New Feature Highlights - PowerBroker for Windows 7.3

Improve Security with User-Based Rules and Policy

Central Policy, also referred to as BeyondInsight or Web Services Mode, enables customers to manage their PowerBroker for Windows rule set outside of Microsoft Group Policy. Until now this mode only allowed rules to be targeted at assets (computers). PowerBroker for Windows 7.3 adds user-based targeting, in addition to machine-based policy: a policy follows the user onto whatever PowerBroker for Windows-managed device they log into, so companies can better ensure a consistent security model and user experience throughout their networks.

Ensure Consistency of Rules with Triggers Based on PBW Parent

Properly controlling when and how a PowerBroker for Windows rule is executed is critical to any deployment. With PowerBroker for Windows version 7.3, you can control whether or not a rule applies based on whether its parent process is managed by PowerBroker for Windows. As an example, Application Control is a critical part of defense-in-depth security. If you apply a “deny” rule at the folder level, and a PowerBroker for Windows-managed application spawns a child application from that folder, you can suppress the deny rule for that child. The same option also lets you enforce a rule on the initial process and ignore any rule that would otherwise match its descendants. This works well with the Shell or UAC rules, as well as rules based on installers. Keep in mind that suppressing a deny rule for the children of a managed process widens what that process can launch, so scope the parent-based exception to the specific applications that need it.

Improve Efficiency by Elevating Privileges from Trusted Sources

A common use case for PowerBroker for Windows is to elevate all installers or applications from a particular network share. However, when files are moved from their original folders, end users lose the ability to properly execute applications requiring elevated permissions. With PowerBroker for Windows version 7.3, an option is available to track programs that are copied from the original, ‘Trusted’ folder, making it easy for end users to execute elevated applications regardless of the files’ location on the network or local system. In addition to creating rules that track the original, trusted sources of elevated folders, PowerBroker for Windows version 7.3 prevents a rule from applying to applications launched from an untrusted location (e.g. the Web or removable media). This is mostly applicable to the PowerBroker for Windows Shell or UAC rules, to prevent the elevation of unknown software an end user downloaded from the Internet.

Streamline ‘RunAs’ Rules for All Users

PowerBroker for Windows 7.3 now supports the use of environment variables in the ‘RunAs’ field when using PowerBroker Password Safe-managed credentials to launch an application. This removes the need for multiple ‘RunAs’ rules on the same application launched by different people. For example, you may want your users to launch AD Users & Computers or Visual Studio using their respective admin accounts. Previously, you would require as many rules as you had end users you wanted to have this functionality. With PowerBroker for Windows version 7.3, you can create a single rule and use a pattern such as a.%username% or %username%_adm, which assumes a consistent naming convention between each user’s standard account and the Password Safe-managed admin account. This is a very effective method for elevating applications that require remote elevation or, in rare cases, cannot be elevated by a standard PowerBroker for Windows rule, without exposing the credentials being used.

Prioritize Shell Rules Based on Precedence

Prior to PowerBroker for Windows version 7.3, the Shell Rule (the ability for an end user to self-elevate an application) could be placed at any position in a policy with no effect on rule precedence. If the application the Shell Rule was called on had a direct rule, that rule would always apply. With this enhancement, IT admins have the flexibility to give priority to the Shell Rule, or to favor a direct rule on a particular application even if the Shell Rule was used to call it. In other words, the result depends on the order number of the Shell Rule relative to the application’s own rule. For instance, if the Shell Rule is placed at order 1 and the called application also has a direct rule at a higher order number, that application’s rule will still apply. If the Shell Rule’s order number is higher than that of the called application’s rule, the Shell Rule will win. It is still recommended to keep the Shell Rule at a low rule order so that direct rules (including deny rules) continue to apply as intended.

Common Name (CN=) included with Publisher Rules

In PowerBroker for Windows version 7.3, Publisher rules now include the Common Name (CN) of the signing certificate’s subject as part of newly created rules on signed applications. The Common Name can limit the scope of a publisher rule, rather than applying it to every signed file from the organization. For example, ‘CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US’ and ‘CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US’ share the same O, L, S and C values; only the CN differentiates the two. A rule that records the full subject therefore applies to files signed under one of those subjects, whereas a rule keyed on the organization alone would match both.
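To see the scoping difference for yourself before building a rule, the following PowerShell script (an added example, not PowerBroker code) reads the Authenticode signer subject from a signed file with Get-AuthenticodeSignature, splits it into its X.500 attributes, and evaluates two hypothetical publisher rules against it: one keyed on O= only and one that also pins CN=. The file paths, rule tables and the functions Get-SubjectParts and Test-PublisherRule are assumptions for illustration; the two subject strings are the ones quoted above.

```powershell
# Added example (not PowerBroker's own code). Shows why pinning CN= in a
# publisher rule narrows it from "anything signed by this organisation" to
# "files signed under this exact subject". Assumes Windows PowerShell 5.1+
# and signed binaries under $env:SystemRoot.

function Get-SubjectParts {
    param([Parameter(Mandatory)][string]$Subject)
    # Split "CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, ..."
    # into a hashtable keyed by attribute type. Quoted values (which may
    # contain commas) are kept intact by the regex and unquoted afterwards.
    $parts = @{}
    foreach ($m in [regex]::Matches($Subject, '\s*([A-Z]+)=("(?:[^"]|"")*"|[^,]*)')) {
        $parts[$m.Groups[1].Value] = $m.Groups[2].Value.Trim('"')
    }
    return $parts
}

function Test-PublisherRule {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [Parameter(Mandatory)][hashtable]$Rule   # attributes the rule requires, e.g. @{ O = '...' }
    )
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    if ($sig.Status -ne 'Valid') {
        # A missing, broken or untrusted signature must never satisfy a publisher rule.
        return [pscustomobject]@{ File = $FilePath; Subject = $null; Matches = $false; Reason = $sig.Status }
    }
    $subject = Get-SubjectParts -Subject $sig.SignerCertificate.Subject
    # Every attribute the rule names must equal the signer's attribute exactly;
    # attributes the rule does not name are ignored, which is what makes an
    # O-only rule broad and a CN+O rule narrow.
    $ok = $true
    foreach ($k in $Rule.Keys) {
        if ($subject[$k] -ne $Rule[$k]) { $ok = $false; break }
    }
    [pscustomobject]@{ File = $FilePath; Subject = $sig.SignerCertificate.Subject; Matches = $ok; Reason = 'Valid' }
}

# Broad rule: organisation only (pre-7.3 style).
$orgOnly  = @{ O = 'Microsoft Corporation' }
# Narrow rule: CN pinned to the Windows component signer (what 7.3 now records).
$cnPinned = @{ CN = 'Microsoft Windows'; O = 'Microsoft Corporation' }

# Assumed sample inputs: two signed system binaries. Compare the Matches
# column for each rule; any Microsoft-signed file whose subject carries a
# different CN satisfies $orgOnly but not $cnPinned.
$files = @(
    "$env:SystemRoot\System32\notepad.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
)
foreach ($f in $files) {
    Test-PublisherRule -FilePath $f -Rule $orgOnly  | Format-Table File, Subject, Matches, Reason -AutoSize
    Test-PublisherRule -FilePath $f -Rule $cnPinned | Format-Table File, Subject, Matches, Reason -AutoSize
}
```

Run it against the actual binaries you intend to cover by a publisher rule, and against one you do not, before choosing whether the rule should carry the CN. Note that the check above only compares subject attributes; a real publisher rule also depends on the signature validating against a trusted chain, which is why the script refuses anything whose status is not Valid.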

Customer-requested Enhancements

In addition to the above new features, there are several customer-requested fixes and enhancements in PowerBroker for Windows version 7.3. For a full list, or to download the latest version, please visit the customer portal.