|
|
|
Miscellaneous
The miscellaneous access rights are set up in a similar manner to the access rights for services. Select Miscellaneous in the middle pane for the Administrator Tool to display the selected application group's access rights in the pane on the right.
Seven access types are available for the selected application groups. To change a setting for an access type, right click and select the required action on the pop-up menu. When the access type is displayed in gray it is turned off and cannot be altered. To turn it on please go to the Execution Settings (on page ) in the Edit Menu and switch the appropriate feature on.
Action |
Activity |
Allow |
All access will be granted |
Monitor |
All access requested of this type will be monitored |
Ask User |
The user will be asked before granting or blocking access |
Prevent |
All access requests will be automatically blocked and monitored. |
In addition to the six access types you can also set a memory and a Windows number limit.
System shutdown
When this option is set, no system shutdown requests will be allowed to the selected application
System low level access
When this option is set, a number of unusual application requests are not allowed from the selected application.
The following functions are blocked every time, if system low level access is prevented:
- AdjustTokenPrivileges
- SetFileSecurity
- SetKernelObjectSecurity
- SetServiceObjectSecurity
- SetSecurityInfo
- SetNamedSecurityInfo
- SetUserObjectSecurity
- CreateProcessAsUser
- CreateProcessWithLogonW
- SHCreateProcessAsUserW
The following function calls are blocked should they target different then current process:
- WriteProcessMemory
- CreateRemoteThread
- VirtualAllocEx
- VirtualProtectEx
Dangerous device access
When this option is set, access rights requests, (e.g. reformat hard drive) are not allowed from the selected application.
Following device accesses are blocked:
- Dismount volume
- Lock volume
- Set compression
- Unlock volume
- Disk eject media
- Disk format tracks
- Disk load media
- Disk media removal
- Disk reassign blocks
- Disk set drive layout
- Disk set partition info
- Disk verify
- Serial lsrmst insert
Clipboard access
This option can prevent an application to copy data into or paste from the clipboard
Simulate Keystrokes
This option can prevent an application from simulating keystrokes, and thereby causing destructive actions on the computer.
Forced process / thread termination
With this option is enabled all thread and process manipulation of the selected application group is restricted in accordance with the set policy.
Memory limit
With this number you can limit the amount of memory the selected application can allocate for its use. The number you enter here is the number of bytes that the particular application will be allowed to allocate before TPF will reject further requests for memory allocation from the program in question.
Limiting the amount of memory an application is allowed to use can protect against various denial of service attacks.
Window number limit
With this security option, you can limit the number of windows the selected application can open. The number you enter is the number of windows or controls, which the application will be allowed to open before TPF will reject further requests to open new windows from the program.
Limiting the number of windows an application is allowed to open will protect a program against various denials of service attacks.
Activating of changes / settings
Memory and Windows quotas become active after the application in question is restarted.