The principle of least privilege is the concept that any user, program, or process should have only the bare minimum privileges needed to complete a job. We often see customers who practice this principle face challenges such as:

  • A non-privileged user requires a privilege to complete a task in a specific tool, timeslot, or file location.
  • A normal user wants to install software to help optimize their work streams.
  • A non-privileged program or process needs to access or save data in a specific location that requires privilege.

For situations like these, IT admins often end up going to the user’s desk (or connecting via a remote session) and using their own credentials to help the user complete the task. This can be time consuming and create security risks.

To help customers better manage privileges without compromising security, Citrix has introduced privilege elevation for Citrix Workspace Environment Management (WEM). With this feature, all end users can be assigned a minimum level of privilege, and Citrix WEM admins can elevate that privilege to enable users to get specific tasks done. Every elevation execution is recorded to support auditing.

How to Enable Privilege Elevation in Citrix WEM

To enable privilege elevation in Citrix WEM, go to the WEM service console and choose Security → Privilege Elevation. The screenshot below shows the console for user-elevation control. By clicking Process Privilege Elevation Settings, you can enable or disable the feature. For customers who want to keep elevation only for desktop OSs, select Do Not Apply to Windows Server OSs. With that option selected, the elevation rules assigned to users are not applied when those users connect to Windows Server machines.

Configure for Elevation Control

To configure privilege elevation in your organization, we recommend using the wizards shown below. The basic options in Citrix WEM include:

  • Three types of elevation rules, based on path, publisher, or file hash.
  • The Apply to Child Processes option, which lets you control inheritance by choosing whether child processes inherit the elevation.
  • Start Time and End Time, which let you allow privilege elevation only during a specific period of time.

Let’s look at these options:

File-based rules are the simplest because the only input needed is the path of the executable.

For a publisher rule, an asterisk (*) in any field — publisher, product name, file name, file version, etc. — makes that field match any value. For example, if you configure only the file name as shown in the screenshot below, the elevation will apply to every item that shares that file name and will ignore details like publisher, product name, and file version.

For rules based on file hash, the file name and the hash value are the basic inputs. Tools like AppInfoViewer can create the hash from a selected file or folder.

Auditing Privilege Elevation Actions

To ensure every privilege elevation is tracked, Citrix WEM provides a log of elevations to support auditing. Go to Administration → Logging and filter the “Action” field by “ElevationControl”. You’ll have access to the entire privilege elevation execution history. The screenshot below shows where to find the log.

To learn more about the latest features in Citrix WEM, including the new privilege elevation feature, check out our product documentation, and please share your feedback in the comments below.