News

Application Elevation, Allowlisting, and Ringfencing

Take local-admin rights away without breaking the work day. For Windows endpoints. Built for MSPs.

Local admin is the unlocked door.

Most ransomware doesn't need a zero-day. It needs a user with administrator rights and a moment of distraction. The right answer—take admin away from everyone—has been hard to deploy because removing admin breaks legitimate elevation needs: the QuickBooks update, the AutoCAD installer, the line-of-business app that touches %ProgramFiles% on every launch.

Lavawall® Application Elevation makes per-application the default unit of permission, not per-user. You build a list of what's allowed, you ringfence what's powerful, and you let your console approve everything else. Your users keep working. Your endpoints stop being the unlocked door.
14
vendor templates ready out of the box
< 50ms
cached-rule decision time on the endpoint
24h
offline grace by default — configurable
0
kernel drivers required

Three pillars, one console

Elevation, allowlisting, and ringfencing work together. None of them works alone.

Application Elevation

Replace UAC's all-or-nothing prompt with a real decision. Approve a specific binary, a specific signer, or a specific MSI. Approve once, approve for the day, or approve forever. Approve from your phone via a QR scan when you're not at the box.

Allowlisting

Built on AppLocker on Pro and Enterprise; fully software-defined on Server. Lavawall manages the policy — you manage the rules. Hashes, signers, paths, MSI ProductCodes. Audit first, enforce when you're ready.

Ringfencing

An elevated process is still a process. Prevent it from spawning child processes, touching files outside its install dir, or making outbound network connections it shouldn't. Stops the “legitimate installer downloads malware” chain cold.

How a request flows

From the user's click to your console — or a sub-second cached decision.

1
User attempts elevation

UAC prompt, MSI install, or a CLI tool requesting admin. Lavawall's helper intercepts before the prompt is rendered.

2
Local cache check

Cached rule says “allow this signer/hash/path”? Decision returned in <50ms. No network round-trip.

3
Console review (if needed)

No matching rule? Pings your console. You see the binary, signer, MSI metadata, parent-process chain, and a risk score.

4
Approve, deny, or rule-ify

One-time approval, an hour, a day — or convert to a permanent rule with one click. New bundle pushed to all endpoints.

What makes it different

Real MSI inspection

Most allowlisting tools see msiexec.exe running an MSI and call it a day — either approve every MSI or deny every MSI. Lavawall reads the MSI metadata: ProductCode, ProductName, Manufacturer, Authenticode signer. You can allow “Adobe Acrobat updaters by ProductCode” without allowing arbitrary MSIs from random vendors.

Phishing-chain detection

If a signed installer is launched by a browser or mail client, that's a phishing pattern, not a legitimate install. Rules can require the parent process to be a console or session manager, not Outlook or Chrome. Stops cert-abuse attacks where the binary is signed but the chain isn't.

Phone QR approval

Technician on a job site, user calls about an elevation prompt? Hit Ctrl+Shift+L on the user's machine. A QR appears. Technician scans it, signs in, approves. Five-minute window, HMAC-signed token, full audit.

Genuine offline grace

Endpoint can't reach the relay? Cached signed bundle keeps making decisions for up to 24 hours (configurable). Decisions log locally and replay when the connection comes back. No black hole, no bricked machines during a server outage.

Audit-first deployment

Mode 1: Audit only. Lavawall watches everything that would have been blocked, groups it by signer, surfaces the volume. You allowlist the obvious things, then flip the switch to Enforce. No flag-day disaster.

Vendor templates

Microsoft, Adobe, Google, Mozilla, Citrix, Intuit, Autodesk, Lenovo, Dell, HP, and more. Maintained by Lavawall. One click on each template you trust and your common-vendor approval flood is gone.

vs. the alternatives

Honest comparison — we'll tell you when something else fits better.

Lavawall Local admin (status quo) UAC alone Built-in AppLocker only
Per-application allowlisting Yes No No Yes
MSI metadata inspection Yes N/A No Path/publisher only
Multi-tenant console for MSP Yes No No Per-machine GPO
Ringfencing (no-child / no-net) Yes No No No
Phone QR technician approval Yes No No No
Audit-first deployment mode Yes N/A N/A Yes
Works offline Yes (signed bundle, 24h) Yes Yes Yes
Vendor template library 14 templates, more added regularly N/A N/A No
Attack-resistant (without local admin) Yes No Click-fatigue prone Yes (if rules are good)

Built right

Cryptographically signed rule bundles

Every endpoint verifies an Ed25519 signature before applying a rule update. The private key never leaves your Lavawall instance — encrypted at rest with the same key the rest of Lavawall uses. An attacker on the network cannot push you a fake bundle.

Tight trust boundary

The agent runs as LocalSystem — only it makes decisions. The user-session helper is a thin UI — it can't tamper with policy. If a user breaks the helper, they cannot bypass policy.

No kernel driver. Ever.

Windows ships AppLocker and WDAC for a reason. We layer on top of them rather than re-implementing in kernel space. Fewer crashes, fewer signed-driver incidents, faster boot, faster install, easier uninstall.

Honest about Windows Home

Windows Home doesn't have AppLocker. We can't fully enforce on Home; the agent runs in Audit mode there and the console flags it as "capability degraded." No marketing fiction, no false confidence.

Open audit trail

Every decision — cached, console-approved, auto-denied, technician QR — lands in ELV_AuditLog with full request facts. Your CSV export, your SIEM ingest, your compliance evidence.

Stop being the unlocked door.

Application Elevation is included with every Lavawall MSP plan. Your existing remote-support agent is the deployment vehicle — one installer, no extra endpoint footprint.

See all Lavawall features Talk to us