
 

ConnectWise

ScreenConnect Privileged Access quick-start guide

Introduction

ScreenConnect Privileged Access™ gives partners the tools to secure, monitor, and control access across their environment. This solution can handle User Account Control (UAC) requests, and it also allows an end user to sign in to Windows with administrator privileges. Privileged Access is part of the ScreenConnect remote support platform and uses its agent to manage endpoints.


Requirements

Windows only

Currently Privileged Access is only for 64-bit Windows machines that also meet the system requirements of the ScreenConnect client ("access agent").

ScreenConnect Privileged Access extension

The Privileged Access extension is a required component that should be installed on your instance by default. If it isn't, download it from the extension marketplace.

Send a request for administrative privileges via UAC prompt

When a non-administrator user triggers a UAC prompt, the prompt shows a new option and a new icon.

Note: By default, the logo here will be the ScreenConnect logo. However, if you’ve replaced your logos, especially ApplicationIconOpaque192, you’ll see your own logo instead.

They should click Request Elevation or Yes to submit an elevation request.


Important: If you already have ScreenConnect and have added Privileged Access, this feature only appears on your end users' machines when an administrator or technician connects to them. To turn on this feature for your end users, see our article on configuring end user elevation.

Handling an elevation request

Host page: Handling an elevation request

You can also approve or deny an elevation request from the Host page. When an elevation request is received, the request appears on the Messages tab. The request includes information such as:

  • Program name
  • Publisher name
  • Certificate thumbprint
  • File path
  • File SHA-256
  • User
  • User groups


For each elevation prompt, there are three icons in the upper right hand corner of the block. 

  • The first icon shows the raw data of the elevation request.
  • The second creates a new Privileged Access rule for auto approvals, auto elevations, and auto denials of different applications. 
  • The third is an integration with VirusTotal to help determine if a file is malicious.

Run a VirusTotal scan

Click the icon to link to a VirusTotal report. 


The report will open in a separate tab. Review the report.


Approve or deny a request

After reviewing these request details, click Approve or Deny.


For each requested elevation prompt, there are two icons in the upper right hand corner of the block. 

  • The first creates a new Privileged Access rule for auto approvals, auto elevations, and auto denials of different applications. 
  • The second is an integration with VirusTotal to help determine if a file is malicious.

Note: By default, applications are granted elevated privileges to run as the Windows logged-in user. 

ScreenConnect host client

If you purchased Privileged Access with ScreenConnect remote support software, you can respond to elevation requests while you're connected to a machine.

If you connect to a machine with a UAC request and you have the RespondToElevationRequest permission, you can approve, deny, or dismiss an elevation request yourself by clicking the banner in the ScreenConnect host client.


Using temporary administrator logon accounts

With this feature, no credentials are needed to use an administrative account. The user can simply request administrative privileges for a temporary logon account.

Request a temporary Windows administrator account

1. Select the ScreenConnect logo on the Windows lock or logon screen 

From the Windows lock screen or logon screen, select the ScreenConnect logo.

Note: By default, the logo here will be the ScreenConnect logo. However, if you’ve replaced your logos, especially ApplicationIcon32, you’ll see your own logo instead.

2. Submit your request

Click the arrow or press the enter key to submit your request.

3. Wait for approval

Once you’ve submitted your request, your administrator will receive your message and approve or deny the request.


Handling temporary administrator account requests

From the ScreenConnect host client

If you purchased ScreenConnect, you’re connected to a remote machine, and you have the permissions, you can respond to an administrative logon request yourself by clicking the banner in the host client.


 

From the Host page

On the Host page, you’ll see a new message in the Messages tab that includes the request for administrator privileges. Click Approve or Deny to handle the request.


Create auto-approve, auto-elevate, and auto-deny rules

For elevation requests, you can create auto-approve, auto-elevate, and auto-deny rules straight from the elevation prompt alert or the elevation request. 

Important: Users must have the Administrator permission in order to create rules.

1. Click the second icon in the upper right hand corner of an Encountered Elevation Prompt block or Requested Elevation block.


This opens the Create Privileged Access Rule window.


2. Select an action

Select an action from the list. 

  • Auto-elevate – Automatically elevate an application without a user request
  • Auto-approve – Automatically approve an elevation request
  • Auto-deny – Automatically deny an elevation request

3. Select conditions for the rule

Click a condition to select it. For a full list of conditions, switch the view from Show Popular Conditions to Show All Conditions.

4. Name your rule

Use an automatically-generated name, or switch off the Auto-generate option to type in your own name. 

5. Click Create

Click Create to finish your rule. 

Tip: To edit or delete the rule, navigate to the Administration > Triggers page. 

New default triggers

By default, Privileged Access can send emails whenever an administrative logon request or an elevation request is made. Privileged Access includes two new triggers on the Administration > Triggers page:

  • Notify when an administrative logon request is sent
  • Notify when an elevation is sent

These two triggers will send an email to the default "To" address on the Administration > Mail page.

Auditing elevation prompts, requests, and responses

From the Audit page, you can view each elevation event and its resulting data.

New session events

New session events are included in the Session Event Filter. Select the Session Event Filter menu and select from these new session events towards the bottom of the menu.

The new session events are:

| Session event | Definition | Example data |
| --- | --- | --- |
| EncounteredElevationPrompt | An elevation prompt appeared for the user | Data: #command_line="C:\Users\Joe\Desktop\vlc-3.0.17.4-win64.exe" #file_path=C:\Users\Joe\Desktop\vlc-3.0.17.4-win64.exe #file_size=43524776 #file_sha256=fda8cbf2ee876be4eb14d7affca3a0746ef4ae78341dbb589cbdddcf912db85c #signature_valid=true #signature_publisher=VideoLAN #certificate_thumbprint=bcb40c7d23c9db41766c780b5388fb70f3d570bf; Process: Guest; Address: xxx.xx.xx.xx |
| RequestedElevation | The user requested elevation | Process: Guest; Address: xx.xxx.xx.xxx |
| RequestedAdministrativeLogon | The user requested to log in with administrator privileges | Process: Guest; Address: xx.xxx.xx.xxx |
| ApprovedRequest | A ScreenConnect user with the RespondToElevationRequest or RespondToAdministrativeLogonRequest permissions approved the request. | Host: Cloud Account Administrator; Process: Unknown |
| DeniedRequest | A ScreenConnect user with the RespondToElevationRequest or RespondToAdministrativeLogonRequest permissions denied the request. | Host: Cloud Account Administrator; Process: Unknown |
| AbortedRequest | The user canceled the elevation request. | Process: Guest; Address: xx.xxx.xx.xxx |
| QueuedCredentialProviderProceed | Automatically take an action without waiting for an elevation request | |
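When reviewing exported audit data, the Data field of an EncounteredElevationPrompt event can be split into its fields and checked before anyone approves a request or writes an auto-approve rule. The following is an added example, not ConnectWise code: the field syntax is inferred only from the single example row above, and the triage criteria, function names, and the second sample event are assumptions made for illustration.

```python
import re

# '#key=' markers delimit fields; values may be quoted or contain spaces.
_KEY = re.compile(r'(?:^|\s)#([a-z0-9_]+)=')
# Illustrative triage criteria (assumptions, not ScreenConnect rule conditions).
_USER_WRITABLE = re.compile(r'^[a-z]:\\(users|programdata|windows\\temp)\\', re.I)
_SHA256 = re.compile(r'^[0-9a-f]{64}$', re.I)

def parse_event_data(data):
    """Split '#key=value #key=value ...' into a dict of strings."""
    marks = list(_KEY.finditer(data))
    fields = {}
    for i, m in enumerate(marks):
        # A value runs to the next ' #key=' marker, so an unquoted path
        # containing spaces is kept whole instead of cut at the first space.
        end = marks[i + 1].start() if i + 1 < len(marks) else len(data)
        value = data[m.end():end].strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # drop quotes that wrap the whole value
        fields[m.group(1)] = value
    return fields

def triage(fields):
    """Return reviewer flags for one elevation prompt."""
    flags = []
    if fields.get('signature_valid', '').lower() != 'true':
        flags.append('signature-not-valid')
    if not fields.get('signature_publisher'):
        flags.append('no-publisher')
    if _USER_WRITABLE.match(fields.get('file_path', '')):
        flags.append('user-writable-path')
    if not _SHA256.match(fields.get('file_sha256', '')):
        flags.append('no-sha256')
    return flags

# The page's own example data.
PAGE_EXAMPLE = (r'#command_line="C:\Users\Joe\Desktop\vlc-3.0.17.4-win64.exe" '
                r'#file_path=C:\Users\Joe\Desktop\vlc-3.0.17.4-win64.exe '
                r'#file_size=43524776 '
                r'#file_sha256=fda8cbf2ee876be4eb14d7affca3a0746ef4ae78341dbb589cbdddcf912db85c '
                r'#signature_valid=true #signature_publisher=VideoLAN '
                r'#certificate_thumbprint=bcb40c7d23c9db41766c780b5388fb70f3d570bf')
# Constructed event: spaces in the unquoted path, arguments, no valid signature.
CONSTRUCTED = (r'#command_line="C:\Program Files\Tool Suite\setup.exe" /quiet '
               r'#file_path=C:\Program Files\Tool Suite\setup.exe '
               r'#file_size=1024 #file_sha256=' + 'ab' * 32 + ' #signature_valid=false')

if __name__ == '__main__':
    for data in (PAGE_EXAMPLE, CONSTRUCTED):
        print(parse_event_data(data)['file_path'], triage(parse_event_data(data)))
```

The page's example is validly signed but runs from a user profile directory, so it is flagged for its path only; a rule for it is better tied to the publisher, thumbprint, or SHA-256 fields than to the path.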

 


 

Edit Privileged Access settings

To edit Privileged Access settings, navigate to the Administration > Privileged Access page. See our article on the Privileged Access extension for more information, or browse our knowledge base.