Custom Access Tokens in a Workstyle
An access token (built-in or Custom) is assigned to an application, or to content while it is being edited, to modify the privileges of that activity. The token is a collection of settings that specify the group memberships, privileges, integrity level, and process access rights the activity runs with.
Privilege Management for Windows includes a set of built-in access tokens that add administrator rights, remove administrator rights, or enforce the user's default privileges. A passive access token is also available that does not change the privileges of the activity but still applies anti-tamper protection.
Access tokens are assigned to applications or content through rules within a Workstyle. For more advanced configurations, Custom Tokens can be created where group memberships, privileges, permissions, and integrity can be manually specified. You can optionally define any number of Custom Tokens.
Create Custom Tokens
To create a Custom Token:
- Expand the relevant Workstyle in the left pane.
- Select the Custom Tokens node. The right pane displays the All Custom Tokens page.
- In the right pane, select Actions > Add Token. The Create New Custom Tokens dialog box appears.
- Select a token type and enter a Name and a Description.
- Click OK.
The new Custom Token is displayed beneath the Custom Tokens node. Click the new token to display the Token Summary.
You may now define the Groups, Privileges, Integrity Level, and Process Access Rights for the Custom Token.
After you change the policy, click Submit and then Save to save the policy. In ePO 5.10 and later, if the Trellix Approvals workflow is enabled, that workflow can be configured to change the Save button to Submit for Review based on user permissions.
Edit a Custom Token in a Workstyle
Groups
The Groups section of the Custom Token specifies the groups to be added or removed from the token.
To insert a group:
- Select Groups in the left pane. The Token groups appear in the right pane.
- In the right pane, select Actions > Add.
- The Add Group to Token dialog box appears.
- Enter a Group Name and a Security Identifier (SID). Select whether to Add Account or Remove Account and click OK.
- By default, when you insert a group, Add Account is selected and the group is added to the Custom Token. If you want the group removed from the Custom Token instead, select Remove Account for the relevant group.
- Domain and well-known groups display a Security Identifier (SID). Privilege Management for Windows uses the SID directly, which avoids an account lookup. For local groups the name is used instead, and the client looks up the SID when it builds the Custom Token on the endpoint; Local Account appears in the SID column of the groups list for local groups.
Alternatively, you can click Actions > Browse to browse Active Directory using LDAP for Groups to add, or to browse for BuiltIn Groups. Please note that you need to have created an LDAP Server in ePO Configuration > Registered Servers to browse AD for Groups.
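The following PowerShell is an added example and not part of the Privilege Management for Windows documentation. It resolves the groups you intend to add to a Custom Token into the form the Add Group to Token dialog expects: the SID for domain and well-known groups, and the name (shown as Local Account) for local groups, whose SID prefix exists only on the endpoint. The group names LocalAppUsers and CONTOSO\Helpdesk Operators are hypothetical and will only resolve where such groups exist.

```powershell
# Added example; not from the Privilege Management for Windows documentation.
# Resolves group names to the value the Add Group to Token dialog asks for.

function Resolve-TokenGroup {
    param([Parameter(Mandatory)][string]$Account)   # 'DOMAIN\Group', 'BUILTIN\Group' or 'COMPUTER\Group'
    try {
        $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
                   [System.Security.Principal.SecurityIdentifier])
    } catch {
        # Unresolvable here (no domain connectivity, or the group does not exist on this machine).
        return [pscustomobject]@{ Group = $Account; Sid = $null; Kind = 'Unresolved' }
    }
    $domainPart = ($Account -split '\\')[0]
    if (-not $sid.IsAccountSid()) {
        # BUILTIN (S-1-5-32-*) and NT AUTHORITY SIDs are identical on every machine: store the SID.
        $kind = 'WellKnown'; $value = $sid.Value
    } elseif ($domainPart -ieq $env:COMPUTERNAME) {
        # Local group: the S-1-5-21-<machine>-<rid> prefix is unique to this endpoint, so the
        # policy keeps the name and the client resolves the SID at token-creation time.
        $kind = 'Local'; $value = 'Local Account'
    } else {
        $kind = 'Domain'; $value = $sid.Value
    }
    [pscustomobject]@{ Group = $Account; Sid = $value; Kind = $kind }
}

# Constructed sample input; the last two groups are hypothetical.
$groups = @(
    'BUILTIN\Administrators'             # well-known alias, S-1-5-32-544 everywhere
    'NT AUTHORITY\INTERACTIVE'           # well-known, S-1-5-4
    "$env:COMPUTERNAME\LocalAppUsers"    # hypothetical local group -> 'Local Account'
    'CONTOSO\Helpdesk Operators'         # hypothetical domain group -> S-1-5-21-...
)
$groups | ForEach-Object { Resolve-TokenGroup $_ } | Format-Table -AutoSize
```

Run it on a domain-joined machine that can reach a domain controller; a domain group that comes back Unresolved cannot be typed into the dialog as a SID and should be picked through Actions > Browse against the registered LDAP server instead.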
Setting the Token Owner
By default, if the Custom Token includes the Administrators group, the token owner is set to the Administrators group; otherwise the user is the owner. The token owner is the default owner recorded on securable objects (files, registry keys) that the elevated process creates, so with the default setting those objects are owned by Administrators rather than by the user.
If you want the user to be the owner, regardless of the presence of the administrators group, then check the Ensure the User is always the Token Owner box, located at the top of the Token Groups page.
Anti-Tamper Protection
By default, Privilege Management for Windows prevents elevated processes from tampering with the files, registry keys and services that make up the client installation. It also prevents any elevated process from reading or writing the local Privilege Management for Windows policy cache.
If you want to disable anti-tamper protection, then uncheck the Enable anti-tamper protection box, located at the top of the Token Groups page.
Under normal circumstances, this option should remain enabled. Disable it only for scenarios in which elevated tasks legitimately require access to the protected areas, for instance an elevated logon script that updates the local Privilege Management for Windows policy; every process elevated with that token then has the same access.
Privileges
The Privileges section of the Custom Token specifies the privileges that are to be added to or removed from the Custom Token.
If you want to add a privilege to the Custom Token, check the Add box for the relevant privilege.
If you want to remove a privilege from the Custom Token, check the Remove box for the relevant privilege.
If you want to reset the default state of a privilege, click the No Change option for the relevant privilege.
To reset, add, or remove multiple privileges, check the relevant privileges and select Actions > Set <action> (or use the adjacent buttons).
To clear all of the privileges in the Custom Token before applying privileges, check the Remove all existing privileges in access token before applying privileges box. If this box is unchecked, the privileges are added to or removed from the privileges already present in the user's default access token.
Integrity Level
The Integrity Level section of the Custom Token specifies the integrity level for the Custom Token.
To set the integrity level:
- Select the Integrity Level node in the left pane. The integrity levels appear in the right pane as radio buttons.
- Set the appropriate integrity level.
The integrity levels are:
Integrity Level | Description |
---|---|
System | Included for completeness; should not normally be required |
High | The integrity level associated with an administrator |
Medium | The integrity level associated with a standard user |
Low | The integrity level associated with protected mode (an application may fail to run or function in protected mode) |
Untrusted | Included for completeness; should not normally be required |
The integrity level also governs what other processes can do to the elevated process: Windows mandatory integrity control refuses write access (for example PROCESS_VM_WRITE) to a process from a lower-integrity caller, so a token that adds administrator rights should normally run at High.
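The following PowerShell is an added example, not code from the Privilege Management for Windows documentation. It covers the Groups, Token Owner, Privileges and Integrity Level sections above: run it inside a process that a Workstyle rule launched with the Custom Token (for example a PowerShell window matched by the rule) to confirm what the resulting token actually contains. The expectations at the end assume a token that adds administrator rights; adjust them to the groups and privileges you configured. It parses whoami output, so the group and privilege names are those of the system locale.

```powershell
# Added example; not from the Privilege Management for Windows documentation.
# Summarises the token of the current process: owner, effective Administrators
# membership, deny-only groups, integrity level and privilege state.

function Get-AppliedTokenSummary {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $ntOwner  = $identity.Owner.Translate([System.Security.Principal.NTAccount]).Value

    # whoami reports the mandatory label (integrity level) as a row of Type 'Label' and
    # flags groups that count only for deny access checks in the Attributes column.
    $groupRows = whoami /groups /fo csv | ConvertFrom-Csv
    $label     = $groupRows | Where-Object Type -eq 'Label'
    $denyOnly  = $groupRows | Where-Object { $_.Attributes -match 'deny only' }
    $adminSid  = 'S-1-5-32-544'   # BUILTIN\Administrators

    $privRows  = whoami /priv /fo csv | ConvertFrom-Csv

    [pscustomobject]@{
        User           = $identity.Name
        TokenOwner     = $ntOwner
        IntegrityLevel = $label.'Group Name'
        IsAdminGroup   = [bool]($groupRows | Where-Object {
                             $_.SID -eq $adminSid -and $_.Attributes -notmatch 'deny only' })
        DenyOnlyGroups = @($denyOnly | Select-Object -ExpandProperty 'Group Name')
        EnabledPrivs   = @($privRows | Where-Object State -eq 'Enabled'  |
                             Select-Object -ExpandProperty 'Privilege Name')
        DisabledPrivs  = @($privRows | Where-Object State -eq 'Disabled' |
                             Select-Object -ExpandProperty 'Privilege Name')
    }
}

$summary = Get-AppliedTokenSummary
$summary | Format-List

# Expectations for an 'add administrator rights' style Custom Token (assumption; adjust to your policy).
if ($summary.IntegrityLevel -notmatch 'High') {
    Write-Warning "Integrity level is '$($summary.IntegrityLevel)', not High"
}
if (-not $summary.IsAdminGroup) {
    Write-Warning 'Administrators is absent or deny-only in this token'
}
if ($summary.TokenOwner -ne 'BUILTIN\Administrators') {
    Write-Warning "Token owner is $($summary.TokenOwner); expected BUILTIN\Administrators"
}
if ('SeDebugPrivilege' -in $summary.EnabledPrivs) {
    Write-Warning 'SeDebugPrivilege is enabled; remove it unless the application needs it'
}
```

A group you removed with Remove Account may either be absent or appear under DenyOnlyGroups; both mean it no longer grants access. Privileges listed under DisabledPrivs are still in the token and can be enabled by the process, so a privilege you want gone must be removed in the Privileges section rather than left disabled.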
Process Access Rights
The Process Access Rights section of a Custom Token specifies which rights other processes have over a process launched with that Custom Token; in effect it sets the DACL on the process object.
Tokens that include the administrators group have a secure set of access rights applied by default, which prevents code injection into elevated processes by processes running with standard user rights in the same session. This complements the integrity level: mandatory integrity control already blocks write access from a lower-integrity caller, so the process access rights matter most when a token grants administrator rights at the same integrity level as the user's other processes.
Enabling or Disabling an Access Right
Use the Enable / Disable options to enable or disable a specific access right.
To enable or disable multiple access rights, check the relevant access rights and select Actions > Set <action> (or use the adjacent buttons).
The access rights are:
Access Rights | Description |
---|---|
GENERIC_READ | Read access |
PROCESS_CREATE_PROCESS | Required to create a process |
PROCESS_CREATE_THREAD | Required to create a thread |
PROCESS_DUP_HANDLE | Required to duplicate a handle using DuplicateHandle |
PROCESS_QUERY_INFORMATION | Required to retrieve certain information about a process, such as its token, exit code, and priority class |
PROCESS_QUERY_LIMITED_INFORMATION | Required to retrieve certain information about a process |
PROCESS_SET_INFORMATION | Required to set certain information about a process, such as its priority class |
PROCESS_SET_QUOTA | Required to set memory limits using SetProcessWorkingSetSize |
PROCESS_SUSPEND_RESUME | Required to suspend or resume a process |
PROCESS_TERMINATE | Required to terminate a process using TerminateProcess |
PROCESS_VM_OPERATION | Required to perform an operation on the address space of a process |
PROCESS_VM_READ | Required to read memory in a process using ReadProcessMemory |
PROCESS_VM_WRITE | Required to write to memory in a process using WriteProcessMemory |
READ_CONTROL | Required to read information in the security descriptor for the object, not including the information in the SACL |
SYNCHRONIZE | Required to wait for the process to terminate using the wait functions |
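The following PowerShell is an added example, not code from the Privilege Management for Windows documentation. Run it as the standard user, in the same session, while an application launched with the Custom Token is running: it tries to open that process with each right in the table and reports which are granted. The process name notepad is a placeholder for whatever your Workstyle rule elevates; the access-right values are the winnt.h constants.

```powershell
# Added example; not from the Privilege Management for Windows documentation.
# Probes the DACL of an elevated process by calling OpenProcess with each right.

$signature = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
Add-Type -MemberDefinition $signature -Name Native -Namespace TokenCheck

# Values from winnt.h; names match the Process Access Rights table. Hex strings are
# cast explicitly because 0x80000000 would otherwise parse as a negative Int32.
$ProcessRights = [ordered]@{
    PROCESS_TERMINATE                 = [uint32]'0x0001'
    PROCESS_CREATE_THREAD             = [uint32]'0x0002'
    PROCESS_VM_OPERATION              = [uint32]'0x0008'
    PROCESS_VM_READ                   = [uint32]'0x0010'
    PROCESS_VM_WRITE                  = [uint32]'0x0020'
    PROCESS_DUP_HANDLE                = [uint32]'0x0040'
    PROCESS_CREATE_PROCESS            = [uint32]'0x0080'
    PROCESS_SET_QUOTA                 = [uint32]'0x0100'
    PROCESS_SET_INFORMATION           = [uint32]'0x0200'
    PROCESS_QUERY_INFORMATION         = [uint32]'0x0400'
    PROCESS_SUSPEND_RESUME            = [uint32]'0x0800'
    PROCESS_QUERY_LIMITED_INFORMATION = [uint32]'0x1000'
    READ_CONTROL                      = [uint32]'0x00020000'
    SYNCHRONIZE                       = [uint32]'0x00100000'
    GENERIC_READ                      = [uint32]'0x80000000'
}

function Test-ProcessAccess {
    param([Parameter(Mandatory)][int]$ProcessId)
    foreach ($entry in $ProcessRights.GetEnumerator()) {
        $h   = [TokenCheck.Native]::OpenProcess($entry.Value, $false, [uint32]$ProcessId)
        # Read the error immediately; anything else run in between can overwrite it.
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        $granted = $h -ne [IntPtr]::Zero
        if ($granted) { [void][TokenCheck.Native]::CloseHandle($h) }
        [pscustomobject]@{
            Right   = $entry.Key
            Granted = $granted
            Error   = if ($granted) { '' } elseif ($err -eq 5) { 'ACCESS_DENIED' } else { "Win32 error $err" }
        }
    }
}

# 'notepad' is a placeholder for the application your Workstyle rule launches with the token.
$target = Get-Process -Name notepad -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $target) { throw 'Start the elevated application first, then re-run this probe.' }

$results = Test-ProcessAccess -ProcessId $target.Id
$results | Format-Table -AutoSize

# Rights that let a same-session process inject code; any Granted = True here is a finding.
$injectRights = 'PROCESS_VM_WRITE', 'PROCESS_VM_OPERATION', 'PROCESS_CREATE_THREAD',
                'PROCESS_DUP_HANDLE', 'PROCESS_SET_INFORMATION'
$results | Where-Object { $_.Right -in $injectRights -and $_.Granted } |
    ForEach-Object { Write-Warning "$($_.Right) is obtainable on PID $($target.Id)" }
```

If you run the probe from an elevated or SYSTEM prompt every right is granted, which tells you nothing about the Custom Token; the interesting result is the set of rights a standard-user process in the same session can obtain. With the default secure access rights, expect PROCESS_QUERY_LIMITED_INFORMATION and SYNCHRONIZE style rights to succeed and the injection rights to fail with ACCESS_DENIED; if you have enabled additional rights in the Custom Token, the probe shows exactly what you have exposed.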