Advanced Rules: File & Publisher Certificate Identification Criteria
Gain a better understanding of how to organize and manage rules effectively with expert guidance.
Table of Contents
When Rules are created as part of a Real-Time Privilege Request (from either the AutoElevate Notify mobile app or from the Admin Portal), the identification criteria used is always the file's MD5 hash. Advanced Rules can be developed by selecting additional File and Publisher Certificate Identification Criteria when editing an existing MD5 rule or creating a new one from an Event.
Edit an Existing Rule from the Rules screen (in the Admin Portal - https://msp.autoelevate.com) by clicking the Edit (pencil icon) next to the Rule.
Create a New Rule from the Events screen (in the Admin Portal - https://msp.autoelevate.com) by checking the box next to an Event and selecting Convert to Rule from the Actions menu.
Using File and Publisher Certificate Identification Criteria Combinations
Advanced Rules can be set up to match as many combinations of the File and/or Publisher Certificate identification criteria as you desire by selecting the checkboxes next to the elements from the Event that you would like the Rule to match. If a match is found when a UAC Event takes place, the AutoElevate Agent then carries out the defined action of either Approved, Denied, or Ignored. For the Rule to be applied to an event, it must match ALL of the selected identification criteria.
File Identification Criteria
File Identification Criteria can be selected in any combination of 5 options: Product Name, File Path, File Name, Original File Name, MD5 Hash. The default values of these criteria are set to what was read from the actual file from the local computer where the original Event happened. Wildcard characters can specify dynamic elements (* ? [a-z]).
Product Name: A value specified by the software publisher and embedded in the file's binary. It can be blank if the file does not contain version information.
File Path: The full path of the file's location on the local machine, including the file's name. The agent will expand any Windows environment variables when processing the File Path. Click HERE for more information on Windows env vars.
Currently, the agent cannot process env vars that include local user information (i.e., %LOCALAPPDATA%). This will be adjusted in a future update.
- Currently, the agent cannot process env vars that include local user information (i.e., %LOCALAPPDATA%). This will be adjusted in a future update.
File Name: The file name extracted from the path.
Original File Name: The name the file was created with. It can be blank if the file does not contain version information.
MD5 Hash: The MD5 hash of the file.
Publisher Identification Criteria
Publisher Identification Criteria can be set to 1 of 2 options: Subject Elements or Certificate Hash.
Subject Elements: These are the different parts of the Subject distinguished name found in the publisher certificate. Any combination of elements can be selected. However, it's good to note that each software publisher can use many certificates. Targeting fewer subject elements will allow for a wider range of software matching the identification criteria selected.
Certificate Hash: This is the thumbprint of the certificate used to sign the file. It is very specific to that certificate only. Typically, publisher certificates expire after a year or 2. This means publishers need to get new certificates with new thumbprints frequently. Targeting the certificate hash may mean that you will need to create new Rules to account for these new certificates when they are issued.
Where do we get the Publisher Identification Info?
You will see an expandable section of information about the publisher certificate along with the publisher options. This data is generated from the file examined on the local machine that the Event originated from.
Whether the file is marked as Verified or not depends on whether the certificate chain on the local machine was verified. Verified certs are where the certificate and/or its issuer are in the local certificate authority (CA) on the local machine and whether the Signing Time falls between the Valid From to Valid To time stamps.
The defined rules are encrypted and stored in a secure registry area at each check-in and will continue to work with or without connectivity to the Internet and/or our services.
We default to a security position and allow the UAC to come up for anything that doesn't have a rule.
We also recommend creating a break-the-glass local admin on each system (perhaps only management can access the credentials) for rare cases like these.
Make sure your agents are at v2.4+. Only events generated from a machine running version agent v2.4+ will be able to define a rule using publisher certificate & file info. Additional information is required to make publisher certificate rules that the previous Agent versions did not capture. Only Agent versions 2.4+ can interpret and process the identification criteria set on these new Rules.
If you see agents still stuck on v2.3.8, check that they have at least .NET v4.7, which is required. If the machine does not have version 4.7, the Agent will not install and should remain at the previous version.
Powershell v3.0+ is also required to process any rules with wildcard characters.
- Only users in the Administrators and Technician (Level 3) roles have permission to edit & set the identification criteria on Rules.
Publisher certificate verification has been built into agent v2.4+ to ensure the safety and security of making rules based on publisher certificate criteria.
The AutoElevate rules engine does this verification, like most security tools do, using information from the local certificate authority store (CA) on each machine. Microsoft updates the local certificate authority stores. Security and mitigation of threats to the local certificate store on each machine strongly depend upon users only having standard user privileges.