When you remove administrative rights for applications using the Remove Administrative Rights action, there is an advanced feature that allows you to apply restricted Security Identifiers (SIDs), which further restricts access to securable objects.
When you specify a restricted SID, the object's security descriptor must allow access not only to the user but also, explicitly, to the restricting SID.
Our restricted process option leverages the Windows functionality that prevents restricted SIDs from having Write access to protected resources. (For more details, go to Restricted Tokens on the Windows Dev Center.)
...
What is a restricted SID?
A restricted SID is an access token that modifies a user's access to securable objects and controls a user's ability to perform various system-related operations on the local computer.
When a restricted process or thread tries to access a securable object, the system performs two access checks: one using the token's enabled SIDs, and another using the list of restricted SIDs. Access is granted only if both access checks allow the requested access rights. (For more information about restricted SIDs, go to the Microsoft Developer Network Library at https://msdn.microsoft.com/en-us/library/windows/desktop/aa379316(v=vs.85).aspx.)
When to use a restricted SID
Use a restricted SID to further restrict the applications in the sandbox, which you can use as another method of orangelisting. In other words, this is a way to protect yourself against unknown applications if you don't want to implement blacklisting.
The restricted SID will allow only Read access to the user registry but not to the local machine registry. Also, restricted processes do not have rights to open any network-based resource, such as file servers. As a result, a process running with the restricted SID will be able to do very little, and apps may not work correctly under this model. Ultimately, apps in the sandbox that have a restricted SID applied to them will be severely locked down.
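The following Python sketch is an added example, not Thycotic or Microsoft code. It models the two access checks described above and shows why a restricted process can read an object whose DACL names the restricting SID but is refused on one that does not. Assumptions: the READ/WRITE masks are simplified, the USER account SID is a placeholder, the two DACLs are constructed for illustration, and the model ignores privileges, ownership and deny-only SIDs.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2  # simplified access masks (assumption, not real Windows values)

# Well-known SIDs; USER is a constructed placeholder account SID.
USER = "S-1-5-21-1111111111-2222222222-3333333333-1001"
USERS, ADMINS, RESTRICTED = "S-1-5-32-545", "S-1-5-32-544", "S-1-5-12"

@dataclass(frozen=True)
class Ace:
    allow: bool   # True = access-allowed ACE, False = access-denied ACE
    sid: str
    mask: int

def dacl_pass(dacl, sids, desired):
    """One ordered pass over the DACL: a matching deny ACE on a still-needed
    right fails the pass; allow ACEs clear rights until none remain."""
    remaining = desired
    for ace in dacl:
        if remaining == 0:
            break
        if ace.sid not in sids:
            continue
        if not ace.allow and ace.mask & remaining:
            return False
        if ace.allow:
            remaining &= ~ace.mask
    return remaining == 0

def access_allowed(dacl, enabled_sids, restricted_sids, desired):
    """Both checks must pass; a token with no restricted SIDs skips the second."""
    if not dacl_pass(dacl, enabled_sids, desired):
        return False
    return not restricted_sids or dacl_pass(dacl, restricted_sids, desired)

# Constructed DACLs (hypothetical, for illustration only).
USER_KEY = [Ace(True, USER, READ | WRITE), Ace(True, RESTRICTED, READ)]
MACHINE_KEY = [Ace(True, ADMINS, READ | WRITE), Ace(True, USERS, READ)]

def demo():
    enabled, restricting = {USER, USERS}, {RESTRICTED}
    return {
        "user_key_read": access_allowed(USER_KEY, enabled, restricting, READ),
        "user_key_write": access_allowed(USER_KEY, enabled, restricting, WRITE),
        "machine_key_read": access_allowed(MACHINE_KEY, enabled, restricting, READ),
        "machine_key_read_unrestricted": access_allowed(MACHINE_KEY, enabled, set(), READ),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'granted' if allowed else 'denied'}")
```

In this model the same user is granted Read on the second object as soon as the restricted SID list is empty, which isolates the second check as the cause of the denial.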
Apply restricted SID
To apply a restricted SID, follow these steps:
- In the Thycotic Security Manager, click the Policies tab.
- In the file library in the left pane, navigate to Thycotic Solutions > Application Control > Actions > Process Rights > Remove Administrative Rights.
- In the right pane under Action Type, select the Apply Restricted SID (advanced) check box.
- Click the Save button.