Privilege Guard 2.7 and Enhanced UAC Integration

October 20, 2017


Privilege Guard (Edit: now Defendpoint) first introduced UAC (User Account Control) integration in version 2.5, which enables rules to be defined that trigger when an application requires administrator privileges in order to run. Further enhancements to the UAC rule in version 2.7 now allow you to elevate applications that may trigger UAC after the application has already launched. For instance, disk defragmenter and task manager are two applications that launch with standard user rights and only trigger UAC when the user attempts to perform an operation that requires administrator privileges.

The rules in Privilege Guard are extremely flexible and can be used to elevate specific applications that trigger UAC or elevate all applications that trigger UAC. For instance, the screenshot below shows an application definition that will only fire when task manager attempts to launch with UAC.

To capture all applications you would simply change the file name to *.exe and remove the publisher rule. Leaving the publisher rule in place would allow all operating system applications that trigger UAC to be elevated. Privilege Guard’s integration with Windows security catalogs enables the publisher rule to be used for operating system files, which are not signed directly by Microsoft. This topic was covered in a previous post.

Privilege Guard can optionally prompt the user before elevating or running an application. In many situations you may want an application to elevate silently, without notifying the user. However, when the user is making a conscious decision to elevate an application it is often a good idea to prompt the user first. The screenshot below shows a policy that has been defined to elevate task manager when it triggers UAC.

In this example the task manager application has been added to an application group named All Signed UAC Apps. This would allow you to show a different prompt for signed and unsigned applications, as you may want the warning to be more severe for unsigned applications. You may even decide that a user is not allowed to elevate unsigned applications and instead show the user a blocking message, which will prevent the application from launching.

The policy we have defined in this example will not elevate task manager until the user triggers a feature in task manager that requires administrator privileges, such as clicking the Show processes from all users button. When the user attempts to access an administrator feature in task manager, they will first be prompted with a message, as shown below. You may fully customize this message and even replace the banner with a corporate image. All of the text in the message is configurable, including full multi-lingual support. You may optionally ask the user for a reason or force them to re-authenticate; both options have been included in the example message below.

The UAC rule is an extremely effective way of configuring specific or generic rules that only trigger elevation when an application requires administrator privileges. This effectively replaces UAC with a more flexible solution that is configured and managed centrally through policy, without giving the user access to a local administrator account. Combined with the end user messaging capabilities in Privilege Guard, the UAC rule can be used in a wide range of scenarios to elevate, block or monitor access to privileged applications and tasks on Windows 7 (or any other Windows operating system that supports UAC).
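The scoping trade-off described above (a single named application, all operating system applications by publisher, or `*.exe` with the publisher rule removed) can be compared with a small model. This is an added example, not Privilege Guard code or its policy format: the `Rule` and `Launch` types, the action names, the publisher string and the sample events are all assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional

@dataclass(frozen=True)
class Launch:                      # constructed sample event, not product telemetry
    file_name: str
    publisher: Optional[str]       # None = no embedded or catalog signature found
    uac_triggered: bool            # True once the app asks for administrator rights

@dataclass(frozen=True)
class Rule:                        # hypothetical rule shape: glob + optional publisher
    name: str
    file_glob: str
    publisher: Optional[str]       # None = publisher criterion removed
    action: str                    # "elevate-with-prompt" or "block"

    def matches(self, ev: Launch) -> bool:
        if not ev.uac_triggered:   # a UAC rule never fires for standard-user use
            return False
        if not fnmatch(ev.file_name.lower(), self.file_glob.lower()):
            return False
        return self.publisher is None or ev.publisher == self.publisher

def decide(rules, ev):
    """First matching rule wins; no match leaves the process at standard rights."""
    for rule in rules:
        if rule.matches(ev):
            return rule.action
    return "run-as-standard-user"

MS = "Microsoft Windows"           # assumed publisher string for OS files
SCOPED = [Rule("Task Manager only", "taskmgr.exe", MS, "elevate-with-prompt")]
OS_ONLY = [Rule("All Signed UAC Apps", "*.exe", MS, "elevate-with-prompt"),
           Rule("Everything else", "*.exe", None, "block")]
CATCH_ALL = [Rule("Any UAC app", "*.exe", None, "elevate-with-prompt")]

EVENTS = {                         # constructed events covering the cases in the text
    "taskmgr_open": Launch("taskmgr.exe", MS, False),
    "taskmgr_admin": Launch("taskmgr.exe", MS, True),
    "defrag_admin": Launch("dfrgui.exe", MS, True),
    "unsigned_setup": Launch("setup.exe", None, True),
}

def evaluate(rules):
    return {key: decide(rules, ev) for key, ev in EVENTS.items()}

if __name__ == "__main__":
    for label, rules in (("scoped", SCOPED), ("os-only", OS_ONLY),
                         ("catch-all", CATCH_ALL)):
        print(label, evaluate(rules))
```

The catch-all policy is the only one of the three that elevates the unsigned installer, which is why a separate rule or application group for unsigned applications matters once the publisher criterion is removed.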

Mark Austin
