Security

These settings let you control user activities within Workspace Environment Management (WEM).


Application Security

Important:

To control which applications users can run, use the Windows AppLocker interface or WEM to manage Windows AppLocker rules. You can switch between these approaches at any time. We recommend that you do not use both approaches at the same time.

These settings let you control the applications that users are permitted to run by defining rules. This functionality is similar to Windows AppLocker. When you use WEM to manage Windows AppLocker rules, the agent converts Application Security tab rules into Windows AppLocker rules on the agent host. If you stop the agent processing rules, they are preserved in the configuration set. AppLocker continues running by using the last set of instructions processed by the agent.

Application Security

This tab lists the application security rules in the current WEM configuration set. Use Find to filter the list according to a text string.

When you select the top-level item “Application Security” in the Security tab, the following options become available:

Process Application Security Rules. When selected, the Application Security tab controls are enabled and the agent processes rules in the current configuration set, converting them into AppLocker rules on the agent host. When not selected, the Application Security tab controls are disabled and the agent does not convert rules into AppLocker rules. (In this case, AppLocker rules are not updated.)

Note:

This option is not available if the WEM administration console is installed on Windows 7 SP1 or Windows Server 2008 R2 SP1 (or earlier versions).

Process DLL Rules. When selected, the agent converts DLL rules in the current configuration set into AppLocker DLL rules on the agent host. This option is available only when you select Process Application Security Rules.

Important:

If you use DLL rules, you must create a DLL rule with “Allow” permission for every DLL that any of the allowed apps loads.

Caution:

If you use DLL rules, users might experience sluggish performance. This issue happens because AppLocker checks each DLL that an app loads before the app is allowed to run.

Rule collections

Rules belong to AppLocker rule collections. Each collection name indicates how many rules it contains, for example (12). Click a collection name to filter the rule list to one of the following collections:

  • Executable Rules. Rules that include files with the .exe and .com extensions associated with an application.
  • Windows Rules. Rules that include installer file formats (.msi, .msp, .mst) controlling the installation of files on client computers and servers.
  • Script Rules. Rules that include files of the following formats: .ps1, .bat, .cmd, .vbs, .js.
  • Packaged Rules. Rules that include packaged apps, also known as Universal Windows apps. In packaged apps, all files within the app package share the same identity. Therefore, one rule can control the entire app. WEM supports only publisher rules for packaged apps.
  • DLL Rules. Rules that include files of the following formats: .dll, .ocx.

When you filter the rule list to a collection, the Rule enforcement option is available to control how AppLocker enforces all rules in that collection on the agent host. The following rule enforcement values are possible:

Off (default). Rules are created and set to “off,” which means they are not applied.

On. Rules are created and set to “enforce,” which means they are active on the agent host.

Audit. Rules are created and set to “audit,” which means they are on the agent host in an inactive state. When a user runs an app that violates an AppLocker rule, the app is allowed to run and the information about the app is added to the AppLocker event log.
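Because Audit mode only records what a rule would have blocked, the AppLocker event log on the agent host is where that information lands. The following PowerShell, added here as an example and not part of the WEM documentation or the product, summarizes the last day of Blocked and Audit events on an agent host; it assumes it is run locally in an elevated session and that the standard AppLocker event IDs apply (8003/8006 = allowed but would have been blocked in Audit, 8004/8007 = blocked when enforced).

```powershell
# Added example: review what the AppLocker rules produced by the WEM agent
# did on this host during the last 24 hours. Run locally, elevated.
$since = (Get-Date).AddDays(-1)
$logs = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',     # Executable and DLL collections
    'Microsoft-Windows-AppLocker/MSI and Script'   # Windows Installer and Script collections
)

# 8003/8006: Audit mode, app ran but a rule would have blocked it.
# 8004/8007: rule enforced ("On"), app was blocked.
$events = foreach ($log in $logs) {
    Get-WinEvent -FilterHashtable @{
        LogName   = $log
        Id        = 8003, 8004, 8006, 8007
        StartTime = $since
    } -ErrorAction SilentlyContinue
}

# The details live in the event's UserData/RuleAndFileData element.
# TargetUser is recorded as a SID, FilePath in AppLocker's %OSDRIVE%/%PROGRAMFILES% form.
$rows = foreach ($e in $events) {
    $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Outcome   = if ($e.Id -in 8004, 8007) { 'Blocked' } else { 'Audit: would block' }
        Rule      = $d.RuleName
        UserSid   = $d.TargetUser
        FilePath  = $d.FilePath
        Publisher = $d.Fqbn      # fully qualified binary name, empty for unsigned files
    }
}

# Most frequently hit files first: a good starting point for deciding which
# Allow rules or exceptions are still missing before switching a collection to On.
$rows | Group-Object Outcome, FilePath | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Outcome';  e = { $_.Group[0].Outcome } },
        @{ n = 'FilePath'; e = { $_.Group[0].FilePath } },
        @{ n = 'Rule';     e = { $_.Group[0].Rule } } |
    Format-Table -AutoSize
```

An empty result on a host whose collections are still set to Off is expected: no events are written until a collection is set to Audit or On.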

To add a rule

  1. Select a rule collection name in the sidebar. For example, to add an executable rule, select the “Executable Rules” collection.

  2. Click Add Rule.

  3. In the Display section, type the following details:

    • Name. The display name of the rule as it appears in the rule list.

    • Description. Additional information about the resource (optional).

  4. In the Type section, select an option:

    • Path. The rule matches a file path.

    • Publisher. The rule matches a selected publisher.

    • Hash. The rule matches a specific hash code.

  5. In the Permissions section, select Allow or Deny. The selection controls whether to allow or prohibit applications from running.

  6. To assign this rule to users or user groups, in the Assignments pane, choose users or groups to which you want to assign this rule. The “Assigned” column shows a “check” icon for assigned users or groups.

    Tip:

    • You can use the usual Windows selection modifier keys to make multiple selections, or use Select All to select all rows.
    • Users must already be in the WEM Users list.
    • You can assign rules after the rule is created.
  7. Click Next.

  8. Specify the criteria the rule matches, depending on the rule type you choose:

    • Path. Type the path to the file or folder to which you want to apply the rule. The WEM agent applies the rule to an executable according to the executable file path.

    • Publisher. Fill out the following fields: Publisher, Product name, File name, and File version. You cannot leave any of the fields empty, but you can type an asterisk (*) instead. The WEM agent applies the rule according to publisher information. If applied, users can run executables that share the same publisher information.

    • Hash. Click Add to add a hash. In the Add Hash window, type the file name and the hash value. You can use the AppInfoViewer tool to create a hash from a selected file or folder. The WEM agent applies the rule to identical executables as specified. As a result, users can run executables that are identical to the specified one.

  9. Click Next.

  10. Add any exceptions you require (optional). In Add exception, choose an exception type and then click Add. (You can edit or remove exceptions if needed.)

  11. To save the rule, click Create.
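The agent writes the rules above as local AppLocker rules on the agent host, so you can check the outcome there with the built-in AppLocker PowerShell module. The following is an added example, not part of the WEM documentation or of AppInfoViewer: it lists the collections and enforcement modes that ended up in the effective policy, reads the publisher and hash attributes that a Publisher or Hash rule needs from a file, and tests whether a given user may run it. The file path `C:\Program Files\Contoso\App.exe` and the user `CONTOSO\jdoe` are placeholders.

```powershell
# Added example: verify on an agent host what the WEM-managed AppLocker
# rules allow. Requires the AppLocker module (Windows 8 / Server 2012 or later).
$exe  = 'C:\Program Files\Contoso\App.exe'   # placeholder: executable to check
$user = 'CONTOSO\jdoe'                       # placeholder: user to test as

# 1. Effective policy = local rules (what the agent wrote) merged with any
#    domain GPO. Use -Local instead to see only what the agent produced.
$policy = Get-AppLockerPolicy -Effective
foreach ($rc in $policy.RuleCollections) {
    # EnforcementMode: NotConfigured (Off), AuditOnly (Audit), Enabled (On)
    '{0,-6} {1,3} rule(s)  enforcement = {2}' -f $rc.RuleCollectionType, $rc.Count, $rc.EnforcementMode
}

# 2. The identity attributes behind the three rule types. Publisher rules use
#    the four signature fields below (any of them may be replaced by * in the
#    console); Hash rules use the SHA256 value AppLocker computes for the file.
$info = Get-AppLockerFileInformation -Path $exe
if ($info.Publisher) {
    $info.Publisher | Format-List PublisherName, ProductName, BinaryName, BinaryVersion
} else {
    "$exe is not signed; only a Path or Hash rule can match it."
}
$info.Hash | Format-List HashType, HashDataString, SourceFileName

# 3. Decision the effective policy would make for this user and file.
#    PolicyDecision is Allowed, Denied, AllowedByDefault or DeniedByDefault;
#    MatchingRule names the rule that decided it (empty for the *ByDefault cases).
$result = Test-AppLockerPolicy -PolicyObject $policy -Path $exe -User $user
'{0} -> {1} (matching rule: {2})' -f $result.FilePath, $result.PolicyDecision, $result.MatchingRule
```

A DeniedByDefault result while the Executable collection is still in Audit mode shows up in the event log as an 8003 event rather than an actual block.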

To assign rules to users

Select one or more rules in the list and then click Edit in the toolbar or context menu. In the editor, select the rows containing the users and user groups you want to assign the rule to and then click OK. You can also unassign the selected rules from everyone using Select All to clear all selections.

Note: If you select multiple rules and click Edit, any rule assignment changes for those rules apply to all users and user groups you select. In other words, existing rule assignments are merged across those rules.

To add default rules

Click Add Default Rules. A set of AppLocker default rules is added to the list.

To edit rules

Select one or more rules in the list and then click Edit in the toolbar or context menu. The editor appears, letting you adjust settings that apply to the selection you made.

To delete rules

Select one or more rules in the list and then click Delete in the toolbar or context menu.

To back up application security rules

You can back up all application security rules in your current configuration set. Rules are all exported as a single XML file. You can use Restore to restore the rules to any configuration set. In the ribbon, click Backup then select Security Settings.

To restore application security rules

You can restore application security rules from XML files created by the Workspace Environment Management backup command. The restore process replaces the rules in the current configuration set with those rules in the backup. When you switch to or refresh the Security tab, any invalid application security rules are detected. Invalid rules are automatically deleted and listed in a report dialog, which you can export.

During the restore process, you can choose whether you want to restore rule assignments to users and user groups in your current configuration set. Reassignment succeeds only if the backed-up users and groups are present in your current configuration set and in Active Directory. Any mismatched rules are restored but remain unassigned. After the restore, they are listed in a report dialog that you can export in CSV format.

  1. In the ribbon, click Restore to start the restore wizard.

  2. Select Security settings, then click Next twice.

  3. In Restore from folder, browse to the folder containing the backup file.

  4. Select AppLocker Rule Settings, then click Next.

  5. Confirm whether you want to restore rule assignments:

    • Yes. Restores rules and reassigns them to the same users and user groups in your current configuration set.

    • No. Restores rules and leaves them unassigned.

  6. To start restoring, click Restore Settings.


Process Management

These settings let you whitelist or blacklist specific processes.

Process Management

Enable Process Management. This option toggles whether process whitelists and blacklists are in effect. If disabled, none of the settings on the Process BlackList and Process WhiteList tabs take effect.

Note:

This option works only if the agent is running in the user’s session. To enable the agent to run in the session, use the Advanced Settings > Configuration > Main Configuration tab to enable the Launch Agent options (at Logon / at Reconnect / for Admins) and set Agent Type to UI. These options are described in Advanced Settings.

Process BlackList

These settings let you blacklist specific processes.

Enable Process Blacklist. This option enables process blacklisting. Add processes by using their executable names (for example, cmd.exe).

Exclude Local Administrators. Excludes local administrator accounts from the process blacklist.

Exclude Specified Groups. Lets you exclude specific user groups from the process blacklist.

Process WhiteList

These settings let you whitelist specific processes. Process blacklists and process whitelists are mutually exclusive.

Enable Process Whitelist. This option enables process whitelisting. Add processes by using their executable names (for example, cmd.exe).

Note:

If enabled, Enable Process Whitelist automatically blacklists all processes not in the whitelist.

Exclude Local Administrators. Excludes local administrator accounts from the process whitelist (they can run all processes).

Exclude Specified Groups. Lets you exclude specific user groups from the process whitelist (they can run all processes).


Privilege elevation

The privilege elevation feature lets you elevate the privileges of non-administrative users to an administrator level necessary for some executables. As a result, the users can start those executables as if they are members of the administrators group.

Privilege Elevation

When you select the Privilege Elevation pane in Security, the following options appear:

  • Process Privilege Elevation Settings. Controls whether the privilege elevation feature is enabled. When selected, agents process privilege elevation settings, and the other options on the Privilege Elevation tab become available.

  • Do Not Apply to Windows Server OSs. Controls whether to apply privilege elevation settings to Windows Server operating systems. If selected, rules assigned to users do not work on Windows Server machines. By default, this option is selected.

  • Enforce RunAsInvoker. Controls whether to force all executables to run under the current Windows account. If selected, users are not prompted to run executables as administrators.

This tab also displays the complete list of rules that you have configured. You can use Find to filter the list. The Assigned column displays a “check mark” icon for assigned users or user groups.

Executable Rules

This tab lets you configure rules for executables to which you want to apply privilege elevation. The Actions section displays the following actions available to you:

  • Edit. Lets you edit an existing executable rule.

  • Delete. Lets you delete an existing executable rule.

  • Add Rule. Lets you add an executable rule.

To add an executable rule

  1. Navigate to Executable Rules and click Add Rule. The Add Rule window appears.

  2. In the Display section, type the following:

    • Name. Type the display name of the rule. The name appears in the rule list.
    • Description. Type additional information about the rule.
  3. In the Type section, select an option.

    • Path. The rule matches a file path.
    • Publisher. The rule matches a selected publisher.
    • Hash. The rule matches a specific hash code.
  4. In the Settings section, configure the following if needed:

    • Apply to Child Processes. If selected, applies the rule to all child processes that the executable starts.
    • Start Time. Lets you specify a time for agents to start applying the rule. The time format is HH:MM. The time is based on the agent time zone.
    • End Time. Lets you specify a time for agents to stop applying the rule. The time format is HH:MM. From the specified time onward, agents no longer apply the rule. The time is based on the agent time zone.
  5. In the Assignments section, select users or user groups to which you want to assign the rule. If you want to assign the rule to all users and user groups, select Select All.

    Tip:

    • You can use the usual Windows selection modifier keys to make multiple selections.
    • Users or user groups must already be in the list displayed on the Administration > Users tab.
    • You can choose to assign the rule later (after the rule is created).
  6. Click Next.

  7. Do one of the following, depending on the rule type you selected on the preceding page.

    Important:

    WEM provides you with a tool named AppInfoViewer to obtain the following information and more from executable files: publisher, path, and hash. For more information, see Tool to obtain information for executable files.

    • Path. Type the path to the file or folder to which you want to apply the rule. The WEM agent applies the rule to an executable according to the executable file path.
    • Publisher. Fill out the following fields: Publisher, Product name, File name, and File version. You cannot leave any of the fields empty, but you can type an asterisk (*) instead. The WEM agent applies the rule according to publisher information. If applied, users can run executables that share the same publisher information.
    • Hash. Click Add to add a hash. In the Add Hash window, type the file name and the hash value. You can use the AppInfoViewer tool to create a hash from a selected file or folder. The WEM agent applies the rule to identical executables as specified. As a result, users can run executables that are identical to the specified one.
  8. Click Create to save the rule and to exit the window.

To assign rules to users

Select one or more rules in the list and then click Edit in the Actions section. In the Edit Rule window, select users or user groups to which you want to assign the rule and then click OK.

To delete rules

Select one or more rules in the list and then click Delete in the Actions section.

To back up privilege elevation rules

You can back up all privilege elevation rules in your current configuration set. All rules are exported as a single XML file. You can use Restore to restore the rules to any configuration set.

To complete the backup, use the Backup wizard, available in the ribbon. For more information about using the Backup wizard, see Ribbon.

To restore privilege elevation rules

You can restore privilege elevation rules from XML files exported through the Workspace Environment Management Backup wizard. The restore process replaces the rules in the current configuration set with those rules in the backup. When you switch to or refresh the Security > Privilege Elevation pane, any invalid privilege elevation rules are detected. Invalid rules are automatically deleted and listed in a report that you can export. For more information about using the Restore wizard, see Ribbon.