Privilege Management Content Rules

Content Rules define the actions Privilege Management for Windows takes when content, such as a file, is launched by the user.

You need a Content Group before you can create a Content Rule.

For more information, please see Content Groups.

Insert a Content Rule

  1. Click Content Rules to view, create or modify the following for each Application Rule:
Option: Description

Target Content Group: Select from the Content Groups list.

Action: Select from Allow Modification or Block Access. This is what occurs if the user tries to access the content.

End User Message: Select whether a message is displayed to the user when they try to access the content. We recommend using Messages if you're blocking content from being accessed, so the user has some feedback.

Access Token: Select the type of token to be used for the target Application Group. You can select from:

Passive (no change): Doesn't make any change to the user's token. This is essentially an audit feature.

Enforce User's default rights: Removes all rights and uses the user's default token. Windows UAC always tries to add administration rights to the token being used, so if the user clicks an application that triggers UAC, the user cannot progress past the UAC prompt.

Drop Admin Rights: Removes administration rights from the user's token.

Add Admin Rights: Adds administration rights to the user's token.

Auditing

Raise an Event: Select whether an event is raised if this Content Rule is triggered. The event is forwarded to the local event log file.

Run a Script: You can choose to run an audit script, if required.

McAfee ePO Reporting Options

ePO Threat Events: Select this option to raise an ePO threat event. These are separate from Privilege Management Reporting events.

Privilege Management Reporting: Select this option to raise a Privilege Management Reporting event. These are available in Privilege Management Reporting in BeyondInsight.

After you change the policy, click Submit and then Save to save the policy. In ePO 5.10 and later, if you have McAfee Approvals workflow enabled, this workflow can be modified to change the Save button to Submit for Review based on user permissions.

For more information, please see the following: