When you remove administrative rights for applications using the Remove Administrative Rights action, there is an advanced feature that allows you to apply restricted Security Identifiers (SIDs), further restricting access to securable objects.
When you specify any Restricted SID then not only does the Security Descriptor need to allow access to the user, but also allow access explicitly to the Restricting SID.
[[Who should use this advanced feature?]]
Our restricted process option leverages the Windows functionality that prevents restricted SID's from having Write access to protected resources. (For more details, go to Restricted Tokens on the Windows Dev Center.) Another benefit of this is that Restricted Processes do not have rights to open any network-based resource, such as file servers.
Apply Restricted SID
To apply restricted SID, do the following steps:
- In the Security Manager Console, click the Policies tab.
- In the file library in the left pane, navigate to Arellia Solutions > Application Control > Actions > Process Rights > Remove Administrative Rights.
- In the right pane under Action Type, select the Apply Restricted SID (advanced) check box.
- Click the Save button.
Related Links
What is this thing called SID?