Viewfinity GPO 4.2
Viewfinity’s 4.2 version marks the tipping point for broad adoption of endpoint lockdown, thanks to our breakthrough automated method for managing administrative rights. With this new level of automation, there is no reason for users to have administrative rights.
Here is a summary of what’s new in the current 4.2 GPO snap-in version:
One-time Run Authorization
In addition to the typical management of user privileges with Viewfinity Privilege Management policies (distributed either by Group Policy or sent by E-Mail), a user can be authorized for a “one-time use” of an application. This can be used to allow an application to run for users on-the-go with no network access and thus with no ability to update policies. In such instances, if One-time Run Authorization is enabled, a user can submit a request to the administrator and get a one-time authorization. The user provides the administrator with a request code (Request ID) and in turn receives an Authorization Code, which is entered in the Viewfinity One-time Run Authorization dialog in order to launch the application. The authorization access code ensures that access is matched with the requested application. All usage of one-time access is audited and reported.
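A sketch of such an offline Request ID / Authorization Code exchange, added here as an example; it is not Viewfinity's implementation, and the page does not describe the actual algorithm. It assumes a per-endpoint shared secret and an HMAC-derived code; `Agent`, `issue_auth_code` and the Request ID format are hypothetical names and choices.

```python
import hashlib
import hmac
import secrets

# Assumption: the secret is a per-endpoint key provisioned to both the agent
# and the admin console while the machine was still online.

def issue_auth_code(secret, request_id):
    """Admin side: derive the Authorization Code from the user's Request ID."""
    mac = hmac.new(secret, request_id.encode(), hashlib.sha256).digest()
    return mac[:5].hex().upper()  # 10 hex characters, short enough to read out

class Agent:
    """Endpoint side: creates requests, verifies codes, records every attempt."""

    def __init__(self, secret):
        self.secret = secret
        self.pending = {}  # request_id -> SHA-256 of the requested application
        self.audit = []    # (request_id, app_sha256, allowed)

    def request(self, app_sha256):
        # A fresh nonce makes every Request ID unique, so an old code cannot
        # be reused for a later request for the same application.
        request_id = f"{secrets.token_hex(6)}-{app_sha256[:12]}".upper()
        self.pending[request_id] = app_sha256
        return request_id

    def redeem(self, request_id, code, app_sha256):
        expected = issue_auth_code(self.secret, request_id)
        allowed = (
            self.pending.get(request_id) == app_sha256  # same app as requested
            and hmac.compare_digest(expected.encode(), code.strip().upper().encode())
        )
        if allowed:
            del self.pending[request_id]  # one-time: the code is now spent
        self.audit.append((request_id, app_sha256, allowed))
        return allowed

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value
    agent = Agent(secret)
    app = hashlib.sha256(b"constructed installer bytes").hexdigest()
    rid = agent.request(app)
    code = issue_auth_code(secret, rid)
    print(rid, code, agent.redeem(rid, code, app), agent.redeem(rid, code, app))
```

The properties to look for in any such scheme are the ones the text names: the code is bound to the requested application, it works once, and every attempt, successful or not, lands in the audit trail.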
Ease of Use - Policy Organization
Policies are organized in a logical manner which saves time, reduces the chance of error, and provides an enterprise-wide view of what policies are being managed. Because the arrangement offered in Windows Outlook is familiar to most, we provide an “Inbox” style folder organization. Events are categorized into predefined policy folders: Elevate, Trusted Sources, Do Not Elevate, and Block.
Selectively elevates rights only for those applications that truly require administrative rights. This option is used when a company wants to elevate all applications signed by a specific software publisher that require administrative rights, but not those applications which do not require elevated rights. For example, Microsoft’s Notepad does not require admin rights, so Viewfinity would not elevate privileges for Notepad – it would remain locked down. As another example, this trusted sources technique can be applied to elevate all applications signed by Google which require admin rights, such as browser toolbars, while eliminating exposure to the security loophole that occurs when elevated permissions are granted to an application that does not require them, such as the Google browser. After silently discovering common user privilege needs and aggregating these events, administrators can assign trusted publishers and automatically generate policies for hundreds of applications from a central management console.
Control and Manage Policy Proliferation
Provides the ability to aggregate privilege policies based on similar user needs, so the number of policies that need to be managed is reduced by an order of magnitude. The product intelligently scans a Windows environment, identifies common user privilege needs across the organization, automatically aggregates these privilege needs, and creates a single policy for a collective group of users.
Privilege Control for Data
Extends our privilege management policies to control permissions on shares, folders, files and registry. Privilege Data Control Policies allow administrators to centrally control client file and registry access permissions. Combining a strict data access restriction via a policy with Viewfinity's elevation control will ensure maximum security for your organization.
Built-in Agent Protection
Viewfinity built an extra layer of protection into the Viewfinity agent in order to protect Viewfinity files, policies and the agent from malicious attacks. Viewfinity agent files are automatically encrypted and cannot be edited when accessed inside the corporate network or when policies are cached offline. Elevated processes cannot be used to modify Viewfinity agent files, folders, and registry. No manual intervention is required to protect the operating system from elevated processes. The policy files and all other Viewfinity files cannot be modified even if the Viewfinity software is disabled (e.g. boot from CD). The Viewfinity agent can be configured to prevent administrators and/or standard users from uninstalling the agent.
New Dashboard and Audit reports such as Summary of Active/Inactive Policies, Policy Usage, Policy Automation, and Policy change history summary are now available.
Application Group Policies are designed to handle the majority of cases by using broad, generalized rules. Specific exceptions to these, or highly granular rules, can be defined and handled in advanced policies. Advanced policies allow you to tailor the policy to your exact needs without interrupting the more generalized workflow established by application group policies. Further customization of the behavior and presentation of the Viewfinity agent can be achieved by changing the settings, using advanced targeting and customizing the dialogs & messages.
Viewfinity Privilege Management for Servers
We have decoupled the server capabilities from the flagship product and the product is now available as two individual offerings: (1) Privilege Management for Endpoints; and (2) Privilege Management for Servers.
End-User Customization/UI, Multi Language Support
Viewfinity provides very flexible end-user dialog boxes and balloons which can be branded to specific company requirements. This includes the ability to suppress the native Windows UAC dialog box and replace it with customized Viewfinity dialog boxes. End-user UI messages can be customized to include company logo, URL, Email, rich text and variables. User Justification dialogs can be set up to mandate a minimum character length for the “justification reason” in end-user dialogs. Viewfinity supports more than 250 languages to display messages to end-users.
Policy Revision History
In organizations where multiple administrators are managing policies, we provide the ability to audit and track who has made policy changes such as policy settings updates, policy creation, removal, etc.
Viewfinity’s Video Audit feature provides an option to capture a screen-recorded video of user activity based upon a particular application or policy. IT Administrators can gain an understanding of how particular applications are being used by end users. IT Administrators can elect to record user actions based upon specific policies and/or applications. This feature has widespread applicability and appeal considering the type of information that can be recorded and used for policy auditing purposes. For example, you can monitor a user session during which the user has elevated permissions to install an application for troubleshooting purposes, or it can be used for monitoring suspicious user activity.
Sending Policies by Email
Viewfinity allows Administrators to export Viewfinity Policies in a GPO and send an encrypted, password-protected policy file by email. This feature is particularly helpful for sending new and/or updated policies to users who are currently disconnected from corporate AD and VPN.
Help Desk Systems Integration
Viewfinity provides the ability to capture end-user requests to elevate privileges to access a particular program or task. As a part of the end-user request, the program can be configured to collect information about user, host, application vendor, version and end-user justification. Administrators can create an agnostic help desk template which automatically generates a help desk ticket in the help desk system containing the details about the requested application and user.
Elevation support for COM objects
Microsoft Component Object Model technology in the Microsoft Windows-family of Operating Systems enables software components to communicate. In the Windows operating system, some internal program functions call a DLL which requires administrative privileges, even while the calling program itself does not require it. A common example is clicking on the ‘Advanced File Sharing’ via Windows Explorer, which in Windows 7 and 8 requires UAC program elevation. Viewfinity now offers a new type of policy for COM object elevation support.
Parent Process Elevation
Viewfinity supports conditional elevation based on Parent Process. This condition allows you to apply the policy rule to an application only if it is launched by a specified parent process. This policy can be used in specific scenarios when someone wants to conditionally allow the execution of child processes.
Elect to apply a policy based on the result of a script execution. For example, you may want to check for the presence of application A before elevating application B or any other conditions which you can define in a custom script.
Support for Windows Security Catalog
Support for an additional file signature source. Some applications do not contain an embedded digital file signature; their signatures are instead stored in catalog files. Microsoft has many applications of this type. Viewfinity can automatically recognize these applications and apply the relevant policies.