IBM Secret Server - Privilege Manager Policy Priority overview

Education


Abstract

Learn best practices with regard to Privilege Manager Policies. Read test case example in the content below.

Content

Problem

If Privilege Manager policies are configured incorrectly, they can prevent services or programs from starting or from running with the proper rights.
Policies are evaluated in order based on the Policy Priority value on each policy. If a blocklist policy that denies applications is too broad and is set with too high a priority, it can prevent other applications from running, or prevent the user from requesting approval to run them.


Solution

You can avoid conflicts resulting from incorrectly configured Privilege Manager policies by following these best practices.

  • Always test policies on machines that mirror the production environment before rolling out to production.
  • Assign policies that allow processes a lower Policy Priority number than policies that deny processes, so that the allow policies are evaluated first.
  • Make sure your other policy enforcement check boxes are selected or cleared, depending on the aims of your policy.
  • Policies that deny processes should always exclude the following Application filters:
    • LocalSystem and Service
    • Signed Security Catalog
  • You should (almost) never use wildcards in deny policies; consider them only after performing extensive testing.

Policy Priority Overview

In Privilege Manager, your policies are evaluated in a set order for each application that runs. It is important to be aware of all policies that are defined and the order in which the agent evaluates them. A lower Policy Priority number means the policy is evaluated earlier. If one policy blocks an application and ends evaluation before a second policy that was intended to elevate privileges, then only the block will occur.
The Policy Priority setting can be found on the Policies main screen in the left column. By default, policies are ordered according to their priority. You can edit this setting under the General tab after clicking into a policy.

Example: Why Policy Priority Matters

To illustrate the way policies are applied in order, this use case will define two policies to 1) block MMC.EXE, but 2) allow a specific MMC Snap-in.
Deny MMC.EXE Policy setup
First, create a policy at a priority level of 50. This policy will block the execution of MMC.EXE.
Privilege Manager provides a filter to identify the executable mmc.exe. This filter can be used in this policy to block mmc.exe.
Search for mmc.exe from the main screen search tool. Select the filter named Microsoft Management Console (mmc.exe).
Review how the filter is set up. Note that both File Name and File Path parameters are used.
Next, create the deny mmc.exe policy. 

From the home page, navigate to ADMIN | Policies | Add New Policy. Select Windows as the platform, choose Show All Templates, then select Other: Empty Policy as the Template Type.
Name the policy Deny Launching MMC Console Application Control Policy. Add a description. Click Create.
Enable the policy by selecting the Enabled check box.
Set the Policy Priority value to 50. (This level is not required; it is only defined for this use case.)
Click the Conditions tab.
Click + Add Application Target. Search for the MMC.EXE filter mentioned above. Click Add.
You can also set an exception filter to not have this policy apply to Administrators.  Search for and select the filter named Administrators (Include Disabled). Click Add.
Click Add Action under the Actions to apply to the application section. Search for the Application Denied Notification Action. Click Add.
Click Save. This saves the policy to the policy list accessed from the Home screen; click Policies to view it. Once the policy is delivered to the endpoint agent, mmc.exe will be denied execution for all users without administrator credentials on all target computers.
See details on how to deliver policies to the endpoint in the Sending Policies to Endpoints section.
Once the policy is delivered to the endpoint, test running mmc.exe to see the results.
Allow specific MMC Snap-in
Next, we will create a policy with a priority of less than 50 that allows a specific MMC snap-in. Having a priority less than 50 means this policy will be examined before the Deny Launching MMC Console Application Control Policy.

As a shortcut for this use case, start by making a copy of the policy we just created. Do this on the General tab of the policy by clicking Create a Copy. Name the new policy Allow Print Management Plug-in Application Control Policy.
Enable the policy by clicking Edit, then selecting the Enabled check box.
Set the Policy Priority value to less than 50. (This level is not required; it is only defined for this use case.)
This means that this policy will be examined before the policy that blocks the MMC console. If its conditions are met, printmanagement.msc will run with elevation.

Click the Conditions tab. Do not remove the Microsoft Management Console (mmc.exe) filter under Application Targets.
Privilege Manager provides a filter to identify the MMC snap-in for Print Management. This filter can be used in this policy to elevate printmanagement.msc. Select Add Inclusion Filter and search for the printmanagement.msc Commandline Filter. Click Add, then Save.

This filter will match the mmc.exe file ONLY if printmanagement.msc is being run.
Click the Actions tab, then click Edit. Delete the existing Application Denied Notification Action by clicking the trash can icon on the right side. Click Confirm Remove.
Select Add Action under the Actions to apply to the application section. Search for and add the Add Administrative Rights action. Click Save. You will now see your two policies in your Policies List:
Once this policy is delivered to the endpoint agent, printmanagement.msc will be elevated with administrative rights.
To test this use case:
1. Run MMC.EXE from an endpoint where the user is not an administrator. MMC.EXE will be denied execution.
2. Next, run printmanagement.msc from an endpoint where the user is not an administrator. This MMC snap-in will run with elevation.

However, if you change the Policy Priority of your “Allow Print Management Plug-in Application Control Policy” to be set at Priority 51 rather than priority 49, when you return to your endpoint and run printmanagement.msc, the application will be blocked despite your elevation policy. This is why it is crucial to keep the priority levels that are set for your policies in mind and adjust them to meet your intended system requirements.
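The following Python script is an added illustration, not Privilege Manager code, of the first-match evaluation order described in the Policy Priority Overview and in the two-policy example above. It models a policy as an application target (file name), an optional inclusion filter on the command line, an optional exception filter on the user's groups, and an action; the agent's real filter matching (file path, hashes, catalog signatures) is simplified to these checks, and the sample launches and group names are constructed for the demonstration. Running it shows that the same two policies produce elevation for printmanagement.msc when the allow policy sits at priority 49, and a block when it sits at priority 51.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added illustration (not Privilege Manager code): a minimal model in which the
# policy with the lowest Policy Priority number is evaluated first and the first
# matching policy decides the outcome, as the article describes.


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int                               # lower number = evaluated earlier
    action: str                                 # "deny" or "elevate"
    file_name: str                              # Application Target (file name)
    inclusion_cmdline: Optional[str] = None     # Inclusion Filter on the command line
    exception_groups: frozenset = frozenset()   # Exception Filter on user groups


@dataclass(frozen=True)
class Launch:
    file_name: str
    command_line: str
    user_groups: frozenset


def policy_matches(policy: Policy, launch: Launch) -> bool:
    """A policy applies only if the target file matches, the inclusion filter
    (if any) matches the command line, and no exception filter matches."""
    if launch.file_name.lower() != policy.file_name.lower():
        return False
    if (policy.inclusion_cmdline is not None
            and policy.inclusion_cmdline.lower() not in launch.command_line.lower()):
        return False
    if policy.exception_groups & launch.user_groups:
        return False
    return True


def evaluate(policies: List[Policy], launch: Launch) -> Tuple[str, str]:
    """Return (action, policy name) of the first matching policy in priority
    order. Evaluation stops at the first match, so later policies never run."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy_matches(policy, launch):
            return policy.action, policy.name
    return "allow", "no matching policy"


# The deny policy from the article: blocks mmc.exe except for Administrators.
DENY_MMC = Policy(
    name="Deny Launching MMC Console Application Control Policy",
    priority=50,
    action="deny",
    file_name="mmc.exe",
    exception_groups=frozenset({"Administrators"}),
)


def allow_print_mgmt(priority: int) -> Policy:
    """The elevation policy from the article, at a caller-chosen priority."""
    return Policy(
        name="Allow Print Management Plug-in Application Control Policy",
        priority=priority,
        action="elevate",
        file_name="mmc.exe",
        inclusion_cmdline="printmanagement.msc",
    )


# Constructed sample launches (paths and group names are assumptions).
STANDARD_USER = frozenset({"Users"})
PLAIN_MMC = Launch("mmc.exe", r"C:\Windows\System32\mmc.exe", STANDARD_USER)
PRINT_MGMT = Launch(
    "mmc.exe",
    r"C:\Windows\System32\mmc.exe C:\Windows\System32\printmanagement.msc",
    STANDARD_USER,
)
ADMIN_MMC = Launch("mmc.exe", r"C:\Windows\System32\mmc.exe",
                   frozenset({"Administrators"}))


def outcome(allow_priority: int, launch: Launch) -> str:
    """Outcome for a launch with the deny policy at 50 and the allow policy at
    the given priority."""
    return evaluate([DENY_MMC, allow_print_mgmt(allow_priority)], launch)[0]


if __name__ == "__main__":
    for prio in (49, 51):
        print(f"Allow policy at priority {prio}:")
        print("  mmc.exe alone               ->", outcome(prio, PLAIN_MMC))
        print("  mmc.exe printmanagement.msc ->", outcome(prio, PRINT_MGMT))
        print("  mmc.exe as Administrator    ->", outcome(prio, ADMIN_MMC))
```

With the allow policy at 49 it is sorted ahead of the deny policy, its inclusion filter matches the printmanagement.msc command line, and evaluation ends with "elevate". At 51 the deny policy is reached first, matches mmc.exe regardless of the command line, and evaluation ends with "deny" before the elevation policy is ever consulted, which is the behaviour the paragraph above warns about.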


Document Information

Modified date:
18 March 2021

UID

ibm11072162