Privilege Elevation

With privilege elevation, administrators can now allow end users to run certain applications as administrators, as well as install their own applications if they meet the specified criteria. IT administrators can create rules that elevate privileges based on a file hash, a software publisher, or a path to a file or folder.

Overview

  • User Environment Manager administrators pre-define applications to run or install using elevated privileges.
  • Standard user accounts can run these applications as if they were a member of the local administrators group
  • This improves security by removing local administrator privilege from domains users, while enabling elevation for specific applications.

Use cases for Privilege Elevation

  1. Elevated Application
    • Use to elevate applications that are already installed
    • Used for legacy apps requiring local admin rights to run
  2. User Installed Applications
    • Use this to elevate application installers
    • Used for application installers requiring local admin rights to install
    • Create a repository from where users can install approved software

Privilege Elevation Overview

Privilege Elevation is disabled by default.  You must enable it manually, configure conditions to control the elevated applications, and define an elevation message.

Argument-Based Privilege Elevation

Configure executables to be elevated only if they are invoked with specific arguments. Elevation options now available:

  • Argument-based
  • Hash-based
  • Path-based
  • Publisher-based

The benefit is improved security when elevating certain EXEs and enable user to execute only specific scripts in the context of a local administrator.

With Argument-based Privilege Elevation, if the EXE is run with a matching argument, the EXE is elevated. If the EXE is run with any other arguments (or none), the EXE runs in context of the user.

Preparing for the Demo

We will be using some scripts to show the Argument Based Privilege Elevation.

  • PEdemo.vbs : This will be the Argument and refers to a vb script located in UEMScripts folder. This script invokes a second executable (legacyapp.exe)
  • legacyapp.exe : This executable is designed to show when it is run as a user or as an administrator
  • legacyapp.exe.config: config file for the executable

We need to move the scripts in order to use for Privilege Elevation.

Copy the PEdemo.vbs Script

First we will copy the PEdemo.vbs script to the Scripts directory of the UEMProd.

  1. Open the Windows File Explorer from the taskbar
  2. Navigate to C:\Tools\UEM-Lab
  3. Right click on the file PEdemo.vbs script
  4. Select Copy.

We are copying this file to be pasted in the script folder in the next step.

Put file in the Scripts Folder

We will create Scripts folder in C:\UEMProd\general\FlexRepository and copy our script into this folder for use later.

  1. Go to the C:\UEMProd\general\FlexRepository folder and right click.
  2. Select New and Folder
  3. Type Scripts and return
  4. And copy PEdemo.vbs file into this folder by Right Clicking on the newly created Scripts folder and select Paste.

We are putting the script we will be using into the UEM Scripts folder so that we can use it later.

Copy the Legacy App Files

We also need to copy the legacyapp.exe and the legacyapp.exe.config file into UEM custom file and folders to share with Desktop.

We will copy the two files here and will be pasting them in the next few steps from within the UEM Manager.

  1. Go into the C:\Tools\UEM-Lab folder on the Main Console
  2. Select both files: LegacyApp.exe and LegacyApp.exe.config.
  3. Right Click to Copy

Open up the UEM Management Console

From the Main Console, double-click the Management Console shortcut on the desktop.  This will open up the User Environment Manager Management Console.

If you have UEM still open from the previous lesson, then you can proceed to the next step.

You may need to minimize the Windows Explorer Windows or Chrome Browser so you can see the desktop.

Set up Files and Folders to Share Script to Desktop

We are going to add customer files to the user environment. We will set up the files to share on the User's Desktop upon login.

  1. Click on the User Environment
  2. Click on Files and Folders
  3. Click Create
  4. Enter PE Demo for the Name and Label
  5. Click on Create under Files and Folders Settings

We will paste those files to the User's Desktop by UEM when the user logs into the Windows 10 Instant Clone desktop.

Add Files for Windows 10

The window will pop up for the VMware UEM Profile Archive Settings.

Right click over the Desktop in the middle pane and select Paste to copy those files into the Desktop folder.

Complete Adding Custom File to Desktop

  1. Click X to close the Desktop window inside VMware UEM Profile Archive Settings
  2. Back on the Files and Folders Box, Click Done.  
  3. Click Save.

We have copied those two files into the Users Desktop through UEM for when you log in as a user.

Privilege Elevation

We are going to enable Privilege Elevation.  It is disabled by default.

  1. On the User Environment tab
  2. Select Privilege Elevation.
  3. Click Global Configuration.

Enable Privilege Elevation Overview

  1. Select Enable Privilege Elevation.  It is disabled by default.
  2. Select Also elevate all child processes to elevate child processes on a global level. If you select this option, all processes of a user-installed application run elevated.
  3. Click OK.

In this section you also have the ability to configure conditions to control the elevated applications. We are not going to configure any conditions in this lab. You also can add a Message to display with User-installed apps.  You would select Ask user to elevate in the Message section to display a message when a user launches an application that is configured for elevation. The user is presented with the option to run the application elevated or with the normal privileges of the user. We will not be doing that in this lab.

Warning for Privilege Elevation

The Privilege Elevation feature grants temporary administrator privileges to a user. The feature must be used only for specific use cases by administrators. It is not intended as a security feature. Use additional security measures to prevent malicious use.

Click OK.

Configure Argument-based Privilege Elevation

We are going to configure Argument-based Privilege Elevation.

  1. On the User Environment tab, select Privilege Elevation.
  2. Click Create.
  3. Enter a name for the setting definition: PE Demo
  4. Enter Label: PE Demo
  5. Click on Also elevate child processes
  6. Select the privilege elevation type from the Type drop-down under Privilege Elevation Settings: Argument-based elevated application
    • You can only use folders for user-installed applications.
    • If you are configuring path-based settings that reference network paths, specify UNC paths instead of drive letters. When users launch these applications, they should access them from the UNC path.
  7. Click Add in the Elevate section

Select Executable and Arguments to elevate

You can use the selection tool to highlight any text below and drag the hand to the lab to paste text instead of typing it in the demo environment.

  1. Select the folders or applications to add to the list:  (Use Click & Drag)
    • Executable: C:\Windows\System32\wscript.exe
    • We have to put in the entire path for the executable.
    • Argument: %UEMScripts%\PEdemo.vbs
    • This Argument refers to a vb script located in UEMScripts folder. The script invokes a second executable that is designed to show when it is run as a user or as an administrator.
  2. Verify that Case-sensitive arguments is enabled. We will demonstrate using correct case to run as elevated privilege or not.
  3. Click OK in the Select executable and arguments to elevate box
  4. Click Save for the Privilege Elevation box

Minimize the UEM Management Console

Minimize the UEM Management Console so we can launch a desktop.

Horizon HTML Access

Open Horizon HTML Access

If you have the Instant Clone Desktop still open from the previous lesson, then you can open the Instant Clone Desktop from the Chrome Browser for User2Mod1 and enter the password: VMware1!

  1. Open Chrome Browser
  2. Select the VMware Horizon bookmark
  3. Select VMware Horizon HTML Access

Login to VMware Horizon

Login To VMware Horizon

Login to Horizon HTML Access:

  1. Change username to: user2mod1
  2. Password: VMware1!
  3. Click Login

 

Launch the Instant Clone Desktop

Double Click the Instant Clone Pool to launch the desktop.  It will automatically log user2mod1 user into the desktop.

Confirm the Files are on the Users Desktop

The files we added to the UEM share are present on the users desktop upon login.

Notice LegacyApp.exe and LegacyApp.exe.config are on the desktop.

Note:  The files may not be together on the desktop.

Open run

  1. Right-click on the window in the bottom left corner
  2. Select Run from the menu

Run the wscript.exe with correct argument  

For this first test we will run wscript.exe executable with the argument that is formatted properly.  

Make sure to use case sensitive with the script paying particular attention to PEdemo.vbs case.

You can click on the text in step one below and drag with the handtool to the desktop instead of typing out the text.

In the Run window type in the Open box: (Use Click & Drag)

  1. C:\windows\system32\wscript.exe %UEMScripts%\PEdemo.vbs      
  2. Click on OK

Invoke Remote Executable message

Windows Script Host box pops up saying the VBScript will invoke a remote executable.

Click OK

Notice running as Admin

Observe that Privilege Elevation executed wscript.exe and the secondary application with administrative privileges.

Click X in the top right corner of the Demo Tool window to close the box.

Run the wscript.exe with incorrect argument

For this test we will run the wscript.exe executable with the argument improperly formatted.

Right click on the window and click Run.

In the Run box type with the argument pedemo.vbs in lower case letters. (Use Click & Drag)

  1. c:\windows\system32\wscript.exe %UEMScripts%\pedemo.vbs
  2. Click OK

Windows Script Host Box

Click OK to continue to the secondary script.

Notice runs as user

The second app now runs in the context of the user not as Administrator. wscript.exe was not elevated since argument case did not match that of the privilege elevation rule.

Click the X in the top right corner of the Demo Tool to close the window.

Lock the Desktop

  1. Click on the Window in the bottom left corner
  2. Click on the Person icon
  3. Click lock
  4. Close the Chrome Browser

Close UEM Management Console

Click the X in the top right corner of the UEM Management Console window.

This is the conclusion of this exercise.  In this lesson, we set up Argument-based Privilege Elevation where we configured executables to be elevated only if they are invoked with specific arguments.  We also customized the user desktop by adding custom files to the user environment to be on the desktop at login.