Review: BeyondTrust's Privilege Manager 4.0 Offers Prompt-Free UAC
Whatever.
No matter the reason, it is still a nuisance for many. Home users may opt to shut off the feature, but for businesses the hesitancy to leave a desktop in a state where users can perform administrative tasks is quite understandable -- many programs and desktop troubleshooting tactics require Administrator-level rights to run. The number of programs and utilities that require elevated permissions is so vast, in fact, that a large number of corporate desktops are often operated with local Administrator or Power User accounts intact. This, of course, renders the machine more susceptible to malware and to potential problems caused by an end user making inadvertent system changes.
The question then becomes how to give the least-privileged user access while maintaining a desktop environment in which that user is not so locked down.
Allowing users to do things like install Active X controls (sometimes needed to view even corporate intranet sites), delete jammed printer queues, refresh IP addresses and change the system time can cut down the number of support calls that reach a VAR or an IT department.
In the case of Vista desktops, how can this level of access be deployed without those infernal UAC prompts?
New Hampshire-based BeyondTrust has a solution. According to the company, Privilege Manager 4.0 enables security restrictions to be tailored to an organization's needs without compromising protection.
So how does it work? With Privilege Manager, rules are defined to dictate which processes and applications an end user can run. The advantage of defining which applications and processes the user can run is that they can be run without secondary account credentials (such as those used with the Run As command), with processes isolated (using the vendor's ShatterProof technology) and with the elimination of the UAC prompt for Administrator login.
Privilege Manager uses the Group Policy framework within Windows and communicates these rules via Group Policy.
The software can be run on stand-alone Windows clients or deployed in a network environment integrated with domain policies. For our purposes in the Test Center, the 32-bit version of BeyondTrust was installed on a Vista SP1 stand-alone client.
Installation is simplified with a .Msi package and is a typical, vanilla-type of Windows program install, complete with user-friendly wizard. There were four components to the installation:
The client: installs Group Policy client-side extensions. One note -- although the product integrates with Group Policy, rules are not initiated via a standard update command. Any network machine that is going to have Privilege Manager rules applied to it must have the client installed.
The Privilege Manager software: adds extensions to Group Policy Object Editor and RSoP (Resultant Set of Policy) snap-ins.
Internet Explorer Integration: for support of rules applied to Active X control installation.
GPMC Integration: provides support for the Group Policy Management Console and related functions like backup, restore, import and copy operations.
Prior to configuring Privilege Manager rules, a standard local user account was set up for testing. Reviewers initiated tasks that were restricted by UAC for a non-Administrator account, and rules were created in Privilege Manager to prevent UAC from restricting those tasks.
UAC, expectedly, prompted for elevation when initiating a host of tasks: disabling a network connection, releasing the IP address, turning on Windows Defender and creating a shared folder.
Program installation also was restricted. For example, when attempting to install Microsoft's Silverlight, UAC required administrator authentication, as it did for the installation of the Active X control from Adobe's Web site for Reader.
Privilege Manager adds extensions to both "Computer" and "User" configuration items in GP Editor. Rules can be applied in several ways: targeting a specific application by file path or by the hash of its file and targeting applications in a specified folder. Installations can be targeted by specifying an .MSI file path or folder, and Active X installs can be targeted by source URL.
Reviewers set up rules to address some of the aforementioned restricted tasks:
A rule was set up to give elevated permission to run Windows Defender, a task our test account could not run without supplying Administrator credentials. A path rule targeting the Windows Defender executable, MSASCui.exe, was created. The rule was set up so that any logged-in user is given BUILTIN/Administrator account access to run Defender.
Note: Specific users can be defined for the rule. If, for example, there are multiple users sharing one machine, rules can be filtered and applied to defined user accounts, groups and even specific operating systems. A second rule was configured to give elevated permissions to install the Active X control required to install Adobe Reader.
Lastly, a rule was created to "Alter TCP/IP Settings." The Vista client was logged into with the restricted test account. Windows Defender fired up and was configured without UAC intervening, and Adobe's Active X control was installable, again without any prompts. However, UAC prompted for Admin credentials when trying to alter network settings. We were advised by the vendor that there is a workaround for this: creating a shortcut on the desktop to %systemroot%\system32\rundll32.exe and using the following parameters in the target line "polseccd.dll,NetCfgDlg" allows the restricted user to configure TCP/IP.
That worked.
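To make the rule types the review describes (path, hash, folder, .MSI and Active X source URL, optionally filtered to named users) concrete, here is an added Python model of how such a rule set decides whether a launch is elevated. It is an illustration written for this review, not BeyondTrust's code, and the matching semantics, the `Rule` structure and the constructed `tool.exe` scenario are assumptions; the scenario shows why a hash rule, unlike a path rule, stops elevating once the binary at that path has been replaced.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

@dataclass
class Rule:
    kind: str      # "path", "hash", "folder", "msi" or "activex" (assumed rule kinds)
    target: str    # file path, folder, lowercase hex SHA-256, .msi path/folder or source URL
    users: set = field(default_factory=set)  # empty set = applies to any logged-in user

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def norm(p):
    return os.path.normcase(os.path.normpath(p))

def in_folder(path, folder):
    return norm(path).startswith(norm(folder) + os.sep)

def rule_matches(rule, launch, user):
    """True if `launch` (a file path or Active X source URL) is covered by `rule` for `user`."""
    if rule.users and user not in rule.users:
        return False
    if rule.kind == "path":
        return norm(launch) == norm(rule.target)
    if rule.kind == "folder":
        return in_folder(launch, rule.target)
    if rule.kind == "hash":   # only the exact binary content qualifies, wherever it lives
        return os.path.isfile(launch) and sha256_of(launch) == rule.target.lower()
    if rule.kind == "msi":    # an .msi file, matched by exact path or by containing folder
        return launch.lower().endswith(".msi") and (norm(launch) == norm(rule.target) or in_folder(launch, rule.target))
    if rule.kind == "activex":
        return launch.lower().startswith(rule.target.lower())
    return False

def elevating_rule(rules, launch, user):
    """First rule that grants elevation, or None (the UAC prompt would remain)."""
    return next((r for r in rules if rule_matches(r, launch, user)), None)

def demo():
    """Constructed scenario: a path rule (any user) and a hash rule (alice only) for one tool."""
    exe = os.path.join(tempfile.mkdtemp(), "tool.exe")
    Path(exe).write_bytes(b"original build")
    rules = [Rule("path", exe), Rule("hash", sha256_of(exe), {"alice"})]
    before = (rule_matches(rules[0], exe, "bob"), rule_matches(rules[1], exe, "alice"), rule_matches(rules[1], exe, "bob"))
    Path(exe).write_bytes(b"something else")  # binary replaced in place: path rule still elevates, hash rule does not
    after = (rule_matches(rules[0], exe, "bob"), rule_matches(rules[1], exe, "alice"))
    return before, after
```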
This was not really an issue, however, as most network administrators would probably not want users, even super users, to have access to TCP/IP settings.
These simple tests really do not demonstrate the full capabilities of this product. With Privilege Manager, it is possible to grant access for very specific functions, from system settings to installs. The product can also control CD/DVD usage and has logging functionality for auditing. Users can run third-party applications or change the system time, a needed ability for mobile users who may travel internationally, for example.
Although the focus of this test was on controlling UAC, Privilege Manager is compatible not only with Vista but also with XP, Windows 2000 and Windows Server 2003/2008. There is also a 64-bit version.
BeyondTrust is committed to further growth of its channel program and recently unveiled a major international channel expansion program. The vendor currently has a two-tiered channel program with 50 partners worldwide.
Privilege Manager 4.0 can provide peace of mind for network administrators and VARs responsible for network security by giving end-users just enough access for uninterrupted workflow without compromising security.
The bottom line: this product comes with a hearty Test Center recommendation.