Using AppSense User Rights Management and Web Installations

Posted by HTG

Enabling your users to get their jobs done without unnecessary disruption is one of the major drivers behind most of the AppSense Management Suite. But sometimes users need to do things that would require administrative rights. However, as we all know by now, giving administrative rights to users is a serious no-no if you care in any way about the integrity of your environment. AppSense Application Manager, though, can let you elevate (or de-elevate) user rights on the fly, so that your users have administrative rights only for certain tasks that you define. User Rights Management provides a granular approach to delegating administrative rights to users and applications by assigning rights according to merit. This level of control can be deployed to elevate or restrict privileges on a case-by-case basis, according to the approach preferred in the environment.

In order to demonstrate how the User Rights elevation works we will also delve into another feature of Application Manager called Web Installations. A number of web-based plugins or controls require the end user to have administrative rights in order to install the various components and add-ons into the browser of choice. Examples include an ActiveX control such as Adobe Flash Player or a web download such as Microsoft Silverlight. When a standard user attempts to download and install these, the User Account Control (UAC) dialog (if UAC is enabled) is displayed, requesting an administrative password. If UAC is not enabled, the installation will simply fail.

First we will need to actually create a policy to elevate the user to administrator.

  1. Right-click the Library | User Rights Policies node and select Add Policy.
  2. Right-click the new policy beneath the User Rights Policies node and select Rename.
  3. Enter an intuitive name for the policy, for example, Elevate standard user to administrator.
  4. Right-click within the Group Membership tab work area and select Add Group Action.
  5. Enter the name of the Administrators user group or use the Browse button to navigate to the group account.
  6. Click Add.
  7. Ensure Add Membership is selected in the Action column. If you wished to remove membership from a group, you would use the Drop Membership option.

Now you can use this elevation policy wherever required to elevate users’ rights temporarily. Any rule you configure has a User Rights tab where this can be used in a variety of ways. Have a look – you’ll find a huge variety of things that can be done, which we will cover in future posts in a bit more detail.

Now let’s have a quick look at one of these features in particular, the Web Installation part. Generally, you use the Web Installation tab to allow elevation for ActiveX installers from a particular domain. You can put together a straightforward configuration where you simply enter the name of the domain only, or get more advanced by specifying the CAB file (the Microsoft compressed archive format), class ID and minimum/maximum version numbers. It is good practice to only allow signed controls from the domain.

To create a simple Web Installation to allow the install of the Adobe Flash Player plugin:

  1. Select the User Rights node for a particular group, for example, the Everyone group.
  2. Select the Web Installations tab.
  3. Right-click within the work area and select Add Web Installation. The Add new Web Installation dialog displays.
  4. Enter a name for the Web Installation in the Name field, for example, Adobe Flash.
  5. Enter the URL in the Website URL field. For example, adobe.com, to allow installations from all of adobe.com.
  6. Ensure the Only allow signed controls option is selected.
  7. Click Add.
  8. Ensure the default Builtin Elevate policy is selected in the User Rights Policy column.
  9. Save and deploy the configuration.

Now, the above example is quite simple, but in reality there’s a lot more to consider for Web Installations. Quite a few other configurable items need to be considered. For example, for an ActiveX installation you would need to allow the ActiveX file to run, and any executables that the control calls. You need to consider Process Rules, Trusted Vendors, any Digital Certificates, Accessible Items, Elevated items, and so on.
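
Before adding a Web Installation or Trusted Vendor entry for a control, it helps to confirm what the downloaded package is actually signed with. The following is an added example, not part of the original post or of AppSense: it uses PowerShell's built-in `Get-AuthenticodeSignature`, and the function name, staging path and thumbprint are hypothetical placeholders.

```powershell
# Added example: report the Authenticode signer of downloaded control packages
# and flag anything unsigned, invalid, or signed by an unexpected certificate.
# Test-ControlSignature is a hypothetical helper, not an AppSense cmdlet.
function Test-ControlSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]] $Path,

        # Thumbprints of signer certificates you have already reviewed and accept
        [string[]] $ExpectedThumbprint = @()
    )
    process {
        foreach ($file in $Path) {
            $sig  = Get-AuthenticodeSignature -FilePath $file
            $cert = $sig.SignerCertificate

            # Decide what to do with the file based on signature state and signer
            $verdict =
                if ($sig.Status -ne 'Valid') {
                    "Reject: signature status is $($sig.Status)"
                } elseif ($ExpectedThumbprint.Count -eq 0) {
                    'Review: valid signature, signer not yet approved'
                } elseif ($ExpectedThumbprint -contains $cert.Thumbprint) {
                    'OK: valid signature from an approved signer'
                } else {
                    'Reject: valid signature from an unexpected signer'
                }

            [pscustomobject]@{
                File        = $file
                Status      = $sig.Status
                Subject     = if ($cert) { $cert.Subject }    else { $null }
                Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
                NotAfter    = if ($cert) { $cert.NotAfter }   else { $null }
                Timestamped = [bool]$sig.TimeStamperCertificate
                Verdict     = $verdict
            }
        }
    }
}

# Usage (placeholder path and thumbprint):
# Get-ChildItem 'C:\Staging\Controls' -File |
#     Select-Object -ExpandProperty FullName |
#     Test-ControlSignature -ExpectedThumbprint '<REVIEWED-SIGNER-THUMBPRINT>'
```

Run it without `-ExpectedThumbprint` first to see which signer each package carries, then approve only the thumbprints you have reviewed.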

This sounds like hassle, yes? Luckily, the good folks at AppSense have considered the possible headaches involved and come up with a solution to help you out with the most common ones – Snippets. Snippets let Application Manager import and merge partial configurations into the configuration currently open in the console. The snippets are available for download from myappsense.com, which needs a support contract to access, but I’m assuming if you’ve got the software, you’ll usually have a contract too 🙂

Log into MyAppSense and go to the AppSense Exchange section, where you need to select Tools and Configs. In the Search for items box, change the type to Snippet and click Search. You’ll see a nice list of Snippets covering such things as GoToMeeting, iTunes, QuickTime and a few others. When you click on them to download, save them to %ProgramFiles%\AppSense\Application Manager\Console\Snippets (you may need to adjust the permissions on this directory to write them). Extract the files into the folder.

If you then right-click in the Web Installations tab you will see an Import Snippet option.

Click on this and choose the Browse button. It will take you to your unpacked XML file. We have chosen the Silverlight snippet as an example. Click on OK and all the configuration components will be loaded into your configuration.

In this case, a number of applications are configured to run with elevated permissions, and a certificate is added to the Trusted Vendors section, allowing the signed files to run as they will probably fail Trusted Owner checking.

You can use these snippets to quickly build up Web Installations for commonly-used controls, allowing you to deploy configurations quickly and easily.

One final word – a lot of people would simply install all the required controls into their base images, and avoid having to configure any of this at all. However, this demonstrates one of the main mantras of the AppSense community – “just in time, not just in case”. If a user may never need to use a control, why should it be loaded into the base image? Master images are best kept simple, and any changes made with care. If a user only utilizes a control once a year, why does it need to be repeatedly loaded for the six months prior to them actually needing to use it? And why not allow your users to feel that they’re actually trustworthy enough to be able to load a control if they find they need to use it? Using Web Installations and all the other features attached to User Rights Management doesn’t just make life simpler and easier, it can also make your users much more positively disposed towards the IT department. I will cover more of the possible uses of User Rights Management in the very near future.
