Get Started with Power Rules

This section takes you through creating an example Power Rule, adding it to an Application Rule and seeing it work in Privilege Management for Windows.

You need a Privilege Management for Windows 5.6 or later environment to run this script.

Example Script

This script overrides the Application Rule's Default Action (Block) and allows every application whose PG_PROG_PATH variable does not contain cmd.exe; where the path does contain cmd.exe, the script blocks it.

Create the Power Rule Script

  1. On the machine where you installed the Privilege Management Policy Editor, open Windows Notepad and paste the following code.
    # Read the full path of the program that triggered the Application Rule.
    $ExecutingProgramPath = Get-PRVariable -Name "PG_PROG_PATH"
    $ProgramNameToMatch = 'cmd.exe'
    # Show the user what ran; the dialog is only here so you can see the script execute.
    Show-PRMessageDialog -Title 'Rule Script Dialog' -LabelHeader "You just ran: $ExecutingProgramPath. This script will block $ProgramNameToMatch" -ButtonOK 'OK'
    # -like is case-insensitive, so CMD.EXE is caught as well as cmd.exe.
    # (.NET String.Contains() is case-sensitive and would let a differently cased name through.)
    if ($ExecutingProgramPath -like "*$ProgramNameToMatch*")
    {
      Set-PRRuleProperty -Action 'Block'
    }
    else
    {
      Set-PRRuleProperty -Action 'Allow'
    }
  2. Save the file as test-rulescript.ps1, ensuring you specify the ps1 extension.
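The following is an added example, not the script from the page or from BeyondTrust: a hardened variant of test-rulescript.ps1 that also fails closed inside the script. It assumes that Get-PRVariable -Name, Set-PRRuleProperty -Action and the PG_PROG_PATH variable behave as the page shows; the denylist of file names is constructed for the example.

```powershell
# Added example, not the page's script: a hardened variant of test-rulescript.ps1 that
# fails closed inside the script as well as relying on the Application Rule's Default Action.
# Assumed: Get-PRVariable -Name, Set-PRRuleProperty -Action and the PG_PROG_PATH variable
# behave as shown on the page. The denylist below is constructed for the example.

$BlockedFileNames = @('cmd.exe', 'powershell.exe')

try {
    $ExecutingProgramPath = Get-PRVariable -Name 'PG_PROG_PATH'

    if ([string]::IsNullOrWhiteSpace($ExecutingProgramPath)) {
        # Nothing to decide on: an empty path means the program cannot be identified,
        # so block rather than allow an unknown executable.
        Set-PRRuleProperty -Action 'Block'
    }
    else {
        # Decide on the file name, not on a substring of the whole path, so that a
        # folder called cmd.exe does not cause false matches on the programs inside it.
        $FileName = [System.IO.Path]::GetFileName($ExecutingProgramPath)

        # PowerShell's -contains compares strings case-insensitively, so CMD.EXE and
        # Cmd.Exe are caught; String.Contains() would not catch them.
        if ($BlockedFileNames -contains $FileName) {
            Set-PRRuleProperty -Action 'Block'
        }
        else {
            Set-PRRuleProperty -Action 'Allow'
        }
    }
}
catch {
    # A scripting error (for example a cmdlet throwing) must not leave the decision
    # undefined: block explicitly. The Default Action on the Application Rule still
    # covers the case where the script never starts at all.
    Set-PRRuleProperty -Action 'Block'
}
```

Import this file through the same Manage Scripts steps you use for test-rulescript.ps1, and keep the Application Rule's Default Action at Block Execution so that both the in-script catch and the rule-level default fail closed.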

You can use the Privilege Management Policy Editor or the Privilege Management ePO Extension to apply the rule script in policy.

Apply the Rule Script in Policy

This summary is intended for those who are familiar with editing policy in Privilege Management Policy Editor. If you need more information, please see the Administration Guide.

Privilege Management Policy Editor

These instructions apply to the Privilege Management Policy Editor.

In the Policy Editor:

  1. Create a Block Message called Test Power Rule Block Message. This message will be displayed if the rule script doesn't run.
  2. Create an Application Group called Test Power Rule Applications and add both mspaint.exe and cmd.exe as the File or Folder Name in the matching criteria.
  3. Create a Workstyle called Test Power Rules Applications and add an Application Rule.

In the Application Rule:

  1. Set the Application Group to Test Power Rule Applications from the Target Application Group dropdown list.
  2. From the Run a Rule Script dropdown list, select Manage Scripts.
  3. From the Rule Scripts node, click Import Script.
  4. Navigate to test-rulescript.ps1 and click Open.
  5. Click Close on the Script Manager dialog box.
  6. Set the Default Action to Block Execution and set the Default End User Message to Test Power Rule Block Message that you created earlier. The Default Action is what applies whenever the rule script does not run, so it should always be more restrictive than the outcome your Power Rule script grants: a script that can only relax a fail-closed default cannot open a hole when it fails.
  7. Set Raise an Event to On.
  8. Click OK to finish configuring the Application Rule.

You have now configured a Workstyle containing an Application Rule, which in turn targets an Application Group, containing both cmd.exe and mspaint.exe as matching criteria on the File or Folder Name. The Application Rule is configured to run the Power Rule, which blocks the application if the file or folder name contains cmd.exe; otherwise it allows it.

If the Power Rule does not run, the default action is Block, and the Privilege Management block message you configured will be displayed.

Once the policy is applied, Run the Power Rule Script at the Endpoint takes you through testing the rule script on the endpoint.

Privilege Management ePO Extension

These instructions apply to the Privilege Management ePO Extension.

In the Policy Editor:

  1. Create a Block Message called Test Power Rule Block Message. This message is displayed if the rule script does not run.
  2. Create an Application Group called Test Power Rule Applications and add both mspaint.exe and cmd.exe as the File or Folder Name in the matching criteria.
  3. Create a Workstyle called Test Power Rules Applications and add an Application Rule.

In the Application Rule:

  1. Set the Application Group to Test Power Rule Applications from the Target Application Group dropdown list.
  2. From the Run a Rule Script dropdown list, select test-rulescript.ps1.
  3. Set the Default Action to Block Execution and set the Default End User Message to the Test Power Rule Block Message that you created earlier. The Default Action is what applies whenever the rule script does not run, so it should always be more restrictive than the outcome your Power Rule script grants: a script that can only relax a fail-closed default cannot open a hole when it fails.
  4. Set Raise an Event to On.
  5. Click OK to finish configuring the Application Rule.

You have now configured a Workstyle containing an Application Rule, which in turn targets an Application Group, containing both cmd.exe and mspaint.exe as matching criteria on the File or Folder Name. The Application Rule is configured to run the Power Rule, which blocks the application if the file or folder name contains cmd.exe; otherwise it will allow it.

If the Power Rule does not run, the default action is Block, and the Privilege Management block message you configured is displayed.

The next section takes you through testing the rule script on the endpoint.

Run the Power Rule Script at the Endpoint

You can now use your endpoint Privilege Management environment to see the results of your Power Rule.

  1. Ensure the policy is applied, and you have a valid license.
  2. From the Start menu, type cmd.exe and press Return. The Rule Script Dialog is displayed.

Privilege Management for Windows Rule Script dialog box

  3. When you click OK, cmd.exe does not run because the script blocks it. You do not see the Privilege Management block message, which confirms that the script ran and that the Default Action you set on the Application Rule was not used.
  4. Run mspaint.exe. You will see the message from the script, but it runs successfully.

If you see the Privilege Management block message, ensure the Workstyle is enabled, has a valid license, and is configured correctly.