AppSense Application Manager Version 8.2 | Product Guide


AppSense Application Manager

Version 8.2 | Product Guide


© AppSense Limited, 2011

All rights reserved. No part of this document may be produced in any form (including photocopying or storing it in any medium) for any purposes without the written permission of AppSense Limited, except in accordance with applicable law. Furthermore, no part of this document may be sold, licensed or distributed. The doing of an unauthorized act in relation to a copyright work may result in both a civil claim for damages and criminal prosecution.

The information contained in this document is believed to be accurate at the time of printing and may be subject to change without notice. Any reference to a manufacturer or product does not constitute an endorsement of, or representation or warranty (whether express, implied or statutory) in respect of, the manufacturer or product or the use of the product with any AppSense software.

This document does not grant any right or license to you in respect of any patents, patent applications, trademarks, copyrights, or other intellectual property rights in or relating to the subject matter of this document. Where relevant, any AppSense software provided pursuant to or otherwise related to this document shall only be licensed to you on and subject to the end user license agreement which shall be displayed and which you shall be required to accept prior to accessing or using the software.

AppSense is a registered trademark of AppSense Holdings Limited or its affiliated companies in the United Kingdom, the United States and/or other countries. Microsoft, Windows and SQL Server are all registered trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual products and companies mentioned in this document may be the trademarks of their respective owners.

Patents

AppSense Performance Manager includes patented technology. All rights reserved.

CONTENTS

Welcome ix

About this Document ix

Terms and Conventions x

Feedback x

Section 1 About Application Manager 1

About Application Manager 1

Key Benefits 2

Feature Summary 2

Architecture 6

Console 7

Software Agent 8

Configuration 11


Section 2 General Features 13

Trusted Owners 14

Whitelists 17

Extension Filtering 17

Options 19

Application Termination 21

Application Termination Options 24

Customize Application Termination Message 25

Message Settings 26

Access Denied 26

Application Limits Exceeded 28

Time Limits 30

Self-Authorization 32

Network Connections 34

Archiving 36

Archiving Settings 37

Global Properties 37

File Options 38

Folders 39


Section 3 Security Methods 41

Introduction 41

Method 1 - Trusted Ownership 42

Application Manager and Trusted Ownership 43

Trusted Ownership Rule 44

Method 2 - Digital Signatures 44

Signature Wizard 45

Method 3 - Trusted Vendors 46

Certificate Verification 47

Advanced Options 47

Method 4 - Whitelist vs. Blacklist vs. Trusted Ownership 49

Whitelist Model 49

Blacklist Model 49

Application Manager and Whitelists 50

Access Times 52

Application Limits 53

Security Method Recommendation 54

Section 4 Configuration 56

Configuration Files 56

Default Configuration 57

Protection 57

Default Settings 58

Configuration Elements 59

Rule Matching 60

Customize a Configuration 61

Define Users 62

Specify Group and User Rule Items 64

Specify Device, Custom, Scripted, and Process Rules 68

Example Configuration Procedures 69

Configuration Profiler 73


Section 5 User Rights Management 77

Overview 77

Least Privilege 78

Common Tasks that Require Administrative Privileges 79

User Rights Management v Run As 79

User Rights Management Benefits 80

Use Cases 81

Technology 81

User Rights Management Mechanism 82

Configuring User Rights Management 83

Example Configurations 96

Web Installations 102

Snippets 112

Section 6 Application Network Access Control 115

Overview 115

About Application Network Access Control 116

Technology 117

Define Network Access Policies and Rules 118

Auditing 119

Configuring Application Network Access Control 120

Section 7 Endpoint Analysis 128

Endpoint Analysis Overview 128

Endpoint Analysis Scans 130

Endpoint Scan 130

Application Usage Scan 130

Order of Scans 131

Working with Endpoint Analysis 131

Adding Files to a Configuration 137


Section 8 Auditing 139

Overview 139

Logging 141

Windows Application Event Log 141

AppSense Event Log 141

Anonymous Logging 141

Local Log File 141

Local Event Filter 142

Event Filtering 143

Section 9 Rules Analyzer 144

About Rules Analyzer 144

The Console 145

Working with Rules Analyzer 147

Log Files 148


Section 10 Scripting 152

Overview 152

Sample Scripting Reference 153

Loading and Saving Configurations 154

Default Rules 154

Group Rules 156

User Rules 157

Device Rules 159

Custom Rules 161

Scripted Rules 163

Process Rules 165

Rule List Items 167

Configure Properties 175

Network Connections 176

User Rights Management (URM) 178

Object Types 188

Configuration Object 188

Configuration Helper Object 209

Section 11 Licensing 212

Licensing 212

About License Manager 213

Managing Licenses 214

Streamed Applications 2

Glossary 3

WELCOME

In this Section:

About this Document on page ix

Terms and Conventions on page x

Feedback on page x

ABOUT THIS DOCUMENT

This product guide is for use by AppSense Application Manager administrators. It provides information on how Application Manager works and describes its components and architecture.

The aim of the guide is to enable the administrator to optimize the effectiveness of Application Manager and assist in troubleshooting any issues that may arise.

Document Information

Document Version AM Product 8.2 2011/04/01


TERMS AND CONVENTIONS

The following table shows the textual and formatting conventions used in this document:

FEEDBACK

The AppSense Documentation team aim to provide accurate and high quality documentation to assist you in the installation, configuration and ongoing operation of AppSense products.

We are constantly striving to improve the documentation content and value any contribution you wish to make based on your experiences with AppSense products.

Please send any comments to the following email address:

[email protected]

Thanks in advance,

The AppSense Documentation team

Table iii.1 Terms and Conventions

Convention: Use

Bold: Highlights items you can select in Windows and the product interface, including nodes, menu items, dialog boxes and features.

Code: Used for scripting samples and code strings.

Italic: Highlights values you can enter in console text boxes and titles for other guides and Helps in the documentation set.

Green + underlined: Indicates a Glossary link.

>: Indicates the path of a menu option. For example, "Select File > Open" means "click the File menu, and then click Open."

Note: Highlights important points of the main text or provides supplementary information.

Tip: Offers additional techniques and help for users, to demonstrate the advantages and capabilities of the product.

Caution/Warning: Provides critical information relating to specific tasks or indicates important considerations or risks.

Further Information: Provides links to further information which include more detail about the topic, either in the current document or related sources.

1 About Application Manager

In this Section:

About Application Manager on page 1

Key Benefits on page 2

Feature Summary on page 2

Architecture on page 6

ABOUT APPLICATION MANAGER

Application Manager provides centralized management of corporate application control, eliminating unauthorized application usage and controlling application network access enterprise wide. Protective measures such as blocking the execution of all unauthorized software are provided, along with extensive options for creating rules to manage production application usage.

Application Manager also includes User Rights Management. User Rights Management allows the administrator to create reusable user rights policies which can be associated with any rules and can elevate or restrict access to files, folders, drives, signatures, application groups and Control Panel applets. User Rights Management enables users with no administrative privileges to have elevated rights for specified applications. Similarly, it can restrict access to specified applications for users that do have administrative rights.

Application Manager is part of a closely integrated system of management components and can be centrally configured and deployed to desktops, servers and Terminal Servers throughout the enterprise using the AppSense Management Center.

KEY BENEFITS

There are several key benefits to using Application Manager.

Protects against malicious code.

Controls role based application usage.

Elevates and reduces user rights for applications and Control Panel components and Management Snapins.

Terminates applications based on trigger points.

Allows child applications to run from authorized applications.

Contains out-of-the-box protection against all unauthorized application usage.

Stops unauthorized device license usage.

Applies time restrictions on when applications can or cannot be run.

Manages control of network access from within applications.

Manages control of network access based on location.

License management

Maintain the environment in the desired state.

Increased visibility into application landscape.

Enforce licensing, ensure compliance.

Reduces support calls.

User acceptance.

FEATURE SUMMARY

Application Manager provides the following key features for application control:

User Rights Management

User Rights Management allows you to create reusable User Rights policies which can be associated with any rules and can elevate or restrict access to files, folders, drives, signatures, application groups, and Control Panel components. A more granular level of control allows you to assign specific privileges for debugging or installing software.

User Rights Management contains four primary functions:

Elevating user rights for applications.

Elevating user rights for Control Panel components and Management Snapins.

Reducing user rights for applications.

Reducing user rights for Control Panel components and Management Snapins.

For more information on the Management Center see the AppSense Management Center Help and the AppSense Management Center Product Guide.

Trusted Ownership

By default, only application files owned by an administrator or the local system are allowed to execute. Trusted Ownership is determined by reading the NTFS permissions of each file which attempts to run. Application Manager automatically blocks any file where ownership cannot be established, such as files located on non-NTFS drives, removable storage devices, or network locations. These files can optionally be allowed to run either by specifying them as Accessible Items or by configuring a Self-Authorizing User rule. The Trusted Owner list can be configured to suit each environment.

Rules: User, Group, Device, Custom, Scripted and Process

Extend application accessibility by applying rules based on username, group membership, computer, or connecting device, scripts and parent processes, or combinations of these. Accessible Items and Prohibited Items, Trusted Vendors and User Rights Management can be specified in each rule, and are applied to a user session based on the environment in which the user operates.

Scripted Rules

Scripted Rules allow administrators to apply Accessible Items, Prohibited Items, Trusted Vendors and User Rights Management policies based on the outcome of a VBScript. The VBScript can be run for each individual user session or run once per computer.

Process Rules

Process rules apply to parent processes to manage access to child processes to the level required. Process rules include Accessible Items, Prohibited Items, Trusted Vendors and User Rights Management.

Trusted Vendors

Allow authentic applications to run which carry certificates from trusted sources, and which would otherwise be prohibited by Trusted Ownership checking. Define a list of Trusted Vendor certificates for each User, Group, Device, Custom, Scripted, and Process rule in the configuration.

For more information see User Rights Management on page 77.

For more information see Security Methods on page 41.


Application Termination

Application Manager provides the ability to shut down an application, complete with various shutdown options, based on trigger points such as a change to an IP address, connecting device, or application access entitlement configuration.

Network Connections

Block access to certain applications via IP, UNC or host name. Application Manager has the ability to manage access based on the location of the requester, for example, if they are connecting via VPN or directly to the network.

Digital Signatures

SHA-1 signature checks may be applied to any number of application control rules, providing enhanced security where NTFS permissions are weak or non-existent, or for applications on non-NTFS formatted drives. A digital signature wizard allows easy creation and maintenance of large digital signature lists.

Endpoint Analysis

Allows an administrator to browse to any endpoint and retrieve a list of applications that have been installed on that device. Application Manager records which applications are started and by whom. The recording of data is started and stopped by the administrator.

Organize the files into authorized and unauthorized groups to quickly create a policy. The configurations can be deployed to a user, a group of users, a machine, or a group of machines.

Endpoint Analysis is on demand and inactive by default.

For more information see Security Methods on page 41.

For more information see General Features on page 13.

For more information see Application Network Access Control on page 115.


For more information see Endpoint Analysis on page 128.


Offline Entitlement

Users are increasingly mobile. Thus, it is important that entitlement rules are enforced when the user is not connected to the corporate network. Application Manager ensures users only access the applications and resources they have permission to when offline by using entitlement rules on the endpoint device.

Passive Monitoring

Application Manager can monitor application usage without preventing users from running applications. Passive monitoring can be enabled or disabled on a per user, device, or group basis and provides a tool to track user behavior prior to full implementation or to understand application usage for software license management.

Self-Authorizing Users

Provides the option for users to execute applications that they have introduced into the system. Applications can be added to a secure machine whilst outside of the office without relying on IT support. A comprehensive audit can detail information such as application name, time and date of execution and device. Additionally, a copy of the application can be taken and stored centrally for examination.

Application Limits and Time Restrictions

Apply a policy to control the number of application instances a user can run, along with at what times it can run. A policy can be created to control or enforce licensing models by controlling application limits on a per device basis.

AppSense Configuration Templates

AppSense provides a number of best practice configuration templates that can be imported into Application Manager. Application Manager can import a number of configuration files and use these in combination.

Auditing

Events are raised by Application Manager according to the default Event Filtering configuration and audited directly to a local log file or the Windows Event Log. Alternatively, events can be forwarded to the AppSense Management Center via the Client Communications Agent (CCA). The Application Manager audit event reports available in the Management Center can also be used to provide details of current application usage across the enterprise.

Windows Scripting Host Validation

The default configuration in Application Manager validates all Windows Scripting Host (WSH) scripts, such as VBS, against configuration rules. This ensures that users can only invoke authorized scripts, eliminating the risk of introducing WSH scripts that contain viruses or malicious code.

The validation settings can be disabled in the console, along with validation of .bat files, self-extracting files, registry files, and Windows Installer (MSI) files.

For more information see Auditing on page 139.


Functionality Cut-Off Settings

Enable and disable certain features in Application Manager either if not in use or when troubleshooting issues in your configurations. The functionality which you can manage in this way includes:

Application Access Control

Application Network Access Control

User Rights Management

ARCHITECTURE

This section provides details on the architecture of Application Manager.

Console on page 7

Software Agent on page 8

Configuration on page 11

For more information see General Features on page 13


Figure 1.1 Application Manager Architecture

Console

The Application Manager console launches when the link is selected in the Start > All Programs > AppSense menu.

The console enables you to create, view, edit and save configurations for Application Manager. The console includes the Configuration Profiler which you can use to review the probable effect of the configuration on users. The Rules Analyzer function allows you to record the actual effect of the configuration on users on an endpoint which has the Application Manager agent installed and running. The Endpoint Analysis tool allows you to record application usage, and to catalog installed application usage on an endpoint that has the Application Manager agent installed.


Figure 1.2 Application Manager Console

Console Installer

The console installer is an MSI package that contains all the files needed to install the console on a computer. Both 32-bit and 64-bit installers are provided.

Software Agent

Application Manager is installed and run on endpoints using a lightweight agent. The agent is installed directly onto the local computer.

Both agents and configurations are constructed as Windows Installer MSI packages and so can be distributed using any third party deployment system which supports the MSI format. The installers are delivered in separate 32-bit and 64-bit Microsoft Installer (MSI) packages.

For Application Manager to function the agent must be installed on the client machine together with an associated configuration. The installation may be manually performed or by means of a deployment system such as the AppSense Management Center. Since agents and configurations are installed and stored locally on the endpoint, they continue to operate when the endpoint is disconnected or offline.

The Application Manager agent installs a Windows Service (the AppSense Application Manager Service), a filter driver, and a hook. The hook sits above the driver and intercepts all executables. It does not intercept DLLs, unlike the driver. If an executable is not intercepted by the hook it is intercepted by the driver.

The driver intercepts execution requests made within the operating system as they pass from the I/O Manager to the drive and device subsystems, for example NTFS.SYS or the LanMan Redirector for Microsoft Networking Services. The driver does not intercept ordinary file access such as the opening of a document or text file.


Every create process request is intercepted by the hook. The hook passes the request to the Application Manager Agent Service for validation against the configuration settings, which returns an execution granted or denied response. The response is dealt with by the hook or the driver, depending on which sent the request. If the response is granted, the request is passed on to the relevant file system driver to continue with the application loading from disk.

In the case of a denied executable or script, the agent replaces the original path with Application Manager's customizable message box (AMMessage). This effectively blocks access to the originally requested executable and instead displays a message to the user.

In the event of a DLL being blocked, no Application Manager message is displayed; the default operating system message is displayed instead.

Agent Service

The Application Manager Agent Service runs as a SYSTEM service on each computer that is to be controlled using the Application Manager component. The agent provides the intelligence for dealing with the execution requests passed from the Application Manager kernel level driver and the hook. Each and every execution request is validated against the configuration settings that are held on each local machine containing the Application Manager agent software. Along with the details of the application request, the agent service checks who the user is and which computer the request originates from so that this can be processed at the same time to enable user / group / client / custom rules to function as expected.

The configuration is stored in a local configuration file for performance and control reasons. This means that all requests can be turned around in minimum time and perhaps more importantly without the need for a network link to a central server, and hence also ensuring that unconnected machines, such as laptops, remain secured even when not physically connected to the Local Area Network.

Agent Assist

Agent Assist provides support for the agent. Instances of Agent Assist are started on-demand by the agent and run using the SYSTEM account. Each Agent Assist is specific to a user session. If Agent Assist is initiated, no more than one instance runs in a session. Once started, Agent Assist typically remains running until the session logs off or the agent is stopped.

Agent Assist does the following:

Enforces time limits on applications

Prompts Self-Authorizing Users to confirm whether to allow prohibited DLLs (applications are handled by Agent Assist).

Performs auditing for events 9006, 9007 and 9017:

9006 - Self-authorization decision by user.

9007 - Self-authorized execution request.

9017 - An application has been terminated by Application Manager.

On 64-bit systems, Agent Assist can start the 32-bit DLL component which installs the 32-bit Application Hook into 32-bit applications running in the same user session.
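The three Agent Assist audit events listed above are the ones a defender reviews most often: 9006 records whether a Self-Authorizing User chose to allow or deny a file they introduced, 9007 records the request that prompted the decision, and 9017 records a termination. The following Python is an added example, not part of this guide or of AppSense's software. It parses a constructed, simplified single-line log layout (the real Windows Event Log and AppSense local log layouts differ and are assumed away here), keeps only events 9006, 9007 and 9017, counts them per user, lists the self-authorized allows for review, and flags 9007 requests that never received a 9006 decision.

```python
"""Triage of Application Manager Agent Assist audit events 9006, 9007 and 9017.

Added example: the event IDs come from the product guide; the one-line log
layout below is constructed for illustration and is not the real Windows
Event Log or AppSense local log format.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

EVENT_NAMES = {
    9006: "Self-authorization decision by user",
    9007: "Self-authorized execution request",
    9017: "Application terminated by Application Manager",
}

# Constructed sample lines. Assumed layout:
#   <timestamp> <event id> user=<domain\user> device=<host> path=<file> [decision=allow|deny]
SAMPLE_LOG = """\
2011-04-01T09:02:11 9007 user=CORP\\jdoe device=LAPTOP01 path=C:\\Users\\jdoe\\Downloads\\tool.exe
2011-04-01T09:02:14 9006 user=CORP\\jdoe device=LAPTOP01 path=C:\\Users\\jdoe\\Downloads\\tool.exe decision=allow
2011-04-01T09:40:02 9007 user=CORP\\asmith device=WS042 path=D:\\usb\\setup.exe
2011-04-01T09:40:05 9006 user=CORP\\asmith device=WS042 path=D:\\usb\\setup.exe decision=deny
2011-04-01T10:15:30 9017 user=CORP\\jdoe device=LAPTOP01 path=C:\\Program Files\\Game\\game.exe
2011-04-01T10:20:44 9007 user=CORP\\bwong device=WS017 path=C:\\Temp\\patch.exe
2011-04-01T10:21:00 1234 user=CORP\\bwong device=WS017 path=C:\\Temp\\unrelated.exe
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<id>\d+) user=(?P<user>\S+) device=(?P<device>\S+) "
    r"path=(?P<path>.+?)(?: decision=(?P<decision>allow|deny))?$"
)


def parse_events(text: str) -> List[Dict[str, object]]:
    """Parse the constructed log; keep only the three Agent Assist event IDs."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skipped, never guessed at
        event_id = int(m.group("id"))
        if event_id not in EVENT_NAMES:
            continue
        events.append({
            "ts": m.group("ts"),
            "id": event_id,
            "user": m.group("user"),
            "device": m.group("device"),
            "path": m.group("path"),      # may contain spaces, e.g. Program Files
            "decision": m.group("decision"),
        })
    return events


def counts_per_user(events) -> Dict[str, Dict[int, int]]:
    """How many of each event ID each user generated."""
    per_user = defaultdict(Counter)
    for ev in events:
        per_user[ev["user"]][ev["id"]] += 1
    return {user: dict(counter) for user, counter in per_user.items()}


def self_authorized_allows(events) -> List[Tuple[str, str, str]]:
    """Files a user chose to run via self-authorization: the review list."""
    return [(ev["user"], ev["device"], ev["path"])
            for ev in events if ev["id"] == 9006 and ev["decision"] == "allow"]


def unanswered_requests(events) -> List[Dict[str, object]]:
    """9007 requests with no 9006 decision for the same user, device and path."""
    decided = {(ev["user"], ev["device"], ev["path"]) for ev in events if ev["id"] == 9006}
    return [ev for ev in events
            if ev["id"] == 9007 and (ev["user"], ev["device"], ev["path"]) not in decided]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for user, c in sorted(counts_per_user(evs).items()):
        print(user, {EVENT_NAMES[i]: n for i, n in c.items()})
    print("self-authorized allows:", self_authorized_allows(evs))
    print("undecided requests:", [(e["user"], e["path"]) for e in unanswered_requests(evs)])
```

The review list produced by self_authorized_allows is the set of files the guide says can be archived centrally for examination; pairing 9007 with 9006 on user, device and path is what lets a reviewer spot requests that were never answered.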


DLL Injection Assist

DLL Injection Assist is a 32-bit component which is only installed on 64-bit systems. It is used solely by Agent Assist to install the 32-bit application hook into 32-bit applications running in the same user session.

Filter Drivers

The agent intercepts, then validates all application execution requests against the configuration. It then either grants or denies access to the executable content. The agent also triggers auditing events which are collected by the AppSense Client Communications Agent.

The driver only intercepts execution requests placed against the Operating System since it is connected between the I/O Manager (in the Executive Services) and the actual device drivers for the file systems themselves (for example, NTFS.SYS, CDROM.SYS, or LanMan Redirector for Microsoft Networking Services). The driver does not intercept ordinary file access such as the opening of a text file, document or presentation.

Every intercepted request is subsequently passed on to the Application Manager Agent Service for validation against the current configuration. The agent service returns an allowed or denied response which is dealt with by the filter driver. If the response is allowed, then the request is passed on to the relevant file system driver to continue with the application loading from disk. On the other hand, if the request is denied, then the filter driver replaces the request with Application Manager's error handling system which is responsible for the display of a fully customized message box to the end user. This error handling effectively blocks access to the requested executable code by advising the originating process that all is successful, and the AppSense customized message box is displayed in place of the expected executable code. This prevents the Operating System from displaying a 'File not Found' or 'Access Denied' message.

The driver is a lightweight driver which filters file system requests for files, but not folders, with the Execute, Overwrite and Rename permissions requests. The driver sends requests to the Application Manager agent for authorization. Depending on the response from the agent, the driver allows, redirects, or denies the request.

When it redirects, the driver redirects to one of the Message Box applications.

The filter driver can dynamically start but cannot be stopped without a reboot.

This can be found in %systemdrive%\Program Files\ApplicationManager\Agent\AmFilterInstall and is called AMFilterDriver.sys.

For more information on the Client Communications Agent see the AppSense Management Center Product Guide.

The driver only redirects as a fallback, if the request is missed by the hook.


Mini Filter Driver

The mini filter driver is a lightweight driver which filters file system requests for both files and folders on UNC paths, but not for local drives. The driver sends requests to the agent for authorization. Depending on the response from the agent, the driver allows or denies the request.

This can be found in %systemdrive%\Program Files\ApplicationManager\Agent\AmMiniFilterInstall and is called AMMiniFilterDriver.sys.

The mini filter driver can be dynamically started and stopped.

Application Hook

This is a DLL which is loaded into every user process.

The Application Hook sends create process and network requests to the agent for authorization. In the event of a blocked executable, the original request is replaced with a request for AMMessage. In the event of a blocked network request, access to the network resource is denied.

If any token modification is required, as part of User Rights Management, an appropriate request is sent to the agent. The agent sends back a modified token which is used to launch the requested process.

Where Application Network Access Control (ANAC) is concerned, because the volume of network requests is high, the results provided by the agent are cached in the memory of the application. This is essential to avoid a dramatic performance degradation of network traffic.

Configuration

AppSense Application Manager configuration files (.aamp files) contain the rule settings for securing your system. The agent checks the configuration rules to determine the action to take when intercepting file execution requests.

Configurations are stored locally in the All Users profile and are protected by NTFS security. In standalone mode, configuration changes are written directly to the file system from the Application Manager console. In Enterprise mode, configurations are stored in the AppSense Management Center database, and distributed in MSI format using the AppSense Management Center console.

Configurations can also be exported and imported to and from MSI file format using the Application Manager console. This is useful for creating templates or distributing configurations using third party deployment systems.

For more information on ANAC see Application Network Access Control on page 115.

For more information on the Management Center see the AppSense Management Center Help and the AppSense Management Center Product Guide.


After creating or modifying a configuration you must save it (and deploy it if necessary) to ensure that the changes take effect.

2 General Features

In this Section:

Trusted Owners on page 14

Extension Filtering on page 17

Options on page 19

Application Termination on page 21

Message Settings on page 26

Archiving on page 36


TRUSTED OWNERS

During the rule matching process, Trusted Ownership checking is performed on files, folders and drives to ensure that the ownership of the items is matched with the list of Trusted Owners specified in the default configuration.

For example, if a match is made between the file you want to run and an Accessible Item, an additional security check ensures that the file ownership is also matched with the Trusted Owners list. If a genuine file has been tampered with, or if a file which contains a security threat has been renamed to resemble an accessible file, Trusted Ownership checking identifies the irregularity and prevents the file execution.

Trusted Ownership checking is not necessary for items with digital signatures as these cannot be imitated.

The list of Trusted Owners is maintained in the Trusted Owners dialog box available from the General Features ribbon page > Default Restrictions group.

Figure 2.1 Trusted Owners Dialog Box

Application Manager trusts all local administrators and system owned applications by default. You can extend this list to include other users or groups.

The Enable Trusted Ownership checking option within the dialog box is selected by default, thus enabling Trusted Ownership from the outset.


When the Change a file’s ownership when it is overwritten or renamed option is selected, Application Manager selectively changes the NTFS file ownership of executable files when they are overwritten or renamed.

If a user who is not a Trusted Owner attempts to overwrite a file which is accessible due to Trusted Ownership or an Accessible Item rule, it could constitute a security threat if the file contents have changed. Application Manager changes the ownership of an overwritten file to the user performing the action, making the file un-trusted and ensuring the system is secure.

Likewise, attempts to rename a prohibited file to the name of an Accessible Item could constitute a security threat. Application Manager also changes the ownership of these files to the user who performs the rename action and ensures the file remains un-trusted.

To ignore Trusted Ownership for individual files, deselect the Trusted Ownership option for an Accessible Item.

Figure 2.2 Trusted Ownership Checking

If you choose to ignore Trusted Ownership it is recommended to assign Self-Authorization status to allow the user to decide whether or not to allow a file to run.

Overwrite and rename actions are both audited. For more information on auditing see Auditing on page 139.


Set the Self-Authorizing level for a Group, User, Device, Custom, Scripted, or Process rule.

Figure 2.3 Self-Authorizing Security Level for a User Rule


Whitelists

You can use a whitelist approach where nothing is allowed to run by default, other than the executables contained in the whitelist. To do so, deselect the Make local drives accessible by default option in the Options dialog box available from the General Features ribbon page > Default Restrictions group.

Figure 2.4 Make local drives accessible by default option

If you do use the whitelist approach, ensure that you allow important system files to run, by adding all of the relevant files or folders to the Accessible Items for the Everyone group. Otherwise, many crucial executable files and .dll files, such as those stored in the system32 directory, can be prevented from running and adversely affect core system functions.

EXTENSION FILTERING

The Extension Filtering feature is used to determine if the configuration should check certain file types or if it should ignore certain file types. This feature is disabled by default.

The Extension Filtering dialog box is available from the General Features ribbon page > Default Restrictions group.

For more information on Trusted Ownership, Whitelist methods and security see Security Methods on page 41.


Figure 2.5 Extension Filtering Dialog Box

For example, to only check .exe files and .vbs files, select the Enable extension filtering and Only check files with extensions in the list below options. Use the Add button to add the file extensions. Once the configuration is saved, the Application Manager agent only checks the files with the specified extensions against the rules when execution requests occur against the computer that the configuration is deployed to.

Use the Exclude files with extensions in the list below option to not check files with particular extensions, for example, to not check any .dll files.

The default configuration within Application Manager does not have any extension filtering configured. Therefore, all executable code, irrespective of its file extension, is checked. This is the most secure option since nothing can get past the agent unless it has been expressly configured in the remainder of the rules.
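The decision logic described in the Trusted Owners, Whitelists and Extension Filtering sections above, as an added Python model written for this guide rather than AppSense code; the class and field names are illustrative and the file set is constructed.

```python
"""Model of the execution decision described in this chapter: Trusted Ownership,
Accessible and Prohibited Items, the 'Make local drives accessible by default'
blacklist/whitelist switch and Extension Filtering.  Added illustration, not
AppSense code; class and field names are illustrative and the file set is constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Default Trusted Owners: local administrators and the system (account names
# rather than SIDs, for readability).
DEFAULT_TRUSTED_OWNERS = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM"}


@dataclass
class ExeFile:
    path: str
    owner: str                                  # NTFS owner of the file


@dataclass
class Config:
    trusted_owners: Set[str] = field(default_factory=lambda: set(DEFAULT_TRUSTED_OWNERS))
    trusted_ownership_checking: bool = True     # Enable Trusted Ownership checking
    change_owner_on_overwrite: bool = True      # Change a file's ownership when overwritten/renamed
    local_drives_accessible: bool = True        # True = blacklist, False = whitelist
    accessible_items: Set[str] = field(default_factory=set)
    prohibited_items: Set[str] = field(default_factory=set)
    ignore_ownership_for: Set[str] = field(default_factory=set)  # Accessible Items with Trusted Ownership deselected
    ext_filter: Optional[str] = None            # None = disabled, "only" or "exclude"
    ext_list: Set[str] = field(default_factory=set)


def _listed(items: Set[str], path: str) -> bool:
    return any(p.lower() == path.lower() for p in items)   # NTFS paths are case-insensitive


def is_checked(cfg: Config, f: ExeFile) -> bool:
    """Extension Filtering: does the agent inspect this file at all?  With the
    feature disabled (the default) everything is checked, whatever its extension."""
    if cfg.ext_filter is None:
        return True
    name = f.path.rsplit("\\", 1)[-1]
    in_list = ("." in name) and name.rsplit(".", 1)[-1].lower() in cfg.ext_list
    return in_list if cfg.ext_filter == "only" else not in_list


def decide(cfg: Config, f: ExeFile) -> Tuple[bool, str]:
    """Return (allowed, reason) for one execution request."""
    if not is_checked(cfg, f):
        return True, "not checked (extension filter)"
    if _listed(cfg.prohibited_items, f.path):
        return False, "Prohibited Item"
    owner_ok = (not cfg.trusted_ownership_checking) or f.owner in cfg.trusted_owners
    if _listed(cfg.accessible_items, f.path):
        # Matching an Accessible Item still requires a trusted owner, unless
        # Trusted Ownership was deselected for that item.
        if owner_ok or _listed(cfg.ignore_ownership_for, f.path):
            return True, "Accessible Item"
        return False, "Accessible Item but owner not trusted"
    if cfg.local_drives_accessible:             # blacklist: ownership alone decides
        return (True, "trusted owner") if owner_ok else (False, "owner not trusted")
    return False, "whitelist: not an Accessible Item"


def overwrite_or_rename(cfg: Config, f: ExeFile, actor: str,
                        new_path: Optional[str] = None) -> ExeFile:
    """An overwrite or rename by a user who is not a Trusted Owner transfers NTFS
    ownership to that user, so the file fails Trusted Ownership from then on."""
    if cfg.change_owner_on_overwrite and actor not in cfg.trusted_owners:
        f.owner = actor
    if new_path:
        f.path = new_path
    return f


def scenarios() -> List[Tuple[str, bool]]:
    """Constructed cases; returns (label, allowed) pairs."""
    admin, alice = "BUILTIN\\Administrators", "CORP\\alice"
    word = r"C:\Program Files\Microsoft Office\winword.exe"
    cfg = Config(prohibited_items={r"C:\Windows\regedit.exe"})   # default blacklist mode
    script = ExeFile(r"C:\Tools\login.bat", admin)
    cfg.accessible_items.add(script.path)
    out = [
        ("admin-owned winword.exe", decide(cfg, ExeFile(word, admin))[0]),
        ("user-owned copy named winword.exe", decide(cfg, ExeFile(r"C:\Users\alice\winword.exe", alice))[0]),
        ("prohibited regedit.exe", decide(cfg, ExeFile(r"C:\Windows\regedit.exe", admin))[0]),
        ("accessible login.bat", decide(cfg, script)[0]),
    ]
    overwrite_or_rename(cfg, script, alice)     # non-trusted user rewrites the script
    out.append(("login.bat after overwrite by alice", decide(cfg, script)[0]))
    wl = Config(local_drives_accessible=False, accessible_items={word})
    out.append(("whitelist: listed winword.exe", decide(wl, ExeFile(word, admin))[0]))
    out.append(("whitelist: unlisted notepad.exe", decide(wl, ExeFile(r"C:\Windows\notepad.exe", admin))[0]))
    ef = Config(ext_filter="only", ext_list={"exe", "vbs"})
    out.append(("only exe/vbs checked: custom.dll", decide(ef, ExeFile(r"C:\Users\alice\custom.dll", alice))[0]))
    return out
```

The last case shows why the guide calls the unfiltered default the most secure setting: with filtering limited to .exe and .vbs, a user-owned .dll is never evaluated at all.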


OPTIONS

Various options for Application Manager are provided in the Options dialog box available from the General Features ribbon page > Default Restrictions group.

Figure 2.6 Options Dialog Box

The various options are split into three categories:

General Features

Validation

Functionality

These options provide general Application Manager settings to apply to all application and process requests. Options are also available for enabling and disabling functionality. For example, you can run Application Manager using User Rights Management functionality only.

The following table describes each option in the Options dialog box and identifies whether the feature is selected by default.

By default, all functionality options are enabled.


Table 2.1 Application Manager General Options

General Features

Make local drives accessible by default - Select this option to make Application Manager configurations blacklists. Everything on the local drive is allowed unless it is specified in the Prohibited Items list, or it fails Trusted Ownership. Deselect this option to make the configuration a whitelist. Everything on the local drive is blocked unless it is specified in the Accessible Items list. Note: A whitelist configuration is the most secure. However, this type of configuration is time consuming to configure and can affect endpoint stability, as all unspecified applications are blocked.

Allow cmd.exe for batch files - It is expected that cmd.exe is prohibited by administrators. The Allow cmd.exe for batch files option allows cmd.exe to run provided it is executing an allowed batch file with the /c command line switch. This switch ensures that cmd.exe is shut down after completing the batch file run.

Ignore restrictions during logon - During logon the computer may execute a number of essential applications. Blocking these can cause the computer to function incorrectly, or not at all. Hence, this option is selected by default.

Extract self-extracting ZIP files - A self-extracting ZIP file is an executable, with a .exe extension, that contains a number of compressed files and a small application to extract them. Self-extracting ZIP files are often used as an alternative to distributing and installing an application by an MSI file, as the executable is typically smaller. The Extract self-extracting ZIP files option allows the compressed file contents to be decompressed and extracted to disk, even if the parent file would normally be prohibited, so that the contents of the file can be accessed. Once the contents have been extracted, any executable content is still subject to the normal Trusted Ownership checks and is prevented from executing if the user is not a Trusted Owner. This is useful where the self-extracting ZIP file contains non-executable content, such as a document, that the user requires. If this option is deselected, the self-extracting ZIP file is treated as a standard executable and can be prevented from executing (and hence extracting its contents) subject to the normal rule processing.

Ignore Restrictions during Active Setup - By default, all applications which run during Active Setup are subject to the Application Manager rules. Select this option to exempt these applications from rule checks during the Active Setup phase.

Validation

Validate System processes - Select this option to validate any files executed by the system user. Selecting this option means all executables launched by the system are subject to rule validation. Note that it is not recommended to select this option, as it increases the amount of validation occurring on the endpoint computer and can block crucial applications from running.

Validate WSH (Windows Script Host) scripts - Selecting this option specifies that the command line contents of scripts run using wscript or cscript are subject to rule validation. Note: Scripts can introduce viruses and malicious code. It is recommended to validate WSH scripts.

Validate MSI (Windows Installer) packages - MSI files are the standard method of installing Windows applications. It is recommended that the user is not allowed to freely install MSI applications. Selecting this option means all MSIs are subject to rule validation. Deselecting this option means that only the Windows Installer itself, msiexec.exe, is validated by the Application Manager rule processing, and not the MSI file that it is trying to run.

Validate Registry files - Select this option to enable rule validation for regedit.exe and regini.exe. Note: It is not recommended to allow users to access the registry or registry files.

Functionality

Enable Application Access Control - Select to enable Application Access Control. Deselect to not validate or block executables.

Enable Application Network Access Control - Select to enable the Application Network Access Control feature. Deselect to not validate or block outbound network connections.

Enable User Rights Management - Select to enable the User Rights Management feature. Deselect to not apply any User Rights policies.

APPLICATION TERMINATION

Application Termination allows you to control triggers, behavior and warning messages for terminating applications on managed computers. You can terminate applications gracefully, allowing the user to save work before closing, or force a termination. Notification messages for each type of trigger can be edited individually.

Three triggers cover the range of possible scenarios when this might be a necessary action to take.


Figure 2.7 Application Termination Mechanism

The triggers for terminating an application include when a new configuration is applied, when the IP address of the computer changes, or when the connecting device changes.


When a trigger is activated, processes are evaluated against the rules to determine if an application requires terminating. Rules with Self-Authorizing and Audit Only security levels are not evaluated because Self-Authorizing rules allow user discretion over application control and Audit Only rules do not apply Application Manager control.

Application Termination is available from the General Features ribbon page > Default Restrictions group. This feature is disabled by default. Select the Enable Application Termination option in the Application Termination dialog box to enable this feature.

Figure 2.8 Application Termination Triggers

The triggers for Application Termination are as follows:

Configuration applied - Terminate the application according to the configuration that is applied.

Computer IP address changed - Terminate the application when the IP address has changed, for example, when moving between secure and insecure environments.

Connecting device changed - Terminate the application when the connecting device has changed, for example, changing between a laptop and a desktop in the same session.


Application Termination Options

After specifying the triggers that you want to use you can decide how you want to terminate the application.

Figure 2.9 Application Termination Options

Display an initial warning message - Specifies to display an initial warning message. The message can be customized on the Configuration Applied Message, IP Address Changed Message and Connecting Device Changed Message tabs. Use in conjunction with the Close application and Terminate application options. If you do not use this in conjunction with these options, only a message is displayed and the application does not close.

Close the application - Closes the application, allowing the user to save their work. Select along with the Display an initial warning message option.

Terminate the application - Terminates the application without allowing the user to save their work. Whether or not you select Display an initial warning message, the application terminates regardless.

Wait ... seconds between options - Specify the time period in seconds between actions, and between closing and terminating. The maximum is 9999 seconds.


Customize Application Termination Message

As previously mentioned, you can customize the message that is displayed according to the configuration that is applied, when the IP address has changed and when the connecting device has changed. Use the Configuration Applied Message, IP Address Changed Message and Connecting Device Changed Message tabs. Each tab has the same settings.

Figure 2.10 Configuration Applied Termination Message

Caption - The text to display at the top of the warning and termination messages. For example, you can change the default caption, Application Manager, so that the user is not aware that Application Manager has intervened.

Message body - The text to display in the body of the message.

You can audit Application Termination. The auditing event is 9017. See Auditing on page 139 for more information.


Click here to see how the message will appear to users - Displays the message with the caption and body specified in the above options.

Figure 2.11 Example Warning Message

MESSAGE SETTINGS

The Message Settings dialog box is used to configure the information displayed in messaging that occurs when a particular user attempts to launch an application in violation of the defined configuration. You can specify messages for when access is denied, application limits are exceeded, for self-authorization, and for blocked network connections. Time limits and application behavior, for example, terminating the application, can be specified with warning and denied messages.

The Message Settings dialog box is available from the General Features ribbon page > Properties group.

Access Denied

Access to applications can be denied for a user. For example, all applications defined in the Prohibited Items list within the configuration can be denied. Prohibited Items are specified in the Group, User, Device, Custom, Scripted, and Process rules.

The message caption must not be left empty, must be a single line, and can contain up to 100 characters.

The message body must not be left blank, can contain zero or more line breaks, and can contain up to 1000 characters.

A separate message box must be used for each trigger type.


Figure 2.12 Access Denied Message Settings

Caption - The text to display at the top of the warning and termination messages. For example, you can change the default caption, Application Manager, so that the user is not aware that Application Manager has intervened.

Message body - The text to display in the body of the message.

Click here to see how the message will appear to users - Displays the message with the caption and body specified in the above options.

Environment variables are supported for both the caption and the message. In addition to system environment variables it also supports %ExecutableName%, %DirectoryName% and %FullPathName% for each file.


Figure 2.13 Example Access Denied Message

Application Limits Exceeded

The number of running occurrences of an application can be limited in Application Manager. A message can be displayed once a user exceeds this limit. As with Access Denied, you can specify a caption and the body of the message.

Time limits and application behavior, for example terminating the application, can be specified with warning messages for Time Limits and Application Limits Exceeded. See Time Limits on page 30 for more information.

For more information on application limits see Application Limits on page 53.


Figure 2.14 Application Limits Exceeded Message Settings

Caption - The text to display at the top of the warning and termination messages. For example, you can change the default caption, Application Manager, so that the user is not aware that Application Manager has intervened.

Message body - The text to display in the body of the message.

Click here to see how the message will appear to users - Displays the message with the caption and body specified in the above options.

Environment variables are supported for both the caption and the message. In addition to system environment variables it also supports %ExecutableName%, %DirectoryName% and %FullPathName% for each file.


Figure 2.15 Example Application Limits Exceeded Message

Time Limits

Access time limits to applications can be specified in Application Manager. For example, certain applications can only be allowed to run between 9 am and 5 pm, Monday to Friday. There are two messages that can be displayed. One to inform the user if they are attempting to run the application outside of those hours. Another to inform the user if the time period has expired whilst the application is still running.

You can specify whether the user is allowed to save their work before closing the application, or to just close the application upon the warning.

Time limits and application behavior, for example terminating the application, can be specified with warning messages for Access Denied and Application Limits Exceeded. See Time Limits on page 30 for more information.

For more information on access times for an application see Access Times on page 52.


Figure 2.16 Time Limits Message Settings

As with the Application Termination feature, you can specify how the application closes. The options are as follows.

Display an initial warning message - Specifies to display an initial warning message. Use in conjunction with the Close application and Terminate application options. If you do not use this in conjunction with these options, only a message is displayed and the application does not close.

Close the application - Closes the application, allowing the user to save their work. Select along with the Display an initial warning message option.

Terminate the application - Terminates the application without allowing the user to save their work. Whether or not you select Display an initial warning message, the application terminates regardless.

Wait ... seconds between options - Specify the time period, in seconds, between actions, and between closing and terminating. The maximum is 120 seconds.


As previously mentioned, you can configure two messages. The Warning Message is for when an application is continuing to run outside of the specified access times, for example, if a user is working late.

Figure 2.17 Example Warning Message for an Application Running outside of Specified Time

The Denied Message is for when a user attempts to run an application outside of the specified time.

Figure 2.18 Example Warning for Attempts to Run an Application outside of Specified Time

Self-Authorization

Self-authorization is a security level within Application Manager. Certain applications can require self-authorization by a user before they are allowed to run. You can specify the message displayed when a user runs an application. The caption and body can be defined for the initial message and the response.

For more information on security levels (Application Manager can assign four distinct security levels to the group rules) see page 62.


Figure 2.19 Self-Authorization Message Settings

Caption - The text to display at the top of the warning and termination messages. For example, you can change the default caption, Application Manager, so that the user is not aware that Application Manager has intervened.

Message body - The text to display in the body of the message.

Click here to see how the message will appear to users - Displays the message with the caption and body specified in the above options.

Environment variables are supported for both the caption and the message. In addition to system environment variables it also supports %ExecutableName%, %DirectoryName% and %FullPathName% for each file.


Figure 2.20 Example Self-Authorizing Warning Message

Figure 2.21 Example Self-Authorizing Response Message

Network Connections

Application Network Access Control can be used to block network connections. All Network Connection Items within Prohibited Items for a Group, User, Custom, Scripted, and Process rule can be prohibited, and therefore, blocked. You can choose to display a message when a connection is blocked, or you can choose not to. The default setting is to display a message.

You can also specify how often to display a message, and the caption and body for the message.

For more information on network access see Application Network Access Control on page 115.


Figure 2.22 Network Connections Message Settings

Display a message box for blocked network connections - Displays a message box for all blocked network connections. This option is enabled by default.

Display a warning on every connection attempt - Displays a warning message every time a connection is attempted.

Display a warning message once - Displays a message only on the first attempt per application within the same session.

Wait ... seconds between messages - Specifies the number of seconds to wait before a new message is issued. Only one message displays per application within the specified period. No message displays for any subsequent attempts within the same period.

Caption - The text to display at the top of the warning and termination messages. For example, you can change the default caption, Application Manager, so that the user is not aware that Application Manager has intervened.

Message body - The text to display in the body of the message.


Click here to see how the message will appear to users - Displays the message with the caption and body specified in the above options.

Figure 2.23 Example Warning Message for a Blocked Network Connection

ARCHIVING

Archiving allows you to copy any denied executables into a secure folder. When a user attempts to run an unauthorized executable, or an executable specified in the Prohibited Items list, Application Manager can take a copy of each application that attempted to execute and place it in a secured file system location or archive. An administrator can then inspect the complete copy to see what kinds of executable content Application Manager has blocked.

It is often found that blocked applications are files with false names such as winword.exe. Unfortunately, the name alone does not tell the administrator a great deal as these are typically other executables that have been simply renamed in an attempt by the user to get the application to run on the computer. By having a specific copy of each executable, the administrator can accurately assess each application and what impact they would have on the enterprise had they been allowed to run.

Archiving is disabled by default. You can enable archiving in the Archiving Settings dialog box available from the General Features ribbon page > Properties group.

It is recommended that archived executables be checked in a secure environment so as to minimize the threat from viruses and malware.


Figure 2.24 Archiving Settings Dialog Box - Global Properties

Archiving Settings

Use archiving - Enables the Archiving feature. This option is disabled by default.

Global Properties

The following are the global properties for archiving:

Do not archive administrator owned files - Select to not take an archive of applications owned (NTFS) by the administrator. An example of this is when a user tries to execute regedit.exe and is blocked by the Application Manager agent. It is unlikely you would require an archive of this file. However, it is useful to archive when the user attempts to execute their own copy of regedit.exe to determine what the application is and what effect it could have on the enterprise if it were to execute.

Do not archive if the file already exists - Select to not take an archive of an unauthorized executable if a copy of the file already exists. The Application Manager agent does not try to copy it over again. This helps to save space, although it may result in inaccurate archiving as only one copy of an executable with a given name is ever retained.

Enable anonymous archiving - Some locations have restriction laws in place, forbidding administrators to record which user attempted to execute unauthorized applications. Select this option to prevent the Application Manager agent from using any %username% file paths. The agent removes the percentage signs (%), leaving simply username. An example is where an application is executed from a home directory that has the username as the folder name. Application Manager replaces the username with the text username, so as to protect the user’s identity in accordance with the local restriction laws.

Maximum archive size for all users combined - The maximum size in MB that Application Manager allows the archive to reach, for all users combined, before it stops archiving.

Maximum archive size per-user - The maximum size in MB that a single user’s archive is allowed to reach before it stops archiving. For example, if an archive path is specified as C:\archive\%username% then every user on the computer has a separate archive under the C:\archive directory. It is this user archive that is subject to the user limit.

File Options

The second tab in the Archiving Settings dialog box is the File Options tab.

Figure 2.25 Archiving Settings Dialog - File Options


Only archive files smaller than - This option allows you to specify the maximum file size to archive. By selecting this option and inserting a file size, you can ensure large executables are not copied to the archive. As an example, a user may well attempt to execute a service pack or other similarly large file which you typically would not want to copy over the network into an archive.

When a user’s archive is full allow the oldest files to be overwritten - Instead of simply stopping archiving when either the Total Limit or User Limit options are invoked, select this option to overwrite the oldest files. This is an easy way to ensure that the enterprise captures the most up to date information without utilizing huge data space for unauthorized applications.

Folders

The third tab in the Archiving Settings dialog box is the Folders tab.

Figure 2.26 Archiving Settings Dialog Box - Folders tab

Use the Folders tab to configure the location into which you want the archive files to go. The default location is to place all archived files into:

%SystemDrive%\AppSenseLogs\ApplicationManager\%UserName%

This has the effect of placing all archived files for a specific user in the same folder and the folder is named after the user making it easier to manage.


Additional folders can be added to the list by using the Add Folder button. The location can be either typed in or browsed to on the local computer or local network by using the Browse button.

The order of the archive list is important as Application Manager attempts to copy the file to the first relevant archive in the list. If this copy fails then it attempts to copy the file to the second archive location, and so on. If the copy succeeds, Application Manager does not use any of the remaining archives. Use the Move Up and Move Down buttons to order any new folders ensuring you have the correct default folder at the top.

If the Use anonymous archiving option is selected the folder is named username and all archived files for all users are placed in the same folder.
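The archiving behavior described in this section (ordered folders with fall-through on copy failure, anonymous archiving, the size limits and overwriting the oldest files), as an added Python model that is not AppSense code; the folder names, owners and blocked-execution events are constructed, and the expansion of %SystemDrive% to C: is assumed.

```python
"""Model of the Archiving feature described above: ordered archive folders with
fall-through on copy failure, %username% anonymisation, the per-user and total
size limits and the 'overwrite oldest' option.  Added illustration, not AppSense
code; class, field and folder names are illustrative and the events are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

ADMIN_OWNERS = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM"}
SYSTEM_DRIVE = "C:"          # what %SystemDrive% is assumed to expand to here


@dataclass
class ArchiveSettings:
    folders: List[str]                  # Folders tab, in order; first = default
    anonymous: bool = False             # Enable anonymous archiving
    skip_admin_owned: bool = True       # Do not archive administrator owned files
    skip_if_exists: bool = False        # Do not archive if the file already exists
    max_file_mb: Optional[float] = None # Only archive files smaller than (MB)
    per_user_mb: float = 50.0           # Maximum archive size per-user (MB)
    total_mb: float = 500.0             # Maximum archive size for all users combined (MB)
    overwrite_oldest: bool = False      # When a user's archive is full, overwrite oldest


@dataclass
class Blocked:
    """One blocked execution attempt: who ran what, and the file's NTFS owner."""
    user: str
    path: str
    owner: str
    size_mb: float


class ArchiveModel:
    def __init__(self, settings: ArchiveSettings, unreachable=()):
        self.s = settings
        self.unreachable = set(unreachable)          # folders whose copy "fails"
        self.store: Dict[str, List[List]] = {}       # folder -> [[name, size_mb], ...] oldest first

    def resolve(self, template: str, user: str) -> str:
        """Expand the path template.  With anonymous archiving the %username%
        token loses its percent signs, so every user shares a folder literally
        named 'username' and no identity is recorded in the path."""
        who = "username" if self.s.anonymous else user
        out = re.sub(r"%username%", lambda _: who, template, flags=re.IGNORECASE)
        return re.sub(r"%systemdrive%", lambda _: SYSTEM_DRIVE, out, flags=re.IGNORECASE)

    def _fits(self, folder: str, size_mb: float) -> bool:
        user_total = sum(e[1] for e in self.store.get(folder, []))
        grand_total = sum(e[1] for es in self.store.values() for e in es)
        return (user_total + size_mb <= self.s.per_user_mb
                and grand_total + size_mb <= self.s.total_mb)

    def archive(self, b: Blocked) -> str:
        if self.s.skip_admin_owned and b.owner in ADMIN_OWNERS:
            return "skipped: administrator owned"
        if self.s.max_file_mb is not None and b.size_mb >= self.s.max_file_mb:
            return "skipped: larger than limit"
        name = b.path.rsplit("\\", 1)[-1]
        for template in self.s.folders:              # list order matters
            folder = self.resolve(template, b.user)
            if folder in self.unreachable:
                continue                             # copy failed: try the next archive
            entries = self.store.setdefault(folder, [])
            if self.s.skip_if_exists and any(e[0].lower() == name.lower() for e in entries):
                return "skipped: already archived"
            while not self._fits(folder, b.size_mb):
                if not (self.s.overwrite_oldest and entries):
                    return "skipped: archive full"
                entries.pop(0)                       # overwrite this user's oldest file
            entries.append([name, b.size_mb])
            return "archived: " + folder + "\\" + name
        return "skipped: no archive folder reachable"


def demo() -> List[str]:
    """Constructed events for one endpoint whose network archive is unreachable."""
    settings = ArchiveSettings(
        folders=[r"\\fileserver\AMArchive\%UserName%",     # constructed; unreachable below
                 r"%SystemDrive%\AppSenseLogs\ApplicationManager\%UserName%"],
        max_file_mb=50, per_user_mb=10, total_mb=100, overwrite_oldest=True)
    model = ArchiveModel(settings, unreachable={r"\\fileserver\AMArchive\alice"})
    alice = "CORP\\alice"
    events = [
        Blocked("alice", r"C:\Users\alice\Downloads\winword.exe", alice, 4),   # renamed copy, user-owned
        Blocked("alice", r"C:\Windows\regedit.exe", "BUILTIN\\Administrators", 0.4),
        Blocked("alice", r"C:\Users\alice\Downloads\servicepack.exe", alice, 300),
        Blocked("alice", r"C:\Users\alice\Downloads\setup.exe", alice, 5),
        Blocked("alice", r"C:\Users\alice\Downloads\game.exe", alice, 3),       # evicts winword.exe
    ]
    return [model.archive(e) for e in events]
```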

3 Security Methods

In this Section:

Introduction on page 41

Method 1 - Trusted Ownership on page 42

Method 2 - Digital Signatures on page 44

Method 3 - Trusted Vendors on page 46

Method 4 - Whitelist vs. Blacklist vs. Trusted Ownership on page 49

Security Method Recommendation on page 54

INTRODUCTION

Application Manager has a number of security methods that allow you to protect a system without complex lists and constant management. These include Trusted Ownership, Digital Signatures, Trusted Vendors, Whitelists and Blacklists. You can choose any one of these methods or use a hybrid approach. The following sections describe the various methods and culminate in a recommendation.

METHOD 1 - TRUSTED OWNERSHIP

Application Manager uses secure filter drivers and Microsoft NTFS security policies to intercept all execution requests. Execution requests go through the Application Manager hook and any unwanted applications are blocked. Application entitlement is based on the ownership of the application, with default trusted ownership typically being for administrators. By using this method, current application access policy is enforced without the need for scripting or list management. This is called Trusted Ownership. In addition to executable files, Application Manager also manages entitlement to application content such as VBScripts, batch files, MSI packages and registry configuration files.

Trusted Ownership is the default method of controlling access to applications within Application Manager. It makes use of the Discretionary Access Control (DAC) model. It examines the owner attribute of the file and compares it to a predefined list of trusted owners. If the owner of the file appears in the list then execution of the file is granted, otherwise it is denied. The decision is made independently of the user actually trying to execute the file.

An important feature of this security method is that it does not need to inspect the file contents at all. In this way Application Manager is able to control both known and unknown applications. Conventional security products such as anti-virus applications compare file patterns against a list of known signatures to identify potential threats, so the protection they offer is only as good as the accuracy and currency of that list. Much malware is either never identified, or at best identified only after a period during which systems are left vulnerable.

Application Manager, by default, allows ALL locally installed executable content to execute IF the owner of the executable is listed in the Trusted Owners list in the configuration. The administrator must then supply a list of applications that they do not want to execute from the local disk subsystem, which would typically be administrative applications such as mmc.exe, eventvwr.exe, setup.exe, and so on.

If this approach is taken, then the administrator does not have to find out the full details of every piece of executing code required for the application set to function, as the Trusted Ownership model allows / denies access as appropriate.

Although Application Manager can stop executable or script-based malware as soon as it is introduced to a system, it is not intended to replace existing malware removal tools; it should act as a complementary technology alongside them. For example, although Application Manager can stop a virus from executing, it cannot clean it off the system.

For information on the Trusted Ownership rule see Trusted Ownership Rule on page 44.


Application Manager and Trusted Ownership

Application Manager maintains a trusted owners list which is defined in the Trusted Owners dialog box. This dialog box is found on the General Features ribbon page > Default Restrictions group > Trusted Owners.

Figure 3.1 Trusted Owners

Users and groups can be deleted or added as required.

In NTFS a file may be owned by either a user or a group, so both may be added. When the check for Trusted Ownership is performed, the security identifier (SID) of the file owner is read and compared against the list of SIDs in the trusted owner configuration. Application Manager does not evaluate group membership or enumerate the users of a group; the owner SID itself must be in the list. This ensures that Application Manager continues to function correctly when a machine is not connected to the network and group membership information is unavailable.

There are two options within the Trusted Owners dialog box:

Enable Trusted Ownership checking

Select to switch on Trusted Ownership checking. If this is not selected Application Manager does not perform any Trusted Ownership checking and other security methods must be configured to give the desired security.


Change a file’s ownership when it is overwritten or renamed

The default on Windows is to retain file ownership when a file is overwritten in place or renamed. This can be exploited: if NTFS permissions grant a user write access to a legitimate, trusted-owned file, the user can overwrite it with content that would otherwise be blocked, and the file keeps its trusted owner. Select this option to ensure that if a legitimate file is replaced in this way, ownership changes to the user who performed the overwrite or rename, so that Trusted Ownership prevents the file from executing.

Trusted Ownership Rule

Trusted Ownership does not need to take into account the logged on user. It does not matter whether the logged on user is a Trusted Owner, administrator, or not.

Trusted Ownership revolves around which user (or group) owns a file on the disk. This is typically the user who created the file.

It is common to see the group BUILTIN\Administrators shown in the Application Manager console as the File Owner. It is also possible to find that the file owner is an individual administrator's account. This gives the following situations:

The file owner is the group BUILTIN\Administrators and this group is a Trusted Owner. Trusted Ownership allows the file to execute.

The file owner is an individual administrator and that individual administrator is a Trusted Owner. Trusted Ownership allows the file to execute.

The file owner is an individual administrator who is not a Trusted Owner, but the BUILTIN\Administrators group IS a Trusted Owner. Trusted Ownership does not allow the file to execute.

In the last case, even though the administrator who owns the file is a member of the Administrators group, the file owner is not trusted: the group is never expanded to find out whether the individual owner should be trusted. To allow the file to execute, either change the file's ownership to BUILTIN\Administrators or add the individual account to the Trusted Owners list.
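The following PowerShell is added here as an example; it is not part of the original guide and not the product's own code. It applies the rule above to real files: the owner SID is compared literally against a trusted list (so the third situation above is denied), and, for the overwrite-or-rename option described earlier, it lists trusted-owned files that an untrusted principal could overwrite in place. The trusted owner names, the Program Files audit path and the function names are this example's choices.

```powershell
# Added example, not AppSense code: models the Trusted Ownership decision the guide
# describes and audits for the overwrite hole that the "Change a file's ownership when
# it is overwritten or renamed" option closes. The trusted owner names are assumptions
# for illustration; the product's own matching code is not reproduced here.

function ConvertTo-Sid {
    param([Parameter(Mandatory)][string]$Principal)
    if ($Principal -like 'S-1-*') { return $Principal }          # already a SID string
    $account = New-Object System.Security.Principal.NTAccount($Principal)
    $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Test-TrustedOwnership {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$TrustedOwners
    )
    $trustedSids = @($TrustedOwners | ForEach-Object { ConvertTo-Sid $_ })
    $acl = Get-Acl -LiteralPath $Path

    # The owner SID is compared literally against the list. A file owned by an
    # individual administrator is NOT trusted just because BUILTIN\Administrators
    # is trusted: group membership is never expanded, so the check also works
    # when the machine is off the network.
    $ownerSid     = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    $ownerTrusted = $trustedSids -contains $ownerSid

    # Rights that let a caller replace the contents of an existing file in place
    # (which keeps the trusted owner) or grant themselves that right. Delete and
    # recreate is not a hole: a new file is owned by whoever created it.
    $writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, ChangePermissions'
    $writers = foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($trustedSids -contains $rule.IdentityReference.Value) { continue }
        # Generic rights (GENERIC_WRITE and friends) show up as raw high bits and are not decoded here.
        if (([int]$rule.FileSystemRights -band [int]$writeRights) -ne 0) {
            try   { $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $rule.IdentityReference.Value }
        }
    }

    [pscustomobject]@{
        Path                = $Path
        Owner               = $acl.Owner
        AllowedByOwnership  = $ownerTrusted
        WritableByUntrusted = @($writers)
    }
}

# Audit a program directory. Files not owned by a trusted owner would be blocked by
# Trusted Ownership; files that are trusted-owned but writable by an untrusted
# principal can be overwritten in place and still run unless the ownership-change
# option is enabled.
$trusted = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'
Get-ChildItem -Path $env:ProgramFiles -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object { Test-TrustedOwnership -Path $_.FullName -TrustedOwners $trusted } |
    Where-Object { -not $_.AllowedByOwnership -or $_.WritableByUntrusted.Count -gt 0 } |
    Format-Table Path, Owner, AllowedByOwnership,
        @{ Name = 'WritableBy'; Expression = { $_.WritableByUntrusted -join ', ' } } -AutoSize
```

Run it from an elevated prompt so every ACL can be read. A row with AllowedByOwnership false shows a file that Trusted Ownership would block; a row with a non-empty WritableBy column shows a trusted-owned file that a listed principal can replace in place, which is exactly the case the overwrite-or-rename option is there to catch.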

METHOD 2 - DIGITAL SIGNATURES

Digital Signatures provide a means to identify a file precisely by its actual contents. Each file is examined and, from its contents, a digital hash is produced, which may be likened to a fingerprint. Application Manager uses the industry standard SHA-1 hash. If the file is altered in any way, its SHA-1 hash also changes. Hashing is regarded as the most exact security method because it identifies each file by nothing other than the file itself. For example, an administrator takes a digital hash of every executable on a computer system and records them. When a user then tries to execute an application, the hash of that application is calculated and compared to the recorded values; if there is a match the application is granted execution, otherwise it is denied. This methodology also provides zero-day protection: not only does it stop new applications from being introduced, it also blocks any application that has been infected with malware, because the infection changes the hash. Note that SHA-1 is no longer considered collision resistant. That does not let an attacker produce a file matching a hash that has already been recorded, but it does mean the administrator should only hash files obtained from trusted sources, never a file supplied by the party the hash is meant to constrain.

Although digital signatures provide protection similar to Trusted Ownership, the time and management involved in maintaining them must also be considered. Applications are constantly updated with service packs, bug fixes and vulnerability patches, which means that all associated files are also constantly changing. So if, for example, a service pack is applied to Microsoft Office, new digital hashes of the updated files must be taken before the updated parts will run. Make sure these hashes are in place when the update is rolled out so that no downtime is seen, and remove the old signatures so that the superseded versions of the files can no longer run.

Signature Wizard

Application Manager has a Signature Wizard that allows you to apply digital signatures either to an individual file or a group. Digital signatures can be grouped in one of two ways, by means of scanning folders and subfolders, or by examining a running process.

The Signature Wizard is available from the Groups ribbon page > Advanced group when you select a group beneath the Library > Group Management node.

Figure 3.2 Signature Wizard

The Search Folders option in the Signature Wizard automatically scans all executable and script-based files in the selected folder and calculates their digital hashes. The Examine a running process option allows you to select a process that is currently running; the process, along with all executable files it currently has loaded, is scanned and digital hashes are calculated.

If a file is found for which the signature has already been calculated a notification of a duplicate is displayed. There is no need for a duplicate hash in a configuration.

If the files are updated by means of, for example, a service pack, you can select the signature file group and choose to re-scan. All of the digital signatures are automatically updated and the new configuration can be deployed.
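As an added illustration, not code from the guide or from the Signature Wizard itself, the following PowerShell builds the same kind of SHA-1 signature group in both modes (scan a folder, or examine a running process and the images it has loaded), reports duplicate hashes, and re-scans after an update so that changed entries can be replaced and old ones retired. The extension list, folder names and function names are assumptions made for the example.

```powershell
# Added example, not AppSense code: builds a SHA-1 signature group the way the
# Signature Wizard's two modes do, reports duplicate hashes, and re-scans after an
# update to show which entries must be replaced. The extension list and the paths
# used below are assumptions for illustration.

$ExecutableExtensions = '.exe', '.dll', '.ocx', '.sys', '.msi', '.bat', '.cmd', '.vbs', '.js', '.reg'

function New-SignatureGroup {
    param(
        [string]$Folder,          # "Search Folders" mode
        [switch]$Recurse,
        [int]$ProcessId           # "Examine a running process" mode
    )
    $files = @()
    if ($Folder) {
        $files += Get-ChildItem -LiteralPath $Folder -File -Recurse:$Recurse -ErrorAction SilentlyContinue |
            Where-Object { $ExecutableExtensions -contains $_.Extension.ToLower() } |
            ForEach-Object { $_.FullName }
    }
    if ($ProcessId) {
        $proc = Get-Process -Id $ProcessId
        if ($proc.Path) { $files += $proc.Path }
        # Every image the process currently has loaded. Access can be denied for
        # protected or cross-bitness processes; then only the main image is hashed.
        try { $files += $proc.Modules | ForEach-Object { $_.FileName } } catch { }
    }

    $signatures = @{}   # path  -> SHA-1
    $firstSeen  = @{}   # SHA-1 -> first path with that content
    $duplicates = @()
    foreach ($path in ($files | Sort-Object -Unique)) {
        try { $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA1).Hash } catch { continue }
        $signatures[$path] = $hash
        if ($firstSeen.ContainsKey($hash)) {
            # Same content is already in the group; a second entry adds nothing.
            $duplicates += "$path has the same SHA-1 as $($firstSeen[$hash])"
        }
        else {
            $firstSeen[$hash] = $path
        }
    }
    [pscustomobject]@{ Signatures = $signatures; Duplicates = $duplicates }
}

function Compare-SignatureGroup {
    # Re-scan view: which hashes an update invalidated, which are new, which can be retired.
    param([Parameter(Mandatory)][hashtable]$Old, [Parameter(Mandatory)][hashtable]$New)
    $paths = (@($Old.Keys) + @($New.Keys)) | Sort-Object -Unique
    foreach ($path in $paths) {
        $state = if (-not $Old.ContainsKey($path))     { 'Added' }
                 elseif (-not $New.ContainsKey($path)) { 'Removed (retire old hash)' }
                 elseif ($Old[$path] -ne $New[$path])  { 'Changed (replace old hash)' }
                 else                                  { 'Unchanged' }
        [pscustomobject]@{ Path = $path; State = $state; OldSha1 = $Old[$path]; NewSha1 = $New[$path] }
    }
}

# Usage: take a baseline, apply the update, re-scan, and deploy only after the
# changed hashes have been replaced and the removed ones retired.
$before = New-SignatureGroup -Folder "$env:ProgramFiles\Contoso Office" -Recurse    # constructed path
$before.Duplicates
# ... service pack applied here ...
$after = New-SignatureGroup -Folder "$env:ProgramFiles\Contoso Office" -Recurse
Compare-SignatureGroup -Old $before.Signatures -New $after.Signatures | Where-Object State -ne 'Unchanged'

# The process mode, hashing whatever explorer.exe has loaded right now:
$running = New-SignatureGroup -ProcessId (Get-Process -Name explorer | Select-Object -First 1).Id
$running.Signatures.Count
```

Rows reported as Changed are the ones that would fail to run after the update until the new hash is deployed; rows reported as Removed are the stale signatures the guide recommends deleting.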


METHOD 3 - TRUSTED VENDORS

Trusted Vendors can be specified in each Application Manager rule node. Trusted Vendors are used for listing valid digital certificates. A digital certificate is an electronic document that uses a digital signature to bind a public key to an identity, including information such as the name of a person or organization, address, and so on. The certificate is used to verify that a public key belongs to that individual or organization. Digital certificates are issued by a certificate authority.

An increasing number of applications are signed with digital certificates. The certificate supplies the public key with which the authenticity of the application can be verified. If Trusted Ownership fails and the file is not explicitly blocked within the Application Manager configuration, the file is still allowed to execute if it carries a valid digital signature from a certificate in the rule's Trusted Vendors list.

Right-click in the Trusted Vendor’s work area to display the following commands for adding certificates to the list.

From Signed-File - Specify a known file that has already been signed by the vendor who you wish to trust. Application Manager identifies the vendor’s specific signature to identify additional code from that same vendor.

From File-Based Store - Browse to a specific digital certificate file and choose the certificates you require.

Import File-Based Store - Import all certificates from a file-based store for use in setting up a Trusted Vendor rule.

Figure 3.3 Add Certificate to Trusted Vendor List


Certificate Verification

You can also verify a certificate. Application Manager displays a message if there are any warnings for the certificate, for example if it is not possible to determine whether the certificate has been revoked. The Verify Certificates command is available from the Rule Items ribbon page > Trusted Vendors group. The following figure shows the message displayed for a certificate with warnings.

Figure 3.4 Certificate Verification Warning

Advanced Options

Advanced options allow you to specify which certificate validation failures are tolerated. The certificate must be valid for the rule to apply, but the options define what counts as valid. Each option waives one specific check, so every option you select widens the set of certificates that will be accepted; leave them all clear unless a specific validation failure, such as an unreachable revocation server, is understood and accepted. The advanced options are available from the Advanced Options dialog box.

The Advanced Options dialog box is available from the Rule Items ribbon page > Trusted Vendors group.


Figure 3.5 Advanced Options

Ignore CTL revocation errors - Ignores that the certificate trust list (CTL) revocation is unknown when determining certificate verification.

Ignore CA revocation errors - Ignores that the certificate authority revocation is unknown when determining certificate verification.

Ignore end Certificate revocation errors - Ignores that the end certificate, that is the user certificate, revocation is unknown when determining certificate verification.

Ignore root revocation errors - Ignores that the root revocation is unknown when determining certificate verification.

Ignore CTL not time valid errors - Ignores that the certificate trust list is not time valid, for example because the CTL has expired, when determining certificate verification.

Ignore time nesting errors - Ignores that the certificate authority (CA) certificate and the issued certificate have validity periods that are not nested when verifying the certificate. For example, the CA certificate may be valid from January 1st to December 1st , and the issued certificate from January 2nd to December 2nd. This means that the validity periods are not nested.

Ignore basic constraint errors - Ignores that the basic constraints are not valid when determining certificate verification.

Ignore invalid name errors - Ignores that the certificate has an invalid name when determining certificate verification.

Ignore invalid policy errors - Ignores that the certificate has an invalid policy when determining certificate verification.

Ignore invalid usage errors - Ignores that the certificate was not issued for the current use when determining certificate verification.

Allow untrusted roots - Ignores that the root cannot be verified because it chains to an unknown certificate authority. Anyone can create a self-signed root, so with this option selected the entry in the Trusted Vendors list is the only control left; use it only for certificates you have verified out of band, such as those of an internal CA.


The Click here to test these settings link helps to validate the certificate based on the options you have selected and, where relevant, are dependent on connectivity with the appropriate certification authority.
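The PowerShell below is an added example, not code from the guide or the product. It evaluates a file the way the Trusted Vendors check is described above (a file that fails Trusted Ownership may still run if it is validly signed by a vendor in the list) and shows what each Advanced Option waives. The option names line up with the Windows certificate chain policy flags that .NET exposes as X509VerificationFlags, which is what the example uses; matching a vendor by the signer certificate's thumbprint is this example's assumption, and the paths are placeholders.

```powershell
# Added example, not AppSense code. Trusted Vendors check with the Advanced Options
# expressed as X509VerificationFlags. Vendor match by thumbprint is an assumption of
# this example; paths below are placeholders.
#
#   Ignore CTL revocation errors        -> IgnoreCtlSignerRevocationUnknown
#   Ignore CA revocation errors         -> IgnoreCertificateAuthorityRevocationUnknown
#   Ignore end certificate revocation   -> IgnoreEndRevocationUnknown
#   Ignore root revocation errors       -> IgnoreRootRevocationUnknown
#   Ignore CTL not time valid errors    -> IgnoreCtlNotTimeValid
#   Ignore time nesting errors          -> IgnoreNotTimeNested
#   Ignore basic constraint errors      -> IgnoreInvalidBasicConstraints
#   Ignore invalid name errors          -> IgnoreInvalidName
#   Ignore invalid policy errors        -> IgnoreInvalidPolicy
#   Ignore invalid usage errors         -> IgnoreWrongUsage
#   Allow untrusted roots               -> AllowUnknownCertificateAuthority

function Test-TrustedVendor {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$TrustedThumbprints,
        [System.Security.Cryptography.X509Certificates.X509VerificationFlags]$IgnoreFlags = 'NoFlag'
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path = $Path; AuthenticodeStatus = $sig.Status; Signer = $null
        ChainBuilt = $false; ChainStatus = @(); VendorMatch = $false; Allowed = $false
    }
    # Unsigned, or signed but the hash no longer matches the file (tampered): never a vendor match.
    if (-not $sig.SignerCertificate -or $sig.Status -eq 'HashMismatch') { return [pscustomobject]$result }
    $result.Signer = $sig.SignerCertificate.Subject

    # Rebuild the signer's chain under the configured flags, with online revocation checking.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag    = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.VerificationFlags = $IgnoreFlags
    $result.ChainBuilt = $chain.Build($sig.SignerCertificate)
    # ChainStatus still lists conditions the flags told Build() to tolerate, so it
    # doubles as an audit trail of what was waived for this file.
    $result.ChainStatus = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })

    $result.VendorMatch = $TrustedThumbprints -contains $sig.SignerCertificate.Thumbprint
    # A Valid Authenticode verdict already means a trusted chain (and honours the
    # countersignature timestamp, which the rebuilt chain does not); otherwise the
    # relaxed chain must have built. The vendor match itself is never waived.
    $result.Allowed = $result.VendorMatch -and ($sig.Status -eq 'Valid' -or $result.ChainBuilt)
    [pscustomobject]$result
}

# "From Signed-File": trust the vendor that signed a file you already know to be genuine.
$vendor = (Get-AuthenticodeSignature -FilePath 'C:\Vendor\known-good.exe').SignerCertificate.Thumbprint   # placeholder
Test-TrustedVendor -Path 'C:\Vendor\update.exe' -TrustedThumbprints $vendor | Format-List

# The same check with the options an offline site or an internal CA might need; each flag widens trust.
$relaxed = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]'IgnoreEndRevocationUnknown, IgnoreCertificateAuthorityRevocationUnknown, AllowUnknownCertificateAuthority'
Test-TrustedVendor -Path 'C:\Vendor\update.exe' -TrustedThumbprints $vendor -IgnoreFlags $relaxed | Format-List
```

With AllowUnknownCertificateAuthority set, a chain ending in any self-signed certificate builds, so the thumbprint comparison is the only control left; take the reference thumbprint from a file obtained out of band, never from the file being evaluated. Compare the ChainStatus output of the two calls to see precisely which failures the relaxed settings waived.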

METHOD 4 - WHITELIST VS. BLACKLIST VS. TRUSTED OWNERSHIP

There are two key approaches that can be used in Application Manager that differ from Trusted Ownership, namely whitelisting and blacklisting.

Whitelist Model

The whitelist approach dictates that every single piece of executable content must be predefined before a user requests the application on the operating system. Details of all the content identified in this way are kept on a whitelist that is checked each time an execution request occurs. If the executable file is on the whitelist it is permitted, otherwise it is denied.

There are a small number of security technologies that work in this way, but they often experience issues with the level of administration required once implemented. This is due to the necessity of adding and maintaining all patches, service packs and upgrades to the whitelist.

Application Manager fully supports this model of control and adds significant steps to tighten it. One such addition is the ability to include SHA-1 digital signatures (hashes), so that not only must the application name match but the SHA-1 hash of the executable must match a signature in the database. Furthermore, Application Manager also adds the full path of the executable to the list, so that all three items must match before the application executes:

Filename - for example, winword.exe.

File Path - for example, C:\Program Files\Microsoft Office\Office\

SHA-1 digital signature.

To take the technology to the next stage of control, Application Manager does not only take the details of the executables but also asks the administrator to specify individual .dll files as well as all other executable content such as ActiveX controls, Visual Basic Scripts and command scripts.

Blacklist Model

In contrast to whitelists, blacklists are an inherently weak security measure. A list is generated and then maintained containing the applications that are to be denied execution. This is the main failing of the method: it presumes that every dangerous application is already known. That is of little use in most enterprises, particularly where users have e-mail and internet access and can introduce files and applications without administrator intervention.

Application Manager does not need to maintain a list of denied applications, because any application that was not installed by an administrator, and is therefore not owned by a trusted owner, is denied by Trusted Ownership.

One of the main uses of a blacklist in Application Manager is license management on top of Trusted Ownership: a known (and therefore trusted and owned) application is prohibited for all users until the administrator explicitly allows that same application for a particular user, group or device rule. This needs no configuration beyond allowing the application for those who are entitled to it.


Additionally, a blacklist is useful for denying access to files that are owned by trusted owners but that may be deemed security risks, for example regedit.exe, ftp.exe, and so on.

Application Manager and Whitelists

Whitelists are defined with Application Manager as Accessible Items.

Figure 3.6 Accessible Items

Items within the Accessible Items list may be:

File

If the filename alone is specified, for example, myapp.exe, then all instances of this are allowed regardless of the location of the application.

If the file is specified with the full path, for example, \\servername\sharename\myapp.exe, then only this instance of the application is allowed / not allowed. Other instances of this application need to satisfy other Application Manager rules to be granted execution.

Folder

A complete folder may be specified, for example, \\servername\servershare\myfolder, and all applications within this folder, and all subfolders if required, are allowed to execute. Select Include subdirectories to include all directories beneath the specified directory.

No checks are made on the files within the folder, so any file copied into this folder is allowed to execute.

Drive

A complete drive may be specified, for example, W, and all the applications on this drive, including subfolders, are allowed to execute.

No checks are made on the files within the drive, so any file copied into any folder on this drive is allowed to execute.

To automatically apply environment variables, select Substitute environment variables where possible for a file or folder. This makes the paths more generic for applying on different machines. Wildcard support provides an additional level of control for specifying generic file paths.

Signature Item

A file may be added along with a digital hash of the file. This ensures that only that particular file may be executed, but from any location.

Network Connection Item

A Network Connection Item can be specified. All files on the network are allowed to run.

Figure 3.7 Add a Network Connection Dialog Box

Group

Groups can contain any number and combination of items, for example, all the File, Folder, Drive, Signature and Network items for a particular application. All files in the group are allowed to execute.

Trusted Ownership

This option must be selected in the Accessible Items work area if you want to perform trusted ownership checking on the defined Accessible Item. If this option is not selected the file is allowed to execute regardless of its owner; a folder or drive item without Trusted Ownership checking is therefore only as safe as the NTFS permissions on that location, since anyone who can write there can run what they write.
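To make the item kinds concrete, the following PowerShell is an added example (not code from the guide or the product) that models how each kind matches an execution request: the name-only versus full-path distinction for files, folder and drive scope, hash items, the per-item Trusted Ownership switch, and the filename + path + SHA-1 triple from Method 4. Environment variables use Windows %VAR% expansion and wildcards use PowerShell -like globbing; both are this example's assumptions about the product's syntax. All items, paths and hashes are constructed.

```powershell
# Added example, not AppSense code: a model of Accessible Item matching as the guide
# describes it. Item syntax (wildcards, %VAR% expansion) is assumed; items, request
# paths and hashes below are constructed for illustration.

function Test-AccessibleItem {
    param(
        [Parameter(Mandatory)][hashtable]$Item,   # Type, Value, IncludeSubdirectories, Sha1, TrustedOwnership, Items
        [Parameter(Mandatory)][string]$RequestPath,
        [string]$RequestSha1 = '',
        [bool]$OwnerIsTrusted = $false
    )
    $p = $RequestPath
    $v = [Environment]::ExpandEnvironmentVariables([string]$Item.Value)
    $matched = switch ($Item.Type) {
        'File' {
            if ($v -match '[\\/]') { $p -like $v }                    # full path: only this instance
            else { (Split-Path -Leaf $p) -like $v }                   # name only: any location
        }
        'Folder' {
            $dir = $v.TrimEnd('\') + '\'
            if ($Item.IncludeSubdirectories) { $p -like ($dir + '*') }
            else { ((Split-Path -Parent $p).TrimEnd('\') + '\') -eq $dir }   # direct children only
        }
        'Drive'     { $p -like ($v.TrimEnd(':\') + ':\*') }
        'Signature' {
            # The hash must match; a path in Value additionally pins the location (Method 4's triple).
            $hashOk = $RequestSha1 -and ($RequestSha1 -eq $Item.Sha1)
            if ($v -match '[\\/]') { $hashOk -and ($p -like $v) } else { $hashOk }
        }
        'Group' {
            # Any member item allowing the request is enough.
            @($Item.Items | ForEach-Object {
                (Test-AccessibleItem -Item $_ -RequestPath $p -RequestSha1 $RequestSha1 -OwnerIsTrusted $OwnerIsTrusted).Allowed
            }) -contains $true
        }
        default { $false }
    }
    # With Trusted Ownership unticked on the item, a match runs regardless of owner:
    # the item is then only as safe as the ACL on the location it names.
    $allowed = [bool]$matched -and ((-not $Item.TrustedOwnership) -or $OwnerIsTrusted)
    [pscustomobject]@{ Type = $Item.Type; Value = $Item.Value; Matched = [bool]$matched; Allowed = $allowed }
}

# Constructed Accessible Items, one of each kind.
$items = @(
    @{ Type = 'File';      Value = 'myapp.exe' },                                                # any location
    @{ Type = 'File';      Value = '\\fileserver\apps\tool.exe'; TrustedOwnership = $true },     # this instance only
    @{ Type = 'Folder';    Value = '%ProgramFiles%\Contoso'; IncludeSubdirectories = $true },
    @{ Type = 'Drive';     Value = 'W' },
    @{ Type = 'Signature'; Value = 'setup.exe'; Sha1 = 'DA39A3EE5E6B4B0D3255BFEF95601890AFD80709' },   # constructed hash
    @{ Type = 'Group';     Value = 'Contoso suite'; Items = @(
        @{ Type = 'File'; Value = 'C:\Apps\Contoso\*.exe'; TrustedOwnership = $true }
    ) }
)

# Constructed execution requests: path, the file's SHA-1, and whether its owner is trusted.
$requests = @(
    @{ Path = 'D:\Downloads\myapp.exe';                   Sha1 = '1111'; OwnerTrusted = $false },
    @{ Path = '\\fileserver\apps\tool.exe';               Sha1 = '2222'; OwnerTrusted = $false },
    @{ Path = "$env:ProgramFiles\Contoso\bin\helper.exe"; Sha1 = '3333'; OwnerTrusted = $false },
    @{ Path = 'W:\tools\anything.exe';                    Sha1 = '4444'; OwnerTrusted = $false },
    @{ Path = 'C:\Temp\setup.exe';                        Sha1 = 'DA39A3EE5E6B4B0D3255BFEF95601890AFD80709'; OwnerTrusted = $false },
    @{ Path = 'C:\Apps\Contoso\report.exe';               Sha1 = '5555'; OwnerTrusted = $true }
)
foreach ($r in $requests) {
    $hits = @($items | ForEach-Object { Test-AccessibleItem -Item $_ -RequestPath $r.Path -RequestSha1 $r.Sha1 -OwnerIsTrusted $r.OwnerTrusted } |
             Where-Object Allowed)
    $verdict = if ($hits) { 'ALLOW via ' + (($hits | ForEach-Object { "$($_.Type) '$($_.Value)'" }) -join '; ') }
               else       { 'not allowed by any accessible item; Trusted Ownership decides' }
    '{0,-42} {1}' -f $r.Path, $verdict
}
```

Note the second request: the network file is matched by its full-path item but is still not allowed, because that item has Trusted Ownership ticked and the file's owner is untrusted. The first request shows the opposite risk: a name-only item without the ownership check lets myapp.exe run from a Downloads folder whoever owns it.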

Access Times

It is possible to define what times and on what days a particular application is allowed to execute. The Access Times dialog box is available on the Rule Items ribbon page > Accessible & Prohibited Items group.

For more information see Application Network Access Control on page 115.

Access times can only be applied to Accessible Items within the Group, User, Device, Custom, Scripted, and Process rules.


Figure 3.8 Access Times Specified between 8am and 6pm, Monday to Friday

Application Limits

It is also possible to define the number of instances of an application that can run at one time. The Application Limits dialog box is available on the Rule Items ribbon page > Accessible & Prohibited Items group.

Application limits can only be applied to Accessible Items within the Group, User, Device, Custom, Scripted, and Process rules.

For access times, a message can be displayed when a user attempts to access an application outside the specified times, and another message if the time limit expires while the application is still running. You can configure these messages. See Time Limits on page 30.

A message can also be displayed for a user when application limits have been exceeded. You can configure this message. See Application Limits Exceeded on page 28.

Figure 3.9 Application Limits Dialog Box

SECURITY METHOD RECOMMENDATION

In order to get the most value out of an Application Manager configuration, it is recommended to use a hybrid approach in which the most suitable components of each security method are combined to provide the optimum security model whilst minimizing the overall management and configuration overhead.

The Trusted Ownership approach enables new applications to be installed by Trusted Owners without any change to the Application Manager configuration, yet still provides full protection against unknown application and script content introduced by non-trusted end users. It is therefore recommended as the basis of most Application Manager configurations, and that is why it is enabled by default in all new Application Manager configurations.

As stated previously, the whitelist approach is the most secure, yet it is an administratively intensive security model. If an enterprise does not use NTFS on its file systems (FAT volumes, for example, record no owner), a whitelist is the recommended option, since Trusted Ownership relies on file owner information that only NTFS provides.

Trusted Ownership is only appropriate for locally installed executable content, that is, applications that exist on local fixed drives within a computer. Any executable or script content that resides on a network location or on removable media, such as a CD or DVD-ROM, is automatically considered un-trusted and is immediately blocked from executing.

Any such application that users need to run must be specifically added to the Accessible Items whitelist within the Application Manager configuration, with a full UNC path to the relevant executable. Trusted Ownership checking can optionally be disabled on these items if necessary, or a SHA-1 signature can be taken to check the file at run time. It is good practice to use SHA-1 digital signature checking for network or removable media based applications, since these files tend to be outside the control of the administrator responsible for the organization's endpoint devices, and a path alone does not detect a file that has been replaced.


Trusted Vendor checking is recommended for development and test environments where end users may need to constantly install and test different versions of company owned application and script content. By signing the desired executables with a digital certificate, Trusted Vendor checking can be configured to allow all signed components to be executed as and when needed.

Finally, Prohibited Items should be configured to create a blacklist preventing specific user access to applications that would typically be installed and hence owned by Trusted Owners, including parts of the operating system such as registry editing tools, file sharing tools and access to Control Panel components. This blacklist of Prohibited Items can additionally be used to cater for application license management, when used in conjunction with Accessible Items whitelists and the Application Limits functionality.

4 Configuration

In this Section:

Configuration Files on page 56

Default Configuration on page 57

Customize a Configuration on page 61

Example Configuration Procedures on page 69

Configuration Profiler on page 73

CONFIGURATION FILES

Application Manager configuration files (.aamp) contain the rule settings for securing your system. The Application Manager agent checks the configuration rules to determine the action to take when intercepting file execution requests.

Configurations are stored locally in C:\Documents and Settings\All Users\Application Data\AppSense\Application Manager\Configuration on Windows XP and Server 2003, and in C:\ProgramData\AppSense\Application Manager\Configuration on Windows Vista and above. ProgramData is a hidden folder: open Explorer, type C:\ProgramData in the address bar and press Enter to open it. Configurations are protected by NTFS security.

Application Manager Product Guide | 4 Configuration | Default Configuration | 57

In Standalone mode, configuration changes are written directly to the local .aamp file from the Application Manager console. In Enterprise mode, configurations can be created and stored centrally in the AppSense Management Center database, and distributed to endpoints in MSI format via the AppSense Management Server.

Configurations can also be exported and imported to and from MSI file format, which is useful for creating templates or distributing configurations using third-party deployment systems.

After creating or modifying a configuration, you must save the configuration with the latest settings to ensure that they are implemented.

DEFAULT CONFIGURATION

Application Manager is ready to manage your security as soon as you install the agent and a configuration on managed endpoints. A default configuration loads when you run the console and can be used for immediate protection on all client computers to which it is deployed. This configuration blocks any file with an un-trusted owner, and prevents non-administrative users from running executables from non-secure locations, including network locations and removable media. For more information on Trusted Ownership see Security Methods on page 41.

The default configuration can be saved directly in Standalone mode to the local computer via the console, or saved to the database of the AppSense Management Center when operating in Enterprise mode, ready for deployment.

Protection

All application and process execution requests are checked against the Application Manager rules before access is granted.

All application and process network access requests are prohibited unless allowed by Application Manager rules.

Members of the local Administrators group are granted unrestricted access to applications.

Members of non-administrative user groups are granted restricted access to applications.

MSI, WSH and registry files are validated against the Application Manager rules.

Windows Installer (msiexec.exe) is allowed to run all child processes with the DLL and EXE extensions.


Default Settings

Table 4.1 Default Configuration Settings

Setting: General Features > Options > General Features
Value: Make local drives accessible by default; Ignore restrictions during logon; Allow cmd.exe for batch files; Allow self-extracting ZIP files; Ignore restrictions during Active Setup.
Description: Ignore restrictions during logon delays enforcement of the Application Manager rules until logon is complete, so that the logon process is not disrupted or prevented from completing and logon scripts can run. cmd.exe and self-extracting ZIP files are otherwise blocked as potential loopholes for attempts to breach security; these options allow cmd.exe to run for legitimate batch files and allow legitimate self-extracting ZIP files to run.

Setting: General Features > Options > Validation
Value: Validate MSI (Windows Installer) packages; Validate WSH (Windows Script Host); Validate registry files; Validate system processes.
Description: By default Application Manager validates MSI packages, registry files and WSH scripts against the rules; otherwise they are ignored unless they are specified in the rules themselves. System process validation can affect performance and is disabled by default. Turn these options off only if you trust these file types to run, or have adequate protection in place in the Application Manager rules or by some other method.

Setting: General Features > Options > Functionality
Value: Enable Application Access Control; Enable Application Network Access Control; Enable User Rights Management.
Description: All Application Manager functionality is enabled by default, but you can disable any of these as part of a troubleshooting process.

Setting: General Features > Application Termination
Value: Disabled by default.
Description: Settings for closing and terminating applications: triggers, warning message behaviour for users and warning message notifications.

Setting: Library > Group Management node
Value: No default settings.
Description: For creating reusable groups of applications to assign to rules.

Setting: Library > User Rights Policies
Value: No default settings.
Description: Reusable User Rights Policies which elevate or restrict user privileges, for assigning to files, folders, signatures, drives and application groups in rules.

Setting: Rules > Administrator (local Administrators group rule)
Value: Security level set to Unrestricted. No other default settings are applied.
Description: Manages access to applications for local administrators.

Setting: Rules > Everyone (group rule)
Value: Security level set to Restricted. The AppSense Program Files directories are added to Accessible Items. No other default settings are applied.
Description: Applies to all system users unless a user matches other rules with higher priority settings.

Setting: Rules > Process: Windows Installer (msiexec.exe), *.EXE, *.DLL
Value: All EXE and DLL files are allowed to run when spawned by msiexec.exe.
Description: This rule does not manage access to msiexec.exe itself; you must manage access to that file in another rule.


CONFIGURATION ELEMENTS

The Application Manager console provides configuration settings in the following key areas:

Library

Rules

Library

The Library nodes provides the following:

Group Management

The Group Management node allows you to group a number of items such as Files, Folders, Drives, Signature Files and Network Connections, for example all the items belonging to one particular application. You can then add this group to the Accessible and Prohibited Items lists.

User Rights Policies

The User Rights Policies node allows you to add User Rights Policies to selectively promote or demote administrative rights for individual applications.

Rules

Rule nodes provide default settings for handling file executions and specific settings which apply to particular users, groups or devices.

Group, User, Device, Custom, Scripted, and Process Rules

Allow you to specify Security Level settings that specify restrictions which apply to users, groups or devices matching the rule. Custom rules target combinations of particular users or groups operating on specific collections of devices. Scripted rules allow administrators to apply Accessible Items and Prohibited Items to users based on the outcome of a VBScript. The VBScript can be run for each individual user session or run once per computer. Process rules allow you to manage access for the application to run child processes which might otherwise be managed differently in other rules. You can add Accessible Items, Prohibited Items, Trusted Vendors, and User Rights to the rule.

Accessible / Prohibited Items - Sub-node lists within each rule which you can populate and maintain with specific files, folders, drives, and digital signatures to provide an additional level of granularity for controlling file execution requests.

For example, items which Trusted Ownership checking normally prohibits can be made accessible for the users or devices targeted in the rule. Likewise, files which would normally be accessible can be prohibited.

Trusted Vendors - A sub-node list in each rule which you can populate with digital certificates issued by trusted sources. Files which fail Trusted Ownership checking are checked for the presence of digital certificates and are allowed to run when a match is made with the Trusted Vendors list.

For example, a highly restricted user might be prohibited under normal rule conditions from introducing executable files on the system but may be required to download and run software updates from a particular source, from time to time. If the downloaded file includes a digital certificate which matches a certificate in the Trusted Vendors list, the file is allowed to run.


User Rights - A sub-node list in each rule which you can populate with applications, components and web installations to which you want to apply User Rights Policies. User Rights Policies allow you to selectively promote or demote administrative rights for individual applications, components and web installations.

Rule Matching

Rule matching takes place when Application Manager intercepts a file execution request and checks the configuration policy to determine whether a file is allowed to run.

Applying Rule Policies

The most lenient security policy is applied to a user profile which is affected by more than one rule. For example, a user who matches both a User rule assigned Restricted security level and also a Group rule which assigns the Self Authorizing level, is granted self-authorizing privileges for all decisions and application use.

Matching Files and Rules

The Application Manager agent applies rules by making a suitable match for the file type.

Figure 4.1 Rule Matching

Matching is based on a three stage approach which considers security, matching order and policy decisions:


1. Security:

Is the user restricted?

Is ownership of the executable item trusted?

Where is the executable loaded?

2. Matching:

Does the executable match a signature?

Does the executable match an Accessible or Prohibited Item?

3. Policy:

Is Trusted Ownership checking enabled?

Is there a timed exception?

Is there an Application Limit?

Trusted Ownership Checking

During the rule matching process, Trusted Ownership checking is performed on files, folders and drives to ensure that ownership of the items is matched with the list of trusted owners in the default rule configuration.

For example, if a match is made between the file you want to run and an accessible item, an additional security check ensures that the file ownership is also matched with the Trusted Owners list. If a genuine file has been tampered with or a file which is a security threat has been renamed to resemble an accessible item, Trusted Ownership checking identifies the irregularity and prevents file execution.

Trusted Ownership checking is not necessary for items with digital signatures as these cannot be imitated.

Trusted Vendors

Trusted Vendor matching takes place when a file is prohibited by failing Trusted Ownership checking.

Application Manager queries each file execution to detect the presence of a digital certificate. If the file has a valid digital certificate and the signer matches an entry in the Trusted Vendor list, the file is allowed to run, overriding the result of Trusted Ownership checking.

CUSTOMIZE A CONFIGURATION

As previously mentioned, the default configuration is ready to use as soon as you install the agent and the configuration on the managed endpoints. However, all enterprises are different and thus it is possible to edit or create a configuration more suitable to the environment.

For more information on Trusted Ownership see Security Methods on page 41.


Define Users

The first step in creating a configuration is to determine the users that you want to apply rules to, for example, the users that you want to restrict certain applications for. Rules can be applied to all users within a group or to individual users. Users can belong to more than one group.

By default there are two existing Group rules:

BUILTIN\Administrators

Everyone

Users within BUILTIN\Administrators have an Unrestricted security level whilst users in the Everyone group have a Restricted security level.

Select a rule to display the security level.

Figure 4.2 Security Level Slider

Application Manager has the ability to assign four distinct security levels to the group rules.

You can use Endpoint Analysis to determine the applications on a user’s endpoint and what applications are used. You can use this information to simplify the creation of a configuration. The results of the analysis can be dragged and dropped into an existing configuration. See Endpoint Analysis on page 128 for more information.


By default, the BUILTIN\Administrators group rule has a security level of Unrestricted. The Everyone group rule and all additional group rules have a security level of Restricted.

Table 4.2 Security Levels

Security Level Description

Restricted Select to restrict users, groups, and devices, enabling them to run only authorized applications. These include files owned by members of the Trusted Owners list and files listed in the Accessible Items node only. If access to an executable is denied for the user then execution of it will be blocked and the user does not have the ability to override the decision. This is the most secure setting and it is recommended that most users are configured this way. This, essentially, turns on the Application Manager protection for those that meet the group, user, device or scripted rule criteria.

Self-Authorizing Select to prompt users, groups and devices in the rule to decide whether to allow execute requests for each unauthorized file. Unauthorized files either do not belong to the Trusted Owners list or are not specified in the Accessible Items list of a given rule.

A Self-Authorizing user prompt includes the following:

Remember my decision for this session only: The authorization decision is upheld for the current session only. The user is prompted again for an authorization decision when attempting to run an application in any future session.

Remember my decision permanently: The user decision is upheld for all future sessions.

If neither of the above options is selected, the decision is upheld only for the current instance the user is attempting to run. The Self-Authorization prompt is reissued for any future attempts to run instances of the application.

Allow: Allows the application to run.

Block: Prevents the application from running.

When a DLL file is allowed to run, a message notifies the user that the application which uses the DLL may need to be restarted. The default message which displays can be modified on the General Features page > Properties group > Message Settings. For more information see Trusted Owners on page 14.

Once the decision has been made the setting is stored within a registry key. This can be one of two keys. If the user authorizes per session, the signature is stored in HKCU\Software\AppSense Technologies\Application Manager\SIGS-NATIVE\Session\X (where X is the session ID). If the user authorizes permanently, the signature is stored in HKCU\Software\AppSense Technologies\Application Manager\SIGS-NATIVE\Always.

Once allowed, the file is recorded with a digital signature, therefore ensuring the integrity of the file itself. If the file should change, the user will once again be prompted. Auditing events allow administrators to keep track of all files which are self authorized by the user. See Auditing on page 139 for more information.

Audit Only This setting applies the rules in a defined configuration but does not enforce them. An audit record is created for monitoring purposes, according to policy settings in the Auditing component. Auditing results are useful in determining what to add to the Application Manager configuration. No applications are blocked from executing. See Auditing on page 139 for more information.

Unrestricted Use this setting to permit all actions without logging or auditing. While this may be desirable, it also means that the malware control afforded by Application Manager will be bypassed. This, essentially, turns off the Application Manager protection for those that meet the group, user, device or scripted rule criteria.


All users, including administrators, are part of the Everyone group. This means administrators are part of two group rules: the BUILTIN\ADMINISTRATORS group, which is unrestricted, and the Everyone group, which is restricted. Application Manager uses the least restrictive rules, therefore all administrator requests are unrestricted.

The BUILTIN\Administrators group is for managing access to the applications for local administrators, whilst the Everyone group is for all other users unless a user matches other group or user rules with higher priority settings.

Typically, you specify all the files, folders, drives, signature items, network connection items, and groups to prohibit for Everyone. You can then create a new group or user and specify the items you want to be accessible for that group or user. This enables you to control what users have access to.
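The following is an added example, not AppSense code, that models the decision flow described under Rule Matching (three stages, Trusted Ownership, Trusted Vendors) and the least-restrictive merging of security levels described under Applying Rule Policies. All rule names, paths, owners, the Trusted Owners set and the vendor name are constructed; the relative order in which the checks are applied is an assumption drawn from the text, not the agent's actual implementation.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Set, Tuple

# Security levels from Table 4.2, ordered from most to least restrictive.
LENIENCE = ["Restricted", "Self-Authorizing", "Audit Only", "Unrestricted"]

# What each level does with a file that fails authorization; Unrestricted
# is handled before any check is made.
ON_UNAUTHORIZED = {"Restricted": "block",
                   "Self-Authorizing": "prompt",
                   "Audit Only": "allow-audited"}

# Constructed Trusted Owners list (the real list comes from the
# configuration's Trusted Owners settings).
TRUSTED_OWNERS = {"SYSTEM", "BUILTIN\\Administrators",
                  "NT SERVICE\\TrustedInstaller"}


@dataclass
class Rule:
    name: str
    members: Set[str]                   # users/groups the rule targets
    level: str = "Restricted"
    accessible: List[str] = field(default_factory=list)   # path patterns
    prohibited: List[str] = field(default_factory=list)
    trusted_vendors: Set[str] = field(default_factory=set)
    # The Trusted Ownership option is selected by default on Accessible Items.
    ownership_check_on_accessible: bool = True


@dataclass
class ExecRequest:
    path: str
    owner: str
    signer: Optional[str] = None   # subject of a valid certificate, if signed


def matching_rules(rules: List[Rule], principals: Set[str]) -> List[Rule]:
    """Every Group or User rule naming the user or one of the user's groups."""
    return [r for r in rules if r.members & principals]


def effective_level(matched: List[Rule]) -> str:
    """Applying Rule Policies: the most lenient level of all matched rules wins."""
    if not matched:
        return "Restricted"
    return max((r.level for r in matched), key=LENIENCE.index)


def _hit(patterns: List[str], path: str) -> bool:
    return any(fnmatchcase(path.lower(), p.lower()) for p in patterns)


def authorized(req: ExecRequest, matched: List[Rule]) -> Tuple[bool, str]:
    """Matching and policy stages for a user who is not Unrestricted."""
    # An explicit Prohibited Item is final; Trusted Vendors do not override it.
    if any(_hit(r.prohibited, req.path) for r in matched):
        return False, "prohibited item"
    owner_ok = req.owner in TRUSTED_OWNERS
    # Accessible Items still need Trusted Ownership unless the option is
    # cleared for that rule (the guide recommends leaving it selected).
    for r in matched:
        if _hit(r.accessible, req.path):
            if owner_ok or not r.ownership_check_on_accessible:
                return True, "accessible item"
    if owner_ok:
        return True, "trusted owner"
    # Trusted Vendor matching only happens after Trusted Ownership has failed.
    if req.signer and any(req.signer in r.trusted_vendors for r in matched):
        return True, "trusted vendor"
    return False, "untrusted owner"


def decide(req: ExecRequest, rules: List[Rule],
           principals: Set[str]) -> Tuple[str, str]:
    """Return (outcome, reason) for one intercepted file execution request."""
    matched = matching_rules(rules, principals)
    level = effective_level(matched)
    if level == "Unrestricted":
        return "allow", "unrestricted"       # no checks, no logging
    ok, reason = authorized(req, matched)
    return ("allow", reason) if ok else (ON_UNAUTHORIZED[level], reason)


# Constructed configuration: the two default Group rules plus two extra ones.
RULES = [
    Rule("BUILTIN\\Administrators", {"BUILTIN\\Administrators"}, "Unrestricted"),
    Rule("Everyone", {"Everyone"},
         accessible=["C:\\Program Files\\AppSense\\*"]),
    Rule("Finance", {"DOMAIN\\Finance"},
         accessible=["C:\\Apps\\Ledger\\*"],
         prohibited=["C:\\Apps\\Ledger\\Tools\\*.exe"],
         trusted_vendors={"Example Vendor Ltd"}),    # placeholder signer name
    Rule("Contractors", {"DOMAIN\\Contractors"}, "Self-Authorizing"),
]
```

The Finance rule shows the two edge cases the text calls out: a file under an Accessible Item path that has an untrusted owner is still blocked, and a Prohibited Item is blocked even when it carries a Trusted Vendor signature.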

PROHIBIT FILES AND FOLDERS FOR EVERYONE

1. Expand the Group > Everyone node.

2. Select the Prohibited Items node.

3. Right-click within the work area and select Add > File or Add > Folder. Add the files or folders to prohibit.

CREATE A NEW GROUP OR USER

1. Right-click the Group node or the User node.

2. Select Add Group Rule or Add User Rule.

3. Add a group or add a user.

Specify Group and User Rule Items

The next step in creating a configuration is to specify the following rule items:

Accessible Items on page 65

Prohibited Items on page 65

Trusted Vendors on page 67

User Rights on page 67

When an application is prevented from running a dialog box is displayed to inform the user. You can customize the message shown in this dialog box. For more information see Message Settings on page 26.

For information on making Network Connection Items accessible or prohibited see Application Network Access Control on page 115.


Accessible Items

Accessible Items are available in each group or user rule. These are rule items for granting access to specific files, folders, drives, signature items, network connection items, and group items for the users, groups or devices matching the rule.

Prohibited Items

Prohibited Items are available in each group or user rule. These are rule items for restricting access to specific files, folders, drives, signature items, network connection items, and group items for the users, groups or devices matching the rule.

When an application is prohibited a warning message is displayed. This warning message can be customized using the Message Settings dialog box. This dialog box is available from the General Features ribbon page > Properties group.

By default the Trusted Ownership option is selected for all Accessible Items. Therefore, an application must always pass trusted ownership checking if it is enabled, even if the application is an Accessible Item. Although the Trusted Ownership option can be disabled, this is not recommended as it weakens the default security.


Figure 4.3 Message Settings Dialog Box

For more information on configuring Message Settings see Trusted Owners on page 14.


Trusted Vendors

The Trusted Vendor node is available in each group or user rule and is used to list valid digital certificates. An increasing number of applications are being signed by vendors with a digital signature. A digital certificate is supplied with a public key and this may be used to verify the authenticity of the application. If Trusted Ownership checking fails, then provided the file is not explicitly prohibited within the Application Manager configuration, it may be allowed to execute if it has a valid digital signature.

Advanced options allow you to specify parameters for validating a certificate by ignoring or allowing specific attributes. The certificate must be valid for the rule to be applicable, but there are different levels of validation with which you can configure a certificate. A test option helps to validate the certificate based on the options you have selected; where relevant, the test depends on connectivity with the appropriate Certification Authority.

The following options are available for adding Trusted Vendors:

From signed file

You can specify a known file that has already been signed by the vendor who you wish to trust. Application Manager can then identify the vendor’s specific signature to identify additional code from that same vendor.

From file-based store

You can browse to the specific digital certificate if available.

Import file-based store

Allows you to import a digital certificate for use in setting up a trusted vendor rule.

User Rights

The User Rights node is used to apply User Rights Policies to files, folders, signatures, groups, and Windows components when the rule is matched. User Rights Policies are used to elevate or restrict user privileges. For example, many organizations are restrictive on what users are allowed to use and many applications require administrator rights. A User Rights Policy can be used to elevate a user or group of users from standard user rights to administrator rights for a particular application or Control Panel component.

For more information on Trusted Vendors see Method 3 - Trusted Vendors on page 46.

For more information on User Rights see User Rights Management on page 77.


Specify Device, Custom, Scripted, and Process Rules

The base configuration consists of defined users, Accessible Items, Prohibited Items, Trusted Vendors, and User Rights, as required. For a more comprehensive configuration you can specify the following:

Table 4.3 Rules

Rule Description

Device The Device rules node allows you to match security control rules with specific devices within the enterprise. Device rules can apply the rule settings either to the device hosting the Application Manager agent and configuration or to devices connecting through terminal services to the host. The Device node provides the ability to perform Per Seat license management in a server based computing environment. For example, a configuration rule can allow certain applications to run on a server but prohibit the application from running when launched by users operating from specific devices listed in the rule as connecting devices to the host server. For an example of a Device rule see Control Microsoft Software Licensing in a Virtualized Desktop Infrastructure (VDI) Environment on page 69.

Custom The Custom rule node allows you to match security control settings with combinations of specific users or groups and devices within the enterprise. The rule can apply settings to devices hosting the Application Manager agent and configuration or to devices connecting through terminal services to the host. For example, a rule that targets computer IP address 192.168.0.2 as a connecting device and domain\user allows you to apply security controls when the specific user logs on from the specified device through terminal services to the computer hosting the Application Manager agent and configuration. For an example of a Custom rule see Prohibit Starting Applications from a Connecting Device on page 72.

Scripted The Scripted rules node allows you to create rules based on custom VB Scripts which run whenever a user logs on. The success or failure of a VB Script determines whether the security level, Accessible Items and Prohibited Items, which are part of the rule, apply to the user. Scripted rules can take advantage of any interface accessible via VB Script, such as COM and WMI, and allow the administrator to define Application Manager policy based on any computer, user, registry, file or system property. Scripted rules also allow integration with other third-party solutions, such as Microsoft Active Directory and Citrix Advanced Access. Scripted rules can run for each new session in the context of the user or in the context of the SYSTEM account. Alternatively, Scripted Rules can run once per computer and the result is applied to all user sessions. Scripted rules are re-evaluated when a new configuration is deployed to the computer. Scripts run when the Application Manager agent starts up or when the configuration changes. For an example of a Scripted rule see Determine if a User is a Member of a Certain OU on page 70.

Process The Process node allows you to match security control rules with specific requesting processes. Process rules allow you to manage access for an application to run child processes which might otherwise be managed differently in other rules. You can add Accessible Items, Prohibited Items, Trusted Vendors and User Rights Management to the rule. You can add files, folders, drives, signature items, network connection items and application groups as managed items into the Accessible Items and Prohibited Items lists of a process rule. The Process rule manages all levels of child process run by the application. The Process rule does not manage the parent application itself. This must be managed by other rules unless the application is managed as a child process in another Process rule. For an example of a Process rule see Prohibit Child Processes Running from a Parent Process on page 73.


Example Configuration Procedures

The following procedures address common issues you may want to solve:

Control Microsoft Software Licensing in a Virtualized Desktop Infrastructure (VDI) Environment

In a VDI environment, users log on to a desktop session which is delivered from a central point, based on a template. Many Microsoft applications including Office, Visio and Project are licensed per device. In VDI environments, the user can potentially access the desktop and applications from multiple devices, requiring each connecting device to have a license.

Application Manager can restrict access to applications by device name and IP address allowing you to manage and control the number of licenses, and in some cases reduce them. You can create a rule which explicitly states which connecting machines are allowed and which are prohibited from running Microsoft Office applications. Licenses are only required for those machines which are explicitly allowed.

The following procedures show how to create an Application Manager Device Rule which manages licenses for Microsoft Office products.

EVALUATE WHICH DEVICES ACCESS MICROSOFT OFFICE APPLICATIONS

1. Click Endpoint Analysis in the navigation pane and add endpoints by domain/workgroup or by browsing a Management Center Deployment group. Add all existing desktops you wish to manage.

2. Once endpoints are added, run scans of all endpoints or just selected endpoints to identify what the usage is for Microsoft Office applications. From these results you can potentially cut license costs by removing unused licenses.

SETUP DEVICE RULES TO PROHIBIT AND ALLOW DEVICES

1. Click the Configuration button in the navigation pane.

2. Navigate to Group Management in the Library node and create a new Group Management entry called Microsoft Office.

3. Click Add Item in the Items ribbon group and select Folder.

Browse to Program Files to locate and add the relevant folder for the Microsoft Office product executable files.

4. Create a Device Rule called Cannot Use Office.

5. Right-click in the work area for the Device Rule and select Add Client Device.

Enter an asterisk (*) in the text field, click Add and select the Connecting Device type. This ensures that all devices are blocked by this rule.

If necessary, run an Installed Applications scan to identify on which devices Microsoft Office applications are installed, both to establish where licenses are required and to ensure that those applications are made available on the correct devices based on where the key users or groups operate.


6. Add the Microsoft Office application group to the Prohibited Items folder to ensure that all the specified devices in this rule are blocked from accessing the applications in the Office group.

7. Create another Device Rule called Can Use Office.

8. Right-click in the work area and select Add Client Device.

9. Browse the network or Active Directory. Add all the devices which are allowed to access the Office products.

10. Add the Microsoft Office application group to the Accessible Items folder to ensure that all the specified devices in this rule are allowed to access the applications in the Office group.

Determine if a User is a Member of a Certain OU

You can create a scripted rule to access information about the username of the user logging on to the system, and match with a specific domain and organizational unit.

CREATE A SCRIPTED RULE

1. Right-click the Scripted rule node in the navigation tree and select Add Scripted Rule.

2. Right-click the new rule and select Rename. Enter an intuitive name for the rule, for example, Users in OU.

3. Right-click the rule and select Edit Script. The Scripted Rule dialog box displays.

4. Enter the following example script.

5. Select the correct Entry Function. In the example above this is MyScript. This is the main function that is called when the script runs and evaluates the outcome of the rule.

6. Click OK.

The results of the running applications scan you performed in the previous task can be used to determine on which devices Microsoft Office is used. You can select multiple devices to add simultaneously.


Figure 4.4 Scripted Rule

Options Tab

The Options tab contains the following:

Run script once per logon session as the logged on user

The script runs for each user logging on. Settings are only applied for the duration of the user session.

Run script once per logon session as the SYSTEM user

The script runs with SYSTEM account permissions once for each user logging on. Settings are only applied for the duration of the user session.

Run script once per computer as the SYSTEM user

The script runs with SYSTEM account permission once at computer startup. Settings are applied to all user sessions until the computer restarts, the Application Manager agent restarts or there is a configuration change.


Do not execute script until user logon is complete

Select to prevent the script from running until user logon is complete.

Wait for <n> seconds before script timeout

Allows you to specify the number of seconds a script is allowed to continue running before it times out. A setting of zero (0) seconds disables the script timeout. If a timeout occurs, the script result is treated as a failure and the rule settings are not applied.

Prohibit Starting Applications from a Connecting Device

You can create a Custom rule to prevent users from running applications on a remote computer that has the Application Manager agent installed when connecting from a particular device.

CREATE A CUSTOM RULE

1. Right-click the Custom rule node in the navigation tree and select Add Custom Rule.

2. Right-click the User/Group Name column in the work area and select Set Account. The Account Selection dialog box displays.

3. Add the user or group to prohibit access to an application when connecting from a specified device.

4. Right-click the new rule and select Rename.

5. Enter an intuitive name for the rule.

6. Right-click in the work area and select Add Client Device. The Add a Client Device dialog box is displayed.

7. Enter the computer name or IP address of the computer users are connecting from and click Add.

8. Select the Connecting Device option in the Device Type column.

9. Expand the rule and select the Prohibited Items node.

10. Right-click in the work area and select Add > File. The Add a File dialog box displays.

11. Enter the name of the application or browse to it using the Browse button and click Add.

12. Save the configuration and deploy to managed endpoints.

Running scripts as the SYSTEM user can cause serious damage to your computer and should only be enabled by experienced script authors.


Prohibit Child Processes Running from a Parent Process

You can create a Process rule to prohibit child processes running from a parent process. For example, a user may be able to run Internet Explorer from the Start menu. However, you can create a Process rule to prevent the user from running Internet Explorer from another process, that is, a parent process.

CREATE A PROCESS RULE

1. Right-click the Process rule node in the navigation tree and select Add Process Rule.

2. Right-click the new process and select Rename.

3. Enter an intuitive name for the process rule.

4. With the process rule selected, right-click the work area and select Add > File. The Add a File dialog box is displayed.

5. Enter the name of the application to be the parent process.

6. Expand the new rule and select the Prohibited Items node.

7. Right-click the work area and select Add > File. The Add a File dialog box is displayed.

8. Enter the name of the application to prohibit from running from the parent process.

9. Save the configuration and deploy to the managed endpoints.
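The following is an added example, not AppSense code, that models how a Process rule is matched against the requesting process and its ancestors, as described for the Process rule in Table 4.3, for the default Windows Installer (msiexec.exe) rule, and for the procedure above. The process table, image names and rule names are constructed; treating any ancestor match as applying the rule, and letting a Prohibited Item in any applicable Process rule win over an Accessible Item, are assumptions drawn from the text.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcessRule:
    name: str
    parent: str                                 # the requesting application
    accessible: List[str] = field(default_factory=list)   # child patterns
    prohibited: List[str] = field(default_factory=list)


@dataclass
class Proc:
    pid: int
    image: str
    ppid: Optional[int]          # None for the root of the constructed tree


def lineage(pid: int, table: Dict[int, Proc]) -> List[str]:
    """Image names of the requesting process and all of its ancestors,
    nearest first. A Process rule covers all levels of child process, so
    every entry in this chain is a candidate parent."""
    chain, seen = [], set()
    p = table.get(pid)
    while p is not None and p.pid not in seen:
        seen.add(p.pid)
        chain.append(p.image.lower())
        p = table.get(p.ppid) if p.ppid is not None else None
    return chain


def _hit(patterns: List[str], image: str) -> bool:
    return any(fnmatchcase(image.lower(), pat.lower()) for pat in patterns)


def process_rule_decision(child: str, requesting_pid: int,
                          table: Dict[int, Proc],
                          rules: List[ProcessRule]) -> Tuple[Optional[str], Optional[str]]:
    """Return (outcome, rule name) for a child image requested by a process,
    or (None, None) when no Process rule governs it and the request falls
    through to the user's Group, User, Device, Custom or Scripted rules."""
    chain = lineage(requesting_pid, table)
    applicable = [r for r in rules if r.parent.lower() in chain]
    for r in applicable:                      # prohibition wins (assumption)
        if _hit(r.prohibited, child):
            return "block", r.name
    for r in applicable:
        if _hit(r.accessible, child):
            return "allow", r.name
    return None, None


# Constructed rules: the default Windows Installer rule and the rule built
# by the procedure above (a constructed parent, winword.exe, prohibits IE).
PROCESS_RULES = [
    ProcessRule("Windows Installer", "msiexec.exe",
                accessible=["*.exe", "*.dll"]),
    ProcessRule("No IE from Word", "winword.exe",
                prohibited=["iexplore.exe"]),
]

# Constructed process table: explorer -> msiexec -> setup.exe and
# explorer -> winword.exe -> cmd.exe.
PROCESSES = {
    100: Proc(100, "explorer.exe", None),
    200: Proc(200, "msiexec.exe", 100),
    300: Proc(300, "setup.exe", 200),
    500: Proc(500, "winword.exe", 100),
    600: Proc(600, "cmd.exe", 500),
}
```

Requesting msiexec.exe itself from explorer.exe returns (None, None): the Windows Installer rule governs what msiexec.exe spawns, not msiexec.exe, which must be managed by another rule.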

How to Drop User Rights for Changing the System Date and Time

Sometimes it is prudent to limit local Administrator rights to avoid the risk of disruption to system integrity. For example, local changes to the system date and time can prevent scheduled scripts from running. In a domain, the System date and time is usually best managed by the domain controller.

DROP LOCAL ADMINISTRATOR USER RIGHTS FOR CHANGING SYSTEM DATE AND TIME

1. Expand the BUILTIN\Administrators group.

2. Select User Rights node.

3. Select the Components tab.

4. Right-click the Components tab and select Add Component.

5. Select the Date and Time component in the list and select Add.

6. When the component is added to the Components tab list, ensure that the User Rights Policy of the Date and Time component is set to Builtin Restrict, or open the drop-down to select that option.

Local administrative users are now prohibited from modifying the system date and time.

CONFIGURATION PROFILER

The Configuration Profiler, available from the Home ribbon page > Common group, allows administrators to produce detailed reports on configurations. This can be done whether they are stored locally or in the central database. The reports can be a general study of the overall configuration or can be aimed at how it interacts with a specific user, group of users or specific file.


Use general reports to assist auditing and compliance requirements such as Sarbanes Oxley or HIPAA. Use custom reports to highlight specific elements to assist in troubleshooting a large configuration.

In order to create a Configuration Profiler report, the configuration in question must be loaded into the Application Manager console. It does not need to be deployed for this to be achieved.

Complete reports can be created using the Configuration Profiler or based on specific criteria such as the File, Folder, Network Connection, User, Group, and Device rule items.

Figure 4.5 Configuration Profiler

The following graphic shows a report of the default configuration that comes with Application Manager. This is a complete report and specifies that the Everyone group rule and the Windows Installer process rules have a restricted security level. The remaining rules in Application Manager are not displayed because there is no configuration set up for them. Both the Everyone group rule and the Windows Installer process rules have Accessible Items listed. The path for the Windows Installer process rule is also given.

Use Rules Analyzer to examine problems with a configuration deployed to endpoints. See Rules Analyzer on page 144.


No Prohibited Items, Trusted Vendors or User Rights are listed because none are configured. The configuration properties are shown. These include details about Archiving, the default rules specified in the Options dialog box available from the General Features ribbon page > Default Restrictions group, details about Trusted Owners, and the Extension Filtering property.


5 User Rights Management

In this Section:

Overview on page 74

User Rights Management Benefits on page 77

Use Cases on page 78

Technology on page 78

Configuring User Rights Management on page 80

Web Installations on page 99

Snippets on page 109

OVERVIEW

Many user environments are very restrictive in order to limit user access to sensitive data and key applications. Application Manager secures and protects many corporate desktops by controlling application and network access. Application Manager 8.1 extends policy management capabilities by providing comprehensive User Rights Management functionality.


User Rights Management enables enterprise IT departments to reduce access control privileges on a per user, group, application, or business rule basis. It ensures users have only the rights they need to fulfil their job and access the applications and controls they require, and nothing else, thus ensuring desktop stability, improving security and productivity.

The perfect balance between user productivity and security is to control user rights, not at a session or account level, but at an application or individual task level.

With User Rights Management, access to applications and tasks is managed dynamically by managing user rights, on demand, in response to user actions. For example, administrator rights can be applied to a named application or Control Panel component for a particular user or user group, by either elevating the privileges of a standard user to an administrator level, or dropping the rights of an administrator to that of a standard user account.

By controlling user rights throughout the user session, IT can provide users with the accessibility they require to perform their job, while protecting the desktop and the environment and reducing management costs.

User Rights Management provides a granular approach to delegating administrative rights to users and applications by assigning rights according to merit. This level of control can be deployed to elevate or restrict privileges on a case by case basis according to the preferred approach taken in the environment.

User Rights Management allows you to create a library of reusable policies which can be associated with any available Application Manager rules, to assign the relevant privileges to files, folders, signatures, and application groups. User Rights Policies include domain user group membership and a range of administrative privileges which you can apply to each policy.

Least Privilege

Many users run their computer with administrative privileges. It is evident that users running with these privileges can introduce viruses, malware and spyware. Inevitably this can affect the entire enterprise, causing security breaches and downtime. Access to private data can also be at risk.

User Rights Management allows the application of the principle of least privilege. This principle requires that users are provided the minimum rights to do their job, without giving the user full administrator rights. The experience is seamless to the user.

With User Rights Management any downtime, coupled with the number of calls made to IT support due to viruses and so on, is greatly reduced because computers are made secure against the problems that occur when a user has full administrative rights. This means IT Support can focus on more important tasks as opposed to spending large amounts of time troubleshooting computers to find out the problem. Licensing is also easier to control, for example, by allowing users to only install authorized applications.

You can run Application Manager in User Rights Management mode only. See Options on page 19.

For the complete definition of least privilege refer to the Department of Defense Trusted Computer System Evaluation Criteria (DoD 5200.28-STD), also known as the Orange Book. This is located at http://csrc.nist.gov/publications/history/dod85.pdf.

Common Tasks that Require Administrative Privileges

There are a number of common tasks that users may need to perform in order to fulfil their role and that require administrative privileges. A solution must be provided to allow these tasks to be performed; otherwise the user must carry out their role without being able to accomplish them. These tasks may include:

Installation of printers

Installation of certain hardware

Installation of particular applications

Operation of applications that require administrative privileges

Change of system time

Legacy applications

User Rights Management allows the user to perform these tasks by elevating a user to have specific administrative privileges.

User Rights Management v Run As

Many users, particularly knowledge workers use the Run as command to run applications. Users can perform their daily tasks running with least privilege but can also, as required, use the Run as command to elevate their credentials, thus performing a task under the context of a different user. This, however, requires that a user has two accounts, that is, one for least privileges and one for elevation.

A common problem within an enterprise is the communication of the administrative password throughout an enterprise. For example, an administrator may communicate the administrator password to a user enabling them to use the Run as command to fix a problem with their computer. Unfortunately the password commonly gets passed around causing unforeseen security risks.

Additionally, a problem with Run as is how software actually interacts with it. Run as executes an application or process under the context of a different user. Therefore, that application or process does not have access to the correct HKEY_CURRENT_USER hive in the registry. This hive is where all the profile data is stored and is protected space. Because of this, the application or process running under the context of a different user cannot read or write to this source, causing some applications to not function. Running under the context of a different user can also cause problems reading and writing to a network share. This is because network shares are based on the account under the context you are running. Thus, your local account and the Run as account may not have the same access to resources.

Run as and UAC

Windows XP, Windows Vista and Windows 7 have features that allow a user to run applications or processes without administrative rights. These are the Run as command in Windows XP and Windows 7 and User Account Control (UAC) in Windows Vista.

Although these features allow users to run without administrative rights, they still require the user to have access to an administrator account to perform administrative tasks. This limitation means these features are better suited to administrators, who can log on as a standard user and use the administrator account only for administrative tasks.

As the user must provide the credentials for a local administrator to use Run as and UAC this creates a number of concerns. For example:

A user with access to an administrator account must be trusted not to abuse these privileges.

Applications running with administrative rights are now running under the context of a different user. This can cause problems, for example, these particular applications do not have access to the actual user’s profile or network shares, as stated in the User Rights Management v Run As section above.

Two passwords are required. One for the standard account and one for the administrator account. The user must remember both. Security required for one account is challenging, and for two accounts more so.

USER RIGHTS MANAGEMENT BENEFITS

The main benefits of User Rights Management are:

Elevation of User Privileges for Running Applications

Use User Rights Management to specify the application to be run with administrative credentials. The user does not have administrative credentials but is able to run the application.

Elevation of User Privileges for Running Control Panel Components

Many users need to perform tasks that require administrative rights, for example, installing printers, changing network and firewall settings, changing the time and date, and adding and removing programs. All of these tasks require the relevant Control Panel components to run as administrator.

Use User Rights Management to elevate privileges for individual components so that the non-administrative standard user can make the changes to perform their role.

Reducing Privileges to Restrict Application Rights

Users who hold administrative credentials can be forced to run specific applications as a non-administrator. When certain applications run as an administrator, for example, Internet Explorer, the user is able to change many undesirable settings, install applications and potentially open up the desktop to the Internet. Use User Rights Management to restrict an administrator level user so that, for example, Internet Explorer runs in standard user mode, thus safeguarding the desktop.

UAC also applies to Windows 7. However, it is an addition to the Run as command and not a replacement.

These features also apply to the Server 2003 and Server 2008 versions.

Reducing Privileges to Restrict Access to System Settings

Use User Rights Management to give a higher level system administrator the ability to stop an administrative user from altering settings that they should not change, for example, firewalls and certain services. Use User Rights Management to reduce administrative privileges for certain processes. Although the user has administrative rights, the system administrator retains control of the environment.

USE CASES

User Rights Management has many use cases and solves problems that many enterprises have until now been unable to address. A small number of scenarios are given below:

Organizations that use local administrator accounts for their users may need to lock down elements of the desktop, such as the Control Panel component, Add Hardware, or Add and Remove Programs \ Programs and Features. By dynamically dropping the user account from administrator to a standard user for specific controls, the user is now prohibited from accessing the control and executing an unwanted task.

Some applications require administrator rights as the application itself interacts with certain parts of the desktop operating system or registry. However, the organization does not wish to provide users with full administrator accounts. User Rights Management can elevate the user rights for the named application to an administrator level, enabling the user to run their application while protecting the desktop.

Automatic update elements of some applications can require administrator rights to perform the update actions and therefore not function in the context of a standard user. User Rights Management can enable the named application to run under the context of an administrator account while all other applications remain in standard user context.

Mobile users may need to manually change their IP address, configure a wireless network, or change date and time properties, all of which require administrative rights. User Rights Management can elevate the user rights to administrator level for named tasks, enabling the user to make the changes they require.

TECHNOLOGY

In a Microsoft Windows computing environment, as part of the application launch process, when an execution request is made, the application requests a security token as part of the application launch approval process. This token details the rights and permissions given to the application and these rights can be used to interact with the operating system or other applications.

When User Rights Management is configured to manage an application, the security token that is requested is dynamically modified to have its permissions elevated or restricted, therefore allowing the application to be run or blocked.

User Rights Management Mechanism

The User Rights Management mechanism controls access for users and applications, as shown in the figure below.

Figure 5.1 User Rights Management Mechanism

The User Rights Management mechanism handles process startup requests as follows:

1. A User Rights Policy is defined in the configuration rule and applies to applications or components.

The Application list can include files, folders, signatures or application groups.

The Components list can include Control Panel components.

2. When a process is created by the launch of an application or other executable, the Application Manager hook intercepts the process and queries the Application Manager agent whether elevated or restricted rights are required to run the process.

3. The agent confirms whether the configuration assigns elevated or restricted rights and if required, the agent requests a modified user token from the Windows Local Security Authority (LSA).

4. The hook receives the modified user token from the Windows LSA granting the necessary privileges. Otherwise, the process runs with the existing user token according to the definitions of the normal user rights.

CONFIGURING USER RIGHTS MANAGEMENT

Standard users typically have no administrative rights. The following scenario demonstrates how to create an administrator membership rule and describes how to allow a standard user to run Task Manager as an administrator. Additionally, the membership rule is applied to a particular Control Panel component so that the user can run the component as an administrator.

User Rights Management provides the ability to add membership to a selected group or to drop membership. The first step in creating the configuration is to create a User Rights Policy and to specify the membership, in this case, to add membership.

CREATE A USER RIGHTS POLICY FOR ADMINISTRATORS

1. Right-click the User Rights Policies node in the navigation pane and select Add Policy.

2. Right-click the policy and select Rename.

3. Enter an intuitive name for the policy, for example, Elevate to Admin.

4. Right-click the Group Membership tab in the work area and select Add Group Action. The Account Selection dialog box displays.

5. Enter or navigate to the administrators group and click OK.

6. Click in the Action column and select Add Membership. This is the default setting.

The Add Membership option allows users to run an application as if they were a member of the specified group. The Drop Membership option runs the application as if the user were not a member of the specified group, so the rights of that group are not available to it.

Figure 5.2 Membership Rule

Merging Policies

A configuration can contain a number of User Rights Policies. These can be applied to many files, folders, signatures, and groups in the various rules. If more than one of the files, folders, signatures, or groups in the rules match, and their policies are relevant, Application Manager merges the policies and the least restrictive policy takes precedence.

Application Manager also applies rule ordering against the policies to determine which policy takes precedence.

The rule ordering and precedence is as follows:

Signature with arguments

Signature

File with arguments

File

Folder

Signature with arguments takes the highest precedence.

Taking the above into account, when an application is specified both as a file and by its signature, only the policy for the signature is applied because a signature takes precedence over a file.
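The precedence rules above, worked through as an added Python example. This is not Application Manager code: the item fields, the SHA-1 stand-in for a signature, the %VAR% expansion table, the ranking of policies by restrictiveness and the sample rule set are assumptions made for illustration.

```python
"""Resolve which User Rights Policy applies to one process launch.

Added example, not Application Manager code. Implements the rule ordering
from the guide (signature with arguments, signature, file with arguments,
file, folder) and, for matches of equal rank, the guide's "least restrictive
policy takes precedence" merge rule. Item fields, the SHA-1 stand-in for a
signature, ENV and RESTRICTIVENESS are assumptions for illustration.
"""
import fnmatch
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Rule ordering from the guide, highest precedence first.
PRECEDENCE = ["signature+args", "signature", "file+args", "file", "folder"]

# Constructed stand-in for the endpoint's environment (assumption).
ENV = {"systemroot": r"C:\Windows", "programfiles": r"C:\Program Files"}

# Assumed ranking: lower is less restrictive; unknown policies rank 1.
RESTRICTIVENESS = {"Builtin Elevate": 0, "Elevate to Admin": 0, "Builtin Restrict": 2}


@dataclass
class Item:
    kind: str                              # "file", "folder" or "signature"
    target: str                            # path pattern, or SHA-1 hex digest for a signature
    policy: str                            # User Rights Policy name
    arguments: Optional[str] = None        # files and signatures only
    include_subdirectories: bool = False   # folders only


@dataclass
class Launch:
    path: str
    arguments: str
    image: bytes                           # executable bytes, hashed for signature items


def expand(pattern: str) -> str:
    """Expand %VAR% references from ENV and lower-case for case-insensitive matching."""
    return re.sub(r"%([^%]+)%",
                  lambda m: ENV.get(m.group(1).lower(), m.group(0)), pattern).lower()


def match_rank(item: Item, launch: Launch) -> Optional[str]:
    """Return the precedence class under which item matches launch, or None."""
    path = expand(launch.path)
    if item.kind == "folder":
        folder = expand(item.target).rstrip("\\") + "\\"
        if not path.startswith(folder):
            return None
        if "\\" in path[len(folder):] and not item.include_subdirectories:
            return None                    # file sits in a subdirectory
        return "folder"
    if item.kind == "signature":
        if hashlib.sha1(launch.image).hexdigest() != item.target.lower():
            return None
    elif item.kind == "file":
        if not fnmatch.fnmatchcase(path, expand(item.target)):
            return None
    else:
        raise ValueError(f"unknown item kind {item.kind!r}")
    if item.arguments is None:
        return item.kind
    if not fnmatch.fnmatchcase(launch.arguments.lower(), expand(item.arguments)):
        return None
    return item.kind + "+args"


def resolve(items, launch: Launch) -> Optional[str]:
    """Highest-precedence match wins; among equal ranks the least restrictive policy."""
    matches = []
    for item in items:
        rank = match_rank(item, launch)
        if rank is not None:
            matches.append((PRECEDENCE.index(rank), item.policy))
    if not matches:
        return None                        # not managed: process keeps the user's own token
    best = min(r for r, _ in matches)
    tied = [p for r, p in matches if r == best]
    return min(tied, key=lambda p: RESTRICTIVENESS.get(p, 1))


TASKMGR_IMAGE = b"constructed stand-in for the bytes of taskmgr.exe"

ITEMS = [  # constructed rule set
    Item("folder", r"%SystemRoot%\system32", "Builtin Restrict", include_subdirectories=True),
    Item("file", r"%SystemRoot%\system32\c*.exe", "Builtin Restrict"),
    Item("file", r"%SystemRoot%\system32\cmd.exe", "Builtin Elevate"),
    Item("file", r"%SystemRoot%\system32\taskmgr.exe", "Builtin Elevate"),
    Item("signature", hashlib.sha1(TASKMGR_IMAGE).hexdigest(), "Elevate to Admin"),
    Item("file", r"%SystemRoot%\system32\mmc.exe", "Builtin Elevate",
         arguments=r"%SystemRoot%\system32\dfrg.msc *"),
]


def demo(items=ITEMS) -> dict:
    """Resolve a few constructed launches against the rule set."""
    return {
        # signature beats the file and folder items that also match
        "taskmgr": resolve(items, Launch(r"C:\Windows\System32\taskmgr.exe", "", TASKMGR_IMAGE)),
        # file with arguments beats the folder item
        "mmc_defrag": resolve(items, Launch(r"C:\Windows\System32\mmc.exe",
                                            r"C:\Windows\System32\dfrg.msc c:", b"mmc")),
        # arguments do not match, so only the folder item applies
        "mmc_plain": resolve(items, Launch(r"C:\Windows\System32\mmc.exe", "", b"mmc")),
        # two file items of equal rank: the least restrictive policy is applied
        "cmd": resolve(items, Launch(r"C:\Windows\System32\cmd.exe", "", b"cmd")),
        # only the folder item (subdirectories included) matches
        "wmic": resolve(items, Launch(r"C:\Windows\System32\wbem\wmic.exe", "", b"wmic")),
        # no item matches: not managed by User Rights Management
        "notepad": resolve(items, Launch(r"C:\Program Files\Editor\notepad.exe", "", b"np")),
    }


if __name__ == "__main__":
    for name, policy in demo().items():
        print(f"{name:<12} -> {policy}")
```

Running the block prints the winning policy for each constructed launch. The tie-break by restrictiveness models the merge rule for matches of equal rank; when the ranks differ, only the highest-ranked item's policy is applied, which is why the signature item overrides the file item for the same executable.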

Privileges

A privilege is the right of a user account to perform a particular system-related operation, such as shutting down the computer or changing the system time. You can use the User Rights Management feature to enable, disable or remove privileges.

Figure 5.3 Privilege Options

No change - Leaves the privilege as it is with its original token.

Enabled - Sets the flag in the token to enabled.

Disabled - Sets the flag in the token to disabled. Use the Enabled option to re-enable the privilege.

Remove - Removes the privilege from the token. You cannot undo this option.
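The four privilege actions and the Add Membership and Drop Membership actions, modelled on a process token as an added Python example. This is not Application Manager code: the tokens, group names, privilege names and policy names are constructed, and the example assumes that Enabled grants a privilege the token does not already hold (as the SeDebugPrivilege example later in this section implies).

```python
"""Model of what a User Rights Policy does to the token a managed process runs with.

Added example, not Application Manager code. The Add/Drop membership actions
and the four privilege actions (No change, Enabled, Disabled, Remove) follow
the guide; tokens, group and privilege names and policy names are constructed.
Assumption: Enabled grants a privilege the token does not already hold.
"""
from dataclasses import dataclass, field

ENABLED, DISABLED = "enabled", "disabled"
NO_CHANGE, REMOVE = "no change", "remove"


@dataclass
class Token:
    groups: frozenset        # group memberships, shown by name instead of SID
    privileges: dict         # privilege name -> ENABLED / DISABLED; absent = not held


@dataclass
class Policy:
    name: str
    group_actions: dict = field(default_factory=dict)       # group -> "add" | "drop"
    privilege_actions: dict = field(default_factory=dict)   # privilege -> action constant


def apply_policies(token: Token, policies) -> Token:
    """Return the token for a process whose matching policies are merged in order.

    The caller's token is left untouched (an unmanaged process keeps it). A
    privilege removed by one policy stays removed even if a later policy in
    the merge enables it: Remove cannot be undone.
    """
    groups = set(token.groups)
    privileges = dict(token.privileges)
    removed = set()
    for policy in policies:
        for group, action in policy.group_actions.items():
            if action == "add":
                groups.add(group)              # run as if a member of the group
            elif action == "drop":
                groups.discard(group)          # run as if not a member of the group
            else:
                raise ValueError(f"{policy.name}: unknown group action {action!r}")
        for privilege, action in policy.privilege_actions.items():
            if action == NO_CHANGE or privilege in removed:
                continue                       # keep the original flag / removal is final
            if action == REMOVE:
                privileges.pop(privilege, None)
                removed.add(privilege)
            elif action in (ENABLED, DISABLED):
                privileges[privilege] = action  # set the flag in the token
            else:
                raise ValueError(f"{policy.name}: unknown privilege action {action!r}")
    return Token(frozenset(groups), privileges)


def is_admin(token: Token) -> bool:
    return "BUILTIN\\Administrators" in token.groups


# Constructed tokens: a standard user and a local administrator.
STANDARD_USER = Token(
    frozenset({"Everyone", "BUILTIN\\Users"}),
    {"SeChangeNotifyPrivilege": ENABLED, "SeShutdownPrivilege": DISABLED,
     "SeUndockPrivilege": DISABLED},
)
ADMIN_USER = Token(
    STANDARD_USER.groups | {"BUILTIN\\Administrators"},
    {**STANDARD_USER.privileges, "SeDebugPrivilege": DISABLED,
     "SeTakeOwnershipPrivilege": DISABLED},
)

# Constructed policies, named after the guide's examples.
ELEVATE_TO_ADMIN = Policy("Elevate to Admin", {"BUILTIN\\Administrators": "add"})
RUN_DEBUG = Policy("Run Debug", privilege_actions={"SeDebugPrivilege": ENABLED})
RESTRICT = Policy("Builtin Restrict", {"BUILTIN\\Administrators": "drop"},
                  {"SeDebugPrivilege": REMOVE, "SeTakeOwnershipPrivilege": DISABLED})
NO_SHUTDOWN = Policy("No Shutdown", privilege_actions={"SeShutdownPrivilege": REMOVE})
DISABLE_SHUTDOWN = Policy("Disable Shutdown", privilege_actions={"SeShutdownPrivilege": DISABLED})
ALLOW_SHUTDOWN = Policy("Allow Shutdown", privilege_actions={"SeShutdownPrivilege": ENABLED})


def demo() -> dict:
    """Apply the constructed policies and report what each resulting token holds."""
    debugger = apply_policies(STANDARD_USER, [ELEVATE_TO_ADMIN, RUN_DEBUG])
    restricted = apply_policies(ADMIN_USER, [RESTRICT])
    removed_then_enabled = apply_policies(STANDARD_USER, [NO_SHUTDOWN, ALLOW_SHUTDOWN])
    disabled_then_enabled = apply_policies(STANDARD_USER, [DISABLE_SHUTDOWN, ALLOW_SHUTDOWN])
    return {
        "debugger_is_admin": is_admin(debugger),
        "debugger_debug": debugger.privileges.get("SeDebugPrivilege"),
        "restricted_is_admin": is_admin(restricted),
        "restricted_debug": restricted.privileges.get("SeDebugPrivilege"),    # None: removed
        "restricted_takeown": restricted.privileges.get("SeTakeOwnershipPrivilege"),
        "removed_then_enabled": removed_then_enabled.privileges.get("SeShutdownPrivilege"),
        "disabled_then_enabled": disabled_then_enabled.privileges.get("SeShutdownPrivilege"),
        "original_untouched": STANDARD_USER.privileges.get("SeShutdownPrivilege"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:<24} {value}")
```

The point to take from the run is the asymmetry described above: a privilege set to Disabled can be brought back by a later Enabled, but once a policy removes a privilege, no later policy in the merge restores it, and the user's original token is never altered.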

The following table lists the privileges that only apply to specific operating systems. The remaining privileges apply across all operating systems.

Table 5.1 Privileges

Privilege                          User Right                                                       Availability (XP, 2003, Vista, W7, 2008, 2008 R2)
SeCreateSymbolicLinkPrivilege      Create symbolic links                                            Not available on XP or 2003
SeEnableDelegationPrivilege        Enable computer and user accounts to be trusted for delegation   Server only (2003, 2008, 2008 R2)
SeIncreaseWorkingSetPrivilege      Increase a process working set                                   Not applicable on XP or 2003
SeRelabelPrivilege                 Modify an object label                                           2008 R2 only
SeTimeZonePrivilege                Change the time zone                                             Not applicable on XP or 2003
SeTrustedCredManAccessPrivilege    Access Credential Manager as a trusted caller                    2008 R2 only
SeUndockPrivilege                  Remove computer from a docking station                           Desktop only (XP, Vista, W7)
SeUnsolicitedInputPrivilege        Receive unsolicited data from a terminal device                  2008 R2 only

APPLY POLICY TO ALLOW TASK MANAGER TO RUN WITH ADMINISTRATIVE PRIVILEGES

1. Expand the applicable Group rule in the navigation pane and select the User Rights node.

2. Select the Applications tab in the work area.

3. Right-click the work area and select Add > Add File. The Add a File for User Rights Management dialog box displays.

4. Browse to the Task Manager executable, taskmgr.exe, and click Add.

5. Select the policy you created in the above procedure (Elevate to Admin) in the User Rights Policy column.

6. Save the configuration.

An empty default User Rights Policy is created if one does not exist.

Now that the Administrator Membership rule is applied to Task Manager using User Rights Management, Task Manager runs under the context of administrator privileges for that group.

Figure 5.4 Task Manager Application

Applications Tab

The following columns and options appear on the Applications tab.

Item - Specifies the location of a file, folder or signature, or the name of a group.

Arguments - Specifies the arguments to provide to the application / process you are starting, that is, the application specified in the File path field. Arguments are only applicable to files and signatures; files are the application / process. Arguments support environment variables and wildcards. Environment variables make the path more generic for applying on different machines. Wildcard support provides an additional level of control for specifying generic file paths.

Apply to Child - An application / process to which a User Rights Policy is applied can itself launch child processes; the application specified in the File path field is the parent process. Select this option to apply the policy to the direct children of the parent process, which then inherit the new token. Deselect this option to allow child processes to use the original token that has not been altered by User Rights Management.

Include subdirectories - Select to include all directories beneath the specified directory. User Rights Management is applied to all subdirectories. Deselect to only apply User Rights Management to the current folder. This column is only applicable to folders.

Install as Trusted Owner - Select this option to make all files created by the defined application owned by the local administrator, so that the files it installs pass Trusted Ownership checking. This option has no effect if the application is not an installer, such as setup.exe. This column is only applicable to files, folders and signatures.

Signature - Displays the actual signature for a signature file. This column is only applicable to signature files.

User Rights Policy - Specifies the User Rights Policy for the file, folder, signature, or group. Select the drop-down arrow in the column to select a policy. Use the Library > User Rights Policies node to create a User Rights Policy.

Figure 5.5 Applications tab for User Rights

Applications and Components

You can apply User Rights Policies to files, folders, signatures, and groups. These are specified on the Applications tab. Components are specified on the Components tab.

Right-click the Applications tab for a User Rights node and select Add > Add File, Add Folder, Add Signature, or Add Group.

Right-click the Components tab and select Add Component.

File

The following are the options available in the Add a File for User Rights Management dialog box.

Figure 5.6 Add a File for User Rights Management Dialog Box

File - The file path of the file / process. Enter the file path into this field or use the Browse button to locate the file.

Arguments - Specifies the arguments to provide to the application / process you are starting, that is the application specified in the File path field. For example, %SystemRoot%\system32\mmc.exe may be the application and %SystemRoot%\system32\dfrg.msc c: the argument.

Apply policy to child processes - By default, the User Rights Policy applied to an application or process is not inherited by child processes launched by that parent process. The application specified in the File path field is the parent process. Select this option to apply the policy to the direct children of the parent process, which then inherit the new token. Deselect this option to allow child processes to use the original token that has not been altered by User Rights Management. Application Manager only supports one level of inheriting the token: a process launched by that child runs with the original token unless it matches an item of its own.

Install as Trusted Owner - Select this option to make all files created by the defined application owned by the local administrator. This option has no effect if the application is not an installer, such as setup.exe.

Substitute environment variables where possible - For example, replaces the Windows directory with the generic environment variable %SystemRoot%.
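The Apply policy to child processes option and the one-level limit, as an added Python example. This is not Application Manager code; the executable names and the rule table are constructed. It also shows the consequence for an installer that spawns a helper two levels down: the helper must be listed as an item in its own right to run with the policy.

```python
"""Model of the Apply policy to child processes option and its one-level limit.

Added example, not Application Manager code. Process names and RULES are
constructed. Behaviour modelled from the guide: the matched parent runs with
the policy's token; a direct child inherits it only when the option is
selected; anything the child launches in turn runs with the original token
unless it matches an item of its own.
"""
from dataclasses import dataclass
from typing import Optional

ORIGINAL = "original token"


@dataclass
class Process:
    name: str
    token: str                            # ORIGINAL or the applied policy's name
    parent: Optional["Process"] = None
    passes_token_on: bool = False         # True only for a matched parent with the option set


# Constructed User Rights items: executable name -> (policy, apply to child processes)
RULES = {
    "setup.exe": ("Elevate to Admin", True),
    "updater.exe": ("Elevate to Admin", False),
}


def launch(name: str, parent: Optional[Process] = None, rules: dict = RULES) -> Process:
    """Decide the token a new process gets, as the hook would at process creation."""
    if name in rules:                     # the process matches an item in its own right
        policy, apply_to_child = rules[name]
        return Process(name, policy, parent, passes_token_on=apply_to_child)
    if parent is not None and parent.passes_token_on:
        # direct child of a matched parent: inherits the modified token but does
        # not pass it on, because only one level of inheritance is supported
        return Process(name, parent.token, parent, passes_token_on=False)
    return Process(name, ORIGINAL, parent, passes_token_on=False)


def tree_tokens(names, rules: dict = RULES) -> list:
    """Launch a chain parent -> child -> grandchild ... and list each process's token."""
    result, parent = [], None
    for name in names:
        parent = launch(name, parent, rules)
        result.append((name, parent.token))
    return result


def demo() -> dict:
    return {
        # setup.exe elevated, msiexec.exe (direct child) elevated, helper.exe (grandchild) not
        "setup_chain": tree_tokens(["setup.exe", "msiexec.exe", "helper.exe"]),
        # updater.exe has the option cleared, so its child keeps the original token
        "updater_chain": tree_tokens(["updater.exe", "msiexec.exe"]),
        # listing helper.exe as an item of its own is what gives the grandchild the policy
        "explicit_grandchild": tree_tokens(
            ["setup.exe", "msiexec.exe", "helper.exe"],
            {**RULES, "helper.exe": ("Elevate to Admin", False)}),
    }


if __name__ == "__main__":
    for key, chain in demo().items():
        print(key)
        for name, token in chain:
            print(f"  {name:<12} {token}")
```

The chain output is the check to make before deploying a policy for an installer: anything that runs more than one process deep will fall back to the user's own token, and a silent failure two levels down is easy to mistake for an application bug.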

Environment variables make the path more generic for applying on different machines. Wildcards are also supported and provide an additional level of control for specifying generic file paths.

Folder

The following are the options in the Add a Folder for User Rights Management dialog box.

Figure 5.7 Add a Folder for User Rights Management Dialog Box

Folder - The name of the folder. Enter the name of the folder into this field or use the Browse button to locate the folder.

Include subdirectories - Select to include all directories beneath the specified directory. User Rights Management is applied to all subdirectories. Deselect to only apply User Rights Management to the current folder.

Substitute environment variables where possible - For example, replaces the Windows directory with the generic environment variable %SystemRoot%. Environment variables make the path more generic for applying on different machines. Wildcards are also supported and provide an additional level of control for specifying generic file paths.

Apply policy to child processes - By default, the User Rights Policy applied to an application or process is not inherited by child processes launched by that parent process. The application in the specified folder is the parent process. Select this option to apply the policy to the direct children of the parent process, which then inherit the new token. Deselect this option to allow child processes to use the original token that has not been altered by User Rights Management.

Install as Trusted Owner - Select this option to make all files created by the defined application owned by the local administrator. This option has no effect if the application is not an installer, such as setup.exe.

Signature

The following are the options in the Add a Signature File for User Rights Management dialog box.

Figure 5.8 Add a Signature File for User Rights Management Dialog box

File - The file path of the signature file for an application / process. Enter the file path into this field or use the Browse button to locate the file.

Arguments - Specifies the arguments to provide to the application / process you are starting, that is the application specified in the File path field. For example, %SystemRoot%\system32\mmc.exe may be the application and %SystemRoot%\system32\dfrg.msc c: the argument.

Apply policy to child processes - By default, the User Rights Policy applied to an application or process is not inherited by child processes launched by that parent process. The application specified in the File path field is the parent process. Select this option to apply the policy to the direct children of the parent process, which then inherit the new token. Deselect this option to allow child processes to use the original token that has not been altered by User Rights Management. Application Manager only supports one level of inheriting the token.

Install as Trusted Owner - Select this option to make all files created by the defined application owned by the local administrator. This option has no effect if the application is not an installer, such as setup.exe.

Group

You can add a group to User Rights. Groups are used to hold and manage a logical collection of files, folders, drives, signature files, and network connection items. Use the Library > Group Management node to create a group.

Figure 5.9 Group Selection for <Group name> Dialog Box

Components

Control Panel components and Network Adaptor features and functions are typically controlled by explorer.exe. Elevating explorer.exe to run in the context of a Local Administrator is not ideal as this can open up a range of security issues. To resolve this and enable the user to access the said functionality under the context of an administrator without elevating the entire explorer shell, User Rights Management places the AppSense Control Panel components in the Windows Control Panel alongside existing components. These can now be controlled at an access level specific to the function, without changing any rights associated with explorer.exe.

Use the filter in the Select Components dialog box to filter components by operating system.

Figure 5.10 Select Components Dialog Box

The following table gives a list of components that are specific to particular operating systems. The remaining components are available for all operating systems.

Table 5.2 Components

Component Name                       Type                 Operating System
Add Plug and Play                    Control Panel        XP, 2003
Backup and Restore Center            Control Panel        Vista
BitLocker Enable                     Control Panel        Vista, 2008, W7
Calibrate Color                      Control Panel        Vista, 2008, W7
Clear Type Text                      Control Panel        W7
Desktop DPI                          Control Panel        XP, 2003, Vista, 2008
Disk Management                      Management Snapin    Vista, 2008, W7
Display                              Control Panel        XP, 2003
Easy Transfer                        Control Panel        Vista, W7
Install/Uninstall Languages          Management Snapin    Vista, 2008, W7
iSCSI Initiator                      Control Panel        Vista, 2008, W7
Offline Files                        Control Panel        Vista, 2008
Power Options                        Control Panel        XP, 2003
Recovery Disc                        Control Panel        Vista, 2008, W7
Recovery Restore                     Control Panel        Vista, 2008, W7
Server Manager                       Management Snapin    2008
System (pre-Vista)                   Control Panel        XP, 2003
System Configuration                 Control Panel        Vista, 2008, W7
System Properties, Advanced          Control Panel        Vista, 2008, W7
System Properties, Computer Name     Control Panel        Vista, 2008, W7
System Properties, Performance       Control Panel        Vista, 2008, W7
System Properties, Protection        Control Panel        Vista, 2008, W7
System Properties, Remote            Control Panel        Vista, 2008, W7
Task Scheduler                       Management Snapin    Vista, 2008, W7
Troubleshoot                         Control Panel        Vista, 2008, W7
Trusted Platform                     Management Snapin    W7
Windows Features                     Control Panel        Vista, 2008, W7
Windows Firewall Advanced Settings   Management Snapin    Vista, 2008, W7

APPLY A USER RIGHTS POLICY TO A CONTROL PANEL COMPONENT

1. Expand the applicable Group rule in the navigation pane and select the User Rights node.

2. Select the Components tab in the work area.

3. Right-click the work area and select Add Component. The Select Components dialog box displays.

4. Select the components you want the user to run as an administrator.

5. In the User Rights Policy column, select the Builtin Elevate policy to elevate privileges for the component, or the Builtin Restrict policy to restrict privileges for the component.

6. Click Add.

7. Save the configuration.

The Select Components dialog box displays a list of Control Panel and Management Snapin tools. You can choose to elevate or restrict privileges for each component. See Components on page 90 for a list of the components that are specific to a particular operating system.

One or more Control Panel and Management Snapin components can be selected in the Select Components dialog box. This provides access only to the selected components and not the whole Control Panel and Management Snapins. Icons representing the selected components are displayed in the Control Panel.

Use the filter at the top of the Select Components dialog box to filter by operating system.

Example Configurations

The following section consists of a number of example configurations for User Rights Management.

RESTRICT USERS FROM STARTING AND STOPPING SERVICES

Use User Rights Management to reduce privileges for the Services component so that an administrative user cannot start and stop services.

1. Select the User Rights node beneath the BUILTIN\Administrators rules node.

2. Select the Components tab within the work area.

3. Right-click within the work area and select Add Component. The Select Components dialog box displays.

4. Select the Services component and click Add.

5. Select the drop-down arrow in the User Rights Policy column and select the Builtin Restrict policy.

6. Save the configuration.

This restricts the Services component only. The same administrative user can still control services from other tools, such as the sc.exe or net.exe command line, unless those executables are also given a restricting policy on the Applications tab.

Figure 5.11 Restrict Administrators from Starting and Stopping Services

ALLOW USERS TO PERFORM WINDOWS UPDATE

1. Select the User Rights node beneath the applicable rules node.

2. Select the Components tab within the work area.

3. Right-click within the work area and select Add Component. The Select Components dialog box displays.

4. Select the Automatic\Windows Update component and click Add.

5. Select the drop-down arrow in the User Rights Policy column and select the Builtin Elevate policy.

6. Save the configuration.

Figure 5.12 Allow Users to Perform Windows Update

ALLOW USERS TO DEFRAGMENT DISKS

1. Select the User Rights node beneath the applicable rules node.

2. Select the Components tab in the User Rights work area.

3. Right-click within the work area and select Add Component. The Select Components dialog box is displayed.

4. Select the Defragment option, and click Add.

5. Select the drop-down arrow in the User Rights Policy and select the Builtin Elevate policy.

6. Save the configuration.

Figure 5.13 Allow Users to Defragment Disks


ALLOW USERS TO RUN VISUAL STUDIO AND DEBUG APPLICATIONS

Step 1 - Create a Policy to Elevate User Privileges

1. Select the Library > User Rights Policies node.

2. Select Add Policy on the User Rights ribbon page > Manage Policy group.

3. Right-click the new policy and select Rename.

4. Enter an intuitive name for the policy, for example, Elevate Visual Studio.

5. Right-click the Group Membership tab in the Policy Contents work area and select Add Group Action. The Account Selection dialog box displays.

6. Enter the account into the Account field or use the Browse button to browse to the account.

7. Ensure Add Membership is selected in the Action column.

Figure 5.14 Policy to Elevate User Privileges


Step 2 - Allow Users to Run Visual Studio and Debug Applications

1. Select the Library > User Rights Policies node.

2. Select Add Policy on the User Rights ribbon page > Manage Policy group.

3. Right-click the new policy and select Rename.

4. Enter an intuitive name for the policy, for example, Run Debug.

5. Select the Privileges tab. The Privileges work area displays.

6. Click the Action column for the debugging privilege, SeDebugPrivilege, and select Enable.

Figure 5.15 Enable the Debugging Privilege


Step 3 - Create a Group Rule

1. Select Rules > Group in the navigation pane.

2. Select the Add Rule drop-down arrow on the Rules ribbon page > Manage group and select Group Rule. The Add Group Rule dialog box is displayed.

3. Enter the domain name into the Add Group Rule dialog box and click Add.

Step 4 - Apply the Elevate Visual Studio Policy to the Rule

1. Select the User Rights node beneath the rule you have created. The User Rights work area displays.

2. Right-click within the work area and select Add > Add File. The Add a File for User Rights Management dialog box displays.

3. Browse to the Visual Studio application file.

4. Select the Apply policy to child processes option and click Add.

5. Select the Elevate Visual Studio policy in the User Rights column. This is the policy created in one of the above procedures.

Step 5 - Apply the Run Debug Policy to the Rule

1. Right-click within the User Rights work area and select Add > Add File.

2. Enter * in the File path field. This is to allow for all debug applications.

3. Click Add.

4. Select the Run Debug policy in the User Rights column. This is the policy created in one of the above procedures.

Step 6 - Save the Configuration

1. Save the configuration.

WEB INSTALLATIONS

A number of Web Installations require the end user to have administrative rights, for example, an ActiveX control such as Adobe Flash Player or a web download such as Microsoft Silverlight.

A common scenario is one in which a standard user attempts to download and install Adobe Flash Player. This requires administrative rights. When the attempt is made, the User Account Control (UAC) dialog box is displayed, requesting that the user enter an administrative password. Most organizations will not want to give their users administrative rights.

The Web Installation feature of User Rights Management allows elevation to administrative rights for ActiveX installers from a particular domain. You can create a simple configuration whereby you enter the name of the domain only, or you can create an advanced configuration by specifying the CAB file for an item, its Class ID and the minimum and maximum version numbers. You can also specify that only signed controls from the domain can be installed.

A CAB file is the Microsoft Windows compressed archive format. This format supports compression and digital signing and is used in a variety of Microsoft installation engines.


CREATE A CONFIGURATION FOR ALLOWING THE INSTALL OF ADOBE FLASH PLAYER

1. Select the User Rights node for a particular group, for example, the Everyone group.

2. Select the Web Installations tab.

3. Right-click within the work area and select Add Web Installation. The Add new Web Installation dialog box displays.

4. Enter a name for the Web Installation in the Name field, for example, Adobe Flash.

5. Enter the URL in the Website URL field. For example, adobe.com, to allow installations from all of adobe.com.

6. Ensure the Only allow signed controls option is selected.

7. Click Add.

8. Ensure the default Builtin Elevate policy is selected in the User Rights Policy column.

9. Save the configuration. All downloads that are signed and are from the specified website are allowed.

Along with the above procedure other configurable items need to be considered. For example, for an ActiveX installation you would need to allow the ActiveX file to run, and any executables that the control calls. You need to consider Process rules, Trusted Vendors, any Digital Certificates, Accessible Items, Elevated items, and so on.

Application Manager includes a number of snippets to assist in the creation of configurations for Web Installations. See Snippets on page 109 for more information.


Figure 5.16 Basic Web Installation Configuration


CREATE A CONFIGURATION TO ALLOW THE DOWNLOAD OF MICROSOFT SILVERLIGHT

Step 1 - Create a Policy to Elevate to Administrator

1. Right-click the Library > User Rights Policies node and select Add Policy.

2. Right-click the new policy beneath the User Rights Policies node and select Rename.

3. Enter an intuitive name for the policy, for example, Elevate.

4. Right-click within the Group Membership tab work area and select Add Group Action.

5. Enter the name of the administrator user group or use the Browse button to navigate to the account.

6. Click Add.

7. Ensure Add Membership is selected in the Action column.

Figure 5.17 Elevate Policy for a Web Installation


Step 2 - Add the Application to the User Rights Node.

1. Select the User Rights node for a particular group, for example, the Everyone group.

2. Select the Applications tab.

3. Right-click the Applications tab work area and select Add > Add File. The Add a File for User Rights Management dialog box displays.

4. Enter the name of the web installation you want to add in the File field, for example, silverlight.exe, or use the Browse button to locate the file.

5. Select the Apply policy to child processes option.

6. Select the Install as Trusted Owner option.

7. Click Add.

8. Ensure the Elevate policy created in Step 1 is selected in the User Rights Policy column.

For information on the Apply policy to child processes and Install as Trusted Owner options see Applications and Components on page 86.


Figure 5.18 Silverlight Added to the Configuration

Step 3 - Add a Signature for the Web Installation to the Accessible Items

1. Select the Accessible Items node for the same group.

2. Right-click in the work area and select Add > Add Signature Item. The Select Accessible Signature File dialog box displays.

3. Navigate to the web installation and click Open.

4. Save the configuration.

Along with the above procedure other configurable items need to be considered. For example, for an ActiveX installation you would need to allow the ActiveX file to run, and any executables that the control calls. You need to consider Process rules, Trusted Vendors, any Digital Certificates, Accessible Items, Elevated items, and so on.

Application Manager includes a number of snippets to assist in the creation of configurations for Web Installations. See Snippets on page 109 for more information.


Figure 5.19 Silverlight Added to the Accessible Items List

CREATE A GRANULAR CONFIGURATION FOR INSTALLING GOTOMEETING

You can create a granular configuration for a web installation. You can refer to the specific CAB file, the Class ID and also the minimum and maximum versions.

Use the Application Manager auditing events to gather information such as the name of the CAB file. Use the 9021 auditing event. See Auditing on page 139 for more information.


1. Select the User Rights node for a particular group, for example, the Everyone group.

2. Select the Web Installations tab.

3. Right-click within the work area and select Add Web Installation. The Add new Web Installation dialog box displays.

4. Enter a name for the Web Installation in the Name field, for example, GoToMeeting.

5. Select the Use advanced settings option.

6. Enter the location of the installer URL and the CAB file of the Web Installation in the Installer URL field. For example, https://www2.gotomeeting.com/default/applets/g2mdlax.cab.

7. Enter the Class ID in the Class ID field and, if required, enter the version numbers or leave blank to ignore.

The details for the CAB file, Class ID and version numbers can also be found in the source view for the web installer download page. Navigate to the download page and select View > Source.
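What to look for in that page source, as an added PowerShell example that is not part of this guide or of Application Manager: the function pulls the codebase CAB URL, the Class ID and the version out of each object tag in a saved download page, which are the three values the advanced Web Installation settings ask for. The sample HTML is constructed; its CLSID, host name and CAB file name are placeholders, not GoToMeeting's real values.

```powershell
# Added example, not AppSense code: extract the CAB URL, Class ID and version
# from the <object> tags of a saved ActiveX download page (View > Source).
function Get-ActiveXInstallerDetails {
    param([Parameter(Mandatory)][string]$Html)
    $tagPattern  = '(?is)<object\b[^>]*>'                                    # each <object ...> start tag
    $attrPattern = '(?i)\b(?<name>classid|codebase)\s*=\s*"(?<value>[^"]*)"'  # the two attributes needed
    foreach ($tag in [regex]::Matches($Html, $tagPattern)) {
        $attrs = @{}
        foreach ($a in [regex]::Matches($tag.Value, $attrPattern)) {
            $attrs[$a.Groups['name'].Value.ToLower()] = $a.Groups['value'].Value
        }
        if (-not $attrs['codebase']) { continue }   # no installer is downloaded for this tag
        # codebase="https://host/file.cab#version=4,5,0,0": the URL is before '#', the version after it
        $cab, $ver = $attrs['codebase'] -split '#version=', 2
        [pscustomobject]@{
            InstallerUrl = $cab                                              # goes in the Installer URL field
            ClassId      = ($attrs['classid'] -replace '^clsid:', '').ToUpper() # goes in the Class ID field
            Version      = $ver                                              # major,minor,build,revision as written in the tag
        }
    }
}

# Constructed sample page; the CLSID and URL are placeholders, not a real control's values
$sampleHtml = @'
<html><body>
<object classid="clsid:00000000-0000-0000-0000-000000000000"
        codebase="https://downloads.example.com/applets/installer.cab#version=4,5,0,0"
        width="0" height="0"></object>
</body></html>
'@
Get-ActiveXInstallerDetails -Html $sampleHtml
```

The version in the tag is the control's minimum version as published by the vendor; the 9021 auditing event mentioned above remains the authoritative source for the CAB file name the endpoint actually fetched.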


Figure 5.20 Advanced Details for a Web Installation


8. Click Add.

9. Ensure that Builtin Elevate is selected in the User Rights Policy column.

10. Save the configuration.

Figure 5.21 Web Installation Added

Along with the above procedure other configurable items need to be considered. For example, for an ActiveX installation you would need to allow the ActiveX file to run, and any executables that the control calls. You need to consider Process rules, Trusted Vendors, any Digital Certificates, Accessible Items, Elevated items, and so on.

Application Manager includes a number of snippets to assist in the creation of configurations for Web Installations. See Snippets on page 109 for more information.


SNIPPETS

Snippets give Application Manager the ability to import and merge partial configurations into a currently open configuration in the console.

This is particularly useful for Web Installations because, along with creating the Web Installation part of the configuration, a number of other configurable items need to be considered. These include Process Rules, Accessible Items, Trusted Vendors, any Digital Certificates, Elevated items, and so on.

Application Manager consists of a number of snippets to help with the creation of the Web Installation configurations such as the configurations given in the previous section, Web Installations on page 99.

The following example uses the Create a Granular Configuration for Installing GoToMeeting procedure. The snippet contains all the extra configurable items for the configuration.

ADD A SNIPPET TO A GOTOMEETING WEB INSTALLATION CONFIGURATION

1. Complete the Create a Granular Configuration for Installing GoToMeeting procedure.

2. Select the User Rights node for the group.

3. Select the Web Installations tab.

4. Right-click the work area and select Import Snippet. The Import Snippet dialog box displays.

5. Select the en_gotomeeting_4_5 snippet and click Add.

6. To view what is included in the snippet click the View the items that will be added to the configuration link. A configuration report is displayed.

7. Click Continue. The snippet is imported and you can view the items in the various nodes in the console.

Use the Configuration Profiler available from the Home ribbon page to view a configuration report for the full configuration.


Figure 5.22 Imported Snippet

Default Snippets

The following snippets are available:

en_adobe_flash_10_2

en_adobe_reader_10_0_1

en_adobe_shockwave_11_5_9_620


en_akamai_download_manager_2_2_5_7

en_gotomeeting_4_5

en_itunes_10_1_2

en_quicktime_7_6_9

en_silverlight_4_0_60129_0


The default location for snippets is C:\Program Files\AppSense\Application Manager\Console\Snippets.


6 Application Network Access Control

In this Section:

Overview on page 115

About Application Network Access Control on page 116

Define Network Access Policies and Rules on page 118

Auditing on page 119

Configuring Application Network Access Control on page 120

OVERVIEW

Application Manager automatically controls application access on a per user or per device basis, without the overhead of scripts or lists. Application Network Access Control (ANAC) manages network access on a per user or per device basis.

You can use Application Manager to restrict and monitor application network access via the Application Manager console using the ANAC functionality.


ABOUT APPLICATION NETWORK ACCESS CONTROL

Application Network Access Control provides the ability to control outbound network connections by IP address, Host name, URL, UNC, or Port, based on the outcome of rules processing.

It is designed to control access within a company network infrastructure. This control is achieved by intercepting application requests made through the Winsock layer, for example, HTTP, FTP and RDP. Within Application Manager access to these resources is controlled by adding a Network Connection Item beneath a specific rule. Network Connection Items can be created individually or as part of a group which logically defines groups of items based on, for example, common criteria, for ease of management and configuration.

Groups and Network Connection Items can be applied to any rule in the Accessible Items rules to allow access, or applied to the Prohibited Items rules to deny access. Application Manager intercepts and blocks access if requests are made to prohibited network resources. The execution of applications is not controlled.

You can run Application Manager in ANAC mode only. Select Enable Application Network Access Control only in the Options dialog box available from the General Features ribbon page > Default Restrictions group.

Access is allowed to all network resources until actively prohibited.


Figure 6.1 Application Network Access Control

Technology

The following describes the basic technology for the ANAC functionality.

Mini Filter Driver

ANAC uses a mini filter driver to intercept and control requests made to network UNC locations. The driver is loaded dynamically by the Application Manager (AM) Agent Service only when its functionality is required, that is, when the configuration contains Network Connection Items whose Connection Type is Network Share. When a user makes a file request for a shared folder, subfolder or file on a network location, the I/O manager sends a create request to Application Manager’s mini filter driver. The mini filter driver gathers information about this request (the file name and location, user, process, thread data, and so on) and passes it to the AM Agent Service for processing. After the AM Agent Service has processed the request, the mini filter driver responds to the I/O manager with the result. If the request is denied, an access denied error is returned; otherwise the request is left unaltered.


Application Hook

Application Manager’s hook uses Microsoft’s Detours technology to hook a subset of the Winsock API functions. In hooking these functions, Application Manager reads and gathers information about the network location the application is attempting to connect to. This information is then passed to the AM Agent Service for further processing. If the request is allowed, the hook permits the application to continue using the Winsock API; otherwise the hook denies the application access to the Winsock API and an error code is returned to the application to indicate that the request has failed.

DEFINE NETWORK ACCESS POLICIES AND RULES

By default, Application Manager processes rules and grants access according to the least restrictive rule. In other words, the most flexible allow rule granted to a user after the rules have been processed applies.

Allow rules, known as Accessible Items in Application Manager, have a higher priority over the deny rules, also known as Prohibited Items. For example, an Accessible Network Connection Item with a Path takes priority over a Prohibited Network Connection Item with a Path. Both take priority over an Accessible Network Connection Item with No Path, and last is a Prohibited Item with No Path.

Network Connection Rule Items are configured in a similar way. There are different rules that can be customized for devices (or groups of devices) by user, and by groups of users.

This flexibility provides a number of ways of configuring network access within an enterprise, locking down the physical device, defined user groups, or both.

Given the above, the best practice for defining a Network Access Policy and configuring the associated rule is a two stage approach:

1. Prohibit network access for controlled users and devices.

2. Granularly allow and make accessible specific network resources on a case by case basis.

This may be somewhat familiar if you have configured a network firewall. This is essentially the same. However, it is easiest to consider this as an outward bound firewall living on the endpoints.

It is important to note that, unlike configuring a firewall, with Application Network Access Control you define only the denied applications on a port-by-port and/or server-by-server basis, as opposed to defining all network-accessing systems and services for the endpoint workstation or server as you might on a firewall.

A list of commonly used application ports is included within the Application Manager console as shown below.

Application Network Access Control is an addition to firewalls. It is not a replacement.


Figure 6.2 Common Ports

AUDITING

Application Manager has a comprehensive set of in-built auditing and reporting which can give granular information on how, when, and by whom, network resources and applications are accessed.

This auditing can be placed in an Audit Only mode to silently monitor security restrictions or can generate events when users attempt to access denied locations and are blocked.

Auditing events are available from the Auditing dialog box. This is found on the Home ribbon page > Common group. The events that are specific to Application Network Access Control are 9013 and 9014.


Figure 6.3 Auditing Dialog Box

CONFIGURING APPLICATION NETWORK ACCESS CONTROL

PROHIBIT AN IP ADDRESS OR HOST

1. Expand the group that you want to prohibit an IP Address or Host for, for example, the Everyone group.

2. Select the Prohibited Items node.

3. Right-click the work area and select Add > Network Connection Item. The Add a Network Connection dialog box displays.

4. Select the IP Address or Host Name option.

For more information about auditing see Auditing on page 139.


5. Enter the IP Address or Host Name in the Host field.

6. Do one of the following:

To block access to the whole IP Address or Host, click Add.

To block only a part of the IP Address or Host, for example, a certain folder, enter the folder or path in the Path field and click Add.

7. Save the configuration and deploy to the managed endpoints.

The following graphic shows the Add a Network Connection dialog box and specifies the Host Name as www.abc.co.uk and the Path as Finance. This means that all users in the specified group can access www.abc.co.uk but not the Finance area.

Figure 6.4 Network Connection Details for a Host Name

PROHIBIT A NETWORK SHARE

1. Expand the group that you want to prohibit a Network Share for, for example, the Everyone group.

2. Select the Prohibited Items node.

3. Right-click the work area and select Add > Network Connection Item. The Add a Network Connection dialog box displays.

4. Select the Network Share option.


5. Enter the Network Share in the Host field.

6. To include any subdirectories, select the Include subdirectories option.

7. Do one of the following:

To block access to the whole Network Share, click Add.

To block only a part of the Network Share, enter the folder or path in the Path field and click Add.

8. Save the configuration and deploy to the managed endpoints.

The following graphic shows the Add a Network Connection dialog box and specifies the Network Share as managementdata and the Path as personnel. This means that all users in the specified group can access managementdata but not the personnel area.

Figure 6.5 Network Connection Details for a Network Share

PROHIBIT RDP SESSIONS TO AN IP ADDRESS OR HOST THROUGH A PORT

1. Expand the group that you want to prohibit RDP sessions for, for example, the Everyone group.

2. Select the Prohibited Items node.

3. Right-click the work area and select Add > Network Connection Item. The Add a Network Connection dialog box displays.

4. Select the IP Address or Host Name option.


5. Enter the IP Address or Host Name in the Host field.

6. Click the Ports button.

7. Select the port 3389 Microsoft Terminal Server (RDP) port and click Add.

8. Click Add in the Add a Network Connection dialog box.

9. Save the configuration and deploy to the managed endpoints.

The following graphic shows the Add a Network Connection dialog box and specifies the Host Name as sql.testing.local and the Port as 3389. This means that all users in the specified group cannot create an RDP session to sql.testing.local.

Figure 6.6 Network Connection Details to Block RDP


MANAGE NETWORK CONNECTIONS USING FTP

1. Right-click the Library > Group Management node in the navigation pane and select Add Group. A new group is created.

2. Right-click the new group, select Rename and enter an intuitive name for the group, for example, FTP Software.

Figure 6.7 FTP Software Group

3. Right-click the work area and select Add > Network Connection Item. The Add a Network Connection dialog box is displayed.

4. Enter the wildcard expression *.*.*.* into the Host field.

5. Select the Ports button. The Common Ports dialog box is displayed.

6. Select port 21 and click Add. This is the FTP - Control Port.


Figure 6.8 Network Connection Details

7. Expand the Everyone group in the navigation pane and select the Prohibited Items node.

8. Right-click the work area and select Add > Group. The Group selection for <group name> dialog box is displayed.

9. Select the group created previously, for example, FTP Software, and click OK. This prohibits all users from accessing any IP Address using FTP applications.

ALLOW ACCESS TO ONLY A PARTICULAR FOLDER ON A SHARE

1. Expand the group that you want to provide access to a particular folder for, for example, a group called Accounts.

2. Select the Prohibited Items node.

3. Right-click the work area and select Add > Network Connection Item. The Add a Network Connection dialog box displays.

4. Select the Network Share option.

5. Enter the name of the network share in the Host field. For example, \\managementdata.

6. Enter the name of the path in the Path field. This is the path to prohibit; it also contains the folder you want to provide access to.

7. Ensure the Include subdirectories option is selected. This prohibits access to any subdirectories on the share.


8. Click Add.

The following graphic shows the Add a Network Connection dialog box for a Prohibited Item and specifies the network share as managementdata and the path as scratch. This means that all users in the specified group cannot access the scratch folder on the managementdata network share.

Figure 6.9 Network Connection Details for a Prohibited Network Share

9. Select the Accessible Items node.

10. Right-click the work area and select Add > Network Connection Item. The Add a Network Connection dialog box displays.

11. Select the Network Share option.

12. Enter the name of the network share in the Host field. For example, \\managementdata.

13. Enter the path of the folder to provide access to in the Path field, for example, \scratch\Accounts.

14. Deselect the Include subdirectories option.

15. Click Add.

16. Save the configuration and deploy to the managed endpoints.

The following graphic shows the Add a Network Connection dialog for an Accessible Item and specifies the network share as managementdata and the path as scratch\Accounts. This means that all users in the specified group can only access the scratch\Accounts folder on the managementdata network share. All other folders are prohibited.
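Why the Accessible item for scratch\Accounts wins over the Prohibited item for scratch follows from the precedence order given under Define Network Access Policies and Rules: an Accessible item with a Path outranks a Prohibited item with a Path, which outranks an Accessible item with no Path, which outranks a Prohibited item with no Path. The PowerShell model below, an added example that is not part of this guide or of Application Manager's own rule engine, applies that order to the two items from this procedure. The item fields (Kind, Host, Path, IncludeSubdirectories), the path matching, and the treatment of a deselected Include subdirectories option as covering only entries directly inside the folder are assumptions made for the model.

```powershell
# Added example, not AppSense code: a model of the Network Connection Item precedence
# the guide describes. Accessible+Path > Prohibited+Path > Accessible no Path > Prohibited no Path.
# Item shape and path-matching rules are assumptions, not the agent's implementation.

function Test-ItemMatch {
    param([hashtable]$Item, [string]$ReqHost, [string]$ReqPath)
    if ($Item.Host -ne $ReqHost) { return $false }               # string comparison is case-insensitive
    if ([string]::IsNullOrEmpty($Item.Path)) { return $true }     # no Path: the item covers the whole share
    $p = $Item.Path.Trim('\')
    if ($ReqPath -eq $p) { return $true }                         # the folder itself
    if ($ReqPath -like "$p\*") {
        if ($Item.IncludeSubdirectories) { return $true }         # anything beneath the folder
        # Assumption: without Include subdirectories, only entries directly inside the folder match
        return ($ReqPath.Substring($p.Length + 1) -notmatch '\\')
    }
    return $false
}

function Resolve-NetworkAccess {
    param([Parameter(Mandatory)][string]$Request, [Parameter(Mandatory)][hashtable[]]$Items)
    # Split '\\host\folder\file' into the host and the path beneath it
    $parts   = $Request.TrimStart('\') -split '\\', 2
    $reqHost = $parts[0]
    $reqPath = if ($parts.Count -gt 1) { $parts[1].Trim('\') } else { '' }

    $rank = @{ 'Accessible:Path' = 4; 'Prohibited:Path' = 3; 'Accessible:NoPath' = 2; 'Prohibited:NoPath' = 1 }
    $best = $null; $bestRank = 0
    foreach ($item in $Items) {
        if (-not (Test-ItemMatch -Item $item -ReqHost $reqHost -ReqPath $reqPath)) { continue }
        $key = '{0}:{1}' -f $item.Kind, $(if ($item.Path) { 'Path' } else { 'NoPath' })
        if ($rank[$key] -gt $bestRank) { $bestRank = $rank[$key]; $best = $item }
    }
    # Access is allowed until actively prohibited, so no matching item means allow
    if ($null -eq $best) { return 'Allow (no matching item)' }
    $desc = "{0} item '\\{1}\{2}'" -f $best.Kind, $best.Host, $best.Path
    if ($best.Kind -eq 'Accessible') { return "Allow ($desc wins)" } else { return "Deny ($desc wins)" }
}

# Constructed sample mirroring the Accounts procedure above
$items = @(
    @{ Kind = 'Prohibited'; Host = 'managementdata'; Path = 'scratch';          IncludeSubdirectories = $true  },
    @{ Kind = 'Accessible'; Host = 'managementdata'; Path = 'scratch\Accounts'; IncludeSubdirectories = $false }
)
Resolve-NetworkAccess '\\managementdata\scratch\Accounts\q1.xlsx'    $items   # both items match; the Accessible + Path item has the higher rank
Resolve-NetworkAccess '\\managementdata\scratch\Marketing\plan.docx' $items   # only the Prohibited item matches
Resolve-NetworkAccess '\\managementdata\public\readme.txt'           $items   # no item matches, so the default applies
```

The model also shows the caveat worth remembering when reviewing a configuration: because allow rules sit above deny rules, a broad Prohibited item does not cancel a narrower Accessible item anywhere beneath it, so every Accessible Network Connection Item with a Path is an exception that survives whatever Prohibited Items are added later.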


Figure 6.10 Network Connection Details for an Accessible Folder


7 Endpoint Analysis

This section contains:

Endpoint Analysis Overview on page 128

Endpoint Analysis Scans on page 130

Working with Endpoint Analysis on page 131

Adding Files to a Configuration on page 137

ENDPOINT ANALYSIS OVERVIEW

Endpoint Analysis (EPA) allows you to scan single or multiple endpoints, to provide a list of applications that are present and that have run on a particular computer. Endpoint Analysis helps to simplify the creation of an appropriate Application Manager configuration. This feature is utilized on demand and is inactive by default.

For Endpoint Analysis to function, the following must be in place:

Checklist

Application Manager agent installed on the endpoint.

License installed on the endpoint.

Application Manager configuration installed on the endpoint.

Administrative share rights to the endpoint.

Remote registry access to the endpoint.

TEST THAT THE APPLICATION MANAGER AGENT IS INSTALLED ON THE ENDPOINT

1. On the Start menu select Control Panel.

2. Select Administrative Tools.

3. Double-click Services.

4. Locate the AppSense Application Manager Agent.

TEST THAT THE LICENSE IS INSTALLED ON THE ENDPOINT

1. Launch the Registry Editor on the managed endpoint.

2. Locate the license under HKLM\Software\AppSense Technologies\Licensing.

TEST THAT THE CONFIGURATION IS INSTALLED ON THE ENDPOINT

Configurations are stored in the following location:

1. For Windows XP and Server 2003, navigate to C:\Documents and Settings\All Users\Application Data\AppSense\Application Manager\Configuration.

2. For Vista and above, navigate to C:\ProgramData\AppSense\Application Manager\Configuration.

TEST THAT THE ENDPOINT HAS ADMIN SHARE RIGHTS

1. Open Windows Explorer on the computer that has the Application Manager console installed.

2. In the Address bar enter \\<computername>\c$ and press Enter. If you can browse the folders, you have access rights. If not, you are prompted for user credentials that allow access.

TEST THAT REMOTE REGISTRY ACCESS IS AVAILABLE

1. Open the Registry Editor on the computer that has the Application Manager console installed.

2. Select File > Connect Network Registry. The Select Computer dialog box is displayed.

3. Locate the computer and click OK. If you can see the registry keys, you have access.

ProgramData is a hidden folder. Open Windows Explorer, type C:\ProgramData in the Address bar and press Enter to open the folder.

On remote computers running Microsoft Vista and above, File Sharing and Remote Registry Service are disabled by default and must be enabled.

Turn on File Sharing in Start > Control Panel > Network and Sharing Center. Start the Remote Registry Service in Start > Control Panel > Administrative Tools > Services.
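The five checks above can be run from the console computer in one pass. The function below is an added PowerShell example, not part of this guide or of Application Manager; it uses only the service display name, registry key and configuration paths the guide gives. It assumes Windows PowerShell 5.1 (for Get-Service -ComputerName), that it runs under an account with rights on the endpoint, and, because the agent's internal service name is not given in the guide, matches the service on its display name.

```powershell
# Added example, not AppSense code: runs the Endpoint Analysis prerequisite checks
# from the console computer against one endpoint. Assumes Windows PowerShell 5.1.
function Test-EpaPrerequisites {
    param([Parameter(Mandatory)][string]$ComputerName)
    $r = [ordered]@{ ComputerName = $ComputerName }

    # 1. Agent service: matched on the display name from the guide (the service name is not assumed)
    $svc = Get-Service -ComputerName $ComputerName -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like 'AppSense Application Manager Agent*' }
    $r.AgentService = [bool]$svc

    # 2. and 5. Licence key, read through the Remote Registry Service, so this also proves check 5
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $r.RemoteRegistry = $true
        $lic = $hklm.OpenSubKey('SOFTWARE\AppSense Technologies\Licensing')
        $r.License = ($null -ne $lic)
        if ($lic) { $lic.Close() }
        $hklm.Close()
    } catch {
        $r.RemoteRegistry = $false   # Remote Registry Service stopped, firewall, or no rights
        $r.License        = $false
    }

    # 4. Administrative share
    $r.AdminShare = Test-Path "\\$ComputerName\c$"

    # 3. Configuration folder, checked through the admin share (Vista and above first, then XP/2003)
    $cfgPaths = @(
        "\\$ComputerName\c$\ProgramData\AppSense\Application Manager\Configuration",
        "\\$ComputerName\c$\Documents and Settings\All Users\Application Data\AppSense\Application Manager\Configuration"
    )
    $r.Configuration = [bool]($cfgPaths | Where-Object { Test-Path $_ })

    [pscustomobject]$r
}

# Usage (constructed computer name): Test-EpaPrerequisites -ComputerName 'ws-finance-01'
```

A $false in AdminShare or RemoteRegistry on a Vista or later endpoint usually means File Sharing or the Remote Registry Service is still disabled, as the note above describes, rather than a missing agent.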


ENDPOINT ANALYSIS SCANS

There are two types of Endpoint Analysis scans. These are:

Endpoint Scan

Application Usage Scan

Endpoint Analysis files for a given endpoint are stored on the computer that has the Application Manager console installed under the following locations:

For Windows XP and Server 2003, C:\Documents and Settings\All Users\Application Data\AppSense\Application Manager\Endpoint Analysis.

For Vista and above, C:\ProgramData\AppSense\Application Manager\Endpoint Analysis.

Endpoint Scan

The Endpoint Scan searches the endpoint for any applications that are present. These applications may have been officially installed by an administrator, or be an esoteric piece of virus-ridden freeware installed by an unsuspecting end user.

The following directory and registry locations are scanned:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Program Files

Application Usage Scan

The Application Usage Scan is used to detect applications in use that have not been installed using the Windows Installer technology and are therefore not detected by the Endpoint Scan.

When an Application Usage Scan is in progress, all execute requests are passed through for Endpoint Analysis processing once the standard Application Manager rules checking has been performed on that request. The details of requests are held in memory. When the scan has stopped all the request data is saved to file.

If the endpoint is rebooted while a scan is in progress, for example, if a user takes their laptop from the workplace and switches it on at home, the Endpoint Analysis runtime detects that it should be recording application usage and restarts the recording. This is done on agent startup.

An Endpoint Scan can take several minutes. The reason for this is that Application Manager not only scans the Program Files folder and the registry keys, but also each dependent file and its digital signatures. Application Manager records all this information.

During an Endpoint Scan, 100% of the CPU on the endpoint can be used. However, if user tasks need to be performed, the Application Manager agent uses built-in smart scheduling technology to allow those tasks to take precedence over the scan itself, so the end-user perception of performance is not affected.


Order of Scans

Typically, the Endpoint Scan is run first to determine which applications are installed on the endpoint. This can be followed by the Application Usage Scan to track the applications that have been run on an endpoint over a period of time.

By highlighting which applications are being used and which are not, unlicensed software can be identified and restricted, and unused software can be removed.

WORKING WITH ENDPOINT ANALYSIS

Endpoint Analysis is available from the Application Manager console. This feature provides the ability to perform the aforementioned scans and to show all loaded files (child processes) for scanned applications and any digital certificates for the discovered applications.

It is recommended to include all loaded files in the configuration for an Accessible Item so that the application functions correctly. It is also useful to add any digital certificates to the Trusted Vendors in your configuration.

The first step in using Endpoint Analysis is to add one or more endpoints, that is, the endpoints that you want to scan.

ADD AN ENDPOINT TO ENDPOINT ANALYSIS

1. Select the Endpoint Analysis button in the navigation pane.

2. Right-click the Endpoint node in the navigation tree and select Add Endpoint.

3. Select either Browse Deployment Group or Browse Domain/Workgroup depending on the location of the endpoint you want to add.

Browse Deployment Group displays the Select Management Server dialog box.

Browse Domain/Workgroup displays the Active Directory Select Computers dialog box.

4. Locate the required endpoint and click Add. A new node is created for the selected endpoint under the Endpoints node in the navigation tree.

5. Select the new endpoint node and view the Endpoint Summary. Application Manager searches for the computer and connects. Ensure that Application Manager has connected to the endpoint.

The Application Usage Scan can detect applications in use that have not been installed using the Windows Installer technology and are therefore not detected by the Installed Applications Scan, for example, Firefox or shareware.


Figure 7.1 Connected Endpoint

Endpoint Summary

The Endpoint Analysis Summary displays whether Application Manager is connected to the endpoint, whether an Installed Applications Scan is running, and whether an Application Usage Scan is running.

If an Installed Applications Scan is running, the percentage completion of the scan is shown.


Figure 7.2 Percentage of Completion

The summary also displays information about the operating system and processor for the endpoint and information about the data files which includes:

Number of data files. These are the data files created for each Application Usage Scan.

Total size of data files

Installed Applications updated. That is the last date the Installed Applications Scan ran.

Once you have added one or more endpoints you can run an Installed Applications Scan for one or all endpoints. You can also run an Application Usage Scan for each individual endpoint.

RUN AN ENDPOINT SCAN

1. Do one of the following:

Select an endpoint and select Run Endpoint Scan on the Endpoint Analysis ribbon page > Installed Applications group. The Endpoint Summary displays the percentage of completion.

Select Run Scan for all Endpoints on the Endpoint Analysis ribbon page > Installed Applications group. The Endpoint Summary displays the percentage of completion.

2. Select the Installed Applications node for an endpoint to see all applications installed by the administrator and users.


Figure 7.3 Applications Installed on the APPUKTECHPUBS2 Endpoint

The Installed Applications data is stored in an XML file named EndpointName^Installed.xml.

On Windows XP and Server 2003 the files are located at C:\Documents and Settings\All Users\Application Data\AppSense\Application Manager\Endpoint Analysis.

On Vista and above the files are located at C:\ProgramData\AppSense\Application Manager\Endpoint Analysis.

ProgramData is a hidden folder. Open Windows Explorer and type C:\ProgramData in the Address bar. Press Enter to open the folder.


RUN AN APPLICATION USAGE SCAN

1. Select an endpoint and select Start Application Usage Scan on the Endpoint Analysis ribbon page > Application Usage Scans group.

2. Allow a period of time for the scan and then select Stop Application Usage Scan on the Endpoint Analysis ribbon page > Application Usage Scans group. The File dialog box displays.

3. Enter an intuitive name for the file. The file is displayed beneath the Recorded Data node in the navigation tree.

Figure 7.4 XML File for an Application Usage Scan

The Application Usage data is stored in an XML file named EndpointName^FileName.xml.

On Windows XP and Server 2003 the files are located at C:\Documents and Settings\All Users\Application Data\AppSense\Application Manager\Endpoint Analysis.

On Vista and above the files are located at C:\ProgramData\AppSense\Application Manager\Endpoint Analysis.


As previously mentioned, when you perform a scan you can also show all the loaded files (child processes) and digital certificates for discovered applications. It is recommended to add all loaded files to the Accessible Items to allow specified applications to function correctly.

It is also useful to add any digital signatures to the Trusted Vendors in the configuration.

SHOW ALL LOADED FILES FOR DISCOVERED APPLICATIONS

1. Select either the Installed Applications node or an xml file beneath the Recorded Data node.

2. Select Show Loaded Files on the Endpoint Analysis ribbon page > Application Data group. The Loaded Files dialog box is displayed.

Figure 7.5 Loaded Files for an Application Usage Scan

SHOW DIGITAL CERTIFICATES FOR A DISCOVERED APPLICATION

1. Select a discovered application in the work area.

2. Select Show Digital Certificates on the Endpoint Analysis ribbon page > Application Data group. The Certificates dialog box displays.

ProgramData is a hidden folder. Open Windows Explorer and type C:\ProgramData in the Address bar. Press Enter to open the folder.


Figure 7.6 Digital Certificates for an Application Usage Scan

ADDING FILES TO A CONFIGURATION

Once you have performed a scan you can add any of the applications or associated files or certificates to a configuration by dragging and dropping.

If you drag and drop files into any of the Accessible or Prohibited Items lists they are dropped in as files.

If files are placed in Accessible Items, any associated loaded files are automatically included.

If files are placed in Prohibited Items, any associated loaded files are not included, only the main application executable.

To add a certificate to any of the Trusted Vendors, either drag and drop a file onto a Trusted Vendors node (if any certificates exist for that file they are added), or select Show Digital Signatures on the Endpoint Analysis ribbon page > Application Data group to display the Certificates dialog box and then drag and drop from that dialog box into the configuration.

When you drag and drop files from Endpoint Analysis to the Accessible Items and Prohibited Items node you must drag, hover the mouse over the Configuration button in the navigation pane to display the configuration, and then drop onto the node.


When you drag and drop files into a configuration, the digital signature for the file is always copied over as this is the most secure method for authenticating an application. See Security Methods on page 41 for more information.

8 Auditing

In this Section:

Overview on page 139

Logging on page 141

Local Event Filter on page 142

Event Filtering on page 143

OVERVIEW

Auditing allows you to define rules for the capture of auditing information and to raise events. Events can be raised in multiple places, including:

Windows Application event log

AppSense event log

Anonymous

Local log

In addition there is an event filter for specifying the type of files to include in the audit log for particular events.


The Auditing dialog box is available from the Home ribbon page > Common group.

Figure 8.1 Auditing Dialog Box

In Enterprise installations, events can be forwarded to the AppSense Management Center via the Client Communications Agent (CCA). When using this method for auditing, event data storage and filtering is configured through the Management Center console.

For more information on the Management Center see the AppSense Management Center Help and the AppSense Management Center Product Guide.


LOGGING

There are a number of ways of capturing events using the Auditing dialog box. These are covered in the following sections.

Windows Application Event Log

Many applications store events in the Application event log. You can choose to store AppSense events in the same log. This log is located in the Event Viewer in the Windows Logs folder.

AppSense Event Log

Application Manager records many events. You can choose to store events in the AppSense event log making them easier to manage. This log is located in the Event Viewer in the Applications and Service Logs folder.

Anonymous Logging

Anonymous logging can be performed when auditing. Anonymous logging does not record the computer name or the user name. This form of logging searches the file path for any instances where a directory matches the username and replaces the directory name with the string USERNAME.

Local Log File

Events can be written to a local file in CSV or XML format. By default, the local log file is located at %SYSTEMDRIVE%\AppSenseLogs\Auditing\ApplicationManagerEvents_%COMPUTERNAME%.xml (or .csv if the CSV log format is selected).

Storing events in a local log file is useful for exchanging the information in the log and for merging information. You can choose to save the logs in XML or CSV file format. For example, you can open a CSV file in Microsoft Excel, allowing you to easily analyze the data, create graphs, and so on.

You can only send events to the Application event log or the AppSense event log and not both.


LOCAL EVENT FILTER

Application Manager can raise a number of events. Some of the events are selected by default.

The following table shows all the events available in Application Manager and indicates whether they are selected by default.

Table 8.1 Local Events

ID    Name                             Description                                                  Default
9000  Denied execution                 Prohibited execution request.
9001  Allowed execution                Allowed execution request.
9002  Overwrite changed owner          Overwrite of an allowed executable.
9003  Renamed changed owner            Rename of a prohibited executable.
9004  Application limit denial         Application limit denial.
9005  Time limit denial                Time limit denial.
9006  Self-authorization               Self-authorization decision by user.
9007  Self-authorized allow            Self-authorized execution request.
9009  Scripted rule timeout            Script execution timed out.
9010  Scripted rule fail               Script failed to complete.
9011  Scripted rule success            Script completed successfully.
9012  Trusted Vendor denial            Digital Certificate failed Trusted Vendor check.
9013  Network Item denied              Prohibited Network Item request.
9014  Network Item allowed             Allowed Network Item request.
9015  Application started              An allowed application started running.
9016  Unable to change ownership       The file's ownership could not be changed.
9017  Application Termination          An application has been terminated by Application Manager.
9018  Application User Rights changed  The application's user rights have been changed.
9019  Web Installation allowed         Allowed Web Installation request.
9020  Web Installation restricted      Restricted Web Installation request.
9021  Web Installation restricted      Windows Restricted Web Installation request.
9022  Web Installation fail            Web Installation failed to complete.
9095  Not configured                   AppSense Application Manager has not been configured.
9099  Agent not licensed               AppSense Application Manager is not licensed.


EVENT FILTERING

Event Filtering allows you to filter the file types that you want to audit. This is particularly useful if you choose a high-volume event. For example, if you choose event 9001, 9007, 9014 or 9015, which are high-volume events, it may be useful to select only certain file types to audit.

To audit all file types, according to the events that are selected in the Auditing dialog box, deselect the Enable event filtering option. This option is selected by default.

Figure 8.2 Event Filter

When you select an event, ensure that the event, or the file types for that particular event, is also selected in Event Filtering.

9 Rules Analyzer

This section provides details on Application Manager Rules Analyzer and includes the following:

About Rules Analyzer on page 144

The Console on page 145

Working with Rules Analyzer on page 147

ABOUT RULES ANALYZER

Standard AppSense auditing can be used to track unauthorized application usage or to track when users are overwriting / renaming applications. It is a simple mechanism to use and can function without interaction. The standard auditing mechanism advises you when an application has not, for example, been allowed to execute but does not advise why this was the case. Therefore an additional tool is required so you can analyze the rules base in real time, and determine exactly why an application is or is not allowed to execute.

For more information on the auditing feature see Auditing on page 139.


Rules Analyzer provides you with a graphical interface that can be used to manually troubleshoot and fine tune Application Manager configurations in real time anywhere across the enterprise. All that is required is a network link to a remote Application Manager managed endpoint so the Rules Analyzer can connect to the agent software and start logging on the local endpoint.

When the logging has completed you can use the Rules Analyzer to automatically pull the log file across the network back to the computer where the analysis is occurring, for investigation. All logging information is held in xml format and each execution request that the Application Manager agent processed is listed along with the details of what occurred during processing, including if the process was allowed to execute or not and the reason for the outcome.

THE CONSOLE

The Rules Analyzer is accessed from the navigation pane within the Application Manager console and is used to create, retrieve and examine the log files.

An Endpoint node allows you to control logging on a specific managed endpoint and to retrieve its log files. Below each Endpoint node is a node for each retrieved log file.

You can review a summary page, view all requests, or view the requests for a specific user. You can restrict the view to the denied or allowed requests. Within the analysis panel you can navigate to a specific request and view the full details of that request, including which rules were applied by Application Manager.

You must be logged on with an account that has read and write access to the registry of any managed endpoint for which you wish to generate logs using Rules Analyzer, and read and write access to the local registry of the computer on which the console runs.

Checklist

You must have the following to use Rules Analyzer:

Application Manager agent installed on the endpoint.

License installed on the endpoint.

Application Manager configuration installed on the endpoint.

Administrative share rights to the endpoint.

Remote registry access to the endpoint.

TEST THAT THE APPLICATION MANAGER AGENT IS INSTALLED ON THE ENDPOINT

1. On the Start menu select Control Panel.

2. Select Administrative Tools.

3. Double-click Services.

4. Locate the AppSense Application Manager Agent.

TEST THAT THE LICENSE IS INSTALLED ON THE ENDPOINT

1. Launch the Registry Editor on the managed endpoint.

2. Locate the license under HKLM\Software\AppSense Technologies\Licensing.


TEST THAT THE CONFIGURATION IS INSTALLED ON THE ENDPOINT

Configurations are stored in the following location:

1. For Windows XP and Server 2003, navigate to C:\Documents and Settings\All Users\Application Data\AppSense\Application Manager\Configuration.

2. For Vista and above, navigate to C:\ProgramData\AppSense\Application Manager\Configuration.

TEST THAT THE ENDPOINT HAS ADMIN SHARE RIGHTS

1. Open Windows Explorer on the computer that has the Application Manager console installed.

2. In the Address bar enter \\<computername>\c$ and press Enter. If you can browse the folders, you have access rights. If not, you are prompted for user credentials that allow access.

TEST THAT REMOTE REGISTRY ACCESS IS AVAILABLE

1. Open the Registry Editor on the computer that has the Application Manager console installed.

2. Select File > Connect Network Registry. The Select Computer dialog box is displayed.

3. Locate the computer and click OK. If you can see the registry keys, you have access.

The Rules Analyzer console allows you to diagnose Application Manager problems by connecting directly to computers managed by Application Manager, and includes:

Creating Log Files – You can create log files on managed endpoints.

Examining Log Files – You can retrieve and examine log files to view the requests processed by Application Manager. In particular you can see which rules were applied to each request and whether the request was allowed or denied.

ProgramData is a hidden folder. Open Windows Explorer and type C:\ProgramData in the Address bar. Press Enter to open the folder.

On remote computers running Microsoft Vista and above, File Sharing and Remote Registry Service are disabled by default and must be enabled to ensure Rules Analyzer can access or create log files.

Turn on File Sharing in Start > Control Panel > Network and Sharing Center. Start the Remote Registry Service in Start > Control Panel > Administrative Tools > Services.


WORKING WITH RULES ANALYZER

The Rules Analyzer console has various options that you can use during operations. The first thing that is required is to add an endpoint to the list of endpoints that the Rules Analyzer can interact with.

ADD AN ENDPOINT

1. Select the Rules Analyzer button in the navigation pane. The Rules Analyzer navigation tree displays.

2. Click the Add Endpoint button on the Rules Analyzer ribbon page > Endpoint Management group.

3. Select either Browse Deployment Group or Browse Domain/Workgroup depending on the location of the endpoint you want to add.

Browse Deployment Group displays the Select Management Server dialog box.

Browse Domain/Workgroup displays the Active Directory Select Computers dialog box.

4. Locate the required endpoint and click Add.

A new node is created for the selected endpoint under the Endpoints node in the navigation tree.

Once the endpoints have been added you can right-click on a specific computer and select any of the following options:

Start Logging

Stop Logging - Only enabled once logging is started.

Import

Remove Endpoint

START AND STOP LOGGING

1. Select the endpoint in the navigation tree.

2. Select Start Logging on the Rules Analyzer ribbon page > Data Acquisition group.

3. When required, for example, after you have recreated a problem on the endpoint, select Stop Logging on the Rules Analyzer ribbon page > Data Acquisition group. The File dialog box is displayed.

4. Enter a name for the log file and click OK. The XML file is displayed in the navigation tree.

All log files for a given computer are stored on the local machine during logging and are temporarily stored in the following location:

C:\Documents and Settings\All Users\Application Data\AppSense\Application Manager\Rules Analyzer\RulesAnalyzerLog.xml

Rules Analyzer files can be large so this feature should only be used when a problem manifests itself and investigation is required.


When logging is stopped on the specific endpoint, the log file is closed and transferred to the computer that is running the Rules Analyzer, where it is stored in the cache for the endpoint in question. The cache is held in the following location:

C:\Documents and Settings\All Users\Application Data\AppSense\Application Manager\Rules Analyzer\

The naming convention for the files is ComputerName^enteredname. For example, C:\Documents and Settings\All Users\Application Data\AppSense\Application Manager\Rules Analyzer\APPUKTECHPUBS2^Regedit.xml.

The computer name is the name of the endpoint as it is entered in the User Interface. Therefore, if it is an IP address it is stored as IPAddress^enteredname.xml.

The entered name is the name given to the XML file in the Rules Analyzer.

Log Files

The Rules Analyzer console displays the information regarding execution requests in several different ways to enable easy access to the details.

Log File Contents Summary

The Summary page displays when you select a log file in the navigation tree.

It shows the number of requests processed by Application Manager. The top row of the table shows the total number of requests for all users; the remaining rows show the number of requests for each user. The Total column shows the total number of requests, allowed and denied. The Allowed and Denied columns show the number of allowed and denied requests respectively.

Click on any link to display the Log File Contents Request List.

For Windows Vista and above, this and the following files are stored in the allusersprofile folder in ProgramData. ProgramData is a hidden folder. Open Windows Explorer and type C:\ProgramData in the Address bar. Press Enter to open the folder.


Figure 9.1 Rules Analyzer Summary Page

Log File Contents Request List

The Request List page displays a list of Application Manager requests when you click a link in the Summary page.

The requests are listed in the order in which they were processed by Application Manager.

Each request displays a green tick or red cross to indicate whether the request was allowed or denied.

Click on a request link to display the Log File Contents Request Details.

To export the log file in XML format select the Export ribbon button.

You can select View the requests by processing time on the Summary page to display a Request List page showing requests sorted with the longest running request first.


Figure 9.2 Rules Analyzer Log File Contents Request List

Log File Contents Request Information

The Request Information page displays details of a particular request when you click a request in the Request List page.

The Request Information page displays each rule applied by Application Manager in processing the request. The rules are listed in the order applied. The last rule in the list determines the final result – allow or deny. The rule information includes links which, when selected, display popup messages providing an explanation for the rule item.


Figure 9.3 Rules Analyzer Log File Contents Request Details

Use the Return link at the top of the page to navigate to the previous page and the Summary link to return to the Summary page. The Back button on the console toolbar is for navigating the navigation tree.

Use the shortcut keys Ctrl+F to search within the request pages.

10 Scripting

In this section:

Overview on page 152

Sample Scripting Reference on page 153

Object Types on page 188

Configuration Helper Object on page 209

OVERVIEW

This chapter provides a reference to the AppSense Application Manager COM interface object architecture and Visual Basic script samples.


SAMPLE SCRIPTING REFERENCE

This section details Visual Basic script examples showing common operations that can be performed with the Application Manager scriptable interface and includes:

Loading and Saving Configurations

Default Rules

Group Rules

User Rules

Device Rules

Custom Rules

Scripted Rules

Process Rules

Rule List Items

Configure Properties

Network Connections

User Rights Management (URM)


Loading and Saving Configurations

Create a New Configuration and Save to File

Create a New Configuration and Save to Live Configuration

Create a New Configuration and Save to File

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the default configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.DefaultConfiguration
Configuration.ParseXML ConfigurationXml
'Save the configuration to file
ConfigurationHelper.SaveLocalConfiguration "C:\Configuration.aamp", Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Create a New Configuration and Save to Live Configuration

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the default configuration
Configuration.ParseXML ConfigurationHelper.DefaultConfiguration
'Save the blank configuration as the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Default Rules

Edit a Default Rules Configuration


Edit a Default Rules Configuration

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Change two Default Rules settings
Configuration.DefaultRules.AllowCMDForBatchFiles = True
Configuration.DefaultRules.ValidateSystemProcesses = False
'Add a trusted owner to the configuration
Dim theTrustedOwner
Set theTrustedOwner = Configuration.ManufactureInstanceFromClassName("AM.TrustedOwner")
theTrustedOwner.DisplayName = "%COMPUTERNAME%\Guest"
theTrustedOwner.SID = "S-1-5-Domain-501"
Configuration.DefaultRules.TrustedOwners.Add theTrustedOwner.Xml
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

The DefaultConfiguration( ) method only returns a configuration in the English language. This means that some group names and other text in the configuration may not be in the native language of the operating system, which can result in the configuration not being applied correctly.

For non-English operating systems it is necessary to export the default configuration from the product console on a native operating system. This can be stored as a file on the network or distributed to the machine where the configuration scripting will be performed. Once this is done, use the LoadLocalConfiguration( ) method in place of the DefaultConfiguration( ) method. This will produce the same configuration but in the correct native language.
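The following script is an added example, not one of the product guide's samples, that puts the note above into practice: it loads an exported native-language default configuration with LoadLocalConfiguration( ), refuses to touch the live configuration if that load fails or returns nothing, and only then applies the Default Rules edits shown earlier. The share path is a placeholder, and LoadLocalConfiguration( ) is assumed to take the file path and return the configuration XML, as the counterpart of SaveLocalConfiguration(path, xml).

```vbscript
Option Explicit

' Placeholder path: the default configuration exported from the console on a
' native-language operating system, as described in the note above.
Const NATIVE_DEFAULT_CONFIG = "\\fileserver\share\DefaultConfiguration.aamp"

Dim Configuration, ConfigurationHelper, ConfigurationXml

Set Configuration = CreateObject("AM.Configuration.2")
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

' Assumption: LoadLocalConfiguration takes the file path and returns the XML,
' mirroring SaveLocalConfiguration(path, xml) used in the samples above.
On Error Resume Next
ConfigurationXml = ConfigurationHelper.LoadLocalConfiguration(NATIVE_DEFAULT_CONFIG)
If Err.Number <> 0 Or Len(ConfigurationXml) = 0 Then
    ' Fail closed: never replace the live configuration with an empty or
    ' partially loaded one, which could leave the endpoint unprotected.
    WScript.Echo "Could not load " & NATIVE_DEFAULT_CONFIG & ": " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

Configuration.ParseXML ConfigurationXml

' The same Default Rules edits as the sample above, now applied to the
' native-language base configuration instead of DefaultConfiguration().
Configuration.DefaultRules.AllowCMDForBatchFiles = True
Configuration.DefaultRules.ValidateSystemProcesses = False

' Only reached when the native-language configuration loaded successfully.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml

Set ConfigurationHelper = Nothing
Set Configuration = Nothing
```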


Group

Create

Edit a

Rules

Create a Group Rule

Edit a Group Rule

Delete a Group Rule

a Group RuleDim ConfigurationSet Configuration = CreateObject("AM.Configuration.2")Dim ConfigurationHelperSet ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")'Load the live configurationDim ConfigurationXmlConfigurationXml = ConfigurationHelper.LoadLiveConfigurationConfiguration.ParseXML ConfigurationXmlDim GroupRuleSet GroupRule = Configuration.ManufactureInstanceFromClassName("AM.GroupRule")GroupRule.DisplayName = "BUILTIN\Remote Desktop Users"GroupRule.SID = "S-1-5-32-555"Set GroupRule = Configuration.GroupRules.Add(GroupRule.Xml)Set GroupRule = Configuration.ManufactureInstanceFromClassName("AM.GroupRule")GroupRule.DisplayName = "Everyone"GroupRule.SID = "S-1-5-Domain"Set GroupRule = Configuration.GroupRules.Add(GroupRule.Xml)ConfigurationHelper.SaveLiveConfiguration Configuration.XmlSet ConfigurationHelper = NothingSet Configuration = Nothing

Edit a Group Rule

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Change the SID of the Everyone group
Configuration.GroupRules.Item("Everyone").SID = "S-1-1-0"
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete a Group Rule

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Create the group rule
Dim GroupRule
Set GroupRule = Configuration.ManufactureInstanceFromClassName("AM.GroupRule")
GroupRule.DisplayName = "BUILTIN\Remote Desktop Users"
GroupRule.SID = "S-1-5-32-555"
Configuration.GroupRules.Add GroupRule.Xml
'Delete the rule
Configuration.GroupRules.Remove "BUILTIN\Remote Desktop Users"
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

User Rules

Create a User Rule
Edit a User Rule
Delete a User Rule

Create a User Rule

Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Create and add the new user rule
Dim UserRule
Set UserRule = Configuration.ManufactureInstanceFromClassName("AM.UserRule")
UserRule.DisplayName = "%COMPUTERNAME%\Guest"
UserRule.SID = "S-1-5-Domain-501"
Configuration.UserRules.Add UserRule.Xml
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Edit a User Rule

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Modify the user rule
Dim UserRule
Set UserRule = Configuration.UserRules.Item("%COMPUTERNAME%\Guest")
UserRule.SID = "S-1-5-Domain-501"
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete a User Rule

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Remove the user rule
Configuration.UserRules.Remove "%COMPUTERNAME%\Guest"
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Device Rules

Create a Device Rule
Edit a Device Rule
Delete a Device Rule

Create a Device Rule

' Constant definitions for the device type (AM_DeviceType_*) values.
const AM_DeviceType_Computer = 0
const AM_DeviceType_ConnectingDevice = 1
' Constant definitions for the AM.HostNameType enumeration.
const AM_HostNameType_HostName = 0
const AM_HostNameType_IPAddress = 1
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Create a device rule
Dim DeviceRule
Set DeviceRule = Configuration.ManufactureInstanceFromClassName("AM.DeviceRule")
DeviceRule.Name = "Device Rule (1)"
Configuration.DeviceRules.Add DeviceRule.Xml
'Add a device to the rule
Dim Device
Set Device = Configuration.ManufactureInstanceFromClassName("AM.Device")
Device.Host = "192.168.0.1"
Device.NameType = AM_HostNameType_IPAddress
Configuration.DeviceRules.Item("Device Rule (1)").Devices.Add Device.Xml
'Add another device to the rule
Dim AnotherDevice
Set AnotherDevice = Configuration.ManufactureInstanceFromClassName("AM.Device")
AnotherDevice.Host = "192.168.0.2"
AnotherDevice.NameType = AM_HostNameType_IPAddress
Configuration.DeviceRules.Item("Device Rule (1)").Devices.Add AnotherDevice.Xml
Configuration.DeviceRules.Item("Device Rule (1)").Devices.Item("192.168.0.2").HostType = AM_DeviceType_ConnectingDevice
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Edit a Device Rule

' Constant definitions for the AM.SecurityLevel enumeration.
const AM_SecurityLevel_Restricted = 0
const AM_SecurityLevel_SelfAuthorizing = 1
const AM_SecurityLevel_Unrestricted = 2
const AM_SecurityLevel_AuditOnly = 3
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Create a device rule
Dim DeviceRule
Set DeviceRule = Configuration.ManufactureInstanceFromClassName("AM.DeviceRule")
DeviceRule.Name = "Device Rule (1)"
Configuration.DeviceRules.Add DeviceRule.Xml
Configuration.DeviceRules.Item("Device Rule (1)").Name = "My Device Rule"
Configuration.DeviceRules.Item("My Device Rule").SecurityLevel = AM_SecurityLevel_AuditOnly
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete a Device Rule

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Remove "Device Rule (1)"
Configuration.DeviceRules.Remove "Device Rule (1)"
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Custom Rules

Create a Custom Rule
Edit a Custom Rule
Delete a Custom Rule

Create a Custom Rule

' Constant definitions for the AM.SecurityLevel enumeration.
const AM_SecurityLevel_Restricted = 0
const AM_SecurityLevel_SelfAuthorizing = 1
const AM_SecurityLevel_Unrestricted = 2
const AM_SecurityLevel_AuditOnly = 3
' Constant definitions for the AM.HostNameType enumeration.
const AM_HostNameType_HostName = 0
const AM_HostNameType_IPAddress = 1
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Create the custom rule and add it to the configuration.
Dim CustomRule
Set CustomRule = Configuration.ManufactureInstanceFromClassName("AM.CustomRule")
CustomRule.Name = "Custom Rule (1)"
Configuration.CustomRules.Add CustomRule.Xml
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Edit a Custom Rule

' Constant definitions for the AM.SecurityLevel enumeration.
const AM_SecurityLevel_Restricted = 0
const AM_SecurityLevel_SelfAuthorizing = 1
const AM_SecurityLevel_Unrestricted = 2
const AM_SecurityLevel_AuditOnly = 3
' Constant definitions for the AM.HostNameType enumeration.
const AM_HostNameType_HostName = 0
const AM_HostNameType_IPAddress = 1
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Set the account for the rule.
Configuration.CustomRules.Item("Custom Rule (1)").DisplayName = "BUILTIN\Administrators"
Configuration.CustomRules.Item("Custom Rule (1)").SID = "S-1-5-32-544"
'Add a device to the rule
Dim Device
Set Device = Configuration.ManufactureInstanceFromClassName("AM.Device")
Device.Host = "192.168.0.1"
Device.NameType = AM_HostNameType_IPAddress
Configuration.CustomRules.Item("Custom Rule (1)").Devices.Add Device.Xml
Configuration.CustomRules.Item("Custom Rule (1)").SecurityLevel = AM_SecurityLevel_Unrestricted
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete a Custom Rule

' Constant definitions for the AM.SecurityLevel enumeration.
const AM_SecurityLevel_Restricted = 0
const AM_SecurityLevel_SelfAuthorizing = 1
const AM_SecurityLevel_Unrestricted = 2
const AM_SecurityLevel_AuditOnly = 3
' Constant definitions for the AM.HostNameType enumeration.
const AM_HostNameType_HostName = 0
const AM_HostNameType_IPAddress = 1
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Remove the rule
Configuration.CustomRules.Remove "Custom Rule (1)"
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Scripted Rules

Create a Scripted Rule
Edit a Scripted Rule
Delete a Scripted Rule

Create a Scripted Rule

' Constant definitions for the AM.ExecutionContext enumeration.
const AM_ExecutionContext_PerSessionAsUser = 0
const AM_ExecutionContext_PerSessionAsSystem = 1
const AM_ExecutionContext_PerComputerAsSystem = 2
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Create the scripted rule.
Dim ScriptedRule
Set ScriptedRule = Configuration.ManufactureInstanceFromClassName("AM.ScriptedRule")
ScriptedRule.Name = "Scripted Rule (1)"
Configuration.ScriptedRules.Add ScriptedRule.Xml
Configuration.ScriptedRules.Item("Scripted Rule (1)").WaitForLogin = True
'The rule script is a VBScript function; Chr(10) separates its lines and the
'trailing underscore continues the statement onto the next line.
Configuration.ScriptedRules.Item("Scripted Rule (1)").Script = "Function ScriptedRule()" & Chr(10) & "'Test scripted rule" _
    & Chr(10) & "ScriptedRule=TRUE" & Chr(10) & "End Function"
Configuration.ScriptedRules.Item("Scripted Rule (1)").EntryFunction = "ScriptedRule"
Configuration.ScriptedRules.Item("Scripted Rule (1)").Timeout = 6
Configuration.ScriptedRules.Item("Scripted Rule (1)").Context = AM_ExecutionContext_PerSessionAsSystem
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Edit a Scripted Rule

' Constant definitions for the AM.ExecutionContext enumeration.
const AM_ExecutionContext_PerSessionAsUser = 0
const AM_ExecutionContext_PerSessionAsSystem = 1
const AM_ExecutionContext_PerComputerAsSystem = 2
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Create the scripted rule.
Dim ScriptedRule
Set ScriptedRule = Configuration.ManufactureInstanceFromClassName("AM.ScriptedRule")
ScriptedRule.Name = "Scripted Rule (1)"
Configuration.ScriptedRules.Add ScriptedRule.Xml
Dim CurrentScriptedRule
For Each CurrentScriptedRule in Configuration.ScriptedRules
    If CurrentScriptedRule.Name = "Scripted Rule (1)" Then
        CurrentScriptedRule.Timeout = 7
    End If
Next
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete a Scripted Rule

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Remove the scripted rule.
Configuration.ScriptedRules.Remove "Scripted Rule (1)"
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Process Rules

Create a Process Rule
Edit a Process Rule
Delete a Process Rule

Create a Process Rule

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Create a process rule
Dim ProcessRule
Set ProcessRule = Configuration.ManufactureInstanceFromClassName("AM.ProcessRule")
ProcessRule.Name = "Process Rule (1)"
Configuration.ProcessRules.Add ProcessRule.Xml
'Add a file process to the rule
Dim FileProcess
Set FileProcess = Configuration.ManufactureInstanceFromClassName("AM.File")
FileProcess.Path = "c:\windows\system32\notepad.exe"
FileProcess.CommandLine = "c:\windows\system32\notepad.exe"
Configuration.ProcessRules.Item("Process Rule (1)").FileProcessItems.Add FileProcess.Xml
'Add another file to the rule
Dim AnotherFile
Set AnotherFile = Configuration.ManufactureInstanceFromClassName("AM.File")
AnotherFile.Path = "c:\windows\system32\cmd.exe"
AnotherFile.CommandLine = "c:\windows\system32\cmd.exe"
Configuration.ProcessRules.Item("Process Rule (1)").FileProcessItems.Add AnotherFile.Xml
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Edit a Process Rule

' Constant definitions for the AM.SecurityLevel enumeration.
const AM_SecurityLevel_Restricted = 0
const AM_SecurityLevel_SelfAuthorizing = 1
const AM_SecurityLevel_Unrestricted = 2
const AM_SecurityLevel_AuditOnly = 3
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
Configuration.ProcessRules.Item("Process Rule (1)").Name = "My Process Rule"
Configuration.ProcessRules.Item("My Process Rule").SecurityLevel = AM_SecurityLevel_AuditOnly
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete a Process Rule

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Remove "Process Rule (1)"
Configuration.ProcessRules.Remove "Process Rule (1)"
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Rule List Items

Add a File
Edit a File
Delete a File
Add a Folder
Edit a Folder
Add a Digital Signature
Editing a Digital Signature
Deleting a Digital Signature
Add and Delete Drives
Add a Trusted Vendor
Edit a Trusted Vendor
Delete a Trusted Vendor

Add a File

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Add a file to the list of accessible files.
Dim AccessibleFile
Set AccessibleFile = Configuration.ManufactureInstanceFromClassName("AM.File")
AccessibleFile.Path = "calc.exe"
AccessibleFile.CommandLine = "calc.exe"
Configuration.GroupRules.Item("Everyone").AccessibleFiles.Add AccessibleFile.Xml
'Add a file to the list of prohibited files.
Dim ProhibitedFile
Set ProhibitedFile = Configuration.ManufactureInstanceFromClassName("AM.File")
ProhibitedFile.Path = "regedit.exe"
ProhibitedFile.CommandLine = "regedit.exe"
Configuration.GroupRules.Item("Everyone").ProhibitedFiles.Add ProhibitedFile.Xml
'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Edit a File

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Edit calc.exe.
Configuration.GroupRules.Item("Everyone").AccessibleFiles.Item("calc.exe").TrustedOwnershipChecking = False
Configuration.GroupRules.Item("Everyone").AccessibleFiles.Item("calc.exe").ApplicationLimit = 5
'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
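Several of the samples above relax enforcement rather than tighten it: ValidateSystemProcesses = False and AllowCMDForBatchFiles = True in the default rules, SecurityLevel = AM_SecurityLevel_AuditOnly or AM_SecurityLevel_Unrestricted on device, custom and process rules, and TrustedOwnershipChecking = False on an accessible file. The read-only audit script below is an added example, not part of the product guide, that loads the live configuration through the same AM.Configuration.2 and AM.ConfigurationHelper.1 objects and reports each of those settings without saving anything. It assumes that the GroupRules, ProcessRules, DeviceRules, CustomRules and AccessibleFiles collections can be enumerated with For Each, which the guide shows only for ScriptedRules, and that the file property reconstructed from the "Edit a File" sample is named TrustedOwnershipChecking.

```vbscript
' Added audit example (not from the AppSense product guide): report settings in
' the live Application Manager configuration that reduce enforcement.
' Assumption (not confirmed by the guide): the rule and file collections below
' support For Each enumeration like ScriptedRules does in "Edit a Scripted Rule".
Option Explicit

' Constant definitions for the AM.SecurityLevel enumeration.
const AM_SecurityLevel_Restricted = 0
const AM_SecurityLevel_SelfAuthorizing = 1
const AM_SecurityLevel_Unrestricted = 2
const AM_SecurityLevel_AuditOnly = 3

Dim Configuration, ConfigurationHelper, ConfigurationXml, Findings
Findings = 0

Set Configuration = CreateObject("AM.Configuration.2")
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")

' Load the live configuration. SaveLiveConfiguration is never called, so this
' script only reads; it cannot change what the agent enforces.
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml

' Default rules: both settings below were changed away from the stricter value
' in the "Edit a Default Rules Configuration" sample.
If Not Configuration.DefaultRules.ValidateSystemProcesses Then
    Report "DefaultRules.ValidateSystemProcesses is False"
End If
If Configuration.DefaultRules.AllowCMDForBatchFiles Then
    Report "DefaultRules.AllowCMDForBatchFiles is True"
End If

' A rule whose security level is anything other than Restricted does not block.
CheckSecurityLevels "Process rule", Configuration.ProcessRules
CheckSecurityLevels "Device rule", Configuration.DeviceRules
CheckSecurityLevels "Custom rule", Configuration.CustomRules

' An accessible file with Trusted Ownership checking disabled is allowed to run
' even when its owner is not in the trusted owners list.
Dim GroupRule, AccessibleFile
For Each GroupRule In Configuration.GroupRules
    For Each AccessibleFile In GroupRule.AccessibleFiles
        If Not AccessibleFile.TrustedOwnershipChecking Then
            Report "Group rule """ & GroupRule.DisplayName & """ allows """ & _
                   AccessibleFile.Path & """ without Trusted Ownership checking"
        End If
    Next
Next

WScript.Echo Findings & " finding(s)"

Set ConfigurationHelper = Nothing
Set Configuration = Nothing

' Report every rule in a collection that is not at the Restricted level.
Sub CheckSecurityLevels(Kind, Rules)
    Dim Rule
    For Each Rule In Rules
        Select Case Rule.SecurityLevel
            Case AM_SecurityLevel_AuditOnly
                Report Kind & " """ & Rule.Name & """ is Audit Only (logs, does not block)"
            Case AM_SecurityLevel_Unrestricted
                Report Kind & " """ & Rule.Name & """ is Unrestricted"
            Case AM_SecurityLevel_SelfAuthorizing
                Report Kind & " """ & Rule.Name & """ is Self-Authorizing"
        End Select
    Next
End Sub

' Print one finding and keep a running count for the summary line.
Sub Report(Message)
    Findings = Findings + 1
    WScript.Echo "WARNING: " & Message
End Sub
```

Run it with cscript.exe on a machine where the Application Manager agent and its COM objects are installed; a clean configuration prints "0 finding(s)".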

Delete a File

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Remove files
Configuration.GroupRules.Item("Everyone").AccessibleFiles.Remove "calc.exe"
Configuration.GroupRules.Item("Everyone").ProhibitedFiles.Remove "regedit.exe"
'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Add a Folder

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
Dim AccessibleFolder
Set AccessibleFolder = Configuration.ManufactureInstanceFromClassName("AM.Folder")
AccessibleFolder.Path = "%ALLUSERSPROFILE%"
Configuration.GroupRules.Item("Everyone").AccessibleFolders.Add AccessibleFolder.Xml
Dim ProhibitedFolder
Set ProhibitedFolder = Configuration.ManufactureInstanceFromClassName("AM.Folder")
ProhibitedFolder.Path = "%SystemDrive%\Utilities"
Configuration.GroupRules.Item("Everyone").ProhibitedFolders.Add ProhibitedFolder.Xml
'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Edit a Folder

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
Configuration.GroupRules.Item("Everyone").AccessibleFolders.Item("%ALLUSERSPROFILE%").Recursive = False
Configuration.GroupRules.Item("Everyone").AccessibleFolders.Item("%ALLUSERSPROFILE%").AccessTimes.MondayTimeRangeCollection.Clear()
Configuration.GroupRules.Item("Everyone").AccessibleFolders.Item("%ALLUSERSPROFILE%").AccessTimes.TuesdayTimeRangeCollection.Clear()
Configuration.GroupRules.Item("Everyone").AccessibleFolders.Item("%ALLUSERSPROFILE%").AccessTimes.WednesdayTimeRangeCollection.Clear()
Configuration.GroupRules.Item("Everyone").AccessibleFolders.Item("%ALLUSERSPROFILE%").AccessTimes.ThursdayTimeRangeCollection.Clear()
Configuration.GroupRules.Item("Everyone").AccessibleFolders.Item("%ALLUSERSPROFILE%").AccessTimes.FridayTimeRangeCollection.Clear()
Configuration.GroupRules.Item("Everyone").AccessibleFolders.Item("%ALLUSERSPROFILE%").AccessTimes.SaturdayTimeRangeCollection.Clear()
Configuration.GroupRules.Item("Everyone").AccessibleFolders.Item("%ALLUSERSPROFILE%").AccessTimes.SundayTimeRangeCollection.Clear()
Dim TimeRange
Set TimeRange = Configuration.ManufactureInstanceFromClassName("AM.TimeRange")
TimeRange.StartHour = 9
TimeRange.EndHour = 13
Configuration.GroupRules.Item("Everyone").AccessibleFolders.Item("%ALLUSERSPROFILE%").AccessTimes.MondayTimeRangeCollection.InsertBefore TimeRange.Xml, 0
Configuration.GroupRules.Item("Everyone").AccessibleFolders.Item("%ALLUSERSPROFILE%").ApplyAccessTimes = True
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete a Folder

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Remove the accessible folder
Configuration.GroupRules.Item("Everyone").AccessibleFolders.Remove "%ALLUSERSPROFILE%"
'Remove the prohibited folder
Configuration.GroupRules.Item("Everyone").ProhibitedFolders.Remove "%SystemDrive%\Utilities"
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Add a Digital Signature

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Create new signature item
Dim SignatureFile
Set SignatureFile = Configuration.ManufactureInstanceFromClassName("AM.SignatureFile")
SignatureFile.SHA1Hash = ConfigurationHelper.ReadSha1HashFromFile("C:\WINDOWS\regedit.exe")
SignatureFile.Path = "C:\WINDOWS\regedit.exe"
SignatureFile.CommandLine = SignatureFile.SHA1Hash
'Add the signature to the rule
Configuration.GroupRules.Item("Everyone").AccessibleSignatures.Add SignatureFile.Xml
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Editing a Digital Signature

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Digital signatures are keyed by CommandLine, containing the SHA1 hash, so obtain
'the hash value to access the required item.
Dim sha1Hash
sha1Hash = ConfigurationHelper.ReadSha1HashFromFile("C:\WINDOWS\regedit.exe")
Configuration.GroupRules.Item("Everyone").AccessibleSignatures.Item(sha1Hash).ApplyAccessTimes = False
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Deleting a Digital Signature

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Digital signatures are keyed by SHA1 hash, so obtain the hash value to access the required item.
Dim sha1Hash
sha1Hash = ConfigurationHelper.ReadSha1HashFromFile("C:\WINDOWS\regedit.exe")
Configuration.GroupRules.Item("Everyone").AccessibleSignatures.Remove sha1Hash
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Add and Delete Drives

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Add first drive
Dim FirstDrive
Set FirstDrive = Configuration.ManufactureInstanceFromClassName("AM.Drive")
FirstDrive.Path = "H"
Configuration.GroupRules.Item("Everyone").AccessibleDrives.Add FirstDrive.Xml
'Add a second drive
Dim SecondDrive
Set SecondDrive = Configuration.ManufactureInstanceFromClassName("AM.Drive")
SecondDrive.Path = "I"
Configuration.GroupRules.Item("Everyone").AccessibleDrives.Add SecondDrive.Xml
'Remove the first drive that was added
Configuration.GroupRules.Item("Everyone").AccessibleDrives.Remove "H"
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Add a Trusted Vendor

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Use the helper object to read the certificate from the signed file
Dim CertificateData
CertificateData = ConfigurationHelper.ReadCertificateFromFile("C:\Program Files\Internet Explorer\iexplore.exe", 0)
Dim DigitalCertificate
Set DigitalCertificate = Configuration.ManufactureInstanceFromClassName("AM.DigitalCertificate")
DigitalCertificate.RawCertificateData = CertificateData
DigitalCertificate.Description = "Microsoft Corporation - Internet Explorer Certificate"
Set DigitalCertificate = Configuration.GroupRules.Item("Everyone").TrustedVendors.Add(DigitalCertificate.Xml)
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Edit a Trusted Vendor

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Use the helper object to read the certificate from the signed file
Dim CertificateData
CertificateData = ConfigurationHelper.ReadCertificateFromFile("C:\Program Files\Internet Explorer\iexplore.exe", 0)
Configuration.GroupRules.Item("Everyone").TrustedVendors.Item(CertificateData).EnforceExpiryDate = True
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

a Trusted Vendor'Create the configurationDim ConfigurationSet Configuration = CreateObject("AM.Configuration.2")'Create the configuration helperDim ConfigurationHelperSet ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")'Load the live configurationDim ConfigurationXmlConfigurationXml = ConfigurationHelper.LoadLiveConfigurationConfiguration.ParseXML ConfigurationXml'Use the helper object to read the certificate from the signed fileDim CertificateDataCertificateData = ConfigurationHelper.ReadCertificateFromFile("C:\Program Files\IConfiguration.GroupRules.Item("Everyone").TrustedVendors.Remove CertificateData'Save the live configurationConfigurationHelper.SaveLiveConfiguration Configuration.XmlSet ConfigurationHelper = Nothing

Page 185: AppSense Application Manager Product Guide

APPLICATION MANAGER PRODUCT GUIDE 10 SCRIPTINGSample Scripting Reference 175

Config

Messa

les"

""ized."

Once

ication Network Access Control"

Set Configuration = Nothing

ure Properties

Message Settings

Archive Options

ge Settings' Constant definitions for the AM.ANACMessageFrequencyType enumeration.const AM_ANACMessageFrequencyType_EveryConnectionAttempt = 0const AM_ANACMessageFrequencyType_Once = 1const AM_ANACMessageFrequencyType_UseDelayBetweenMessages = 2'Create the configurationDim ConfigurationSet Configuration = CreateObject("AM.Configuration.2")'Create the configuration helperDim ConfigurationHelperSet ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")'Load the live configurationDim ConfigurationXmlConfigurationXml = ConfigurationHelper.LoadLiveConfigurationConfiguration.ParseXML ConfigurationXml'Modify the message settingsConfiguration.MessageSettings.AccessDeniedMessageCaption = "Warning"Configuration.MessageSettings.AccessDeniedMessageBody = "File has been blocked"Configuration.MessageSettings.ApplicationLimitsExceededMessageCaption = "Warning"Configuration.MessageSettings.ApplicationLimitsExceededMessageBody = "Too many fiConfiguration.MessageSettings.DisplayInitialWarningMessage = FalseConfiguration.MessageSettings.CloseApplication = FalseConfiguration.MessageSettings.TerminateApplication = FalseConfiguration.MessageSettings.WaitTime = 120Configuration.MessageSettings.TimeLimitsWarningMessageCaption = "Warning"Configuration.MessageSettings.TimeLimitsWarningMessageBody = "Out of time"Configuration.MessageSettings.TimeLimitsDeniedMessageCaption = "Warning"Configuration.MessageSettings.TimeLimitsDeniedMessageBody = "Wrong time"Configuration.MessageSettings.SelfAuthorizationMessageCaption = "Warning"Configuration.MessageSettings.SelfAuthorizationMessageBody = "Needs authorizationConfiguration.MessageSettings.SelfAuthorizationResponseCaption = "Authorized FileConfiguration.MessageSettings.SelfAuthorizationResponseBody = "File is now authorConfiguration.MessageSettings.ANACMessageBoxEnabled = TrueConfiguration.MessageSettings.ANACMessageFrequency = AM_ANACMessageFrequencyType_Configuration.MessageSettings.ANACMessageDelayBetweenMessageBoxes = 
60Configuration.MessageSettings.ANACMessageBoxCaption = "Application Manager - Appl

Page 186: AppSense Application Manager Product Guide

APPLICATION MANAGER PRODUCT GUIDE 10 SCRIPTINGSample Scripting Reference 176

ied access to %NetworkLocation%."

Archiv

der")

rchiveFolder.Xml, 1)

Netw

Configuration.MessageSettings.ANACMessageBoxBody = "%ExecutableName% has been den'Save the live configurationConfigurationHelper.SaveLiveConfiguration Configuration.XmlSet ConfigurationHelper = NothingSet Configuration = Nothing

e Options'Create the configurationDim ConfigurationSet Configuration = CreateObject("AM.Configuration.2")'Create the configuration helperDim ConfigurationHelperSet ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")'Load the live configurationDim ConfigurationXmlConfigurationXml = ConfigurationHelper.LoadLiveConfigurationConfiguration.ParseXML ConfigurationXml'Modify the archiving settingsDim ArchiveFolderSet ArchiveFolder = Configuration.ManufactureInstanceFromClassName("AM.ArchiveFolArchiveFolder.Path = "C:\ArchiveBackup"Set ArchiveFolder = Configuration.ArchivingSettings.ArchiveFolders.InsertBefore(AConfiguration.ArchivingSettings.ArchivingEnabled = TrueConfiguration.ArchivingSettings.AnonymousEnabled = TrueConfiguration.ArchivingSettings.UserLimit = 26Configuration.ArchivingSettings.TotalLimit = 51Configuration.ArchivingSettings.NoAdminOwnedFiles = TrueConfiguration.ArchivingSettings.OverwriteExistingFiles = FalseConfiguration.ArchivingSettings.ArchiveLessThanEnabled = TrueConfiguration.ArchivingSettings.OverwriteOldest = TrueConfiguration.ArchivingSettings.ArchiveLessThanAmount = 10'Save the live configurationConfigurationHelper.SaveLiveConfiguration Configuration.XmlSet ConfigurationHelper = NothingSet Configuration = Nothing

ork Connections

Add Network Connections

Edit Network Connections

Delete Network Connections

Add Network Connections

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Add a connection to the list of accessible connections.
Dim AccessibleConn
Set AccessibleConn = Configuration.ManufactureInstanceFromClassName("AM.NetworkConnection")
AccessibleConn.Path = "www.google.com:80/foo/*"
AccessibleConn.Address = "www.google.com"
AccessibleConn.Port = 80
AccessibleConn.Resource = "/foo/*"
AccessibleConn.UseWildcards = True
AccessibleConn.AddressType = 0
Configuration.GroupRules.Item("Everyone").AccessibleNetworkConnections.Add AccessibleConn.Xml
'Add a connection to the list of prohibited connections.
Dim ProhibitedConn
Set ProhibitedConn = Configuration.ManufactureInstanceFromClassName("AM.NetworkConnection")
ProhibitedConn.Path = "www.facebook.com"
ProhibitedConn.AddressType = 0
ProhibitedConn.Description = "www.facebook.com"
Configuration.GroupRules.Item("Everyone").ProhibitedNetworkConnections.Add ProhibitedConn.Xml
'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Edit Network Connections

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Modify the port number of the network connection (the collection is keyed by Path)
Configuration.GroupRules.Item("Everyone").AccessibleNetworkConnections.Item("www.google.com:80/foo/*").Port = 8080
'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete Network Connections

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Remove the network connection
Configuration.GroupRules.Item("Everyone").ProhibitedNetworkConnections.Remove "www.facebook.com"
'Save the live configuration.
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

User Rights Management (URM)

Create URM Policies

Edit URM Policies

Delete URM Policies

Add a User Rights File

Edit a User Rights File

Delete a User Rights File

Create URM Policies

'URM Group Action options
const AM_URMGroupAction_Add = 0
const AM_URMGroupAction_Drop = 1
'URM Privileges
const AM_URMPrivilegeConstant_SeAssignPrimaryTokenPrivilege = 0
const AM_URMPrivilegeConstant_SeAuditPrivilege = 1
const AM_URMPrivilegeConstant_SeBackupPrivilege = 2
const AM_URMPrivilegeConstant_SeChangeNotifyPrivilege = 3
const AM_URMPrivilegeConstant_SeCreateGlobalPrivilege = 4
const AM_URMPrivilegeConstant_SeCreatePagefilePrivilege = 5
const AM_URMPrivilegeConstant_SeCreatePermanentPrivilege = 6
const AM_URMPrivilegeConstant_SeCreateSymbolicLinkPrivilege = 7
const AM_URMPrivilegeConstant_SeCreateTokenPrivilege = 8
const AM_URMPrivilegeConstant_SeDebugPrivilege = 9
const AM_URMPrivilegeConstant_SeEnableDelegationPrivilege = 10
const AM_URMPrivilegeConstant_SeImpersonatePrivilege = 11
const AM_URMPrivilegeConstant_SeIncreaseBasePriorityPrivilege = 12
const AM_URMPrivilegeConstant_SeIncreaseQuotaPrivilege = 13
const AM_URMPrivilegeConstant_SeIncreaseWorkingSetPrivilege = 14
const AM_URMPrivilegeConstant_SeLoadDriverPrivilege = 15
const AM_URMPrivilegeConstant_SeLockMemoryPrivilege = 16
const AM_URMPrivilegeConstant_SeMachineAccountPrivilege = 17
const AM_URMPrivilegeConstant_SeManageVolumePrivilege = 18
const AM_URMPrivilegeConstant_SeProfileSingleProcessPrivilege = 19
const AM_URMPrivilegeConstant_SeRelabelPrivilege = 20
const AM_URMPrivilegeConstant_SeRemoteShutdownPrivilege = 21
const AM_URMPrivilegeConstant_SeRestorePrivilege = 22
const AM_URMPrivilegeConstant_SeSecurityPrivilege = 23
const AM_URMPrivilegeConstant_SeShutdownPrivilege = 24
const AM_URMPrivilegeConstant_SeSyncAgentPrivilege = 25
const AM_URMPrivilegeConstant_SeSystemEnvironmentPrivilege = 26
const AM_URMPrivilegeConstant_SeSystemProfilePrivilege = 27
const AM_URMPrivilegeConstant_SeSystemtimePrivilege = 28
const AM_URMPrivilegeConstant_SeTakeOwnershipPrivilege = 29
const AM_URMPrivilegeConstant_SeTcbPrivilege = 30
const AM_URMPrivilegeConstant_SeTimeZonePrivilege = 31
const AM_URMPrivilegeConstant_SeTrustedCredManAccessPrivilege = 32
const AM_URMPrivilegeConstant_SeUndockPrivilege = 33
const AM_URMPrivilegeConstant_SeUnsolicitedInputPrivilege = 34
'URM Privilege actions
const AM_URMPrivilegeAction_NoChange = 0
const AM_URMPrivilegeAction_Enable = 1
const AM_URMPrivilegeAction_Disable = 2
const AM_URMPrivilegeAction_Remove = 3
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Create a new URMPolicy
Dim URMPolicy
Set URMPolicy = Configuration.ManufactureInstanceFromClassName("AM.URMPolicy")
URMPolicy.Name = "Add Administrator"
Configuration.URMPolicies.Add URMPolicy.Xml
'Add a Group Behaviour Action
Dim URMBehaviour
Set URMBehaviour = Configuration.ManufactureInstanceFromClassName("AM.URMGroupBehaviour")
URMBehaviour.DisplayName = "BUILTIN\Administrators"
URMBehaviour.SID = "S-1-5-32-544"   'well-known SID of BUILTIN\Administrators
URMBehaviour.Action = AM_URMGroupAction_Add
Configuration.URMPolicies("Add Administrator").GroupMembershipActions.Add URMBehaviour.Xml

'Set up the privilege actions. One AM.URMPrivilege object is reused: each Add stores a
'snapshot of its Xml, so the same object can be re-filled for the next privilege.
Dim PrivilegeAction
Set PrivilegeAction = Configuration.ManufactureInstanceFromClassName("AM.URMPrivilege")
PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeAssignPrimaryTokenPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeAssignPrimaryTokenPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeAuditPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeAuditPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeBackupPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeBackupPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeChangeNotifyPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeChangeNotifyPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeCreateGlobalPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeCreateGlobalPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeCreatePagefilePrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeCreatePagefilePrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeCreatePermanentPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeCreatePermanentPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeCreateSymbolicLinkPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeCreateSymbolicLinkPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeCreateTokenPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeCreateTokenPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeDebugPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeDebugPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeEnableDelegationPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeEnableDelegationPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeImpersonatePrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeImpersonatePrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeIncreaseBasePriorityPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeIncreaseBasePriorityPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeIncreaseQuotaPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeIncreaseQuotaPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeIncreaseWorkingSetPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeIncreaseWorkingSetPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeLoadDriverPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeLoadDriverPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeLockMemoryPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeLockMemoryPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeMachineAccountPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeMachineAccountPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeManageVolumePrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeManageVolumePrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeProfileSingleProcessPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeProfileSingleProcessPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeRelabelPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeRelabelPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeRemoteShutdownPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeRemoteShutdownPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeRestorePrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeRestorePrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeSecurityPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeSecurityPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeShutdownPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeShutdownPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeSyncAgentPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeSyncAgentPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeSystemEnvironmentPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeSystemEnvironmentPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeSystemProfilePrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeSystemProfilePrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeSystemtimePrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeSystemtimePrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeTakeOwnershipPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeTakeOwnershipPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeTcbPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeTcbPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeTimeZonePrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeTimeZonePrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeTrustedCredManAccessPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeTrustedCredManAccessPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeUndockPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeUndockPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

PrivilegeAction.Action = AM_URMPrivilegeAction_NoChange
PrivilegeAction.Name = "SeUnsolicitedInputPrivilege"
PrivilegeAction.Privilege = AM_URMPrivilegeConstant_SeUnsolicitedInputPrivilege
Configuration.URMPolicies("Add Administrator").PrivilegeActions.Add PrivilegeAction.Xml

'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing
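The Create URM Policies listing above repeats the same four lines for each of the 35 privileges, and a misspelled constant in VBScript silently evaluates to 0 rather than failing. The following Python script is an added example, not part of the guide: it generates that listing from a short specification using the guide's constant names and values, rejects names outside the guide's enumerations, and reports the actions a reviewer should question before the policy is saved. The HIGH_RISK classification and the BUILTIN_ADMINISTRATORS_SID constant are assumptions of this example; the COM calls it emits are the ones the guide shows.

```python
"""Build and review an Application Manager URM policy script.

Added example, not from the AppSense guide: it generates the VBScript that the
guide's "Create URM Policies" listing writes out by hand for all 35 privileges,
rejects names outside the guide's enumerations, and lists the actions a
reviewer should question before the policy goes live.
"""

# AM_URMPrivilegeConstant_* from the guide: list index == constant value.
PRIVILEGES = [f"Se{p}Privilege" for p in (
    "AssignPrimaryToken Audit Backup ChangeNotify CreateGlobal CreatePagefile "
    "CreatePermanent CreateSymbolicLink CreateToken Debug EnableDelegation Impersonate "
    "IncreaseBasePriority IncreaseQuota IncreaseWorkingSet LoadDriver LockMemory "
    "MachineAccount ManageVolume ProfileSingleProcess Relabel RemoteShutdown Restore "
    "Security Shutdown SyncAgent SystemEnvironment SystemProfile Systemtime TakeOwnership "
    "Tcb TimeZone TrustedCredManAccess Undock UnsolicitedInput").split()]
PRIVILEGE_CONSTANT = {name: value for value, name in enumerate(PRIVILEGES)}
PRIVILEGE_ACTION = {"NoChange": 0, "Enable": 1, "Disable": 2, "Remove": 3}  # AM_URMPrivilegeAction_*
GROUP_ACTION = {"Add": 0, "Drop": 1}                                          # AM_URMGroupAction_*
BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID (assumption of this example, not from the guide)

# Privileges whose holder can step around the OS security boundary outright (the
# reviewer's own classification, not the guide's): enabling one of these in a
# policy is equivalent to handing the process local administrator rights.
HIGH_RISK = frozenset({
    "SeAssignPrimaryTokenPrivilege", "SeBackupPrivilege", "SeCreateTokenPrivilege",
    "SeDebugPrivilege", "SeImpersonatePrivilege", "SeLoadDriverPrivilege",
    "SeRelabelPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
    "SeTcbPrivilege", "SeTrustedCredManAccessPrivilege",
})


def check_spec(privilege_actions, groups):
    # A misspelled constant in VBScript evaluates to Empty (0), i.e. NoChange on
    # SeAssignPrimaryTokenPrivilege, so reject anything the guide does not define.
    for name, action in privilege_actions.items():
        if name not in PRIVILEGE_CONSTANT:
            raise ValueError(f"unknown privilege {name!r}")
        if action not in PRIVILEGE_ACTION:
            raise ValueError(f"unknown privilege action {action!r}")
    for _display_name, _sid, action in groups:
        if action not in GROUP_ACTION:
            raise ValueError(f"unknown group action {action!r}")


def review(privilege_actions, groups):
    """Return one finding per action that materially widens the user's rights."""
    check_spec(privilege_actions, groups)
    findings = []
    for name, action in privilege_actions.items():
        if action == "Enable" and name in HIGH_RISK:
            findings.append(f"{name} enabled: treat the policy as granting local admin")
    for display_name, sid, action in groups:
        if action == "Add" and sid == BUILTIN_ADMINISTRATORS_SID:
            findings.append(f"{display_name} added to the token: full local admin rights")
    return findings


def render_vbscript(policy_name, privilege_actions, groups):
    """Emit the guide's Create URM Policies script for this specification; every
    privilege the guide lists is emitted, defaulting to NoChange as the guide does."""
    check_spec(privilege_actions, groups)
    q = lambda s: s.replace('"', '""')  # VBScript doubles quotes inside strings
    pol = f'Configuration.URMPolicies("{q(policy_name)}")'
    lines = ["'Constant definitions for the URM enumerations listed in the guide"]
    lines += [f"const AM_URMGroupAction_{k} = {v}" for k, v in GROUP_ACTION.items()]
    lines += [f"const AM_URMPrivilegeAction_{k} = {v}" for k, v in PRIVILEGE_ACTION.items()]
    lines += [f"const AM_URMPrivilegeConstant_{k} = {v}" for k, v in PRIVILEGE_CONSTANT.items()]
    lines += [
        "Dim Configuration", 'Set Configuration = CreateObject("AM.Configuration.2")',
        "Dim ConfigurationHelper",
        'Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")',
        "Dim ConfigurationXml", "ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration",
        "Configuration.ParseXML ConfigurationXml",
        "Dim URMPolicy", 'Set URMPolicy = Configuration.ManufactureInstanceFromClassName("AM.URMPolicy")',
        f'URMPolicy.Name = "{q(policy_name)}"', "Configuration.URMPolicies.Add URMPolicy.Xml",
        "Dim URMBehaviour", "Dim PrivilegeAction",
        'Set PrivilegeAction = Configuration.ManufactureInstanceFromClassName("AM.URMPrivilege")',
    ]
    for display_name, sid, action in groups:
        lines += [
            'Set URMBehaviour = Configuration.ManufactureInstanceFromClassName("AM.URMGroupBehaviour")',
            f'URMBehaviour.DisplayName = "{q(display_name)}"', f'URMBehaviour.SID = "{q(sid)}"',
            f"URMBehaviour.Action = AM_URMGroupAction_{action}",
            f"{pol}.GroupMembershipActions.Add URMBehaviour.Xml",
        ]
    for name in PRIVILEGES:  # same order and coverage as the guide's listing
        lines += [
            f"PrivilegeAction.Action = AM_URMPrivilegeAction_{privilege_actions.get(name, 'NoChange')}",
            f'PrivilegeAction.Name = "{name}"',
            f"PrivilegeAction.Privilege = AM_URMPrivilegeConstant_{name}",
            f"{pol}.PrivilegeActions.Add PrivilegeAction.Xml",
        ]
    lines += ["ConfigurationHelper.SaveLiveConfiguration Configuration.Xml",
              "Set ConfigurationHelper = Nothing", "Set Configuration = Nothing"]
    return "\n".join(lines) + "\n"
```

Calling review and render_vbscript with the guide's "Add Administrator" policy (BUILTIN\Administrators added, SeBackupPrivilege enabled as in the Edit listing) yields two findings and a script that is line-for-line the guide's, with the constant block generated instead of typed.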

Edit URM Policies

'URM Group Action options
const AM_URMGroupAction_Add = 0
const AM_URMGroupAction_Drop = 1
'URM Privilege actions
const AM_URMPrivilegeAction_NoChange = 0
const AM_URMPrivilegeAction_Enable = 1
const AM_URMPrivilegeAction_Disable = 2
const AM_URMPrivilegeAction_Remove = 3
'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Enable SeBackupPrivilege and change the BUILTIN\Administrators group action from Add to Drop
Configuration.URMPolicies("Add Administrator").PrivilegeActions("SeBackupPrivilege").Action = AM_URMPrivilegeAction_Enable
Configuration.URMPolicies("Add Administrator").GroupMembershipActions("BUILTIN\Administrators").Action = AM_URMGroupAction_Drop
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete URM Policies

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Remove the policy by name
Configuration.URMPolicies.Remove "Add Administrator"
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Add a User Rights File

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Create a new FileItem
Dim File
Set File = Configuration.ManufactureInstanceFromClassName("AM.File")
File.Path = "notepad.exe"
File.CommandLine = "notepad.exe"
'Create the User Rights rule item, attach the policy and the file to it
Dim URMFile
Set URMFile = Configuration.ManufactureInstanceFromClassName("AM.URMRuleItemPolicy")
URMFile.KeyPath = "notepad.exe"
URMFile.Policy.Policy = Configuration.URMPolicies.Item("Add Administrator").Name
URMFile.Application = File.Xml
Configuration.GroupRules.Item("Everyone").UserRightsRules.URMFiles.Add URMFile.Xml
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Edit a User Rights File

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Create a new FileItem
Dim File
Set File = Configuration.ManufactureInstanceFromClassName("AM.File")
File.Path = "notepad.exe"
File.Arguments = "test.txt"
File.CommandLine = "notepad.exe test.txt"
'Replace the application and re-key the rule item; URMFiles is keyed by KeyPath,
'so the item is addressed as "notepad.exe test.txt" from now on
Configuration.GroupRules.Item("Everyone").UserRightsRules.URMFiles.Item("notepad.exe").Application = File.Xml
Configuration.GroupRules.Item("Everyone").UserRightsRules.URMFiles.Item("notepad.exe").KeyPath = File.CommandLine
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing

Delete a User Rights File

'Create the configuration
Dim Configuration
Set Configuration = CreateObject("AM.Configuration.2")
'Create the configuration helper
Dim ConfigurationHelper
Set ConfigurationHelper = CreateObject("AM.ConfigurationHelper.1")
'Load the live configuration
Dim ConfigurationXml
ConfigurationXml = ConfigurationHelper.LoadLiveConfiguration
Configuration.ParseXML ConfigurationXml
'Remove the rule item by its current key
Configuration.GroupRules.Item("Everyone").UserRightsRules.URMFiles.Remove "notepad.exe test.txt"
'Save the live configuration
ConfigurationHelper.SaveLiveConfiguration Configuration.Xml
Set ConfigurationHelper = Nothing
Set Configuration = Nothing


OBJECT TYPES

This section covers the Application Manager Object Types and includes the following:

Configuration Object

Configuration Helper Object

Configuration Object

The Configuration object represents the Application Manager configuration. It holds data only and contains no business logic.

Generic Base Types for Collections

Map

Methods:

Add(ValueType item)

Description: Adds a new item into the collection.

Parameters: item - The value to be added.

Remove(KeyType kt)

Description: Removes the value with the given key from the collection.

Parameters: kt - The key of the value to remove from the collection.

Item(KeyType kt)

Description: Accessor for a value within the collection.

Returns: The item (value) with the given key.

Parameters: kt - The key of the requested value.

Array

Methods:

Add(ValueType item)

Description: Adds a new item into the collection.

Parameters: item - The value to be added.

Remove(LONG index)

Description: Removes the item at the given position within the collection.

Parameters: index - The 0-based index of the value to remove.

Item(LONG index)

Description: Accessor for the item (value) at the given position within the collection.

Parameters: index - The 0-based index of the requested value.


Strongly-Typed Collections

Collection: ArchiveFolderCollection - BaseType: Array, ValueType: ArchiveFolder
Collection: AuditEventFilterDictionary - BaseType: Map, ValueType: AuditEventFilter, Key: File
Collection: ApplicationGroupDictionary - BaseType: Map, ValueType: ApplicationGroup, Key: Path
Collection: CustomRuleDictionary - BaseType: Map, ValueType: CustomRule, Key: Name
Collection: DeviceDictionary - BaseType: Map, ValueType: Device, Key: Host
Collection: DeviceRuleDictionary - BaseType: Map, ValueType: DeviceRule, Key: Name
Collection: DriveCollection - BaseType: Map, ValueType: Drive, Key: Path
Collection: EngineeringKeyCollection - BaseType: Array, ValueType: EngineeringKey
Collection: FileCollection - BaseType: Map, ValueType: File, Key: CommandLine
Collection: FileExtensionDictionary - BaseType: Map, ValueType: FileExtension, Key: Name
Collection: FolderCollection - BaseType: Map, ValueType: Folder, Key: Path
Collection: GroupRuleDictionary - BaseType: Map, ValueType: GroupRule, Key: DisplayName
Collection: NetworkConnectionCollection - BaseType: Map, ValueType: NetworkConnection, Key: Path
Collection: ProcessRuleDictionary - BaseType: Map, ValueType: ProcessRule, Key: Name
Collection: ScriptedRuleDictionary - BaseType: Map, ValueType: ScriptedRule, Key: Name
Collection: SignatureFileCollection - BaseType: Map, ValueType: SignatureFile, Key: CommandLine
Collection: TimeRangeCollection - BaseType: Array, ValueType: TimeRange
Collection: TrustedApplicationCollection - BaseType: Array, ValueType: TrustedApplication
Collection: TrustedOwnerDictionary - BaseType: Map, ValueType: TrustedOwner, Key: DisplayName
Collection: UserRuleDictionary - BaseType: Map, ValueType: UserRule, Key: DisplayName
Collection: URMPolicyDictionary - BaseType: Map, ValueType: URMPolicy, Key: Name
Collection: URMGroupBehaviourDictionary - BaseType: Map, ValueType: URMGroupBehaviour, Key: DisplayName
Collection: URMPrivilegeDictionary - BaseType: Map, ValueType: URMPrivilege, Key: Name
Collection: URMRuleItemDictionary - BaseType: Map, ValueType: URMRuleItem, Key: KeyPath
Collection: URMRuleItemPolicyDirectory - BaseType: Map, ValueType: URMRuleItemPolicy, Key: KeyPath

Object Definitions

Object: AccessTimes

Property Type Description

MondayTimeRangeCollection TimeRangeCollection A collection of time ranges that are applied on Mondays.

TuesdayTimeRangeCollection TimeRangeCollection A collection of time ranges that are applied on Tuesdays.

WednesdayTimeRangeCollection TimeRangeCollection A collection of time ranges that are applied on Wednesdays.

ThursdayTimeRangeCollection TimeRangeCollection A collection of time ranges that are applied on Thursdays.

FridayTimeRangeCollection TimeRangeCollection A collection of time ranges that are applied on Fridays.

SaturdayTimeRangeCollection TimeRangeCollection A collection of time ranges that are applied on Saturdays.

SundayTimeRangeCollection TimeRangeCollection A collection of time ranges that are applied on Sundays.

Object: ApplicationGroup

Property Type Description

Path BSTR The name of the Application Group.

Description BSTR The description of the group.

Files FileCollection Collection of files contained within this group.

Folders FolderCollection Collection of folders contained within this group.

SignatureFiles BSTR Collection of signature files contained within this group.

NetworkConnections BSTR Collection of network connections contained within this group.

Drives BSTR Collection of drives contained within this group.

Object: ArchiveFolder

Property Type Description

Path BSTR Full path to the folder.

Object: ArchivingSettings

Property Type Description

ArchivingEnabled VARIANT_BOOL Specify whether to use archiving. Default = False.

NoAdminOwnedFiles VARIANT_BOOL Enable administrator-owned files to be ignored. Default = False.

OverwriteExistingFiles VARIANT_BOOL Specify whether files copied to the archive should overwrite existing files. Default = True.

AnonymousEnabled VARIANT_BOOL Specify whether archived files should have any user information stripped.

TotalLimit LONG The maximum size of the archive in MB. Default = 50.

UserLimit LONG The maximum size of a user's archive in MB. Default = 25.

ArchiveLessThanEnabled VARIANT_BOOL Specify whether only files smaller than a certain size will be archived. Default = False.

Page 204: AppSense Application Manager Product Guide

APPLICATION MANAGER PRODUCT GUIDE 10 SCRIPTINGObject Types 194

Object: AuditEventFilter

Object: AuditEventFiltering

Object: Configuration

ArchiveLessThanAmount LONG The maximum size of a file that will be copied to the archive.Default = False.

OverwriteOldest VARIANT_BOOL Specify whether the oldest file in the archive are overwritten when the archive is full.Default = False.

ArchiveFolders ArchiveFolderCollection A list of archive folder locations, the first location in the list will be given preference, the last location given the lowest preference.

Property Type Description

File BSTR The file name/extension to which this filter will be applied.

Events BSTR A semi-colon delimited list of events e.g 9005;9006;9008

Property Type Description

Enabled VARIANT_BOOL Specify whether event filtering is enabled.Default = True

Files AuditEventFilterDictionary The list of event filters.

Property Type Description

Info ConfigurationInfo Configuration metadata.

DefaultRules DefaultRules Default rules settings.

MessageSettings MessageSettings Settings to allow customization of AM generated message boxes.

ArchivingSettings ArchivingSettings Options for files that are archived.

UserRules UserRuleDictionary Collection of configured user rules.

ApplicationGroups ApplicationGroupDictionary Library of Application Groups.

ProcessRules ProcessRuleDictionary Collection of configured Process Rules.

GroupRules GroupRuleDictionary Collection of configured group rules.

Property Type Description

Page 205: AppSense Application Manager Product Guide

APPLICATION MANAGER PRODUCT GUIDE 10 SCRIPTINGObject Types 195

Object: ConfigurationInfo

Object: CustomRule

DeviceRules DeviceRuleDictionary Collection of configured device rules.

CustomRules CustomRuleDictionary Collection of configured custom rules.

ScriptedRules ScriptedRuleDictionary Collection of configured scripted rules.

EngineeringKeys EngineeringKeyCollection Collection of engineering keys.

EnableTrustedApplications VARIANT_BOOL Enable Trusted Applications functionality.Default = True

URMPolicies URMPolicyDictionary Library of User rights policies.

AuditEventFilteringSettings AuditEventFiltering Options relating to which audit events are reported.

Property Type Description

Name BSTR The name of the configuration.

UniqueIdentifier‘ BSTR The unique ID for the configuration.

Version LONG The configuration version.

Notes BSTR Any appropriate notes.

RevisionLevel LONG The configuration revision number.

Property Type Description

DisplayName BSTR The account name.

SID BSTR The account SID.

Devices DeviceDictionary Collection of devices to which this rule applies.

Name BSTR The name of the rule.

SecurityLevel SecurityLevel The level of restriction applied to this rule.

AccessibleApplicationGroups ApplicationGroupReferenceDictionary

Collection of accessible Application Groups.

AccessibleFiles FileCollection Collection of accessible files.

AccessibleFolders FolderCollection Collection of accessible folders.

AccessibleDrives DriveCollection Collection of accessible drives.

Property Type Description

Page 206: AppSense Application Manager Product Guide

APPLICATION MANAGER PRODUCT GUIDE 10 SCRIPTINGObject Types 196

Object: DefaultRules

AccessibleSignatures SignatureFileCollection Collection of accessible signatures.

AccessibleNetworkConnections NetworkConnectionCollection Collection of accessible network connections.

ProhibitedApplicationGroups ApplicationGroupReferenceDictionary

Collection of prohibited Application Groups.

ProhibitedFiles FileCollection Collection of prohibited files.

ProhibitedFolders FolderCollection Collection of prohibited folders.

ProhibitedDrives DriveCollection Collection of prohibited drives.

ProhibitedSignatures SignatureFileCollection Collection of prohibited signatures.

ProhibitedNetworkConnections NetworkConnectionCollection Collection of prohibited network connections.

TrustedVendors DigitalCertificateCollection Collection of trusted vendors’ digital certificates.

UserRightsRules URMRules Configured settings for User rights rules.

Property Type Description

TrustedOwnershipChecking VARIANT_BOOL Enable trusted ownership checking.Default = True

ChangeFileOwnershipOnOverwriteOrRename

VARIANT_BOOL Enable a change of file ownership when a file is overwritten or renamed.Default = True

TrustedOwners TrustedOwnerDictionary A collection of configured Trusted Owners.

LocalDrivesAccessible VARIANT_BOOL Specify whether the local drives are accessible by default.Default = True

IgnoreRestrictionsDuringLogon VARIANT_BOOL Allows restrictions to be ignored until the logon process is complete.

AllowCMDForBatchFiles VARIANT_BOOL Allows cmd.exe to run if it is run via execution of a batch file.Default = True

ExtractSelfExtractingZIPFiles VARIANT_BOOL Specify whether Application Manager should extract self extracting .ZIP files.Default = True

ValidateSystemProcesses VARIANT_BOOL Specify whether system process will be subject to AM rules processing.Default = False

ValidateMSI VARIANT_BOOL Specify whether Windows Installer (.MSI) packages are validated.

Property Type Description

Page 207: AppSense Application Manager Product Guide

APPLICATION MANAGER PRODUCT GUIDE 10 SCRIPTINGObject Types 197

Object: Device

ValidateWSH VARIANT_BOOL Specify whether Windows Script Host (.WSH) files are validated.Default = True

ValidateREG VARIANT_BOOL Specify whether Windows Registry (.REG) files are validated.Default = True

DoExtensionFiltering VARIANT_BOOL Enable extension filtering.Default = False

ExtensionFilteringScope FileExtensionFilteringScope Specify whether the file extensions in the FileExtensions property are included or excluded from rules processing.Default = Exclude

FileExtensions FileExtensionDictionary A list of extensions used for extension filtering.

TrustedAppsCheckAll VARIANT_BOOL Specify whether all denied requests are passed through the Trusted Applications checking routine. True = Check all, False = only check requests denied by Trusted Ownership.Default = True

ApplicationAccessEnabled VARIANT_BOOL Specify whether Application Access Control is enabled. Default = True.

ANACEnabled VARIANT_BOOL Specify whether Application Network Access control is enabled. Default = True.

URMEnabled VARIANT_BOOL Specify whether User Rights Management is enabled. Default = True.

Property Type Description

Host BSTR The host address.

HostType DeviceType Specify whether the address refers to a computer or a connecting device.Default = Computer

NameType HostNameType Specify whether the address is a host name of IP address.Default = HostName

Property Type Description

Object: DeviceRule

Property | Type | Description
Devices | DeviceDirectory | Collection of devices to which this rule applies.
Name | BSTR | The name of the rule.
SecurityLevel | SecurityLevel | The level of restriction applied to this rule.
AccessibleApplicationGroups | ApplicationGroupReferenceDictionary | Collection of accessible Application Groups.
AccessibleFiles | FileCollection | Collection of accessible files.
AccessibleFolders | FolderCollection | Collection of accessible folders.
AccessibleDrives | DriveCollection | Collection of accessible drives.
AccessibleSignatures | SignatureFileCollection | Collection of accessible signatures.
AccessibleNetworkConnections | NetworkConnectionCollection | Collection of accessible network connections.
ProhibitedApplicationGroups | ApplicationGroupReferenceDictionary | Collection of prohibited Application Groups.
ProhibitedFiles | FileCollection | Collection of prohibited files.
ProhibitedFolders | FolderCollection | Collection of prohibited folders.
ProhibitedDrives | DriveCollection | Collection of prohibited drives.
ProhibitedSignatures | SignatureFileCollection | Collection of prohibited signatures.
ProhibitedNetworkConnections | NetworkConnectionCollection | Collection of prohibited network connections.
TrustedVendors | DigitalCertificateCollection | Collection of trusted vendors' digital certificates.
UserRightsRules | URMRules | Configured settings for User Rights rules.

Object: DigitalCertificate

Property | Type | Description
Path | BSTR | Unused for this object.
Description | BSTR | The description of the digital certificate.
EnforceExpiryDate | VARIANT_BOOL | Specify whether expiry date verification will be applied to this certificate. Default = False
RawCertificateData | BSTR | The base64-encoded digital certificate.
ExpiryDate | BSTR | The certificate expiry date.
IssuedTo | BSTR | The name of the certificate owner.
ErrorIgnoreFlags | LONG | A bitwise OR of the values listed under ErrorIgnoreFlags below. Default = 0

ErrorIgnoreFlags

CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG 0x00000001
CERT_CHAIN_POLICY_IGNORE_CTL_NOT_TIME_VALID_FLAG 0x00000002
CERT_CHAIN_POLICY_IGNORE_NOT_TIME_NESTED_FLAG 0x00000004
CERT_CHAIN_POLICY_IGNORE_INVALID_BASIC_CONSTRAINTS_FLAG 0x00000008
CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG 0x00000010
CERT_CHAIN_POLICY_IGNORE_WRONG_USAGE_FLAG 0x00000020
CERT_CHAIN_POLICY_IGNORE_INVALID_NAME_FLAG 0x00000040
CERT_CHAIN_POLICY_IGNORE_INVALID_POLICY_FLAG 0x00000080
CERT_CHAIN_POLICY_IGNORE_END_REV_UNKNOWN_FLAG 0x00000100
CERT_CHAIN_POLICY_IGNORE_CTL_SIGNER_REV_UNKNOWN_FLAG 0x00000200
CERT_CHAIN_POLICY_IGNORE_CA_REV_UNKNOWN_FLAG 0x00000400
CERT_CHAIN_POLICY_IGNORE_ROOT_REV_UNKNOWN_FLAG 0x00000800

Object: Drive

Property | Type | Description
Path | BSTR | Full path to drive.
Description | BSTR | The drive description.

Object: File

Property | Type | Description
Path | BSTR | Full path to file.
Description | BSTR | The file description.
Arguments | BSTR | The command-line arguments used for spawning a process.
CommandLine | BSTR | The full command line (Path + Arguments) when a file is run.
ApplyAccessTimes | VARIANT_BOOL | Specify whether access times are to be applied. Default = False
AccessTimes | AccessTimes | Collection of access times to be applied.
TrustedOwnershipChecking | VARIANT_BOOL | Specify whether the file is subject to Trusted Ownership checking. Default = True
ApplicationLimit | LONG | The number of concurrent instances of this file that can be executed (0 means unlimited). Default = 0

Object: FileExtension

Property | Type | Description
Path | BSTR | Full path to folder.
Description | BSTR | The folder description.
ApplyAccessTimes | VARIANT_BOOL | Specify whether access times are to be applied. Default = False
AccessTimes | AccessTimes | Collection of access times to be applied.
TrustedOwnershipChecking | VARIANT_BOOL | Specify whether the folder is subject to Trusted Ownership checking. Default = True
Recursive | VARIANT_BOOL | Whether the rules are applied to subfolders. Default = True

Object: Folder

Property | Type | Description
Path | BSTR | Full path to folder.
Description | BSTR | The folder description.
ApplyAccessTimes | VARIANT_BOOL | Specify whether access times are to be applied.
AccessTimes | AccessTimes | Collection of access times to be applied.
TrustedOwnershipChecking | VARIANT_BOOL | Specify whether the folder is subject to Trusted Ownership checking. Default = True
Recursive | VARIANT_BOOL | Whether rules are applied to subfolders. Default = True

Object: GroupRule

Property | Type | Description
DisplayName | BSTR | The account name.
SID | BSTR | The account SID.
Name | BSTR | The name of the rule.
SecurityLevel | SecurityLevel | The level of restriction applied to this rule.
AccessibleApplicationGroups | ApplicationGroupReferenceDictionary | Collection of accessible Application Groups.
AccessibleFiles | FileCollection | Collection of accessible files.
AccessibleFolders | FolderCollection | Collection of accessible folders.
AccessibleDrives | DriveCollection | Collection of accessible drives.
AccessibleSignatures | SignatureFileCollection | Collection of accessible signatures.
AccessibleNetworkConnections | NetworkConnectionCollection | Collection of accessible network connections.
ProhibitedApplicationGroups | ApplicationGroupReferenceDictionary | Collection of prohibited Application Groups.
ProhibitedFiles | FileCollection | Collection of prohibited files.
ProhibitedFolders | FolderCollection | Collection of prohibited folders.
ProhibitedDrives | DriveCollection | Collection of prohibited drives.
ProhibitedSignatures | SignatureFileCollection | Collection of prohibited signatures.
ProhibitedNetworkConnections | NetworkConnectionCollection | Collection of prohibited network connections.
TrustedVendors | DigitalCertificateCollection | Collection of trusted vendors' digital certificates.
UserRightsRules | URMRules | Configured settings for User Rights rules.

Object: MessageSettings

Property | Type | Description
DisplayInitialWarningMessage | VARIANT_BOOL | Determines whether the user should be warned that an application is about to be closed because its allowed time has expired.
CloseApplication | VARIANT_BOOL | Determines whether an application with an expired allowed time should be sent a WM_CLOSE to give the user a chance to save work.
TerminateApplication | VARIANT_BOOL | Determines whether an application with an expired allowed time should be forcefully terminated.
WaitTime | LONG | The delay period, in seconds, between warning the user, sending a WM_CLOSE and terminating the application.
AccessDeniedMessageCaption | BSTR | The caption for the access denied message box.
AccessDeniedMessageBody | BSTR | The text for the access denied message box.
ApplicationLimitsExceededMessageCaption | BSTR | The caption for the message box that is displayed when an application has reached its application limit.
ApplicationLimitsExceededMessageBody | BSTR | The text for the message box that is displayed when an application has reached its application limit.
TimeLimitsWarningMessageCaption | BSTR | The caption for the message box that is displayed when an application has reached the end of its allowed time.
TimeLimitsWarningMessageBody | BSTR | The text for the message box that is displayed when an application has reached the end of its allowed time.
TimeLimitsDeniedMessageCaption | BSTR | The caption for the message box that is displayed when an application is denied due to a time restriction.
TimeLimitsDeniedMessageBody | BSTR | The text for the message box that is displayed when an application is denied due to a time restriction.
SelfAuthorizationMessageCaption | BSTR | The caption for the message box that is displayed when user authorization is required to run a file.
SelfAuthorizationMessageBody | BSTR | The text for the message box that is displayed when user authorization is required to run a file.
SelfAuthorizationResponseCaption | BSTR | The caption for the message box that is displayed when the user has previously self-authorized a file to run.
SelfAuthorizationResponseBody | BSTR | The text for the message box that is displayed when the user has previously self-authorized a file to run.

Object: NetworkConnection

Property | Type | Description
Path | BSTR | Full path to network resource.
Description | BSTR | The description of the network resource.
Address | BSTR | The address of the network resource (e.g. www.bbc.co.uk).
Resource | BSTR | The resource path (e.g. \weather).
Port | BSTR | The port to which this network connection applies (if appropriate).
UseWildcards | VARIANT_BOOL | Specify whether any part of the whole network location contains wildcards.
AddressType | NetworkConnectionType | The connection type. Default = False
Recursive | VARIANT_BOOL | Specify whether child resources are included as part of this connection.

Object: ProcessRule

Property | Type | Description
SecurityLevel | SecurityLevel | The level of restriction applied to this rule.
AccessibleApplicationGroups | ApplicationGroupReferenceDictionary | Collection of accessible Application Groups.
AccessibleFiles | FileCollection | Collection of accessible files.
AccessibleFolders | FolderCollection | Collection of accessible folders.
AccessibleDrives | DriveCollection | Collection of accessible drives.
AccessibleSignatures | SignatureFileCollection | Collection of accessible signatures.
AccessibleNetworkConnections | NetworkConnectionCollection | Collection of accessible network connections.
ProhibitedApplicationGroups | ApplicationGroupReferenceDictionary | Collection of prohibited Application Groups.
ProhibitedFiles | FileCollection | Collection of prohibited files.
ProhibitedFolders | FolderCollection | Collection of prohibited folders.
ProhibitedDrives | DriveCollection | Collection of prohibited drives.
ProhibitedSignatures | SignatureFileCollection | Collection of prohibited signatures.
ProhibitedNetworkConnections | NetworkConnectionCollection | Collection of prohibited network connections.
TrustedVendors | DigitalCertificateCollection | Collection of trusted vendors' digital certificates.
UserRightsRules | URMRules | Configured settings for User Rights rules.
FileProcessItems | FileCollection | Collection of processes to which this rule applies.
SignatureProcessItems | SignatureProcessItems | Collection of processes to which this rule applies, defined by signature.

Object: ScriptedRule

Property | Type | Description
EntryFunction | BSTR | The function that will be executed when the script is launched.
Script | BSTR | The body of the script.
Context | ExecutionContext | The context in which the script is executed. Default = PerSessionAsUser.
WaitForLogin | VARIANT_BOOL | Specify whether the execution of the script will be delayed until the login process is complete. Default = False
Timeout | LONG | The timeout period a script is given before being terminated.
Name | BSTR | The name of the rule.
SecurityLevel | SecurityLevel | The level of restriction applied to this rule.
AccessibleApplicationGroups | ApplicationGroupReferenceDictionary | Collection of accessible Application Groups.
AccessibleFiles | FileCollection | Collection of accessible files.
AccessibleFolders | FolderCollection | Collection of accessible folders.
AccessibleDrives | DriveCollection | Collection of accessible drives.
AccessibleSignatures | SignatureFileCollection | Collection of accessible signatures.
AccessibleNetworkConnections | NetworkConnectionCollection | Collection of accessible network connections.
ProhibitedApplicationGroups | ApplicationGroupReferenceDictionary | Collection of prohibited Application Groups.
ProhibitedFiles | FileCollection | Collection of prohibited files.
ProhibitedFolders | FolderCollection | Collection of prohibited folders.
ProhibitedDrives | DriveCollection | Collection of prohibited drives.
ProhibitedSignatures | SignatureFileCollection | Collection of prohibited signatures.
ProhibitedNetworkConnections | NetworkConnectionCollection | Collection of prohibited network connections.
TrustedVendors | DigitalCertificateCollection | Collection of trusted vendors' digital certificates.
UserRightsRules | URMRules | Configured settings for User Rights rules.

Object: SignatureFile

Property | Type | Description
Path | BSTR | Full path to the file.
Description | BSTR | The file description.
Arguments | BSTR | The command-line arguments used for spawning a process.
Sha1Hash | BSTR | The SHA1 hash of the file.
CommandLine | BSTR | The full command line (Sha1Hash + Arguments) when a file is run.
Version | BSTR | The file version information.
ApplyAccessTimes | VARIANT_BOOL | Specify whether access times are to be applied. Default = False
AccessTimes | AccessTimes | Collection of access times to be applied.

Object: TimeRange

Property | Type | Description
StartHour | LONG | The hour at which the time range starts.
EndHour | LONG | The hour at which the time range ends.

Object: TrustedOwner

Property | Type | Description
DisplayName | BSTR | The account name.
SID | BSTR | The account SID.
Description | BSTR | The account description.

Object: URMGroupBehaviour

Property | Type | Description
DisplayName | BSTR | The name of the group.
SID | BSTR | The group's SID.
Action | URMGroupAction | The action to perform with this group. Default = Add

Object: URMPolicy

Property | Type | Description
Name | BSTR | Name of the policy.
Description | BSTR | A description for the policy.
GroupMembershipActions | URMGroupBehaviourDictionary | A collection of configured URM Group Behaviour actions.
PrivilegeActions | URMPrivilegeDictionary | A collection of configured URM Privilege actions.

Object: URMPrivilege

Property | Type | Description
Name | BSTR | Textual description of the privilege.
Privilege | URMPrivilegeConstant | The privilege being set. Default = SeAssignPrimaryTokenPrivilege
Action | URMPrivilegeAction | The action to perform on the privilege. Default = NoChange.

Object: URMRuleItem

Property | Type | Description
KeyPath | BSTR | The key path used in collections of URMRuleItems.
Application | RuleItem | The application to which the User Rights setting is applied. Can be of type File, Folder, SignatureFile or ApplicationGroup.
ApplyToChildren | VARIANT_BOOL | Specifies whether the User Rights setting should also be applied to any child processes. Default = False.

Object: URMRuleItemPolicy

Property | Type | Description
KeyPath | BSTR | The key path used in collections of URMRuleItems.
Application | RuleItem | The application to which the User Rights policy is applied. Can be of type File, Folder, SignatureFile or ApplicationGroup.
ApplyToChildren | VARIANT_BOOL | Specifies whether the User Rights policy should also be applied to any child processes. Default = False.
Policy | URMPolicyReference | The URM Policy to apply to the application.

Object: URMRules

Property | Type | Description
URMFiles | URMRuleItemPolicyDictionary | Collection of Files and the URM Policies to apply to them.
URMSignatures | URMRuleItemPolicyDictionary | Collection of SignatureFiles and the URM Policies to apply to them.
URMFolders | URMRuleItemPolicyDictionary | Collection of Folders and the URM Policies to apply to them.
URMApplicationGroups | URMRuleItemPolicyDictionary | Collection of ApplicationGroups and the URM Policies to apply to them.
URMWellKnownControlPanelApplets | URMRuleItemDictionary | Cannot currently be scripted.

Object: UserRule

Property | Type | Description
DisplayName | BSTR | The account name.
SID | BSTR | The account SID.
Name | BSTR | The name of the rule.
SecurityLevel | SecurityLevel | The level of restriction applied to this rule.
AccessibleApplicationGroups | ApplicationGroupReferenceDictionary | Collection of accessible Application Groups.
AccessibleFiles | FileCollection | Collection of accessible files.
AccessibleFolders | FolderCollection | Collection of accessible folders.
AccessibleDrives | DriveCollection | Collection of accessible drives.
AccessibleSignatures | SignatureFileCollection | Collection of accessible signatures.
AccessibleNetworkConnections | NetworkConnectionCollection | Collection of accessible network connections.
ProhibitedApplicationGroups | ApplicationGroupReferenceDictionary | Collection of prohibited Application Groups.
ProhibitedFiles | FileCollection | Collection of prohibited files.
ProhibitedFolders | FolderCollection | Collection of prohibited folders.
ProhibitedDrives | DriveCollection | Collection of prohibited drives.
ProhibitedSignatures | SignatureFileCollection | Collection of prohibited signatures.
ProhibitedNetworkConnections | NetworkConnectionCollection | Collection of prohibited network connections.
TrustedVendors | DigitalCertificateCollection | Collection of trusted vendors' digital certificates.
UserRightsRules | URMRules | Configured settings for User Rights rules.

Enumerations

Name: DeviceType
Computer = 0
ConnectingDevice = 1

Name: ExecutionContext
PerSessionAsUser = 0
PerSessionAsSystem = 1
PerComputerAsSystem = 2

Name: FileExtensionFilteringScope
Exclude = 0
Include = 1

Name: HostNameType
HostName = 0
IPAddress = 1

Name: LocalEventLogging
None = 0
WindowsApplication = 1
ApplicationManager = 2

Name: NetworkConnectionType
HostAddress = 0
IPAddress = 1
UNCPath = 2

Name: SecurityLevel
Restricted = 0
SelfAuthorizing = 1
Unrestricted = 2
AuditOnly = 3

Configuration Helper Object

The Configuration Helper object provides useful functionality that is not provided by the configuration model, such as the ability to load and save configurations.

The methods listed below report errors as an HRESULT, which can be tested for in VBScript using the Err object.

Success is reported as S_OK, which is 0. In case of error, most of the time the Configuration Helper Object returns the error code 2147500037, which is 0x80004005 in hex and is defined as E_FAIL in COM.

The other most common error is 2147942405, which is 0x80070005 in hex and is defined as E_ACCESSDENIED in COM. This error occurs if the user the script is running as does not have access to a file, folder or registry key used by the Configuration Helper Object.

LoadLiveConfiguration (method)

Returns
BSTR - the XML representation of the live configuration.
HRESULT - Returns S_OK if successful.

SaveLiveConfiguration (method)

Returns
HRESULT - Returns S_OK if successful.

Parameters
BSTR - the XML representation of the configuration loaded from disk.

LoadLocalConfiguration (method)

Returns
BSTR - the XML representation of the configuration loaded from disk.
HRESULT - Returns S_OK if successful.

Parameters
BSTR - the full file path of the configuration to load.

SaveLocalConfiguration (method)

Parameters
BSTR - the full file path at which to save the configuration.
BSTR - the XML representation of the configuration to save.

ReadNumCertificatesFromFile (method)

Returns
LONG - the number of certificates used to sign the specified executable file.

Parameters
BSTR - the full file path of the executable file used in determining the certificate count.

ReadCertificateFromFile (method)

Returns
BSTR - the raw certificate data.

Parameters
BSTR - the full file path of the executable file from which the certificate will be read.
LONG - the index of the certificate to read.

ReadSha1HashFromFile (method)

Returns
BSTR - the hash value.
HRESULT - Returns S_OK if successful.

Parameters
BSTR - the full file path of the file for which the hash will be generated.

DefaultConfiguration (property)

This BSTR property contains the XML representation of the default configuration.

The DefaultConfiguration( ) method only returns a configuration in the English language. This means that some group names and other text in the configuration may not be in the native language of the operating system, which can result in the configuration not being applied correctly.

For non-English operating systems it is necessary to export the default configuration from the product console on a native operating system. This can be stored as a file on the network or distributed to the machine where the configuration scripting will be performed. Once this is done, use the LoadLocalConfiguration( ) method in place of DefaultConfiguration( ). This will produce the same configuration but in the correct native language.
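The following VBScript is an added example, not taken from the AppSense guide, that ties the Configuration Helper methods above to the object model described earlier in this section (Configuration, ConfigurationInfo, DefaultRules, DigitalCertificate and its ErrorIgnoreFlags). It loads an exported configuration with LoadLocalConfiguration (as the guide recommends over DefaultConfiguration on non-English systems), maps a failure to the E_FAIL and E_ACCESSDENIED values the guide lists, and then reports default-rule settings and trusted vendor certificate flags that relax the product's checks. The ProgIDs AM.ConfigurationHelper.1 and AM.Configuration.5, the Configuration.ParseXML method and For Each enumeration of the collection objects are not defined on this page and are assumptions; CONFIG_PATH is a placeholder.

```vbscript
' Added example, not from the AppSense guide: a read-only audit of an exported
' Application Manager configuration. Run with: cscript //nologo AuditConfig.vbs
' ASSUMPTIONS not defined on this page: the two ProgIDs, Configuration.ParseXML,
' and For Each enumeration of the collection objects. CONFIG_PATH is a placeholder.
Option Explicit

' HRESULTs from the Configuration Helper section. Err.Number is a signed Long, so
' the guide's 2147500037 and 2147942405 compare equal to these &H literals.
Const E_FAIL         = &H80004005
Const E_ACCESSDENIED = &H80070005

' DigitalCertificate.ErrorIgnoreFlags bits that most affect code-signing trust.
Const FLAG_IGNORE_NOT_TIME_VALID   = &H00000001
Const FLAG_ALLOW_UNKNOWN_CA        = &H00000010
Const FLAG_IGNORE_WRONG_USAGE      = &H00000020
Const FLAG_IGNORE_END_REV_UNKNOWN  = &H00000100
Const FLAG_IGNORE_CA_REV_UNKNOWN   = &H00000400
Const FLAG_IGNORE_ROOT_REV_UNKNOWN = &H00000800

Const SCOPE_INCLUDE = 1   ' FileExtensionFilteringScope.Include
Const CONFIG_PATH   = "C:\Temp\ExportedConfig.aamp"   ' placeholder path

Dim Findings: Findings = 0

Sub Report(Msg)
    Findings = Findings + 1
    WScript.Echo "FINDING: " & Msg
End Sub

' Render an Err.Number the way the guide lists HRESULTs: hex plus the COM name.
Function DescribeHResult(hr)
    Dim Name
    Select Case hr
        Case E_FAIL:         Name = "E_FAIL"
        Case E_ACCESSDENIED: Name = "E_ACCESSDENIED (script account lacks access to a file, folder or registry key)"
        Case Else:           Name = "unrecognised HRESULT"
    End Select
    DescribeHResult = "0x" & Right("00000000" & Hex(hr), 8) & " " & Name
End Function

' Explain which ErrorIgnoreFlags bits relax chain validation for a trusted vendor.
Sub CheckCertificate(Where, Cert)
    Dim Flags: Flags = Cert.ErrorIgnoreFlags
    Dim Who: Who = Where & " vendor """ & Cert.IssuedTo & """"
    If (Flags And FLAG_ALLOW_UNKNOWN_CA) <> 0 Then
        Report Who & ": ALLOW_UNKNOWN_CA set, the chain need not end at a trusted root"
    End If
    If (Flags And (FLAG_IGNORE_END_REV_UNKNOWN Or FLAG_IGNORE_CA_REV_UNKNOWN Or FLAG_IGNORE_ROOT_REV_UNKNOWN)) <> 0 Then
        Report Who & ": revocation-unknown errors ignored, a revoked signing certificate stays trusted"
    End If
    If (Flags And FLAG_IGNORE_WRONG_USAGE) <> 0 Then
        Report Who & ": WRONG_USAGE ignored, certificates not issued for code signing are accepted"
    End If
    If (Flags And FLAG_IGNORE_NOT_TIME_VALID) <> 0 And Not Cert.EnforceExpiryDate Then
        Report Who & ": NOT_TIME_VALID ignored and EnforceExpiryDate is False, expired certificates are accepted"
    End If
End Sub

' Load the exported configuration. LoadLocalConfiguration is used rather than
' DefaultConfiguration so the text is in the operating system's own language.
Dim Helper, Config, Xml
Set Helper = CreateObject("AM.ConfigurationHelper.1")   ' assumed ProgID
Set Config = CreateObject("AM.Configuration.5")         ' assumed ProgID

On Error Resume Next
Xml = Helper.LoadLocalConfiguration(CONFIG_PATH)
If Err.Number <> 0 Then
    WScript.Echo "LoadLocalConfiguration failed: " & DescribeHResult(Err.Number)
    WScript.Quit 1
End If
On Error GoTo 0
Config.ParseXML Xml   ' assumed: populates the object model from the XML string

' Default rules settings whose non-default values widen what may execute.
Dim Rules: Set Rules = Config.DefaultRules
If Not Rules.TrustedOwnershipChecking Then Report "DefaultRules.TrustedOwnershipChecking is False"
If Not Rules.ValidateMSI Then Report "DefaultRules.ValidateMSI is False, Windows Installer packages are not validated"
If Not Rules.ValidateWSH Then Report "DefaultRules.ValidateWSH is False, Windows Script Host files are not validated"
If Not Rules.ValidateREG Then Report "DefaultRules.ValidateREG is False, registry files are not validated"
If Rules.DoExtensionFiltering And Rules.ExtensionFilteringScope = SCOPE_INCLUDE Then
    Report "Extension filtering in Include mode, only the listed extensions are subject to rules processing"
End If

Dim Cert
For Each Cert In Rules.TrustedVendors   ' assumed: the collection supports For Each
    CheckCertificate "DefaultRules", Cert
Next

WScript.Echo "Audit of """ & Config.Info.Name & """ (revision " & Config.Info.RevisionLevel & _
             ") complete: " & Findings & " finding(s)"
```

The script only reads the configuration; it never calls SaveLiveConfiguration or SaveLocalConfiguration, so it can be run under an account that has read access to the exported file. It walks the TrustedVendors collection of DefaultRules only; each user, group, device, custom, process and scripted rule carries its own TrustedVendors collection (see the rule object tables above), and a complete review would apply CheckCertificate to those as well.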

11 Licensing

In this Section:

Licensing on page 212
About License Manager on page 213
Managing Licenses on page 214

LICENSING

The AppSense License Manager allows you to create and manage AppSense product licenses.

This section provides details about using the console and describes the following processes:

Add and Activate a License on page 214
To Import a License File on page 215
To Export a License File on page 215

ABOUT LICENSE MANAGER

AppSense License Manager allows you to manage individual AppSense product licenses, full Management Suite licenses and evaluation licenses for computers operating in Standalone mode.

The console allows you to:

Manage licenses for single products, the AppSense Management Suite or Evaluation licenses.
Export license packages to MSI file format for saving to the AppSense Management Center or other computers which can be remotely accessed.
Import and manage licenses from MSI file format.

When License Manager is launched, details of current licenses are displayed in the console.

Figure 11.1 Licensing Console

For information about Enterprise license management and deployment, see the AppSense Management Center Product Guide.

It is recommended to use the Management Center Enterprise Licensing for Enterprise installations.

Page 224: AppSense Application Manager Product Guide

APPSENSE PRODUCT MANAGER USER GUIDE 11 LICENSINGManaging Licenses 214

An installation requires one of the following licenses:

MANAGING LICENSES

The following procedures show how to add and activate a new license, import and export licenses to Microsoft Windows Installer files (*.msi) or to backup a set of licenses.

ADD AND ACTIVATE A LICENSE

1. Click Add to create a new entry in the license grid.

2. Enter the license code in the License Code entry box.

You can manually enter each digit or copy and paste the license in to the entry box.

When a license entry is highlighted, a description displays in the bottom section of the console and includes the following details:

License Code

License State - Not Activated, Valid, Invalid.

Expiry Date - The date that the license runs out.

Description – The type of license and the product and version it relates to.

A license is invalid until an Activation Code is entered.

3. Click Activate and enter the activation code in to the Activation Code entry box, and click Enter.

The license details in the bottom section of the console are updated to match the license.

Once a license is active, the icon changes to indicate the current license state.

4. Close the Licensing console. All the settings are automatically saved.

License types

AppSense Management Suite - Full Suite license. Requires activation using the activation code sent from AppSense with the license code.

Application Manager - Single product license. Requires activation using the activation code sent from AppSense with the license code.

Evaluation - Full Suite or single product licenses. Evaluation licenses are available during the first installation of the product and do not require activation. They are valid for 21 days.


TO IMPORT A LICENSE FILE

1. Click Import to display the file Open dialog box and navigate to the location of the license MSI file.

2. Click Open to load the license file in the Management Suite Licensing Console.

TO EXPORT A LICENSE FILE

1. Click Export to display the file Save As dialog box and browse to the location for saving the license MSI file.

2. Provide a name for the file and click Save to save the file.

You can copy this file to any network location and load the file in Application Manager or in Management Center Enterprise Licensing.

APPENDIXES

This section provides additional or supporting information about topics covered in the guide and includes:

Streamed Applications

STREAMED APPLICATIONS

CITRIX XENAPP

To set up Citrix XenApp streamed applications to work with certain elements of Application Manager, you need to specify the following exclusions in the streaming profile:

1. Navigate to Citrix Streaming Profiler for Windows.

2. Open the Application Profile.

3. Highlight the relevant Target and select the Edit menu.

4. Select Target Properties. The Target Properties screen displays.

5. Select Rules. The Rules work area displays on the right hand side.

6. Click Add in the Rules work area. The New Rule Select Action and Objects dialog box displays.

7. In the Action section leave the default setting as Ignore.

8. In the Object section select Named Objects and click Next. The New Rule Select Objects dialog box displays.

9. Select Some Named Objects and click Add. The Choose Named Object dialog box displays.

10. Add \??\pipe\AppSense* and click OK. This displays in Named Objects on the New Rule Select Objects dialog box.

11. Click Next to display the New Rule Name Rule dialog box.

12. Enter a name for the rule or accept the default and click Finish.

13. Click OK. The Target Properties screen re-displays and the Ignore all named objects rule is now listed in the work area on the right hand side.

14. Save the profile.

15. Repeat for each application profile as required.

GLOSSARY


AAC

Citrix Advanced Access Control.

Accessible Items

Accessible Items are files, folders, drives or digitally signed files or groups of files in an Application Manager configuration Rule which are allowed to run when file execution requests are matched with the rule security settings and would otherwise be prohibited by other configuration settings.

See also: Prohibited Items, Trusted Vendors, User Rights Management


Agent

A proactive software component which implements the product configuration rules. For example, the Application Manager Agent is software that runs as a Windows service to validate execute requests according to the rules in the configuration installed on a computer.

Application Limit

Application Limits specify the number of instances of an application a user can run. An application limit can be applied to an item in the Accessible Items node.

Audit Only

Security Level assigned to users, groups or devices in an Application Manager Rule which audits events according to the Auditing Configuration without applying the rule. Used for passive monitoring in evaluations to assess application usage on the host environment.

CCA

Client Communications Agent. Installed on computers operating in an Enterprise installation to provide a link between the product agent running on a managed computer and the AppSense Management Center.

The CCA sends event data generated by the product agents to the Management Server and also polls the Management Server to manage the download and installation for software configuration, agent and package updates.

The CCA can be downloaded and installed directly on managed machines from the Management Server website.

Configuration

The Application Manager configuration consists of lists of files/folders that you have decided should be Accessible Items, Prohibited Items and Trusted Vendors. The configuration also contains optional settings and text to be displayed to the user. A configuration is created and managed using the Application Manager Console and used by the Application Manager Agent and is saved in Application Manager Package Files (*.aamp). The agent uses the configuration settings to determine whether or not an execute request is to be denied.

Configuration File

An Application Manager configuration exported from the Console and saved in Windows Installer MSI file format. The file can be installed on any computer, and the configuration rules are applied when an Application Manager Agent is present and running as a service on the computer.

Configuration Profiler

Generates reports detailing the current settings in the Configuration. Filtering options allow you to query settings affecting specific users or groups, devices, and files or folders.

Console

AppSense Application Manager software interface.


DAC

Discretionary Access Control.

Deploy

To deliver a configuration or AppSense software component to one or more computers, which can include the local machine.

Digital Signature

Application Manager uses the SHA-1 algorithm for applying a digital signature to uniquely identify files.

The signature can be used as a security measure when adding files as Accessible Items, Prohibited Items and Trusted Vendors.

Signatures can also be used for allowing applications on non-NTFS formatted drives to run, which Application Manager would otherwise block by default. Add the digital signatures to the Accessible Items list and disable trusted ownership checking for the individual files. Signature Group Management provides easier administration for large groups of signatures.

Accessible Items with digital signatures can be used to verify that the file which the user is attempting to run is actually the file permitted by the administrator.

Prohibited Items with digital signatures can be used to ensure the file is always prevented from executing, even when the user renames the file.

DLL

Dynamic link library. A collection of small programs which may be called upon when needed by a running executable. A DLL lets the executable communicate with a specific device such as a printer, or may contain code that performs particular functions.

DFS

Distributed File System. A DFS is any file system that allows files to be accessed from multiple hosts sharing them over a computer network. This makes it possible for multiple users on multiple machines to share files and storage resources.

DNS

Domain Name System. This is a database system that translates a computer’s fully qualified domain name into an IP address. Networked computers use IP addresses to locate and connect to each other. However, IP addresses are difficult to remember. For example, on the web it is easier to remember the domain name www.AppSense.com than its corresponding IP address. DNS allows you to connect to another networked computer or remote service by using its user-friendly domain name rather than its numerical IP address.

EPA

Endpoint Analysis.

See Endpoint Analysis for more information.


Event

An Event is generated by Application Manager to report file execution requests, overwrites or renames and Self-Authorizing User decisions. The event number indicates the outcome of the request. Events are logged according to the method set up in the Auditing node.

Fast User Switching

The Fast User Switching feature in Microsoft Windows enables multiple user accounts to be logged on to a computer simultaneously. With this feature, users can switch sessions without closing Windows, programs, and so on.

For example, User A is logged on and is browsing the Internet, and User B wants to log on to their own account to check their email. User A can leave their programs running while User B logs on and checks their email. User A can then return to their session, where their programs will still be running.

Group Management

Group Management is a library for compiling reusable groups of files, folders, drives, signatures and network connections which can be associated with rules in the configuration. For example, Groups can be used to manage licenses for a suite of software or common sets of applications for assigning to certain user groups.

GUID

Globally Unique Identifier.

LSA

Local Security Authority. This is an important required component of Windows that deals with login authentication and security policies. It verifies users logging on to a Windows computer or server and handles password changes.

NetBIOS

Network Basic Input/Output System. A program that allows applications on different computers to communicate within a local area network (LAN).

Network Connection Item

Network Connection identify.

Node

A node is a term used in the Application Manager Console to represent a branch in the navigation tree.

OU

Organizational Unit. A Microsoft Active Directory container that includes users and computers.


Prohibited Items

Prohibited items are files, folders, drives or digitally signed files or groups of files specified in an Application Manager Rule which are not allowed to run when file execution requests are matched with the rule security settings and would otherwise be allowed by other Configuration settings.

See also: Accessible Items and Trusted Vendors

Process Rules

Process rules allow you to manage access for a parent process to run child processes which might be managed differently in other rules. Process Rules include settings for adding Prohibited Items, Accessible Items, Trusted Vendors and User Rights Management.

Rule

A Configuration rule assigns a Security Level to the specified users or groups, devices and combinations of these and contains control lists for Accessible Items, Prohibited Items, Trusted Vendors and Process Rules. The Application Manager agent intercepts kernel level file execution requests and matches these with the Configuration rules to implement security controls.

Security Identifier

(SID) A data structure of variable length that identifies user, group, and computer accounts. Every account on a network is issued a unique SID when the account is first created. Internal processes in Windows refer to an account's SID rather than the account's user or group name. Likewise, Application Manager also refers to a user or group SID, unless the SID could not be found when the entry was added to the configuration.

Security Level

Application Manager configuration Rule settings include security levels which specify how to manage requests to run unauthorized applications by the users, groups or devices which a rule matches.

Restricted — Only authorized applications can run. These include files owned by members of the Trusted Owners list and files listed in Accessible Items, Trusted Vendors and Trusted Ownership.

Self-Authorizing — Users are prompted for decisions about blocking or running unauthorized files on the host device.

Audit only — All actions are permitted but events are logged and audited, for monitoring purposes.

Unrestricted — All actions are permitted without event logging or auditing.

Self-Authorizing User

User, group or device granted control to choose whether to block or run an unauthorized application on the host computer. The Self-Authorizing Security Level can be assigned in an Application Manager Rule to match file execute requests for users, groups or devices.


SHA-1

Secure Hash Algorithm 1.

SID

See Security Identifier.

Time Limits

Settings applied to entries in the Accessible Items and Prohibited Items nodes of an Application Manager Rule which determine day and time ranges when the controls apply.

For example, an entry in the Prohibited Items node of a rule can prevent users from running the local web browser except between the hours of 12pm and 2pm on specific days of the week.

Trusted Ownership

Trusted Ownership checking is a secure method Application Manager uses to prevent users running unauthorized applications. On NTFS formatted drives, files have owners, and Application Manager is configured by default to only allow files to be executed if the file owner is a member of the Trusted Owners list. If a user tries to run a file that is not owned by a trusted owner, the execute request is denied and a message notifies the user. Any files downloaded from the internet or received in email are owned by the user, so those files are not permitted to run unless ownership is held by a member of the Trusted Owners list.

By default, Application Manager blocks execution requests for all applications on non-NTFS formatted drives.

Trusted Vendors

Trusted Vendors are digital certificates signed by trusted sources. Trusted Vendor checking allows applications which fail Trusted Ownership checking to match digital certificates with the Trusted Vendors list.

A list of Trusted Vendors can be defined for each User, Group, Device, Custom and Scripted Rule of the configuration.

Application Manager queries each file execution which fails Trusted Ownership checking to detect the presence of a digital certificate. If the file has a digital certificate which is signed by a certificate authority matching a valid entry in the Trusted Vendor list, the file is allowed to run.

Trusted Vendor matching takes place when a file is prohibited by failing Trusted Ownership checking and Trusted Application checking.
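The glossary entries for Security Level, Trusted Ownership, Digital Signature, Accessible Items, Prohibited Items and Trusted Vendors each describe one input to the agent's execute-request decision. The following is an added example, written for this page and not AppSense code, that models how those inputs combine for a single rule. The file owners, signers, paths and file bytes are constructed sample values, the `Rule`, `ExecRequest`, `authorize` and `evaluate` names are this example's own, and the ordering of checks (Prohibited Items first, then Accessible Items, Trusted Ownership, Trusted Vendors) follows the glossary text; the handling of a prohibited item under the Self-Authorizing level is an assumption of the model and is marked as such.

```python
"""Model of an Application Manager-style execute decision (added example,
not AppSense code). Inputs are constructed; the real agent intercepts
kernel-level execution requests, which this does not do."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ExecRequest:
    path: str                     # full path of the file the user tried to run
    owner: str                    # NTFS owner account of that file
    content: bytes                # file bytes (constructed), hashed for the signature
    signer: Optional[str] = None  # certificate authority that signed the file, if any
    ntfs: bool = True             # False models a file on a non-NTFS volume


@dataclass
class Rule:
    security_level: str           # Restricted | Self-Authorizing | Audit Only | Unrestricted
    trusted_owners: set
    accessible_paths: set = field(default_factory=set)
    accessible_signatures: set = field(default_factory=set)  # SHA-1 hex digests
    prohibited_paths: set = field(default_factory=set)
    prohibited_signatures: set = field(default_factory=set)
    trusted_vendors: set = field(default_factory=set)


def sha1_signature(content: bytes) -> str:
    """Digital signature as the guide defines it: the SHA-1 digest of the file.
    SHA-1 is what the page specifies; a new design should prefer SHA-256."""
    return hashlib.sha1(content).hexdigest()


def authorize(rule: Rule, req: ExecRequest):
    """Decide whether the file is authorized, before the Security Level is
    applied. Returns (authorized, prohibited, reason)."""
    sig = sha1_signature(req.content)
    path = req.path.lower()  # Windows paths are case-insensitive
    # Prohibited Items override settings that would otherwise allow the file;
    # a signature entry still matches after the user renames the file.
    if path in rule.prohibited_paths or sig in rule.prohibited_signatures:
        return False, True, "prohibited item"
    if path in rule.accessible_paths or sig in rule.accessible_signatures:
        return True, False, "accessible item"
    # Trusted Ownership only applies on NTFS, where files have owners.
    if req.ntfs and req.owner in rule.trusted_owners:
        return True, False, "trusted ownership"
    # Trusted Vendors are consulted only after Trusted Ownership fails.
    if req.signer is not None and req.signer in rule.trusted_vendors:
        return True, False, "trusted vendor"
    return False, False, "non-NTFS drive" if not req.ntfs else "owner not trusted"


def evaluate(rule: Rule, req: ExecRequest):
    """Apply the rule's Security Level. Returns (action, audited, reason),
    with action in {'allow', 'deny', 'prompt'}."""
    authorized, prohibited, reason = authorize(rule, req)
    level = rule.security_level
    if level == "Unrestricted":
        return "allow", False, reason   # everything runs, nothing is logged
    if level == "Audit Only":
        return "allow", True, reason    # everything runs, but the event is logged
    if authorized:
        return "allow", True, reason
    # Model assumption: a prohibited item is never offered to a Self-Authorizing
    # user; only otherwise-unauthorized files produce a prompt.
    if level == "Self-Authorizing" and not prohibited:
        return "prompt", True, reason
    return "deny", True, reason


# Constructed sample data for the demonstration.
ADMIN = "BUILTIN\\Administrators"
APPROVED_TOOL = b"constructed bytes of an approved tool"
BANNED_TOOL = b"constructed bytes of a banned tool"


def demo_rule() -> Rule:
    return Rule(
        security_level="Restricted",
        trusted_owners={ADMIN, "NT AUTHORITY\\SYSTEM"},
        accessible_signatures={sha1_signature(APPROVED_TOOL)},
        prohibited_paths={r"c:\apps\banned.exe"},
        prohibited_signatures={sha1_signature(BANNED_TOOL)},
        trusted_vendors={"Example Software CA"},
    )


def demo_requests():
    return {
        "admin_owned": ExecRequest(r"C:\Program Files\Vendor\app.exe", ADMIN, b"app"),
        "user_download": ExecRequest(r"C:\Users\alice\Downloads\setup.exe", "CORP\\alice", b"setup"),
        "user_download_signed": ExecRequest(r"C:\Users\alice\Downloads\tool.exe", "CORP\\alice",
                                            b"tool", signer="Example Software CA"),
        "usb_approved": ExecRequest(r"E:\tools\approved.exe", "", APPROVED_TOOL, ntfs=False),
        "renamed_banned": ExecRequest(r"C:\Users\alice\notes.txt", ADMIN, BANNED_TOOL),
    }


if __name__ == "__main__":
    rule = demo_rule()
    for name, req in demo_requests().items():
        print(f"{name:22s} -> {evaluate(rule, req)}")
```

The `usb_approved` case shows the Digital Signature entry's point that a signature in Accessible Items lets a file on a non-NTFS drive run, and `renamed_banned` shows a Prohibited Items signature blocking a file that is owned by a trusted owner and has been renamed.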

UNC

Universal Naming Convention. This is a NetBIOS naming format for identifying the location of servers, printers, and other resources on a local area network (LAN). Almost all LANs are based on NetBIOS, making a NetBIOS naming format an easy and compatible way to access files and resources across a network.

UNC begins with two backslashes (\\) and takes the form:

\\Computer_name\Share_name


User Rights Management

User Rights Management provides a granular approach to delegating administrative rights to users and applications by assigning rights according to merit. This level of control can be deployed to elevate or restrict privileges on a case by case basis according to the preferred approach taken in the environment.

Wildcards

Both the asterisk (*) and question mark (?) characters can be used in a file or folder path in the Application Manager Console. The asterisk represents one or more characters, excluding the backslash (\) character, whilst the question mark represents exactly one character, excluding the forward slash (/) character. Both wildcard characters can be used in any part of a file path, including the drive letter for local paths.

For example, c:\sample path\test?\*.exe matches all files with the .exe extension in the folders c:\sample path\test1, c:\sample path\test2, ... c:\sample path\testn. But since the question mark can only replace one character, it does not match c:\sample path\test100. The only limitation Application Manager imposes on the use of wildcards is that the asterisk cannot be used to match more than one subdirectory.
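To make the wildcard rules above concrete, here is an added example (written for this page, not AppSense code) that translates an Application Manager-style path pattern into a regular expression using exactly the two rules the glossary states, then checks the guide's own pattern against a set of constructed paths. The function names `wildcard_to_regex` and `path_matches` are this example's own; case-insensitive matching is an assumption based on Windows path semantics, not something the glossary states.

```python
"""Translate Application Manager wildcard paths into regular expressions
(added example, not AppSense code). Rules as stated in the Wildcards entry:
  *  matches one or more characters, excluding the backslash (\\)
  ?  matches exactly one character, excluding the forward slash (/)
Assumption: Windows paths compare case-insensitively."""
import re


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a path pattern containing * and ? into an anchored regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(r"[^\\]+")   # one or more chars, cannot cross a backslash
        elif ch == "?":
            parts.append(r"[^/]")     # exactly one char, cannot be a forward slash
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def path_matches(pattern: str, path: str) -> bool:
    """True if the full path matches the wildcard pattern."""
    return wildcard_to_regex(pattern).match(path) is not None


def matching_paths(pattern: str, paths):
    """Return the subset of paths that the pattern matches."""
    return [p for p in paths if path_matches(pattern, p)]


# Constructed sample paths exercising each rule from the glossary.
SAMPLE_PATHS = [
    r"c:\sample path\test1\setup.exe",       # matches
    r"c:\sample path\test2\Tool.EXE",        # matches (case-insensitive)
    r"c:\sample path\test100\setup.exe",     # '?' cannot stand for three characters
    r"c:\sample path\test1\sub\setup.exe",   # '*' cannot span a second subdirectory
    r"c:\sample path\test1\notes.txt",       # wrong extension
]

GUIDE_PATTERN = r"c:\sample path\test?\*.exe"

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:40s} {path_matches(GUIDE_PATTERN, p)}")
```

Because the glossary defines the asterisk as one or more characters, the pattern `*.exe` does not match a file named exactly `.exe`; a file path check that relies on a "zero or more" reading would behave differently.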