QuickStart for Windows Template Policy Configuration

The QuickStart policy contains Workstyles, Application Groups, Messages, and Custom Tokens configured with Privilege Management and Application Control. It has been designed from BeyondTrust’s experience of implementing the solution across thousands of customers, and is intended to balance security with user freedom. As every environment is different, we recommend you thoroughly test this configuration to ensure it complies with the requirements of your organization.

This template policy contains the following elements:

Workstyles

  • All Users
  • High Flexibility
  • Medium Flexibility
  • Low Flexibility

Application Groups

  • Add Admin - General (Business Apps)
  • Add Admin - General (Windows Functions)
  • Add Admin - High Flexibility
  • Add Admin - Medium Flexibility
  • Allow - Approved Standard User Apps
  • Allow - Allowlisted Functions & Apps
  • Block - Blocklisted Apps
  • Control - Restricted Functions
  • Control - Restricted Functions (On-Demand)

Messages

  • Allow Message (Authentication)
  • Allow Message (Select Reason)
  • Allow Message (Support Desk)
  • Allow Message (Yes / No)
  • Block Message
  • Block Notification
  • Notification (Trusted)

Custom Tokens

  • BeyondTrust Corporation Support Token

QuickStart Policy Summary

By using and building on the QuickStart policy, you can quickly improve your organization's security without having to monitor and analyze your users' behavior first and then design and create your Privilege Management for Windows configuration.

After the QuickStart policy is deployed to groups within your organization, you can start to gather information on your users' behavior. This provides you with a better understanding of the applications used within your organization, and whether they require admin rights, need to be blocked, or need authorizing for specific users.

This data can then be used to further refine the QuickStart policy to provide a more tailored Privilege Management for Windows solution for your organization.

Workstyles

The QuickStart policy contains four Workstyles that should be used together to manage all users in your organization.

All Users

This Workstyle contains a set of default rules that apply to all standard users regardless of the level of flexibility they need.

The All Users Workstyle contains rules to:

  • Block any applications in the Block - Blocklisted Apps group
  • Allow Privilege Management for Windows Support tools
  • Allow standard Windows functions, business applications, and applications installed through trusted deployment tools to run with admin rights
  • Allow approved standard user applications to run passively

High Flexibility

This Workstyle is designed for users that require a lot of flexibility, such as developers.

The High Flexibility Workstyle contains rules to:

  • Allow known business applications and operating system functions to run.
  • Allow users to run signed applications with admin rights.
  • Allow users to run unknown applications with admin rights once they confirm that the application should be elevated.
  • Allow applications that are in the Add Admin – High Flexibility group to run with admin rights.
  • Allow unknown business application and operating system functions to run on-demand.

Medium Flexibility

This Workstyle is designed for users that require some flexibility, such as sales engineers.

The Medium Flexibility Workstyle contains rules to:

  • Allow known business applications and operating system functions to run.
  • Allow users to run signed applications with admin rights once they confirm that the application should be elevated.
  • Prompt users to provide a reason before they can run unknown applications with admin rights.
  • Allow applications that are in the Add Admin – Medium Flexibility group to run with admin rights.
  • Allow unknown business application and operating system functions to run on-demand.
  • Prevent restricted OS functions that require admin rights from running without support desk interaction.

Low Flexibility

This Workstyle is designed for users that don't require much flexibility, such as helpdesk operators.

The Low Flexibility Workstyle contains rules to:

  • Prompt users to contact support if a trusted or untrusted application requests admin rights.
  • Prompt users to contact support if an unknown application tries to run.
  • Allow known approved business applications and operating system functions to run (Windows only).

Application Groups

The Application Groups prefixed with (Default) or (Recommended) are hidden by default and do not need to be altered.

  • (Default) Authorize - System Trusted: Contains operating system functions that are authorized for all users.
  • (Default) General - Any Application: Contains all application types and is used as a catch-all for unknown applications.
  • (Default) General - Any Application Requiring Authorization: This group contains application types that request admin rights.
  • (Default) Passive - System Trusted: This group contains system applications that are allowed for all users.
  • Any Other Sudo Commands: Contains all sudo commands and is used as a catch-all for unknown sudo commands.
  • Authorize - High Flexibility: Contains the applications that require authorization that should only be provided to the high flexibility users.
  • Authorize - Controlled OS Functions: This group contains OS functions that are used for system administration and trigger an authorization prompt when they are executed.
  • Authorize - General Business Applications: Contains applications that are authorized for all users, regardless of their flexibility level.
  • Authorize - Low Flexibility: Contains the applications that require authorization that should only be provided to the low flexibility users.
  • Authorize - System Preferences: This group contains system preferences that trigger an authorization prompt when they are executed.
  • Authorize Sudo Commands: General. Contains sudo commands that are allowed for all users.
  • Authorize Sudo Commands: High Flexibility. Contains sudo commands that should only be provided to the high flexibility users.
  • Block - Applications: This group contains applications that are blocked for all users.
  • Passive - General Business Applications: This group contains applications that are allowed for all users.

Messages

The following messages are created as part of the QuickStart policy and are used by some of the Application Rules:

  • Allow Message (Authentication): Asks the user to provide a reason and enter their password before the application runs with admin rights.
  • Allow Message (Select Reason): Asks the user to select a reason from a dropdown menu before the application runs with admin rights.
  • Allow Message (Support Desk): Presents the user with a challenge code and asks them to obtain authorization from the support desk. Support can either provide a response code or a designated, authorized user can enter their login details to approve the request.
  • Allow Message (Yes / No): Asks the user to confirm that they want to proceed to run an application with admin rights.
  • Block Message: Warns the user that an application has been blocked.
  • Block Notification: Notifies the user that an application has been blocked and submitted for analysis.
  • Notification (Trusted): Notifies the user that an application has been trusted.

Custom Token

A custom token is created as part of the QuickStart policy. The custom token is called Privilege Management Support Token (listed as BeyondTrust Corporation Support Token in the element summary above) and is only used to ensure an authorized user can gain access to Privilege Management for Windows troubleshooting information.

We do not recommend using the Privilege Management Support Token for any other Application Rules in your Workstyles.

Customize the QuickStart Policy

Before deploying the QuickStart policy to your users, you need to make some company-specific customizations to the standard template.

At a minimum you need to:

  • Configure the users or groups that can authorize requests that trigger messages.
  • Assign users and groups to the high, medium, and low flexibility Workstyles.
  • Populate the Block - Blocklisted Apps Application Group with any applications that you want to block for all users.
  • Set your shared key so you can generate a Privilege Management for Windows Response code.
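The Allow Message (Support Desk) flow and the shared key step above both rest on the same idea: the endpoint shows a challenge, the support desk derives a response from it using a secret that only the desk holds, and the endpoint accepts the elevation only if the response matches. The following Python is an added example of that pattern; it is not BeyondTrust's code and not the product's actual response-code algorithm (which is proprietary). The HMAC-SHA256 construction with RFC 4226 style truncation, the function names, the 8-digit code length and the sample key are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed sample key for this demo only. A real shared key must be
# generated randomly and protected like an admin credential: anyone holding
# it can approve any elevation request.
DEMO_SHARED_KEY = b"example-shared-key-do-not-use"
CODE_DIGITS = 8


def generate_challenge(n_digits: int = CODE_DIGITS) -> str:
    """Endpoint side: produce the random numeric challenge shown to the user."""
    return f"{secrets.randbelow(10 ** n_digits):0{n_digits}d}"


def response_code(shared_key: bytes, challenge: str,
                  n_digits: int = CODE_DIGITS) -> str:
    """Support desk side: derive the response code for a challenge.

    Assumed construction: HMAC-SHA256 keyed with the shared key, then
    RFC 4226 style dynamic truncation to a fixed number of decimal digits
    so the code can be read out over the phone.
    """
    mac = hmac.new(shared_key, challenge.encode("ascii"), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                       # 0..15, so offset+4 <= 19 < 32
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** n_digits):0{n_digits}d}"


def verify_response(shared_key: bytes, challenge: str, supplied: str,
                    used_challenges: set) -> bool:
    """Endpoint side: accept only if the code matches and the challenge has
    not already been consumed, so a code read out once cannot be replayed."""
    if challenge in used_challenges:
        return False
    expected = response_code(shared_key, challenge)
    # Constant-time comparison; tolerates surrounding whitespace typed by the user.
    if not hmac.compare_digest(expected, supplied.strip()):
        return False
    used_challenges.add(challenge)
    return True


if __name__ == "__main__":
    used = set()
    challenge = generate_challenge()
    print("Challenge shown to user:       ", challenge)
    code = response_code(DEMO_SHARED_KEY, challenge)
    print("Response code from support desk:", code)
    print("Accepted:                      ", verify_response(DEMO_SHARED_KEY, challenge, code, used))
    print("Replay accepted:               ", verify_response(DEMO_SHARED_KEY, challenge, code, used))
```

Two practical points follow from the model. The shared key is the only secret in the exchange, so it needs the same handling as an admin password, and rotating it invalidates every outstanding challenge. The challenge must be single use and tied to the specific request: if the endpoint accepted a stale code, a user could reuse one approval to elevate again later.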