How Elevation Control Works

3 min. read | Last update: 07.10.2025

Overview

This article covers the technical details of how the ThreatLocker agent works between the Portal and the local computer to elevate an application's permissions as configured in the respective Allowlisting policies. It also covers the technical details of how the ThreatLocker agent enforces Elevation Control policies (not Allowlisting policies) that dictate local administrator account removal.

What Does Elevation Control Do?

Elevation Control extends across two major functions:

  1. Elevating permissions: ThreatLocker elevates permissions selectively for certain applications or files by applying Elevation Control to Allowlisting policies. Policies can be configured with Elevation Control directly, or modified indirectly in response to Elevation requests. Additionally, the Elevation Maintenance Mode may be applied to a computer, granting elevated privileges to all applications executed within that Maintenance Mode's time frame.
  2. Local administrative account management: ThreatLocker gives Portal users visibility into administrator user accounts on the ThreatLocker-enabled computers across their Organizations (through the dedicated Elevation Control Portal page, not through Elevation Control conditions on Allowlisting policies). Administrator accounts visible in the Portal can then be removed individually from their respective local administrator groups. Alternatively, policies may be configured to automatically remove all local administrator accounts on a computer except those specifically excluded.

Elevating Permissions

The ThreatLocker service calls a custom binary, in place of the native Windows system binary consent.exe, every time an attempt is made to execute an application with administrative privileges. The User Account Control (UAC) process continues, but ThreatLocker, rather than Windows, is now responsible for brokering the consent step. The custom binary gathers the requested application's path and the requesting user's SID, which the ThreatLocker service compares against existing Allowlisting policies. Elevation attempts that do not match an Allowlisting policy cause the agent to serve a custom UAC prompt so the user may submit an Elevation Request.

Once approved, the custom binary will create a Windows administrator access token to replace the user’s standard Windows access token. The ThreatLocker service will use the token to continue the UAC consent process on the user’s behalf. The administrative token will remain valid for as long as the application remains open. A new administrative token will be generated and granted each time the application is executed with administrative privileges as long as the time frame specified in the Elevation approval request or associated Allowlisting policy has not expired.

Local Administrative Account Management

Local administrator user objects displayed within the Local Administrators tab of the Elevation Control module are updated automatically as part of the agent's regular check-ins to the Portal. Changing the membership of the local administrators group generates certain Windows system event logs, which trigger the ThreatLocker service to enumerate the contents of the group. The service then sends those changes to the Portal.

When removing an administrator account through the Elevation Control Portal page's Local Administrators tab or the Policies tab, the Portal instructs the associated agent to enumerate the contents of the local administrators group and compare them against the Portal's updated list of administrator accounts. Any accounts that do not match the updated list of accounts in the Portal are removed if they meet eligibility requirements.

Eligibility requirements include:

  • The account to be removed from the administrators group is in at least one other group with the "Allow log on locally" GPO right.
  • The account is not the domain administrator.
  • The account is not the built-in administrator account.
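
The following PowerShell is an added example, not ThreatLocker's agent code, illustrating the two mechanisms described above: enumerating the local Administrators group (and the Security-log events that record membership changes, which are the kind of events that prompt the agent's re-enumeration), and a dry-run evaluation of which current members a "keep only these accounts" policy would be permitted to remove under the eligibility rules listed. It assumes an elevated session on a Windows host; `$KeepAccounts` and the `CONTOSO` names are constructed sample values, and the "Allow log on locally" check is read from a `secedit` export rather than from any ThreatLocker data.

```powershell
# Added example (not ThreatLocker code). Assumes an elevated PowerShell session on Windows.

# Enumerate the built-in Administrators group by its well-known SID (S-1-5-32-544),
# so the check works regardless of the localized group name.
function Get-LocalAdminMembers {
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Select-Object Name, ObjectClass, PrincipalSource, SID
}

# Membership changes to security-enabled local groups are logged as Security event
# 4732 (member added) and 4733 (member removed). Listing them is the defender's view
# of the trigger the article describes.
function Get-LocalGroupChangeEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4732, 4733
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Principals granted "Allow log on locally" (SeInteractiveLogonRight), taken from a
# secedit export of the effective user-rights assignments. Entries are SIDs prefixed
# with '*' (or plain names); a group SID here means "members of that group".
function Get-AllowLogOnLocallyPrincipals {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -like 'SeInteractiveLogonRight*' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}

# Dry run: report which Administrators members a policy that keeps only $KeepAccounts
# would remove, applying the article's eligibility rules:
#  - skip the built-in Administrator and the domain Administrator (both RID 500)
#  - require membership in at least one other group holding "Allow log on locally"
# Nothing is changed; the function only reports Remove/Skip decisions.
function Get-RemovalCandidates {
    param([string[]]$KeepAccounts)
    $logonLocally = Get-AllowLogOnLocallyPrincipals
    foreach ($m in Get-LocalAdminMembers) {
        if ($KeepAccounts -contains $m.Name) { continue }
        $sid = $m.SID.Value
        if ($sid -match '-500$') {
            [pscustomobject]@{ Name = $m.Name; Action = 'Skip'; Reason = 'built-in or domain Administrator' }
            continue
        }
        # Other local groups that both contain this principal and hold the logon right.
        # (Domain-group membership of domain principals is not resolved here; assumption.)
        $otherGroups = Get-LocalGroup | Where-Object { $_.SID.Value -ne 'S-1-5-32-544' } |
            Where-Object {
                $g = $_
                $isMember = Get-LocalGroupMember -SID $g.SID -ErrorAction SilentlyContinue |
                    Where-Object { $_.SID.Value -eq $sid }
                $isMember -and ($logonLocally -contains $g.SID.Value -or $logonLocally -contains $g.Name)
            }
        if ($otherGroups) {
            [pscustomobject]@{ Name = $m.Name; Action = 'Remove'; Reason = "also in $($otherGroups.Name -join ', ')" }
        } else {
            [pscustomobject]@{ Name = $m.Name; Action = 'Skip'; Reason = 'no other group grants Allow log on locally' }
        }
    }
}

# Constructed sample policy (hypothetical account names): keep only these in Administrators.
$KeepAccounts = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Domain Admins')
Get-RemovalCandidates -KeepAccounts $KeepAccounts | Format-Table -AutoSize
Get-LocalGroupChangeEvents -Hours 24 | Format-Table -AutoSize
```

Running the script produces a table of Remove/Skip decisions without touching group membership, which is the useful form for validating an exclusion list before turning on automatic removal: an account that shows `Skip` with "no other group grants Allow log on locally" is one that the removal rules would leave in place, so it should be excluded explicitly or moved into a group such as Users first. Event IDs 4732 and 4733 are also the ones to alert on if you want independent confirmation that the group only changes when the Portal instructs it to.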