Contributor:
Mark Austin
May 12th, 2011

Privilege Guard 2.7 and Enhanced UAC Integration

Privilege Guard (Edit: now Defendpoint) first introduced UAC (User Account Control) integration in version 2.5, which enables rules to be defined that trigger when an application requires administrator privileges in order to run. Further enhancements to the UAC rule in version 2.7 now allow you to elevate applications that may trigger UAC after the application has already launched. For instance, disk defragmenter and task manager are two applications that launch with standard user rights and only trigger UAC when the user attempts to perform an operation that requires administrator privileges.

The rules in Privilege Guard are extremely flexible and can be used to elevate specific applications that trigger UAC or elevate all applications that trigger UAC. For instance, the screenshot below shows an application definition that will only fire when task manager attempts to launch with UAC.

Privilege Guard Task Manager Elevated

To capture all applications you would simply change the file name to *.exe and remove the publisher rule. Leaving the publisher rule in place would allow all operating system applications that trigger UAC to be elevated. Privilege Guard’s integration with Windows security catalogs enables the publisher rule to be used for operating system files, which are not signed directly by Microsoft. This topic was covered in a previous post.
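Before writing a file-name or publisher rule it helps to know two things about a binary: whether its manifest asks for elevation at launch or, like task manager and disk defragmenter above, only triggers UAC later, and whether its publisher can be verified from an embedded signature or only through a Windows security catalog. The following PowerShell is an added example written for this post, not Privilege Guard or Avecto code; the function name, the manifest text search (a heuristic that reads the embedded RT_MANIFEST as plain text) and the sample paths are assumptions, while Get-AuthenticodeSignature and its SignatureType property (PowerShell 5.0 and later) are standard.

```powershell
# Added example, not part of the original post or product. Reports, per executable,
# how its manifest requests privileges and how its publisher can be verified, which
# is the information an administrator needs when shaping a UAC elevation rule.
function Get-UacRuleFacts {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($file in $Path) {
        $item = Get-Item -LiteralPath $file -ErrorAction Stop

        # Publisher check. SignatureType is 'Authenticode' for an embedded signature,
        # 'Catalog' when only a Windows security catalog vouches for the file hash
        # (typical for operating system binaries), and 'None' when unsigned.
        $sig = Get-AuthenticodeSignature -FilePath $item.FullName
        $publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

        # Heuristic manifest read: the RT_MANIFEST resource is stored as plain XML text,
        # so a raw ASCII scan of the file finds requestedExecutionLevel without a PE parser.
        $text  = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($item.FullName))
        $match = [regex]::Match($text, 'requestedExecutionLevel[^>]*?level\s*=\s*["'']([A-Za-z]+)["'']')
        $level = if ($match.Success) { $match.Groups[1].Value } else { 'asInvoker (no manifest entry)' }

        # asInvoker binaries start as the standard user and only hit UAC when the user
        # performs an elevating action, so a rule for them must fire after launch.
        $trigger = switch -Regex ($level) {
            '^requireAdministrator$' { 'UAC at launch' }
            '^highestAvailable$'     { 'UAC at launch for admin users; none for standard users' }
            default                  { 'UAC only when an elevating operation is attempted' }
        }

        [pscustomobject]@{
            Path            = $item.FullName
            SignatureStatus = $sig.Status
            SignatureType   = $sig.SignatureType
            Publisher       = $publisher
            ExecutionLevel  = $level
            UacTrigger      = $trigger
        }
    }
}

# Sample paths are assumptions; substitute the binaries you intend to write rules for.
Get-UacRuleFacts -Path "$env:windir\System32\taskmgr.exe", "$env:windir\System32\dfrgui.exe" |
    Format-List
```

A file whose SignatureType is Catalog is exactly the case the post describes: a publisher rule for it only works when the product understands security catalogs.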

Privilege Guard can optionally prompt the user before elevating or running an application. In many situations you may want an application to elevate silently, without notifying the user. However, when the user is making a conscious decision to elevate an application it is often a good idea to prompt the user first. The screenshot below shows a policy that has been defined to elevate task manager when it triggers UAC.

UAC Policy

In this example the task manager application has been added to an application group named All Signed UAC Apps. This would allow you to show a different prompt for signed and unsigned applications, as you may want the warning to be more severe for unsigned applications. You may even decide that a user is not allowed to elevate unsigned applications and instead show the user a blocking message, which will prevent the application from launching.

The policy we have defined in this example will not elevate task manager until the user triggers a feature in task manager that requires administrator privileges, such as clicking the Show processes from all users button. When the user attempts to access an administrator feature in task manager then they will first be prompted with a message, as shown below. You may fully customize this message and even replace the banner with a corporate image. All of the text in the message is configurable, including full multi-lingual support. You may optionally ask the user for a reason or force them to re-authenticate, which have both been included in the example message below.

UAC Replacement Message

The UAC rule is an extremely effective way of configuring specific or generic rules that only trigger elevation when an application requires administrator privileges. This effectively replaces UAC with a more flexible solution that is configured and managed centrally through policy, without giving the user access to a local administrator account. Combined with the end user messaging capabilities in Privilege Guard, the UAC rule can be used in a wide range of scenarios to elevate, block or monitor access to privileged applications and tasks on Windows 7 (or any other Windows operating system that supports UAC).

Introducing Defendpoint

Edit: Privilege Guard has now evolved into the brand new security suite, Defendpoint, which encompasses Privilege Management, Application Control and Sandboxing. For more information, please visit www.avecto.com/defendpoint.
