Application Rules

Application Rules are applied to Application Groups. Use them to enforce allowlisting, monitoring, and privilege assignment for groups of applications: each rule applies to every application listed in its target Application Group.

You must have an Application Group before you can create an Application Rule.

Application Rules are color coded in the interface:

  • Blue: A Power Rule is assigned to the Application Rule; the resulting action could be allow or block.
  • Green: The default action is allow.
  • Orange: The default action is block.
Insert an Application Rule

Click Application Rules to view, create, or modify the following options for each Application Rule:

Target Application Group: Select from the Application Groups list. The rule applies to every application that matches this group's definitions.

Run a Rule Script: Assigns a Rule Script that runs before the Application Rule triggers. Use Manage Scripts from the dropdown to import your Rule Script, then select it from the dropdown list.

Action: Select Allow Execution or Block Execution. This is what happens when the end user launches an application in the targeted Application Group.

End User Message: Select whether a message is displayed to the user when they launch the application. We recommend using a message when you block execution, so the end user gets some feedback on why the application doesn't launch.

Password Safe Account Name: If you deploy the BeyondInsight management console, you can integrate Password Safe with Privilege Management for Windows. These features are detailed in the BeyondInsight Integration Guide.

Access Token: Select the type of token to pass to the target Application Group. You can select from:

  • Passive (no change): Doesn't make any change to the user's token. This is essentially an audit feature.
  • Enforce User's default rights: Removes all rights and uses the user's default token. Because Windows UAC always tries to add administrator rights to the token being used, a user who launches an application that triggers UAC cannot progress past the UAC prompt.
  • Drop Admin Rights: Removes administrator rights from the user's token.
  • Add Full Admin (Required for installers): Standard Windows Admin token containing all Admin privileges.
  • Add Basic Admin Rights: Gives greater control over the privileges granted when targeting rules at actions. This token excludes SeDebugPrivilege and SeLoadDriverPrivilege, so the application runs as an administrator but cannot open arbitrary processes (for example LSASS) or load kernel drivers.
  • Privilege Management Support Token: Applies Add Full Admin privileges with tamper protection removed. Because the agent's anti-tamper protection no longer applies to the process, reserve this token for trusted support tooling.
  • Keep Privileges - Enhanced: Keeps the same privileges as the process token and adds additional context to it. Use this token with features such as Advanced Parent Tracking or Anti-tamper.
Auditing

Raise an Event: By default, user and computer information is included in all audit events. Events are forwarded to a local event log file. To exclude user and computer information from the audit, set Raise an Event to On (Anonymous). Event fields that contain user directory information may still reveal a username within the file path (for example, a profile path under C:\Users), so anonymous events do not guarantee that no user identity is recorded.

Run an Audit Script: Select an audit script to run after the Application Rule. Use Manage Scripts from the dropdown to import your audit script, then select it from the dropdown list.

Privilege Monitoring: Raises a privilege monitoring event.

McAfee ePO Reporting Options

These options are only available if you checked the McAfee integration box when you installed the Privilege Management Policy Editor.

ePO Threat Events: Select this option to raise an ePO threat event. These are separate from Privilege Management reporting events.

Privilege Management Reporting (in ePO): Select this option to raise a Privilege Management reporting event. These are available in BeyondTrust Reporting.

BeyondInsight Reporting

BeyondInsight Events: When configured, sends BeyondInsight events to BeyondInsight.

Privilege Management Reporting: When configured, sends Privilege Management reporting events to BeyondInsight.
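The Access Token options above decide what privileges the launched application actually holds, and the only reliable way to confirm a rule does what you intend is to inspect the token from inside a process launched under that rule. The following is an added example, not code from the BeyondTrust documentation or product: run it from a process that the rule under test launched (for example, by targeting powershell.exe with the rule) and it reports whether the token is elevated, its integrity label, and whether the two privileges that Add Basic Admin Rights withholds are present. It uses only built-in Windows tooling (.NET WindowsIdentity and whoami); the function name and the choice of privileges to flag are this example's own.

```powershell
# Added example, not BeyondTrust code. Run from inside a process launched through the
# Application Rule under test to see which token the rule actually produced.

function Get-EffectiveTokenSummary {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # whoami /priv /fo csv returns one row per privilege: Privilege Name, Description, State.
    $privileges = whoami /priv /fo csv | ConvertFrom-Csv

    # whoami /groups lists the token's integrity label alongside the group SIDs.
    # The label name is localized on non-English Windows; adjust the filter if needed.
    $label = (whoami /groups /fo csv | ConvertFrom-Csv |
              Where-Object { $_.'Group Name' -like 'Mandatory Label\*' }).'Group Name'

    [pscustomobject]@{
        User              = $identity.Name
        IsAdministrator   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
        IntegrityLabel    = $label
        PrivilegeNames    = @($privileges.'Privilege Name')
        EnabledPrivileges = @($privileges | Where-Object State -eq 'Enabled' | ForEach-Object 'Privilege Name')
    }
}

# Privileges that the Add Basic Admin Rights token is documented to exclude. If a rule is
# meant to grant only basic admin rights and these show up, the rule is not producing
# the token you expect (check precedence: another rule or Workstyle may be matching first).
$sensitive = 'SeDebugPrivilege', 'SeLoadDriverPrivilege'

$summary = Get-EffectiveTokenSummary
$summary | Format-List User, IsAdministrator, IntegrityLabel, EnabledPrivileges

foreach ($name in $sensitive) {
    if ($summary.PrivilegeNames -contains $name) {
        Write-Warning "$name is present in this token (consistent with Add Full Admin or the Support Token)"
    } else {
        Write-Output "$name is absent (consistent with Add Basic Admin Rights, Drop Admin Rights, or a standard user token)"
    }
}
```

With Passive (no change) the output simply reflects the user's own logon token, which makes it a useful baseline to compare against before switching the rule to one of the elevating tokens.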

Application Rule Precedence

If you add more than one Application Rule to a Workstyle, entries higher in the list have higher precedence. Once an application matches an Application Rule, no further rules or Workstyles are processed, so the first match decides the outcome. If an application can match more than one Workstyle or rule, it is important that you order both your Workstyles and your rules correctly: a broad allow rule placed above a narrower block rule means the block rule never fires. You can move Application Rules up and down to change the precedence.
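To make the ordering pitfall concrete, here is an added example (not BeyondTrust code, and not how the product evaluates policy internally) that models first-match evaluation across ordered Workstyles and their Application Rules. It matches on the executable file name only, which is a simplification of what an Application Group can define; the Workstyle, rule and application names are constructed for the illustration.

```powershell
# Added example, not BeyondTrust code: a simplified first-match model of Workstyle and
# Application Rule precedence. Matching on the executable name alone is an assumption.

function Resolve-ApplicationRule {
    param(
        [Parameter(Mandatory)] [string]   $Executable,   # e.g. 'cmd.exe'
        [Parameter(Mandatory)] [object[]] $Workstyles    # ordered, highest precedence first
    )
    foreach ($ws in $Workstyles) {
        foreach ($rule in $ws.Rules) {                   # rules ordered top to bottom
            if ($rule.Group -contains $Executable) {
                # First match wins: no further rules or Workstyles are considered.
                return [pscustomobject]@{
                    Workstyle = $ws.Name
                    Rule      = $rule.Name
                    Action    = $rule.Action
                    Token     = $rule.Token
                }
            }
        }
    }
    return $null   # nothing matched; the Workstyle's default behaviour applies
}

# Constructed sample policy with hypothetical names. The broad allow rule sits above
# the narrower block rule, which is the mistake this example demonstrates.
$policy = @(
    @{ Name = 'Standard Users'; Rules = @(
        @{ Name  = 'Allow common tools'
           Group = @('notepad.exe', 'cmd.exe', 'powershell.exe')
           Action = 'Allow Execution'; Token = 'Passive (no change)' }
        @{ Name  = 'Block shells'
           Group = @('cmd.exe', 'powershell.exe')
           Action = 'Block Execution'; Token = 'n/a' }
    ) }
)

Resolve-ApplicationRule -Executable 'cmd.exe' -Workstyles $policy
# Matches 'Allow common tools': the block rule never fires because the allow rule is above it.

# Move the block rule to the top (the equivalent of moving it up in the Policy Editor).
$policy[0].Rules = @($policy[0].Rules[1], $policy[0].Rules[0])

Resolve-ApplicationRule -Executable 'cmd.exe' -Workstyles $policy
# Now matches 'Block shells'; notepad.exe still falls through to 'Allow common tools'.
```

The same logic applies one level up: a Workstyle earlier in the list that matches the application shadows every rule in the Workstyles below it, so review Workstyle order before concluding that a rule is broken.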