PURPOSE A Just-In-Time, Privilege Access Management software called Auto Elevate is being installed on users’ devices soon. This allows known software installations to occur, vet new installations against a virus database to ensure no known viruses are installed and prevents users from unknowingly letting a hacker into the Mister network. VIDEO PROCESS How it works: These tools are rules-based. Only actions that do not pass the rule are flagged and sent to an IT administrator for review. This reduces our security risk without getting in the way of users’ day-to-day business operations. There does need to be a response by an administrator in IT to approve a request that does not have a pre-set rule. Continue reading for some situations that users may encounter. When a program or function already has a rule in place User opens program or performs function. The User Account Control (UAC) prompt is intercepted by Auto Elevate to check for and find an existing rule that allows the process to continue. See below for an example prompt. Auto Elevate enters administrative credentials into the UAC prompt, requiring no user intervention. Once the above occurs, the program then opens, or the task continues. When a program or function does not have a rule in place User opens program or performs function. The UAC prompt is intercepted by Auto Elevate and checks for an existing rule that matches the request but does not find one. The user is presented with a confirmation dialog box, see below for an example. This allows the user to verify what is being attempted on their device (program or function). Selecting No: cancels the action Selecting Yes: sends a request to the Auto Elevate administrators. When a user selects yes, they are presented with a dialog box, see below for an example. The dialog box lets the user know that their request has been submitted and the program administrator is reviewing their request. If the timer reaches 0:00, the user is presented with the message below, reassuring them that their request has been submitted. When a users’ request is denied: If the request has been denied, the user is presented with the dialog box below informing them and providing next steps. When a users’ request is approved: If the request is allowed, the user is presented with the dialog box, see example below. The user must then select “OK” to launch the program or perform the function. When a program or function has a deny in place: If a user attempts to open a program or perform a function that has been denied in the past, they are presented with an immediate denial. See the dialog box below for an example message.

PURPOSE Provide users an FAQ document for the Auto Elevate program. PROCESS What is User Account Control (UAC)? User Account Control was introduced by Microsoft as a solution to the problem of giving all users administrative rights all the time. Users running with a ‘standard’ level of access can perform their day-to-day functions and can supply administrative account rights when required by specific processes. The separation means that if a standard user account is compromised or an attacker gets access to a system directly, they still should not have the access to make changes or install software. When would a user see a UAC prompt? Most actions that will cause a change to the way a system works will cause a UAC prompt. Most of these settings will have a yellow and blue shield icon to indicate that it will require elevation. EXAMPLE: See the date and time button with a shield icon The frequency with which each user is required to click though a UAC prompt varies by role. The normal user gets them infrequently, as our software installations and system settings change rarely. When would a user start to see Auto Elevate intercept UAC prompts? This will vary by use cases and departments. When Auto Elevate is initially installed, it will run in audit mode. This mode reports UAC events back to the administrators without preventing the actions of the users. We will monitor the events and create rules ahead of locking down the systems and processes they already use daily. Once we move to live mode, each user will see prompts and processes as described in the user experience guide found HERE. How does the administrator know what the user is trying to run? When a request is generated, the administrator is presented with the following information: Machine data Logged in user Process being run The administrator will use this information to allow or deny the software. What does a user do when they receive a denial when they try to install a new program or change a setting? There are two reasons they could be denied: The software has been previously denied and has a rule that it is not allowed to run. Denials by rules do not alert the Auto Elevate administrators. If you believe you need the setting changed or a program installed, submit a ticket through the service desk. An administrator denied the process as a one-time event Expect one of the Auto Elevate administrators to contact the user directly. A denial means that the admin found the process suspicious enough to stop it. The admin will help users fix the problem, or get the appropriate software installed.