PolicyPak bolsters ScriptLogic Privilege Authority

ScriptLogic / Quest Privilege Authority customers really only have HALF the solution they need to manage and control their applications and be truly locked down. ScriptLogic / Quest Privilege Authority does a great job with handling the privilege management part. But even running as a STANDARD USER, that user can mess up and modify their settings, causing headaches and working around your set security policies. With PolicyPak, the lockdown cycle is complete. ScriptLogic / Quest Privilege Authority enables you to run your applications with STANDARD USER rights, and PolicyPak enables you to guarantee those settings to the user and lock those settings down — even when the user goes offline or tries to work around your settings. Check out this video to see how ScriptLogic / Quest Privilege Authority and PolicyPak fit together perfectly.

Bolsters Script Logic

Hi, this is Jeremy Moskowitz, Group Policy MVP and Founder of PolicyPak Software. In this video, we’re going to talk about if you’ve got ScriptLogic’s Privilege Authority, either the free version or the pay version, that you’re not quite as secure as you could be. I’m going to show you the better together story with PolicyPak and ScriptLogic’s Privilege Authority.

Let’s just get started right away. I’m logged in right now as a standard user. His name is “eastsalesuser3.” There’s no Privilege Authority magic turned on at this point. I’m just going to go ahead and run “Adobe Reader X.” If I go ahead and go to “Edit/Preferences…” here, there are a lot of settings here that a standard user can change that will negatively impact security.

For instance, if a user has this checkbox checked of “Enable Acrobat JavaScript,” that actually could be an attack vector for the bad guys to use on this system. Sure it would be great if you could tell all the users to uncheck that checkbox, but how could you be sure? That’s exactly what we’re going to deliver first using PolicyPak.

Second thing we want to do is to talk about “Security (Enhanced).” Again, if they uncheck this checkbox here, that puts you in a bad place. There’s absolutely nothing saying that a user can’t click “OK” and say yes, and that’s it. You’ve now negatively impacted your security just like that. Again, that’s a standard user doing that.

If you go to “Edit/Preferences…” if we click on “Updater,” you might want to set the Updater properties for one population to “Automatically install updates” and another set of the population to “Do not download or install updates automatically.” But there’s really no way to enable the user to do both. I’m going to show you how to do that.

The default here that I have for this demonstration is that it’s set to “Automatically install updates.” If I set it to “Do not download or install updates automatically” and click “OK,” I get thrown a big UAC – “User Account Control” – box in my face. That’s not a very pleasant experience for the user if you want to enable them to change that setting.

The better together story is that PolicyPak can deliver the settings inside the application and also prevent users from changing things. But the ScriptLogic Privilege Authority part of it enables the UAC prompts to go away because you’re injecting the correct privilege to the right process.

Let’s go ahead and see that here. Let’s go right to my Group Policy editor here. Against my “East Sales Users” I’m going to “Create a GPO in this domain, and Link it here…” I’m going to call it “Manage Acrobat with PolicyPak.” I’m going to right click, click “Edit…” here, and we’re just doing the PolicyPak magic on this part first.

We’ll dive down under “PolicyPak/Applications/New/Application.” The three I’ve got locked and loaded for this particular demonstration right now is “PolicyPak for Mozilla Firefox,” “PolicyPak for WinZip 14 and 15” and “PolicyPak for Foxit Reader 3.0,” which are not the ones I wanted.

Let me go ahead and add the additional ones. I’ve got those hanging out here under my “PreConfigured PolicyPaks.” What we’ll do here is I’ll just – there they are. There’s my big list. We have a lot of preconfigured PolicyPaks on the website. What we’re going to do is throw these into the “PolicyPak/Extensions” folder on our machine here.

Let’s see, for this demonstration I want to do “Acrobat 10,” so that’s “pp-Acrobat-Reader-x.dll.” We’re also going to talk about “Flash,” talk about “pp-Flash.dll” next here. There’s another Pak that I want to do a little later with region and language options, so I’ll go ahead and “Move here” “pp-region-and-language-win7.dll.”

Now I’ve locked and loaded the PolicyPak preconfigured Paks I’m going to use for this demonstration. Let me go ahead and re-“Edit…” that Group Policy Object here. Under “PolicyPak/Applications/New/Application,” and there’s “PolicyPak for Acrobat Reader X” just like we wanted to. There’s “PolicyPak for Firefox” and “PolicyPak for Flash Player,” and there’s “PolicyPak for Region and Language.” We’re going to use those guys a little later.

I’ll click on “Acrobat Reader X” for now. We’re just delivering PolicyPak settings. Let’s go right for “JavaScript” and we’re going to uncheck “Enable Acrobat JavaScript.” Now we can deliver that setting, but it’s much more interesting if we can right click and – check this out – “Disable corresponding control in target application.” PolicyPak can deliver the check or uncheck and also gray out the UI so the user can’t screw it up. So we’re literally going to change the UI.

Let’s go over to “Security (Enhanced).” If the user has unchecked that checkbox, we want to recheck the checkbox. We’re going to guarantee that checkbox is always checked. While we’re here, we’ll also “Disable corresponding control in target application.”

Let’s go to “Updater” as well. For these East Sales Users, let’s change the default for them from “Automatically install updates” to “Do not download or install updates automatically.” We’ll go ahead and do that and click “OK.” Again, all we’ve done so far is just PolicyPak magic.

We’ll go ahead and run “gpupdate” on our client machine here. While you’re waiting for GPUpdate, remember you could be logging off and logging back on. You could be changing machines. You could get a new VDI session or a new terminal server session or changing job roles. Anything where Group Policy refreshes, that’s when the settings get applied.

We’ll go ahead and rerun “Acrobat Reader X” here. Go to “Edit/Preferences…” and we’ll jump right to the “JavaScript” one here. Look what we did. We unchecked that checkbox, and we’re guaranteeing that setting. And look, we’ve grayed out the UI so a user can’t possibly screw that up. How cool is that?

We’ll dive down under “Security (Enhanced),” and we’ve guaranteed that checkbox. Before we left, the user had unchecked that checkbox. Now we’re guaranteeing that on.

Now let’s finish up by talking about “Updater.” Cool. We’ve changed the setting for Updater. We’re guaranteeing that it’s “Do not download or install updates automatically.” But what if you want the users in this particular OU or whatever to be able to do that? If they click on “Automatically install updates” and click “OK,” big old UAC prompt right in our face.

This is where ScriptLogic’s Privilege Authority is going to help out. So far just the PolicyPak stuff. Now we’re going to bring on the Privilege Authority stuff. Privilege Authority has its own console to manage its own rules. I’ve pre-created three rules into three different GPOs to accelerate our little demonstration here. I’ve got a rule “_PAUTH Allow Acrobat Reader to Update.” I’ve got another one later for “_PAUTH Allow Flash to Update.” I have a third one later for “_PAUTH Allow Region and Lang Settings UAC Bypass.”

I’ve already done the work inside Privilege Authority. I’ve created the Group Policy Objects here. What I’m going to do for Acrobat Reader, I’m simply going to drag and drop the pre-created GPO that I’ve got from Privilege Authority to allow Acrobat Reader to update. I’ve got the PolicyPak one here; I’ve got the Privilege Authority one here. It doesn’t matter really what order they’re in.

Now back on our user station we can run “gpupdate” again. We could log off or log back on, get a new machine, start a new VDI session. Anything like that will prompt Group Policy to refresh.

As soon as Group Policy is done refreshing, we can rerun “Adobe Acrobat X.” Let’s go ahead and do that now. Dive down under “Edit/Preferences…” and not a whole lot changes. But again just to be super clear, PolicyPak is delivering the settings here. It’s delivering the security settings there. It’s delivering the security settings under “Security (Enhanced).”

Now for “Updater,” here’s where the better together story comes in when you’ve got ScriptLogic Privilege Authority working with you here. If a user now clicks on “Automatically install updates,” no more UAC prompt. We’ve eliminated the UAC prompt.

It’s great if you’ve got a privilege management tool like ScriptLogic Privilege Authority. It really helps to allow the user to run as a standard user while minimizing the UAC prompts. But it just doesn’t have anything to do with dealing with the critical security settings within the application.

Let’s do another one just for fun. Let’s go ahead and close that out. What I’m going to do is let’s talk about Flash Player. Let me show you a very interesting website called “www.testmycam.com.” Now this is very interesting. This uses the Flash Player, and a regular user – I’m not an admin at this point, I’m just “eastsalesuser3” – a regular user at this point could just click “Allow” and bingo. You’re on camera. Here I am making this video right now looking right at you.

Here’s the story. You do not want a regular user to be able to do things like this. You want to be able to manage where a user can and can’t do things like this. The problem is that there’s nothing like that in Flash Player. If your user is able to click OK and now they’re using a web cam like this where the microphone is surreptitiously turned on, you don’t want those corporate secrets to walk out the door. That’s exactly what PolicyPak helps to fix.

Not to mention if you right click over and go to “Settings” or “Global Settings…” here, there are a whole lot of things that a user can click on that are really confusing and probably you don’t want them clicking on at all.

For instance, you may not want Flash Player to “Check for updates automatically.” Here is where you would set that, but you don’t want to run around to every desktop to make that magic happen.

Meanwhile, “Camera and Mic,” sure it’s great if you could teach one user to “Block all sites from using the camera and microphone.” It’s yet another thing to deliver the setting and lock it down so a user can’t possibly work around it.

Let’s go ahead and use PolicyPak to do just that. I’ll go ahead and switch gears back over to my management station. I’ll “Create a GPO” called “Manage Flash with PolicyPak.”

I’ll now right click over, go to “Edit…” here. We’ll dive down under “PolicyPak/Applications/New/Application,” and there’s “PolicyPak for Flash Player.” Now PolicyPak is way, way more than an ADM template. We are not an ADM template actually. We are a true application management system.

If we want to “Block all sites from using the camera and microphone,” that’s great. We can deploy that setting and also right click and “Disable corresponding control in target application,” literally gray out those radio buttons so a user can’t mess that setting up. We can also for this whole “Camera and Microphone Settings by Site…” we can also “Disable corresponding control in target application.”

Let’s go over to “Advanced” where we can force it to “Never check for updates.” Even though it’s not recommended, it’s not recommended by Flash. The idea is that if you have a corporate way to deploy Flash for updates, then it is recommended to never check for updates.

However, like I said, if there are instances where you want a user population to be able to download and install their own Flash updates without getting prompted, that is where the better together story, as we’re going to see with ScriptLogic Privilege Authority, is coming right around the bend.

We’ll leave the “Check Now” button, but this other thing – this “Trusted Location Settings…” – actually kind of a little scary. That can let a user bypass everything and act as an administrator. We’re going to “Disable corresponding control in target application.” Actually, let’s just hide the whole button altogether. That’s even more fun, “Hide corresponding control in target application.”

Under “Playback,” we’ll leave it the way it is, but we can “Disable whole tab in target application.” We’ve done all that stuff. We’re just doing PolicyPak magic for starters. We’ll go ahead and click “OK” here.

Now what we’ll do is on our client machine here, we will simply run “gpupdate.” When we run GPUpdate, we’re getting the settings from PolicyPak through Group Policy to deliver those settings that we said and also lock down the UI so a user can’t possibly change it. OK, that’s done.

Let’s go ahead and rerun that web page “www.testmycam.com,” and look at that. No camera. That’s the whole point. We’ve actually delivered the setting and locked it down so a user can’t work around it. If they go back to “Global Settings…” here, even as a standard user it looks like they can change some of the settings. Well, if we’re not dictating them through PolicyPak, they are changeable.

So if a user would like to do these things, they can do that but not, for instance, this “Camera and Mic” item where what we are doing – I know it doesn’t look like it because the UI doesn’t show that we are – but it’s clear that we are in fact “Block all sites from using the camera and microphone” because otherwise you would see my picture here again but you don’t. It’s grayed out. That’s PolicyPak delivering the setting and locking the UI out so a user can’t work around it.

Look, this button’s grayed out too. PolicyPak did that. PolicyPak also delivered a gray tab for “Playback.” Let’s go to “Advanced.” Oh, you know what I forgot to do? I forgot to right click and set it so that a user can’t change this setting. Let’s go ahead and do that, because that’s kind of fun. Let me just go ahead and do that. I forgot to do that. Let’s go ahead and do that.

We’ll go to “Advanced,” right click over that and “Disable corresponding control in target application.” We’re going to make sure that they can’t change this “Updater” button here. We’ll go ahead and go over there. We’ll rerun “gpupdate.” My bad. I meant to do that earlier. OK, that’s done.

Let’s go ahead and rerun “www.testmycam.com.” There we go. Right click, go to “Global Settings…” Yep, I’m just a standard user. Go ahead and click on “Advanced.” Look at that. We’re delivering graying out of that radio button. Underneath the hood, it really is set to “Never check for updates.” Even though the UI doesn’t quite show that, it really is.

But we’ve left that “Check Now” button. Now for regular users, that could be kind of confusing. In fact, if they click “Check Now” and they go to download the latest version of Flash. Let’s go ahead and do that as a user. Let’s play pretend and download this as a regular user.

We’ll click “Download now” and we’ll “Save” it first. I know there are a bunch of different ways you can possibly do this. I’m just showing you one example here. As you expected, you get a UAC prompt because as a regular standard user, you don’t have rights to do that.

Let’s assume you wanted to grant rights to the user to make that change. How would you do that? Well, PolicyPak doesn’t do that. PolicyPak delivers all those settings we just talked about. What we are going to do is I created in advance a Privilege Authority rule called “_PAUTH Allow Flash to Update.” I’ve already created that one.

I’m going to take that Privilege Authority rule here, “_PAUTH Allow Flash to Update,” I’m going to link it over to my East Sales Users. That’s it. Now what I’m going to do is I’m going to run “gpupdate” here. It will be downloading the Privilege Authority rule that we’ve linked over to the Group Policy Object. It’s going to go ahead and download it. As soon as it’s done, we can try to rerun it.

In fact, while that’s working, I can go and “View Downloads.” There it is. There’s my “install_flashplay…exe.” Now that Group Policy’s done, before when I clicked “Run” I got a UAC prompt in my face. Now when I click run, what do we get? It’s bypassed, exactly what we expected. I’m going to go ahead and quit that here. We don’t need that. We’ll go ahead and say “YES” we’re done with that.

Alright, I’m going to close out all these windows. We’ve got one more better together story that I want to cover, which is let’s talk about a standard application that a user might use. I don’t happen to have one that I’m particularly fond of, so I’ve decided to do this demonstration using the “Region and Language” options that are in Windows 7.

First and foremost, there’s a lot of stuff that a user can do wrong to possibly screw things up here. There might be some corporate settings that you want to guarantee for a certain collection of users. Like what’s the “First day of week” for my East Sales Users? Well, maybe it’s not “Sunday.” Maybe it’s “Tuesday.” What happens if they change it and it’s the wrong thing?

Well long story short, again PolicyPak’s job is to deliver the settings and lock things down. But then a tool like ScriptLogic’s Privilege Authority is going to help you whenever you have applications that have these scary old UAC prompts. What happens if we click on one of these UAC buttons? We get a UAC prompt as you might expect. Same thing with these other two guys here, “Copy settings…” and “Change system locale…” As soon as you go ahead and click on any of these buttons here, you get the big old UAC prompt in your face.

Now that’s not what PolicyPak does. PolicyPak’s job is to help deliver the settings and guarantee them locked down. Let’s go ahead and do both in one shot. Back over on our management station, I actually already have a rule with Privilege Authority set up. I’ll switch back here to my management console, and I will go ahead and link that one first, “_PAUTH Allow Region and Lang Settings UAC Bypass.” I’ve already got that GPO set up.

I’ll “Create a GPO” called “Manage Lang and Reg options using PolicyPak.” I’ve got the Privilege Authority rule set up already for the UAC bypass part, and now I’m going to manage the regional options using PolicyPak. I’ll dive down under “PolicyPak/Applications/New/Application” and we’ll go ahead and pick “PolicyPak for Region and Language.” I created this Pak using our free PolicyPak Design Studio. It took about five whole minutes to do.

I’ll go ahead and configure this and make that “First day of week” “Tuesday” like we talked about. I’ll right click and “Disable corresponding control in target application.”

That “Additional settings…” button that’s here for users, maybe that’s too much for them to handle. We can right click and “Disable corresponding control in target application.” Actually rather “Hide corresponding control in target application.” That’s what I want to do, literally rip the button right off the page there. I’ll hide that.

Let’s see, for any of these other ones here, maybe for “Location” we’ll right click and “Disable whole tab in target application” as well, just for fun. But we’ll leave everything else the way it is, because as we know this guy and this guy and this other guy here all have UAC prompts on them.

But maybe it is too much for a user to handle this “Install/uninstall languages” thing. We can, again, “Disable corresponding control in target application.” We’ll go ahead and click “OK.”

Let’s make sure we’ve got it straight. We’re delivering the settings and locking things down using PolicyPak, but we’re also using Privilege Authority to allow Region and Language settings UAC bypass.

Let’s go ahead and run “gpupdate” here. Again, we could just wait for Group Policy to kick in, or we could log off and log back on and get these settings. That’s the best part about being part of the operating system. Whatever technology you’re using for desktops or laptops or VDI just happens to work awesome, because Group Policy is part of the operating system.

As soon as this is done, we can go ahead and run “Region and Language” options here. Let’s see the PolicyPak stuff work first. There we go. We’re delivering “First day of week” is locked into “Tuesday.”

Look at that. We’ve locked the “Location” down. The tab there is locked down. The button that was there for “Additional settings…” just ripped right off the page. PolicyPak does that.

If we go to the other UAC prompts here, well, look what we did here. PolicyPak also, even though this Region and Language options is now running as an administrator, we’re now able to gray out settings so even administrators can’t run that tool. That’s pretty high-tech stuff.

If we click on any of these UAC prompt buttons here, well, if we’ve got the Privilege Authority rule set up in place and it’s linked to the right place, the next time we click on one of these buttons what should happen? No more UAC prompt, exactly right. That’s the whole point.

I think you’ve got it together. The better together story should be super clear now. PolicyPak’s job, deliver settings, lock them down, because if the application is important enough to deploy and use, it’s important enough to manage.

A tool like ScriptLogic Privilege Authority and other privilege management tools, their job is to help you run your users as a standard user. Like I said, this guy “eastsalesuser3” is just a standard user. But if you have a UAC prompt and you want them to be able to bypass it, that is what a Privilege Authority style tool will do for you.

If you’re ready to deliver your settings using PolicyPak and truly lock stuff down, we are ready for you. Just go ahead and make contact with us on our web page by clicking on the big old download button or the webinar button on our web page, or just pick up the phone and make contact. We’ll give you the bits, and you’ll be up and running in PolicyPak in really under 10 minutes, I promise.

So with that in mind, thanks so much. Remember with PolicyPak, what you set is what they get. Thanks so much. Take care.

 
