

Enable User Impersonation Protection

User impersonation protection lets you set rules to permit or deny requests to impersonate specific users and groups.

To enable user impersonation protection

  1. (Optional) Enable kernel mode interception, as follows:
    1. Stop CA ControlMinder.
    2. Change the value of the following registry value to 1:
      HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\SeOSD\SurrogateInterceptionMode

    3. Restart CA ControlMinder.

    Note: User mode interception is enabled by default.

  2. Open a selang command prompt window.
  3. Enable the SURROGATE class:
    setoptions class+(SURROGATE)
    
  4. Define selang rules for SURROGATE records for your CA ControlMinder implementation.
  5. (Kernel mode interception only) Define a rule that lets the SYSTEM user impersonate the user that makes the impersonation request:
    auth SURROGATE USER.Administrator uid("NT AUTHORITY\SYSTEM") acc(R)
    

    Windows identifies many utilities and services (for example, Run As) as the user "NT AUTHORITY\SYSTEM" rather than as the user who runs the utility. You must therefore define a rule for the SYSTEM user so that users who run these utilities can impersonate another user.
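The following PowerShell script is an added example; it is not part of the CA ControlMinder documentation or product. It carries out step 1 of the procedure (stop the product, set the registry value, verify the write, restart) and also lets an administrator read the current interception mode back as an audit check. The registry path is the one given above; the service name is a placeholder assumption that you must replace with the name your CA ControlMinder installation registers.

```powershell
# Added example (not from the CA ControlMinder documentation). Toggles the
# SurrogateInterceptionMode registry value described in step 1 and verifies
# the write before the product is restarted.
# ASSUMPTION: $ServiceName is a placeholder; substitute the service name your
# CA ControlMinder installation registers. The key path is the one on the page.

$RegPath   = 'HKLM:\SOFTWARE\ComputerAssociates\AccessControl\SeOSD'
$ValueName = 'SurrogateInterceptionMode'

function Get-SurrogateInterceptionMode {
    # Returns the current value (0 = user mode, 1 = kernel mode),
    # or $null when the value has never been set.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-SurrogateInterceptionMode {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # 1 = kernel mode interception, 0 = user mode only (the default)
        [Parameter(Mandatory)][ValidateSet(0, 1)][int]$Mode,
        # PLACEHOLDER: replace with the actual CA ControlMinder service name
        [string]$ServiceName = 'CA-ControlMinder-Service-Placeholder'
    )

    $current = Get-SurrogateInterceptionMode
    if ($current -eq $Mode) {
        Write-Verbose "$ValueName is already $Mode; nothing to do."
        return $current
    }

    if ($PSCmdlet.ShouldProcess("$RegPath\$ValueName", "set to $Mode")) {
        # Step 1a: stop CA ControlMinder so the new mode is read on restart.
        Stop-Service -Name $ServiceName -ErrorAction Stop

        try {
            # Step 1b: write the DWORD; -Force creates or overwrites the value.
            if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
            New-ItemProperty -Path $RegPath -Name $ValueName -Value $Mode `
                -PropertyType DWord -Force | Out-Null

            # Read the value back and fail loudly if the write did not take.
            $actual = Get-SurrogateInterceptionMode
            if ($actual -ne $Mode) {
                throw "Expected $ValueName=$Mode, found '$actual'"
            }
        }
        finally {
            # Step 1c: restart CA ControlMinder whether or not the write
            # succeeded, so the host is never left without interception.
            Start-Service -Name $ServiceName
        }
        return $actual
    }
}

# Usage (elevated prompt): enable kernel mode interception, then confirm.
# Set-SurrogateInterceptionMode -Mode 1 -ServiceName '<your service name>' -Verbose
# Get-SurrogateInterceptionMode
```

Run the script with `-WhatIf` first to see which key it would change without stopping the service. The read-back check matters because a silently failed registry write would leave the host in user mode interception while the operator believes kernel mode is active.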

Example: Permit Any Impersonation Request

The following selang rule lets any user impersonate another user, unless a record in the database explicitly prevents the impersonation:

editres SURROGATE _default defaccess(READ)

Example: Prevent Impersonation of a Specific User

The following selang rule prevents any user from impersonating Administrator, unless a record in the database explicitly permits the impersonation:

newres SURROGATE USER.Administrator defaccess(NONE)

Example: Permit a Group to Impersonate a User

The following rule permits members of the Administrators group to impersonate Administrator:

authorize SURROGATE USER.Administrator gid("Administrators")