The principle of least privilege is the information security concept that end users are granted only the minimum permissions essential to perform their day-to-day job. Unfortunately, we still see a considerable number of applications that violate this principle, which introduces security risk when end users have to be granted elevated access (temporarily in theory, permanently in practice) to complete certain functions or updates. The Citrix WEM Privileged Elevation feature helps address this.
Article Content
Overview of Privileged Elevation
Enabling Citrix WEM Privileged Elevation
Overview of Privileged Elevation
Privileged elevation is a newly released feature that allows specific executables to run with administrative privilege without the end user holding those permissions. It can be assigned granularly to specific end users or security groups, limiting the elevation to a defined set of users and a defined set of executables instead of granting local administrator rights, which preserves the principle of least privilege.
Prerequisites
The following prerequisites are required to take advantage of the Citrix WEM Privileged Elevation feature:
Citrix Workspace Environment Management Service (Cloud)
- Citrix Workspace Environment Management Service (Citrix Cloud), release 2012, with the WEM agent
Citrix Workspace Environment Management Infrastructure (On-Premises)
- Citrix Workspace Environment Management (2112)
As Citrix delivers cloud first, the feature was made available to the WEM Service in release 2012 (December 2020) and reached on-premises customers in 2112 (December 2021), a full 12 months later.
Agent
- Minimum agent version required: 2010.2.0.1
Rule Types
The following rule types are available:
- Path
- Publisher
- File Hash
Path
Allows you to specify either the file path of the executable you want to elevate (e.g. C:\test\admin.exe) or a folder path (e.g. C:\test), in which case every EXE within that folder runs elevated. The folder path is the less preferred of the two options: anyone who can write into that folder can place an executable there and have it run as administrator, so use it only for folders that standard users cannot modify.
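Before pointing a folder rule at a directory, check who can write into it. The following PowerShell script is an added example, not part of this post or of Citrix WEM; C:\test is the page's own illustrative folder, and the list of trusted SIDs is an assumption you should extend with your own delegated admin groups.

```powershell
# Added example, not Citrix code: list every principal that can create, replace
# or delete files in a folder that a WEM folder-path rule elevates. Any such
# principal can drop an EXE into the folder and have it run as administrator.

# Translate an account name or SID to its SID string; keep the raw value when it
# cannot be resolved (e.g. an orphaned SID from a deleted account).
function Resolve-Sid {
    param([Parameter(Mandatory)]$Identity)
    try {
        if ($Identity -is [System.Security.Principal.IdentityReference]) {
            return $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
        }
        $account = New-Object System.Security.Principal.NTAccount($Identity)
        return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return [string]$Identity
    }
}

function Test-ElevatedFolderAcl {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Folder not found: $Path"
    }

    # Rights that let a principal introduce or swap an executable in the folder.
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                       [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                       [System.Security.AccessControl.FileSystemRights]::Delete)
    $genericWrite = 0x50000000   # GENERIC_ALL | GENERIC_WRITE, seen on inherit-only ACEs

    # Principals that already run as administrator; an ACE for them adds no exposure.
    # Assumption: extend this list with your own delegated admin groups.
    $trustedSids = @(
        'S-1-5-18',      # NT AUTHORITY\SYSTEM
        'S-1-5-32-544',  # BUILTIN\Administrators
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464', # TrustedInstaller
        'S-1-3-0'        # CREATOR OWNER: harmless unless a non-admin can create files here
    )

    $acl = Get-Acl -LiteralPath $Path

    # A non-administrative owner can rewrite the DACL, so report the owner first.
    if ($trustedSids -notcontains (Resolve-Sid $acl.Owner)) {
        [pscustomobject]@{ Folder = $Path; Principal = $acl.Owner; Rights = 'Owner (can change the ACL)'; Inherited = $false }
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$ace.FileSystemRights
        $canWrite = (($rights -band $writeMask) -ne 0) -or (($rights -band $genericWrite) -ne 0)
        if (-not $canWrite) { continue }
        if ($trustedSids -contains (Resolve-Sid $ace.IdentityReference)) { continue }
        [pscustomobject]@{
            Folder    = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Usage: an empty result is what you want before a folder rule for C:\test goes live.
$exposure = @(Test-ElevatedFolderAcl -Path 'C:\test')
if ($exposure.Count -eq 0) { 'No non-administrative write access found.' }
else { $exposure | Format-Table -AutoSize }
```

Anything the script lists (typically BUILTIN\Users or Authenticated Users with Modify on a folder an installer created) must be fixed before the rule is created, otherwise the rule hands those principals an administrator token.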
Publisher
Allows you to specify a rule based on the publisher information available for the executable:
- Publisher
- Product Name
- File Name
- File Version
An asterisk (*) indicates that any value is accepted for that field. For example, if you specify only the file name (TESTAPP.EXE) and leave publisher, product name and version as *, those fields are ignored in the evaluation and any executable named TESTAPP.EXE runs elevated regardless of who published it. For that reason, pin the publisher wherever the executable is signed, so that a renamed or substituted binary does not inherit the elevation.
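To see what a publisher rule actually compares, and how much a file-name-only rule matches, the following PowerShell is an added example (not Citrix code and not the agent's own matching logic). It reads the four fields from an executable and evaluates a rule with the wildcard semantics described above. Assumptions, labelled in the code: the file name compared is the name on disk, and the version is matched exactly.

```powershell
# Added example, not Citrix code: read the four fields a publisher rule evaluates
# and test a rule against them, treating '*' as "any value" as the console does.
function Get-ExePublisherInfo {
    param([Parameter(Mandatory)][string]$Path)
    $file = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    # Publisher comes from the Authenticode signer; an unsigned or tampered file has none.
    $publisher = $null
    if ($sig.Status -eq 'Valid') { $publisher = $sig.SignerCertificate.Subject }
    [pscustomobject]@{
        Publisher   = $publisher
        ProductName = $file.VersionInfo.ProductName
        FileName    = $file.Name   # assumption: the name on disk (the version resource also carries OriginalFilename)
        FileVersion = $file.VersionInfo.FileVersion
        SigStatus   = $sig.Status
    }
}

function Test-PublisherRule {
    param(
        [Parameter(Mandatory)]$Info,        # object from Get-ExePublisherInfo
        [string]$Publisher   = '*',
        [string]$ProductName = '*',
        [string]$FileName    = '*',
        [string]$FileVersion = '*'
    )
    $checks = @(
        @{ Rule = $Publisher;   Actual = $Info.Publisher },
        @{ Rule = $ProductName; Actual = $Info.ProductName },
        @{ Rule = $FileName;    Actual = $Info.FileName },
        @{ Rule = $FileVersion; Actual = $Info.FileVersion }   # assumption: exact match, not "this version or later"
    )
    foreach ($c in $checks) {
        if ($c.Rule -eq '*') { continue }                         # wildcard: the field is not evaluated
        if ([string]::IsNullOrEmpty($c.Actual)) { return $false } # the rule pins a field the file does not carry
        if ($c.Actual -ne $c.Rule) { return $false }              # -ne is case-insensitive, like Windows names
    }
    return $true
}

# Walk-through with the page's test executable. A rule that pins only the file name
# matches any binary called cliconfg.exe, signed or not; adding the publisher makes
# an unsigned copy, or one signed by someone else, fail the rule.
$exe  = 'C:\Windows\System32\cliconfg.exe'
$info = Get-ExePublisherInfo -Path $exe
$info | Format-List

Test-PublisherRule -Info $info -FileName 'cliconfg.exe'
Test-PublisherRule -Info $info -FileName 'cliconfg.exe' -Publisher 'CN=Some Other Publisher'
Test-PublisherRule -Info $info -FileName 'cliconfg.exe' -Publisher $info.Publisher
```

The first call returns True for any file with that name. The second returns False. The third returns True only when the file's signature validated and the signer matches, which is the behaviour you want from a rule that elevates.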
Enabling Citrix WEM Privileged Elevation
1. Log in to Citrix Cloud
2. On the Workspace Environment Management tile, click Manage
3. Under Security, select "Privilege Elevation"
4. Ensure "Process Privilege Elevation Settings" is ticked to enable the feature.
Some additional settings:
- Do Not Apply to Windows Server OSs – if ticked, the rules apply only to desktop OS agents deployed in your site.
- Enforce RunAsInvoker – controls whether to force all executables to run under the current Windows account. If selected, users are NOT prompted to run executables as administrators. Note that "all executables" here means the executables specified in the rules, not every executable on the operating system. I recommend enabling this option.
RunAsInvoker prevents the UAC prompt from appearing (if UAC is enabled) when the executable asks the operating system for elevation at launch. An example is the following prompt appearing when launching an EXE.
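Why does one executable prompt and another not, and what does "RunAsInvoker" mean at the operating system level? The following PowerShell is an added example, not Citrix code and not a description of the WEM agent's internals: it reads the requestedExecutionLevel from an executable's embedded manifest and launches a process under the RunAsInvoker compatibility layer that Windows itself provides, which the WEM setting is named after. It assumes a UTF-8 manifest and should be run from a standard-user (non-elevated) session to see the effect.

```powershell
# Added example, not Citrix code: show why an executable triggers UAC, and the
# RunAsInvoker compatibility layer Windows itself provides.
function Get-ExeRequestedExecutionLevel {
    param([Parameter(Mandatory)][string]$Path)
    # The embedded manifest (RT_MANIFEST resource) is plain XML inside the image,
    # so a byte-level search finds it without a resource parser.
    # Assumption: a UTF-8 manifest, which is what mt.exe and Visual Studio embed.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)  # non-ASCII bytes become '?'; the tags survive
    $elem  = [regex]::Match($text, '<requestedExecutionLevel\b[^>]*>', 'IgnoreCase')
    $level    = 'asInvoker'   # no manifest entry: Windows treats the process as asInvoker
    $uiAccess = 'false'
    if ($elem.Success) {
        $m = [regex]::Match($elem.Value, 'level\s*=\s*"([^"]+)"', 'IgnoreCase')
        if ($m.Success) { $level = $m.Groups[1].Value }
        $m = [regex]::Match($elem.Value, 'uiAccess\s*=\s*"([^"]+)"', 'IgnoreCase')
        if ($m.Success) { $uiAccess = $m.Groups[1].Value }
    }
    [pscustomobject]@{
        Path              = $Path
        Level             = $level
        UiAccess          = $uiAccess
        HasExecLevelEntry = $elem.Success
        # requireAdministrator is what produces the credential prompt for a standard user
        # (Test 3 on this page); highestAvailable prompts only users who are already admins.
        # An unmanifested setup.exe/install.exe can still prompt via installer detection.
        PromptForStdUser  = ($level -eq 'requireAdministrator')
    }
}

# Start a process under the RunAsInvoker compatibility layer: the manifest's request
# is ignored and the child gets the caller's token, so no UAC prompt appears. This
# alone elevates nothing; admin-only actions inside the process still fail, which is
# the gap the WEM rule fills.
function Start-ProcessAsInvoker {
    param([Parameter(Mandatory)][string]$Path)
    $previous = $env:__COMPAT_LAYER
    try {
        $env:__COMPAT_LAYER = 'RunAsInvoker'   # the environment is inherited by the child
        Start-Process -FilePath $Path -PassThru
    } finally {
        $env:__COMPAT_LAYER = $previous         # $null removes the variable again
    }
}

Get-ExeRequestedExecutionLevel -Path 'C:\Windows\System32\cliconfg.exe' | Format-List
$p = Start-ProcessAsInvoker -Path 'C:\Windows\System32\cliconfg.exe'
"Started cliconfg.exe as PID $($p.Id) without a UAC prompt"
```

If you run this from an already elevated PowerShell the child is elevated anyway and the compatibility layer changes nothing, so test it as the standard user the rule is meant for.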
Adding a New Rule
1. Under Security | Privileged Elevation, select Executable Rules
2. Click "Add Rules" at the bottom right of the console
3. Enter the rule required. I have used SQL Server Client Network Utility as an example
Some additional options are available under the rule:
- Apply to Child Processes – the same rule is applied to any child processes spawned by the executable. I ticked this option for the example. Be aware that this extends the elevation to anything the application can launch, for example a shell opened from a file dialog, so only use it where the application genuinely needs it.
- Start Time/End Time – the rule can be time bound. Default values have been used here.
- Assignment – you can assign the rule to everyone, or to an existing assignment defined in the site, which lets you limit it to user groups. I assigned it to all assignments for the initial rule.
4. Enter the path of the EXE or folder and click "Create"
Additionally, Citrix provides a tool called App Info Viewer that shows detailed information on an executable, such as its file hash and publisher information, to help you complete rules.
It can be located here:
C:\Program Files (x86)\Citrix\Workspace Environment Management Agent\AppInfoViewer.exe
Testing Privileged Elevation
A few tests were performed to show Privilege Elevation working:
- Test 1: Launching the executable without an elevation rule added.
- Test 2: Launching the executable with an elevation rule added.
- Test 3: Enforce RunAsInvoker disabled, then launching the executable.
- Test 4: Enforce RunAsInvoker enabled, then launching the executable.
Test 1
1. Launch C:\windows\system32\cliconfg.exe
2. The executable loads as expected
3. Accessing the Alias tab requires elevated permission; the message below indicates the end user does not hold this permission.
Test 2
1. Launch C:\windows\system32\cliconfg.exe
2. The executable loads as expected
3. Accessing the Alias tab displays no message, indicating there is no permission issue and the executable is now running with elevated privileges.
SUCCESS!!
Test 3
Launching C:\windows\system32\cliconfg.exe prompts the end user for administrator credentials to launch the application.
NOTE: This prompt still appears even when a rule has been added for the executable, if "Enforce RunAsInvoker" is not enabled.
Test 4
Launching C:\windows\system32\cliconfg.exe opens the application directly, without any UAC prompt.
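Test 2 infers elevation from the absence of an error dialog. A stronger check is to ask the operating system whether the running process actually holds an elevated token. The following PowerShell is an added example, not Citrix code: it queries TokenElevation on the process token through P/Invoke. It assumes the process is a normal (non-protected) process; if Windows denies access to a higher-integrity process's token (Win32 error 5), run the check from an administrator session to confirm.

```powershell
# Added example, not Citrix code: confirm that a process started under a WEM rule
# really holds an elevated token, rather than inferring it from the UI.
Add-Type -Namespace WemCheck -Name NativeMethods -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, uint processId);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr processHandle, uint desiredAccess, out IntPtr tokenHandle);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr tokenHandle, int infoClass, out uint info, uint infoLength, out uint returnLength);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

function Test-ProcessElevated {
    param([Parameter(Mandatory)][int]$ProcessId)
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # enough for OpenProcessToken
    $TOKEN_QUERY    = 0x0008
    $TokenElevation = 20   # TOKEN_INFORMATION_CLASS value; returns TOKEN_ELEVATION { DWORD TokenIsElevated }

    $hProc = [WemCheck.NativeMethods]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$ProcessId)
    if ($hProc -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed, Win32 error $([System.Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $hToken = [IntPtr]::Zero
    try {
        if (-not [WemCheck.NativeMethods]::OpenProcessToken($hProc, $TOKEN_QUERY, [ref]$hToken)) {
            throw "OpenProcessToken failed, Win32 error $([System.Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        $isElevated = [uint32]0
        $returned   = [uint32]0
        if (-not [WemCheck.NativeMethods]::GetTokenInformation($hToken, $TokenElevation, [ref]$isElevated, 4, [ref]$returned)) {
            throw "GetTokenInformation failed, Win32 error $([System.Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        return ($isElevated -ne 0)
    } finally {
        if ($hToken -ne [IntPtr]::Zero) { [void][WemCheck.NativeMethods]::CloseHandle($hToken) }
        [void][WemCheck.NativeMethods]::CloseHandle($hProc)
    }
}

# Usage: with the rule in place, launch the page's test executable as the standard
# user, then check every cliconfg.exe instance rather than trusting the Alias tab.
Start-Process -FilePath 'C:\Windows\System32\cliconfg.exe'
Start-Sleep -Seconds 2
Get-Process -Name cliconfg | ForEach-Object {
    "cliconfg.exe PID $($_.Id) elevated: $(Test-ProcessElevated -ProcessId $_.Id)"
}
```

Run the same check with the rule removed (Test 1) and you should see False, which gives you a before/after comparison that does not depend on how the application reports a permission failure.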
Conclusion
This is a very welcome addition to Citrix WEM that has been missing for a long time compared with competitor products; it may close a key gap and allow more customers to transition to Citrix WEM.
I have tested a dozen applications that I previously had elevation issues with, and all have passed. No issues so far, but wider use will surely bring a broader set of challenging apps to test the new feature against.
It will be telling how long the new feature set takes to reach the on-premises version, as some interest outside of WEM Service (Citrix Cloud) has already been shown.
This is just what I was looking for. Nice write-up.
Glad it helped you.