The guys at Viewfinity have the right idea (here’s a quote from their website).
One of Viewfinity’s super-powers is to operate users with a least privilege account, then elevate the rights of the applications that require them. Getting to a “least privilege” desktop is definitely a good idea.
But even when least privilege accounts are used everywhere, there’s still a ticking time bomb waiting for you: standard users can still misconfigure the desktop, operating system (Control Panel), key applications (Flash, Acrobat, Java), or any desktop and business applications you have.
PolicyPak can help when you’ve already got Viewfinity Privilege Management in place, ensuring your desktop and applications are truly locked down and secure.
Once you’re managing your machines with Viewfinity Privilege Management, you still have some tough questions left:
A “Least Privilege” solution like Viewfinity isn’t trying to solve these problems.
That’s why there’s PolicyPak.
PolicyPak prevents users from manipulating important settings, but also quietly reapplies misconfigured settings if a user or application happens to work around them.
In short, PolicyPak enhances your Viewfinity investment. And PolicyPak protects your users from themselves.
If you’re ready to go deeper with your desktop security, we’re here for you. Click the Download or Webinar link (or call 800-883-8002) and let us know you’d like a free trial of PolicyPak.
PolicyPak complements Viewfinity Privilege Management Video Transcript
Hi, this is Jeremy Moskowitz, Group Policy MVP and Founder of PolicyPak Software. In this video, I’m going to show you why you need PolicyPak even if you’re already using a privilege management tool like Viewfinity Privilege Management.
First things first, I’m running as a standard user here. You can see I’m running as a guy named “eastsalesuser1.” Let’s run a common application, “Adobe Reader X” here on my machine. Again as a standard user, there’s absolutely nothing preventing this standard user from trying to work around your security settings.
For instance, they can check the checkbox to “Enable Acrobat JavaScript,” which is not good. Because if that’s selected, a bad malformed PDF could be an attack vector against your machine. They can just click that, click “OK” and look at that. You’re less secure.
You can go to “Edit/Preferences…” here again. If we click on the “Security (Enhanced),” if you uncheck “Enable Enhanced Security” once again they can click “OK” and just work around your security settings. Not good.
Finally, they can go to “Edit/Preferences…” and click on “Updater,” by way of example, and you might have it set out of the box to “Do not download or install updates automatically.” But once that’s set, if a user tries to click on, say, “Automatically install updates” – that might be something you want to do – when they click “OK” here, they get prompted with the UAC “User Account Control” prompt.
Let’s do the PolicyPak magic first, and then we’ll add on the Viewfinity magic second. What we want to do first is we want to go to our Group Policy editor and against our “East Sales Users” we’re going to “Create a GPO in this domain, and Link it here…” We’ll call this “Manage Acrobat Reader using Group Policy and PolicyPak.”
We’ll right click, click “Edit…” here. Let’s ensure that those security settings are going to be guaranteed and not worked around. We’re going to go to “PolicyPak/Applications/New/Application.” You can see we’ve got a handful of applications already ready to go right on the PolicyPak website. Nothing that you need to do, they’re just going to work right out of the box. Here’s “PolicyPak for Adobe Reader X.” We’ll go ahead and click on it.
The settings we want first are “JavaScript.” We want to make sure that checkmark is unchecked and also disabled. So we’re going to “Disable corresponding control in target application.”
We’ll also use PolicyPak for the “Security (Enhanced).” We want to ensure that “Enable Enhanced Security” is enabled. If they try to uncheck it, it’s going to be checked. But while we’re here, we’re also going to “Disable corresponding control in target application.” Once again, make it so that a user can’t work around it.
Let’s go over to “Updater.” On that particular machine, that machine is set to “Do not download or install updates automatically.” Maybe you want to have a corporate mandate for “Automatically download updates, but let me choose when to install them.” Alright, that’s cool. Let’s go ahead and click “OK” here. Once we’ve done that, we’ve locked and loaded that into the directive.
We’ll go back to our machine, run “gpupdate” to get the latest, greatest settings that we just did from Group Policy. Again, if you change work stations, you’ve logged off or logged back on, if you got a new laptop, a new VDI session, anything like that, you would get these settings.
Once this is all set, let’s go ahead, and again so far just the PolicyPak magic. Let’s go ahead and run “Adobe Reader X” here. If we go to “Edit/Preferences…,” we’ll go to “JavaScript” first here. You can see we’ve delivered the uncheck. We’re delivering a setting of uncheck, and we’ve locked that down so there’s nothing a user can possibly do to work around that.
If we go to the “Security (Enhanced),” we’ve delivered the checkbox and there’s no way for a user to work around that. Now if we go to “Updater,” you can see we’ve set the middle item here to “Automatically download updates, but let me choose when to install them.” Again, this happened underneath the hood even though the user is logged on as a standard user.
As this standard user, if they want to “Do not download or install updates automatically” and click “OK” what happens? Well, they get the UAC prompt. Well, this is a perfect opportunity for a tool like Viewfinity Privilege Management, a privilege management style tool, to help you in just this scenario.
Before I got started on this demonstration, I actually created a Group Policy Object using the Viewfinity Privilege Management tool specifically for Acrobat Reader. I’ll just go ahead and show you quickly what that looks like here.
If I click “Edit…” here and I dive down under user side “Policies/ViewfinityPrivilegeManagement/Application Groups,” I’ve got an application group already set up with “Acrobat Reader.” I’ve got the privilege set up ready to go for that particular application. There’s a policy against that application group. It’s pretty easy to set up.
All I’m going to do, I’m going to take that GPO that I’ve pre-created for this demo and link it over to the “East Sales Users.” Now we’ve got the one-two combination. On the one hand, we’re delivering the application settings and locking things down using Group Policy and PolicyPak. On the other hand now, we’re using Viewfinity Privilege Management to specifically allow Acrobat Reader to run in elevated privileges.
Let’s go ahead and run “gpupdate.” The next time Acrobat Reader runs, we’ll see Viewfinity, which is right here in the bottom right here, turn on and demonstrate that the application is running with admin rights.
Let’s go ahead and run that now, and there we go. Acrobat Reader is launched with elevated privileges. That means if you go to “Edit/Preferences…,” let’s go back to “JavaScript” first. Notice even though we’re running with elevated privileges, there’s still no way to work around the PolicyPak settings that we’ve delivered. That’s very, very important. If you’ve got elevated privileges, there are probably some areas you don’t want those elevated users to get to or those elevated applications to get to.
But let’s talk about “Updater.” Before when we changed this from any of these settings to, say, “Do not download or install updates automatically” and click “OK,” we used to get the UAC prompt. Now what happens when you’ve got Viewfinity Privilege Management, or any privilege management style tool installed, you click “OK” and that problem goes away. You can see that the Viewfinity popup box is launched, and you can see it did its magic. Excellent.
That is the first better together story. I’d love to share another better together story with you right here. Let me go ahead and show you this thing called “Region and Language” options. I’m just running again as a standard user. My name is “eastsalesuser1.”
You can see in this application here, there are a lot of things for a user to possibly mess up, make changes, do things they probably shouldn’t do. That’s the point of what PolicyPak does, deliver settings into applications and lock down the UI so users can’t work around it.
But inside this particular application, you can see there are also these buttons that have the UAC prompt on them. For instance, here’s “Install/uninstall languages…” and here is “Copy settings…” and “Change system locale…” Well, what do you think happens right now if I click on the “Copy settings…” button with the UAC prompt? Well, you’re going to click it and get a UAC prompt. Exactly.
So let’s do the same thing we did before, like a one-two punch. We’ll deliver important settings using PolicyPak. Like maybe we’ll change the “First day of week” from “Sunday” to “Tuesday,” which I know is weird, but we’ll do that anyway for demonstration.
We’ll also lock some things down and get rid of this “Additional settings…” button here too. Maybe this “Additional settings…” is too much for people to handle something like that. While we’re here, we’ll also use the Viewfinity Privilege Management tool to run in elevated rights and then enable us to use these UAC prompt items.
Let’s go ahead and go back here. I’ll “Create a GPO in this domain, and Link it here…” against my “East Sales Users” called “Manage Regional and Lang using Group Policy and PolicyPak.”
We’ll right click. We’ll click “Edit…” here. Now this particular PolicyPak is not one that you can download from us right now. But it took me a whole three minutes to create using our free PolicyPak Design Studio. If you haven’t seen the videos on how to create your own PolicyPaks using the Design Studio, you can go ahead and see that in the page for the PolicyPak professional product.
Let’s go ahead and change this “First day of week” to “Tuesday.” We’ll also right click and “Disable corresponding control in target application.” We’re going to lock it down to Tuesday.
While we’re here, for “Additional settings…,” remember all those additional settings that the user might screw up? We can right click and “Hide corresponding control in target application,” literally remove the button entirely so a user can’t work around it.
Let’s click on those other options here like “Install/uninstall languages…” If that’s too confusing for your users to handle, you can once again right click and rip the knob off by selecting “Hide corresponding control in target application.”
If we go over to these other guys, “Copy settings…” and “Change system locale…,” we’ll leave those there and let a user go ahead and use those with their elevated rights. We’ll go ahead and click “OK” here.
We’ll close this out. I once again created a “_Viewfinity Privilege Management Rule for Region and Language” just for this demonstration. Let me show you how I did that. It was really easy. Under “Policies/ViewfinityPrivilegeManagement/Policies” there’s actually a pre-created rule that you can utilize for this from Viewfinity called “Region and Language.” It was super easy to set up.
Now that that’s done, I’m going to go ahead and drag and drop that over to my “East Sales Users.” Now we’ve got a one-two punch at the same time. The first thing that’s going to happen is that we’re going to be delivering the settings using PolicyPak. We’re setting the thing to Tuesday. We’re locking out some UI elements. Then we’re going to have Viewfinity Privilege Management come along and enable the elevated rights for that application.
Let’s go ahead and run “gpupdate” here and get those new directives from Group Policy. Again, you could have logged off or logged back on, or gotten a new machine, or started a new VDI or terminal server session. Any of these things is fine, because any Group Policy thing works as if it’s part of the operating system.
Let’s go ahead and run “Region and Language” here, and there we go. “First day of week” is now locked down to “Tuesday.” Remember that button that said “Additional settings…”? Well, that’s gone now.
Look at that. You can see Viewfinity has launched Region and Language with elevated privileges. I’ll just move those closer together so you can see that. Now PolicyPak has done its thing. We’ve delivered the first day of the week as Tuesday. We’ve removed the UI elements here.
Let’s go over to “Keyboards and Languages.” Look at that. PolicyPak has also literally removed the UI element again so users can’t be tempted to do things they shouldn’t do. Even with admin privileges, PolicyPak keeps on working.
If we go to “Administrative” here, there are two UAC prompts. But because Viewfinity Privilege Management tool is running now and elevating the application, if I click on a button with a UAC prompt, no more UAC prompt. Viewfinity Privilege Management has done exactly what it promises to do.
I hope this makes sense to you. When you’re ready to test out PolicyPak, we are here for you. Just click on the big old download button on the right or the “Webinar” button, or just pick up the phone and make contact. We’re here for you.
That’s it. Remember, with PolicyPak, what you set is what they get. Thank you very much. We’ll talk to you soon.