Flexibility to fine-tune on the fly
Protection Manager offers four modes of operation for every Role, allowing administrators to put policies in place while maintaining the flexibility to fine-tune them on the fly. Disabled mode does not enforce policy at all and is strictly for use while building a Role; Silent and Interactive modes provide the ability to enforce some rules while logging activity (either silently or interactively); on the draconian end of the scale, Enforced mode applies defined rules and blocks untrusted applications, which are simply applications not specifically named in the Role's File Set.
From the user's perspective, application privilege escalation occurs seamlessly behind the scenes. When a user tries to launch an application blocked by policy, the user is shown a pop-up explaining what happened and is given a chance to send a policy exemption request to the Role's Delegator.
Delegators are administrators defined with dominion over a particular Role. When a user interacts with an untrusted application, the Delegator is automatically notified by an icon in the system tray that an application has been identified for action in a File Set. When getting started with Protection Manager, Delegators can expect a lot of notifications. (Seriously, it started getting annoying.)
Delegators can engage the console interface no matter what workstation they are currently sitting at. The only management difference we could discern when working at a remote workstation was that the contents of the Application Browser were not displayed.
We noticed an unfortunate side effect for remote workers tied to a Role in Silent or Interactive modes, however. In these modes, whenever an off-site user started an untrusted application, the client agent attempted to contact the central console to check one last time for an updated policy. Since the agent could not contact the console, the user experienced a delay in application launch of 20 to 30 seconds. There is no warning that this will occur, so this problem is sure to lead to a flood of support calls from users complaining about system performance.
As some companies may leverage Protection Manager specifically for its ability to raise an application's permissions within a Least Privilege User Authority environment, we feel Winternals should add support for a fifth deployment mode that enforces specified rules while ignoring the use of untrusted applications. Winternals officials said they are considering this feature for future revisions.