Privilege Manager earns administrators' trust
GCN Lab Review
- By Vincent Bishop, Earl Greer
- Feb 13, 2008
Network managers want to have their cake and eat it, too. Basically, we want to protect our users from malware by not giving them administrator rights, yet we know we have to give them these rights to run the programs they need to do their jobs.
With Vista, Microsoft introduced User Access Control, which prompts users to grant themselves the necessary rights to run specific applications.
This works fairly well for home users, but it allows users in enterprise environments to accidentally approve malware, potentially infecting entire networks.
BeyondTrust Privilege Manager lets a network manager set policies that automatically elevate permissions for approved programs on client computers. It also provides an interface integrated with Microsoft's Group Policy Management Console (GPMC) to create and manage those policies. BeyondTrust elevates permissions only when a previously specified application is run.
Getting started
The information provided with the software states that policies can be developed and validated on a single computer, then manually moved to an Active Directory domain at the appropriate time.
Because the management software must be installed on a computer used to edit Group Policy Objects, we decided to install the Privilege Manager on a laptop PC running Windows XP Professional. The Privilege Manager can integrate with Windows' GPMC, so we first attempted to install GPMC on the laptop.
But the install program balked, saying we had to install Microsoft .NET Framework.
This was a surprise, because .NET Framework Versions 2.0 and 3.0 were already on the laptop. After some head-scratching, we discovered that GPMC has to run on Version 1.1 of .NET Framework. We hope Microsoft will clarify the error message.
With GPMC running, we installed BeyondTrust from a single file. After rebooting, we found no heavy management console executable, only a small administrative plug-in to the GPMC. The client install executable automatically appeared on our management computer during the brief installation process, so we used it to install the client on a user's Windows Vista computer.
The client installation took less than two minutes, plus time for a reboot. The client installs as a driver: there is no tray icon, and the user should not be aware that the client is running. We noticed no degradation in performance. We installed the client on Vista and Windows XP machines, but it also works on Windows Server 2003 and Windows 2000.
Once installed, the product is deceptively simple. The administrative interface is uncomplicated.
Despite the few choices and easy navigation, all the promised features were implemented. BeyondTrust gets a big thumbs-up for simplicity. We were able to master the product's features and understand all our options in less than 15 minutes.
Seldom do we encounter a product with such robust features and simple implementation.
To define a policy in the management interface, the manager starts by defining the path of the program. We found it easier to run the program and then select it from the list of processes running on the machine.
Next, we defined the user groups that should be added or removed from the security token. That is all that was required to define an application security policy.
To keep things as simple as possible, our first test involved elevating the permissions on Notepad.exe to those of an administrator. In our management console, we defined a policy that specified Notepad as the application to elevate permissions for, and we specified that the application's permissions should be elevated to those of the administrator's group. Next, we logged in as a user from the users group and ran Notepad. We verified that we were able to write to the C:\Windows\System32 directory using Notepad, not WordPad. This simple test demonstrated the product's basic functionality.
Next level
The Notepad test was fine for demonstrating that the product can elevate write access to a directory, but what about something that might actually be useful? Using the built-in Microsoft program to defragment a hard drive requires administrative permissions.
Our second test configured the product to allow a user to run the Disk Defragment Management Console under administrative permissions.
This presented a small problem because the program cannot be run directly; it must be run from the Microsoft Management Console. We did not want to simply elevate permissions for the MMC executable because this would mean that any MMC process the user started (User Manager, Disk Management) would be run with full administrative permissions.
To isolate the Disk Defragment Management Console, we specified that only Management Console executables that started with specific parameters (in this case, C:\WINDOWS\system32\dfrg.msc) would be elevated. Additionally, to ensure that the defragment program received the necessary permissions, we structured the policy to elevate all further processes spawned by the application. To make our scheme work, we had to modify the shortcut to the MMC so that the BeyondTrust driver would recognize it as the process to be elevated.
Next, we logged in as a standard user. This user was not able to use the elevated functionality in other MMC instances and normally would not have been allowed to defragment the hard drive under permissions derived from the users group.
But with BeyondTrust, the defragment operation proceeded as if it had been started by an administrator.
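The reasoning behind the defragmenter policy, modeled as an added example (not BeyondTrust's policy format or code, and not part of the original review): a rule that matches on program path plus one exact argument, with a check that flags a host program elevated by path alone. The `Rule`, `should_elevate` and `lint` names, the host-program list and the `mmc.exe` location are assumptions.

```python
# Added illustration: a simplified model of path-plus-argument elevation rules.
# Not BeyondTrust's policy format or engine; all names here are hypothetical.
import ntpath
from dataclasses import dataclass
from typing import List, Optional

# Programs that host other content (snap-ins, scripts); constructed sample list.
HOST_PROGRAMS = {"mmc.exe", "cmd.exe", "cscript.exe", "rundll32.exe"}

def norm(path: str) -> str:
    """Windows paths are case-insensitive: fold case, separators, dot segments."""
    return ntpath.normcase(ntpath.normpath(path))

@dataclass(frozen=True)
class Rule:
    exe: str                        # full path of the program to elevate
    argument: Optional[str] = None  # required sole argument; None means any
    elevate_children: bool = False  # also elevate processes it spawns

def should_elevate(rule: Rule, exe: str, args: List[str],
                   parent_elevated: bool = False) -> bool:
    """Decide whether a starting process matches the rule."""
    if parent_elevated and rule.elevate_children:
        return True                 # spawned by a process this rule elevated
    if norm(exe) != norm(rule.exe):
        return False
    if rule.argument is None:
        return True                 # path-only rule: every launch matches
    # Compare the whole normalized path, never a file name or substring.
    return len(args) == 1 and norm(args[0]) == norm(rule.argument)

def lint(rule: Rule) -> List[str]:
    """Flag rule shapes that grant more than the review's defrag rule does."""
    findings = []
    if not ntpath.isabs(rule.exe):
        findings.append("program is not a full path")
    if rule.argument is None and ntpath.basename(norm(rule.exe)) in HOST_PROGRAMS:
        findings.append("host program elevated with no argument constraint")
    if rule.argument is not None and not ntpath.isabs(rule.argument):
        findings.append("argument is not a full path")
    return findings

# Constructed sample: the mmc.exe location is assumed; the .msc path is the review's.
MMC = r"C:\WINDOWS\system32\mmc.exe"
DEFRAG_RULE = Rule(MMC, r"C:\WINDOWS\system32\dfrg.msc", elevate_children=True)

if __name__ == "__main__":
    print(should_elevate(DEFRAG_RULE, MMC, [r"C:\WINDOWS\system32\dfrg.msc"]))
    print(should_elevate(DEFRAG_RULE, MMC, [r"C:\WINDOWS\system32\diskmgmt.msc"]))
    print(lint(Rule(MMC)))
```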
In most of our tests, we applied the policy for all users and only to the local machine.
In practice, the policy would be applied to any machine and user where a group policy applies.
Likewise, both local and Active Directory groups can be added to the security token.
Elevation occurs for the entire application. That is, all the application's features are available with elevated permissions.
But it might be possible in some cases to alter or customize an application or an interface that provides the user with only specific functionality to be elevated.
BeyondTrust includes a Policy Monitor located by default under C:\Program Files\BeyondTrust\Privilege Manager\PolMon.exe.
This utility provides detailed information on policies in use. We found this program useful in determining whether the BeyondTrust driver was properly installed. If the driver is not functioning properly, this tool will report the error.
Why not part of the operating system?
We give the product high marks. It's simple, elegant and flexible in its solutions. The implementation is so simple that at times we wondered why Microsoft did not include this functionality with the operating system.
The learning curve for using this product should be less than one day, and planning a complete scheme for implementation should pair well with any well-thought-out group policy implementation.
We recommend this product for any organization that wants to restrict its users' operating permissions while still allowing elevated permissions when necessary.
BeyondTrust is only part of a well-designed security implementation, but it can apply a twist to the screw in tightening an organization's network security.
BeyondTrust, (603) 610-4255, http://www.beyondtrust.com