PIM/PAMSC All:PROGRAM class does not work on Windows 2016
Article ID: 129665
Updated On:
Products
CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)
Issue/Introduction
User tried to test for PROGRAM class rule. But it does not work on it. And also, audit log is not recorded access event.
Rules:
setoptions class+(PROGRAM)
er PROGRAM ('C:\Windows\System32\notepad.exe') owner(nobody) defacc(none) blockrun- audit(a)
authorize PROGRAM ('C:\Windows\System32\notepad.exe') access(EXECUTE) uid('hostname\\Administrator')
The rule is affected on another server which is running on 2012 R2.
Rules:
setoptions class+(PROGRAM)
er PROGRAM ('C:\Windows\System32\notepad.exe') owner(nobody) defacc(none) blockrun- audit(a)
authorize PROGRAM ('C:\Windows\System32\notepad.exe') access(EXECUTE) uid('hostname\\Administrator')
The rule is affected on another server which is running on 2012 R2.
Environment
OS: Windows Server 2016
Prod: CA Privileged Access Manager r14.0 CR1 for Endpoint
Prod: CA Privileged Access Manager r14.0 CR1 for Endpoint
Cause
I compared setting on normal and problematic server. Then I found FILE class is disabled at the problematic server.
When I check behavior with tracer's log, PROGRAM class check is triggered by FILE access.
It is not caused by difference between OS and PIM/PAMSC version.
When I check behavior with tracer's log, PROGRAM class check is triggered by FILE access.
It is not caused by difference between OS and PIM/PAMSC version.
Resolution
FILE class need to enable to work PROGRAM class.
Feedback
Yes
No
Powered by
