By Andrew Garcia  |  Posted 2006-03-20

Competing products, such as Winternals Protection Manager 1.0, would not suffer from this drawback, as management and policy deployment are outside the Group Policy framework.

PMAS also falls short in its ability to help administrators identify what applications are in use. While we found it quite straightforward to leverage PMAS' capabilities when we explicitly knew what applications we wanted to fix, we can't imagine it will be simple to create a useful rule base in a large organization that runs hundreds or thousands of individual applications.

Meanwhile, Winternals' competing product allows administrators to set the client agent in a monitor-only mode that can report back to a central store what applications are being used on a particular machine. While this does not provide insight into applications that require elevated permissions, it will help administrators get a wide view of all applications used across the network.

Pricing for PMAS 2.5, which started shipping in February, starts at $27 per managed computer. PMAS eases the transition to least-privilege computing, which may save enterprises money by reducing the need for additional optional desktop security expenses such as stand-alone anti-spyware services, but the PMAS price still seems exorbitant.

DesktopStandard does offer a discounted bundle price of $36.40 per workstation if you also purchase the company's other Group Policy-based tools: PolicyMaker Standard Edition, PolicyMaker Share Manager and the PolicyMaker Update software patching service.


PMAS 2.5 also introduces Process Isolation to protect hosts against shatter attacks. Shatter attacks exploit a flaw in the Win32 messaging system, which allows processes to send messages to each other no matter what level of permissions each process may have, and could allow restricted users to escalate rights. PMAS tackles shatter attacks by isolating different processes to deny them the ability to message each other.

With Process Isolation enabled, PMAS forces new processes to start within an unnamed Win32 job. During tests, when we examined such a job using Sysinternals' Process Explorer 10.06, we noted that for each subprocess within the job, PMAS explicitly disabled many privileges allowed by the operating system under normal operating conditions.

The downside to Process Isolation is that some functionality may break. When we enabled Process Isolation on a workstation, for example, we could no longer cut and paste text between applications, and we noticed some programs' help files did not work correctly. Because of the potential to cause disruption, administrators are advised to heavily test Process Isolation before deploying.
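The job-based isolation described above can be reproduced with stock Windows job objects. The following is an added example, not DesktopStandard's code: the review does not say which job limits PMAS sets, so the `JobUi` class, its `Confine` method and the `SHATTER_LIMITS` flag set are hypothetical names chosen for illustration. It places a process in an unnamed job whose UI restrictions block cross-job window handles and clipboard access, which is also why cut and paste stops working.

```powershell
# Added example: confine a process in an unnamed Win32 job with UI restrictions.
# JobUi, Confine and SHATTER_LIMITS are illustrative names, not part of PMAS.
Add-Type -TypeDefinition @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public static class JobUi {
    // JOB_OBJECT_UILIMIT_* values from winnt.h
    public const uint HANDLES        = 0x01; // no USER handles owned outside the job
    public const uint READCLIPBOARD  = 0x02;
    public const uint WRITECLIPBOARD = 0x04;
    public const uint GLOBALATOMS    = 0x20; // job gets its own atom table
    public const uint SHATTER_LIMITS =
        HANDLES | READCLIPBOARD | WRITECLIPBOARD | GLOBALATOMS;

    const int JobObjectBasicUIRestrictions = 4; // JOBOBJECTINFOCLASS member

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern IntPtr CreateJobObject(IntPtr attrs, string name);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool SetInformationJobObject(IntPtr job, int infoClass,
                                               ref uint info, uint length);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool AssignProcessToJobObject(IntPtr job, IntPtr process);

    public static IntPtr Confine(IntPtr process, uint limits) {
        IntPtr job = CreateJobObject(IntPtr.Zero, null); // null name = unnamed job
        if (job == IntPtr.Zero) throw new Win32Exception();
        // JOBOBJECT_BASIC_UI_RESTRICTIONS is a single DWORD, so a ref uint suffices.
        if (!SetInformationJobObject(job, JobObjectBasicUIRestrictions, ref limits, 4))
            throw new Win32Exception();
        if (!AssignProcessToJobObject(job, process))
            throw new Win32Exception();
        return job; // keep the handle open; the limits last as long as the job does
    }
}
'@

# Test target: Notepad. A production tool would create the process suspended and
# assign it to the job before resuming, so no code runs outside the restrictions.
$proc = Start-Process notepad.exe -PassThru
$job  = [JobUi]::Confine($proc.Handle, [JobUi]::SHATTER_LIMITS)
"PID $($proc.Id) confined; paste into it from another application to see the limit"
```

Process Explorer shows the confined process on a Job tab in its properties, which is a quick way to confirm which limits are in force before rolling such a policy out.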


Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at
