Windows QuickStart

The QuickStart for Windows policy contains Workstyles, Application Groups, messages, and custom tokens configured with Endpoint Privilege Management and Application Control. The QuickStart policy is designed from BeyondTrust’s experiences of implementing the solution across thousands of customers, and is intended to balance security with user freedom. As every environment is different, we recommend you thoroughly test this configuration to ensure it complies with the requirements of your organization.

As of release 5.5, all releases of this product are signed with BeyondTrust Corporation, rather than Avecto, as the software publisher name. If prior to 5.5 you used the QuickStart Policy Template as a starting point, it is likely that your configuration will include Application Groups which target our own applications based on a publisher match to Avecto. An upgrade to 5.5 or beyond requires you to update your configuration so that it continues to match the versions of the applications and tools that you use. We recommend one of the following two options:

Option 1

Add a copy of any existing application definitions which target Avecto and update those copies to target BeyondTrust Corporation instead; the presence of both sets of application definitions ensures they continue to match both new and existing versions during the implementation of 5.5. This option has an advantage over Option 2, in that it also covers any application definitions that you may have created yourself that target the Avecto publisher.

Option 2

You may copy fragments of the QuickStart policies in version 5.5 to your existing application definitions.

For either option, it is critical that you roll out your configuration changes before you update your Endpoint Privilege Management for Windows software to version 5.5 or later.

This template policy contains the following elements:

Workstyles

  • All Users
  • High Flexibility
  • Medium Flexibility
  • Low Flexibility

Application Groups

  • Add Admin - All Users (Business Apps)
  • Add Admin - All Users (Windows Functions)
  • Add Admin - High Flexibility
  • Add Admin - Medium Flexibility
  • Add Admin - Low Flexibility
  • Add Admin - Protected Operations
  • Allow - Allowed Functions & Apps
  • Block - Blocked Apps
  • Passive - High Business Apps
  • Passive - Medium Business Apps
  • Passive - Low Business Apps
  • Passive - All Users Functions & Apps

Hidden Application Groups

  • (Default) Any Application
  • (Default) Any Trusted & Signed UAC Prompt
  • (Default) Any UAC Prompt
  • (Default) Endpoint Privilege Management Tools
  • (Default) Child Processes of TraceConfig.exe
  • (Default) Signed UAC Prompt
  • (Default) Software Deployment Tool Installs
  • (Recommended) Restricted Functions
  • (Recommended) Restricted Functions (On-Demand)
  • (Default) Trusted Parent Processes

Messages

  • Allow Message (Authentication & Reason)
  • Allow Message (Select Reason)
  • Allow Message (Support Desk)
  • Allow Message (Yes / No)
  • Block Message
  • Block Notification
  • Notification (Trusted)

Custom Tokens

  • BeyondTrust Support Token

For information on how to upgrade Avecto-signed application definitions, please see Upgrade Endpoint Privilege Management for Windows.

Windows QuickStart Policy Summary

By using and building on the QuickStart policy, you can quickly improve your organization's security without having to monitor and analyze your users' behavior first and then design and create your Endpoint Privilege Management for Windows configuration.

After the QuickStart policy is deployed to groups within your organization, you can start to gather information on your users' behavior. This provides you with a better understanding of the applications used within your organization, and whether they require admin rights, need to be blocked, or need authorizing for specific users.

This data can then be used to further refine the QuickStart policy to provide a more tailored Endpoint Privilege Management for Windows solution for your organization.

Windows Workstyles

The QuickStart policy contains five Workstyles that should be used together to manage all users in your organization.

All Users

This Workstyle contains a set of default rules that apply to all standard users regardless of the level of flexibility they need.

The All Users Workstyle contains rules to:

  • Block any applications in the Block - Blocklisted Apps group
  • Allow Endpoint Privilege Management for Windows Support tools
  • Allow standard Windows functions, business applications, and applications installed through trusted deployment tools to run with admin rights
  • Allow approved standard user applications to run passively

High Flexibility

This Workstyle is designed for users that require a lot of flexibility, such as developers.

The High Flexibility Workstyle contains rules to:

  • Allow known business applications and operating system functions to run.
  • Allow users to run signed applications with admin rights.
  • Allow users to run unknown applications with admin rights once they confirm that the application should be elevated.
  • Allow applications that are in the Add Admin – High Flexibility group to run with admin rights.
  • Allow unknown business application and operating system functions to run on-demand.

Medium Flexibility

This Workstyle is designed for users that require some flexibility, such as sales engineers.

The Medium Flexibility Workstyle contains rules to:

  • Allow known business applications and operating system functions to run.
  • Allow users to run signed applications with admin rights once they confirm that the application should be elevated.
  • Prompt users to provide a reason before they can run unknown applications with admin rights.
  • Allow applications that are in the Add Admin – Medium Flexibility group to run with admin rights.
  • Allow unknown business application and operating system functions to run on-demand.
  • Prevent restricted OS functions that require admin rights from running; these require support interaction.

Low Flexibility

This Workstyle is designed for users that don't require much flexibility, such as helpdesk operators.

The Low Flexibility Workstyle contains rules to:

  • Prompt users to contact support if a trusted or untrusted application requests admin rights.
  • Prompt users to contact support if an unknown application tries to run.
  • Allow known approved business applications and operating system functions to run (Windows only).

Windows Workstyle Parameters

The Endpoint Privilege Management for Windows settings include a number of features allowing customization of the text and strings used for end user messaging and auditing. If you want to include properties relating to the settings applied, the application being used, the user, or the installation of Endpoint Privilege Management for Windows, you can use parameters, which are replaced with the value of the corresponding property at runtime.

Parameters are identified as any string surrounded by brackets ([ ]), and if detected, the Endpoint Privilege Management client attempts to expand the parameter. If successful, the parameter is replaced with the expanded property. If unsuccessful, the parameter remains part of the string. The table below shows a summary of all available parameters and where they are supported.

Parameter Description
[PG_ACTION] The action which the user performed from an end user message
[PG_AGENT_VERSION] The version of Endpoint Privilege Management for Windows
[PG_APP_DEF] The name of the Application Rule that matched the application
[PG_APP_GROUP] The name of the Application Group that contained a matching Application Rule
[PG_AUTH_METHODS] Lists the authentication and/or authorization methods used to allow the requested action to proceed
[PG_AUTH_USER_DOMAIN] The domain of the designated user who authorized the application
[PG_AUTH_USER_NAME] The account name of the designated user who authorized the application
[PG_COM_APPID] The APPID of the COM component being run
[PG_COM_CLSID] The CLSID of the COM component being run
[PG_COM_NAME] The name of the COM component being run
[PG_COMPUTER_DOMAIN] The name of the domain that the host computer is a member of
[PG_COMPUTER_NAME] The NetBIOS name of the host computer
[PG_CONTENT_DEF] The definition name of the matching content
[PG_CONTENT_FILE_DRIVE_TYPE] The drive type of the matching content
[PG_CONTENT_FILE_HASH] The SHA-1 hash of the matching content
[PG_CONTENT_FILE_IE_ZONE] The Internet Zone of the matching content
[PG_CONTENT_FILE_NAME] The file name of the matching content
[PG_CONTENT_FILE_OWNER] The owner of the matching content
[PG_CONTENT_FILE_PATH] The full path of the matching content
[PG_CONTENT_GROUP] The group name of a matching content definition
[PG_DOWNLOAD_URL] The full URL from which an application was downloaded
[PG_DOWNLOAD_URL_DOMAIN] The domain from which an application was downloaded
[PG_EVENT_TIME] The date and time that the policy matched
[PG_EXEC_TYPE] The type of execution method: Application Rule or shell rule
[PG_GPO_DISPLAY_NAME] The display name of the GPO (Group Policy Object)
[PG_GPO_NAME] The name of the GPO that contained the matching policy
[PG_GPO_VERSION] The version number of the GPO that contained the matching policy
[PG_IDP_AUTH_USER_NAME] The value given by the Identity Provider as the user who successfully authenticated to allow the requested action to proceed. Maps to the OIDC "email" scope.
[PG_MESSAGE_NAME] The name of the custom message that was applied
[PG_MSG_CHALLENGE] The 8-digit challenge code presented to the user
[PG_MSG_RESPONSE] The 8-digit response code entered by the user
[PG_POLICY_NAME] The name of the policy
[PG_PROG_CLASSID] The ClassID of the ActiveX control
[PG_PROG_CMD_LINE] The command line of the application being run
[PG_PROG_DRIVE_TYPE] The type of drive from which the application is being executed
[PG_PROG_FILE_VERSION] The file version of the application being run
[PG_PROG_HASH] The SHA-1 hash of the application being run
[PG_PROG_HASH_SHA256] The SHA-256 hash of the application being run
[PG_PROG_NAME] The program name of the application
[PG_PROG_PARENT_NAME] The file name of the parent application
[PG_PROG_PARENT_PID] The process identifier of the parent of the application
[PG_PROG_PATH] The full path of the application file
[PG_PROG_PID] The process identifier of the application
[PG_PROG_PROD_VERSION] The product version of the application being run
[PG_PROG_PUBLISHER] The publisher of the application
[PG_PROG_TYPE] The type of application being run
[PG_PROG_URL] The URL of the ActiveX control
[PG_SERVICE_ACTION] The action performed on the matching service
[PG_SERVICE_DISPLAY_NAME] The display name of the Windows service
[PG_SERVICE_NAME] The name of the Windows service
[PG_STORE_PACKAGE_NAME] The package name of the Windows Store App
[PG_STORE_PUBLISHER] The package publisher of the Windows Store app
[PG_STORE_VERSION] The package version of the Windows Store app
[PG_TOKEN_NAME] The name of the built-in token or Custom Token that was applied
[PG_USER_DISPLAY_NAME] The display name of the user
[PG_USER_DOMAIN] The name of the domain that the user is a member of
[PG_USER_NAME] The account name of the user
[PG_USER_REASON] The reason entered by the user
[PG_USER_SID] The SID of the user
[PG_WORKSTYLE_NAME] The name of the Workstyle
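As an added illustration of the expansion behaviour described above (example code written for this page, not BeyondTrust's own implementation), assuming a constructed runtime context and a made-up [PG_TICKET_ID] token that the product does not define:

```python
import re

# Constructed sample runtime context (not real data): the values a client would
# supply when it expands a message or audit string. Keys are parameter names
# from the table above; every value here is made up.
SAMPLE_CONTEXT = {
    "PG_USER_DOMAIN": "CORP",
    "PG_USER_NAME": "jsmith",
    "PG_PROG_NAME": "setup.exe",
    "PG_PROG_PUBLISHER": "BeyondTrust Corporation",
    "PG_WORKSTYLE_NAME": "Medium Flexibility",
    "PG_MSG_CHALLENGE": "12345678",
    # User-typed free text: deliberately contains a bracketed token.
    "PG_USER_REASON": "Installing tool, see ticket [PG_USER_SID]",
}

# A parameter is any string surrounded by square brackets.
PARAM_RE = re.compile(r"\[([^\[\]]+)\]")

def expand_parameters(template: str, context: dict) -> str:
    """Expand every [NAME] whose value is known; leave unknown ones verbatim.

    This is a single pass: a bracketed token inside a substituted value
    (for example inside a user-supplied [PG_USER_REASON]) is copied literally
    and is never expanded in turn.
    """
    def replace(match):
        name = match.group(1)
        return str(context[name]) if name in context else match.group(0)
    return PARAM_RE.sub(replace, template)

def unexpanded_parameters(rendered: str) -> list:
    """List bracketed tokens still present after expansion.

    Useful when testing a custom message or audit string: a misspelled
    parameter would otherwise reach end users or the audit log as literal text.
    """
    return PARAM_RE.findall(rendered)

if __name__ == "__main__":
    audit_line = ("[PG_USER_DOMAIN]\\[PG_USER_NAME] requested admin rights for "
                  "[PG_PROG_NAME] (publisher: [PG_PROG_PUBLISHER]) under "
                  "[PG_WORKSTYLE_NAME]; reason: [PG_USER_REASON]; "
                  "challenge [PG_MSG_CHALLENGE]; ticket [PG_TICKET_ID]")
    rendered = expand_parameters(audit_line, SAMPLE_CONTEXT)
    print(rendered)
    print("still unexpanded:", unexpanded_parameters(rendered))
```

The single-pass rule matters when audit strings feed a SIEM: free text such as the user's reason or the command line is copied as data, so a bracketed token inside it cannot pull in another property.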

Windows Application Groups

The Application Groups that are prefixed with (Default) or (Recommended) are hidden by default and do not need to be altered.

  • Add Admin – General (Business Apps): Contains applications that are approved for elevation for all users, regardless of their flexibility level.
  • Add Admin – General (Windows Functions): Contains operating system functions that are approved for elevation for all users.
  • Add Admin – High Flexibility: Contains the applications that require admin rights that should only be provided to the high flexibility users.
  • Add Admin – Low Flexibility: Contains the applications that require admin rights that should only be provided to the low flexibility users.
  • Add Admin – Medium Flexibility: Contains the applications that require admin rights that should only be provided to the medium flexibility users.
  • Add Admin – Protected Operations: Contains the applications that require admin rights that should only be provided to the protected operations users.
  • Passive - High Business Apps
  • Passive - Medium Business Apps
  • Passive - Low Business Apps
  • Block - Blocklisted Apps: This group contains applications that are blocked for all users.
  • Passive - All Users Functions & Apps: Contains trusted applications, tasks and scripts that should execute as a standard user.
  • (Default) Any Application: Contains all application types and is used as a catch-all for unknown applications.
  • (Default) Any Trusted & Signed UAC Prompt: Contains signed (trusted ownership) application types that request admin rights.
  • (Default) Any UAC Prompt: This group contains application types that request admin rights.
  • (Default) Endpoint Privilege Management Tools: This group is used to provide access to a BeyondTrust executable that collects Endpoint Privilege Management for Windows troubleshooting information.
  • (Default) Child Processes of TraceConfig.exe
  • (Default) Signed UAC Prompt: Contains signed (trusted ownership) application types that request admin rights.
  • (Default) Software Deployment Tool Installs: Contains applications that can be installed by deployment tools such as System Center Configuration Manager (SCCM).
  • (Recommended) Restricted Functions: This group contains OS applications and consoles that are used for system administration and trigger UAC when they are executed.
  • (Recommended) Restricted Functions (On Demand): This group contains OS applications and consoles that are used for system administration.
  • (Default) Trusted Parent Processes

Windows Messages

The following messages are created as part of the QuickStart policy and are used by some of the Application Rules:

  • Allow Message (Authentication): Asks the user to provide a reason and enter their password before the application runs with admin rights.
  • Allow Message (Select Reason): Asks the user to select a reason from a dropdown menu before the application runs with admin rights.
  • Allow Message (Support Desk): Presents the user with a challenge code and asks them to obtain authorization from the support desk. Support can either provide a response code or a designated, authorized user can enter their login details to approve the request.
  • Allow Message (Yes / No): Asks the user to confirm that they want to proceed to run an application with admin rights.
  • Block Message: Warns the user that an application has been blocked.
  • Block Notification: Notifies the user that an application has been blocked and submitted for analysis.
  • Notification (Trusted): Notifies the user that an application has been trusted.

Windows Custom Token

A custom token is created as part of the QuickStart policy. The custom token is called Endpoint Privilege Management Support Token and is only used to ensure an authorized user can gain access to Endpoint Privilege Management for Windows troubleshooting information.

We do not recommend using the Endpoint Privilege Management Support Token for any other Application Rules in your Workstyles.

Customize the Windows QuickStart Policy

Before deploying the QuickStart policy to your users, you need to make some company-specific customizations to the standard template.

At a minimum you need to:

  • Configure the users or groups that can authorize requests that trigger messages.
  • Assign users and groups to the high, medium, and low flexibility Workstyles.
  • Populate the Block - Blocklisted Apps Application Group with any applications that you want to block for all users.
  • Set your shared key so you can generate an Endpoint Privilege Management for Windows Response code.