Policies and templates
A policy is made up of one or more items from the following groups. Each of these groups can be a node in Endpoint Privilege Management Settings:
- Workstyles: A Workstyle is part of a policy. It's used to assign Application Rules for users. You can create Workstyles by using the WorkStyle Wizard or by importing them.
- Application Groups: Application Groups are used by Workstyles to group applications together to apply certain Endpoint Privilege Management for Windows behavior.
- Content Groups: Content groups are used by Workstyles to group content together to apply certain Endpoint Privilege Management for Windows behavior.
- Messages: Messages are used by Workstyles to provide information to the end user when Endpoint Privilege Management for Windows has applied certain behavior that you've defined and need to notify the end user.
- Custom Tokens: Custom tokens are used by Workstyles to assign custom privileges to content or Application Groups.
Users
Disconnected users are fully supported by Endpoint Privilege Management. When receiving policies from McAfee ePO, Endpoint Privilege Management automatically caches all the information required to work offline, so the settings are still applied if the client is not connected to the corporate network. Any changes made to the policy do not propagate to the disconnected computer until the McAfee Agent reestablishes a connection to the ePO Server.
Policies
Policies are applied to one or more endpoints. The Policy Summary screen shows summaries of the number of Workstyles, Application Groups, target URL groups, target Content Groups, messages, tokens, and licenses in the policy. For a blank policy, all summaries are zero.
Each item summary includes an Edit button for that item, which lets you jump to that section of the policy.
Endpoint Privilege Management incorporates an autosave, autosave recovery, and concurrent edit awareness feature to reduce the risk or impact of data loss and prevent multiple users from overwriting individual policies.
A template is a configuration that is merged with your existing policy. A template also consists of any number of Workstyles, Application Groups, Content Groups, messages, and custom tokens.
Edit group policy
To edit policy, we recommend you use the Group Policy Management snap-in. Once you install the Endpoint Privilege Management Policy Editor, the Endpoint Privilege Management for Windows settings are available in the Group Policy Management snap-in. The Group Policy Management snap-in can be accessed from the Microsoft Management Console or Group Policy Management editor.
Note
If you want to create local policy to administer your endpoints, you can use the Endpoint Privilege Management snap-in in the Microsoft Management Console or the Local Group Policy Editor. This creates a local policy only.
Templates can be imported into your Endpoint Privilege Management settings. You can choose to merge them into your existing policy; otherwise, the template overwrites your existing policy.
Note
Be careful when merging policies with production policies. If No is selected, then the existing policy settings and license information are removed. If Yes is selected, then the template is added to the existing policy.
Privilege Management settings
Right-click the Privilege Management Settings node to access the following commands.
You can click Tools in the right-hand panel to access the Response Code Generator.
By default, Auto Commit Settings is selected. This means any changes are saved and applied using Group Policy. Alternatively, you can clear Auto Commit Settings and select Commit Settings when you specifically want those settings to apply.
Create
Creates a policy. This will delete any existing policy for all operating systems. If you have an existing policy, you are prompted to remove all existing settings when you click Create. Click Yes to delete your existing policy and create a new one or No to keep your existing policy.
Delete
Deletes your existing policy. You are prompted to remove all existing settings when you click Delete. Click Yes to delete your existing policy or No to keep your existing policy.
Delete items and conflict resolution
Some items in Privilege Management Settings are referenced in other areas, such as Application Groups and Messages. These items can be deleted at any time, and if they are not referenced elsewhere, they delete without any further action required.
When an item is deleted, the Policy Editor checks for any conflicts which may need to be resolved. If the item you attempt to delete is already in use elsewhere in your settings, then a conflict will be reported and must be resolved.
You can review each detected conflict and observe the automatic resolution which will take place if you proceed. If more than one conflict is reported, use the Next conflict and Previous conflict links to move between conflicts.
If you want to proceed, click Resolve All to remove the item from the areas of your Privilege Management Settings where it is currently in use.
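The delete and conflict-resolution behaviour described above, modelled as an added Python example (illustrative code, not BeyondTrust's Policy Editor implementation): an item that nothing references is deleted outright, an item in use produces one conflict per referencing Application Rule, and Resolve All removes the item from every place it is used. The policy structure, the item names and the choice to drop a rule whose Application Group is deleted (while a rule whose Message is deleted simply loses its message) are assumptions.

```python
"""Reference check before deleting a policy item.

Added illustrative example; not BeyondTrust Policy Editor code. An item such as a
Message or an Application Group may be referenced by Application Rules inside
Workstyles. Deleting a referenced item yields one conflict per referencing rule,
and Resolve All removes the item from every place it is used. The policy model
below is a constructed simplification.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ApplicationRule:
    workstyle: str
    app_group: str                 # every rule targets exactly one Application Group
    message: Optional[str] = None  # optional end user message shown on match


@dataclass
class Policy:
    app_groups: set = field(default_factory=set)
    messages: set = field(default_factory=set)
    rules: list = field(default_factory=list)


def find_conflicts(policy, kind, name):
    """Return the rules that still reference item `name` of type `kind`."""
    if kind == "app_group":
        return [r for r in policy.rules if r.app_group == name]
    if kind == "message":
        return [r for r in policy.rules if r.message == name]
    raise ValueError(f"unknown item kind: {kind}")


def delete_item(policy, kind, name, resolve_all=False):
    """Delete `name`. If it is in use and resolve_all is False, nothing changes and
    the conflicts are returned for review. With resolve_all=True the references
    are removed first (assumption: a rule whose Application Group is deleted is
    dropped because it has no target left; a rule whose Message is deleted keeps
    running without a message)."""
    conflicts = find_conflicts(policy, kind, name)
    if conflicts and not resolve_all:
        return conflicts
    for rule in conflicts:
        if kind == "message":
            rule.message = None
        else:
            policy.rules.remove(rule)
    target = policy.app_groups if kind == "app_group" else policy.messages
    target.discard(name)
    return conflicts


def build_sample_policy():
    """Constructed sample: three rules across three Workstyles."""
    policy = Policy(
        app_groups={"Block - Blocked Apps", "Authorize - High Flexibility",
                    "Passive - Allowed Functions & Apps"},
        messages={"Block Message", "Allow Message (Yes / No)"},
    )
    policy.rules = [
        ApplicationRule("All Users", "Block - Blocked Apps", "Block Message"),
        ApplicationRule("High Flexibility", "Authorize - High Flexibility",
                        "Allow Message (Yes / No)"),
        ApplicationRule("Medium Flexibility", "Authorize - High Flexibility",
                        "Block Message"),
    ]
    return policy
```

Calling `delete_item(policy, "message", "Block Message")` on the sample returns the two referencing rules and changes nothing, which is the review step; repeating the call with `resolve_all=True` is the Resolve All action.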
Export
Policies can be imported to and exported from Group Policy as XML files, in a format common to other editions of Endpoint Privilege Management, such as the Endpoint Privilege Management ePO Extension. This allows for policies to be migrated and shared between different deployment mechanisms.
To export a policy, click Export and give the file a name. Click Save.
Import
To import a policy, click Import, navigate to the policy XML, and click Open.
Import template
Allows you to import template policies.
Save report
You can obtain a report of your policy which can be saved locally, if required.
Set challenge/response shared key
This allows you to set the Challenge/Response Shared Key for the policy. This is encrypted once you have set it. This key is then required by the challenge/response generator to generate response codes. The only way to change the Challenge/Response Shared Key is by setting a new one.
Show hidden groups
You can show or hide Application Groups.
To show groups that have been hidden by default, right-click on the Privilege Management Settings node and select Show Hidden Groups. You can hide the groups again by clearing Show Hidden Groups.
View
This allows you to view the Workstyles Editor (default).
License
Endpoint Privilege Management for Windows and Mac requires a valid license code to be entered in the Policy Editor. If multiple policies are applied to an endpoint, you need at least one valid license code for one of those policies.
For example, you could add the license to a policy that is applied to all managed endpoints, even if it doesn't have any Workstyles. This ensures all endpoints receive a valid license if they have Endpoint Privilege Management for Windows and Mac installed. If you are unsure, then we recommend you add a valid license when you create the policy.
To insert a license:
- Click No License to enter a license code if one doesn't already exist, or Valid License if you want to enter an additional license code.
- Paste your Endpoint Privilege Management for Mac license code and click Add. The license details are shown.
Response code generator
The Response Code Generator allows you to generate a response code using the PGChallengeResponseUI utility.
To generate a response code from Privilege Management Settings:
- Click the Tools link from the right-hand panel of Privilege Management Settings.
- Click Launch Response Code Generator.
- Enter your shared key and the challenge code. The response code is shown in the third text field.
Templates (macOS)
QuickStart for macOS
The QuickStart for macOS policy contains Workstyles, Application Groups, and Messages configured with Endpoint Privilege Management for Mac and Application Control. The QuickStart policy has been designed from BeyondTrust’s experiences of implementing the solution across thousands of customers, and is intended to balance security with user freedom. As every environment is different, we recommend you thoroughly test this configuration to ensure it complies with the requirements of your organization.
This template policy contains the following elements:
Workstyles
- All Users
- High Flexibility
- Medium Flexibility
- Low Flexibility
Application Groups
- (Default) Any Application
- (Default) Any Authorization Prompt
- (Default) Any Signed Authorization Prompt
- (Default) Any Sudo Command
- (Default) Any Trusted & Signed Authorization Prompt
- (Default) Authorize - Delete from /Applications
- (Default) Authorize - Install to /Applications
- (Default) Authorize - System Trusted
- (Default) Passive - System Trusted
- (Default) Endpoint Privilege Management Tools
- (Recommended) Restricted Functions
- Authorize - All Users (Business Apps)
- Authorize - All Users (macOS Functions)
- Authorize - High Flexibility
- Authorize - Medium Flexibility
- Authorize - Low Flexibility
- Block - Blocked Apps
- Passive - Allowed Function & Apps
- Passive - High Flexibility (Business Apps)
- Passive - Low Flexibility (Business Apps)
- Passive - Medium Flexibility (Business Apps)
Messages
- Allow Message (Authentication & Reason)
- Allow Message (Support Desk)
- Allow Message (Yes / No)
- Allow Message (select Reason)
- Block Message
QuickStart policy summary
By using and building on the QuickStart policy, you can quickly improve your organization's security without having to monitor and analyze your users' behavior first and then design and create your Endpoint Privilege Management for Mac configuration.
After the QuickStart policy has been deployed to groups within your organization, you can start to gather information on your users' behavior. This will provide you with a better understanding of the applications being used within your organization, and whether they require admin rights, need to be blocked, or need authorization for specific users.
This data can then be used to further refine the QuickStart policy to provide a more tailored Endpoint Privilege Management for Mac solution for your organization.
Workstyles
The QuickStart policy contains four Workstyles that should be used together to manage all users in your organization.
All users
This Workstyle contains a set of default rules that apply to all standard users regardless of what level of flexibility they need.
The All Users Workstyle contains rules to:
- Block any applications that are in the Block Applications group.
- Allow BeyondTrust Support tools.
- Allow approved standard user applications to run passively.
- Allow and authorize the install and delete of bundles to the /Applications/ directory.
High flexibility
This Workstyle is designed for users that require a lot of flexibility such as developers.
The High Flexibility Workstyle contains rules to:
- Allow known allowed business applications and operating system functions to run.
- Allow users to run signed applications with admin rights.
- Allow users to run unknown applications with admin rights once they have confirmed the application should be elevated.
- Allow unknown business application and operating system functions to run on-demand.
Medium flexibility
This Workstyle is designed for users that require some flexibility such as sales engineers.
The Medium Flexibility Workstyle contains rules to:
- Allow known allowed business applications and operating system functions to run.
- Allow users to run signed applications with admin rights once they have confirmed the application should be elevated.
- Prompt users to provide a reason before they can run unknown applications with admin rights.
- Allow unknown business application and operating system functions to run on-demand.
- Restricted OS functions that require admin rights are prevented and require support interaction.
Low flexibility
This Workstyle is designed for users that don't require much flexibility such as helpdesk operators.
The Low Flexibility Workstyle contains rules to:
- Prompt users to contact support if a trusted or untrusted application requests admin rights.
- Prompt users to contact support if an unknown application tries to run with support authorization.
- Allow known approved business applications and operating system functions to run.
Workstyle parameters
You can customize text and strings used for end user messaging and auditing.
Parameters are identified as any string surrounded by brackets ([ ]), and if detected, the Endpoint Privilege Management client attempts to expand the parameter. If successful, the parameter is replaced with the expanded property. If unsuccessful, the parameter remains part of the string. The table below shows a summary of available parameters.
Parameter | Description |
---|---|
[PG_APP_DEF] | The name of the Application Rule that matched the application |
[PG_APP_GROUP] | The name of the Application Group that contained a matching Application Rule |
[PG_COMPUTER_NAME] | The NetBIOS name of the host computer |
[PG_PROG_CMD_LINE] | The command line of the application being run |
[PG_PROG_NAME] | The program name of the application |
[PG_PROG_PATH] | The full path of the application file |
[PG_PROG_PROD_VERSION] | The product version of the application being run |
[PG_PROG_PUBLISHER] | The publisher of the application |
[PG_PROG_TYPE] | The type of application being run |
[PG_WORKSTYLE_NAME] | The name of the Workstyle |
Application Groups
- (Default) Any Application: Contains all application types and is used as a catch-all for unknown applications.
- (Default) General - Any Authorization Prompt: This group contains application types that request admin rights regardless of trust or code signature.
- (Default) General - Any Signed Authorization Prompt: This group contains application types that request admin rights and meet macOS code signature requirements.
- (Default) General - Any Trusted & Signed Authorization Prompt: This group contains macOS built-in applications that request admin rights and meet macOS code signature requirements.
- (Default) Passive - System Trusted: This group contains system applications that are allowed for all users.
- (Default) Authorize - System Trusted: This group contains system applications requiring authorization that are allowed for all users.
- (Default) Any Sudo Commands: Contains all sudo commands and is used as a catch-all for unknown sudo commands.
- (Default) Privilege Management Tools: Contains BeyondTrust binaries and application bundles used to gather logging or otherwise modify Endpoint Privilege Management for Mac settings.
- (Default) Authorize - System Trusted: Contains operating system functions that are authorized for all users.
- (Recommended) Restricted Functions: This group contains OS functions that are used for system administration and trigger an authorization prompt when they are executed.
- Authorize - All Users (Business Apps): Contains applications such as line-of-business applications that are authorized for all users, regardless of their flexibility level.
- Authorize - All Users (macOS Functions): This group is designed to contain system preferences and other built-in macOS functions that trigger an authorization prompt when they are executed, regardless of the user's flexibility level.
- Authorize - High Flexibility: Contains the applications that require authorization that should only be provided to high flexibility users.
- Authorize - Low Flexibility: Contains the applications that require authorization that should only be provided to low flexibility users.
- Authorize - Medium Flexibility: Contains the applications that require authorization that should only be provided to medium flexibility users.
- Block - Blocked Apps: This group contains applications that are blocked for all users.
- Passive - Allowed Functions & Apps: This group contains applications that are allowed for all users.
- Passive - High Flexibility (Business Apps): This group contains applications that are allowed for High Flexibility users without providing admin authorization.
- Passive - Low Flexibility (Business Apps): This group contains applications that are allowed for Low Flexibility users without providing admin authorization.
- Passive - Medium Flexibility (Business Apps): This group contains applications that are allowed for Medium Flexibility users without providing admin authorization.
Messages
The following messages are created as part of the QuickStart policy and are used by some of the Application Rules:
- Allow Authorize (Authentication & Reason): Asks the user to enter their password and provide a reason before the application is authorized to run.
- Allow Message (Yes / No): Asks the user to confirm that they want to proceed to authorize an application to run.
- Allow Message (Select Reason): Asks the user to select a reason from a drop-down list before the application is authorized to run.
- Allow Message (Support Desk): Presents the user with a challenge code and asks them to obtain authorization from the support desk. Support can either provide a response code or a designated, authorized user can enter their login details to approve the request.
- Block Message: Warns the user that an application has been blocked.
Multiple Mac policies
For Mac estates being managed by ePO, multiple policies being applied simultaneously is supported, for example:
- epo.xml
- epo001.xml
- epo002.xml
In the example above, if the policy precedence is set for ePO policies, rules processing first checks the rules in epo.xml. If no rule is found for the process in this policy, it goes through epo001.xml. Each policy is processed in alpha-numeric/C locale order. This continues until the process hits a rule or dppolicyserverd reads all of the policies without finding a match.
If multiple policies are loaded, only one of them requires an Endpoint Privilege Management for Mac license. We recommend you do not use multiple licenses in this configuration. Each policy can have a different Challenge-Response key.
Copied and pasted policies with altered rules are still processed; the dppolicyserverd log records whether it replaced GUIDs when loading a duplicate into memory.
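The multi-policy lookup described above, as an added Python example (illustrative code, not the dppolicyserverd implementation). It assumes that "alpha-numeric/C locale order" means plain byte-value ordering, which is what makes epo.xml ('.' is 0x2E) sort before epo001.xml ('0' is 0x30); the same ordering puts an uppercase Epo.xml before both and epo10.xml before epo2.xml, which is worth knowing before naming a policy that is meant to be consulted first. The policy files, their rules and the exact-path matching model are constructed simplifications.

```python
"""First-match rule lookup across several ePO policy files.

Added illustrative example; not BeyondTrust code. Policies are consulted in
C-locale (byte-value) order and the first file that has a rule for the process
wins; later files are never reached for that process. SAMPLE_POLICIES is a
constructed mapping of file name -> {process path: action}.
"""


def c_locale_sort(names):
    """Sort file names by byte value, which is what a C-locale strcmp does.
    Note that uppercase sorts before lowercase and '10' sorts before '2'."""
    return sorted(names, key=lambda n: n.encode("utf-8"))


def resolve(policies, process_path):
    """Walk the policies in C-locale order and return (file, action) for the
    first rule that matches `process_path`, or None when nothing matches."""
    for name in c_locale_sort(policies):
        rules = policies[name]
        if process_path in rules:
            return name, rules[process_path]
    return None


def explain(policies, process_path):
    """Return the files checked, in order, up to and including the match;
    useful when a rule in a later policy is unexpectedly never applied."""
    checked = []
    for name in c_locale_sort(policies):
        checked.append(name)
        if process_path in policies[name]:
            break
    return checked


SAMPLE_POLICIES = {  # constructed sample data
    "epo002.xml": {"/usr/bin/sudo": "block", "/Applications/Xcode.app": "passive"},
    "epo001.xml": {"/usr/bin/sudo": "authorize"},
    "epo.xml": {"/usr/sbin/installer": "authorize"},
}
```

In the sample, the rule for /usr/bin/sudo in epo002.xml is dead: epo001.xml is read first and already has a rule for that process, so the block in epo002.xml never applies.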
Application templates
Endpoint Privilege Management for Mac ships with some standard application templates to simplify the definition of applications that are part of the operating system. The standard application templates are split into categories:
- System Preference Panes
- Bundles
- Binaries
Each category then has a list of applications for that category. Picking an application prepopulates the application definition with the appropriate information.
Add Endpoint Privilege Management for Mac settings to a Mac client computer
Endpoint Privilege Management for Mac settings are stored in the file /etc/defendpoint/local.xml, and can be overwritten with an exported XML file from the MMC. To prevent any invalid permissions being applied, we recommend this file be replaced using the following command. In this example, the source XML file is located on your Desktop:
sudo cp ~/Desktop/local.xml /etc/defendpoint/local.xml
Endpoint Privilege Management for Mac will apply the new settings immediately, and does not require a restart.
Note
If all policies are deleted, the local.xml policy is regenerated. The regenerated local.xml policy will not contain any license or rules.
Sudo command arguments
The following arguments are not supported by Endpoint Privilege Management for Mac when you're using sudo:
Option (single dash) | Option (double dash) | Description |
---|---|---|
-A | --askpass | use a helper program for password prompting |
-C num | --close-from=num | close all file descriptors >= num |
-E | --preserve-env | preserve user environment when running command |
-g group | --group=group | run command as the specified group name or ID |
-H | --set-home | set HOME variable to target user's home dir |
-h host | --host=host | run command on host (if supported by plugin) |
-K | --remove-timestamp | remove timestamp file completely |
-k | --reset-timestamp | invalidate timestamp file |
-l | --list | list user's privileges or check a specific command; use twice for longer format |
-n | --non-interactive | non-interactive mode, no prompts are used |
-P | --preserve-groups | preserve group vector instead of setting to target's |
-p prompt | --prompt=prompt | use the specified password prompt |
-U user | --other-user=user | in list mode, display privileges for user |
-u user | --user=user | run command (or edit file) as specified user name or ID |
-v | --validate | update user's timestamp without running a command |
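An added Python example (illustrative code, not BeyondTrust's) that audits a sudo command line against the table above, so scripts and wrappers can be checked for unsupported options before rollout. It walks the argv of a sudo invocation up to the command and reports each unsupported option it finds, handling clustered short flags such as -kE and the value-taking options from the table (-C num, -g group, -h host, -p prompt, -U user, -u user) in both attached and separate forms. The supported value-taking options from sudo(8) (-D, -R, -r, -T, -t and their long forms) are recognised only so their values are not mistaken for flags; that list is an assumption about the sudo version in use.

```python
"""Audit a sudo command line for options the page lists as unsupported.

Added illustrative example; not BeyondTrust code. The tables are copied from the
page; SUPPORTED_*_WITH_VALUE lists options documented in sudo(8) that take a
value and are included only so their values are skipped rather than scanned.
"""
import shlex

# Unsupported options from the table: option -> takes a value?
UNSUPPORTED_SHORT = {
    "A": False, "C": True, "E": False, "g": True, "H": False, "h": True,
    "K": False, "k": False, "l": False, "n": False, "P": False, "p": True,
    "U": True, "u": True, "v": False,
}
UNSUPPORTED_LONG = {
    "askpass": False, "close-from": True, "preserve-env": False, "group": True,
    "set-home": False, "host": True, "remove-timestamp": False,
    "reset-timestamp": False, "list": False, "non-interactive": False,
    "preserve-groups": False, "prompt": True, "other-user": True,
    "user": True, "validate": False,
}
# Supported options that also take a value, per sudo(8); their values are skipped.
SUPPORTED_SHORT_WITH_VALUE = {"D", "R", "r", "T", "t"}
SUPPORTED_LONG_WITH_VALUE = {"chdir", "chroot", "role", "command-timeout", "type"}


def unsupported_sudo_options(argv):
    """Return the unsupported options used before the command, in argv order,
    rendered as '-u root' or '--user=root' so the parsed value is visible."""
    if not argv or argv[0] != "sudo":
        raise ValueError("expected argv starting with 'sudo'")
    found = []
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg == "--":                       # explicit end of sudo options
            break
        if arg.startswith("--"):
            name, _, value = arg[2:].partition("=")
            if name in UNSUPPORTED_LONG:
                if UNSUPPORTED_LONG[name] and not value and i + 1 < len(argv):
                    i += 1
                    value = argv[i]
                found.append(f"--{name}={value}" if value else f"--{name}")
            elif name in SUPPORTED_LONG_WITH_VALUE and not value:
                i += 1                        # skip the supported option's value
        elif arg.startswith("-") and len(arg) > 1:
            j = 1
            while j < len(arg):               # clustered short options, e.g. -kE
                letter = arg[j]
                takes_value = UNSUPPORTED_SHORT.get(letter)
                if takes_value is None:
                    if letter in SUPPORTED_SHORT_WITH_VALUE:
                        if not arg[j + 1:] and i + 1 < len(argv):
                            i += 1            # value is the next argument
                        break                 # value consumed the rest of cluster
                    j += 1                    # supported flag without value
                    continue
                if takes_value:
                    value = arg[j + 1:]
                    if not value and i + 1 < len(argv):
                        i += 1
                        value = argv[i]
                    found.append(f"-{letter} {value}")
                    break
                found.append(f"-{letter}")
                j += 1
        else:
            break                             # first non-option word is the command
        i += 1
    return found


def check_command_line(line):
    """Same check for a shell-style string, e.g. a line from a wrapper script."""
    return unsupported_sudo_options(shlex.split(line))
```

Options that appear after the command (for example the -l in `sudo -r role1 ls -l`) belong to the command, not to sudo, and are correctly ignored.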
Use Centrify
If you are using Centrify to bind macOS endpoints to Active Directory, contact BeyondTrust Technical Support for assistance.
Templates (Windows)
The QuickStart for Windows policy contains Workstyles, Application Groups, messages, and custom tokens configured with Endpoint Privilege Management and Application Control. The QuickStart policy is designed from BeyondTrust’s experiences of implementing the solution across thousands of customers, and is intended to balance security with user freedom. As every environment is different, we recommend you thoroughly test this configuration to ensure it complies with the requirements of your organization.
Important
As of release 5.5, all releases of this product are signed with BeyondTrust Corporation, rather than Avecto, as the software publisher name. If prior to 5.5 you used the QuickStart Policy Template as a starting point, it is likely that your configuration will include Application Groups which target our own applications based on a publisher match to Avecto. An upgrade to 5.5 or beyond requires you to update your configuration so that it continues to match the versions of the applications and tools that you use. We recommend one of the following two options:
Option 1: Add a copy of any existing application definitions which target Avecto and update those copies to target BeyondTrust Corporation instead; the presence of both sets of application definitions ensures they continue to match both new and existing versions during the implementation of 5.5. This option has an advantage over Option 2, in that it also targets any application definitions that you may have created yourself that target the Avecto publisher.
Option 2: You may copy fragments of the QuickStart policies in version 5.5 to your existing application definitions.
For either option, it is critical that you roll out your configuration changes before you update your Endpoint Privilege Management for Windows software to version 5.5 or later.
This template policy contains the following elements:
Workstyles
- All Users
- High Flexibility
- Medium Flexibility
- Low Flexibility
Application groups
- Add Admin - All Users (Business Apps)
- Add Admin - All Users (Windows Functions)
- Add Admin - High Flexibility
- Add Admin - Medium Flexibility
- Add Admin - Low Flex (added)
- Add Admin - Protected Operations
- Allow - Allowed Functions & Apps
- Block - Blocked Apps
- Passive - High Business Apps
- Passive - Medium Business Apps
- Passive - Low Business Apps
- Passive - All Users Functions & Apps
Hidden application groups
- (Default) Any Application
- (Default) Any Trusted & Signed UAC Prompt
- (Default) Any UAC Prompt
- (Default) Endpoint Privilege Management Tools
- (Default) Child Processes of TraceConfig.exe
- (Default) Signed UAC Prompt
- (Default) Software Deployment Tool Installs
- (Recommended) Restricted Functions
- (Recommended) Restricted Functions (On-Demand)
- (Default) Trusted Parent Processes
Messages
- Allow Message (Authentication & Reason)
- Allow Message (Select Reason)
- Allow Message (Support Desk)
- Allow Message (Yes / No)
- Block Message
- Block Notification
- Notification (Trusted)
Custom tokens
- BeyondTrust Support Token
QuickStart policy summary
By using and building on the QuickStart policy, you can quickly improve your organization's security without having to monitor and analyze your users' behavior first and then design and create your Endpoint Privilege Management for Windows configuration.
After the QuickStart policy is deployed to groups within your organization, you can start to gather information on your users' behavior. This provides you with a better understanding of the applications used within your organization, and whether they require admin rights, need to be blocked, or need authorizing for specific users.
This data can then be used to further refine the QuickStart policy to provide a more tailored Endpoint Privilege Management for Windows solution for your organization.
Workstyles
The QuickStart policy contains five Workstyles that should be used together to manage all users in your organization.
All users
This Workstyle contains a set of default rules that apply to all standard users regardless of the level of flexibility they need.
The All Users Workstyle contains rules to:
- Block any applications in the Block - Blocklisted Apps group
- Allow Endpoint Privilege Management for Windows Support tools
- Allow standard Windows functions, business applications, and applications installed through trusted deployment tools to run with admin rights
- Allow approved standard user applications to run passively
High flexibility
This Workstyle is designed for users that require a lot of flexibility, such as developers.
The High Flexibility Workstyle contains rules to:
- Allow known business applications and operating system functions to run.
- Allow users to run signed applications with admin rights.
- Allow users to run unknown applications with admin rights once they confirm that the application should be elevated.
- Allow applications that are in the Add Admin - High Flexibility group to run with admin rights.
- Allow unknown business application and operating system functions to run on-demand.
Medium flexibility
This Workstyle is designed for users that require some flexibility, such as sales engineers.
The Medium Flexibility Workstyle contains rules to:
- Allow known business applications and operating system functions to run.
- Allow users to run signed applications with admin rights once they confirm that the application should be elevated.
- Prompt users to provide a reason before they can run unknown applications with admin rights.
- Allow applications that are in the Add Admin - Medium Flexibility group to run with admin rights.
- Allow unknown business application and operating system functions to run on-demand.
- Restricted OS functions that require admin rights are prevented and require support interaction.
Low flexibility
This Workstyle is designed for users that don't require much flexibility, such as helpdesk operators.
The Low Flexibility Workstyle contains rules to:
- Prompt users to contact support if a trusted or untrusted application requests admin rights.
- Prompt users to contact support if an unknown application tries to run.
- Allow known approved business applications and operating system functions to run (Windows only).
Workstyle parameters
The Endpoint Privilege Management for Windows settings include a number of features allowing customization of text and strings used for end user messaging and auditing. If you want to include properties relating to the settings applied, the application being used, the user, or the installation of Endpoint Privilege Management for Windows, then parameters may be used which are replaced with the value of the variable at runtime.
Parameters are identified as any string surrounded by brackets ([ ]), and if detected, the Endpoint Privilege Management client attempts to expand the parameter. If successful, the parameter is replaced with the expanded property. If unsuccessful, the parameter remains part of the string. The table below shows a summary of all available parameters and where they are supported.
Parameter | Description |
---|---|
[PG_ACTION] | The action which the user performed from an end user message |
[PG_AGENT_VERSION] | The version of Endpoint Privilege Management for Windows |
[PG_APP_DEF] | The name of the Application Rule that matched the application |
[PG_APP_GROUP] | The name of the Application Group that contained a matching Application Rule |
[PG_AUTH_METHODS] | Lists the authentication and/or authorization methods used to allow the requested action to proceed |
[PG_AUTH_USER_DOMAIN] | The domain of the designated user who authorized the application |
[PG_AUTH_USER_NAME] | The account name of the designated user who authorized the application |
[PG_COM_APPID] | The APPID of the COM component being run |
[PG_COM_CLSID] | The CLSID of the COM component being run |
[PG_COM_NAME] | The name of the COM component being run |
[PG_COMPUTER_DOMAIN] | The name of the domain that the host computer is a member of |
[PG_COMPUTER_NAME] | The NetBIOS name of the host computer |
[PG_CONTENT_DEF] | The definition name of the matching content |
[PG_CONTENT_FILE_DRIVE_TYPE] | The drive type of the matching content |
[PG_CONTENT_FILE_HASH] | The SHA-1 hash of the matching content |
[PG_CONTENT_FILE_IE_ZONE] | The Internet Zone of the matching content |
[PG_CONTENT_FILE_NAME] | The file name of the matching content |
[PG_CONTENT_FILE_OWNER] | The owner of the matching content |
[PG_CONTENT_FILE_PATH] | The full path of the matching content |
[PG_CONTENT_GROUP] | The group name of a matching content definition |
[PG_DOWNLOAD_URL] | The full URL from which an application was downloaded |
[PG_DOWNLOAD_URL_DOMAIN] | The domain from which an application was downloaded |
[PG_EVENT_TIME] | The date and time that the policy matched |
[PG_EXEC_TYPE] | The type of execution method: Application Rule or shell rule |
[PG_GPO_DISPLAY_NAME] | The display name of the GPO (Group Policy Object) |
[PG_GPO_NAME] | The name of the GPO that contained the matching policy |
[PG_GPO_VERSION] | The version number of the GPO that contained the matching policy |
[PG_IDP_AUTH_USER_NAME] | The value given by the Identity Provider as the user who successfully authenticated to allow the requested action to proceed. Maps to the OIDC "email" scope. |
[PG_MESSAGE_NAME] | The name of the custom message that was applied |
[PG_MSG_CHALLENGE] | The 8 digit challenge code presented to the user |
[PG_MSG_RESPONSE] | The 8 digit response code entered by the user |
[PG_PROG_CLASSID] | The ClassID of the ActiveX control |
[PG_PROG_CMD_LINE] | The command line of the application being run |
[PG_PROG_DRIVE_TYPE] | The type of drive where application is being executed |
[PG_PROG_FILE_VERSION] | The file version of the application being run |
[PG_PROG_HASH] | The SHA-1 hash of the application being run |
[PG_PROG_HASH_SHA256] | The SHA-256 hash of the application being run |
[PG_PROG_NAME] | The program name of the application |
[PG_PROG_PARENT_NAME] | The file name of the parent application |
[PG_PROG_PARENT_PID] | The process identifier of the parent of the application |
[PG_PROG_PATH] | The full path of the application file |
[PG_PROG_PID] | The process identifier of the application |
[PG_PROG_PROD_VERSION] | The product version of the application being run |
[PG_PROG_PUBLISHER] | The publisher of the application |
[PG_PROG_TYPE] | The type of application being run |
[PG_PROG_URL] | The URL of the ActiveX control |
[PG_SERVICE_ACTION] | The action performed on the matching service |
[PG_SERVICE_DISPLAY_NAME] | The display name of the Windows service |
[PG_SERVICE_NAME] | The name of the Windows service |
[PG_STORE_PACKAGE_NAME] | The package name of the Windows Store App |
[PG_STORE_PUBLISHER] | The package publisher of the Windows Store app |
[PG_STORE_VERSION] | The package version of the Windows Store app |
[PG_TOKEN_NAME] | The name of the built-in token or Custom Token that was applied |
[PG_USER_DISPLAY_NAME] | The display name of the user |
[PG_USER_DOMAIN] | The name of the domain that the user is a member of |
[PG_USER_NAME] | The account name of the user |
[PG_USER_REASON] | The reason entered by the user |
[PG_USER_SID] | The SID of the user |
[PG_WORKSTYLE_NAME] | The name of the Workstyle |
Application Groups
The Application Groups that are prefixed with (Default) or (Recommended) are hidden by default and do not need to be altered.
- Add Admin – General (Business Apps): Contains applications that are approved for elevation for all users, regardless of their flexibility level.
- Add Admin – General (Windows Functions): Contains operating system functions that are approved for elevation for all users.
- Add Admin – High Flexibility: Contains the applications that require admin rights that should only be provided to the high flexibility users.
- Add Admin – Low Flexibility: Contains the applications that require admin rights that should only be provided to the low flexibility users.
- Add Admin – Medium Flexibility: Contains the applications that require admin rights that should only be provided to the medium flexibility users.
- Add Admin – Protected Operations: Contains the applications that require admin rights that should only be provided to the protected operations users.
- Passive - High Business Apps
- Passive - Medium Business Apps
- Passive - Low Business Apps
- Block - Blocklisted Apps: This group contains applications that are blocked for all users.
- Passive - All Users Functions & Apps: Contains trusted applications, tasks and scripts that should execute as a standard user.
- (Default) Any Application: Contains all application types and is used as a catch-all for unknown applications.
- (Default) Any Trusted & Signed UAC Prompt: Contains signed (trusted ownership) application types that request admin rights.
- (Default) Any UAC Prompt: This group contains application types that request admin rights.
- (Default) Endpoint Privilege Management Tools: This group is used to provide access to a BeyondTrust executable that collects Endpoint Privilege Management for Windows troubleshooting information.
- (Default) Child Processes of TraceConfig.exe
- (Default) Signed UAC Prompt: Contains signed (trusted ownership) application types that request admin rights.
- (Recommended) Restricted Functions: This group contains OS applications and consoles that are used for system administration and trigger UAC when they are executed.
- (Recommended) Restricted Functions (On Demand): This group contains OS applications and consoles that are used for system administration.
- (Default) Trusted Parent Processes
Messages
The following messages are created as part of the QuickStart policy and are used by some of the Application Rules:
- Allow Message (Authentication): Asks the user to provide a reason and enter their password before the application runs with admin rights.
- Allow Message (Select Reason): Asks the user to select a reason from a dropdown menu before the application runs with admin rights.
- Allow Message (Support Desk): Presents the user with a challenge code and asks them to obtain authorization from the support desk. Support can either provide a response code or a designated, authorized user can enter their login details to approve the request.
- Allow Message (Yes / No): Asks the user to confirm that they want to proceed to run an application with admin rights.
- Block Message: Warns the user that an application has been blocked.
- Block Notification: Notifies the user that an application has been blocked and submitted for analysis.
- Notification (Trusted): Notifies the user that an application has been trusted.
Custom token
A custom token is created as part of the QuickStart policy. The custom token is called Endpoint Privilege Management Support Token and is only used to ensure an authorized user can gain access to Endpoint Privilege Management for Windows troubleshooting information.
Note
We do not recommend using the Endpoint Privilege Management Support Token for any other Application Rules in your Workstyles.
Discovery
The Discovery policy contains Workstyles, Application Groups, and messages to allow the discovery of applications that need administrative privileges to execute. This must be applied to administrator users and includes a preconfigured exclusion group (false positives) maintained by BeyondTrust.
This template policy contains the following configurations:
Workstyles
- Discovery Workstyle
Application groups
- (Default Rule) Any Application
- (Default Rule) Any UAC Prompts
- Approved Standard User Apps
- Passive - All Users & Apps
Messages
- Allow Message (Yes / No)
Trusted App Protection (TAP)
The Trusted App Protection (TAP) policies contain Workstyles, Application Groups, and messages to offer an additional layer of protection against malware for trusted business applications, safeguarding them from exploitation attempts.
The TAP policies apply greater protection to key business applications including Microsoft Office, Adobe Reader, and web browsers, which are often exploited by malicious content. TAP works by preventing these applications from launching unknown payloads and potentially risky applications, such as PowerShell. It also offers protection by preventing untrusted DLLs from being loaded by these applications, another common malware technique.
In our research, we discovered that malware attack chains commonly seek to drop and launch an executable or abuse a native Windows application such as PowerShell. Using a TAP policy prevents these attacks and complements existing anti-malware technologies by preventing an attack from launching without relying on detection or reputation.
The Trusted Application Protection policy you have chosen is inserted at the top of the Workstyles, so it is, by default, the first Workstyle to be evaluated. Once a Workstyle action is triggered, subsequent Workstyles aren't evaluated for that process.
Workstyles
- Trusted Application Protection - High Flexibility (depends on the TAP policy you have chosen)
- Trusted Application Protection - High Security (depends on the TAP policy you have chosen)
Application Groups
- Browsers
- Browsers - Trusted Exploitables
- Browsers - Untrusted child processes
- Content Handlers
- Content Handlers - Trusted Exploitables
- Content Handlers - Untrusted child processes
Note
Content Handlers are used to hold content rather than executables.
Messages
- Block Message
Trusted Application Protection policies summary
The TAP policies allow you to control the child processes which TAP applications can run.
There are two policies to choose from:
- High Flexibility
- High Security
You should choose the High Flexibility policy if you have users who need to download and install or update software. You should choose the High Security policy if your users don't need to download and install or update software.
The High Security policy checks that all child processes have either a trusted publisher, a trusted owner, a source URL, or a BeyondTrust Zone Identifier tag, whereas the High Flexibility policy only validates the immediate child processes, allowing a wider range of installers to run. If child processes don't meet any of these four criteria, they are blocked from execution. Known exploits are also blocked by both TAP policies.
Note
Installers that spawn additional child processes are blocked by the TAP (High Security) policy if those child processes are using applications that are on the TAP blocklist, but would be allowed to run using the TAP (High Flexibility) policy. For more information, see Trusted Application Protection block list.
Trusted publisher
- A trusted publisher must be signed. In addition, the publisher certificate must be valid, in date, and not revoked.
Trusted owner
- A trusted owner is any owner that is in the default Windows groups Administrators, SystemUser, or TrustedInstaller.
SourceURL
- The source URL must be present. This is specific to browsers.
BeyondTrust Zone Identifier tag
- The BeyondTrust Zone Identifier tag must be present. This is applied when the browser applies an Alternate Data Stream (ADS) tag. This is specific to browsers.
In addition, all processes on the blocklist are blocked irrespective of their publisher and owner.
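As an added illustration (not BeyondTrust's code), the following Python models the child-process check described above under both policies: High Security walks every descendant of the TAP application, High Flexibility only its immediate children, and blocklisted names are blocked regardless of publisher or owner. The trusted-owner groups are the ones named in the text; the blocklist entry and all process names are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample values: the owner groups are the ones named in the text;
# the blocklist entry is a placeholder, not the actual TAP block list.
TRUSTED_OWNERS = {"Administrators", "SystemUser", "TrustedInstaller"}
BLOCKLIST = {"placeholder-exploitable.exe"}


@dataclass
class Process:
    name: str
    parent: Optional["Process"] = None
    publisher_trusted: bool = False    # signed; certificate valid, in date, not revoked
    owner: str = "Users"
    source_url: Optional[str] = None   # present only for browser downloads
    zone_tag: bool = False             # BeyondTrust Zone Identifier ADS tag
    children: List["Process"] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.parent is not None:
            self.parent.children.append(self)


def meets_tap_criteria(p: Process) -> bool:
    """Any one of the four criteria is enough for a child process to pass."""
    return (p.publisher_trusted or p.owner in TRUSTED_OWNERS
            or p.source_url is not None or p.zone_tag)


def descendants(p: Process):
    """Yield every process below p, depth first."""
    for child in p.children:
        yield child
        yield from descendants(child)


def tap_blocked(tap_app: Process, policy: str) -> List[str]:
    """Names of the processes the chosen TAP policy blocks under a TAP application.

    high_security inspects every descendant; high_flexibility validates only
    the immediate children. Blocklisted names fail regardless of publisher/owner.
    """
    if policy == "high_security":
        candidates = list(descendants(tap_app))
    elif policy == "high_flexibility":
        candidates = list(tap_app.children)
    else:
        raise ValueError(f"unknown TAP policy: {policy}")
    return [p.name for p in candidates
            if p.name in BLOCKLIST or not meets_tap_criteria(p)]


def sample_tree() -> Process:
    """Constructed tree: browser -> signed installer -> blocklisted helper, plus an unsigned child."""
    browser = Process("chrome.exe", owner="Users")
    installer = Process("setup.exe", parent=browser, publisher_trusted=True)
    Process("placeholder-exploitable.exe", parent=installer, owner="TrustedInstaller")
    Process("unknown.exe", parent=browser)
    return browser
```

The sample tree reproduces the note above: the blocklisted grandchild spawned by a signed installer is blocked only under High Security, while the unsigned direct child is blocked under both policies.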
The TAP policy template affects the following applications:
- Microsoft Word
- Microsoft Excel
- Microsoft PowerPoint
- Microsoft Publisher
- Adobe Reader 11 and lower
- Adobe Reader DC
- Microsoft Outlook
- Google Chrome
- Mozilla Firefox
- Microsoft Internet Explorer
- Microsoft Edge (Legacy and Chromium versions)
Note
TAP applications and their child processes must match all the criteria within the definitions provided in the Application Groups of the policy for the TAP policy to apply.
You can configure TAP process control by importing the TAP template. TAP also has Reporting.
Note
For more information, see the following:
- For a list of blocked processes, [Trusted Application Protection block list](#block-list)
- [Trusted Application Protection reporting](#reporting)
Trusted Application Protection precedence
The TAP Workstyle you choose is placed at the top of your list of Workstyles when you import the policy template. This is because it runs best as a priority rule. This ensures child processes of TAP applications (policy dependent) that do not have a trusted publisher, trusted owner, a source URL, or a BeyondTrust Zone Identifier tag are blocked from execution and that known exploits are blocked.
The Trusted Application Protection Workstyle is the first to be evaluated by default. Once a Workstyle action is triggered, subsequent Workstyles aren't evaluated for that process.
Modify the Trusted Application Protection policies
Both the Trusted Application Protection (TAP) policies (High Flexibility and High Security) protect against a broad range of attack vectors. The approaches listed here can be used in either TAP policy if you need to modify the TAP policy to address a specific use case that is being blocked by a TAP policy.
The TAP (High Security) policy is, by design, more secure and less flexible, as it blocks all child processes of a Trusted Application that do not have a trusted owner, trusted publisher, source URL, or BeyondTrust Zone Identifier. It is for these reasons more likely to require modification.
The TAP policy that you choose should be based on your business requirements and existing policy. If using a TAP policy causes a legitimate use case to be blocked, there are some actions you can take to resolve this.
Change the policy to audit
You can change the Action of the TAP (High Security) policy's Application Rules to Allow Execution and change the Access Token to Enforce User's Default Rights. Ensure Raise an Event is set to On, and click OK.
Note
Changing the TAP policy to Allow Execution effectively disables it. You do not get any protection from a TAP policy if you make this change.
If you make this change for the four Application Rules in the TAP (High Security) policy, TAP programs are able to execute as if the TAP (High Security) policy wasn't applied, but you can see what events are being triggered by TAP and make policy adjustments accordingly.
The event details include information on the Application Group and TAP application. This allows you to gather details to understand if it's a legitimate use case. You can perform some actions to incorporate the legitimate use case into the TAP (High Security) policy.
Use the high flexibility policy
Both the TAP policies offer additional protection against a wide range of attack vectors. If you are using the TAP (High Security) policy you can change to the TAP (High Flexibility) policy. This is useful if you have a use case where additional child processes of TAP applications are being blocked by the TAP (High Security) policy.
Edit the matching criteria
If your legitimate use case is running a specific command that is detailed in the event, you can add this to the matching criteria of the application that's being blocked. You can use the standard Endpoint Privilege Management for Windows matching criteria, such as Exact Match or Regular Expressions.
Example
WebEx uses an extension from Google Chrome. We have catered for this in the policy using matching criteria.
The rule's matching criteria are:
- The Parent Process matches the (TAP) High Security - Browsers Application Group for any parent in the tree,
- and the Product Description contains the string Windows Command Processor,
- and the Command Line does NOT contain `\\.\pipe\chrome.nativeMessaging`.
When all three criteria match, the TAP policy (High Security) blocks the process.
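An added Python example (not part of the BeyondTrust policy) evaluating those three criteria over a constructed process tree; the Application Group's members, the process details and the command lines are assumed for the demonstration, and `\\.\pipe\chrome.nativeMessaging` is the Windows named-pipe prefix quoted in the rule.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Constructed sample values: group members and processes are placeholders.
TAP_HIGH_SECURITY_BROWSERS: Set[str] = {"chrome.exe", "firefox.exe", "msedge.exe"}
NATIVE_MESSAGING_PIPE = r"\\.\pipe\chrome.nativeMessaging"


@dataclass
class Process:
    name: str
    description: str      # the file's Product Description
    command_line: str
    parent: Optional["Process"] = None


def any_parent_in_group(p: Process, group: Set[str]) -> bool:
    """'For any parent in the tree': walk the whole ancestor chain, not just the direct parent."""
    ancestor = p.parent
    while ancestor is not None:
        if ancestor.name.lower() in group:
            return True
        ancestor = ancestor.parent
    return False


def high_security_rule_blocks(p: Process) -> bool:
    """All three matching criteria must hold for the rule to block the process."""
    return (any_parent_in_group(p, TAP_HIGH_SECURITY_BROWSERS)
            and "Windows Command Processor" in p.description
            and NATIVE_MESSAGING_PIPE not in p.command_line)


CMD_DESC = "Windows Command Processor"
chrome = Process("chrome.exe", "Google Chrome", "chrome.exe")
explorer = Process("explorer.exe", "Windows Explorer", "explorer.exe")

# Native-messaging host launched by Chrome: exempted by the third criterion
webex_cmd = Process("cmd.exe", CMD_DESC,
                    r"cmd.exe /c host.bat < \\.\pipe\chrome.nativeMessaging.in.1",
                    parent=chrome)
# A shell spawned by the browser without a native-messaging pipe: blocked
shell_from_browser = Process("cmd.exe", CMD_DESC, "cmd.exe /c dir", parent=chrome)
# The same shell two levels below the browser: still blocked (any parent in the tree)
nested_shell = Process("cmd.exe", CMD_DESC, "cmd.exe /c dir", parent=shell_from_browser)
# A shell with no browser ancestor is outside this rule's scope
shell_from_explorer = Process("cmd.exe", CMD_DESC, "cmd.exe", parent=explorer)
```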
Edit the Trusted Exploitable list
If your legitimate use case is using an application that is listed on either the Browsers - Trusted Exploitables or the Content Handlers - Trusted Exploitables list, you can remove it.
If you remove it from either list, any browsers or content using that trusted exploitable to run malicious content are not stopped by the TAP (High Security) policy.
Remove application from Trusted Application Group
You can remove the application that is listed in the Trusted Browsers or Trusted Content Handlers groups from the list. This means that the application no longer benefits from the protection offered by either of the TAP policies.
Create an Allow rule
You can also add an Endpoint Privilege Management for Windows Allow rule and place it higher in the precedence order than the TAP (High Security) policy. This allows your use case to run but it also overrides any subsequent rules that apply to that application. Therefore it should be used with caution.
Trusted Application Protection reporting
Trusted Application Protection (TAP) is reported in Reporting. You can use the top level TAP dashboard to view the TAP incidents over the time period, split by type of TAP application. In the same dashboard, you can also see the number of incidents, targets, users, and hosts for each TAP application.
Trusted Application Protection block list
To view the list of applications blocked from being launched by trusted applications when Trusted Application Protection (TAP) is enabled:
- After TAP High Flexibility or High Security is imported, right-click on the top-level Privilege Management Settings node, and click Show Hidden Groups.
- The list of applications can be found under the following groups:
  - (TAP) High Security - Browsers - Trusted Exploitables
  - (TAP) High Security - Content Handlers - Trusted Exploitables
  - (TAP) High Flexibility - Browsers - Trusted Exploitables
  - (TAP) High Flexibility - Content Handlers - Trusted Exploitables
Use advanced parent tracking
With version 21.3 of EPM-W, advanced parent tracking (APT) tracks parent processes and increases the effectiveness of TAP policies while also reducing false positives from Windows PID re-use.
When processing rules, EPM-W first attempts to determine the parent of a process through APT. After that, EPM-W uses other rule properties (such as child inheritance), which rely on the parent information provided by Windows.
To use the advanced parent tracking:
- If you are not currently using a TAP policy, import the TAP template (High Security or High Flexibility) using the latest version of the EPM-W client.
- If you are an existing TAP policy user and the policy was created using the EPM-W Policy Editor 21.2 or earlier, then add two new rules to the bottom of your TAP workstyle (High Security or High Flexibility).
High security
- (TAP) High Security - Browsers
  - Target Application Group: (TAP) High Security - Browsers
  - Access Token: Keep Privileges - Enhanced
- (TAP) High Security - Content Handlers
  - Target Application Group: (TAP) High Security - Content Handlers
  - Access Token: Keep Privileges - Enhanced
High flexibility
- (TAP) High Flexibility - Browsers
  - Target Application Group: (TAP) High Flexibility - Browsers
  - Access Token: Keep Privileges - Enhanced
- (TAP) High Flexibility - Content Handlers
  - Target Application Group: (TAP) High Flexibility - Content Handlers
  - Access Token: Keep Privileges - Enhanced
For either of these Workstyles, you also need to clear the Force standard user rights on File Open/Save dialogs check box for each application in these Application Groups.
Note
Enable Show Hidden Groups to edit these workstyles.
Server Roles
The Server Roles policy contains Workstyles, Application Groups, and content groups to manage different server roles such as DHCP, DNS, IIS, and print servers.
This template policy contains the following elements:
Workstyles
- Server Role - Active Directory - Template
- Server Role - DHCP - Template
- Server Role - DNS - Template
- Server Role - File Services - Template
- Server Role - Hyper V - Template
- Server Role - IIS - Template
- Server Role - Print Services - Template
- Server Role - Windows General - Template
Application groups
- Server Role - Active Directory - Server 2008R2
- Server Role - DHCP - Server 2008R2
- Server Role - DNS - Server 2008R2
- Server Role - File Services - Server 2008R2
- Server Role - General Tasks - Server 2008R2
- Server Role - Hyper V - Server 2008R2
- Server Role - IIS - Server 2008R2
- Server Role - Print Services - Server 2008R2
Content groups
- AD Management
- Hosts Management
- IIS Management
- Printer Management
- Public Desktop
Customize the QuickStart policy
Before deploying the QuickStart policy to your users, you need to make some company-specific customizations to the standard template.
At a minimum you need to:
- Configure the users or groups that can authorize requests that trigger messages.
- Customize the messaging with your company logo and wording.
- Assign users and groups to the high, medium, and low flexibility Workstyles.
- Populate the Block Applications Application Group with any applications you want to block for all users.
- Set your shared key so you can generate an Endpoint Privilege Management for Mac Response code.