and contains three columns:
   - Display Name - This column displays the full name of the Windows Store app.
   - Publisher - This column displays the registered company name for any Windows Store app.
   - Version Matching - This column displays the version of the Windows Store app and the default matching rule of "and above". If multiple users have the same app installed on the machine being used to create the configuration, each version is listed and the version number is detailed in the Version Matching column.
4. Select Apply only to the Windows Store Apps selected below.
5. Select which apps are to be explicitly denied. If the operating system on the machine being used to create the Application Control configuration file is not compatible with Windows Store Apps, application snippets can be imported. For more information, see Configure Group Rules for Windows Store Apps Using Snippets.
6. From the Version Matching drop-down, use the version filter options to select which versions of the selected apps are to be denied. There are four rule options available:
   - and above - Select this option to prohibit access to the current version of the application and any future versions.
   - and below - Select this option to prohibit access to the application up to and including the current version only.
   - exactly - Select this option to prohibit access to the current version of the application only.
   - all versions - Select this option to prohibit access to all versions of the application.
7. When the criteria specified in the Version Matching drop-down are matched, the Denied Item rules are then applied.
8. Click OK.
When the configuration is saved and deployed, users in the Corporate\CallCenter group have access to all Windows Store apps but are denied from using the selected few.

Configuring Group Rules for Windows Store Apps Using Snippets
Scenario
- You are an IT Administrator.
- You have created a Corporate\CustomerServices group rule.

- You are creating a configuration on a machine that is not compatible with Windows Store Apps for users in the group rule.
- You want to use the application snippets to grant access to certain Windows Store apps for endpoints using Windows 8 and above.
Process
1. Expand the Corporate\CustomerServices group rule.
2. Select Allowed Items.
3. Right-click in the work area and select Add > Windows Store App. The Browse Windows Store Apps dialog displays all the available Windows Store apps and contains three columns:
   - Display Name - This column displays the full name of the Windows Store app.
   - Publisher - This column displays the registered company name for any Windows Store app.
   - Version Matching - This column displays the version of the Windows Store app and the default matching rule of "and above".
4. Click Import Snippet. The Import Windows Store App Snippet File dialog displays. A list of common Windows Store app snippets is included as part of the Application Control console installation and can be found in the console folder within the Application Control installed location. Other snippets are available from [URL], which is opened when you click Login to myappsense.com Snippets page for the latest snippets.
5. Select the application snippets to be added and click Open. Hold down the Ctrl key on your keyboard to select more than one snippet.

6. From the Version Matching drop-down, use the version filter options to select which versions of the selected apps are allowed. There are four options available:
   and above - Grants access to the current version of the application and any future versions.
   and below - Grants access to the application up to and including the current version only.
   exactly - Grants access to the current version of the application only.
   all versions - Applied by default; grants access to all versions of the application.
   When the criteria specified in the Version Matching drop-down are matched, the Allowed or Denied Item rules are applied.
7. Click OK.
When the configuration is saved and deployed, users on machines that support Windows Store apps can access the specified apps.

Condition Management
Conditions are used in Custom Rules to apply security controls based on a number of factors. You can set conditions based on the following:
   Computer
   Scripted
   Directory membership
   Environment
   Files and folders
   Registry
   Session and client
   User
You can also create custom scripted conditions using VBScript or JScript to handle scenarios that are not supplied as standard from the Application Control console. The security controls set in the rule items, such as Allowed Items and Privilege Management, are applied when the condition evaluates to the configured result (true or false).

You can also use regular expressions and ranges to create advanced conditions that apply to multiple matches. In conditions that support regular expressions, you can use simple expressions, such as [abc] to match anything that includes any of the characters within the brackets, or more complex queries; for example, ^[a-f]+ matches any user name that begins with a letter from a to f. For further information, see Wildcards and Regular Expressions.

When you create a custom rule with conditions, remember that Application Control applies a timeout of 10 seconds to evaluate all the conditions for a rule. If the conditions are not evaluated within 10 seconds, the custom rule is not applied. This is especially important when creating scripted conditions, because a script that takes longer than 10 seconds to complete causes the evaluation to time out.

To view the conditions for a Custom rule, select the node for an individual Custom rule in the navigation pane. The work area displays the security level for the rule and, beneath it, a list of the conditions for the rule and whether the rule is enabled. At the top of the list is the Conditions drop-down menu, from which you create new conditions. Alongside the menu are the following options to manage the conditions:
   Move Left
   Move Right
   Move Down
   Move Up

   Edit
   Delete
Use the Move arrows to arrange the conditions in the list. You can move conditions up and down the list, or indent them to the left or right to make them children or parents of other conditions. The position of a condition in the list hierarchy determines how it is applied. Conditions at the same level are alternatives: the rule matches if any one of them is satisfied (an OR condition). A condition that is a child of another condition is evaluated only once the parent condition has been satisfied, so both must hold (an AND condition). In the following example, the user either must be an administrator OR must be a member of the Finance user group AND be using a laptop before the custom rule items can apply.

For any condition that queries Active Directory, the Application Control administrator must be a member of the target domain or have sufficient permissions to access and query the domain.

If conditions are part of a live configuration, they are included in the report when you create a full report using Configuration Profiler. The report lists the relevant conditions beneath each individual custom rule, using the same condition text as in the custom rule work area.
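The following Windows PowerShell is an added illustration, not part of the product guide and not the agent's own code: a small model of the evaluation order described above (siblings are ORed, a child is ANDed with its parent, evaluation is synchronous, and the whole rule has a 10 second budget after which the rule is not applied). The condition checks are constructed stand-ins for the built-in conditions, and the function names are this example's own. One simplification: the model only checks the budget between conditions, whereas the agent also stops an individual script at its own timeout.

```powershell
# Model of custom-rule condition evaluation (added example; not the product's code).
# Rules: siblings = OR, children = AND with their parent, synchronous, 10 s budget.

function New-Condition {
    param(
        [string]$Name,
        [scriptblock]$Check,        # constructed stand-in: returns $true or $false
        [object[]]$Children = @()   # evaluated only if this condition passes (AND)
    )
    [pscustomobject]@{ Name = $Name; Check = $Check; Children = $Children }
}

function Test-ConditionLevel {
    # $Level holds sibling conditions (OR). Returns $true as soon as one sibling
    # passes together with its child chain (AND); otherwise $false.
    param(
        [object[]]$Level,
        [System.Diagnostics.Stopwatch]$Clock,
        [int]$BudgetMs,
        [System.Collections.Generic.List[string]]$Trace
    )
    foreach ($cond in $Level) {
        if ($Clock.ElapsedMilliseconds -ge $BudgetMs) {
            $Trace.Add("TIMEOUT before '$($cond.Name)'")
            throw [System.TimeoutException]::new('condition budget exhausted')
        }
        $passed = [bool](& $cond.Check)          # synchronous: nothing else runs meanwhile
        $Trace.Add("$($cond.Name) => $passed")
        if (-not $passed) { continue }           # try the next sibling (OR)
        if ($cond.Children.Count -eq 0) { return $true }
        # Children are ANDed with this condition; among themselves they are ORed.
        if (Test-ConditionLevel -Level $cond.Children -Clock $Clock -BudgetMs $BudgetMs -Trace $Trace) {
            return $true
        }
    }
    return $false
}

function Test-CustomRule {
    param([object[]]$Conditions, [int]$BudgetMs = 10000)
    $clock = [System.Diagnostics.Stopwatch]::StartNew()
    $trace = [System.Collections.Generic.List[string]]::new()
    try {
        $applies = Test-ConditionLevel -Level $Conditions -Clock $clock -BudgetMs $BudgetMs -Trace $trace
    } catch [System.TimeoutException] {
        $applies = $false                        # a timed-out rule is not applied
    }
    [pscustomobject]@{ Applies = $applies; Trace = ($trace -join '; ') }
}

# Worked example from the text: Administrators OR (Finance AND laptop).
# The membership and battery facts are constructed values, not real lookups.
$isAdmin = $false; $inFinance = $true; $hasBattery = $true
$rule = @(
    (New-Condition -Name 'User Group = Administrators' -Check { $isAdmin }),
    (New-Condition -Name 'User Group = Finance' -Check { $inFinance } -Children @(
        (New-Condition -Name 'Is Laptop' -Check { $hasBattery })
    ))
)
Test-CustomRule -Conditions $rule              # Applies = True; trace shows the OR/AND path

# A slow scripted condition placed first starves its siblings: the second
# condition would pass on its own, but the budget is gone before it is reached.
$slowRule = @(
    (New-Condition -Name 'Scripted (slow)' -Check { Start-Sleep -Milliseconds 1500; $false }),
    (New-Condition -Name 'User Group = Finance' -Check { $inFinance })
)
Test-CustomRule -Conditions $slowRule -BudgetMs 1000   # Applies = False; trace ends in TIMEOUT
```

The second call uses a 1 second budget purely to keep the demonstration short; the point it makes is the one the guide makes about scripted conditions: order slow conditions last, or cache them with Evaluate once per session, so that cheap conditions are not denied their share of the 10 seconds.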

Create a Condition
This section applies to creating Directory Membership, User, Computer and Session & Client conditions only, as the dialog boxes these conditions use follow the same format.
1. Select the node for a Custom rule.
2. In the work area for the rule, open the Conditions drop-down menu and select the condition you want to apply, for example Conditions > User > User Group. In the condition dialog, the tab specific to the condition type displays by default. This tab allows the parameters to be set using a common group of options and fields. See Condition Variables for further details.
3. Define the condition using the available fields and checkboxes.
4. Select the General tab.
5. Enter a description and any optional notes. The description is used as the display name for the condition. If this field is left blank, the display name is automatically set from the configured condition.
6. Click OK to save the condition.

The Application Control agent uses the condition to find a match with the same criteria for a logged-on user. If a match is found, the rule and rule items attached to the condition are applied.

Reusing Conditions
You can reuse conditions you have already created by copying and pasting them from one Custom Rule to another. You can cut, copy, and paste whole conditions using the options in the Edit ribbon.

Condition Variables
Each type of condition can be specified using variations of the following fields, drop-downs, and checkboxes:
   Equal - A comparison is made against the contents of the Match field to target the users or computers that fulfil those criteria. Enter the criteria into the Match field or use the ellipsis (...) to search or select as required.
   Not Equal - Targets all users or computers that do not fulfil the criteria in the Match field. Enter the criteria in the Match field or use the ellipsis to search or select as required.
   Query - Targets all users or computers that match the criteria specified in the Query field. Using wildcards in the query allows a wide range of matches, for example:
      *Windows - targets users or computers ending in the text Windows.
      Windows* - targets users or computers starting with the text Windows.
      *Windows* - targets users or computers containing the text Windows.
   Regular Expression - Use regular expressions to specify advanced queries for users or computers.
   Between - Used for conditions where a range of values can be set. For example, a condition can be created to apply to a selected range of IP addresses.
   Evaluate once per session - When selected, the condition is evaluated once and the result is cached. If the condition is run again, the result is obtained from the cache rather than by evaluating the condition again.

Field Validation
The table below lists the strings that are acceptable in the fields of the various conditions, with an example of each.

Condition: User Group
   Match: domain\group
      appsense\sales matches the group sales in the appsense domain.
   Match: LDAP
      CN=sales, matches the sales group in the appsense.com domain.
   Query: domain\gr*
      appsense\sal* matches group names starting with 'sal' in the appsense domain.
   Query: domain\*gr
      appsense\*les matches group names ending with 'les' in the appsense domain.
   Query: domain\*gr*
      appsense\*ale* matches group names containing 'ale' in the appsense domain.

Condition: User Name
   Match: domain\user
      appsense\smithj matches the user name 'smithj' in the appsense domain.
   Query: domain\use*
      appsense\smit* matches user names starting with 'smit' in the appsense domain.
   Query: domain\*use
      appsense\*ith matches user names ending with 'ith' in the appsense domain.
   Query: domain\*use*
      appsense\*ith* matches user names containing 'ith' in the appsense domain.

Condition: Computer Group
   Match: domain\group
      appsense\sales matches the group sales in the appsense domain.
   Match: LDAP
      CN=sales, matches the sales group in the appsense.com domain.
   Query: domain\gr*
      appsense\sal* matches group names starting with 'sal' in the appsense domain.
   Query: domain\*gr
      appsense\*les matches group names ending with 'les' in the appsense domain.
   Query: domain\*gr*
      appsense\*ale* matches group names containing 'ale' in the appsense domain.

Condition: Computer Name
   Match: computer
      SalesDesk01 matches the computer name 'SalesDesk01'.
   Query: comp*
      SalesDesk* matches all computer names starting with 'SalesDesk'.
   Query: *comp
      *Desk01 matches all computer names ending with 'Desk01'.
   Query: *comp*
      *Desk* matches all computer names containing 'Desk'.

Condition: Computer Domain
   Match: domain
      appsense matches the domain name 'appsense'.
      appsense.com matches the domain name 'appsense.com'.
   Query: dom*
      app* matches all computer domains starting with 'app'.
   Query: *dom
      *sense matches all computer domains ending with 'sense'.
   Query: *dom*
      *sen* matches all computer domains containing 'sen'.

Condition: Computer NETBIOS
   Match: computer
      SalesDesk01 matches the computer NETBIOS name 'SalesDesk01'.
   Query: comp*
      SalesDesk* matches all computer names starting with 'SalesDesk'.
   Query: *comp
      *Desk01 matches all computer names ending with 'Desk01'.
   Query: *comp*
      *Desk* matches all computer names containing 'Desk'.

Condition: Computer IP Address
   Match: xxxx.xxxx.xxxx.xxxx
      Matches the single IP address entered.
   Between: xxxx.xxxx.xxxx.xxxx
      IP Address 1 and IP Address 2 together match all IP addresses between the two addresses entered.

Condition: User OU Membership
   Match: LDAP
      CN=sales, matches the directory membership of user OU 'sales' in the appsense.com domain.
   Query: ou*
      sales* matches user OU names starting with 'sales'.
   Query: *ou
      *sales matches user OU names ending with 'sales'.
   Query: *ou*
      *sales* matches user OU names containing 'sales'.

Condition: Computer OU Membership
   Match: LDAP
      CN=sales, matches the directory membership of computer OU 'sales' in the appsense.com domain.
   Query: ou*
      sales* matches computer OU names starting with 'sales'.
   Query: *ou
      *sales matches computer OU names ending with 'sales'.
   Query: *ou*
      *sales* matches computer OU names containing 'sales'.

Condition: Directory Site
   Match: sitename
      testsite matches the site name 'testsite'.

Computer Conditions
These conditions target individual computers or groups of computers using various identifiers. Rules can be applied to a computer regardless of who is using it. The Application Control agent checks the specified criteria against those of the managed computer and applies any associated conditions to the computer or group of computers.
LSA support is not available on Computer conditions.

Condition: Is Laptop
   A condition to check whether the endpoint is a laptop. The agent checks the endpoint for a battery. If one exists, the condition returns true.
Condition: Computer Name
   A condition for a specific computer. Enter the computer name directly or search using specified criteria on selected locations.
Condition: Computer Domain
   A condition for a defined network of computers. Use the Name Resolution Type drop-down to specify whether the condition uses the DNS Domain or Windows Domain naming convention. The domain entered in the Match field must be in the format used in your organization for the selected naming convention. For example, a DNS domain name is testing.xyz.local, whereas the Windows domain name is testing.
Condition: Computer NETBIOS Name
   A condition for a computer identified by its NETBIOS name.
Condition: Computer Group
   A condition based on a group membership for a particular computer. The agent checks whether the specified Active Directory group or groups exist and compares their Security Identifier (SID) against the SIDs of the user's computer for a match. The condition only matches computers that are direct members of the specified group; to include nested groups, select the Search nested groups checkbox.
Condition: Computer IP Address
   A condition based on an IP address entered into the Address field. A range of IP addresses can be defined using the Between option and the two Address fields. For ranges, the IP address is not treated as a single whole number; each octet is compared separately against the corresponding octets of the two range addresses. An address passes only if every one of its octets falls within the range set by the corresponding octets, so an address whose third octet is outside that range does not match, whatever its other octets.
Condition: MAC Address
   A condition defined by the Media Access Control (MAC) address of the network cards within a computer.
Condition: Operating System
   A condition that applies only when the specified operating system is matched. The operating system can be further defined by version, service pack, build number, edition, CPU architecture and whether Terminal Services is enabled.
   The Version text box provides a drop-down to select the operating system version. It also supports free text, allowing you to enter any RTM number. For example, to specify Windows 8, enter its RTM number.
   For Build Number, select a comparison, such as Greater than or Equal to, in the drop-down, then enter a build number in the field. You cannot include a dot character (.) in the build number; enter the build number digits only. To ensure you have the correct build number, check the relevant Microsoft release information; for example, the Windows 10 release information page lists build numbers for Windows 10 releases.
Condition: Is VDI
   A condition which applies actions only when the endpoint is one of the following virtual desktops:
      XenDesktop 5
      XenDesktop 7
      VMware View
      Quest vWorkspace

Scripted Rules
Scripted rules allow custom rules to be created using Windows PowerShell or VBScript. The success or failure of the script determines whether the security level, Allowed Items, and Denied Items that are part of the rule apply to the user. Scripted rules can take advantage of any interface accessible via PowerShell or VBScript, such as COM (Component Object Model).
Each script is evaluated under the following circumstances:
   When a new configuration is deployed to the computer.
   When a user logs on.
You create and edit scripts in the Scripted Rule dialog, which you access as follows:
1. In the Rules ribbon, select Add Rule.
2. In the drop-down menu, select Scripted Rule. The Scripted Rule work area displays.
You can define when the script is to be run using the following Scripted Rule Options:
   Run script once per logon session as the logged on user - The script runs, as that user, for each user logging on. Settings are only applied for the duration of the user session.

   Run script once per logon session as the SYSTEM user - The script runs with SYSTEM account permissions once for each user logging on. Settings are only applied for the duration of the user session.
   Run script once per computer as the SYSTEM user - The script runs with SYSTEM account permissions once at computer startup. Settings are applied to all user sessions until the computer restarts, the Application Control agent restarts, or there is a configuration change.
Caution: Running scripts as the SYSTEM user can cause serious damage to your computer and should only be enabled by experienced script authors. Because the script is part of the deployed configuration, anyone who can edit and deploy the configuration can run code as SYSTEM on every endpoint that receives it, so control who is able to change configurations.
   Do not execute script until user logon is complete - Select to prevent the script from running until user logon is complete.
   Wait for <n> seconds before script timeout - Specifies the number of seconds a script is allowed to continue running before it times out. A setting of zero (0) seconds disables the script timeout. If a timeout occurs, the result is fail and the settings are not applied.

VBScripts
Each script is run within a hosted script engine, allowing greater control over the script execution whilst providing a high degree of input and output control. No VBS file is used and no separate process is spawned. A script must be written as a function and can contain many functions, but a main start function must be specified. The start function is run by the Application Control agent and can be used to call the other functions.
The AMScriptRule COM object is built into the scripting engine and provides access to the following members:
   strUserName = AMScriptRule.UserName
   strUserDomain = AMScriptRule.UserDomain
   strSessionID = AMScriptRule.SessionID
   strStationName = AMScriptRule.WinStation
Following Microsoft usage, WinStation returns the name of the Terminal Services session, which depends on the session type (typical values are Console or RDP-Tcp#34), rather than the Window Station name, which is typically WinSta0.
The AMScriptRule COM object also includes the following methods:

   strLog = AMScriptRule.Log "My Log Statement"
      Writes a logging string to the agent log file, for use when debugging scripted rules.
   strEnvironmentVar = AMScriptRule.ExpandEnvironment("%MyEnvironmentVariable%")
      Expands environment variables of the user running the script. Using WScript.Shell to expand environment variables only returns SYSTEM variables.

Windows PowerShell Scripts
If the script returns (exits) with a value of 0, the script passes and the rules are applied. If any non-zero value is returned, the script fails and the rules do not apply. Each PowerShell script is executed in an instance of PowerShell.exe, so Application Control neither enforces nor adds any specific syntax: all correctly formed PowerShell will work. PowerShell must be installed on any endpoint that will be using the script. Note that a script which runs to its end without an explicit exit statement and without a terminating error returns 0 and therefore passes; end every path through the script with an explicit exit so that a pass is deliberate rather than the default.

Add a Scripted Rule
1. Click the Add Rule drop-down arrow on the Rules ribbon and select Scripted Rule. A new rule is added to the All Scripted Rules work area. The Scripted Rule dialog displays.
2. Select Click here to edit the script.
3. To enter a script, do one of the following:
   Type the script in the Current Script area.
   Open an existing script in a script editor, copy or cut the content, and paste it.
   Click Import to import an existing script.

Edit a Scripted Rule
1. Use the Scripted Rule dialog to create and maintain rules based on custom VBScript and PowerShell scripts that are run whenever a user logs on.
2. To open the Scripted Rule dialog for a specific rule, do one of the following:
   Navigate to the scripted rule in the navigation pane and select it.
   Select the Rules node in the navigation tree. In the All Rules dialog, double-click the rule that you want to edit.
   The Scripted Rule dialog displays.
3. Click Click here to edit the script. The Configure this Scripted Rule dialog displays.

4. In the Script tab, add or amend the script to be used when your users log on.
5. In the Options tab, select the script execution setting from the list of available options in the Define the execution settings section.
6. To specify the script time settings, select the appropriate options in the Define the script time settings section.
7. Click OK.

Sample scripts

Scriptable rule to determine if an AAC filter has been passed, using VBScript
The following VBScript demonstrates how to control the applications to which a user has access: the rule passes only when the expected SmartAccess filter is present on the user's session.

    Function ScriptedRule()
        ' Name of the filter scan expected to pass
        ExpectedFilter = "FWALL"
        ' Get the server name
        Set objNTInfo = CreateObject("WinNTSystemInfo")
        ServerName = LCase(objNTInfo.ComputerName)
        ' Set the initial return value: fail unless the filter is found
        ScriptedRule = False
        ' Create the MetaFrame session object
        Set MFSession = CreateObject("MetaFrameCOM.MetaFrameSession")
        ' Walk the SmartAccess filters for this session and pass if ours is present
        For Each x In MFSession.SmartAccessFilters
            If x = ExpectedFilter Then
                ScriptedRule = True
                AMScriptRule.Log "SmartAccessFilter match found."
                Exit For
            End If
        Next
    End Function

Scriptable rule to determine if a computer is in a Computer OU, using VBScript
The following VBScript can be used to determine if a computer is in a computer Organizational Unit:

    Function ScriptedRule()
        ScriptedRule = vbFalse
        strCompName = AMScriptRule.StationName
        ' Find the domain's default naming context (for example DC=example,DC=com)
        Set RootDSE = GetObject("LDAP://RootDSE")
        strDNSDomain = RootDSE.Get("DefaultNamingContext")
        Set OU = GetObject("LDAP://OU=TheOUyouAreSearching,OU=Parent,OU=Parent," & strDNSDomain)
        ' Only walk computer objects in the OU
        OU.Filter = Array("computer")
        OU.GetInfo
        For Each member In OU
            If UCase(strCompName) = UCase(member.CN) Then
                ScriptedRule = vbTrue
                Exit For
            End If
        Next
    End Function

Scriptable rule to determine if a user is a member of a certain OU, using VBScript
The following sample VBScript shows the main components of a script and demonstrates how to access information about the user name of the user logging on to the system, and match it with a specific domain and organizational unit:

    Function MyScript()
        ' Default result: the rule does not apply unless a match is found below
        MyScript = False
        ' Get the user name of the user logging in (also works when running as SYSTEM)
        strUserName = AMScriptRule.UserName
        ' Get the domain of the user logging in (also works when running as SYSTEM)
        strUserDomain = AMScriptRule.UserDomain
        ' Look up user environment variables (when running as SYSTEM, only SYSTEM variables are available)
        strClientName = AMScriptRule.ExpandEnvironment("%ClientName%")
        ' Log the output
        AMScriptRule.Log strUserName & " logged in on " & strClientName
        ' Check if the user is a member of the domain
        If strUserDomain = "MyDomain" Then
            ' If so, see if the user is in the MyOU OU
            Set objOU = GetObject("LDAP://ou=MyOU,dc=MyDomain,dc=com")
            objOU.Filter = Array("user")
            For Each objUser In objOU
                ' Check for a match with the user logging on (account names are not case sensitive)
                If StrComp(objUser.sAMAccountName, strUserName, vbTextCompare) = 0 Then
                    MyScript = True
                    Exit For
                End If
            Next
        End If
    End Function

Scriptable rule to determine if a user is a member of a certain OU, using Windows PowerShell
The following sample Windows PowerShell script shows the main components of a script and demonstrates how to access information about the user name of the user logging on to the system, and match it with a specific domain and organizational unit:

    # Script checks if the current user is a member of the OU specified
    # Returns 0 if TRUE (the rule applies)
    # 1 otherwise
    # $env:username is the logged-on user only when the rule runs as the logged-on user,
    # not when it runs as the SYSTEM user.
    $logonuser = $env:username
    $bindpt = [adsi] "LDAP://OU=TS_Users,OU=Users,OU=MyUser,OU=MyOU,DC=MyDomain,DC=com"
    $users = New-Object System.DirectoryServices.DirectorySearcher $bindpt
    $users.filter = "(&(objectclass=user)(samaccountname=$logonuser))"
    $obj = $users.findone()
    if ($obj -eq $null) {
        # Not a member: the rule does not apply
        exit 1
    }
    # Member: the rule applies
    exit 0
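The following is an added example, not a script from the product guide or from the vendor: a Windows PowerShell scripted rule that applies only when one of the endpoint's IPv4 addresses lies inside a range compared octet by octet, which is the semantics the guide gives for the Computer IP Address condition's Between option (see Computer Conditions above). It also contrasts that with a whole-number comparison, and follows the exit code contract described above (0 = pass, non-zero = fail). The range bounds, the function names and the decision to accept the two bounds in either order are this example's own assumptions.

```powershell
# Added example (not the product's code): scripted rule with an octet-wise IP range check.
# Exit 0 = rule applies, exit 1 = rule does not apply.
# Constructed sample range; replace with your own.
$RangeStart = '10.0.5.0'
$RangeEnd   = '10.1.3.255'

function Test-OctetRange {
    # $true when every octet of $Address lies between the corresponding octets of
    # $Start and $End. Bounds may be given in either order (an assumption of this
    # example). Malformed input fails closed.
    param([string]$Address, [string]$Start, [string]$End)
    $dotted = '^\d{1,3}(\.\d{1,3}){3}$'
    foreach ($v in $Address, $Start, $End) {
        if ($v -notmatch $dotted) { return $false }
    }
    $a = [int[]]($Address -split '\.'); $s = [int[]]($Start -split '\.'); $e = [int[]]($End -split '\.')
    for ($i = 0; $i -lt 4; $i++) {
        if ($a[$i] -gt 255 -or $s[$i] -gt 255 -or $e[$i] -gt 255) { return $false }
        $lo = [Math]::Min($s[$i], $e[$i]); $hi = [Math]::Max($s[$i], $e[$i])
        if ($a[$i] -lt $lo -or $a[$i] -gt $hi) { return $false }   # this octet is out of range
    }
    return $true
}

function ConvertTo-AddressNumber {
    # The whole-number view of a dotted quad, used only to show the contrast.
    param([string]$Address)
    $o = [uint64[]]($Address -split '\.')
    return $o[0] * 16777216 + $o[1] * 65536 + $o[2] * 256 + $o[3]
}

function Test-NumericRange {
    param([string]$Address, [string]$Start, [string]$End)
    $n = ConvertTo-AddressNumber $Address
    $lo = [Math]::Min((ConvertTo-AddressNumber $Start), (ConvertTo-AddressNumber $End))
    $hi = [Math]::Max((ConvertTo-AddressNumber $Start), (ConvertTo-AddressNumber $End))
    return ($n -ge $lo -and $n -le $hi)
}

function Get-LocalIPv4Addresses {
    # IPv4 addresses of interfaces that are up, ignoring loopback (.NET, no extra modules).
    [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
        Where-Object { $_.OperationalStatus -eq 'Up' -and $_.NetworkInterfaceType -ne 'Loopback' } |
        ForEach-Object { $_.GetIPProperties().UnicastAddresses } |
        Where-Object { $_.Address.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.Address.ToString() }
}

# Where the two views disagree (constructed address): 10.0.200.1 is numerically
# between 10.0.5.0 and 10.1.3.255, but its third octet (200) is outside 3..5.
# Test-NumericRange '10.0.200.1' $RangeStart $RangeEnd   -> True
# Test-OctetRange   '10.0.200.1' $RangeStart $RangeEnd   -> False
# Test-OctetRange   '10.1.4.9'   $RangeStart $RangeEnd   -> True (every octet in range)

$inRange = @(Get-LocalIPv4Addresses) | Where-Object { Test-OctetRange $_ $RangeStart $RangeEnd }
if ($inRange) { exit 0 }   # rule applies
exit 1                     # no address in range: rule does not apply
```

Because the check is about the computer rather than the user, the natural execution setting is Run script once per computer as the SYSTEM user. Run it from a file (powershell.exe -File) rather than dot-sourcing it interactively, since the final exit statements end whatever session runs them.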

Directory Membership Conditions
These conditions check Organizational Unit (OU) membership in Active Directory. Application Control connects to Active Directory and compares the OU specified in the condition with that of the current user or computer. If a match is made, any associated custom rules are applied.
Match criteria are selected using the browse button, which browses for OU containers. You must be a member of an Active Directory domain to browse for an OU container. This condition can be used to ensure that only users in certain OUs can undertake certain actions.
Select the Include sub-OUs in match checkbox to search all sub-OUs of any specified OU. Without this checkbox selected, the sub-OUs are ignored and only the OU in question is included in the condition.

Condition: User OU Membership
   A condition based on a user's membership of a specified OU. Select whether the condition should equal or not equal the entered OU, or enter a query to apply the condition to several OUs.
Condition: Computer OU Membership
   A condition based on a computer's membership of a specified OU. Uses the same criteria as User OU Membership.
Condition: Client Computer OU Membership
   A condition based on the membership of a specified OU for a server-based or virtual client computer. Uses the same criteria as User OU Membership.
Condition: Site Membership
   A condition based on membership of a specific Active Directory Domain Site. This typically relates to an organization's departments or to a geographical location which hosts networks. The console interrogates the domain to locate sites and offers them for selection from the browse button in the Match field. To browse for sites, your location must be associated with an Active Directory domain.
The OU name in the Match field for the User, Computer and Client Computer OU Membership conditions is case sensitive. OU names entered with incorrect case will not match.

Scripted Conditions
Use the Scripted condition to create, import, and export conditions written in VBScript or JScript. Scripted conditions cater for scenarios that are not available as standard from the Application Control console, for example checking whether the Windows Firewall is switched on. The scripts are held in the AAMP configuration, copied to disk at runtime, executed, and then deleted upon completion. Scripts can be imported and exported to enable reuse.
Caution: Large scripts and high numbers of scripts increase the size of an AAMP configuration, which can increase the time required to deploy configurations to endpoints and affect configuration execution time.
Because condition scripts are run in batch mode, any prompts or message boxes are not displayed; a script that waits on one simply times out. To ensure that a condition script runs correctly, remove or comment out any prompts or message boxes from the script.

When creating scripted conditions, make sure that there is sufficient time for the script to run and for any additional conditions to be evaluated. Application Control has a timeout period of 10 seconds to evaluate all the conditions for a custom rule. If all the conditions are not evaluated within 10 seconds, the custom rule is not applied.
In addition, conditions are evaluated synchronously: when expression evaluation is triggered, the agent waits for the script to complete before evaluating the next condition. The agent stalls the application of a custom rule until evaluation of all conditions is complete or has timed out. So even if you configure the Scripted condition to run for less than 10 seconds, if there are other conditions to evaluate and not enough time left to do so, evaluation can still time out.

Exit Codes
All scripts for scripted conditions must specify an exit code, which, when returned, is used by the Application Control agent to determine whether the script has passed or failed. For scripts without an exit code, success (a 0 value) is assumed by the agent, so give every path through the script an explicit exit code rather than relying on that default. Each script type must use a specific exit statement:
   VBScript: WScript.Quit [value]
   JScript: WScript.Quit([value])
Replace [value] with the exit code for the script: 0 for success and 1 for failure. For example: WScript.Quit 0, WScript.Quit(0), exit (0).

Create a Scripted Condition
1. Select the node for a Custom rule.
2. In the work area for the rule, open the Conditions drop-down menu and select Scripted. The Scripted Condition dialog displays.
3. Select the Type of scripting: VBScript or JScript.
4. In the Run for scroll box, set the time for which the script is allowed to run. This is the number of seconds after which the script is terminated. The maximum value you can enter is 10 seconds. Setting the value to zero or leaving the field blank gives the script unlimited time to complete; however, if the script exceeds the 10 second timeout for evaluating conditions, it times out and the custom rule is not applied.
Scripted conditions override the default node and condition timeouts, but do not override the 10 second timeout to evaluate conditions. This value is hard coded.

5. Click the Options drop-down and configure the following options as required:
   Evaluate Once Per Session - Select this option to run the condition once and cache the result for the duration of the session. Otherwise, the condition is evaluated each time it is called on in a configuration.
   Run As System User - Select this option to let the script use functionality that would not otherwise be accessible to the currently logged-on user.
6. Enter the script using one of the following methods:
   Type directly into the field.
   Drag and drop, or copy and paste, from another location.
   Click the import button and select a file to open and use in the script field.
7. Click OK to save the script.
When triggered, the script runs to completion and the resulting success or failure of the condition is recorded in the debug log files. Scripts that time out are classed as failing, and any child nodes and their associated actions will not run.

Export Condition Scripts
Scripts can be exported and saved from the Scripted Condition dialog and imported into other conditions and configurations.
1. Click the export button and select a location to save the file.
2. Click Save to complete the export.

User Privileges
A privilege is the right of a user account to perform a particular system-related operation, such as shutting down the computer or changing the system time. You can use the Privilege Management feature to assign (enable) or deny (disable) privileges.

User Privileges Policies
The Elevate policy is applied to new rule items by default. When an item is elevated, the selected item is given increased privileges and does not require an administrator to run it. User privileges policies offer an alternative to using the default Elevate rule and can be customized to meet the needs of your organization. Policies can range from making an individual user a member of a "Power User" group to removing user membership from the Administrators group.
When a User Privileges Policy is created, you can customize your policy using the following three tabs:
   Group Membership - Allows you to specify Windows user groups to be dropped or added when a policy is applied. You add a group action to the policy contents and then specify whether membership of the selected group is to be added by the policy or dropped.

When you assign membership to a user group, only the group that you have selected is added; nested groups are not included. For example, assigning group membership to Domain Administrators does not automatically include the local Administrators group, which therefore needs to be added separately.
   Privileges - A privilege is the right of a user account to perform a particular system-related operation, such as shutting down the computer or changing the system time. You can use the User Rights Management feature to enable, disable or remove privileges:
      No change - Leaves the privilege as it is in the original token.
      Enabled - Sets the privilege's flag in the token to enabled.
      Disabled - Sets the privilege's flag in the token to disabled. A process can re-enable a disabled privilege that is still present in its token (AdjustTokenPrivileges), so use Remove where the privilege must be unavailable.
      Remove - Removes the privilege from the token. You cannot undo this option.
   Properties - Add a description for the policy in the Properties tab.

Create a User Privilege Management Policy
1. Select the Library > User Privilege Policies node.
2. Select Add Policy on the Privilege Management ribbon.
3. Right-click the new policy and select Rename.
4. Give the policy an intuitive name.
5. Do one or more of the following:
   Use the Group Membership tab to specify the credentials an application can run under: for example, which group, and whether to add or drop membership of the group. Adding membership allows users to run an application as if they were a member of the group.
   Use the Privileges tab for granular control of the privileges the user will have over an application.
   Use the Properties tab to specify the integrity level. Applications with a low integrity level cannot interoperate with applications that have a high integrity level.
User Privileges Management policies are reusable.

Add Group Membership to a Policy
Standard users typically have no administrative rights. The following process demonstrates how to create a User Privileges Policy for a Support Desk operative. User privileges management provides the ability to add membership to a selected group or to drop membership.
The first step in creating the configuration is to create a User Privileges Policy and to specify the membership, in this case, to add membership.

1. In the Application Control console, select the User Privileges Policies node under Library.
2. In the Privilege Management ribbon, click Add Policy. The new policy is added under the User Privileges Policies node in the navigation pane. To sort policies under the User Privileges Policies node, right-click the node and select Sort Ascending or Sort Descending.
3. In the work area, click the new policy name to make the name editable.
4. Enter a name for the policy, for example, SupportDesk.
5. In the Privilege Management ribbon, click Add Group Action. The Account Selection dialog displays.
6. Enter or navigate to the SupportDesk group and click OK. The group is added to the Group Membership tab in the work area for the policy.
7. In the tab, ensure that Add Membership is visible in the Action column. This is the default setting.

Assign Privileges to a Policy
1. Select the Library > User Privilege Policies node.
2. Select Add Policy on the Privilege Management ribbon.
3. Right-click the new policy and select Rename.
4. Give the policy an intuitive name.
5. Select the Privileges tab for granular control of the privileges the user will have over an application.
6. Identify the privilege you want to assign.
7. Click the drop-down arrow in the Actions column for the privilege and select Enable.

Example: Create a Configuration that Allows Microsoft Silverlight to be Downloaded

Step 1: Create a Policy to Elevate to Administrator
1. Navigate to the Library > User Privilege Policies node.
2. Select the Add Policy ribbon button.
3. Right-click the new policy beneath the User Privilege Policies node and select Rename.
4. Enter an intuitive name for the policy, for example, Elevate.
5. Select the Add Group Action ribbon button.

6. Enter the name of the administrators group or use the Browse button to navigate to the account.
7. Ensure Add Membership is selected in the Action column.

Step 2: Add the Application to the User Privileges Node
1. Select the User Privileges node for a particular group, for example, the Everyone group.
2. Select Add Item > Application > File. The Add a File for User Privilege Management dialog displays.
3. Enter the name of the web installer you want to add in the File field, for example silverlight.exe, or use the Browse button to locate the file.
4. Select Apply policy to child processes. Every process the installer spawns then runs under the elevated policy, so use this only with an installer you trust.
5. Select Install as trusted owner.
6. Click Add.
7. Ensure the policy created in Step 1, Elevate, is selected in the User Privileges Policy column.

Step 3: Add a Signature to the Allowed Items List
1. Select the Allowed Items node for the same group.
2. Select Add Item > Allowed > Signature Item. The Add a Signature dialog displays.
3. Navigate to the web installer and click Open.
4. Save the configuration.
Other configurable items also need to be considered. For example, for an ActiveX installation you need to allow the ActiveX file to run, and any executables that the control calls. You need to consider Process rules, Trusted Vendors, any Digital Certificates, Allowed Items, Elevated items, and so on.

Privileges
The following table provides the full list of privileges and describes how and when system components check for them.

SeAssignPrimaryTokenPrivilege
   User right: Replace a process-level token
   Usage: Checked for by various components, such as NtSetInformationJob, that set a process's token.

198 Privilege User Right Privilege Usage SeAuditPrivilege SeBackupPrivilege Generate security audits Backup files and directries Required t generate events fr the Security event lg with the ReprtEvent API. Causes NTFS t grant the fllwing access t any file r directry, regardless f the security descriptr that is present. READ_CONTROL ACCESS_SYSTEM_SECURITY FILE_GENERIC_READ FILE_TRAVERSE When pening a file fr the backup, the caller must specify the FILE_FLAG_BACKUP_ SEMANTICS flag. Als allws crrespnding access t registry keys when using. SeChangeNtifyPrivilege SeCreateGlbalPrivilege Bypass traverse checking Create glbal bjects Used by NTFS t avid checking permissins n intermediate directries f a multilevel directry lkup. Als used by file systems when applicatins register fr ntificatin f changes t the file system structure. Required fr a prcess t create sectin and symblic link bjects in the directries f the bject manager namespace that are assigned t a different sessin than the caller. SeCreatePagefilePrivilege Create a pagefile Checked fr by NtCreatePagingFile, which is the functin used t create a new paging file. Page 198 f 344

199 Privilege User Right Privilege Usage SeCreatePermanentPrivilege SeCreateSymblicLinkPrivilege Create permanent shared bjects Create symblic links Checked fr by the bject manager when creating a permanent bject (ne that des nt get de-allcated when there are n mre references t it). Checked fr by the NTFS when creating symblic links n the file system with the CreateSymblicLink API. SeCreateTkenPrivilege Create a tken NtCreateTken, the functin that creates a tken bject, checks fr this privilege. SeDebugPrivilege Debug prgrams If the caller has this privilege enabled, the prcess manager allws access t any prcess r thread using NtOpenPrcess r NtOpenThread, regardless f the prcess's r thread's security descriptr (except fr prtected prcesses). SeEnableDelegatinPrivilege SeImpersnatePrivilege SeIncreaseBasePrirityPrivilege SeIncreaseQutaPrivilege Enable cmputer and user accunts t be trusted fr delegatin Impersnate a client after authenticatin Increase scheduling pririty Adjust memry qutas fr a prcess Used by Active Directry services t delegate authenticated credentials. The prcess manager checks fr this when a thread wants t use a tken fr impersnatin and the tken represents a different user than that f the thread's prcess tken. Checked fr by the prcess manager and is required t raise the pririty f a prcess. Enfrced when changing a prcess's wrking set threshlds, a prcess's paged and nnpaged pl qutas, and a prcess's CPU rate quta. Page 199 f 344

200 Privilege User Right Privilege Usage SeIncreaseWrkingSetPrivilege SeLadDriverPrivilege SeLckMemryPrivilege SeMachineAccuntPrivilege SeManageVlumePrivilege SePrfileSinglePrcessPrivilege SeRelabelPrivilege SeRemteShutdwnPrivilege SeRestrePrivilege Increase a prcess wrking set Lad and unlad device drivers Lck pages in memry Add wrkstatins t the dmain Perfrm vlume maintenance tasks Prfile single prcess Mdify an bject label Frce shutdwn frm a remte system Restre files and directries Required t call SetPrcessWrkingSetSize t increase the minimum wrking set. This indirectly allws the prcess t lck up t the minimum wrking set f memry using VirtualLck. Checked fr by the NtLadDriver and NtUnladDriver driver functins. Checked fr by NtLckVirtualMemry, the kernel implementatin f VirtualLck. Checked fr by the Security Accunts Manager n a dmain cntrller when creating a machine accunt in a dmain. Enfrced by file system drivers during a vlume pen peratin, which is required t perfrm disk checking and defragmenting activities. Checked by Superfetch and the prefetcher when requesting infrmatin fr an individual prcess thrugh the NtQuerySystemInfrmatin API. Checked fr by the SRM when raising the integrity level f an bject wned by anther user, r when attempting t raise the integrity level f an bject higher than that f the caller's tken. Winlgn checks that remte callers f the functin have this privilege. This privilege causes NTFS t grant the fllwing access t any file r directry, regardless f the security descriptr that's present: Page 200 f 344

201 Privilege User Right Privilege Usage WRITE_DAC WRITE_OWNER ACCESS_SYSTEM_SECURITY FILE_GENERIC_WRITE FILE_ADD_FILE FILE_ADD_SUBDIRECTORY DELETE When pening a file fr the backup, the caller must specify the FILE_FLAG_BACKUP_ SEMANTICS flag. Als allws crrespnding access t registry keys when using. SeSecurityPrivilege Manage auditing and security lg Required t access the SACL f a security descriptr, read and clear the security descriptr, read and clear the security event lg. SeShutdwnPrivilege SeSyncAgentPrivilege Shut dwn the system Synchrnize directry service data This privilege is checked fr by NtShutdwnSystem andntraiseharderrr, which presents a system errr dialg bx n the interactive cnsle. Required t use the LDAP directry synchrnizatin services and allws the hlder t read all bjects and prperties in the directry, regardless f the prtectin n the bjects and prperties. Page 201 f 344

202 Privilege User Right Privilege Usage SeSystemEnvirnmentPrivilege SeSystemPrfilePrivilege SeSystemtimePrivilege SeTakeOwnership SeTcbPrivilege SeTimeZnePrivilege SeTrustedCredManAccessPrivilege SeUndckPrivilege SeUnslicitedInputPrivilege Mdify firmware envirnment variables Prfile system perfrmance Change the system time Take wnership f files and ther bjects Act as part f the perating system Change the time zne Access credential manager as a trusted caller Remve cmputer frm a dcking statin Receive unslicited data frm a terminal device Required by NtSetSystemEnvirnmentValue and NtQuerySystemEnvirnmentValue t mdify and read firmware envirnment variables using HAL. Checked fr by NtCreatePrfile, the functin used t perfrm prfiling f the system. This is used by the Kernprf tl, fr example. Required t change the time r date. Required t take wnership f an bject withut being granted discretinary access. Checked fr by the security reference mnitr when the sessin ID is set in a tken, by the Plug and Play manager fr Plug and Play event creatin and management, BradcastSystemMessageEx when called with Required t change the time zne. Checked by the credential manager t verify that it shuld trust the caller with credential infrmatin that can be queried in plain text. Is nly granted t Winlgn by default. Checked fr by the user-mde Plug and Play manager when either a cmputer undck is initiated r a device eject request is made. This privilege is nt currently used by Windws. Page 202 f 344
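To verify that an application run under a User Privilege Policy holds only the privileges the policy was meant to Enable, the following added example (not the product guide's own code) parses the text printed by the Windows whoami /priv command inside that application and compares it with the policy. The baseline set, the high-impact set drawn from the table above, and the sample whoami output are the example's own assumptions.

```python
"""Audit the privileges present in a process token against a least-privilege
policy, using the privilege names from the table above."""
import re
from dataclasses import dataclass

# Privileges a default standard-user token already holds (assumption), so their
# presence is never reported as a finding.
BASELINE = {
    "SeChangeNotifyPrivilege", "SeShutdownPrivilege", "SeUndockPrivilege",
    "SeIncreaseWorkingSetPrivilege", "SeTimeZonePrivilege",
}

# Privileges whose usage text in the table shows they bypass the security
# descriptor or let the holder act as another principal or as the OS itself
# (selection is the example author's assumption).
HIGH_IMPACT = {
    "SeAssignPrimaryTokenPrivilege", "SeBackupPrivilege", "SeCreateTokenPrivilege",
    "SeDebugPrivilege", "SeImpersonatePrivilege", "SeLoadDriverPrivilege",
    "SeRelabelPrivilege", "SeRestorePrivilege", "SeSecurityPrivilege",
    "SeTakeOwnershipPrivilege", "SeTcbPrivilege", "SeTrustedCredManAccessPrivilege",
}


@dataclass(frozen=True)
class Privilege:
    name: str
    user_right: str
    enabled: bool


# One row of whoami /priv output: name, free-text description, then the state.
_ROW = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text: str) -> list[Privilege]:
    """Parse the table printed by 'whoami /priv' into Privilege records."""
    privs = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            privs.append(Privilege(m.group(1), m.group(2), m.group(3) == "Enabled"))
    return privs


def audit_token(privs: list[Privilege], policy_enables: set[str]) -> dict:
    """Compare an observed token with what the policy was meant to grant.

    'unexpected' are privileges enabled in the token that are neither baseline
    nor part of the policy; 'high_impact' is the subset of those from the table
    that bypass normal access checks; 'missing' are policy privileges that the
    token does not actually have enabled.
    """
    enabled = {p.name for p in privs if p.enabled}
    unexpected = sorted(enabled - BASELINE - policy_enables)
    return {
        "unexpected": unexpected,
        "high_impact": sorted(n for n in unexpected if n in HIGH_IMPACT),
        "missing": sorted(policy_enables - enabled),
    }


# Constructed sample: a token seen inside a process run under a "Run Debug"
# policy that should only Enable SeDebugPrivilege. SeBackupPrivilege is also
# enabled, which the policy never asked for.
SAMPLE_WHOAMI = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeDebugPrivilege              Debug programs                       Enabled
SeBackupPrivilege             Back up files and directories        Enabled
SeTimeZonePrivilege           Change the time zone                 Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
"""

RUN_DEBUG_POLICY = {"SeDebugPrivilege"}

if __name__ == "__main__":
    result = audit_token(parse_whoami_priv(SAMPLE_WHOAMI), RUN_DEBUG_POLICY)
    for key, names in result.items():
        print(f"{key}: {', '.join(names) or '(none)'}")
```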

User Privilege Management

Many user environments are very restrictive in order to limit user access to sensitive data and key applications. However, users often require administrative privileges to perform their role. For example, many proprietary systems, system updates, and applications that allow the installation of drivers for devices such as printers, antivirus scans, and so on all require administrative privileges. So users typically have full administrative privileges or no administrative privileges at all.

Application Control secures and protects many corporate desktops by controlling application and network access. Application Control 8.1 and higher extends policy management capabilities by providing comprehensive user privilege management functionality. User privilege management allows you to create reusable user privilege policies that can be associated with any rules and can elevate or restrict access to files, folders, drives, signatures, Windows Store Apps, application groups, and supported Control Panel components specific to an operating system.

User privilege management enables enterprise IT departments to reduce access control privileges on a per user, group, application, or business rule basis. It ensures users have only the rights they need to fulfill their job and access the applications and controls they require, and nothing else, thus ensuring desktop stability and improving security and productivity.

The perfect balance between user productivity and security is to control user privileges, not at a session or account level, but at the level of an application or individual task. With user privileges management, access to applications and tasks is managed dynamically by managing user privileges on demand, in response to user actions. For example, administrator privileges can be applied to a named application or Control Panel component for a particular user or user group by either elevating the privileges of a standard user to an administrator level, or dropping the privileges of an administrator to that of a standard user account.

By controlling user privileges throughout the user session, IT can provide users with the accessibility they require to perform their job, while protecting the desktop and the environment and reducing management costs. User privileges management provides a granular approach to delegating administrative rights to users and applications by assigning rights according to merit. This level of control can be deployed to elevate or restrict privileges on a case by case basis according to the preferred approach taken in the environment.

User privileges management allows you to create a library of reusable policies that can be associated with any available Application Control rule, to assign the relevant privileges to files, folders, signatures, and application groups. User privileges policies include domain user group membership and a range of administrative privileges that you can apply to each policy.

If a new application is spawned from an existing application with administrative privileges, the new application does not automatically receive the same privileges. Instead it is evaluated to determine whether or not it should receive administrative privileges.

Least Privilege

Many users run their computer with administrative privileges. Users running with these privileges can introduce viruses, malware, and spyware. This can affect an entire enterprise, causing security breaches and downtime. Access to private data can also be at risk.

User privileges management allows you to apply the principle of least privilege. This principle requires that users are provided the minimum privileges to do their job, without giving the user full administrator privileges. The experience is seamless to the user. For the complete definition of least privilege refer to the Department of Defense Trusted Computer System Evaluation Criteria (DOD STD), also known as the Orange Book. This is located at

With user privileges management, any downtime, coupled with the number of calls made to IT Support due to viruses and so on, is greatly reduced because computers are made secure against the problems that occur when a user has full administrative privileges. This means IT Support can focus on more important tasks rather than spending large amounts of time troubleshooting computers to find out the problem. Licensing is also easier to control, for example, by allowing users to install only authorized applications.

Common Tasks that Require Administrative Privileges

In order to fulfil their roles, users may need to perform a number of tasks that need administrative privileges. A solution must be provided to allow these tasks to be performed; otherwise the user must fulfil their role without accomplishing these specific tasks. These tasks can include:

Installing printers
Installing certain hardware
Installing particular applications
Operating applications that require administrative privileges
Changing system time
Running legacy applications

User privileges management allows the user to perform these tasks by elevating a user to have specific administrative privileges.

User Privileges Management vs Run As

Many users, particularly knowledge workers, use the Run as command to run applications. Users can perform their daily tasks running with least privilege but can also, as required, use the Run as command to elevate their credentials, thus performing a task under the context of a different user. This, however, requires that a user has two accounts: one for least privileges and one for elevation.

A common problem when using Run as is allowing the administrative password to become known throughout an organization. For example, an administrator may communicate the administrator password to a user to enable them to use the Run as command to fix a problem with their computer. Unfortunately, the password commonly gets passed around, causing unforeseen security risks.

An additional problem with Run as is how software actually interacts with it. Run as executes an application or process under the context of a different user. Therefore, that application or process does not have access to the correct HKEY_CURRENT_USER hive in the registry. This hive is where all the profile data is stored and is protected space. So the application or process running under the context of a different user cannot read or write to this source, causing some applications to not function.

Running under the context of a different user can also cause problems reading and writing to a network share. This is because network shares are based on the account under the context you are running. So your local account and the Run as account may not have the same access to resources.

Run As and UAC

Some operating systems, such as Windows 7 and Windows 8, have features that allow a user to run applications or processes without administrative privileges. These are the Run as command and User Account Control (UAC). These features also apply to Server 2008 and 2012 versions. Although these features do allow users to run without administrative privileges, they still require the user to have access to an administrator account to perform administrative tasks. Unfortunately, this limitation means these features are more appropriate for administrators. It enables them to log on as a standard user and use the administrator account to perform administrative tasks only.

Because the user must provide the credentials for a local administrator to use Run as and UAC, this creates a number of concerns. For example:

A user with access to an administrator account must be trusted not to abuse these privileges.
Applications running with administrative privileges are now running under the context of a different user. This can cause problems, for example, these particular applications do not have access to the actual user's profile or network shares, as stated in the User Privileges Management vs. Run As section.
Two passwords are required. One for the standard account and one for the administrator account. The user must remember both. Security required for one account is challenging, and for two accounts more so.

Technology

In a Microsoft Windows computing environment, as part of the application launch process, when an execution request is made, the application requests a security token as part of the application launch approval process. This token details the rights and permissions given to the application and these rights can be used to interact with the operating system or other applications.

When User privileges management is configured to manage an application, the security token that is requested is dynamically modified to have permissions elevated or restricted, thus allowing the application to be run or blocked.

The User Rights Management mechanism handles process startup requests as follows:

1. A User Rights Policy is defined in the configuration rule and applies to applications or components. The Application list can include files, folders, signatures or application groups.
2. The Components list can include Control Panel components.
3. When a process is created by the launch of an application or other executable, the Application Control hook intercepts the process and queries the Application Control agent whether elevated or restricted rights are required to run the process.
4. The agent confirms whether the configuration assigns elevated or restricted rights and, if required, the agent requests a modified user token from the Windows Local Security Authority (LSA).
5. The hook receives the modified user token from the Windows LSA granting the necessary privileges. Otherwise, the process runs with the existing user token according to the definitions of the normal user rights.

Benefits of User Privilege Management

The main benefits of User Privileges Management are:

Discover User Applications that Require Elevated Privileges - Use the Privilege Discovery Mode to monitor and generate reports on applications that require administrative privileges. Use the data listed in the reports to create Application Management configurations.

Elevation of User Privileges for Running Applications - Use User Privileges Management to specify the applications to be run with administrative credentials. The user does not have administrative credentials but is able to run the application. For more information, see Elevate User Privileges for Running Applications.

Elevation of User Privileges for Running Control Panel Applets - Many roaming users need to do various tasks that need administrative privileges. For example, to install printers, to change network and firewall settings, to change the time and date, and to add and remove programs. All of these tasks require certain components to run as administrator. Use User Privileges Management to elevate privileges for individual components so that the non-administrative standard user can make the changes to perform their role. For more information, see Elevate User Privileges for Running Control Panel Applets.

Reducing Privileges to Restrict Application Privileges - By default, users have certain administration credentials, but are forced to run specific applications as a non-administrator. By running certain applications as an administrator, for example, Internet Explorer, the user is able to change many undesirable settings, install applications and potentially open up the desktop to the Internet. Use User Privileges Management to restrict an administrator level user to running, for example, Internet Explorer in a standard user mode, thus safe-guarding the desktop. For more information, see Reduce Privileges to Restrict Application Privileges.

Reducing Privileges to Restrict Access to System Settings - Use User Privileges Management to give a higher level system administrator the ability to stop an administrative user from altering settings that they should not change, for example, firewalls and certain services. Use User Privileges Management to reduce administrative privileges for certain processes. Although the user has administrative privileges, the system administrator retains control of the environment. For more information, see Reduce User Privileges for Running Components.

Use Cases

User privileges management has many use cases and solves problems that many enterprises have until now been unable to address. A small number of scenarios are given below:

Organizations that use local administrator accounts for their users may need to lock down elements of the desktop, such as the Control Panel component, Add Hardware, or Add and Remove Programs \ Programs and Features. By dynamically dropping the user account from administrator to a standard user for specific controls, the user is now prohibited from accessing the control and executing an unwanted task.

Some applications require administrator rights because the application itself interacts with certain parts of the desktop operating system or registry. However, the organization does not wish to provide users with full administrator accounts. User privileges management can elevate the user rights for the named application to an administrator level, enabling the user to run their application while protecting the desktop.

Automatic update elements of some applications can require administrator rights to perform the update actions and therefore do not function in the context of a standard user. User privileges management can enable the named application to run under the context of an administrator account while all other applications remain in standard user context.

Mobile users may need to manually change their IP address, configure a wireless network, or change date and time properties, all of which require administrative rights. User privileges management can elevate the user rights to administrator level for named tasks, enabling the user to make the changes they require.

Elevate User Privileges for Running Applications

Users often require administrative rights to perform their role. User Privilege Management allows you to elevate a user so that they have administrative rights for specified applications. To elevate user privileges, you must first create a policy and then apply this to a rule.

Step 1 - Create a User Privilege Management Policy

1. Navigate to the Library > User Privilege Policies node.
2. On the Privilege Management ribbon select Add Policy.
3. Select and right-click the new policy and select Rename.
4. Give the policy an intuitive name, for example, Elevate Admin Rights.
5. Select the new policy and in the Privilege Management ribbon click Add Group Action. The Account Selection dialog displays.
6. Browse to and select the group you want to add to the policy.
7. The group is listed in the Group Membership tab in the User Privilege Policy work area. Ensure that Add Membership is specified in the Action column. This allows users to run an application as if they were a member of the group.

The Group Membership tab is used to specify the credentials an application can run under. The Privileges tab provides granular control of the privileges the user will have over an application. The Properties tab is used to specify the integrity level. Applications with a low integrity level cannot interoperate with applications that have a high integrity level.

Step 2 - Apply the Policy to the Everyone Rule

1. Select Rules > Group > Everyone > User Privileges in the navigation pane.
2. On the Privilege ribbon select the Add Item drop-down arrow, highlight Application and then select one of File, Folder, Signature or Group.
3. Select the item you want to add.
4. Set the User Privilege Policy to the policy created in the Create a User Privilege Management Policy step above.
5. Select the Everyone node.
6. Move the Security Level slider to Unrestricted to prevent Application Control from blocking.
7. Save the configuration.

Event 9018 audits when the user privileges to an application change.

Example: Allow Users to Run Visual Studio and Debug Applications

Users often require administrative privileges to run, for example, Visual Studio, and to debug applications. Use user privilege management to elevate administrative rights for the specified applications. To elevate user privileges, you need to first create one or more reusable policies and apply these to a rule.

Step 1 - Create a Policy to Elevate User Privileges

1. Select the Library > User Privilege Policies node.
2. Select Add Policy on the Privilege Management ribbon.
3. Select and right-click the new policy and select Rename.
4. Enter an intuitive name for the policy, for example, Elevate Visual Studio.
5. In the Privilege Management ribbon, click Add Group Action. The Account Selection dialog displays.
6. Browse to and select the group you want to add to the policy. The group is added to the Group Membership tab in the rule work area.
7. In the tab, ensure that Add Membership is specified in the Action column. This allows users to run an application as if they were a member of the group.

Step 2 - Create a Policy to Set Privileges for Debugging

1. Select the Library > User Privilege Policies node.
2. Select Add Policy on the Privilege Management ribbon.
3. Select and right-click the new policy and select Rename.
4. Enter an intuitive name for the policy, for example, Run Debug.
5. Select the Privileges tab. The Privileges work area displays.
6. Select the drop-down menu for the debugging privilege in the Action column and select Enable.

Step 3 - Create a Group Rule

1. Select Rules > Group in the navigation pane.
2. Select the Add Rule drop-down arrow on the Rules ribbon and select Group Rule. The Add Group Rule dialog displays.
3. Enter the domain name into the Account field.
4. Click Add.

Step 4 - Apply the Elevate Visual Studio Policy to the Rule

1. Select the User Privileges node beneath the rule you have created. The User Privilege work area displays.
2. In the Privileges Management ribbon, select Add Item > Application > File. The Add a File for User Privilege Management dialog displays.
3. Browse to and select the Visual Studio application file.
4. Select the Apply policy to child processes option.
5. Click Add. The file path and name of the executable file is added to the Applications tab in the work area.
6. In the tab, select the Elevate Visual Studio policy in the User Privileges Policy column. This is the policy created in Step 1.

Step 5 - Apply the Run Debug Policy to the Rule

1. In the User Privileges work area, select Add Item > Application > File from the Privileges Management ribbon. The Add a File for User Privilege Management dialog displays.
2. Enter * in the File field. This is to allow for all debug applications.
3. Click Add.
4. Select the Run Debug policy in the User Privileges Policy column. This is the policy created in Step 4.

Step 6 - Save

Save the configuration.

Elevate User Privileges for Running Control Panel Components

Many roaming users need to do various tasks that need to be run as an administrator, for example:

To install printers
To change network and firewall settings
To change the time and date
To add and remove programs.

All of these tasks require components to run as administrator. Use user privilege management to elevate privileges for individual components so that the non-administrative standard user can make the changes to perform their role.

Elevate Privileges for a Component

1. Select the User Privileges node beneath the applicable Rules node, for example, the Group > Everyone node.
2. On the Privilege Management ribbon select Add Item > Add Component. The Select Components dialog displays.
3. Select one or more components that you want to elevate, and click OK. Use the filter at the top of the Select Components dialog to filter components by operating system. The component is now listed on the Components tab in the policy work area.
4. Ensure the Builtin Elevate policy is selected in the User Privilege Policy column.
5. Save the configuration.

Example: Allow Users to Defragment Disks

The ability to defragment a disk requires administrative privileges and is governed by a particular component. Use privileges management to elevate user privileges for this component, thus allowing them to defragment a disk.

1. Select the applicable Rules node, for example, the Group > Everyone node.
2. In the Privileges Management ribbon, select Add Item > Add Component. The Select Components dialog displays.
3. Select the Defragment component, and click OK. Use the filter at the top of the Select Components dialog to filter components by operating system. The component is added to the Components tab in the work area for the rule.
4. Select the drop-down arrow in the User Privileges Policy column, and select the Builtin Elevate policy.
5. Save the configuration.

Example: Allow Users to Perform Windows Update

The ability to update Microsoft Windows is governed by a particular component. Use privilege management to elevate privileges for this component so that the non-administrative standard user can make the changes to perform their role. To elevate privileges for the applet:

1. Select the applicable Rules node, for example, the Group > Everyone node.
2. In the Privileges Management ribbon, select Add Item > Add Component. The Select Components dialog displays.
3. Select the Automatic Update\Windows Update component, and click OK. Use the filter at the top of the Select Components dialog to filter components by operating system. The component is added to the Components tab in the work area for the rule.
4. Select the drop-down arrow in the User Privileges Policy column, and select the Builtin Elevate policy.
5. Save the configuration.

Reduce Privileges to Restrict Application Privileges

Running applications as an administrator enables a user to change many undesirable settings, install applications, and potentially open up the desktop to the Internet. Use user privilege management to restrict an administrator level user to running, for example, Internet Explorer in a standard user mode, thus safe-guarding the desktop. To reduce user privileges, you need to first create a policy and then apply this to a rule.

Step 1 - Create a User Privilege Management Policy

1. Navigate to the Library > User Privilege Policies node.
2. On the Privilege Management ribbon select Add Policy.
3. Select and right-click the new policy and select Rename.
4. Give the policy an intuitive name, for example, Reduce Admin Privileges.
5. Select the new policy and on the Privilege Management ribbon select Add Group Action. The Account Selection dialog displays.
6. Browse to and select the group you want to add to the policy. These are the account credentials to run the application. Click Add. The group is listed in the Group Membership tab of the policy work area.
7. Select Drop Membership in the Action column.

The Group Membership tab is used to specify the credentials an application can run under. The Privileges tab provides granular control of the privileges the user will have over an application. The Properties tab is used to specify the integrity level. Applications with a low integrity level cannot interoperate with applications that have a high integrity level.

Step 2 - Apply the Policy to the Everyone Rule

1. Navigate to the Rules > Group > Everyone > User Privileges node.
2. On the Privilege Management ribbon select the Add Item drop-down arrow, point to Application and then select one of the following: File, Folder, Signature, or Group.
3. Select the item you want to add.
4. Set the User Privileges Policy to the policy created in Step 1.
5. Select the Everyone node.
6. Move the Security Level slider to Restricted.
7. Save the configuration.

Event 9018 audits when the user privileges to an application change.

Reduce User Privileges for Running Components

Use user privilege management to reduce privileges for individual components so that the non-administrative standard user cannot make certain changes.

Reduce Privileges for a Component

1. Select the User Privileges node beneath the applicable Rules node, for example, the Group > Everyone node.
2. On the Privilege Management ribbon select Add Item > Add Component. The Select Components dialog displays.
3. Select one or more components that you want to reduce privileges for, and click OK. Use the filter at the top of the Select Components dialog to filter components by operating system. The selected component now displays on the Components tab in the work area.
4. Select the drop-down arrow in the User Privileges Policy column and select the Builtin Restrict policy.
5. Save the configuration.

Example: Restrict Users from Starting and Stopping Services

Services is a Control Panel component. Use user privilege management to reduce privileges for the Services component so that the non-administrative standard user cannot start and stop Services.

1. Select the User Privileges node beneath the applicable Rules node, for example, the Group > Everyone node.
2. On the Privilege Management ribbon select Add Item > Add Component. The Select Components dialog displays.
3. Select the Services component, and click OK. Use the filter at the top of the Select Components dialog to filter components by operating system. The selected component is now displayed in the Components tab in the work area.
4. Select the drop-down arrow in the User Privilege Policy column and select the Builtin Restrict policy.
5. Save the configuration.

Secure Dialogs

An administrator can use Application Control and Privilege Management to elevate a standard user to have administrative privileges. Allowing a user to have administrative privileges grants them access to all files, including important system files, and the ability to, for example, delete or rename them. These actions can compromise a system.

Application Control and Privilege Management provides a Secure Common Dialogs feature prohibiting users from manipulating files. The dialog boxes still open and provide access to files but the files cannot be deleted or renamed. Application Control does not restrict access to areas that a user ordinarily has access to.

Elevate to Administrator and Secure Common Dialogs

Scenario: You are an IT Administrator. You are creating a new User Privilege policy.

Process:

1. Navigate to the Library > User Privileges Policies node and select Add Policy on the Privilege Management ribbon. A new policy is created.
2. Right-click the new policy and select Rename.
3. Enter an intuitive name for the policy, for example, Elevate to Administrator.
4. Select the new policy and select Add Group Action on the Privilege Management ribbon. The Account Selection dialog displays.
5. Type the administrator account into the Account field or use the Browse button to search for an account. Click Add.

6. Ensure Add Membership is selected in the Action column. This is the default setting. The Add Membership option allows users to run an application as if they were part of the specified group. The Drop Membership option does not allow the users to run an application.
7. Select the User Privileges node for the applicable group, for example, the Everyone group.
8. On the Privilege Management ribbon, select Add Item > Application > File.
9. The Add a File for User Privilege Management dialog displays.
10. Enter the name of the application that you want to secure common dialogs for or click the Browse button and browse to the application.
11. Ensure that the Apply to common dialogs option is selected. This is selected by default.
12. Click Add.
13. Ensure the policy created in steps 1 to 6 is selected in the User Privilege Policy column.
14. Save the configuration.

System Controls

Use System Controls to control the removal or modification of applications and processes, the management of specific services and the clearing of named event logs. Controls can be applied to elevate or restrict access to the specified item. System Controls are available on the User Privilege node for each rule group.

Add System Controls

1. Select the User Privileges node for the required rule group.
2. Select the System Controls tab.
3. Click Add Item and select the required system control: Uninstall, Service, Event Log, Process Termination. For Process Rules, only Process Termination items can be added.
4. Complete the required details and click OK.
5. From the policy column, select the required option: Builtin Restrict - Always restrict access to the named item. Builtin Elevate - Always allow access to the named item.
6. Configure further items by clicking Add Item in the Privilege Management ribbon and selecting the required option.

7. Click the "Click here to set the messages displayed when a user is restricted from accessing system controls" link to configure the messages that display when a user attempts to uninstall a restricted program or clear a restricted event log. For further information, see Message Settings.

Click the Add AppSense Components and Dependencies button to automatically pre-populate the Uninstall, Service, and Event Log control item configurations with an AppSense*. Other required dependencies are also added.

Uninstall Control Items

Application Access Control must be enabled before configuring an Uninstall Control Item. For further information, see Policy Settings.

Use this option to allow or restrict installed applications from being uninstalled when the rule conditions have been matched. Uninstall Control Items are configured by defining which applications are controlled. Further validation can be applied to target a named publisher and specific application versions. To allow or restrict all applications from a publisher, enter a * in the Application field combined with the publisher name.

For an example of using the Uninstall Control Item, see Elevating a Group to Allow Microsoft Silverlight to be Uninstalled.

Uninstall Control Items are not supported on Windows XP or Windows Server

Service Control Items

Use this option to select which services can be modified, stopped, started and restarted when the Rule conditions have been matched. The Agent Service is the only service that cannot be restarted once stopped.

Service Control Items are configured by specifying the service name or the name by which the service is known. The service display name may differ between different localized Operating Systems.

For an example of using the Service Control Items, see Preventing the Windows Firewall Service from Being Stopped.

Event Log Control Items

Use this option to select which event logs can or cannot be cleared when the Rule conditions have been matched. Event log control items are configured by selecting the name of the log or logs to be controlled.

For an example of using the Event Log Control Items, see Preventing the System Log from being cleared.

Process Termination Control Item

Use this option to protect processes, such as antivirus software, from termination by all users, including administrators. Users can still stop processes gracefully, for example, by clicking close in an application UI, but they cannot forcibly terminate a process, such as ending a task from the Details tab in Task Manager.

An individual file can be specified or all processes in a particular folder can be targeted. Optionally, add Metadata to include additional criteria for matching files and folders. For further information, see Metadata.

Elevate a Group to allow Microsoft Silverlight to be uninstalled

Scenario
You are an IT Administrator
You are creating an Application Control configuration
You have created a Corporate\ITSupport-Level 1 group

You want to elevate the Corporate\ITSupport-Level 1 group to allow them to uninstall Microsoft Silverlight

Process
1. In the Corporate\ITSupport-Level1 group rule, select the User Privileges node.
2. Select the System Controls tab.
3. In the work area, right-click and select Uninstall Control Item. The Add Uninstall Control Item dialog displays.
4. Use the ellipsis in the Application field to navigate to the Browse Installed Applications dialog and select Microsoft Silverlight. Alternatively, enter the name of the application in the field provided. Wildcards can be used if required. For example, to specify Microsoft Silverlight, you might input *silverlight. For further information on wildcards, see Wildcards and Regular Expressions. If the application to uninstall is located on another endpoint, click the Connect button and enter the endpoint name and your credentials. Select the required application from the list. To select more than one application, hold down the Ctrl button on your keyboard and select the required applications. If you are connected remotely to another endpoint, click the My Computer button to view the list of installed applications on your local machine.
5. Click Add. The Application, Publisher and Version details are automatically populated in the Add Uninstall Control dialog.
6. Click Add. To apply the control item to all versions of Microsoft Silverlight, replace the version number with a *.
7. Select Builtin Elevate from the drop-down list in the Policy Column. By selecting the BuiltIn Elevate option, you are granting the application or component the privileges to complete a specific action that would otherwise need to be performed by an Administrator. Alternatively, select the BuiltIn Restrict option to restrict the application or component from automatically completing the action.

When any user within the Corporate\ITSupport-Level1 group attempts to uninstall a version of Microsoft Silverlight, both the Publisher name and the Version number must match before the uninstallation action can be performed. If the criteria for the application does not match, users will be prevented from completing the action, unless an Active Directory Policy dictates otherwise.

Prevent the Windows Firewall Service from being stopped

Scenario
You are an IT Administrator
You are creating an Application Control configuration
You want to prevent the Windows Firewall service from being stopped by everyone in the organization

Process
1. In the Everyone group, select the User Privileges node.
2. Select the System Controls tab.
3. In the work area, right-click and select Service Control Item.
4. The Add Service Control Item dialog displays.
5. Use the ellipsis in the Display Name field to navigate to the Browse Installed Services dialog and select Windows Firewall. Alternatively, enter the name of the service in the field provided. Wildcards can be used if required. For further information on wildcards, see Wildcards and Regular Expressions. If the service is located on another endpoint, click the Connect button and enter the endpoint name and your credentials. Select the required service from the list of installed services. To select more than one service, hold down the Ctrl button on your keyboard and select the required services. If you are connected remotely to another endpoint, click the My Computer button to view the list of services on your local machine.
6. Click Add. The Display Name and Service Name details are automatically populated in the Add Service Control Item dialog.
7. Click Add.
8. Select Builtin Restrict from the drop-down list in the Policy Column. By selecting this option, you are restricting the application or component from automatically completing the action. Alternatively, select the BuiltIn Elevate option to grant the application or component the privileges to complete a specific action that would otherwise need to be performed by an Administrator.

Users are prevented from stopping the Windows Firewall service.

Prevent the System Log from being cleared

Scenario
You are an IT Administrator
You are creating an Application Control configuration
You want to create a Corporate\ITSupport-Level 2 group rule
You want to prevent members of this group from clearing the System log

Process
1. Select the Group Rules node.
2. In the work area, right-click and select Add Group Rule.
3. In the Add Group Rule dialog, enter Corporate\ITSupport-Level2 and click Add. The ITSupport-Level2 group is created.
4. Select the User Privileges node.
5. Select the System Controls tab.
6. Right-click in the work area and select Event Log Control Item. The Add Event Log Control Item dialog displays.
7. Use the ellipsis to navigate to the Browse Installed Event Logs dialog.
8. Select System from the event log list and click Add. To select more than one log, hold down the Ctrl button on your keyboard and select the required logs.
9. On the Add Event Log Control Item dialog, click Add. The System event log is added as a controlled item.
10. Select Builtin Restrict from the drop-down list in the Policy Column. This option lowers the privileges of the users within the group. By restricting users in this way, you are preventing them from performing administrative actions such as clearing event logs. Alternatively, select the BuiltIn Elevate option to grant access to clear the event logs.

Members of the Corporate\ITSupport-Level2 group are prevented from clearing the System event log.

Self-Elevation

Self-Elevation can be applied to signatures, files, and folders that usually require administrative privileges to run and function. Self-Elevation provides an option from the Windows Explorer shortcut menu to run an item with elevated rights. When a user attempts to elevate a specified item, a prompt displays to request that the user enters a reason for the elevation before it is applied.

Self-Elevation is audited so you can monitor the types of applications that users typically want to self-elevate. You can add these items to the appropriate User Privileges node in a configuration so users can access them without request.

In environments where User Access Control (UAC) is disabled, you can enable the self-elevation of Windows Explorer file and folder properties using the custom setting, SelfElevatePropertiesEnabled. In this case, you can customize the Windows Explorer shortcut menu option text using the custom setting, SelfElevatePropertiesMenuText.

Configure Self-Elevation

1. Select the User Privileges node for the applicable group, for example, the Everyone group.
2. Select the Self-Elevation tab.
3. Select Enable Self-Elevation and apply the required setting: Only apply Self-Elevation to items in the list below, or Apply Self-Elevation to all items except those in the list below.
4. In the Manage ribbon, select Add Item > Self-Elevation and enter or choose a file, folder, signature, or group. Any file type can be self-elevated if it is included on the Self-Elevation File Associations list.

5. To add further validation, click the Metadata tab and enter details about the description, vendor, and version number of the file and product. Leave the fields blank if you do not want to restrict which files can be self-elevated. Where metadata has been applied, items must match that metadata to be self-elevated.
6. Save the configuration.

Self-Elevation Options

Configure the Self-Elevation options for the rule items by specifying how an application runs once it has been elevated. You can also define how the elevation is to affect any child processes or common dialogs.

In the Privilege Management ribbon, select Self-Elevation Options and configure the required settings:

Make item(s) Allowed - Make the rule items allowed and overwrite any associated allowed items.
Allow items to run even if it is not owned by a trusted owner - This option is available when Make item(s) Allowed is selected. When selected, all the rule items listed are executed regardless of the owner.
Apply to child processes - By default, the Self-Elevation Policy applied to rule items is not inherited by child processes. Select this option to apply the policy to the direct children of the parent process.

Apply to common dialogs - Elevate access to the Open File and Save File Windows menu options when a file or folder has been elevated. By default, any common dialogs are not elevated.
Install as trusted owner - Make the local administrator the owner of all files created by the defined application. This option is not applied to regular applications, only installer packages.
Hide the Run as Administrator Window options for Self-Elevated items - Hide the Run as Administrator option from the Windows shortcut menu.
Display a message box requiring a reason for Self-Elevation from the user - Prompt users to provide a reason when they self-elevate. Set the content and dimensions of the message in the Self-Elevation Message Settings.

Self-Elevation File Associations

Configure a list of file types and associated applications that users can open with elevated or administrative privileges. When a user right-clicks a file, Application Control performs the following checks to determine whether the user can elevate the application associated with the file:

Is the file type on the file associations list?
No - the file cannot be self-elevated.
Yes - check the associated application.

Is there an associated application?
No - the file is self-elevated using the associated application on the user's endpoint.
Yes - the file can be self-elevated only if opened with the application specified in the file associations list.

If the application can be self-elevated, a corresponding option is available from the shortcut menu and the user accesses the application with elevated privileges. If a user changes a default program to one that differs to the associated application set in the configuration, the self-elevation option is no longer available from the shortcut menu.

Update File Associations

1. In the Manage ribbon, click Advanced Settings and select the Self-Elevation File Associations tab.
2. Update the list of extensions and associated applications using the Add and Remove buttons. Any file extension can be added.

The following extensions are included by default:

File Extension    Associated Application
EXE
BAT
CMD
VBS               wscript.exe
WSF               wscript.exe
VBE               wscript.exe
MSI               msiexec.exe
MSP               msiexec.exe
PS1               powershell.exe
MSC               mmc.exe
REG               regedit.exe

Self-Elevation Message Settings

Configure the content and dimensions of the message that displays when a user requests self-elevation. The messages are displayed if the "Display a message box requiring a reason for Self-Elevation from the user" option is selected in the Self-Elevation options.

1. In the Global Settings ribbon, select Message Settings.
2. Select the Self-Elevation tab.
3. In the Name field, enter the text to display for the self-elevation shortcut menu option. The menu option is displayed when a user right-clicks a file with an extension on the Self-Elevation file associations list.
4. Configure the caption, content, and dimensions for the message that displays when a user requests self-elevation.
5. Click OK.

Application Network Access Control

Application Network Access Control (ANAC) provides the ability to control outbound network connections by IP Address, Host name, URL, UNC, or Port, based on the outcome of the rules processing. For example, access based on location of requestor - connecting through VPN or directly to network.

Application Network Access Control is designed to control access within a company network infrastructure. This control is achieved by intercepting application requests made through the WINSOCK layer.

Network Connection Items can be created individually or as part of a Group. Groups and Items can be applied to any rule in Allowed Items to allow access or in Denied Items to deny access. Application Control intercepts and blocks network access if requests are made to denied network resources. The execution of applications is not controlled. Access is allowed to all network resources until actively denied.

Network Connection Items

Network Connection Items can be created for any network resource and can be added to a configuration in the following ways:

Directly to a Rule - Adding single Network Connection Items to Allowed and Denied Item lists is advantageous when a more granular level of control is required, or when only a few items are required. However, using this method could prove time consuming.
Assign to Group - Duplicate Network Connection Items are not allowed in the same Group.
Copy and Paste - Network Connection Items can be cut, copied, or dragged and dropped between rules.

There are no default Network Connection Items in a configuration. The full path of the Network Connection Item cannot exceed 400 characters.

Add a Network Connection

Connection Type
Select one of the following types:
IP Address - Select to control access to a specific IP Address.
Network Share - Select to control access to UNC paths. The prefix \\ is added to the Host field.
Host Name - Select to control access to a specific Host Name.

Connection Options
The combined number of characters for all three fields, Host, Port and Path must not exceed 400.

Host
The IP Address or Host Name for the network connection. This depends on the type of connection selected. The ? and * wildcards can be used. Additionally, ranges can be used for IP Addresses, which are indicated by use of a hyphen (-). An IP Address must be in IPv4 dotted-octet format, for example, n.n.n.n. If Network Share is selected as the connection type, the \\ prefix is required.

The full path for the target resource can be entered in Host. Example: Enter http://server1.company.local:80/resource1/ in the Host field. Move focus away from Host and the path is automatically split into the separate connection options: http:// is removed from the Host field and server1.company.local remains; : is removed and 80 is moved to Port; /resource1/ is moved to Path. This allows a full path to be copied and pasted with ease.

Port
The port number of the network connection. This can be used in combination with IP Address or Host Name to control access to a specific port. Ranges and comma separated values are allowed as a part of the port number. Click Common Ports to display a list of commonly used ports. Select as many ports as required.

Path
The path of the network connection. The ? and * wildcards can be used. The Path is only relevant for controlling HTTP and
Text contains wildcard characters - Select to use the characters ? and * as wildcards in the Path. If not selected, ? and * are treated as URL delimiters.
Use Regular Expressions - Select this option to use regular expressions for the selected path.
Include subdirectories - Select to include subdirectories in the rules processing. Only applicable if the connection type Network Share is selected.

Description
Enter a meaningful description to describe the network connection.
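The Host, Port and Path field rules above, worked through as an added example (this is illustrative code, not the product's own implementation): the automatic split of a pasted full path, ? and * wildcards, hyphenated IPv4 ranges, comma-separated port lists, the 400-character limit, and the documented default of allowing every resource until a Denied item matches. The Denied Items, the class and function names, and the sample requests are all constructed for illustration.

```python
"""Added example, not the product's own code: a model of the Network Connection
Item fields (Host/Port/Path splitting, ? and * wildcards, IPv4 ranges, port
lists and the 400-character limit) applied to outbound requests."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

MAX_ITEM_LENGTH = 400   # Host + Port + Path may not exceed this (from the guide)
_IPV4_RANGE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})$")


def split_connection(text):
    """Split a pasted full path into the Host, Port and Path fields, as the
    console does when focus leaves Host; for example
    "http://server1.company.local:80/resource1/" gives
    ("server1.company.local", "80", "/resource1/")."""
    parts = urlsplit(text if "://" in text else "//" + text)
    host, port, path = parts.hostname or "", str(parts.port or ""), parts.path
    if len(host) + len(port) + len(path) > MAX_ITEM_LENGTH:
        raise ValueError("Host, Port and Path together exceed 400 characters")
    return host, port, path


def _wildcard_match(pattern, value):
    """? matches one character and * any run; everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def host_matches(pattern, host):
    """Host field: wildcards, or an IPv4 range written a.b.c.d-e.f.g.h."""
    m = _IPV4_RANGE.match(pattern)
    if m:
        try:
            addr = ipaddress.IPv4Address(host)
        except ipaddress.AddressValueError:   # a host name never falls in a range
            return False
        return ipaddress.IPv4Address(m[1]) <= addr <= ipaddress.IPv4Address(m[2])
    return _wildcard_match(pattern, host)


def port_matches(pattern, port):
    """Port field: empty matches any port; otherwise comma-separated values
    and hyphenated ranges such as "80,443,8000-8080"."""
    if not pattern:
        return True
    for part in pattern.split(","):
        low, _, high = part.strip().partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


@dataclass
class NetworkConnectionItem:
    host: str
    port: str = ""
    path: str = ""
    path_has_wildcards: bool = False   # "Text contains wildcard characters"
    path_is_regex: bool = False        # "Use Regular Expressions"

    def __post_init__(self):
        if len(self.host) + len(self.port) + len(self.path) > MAX_ITEM_LENGTH:
            raise ValueError("Host, Port and Path together exceed 400 characters")

    def matches(self, host, port, path=""):
        if not host_matches(self.host, host) or not port_matches(self.port, port):
            return False
        if not self.path:
            return True
        if self.path_is_regex:
            return re.fullmatch(self.path, path) is not None
        if self.path_has_wildcards:
            return _wildcard_match(self.path, path)
        return path == self.path   # without the option, ? and * are plain URL text


def is_denied(denied_items, host, port, path=""):
    """Access is allowed to every network resource until a Denied item matches."""
    return any(item.matches(host, port, path) for item in denied_items)


# Constructed Denied Items for illustration (not taken from the guide).
DENIED = [
    NetworkConnectionItem("10.0.0.1-10.0.0.50", port="21"),
    NetworkConnectionItem("*.company.local", port="80,443", path="/admin/*",
                          path_has_wildcards=True),
]
```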

Add a Network Item Directly to a Rule

Network Items can be added to any Allowed Items or Denied Items node. For example, a Network Connection Item is set up for an IP Address. The Network Connection Item is assigned to Denied Items in a Group Rule. The group members of that rule will not have access to any network resources with that IP Address.

1. Navigate to the required node, for example, Denied Items or Allowed Items for a specific user group.
2. From the Rule Items ribbon, select Add Item > Denied (or Allowed) > Network Connection Item. The Add a Network Connection dialog displays.
3. Fill in the details of the connection type.
4. Click Add.

Edit a Network Connection Directly in a Rule

1. Navigate to the Rule node in the navigation tree where the Network Connection Item to be amended is located.
2. The relevant work area displays.
3. Click on the Network Connection Item to be amended, listed under Network Connections.
4. Select Edit Network Connection on the Rule Items ribbon.
5. The Edit a Network Connection dialog displays.
6. Make the required amendments.
7. Click OK to save the changes and close the dialog.

Assign a Network Connection Item to a Group

1. Navigate to the Group Management node.
2. Select the group to which to add the Network Connection Item in the navigation tree.
3. Right-click within the work area and select Add > Network Connection. The Add a Network Connection dialog displays.
4. Specify the Network Connection details and click Add.

Edit a Network Connection Item in a Group

1. Navigate to the relevant Group in the navigation tree. The Group Management work area displays.
2. Select the Network Connection Item to be amended, listed under Network Connections.

3. Select Edit Item on the Groups ribbon. The Edit a Network Connection dialog displays.
4. Make the required amendments.
5. Click OK to save the changes and close the dialog.

Application Network Access Control and Reverse DNS Lookup

The Application Network Access Control feature can use reverse DNS lookups when evaluating Network Connection rules. The feature is turned off by default, as the time it takes to retrieve this information from DNS servers may degrade the performance of network applications. Enabling this feature ensures the network rules are more effective in situations when users or applications make requests for network resources using IP addresses when the configuration is based upon host names.

The reverse DNS lookups can be enabled by configuring a set of engineering keys. This feature requires an administrator to enable and configure Reverse DNS Zones on the DNS servers. For further information, refer to the Application Control Engineering Settings Guide.

Configure Reverse DNS Lookup Entries

If using the engineering keys to configure reverse DNS lookup entries, only add IP Addresses that are within the company network infrastructure to the relevant engineering key.

Endpoint Configuration Merging

Endpoint Configuration Merging uses the Application Control Agent to combine multiple AAMP configuration files, saved on one endpoint, into a single configuration. Attributes such as group, user, custom and other rule types along with application and policy libraries from each configuration are added to the merged configuration.

The merge is done by adding the individual configurations to a directory on the endpoint and specifying, in a manifest file, the configurations which are to be merged. The Agent monitors the merge directory and automatically merges configurations when a manifest file is added to the directory.

Endpoint Configuration Merging allows different areas of a business to work independently on a particular area of a configuration, which can then be merged to create a single configuration.

System Center Configuration Manager Integration is not supported in Endpoint Configuration Merging.

Merge Components

Base Components
Every merge must have a base configuration - this is the first configuration in the merge onto which the other configurations are added. A merged configuration takes the global attributes such as Message Settings, Auditing, and any Default settings, from the base configuration. It is therefore essential that the settings that are not merged are defined in the base.

By default, the base configuration is set as the AAMP file that is created when a live configuration is saved on an endpoint:
%PROGRAMDATA%\AppSense\Application Manager\Configuration\configuration.aamp

However, any configuration in the merge can be set as the base configuration. Only AAMP files which are at the latest version can be included in a merge.

Component Configurations
A merged configuration is made up of a base configuration and one or more component configurations. Component configurations are AAMP files that are added to the base configuration during a merge. To be part of a merge, component configurations must be stored in the MergeConfigs directory.

MergeConfigs Directory
This directory is where component configurations for merging are stored and where a merge is triggered when a valid manifest is detected. When you start the AMAgentService on an endpoint, the MergeConfigs directory is created:
%PROGRAMDATA%\AppSense\Application Manager\MergeConfigs

This directory is secured so only administrators can write to it. This ensures that end users cannot affect the merge configurations.

ManifestGen Tool
Application Control includes a command line tool to assist when merging configurations and snippets. The ManifestGen tool creates the XML manifest file used to define and trigger a configuration merge. The XML file contains details of the AAMP files to be merged and can dictate whether the system configuration.aamp or a component configuration is used as the base in the merge.

To make using the tool easier, add its location to Advanced System Properties > Environment Variables > Path:
%PROGRAMFILES%\AppSense\Application Manager\Console\ManifestGen.exe

Manifests
The manifest is an XML file that includes details of the configurations to be merged and dictates whether or not the base configuration is included. The manifest initiates the merge when detected in the MergeConfigs directory - if detected by the agent, the merge begins. Manifests are created using the ManifestGen command line tool.

The table below shows the attributes and tags which make up a manifest XML file:

MergeManifest - The root node of the configuration.

MergeFiles - The container tag for the list of AAMP files that are to be included in the merge.

FileEntry - Identifies a configuration to be included in the merge.

Name - The file must be present in the MergeConfigs directory to be included in a merge.

UseSystemBase - UseSystemBase is set to "true" by default if not present in the manifest. It can be set to "true" or "false", and instructs to either include or exclude the default Configuration.aamp in the merge. This is the live Configuration.aamp file found in %ProgramData%\AppSense\Application Manager\Configuration\configuration.aamp. If set to "true", the base configuration must already be present on endpoints when the manifest is deployed, otherwise the merge will fail. If set to "false" the first configuration in the MergeFiles list is used as the base configuration unless otherwise defined by the BaseConfig attribute.

WaitForConfigs - Determines the behavior when a manifest.xml is detected in the MergeConfigs directory and not all named configurations are present. Can be set to:
True - This is the default setting if it is not already present in the manifest. The merge will wait indefinitely until all configurations referenced in the manifest are present and then complete the merge. This is ideal if you are deploying the manifest with the configurations and you cannot be sure in what order they will be added to the directory. For example, when you are using an MSI.
False - The merge will fail if a manifest is detected in the MergeConfigs directory which references a configuration which is not present.
If you are using an installer, such as an MSI, to push out configurations and a manifest to endpoints, it is recommended that you set this to "true" as you cannot guarantee in what order the configurations and manifest will be added. This does not apply if using the SystemBase Configuration.aamp file. If the manifest merge is triggered and the Configuration.aamp is not present, the merge will fail - it will not wait for the base

Checksum (Optional) - An MD5 checksum unique to an AAMP file. If included in the manifest, the AAMP file in the MergeConfigs folder must have the same checksum to be included in the merge. Base configurations are not referenced by a checksum.

Create a Manifest

1. Save the configurations you want to be merged in the MergeConfigs directory:
%PROGRAMDATA%\AppSense\Application Manager\MergeConfigs
2. Open the Command Line Interface.
3. Enter cd %programdata%\appsense\application Manager to change the directory.

4. Enter manifestgen "C:\ProgramData\AppSense\Application Manager\MergeConfigs\*.aamp".
If you run manifestgen in the MergeConfigs folder, the agent picks up the manifest as soon as it is created and immediately starts the merge.

If successful, a merge_manifest.xml file is created in:
%PROGRAMDATA%\AppSense\Application Manager
The manifest can now be used to trigger the merge and create a configuration.

If a merge_manifest.xml already exists in the output directory, the tool fails and a new manifest is not created - the current one is not overwritten.

Additional Commands

-o - Output file - Specify where the merged configuration is generated, for example, manifestgen "C:\ProgramData\AppSense\Application Manager\MergeConfigs\*.aamp" -o C:\Configs creates a manifest that will create a merged configuration in the Configs folder on the C drive.

-b - Base configuration - Identify the base configuration and exclude the system base configuration. For example, manifestgen "C:\ProgramData\AppSense\Application Manager\MergeConfigs\*.aamp" -b Config1.aamp creates a manifest that will create a merged configuration with Config1.aamp set as the base configuration.

-nc - No checksum entries - By default, each configuration listed in the manifest has an MD5 checksum which allows unique identification of a configuration. If the checksum in the manifest does not match that of the configuration the merge will fail. Using the -nc suffix with the ManifestGen tool will not list checksums in the manifest and means that merges will succeed if the configuration file names are correct, regardless of the checksum value. For example: manifestgen "C:\ProgramData\AppSense\Application Manager\MergeConfigs\*.aamp" -nc

-nw - The default behavior when a manifest is added to the MergeConfigs directory is to wait indefinitely until all configurations in the manifest are present and then perform the merge. However, the merge does not wait when a base config and layer is missing and will fail immediately. Using the -nw suffix, a merge will fail if the configurations listed are not present when the manifest is added to the MergeConfigs directory. For example: manifestgen "C:\ProgramData\AppSense\Application Manager\MergeConfigs\*.aamp" -nw
If the manifest lists five configurations and only four are present when the manifest is added to the MergeConfigs directory, the merge will fail. If you are using an installer, such as an MSI, to push out configurations and manifests to endpoints, it is recommended that you do not use this suffix as you cannot guarantee in what order the configurations and manifests will be added.

Edit a Manifest

Once created, a manifest file can be edited to change attributes such as the base configuration and the order in which the merge should take place. Although manifests can be edited and created in a text editor, it is recommended that you use the ManifestGen tool because it ensures the merge_manifest.xml file is in the correct format. If, for example, you have an "&" in a file name, the ManifestGen tool will escape this to make sure it is a valid XML file.

For example, the command:
manifestgen "C:\ProgramData\AppSense\Application Manager\MergeConfigs\*.aamp" -b mergeconfigs\config3.aamp
creates a manifest in which the system base configuration is not included and config3.aamp is set as the base.

<MergeManifest UseSystemBase="false" WaitForConfigs="true">
  <MergeFiles>
    <FileEntry Name="config3.aamp" BaseConfig="true" Checksum="e899e0f9a5afee4eb502072a61c2e" />
    <FileEntry Name="config2.aamp" Checksum="e899e0f9a5afef5e4eb502072ac2e0" />
    <FileEntry Name="config1.aamp" Checksum="b50576a6d743cf361c37b64bcaca75" />
  </MergeFiles>
</MergeManifest>

To edit the manifest, open the manifest in a text editor, make the required changes and save the file. In this example, UseSystemBase is set to "true" and the BaseConfig="true" attribute has been removed from config3.aamp. The order of the merge has also been changed.

<MergeManifest UseSystemBase="true" WaitForConfigs="true">
  <MergeFiles>
    <FileEntry Name="config1.aamp" Checksum="b50576a6d743cf361c37b64bcaca75" />
    <FileEntry Name="config2.aamp" Checksum="e899e0f9a5afef5e4eb502072ac2e0" />
    <FileEntry Name="config3.aamp" Checksum="e899e0f9a5afee4eb502072a61c2e" />
  </MergeFiles>
</MergeManifest>

When merged, the system base configuration.aamp file is included in the merge as the base configuration and the order in which the component configurations are merged onto the base is reversed.

Setting BaseConfig="true" for a configuration and UseSystemBase="true" in the same manifest will cause a conflict and the merge will fail.

Empty Manifest

Adding an empty manifest to the MergeConfigs directory automatically merges all AAMP configurations within that directory. It will merge all configurations in alphabetical order and set the base as the configuration.aamp found in:
%ProgramData%\AppSense\Application Manager\Configuration
If this AAMP is not present, the merge will fail.

To create an empty manifest, open a new file in a text editor, create a zero-byte file and save it as merge_manifest.xml.

The same merge can be achieved using a manifest that, whilst not totally empty, does not include details of the AAMP files to be merged:

<MergeManifest UseSystemBase="true" WaitForConfigs="true">
</MergeManifest>

This provides the same results as a blank manifest but allows you to use the UseSystemBase attribute. If you set this to "false" the merge will use the configuration which is first alphabetically in the MergeConfigs directory as the base.

Merging Configurations

Once you have created a manifest and have your configurations on your endpoints in place for merging, you can trigger the merge and create a new configuration.

A merge is triggered when a merge_manifest.xml is detected in the MergeConfigs directory, which should contain all the configurations you want to merge. If the manifest lists configurations that are not in the MergeConfigs directory, the merge is delayed until all configurations are present. Using the -now tag, a manifest can be created that fails the merge if any listed configuration is not present.

Successful Merges

If the manifest is correct and the configurations listed are present in the MergeConfigs directory, the merged_configuration.aamp is created and used as the live configuration on endpoints. In addition to the new configuration (merged_configuration.aamp), a copy of the successful manifest (last_merge_manifest.xml) is added to the folder to provide a record of the merge and a backup of the manifest. The original merge_manifest.xml file is deleted when the merge is complete.

The configuration.aamp file is not altered during a merge and is no longer used by the agent unless it is updated or the Merged_Configuration.aamp is not present.

Unsuccessful Merges

If an error occurs during the merge, it fails and a new configuration file is not created. Merges can fail if:

- The checksums specified in the manifest do not match those of the actual configurations and WaitForConfigs is set to "false".
- The manifest includes the -now command and one or more configurations listed in the manifest are not present in the MergeConfigs directory when it is added.
- Friendly names are the same in two of the configurations being merged.
- UseSystemBase is set to "true" and a base Configuration.aamp is not present when the merge is triggered.
- The manifest is invalid.
- One or more configurations are corrupt.

Following an unsuccessful merge, the merge_manifest.xml file is deleted and a copy of the unsuccessful manifest (failed_merge_manifest.xml) is added to the directory.

Further details about merge errors can be found in Windows Event Viewer (select Windows Log > Applications). The event shows the reason for the failure and which configuration is causing the merge to fail.

Page 238 of 344
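The conditions above can be checked before a manifest is dropped into MergeConfigs. The following Python is an added example written for this guide, not Application Control's own merge code: plan_merge() parses a merge_manifest.xml and reports whether a merge would run, be delayed or fail under the rules given in Edit a Manifest, Empty Manifest and Unsuccessful Merges (UseSystemBase/BaseConfig conflict, missing or mismatched files with WaitForConfigs "true" or "false", duplicate friendly names, missing system base, invalid XML). Three things are assumptions because the guide does not specify them: the checksum algorithm (MD5 here), the treatment of a checksum mismatch while WaitForConfigs is "true" (treated as a delay), and the friendly names, which the caller supplies because the AAMP format is not described.

```python
"""Added example: check a merge_manifest.xml against a MergeConfigs directory
using the merge rules described in this guide (not Application Control's code)."""
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# System base configuration under %ProgramData%\AppSense\Application Manager\Configuration
SYSTEM_BASE = "configuration.aamp"


@dataclass
class MergePlan:
    status: str = "ok"                                  # "ok": merge runs; "wait": delayed; "fail": no output
    reasons: List[str] = field(default_factory=list)
    base: Optional[str] = None
    order: List[str] = field(default_factory=list)      # component configurations, in merge order

    def mark(self, status: str, reason: str) -> None:
        """Record a condition; "fail" outranks "wait", which outranks "ok"."""
        rank = {"ok": 0, "wait": 1, "fail": 2}
        if rank[status] > rank[self.status]:
            self.status = status
        self.reasons.append(reason)


def checksum(data: bytes) -> str:
    # Assumption: the guide does not name the checksum algorithm; MD5 hex is used here.
    return hashlib.md5(data).hexdigest()


def plan_merge(manifest_xml: str, merge_dir: Dict[str, bytes], system_base_present: bool,
               friendly_names: Optional[Dict[str, Set[str]]] = None) -> MergePlan:
    """Decide what the agent would do with this manifest.

    merge_dir maps each AAMP file name in MergeConfigs to its bytes.
    friendly_names maps file name -> rule friendly names it contains (constructed by the
    caller; the AAMP format itself is not described in the guide)."""
    plan = MergePlan()
    try:
        root = ET.fromstring(manifest_xml)
    except ET.ParseError as exc:
        plan.mark("fail", f"invalid manifest: {exc}")
        return plan
    if root.tag != "MergeManifest":
        plan.mark("fail", "invalid manifest: root element is not MergeManifest")
        return plan

    use_system_base = root.get("UseSystemBase", "true").lower() == "true"
    wait_for_configs = root.get("WaitForConfigs", "true").lower() == "true"   # "false" == -now
    entries = root.findall("./MergeFiles/FileEntry")
    aamps = sorted(n for n in merge_dir if n.lower().endswith(".aamp"))

    if use_system_base and not system_base_present:
        plan.mark("fail", "UseSystemBase is true but the base configuration.aamp is not present")

    if not entries:
        # Empty manifest: every AAMP in MergeConfigs is merged in alphabetical order.
        if use_system_base:
            plan.base, plan.order = SYSTEM_BASE, aamps
        elif aamps:
            plan.base, plan.order = aamps[0], aamps[1:]
        else:
            plan.mark("fail", "no AAMP files in MergeConfigs")
        return plan

    names = [e.get("Name", "") for e in entries]
    bases = [n for n, e in zip(names, entries) if e.get("BaseConfig", "false").lower() == "true"]
    if use_system_base and bases:
        plan.mark("fail", 'BaseConfig="true" and UseSystemBase="true" in the same manifest')

    for name, entry in zip(names, entries):
        if name not in merge_dir:
            # -now fails immediately; otherwise the merge waits for the file to arrive.
            plan.mark("wait" if wait_for_configs else "fail", f"{name} is not present")
            continue
        expected = entry.get("Checksum", "")
        if expected and checksum(merge_dir[name]) != expected.lower():
            # Assumption: with WaitForConfigs="true" a mismatched file counts as not yet delivered.
            plan.mark("wait" if wait_for_configs else "fail", f"checksum mismatch for {name}")

    # Friendly names must be unique across the configurations being merged.
    seen: Dict[str, str] = {}
    for name in names:
        for friendly in sorted((friendly_names or {}).get(name, set())):
            if friendly in seen:
                plan.mark("fail", f"friendly name {friendly!r} appears in {seen[friendly]} and {name}")
            seen.setdefault(friendly, name)

    # Assumption: without -b and without the system base, the first listed file is the base.
    plan.base = SYSTEM_BASE if use_system_base else (bases[0] if bases else names[0])
    plan.order = [n for n in names if n != plan.base]
    return plan
```

Corrupt configurations, the last failure cause in the list, are not modelled because detecting them depends on the AAMP format.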

Merge Behaviors

The table below lists the configuration attributes that are merged and explains their behavior.

Rules (Group, User, Scripted, Custom, Device and Process) - Merged: Yes
    The merged configuration contains all the Rules from each of the separate configurations. If two rules that affect the same application exist in the same trigger, they run in parallel. The contents of individual rules are not merged.

Application Groups - Merged: Yes
    The merged configuration contains all Application Groups from the configuration layers. Application Groups remain unique to the non-base configuration and are all merged into the final merged configuration.

URM Policies - Merged: Yes
    The merged configuration contains all URM Policies from the configuration layers. URM Policies remain unique to the non-base configurations and are all merged into the final merged configuration.

Auditing - Merged: No
    The events from the base are used in the merged configuration, whilst the events from the component configurations are ignored.

Engineering Keys - Merged: No
    Merged configurations inherit their Engineering Keys from the base configuration. Settings from any component configuration in the merge are discarded. It is therefore important that the Engineering Keys you require in the merged configuration are added to the base configuration.

Default Options - Merged: No
    Merged configurations inherit their Default Options from the base configuration, for example Enabling User Privilege Management. Settings from any component configuration in the merge are discarded. It is therefore important that the Default Options you require in the merged configuration are added to the base configuration.

Message Settings - Merged: No
    Merged configurations inherit their Settings from the base configuration, for example the message a user sees when self-elevating an item. Settings from any component configuration in the merge are discarded.

Archive Settings - Merged: No
    Merged configurations inherit their Archive Settings from the base configuration, for example Enabling archiving. Settings from any component configuration in the merge are discarded.

Page 239 of 344

Privilege Discovery Mode Configurations - Merged: No
    Merged configurations inherit their Privilege Discovery Mode Settings from the base configuration, for example hidden applications and files. Settings from any component configuration in the merge are discarded.

URL Redirection Setting - Merged: No
    Merged configurations inherit any URL Settings from the base configuration, for example configured connection types or IP ranges. Settings from any component configuration in the merge are discarded.

Audit Event Filtering Settings - Merged: No
    Merged configurations inherit their Audit Event Filtering Settings from the base configuration. Settings from any component configuration in the merge are discarded.

Live Configuration Rules

When a live configuration is opened or saved on an endpoint, it refers to:

    %ProgramData%\AppSense\Application Manager\Configuration\configuration.aamp

To allow for configuration merging, the live configuration can also refer to:

    %ProgramData%\AppSense\Application Manager\Configuration\Merged_Configuration.aamp

The agent monitors the %ProgramData%\AppSense\Application Manager\Configuration directory for new configurations. When a change is detected, the agent loads a new configuration using the following order of precedence:

1. Merged_Configuration.aamp
2. configuration.aamp

If a Merged_Configuration.aamp exists in the directory, it is the live configuration. If it is removed, the agent continues to use the in-memory version; it does not switch to the configuration.aamp file until the agent is restarted.

Live Configuration Update Behavior

The BaseConfigMergeBehavior engineering key allows you to define how the live configuration is affected when a Configuration.aamp file is pushed out to endpoints by the Management Center or another deployment method.

Page 240 of 344

By defining the BaseConfigMergeBehavior engineering key, you can modify the live configuration behavior:

- Remerge - When the configuration is detected on an endpoint by the agent, a merge based on the last_merge_manifest.xml is triggered and includes the new configuration.aamp. The merge creates a new Merged_Configuration.aamp, which replaces the current live configuration. A last_merge_manifest.xml must be present, otherwise the merge fails.
- Replace - When the configuration is detected on an endpoint by the agent, it replaces the Merged_Configuration.aamp as the live configuration. Following the successful deployment of the new Configuration.aamp, the Merged_Configuration.aamp is deleted from the directory.

Endpoint Configuration Merging Auditing Events

New auditing events for Configuration Endpoint Merging have been added to Application Control. When viewed in Windows Event Viewer (select Windows Log > Applications), the events provide further details, such as what has caused a merge failure.

Page 241 of 344
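The precedence rules in Live Configuration Rules and the two BaseConfigMergeBehavior values above, modelled as a small state machine. This is an added example written for this guide, not the agent's code: Agent.on_change() applies the order of precedence and keeps the in-memory configuration when Merged_Configuration.aamp is removed, Agent.restart() shows the only way back to configuration.aamp, and Agent.push_base_config() applies Remerge (which needs last_merge_manifest.xml) or Replace. The merge itself is not performed, and loading a newly pushed configuration.aamp as live when no merged file exists is an assumption.

```python
"""Added example: model the agent's live-configuration precedence and the
BaseConfigMergeBehavior engineering key (not Application Control's code)."""
from dataclasses import dataclass, field
from typing import Optional, Set

# Files the agent watches in %ProgramData%\AppSense\Application Manager\Configuration
MERGED = "Merged_Configuration.aamp"
BASE = "configuration.aamp"
LAST_MANIFEST = "last_merge_manifest.xml"


@dataclass
class Agent:
    directory: Set[str] = field(default_factory=set)    # files currently in the Configuration directory
    live: Optional[str] = None                          # configuration held in memory
    merge_behavior: str = "Replace"                     # BaseConfigMergeBehavior engineering key

    def on_change(self) -> Optional[str]:
        """Apply the order of precedence when a change is detected: merged first, then base.
        Removing Merged_Configuration.aamp causes no fallback; the in-memory copy stays live."""
        if MERGED in self.directory:
            self.live = MERGED
        elif self.live is None and BASE in self.directory:
            self.live = BASE
        return self.live

    def restart(self) -> Optional[str]:
        """Only a restart lets the agent move from a removed merged file to configuration.aamp."""
        self.live = None
        return self.on_change()

    def push_base_config(self) -> str:
        """A new configuration.aamp is deployed (Management Center or other method)."""
        self.directory.add(BASE)
        if MERGED not in self.directory:
            # Assumption: with no merged file present the new base is loaded as live.
            self.live = BASE
            return "loaded"
        if self.merge_behavior == "Remerge":
            if LAST_MANIFEST not in self.directory:
                return "merge failed: last_merge_manifest.xml is not present"
            # The merge recorded in last_merge_manifest.xml is re-run with the new base;
            # its output replaces Merged_Configuration.aamp, which stays the live configuration.
            self.live = MERGED
            return "remerged"
        if self.merge_behavior == "Replace":
            self.directory.discard(MERGED)
            self.live = BASE
            return "replaced"
        raise ValueError(f"unknown BaseConfigMergeBehavior: {self.merge_behavior!r}")
```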

Endpoint Analysis

Endpoint Analysis (EPA) allows you to scan single or multiple endpoints to produce a list of the applications that are present on, and that have run on, a particular computer. Endpoint Analysis helps to simplify the creation of an appropriate Application Control configuration. This feature is used on demand and is inactive by default.

There are two ways to analyze the data on endpoints with the Application Control Agent installed:

- Endpoint Scans - Endpoint Analysis files for a given endpoint are stored on the computer that has the Application Control console installed, under C:\ProgramData\AppSense\Application Manager\EndpointAnalysis. The Endpoint Scan searches the endpoint for any applications that are present. These applications may have been officially installed by an administrator, or be an esoteric piece of virus-ridden freeware installed by an unsuspecting end user. The following directory and registry locations are scanned:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    Program Files
- Application Usage Scans - The Application Usage Scan is used to detect all applications in use on an endpoint. While an Application Usage Scan is in progress, every execute request is passed through for Endpoint Analysis processing once the standard Application Control rules checking has been performed on that request. The details of requests are held in memory; when the scan is stopped, all the request data is saved to file. If the endpoint is rebooted while a scan is in progress, for example if a user takes their laptop from the workplace and switches it on at home, the Endpoint Analysis runtime detects that it should be recording application usage and restarts the recording. This is done on agent startup.

An Endpoint Scan can take several minutes, because Application Control not only scans the Program Files folder and the registry keys, but also each dependent file and its digital signatures. Application Control records all this information.

During an Endpoint Scan, 100% of the CPU on the endpoint can be used. However, if user tasks need to be performed, the Application Control agent uses built-in smart scheduling technology to allow those tasks to take precedence over the scan itself, so the end-user perception of performance is unaffected.

Typically, the Endpoint Scan is run first to determine which applications are installed on the endpoint. This can be followed by the Application Usage Scan to track the applications that have been run on an endpoint over a period of time. By highlighting which applications are being used and which are not, unlicensed software can be identified, restricted and removed.

Before either scan is run, endpoints must be specified in the Endpoint Analysis tree.

Page 242 of 344

Endpoint Analysis Preparation

For Endpoint Analysis to function, the following must be in place:

- Application Control agent installed on the endpoint.
- License installed on the endpoint.
- Application Control configuration installed on the endpoint.
- Administrative share rights to the endpoint.
- Remote registry access to the endpoint.

Test that the Agent is Installed on the Endpoint

1. On the Start menu, select Control Panel.
2. Select Administrative Tools.
3. Double-click Services.
4. Locate the Application Control Agent.

Test that the License is Installed on the Endpoint

1. Launch the Registry Editor on the managed endpoint.
2. Locate the license under HKLM\Software\AppSense Technologies\Licensing.

Test that the Configuration is Installed on the Endpoint

Configurations are stored in the following location: C:\ProgramData\AppSense\ApplicationManager\Configuration. ProgramData is a hidden folder: open Explorer, type C:\ProgramData in the Address bar and press Enter to open the folder.

Test that the Endpoint has Admin Share Rights

1. Open Windows Explorer on the computer that has the Application Control console installed.
2. In the Address bar, enter \\<computername>\c$ and press Enter. If you can browse the folders, you have access rights. If not, you are prompted for user credentials that allow access.

Test that Remote Registry Access is Available

1. Open the Registry Editor on the computer that has the Application Control console installed.
2. Select File > Connect Network Registry.
3. The Select Computer dialog is displayed.

Page 243 of 344

4. Locate the computer and click OK. If you can see the registry keys, you have access.

On remote computers running Windows 7 and above, File Sharing and the Remote Registry Service are disabled by default and must be enabled:

5. Turn on File Sharing in Start > Control Panel > Network and Sharing Center.
6. Start the Remote Registry Service in Start > Control Panel > Administrative Tools > Services.

Working with Endpoint Analysis

This feature provides the ability to perform the Endpoint and Application Usage scans, and to show all loaded files (child processes) for scanned applications and any digital certificates for the discovered applications. It is recommended to include all loaded files in the configuration for an Accessible Item so that the application functions correctly. It is also useful to add any digital certificates to the Trusted Vendors in your configuration.

Add Endpoints

Endpoints must be specified before they can be scanned.

1. Click the Endpoint Analysis navigation button.
2. The Endpoint Analysis navigation tree displays.
3. From the Endpoint Analysis ribbon, click Add Endpoint and select one of the following:
   - Browse Deployment Group - The Select Management Server dialog displays. Navigate to the deployment group location and select the required endpoints.
   - Browse Domain / Workgroup - The Add Endpoints for Analysis dialog displays. Enter the name or IP address, or use the ellipsis (...) in the Computer field to select the required endpoints, and click Add.

The endpoint displays in the Endpoint Analysis navigation tree. Once added, an endpoint can be used in Endpoint Analysis.

To remove an endpoint, highlight it and click the Remove Endpoint button in the Endpoint Analysis ribbon.

Installed Applications Scans

Run scans on selected endpoints within a specified domain. The scan checks the following directories and registry locations:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    Program Files

Page 244 of 344

Once the scan is complete, a report is generated detailing the applications and files installed on the scanned endpoints. Other information, such as DLLs and digitally signed files that are spawned as a result of running an application executable, is also captured.

Run an Endpoint Scan

Perform an Endpoint Scan on endpoints where the Application Control Agent is installed.

1. Select the Endpoint Analysis navigation button. To run the Endpoint Scan, you must first add endpoints. For information, see Add Endpoints.
2. Select an endpoint and click Run Endpoint Scan. To scan all the endpoints within the selected domain, click Run Scan for all Endpoints.
3. The Endpoint Scan checks the following directories and registry locations:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    Program Files

The results of the Endpoint Scan display in the Installed Applications node, nested under the relevant endpoint. Details such as the Application Name, Application Description and Owner are available. For additional file information, use the following Endpoint Analysis ribbon buttons:

- Show Loaded Files - Displays details of other files that are loaded by applications.
- Show Digital Certificates - Displays details of certificates assigned to applications.

Application Usage Scans

Application Usage Scans detect all applications that run during the scan period and that have not been installed using Windows Installer technology (MSIs and MSPs), such as an executable that runs whilst extracting a ZIP file, in-house software, or Firefox. Start Application Usage scans at any time to monitor actively used applications while users are logged on to an endpoint. Stop the usage scan at any time to generate a report and save it as an XML data file. The data file contains details of applications used on scanned endpoints. Export the XML data file for archiving purposes or import the file to other endpoints.

For example, as data from scans is only available on the endpoint that ran the scan, another administrator can import the exported data file and use the data to create an Application Control configuration. Alternatively, the data file can be imported into the Rules Analyzer to troubleshoot the behavior of Application Control using the information contained in the data file. For information on configuring and analyzing rules, see About Rules Analyzer.

Run an Application Usage Scan

Perform an Application Usage Scan on a managed endpoint when a user is logged in.

Page 245 of 344

1. Click the Endpoint Analysis navigation button. The Endpoint Analysis navigation tree displays. To run the Application Usage Scan, you must first add endpoints. For information, see Add Endpoints.
2. In the navigation tree, select the endpoint to be scanned. The Endpoint Summary work area displays.
3. From the Endpoint Analysis ribbon, click Start Application Usage Scan. The Application Scan begins. The scan can run for as long as it takes you to collect the required data and can be stopped when enough data has been collected.
4. Click Stop Application Usage Scan to stop the scan and generate a report. The Save Report dialog displays.
5. Enter a name for the report and click OK to save the data file. The file is saved in XML format and created under the Recorded Data node for the selected endpoint.

Application Data

The application data can be seen in detail for both the Installed Applications Scan and the Application Usage Scan. You can select to display the associated loaded files or the digital certificates:

- Show Loaded Files - displays the Loaded Files dialog. Drag and drop any of the files to add them to the configuration.
- Show Digital Certificates - displays the Certificates dialog. Drag and drop any of the certificates to add them to any of the Trusted Vendors nodes in the configuration.

On occasion a duplicate certificate will be present, for example: Calc.exe loads Msvcrt.dll, Ntdll.dll and Msutil.dll. Calc.exe is signed with Microsoft Certificate A and Ntdll.dll is also signed with Microsoft Certificate A. Refer to the Signed File column to clearly identify which file has been signed with which certificate.

Export an Endpoint Analysis Data File

Export data files to be imported into other endpoints or the Rules Analyzer.

1. Select the endpoint from which the data file is to be exported.
2. From the Endpoint Analysis ribbon, click Export. The Export browser dialog displays.

Page 246 of 344

3. Select a location to save the file.
4. Click Save. The data file is saved to the selected location and can be imported into other Application Control consoles or the Rules Analyzer.

Add Files to Configurations

Use the results of Endpoint Analysis to add rules, for applications and files, to the Application Control configuration file. Drag and drop applications, files, DLLs or certificates into the Group Rules available from the Rules node, accessed from the Configuration navigation button.

If you drag and drop files into any of the Accessible or Prohibited Items lists, they are dropped in as files. If files are placed in Accessible Items, any associated loaded files are automatically included. If files are placed in Prohibited Items, any associated loaded files are not included; only the main application executable is.

To add a certificate to any of the Trusted Vendors, you can either drag and drop a file onto a Trusted Vendors node (if any certificates exist for that file, they are added), or select Show Digital Certificates on the Endpoint Analysis ribbon to display the Certificates dialog and then drag and drop from that dialog into the configuration.

When you drag and drop files into a configuration, the digital signature for the file is always copied over, as this is the most secure method of authenticating an application.

Page 247 of 344

Rules Analyzer

Standard auditing can be used to track unauthorized application usage or to track when users are overwriting or renaming applications. It is a simple mechanism to use and can function without interaction. The standard auditing mechanism advises you when, for example, an application has not been allowed to execute, but does not advise why this was the case. Therefore, an additional tool is required so you can analyze the rules base in real time and determine exactly why an application is or is not allowed to execute.

Rules Analyzer examines managed endpoints to collect information about how Application Control Rules are applied, and provides details of any inconsistencies or inaccuracies in rules as they are processed.

Rules Analyzer provides a graphical interface that can be used to manually troubleshoot and fine-tune Application Control configurations in real time anywhere across the enterprise. All that is required is a network link to a remote Application Control managed endpoint so the Rules Analyzer can connect to the agent software and start logging on the local endpoint. When the logging has completed, you can use the Rules Analyzer to automatically pull the log file across the network back to the computer where the analysis is occurring for investigation.

All logging information is held in XML format, and each execution request that the Application Control agent processed is listed along with the details of what occurred during processing, including whether the process was allowed to execute and the reason for the outcome.

Page 248 of 344

The Console

The Rules Analyzer is accessed from the navigation pane within the Application Control console and is used to create, retrieve and examine the log files. An Endpoint node allows you to control logging on a specific managed endpoint and to retrieve the log files. Below each Endpoint node is a node for each retrieved log file.

You can review a summary page, view all requests, or view the requests for a specific user. You can restrict the view to the denied or allowed requests. Within the analysis panel you can navigate to a specific request and view the full details of that request, including which rules were applied by Application Control.

You must be logged on with an account that has read and write access to the registry of any managed endpoint for which you wish to generate logs using Rules Analyzer, and read and write access to the local registry of the computer on which the console operates.

Prerequisites

Test that the following are in place:

The Application Control agent is installed on the endpoint.

Page 249 of 344

1. On the Start menu, select Control Panel.
2. Select Administrative Tools.
3. Double-click Services.
4. Locate the Application Control Agent.

A license is installed on the endpoint.

1. Launch the Registry Editor on the managed endpoint.
2. Locate the license under HKLM\Software\AppSense Technologies\Licensing.

An Application Control configuration is installed on the endpoint.

1. Configurations are stored in the following location:
2. Navigate to C:\ProgramData\AppSense\ApplicationManager\Configuration. ProgramData is a hidden folder: open Windows Explorer, type C:\ProgramData in the Address bar and press Enter to open the folder.

You have Admin share privileges on the endpoint.

1. Open Windows Explorer on the computer that has the Application Control console installed.
2. In the Address bar, enter \\<computername>\c$ and press Enter. If you can browse the folders, you have access rights. If not, you are prompted for user credentials that allow access.

Remote registry access is available on the endpoint.

1. Open the Registry Editor on the computer that has the Application Control console installed.
2. Select File > Connect Network Registry.
3. The Select Computer dialog is displayed.
4. Locate the computer and click OK. If you can see the registry keys, you have access.

On remote computers running Windows 7 and above, File Sharing and the Remote Registry Service are disabled by default and must be enabled to ensure Rules Analyzer can access or create log files:

1. Turn on File Sharing in Start > Control Panel > Network and Sharing Center.
2. Start the Remote Registry Service in Start > Control Panel > Administrative Tools > Services.

Set Up Logging for Rules Analyzer

The first requirement is to add an endpoint to the list of endpoints that the Rules Analyzer can interact with.

Add an Endpoint

Endpoints must be specified before rules are analyzed.

Page 250 of 344

1. Click the Rules Analyzer navigation button. The Rules Analyzer navigation tree displays.
2. From the Rules Analyzer ribbon, click Add Endpoint and select one of the following:
   - Browse Deployment Group - The Select Management Server dialog displays. Navigate to the deployment group location and select the required endpoints.
   - Browse Domain / Workgroup - The Add Rules Analyzer Endpoints dialog displays. Enter the name or IP address, or use the ellipsis (...) in the Computer field to select the required endpoints, and click Add.
3. The endpoint displays in the Rules Analyzer navigation tree. Once added, an endpoint can be analyzed by the Rules Analyzer.
4. To remove an endpoint, highlight it and click the Remove Endpoint button in the Rules Analyzer ribbon.

Start and Stop Logging

1. Select the endpoint in the navigation tree.
2. Select Start Logging on the Rules Analyzer ribbon.
3. When required, for example after you have recreated a problem on the endpoint, select Stop Logging on the Rules Analyzer ribbon. The File dialog is displayed.
4. Enter a name for the log file and click OK.
5. The XML file is displayed in the navigation tree.

Rules Analyzer files can be large, so this feature should only be used when a problem manifests itself and investigation is required.

Once you have created the log files, you can export or delete them by selecting the files and using the Export and Delete buttons in the Rules Analyzer ribbon. You can also import log files in XML format by selecting an endpoint and clicking Import in the Rules Analyzer ribbon.

Log Files

All log files for a given computer are stored on the local machine during logging and are temporarily held in the following location:

    C:\Documents and Settings\All Users\Application Data\AppSense\ApplicationManager\Rules Analyzer\RulesAnalyzerLog.xml

Page 251 of 344

When logging is stopped on the specific endpoint, the log file is closed and transferred to the computer that is running the Rules Analyzer, where it is stored in the cache for the endpoint in question. The cache is held in the following location:

    C:\Documents and Settings\All Users\Application Data\AppSense\ApplicationManager\Rules Analyzer\

The naming convention for the files is ComputerName^enteredname. For example:

    C:\Documents and Settings\All Users\Application Data\AppSense\ApplicationManager\Rules Analyzer\APPUKTECHPUBS2^Regedit.xml

The computer name is the name of the endpoint as it is entered in the user interface; therefore, if it is an IP address, the file is stored as IPAddress^enteredname.xml. The entered name is the name given to the XML file in the Rules Analyzer.

The Rules Analyzer console displays the information regarding execution requests in a number of ways to enable easy access to the details:

Log File Contents Summary

The Endpoint Summary page displays when you select a log file node in the navigation tree. It shows the number of requests processed by Application Control. The top row of the table shows the total number of requests for all users. The remaining rows show the number of requests for each user. The Total column shows the total number of requests, allowed and denied. The Allowed/Denied column shows the number of allowed or denied requests. Click any Total link to display the Log File Contents Request List. To export the log file in XML format, select Export on the Rules Analyzer ribbon. You can select View the requests by processing time on the Summary page to display a Request List page showing requests sorted with the longest running request first.

Log File Contents Request List

The Request List page displays a list of Application Control requests when you click a Total link in the Summary page. The requests are listed in the order in which they were processed by Application Control. Each request displays a green tick or a red cross to indicate whether the request was allowed or denied. Click a request link to display the Log File Contents Request Details.

Log File Contents Request Details

The Request Detail page displays details of a particular request when you click a request in the Request List page.

Page 252 of 344

The Request Detail page displays each rule applied by Application Control in processing the request. The rules are listed in the order applied. The last rule in the list determines the final result: allow or deny. The rule information includes links which, when selected, display popup messages providing explanations for the rule item.

Use the Return link at the top of the page to navigate to the previous page and the Summary link to return to the Summary page. The Back button on the console toolbar is for navigating the navigation tree.

Rules Analyzer Tasks

Common Rules Analyzer tasks include:

- Analyze a log file - To analyze a log file, select the log file node. The first page shown in the analysis work area is the summary page. You navigate inside the analysis panel by following links. Use the Return link at the top of the page to go back to the previous page.
- View requests for a specific user - To view the requests for a specific user, click one of the links in the table on the summary page. Click in the Total column to see all the requests for the user, or click in the Allowed column or the Denied column to see only the allowed or denied requests.
- Find requests that take a long time - To find requests that take a long time, click View the requests by processing time on the summary page. This shows the requests sorted with the longest running request first. The processing time shown is the elapsed time taken by the AppSense Application Control agent to process the request.

Page 253 of 344

Sample Scripting Reference

The following Visual Basic script examples show common operations that can be performed with the Application Control scripting interface.

Creating New Configurations

Create a new configuration and save to file

    'Create the configuration
    Dim Configuration
    Set Configuration = CreateObject("AM.Configuration.5")

    'Create the configuration helper
    Dim ConfigurationHelper
    Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

    'Load the default configuration
    Dim ConfigurationXml
    ConfigurationXml = ConfigurationHelper.DefaultConfiguration
    Configuration.ParseXML ConfigurationXml

    'Save the configuration to file
    ConfigurationHelper.SaveLocalConfiguration "C:\Configuration.aamp", Configuration.Xml

    Set ConfigurationHelper = Nothing
    Set Configuration = Nothing

Create a new configuration and save to live configuration

    'Create the configuration
    Dim Configuration
    Set Configuration = CreateObject("AM.Configuration.5")

    'Create the configuration helper
    Dim ConfigurationHelper
    Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

    'Load the default configuration
    Configuration.ParseXML ConfigurationHelper.DefaultConfiguration

    'Save the blank configuration as the live configuration
    ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

    Set ConfigurationHelper = Nothing
    Set Configuration = Nothing

Loading Live Configurations

Load configuration from file and save to file

    'Create the configuration
    Dim Configuration
    Set Configuration = CreateObject("AM.Configuration.5")

    'Create the configuration helper
    Dim ConfigurationHelper
    Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

    'Load the live configuration
    Dim ConfigurationXml
    ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
    Configuration.ParseXML ConfigurationXml

    'Save it back as the live configuration
    ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

    Set ConfigurationHelper = Nothing
    Set Configuration = Nothing

    'Create the configuration
    Dim Configuration
    Set Configuration = CreateObject("AM.Configuration.5")

    'Create the configuration helper
    Dim ConfigurationHelper
    Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

    'Load the configuration from file
    Dim ConfigurationXml

Page 254 of 344

    ConfigurationXml = ConfigurationHelper.LoadLocalConfiguration("C:\Configuration.aamp")
    Configuration.ParseXML ConfigurationXml

    'Save the configuration back to file
    ConfigurationHelper.SaveLocalConfiguration "C:\Configuration.aamp", Configuration.Xml

    Set ConfigurationHelper = Nothing
    Set Configuration = Nothing

Default Rules

Edit a default rules configuration

    'Create the configuration
    Dim Configuration
    Set Configuration = CreateObject("AM.Configuration.5")

    'Create the configuration helper
    Dim ConfigurationHelper
    Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

    'Load the live configuration
    Dim ConfigurationXml
    ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
    Configuration.ParseXML ConfigurationXml

    'Change two default rule options
    Configuration.DefaultRules.AllowCMDForBatchFiles = True
    Configuration.DefaultRules.ValidateSystemProcesses = False

    'Add a trusted owner to the configuration
    Dim TheTrustedOwner
    Set TheTrustedOwner = Configuration.CreateInstanceFromClassName("AM.TrustedOwner")
    TheTrustedOwner.DisplayName = "%COMPUTERNAME%\Guest"
    'Placeholder SID: substitute the account's actual SID for the Domain component
    TheTrustedOwner.SID = "S-1-5-Domain-501"
    Configuration.DefaultRules.TrustedOwners.Add TheTrustedOwner.Xml

    'Save the configuration as the live configuration
    ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

    Set ConfigurationHelper = Nothing
    Set Configuration = Nothing

The DefaultConfiguration( ) method only returns a configuration in the English language. This means that some group names and other text in the configuration may not be in the native language of the operating system, which can result in the configuration not being applied correctly. For non-English operating systems it is necessary to export the default configuration from the product console on a native operating system. This can be stored as a file on the network or distributed to the machine where the configuration scripting will be performed. Once this is done, use the LoadLocalConfiguration( ) method in place of DefaultConfiguration( ). This produces the same configuration, but in the correct native language.

Group Rules

Create a group rule

    'Create the configuration
    Dim Configuration
    Set Configuration = CreateObject("AM.Configuration.5")

    'Create the configuration helper
    Dim ConfigurationHelper
    Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

    'Load the live configuration
    Dim ConfigurationXml
    ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
    Configuration.ParseXML ConfigurationXml

    'Create the group rule
    Dim GroupRule

Page 255 of 344

Set GroupRule = Configuration.CreateInstanceFromClassName("AM.GroupRule")
GroupRule.DisplayName = "BUILTIN\Remote Desktop Users"
GroupRule.Name = GroupRule.DisplayName
GroupRule.SID = "S "
Set GroupRule = Configuration.GroupRules.Add(GroupRule.Xml)

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Edit a group rule

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Change the SID of the Everyone group
Configuration.GroupRules.Item("Everyone").SID = "S-1-1-0"

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete a group rule

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Create the group rule
Dim GroupRule
Set GroupRule = Configuration.CreateInstanceFromClassName("AM.GroupRule")
GroupRule.DisplayName = "BUILTIN\Remote Desktop Users"
GroupRule.Name = GroupRule.DisplayName
GroupRule.SID = "S "
Configuration.GroupRules.Add GroupRule.Xml

'Delete the rule
Configuration.GroupRules.Remove "BUILTIN\Remote Desktop Users"

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

User Rules

Create a user rule

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Create and add the new user rule
Dim UserRule
Set UserRule = Configuration.CreateInstanceFromClassName("AM.UserRule")
UserRule.DisplayName = "%COMPUTERNAME%\Guest"
UserRule.Name = UserRule.DisplayName
UserRule.SID = "S-1-5-Domain-501"
Configuration.UserRules.Add UserRule.Xml

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Edit a user rule

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Modify the user rule
Dim UserRule
Set UserRule = Configuration.UserRules.Item("%COMPUTERNAME%\Guest")
UserRule.SID = "S-1-5-Domain-501"

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete a user rule

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Remove the user rule
Configuration.UserRules.Remove "%COMPUTERNAME%\Guest"

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Device Rules

Create a device rule

' Constant definitions for the AM.HostType enumeration.
const AM_DeviceType_Computer = 0
const AM_DeviceType_ConnectingDevice = 1
const AM_DeviceType_Either = 2

' Constant definitions for the AM.HostNameType enumeration.
const AM_HostNameType_HostName = 0
const AM_HostNameType_IPAddress = 1

const AM_HostNameType_ComputerGroup = 2
const AM_HostNameType_OU = 3

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Create a device rule
Dim DeviceRule
Set DeviceRule = Configuration.CreateInstanceFromClassName("AM.DeviceRule")
DeviceRule.Name = "Device Rule (1)"
Configuration.DeviceRules.Add DeviceRule.Xml

'Add a device to the rule
Dim Device
Set Device = Configuration.CreateInstanceFromClassName("AM.Device")
Device.Host = "MyComputer"
Device.NameType = AM_HostNameType_HostName
Configuration.DeviceRules.Item("Device Rule (1)").Devices.Add Device.Xml

'Add another device to the rule (the IP address value is not preserved in this copy of the guide)
Dim AnotherDevice
Set AnotherDevice = Configuration.CreateInstanceFromClassName("AM.Device")
AnotherDevice.Host = "<IP address>"
AnotherDevice.NameType = AM_HostNameType_IPAddress
Configuration.DeviceRules.Item("Device Rule (1)").Devices.Add AnotherDevice.Xml
Configuration.DeviceRules.Item("Device Rule (1)").Devices.Item("<IP address>").HostType = AM_DeviceType_ConnectingDevice

'Add device using Computer Group
Dim ComputerGroupMembership
Set ComputerGroupMembership = Configuration.CreateInstanceFromClassName("AM.Device")
ComputerGroupMembership.Host = "CN=Finance,OU=Administration,OU=Corporate,DC=myDomain"
ComputerGroupMembership.NameType = AM_HostNameType_ComputerGroup
Configuration.DeviceRules.Item("Device Rule (1)").Devices.Add ComputerGroupMembership.Xml

'Add device using OU
Dim OUMembership
Set OUMembership = Configuration.CreateInstanceFromClassName("AM.Device")
OUMembership.Host = "OU=HR,OU=Administration,OU=Corporate,DC=myDomain"
OUMembership.NameType = AM_HostNameType_OU
Configuration.DeviceRules.Item("Device Rule (1)").Devices.Add OUMembership.Xml

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Edit a device rule

' Constant definitions for the AM.SecurityLevel enumeration.
const AM_SecurityLevel_Restricted = 0
const AM_SecurityLevel_SelfAuthorizing = 1
const AM_SecurityLevel_Unrestricted = 2
const AM_SecurityLevel_AuditOnly = 3

' Constant definitions for the AM.HostType enumeration.
const AM_DeviceType_Computer = 0
const AM_DeviceType_ConnectingDevice = 1
const AM_DeviceType_Either = 2

' Constant definitions for the AM.HostNameType enumeration.
const AM_HostNameType_HostName = 0
const AM_HostNameType_IPAddress = 1
const AM_HostNameType_ComputerGroup = 2

const AM_HostNameType_OU = 3

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Create a device rule
Dim DeviceRule
Set DeviceRule = Configuration.CreateInstanceFromClassName("AM.DeviceRule")
DeviceRule.Name = "Device Rule (1)"
Configuration.DeviceRules.Add DeviceRule.Xml

'Rename the rule and set its security level
Configuration.DeviceRules.Item("Device Rule (1)").Name = "My Device Rule"
Configuration.DeviceRules.Item("Device Rule (1)").SecurityLevel = AM_SecurityLevel_AuditOnly

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete a device rule

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Remove "Device Rule (1)"
Configuration.DeviceRules.Remove "Device Rule (1)"

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Scripted Rules

Create a scripted rule

' Constant definitions for the AM.ExecutionContext enumeration.
const AM_ExecutionContext_PerSessionAsUser = 0
const AM_ExecutionContext_PerSessionAsSystem = 1
const AM_ExecutionContext_PerComputerAsSystem = 2

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Create the scripted rule.
Dim ScriptedRule
Set ScriptedRule = Configuration.CreateInstanceFromClassName("AM.ScriptedRule")
ScriptedRule.Name = "Scripted Rule (1)"

Configuration.ScriptedRules.Add ScriptedRule.Xml

'Configure the script, its entry function, timeout and execution context
Configuration.ScriptedRules.Item("Scripted Rule (1)").WaitForLogin = True
Configuration.ScriptedRules.Item("Scripted Rule (1)").Script = "Function ScriptedRule()" & Chr(10) & "'Test scripted rule" & Chr(10) & "ScriptedRule=TRUE" & Chr(10) & "End Function"
Configuration.ScriptedRules.Item("Scripted Rule (1)").EntryFunction = "ScriptedRule"
Configuration.ScriptedRules.Item("Scripted Rule (1)").Timeout = 6
Configuration.ScriptedRules.Item("Scripted Rule (1)").Context = AM_ExecutionContext_PerSessionAsSystem

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Edit a scripted rule

' Constant definitions for the AM.ExecutionContext enumeration.
const AM_ExecutionContext_PerSessionAsUser = 0
const AM_ExecutionContext_PerSessionAsSystem = 1
const AM_ExecutionContext_PerComputerAsSystem = 2

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Create the scripted rule.
Dim ScriptedRule
Set ScriptedRule = Configuration.CreateInstanceFromClassName("AM.ScriptedRule")
ScriptedRule.Name = "Scripted Rule (1)"
Configuration.ScriptedRules.Add ScriptedRule.Xml

'Find the rule by name and change its timeout
Dim CurrentScriptedRule
For Each CurrentScriptedRule In Configuration.ScriptedRules
    If CurrentScriptedRule.Name = "Scripted Rule (1)" Then
        CurrentScriptedRule.Timeout = 7
    End If
Next

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete a scripted rule

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Remove the scripted rule.
Configuration.ScriptedRules.Remove "Scripted Rule (1)"

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing
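The device rule and scripted rule examples above set a SecurityLevel and an execution Context; the following script is an added example, not code from the product guide, that reviews the live configuration for both: scripted rules whose Context runs the script as SYSTEM, and device rules at any level other than Restricted, together with the hosts they match. It assumes DeviceRules and each rule's Devices collection enumerate with For Each in the same way the guide enumerates ScriptedRules.

```vbscript
' Added example, not part of the product guide: report the scripted rules and
' device rules of the live configuration that relax enforcement.
' Assumption: DeviceRules and Devices enumerate with For Each like ScriptedRules.
Option Explicit

' Enumeration values as documented in the guide.
Const AM_ExecutionContext_PerSessionAsUser = 0
Const AM_ExecutionContext_PerSessionAsSystem = 1
Const AM_ExecutionContext_PerComputerAsSystem = 2

Const AM_SecurityLevel_Restricted = 0
Const AM_SecurityLevel_SelfAuthorizing = 1
Const AM_SecurityLevel_Unrestricted = 2
Const AM_SecurityLevel_AuditOnly = 3

' Readable name for an AM.SecurityLevel value, used in the report lines.
Function SecurityLevelName(Level)
    Select Case Level
        Case AM_SecurityLevel_Restricted
            SecurityLevelName = "Restricted"
        Case AM_SecurityLevel_SelfAuthorizing
            SecurityLevelName = "Self-Authorizing"
        Case AM_SecurityLevel_Unrestricted
            SecurityLevelName = "Unrestricted"
        Case AM_SecurityLevel_AuditOnly
            SecurityLevelName = "Audit Only"
        Case Else
            SecurityLevelName = "Unknown (" & Level & ")"
    End Select
End Function

' Readable name for an AM.ExecutionContext value.
Function ContextName(Context)
    Select Case Context
        Case AM_ExecutionContext_PerSessionAsUser
            ContextName = "per session as the user"
        Case AM_ExecutionContext_PerSessionAsSystem
            ContextName = "per session as SYSTEM"
        Case AM_ExecutionContext_PerComputerAsSystem
            ContextName = "per computer as SYSTEM"
        Case Else
            ContextName = "unknown (" & Context & ")"
    End Select
End Function

Dim Configuration, ConfigurationHelper, ConfigurationXml, Findings
Set Configuration = CreateObject("AM.Configuration.5")
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
Findings = 0

' A scripted rule's Script is policy logic executed on the endpoint. In a
' SYSTEM context it runs with full privilege, so each such rule is listed
' with its entry function for the reviewer to inspect.
Dim ScriptedRule
For Each ScriptedRule In Configuration.ScriptedRules
    If ScriptedRule.Context = AM_ExecutionContext_PerSessionAsUser Then
        WScript.Echo "OK    scripted rule '" & ScriptedRule.Name & "' runs " & ContextName(ScriptedRule.Context)
    Else
        WScript.Echo "WARN  scripted rule '" & ScriptedRule.Name & "' runs " & _
            ContextName(ScriptedRule.Context) & ", entry function " & _
            ScriptedRule.EntryFunction & ", timeout " & ScriptedRule.Timeout
        Findings = Findings + 1
    End If
Next

' Any device rule that is not Restricted relaxes enforcement for the hosts,
' IP addresses, computer groups or OUs it matches.
Dim DeviceRule, Device
For Each DeviceRule In Configuration.DeviceRules
    If DeviceRule.SecurityLevel <> AM_SecurityLevel_Restricted Then
        WScript.Echo "WARN  device rule '" & DeviceRule.Name & "' is " & SecurityLevelName(DeviceRule.SecurityLevel)
        For Each Device In DeviceRule.Devices
            WScript.Echo "        matches " & Device.Host
        Next
        Findings = Findings + 1
    End If
Next

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

WScript.Echo Findings & " finding(s)"
If Findings > 0 Then WScript.Quit 1
```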

Browser Control

Add URL Redirection Item

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Application Manager configuration files have the aamp file extension. An aamp file contains several
'files which together make up the configuration. One of these is the ConfigurationXml, where all of
'AM's rules are configured; the other files play a smaller part in the configuration.
'The normal Load/Save routines create a new aamp file containing only the ConfigurationXml. The
'Load/Save routine pair used here overwrites the ConfigurationXml while leaving the other files in
'the aamp file unchanged.
'LoadLiveConfigurationHandleWithAuditing (and its LoadLocal... equivalent) returns the configuration
'xml as its return value and also passes back the Auditing xml and a FileHandle. Use that file handle
'in the equivalent save routine and it preserves any non-configuration files in the aamp file.
Dim FileHandle
Dim ConfigurationXml
Dim AuditingXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfigurationHandleWithAuditing(AuditingXml, FileHandle)
Configuration.ParseXML ConfigurationXml

' Create a new URL Redirection item (the redirect URL value is not preserved in this copy of the guide)
Dim UrlItem
Set UrlItem = Configuration.CreateInstanceFromClassName("AM.URLRedirectionItem")
UrlItem.Path = "bbc.co.uk"
UrlItem.CustomRedirectionUrl = "<redirect URL>"
UrlItem.RedirectToCustomUrl = True
UrlItem.UseRegularExpression = False
UrlItem.Description = "Add description here"

' Add the URL Redirection item to the Everyone group
Configuration.GroupRules.Item("Everyone").UrlRedirectionURLs.Add UrlItem.Xml

'Saves the ConfigurationXml and Auditing xml to the configuration aamp file while preserving any other existing files contained in it.
ConfigurationHelper.SaveLiveConfigurationHandleWithAuditing Configuration.Xml, AuditingXml, FileHandle

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Configure Properties

Message settings

' Constant definitions for the AM.ANACMessageFrequencyType enumeration.
const AM_ANACMessageFrequencyType_EveryConnectionAttempt = 0
const AM_ANACMessageFrequencyType_Once = 1
const AM_ANACMessageFrequencyType_UseDelayBetweenMessages = 2

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml

ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Modify the message settings
Configuration.MessageSettings.AccessDeniedMessageCaption = "Warning"
Configuration.MessageSettings.AccessDeniedMessageBody = "File has been blocked"
Configuration.MessageSettings.ApplicationLimitsExceededMessageCaption = "Warning"
Configuration.MessageSettings.ApplicationLimitsExceededMessageBody = "Too many files"
Configuration.MessageSettings.DisplayInitialWarningMessage = False
Configuration.MessageSettings.CloseApplication = False
Configuration.MessageSettings.TerminateApplication = False
Configuration.MessageSettings.WaitTime = 120
Configuration.MessageSettings.TimeLimitsWarningMessageCaption = "Warning"
Configuration.MessageSettings.TimeLimitsWarningMessageBody = "Out of time"
Configuration.MessageSettings.TimeLimitsDeniedMessageCaption = "Warning"
Configuration.MessageSettings.TimeLimitsDeniedMessageBody = "Wrong time"
Configuration.MessageSettings.SelfAuthorizationMessageCaption = "Warning"
Configuration.MessageSettings.SelfAuthorizationMessageBody = "Needs authorization"
Configuration.MessageSettings.SelfAuthorizationResponseCaption = "Authorized File"
Configuration.MessageSettings.SelfAuthorizationResponseBody = "File is now authorized."
Configuration.MessageSettings.ANACMessageBoxEnabled = True
Configuration.MessageSettings.ANACMessageFrequency = AM_ANACMessageFrequencyType_Once
Configuration.MessageSettings.ANACMessageDelayBetweenMessageBoxes = 60
Configuration.MessageSettings.ANACMessageBoxCaption = "Application Manager - Application Network Access Control"
Configuration.MessageSettings.ANACMessageBoxBody = "%ExecutableName% has been denied access to %NetworkLocation%."

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Archive options

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Modify the archiving settings
Dim ArchiveFolder
Set ArchiveFolder = Configuration.CreateInstanceFromClassName("AM.ArchiveFolder")
ArchiveFolder.Path = "C:\ArchiveBackup"
Set ArchiveFolder = Configuration.ArchivingSettings.ArchiveFolders.InsertBefore(ArchiveFolder.Xml, 1)
Configuration.ArchivingSettings.ArchivingEnabled = True
Configuration.ArchivingSettings.AnonymousEnabled = True
Configuration.ArchivingSettings.UserLimit = 26
Configuration.ArchivingSettings.TotalLimit = 51
Configuration.ArchivingSettings.NoAdminOwnedFiles = True
Configuration.ArchivingSettings.OverwriteExistingFiles = False
Configuration.ArchivingSettings.ArchiveLessThanEnabled = True
Configuration.ArchivingSettings.OverwriteOldest = True
Configuration.ArchivingSettings.ArchiveLessThanAmount = 10

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Application termination

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Modify the Application Termination Settings
Configuration.ApplicationTerminationSettings.Enabled = True
Configuration.ApplicationTerminationSettings.DisplayInitialWarningMessage = True
Configuration.ApplicationTerminationSettings.CloseApplication = True
Configuration.ApplicationTerminationSettings.TerminateApplication = True
Configuration.ApplicationTerminationSettings.WaitTime = 60

'Modify the Application Termination Triggers
Configuration.ApplicationTerminationSettings.Triggers.TerminateOnConfigurationChange = True
Configuration.ApplicationTerminationSettings.Triggers.TerminateOnComputerIPAddressChanged = False
Configuration.ApplicationTerminationSettings.Triggers.TerminateOnConnectingDeviceChanged = True

' Modify the Application Termination Messages
Configuration.MessageSettings.ApplicationTerminationMessages.ConfigAppliedWarningMessageCaption = "New Configuration Applied Message Caption"
Configuration.MessageSettings.ApplicationTerminationMessages.ConfigAppliedWarningMessageBody = "New Configuration Applied Message Body"

' The other Termination Message objects are:
'
' ConfigAppliedTerminateMessageCaption
' ConfigAppliedTerminateMessageBody
' IPAddressChangedWarningMessageCaption
' IPAddressChangedWarningMessageBody
' IPAddressChangedTerminateMessageCaption
' IPAddressChangedTerminateMessageBody
' ConnectingDeviceChangedWarningMessageCaption
' ConnectingDeviceChangedWarningMessageBody
' ConnectingDeviceChangedTerminateMessageCaption
' ConnectingDeviceChangedTerminateMessageBody

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Add Engineering Key

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Add an Engineering key
Dim EngineeringKey
Set EngineeringKey = Configuration.CreateInstanceFromClassName("AM.EngineeringKey")
EngineeringKey.Name = "UrmSecPolicy"
EngineeringKey.Value = "1"
Configuration.EngineeringKeys.Add EngineeringKey.Xml

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Network Connections

Add network connection

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Add a connection to the list of accessible connections.
'(The URL, address and description values are not preserved in this copy of the guide.)
Dim AccessibleConn
Set AccessibleConn = Configuration.CreateInstanceFromClassName("AM.NetworkConnection")
AccessibleConn.Path = "<URL>"
AccessibleConn.Address = "<host name>"
AccessibleConn.Port = 80
AccessibleConn.Resource = "/f/*"
AccessibleConn.UseWildcards = True
AccessibleConn.AddressType = 0
Configuration.GroupRules.Item("Everyone").AccessibleNetworkConnections.Add AccessibleConn.Xml

'Add a connection to the list of prohibited connections.
Dim ProhibitedConn
Set ProhibitedConn = Configuration.CreateInstanceFromClassName("AM.NetworkConnection")
ProhibitedConn.Path = "<URL>"
ProhibitedConn.AddressType = 0
ProhibitedConn.Description = "<description>"
Configuration.GroupRules.Item("Everyone").ProhibitedNetworkConnections.Add ProhibitedConn.Xml

'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Edit a network connection

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Modify the port number of the network connection (the item key, host:port/resource, is truncated in this copy of the guide)
Configuration.GroupRules.Item("Everyone").AccessibleNetworkConnections.Item("gle.com:80/f/*").Port = 8080

'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete a network connection

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper

Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Remove network connection (the URL value is not preserved in this copy of the guide)
Configuration.GroupRules.Item("Everyone").ProhibitedNetworkConnections.Remove "<URL>"

'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Process Rules

Create a process rule

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Create a process rule
Dim ProcessRule
Set ProcessRule = Configuration.CreateInstanceFromClassName("AM.ProcessRule")
ProcessRule.Name = "Process Rule (1)"
Configuration.ProcessRules.Add ProcessRule.Xml

'Add a file process to the rule
Dim FileProcess
Set FileProcess = Configuration.CreateInstanceFromClassName("AM.File")
FileProcess.Path = "c:\windows\system32\notepad.exe"
FileProcess.CommandLine = "c:\windows\system32\notepad.exe"
Configuration.ProcessRules.Item("Process Rule (1)").FileProcessItems.Add FileProcess.Xml

'Add another file to the rule
Dim AnotherFile
Set AnotherFile = Configuration.CreateInstanceFromClassName("AM.File")
AnotherFile.Path = "c:\windows\system32\cmd.exe"
AnotherFile.CommandLine = "c:\windows\system32\cmd.exe"
Configuration.ProcessRules.Item("Process Rule (1)").FileProcessItems.Add AnotherFile.Xml

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Edit a process rule

' Constant definitions for the AM.SecurityLevel enumeration.
const AM_SecurityLevel_Restricted = 0
const AM_SecurityLevel_SelfAuthorizing = 1
const AM_SecurityLevel_Unrestricted = 2
const AM_SecurityLevel_AuditOnly = 3

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration

Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Rename the rule and set its security level
Configuration.ProcessRules.Item("Process Rule (1)").Name = "My Process Rule"
Configuration.ProcessRules.Item("My Process Rule").SecurityLevel = AM_SecurityLevel_AuditOnly

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete a process rule

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Remove "Process Rule (1)"
Configuration.ProcessRules.Remove "Process Rule (1)"

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Rules List Items

Add a file

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Add a file to the list of accessible files.
Dim AccessibleFile
Set AccessibleFile = Configuration.CreateInstanceFromClassName("AM.File")
AccessibleFile.Path = "calc.exe"
AccessibleFile.CommandLine = "calc.exe"
Configuration.GroupRules.Item("Everyone").AccessibleFiles.Add AccessibleFile.Xml

'Add a file to the list of prohibited files.
Dim ProhibitedFile
Set ProhibitedFile = Configuration.CreateInstanceFromClassName("AM.File")
ProhibitedFile.Path = "regedit.exe"
ProhibitedFile.CommandLine = "regedit.exe"
Configuration.GroupRules.Item("Everyone").ProhibitedFiles.Add ProhibitedFile.Xml

'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Edit a file

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Edit calc.exe: switch off Trusted Ownership checking for this item and limit it to 5 instances.
Configuration.GroupRules.Item("Everyone").AccessibleFiles.Item("calc.exe").TrustedOwnershipChecking = False
Configuration.GroupRules.Item("Everyone").AccessibleFiles.Item("calc.exe").ApplicationLimit = 5

'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete a file

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Remove files
Configuration.GroupRules.Item("Everyone").AccessibleFiles.Remove "calc.exe"
Configuration.GroupRules.Item("Everyone").ProhibitedFiles.Remove "regedit.exe"

'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Add a folder

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Add a folder to the list of accessible folders.
Dim AccessibleFolder
Set AccessibleFolder = Configuration.CreateInstanceFromClassName("AM.Folder")
AccessibleFolder.Path = "%ALLUSERSPROFILE%"
Configuration.GroupRules.Item("Everyone").AccessibleFolders.Add AccessibleFolder.Xml

'Add a folder to the list of prohibited folders.
Dim ProhibitedFolder
Set ProhibitedFolder = Configuration.CreateInstanceFromClassName("AM.Folder")
ProhibitedFolder.Path = "%SystemDrive%\Utilities"
Configuration.GroupRules.Item("Everyone").ProhibitedFolders.Add ProhibitedFolder.Xml

'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Edit a folder

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Look up the accessible folder once and edit it through the reference
Dim AccessibleFolder
Set AccessibleFolder = Configuration.GroupRules.Item("Everyone").AccessibleFolders.Item("%ALLUSERSPROFILE%")
AccessibleFolder.Recursive = False

'Clear the access times for every day of the week
AccessibleFolder.AccessTimes.MondayTimeRangeCollection.Clear()
AccessibleFolder.AccessTimes.TuesdayTimeRangeCollection.Clear()
AccessibleFolder.AccessTimes.WednesdayTimeRangeCollection.Clear()
AccessibleFolder.AccessTimes.ThursdayTimeRangeCollection.Clear()
AccessibleFolder.AccessTimes.FridayTimeRangeCollection.Clear()
AccessibleFolder.AccessTimes.SaturdayTimeRangeCollection.Clear()
AccessibleFolder.AccessTimes.SundayTimeRangeCollection.Clear()

'Allow access on Mondays between 09:00 and 13:00 only
Dim TimeRange
Set TimeRange = Configuration.CreateInstanceFromClassName("AM.TimeRange")
TimeRange.StartHour = 9
TimeRange.EndHour = 13
AccessibleFolder.AccessTimes.MondayTimeRangeCollection.InsertBefore TimeRange.Xml, 0
AccessibleFolder.ApplyAccessTimes = True

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete a folder

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Remove the accessible folder
Configuration.GroupRules.Item("Everyone").AccessibleFolders.Remove "%ALLUSERSPROFILE%"

'Remove the prohibited folder
Configuration.GroupRules.Item("Everyone").ProhibitedFolders.Remove "%SystemDrive%\Utilities"

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Add a digital signature

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper

Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Create new signature item
Dim SignatureFile
Set SignatureFile = Configuration.CreateInstanceFromClassName("AM.SignatureFile")
SignatureFile.SHA1Hash = ConfigurationHelper.ReadSha1HashFromFile("C:\WINDOWS\regedit.exe")
SignatureFile.Path = "C:\WINDOWS\regedit.exe"
SignatureFile.CommandLine = SignatureFile.SHA1Hash

'Add the signature to the rule
Configuration.GroupRules.Item("Everyone").AccessibleSignatures.Add SignatureFile.Xml

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Edit a digital signature

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Digital signatures are keyed by CommandLine, which contains the SHA1 hash, so obtain the hash value to access the required item.
Dim sha1Hash
sha1Hash = ConfigurationHelper.ReadSha1HashFromFile("C:\WINDOWS\regedit.exe")
Configuration.GroupRules.Item("Everyone").AccessibleSignatures.Item(sha1Hash).ApplyAccessTimes = False

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete a digital signature

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Digital signatures are keyed by SHA1 hash, so obtain the hash value to access the required item.
Dim sha1Hash
sha1Hash = ConfigurationHelper.ReadSha1HashFromFile("C:\WINDOWS\regedit.exe")
Configuration.GroupRules.Item("Everyone").AccessibleSignatures.Remove sha1Hash

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Add and delete drives

270 'Create the cnfiguratin Dim Cnfiguratin Set Cnfiguratin = CreateObject("AM.Cnfiguratin.5") 'Create the cnfiguratin helper Dim CnfiguratinHelper Set CnfiguratinHelper = CreateObject("AM.CnfiguratinHelper.1") 'Lad the live cnfiguratin Dim CnfiguratinXml CnfiguratinXml = CnfiguratinHelper.LadLiveCnfiguratin Cnfiguratin.ParseXML CnfiguratinXml 'Add first drive Dim FirstDrive Set FirstDrive = Cnfiguratin.CreateInstanceFrmClassName("AM.Drive") FirstDrive.Path = "H" Cnfiguratin.GrupRules.Item("Everyne").AccessibleDrives.Add FirstDrive.Xml 'Add a secnd drive Dim SecndDrive Set SecndDrive = Cnfiguratin.CreateInstanceFrmClassName("AM.Drive") SecndDrive.Path = "I" Cnfiguratin.GrupRules.Item("Everyne").AccessibleDrives.Add SecndDrive.Xml 'Remve the first drive that was added Cnfiguratin.GrupRules.Item("Everyne").AccessibleDrives.Remve "H" 'Save the live cnfiguratin CnfiguratinHelper.SaveLiveCnfiguratin Cnfiguratin.Xml Set CnfiguratinHelper = Nthing Set Cnfiguratin = Nthing Add a trusted vendr 'Create the cnfiguratin Dim Cnfiguratin Set Cnfiguratin = CreateObject("AM.Cnfiguratin.5") 'Create the cnfiguratin helper Dim CnfiguratinHelper Set CnfiguratinHelper = CreateObject("AM.CnfiguratinHelper.1") 'Lad the live cnfiguratin Dim CnfiguratinXml CnfiguratinXml = CnfiguratinHelper.LadLiveCnfiguratin Cnfiguratin.ParseXML CnfiguratinXml 'Use the helper bject t read the certificate frm the signed file Dim CertificateData CertificateData = CnfiguratinHelper.ReadCertificateFrmFile("C:\Prgram Files\Internet Explrer\iexplre.exe", 0) Dim DigitalCertificate Set DigitalCertificate = Cnfiguratin.CreateInstanceFrmClassName("AM.DigitalCertificate") DigitalCertificate.RawCertificateData = CertificateData DigitalCertificate.Descriptin = "Micrsft Crpratin - Internet Explrer Certificate" Set DigitalCertificate = Cnfiguratin.GrupRules.Item("Everyne").TrustedVendrs.Add(DigitalCertificate.Xml) 'Save the live cnfiguratin CnfiguratinHelper.SaveLiveCnfiguratin Cnfiguratin.Xml Set CnfiguratinHelper = 
Nthing Set Cnfiguratin = Nthing Add a trusted vendr and their certificate expiry date 'Create the cnfiguratin Dim Cnfiguratin Set Cnfiguratin = CreateObject("AM.Cnfiguratin.5") 'Create the cnfiguratin helper Dim CnfiguratinHelper Set CnfiguratinHelper = CreateObject("AM.CnfiguratinHelper.1") 'Lad the live cnfiguratin Dim CnfiguratinXml Page 270 f 344

271 CnfiguratinXml = CnfiguratinHelper.LadLiveCnfiguratin Cnfiguratin.ParseXML CnfiguratinXml 'Use the helper bject t read the certificate and expiry date frm the signed file Dim CertificateData Dim dtmydate CertificateData = CnfiguratinHelper.ReadCertificateDateFrmFile("C:\Prgram Files\Internet Explrer\iexplre.exe", 0, dtmydate) 'Add the certificate infrmatin t the cnfiguratin Dim DigitalCertificate Set DigitalCertificate = Cnfiguratin.CreateInstanceFrmClassName("AM.DigitalCertificate") DigitalCertificate.RawCertificateData = CertificateData DigitalCertificate.Descriptin = "Micrsft Crpratin - Internet Explrer Certificate" DigitalCertificate.ExpiryDate = dtmydate Set DigitalCertificate = Cnfiguratin.GrupRules.Item("Everyne").TrustedVendrs.Add(DigitalCertificate.Xml) 'Save the live cnfiguratin CnfiguratinHelper.SaveLiveCnfiguratin Cnfiguratin.Xml Set CnfiguratinHelper = Nthing Set Cnfiguratin = Nthing Edit a trusted vendr 'Create the cnfiguratin Dim Cnfiguratin Set Cnfiguratin = CreateObject("AM.Cnfiguratin.5") 'Create the cnfiguratin helper Dim CnfiguratinHelper Set CnfiguratinHelper = CreateObject("AM.CnfiguratinHelper.1") 'Lad the live cnfiguratin Dim CnfiguratinXml CnfiguratinXml = CnfiguratinHelper.LadLiveCnfiguratin Cnfiguratin.ParseXML CnfiguratinXml 'Use the helper bject t read the certificate frm the signed file Dim CertificateData CertificateData = CnfiguratinHelper.ReadCertificateFrmFile("C:\Prgram Files\Internet Explrer\iexplre.exe", 0) Cnfiguratin.GrupRules.Item("Everyne").TrustedVendrs.Item(CertificateData).Enfr ceexpirydate = True 'Save the live cnfiguratin CnfiguratinHelper.SaveLiveCnfiguratin Cnfiguratin.Xml Set CnfiguratinHelper = Nthing Set Cnfiguratin = Nthing Delete a trusted vendr 'Create the cnfiguratin Dim Cnfiguratin Set Cnfiguratin = CreateObject("AM.Cnfiguratin.5") 'Create the cnfiguratin helper Dim CnfiguratinHelper Set CnfiguratinHelper = CreateObject("AM.CnfiguratinHelper.1") 'Lad the live cnfiguratin Dim CnfiguratinXml CnfiguratinXml = 
CnfiguratinHelper.LadLiveCnfiguratin Cnfiguratin.ParseXML CnfiguratinXml 'Use the helper bject t read the certificate frm the signed file Dim CertificateData CertificateData = CnfiguratinHelper.ReadCertificateFrmFile("C:\Prgram Files\Internet Explrer\iexplre.exe", 0) Cnfiguratin.GrupRules.Item("Everyne").TrustedVendrs.Remve CertificateData 'Save the live cnfiguratin CnfiguratinHelper.SaveLiveCnfiguratin Cnfiguratin.Xml Set CnfiguratinHelper = Nthing Set Cnfiguratin = Nthing Page 271 f 344
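The signature and trusted-vendor scripts above hash or read the certificate of whatever file currently sits at the given path and write the result straight into the live configuration. The following script is an added example, not part of the product guide or of the AppSense scripting API: it uses only the helper methods shown above (ReadSha1HashFromFile, ReadCertificateDateFromFile, the AM.SignatureFile and AM.DigitalCertificate items, and the EnforceExpiryDate property from "Edit a trusted vendor") but checks what it is about to trust first. The reference hash EXPECTED_SHA1 is a placeholder you would replace with a hash recorded from a known-good copy of the file; the TrustedVendors.Item(CertificateData) lookup after Add follows the "Edit a trusted vendor" script.

```vbscript
'Added example (not from the product guide): validate what you are about to trust
'before writing it into the live configuration. Only helper methods that appear in
'the guide's own scripts are used; EXPECTED_SHA1 is a placeholder, not a real hash.
Option Explicit

Const EXPECTED_SHA1 = "PLACEHOLDER-SHA1-OF-KNOWN-GOOD-REGEDIT"   'replace with the hash taken from a trusted build
Const TARGET_FILE   = "C:\WINDOWS\regedit.exe"
Const SIGNED_FILE   = "C:\Program Files\Internet Explorer\iexplore.exe"

Dim Configuration, ConfigurationHelper, ConfigurationXml
Set Configuration = CreateObject("AM.Configuration.5")
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

Dim changed
changed = False

'1. Hash rule: ReadSha1HashFromFile hashes whatever is on disk at that path, so
'   compare it with the recorded reference before turning it into an allow rule.
'   A mismatch means the file is not the one the rule was written for.
Dim actualHash
actualHash = ConfigurationHelper.ReadSha1HashFromFile(TARGET_FILE)
If StrComp(actualHash, EXPECTED_SHA1, vbTextCompare) = 0 Then
    Dim SignatureFile
    Set SignatureFile = Configuration.CreateInstanceFromClassName("AM.SignatureFile")
    SignatureFile.SHA1Hash = actualHash
    SignatureFile.Path = TARGET_FILE
    SignatureFile.CommandLine = actualHash
    Configuration.GroupRules.Item("Everyone").AccessibleSignatures.Add SignatureFile.Xml
    changed = True
Else
    WScript.Echo "Hash mismatch for " & TARGET_FILE & ": " & actualHash & " - signature rule NOT added"
End If

'2. Trusted vendor: read the certificate together with its expiry date, refuse a
'   certificate that has already expired, and make the rule enforce the expiry date.
Dim CertificateData, expiryDate
CertificateData = ConfigurationHelper.ReadCertificateDateFromFile(SIGNED_FILE, 0, expiryDate)
If IsDate(expiryDate) And CDate(expiryDate) > Now Then
    Dim DigitalCertificate
    Set DigitalCertificate = Configuration.CreateInstanceFromClassName("AM.DigitalCertificate")
    DigitalCertificate.RawCertificateData = CertificateData
    DigitalCertificate.Description = "Vendor certificate from " & SIGNED_FILE & ", expires " & expiryDate
    DigitalCertificate.ExpiryDate = expiryDate
    Set DigitalCertificate = Configuration.GroupRules.Item("Everyone").TrustedVendors.Add(DigitalCertificate.Xml)
    Configuration.GroupRules.Item("Everyone").TrustedVendors.Item(CertificateData).EnforceExpiryDate = True
    changed = True
Else
    WScript.Echo "Certificate on " & SIGNED_FILE & " is expired or carries no expiry date - vendor NOT trusted"
End If

'Only touch the live configuration when at least one check passed.
If changed Then
    ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
End If
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
```

Run it with cscript so the WScript.Echo lines appear on the console; nothing is saved when both checks fail, which keeps a failed validation from leaving a half-applied change in the live configuration.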

Group Management

Add Library groups

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Create a new Group in the Library
Dim LibraryGroup
Set LibraryGroup = Configuration.CreateInstanceFromClassName("AM.ApplicationGroup")
LibraryGroup.Path = "Common Applications"
Dim CommonFile
Set CommonFile = Configuration.CreateInstanceFromClassName("AM.File")
CommonFile.Path = "calc.exe"
CommonFile.Commandline = "calc.exe"
LibraryGroup.Files.Add CommonFile.Xml
Dim NotepadFile
Set NotepadFile = Configuration.CreateInstanceFromClassName("AM.File")
NotepadFile.Path = "notepad.exe"
NotepadFile.Commandline = "notepad.exe"
LibraryGroup.Files.Add NotepadFile.Xml
Configuration.ApplicationGroups.Add LibraryGroup.Xml
'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Use Library groups

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Use an existing Library Group in the Rules
Dim GroupReference
Set GroupReference = Configuration.CreateInstanceFromClassName("AM.ApplicationGroupReference")
GroupReference.Group = "Common Applications"
GroupReference.TrustedOwnershipChecking = "True"
GroupReference.Path = "Common Applications"
Configuration.GroupRules.Item("Everyone").ProhibitedApplicationGroups.Add GroupReference.Xml
'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

User Privileges Management

Edit UPM policies

'URM Group Action options

const AM_URMGroupAction_Add = 0
const AM_URMGroupAction_Drop = 1
'URM Privilege actions
const AM_URMPrivilegeAction_NoChange = 0
const AM_URMPrivilegeAction_Enable = 1
const AM_URMPrivilegeAction_Disable = 2
const AM_URMPrivilegeAction_Remove = 3
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
Configuration.URMPolicies("Add Administrator").PrivilegeActions("SeBackupPrivilege").Action = AM_URMPrivilegeAction_Enable
Configuration.URMPolicies("Add Administrator").GroupMembershipActions("BUILTIN\Administrators").Action = AM_URMGroupAction_Drop
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete UPM policies

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
Configuration.URMPolicies.Remove "Add Administrator"
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Add a user privileges file

Edit a user privileges file

Delete a user privileges file

Delete user privileges component

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
Configuration.GroupRules.Item("Everyone").UserRightsRules.URMWellKnownControlPanelApplets.Remove "cplclock"
'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing

Set Configuration = Nothing

Auditing

Save to file with auditing file

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the default configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.DefaultConfiguration
Configuration.ParseXML ConfigurationXml
Dim AuditingFile
AuditingFile = "c:\auditing.xml"
ConfigurationHelper.SaveLocalConfigurationWithAuditingFile "C:\Configuration.aamp", Configuration.Xml, AuditingFile
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Save to live with auditing file

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the default configuration
Configuration.ParseXML ConfigurationHelper.DefaultConfiguration
'Save the blank configuration as the live configuration, together with the auditing file.
Dim AuditingFile
AuditingFile = "c:\auditing.xml"
ConfigurationHelper.SaveLiveConfigurationWithAuditingFile Configuration.Xml, AuditingFile
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Load file with auditing

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
Dim AuditingXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfigurationWithAuditing(AuditingXml)
Configuration.ParseXML ConfigurationXml
'Edit some settings
Configuration.DefaultRules.AllowCMDForBatchFiles = False
Configuration.DefaultRules.ValidateSystemProcesses = False
'Save the live configuration together with the auditing XML.
ConfigurationHelper.SaveLiveConfigurationWithAuditing Configuration.Xml, AuditingXml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Load live with auditing

'Create the configuration
Dim Configuration

Set Configuration = CreateObject("AM.Configuration.5")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the local configuration
Dim ConfigurationXml
Dim AuditingXml
ConfigurationXml = ConfigurationHelper.LoadLocalConfigurationWithAuditing("c:\Configuration.aamp", AuditingXml)
Configuration.ParseXML ConfigurationXml
'Edit settings
Configuration.DefaultRules.AllowCMDForBatchFiles = False
Configuration.DefaultRules.ValidateSystemProcesses = False
'Save the configuration to file.
ConfigurationHelper.SaveLocalConfigurationWithAuditing "C:\UpdatedConfiguration.aamp", Configuration.Xml, AuditingXml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Additional Load and Save functions

Load local configuration handle with auditing

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the local configuration
Dim ConfigurationXml
Dim AuditingXml
Dim FileHandle
'Application Manager's configuration files have the aamp file extension. This file contains many different files which together
'become our Configuration file. One of these is the ConfigurationXml. This is the file where all of AM's rules are configured.
'However the aamp file contains other files which play a smaller part in the configuration.
'We are now providing a Save/Load routine combination which will allow the user to overwrite the configurationxml whilst preserving the
'other files unchanged in the aamp file. The normal Load/Save routines would cause a new file to be created containing only the configurationxml.
'Calling the LoadLocalConfigurationHandleWithAuditing routine passes back the configuration xml as the return value, but also the Auditing xml
'and a FileHandle.
'Use this file handle in the equivalent save routine and it will preserve any non-configuration files in the aamp file.
ConfigurationXml = ConfigurationHelper.LoadLocalConfigurationHandleWithAuditing("c:\temp\configuration.aamp", AuditingXml, FileHandle)
Configuration.ParseXML ConfigurationXml
Configuration.DefaultRules.AllowCMDForBatchFiles = True
Configuration.DefaultRules.ValidateSystemProcesses = True
'Saves the ConfigurationXml and Auditing xml to the configuration aamp file whilst preserving any other existing files contained in it.
ConfigurationHelper.SaveLocalConfigurationHandleWithAuditing "c:\temp\configuration.aamp", Configuration.Xml, AuditingXml, FileHandle
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Load live configuration handle with auditing

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
Dim AuditingXml
Dim FileHandle
'Application Manager's configuration files have the aamp file extension. This file contains many different files which together
'become our Configuration file. One of these is the ConfigurationXml. This is the file where all of AM's rules are configured.
'However the aamp file contains other files which play a smaller part in the configuration.
'We are now providing a Save/Load routine combination which will allow the user to overwrite the configurationxml whilst preserving the
'other files unchanged in the aamp file. The normal Load/Save routines would cause a new file to be created containing only the configurationxml.
'Calling the LoadLiveConfigurationHandleWithAuditing routine passes back the live configuration xml as the return value, but also the Auditing xml
'and a FileHandle.
'Use this file handle in the equivalent save routine and it will preserve any non-configuration files in the aamp file.
ConfigurationXml = ConfigurationHelper.LoadLiveConfigurationHandleWithAuditing(AuditingXml, FileHandle)
Configuration.ParseXML ConfigurationXml
Configuration.DefaultRules.AllowCMDForBatchFiles = True
Configuration.DefaultRules.ValidateSystemProcesses = True
'Saves the ConfigurationXml and Auditing xml to the live configuration whilst preserving any other existing files.
ConfigurationHelper.SaveLiveConfigurationHandleWithAuditing Configuration.Xml, AuditingXml, FileHandle
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Load local configuration handle without auditing

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the local configuration
Dim ConfigurationXml
Dim FileHandle
'Application Manager's configuration files have the aamp file extension. This file contains many different files which together
'become our Configuration file. One of these is the ConfigurationXml. This is the file where all of AM's rules are configured.
'However the aamp file contains other files which play a smaller part in the configuration.
'We are now providing a Save/Load routine combination which will allow the user to overwrite the configurationxml whilst preserving the
'other files unchanged in the aamp file. The normal Load/Save routines would cause a new file to be created containing only the configurationxml.
'Calling the LoadLocalConfigurationHandle routine passes back the configuration xml as the return value, but also a FileHandle.
'Use this file handle in the equivalent save routine and it will preserve any non-configuration files in the aamp file.
ConfigurationXml = ConfigurationHelper.LoadLocalConfigurationHandle("c:\temp\configuration.aamp", FileHandle)
Configuration.ParseXML ConfigurationXml
Configuration.DefaultRules.AllowCMDForBatchFiles = True
Configuration.DefaultRules.ValidateSystemProcesses = True
'Saves the ConfigurationXml to the specified configuration whilst preserving any other existing files from the FileHandle.
ConfigurationHelper.SaveLocalConfigurationHandle "c:\temp\configuration.aamp", Configuration.Xml, FileHandle
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Load live configuration handle without auditing

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
Dim FileHandle
'Application Manager's configuration files have the aamp file extension. This file contains many different files which together
'become our Configuration file. One of these is the ConfigurationXml. This is the file where all of AM's rules are configured.
'However the aamp file contains other files which play a smaller part in the configuration.
'We are now providing a Save/Load routine combination which will allow the user to overwrite the configurationxml whilst preserving the
'other files unchanged in the aamp file. The normal Load/Save routines would cause a new file to be created containing only the configurationxml.
'Calling the LoadLiveConfigurationHandle routine passes back the live configuration xml as the return value, but also a FileHandle.
'Use this file handle in the equivalent save routine and it will preserve any non-configuration files in the aamp file.
ConfigurationXml = ConfigurationHelper.LoadLiveConfigurationHandle(FileHandle)
Configuration.ParseXML ConfigurationXml
Configuration.DefaultRules.AllowCMDForBatchFiles = True
Configuration.DefaultRules.ValidateSystemProcesses = True
'Saves the ConfigurationXml to the live configuration whilst preserving any other existing files.
ConfigurationHelper.SaveLiveConfigurationHandle Configuration.Xml, FileHandle
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Adding files and folders with metadata

Add files and folders with metadata

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Create a File Item with Metadata which will be used later in the script
'
Dim FileWithMetadata
Set FileWithMetadata = Configuration.CreateInstanceFromClassName("AM.File")
'Set the actual file
FileWithMetadata.Path = "MetadataFile.exe"
'Set a unique key for this item in the collection it is added to
FileWithMetadata.Commandline = "MetadataFile.exe"
'Set some metadata properties
FileWithMetadata.Metadata.ProductVersionMinimum = "*.*.*.*"
FileWithMetadata.Metadata.ProductVersionMinimumEnabled = True
FileWithMetadata.Metadata.ProductVersionMaximum = "*.*.*.*"
FileWithMetadata.Metadata.ProductVersionMaximumEnabled = True
FileWithMetadata.Metadata.FileVersionMinimum = "*.*.*.*"
FileWithMetadata.Metadata.FileVersionMinimumEnabled = True
FileWithMetadata.Metadata.FileVersionMaximum = "*.*.*.*"
FileWithMetadata.Metadata.FileVersionMaximumEnabled = True
FileWithMetadata.Metadata.VendorName = "VEND"
FileWithMetadata.Metadata.VendorNameEnabled = True
FileWithMetadata.Metadata.ProductName = "PROD"
FileWithMetadata.Metadata.ProductNameEnabled = True
FileWithMetadata.Metadata.CompanyName = "COMP"
FileWithMetadata.Metadata.CompanyNameEnabled = True
FileWithMetadata.Metadata.FileDescription = "DESC"
FileWithMetadata.Metadata.FileDescriptionEnabled = True

'Create a Folder Item with Metadata which will be used later in the script
'
Dim FolderWithMetadata
Set FolderWithMetadata = Configuration.CreateInstanceFromClassName("AM.Folder")
'Set a unique key for this item in the collection it is added to
FolderWithMetadata.ItemKey = "c:\metadatafolder"
'Set the actual folder
FolderWithMetadata.Path = "c:\metadatafolder"
'Set some metadata properties
FolderWithMetadata.Metadata.VendorName = "VEND"
FolderWithMetadata.Metadata.VendorNameEnabled = True

'Add a file to the list of accessible files.
Configuration.GroupRules.Item("Everyone").AccessibleFiles.Add FileWithMetadata.Xml

'Add the file item to a URM Rule
'
'Create the URM Item
Dim URMFile
Set URMFile = Configuration.CreateInstanceFromClassName("AM.URMRuleItemPolicy")
'Configure the URM Item with the details of the Accessible File created earlier
URMFile.KeyPath = FileWithMetadata.Commandline
URMFile.Application = FileWithMetadata.Xml
'Set the URM Policy to Apply
URMFile.Policy.Policy = "Add Administrator"
'Add the URM item
Configuration.GroupRules.Item("Everyone").UserRightsRules.URMFiles.Add URMFile.Xml

'Add a folder to the list of accessible folders.
Configuration.GroupRules.Item("Everyone").AccessibleFolders.Add FolderWithMetadata.Xml

'Add the folder item to a URM Rule
'
'Create the URM Item
Dim URMFolder
Set URMFolder = Configuration.CreateInstanceFromClassName("AM.URMRuleItemPolicy")
'Configure the URM Item with the details of the Accessible Folder created earlier
URMFolder.KeyPath = FolderWithMetadata.ItemKey
URMFolder.Application = FolderWithMetadata.Xml
'Set the URM Policy to Apply
URMFolder.Policy.Policy = "Add Administrator"
'Add the URM item
Configuration.GroupRules.Item("Everyone").UserRightsRules.URMFolders.Add URMFolder.Xml

'Process Rule with Metadata Configuration on the specific process
'
'Create a new Process Rule
Dim ProcessRule
Set ProcessRule = Configuration.CreateInstanceFromClassName("AM.ProcessRule")
ProcessRule.Name = "Process Rule With Metadata"
'Add a file process to the rule
ProcessRule.FileProcessItems.Add FileWithMetadata.Xml
'Add the process rule
Configuration.ProcessRules.Add ProcessRule.Xml

'Save the live configuration.
'
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Windows Store Apps

Add Windows Store app

const AM_VersionMatching_andabove = 0
const AM_VersionMatching_andbelow = 1

const AM_VersionMatching_exactly = 2
const AM_VersionMatching_allversions = 3
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Prohibit all Windows Store apps
Dim BlockAllApps
Set BlockAllApps = Configuration.CreateInstanceFromClassName("AM.WindowsStoreApp")
BlockAllApps.DisplayName = "* * All installed apps * *"
BlockAllApps.PackageName = "*"
BlockAllApps.PublisherID = "*"
BlockAllApps.Publisher = "*"
BlockAllApps.PackageVersion = " "
BlockAllApps.VersionMatch = AM_VersionMatching_allversions
BlockAllApps.Path = "*_*_ "
Configuration.GroupRules.Item("Everyone").ProhibitedWindowsStoreApps.Add BlockAllApps.Xml
'Add a Windows Store App to the list of accessible apps.
Dim AccessibleApp
Set AccessibleApp = Configuration.CreateInstanceFromClassName("AM.WindowsStoreApp")
AccessibleApp.DisplayName = "Skype"
AccessibleApp.PackageName = "Microsoft.SkypeApp"
AccessibleApp.PublisherID = "kzf8qxf38zg5c"
AccessibleApp.Publisher = "CN=Skype Software Sarl, O=Microsoft Corporation, L=Luxembourg, S=Luxembourg, C=LU"
AccessibleApp.PackageVersion = " "
AccessibleApp.VersionMatch = AM_VersionMatching_andabove
AccessibleApp.Path = "kzf8qxf38zg5c_microsoft.skypeapp_ "
Configuration.GroupRules.Item("Everyone").AccessibleWindowsStoreApps.Add AccessibleApp.Xml
'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Edit Windows Store app

const AM_VersionMatching_andabove = 0
const AM_VersionMatching_andbelow = 1
const AM_VersionMatching_exactly = 2
const AM_VersionMatching_allversions = 3
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Modify the Version Matching
Configuration.GroupRules.Item("Everyone").AccessibleWindowsStoreApps.Item("kzf8qxf38zg5c_Microsoft.SkypeApp_ ").VersionMatch = AM_VersionMatching_allversions
'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete Windows Store app

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Remove Skype
Configuration.GroupRules.Item("Everyone").AccessibleWindowsStoreApps.Remove "kzf8qxf38zg5c_Microsoft.SkypeApp_ "
'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

System Controls

Adding system controls

'BuiltinActions
const AM_ControlPanelURMPolicy_BuiltinElevate = 0
const AM_ControlPanelURMPolicy_BuiltinRestrict = 1
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
Dim FileHandle
ConfigurationXml = ConfigurationHelper.LoadLiveConfigurationHandle(FileHandle)
Configuration.ParseXML ConfigurationXml
Dim UninstallItem
Set UninstallItem = Configuration.CreateInstanceFromClassName("AM.UninstallControl")
UninstallItem.Path = "AppSense Application Manager"
UninstallItem.DisplayName = "AppSense Application Manager"
UninstallItem.Publisher = "AppSense"
UninstallItem.Version = "8.9.*"
Configuration.GroupRules.Item("Everyone").UserRightsRules.URMUninstallControls.Add UninstallItem.Xml
Dim EventlogItem
Set EventlogItem = Configuration.CreateInstanceFromClassName("AM.EventlogControl")
EventlogItem.Path = "Application"
EventlogItem.LogName = "Application"
EventlogItem.Policy = AM_ControlPanelURMPolicy_BuiltinElevate
Configuration.GroupRules.Item("Everyone").UserRightsRules.URMEventlogControls.Add EventlogItem.Xml
Dim ServiceItem
Set ServiceItem = Configuration.CreateInstanceFromClassName("AM.ServiceControl")
ServiceItem.Path = "AppSense Application Manager Agent"
ServiceItem.ServiceDisplayName = "AppSense Application Manager Agent"
ServiceItem.ServiceName = "*"
Configuration.GroupRules.Item("Everyone").UserRightsRules.URMServiceControls.Add ServiceItem.Xml
'Save the live configuration, preserving the other files referenced by the handle.
ConfigurationHelper.SaveLiveConfigurationHandle Configuration.Xml, FileHandle
Set ConfigurationHelper = Nothing

Set Configuration = Nothing

Self-Elevation Files

Adding self-elevation files

'Constant definitions for the AM.SelfElevationFilterMode enumeration.
const AM_SelfElevationFilterMode_AllowAllExcept = 0
const AM_SelfElevationFilterMode_DenyAllExcept = 1
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the default configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.DefaultConfiguration
Configuration.ParseXML ConfigurationXml
'Create a file to add to Self-Elevation files for the "Everyone" group
Dim SelfElevationFile
Set SelfElevationFile = Configuration.CreateInstanceFromClassName("AM.File")
SelfElevationFile.Path = "calc.exe"
SelfElevationFile.Commandline = "calc.exe"
'Add a file to the Self-Elevation tab under User Rights, for the "Everyone" group
Configuration.GroupRules.Item("Everyone").SelfElevationRules.SelfElevationFiles.Add SelfElevationFile.Xml
'Enable Self-Elevation
Configuration.GroupRules.Item("Everyone").SelfElevationRules.SelfElevationEnabled = True
'Set Self-Elevation to only apply to items in the list
Configuration.GroupRules.Item("Everyone").SelfElevationRules.Filtermode = AM_SelfElevationFilterMode_DenyAllExcept
'Make files Accessible Items
Configuration.GroupRules.Item("Everyone").SelfElevationRules.MakeAccessible = True
'Apply User Rights for child processes
Configuration.GroupRules.Item("Everyone").SelfElevationRules.ApplyToChildProcesses = True
'Allow file to run even if not owned by a Trusted Owner
Configuration.GroupRules.Item("Everyone").SelfElevationRules.TrustedOwnershipChecking = True
'Apply to Common Dialogs
Configuration.GroupRules.Item("Everyone").SelfElevationRules.ApplyToOpenSave = True
'Install as Trusted Owner
Configuration.GroupRules.Item("Everyone").SelfElevationRules.ChangeOwnershipToAdmin = True
'Save Configuration to disk
ConfigurationHelper.SaveLocalConfiguration "C:\Configuration.aamp", Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Policy Change Requests

Configuring policy change request settings

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml

ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Modify the Demand Config Change Settings
'Enable the global feature
Configuration.OnDemandConfigChangeSettings.OnDemandEnabled = True
'Enable the Requests
Configuration.OnDemandConfigChangeSettings.RequestsEnabled = True
Configuration.OnDemandConfigChangeSettings.MailToAddress = "sample@company.com"
'Enable the Emergency Requests
Configuration.OnDemandConfigChangeSettings.EmergencyRequestsEnabled = True
Configuration.OnDemandConfigChangeSettings.HelpDeskPhoneNumber = " "
Dim key
key = ConfigurationHelper.EncryptSharedKey("hello chris")
Configuration.OnDemandConfigChangeSettings.SharedKey = key
'Configure a link from the AMMessage
Configuration.OnDemandConfigChangeSettings.RequestMethods.AllowLinkFromAMDenied = True
Configuration.OnDemandConfigChangeSettings.RequestMethods.AMDeniedLinkText = "Click here to submit a change request"
'Configure a Shell context menu
Configuration.OnDemandConfigChangeSettings.RequestMethods.ShowShellMenu = True
Configuration.OnDemandConfigChangeSettings.RequestMethods.ShellMenuText = "Submit a change request"
'Configure the desktop link
Configuration.OnDemandConfigChangeSettings.RequestMethods.ShowDesktopIcon = True
Configuration.OnDemandConfigChangeSettings.RequestMethods.DesktopIconText = "Request Policy Change"
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

MSIs in the COMConfigurationHelper

Open MSIs

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the configuration contained in the MSI
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadMsiConfiguration("C:\msi\AM8.6.msi")
Configuration.ParseXML ConfigurationXml
'Wscript.Echo ConfigurationXml
'Save the configuration read from the MSI as the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Save MSIs

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Save the live configuration to an MSI file.
ConfigurationHelper.SaveMsiConfiguration "C:\msi\AMout.msi", ConfigurationXml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

User Rights Management

Add user rights file

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Create a new FileItem
Dim File
Set File = Configuration.CreateInstanceFromClassName("AM.File")
File.Path = "notepad.exe"
File.CommandLine = "notepad.exe"

'Create the rule item that links the file to a User Rights policy
Dim URMFile
Set URMFile = Configuration.CreateInstanceFromClassName("AM.URMRuleItemPolicy")
URMFile.KeyPath = "notepad.exe"
URMFile.Policy.Policy = Configuration.URMPolicies.Item("Add Administrator").Name
URMFile.Application = File.Xml
Configuration.GroupRules.Item("Everyone").UserRightsRules.URMFiles.Add URMFile.Xml

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Edit user rights file

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Create a new FileItem carrying the arguments the rule should match
Dim File
Set File = Configuration.CreateInstanceFromClassName("AM.File")
File.Path = "notepad.exe"
File.Arguments = "test.txt"
File.CommandLine = "notepad.exe test.txt"

'Replace the application of the existing "notepad.exe" item and re-key it on the full command line
Configuration.GroupRules.Item("Everyone").UserRightsRules.URMFiles.Item("notepad.exe").Application = File.Xml
Configuration.GroupRules.Item("Everyone").UserRightsRules.URMFiles.Item("notepad.exe").KeyPath = File.CommandLine

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete user rights file

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Remove the item by its key path, which the edit script above changed to the full command line
Configuration.GroupRules.Item("Everyone").UserRightsRules.URMFiles.Remove "notepad.exe test.txt"

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Add user rights file using built-in elevate

'URM BuiltinElevate Policy
const BuiltinElevate_Policy = "516A5D5B-685C-49C3-A4FC-3A54BF6CC392\BUILTINADMIN"

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
'Dim ConfigurationXml
'ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
'Configuration.ParseXML ConfigurationXml

'Load the default configuration
Configuration.ParseXML ConfigurationHelper.DefaultConfiguration

'Create a new FileItem
Dim File
Set File = Configuration.CreateInstanceFromClassName("AM.File")
File.Path = "notepad.exe"
File.CommandLine = "notepad.exe"

Dim URMFile
Set URMFile = Configuration.CreateInstanceFromClassName("AM.URMRuleItemPolicy")
URMFile.KeyPath = "notepad.exe"
URMFile.Policy.Policy = BuiltinElevate_Policy
URMFile.Application = File.Xml

'Please note that ApplyToOpenSave is incorrectly named - the meaning has been "flipped"
'  ApplyToOpenSave = False => Apply to Common Dialogs
'  ApplyToOpenSave = True  => Do NOT apply to Common Dialogs.
URMFile.ApplyToOpenSave = False
URMFile.ApplyToChildProcesses = True
URMFile.ChangeOwnershipToAdmin = True
Configuration.GroupRules.Item("Everyone").UserRightsRules.URMFiles.Add URMFile.Xml

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Sample Script: Create UPM Policies

The following VB script creates a user privileges management policy:

'URM Group Action options
const AM_URMGroupAction_Add = 0
const AM_URMGroupAction_Drop = 1

'URM Privileges
const AM_URMPrivilegeConstant_SeAssignPrimaryTokenPrivilege = 0
const AM_URMPrivilegeConstant_SeAuditPrivilege = 1
const AM_URMPrivilegeConstant_SeBackupPrivilege = 2
const AM_URMPrivilegeConstant_SeChangeNotifyPrivilege = 3
const AM_URMPrivilegeConstant_SeCreateGlobalPrivilege = 4
const AM_URMPrivilegeConstant_SeCreatePagefilePrivilege = 5
const AM_URMPrivilegeConstant_SeCreatePermanentPrivilege = 6
const AM_URMPrivilegeConstant_SeCreateSymbolicLinkPrivilege = 7
const AM_URMPrivilegeConstant_SeCreateTokenPrivilege = 8

const AM_URMPrivilegeConstant_SeDebugPrivilege = 9
const AM_URMPrivilegeConstant_SeEnableDelegationPrivilege = 10
const AM_URMPrivilegeConstant_SeImpersonatePrivilege = 11
const AM_URMPrivilegeConstant_SeIncreaseBasePriorityPrivilege = 12
const AM_URMPrivilegeConstant_SeIncreaseQuotaPrivilege = 13
const AM_URMPrivilegeConstant_SeIncreaseWorkingSetPrivilege = 14
const AM_URMPrivilegeConstant_SeLoadDriverPrivilege = 15
const AM_URMPrivilegeConstant_SeLockMemoryPrivilege = 16
const AM_URMPrivilegeConstant_SeMachineAccountPrivilege = 17
const AM_URMPrivilegeConstant_SeManageVolumePrivilege = 18
const AM_URMPrivilegeConstant_SeProfileSingleProcessPrivilege = 19
const AM_URMPrivilegeConstant_SeRelabelPrivilege = 20
const AM_URMPrivilegeConstant_SeRemoteShutdownPrivilege = 21
const AM_URMPrivilegeConstant_SeRestorePrivilege = 22
const AM_URMPrivilegeConstant_SeSecurityPrivilege = 23
const AM_URMPrivilegeConstant_SeShutdownPrivilege = 24
const AM_URMPrivilegeConstant_SeSyncAgentPrivilege = 25
const AM_URMPrivilegeConstant_SeSystemEnvironmentPrivilege = 26
const AM_URMPrivilegeConstant_SeSystemProfilePrivilege = 27
const AM_URMPrivilegeConstant_SeSystemtimePrivilege = 28
const AM_URMPrivilegeConstant_SeTakeOwnershipPrivilege = 29
const AM_URMPrivilegeConstant_SeTcbPrivilege = 30
const AM_URMPrivilegeConstant_SeTimeZonePrivilege = 31
const AM_URMPrivilegeConstant_SeTrustedCredManAccessPrivilege = 32
const AM_URMPrivilegeConstant_SeUndockPrivilege = 33
const AM_URMPrivilegeConstant_SeUnsolicitedInputPrivilege = 34

'URM Privilege actions
const AM_URMPrivilegeAction_NoChange = 0
const AM_URMPrivilegeAction_Enable = 1
const AM_URMPrivilegeAction_Disable = 2
const AM_URMPrivilegeAction_Remove = 3

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Create a new URMPolicy
Dim URMPolicy
Set URMPolicy = Configuration.CreateInstanceFromClassName("AM.URMPolicy")
URMPolicy.Name = "Add Administrator"
Configuration.URMPolicies.Add URMPolicy.Xml

'Add a Group Behaviour Action
Dim URMBehaviour
Set URMBehaviour = Configuration.CreateInstanceFromClassName("AM.URMGroupBehaviour")
URMBehaviour.DisplayName = "BUILTIN\Administrators"
URMBehaviour.SID = "S-1-5-Domain-544"
URMBehaviour.Action = AM_URMGroupAction_Add
Configuration.URMPolicies("Add Administrator").GroupMembershipActions.Add URMBehaviour.Xml

'Set up the privilege actions (one PrivilegeAction object is reused; Add copies its Xml each time)
Dim PrivilegeAction
Set PrivilegeAction = Configuration.CreateInstanceFromClassName("AM.URMPrivilege")
PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeAssignPrimaryTokenPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeAssignPrimaryTokenPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeAuditPrivilege"

PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeAuditPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeBackupPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeBackupPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeChangeNotifyPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeChangeNotifyPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeCreateGlobalPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeCreateGlobalPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeCreatePagefilePrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeCreatePagefilePrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeCreatePermanentPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeCreatePermanentPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeCreateSymbolicLinkPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeCreateSymbolicLinkPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeCreateTokenPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeCreateTokenPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeDebugPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeDebugPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeEnableDelegationPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeEnableDelegationPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeImpersonatePrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeImpersonatePrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeIncreaseBasePriorityPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeIncreaseBasePriorityPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeIncreaseQuotaPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeIncreaseQuotaPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange

PrivilegeAction.Name = "SeIncreaseWorkingSetPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeIncreaseWorkingSetPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeLoadDriverPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeLoadDriverPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeLockMemoryPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeLockMemoryPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeMachineAccountPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeMachineAccountPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeManageVolumePrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeManageVolumePrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeProfileSingleProcessPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeProfileSingleProcessPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeRelabelPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeRelabelPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeRemoteShutdownPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeRemoteShutdownPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeRestorePrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeRestorePrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeSecurityPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeSecurityPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeShutdownPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeShutdownPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeSyncAgentPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeSyncAgentPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeSystemEnvironmentPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeSystemEnvironmentPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeSystemProfilePrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeSystemProfilePrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeSystemtimePrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeSystemtimePrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeTakeOwnershipPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeTakeOwnershipPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeTcbPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeTcbPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeTimeZonePrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeTimeZonePrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeTrustedCredManAccessPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeTrustedCredManAccessPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeUndockPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeUndockPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeUnsolicitedInputPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeUnsolicitedInputPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Sample Script: Add User Privileges Component

The following VB script adds a user privileges component:

const AM_URMControlPanelConstant_mmcComputerManagement = 0
const AM_URMControlPanelConstant_cplAddHardware = 1
const AM_URMControlPanelConstant_cplAddRemovePrograms = 2
const AM_URMControlPanelConstant_cplAddPlugPlay = 3
const AM_URMControlPanelConstant_cplAutomaticUpdatesSettings = 4
const AM_URMControlPanelConstant_cplClock = 5
const AM_URMControlPanelConstant_cplDesktopDPI = 6
const AM_URMControlPanelConstant_cplDisplay = 7
const AM_URMControlPanelConstant_cplInternetOptions = 8
const AM_URMControlPanelConstant_cplPowerOptions = 9
const AM_URMControlPanelConstant_cplRegional = 10
const AM_URMControlPanelConstant_cplSystem = 11
const AM_URMControlPanelConstant_cplFirewallSettings = 12
const AM_URMControlPanelConstant_mmcFirewallAdvanced = 13

const AM_URMControlPanelConstant_mmcDeviceManager = 14
const AM_URMControlPanelConstant_mmcDiskManagement = 15
const AM_URMControlPanelConstant_cplIndexingOptions = 16
const AM_URMControlPanelConstant_cplWindowsFeatures = 17
const AM_URMControlPanelConstant_mmcLocalSecurityPolicy = 18
const AM_URMControlPanelConstant_mmcPerformanceMonitor = 19
const AM_URMControlPanelConstant_cplLanguages = 20
const AM_URMControlPanelConstant_mmcServices = 21
const AM_URMControlPanelConstant_mmcDefrag = 27
const AM_URMControlPanelConstant_cplBackupRestore = 28
const AM_URMControlPanelConstant_cpliScsiInitiator = 29
const AM_URMControlPanelConstant_cplOfflineFiles = 30
const AM_URMControlPanelConstant_cpladaptors = 31
const AM_URMControlPanelConstant_cplprinters = 32
const AM_URMControlPanelConstant_mmcServerManager = 33
const AM_URMControlPanelConstant_cplSystemConfig = 34
const AM_URMControlPanelConstant_cplClearTypeText = 35
const AM_URMControlPanelConstant_cplCalibrateColor = 36
const AM_URMControlPanelConstant_mmcCompServices = 37
const AM_URMControlPanelConstant_cplRecoveryDisc = 38
const AM_URMControlPanelConstant_mmcCertManager = 39
const AM_URMControlPanelConstant_cplDataSources = 40
const AM_URMControlPanelConstant_cplRecoveryRestore = 41
const AM_URMControlPanelConstant_mmcTasksSchedule = 42
const AM_URMControlPanelConstant_mmcTrustedPlatform = 43
const AM_URMControlPanelConstant_cplTroubleShoot = 44
const AM_URMControlPanelConstant_cplBitLockerEnable = 45
const AM_URMControlPanelConstant_mmcEventViewer = 46
const AM_URMControlPanelConstant_cplEasyTransfer = 47
const AM_URMControlPanelConstant_cpladaptorsAdvancedSharing = 48
const AM_URMControlPanelConstant_cpladaptorsWirelessProfile = 49
const AM_URMControlPanelConstant_cpladaptorsWirelessPropertiesChars = 50
const AM_URMControlPanelConstant_cpladaptorsWirelessPropertiesCopyUSB = 51
const AM_URMControlPanelConstant_cpladaptorsNetworkConnectionProperties = 52
const AM_URMControlPanelConstant_cpladaptorsNetworkDisableConnection = 53
const AM_URMControlPanelConstant_cplFirewallSettingsControlPanel = 54
const AM_URMControlPanelConstant_cplFirewallSettingsActionCenter = 55
const AM_URMControlPanelConstant_cplProblemReporting = 56
const AM_URMControlPanelConstant_cplAddRemoveProgramsChange = 57
const AM_URMControlPanelConstant_cplAddRemoveProgramsUninstallUpdate = 58
const AM_URMControlPanelConstant_cplWindowsDefender = 59
const AM_URMControlPanelConstant_cplDefaultLocation = 60
const AM_URMControlPanelConstant_cplAccessCenter = 61
const AM_URMControlPanelConstant_cplExplorer = 62
const AM_URMControlPanelConstant_cplExplorerCheckDisk = 63
const AM_URMControlPanelConstant_cplExplorerEditGroupUser = 64
const AM_URMControlPanelConstant_cplExplorerPermissions = 65
const AM_URMControlPanelConstant_cplExplorerQuota = 66
const AM_URMControlPanelConstant_cplExplorerAdvancedSharing = 67
const AM_URMControlPanelConstant_cplIndexingOptionsAdvanced = 68
const AM_URMControlPanelConstant_cplIndexingOptionsShowAllLocations = 69
const AM_URMControlPanelConstant_cplIndexingOptionsPause = 70
const AM_URMControlPanelConstant_cplMediaSharing = 71
const AM_URMControlPanelConstant_cplUserAccounts = 72
const AM_URMControlPanelConstant_cplUserAccountsUserAccountControl = 73
const AM_URMControlPanelConstant_cplUserAccountsManageUserAccounts = 74

'BuiltinActions
const AM_ControlPanelURMPolicy_BuiltinElevate = 0
const AM_ControlPanelURMPolicy_BuiltinRestrict = 1

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper

Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Describe the Date and Time applet and elevate it with the built-in policy
Dim Applet
Set Applet = Configuration.CreateInstanceFromClassName("AM.WellKnownControlPanelApplet")
Applet.Path = "cplclock"
Applet.ControlPanelId = AM_URMControlPanelConstant_cplClock
Applet.PolicyAction = AM_ControlPanelURMPolicy_BuiltinElevate

'Wrap the applet in a rule item and add it to the Everyone group rule
Dim DateTimeComponent
Set DateTimeComponent = Configuration.CreateInstanceFromClassName("AM.URMRuleItem")
DateTimeComponent.KeyPath = Applet.Path
DateTimeComponent.Application = Applet.Xml
Configuration.GroupRules.Item("Everyone").UserRightsRules.URMWellKnownControlPanelApplets.Add DateTimeComponent.Xml

'Reuse the same objects for the Services console
Applet.Path = "mmcservices"
Applet.ControlPanelId = AM_URMControlPanelConstant_mmcServices
Applet.PolicyAction = AM_ControlPanelURMPolicy_BuiltinElevate
DateTimeComponent.KeyPath = Applet.Path
DateTimeComponent.Application = Applet.Xml
Configuration.GroupRules.Item("Everyone").UserRightsRules.URMWellKnownControlPanelApplets.Add DateTimeComponent.Xml

'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Sample Script: Edit User Privileges Component

The following VB script edits a user privileges component:

const AM_URMControlPanelConstant_mmcComputerManagement = 0
const AM_URMControlPanelConstant_cplAddHardware = 1
const AM_URMControlPanelConstant_cplAddRemovePrograms = 2
const AM_URMControlPanelConstant_cplAddPlugPlay = 3
const AM_URMControlPanelConstant_cplAutomaticUpdatesSettings = 4
const AM_URMControlPanelConstant_cplClock = 5
const AM_URMControlPanelConstant_cplDesktopDPI = 6
const AM_URMControlPanelConstant_cplDisplay = 7
const AM_URMControlPanelConstant_cplInternetOptions = 8
const AM_URMControlPanelConstant_cplPowerOptions = 9
const AM_URMControlPanelConstant_cplRegional = 10
const AM_URMControlPanelConstant_cplSystem = 11
const AM_URMControlPanelConstant_cplFirewallSettings = 12
const AM_URMControlPanelConstant_mmcFirewallAdvanced = 13
const AM_URMControlPanelConstant_mmcDeviceManager = 14
const AM_URMControlPanelConstant_mmcDiskManagement = 15
const AM_URMControlPanelConstant_cplIndexingOptions = 16
const AM_URMControlPanelConstant_cplWindowsFeatures = 17
const AM_URMControlPanelConstant_mmcLocalSecurityPolicy = 18
const AM_URMControlPanelConstant_mmcPerformanceMonitor = 19
const AM_URMControlPanelConstant_cplLanguages = 20
const AM_URMControlPanelConstant_mmcServices = 21
const AM_URMControlPanelConstant_mmcDefrag = 27
const AM_URMControlPanelConstant_cplBackupRestore = 28
const AM_URMControlPanelConstant_cpliScsiInitiator = 29
const AM_URMControlPanelConstant_cplOfflineFiles = 30
const AM_URMControlPanelConstant_cpladaptors = 31
const AM_URMControlPanelConstant_cplprinters = 32
const AM_URMControlPanelConstant_mmcServerManager = 33
const AM_URMControlPanelConstant_cplSystemConfig = 34

const AM_URMControlPanelConstant_cplClearTypeText = 35
const AM_URMControlPanelConstant_cplCalibrateColor = 36
const AM_URMControlPanelConstant_mmcCompServices = 37
const AM_URMControlPanelConstant_cplRecoveryDisc = 38
const AM_URMControlPanelConstant_mmcCertManager = 39
const AM_URMControlPanelConstant_cplDataSources = 40
const AM_URMControlPanelConstant_cplRecoveryRestore = 41
const AM_URMControlPanelConstant_mmcTasksSchedule = 42
const AM_URMControlPanelConstant_mmcTrustedPlatform = 43
const AM_URMControlPanelConstant_cplTroubleShoot = 44
const AM_URMControlPanelConstant_cplBitLockerEnable = 45
const AM_URMControlPanelConstant_mmcEventViewer = 46
const AM_URMControlPanelConstant_cplEasyTransfer = 47
const AM_URMControlPanelConstant_cpladaptorsAdvancedSharing = 48
const AM_URMControlPanelConstant_cpladaptorsWirelessProfile = 49
const AM_URMControlPanelConstant_cpladaptorsWirelessPropertiesChars = 50
const AM_URMControlPanelConstant_cpladaptorsWirelessPropertiesCopyUSB = 51
const AM_URMControlPanelConstant_cpladaptorsNetworkConnectionProperties = 52
const AM_URMControlPanelConstant_cpladaptorsNetworkDisableConnection = 53
const AM_URMControlPanelConstant_cplFirewallSettingsControlPanel = 54
const AM_URMControlPanelConstant_cplFirewallSettingsActionCenter = 55
const AM_URMControlPanelConstant_cplProblemReporting = 56
const AM_URMControlPanelConstant_cplAddRemoveProgramsChange = 57
const AM_URMControlPanelConstant_cplAddRemoveProgramsUninstallUpdate = 58
const AM_URMControlPanelConstant_cplWindowsDefender = 59
const AM_URMControlPanelConstant_cplDefaultLocation = 60
const AM_URMControlPanelConstant_cplAccessCenter = 61
const AM_URMControlPanelConstant_cplExplorer = 62
const AM_URMControlPanelConstant_cplExplorerCheckDisk = 63
const AM_URMControlPanelConstant_cplExplorerEditGroupUser = 64
const AM_URMControlPanelConstant_cplExplorerPermissions = 65
const AM_URMControlPanelConstant_cplExplorerQuota = 66
const AM_URMControlPanelConstant_cplExplorerAdvancedSharing = 67
const AM_URMControlPanelConstant_cplIndexingOptionsAdvanced = 68
const AM_URMControlPanelConstant_cplIndexingOptionsShowAllLocations = 69
const AM_URMControlPanelConstant_cplIndexingOptionsPause = 70
const AM_URMControlPanelConstant_cplMediaSharing = 71
const AM_URMControlPanelConstant_cplUserAccounts = 72
const AM_URMControlPanelConstant_cplUserAccountsUserAccountControl = 73
const AM_URMControlPanelConstant_cplUserAccountsManageUserAccounts = 74

'BuiltinActions
const AM_ControlPanelURMPolicy_BuiltinElevate = 0
const AM_ControlPanelURMPolicy_BuiltinRestrict = 1

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.5")

'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

'Switch the Date and Time applet from elevate to restrict by replacing the existing item's application
Dim Applet
Set Applet = Configuration.CreateInstanceFromClassName("AM.WellKnownControlPanelApplet")
Applet.Path = "cplclock"
Applet.ControlPanelId = AM_URMControlPanelConstant_cplClock
Applet.PolicyAction = AM_ControlPanelURMPolicy_BuiltinRestrict
Configuration.GroupRules.Item("Everyone").UserRightsRules.URMWellKnownControlPanelApplets.Item("cplclock").Application = Applet.Xml

'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing

Set Configuration = Nothing

Configuration Object

The Application Control Object Types include the Configuration object and the Configuration Helper object. The Configuration object represents the Application Control configuration. It is solely concerned with data and contains no business logic.

Generic Base Types for Collections

Map

Methods:

Add(ValueType item)
Description: Adds a new item into the collection.
Parameters: item - The value to be added.

Remove(KeyType kt)
Description: Removes the value with the given key from the collection.
Parameters: kt - The key of the value to remove from the collection.

Item(KeyType kt)
Description: Accessor for a value within the collection.
Returns: The item (value) with the given key.
Parameters: kt - The key of the requested value.

Array

Methods:

Add(ValueType item)
Description: Adds a new item into the collection.
Parameters: item - The value to be added.

Remove(LONG index)
Description: Removes the item at the given position within the collection.
Parameters: index - The 0-based index of the value to remove.

Item(LONG index)
Description: Accessor for the item (value) at the given position within the collection.
Parameters: index - The 0-based index of the requested value.
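The following script is an added example, not one of the guide's own samples: it uses the Map methods above (Add, Remove, Item) together with the User Rights Management objects from the Create UPM Policies and Add user rights file samples to build a least-privilege policy that drops BUILTIN\Administrators and removes a chosen set of privileges, driven by a loop rather than one block per privilege. The policy name "Drop Administrator", the set of privileges removed, and the assumption that Map.Remove raises a trappable error for a key that is not present are this example's own choices; constant values are those listed in the samples.

```vbscript
' Added example: build a least-privilege User Rights policy with the AM COM API.
' Constant values are the ones listed in the guide's Create UPM Policies sample.
Const AM_URMGroupAction_Drop = 1
Const AM_URMPrivilegeAction_Remove = 3
Const AM_URMPrivilegeConstant_SeBackupPrivilege = 2
Const AM_URMPrivilegeConstant_SeDebugPrivilege = 9
Const AM_URMPrivilegeConstant_SeLoadDriverPrivilege = 15
Const AM_URMPrivilegeConstant_SeRestorePrivilege = 22
Const AM_URMPrivilegeConstant_SeTakeOwnershipPrivilege = 29
Const AM_URMPrivilegeConstant_SeTcbPrivilege = 30

' Policy name constructed for this example (assumption, not from the guide).
Const POLICY_NAME = "Drop Administrator"

' Privileges that give a process broad control of the machine; the policy
' strips them from the token. The two arrays must stay in step.
Dim PrivilegeNames, PrivilegeIds
PrivilegeNames = Array("SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege", _
                       "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege", "SeTcbPrivilege")
PrivilegeIds = Array(AM_URMPrivilegeConstant_SeDebugPrivilege, _
                     AM_URMPrivilegeConstant_SeBackupPrivilege, _
                     AM_URMPrivilegeConstant_SeRestorePrivilege, _
                     AM_URMPrivilegeConstant_SeTakeOwnershipPrivilege, _
                     AM_URMPrivilegeConstant_SeLoadDriverPrivilege, _
                     AM_URMPrivilegeConstant_SeTcbPrivilege)

' Load the live configuration exactly as the guide's samples do.
Dim Configuration, ConfigurationHelper, ConfigurationXml
Set Configuration = CreateObject("AM.Configuration.5")
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

' Make the script repeatable: remove any earlier copy of the policy first.
' Assumption: Map.Remove raises a trappable error when the key is absent.
On Error Resume Next
Configuration.URMPolicies.Remove POLICY_NAME
On Error GoTo 0

Dim URMPolicy
Set URMPolicy = Configuration.CreateInstanceFromClassName("AM.URMPolicy")
URMPolicy.Name = POLICY_NAME
Configuration.URMPolicies.Add URMPolicy.Xml

' Group action: drop BUILTIN\Administrators from the process token
' (SID written the way the guide's own sample writes it).
Dim URMBehaviour
Set URMBehaviour = Configuration.CreateInstanceFromClassName("AM.URMGroupBehaviour")
URMBehaviour.DisplayName = "BUILTIN\Administrators"
URMBehaviour.SID = "S-1-5-Domain-544"
URMBehaviour.Action = AM_URMGroupAction_Drop
Configuration.URMPolicies.Item(POLICY_NAME).GroupMembershipActions.Add URMBehaviour.Xml

' Privilege actions: one URMPrivilege object reused for every Add, as in the
' guide's sample, since Add copies the object's Xml.
Dim i, PrivilegeAction
Set PrivilegeAction = Configuration.CreateInstanceFromClassName("AM.URMPrivilege")
For i = 0 To UBound(PrivilegeNames)
    PrivilegeAction.Action = AM_URMPrivilegeAction_Remove
    PrivilegeAction.Name = PrivilegeNames(i)
    PrivilegeAction.Privilege = PrivilegeIds(i)
    Configuration.URMPolicies.Item(POLICY_NAME).PrivilegeActions.Add PrivilegeAction.Xml
Next

' Attach the policy to a file rule item in the Everyone group rule. The item is
' keyed on the command line so that later Item/Remove calls use the same key.
Dim File, URMFile
Set File = Configuration.CreateInstanceFromClassName("AM.File")
File.Path = "notepad.exe"
File.CommandLine = "notepad.exe"
Set URMFile = Configuration.CreateInstanceFromClassName("AM.URMRuleItemPolicy")
URMFile.KeyPath = File.CommandLine
URMFile.Policy.Policy = Configuration.URMPolicies.Item(POLICY_NAME).Name
URMFile.Application = File.Xml
URMFile.ApplyToChildProcesses = True
Configuration.GroupRules.Item("Everyone").UserRightsRules.URMFiles.Add URMFile.Xml

' Write the result back as the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
```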

Strongly Typed Collections

Collection | BaseType | ValueType | Key
ArchiveFolderCollection | Array | ArchiveFolder | none (indexed by position)
AuditEventFilterDictionary | Map | AuditEventFilter | File
ApplicationGroupDictionary | Map | ApplicationGroup | Path
CustomRuleDictionary | Map | CustomRule | Name
DeviceDictionary | Map | Device | Host
DeviceRuleDictionary | Map | DeviceRule | Name
DriveCollection | Map | Drive | Path
EngineeringKeyCollection | Array | EngineeringKey | none (indexed by position)
FileCollection | Map | File | CommandLine
FileExtensionDictionary | Map | FileExtension | Name
FolderCollection | Map | Folder | Path
GroupRuleDictionary | Map | GroupRule | DisplayName
NetworkConnectionCollection | Map | NetworkConnection | Path
ProcessRuleDictionary | Map | ProcessRule | Name
ScriptedRuleDictionary | Map | ScriptedRule | Name
SignatureFileCollection | Map | SignatureFile | CommandLine
TimeRangeCollection | Array | TimeRange | none (indexed by position)
TrustedApplicationCollection | Array | TrustedApplication | none (indexed by position)
TrustedOwnerDictionary | Map | TrustedOwner | DisplayName
UserRuleDictionary | Map | UserRule | DisplayName
URMPolicyDictionary | Map | URMPolicy | Name
URMGroupBehaviourDictionary | Map | URMGroupBehaviour | DisplayName
URMPrivilegeDictionary | Map | URMPrivilege | Name
URMRuleItemDictionary | Map | URMRuleItem | KeyPath
URMRuleItemPolicyDirectory | Map | URMRuleItemPolicy | KeyPath

Object Definitions

Object: Access Times

Property | Type | Description
MondayTimeRangeCollection | TimeRangeCollection | A collection of time ranges that are applied on Mondays.
TuesdayTimeRangeCollection | TimeRangeCollection | A collection of time ranges that are applied on Tuesdays.
WednesdayTimeRangeCollection | TimeRangeCollection | A collection of time ranges that are applied on Wednesdays.
ThursdayTimeRangeCollection | TimeRangeCollection | A collection of time ranges that are applied on Thursdays.
FridayTimeRangeCollection | TimeRangeCollection | A collection of time ranges that are applied on Fridays.
SaturdayTimeRangeCollection | TimeRangeCollection | A collection of time ranges that are applied on Saturdays.
SundayTimeRangeCollection | TimeRangeCollection | A collection of time ranges that are applied on Sundays.

Object: ApplicationGroup

Property | Type | Description
Path | BSTR | The name of the Application Group.
Description | BSTR | The description of the group.

Property | Type | Description
Files | FileCollection | Collection of files contained in this group.
Folders | FolderCollection | Collection of folders contained in this group.
SignatureFiles | SignatureFileCollection | Collection of signature files contained in this group.
NetworkConnections | NetworkConnectionCollection | Collection of network connections contained within this group.
Drives | DriveCollection | Collection of drives contained within this group.

Object: ArchiveFolder

Property | Type | Description
Path | BSTR | Full path to folder.

Object: ArchivingSettings

Property | Type | Description
ArchivingEnabled | VARIANT_BOOL | Specify whether to use archiving. Default = False.
NoAdminOwnedFiles | VARIANT_BOOL | Enable administrator-owned files to be ignored. Default = False.
OverwriteExistingFiles | VARIANT_BOOL | Specify whether files copied to the archive should overwrite existing files. Default = True.
AnonymousEnabled | VARIANT_BOOL | Specify whether files should have any user information stripped.
TotalLimit | LONG | The maximum size of the archive in MB. Default = 50.
UserLimit | LONG | The maximum size of a user's archive in MB. Default = 25.
ArchiveLessThanEnabled | VARIANT_BOOL | Specify whether only files smaller than a certain size will be archived. Default = False.
ArchiveLessThanAmount | LONG | The maximum size of a file that will be copied to the archive. Default = False.
OverwriteOldest | VARIANT_BOOL | Specify whether the oldest files in the archive are overwritten when the archive is full. Default = False.
ArchiveFolders | ArchiveFolderCollection | A list of archive folder locations; the first location in the list is given preference and the last location the lowest preference.

Object: AuditEventFilter

Property | Type | Description
File | BSTR | The file name/extension to which this filter will be applied.
Events | BSTR | A semi-colon delimited list of events. For example, 9005;9006;9007.

Object: AuditEventFiltering

Property | Type | Description
Enabled | VARIANT_BOOL | Specify whether event filtering is enabled. Default = True.
Files | AuditEventFilterDictionary | The list of event filters.

Object: Configuration

Property | Type | Description
Info | ConfigurationInfo | Configuration metadata.
DefaultRules | DefaultRules | Default rules settings.
MessageSettings | MessageSettings | Settings to allow customization of Application Control generated message boxes.
ArchivingSettings | ArchivingSettings | Options for files that are archived.
UserRules | UserRuleDictionary | Collection of configured user rules.
ApplicationGroups | ApplicationGroupDictionary | Library of Application Groups.
ProcessRules | ProcessRuleDictionary | Collection of configured process rules.
GroupRules | GroupRuleDictionary | Collection of configured group rules.
DeviceRules | DeviceRuleDictionary | Collection of configured device rules.
CustomRules | CustomRuleDictionary | Collection of configured custom rules.
ScriptedRules | ScriptedRuleDictionary | Collection of configured scripted rules.
EngineeringKeys | EngineeringKeyCollection | Collection of engineering keys.
URMPolicies | URMPolicyDictionary | Library of user rights policies.
AuditEventFilteringSettings | AuditEventFiltering | Options relating to which audit events are reported.
OnDemandConfigChangeSettings | OnDemandConfigChangeSettings | Options relating to Policy Change Requests.

Object: ConfigurationInfo

Property | Type | Description
Name | BSTR | The name of the configuration.
UniqueIndentifier | BSTR | The unique ID for the configuration.
Version | LONG | The configuration version.
Notes | BSTR | Any appropriate notes.
RevisionLevel | LONG | The configuration

Object: CustomRule

DisplayName (BSTR): The account name.
SID (BSTR): The account SID.
Devices (DeviceDictionary): Collection of devices to which this rule applies.
Name (BSTR): The name of the rule.
SecurityLevel (SecurityLevel): The level of restriction applied to this rule.
AccessibleApplicationGroups (ApplicationGroupReferenceDictionary): Collection of allowed Application Groups.
AccessibleFiles (FileCollection): Collection of allowed files.
AccessibleFolders (FolderCollection): Collection of allowed folders.
AccessibleDrives (DriveCollection): Collection of allowed drives.
AccessibleSignatures (SignatureFileCollection): Collection of allowed signatures.
AccessibleNetworkConnections (NetworkConnectionCollection): Collection of accessible network connections.
ProhibitedApplicationGroups (ApplicationGroupReferenceDictionary): Collection of denied Application Groups.
ProhibitedFiles (FileCollection): Collection of denied files.
ProhibitedFolders (FolderCollection): Collection of denied folders.
ProhibitedDrives (DriveCollection): Collection of denied drives.
ProhibitedSignatures (SignatureFileCollection): Collection of denied signatures.
ProhibitedNetworkConnections (NetworkConnectionCollection): Collection of denied network connections.
TrustedVendors (DigitalCertificateCollection): Collection of trusted vendors' digital certificates.
UserRightsRules (URMRules): Configured settings for user privileges rules.

Object: DefaultRules

TrustedOwnershipChecking (VARIANT_BOOL): Enable trusted ownership checking. Default = True.
ChangeFileOwnershipOnOverwriteOrRename (VARIANT_BOOL): Enable a change of file ownership when a file is overwritten or renamed. Default = True.
TrustedOwners (TrustedOwnerDictionary): A collection of configured Trusted Owners.
LocalDrivesAccessible (VARIANT_BOOL): Specify whether the local drives are allowed by default. Default = True.
IgnoreRestrictionsDuringLogon (VARIANT_BOOL): Allows restrictions to be ignored until the logon process is complete.
AllowCMDForBatchFiles (VARIANT_BOOL): Allows cmd.exe to run if it is run via execution of a batch file. Default = True.
ExtractSelfExtractingZIPFiles (VARIANT_BOOL): Specify whether Application Control should extract self-extracting .zip files. Default = True.
ValidateSystemProcesses (VARIANT_BOOL): Specify whether system processes will be subject to Application Control rules processing. Default = False.
ValidateMSI (VARIANT_BOOL): Specify whether Windows Installer (.MSI) packages are validated.
ValidateWSH (VARIANT_BOOL): Specify whether Windows Script Host (.WSH) files are validated. Default = True.
ValidateREG (VARIANT_BOOL): Specify whether Windows Registry (.REG) files are validated. Default = True.
DoExtensionFiltering (VARIANT_BOOL): Enable extension filtering. Default = False.
ExtensionFilteringScope (FileExtensionFilteringScope): Specify whether the file extensions in the FileExtensions property are included in or excluded from rules processing. Default = Exclude.
FileExtensions (FileExtensionDictionary): A list of extensions used for extension filtering.
ApplicationAccessEnabled (VARIANT_BOOL): Specify whether Application Access Control is enabled. Default = True.
ANACEnabled (VARIANT_BOOL): Specify whether Application Network Access Control is enabled. Default = True.
URMEnabled (VARIANT_BOOL): Specify whether User Privileges Management is enabled. Default = True.
IgnoreRestrictionsDuringActiveSetup (VARIANT_BOOL): Ignore restrictions during Active Setup. Default = False.
ProhibitFilesOnRemovableMedia (VARIANT_BOOL): Prohibit files on removable media. Default = True.

Object: Device

Host (BSTR): The host address.
HostType (DeviceType): Specify whether the address refers to a computer or a connecting device. Default = Computer.
NameType (HostNameType): Specify whether the address is a host name or an IP address. Default = HostName.

Object: DeviceRule

Devices (DeviceDirectory): Collection of devices to which this rule applies.
Name (BSTR): The name of the rule.
SecurityLevel (SecurityLevel): The level of restriction applied to this rule.
AccessibleApplicationGroups (ApplicationGroupReferenceDictionary): Collection of accessible Application Groups.
AccessibleFiles (FileCollection): Collection of allowed files.
AccessibleFolders (FolderCollection): Collection of allowed folders.
AccessibleDrives (DriveCollection): Collection of allowed drives.
AccessibleSignatures (SignatureFileCollection): Collection of allowed signatures.
AccessibleNetworkConnections (NetworkConnectionCollection): Collection of allowed network connections.
ProhibitedApplicationGroups (ApplicationGroupReferenceDictionary): Collection of denied Application Groups.
ProhibitedFiles (FileCollection): Collection of denied files.
ProhibitedFolders (FolderCollection): Collection of denied folders.
ProhibitedDrives (DriveCollection): Collection of denied drives.
ProhibitedSignatures (SignatureFileCollection): Collection of denied signatures.
ProhibitedNetworkConnections (NetworkConnectionCollection): Collection of denied network connections.

Object: DigitalCertificate

Path (BSTR): Unused for this object.
Description (BSTR): The description of the digital certificate.
EnforceExpiryDate (VARIANT_BOOL): Specify whether expiry date verification will be applied to this certificate. Default = False.
RawCertificateData (BSTR): The base64-encoded digital certificate.
ExpiryDate (BSTR): The certificate expiry date.
ErrorIgnoreFlags (LONG): A bitwise OR of the ErrorIgnoreFlags values below. Default = 0.

ErrorIgnoreFlags values:
  CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG
  CERT_CHAIN_POLICY_IGNORE_CTL_NOT_TIME_VALID_FLAG
  CERT_CHAIN_POLICY_IGNORE_NOT_TIME_NESTED_FLAG
  CERT_CHAIN_POLICY_IGNORE_INVALID_BASIC_CONSTRAINTS_FLAG
  CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG
  CERT_CHAIN_POLICY_IGNORE_WRONG_USAGE_FLAG
  CERT_CHAIN_POLICY_IGNORE_INVALID_NAME_FLAG
  CERT_CHAIN_POLICY_IGNORE_INVALID_POLICY_FLAG
  CERT_CHAIN_POLICY_IGNORE_END_REV_UNKNOWN_FLAG
  CERT_CHAIN_POLICY_IGNORE_CTL_SIGNER_REV_UNKNOWN_FLAG
  CERT_CHAIN_POLICY_IGNORE_CA_REV_UNKNOWN_FLAG
  CERT_CHAIN_POLICY_IGNORE_ROOT_REV_UNKNOWN_FLAG

Object: Drive

Path (BSTR): Full path to drive.
Description (BSTR): The drive description.

Object: File

Path (BSTR): Full path to file.
Description (BSTR): The file description.
Arguments (BSTR): The command line arguments used for spawning a process.
CommandLine (BSTR): The full command line (Path + Arguments) when a file is run.
ApplyAccessTimes (VARIANT_BOOL): Specify whether access times are to be applied. Default = False.
AccessTimes (AccessTimes): Collection of access times to be applied.
TrustedOwnershipChecking (VARIANT_BOOL): Specify whether the file is subject to Trusted Ownership checking. Default = True.
ApplicationLimit (LONG): The number of concurrent instances of this file that can be executed (0 means unlimited). Default = 0.

Object: FileExtension

Name (BSTR): File extension.

Object: FileMetaData

ProductVersionMaximum (BSTR): The maximum product version number to match.
ProductVersionMaximumEnabled (VARIANT_BOOL): Enables/disables the use of the ProductVersionMaximum property.
ProductVersionMinimum (BSTR): The minimum product version number to match.
ProductVersionMinimumEnabled (VARIANT_BOOL): Enables/disables the use of the ProductVersionMinimum property.
FileVersionMaximum (BSTR): The maximum file version number to match.
FileVersionMaximumEnabled (VARIANT_BOOL): Enables/disables the use of the FileVersionMaximum property.
FileVersionMinimum (BSTR): The minimum file version number to match. The format is <major>.<minor>.<build>.<revision>, where each element is a number or the '*' wildcard character to match anything.
FileVersionMinimumEnabled (VARIANT_BOOL): Enables/disables the use of the FileVersionMinimum property.
VendorName (BSTR): The Vendor Name to match against. Wildcard characters '*' and '?' are supported to match any substring or single character.
VendorNameEnabled (VARIANT_BOOL): Enables/disables the use of the VendorName property.
ProductName (BSTR): The Product Name to match against. Wildcard characters '*' and '?' are supported to match any substring or single character.
ProductNameEnabled (VARIANT_BOOL): Enables/disables the use of the ProductName property.
CompanyName (BSTR): The Company Name to match against. Wildcard characters '*' and '?' are supported to match any substring or single character.
CompanyNameEnabled (VARIANT_BOOL): Enables/disables the use of the CompanyName property.
FileDescription (BSTR): The File Description to match against. Wildcard characters '*' and '?' are supported to match any substring or single character.
FileDescriptionEnabled (VARIANT_BOOL): Enables/disables the use of the FileDescription property.

Object: Folder

Path (BSTR): Full path to folder.
Description (BSTR): The folder description.
ApplyAccessTimes (VARIANT_BOOL): Specify whether access times are to be applied.
AccessTimes (AccessTimes): Collection of access times to be applied.
TrustedOwnershipChecking (VARIANT_BOOL): Specify whether the folder is subject to Trusted Ownership checking. Default = True.
Recursive (VARIANT_BOOL): Whether rules are applied to sub-folders. Default = True.

Object: GroupRule

DisplayName (BSTR): The account name.
SID (BSTR): The account SID.
Name (BSTR): The name of the rule.
SecurityLevel (SecurityLevel): The level of restriction applied to this rule.
Groups (ApplicationGroupReferenceDictionary): Collection of allowed Application Groups.
AccessibleFiles (FileCollection): Collection of allowed files.
AccessibleFolders (FolderCollection): Collection of allowed folders.
AccessibleDrives (DriveCollection): Collection of allowed drives.
AccessibleSignatures (SignatureFileCollection): Collection of allowed signatures.
AccessibleNetworkConnections (NetworkConnectionCollection): Collection of allowed network connections.
ProhibitedApplicationGroups (ApplicationGroupReferenceDictionary): Collection of denied Application Groups.
ProhibitedFiles (FileCollection): Collection of denied files.
ProhibitedFolders (FolderCollection): Collection of denied folders.
ProhibitedDrives (DriveCollection): Collection of denied drives.
ProhibitedSignatures (SignatureFileCollection): Collection of denied signatures.
ProhibitedNetworkConnections (NetworkConnectionsCollection): Collection of denied network connections.
TrustedVendors (DigitalCertificateCollection): Collection of trusted vendors' digital certificates.
UserRightsRules (URMRules): Configured settings for User Privileges rules.

Object: MessageSettings

DisplayInitialWarningMessage (VARIANT_BOOL): Determines whether the user should be warned that an application is about to be closed because its allowed time has expired.
CloseApplication (VARIANT_BOOL): Determines whether an application with an expired allowed time should be sent a WM_CLOSE to give the user a chance to save work.
TerminateApplication (VARIANT_BOOL): Determines whether an application with an expired allowed time should be forcefully terminated.
WaitTime (LONG): The delay period between warning the user, sending a WM_CLOSE and terminating the application. This value is in seconds.
AccessDeniedMessageCaption (BSTR): The caption for the denied message box.
AccessDeniedMessageBody (BSTR): The text for the denied message box.
ApplicationLimitsExceededMessageCaption (BSTR): The caption for the message box that is displayed when an application has reached its application limit.
ApplicationLimitsExceededMessageBody (BSTR): The text for the message box that is displayed when an application has reached its application limit.
TimeLimitsWarningMessageCaption (BSTR): The caption for the message box that is displayed when an application has reached the end of its allowed time.
TimeLimitsWarningMessageBody (BSTR): The text for the message box that is displayed when an application has reached the end of its allowed time.
TimeLimitsDeniedMessageCaption (BSTR): The caption for the message box that is displayed when an application is denied due to a time restriction.
TimeLimitsDeniedMessageBody (BSTR): The text for the message box that is displayed when an application is denied due to a time restriction.
SelfAuthorizationMessageCaption (BSTR): The caption for the message box that is displayed when user authorization is required to run a file.
SelfAuthorizationMessageBody (BSTR): The text for the message box that is displayed when user authorization is required to run a file.
SelfAuthorizationResponseCaption (BSTR): The text for the message box that is displayed when the user has previously self-authorized a file to run.
SelfAuthorizationResponseBody (BSTR): The caption for the message box that is displayed when the user has previously self-authorized a file to run.

Object: NetworkConnection

Path (BSTR): Full path to network resource.
Description (BSTR): The description of the network resource.
Address (BSTR): The address of the network resource, for example,
Resource (BSTR): The resource path, for example \weather.
Port (BSTR): The port to which this network connection applies, if appropriate.
UseWildcards (VARIANT_BOOL): Specify whether any part of the whole network location contains wildcards.
AddressType (NetworkConnectionType): The connection type. Default = False.
Recursive (VARIANT_BOOL): Specify whether child resources are included as part of this connection.

Object: OnDemandConfigChangeSettings

OnDemandEnabled (VARIANT_BOOL): Global on/off for Policy Change Request. Default = False.
RequestsEnabled (VARIANT_BOOL): Enables the Request functionality for Policy Change Requests. Default = True.
MailToAddress (BSTR): Specifies the recipient address.
EmergencyRequestsEnabled (VARIANT_BOOL): Enables the Immediate Change Request functionality. Default = True.
HelpDeskPhoneNumber (BSTR): Specifies the phone number for the Help Desk.
SharedKey (BSTR): Specifies the salt for use in encryption algorithms. Must use ASCII characters and match the key used by the Help Desk. This is to be used in conjunction with the ConfigurationHelper object. For further information, see Policy Change Request.
RequestMethods (OnDemandConfigChangeUserInteractionSetup): Configures the request methods.

Object: OnDemandConfigChangeUserInteractionSetup

AllowLinkFromAMDenied (VARIANT_BOOL): Enable link through from the AMDenied Message. Default = True.
AMDeniedLinkText (BSTR): Specify the text displayed in the AMDenied Message dialog link.
ShowShellMenu (VARIANT_BOOL): Enables the right-click context option menu. Default = True.
ShellMenuText (BSTR): Specify the text displayed in the right-click context menu.
ShowDesktopIcon (VARIANT_BOOL): Enables the Policy Change Request desktop icon. Default = True.
DesktopIconText (BSTR): Specify the text displayed on the Policy Change Request desktop icon.
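The FileMetaData object above specifies version ranges whose elements may be '*' and name fields that accept '*' and '?' wildcards. The Python below is an added example, not code from the product or from this guide: it re-implements those documented matching rules so their boundaries can be exercised offline, and it assumes two things the guide does not state, namely that all enabled criteria must hold together and that name matching is case-insensitive. The sample file record is constructed.

```python
"""FileMetaData matching rules, re-implemented as an added example.

Documented behaviour followed here:
  * version fields are <major>.<minor>.<build>.<revision>; each element is
    a number or '*', which matches anything in that position;
  * VendorName, ProductName, CompanyName and FileDescription accept the
    '*' (any substring) and '?' (single character) wildcards;
  * a criterion is only evaluated when its *Enabled flag is True.
Assumed (not stated in the guide): criteria combine with AND, and name
matching is case-insensitive.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# A parsed version: four elements, None standing in for the '*' wildcard.
Version = Tuple[Optional[int], ...]


def parse_version(text: str) -> Version:
    """Parse 'a.b.c.d' where each element is a non-negative integer or '*'."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p == "*" or p.isdigit() for p in parts):
        raise ValueError(f"bad version string {text!r}")
    return tuple(None if p == "*" else int(p) for p in parts)


def compare_version(actual: str, pattern: str) -> int:
    """Return -1, 0 or 1 as 'actual' sorts below, within or above 'pattern'.

    Elements are compared left to right. A '*' in the pattern matches the
    corresponding element of the actual version, so comparison moves on to
    the next element. The file's own version must be fully numeric.
    """
    act = parse_version(actual)
    if None in act:
        raise ValueError("the file's own version may not contain wildcards")
    for a, p in zip(act, parse_version(pattern)):
        if p is not None and a != p:
            return -1 if a < p else 1
    return 0


def wildcard_match(pattern: str, value: str) -> bool:
    """Whole-string match where '*' is any substring and '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


@dataclass
class FileMetaData:
    """Property names follow the FileMetaData object in the guide."""
    ProductVersionMinimum: str = ""
    ProductVersionMinimumEnabled: bool = False
    ProductVersionMaximum: str = ""
    ProductVersionMaximumEnabled: bool = False
    FileVersionMinimum: str = ""
    FileVersionMinimumEnabled: bool = False
    FileVersionMaximum: str = ""
    FileVersionMaximumEnabled: bool = False
    VendorName: str = ""
    VendorNameEnabled: bool = False
    ProductName: str = ""
    ProductNameEnabled: bool = False
    CompanyName: str = ""
    CompanyNameEnabled: bool = False
    FileDescription: str = ""
    FileDescriptionEnabled: bool = False

    def matches(self, file_info: Dict[str, str]) -> bool:
        """file_info holds the version-resource strings read from a file."""
        for field in ("ProductVersion", "FileVersion"):
            if getattr(self, field + "MinimumEnabled") and compare_version(
                    file_info[field], getattr(self, field + "Minimum")) < 0:
                return False
            if getattr(self, field + "MaximumEnabled") and compare_version(
                    file_info[field], getattr(self, field + "Maximum")) > 0:
                return False
        for field in ("VendorName", "ProductName", "CompanyName",
                      "FileDescription"):
            if getattr(self, field + "Enabled") and not wildcard_match(
                    getattr(self, field), file_info[field]):
                return False
        # Only enabled criteria count; with none enabled, everything matches.
        return True


# Constructed sample of an executable's version resource (not a real file).
SAMPLE_FILE = {
    "FileVersion": "10.1.4.0",
    "ProductVersion": "10.1.0.0",
    "VendorName": "Example Software Ltd",
    "ProductName": "Example Viewer",
    "CompanyName": "Example Software Ltd",
    "FileDescription": "Example Viewer",
}


def demo() -> bool:
    """Rule: any 10.1.x.x file version from a vendor named 'Example...'."""
    rule = FileMetaData(
        FileVersionMinimum="10.1.*.*", FileVersionMinimumEnabled=True,
        FileVersionMaximum="10.1.*.*", FileVersionMaximumEnabled=True,
        VendorName="Example*", VendorNameEnabled=True,
    )
    return rule.matches(SAMPLE_FILE)
```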

Object: ProcessRule

SecurityLevel (SecurityLevel): The level of restriction applied to this rule.
AccessibleApplicationGroups (ApplicationGroupReferenceDictionary): Collection of allowed Application Groups.
AccessibleFiles (FileCollection): Collection of allowed files.
AccessibleFolders (FolderCollection): Collection of allowed folders.
AccessibleDrives (DriveCollection): Collection of allowed drives.
AccessibleSignatures (SignatureFileCollection): Collection of allowed signatures.
AccessibleNetworkConnections (NetworkConnectionCollection): Collection of allowed network connections.
ProhibitedApplicationGroups (ApplicationGroupReferenceDictionary): Collection of denied Application Groups.
ProhibitedFiles (FileCollection): Collection of denied files.
ProhibitedFolders (FolderCollection): Collection of denied folders.
ProhibitedDrives (DriveCollection): Collection of denied drives.
ProhibitedSignatures (SignatureFileCollection): Collection of denied signatures.
ProhibitedNetworkConnections (NetworkConnectionsCollection): Collection of denied network connections.
TrustedVendors (DigitalCertificateCollection): Collection of trusted vendors' digital certificates.
UserRightsRules (URMRules): Configured settings for User Privileges rules.
FileProcessItems (FileCollection): Collection of processes to which this rule applies.
SignatureProcessItems (SignatureProcessItems): Collection of processes to which this rule applies, defined by signature.

Object: ScriptedRule

EntryFunction (BSTR): The function that will be executed when the script is launched.
Script (BSTR): The body of the script.
Context (ExecutionContext): The context in which the script is executed. Default = PerSessionAsUser.
WaitForLogin (VARIANT_BOOL): Specify whether execution of the script will be delayed until the login process is complete. Default = False.
Timeout (LONG): The timeout period a script is given before being terminated.
Name (BSTR): The name of the rule.
SecurityLevel (SecurityLevel): The level of restriction applied to this rule.
AccessibleApplicationGroups (ApplicationGroupReferenceDictionary): Collection of allowed Application Groups.
AccessibleFiles (FileCollection): Collection of allowed files.
AccessibleFolders (FolderCollection): Collection of allowed folders.
AccessibleDrives (DriveCollection): Collection of allowed drives.
AccessibleSignatures (SignatureFileCollection): Collection of allowed signatures.
AccessibleNetworkConnections (NetworkConnectionCollection): Collection of allowed network connections.
ProhibitedApplicationGroups (ApplicationGroupReferenceDictionary): Collection of denied Application Groups.
ProhibitedFiles (FileCollection): Collection of denied files.
ProhibitedFolders (FolderCollection): Collection of denied folders.
ProhibitedDrives (DriveCollection): Collection of denied drives.
ProhibitedSignatures (SignatureFileCollection): Collection of denied signatures.
ProhibitedNetworkConnections (NetworkConnectionsCollection): Collection of denied network connections.
TrustedVendors (DigitalCertificateCollection): Collection of trusted vendors' digital certificates.
UserRightsRules (URMRules): Configured settings for User Privileges rules.
FileProcessItems (FileCollection): Collection of processes to which this rule applies.
SignatureProcessItems (SignatureProcessItems): Collection of processes to which this rule applies, defined by signature.

Object: SignatureFile

Path (BSTR): Full path to the file.
Description (BSTR): The file description.
Arguments (BSTR): The command line arguments used for spawning a process.
Sha1Hash (BSTR): The SHA1 hash of the file.
CommandLine (BSTR): The full command line (Sha1Hash + Arguments) when a file is run.
Version (BSTR): The file version information.
ApplyAccessTimes (VARIANT_BOOL): Specify whether access times are to be applied. Default = False.
AccessTimes (AccessTimes): Collection of access times to be applied.

Object: TimeRange

StartHour (LONG): The hour at which the time range starts.
EndHour (LONG): The hour at which the time range ends.

Object: TrustedOwner

DisplayName (BSTR): The account name.
SID (BSTR): The account SID.
Description (BSTR): The account description.

Object: URMGroupBehaviour

DisplayName (BSTR): The name of the group.
SID (BSTR): The group's SID.
Action (URMGroupAction): The action to perform with this group. Default = Add.

Object: URMPolicy

Name (BSTR): Name of the policy.
Description (BSTR): A description for the policy.
GroupMembershipActions (URMGroupBehaviourDictionary): A collection of configured UPM (User Privilege Management) Group Behavior actions.
PrivilegeActions (URMPrivilegeDictionary): A collection of configured UPM Privilege actions.

Object: URMPrivilege

Name (BSTR): Textual description of the privilege.
Privilege (URMPrivilegeConstant): The privilege being set. Default = SeAssignPrimaryTokenPrivilege.
Action (URMPrivilegeAction): The action to perform on the privilege. Default = NoChange.

Object: URMRuleItem

KeyPath (BSTR): The keypath used in collections of URMRuleItems.
Application (RuleItem): The application for which to apply the User Rights setting. Can be of type File, Folder, Signature File or Application Group.
ApplyToChildren (VARIANT_BOOL): Setting to specify whether the user rights setting should be applied to any child processes. Default = False.

Object: URMRuleItemPolicy

KeyPath (BSTR): The keypath used in collections of URMRuleItems.
Application (RuleItem): The application to which to apply the User Rights policy. Can be of type File, Folder, Signature File or Application Group.
ApplyToChildren (VARIANT_BOOL): Setting to specify whether the user rights policy should be applied to any child processes. Default = False.
Policy (URMPolicyReference): The URM Policy to apply to the application.

Object: URMRules

URMFiles (URMRuleItemPolicyDictionary): Collection of files and User Privileges Management (UPM) policies to apply to them.
URMSignatures (URMRuleItemPolicyDictionary): Collection of signature files and UPM policies to apply to them.
URMFolders (URMRuleItemPolicyDictionary): Collection of folders and UPM policies to apply to them.
URMApplicationGroups (URMRuleItemPolicyDictionary): Collection of Application Groups and UPM policies to apply to them.

Object: UserRule

DisplayName (BSTR): The account name.
SID (BSTR): The account SID.
Name (BSTR): The name of the rule.
SecurityLevel (SecurityLevel): The level of restriction applied to this rule.
AccessibleApplicationGroups (ApplicationGroupReferenceDictionary): Collection of allowed Application Groups.
AccessibleFiles (FileCollection): Collection of allowed files.
AccessibleFolders (FolderCollection): Collection of allowed folders.
AccessibleDrives (DriveCollection): Collection of allowed drives.
AccessibleSignatures (SignatureFileCollection): Collection of allowed signatures.
AccessibleNetworkConnections (NetworkConnectionCollection): Collection of allowed network connections.
ProhibitedApplicationGroups (ApplicationGroupReferenceDictionary): Collection of denied Application Groups.
ProhibitedFiles (FileCollection): Collection of denied files.
ProhibitedFolders (FolderCollection): Collection of denied folders.
ProhibitedDrives (DriveCollection): Collection of denied drives.
ProhibitedSignatures (SignatureFileCollection): Collection of denied signatures.
ProhibitedNetworkConnections (NetworkConnectionsCollection): Collection of denied network connections.
TrustedVendors (DigitalCertificateCollection): Collection of trusted vendors' digital certificates.
UserRightsRules (URMRules): Configured settings for User Privileges rules.

Enumerations

Name: DeviceType
  Computer = 0
  ConnectingDevice = 1

Name: ExecutionContext
  PerSessionAsUser = 0
  PerSessionAsSystem = 1
  PerComputerAsSystem = 2

Name: FileExtensionFilteringScope
  Exclude = 0
  Include = 1

Name: HostNameType
  HostName = 0
  IPAddress = 1

Name: NetworkConnectionType
  HostAddress = 0
  IPAddress = 1
  UNCPath = 2

Name: ScriptingLanguage
  VBScript = 0
  PowerShell = 1

Name: SecurityLevel
  Restricted = 0
  SelfAuthorizing = 1
  Unrestricted = 2
  AuditOnly = 3

Configuration Helper Object

About the Configuration Helper Object

The Configuration Helper object provides useful functionality that is not provided by the configuration model, such as the ability to load and save configurations. The methods listed below report errors as an HRESULT, which can be tested for in VBScript using the Err object. Success is reported as S_OK, which is 0. In case of error, most of the time the Configuration Helper Object returns the error code which is 0x in hex and defined as E_FAIL in COM. The other most common error is which is 0x in hex and defined as

Configuration Helper Object Methods

LoadLiveConfiguration (method)
  Returns:
    BSTR - The XML representation of the live configuration.
    HRESULT - Returns S_OK if successful.

SaveLiveConfiguration (method)
  Returns:
    HRESULT - Returns S_OK if successful.
  Parameters:
    BSTR - The XML representation of the configuration loaded from disk.

LoadLocalConfiguration (method)
  Returns:
    BSTR - The XML representation of the configuration loaded from disk.
    HRESULT - Returns S_OK if successful.
  Parameters:
    BSTR - The full file path of the configuration to load.

SaveLocalConfiguration (method)
  Parameters:
    BSTR - The full file path of the configuration to load.
    BSTR - The XML representation of the configuration to save.

ReadNumCertificatesFromFile (method)
  Returns:
    LONG - The number of certificates used to sign the specified executable file.
  Parameters:
    BSTR - The full file path of the executable file used in determining the certificate count.

ReadCertificateFromFile (method)
  Returns:
    BSTR - The raw certificate data.
  Parameters:
    BSTR - The full file path of the executable file from which the certificate will be read.
    LONG - The index of the certificate to read.

ReadSha1HashFromFile (method)
  Returns:
    BSTR - The hash value.
    HRESULT - Returns S_OK if successful.
  Parameters:
    BSTR - The full file path of the file for which the hash will be generated.

DefaultConfiguration (property)

This BSTR property contains the XML representation of the default configuration. The DefaultConfiguration() method only returns a configuration in the English language. This means that some group names and other text in the configuration may not be in the native language of the operating system, which can result in the configuration not being applied correctly. For non-English operating systems it is necessary to export the default configuration from the product console on a native operating system. This can be stored as a file on the network or distributed to the machine where the configuration scripting will be performed. Once this is done, use the LoadLocalConfiguration() method in place of DefaultConfiguration(). This produces the same configuration, but in the correct native language.

LoadLocalConfigurationWithAuditing (method)
  Returns:
    BSTR - The XML representation of the live configuration.
    BSTR - The XML representation of the live Auditing configuration.
    HRESULT - Returns S_OK if successful.
  Parameters:
    BSTR - The full file path of the configuration to load.

SaveLocalConfigurationWithAuditing (method)
  Parameters:
    BSTR - The full file path of the configuration to save.
    BSTR - The XML representation of the configuration to save.
    BSTR - The XML representation of the auditing configuration to save.

SaveLocalConfigurationWithAuditingFile (method)
  Parameters:
    BSTR - The full file path of the configuration to save.
    BSTR - The XML representation of the configuration to save.
    BSTR - The full file path of the Auditing.xml to save.

LoadLiveConfigurationWithAuditing (method)
  Returns:
    BSTR - The XML representation of the live configuration.
    BSTR - The XML representation of the live Auditing configuration.
    HRESULT - Returns S_OK if successful.

SaveLiveConfigurationWithAuditing (method)
  Parameters:
    BSTR - The XML representation of the configuration to save.
    BSTR - The XML representation of the auditing configuration to save.

SaveLiveConfigurationWithAuditingFile (method)
  Parameters:
    BSTR - The XML representation of the configuration to save.
    BSTR - The full file path of the Auditing.xml to save.

EncryptSharedKey (method)
  Parameters:
    BSTR - The shared key used in Policy Change Requests.
  Returns:
    BSTR - Encrypted version of the shared key.
    HRESULT - Returns S_OK if successful.

LoadLocalConfigurationHandle (method)
  Parameters:
    BSTR - The full file path of the configuration to load.
  Returns:
    VARIANT - Opened file handle.
    BSTR - The XML representation of the configuration.
    HRESULT - Returns S_OK if successful.

LoadLiveConfigurationHandle (method)
  Returns:
    VARIANT - Opened file handle.
    BSTR - The XML representation of the live configuration.
    HRESULT - Returns S_OK if successful.

LoadLocalConfigurationHandleWithAuditing (method)
  Parameters:
    BSTR - The full file path of the configuration to load.
  Returns:
    BSTR - The XML representation of the configuration.
    BSTR - The XML representation of the auditing configuration.
    VARIANT - Opened file handle.
    HRESULT - Returns S_OK if successful.

LoadLiveConfigurationHandleWithAuditing (method)
  Returns:
    BSTR - The XML representation of the configuration.
    BSTR - The XML representation of the auditing configuration.
    VARIANT - Opened file handle.
    HRESULT - Returns S_OK if successful.

SaveLocalConfigurationHandle (method)
  Parameters:
    BSTR - The full file path of the configuration to save.
    BSTR - The XML representation of the configuration.
    VARIANT - Opened file handle.

SaveLiveConfigurationHandle (method)
  Parameters:
    BSTR - The XML representation of the configuration.
    VARIANT - Opened file handle.

SaveLocalConfigurationHandleWithAuditing (method)
  Parameters:
    BSTR - The full file path of the configuration to save.
    BSTR - The XML representation of the configuration.
    BSTR - The XML representation of the auditing configuration.
    VARIANT - Opened file handle.

SaveLiveConfigurationHandleWithAuditing (method)
  Parameters:
    BSTR - The XML representation of the configuration.
    BSTR - The XML representation of the auditing configuration.
    VARIANT - Opened file handle.

Import and Export Scripted Rules

The Scripted Rule import and export feature copies PowerShell and VBScript scripts from one Application Control console to another and enables you to import a script that has been written in another editor.

Export a Scripted Rule

1. Navigate to the Scripted Rule node and select the rule to be exported.
2. In the Current Script section of the work area, select Click here to edit script. The Configure this Scripted Rule dialog displays.
3. Ensure the script displayed is correct.
4. Click Export.
5. Navigate to where you want the script to be exported and click Save.
6. Click OK.

Import a Scripted Rule

When you import a script, any existing script displayed in the Configure this Scripted Rule dialog is overwritten.

1. Navigate to the Scripted Rule node and select where the rule is to be imported.
2. In the Current Script section of the work area, select Click here to edit script. The Configure this Scripted Rule dialog displays.
3. Click Import.
4. Navigate to where you saved the script and click Open.
5. Click OK.

Appendix

Citrix XenApp

To set up Citrix XenApp streaming applications to work with certain elements of Application Control, you need to specify certain exclusions, as follows:

1. Navigate to Citrix Streaming Profiler for Windows.
2. Open the Application Profile.
3. Highlight the relevant Target and select the Edit menu.
4. Select Target Properties. The Target Properties screen displays.
5. Select Rules. The Rules work area displays.
6. Click Add in the Rules work area. The New Rule Select Action and Objects dialog displays.
7. In the Action section, leave the default setting as Ignore.
8. In the Object section, select Named Objects and click Next. The New Rule Select Objects dialog displays.
9. Select Some Named Objects and click Add. The Choose Named Object dialog displays.
10. Add \??\pipe\Appsense* and click OK. This displays in Named Objects on the New Rule Select Objects dialog.
11. Click Next to display the New Rule Name Rule dialog.
12. Enter a name for the rule or accept the default and click Finish.
13. Click OK. The Target Properties screen displays and the Ignore all named objects rule is listed in the work area.
14. Save the Profile.

Repeat for each Application Profile as required.

Application Control Web Services Configuration

Prerequisites

The system requirements for Application Control Web Services are:

- Microsoft .NET Framework 4.0 Full (x86 and x64)
- Microsoft Visual C++ x86 Redistributable package. This is required for both x64 and x86 versions of Application Control.

For further information on required utilities and components, see the DesktopNow Install and Upgrade Guide.

Application Control Web Services Port Configuration

The Application Control Web Service provides two communication routes:

- With machines hosting the Application Control Agent, to allow reporting of data.
- With the Application Control Console, to allow querying of collected data.

Communication with the Application Control Web Service is via HTTP or optionally Secure HTTP (HTTPS), defaulting to the standard TCP ports 80 for HTTP and 443 for HTTPS. It is recommended that you use the default values, as these ports are already well known by firewall products and should provide the most trouble-free installation. However, should you find you have a port conflict with other software, follow the steps to configure the Application Control Web Service to use ports that are free.

Configure Application Control Web Services to use SSL

This process describes how to configure the Application Control Web Services to use secure sockets for communication.

1. Click Start > Run and enter MMC. The Microsoft Management Console displays.

2. Click File > Add/Remove Snap-in... The Add or Remove Snap-ins dialog displays.
3. Select Certificates and click Add.

4. From the Certificates snap-in dialog, select Computer account and click Next.
5. Click Finish and then OK. The snap-in is added to the MMC.
6. From the navigation tree, select Certificates (Local Computer) > Personal.
7. Right-click Personal and select All Tasks > Import... The Certificate Import Wizard displays.
8. Click Next.

9. Click Browse and select All Files in the Open dialog.
10. Navigate to, and select, the required PFX file and click Open.
11. Click Next.

12. Enter the password for the private key and click Next.

13. Select the Automatically select the certificate store based on the type of certificate option and click Next.
14. Click Next then OK to complete the import and close the wizard.
15. Refresh the MMC. The certificate displays in the Personal > Certificates store.
16. Right-click on the machine certificate and select Open.
17. Select the Details tab.

18. Select Thumbprint to display the value in the text box below.
19. Copy the value and paste it into a text editor, such as Notepad.
20. Remove any spaces from the value. This will be used for the certhash value in the commands entered in step 26.
21. Click OK to close the certificate.
22. Close MMC without saving.
23. Stop Application Control Web Services.
24. From an elevated Notepad, open the following file: %ProgramFiles(x86)%\appsense\applicationmanager\analysisservice\analysisservicecore.dll.config
25. In the file, change to and save.

26. From an elevated CMD on the server, run the following commands, replacing the certhash values with your thumbprint value from step 20:

netsh http add sslcert hostnameport=localhost:443 certhash=d3a081a09fbde478ecf58b a5daeb87e4 appid= { } certstorename=my
netsh http add sslcert hostnameport=lb-svr2012-r2-5:443 certhash=d3a081a09fbde478ecf58b a5daeb87e4 appid= { } certstorename=my

27. Start Application Control Web Services.
28. From a browser, test the connection to the web service using https://lb-svr2012-r2-5/ondemand
29. Authenticate with a valid user.

Configuring TCP port numbers used for Communication

For the two communication routes you can independently configure the ports used for HTTP and HTTPS, meaning up to four different port numbers could be configured.
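The thumbprint hand-off in steps 18 to 26 (copy the value out of the certificate dialog, strip the spaces, paste it into netsh) is where this procedure most often goes wrong: a thumbprint with a stray space, an expired certificate, or a certificate without its private key all produce a binding that HTTP.sys accepts but that clients cannot use. The following PowerShell script is an added example, not code from the Ivanti guide, that performs the same binding from the Personal store directly and checks those conditions first. It assumes the certificate was already imported as in steps 4 to 15, that the server name and certificate subject shown are placeholders to be replaced, and that any GUID is acceptable as the appid (the guide's own appid value did not survive extraction). Run it from an elevated PowerShell session while the Web Services are stopped (step 23), then start them again (step 27).

```powershell
# Added example (not part of the Ivanti Application Control guide): bind a
# machine certificate to the Application Control Web Service HTTPS port,
# equivalent to steps 18 to 26 of the procedure above.
#Requires -RunAsAdministrator

param(
    # Placeholder host names; replace with the server's own name(s).
    [string[]]$HostNames = @('localhost', 'APPCONTROL-SERVER-PLACEHOLDER'),
    [int]$Port = 443,
    # Placeholder subject of the imported machine certificate.
    [string]$Subject = 'CN=APPCONTROL-SERVER-PLACEHOLDER'
)

# 1. Select a usable certificate from the store the guide imports into
#    (Certificates (Local Computer) > Personal): it must carry a private key
#    and be within its validity period. Prefer the one that expires last.
$now  = Get-Date
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
    Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No valid certificate with a private key found for $Subject in Cert:\LocalMachine\My"
}
# A certificate that does not chain to a trusted root still binds, but
# consoles and agents will reject the TLS handshake; warn early.
if (-not $cert.Verify()) {
    Write-Warning "Certificate $($cert.Thumbprint) does not chain to a trusted root on this machine."
}

# 2. The Thumbprint property is already the bare hex string that steps 18
#    to 20 produce by hand (no spaces), so no Notepad editing is needed.
$certHash = $cert.Thumbprint

# 3. Application identifier for the binding. Assumption: any GUID is
#    acceptable to netsh here, so one is generated rather than taken
#    from the guide (whose value was not preserved).
$appId = '{' + [guid]::NewGuid().ToString() + '}'

foreach ($name in $HostNames) {
    $hostPort = "${name}:$Port"

    # netsh refuses to overwrite an existing binding for the same
    # host:port, so remove a stale one before adding the new thumbprint.
    $existing = netsh http show sslcert hostnameport=$hostPort 2>$null
    if ($LASTEXITCODE -eq 0 -and ($existing -match 'Certificate Hash')) {
        netsh http delete sslcert hostnameport=$hostPort | Out-Null
    }

    # Same command form as the guide's step 26, with the store name MY.
    netsh http add sslcert hostnameport=$hostPort certhash=$certHash appid=$appId certstorename=MY
    if ($LASTEXITCODE -ne 0) {
        throw "netsh failed to bind certificate $certHash to $hostPort"
    }
}

# 4. Verify what HTTP.sys actually recorded; the hash shown for each
#    host:port must equal $certHash.
netsh http show sslcert | Select-String -Pattern 'Hostname:port|Certificate Hash'
```

After starting the Web Services again, the browser check in step 28 should succeed without a certificate warning; if it does not, the `Verify()` warning above is the first thing to revisit, since a binding to an untrusted or self-signed certificate is the usual cause.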


More information

Shavlik Protect. Migration Tool User s Guide

Shavlik Protect. Migration Tool User s Guide Shavlik Prtect Migratin Tl User s Guide Cpyright and Trademarks Cpyright Cpyright 2014-2015 LANDESK Sftware, Inc. All rights reserved. This prduct is prtected by cpyright and intellectual prperty laws

More information

SAS Hot Fix Analysis, Download and Deployment Tool

SAS Hot Fix Analysis, Download and Deployment Tool SAS Ht Fix Analysis, Dwnlad and Deplyment Tl SASHFADD Versin 2.2.1 Usage Guide What's New in SASHFADD 2.2.1? Table f Cntents Intrductin... 1 System Requirements... 2 Imprtant infrmatin regarding tl usage...

More information

Table of Contents. WipeDrive Enterprise Logging, March Logging Settings... 3 Log Format Types Audit Log Destination Options...

Table of Contents. WipeDrive Enterprise Logging, March Logging Settings... 3 Log Format Types Audit Log Destination Options... WipeDrive Enterprise Lgging, March 2018 Table f Cntents Lgging Settings... 3 Lg Frmat Types... 4 Plain Text Lg File Optin... 4 Extensible Markup Language (XML) Lg File Optin... 6 Cmma Delimited (CSV) Lg

More information

Troubleshooting Citrix- Published Resources Configuration in VMware Identity Manager

Troubleshooting Citrix- Published Resources Configuration in VMware Identity Manager Trubleshting Citrix- Published Resurces Cnfiguratin in VMware Identity Manager VMware Identity Manager A U G U S T 2 0 1 7 V1 Table f Cntents Overview... 1 Supprted Versins f Cmpnents... 1 Prerequisites...

More information

Microsoft Excel Extensions for Enterprise Architect

Microsoft Excel Extensions for Enterprise Architect Excel Extensins User Guide Micrsft Excel Extensins fr Enterprise Architect Micrsft Excel Extensins fr Enterprise Architect... 1 Disclaimer... 2 Dependencies... 2 Overview... 2 Installatin... 4 Verifying

More information

Enabling Your Personal Web Page on the SacLink

Enabling Your Personal Web Page on the SacLink 53 Enabling Yur Persnal Web Page n the SacLink *Yu need t enable yur persnal web page nly ONCE. It will be available t yu until yu graduate frm CSUS. T enable yur Persnal Web Page, fllw the steps given

More information

EView/400i Management Pack for Systems Center Operations Manager (SCOM)

EView/400i Management Pack for Systems Center Operations Manager (SCOM) EView/400i Management Pack fr Systems Center Operatins Manager (SCOM) Cncepts Guide Versin 7.0 July 2015 1 Legal Ntices Warranty EView Technlgy makes n warranty f any kind with regard t this manual, including,

More information

File Share Navigator Online

File Share Navigator Online File Share Navigatr Online User Guide Service Pack 7 Issued September 2017 Table f Cntents What s New in this Guide... 4 Abut File Share Navigatr Online... 5 Cmpnents f File Share Navigatr Online... 5

More information