Trusted App Protection (TAP) in Privilege Management for Windows (2023)

TAP (Trusted Application Protection) policies include work styles, application sets, and messages to provide an additional layer of malware protection for trusted business applications and protect them from exploit attempts.

TAP's policies apply increased protection to key business applications, including Microsoft Office, Adobe Reader, and web browsers, which are commonly exploited for malicious content. Prevent these apps from launching unknown payloads and potentially risky apps like PowerShell. It also provides protection by preventing these applications from loading untrusted DLL files, another common malware technique.

During our research, we discovered that malware attack chains often aim to remove and launch an executable or hijack a native Windows application such as PowerShell. Using a TAP policy prevents these attacks and complements existing anti-malware technologies by preventing an attack from being launched without relying on detection or reputation.

The trusted application protection policy that you choose is placed at the beginning of the work styles, so it is evaluated by default as the first work style. Once a work style action is activated, subsequent work styles in that process are not evaluated.

work styles

  • Reliable application protection – high flexibility (depending on the TAP policy you choose)
  • Trusted Application Protection: High security (depending on the TAP policy you choose)

application groups

  • Browser
  • Browsers: Trusted Exploitables
  • Browser: Untrusted Child Processes
  • content controller
  • Content Controller - Trusted Exploits
  • Content Handler: Untrusted Child Processes

Content controllers are used to store content and non-executable files.


  • block message

Summary of policies to protect trusted applications

TAP policies allow you to control which child processes can run TAP applications.

There are two policies to choose from:

  • high flexibility
  • high security

You should choose the highly flexible policy if you have users who need to download and install or update software. You should select the high security policy if your users do not need to download, install, or update any software.

Strong security policy verifies that all child processes have a trusted publisher, trusted owner, source URL, or abeyond trustZone ID tag, while the high flexibility policy only validates immediate child processes, allowing a wider range of installers to run. If the child processes do not meet any of these four criteria, their execution is blocked. Known vulnerabilities are also blocked by both TAP policies.

Installers that spawn additional child processes will be blocked by the TAP (high security) policy if those child processes use applications that are on the TAP ban list but can run with the TAP (high flexibility) policy. For more information, seeTrusted Application Protection Block List.

trusted publisher

  • A trusted publisher must be signed. Additionally, the issuer's certificate must be valid, current and not revoked.

trusted owner

  • A trusted owner is any owner who is in the standard Windows groupsadministrators,User of the system, otrusted installer.


  • The source URL must exist. This is browser specific.

beyond trustZone Identification Label

  • Thatbeyond trustThe zone mark must be present. This applies when the browser applies an Alternate Data Stream (ADS) tag. This is browser specific.

Also, all blacklisted processes are blocked, regardless of their publisher and owner.

The TAPpolicy model affects the following applications:

  • Microsoft Word
  • Microsoft Excel
  • Microsoft PowerPoint
  • Microsoft Editor
  • Adobe Reader 11 e inferior
  • Adobe Reader CC
  • Microsoft Outlook
  • Google Chrome
  • Mozilla Firefox
  • Microsoft Internet Explorer
  • Microsoft Edge (versiones Legacy y Chromium)

TAP applications and their child processesmust meet all criteriawithin the configuration provided in the policy enforcement groups for the applicable TAP policy.

You can configure TAP process control by importing the TAP template. TAP also has reports.

For more information, see:

  • To get a list of blocked processes,Trusted Application Protection Block List
  • Trusted Application Protection Reports

Trusted Application Protection Priority

The TAPWorkstyle you choose will be placed at the top of your list of workstyles when you import the policy template. This is because it is better to run as a priority rule. This ensures that child processes of TAP applications (policy dependent) do not have a trusted publisher, trusted owner, source URL, orbeyond trustZone identifier tags are blocked from executing and known exploits are blocked.

The Trusted Application Protection work style is evaluated first by default. Once a work style action is activated, subsequent work styles in that process are not evaluated.

Change policies to protect trusted applications

Both Trusted Application Protection (TAP) policies (high flexibility and high security) protect against a variety of attack vectors. The approaches listed here can be used in any TAP policy if you need to change the TAP policy to address a specific use case that is blocked by a TAP policy.

The TAP (high security) policy is, by design, more secure and less flexible because it blocks all child processes of a trusted application that does not have a trusted owner, trusted publisher, source URL, orbeyond trustzone identifier For these reasons, a change is more likely to be required.

The TAP policy you choose should be based on your business needs and existing policies. If using a TAP policy results in a legitimate use case being blocked, there are a few things you can do to fix it.

Change the policy to Audit

You can change the application rules of the TAP (high security) policy.Plotforallow executionand change thetoken de accesoforApply default user rightsTo guaranteecreate an eventis set toAand clickOK.

Change the TAP policy toallow executioneffectively disables it. You will not be protected by a TAP policy if you make this change.

If you make this change to the four enforcement rules in the TAP (Strong Security) policy, TAP programs can run as if the TAP (Strong Security) policy had not been applied, but you can see which TAP and make events are fired based on a policy settings.

The event details include information about the application pool and TAPapplication. This allows you to collect details to understand if this is a legitimate use case. You can take some actions to bring up the legitimate use case for the TAP (high security) policy.

Use the high flexibility policy

Both TAP policies provide additional protection against a variety of attack vectors. If you are using the TAP (high security) policy, you can change to the TAP (high flexibility) policy. This is useful when you have a use case where additional child processes of TAP applications are blocked by TAP (high security) policy.

Edit match criteria

If your legitimate use case executes a specific command listed in the event, you can add it to the blocked application's match criteria. You can use the normprivilege managementfor windows match criteria likeexact matchoregular expressions.

WebEx uses a Google Chrome extension. We take this into account in the policy using matching criteria.

This criteria says:

If the parent process matches this(TAP)High Security - BrowserApplication group for all parent items in the tree.
The product description contains the stringWindows Command Processor
The command line does NOT contain\\.\tubería\chrome.nativeMessaging

The TAP (High Security) policy blocks the process.

Edit Trusted Exploit List

If your legitimate use case uses an application based onBrowsers: Trusted Exploitablesor theContent Controller - Trusted Exploitslist, you can delete them.

If you remove it from any of the lists, the TAP (high security) policy will not stop any browsers or content that uses this trusted exploit file to execute malicious content.

Remove the application from the trusted application pool

You can delete the app listed intrusted browsersoTrusted Content Controllersenumerate groups. This means that the application no longer benefits from the protection provided by any of the TAP policies.

Create a permission rule

You can also add aprivilege managementfor windowsTo allowgovern it and classify it above the TAP (High Security) policy. This allows your use case to run, but also overrides any subsequent rules that apply to that application. Therefore, it should be used with caution.

Trusted Application Protection Reports

Trusted Application Protection (TAP) is reported in reports. You can use the top-level TAP dashboard to view TAP incidents over time, broken down by TAP application type. In the same dashboard you can also see the number of incidents, targets, users and hosts for each TAP application.

Trusted Application Protection Block List

To view the list of applications that Trusted Applications cannot start when Trusted Application Protection (TAP) is enabled:

  1. ThereafterTAP High flexibilityohigh securityimported, right click on the top layerPermission Management Settingsnode and clickshow hidden groups.
  2. The list of applications can be found in the following groups:
    • (TAP) High Security – Browser – Trusted Exploitables
    • (TAP) Strong Security - Content Controller - Trusted Exploitables
    • (TAP) High flexibility – Browsers – Exploitable Reliable
    • (TAP) High flexibility – Content manager – Reliable exploitables

Use advanced parental tracking

With version 21.3 ofPermission Management for Windows, Advanced Parent Tracking (APT) tracks parent processes and increases the effectiveness of TAP policies while reducing false positives by reusing Windows PIDs.

  • If you areNoIf you are currently using a TAP policy, you must import the TAP template (high security or high flexibility) using the latest version to use this featurePermission Management for WindowsClient.
  • if you areesan existing TAP policy user and the policy was created withPermission Management for WindowsPolicy Editor 21.2 or earlier, so in order to use the APT feature you must add two new rules to the end of your TAP workstyle (high security or high flexibility).

high security

  • (TAP) High Security - Browser
    • Target Application Group: (TAP) High Security - Browsers
    • Access Token: Maintain Permissions - Advanced
  • (TAP) High security: content controller
    • Zielanwendungsgruppe: (TAP) High Security – Content Controller
    • Access Token: Maintain Permissions - Advanced

high flexibility

  • (TAP) High flexibility: browser
    • Target Application Group: Highly Flexible Browsers (TAP)
    • Access Token: Maintain Permissions - Advanced
  • (TAP) High flexibility: content controller
    • Target Application Group: (TAP) High Flexibility: Content Controller
    • Access Token: Maintain Permissions - Advanced

For each of these work styles, you should also uncheckApply standard user rights in file open/save dialogsfor each app in those app groups.

Activateshow hidden groupsto edit these work styles.


What is BeyondTrust privilege management for Windows? ›

BeyondTrust Privilege Management for Windows Servers reduces the risk of privilege misuse by assigning admin privileges to only authorized tasks that require them, controlling application and script usage, and logging and monitoring on privileged activities.

What does BeyondTrust Software do? ›

BeyondTrust (formerly Symark) is an American company that develops, markets, and supports a family of privileged identity management / access management (PIM/PAM), privileged remote access, and vulnerability management products for UNIX, Linux, Windows and macOS operating systems.

What is BeyondTrust PowerBroker for Windows? ›

PowerBroker for Windows is a privilege management solution that gives you unmatched visibility and control over physical and virtual desktops and servers. Download the white paper to learn how you can gain comprehensive control and auditing over privileged access in your Windows environment.

How do I turn off privilege management in BeyondTrust? ›

You can enable and disable Privilege Management for Unix & Linux Servers rules from the Create PowerBroker Server Policy Rules Properties dialog box. Check the Enable box to enable the rules you want to be active. Clear the Enable box to disable a rule.

Is BeyondTrust remote support spying? ›

BeyondTrust Remote Support protects data, provides oversight over all sessions, and prevents and mitigates account hijacking and lateral movement threats. The solution segments each remote support customer via single-tenant environments, so your data is never co-mingled with other customer data.

What is BeyondTrust session monitoring? ›

Session monitoring records the actions of a user while they access your password-protected managed systems. The actions are recorded in real time with the ability to bypass inactivity in the session. This allows you to view only the actions of the user.

Is BeyondTrust secure? ›

BeyondTrust has always been designed with security at the forefront. Not only is the product architecture superior from a security standpoint, the product itself includes a number of features that strengthen the security of your organization on a day to day basis.

How many companies use BeyondTrust? ›

Your Trusted Partner

We are the trusted partner for more than 20,000 customers in over 100 countries, including 75% of the Fortune 100, and a global partner community.

What is BeyondTrust privileged remote access? ›

BeyondTrust Privileged Remote Access provides visibility and control over third-party vendor access, internal remote access, and infrastructure. Organizations of all sizes leverage the solution to seamlessly extend access to important assets, while meeting rigorous security and compliance standards.

What is privilege management for Windows? ›

Privilege Manager for Windows is a 'sudo for Windows' solution that fortifies control and security of admin accounts on Windows systems. It features a number of configuration options for end-user access to the desktop admin account.

Is BeyondTrust remote support safe? ›

BeyondTrust Secure Remote Access is engineered with robust security controls and helps enable zero trust principles and architectures by enforcing least privilege, implementing segmentation, isolating assets, and monitoring and managing sessions.

Is BeyondTrust a privilege manager? ›

BeyondTrust's unified solutions offer the industry's broadest set of privileged access management capabilities with a flexible design that simplifies integrations, enhances user productivity, and maximizes IT and security investments.

What is privilege management app? ›

About Privilege Management

It ensures users have only the rights they need to fulfill their job and access the applications and controls they require, and nothing else, thus ensuring desktop stability, and improving security and productivity.

What protocol does BeyondTrust use? ›

Remote Desktop Protocol (RDP) Integrated in BeyondTrust

Natively, Microsoft Remote Desktop Protocol has no centralized management, limited identity management integration, no auditing or reporting, and no collaboration capabilities. In addition, RDP is designed for remote access on a local area network (LAN).

What is BeyondTrust support? ›

BeyondTrust Remote Support Software enables support organizations to access and support nearly any remote computer or mobile device. Troubleshoot PCs and servers, provide remote assistance, train remote employees, or perform system maintenance . . . all with the highest levels of security.

Does BeyondTrust monitor activity? ›

BeyondTrust Remote Support provides you with all the details you need for your next audit: Monitor support activity in real-time. Video recording of every remote session. Collect a detailed audit of each interaction.

How do you tell if your employer is monitoring your computer? ›

If you are curious about whether your employer-provided computer is surveilling you, one way to find out is by going to your computer's task manager or activity monitor and seeing if you can spot anything.
You and Your Computer
  1. Check your company's monitoring policy. ...
  2. Keep your work and personal devices separate.
Nov 15, 2022

Can my employer monitor my personal computer at home? ›

To monitor your home computer or a personal laptop, your employer has to obtain access. Access is required to install some kind of computer monitoring software. Remote desktop sessions do not grant any access without permission. Also your employer is not allowed to monitor your home computer without your consent.

How does BeyondTrust remote support work? ›

BeyondTrust connects support reps with remote desktops, servers, laptops and network devices wherever they are. Support reps can see the screen, control the mouse and work as if physically in front of the remote desktop, speeding time to resolution.

What is BeyondTrust remote support Jump client used for? ›

Jump Clients are used to establish a one-to-one connection between a B Series Appliance and a remote Windows, Mac, Android, or Linux system. A Jump Client must be installed on each remote system you want to access.

How does BeyondTrust Password Safe Work? ›

BeyondTrust Password Safe is an enterprise password manager software which ensures complete control and accountability over all privileged accounts within an organization. User access requests and authentications are routed through custom-defined approval rule sets.

Is BeyondTrust a VPN? ›

BeyondTrust allows you to give vendors access to your network without a VPN connection and enables security professionals to control, monitor, and manage access to critical systems by privileged users, including third-party vendors.

Is BeyondTrust Hipaa compliant? ›

Meet a Variety of Compliance Types

BeyondTrust can help your organization meet compliance requirements for a variety of types such as GDPR, PCI, HIPAA, SOX, and more!

Who owns BeyondTrust? ›

Who owns BeyondTrust? BeyondTrust is privately held by Francisco Partners, a leading technology-focused private equity firm.

Why choose BeyondTrust? ›

Control Permissions, Monitor Access, and Secure Passwords with a Centralized Platform. BeyondTrust unifies the industry's broadest set of privileged access capabilities with centralized management, reporting, and analytics, enabling leaders to take decisive and informed actions to defeat attackers.

What is BeyondTrust privileged identity? ›

BeyondTrust Privileged Identity (PI) is a password management solution that can function as a stand-alone application, or it can be integrated with BeyondTrust Privileged Remote Access (PRA) and BeyondTrust Remote Support (RS).

How does privileged access management work? ›

The Privileged Account Management portal stores the credentials of privileged accounts (such as their passwords) in a special-purpose and highly secure password vault. In addition to storing the credentials, the portal can also enforce policies regarding their conditions of access.

Why should I disable remote access? ›

Unfortunately, hackers can exploit Remote Desktop to gain control of remote systems and install malware or steal personal information. It's a good idea to keep the remote access feature turned off unless you actively need it. By default, the feature is disabled.

What are the benefits of privileged access management? ›

Privileged access management helps organizations make sure that that people have only the necessary levels of access to do their jobs. PAM also enables security teams to identify malicious activities linked to privilege abuse and take swift action to remediate risk. In digital business, privileges are everywhere.

Are remote access Trojans legal? ›

Law enforcement officials say that simply possessing a remote-access tool isn't illegal. In fact, remote-access tools are often used for IT support purposes in corporate environments. But using such tools - never mind purpose-built remote-access Trojans - for illegal purposes is a different story.

What is the purpose of privileged Access Management? ›

Privileged access management (PAM) is an identity security solution that helps protect organizations against cyberthreats by monitoring, detecting, and preventing unauthorized privileged access to critical resources.

What is privileged identity management used for? ›

Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization. These resources include resources in Azure AD, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune.

What is the risk of no privileged access management? ›

Without an identity management system to clearly partition roles and access requirements, one mismanaged account can put your entire system at risk. To make matters worse, a lack of a privileged access management system means that MSPs must worry about more than attacks from bad actors outside of the enterprise.

How are privileged accounts usually stolen? ›

How Privileged Account Passwords are Stolen. Up to 80 percent of breaches result from stolen passwords. Hackers' most preferred pathway to privilege exploitation is to steal account credentials. Hackers may use malware or social engineering to steal account information for gaining unauthorized access.

What is privileged access Windows? ›

Privileged access includes IT administrators with control of large portions of the enterprise estate and other users with access to business critical assets. Attackers frequently exploit weaknesses in privileged access security during human operated ransomware attacks and targeted data theft.

What actions are possible in privilege Manager? ›

See how Privilege Manager lets you…
  • Deploy a single agent. Discover applications with admin rights, even on non-domain machines, and apply policies.
  • Define flexible policies. ...
  • Manage / remove local admin rights. ...
  • Elevate applications. ...
  • Improve IT & end-user productivity.

How do I turn off Windows privileges? ›

Go to the Start menu (or press Windows key + X) and select Computer Management. Then expand to Local Users and Groups, then Users. Select the Administrator and then right-click and select Properties. Uncheck Account is disabled to enable it, or check it to disable it.

What are the six types of permissions in Windows? ›

There are six standard permission types which apply to files and folders in Windows: Full Control. Modify. Read & Execute.
  • create folders.
  • add new files.
  • delete files.
Sep 9, 2022

What is privileged user monitoring? ›

Monitoring Privileged Users

Track Privileged Access to Sensitive Data: Monitor all privileged user access to files and databases (including local system access), audit user creation and newly granted privileges, and restrict usage of shared-privileged accounts.

How do you access privileged Identity Management? ›

Sign in to the Azure portal. Select All services and find the Azure AD Privileged Identity Management service. Select the Privileged Identity Management Quick start. Select Pin blade to dashboard to pin the Privileged Identity Management Quick start page to the dashboard.

Which activities typically require privileged access? ›

Activities typically requiring privileged access include:
  • granting and revoking access for other users.
  • connecting to sensitive data, and.
  • configuring, provisioning, and managing infrastructure.

Should I allow remote assistance on my computer? ›

Remote access solutions could leave you vulnerable. If you don't have proper security solutions in place, remote connections could act as a gateway for cybercriminals to access your devices and data. Hackers could use remote desktop protocol (RDP) to remotely access Windows computers in particular.

Can remote access be hacked? ›

Even at home, you aren't always safe. Malicious hackers can easily hack your Wi-Fi network, take over remote access of your computer, or hack your passwords with phishing attacks. To protect your personal information, sensitive documents, and financial accounts, you need to secure your personal devices.

Can a remote be hacked? ›

Remote desktop hacks become a common way for hackers to access valuable password and system information on networks that rely on RDP to function. Malicious actors are constantly developing more and more creative ways to access private data and secure information that they can use as leverage for ransom payments.


Top Articles
Latest Posts
Article information

Author: Rev. Leonie Wyman

Last Updated: 14/12/2023

Views: 6101

Rating: 4.9 / 5 (79 voted)

Reviews: 86% of readers found this page helpful

Author information

Name: Rev. Leonie Wyman

Birthday: 1993-07-01

Address: Suite 763 6272 Lang Bypass, New Xochitlport, VT 72704-3308

Phone: +22014484519944

Job: Banking Officer

Hobby: Sailing, Gaming, Basketball, Calligraphy, Mycology, Astronomy, Juggling

Introduction: My name is Rev. Leonie Wyman, I am a colorful, tasty, splendid, fair, witty, gorgeous, splendid person who loves writing and wants to share my knowledge and understanding with you.