Ranger for Networks conflict with RRC's Web and Application dialogs

Question

How do you configure Ranger for Networks to ignore particular Ranger Remote Control applications and/or dialogues?

Symptoms

Problem 1:
When a secured staff user tries to add an application to the banned/allowed list in RRC Tutor, Ranger for Networks considers the action as a security violation and removes the path to the executable causing the entry to fail.

 
Problem 2:
When the RRC client denied web page comes up saying you are not permitted to access this site, Ranger for Networks closes the page down as it is loading from the secured location of "c:program files/ranger remote control" which by default is an illegal path .

Cause

Of Problem 1:
Dialogue boxes when Rangers Active Drive security is enabled. Using RRC Tutor requires secured staff users to have slightly higher privileges in order for the software to fully function for example add applications to the banned list. In the past (pre Ranger for Networks 5.5x) if drive security was enabled, when the secure staff user tried to enter a path Ranger for Networks would strip it out preventing the application from being added to the list.


Of Problem 2:
Again if Ranger for Networks Active Drive security is enabled it denies access to c:. As the web page is loaded from the local c: with the path to file showing, when the denied web page is displayed the path is picked up by Ranger closing it down as a security violation.

Resolution

New in Ranger for Networks 5.5 onwards, the local security monitor can be instructed to ignore certain applications or dialogs. This new functionality provides a way to make the two products co-exist fully.

1. Configure Ranger to ignore RRC's ban application dialogue box by adding it as an exception.
   Changes need to be made in the ranger.dat file on the server.
   
2. Add an Explorer exception to Ranger, for the path c:program filesranger remote control

Instructions

Step 1: Edit the Ranger.dat file

• Add the following line "WindowMonitorExceptionscustom" to the Security Monitor Definitions section.
• Next, create a section as shown below: "WindowMonitorExceptions".
• Add your exceptions under this new section (x denotes the exception index):

          * To ignore an entire application: xApp
          * To ignore a class name: xClass
          * To ignore a particular window only: xText

The system works by checking for the existence of each part defined in the exception list, so if you ignore the app and text then both would have to be true for the program/dialogue to be ignored.

Solution Text (This sample can be copied into your copy of ranger.dat):

WindowMonitorExceptions
Count1
1AppPCINSSUI.exe
1TextApplication Properties

The above example makes Ranger ignore the "Applications Properties" dialogue box from within RRC Tutor (PCINSSUI.exe).

We would recommend, that if you have a particular dialog you want to ignore, try and find out as much information about it as possible (preferably the exename, windowclass and windowtext) and then create an exception to match on all three criteria to ensure your keep the exceptions to a minimum.

Step 2:  Add an exception to Ranger for networks title checks

• Open Ranger Administrator
• Go to EditSettingsand select the "General" tab
• Add the full path to be excluded, see example.

Example: "c:program files\ranger remote control"

Testing

Get a member of staff or someone with access to Ranger Remote Control(RRC) Tutor but who has drive security enabled. See if they can now add a banned application such as "c:windows/notepad.exe" to RRC's Banned or Allowed Application List.