Flexibility to fine-tune on the fly

By Andrew Garcia  |  Posted 2006-04-03

Protection Manager offers four modes of operation for every Role, allowing administrators to put policies in place while maintaining the flexibility to fine-tune them on the fly.

Disabled mode does not enforce policy at all and is strictly for use while building a Role; Silent and Interactive modes provide the ability to enforce some rules while logging activity (either silently or interactively); on the draconian end of the scale, Enforced mode applies defined rules and blocks untrusted applications, which are simply applications not specifically named in the Role's File Set.

From the user's perspective, application privilege escalation occurs seamlessly behind the scenes. And when a user tries to engage an application blocked by policy, the user is shown a pop-up explaining what happened and is given a chance to send a policy exemption request to the Role's Delegator.

Delegators are administrators defined with dominion over a particular Role. When a user interacts with an untrusted application, the Delegator is automatically notified by an icon in the system tray that an application has been identified for action in a File Set. When getting started with Protection Manager, Delegators can expect a lot of notifications. (Seriously, it started getting annoying.)

Delegators can engage the console interface no matter what workstation they are currently sitting at. The only management difference we could discern when working at a remote workstation was that the contents of the Application Browser were not displayed.

We noticed an unfortunate side effect for remote workers tied to a role in Silent or Interactive modes, however. In these modes, whenever an off-site user started an untrusted application, the client agent attempted to contact the central console to check one last time for an updated policy.

Since the agent cannot contact the console, the user experienced a delay of 20 to 30 seconds before the application launched. There is no warning that this will occur, so this problem is sure to lead to a flood of support calls from users complaining about system performance.

As some companies may leverage Protection Manager specifically for its ability to raise an application's permissions within a Least Privilege User Authority environment, we feel Winternals should add support for a fifth deployment mode that enforces specified rules while ignoring the use of untrusted applications. Winternals officials said they are considering this feature for future revisions.

Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for eWEEK.com, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at agarcia@eweek.com.
