In a large scale deployment of Avecto Privilege Guard in conjunction with a new OS rollout, it’s not uncommon to have multiple engineers working on adding new rules to auto-elevate applications and installers. The problem is, McAfee ePO doesn’t have any decent method of locking a policy that is being edited by someone. Consider the following:

  • Engineer #1 starts to edit the current policy and adds new rules
  • Engineer #2 starts to edit the current policy a few minutes later and adds new rules
  • Engineer #1 saves the policy
  • Engineer #2 saves the policy a few minutes later, wiping out the changes by Engineer #1

At my current client, I’m seeing this happen on a near daily basis due to the fact that it’s a massive deployment, with 5 dedicated engineers working on adding new Avecto rules and troubleshooting issues. Since we’re decentralised, it’s not as easy as shouting out ‘everyone stop editing, I’m making some changes’ and people don’t read emails in a timely enough manner for that to be effective either. So I looked into how we could solve this technically. Here’s what I’ve come up with…

The following PowerShell script will monitor Internet Explorer every 5 seconds for an open Avecto policy. If one is in use, it writes the current engineer’s username to a file which should be stored on a location that all of the engineers have read / write access to. If another engineer opens a policy, they are warned via a dialog on screen that a policy is already being edited by another engineer. When the original engineer closes the policy, the file is deleted and the warning message no longer appears.


To configure, modify the line `$lockFile = "xxxxxxxxxxxxx"` to point to a UNC path that all engineers have access to.

To run, set up a scheduled task on all of the Privilege Guard engineers' machines. It should run at every user login, and the command line is: `PowerShell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "Monitor-AvectoPolicy.ps1"`

It’s a crude solution but it works well. The only downside is that it will create the lockfile / display the warning on the editing of *any* Avecto policy. This is because there’s no way to match the URL to a specific policy name. Still, if all your engineers are working on the one policy this shouldn’t be a problem.
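To make the lock-file approach above concrete, here is an added example of how such a monitor can be written. It is not Dan's Monitor-AvectoPolicy.ps1, and it assumes the ePO policy editor runs in Internet Explorer with a URL containing the fragment `Avecto` (the `$policyUrlPattern` value is an assumption to adjust for your console); the UNC lock path is a placeholder. It also adds one refinement the post does not describe: the lock is only ever deleted by the engineer who created it.

```powershell
# Added example, not the original script. Polls Internet Explorer for an open
# Avecto policy, claims a shared lock file, warns when someone else holds it.
Add-Type -AssemblyName System.Windows.Forms
$lockFile         = '\\fileserver\share\AvectoPolicy.lock'  # placeholder UNC path, replace
$policyUrlPattern = 'Avecto'                                  # assumed URL fragment, adjust
$pollSeconds      = 5
$me               = "$env:USERDOMAIN\$env:USERNAME"
$warned           = $false

function Test-PolicyOpen {
    # Enumerate open IE windows via the Shell COM object and report whether
    # any of them has a URL matching the policy editor pattern.
    $shell = New-Object -ComObject Shell.Application
    foreach ($w in $shell.Windows()) {
        if ($w.FullName -like '*iexplore.exe' -and $w.LocationURL -match $policyUrlPattern) {
            return $true
        }
    }
    return $false
}

while ($true) {
    $open  = Test-PolicyOpen
    # First line of the lock file is the owner; empty string if no lock exists.
    $owner = if (Test-Path $lockFile) { ([string](Get-Content $lockFile -First 1)).Trim() } else { '' }

    if ($open) {
        if (-not $owner) {
            # Nobody holds the lock: claim it with username, host and timestamp.
            "$me`r`n$env:COMPUTERNAME`r`n$(Get-Date -Format o)" | Set-Content $lockFile
        } elseif ($owner -ne $me -and -not $warned) {
            # Another engineer holds it: warn once per editing session.
            $warned = $true
            [System.Windows.Forms.MessageBox]::Show(
                "The Avecto policy is already being edited by $owner. Saving now will overwrite their changes.",
                'Policy already in use') | Out-Null
        }
    } else {
        $warned = $false
        # Release only a lock we own; never remove another engineer's lock.
        if ($owner -eq $me) { Remove-Item $lockFile -ErrorAction SilentlyContinue }
    }
    Start-Sleep -Seconds $pollSeconds
}
```

Because the lock is advisory and lives on a share everyone can write to, it prevents accidental overwrites but not deliberate ones, which is the same trade-off the post's script makes.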

And here’s the script itself: Monitor-AvectoPolicy

Hope this helps 🙂

Dan