Avecto Privilege Guard 2.6 makes it easier for Windows
administrators to maintain locked-down desktops among the workforce,
obviating the need for users to have local administrative rights, while
at the same time suppressing the barrage of User Account Control
warnings that often annoy users working in such strictures.

When I first looked at a pair of Windows privilege management solutions
back in 2006—Winternals Protection Manager (since acquired by
Microsoft) and Desktop Standard PolicyMaker Application Security
(progenitor of the competing BeyondTrust solution)—both products were
heavily geared toward enabling insecurely written applications to run
on Windows XP-based desktops run by users with limited local rights.

Although that capability is still applicable for any faulty
applications in 2011, modern products such as Avecto Privilege Guard or
the revamped BeyondTrust PowerBroker Desktops offer more compelling
usage for modern operating systems—making it easier to run as a
standard user without inducing a barrage of security warnings and login
boxes during day-to-day operation.

By temporarily escalating the privilege of policy-defined processes and
applications, these products now provide their greatest benefit in
quelling UAC (User Account Control) warnings and prompts generated by
standard (limited) rights users on Windows 7 or Windows Vista-based
computers. By automatically giving limited rights users temporary and
targeted privilege elevation, the users can run applications that would
otherwise require administrator credentials in order to proceed.
Therefore, IT implementers can leverage these products to crank up UAC
settings to the fullest security settings, providing greater
protection against accidental or malicious changes to system files,
while surreptitiously masking that detail from their users.

Avecto Privilege Guard 2.6 adds a number of new features over its
predecessor, providing more granular controls that allow administrators
to refine rule sets used within the policies that define which
processes and applications receive an escalated privilege level. The new
version also adds time controls over privilege escalation, plus
customizable messaging that allows administrators to personalize any
related messaging presented to users throughout the elevation
process.

Version 2.6, which shipped in November, is available for $30 per
workstation. Last year, Avecto also announced new 24/7 support plans,
which may be licensed at an additional, unspecified cost.

Privilege Guard consists of two elements. The Privilege Guard Client is
a client-side installation package for Windows 7, Windows Vista or
Windows XP-based workstations (there are both 32-bit and 64-bit
versions for Win 7/Vista). Meanwhile, the Privilege Guard Console is
the management element, a snap-in for the Group Policy Management
Console or Group Policy Editor that needs to be installed on
workstations used to create and edit Avecto policies.

While customers will undoubtedly use Active Directory-based Group
Policy to create and apply Avecto policies in a corporate setting, I
performed the bulk of my testing using the Local Policy on a single
Windows 7-based virtual machine.

I found the new application rule sets quite helpful. Whereas the
previous versions of Privilege Guard allowed administrators to create
elevation rules according to a combination of file name, file hash,
command line or publisher, version 2.6 provides further flexibility. I
found I could now create more sophisticated policies that account for
product name or description, file or product versions, and file
ownership. I could also create pattern matching rules to clump similar
applications together within a similar rule.
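
The rule criteria listed above, as an added PowerShell example that is not part of the original review and is not Avecto's code: it collects those attributes from an executable and evaluates them against a rule written as wildcard patterns. The function names, the rule hashtable, the choice of SHA256 and the use of PowerShell 4.0 or later are assumptions made for illustration.

```powershell
# Added illustration only: hypothetical helpers, not Avecto's rule engine or policy format.
function Get-RuleAttributes {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $info = $item.VersionInfo
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        FileName        = $item.Name
        # SHA256 is an assumption; the review does not say which hash the product uses.
        FileHash        = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Publisher       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SignatureStatus = [string]$sig.Status
        ProductName     = [string]$info.ProductName
        FileDescription = [string]$info.FileDescription
        FileVersion     = [string]$info.FileVersion
        ProductVersion  = [string]$info.ProductVersion
        Owner           = (Get-Acl -LiteralPath $Path).Owner
    }
}

function Test-ElevationRule {
    param($Attributes, [hashtable]$Rule)
    # An empty rule would match every file, so treat it as "no match".
    if (-not $Rule -or $Rule.Count -eq 0) { return $false }
    foreach ($name in $Rule.Keys) {
        # A criterion naming an attribute that was not collected fails closed.
        if (-not $Attributes.PSObject.Properties[$name]) { return $false }
        # Every criterion must match; -like is case-insensitive wildcard matching.
        if ($Attributes.$name -notlike $Rule[$name]) { return $false }
    }
    return $true
}

# Constructed rule: pairs the file name with a validly signed publisher and a
# product-name pattern, so the name alone is not what grants elevation.
$rule = @{
    FileName        = 'notepad.exe'
    Publisher       = '*O=Microsoft Corporation*'
    SignatureStatus = 'Valid'
    ProductName     = 'Microsoft*Windows*'
}
$attrs = Get-RuleAttributes -Path (Join-Path $env:SystemRoot 'System32\notepad.exe')
$attrs | Format-List
"Rule matches: $(Test-ElevationRule -Attributes $attrs -Rule $rule)"
```
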

I also liked that Privilege Guard thwarts common privilege-escalating
workarounds. For instance, I could block elevated access to Windows
Explorer functionality through the managed application’s File/Save
dialog, which could keep users from saving to unauthorized locations
or deleting files they should not be able to delete.

The new messaging features allow administrators to customize any
messaging that is shown to a user during a privilege-escalating
event. With this customized text, I could identify points of contact to
correct problems or change policies, or I could explicitly state
corporate rules governing the need for elevation. I could also add a
corporate logo to the pop-up boxes, although I thought the image
scaling was a little wonky, as small images seem to dominate the
resulting pop-up messages. Suggested sizing details in the Privilege
Guard message creation interface would be much appreciated down the
road.

I also found that customized messaging sometimes slowed down the user’s
interactive experience. While operating as a standard user in such
cases, I occasionally found myself waiting between 20 and 30 seconds for the
customized message box to appear on an otherwise greyed-out and
inaccessible background. I did not experience this lag in cases where
privilege escalation occurred silently, with no messaging.

The policy expiration templates were also quite helpful, allowing me to
define times of the day and week when privilege escalation rules would
be enforced. Administrators can easily select applicable days and times
from the Console interface, choosing whether to enforce time according
to the user’s local time zone or against the UTC time period.