PIM/PAMSC All: PROGRAM class does not work on Windows 2016

Article ID: 129665

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)

Issue/Introduction

A user tested a PROGRAM class rule, but the rule does not work. In addition, the access event is not recorded in the audit log.
Rules:
  setoptions class+(PROGRAM) 
  er PROGRAM ('C:\Windows\System32\notepad.exe') owner(nobody) defacc(none) blockrun- audit(a) 
  authorize PROGRAM ('C:\Windows\System32\notepad.exe') access(EXECUTE) uid('hostname\\Administrator')
The same rule takes effect on another server, which is running Windows Server 2012 R2.

Environment

OS: Windows Server 2016
Product: CA Privileged Access Manager r14.0 CR1 for Endpoint

Cause

I compared the settings on the working server and the problematic server, and found that the FILE class is disabled on the problematic server.
When I checked the behavior in the tracer log, the PROGRAM class check is triggered by FILE access.
The issue is not caused by a difference in the OS or the PIM/PAMSC version.

Resolution

The FILE class needs to be enabled for the PROGRAM class to work.