Competing products, such as Winternals Protection Manager 1.0, would not suffer from this drawback, as management and policy deployment are outside the Group Policy framework.

PMAS also falls short in its ability to help administrators identify what applications are in use. While we found it quite straightforward to leverage PMAS' capabilities when we explicitly knew what applications we wanted to fix, we can't imagine it will be simple to create a useful rule base in a large organization that runs hundreds or thousands of individual applications.

Meanwhile, Winternals' competing product allows administrators to set the client agent in a monitor-only mode that can report back to a central store what applications are being used on a particular machine. While this does not provide insight into applications that require elevated permissions, it will help administrators get a wide view of all applications used across the network.

Pricing for PMAS 2.5, which started shipping in February, starts at $27 per managed computer. PMAS eases the transition to least-privilege computing, which may save enterprises money by reducing the need for additional optional desktop security expenses such as stand-alone anti-spyware services, but the PMAS price still seems exorbitant. DesktopStandard does offer a discounted bundle price of $36.40 per workstation if you also purchase the company's other Group Policy-based tools: PolicyMaker Standard Edition, PolicyMaker Share Manager and the PolicyMaker Update software patching service.

Sh-sh-sh-shattered

PMAS 2.5 also introduces Process Isolation to protect hosts against shatter attacks. Exploiting a flaw in the Win32 messaging system that allows processes to send messages to each other (no matter what level of permissions each process may have), shatter attacks could allow restricted users to escalate rights. PMAS tackles shatter attacks by isolating different processes to deny them the ability to message each other.
With Process Isolation enabled, PMAS forces new processes to start within an unnamed Win32 job. During tests, when we examined such a job using Sysinternals Process Explorer 10.06, we noted that for each subprocess within the job, PMAS explicitly disabled many privileges allowed by the operating system under normal operating conditions.

The downside to Process Isolation is that some functionality may break. When we enabled Process Isolation on a workstation, for example, we could no longer cut and paste text between applications, and we noticed some programs' help files did not work correctly. Because of the potential to cause disruption, administrators are advised to heavily test Process Isolation before deploying.
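
The job-based isolation described above can be reproduced on a test workstation with the standard Win32 job object API. This PowerShell example is added here and is not DesktopStandard's code or part of the original review; the review does not say which job settings PMAS applies, so the UI restriction flags below are an assumption, and `JobUi`, `$limits` and the use of `notepad.exe` are names and choices introduced for illustration.

```powershell
# Added example: place a process in an unnamed Win32 job with UI restrictions.
# Assumption: these flags illustrate job-based isolation; they are not known PMAS settings.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class JobUi {   // hypothetical helper class
    [DllImport("kernel32.dll", EntryPoint = "CreateJobObjectW", SetLastError = true)]
    public static extern IntPtr CreateJobObject(IntPtr attrs, IntPtr name);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool SetInformationJobObject(IntPtr job, int infoClass, ref uint info, uint length);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool AssignProcessToJobObject(IntPtr job, IntPtr process);
}
'@

$JobObjectBasicUIRestrictions = 4   # JOBOBJECTINFOCLASS value for UI limits
$UILIMIT_HANDLES        = 0x0001    # no use of USER handles (windows) owned outside the job
$UILIMIT_READCLIPBOARD  = 0x0002    # no reading from the clipboard
$UILIMIT_WRITECLIPBOARD = 0x0004    # no writing to the clipboard
$UILIMIT_GLOBALATOMS    = 0x0020    # private atom table instead of the global one
[uint32]$limits = $UILIMIT_HANDLES -bor $UILIMIT_READCLIPBOARD -bor
                  $UILIMIT_WRITECLIPBOARD -bor $UILIMIT_GLOBALATOMS

# A null name pointer creates an unnamed job, as the review observed for PMAS.
$job = [JobUi]::CreateJobObject([IntPtr]::Zero, [IntPtr]::Zero)
if ($job -eq [IntPtr]::Zero) { throw "CreateJobObject failed" }

# JOBOBJECT_BASIC_UI_RESTRICTIONS is a single DWORD, so a uint32 of length 4 is enough.
if (-not [JobUi]::SetInformationJobObject($job, $JobObjectBasicUIRestrictions, [ref]$limits, 4)) {
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "SetInformationJobObject failed (Win32 error $err)"
}

# The process is assigned after it starts, which leaves a short unrestricted window;
# an enforcing agent would create the process suspended and assign it before resuming.
$proc = Start-Process -FilePath notepad.exe -PassThru
if (-not [JobUi]::AssignProcessToJobObject($job, $proc.Handle)) {
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "AssignProcessToJobObject failed (Win32 error $err)"
}
"PID $($proc.Id) is now in a UI-restricted job; try copy and paste in that window."
```

With the clipboard flags set, copy and paste between the restricted window and other applications stops working, which is the kind of side effect to look for when testing job-based isolation before deployment.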