Privilege Manager earns administrators' trust

 

Connecting state and local government leaders

GCN Lab Review: BeyondTrust Privilege Manager lets administrators set policies for automated control over user permissions.

Network managers want to have their cake and eat it, too. Basically, we want to protect our users from malware by not giving them administrator rights, yet we know we have to give them these rights to run the programs they need to do their jobs.With Vista, Microsoft introduced User Access Control, which prompts users to grant themselves the necessary rights to run specific applications.This works fairly well for home users, but it allows users in enterprise environments to accidentally approve malware, potentially infecting entire networks.BeyondTrust Privilege Manager lets a network manager set policies that automatically elevate permissions for approved programs on client computers. It also provides an interface integrated with Microsoft's Group Policy Management Console (GPMC) to create and manage those policies. BeyondTrust elevates permissions only when a previously specified application is run.The information provided with the software states that policies can be developed and validated on a single computer, then manually moved to an Active Directory domain at the appropriate time.Because the management software must be installed on a computer used to edit Group Policy Objects, we decided to install the Privilege Manager on a laptop PC running Windows XP Professional. The Privilege Manager can integrate with Windows' GPMC, so we first attempted to install GPMC on the laptop.But the install program balked, saying we had to install Microsoft .NET Framework.This was a surprise, because .NET Framework Versions 2.0 and 3.0 were already on the laptop. After some head-scratching, we discovered that GPMC has to run on Version 1.1 of .NET Framework. We hope Microsoft will clarify the error message.With GPMC running, we installed BeyondTrust from a single file. After rebooting, we found no heavy management console executable, only a small administrative plug-in to the GPMC. The client install executable automatically appeared on our management computer during the brief installation process, so we used it to install the client on a user's Windows Vista computer.The client installation took less than two minutes, plus time for a reboot. The client installs as a driver ' there is no tray icon, and the user should not be aware that the client is running. We noticed no degradation in performance. We installed the client on Vista and Windows XP machines, but it also works on Windows Server 2003 and Windows 2000.Once installed, the product is deceptively simple. The administrative interface is uncomplicated.Despite the few choices and easy navigation, all the promised features were implemented. BeyondTrust gets a big thumbs-up for simplicity. We were able to master the product's features and understand all our options in less than 15 minutes.Seldom do we encounter a product with such robust features and simple implementation.To define a policy in the management interface, the manager starts by defining the path of the program. We found it easier to run the program and then select it from the list of processes running on the machine.Next, we defined the user groups that should be added or removed from the security token. That is all that was required to define an application security policy.To keep things as simple as possible, our first test involved elevating the permissions on Notepad.exe to those of an administrator. In our management console, we defined a policy that specified Notepad as the application to elevate permissions for, and we specified that the application's permissions should be elevated to those of the administrator's group. Next, we logged in as a user from the users group and ran Notepad. We verified that we were able to write to the C:\Windows\System32 directory using Notepad ' not WordPad. This simple test demonstrated the product's basic functionality.The Notepad test was fine for demonstrating that the product can elevate write access to a directory, but what about something that might actually be useful? Using the built-in Microsoft program to defragment a hard drive requires administrative permissions.Our second test configured the product to allow a user to run the Disk Defragment Management Console under administrative permissions.This presented a small problem because the program cannot be run directly; it must be run from the Microsoft Management Console. We did not want to simply elevate permissions for the MMC executable because this would mean that any MMC process the user started ' User Manager, Disk Management ' would be run with full administrative permissions.To isolate the Disk Defragment Management Console, we specified that only Management Console executables that started with specific parameters ' in this case, C:\WINDOWS\ system32\dfrg.msc ' would be elevated. Additionally, to ensure that the defragment program received the necessary permissions, we structured the policy to elevate all further processes spawned by the application. To make our scheme work, we had to modify the shortcut to the MMC to be recognized as the process to be elevated by the BeyondTrust driver.Next, we logged in as a standard user. This user was not able to use the elevated functionality in other MMC instances and normally would not have been allowed to defragment the hard drive under permissions derived from the users group.But with BeyondTrust, the defragment operation proceeded as if it had been started by an administrator.In most of our tests, we applied the policy for all users and only to the local machine.In practice, the policy would be applied to any machine and user where a group policy applies.Likewise, both local and Active Directory groups can be added to the security token.Elevation occurs for the entire application. That is, all the application's features are available with elevated permissions.But it might be possible in some cases to alter or customize an application or an interface that provides the user with only specific functionality to be elevated.BeyondTrust includes a Policy Monitor located by default under C:\Program Files\BeyondTrust\ Privilege Manager\PolMon.exe.This utility provides detailed information on policies in use. We found this program useful in determining whether the BeyondTrust driver was properly installed. If the driver is not functioning properly, this tool will report the error.We give the product high marks. It's simple, elegant and flexible in its solutions. The implementation is so simple that at times we wondered why Microsoft did not include this functionality with the operating system.The learning curve for using this product should be less than one day, and planning a complete scheme for implementation should pair well with any well-thought-out group policy implementation.We recommend this product for any organization that desires to restrict operating permissions to its users while still allowing elevated permissions when necessary.BeyondTrust is only part of a well-designed security implementation, but it can apply a twist to the screw in tightening an organization's network security.








Getting started

























Next level



























Why not part of the operating system?









BeyondTrust, (603) 610-4255, http://www.beyondtrust.com

NEXT STORY: Biometrics registry proposed

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.