Workspace Environment Management

Security

Application security

The Application security feature lets you define rules that control which applications and files users can run. You configure the rules in the web console, and the File Info Viewer in the WEM Tool Hub retrieves the information (path, publisher, file hash) needed to build them. You can also use this feature to create assignment groups with security rules.

Configuration

When Process application rules and Process DLL rules are enabled, Overwrite mode is on by default. In Overwrite mode, rules processed later overwrite rules processed earlier. We recommend Overwrite mode only for single-session machines. The feature lets you create the following rule types:

  • Executable rules
  • Windows installer rules
  • Script rules
  • Packaged app rules
  • DLL rules

Note:

Before creating your own rules, add the default rules first so that the system files Windows needs can still run. An enforced AppLocker collection that contains rules is default-deny: anything it does not explicitly allow is blocked, including system components, unless a rule covers them.

  • Process application rules. When selected, the Application Security tab controls are enabled and the agent processes the rules in the current configuration set, converting them into AppLocker rules on the agent host. When not selected, the Application Security tab controls are disabled.

    Note:

    This option is not available if the Workspace Environment Management administration console is installed on Windows 7 SP1 or Windows Server 2008 R2 SP1 (or earlier versions).

  • Process DLL rules. When selected, the agent processes the DLL rules in the current configuration set. This option is available only when Process application rules is selected.

    Important:

    If you use DLL rules, create a DLL rule with Allow permission for every DLL that any allowed app loads. With DLL rules enforced, a DLL that matches no Allow rule fails to load, and the app that depends on it breaks.

    Caution:

    Because every DLL load is evaluated against the rules, DLL rules can reduce performance for users.

  • The Overwrite and Merge settings determine how the agent processes application security rules.

    • Overwrite. Replaces existing rules. When selected, rules processed last overwrite rules processed earlier. We recommend this mode only for single-session machines.
    • Merge. Merges new rules with existing rules. When rules conflict, the rules processed last overwrite rules processed earlier. If you need to change the rule enforcement setting, use Overwrite mode: Merge mode keeps the old enforcement value if it differs from the new one.

Rule collections

Each collection name shows how many rules it contains, for example (12). Click a collection name to filter the rule list to that collection:

  • Executable rules. Files with the .exe and .com extensions that are associated with an application.
  • Windows installer rules. Installer file formats (.msi, .msp, .mst) that control the installation of files on client computers and servers.
  • Script rules. Files with the .ps1, .bat, .cmd, .vbs, and .js extensions.
  • Packaged app rules. Packaged apps, also known as Universal Windows apps. All files within an app package share the same identity, so one rule can control the entire app. Workspace Environment Management supports only publisher rules for packaged apps.
  • DLL rules. Files with the .dll and .ocx extensions.

When you filter the rule list to a collection, the Rule enforcement option is available. The rule enforcement values are:

Off (default). Rules are created but set to off; they are not applied.

On. Rules are created and set to enforce; they are active on the agent host, and a file in the collection that matches no Allow rule is blocked.

Audit. Rules are created and set to audit; they are present on the agent host but inactive. A file that the rules would block is still allowed to run, and AppLocker records the would-be block in the AppLocker event log on the agent host.
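The enforcement mode the agent writes, and what Audit mode is recording, can be checked directly on the agent host. The following PowerShell is an added example, not Citrix WEM's own code; it uses only the built-in AppLocker cmdlets and event logs. The 24-hour look-back window and running it in an elevated session are assumptions.

```powershell
# Added example, not part of WEM. Run in an elevated PowerShell on the agent host.
$Since = (Get-Date).AddHours(-24)   # assumption: review the last day of events

# AppLocker evaluates nothing unless the Application Identity service is running,
# so a collection set to On with this service stopped enforces nothing at all.
Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType

# Effective policy on this host: one RuleCollection per type (Exe, Msi, Script, Appx, Dll)
# with the mode the agent wrote: NotConfigured = Off, AuditOnly = Audit, Enabled = On.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$policy.AppLockerPolicy.RuleCollection | ForEach-Object {
    [pscustomobject]@{
        Collection      = $_.Type
        EnforcementMode = $_.EnforcementMode
        RuleCount       = @($_.ChildNodes | Where-Object NodeType -eq 'Element').Count
    }
}

# Audit-mode evidence. In Audit the file still runs, but AppLocker logs that the rules would
# have blocked it. These events are the list of things that break when the collection goes
# to On. 8003 = EXE/DLL audit, 8006 = MSI/Script audit (8004 and 8007 are the real blocks).
$auditIds = @{
    'Microsoft-Windows-AppLocker/EXE and DLL'    = 8003
    'Microsoft-Windows-AppLocker/MSI and Script' = 8006
}
$events = foreach ($log in $auditIds.Keys) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $auditIds[$log]; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # AppLocker puts the details in UserData/RuleAndFileData rather than in EventData.
            $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Log      = $log
                UserSid  = $data.TargetUser
                FilePath = $data.FilePath
                Rule     = $data.RuleName
            }
        }
}
$events | Sort-Object Time | Format-Table -AutoSize
```

Run this while a collection is in Audit for a representative set of users before switching it to On; an empty result over a realistic period is the evidence that the rule set is complete, and each row is a file that still needs an Allow rule (or a deliberate decision to block it).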

Create Windows installer rule

The Create Windows installer rule page has two sections, Basic information and Exceptions. To create a Windows installer rule, complete the following steps:

  • Select Create rule to open the Create Windows installer rule page.
  • Enter a name and an optional description.
  • Choose the desired Action.
  • Select the Criteria type (Path, Publisher, or File hash) from the drop-down list.
  • Select Open File Info Viewer to go to the WEM Tool Hub, where the File Info Viewer reads the required path, publisher, and hash information from the file. For more information, see File Info Viewer.
  • Optionally, add exceptions to exclude files that the primary criteria would otherwise include. To do so, select Add exception.
  • In the WEM Tool Hub, copy the data for one of the specified criteria from the File Info Viewer, then click Paste from File Info Viewer.
  • Click Done.
  • Select Continue to assignment to update the assignments as required on the Manage assignments page.
  • Select the Assignment targets (users and groups) to assign this item to. Use filters to contextualize the assignment. Filters are effective only in Overwrite mode and are supported only on agent versions 2406 or later.
  • To apply a path rule to all files, enter an asterisk (*) as the path. Note that an Allow rule with this path permits every file in the collection.
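The same path, publisher, and hash values the File Info Viewer supplies can be read with the built-in AppLocker cmdlets, and the resulting rule can be dry-run against the policy actually in force on a host before the collection is switched to On. The following PowerShell is an added example, not Citrix WEM's own code; the installer path and the test user are placeholders.

```powershell
# Added example, not part of WEM. Run in an elevated PowerShell on a host with the AppLocker cmdlets.
$InstallerPath = 'C:\Installers\ExampleApp.msi'   # assumption: the installer you are writing a rule for
$TestUser      = 'CONTOSO\jdoe'                   # assumption: a user the rule will be assigned to

# The three criteria the rule dialog offers. Use Get-AppLockerFileInformation rather than
# Get-FileHash: for signed PE files AppLocker hashes the Authenticode-relevant bytes rather
# than the whole file, so a plain SHA-256 need not equal the value a file-hash rule expects.
$info = Get-AppLockerFileInformation -Path $InstallerPath
[pscustomobject]@{
    Path      = $info.Path.Path
    Publisher = if ($info.Publisher) { $info.Publisher.ToString() }
                else { '(unsigned: a publisher rule is not possible, use hash or path)' }
    Hash      = $info.Hash.ToString()
}

# Dry run: ask the policy currently in force on this host (including the rules the WEM agent
# converted) what it would decide for this file and user. PolicyDecision is Allowed, Denied,
# AllowedByDefault (collection has no rules) or DeniedByDefault (rules exist, none match).
$policyXml = Join-Path $env:TEMP 'effective-applocker.xml'
Get-AppLockerPolicy -Effective -Xml | Out-File -FilePath $policyXml -Encoding utf8
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $InstallerPath -User $TestUser |
    Select-Object FilePath, PolicyDecision, MatchingRule
```

A DeniedByDefault result for an installer you expect to work is the case to look for: it means the Windows installer collection is populated but nothing in it matches this file, so the rule you just created has not reached the host yet or its criteria do not match what AppLocker sees.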

Privilege elevation

This feature defines rules that run certain programs with administrator privileges. You can elevate non-administrative users to the administrator level that some executables require. The users can then start those executables as if they were members of the administrators group.

Privilege elevation options

  • Process privilege elevation rules: When selected, the agent processes privilege elevation settings, and the other options on the Privilege Elevation tab become available.

  • Apply to Windows Server OSs: Controls whether privilege elevation settings apply to Windows Server operating systems. If selected, rules assigned to users work on Windows Server machines. This option is disabled by default.

  • Enforce RunAsInvoker: Controls whether all executables are forced to run under the current Windows account. If selected, users are not prompted to run executables as administrators.

This pane also displays the complete list of rules you have configured. Click Executable Rules, Windows Installer Rules, or Self-elevation to filter the list to one rule type, or use Find to filter it. The Assigned column shows a check mark for rules assigned to users or user groups.

Supported rules

You can configure privilege elevation using two types of rules, executable rules and Windows installer rules, and optionally the Self-elevation option.

  • Executable Rules: Rules that include files with the .exe and .com extensions associated with an application.

  • Windows Installer Rules: Rules that include installer files with the .msi and .msp extensions associated with an application. When you add Windows installer rules, consider the following:

    • Privilege elevation applies only to Microsoft's msiexec.exe. Make sure that the tool that deploys your .msi and .msp files is msiexec.exe.
    • Suppose a process matches a Windows installer rule and its parent process matches an executable rule. The installer process gets elevated privileges only if the Apply to Child Processes setting is enabled in that executable rule.
  • Self-elevation: When enabled, the Run with administrator privileges option appears in the context menu when you right-click a file. After selecting it, the user is prompted for a reason for the elevation, and the elevation is then allowed or denied based on the criteria you specify. To configure the rule, use WEM Tool Hub > File Info Viewer to get the required path, publisher, and hash values. You can also specify the time period, choose the day of the week, and optionally set criteria that determine the machines on which the rule is effective. When the Self-elevation toggle is enabled for the first time in a configuration set, the self-elevation rule is created and appears in the rule list when you manage assignments for an assignment target. Once created, the rule is never removed.

You can specify the time period during which a rule is effective. You can also optionally set criteria that determine on which machines the rule applies, matching all or any of the following:

  • Machine catalog name
  • Delivery group name
  • Device name
  • IP address
  • OS platform type
  • OS version
  • Persistent machine status
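When an installer does not receive the expected elevation, the first thing to establish is which process actually runs it and what launched that process, because the Windows installer rule must match msiexec.exe itself and, if an executable launched it, the executable rule covering the launcher must have Apply to Child Processes enabled. The following PowerShell is an added example, not Citrix WEM's own code; it uses only Win32_Process data, and the parent-chain depth limit is an assumption.

```powershell
# Added example, not part of WEM. Lists every msiexec.exe that is running together with the
# chain of processes that launched it, so you can see which rules have to match.
function Get-ParentChain {
    param(
        [Parameter(Mandatory)][uint32]$ProcessId,
        [int]$MaxDepth = 6   # assumption: six ancestors is enough to reach the launcher
    )
    $chain = @()
    $currentId = $ProcessId
    for ($depth = 0; $depth -lt $MaxDepth -and $currentId -gt 0; $depth++) {
        $p = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $currentId"
        # A missing parent means it already exited; its PID may have been reused, so stop
        # rather than follow a process that is not really an ancestor.
        if (-not $p) { break }
        $chain += [pscustomobject]@{
            Depth       = $depth
            ProcessId   = $p.ProcessId
            Name        = $p.Name
            Path        = $p.ExecutablePath
            CommandLine = $p.CommandLine
        }
        $currentId = $p.ParentProcessId
    }
    return $chain
}

# The Windows Installer service itself also runs as msiexec.exe, started with /V under
# services.exe. Only the client instance the user launched carries the elevated token a
# rule grants, so the service instance is skipped.
Get-CimInstance -ClassName Win32_Process -Filter "Name = 'msiexec.exe'" |
    Where-Object { $_.CommandLine -notmatch '\s/V\b' } |
    ForEach-Object {
        "--- msiexec.exe PID $($_.ProcessId) ---"
        # Depth 0 is msiexec.exe: its Path must be Microsoft's copy under the Windows directory.
        # Depth 1 is the launcher: if an executable rule covers it, that rule needs
        # Apply to Child Processes for this installer to run elevated.
        Get-ParentChain -ProcessId $_.ProcessId |
            Format-Table Depth, ProcessId, Name, Path -AutoSize | Out-String
    }
```

Read the depth 0 and depth 1 rows together: a depth 0 path outside the Windows directory means a third-party deployment tool, not Microsoft's msiexec.exe, is running the installer and the rule will not apply; a depth 1 launcher that is itself covered by an executable rule is the case where Apply to Child Processes decides the outcome.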

After you select Executable Rules, Windows Installer Rules, or Self-elevation, the Actions section offers the following actions:

  • Edit. Lets you edit an existing rule of the selected type.

  • Delete. Lets you delete an existing rule of the selected type.

  • Create Rule. Lets you create a rule of the selected type. Follow the wizard instructions.
