The Elevation Control feature in Workspace Environment Management (WEM) helps customers to secure their delivery infrastructure. With it, IT admins can minimize the privileges they have to assign to users and groups, including admin privileges.

Among the feedback and suggestions we have heard from customers since launching the feature was that it could only target executable binaries, not command-line parameters. Parameter matching is typically needed when you want to elevate a process like cmd.exe to run known scripts, but not other scripts or the cmd.exe shell itself.

With our recent WEM cloud release, the Elevation Control feature now lets a rule match a process on both the target binary and its command-line parameters. With this enhancement, IT admins can use a single rule to allow users to run specified scripts, but not the script shell itself. This lets end users with standard user rights execute approved scripts to achieve their business goals. For example, an admin can enable users to run a report-generating script named SecureScripts.bat located at $SOME_WHERE_SAFE by matching the command line cmd.exe $SOME_WHERE_SAFE\SecureScripts.bat.

WEM GUI to provision elevation rules with parameters
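
As an added illustration (not Citrix code, and not a description of how the WEM agent matches rules internally), the following Python model contrasts a binary-only rule with a binary-plus-parameters rule for the cmd.exe case above. The names ElevationRule and should_elevate, the path C:\SafeScripts standing in for $SOME_WHERE_SAFE, and the whole-string, case-insensitive parameter comparison are all assumptions made for the example.

```python
import ntpath
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ElevationRule:                  # hypothetical model, not a WEM data structure
    binary: str                       # full path of the executable the rule targets
    parameters: Optional[str] = None  # None models the earlier binary-only rule

def _norm_path(path: str) -> str:
    # Windows paths are case-insensitive; also collapse "." and ".." segments.
    return ntpath.normcase(ntpath.normpath(path))

def _norm_params(params: str) -> str:
    # Assumption: ignore case and runs of whitespace, nothing else.
    return " ".join(params.split()).lower()

def should_elevate(rule: ElevationRule, binary: str, params: str) -> bool:
    if _norm_path(binary) != _norm_path(rule.binary):
        return False
    if rule.parameters is None:
        return True  # binary-only: every use of the binary is elevated
    # Whole-string comparison. A prefix or substring test would also accept
    # longer command lines that merely begin with the approved one.
    return _norm_params(params) == _norm_params(rule.parameters)

CMD = r"C:\Windows\System32\cmd.exe"
APPROVED = r"C:\SafeScripts\SecureScripts.bat"  # constructed stand-in path

BINARY_ONLY = ElevationRule(CMD)
WITH_PARAMS = ElevationRule(CMD, APPROVED)

# Constructed sample launches: (binary, parameters)
LAUNCHES = [
    (CMD, APPROVED),                      # the approved script
    (CMD, ""),                            # the bare cmd.exe shell
    (CMD, r"C:\Users\alice\other.bat"),   # some other script
    (CMD, APPROVED + " extra-argument"),  # approved script plus extra text
]

def evaluate(rule: ElevationRule) -> list:
    return [should_elevate(rule, b, p) for b, p in LAUNCHES]

if __name__ == "__main__":
    for name, rule in (("binary only", BINARY_ONLY), ("with parameters", WITH_PARAMS)):
        print(name, evaluate(rule))
```

The rule is only as strong as the protection on the script it names: standard users should have no write access to the script file or the folder that holds it.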

Another challenge IT admins faced was allowing users to install MSI-based software. The Elevation Control feature initially targeted only executable binaries, even though all MSI packages are installed by the same binary, msiexec.exe. With our most recent update, we introduced Elevation Control for MSI, enabling admins to create rules that apply only to the identified MSI packages (similar to the rules for executable binaries). This gives end users more flexibility to install their own software in a format other than executable binaries.

New WEM tab under Privilege Elevation for MSI package rules

The MSI-based rule allows admins to create rules that pertain only to the target MSI package, using the same rule types as for executable binaries: Path, Hash, and Publisher. The existing time restriction still applies, so the elevation action can be limited to a defined time frame (for example, only during office hours).

WEM GUI to provision elevation rules for MSI package

With these updates, customers can make more efficient use of the Elevation Control feature as they apply their enterprise security policies and further strengthen their security posture. And more is in store as we work on other features to expand the toolset for IT admins even further.

Your suggestions and feedback are critical to helping us add even more value to WEM. If you haven’t tried Workspace Environment Management, please check it out in the Citrix Virtual Apps and Desktops service or as an on-premises offering.