Elevation of particular actions in Windows Vista and beyond is controlled by a new mechanism that involves COM Elevation monikers [cite MS reference]. ACS allow the automatic elevation of configured actions by non-administrative users. This functionality requires that "ShellExecuteHooks" be enabled which ACS does by default. This configuration could be overridden by Group Policy.
Setting up a Demo
- Need to download the three attachments
- Replace the existing agent packages in C:\Program Files\Altiris\Arellia\ApplicationControl\Agents\7.1 with the attached
- Update the version number of the ACS packages under the configuration tab to 7.1.1635
- Clone existing update rollout packages to allow upgrade (rename to include reference to the 1635 agent build)
- Agent machines will require explorer restart (logoff/logon or reboot) for the shell execute hook to become active
- Import the attached configuration into a ACS folder
Configuration
- This process is controlled by intercepting requests to elevate COM components via DCOM and setting up a Admin proxy via DCOM pointing to a (newly) created DCOM host "COMElevateHost" instead of the standard "DllHost" DLL surrogate host.
- ACS steps in and potentially elevated the DCOM host ("COMElevateHost") if commandline options match a particular elevatable COM component (Eg "Network Adapter Elevate Attempt" filter)
- If the COMElevateHost is running as an administrator then requests to it will deliver an elevated COM component, otherwise it will return an access denied failure
- If the shell evexecute process does not receive an elevated COM component it will default to standard processing which will go through standard UAC mechanisms (ppotentially displaying UI).
The additional policies included allow greater insight into the process (debugging) as well and identifiying necessary parameters for configuring additional filters.