Page 2

By Andrew Garcia  |  Posted 2006-10-06 Print this article Print

Administrators also can enable virtualization via Group Policy as a catchall for applications that need elevated permissions to write files or registry settings to protected parts of the file system, like the Program Files directory or the HKLM registry hive. Virtualization fools the operating system by instead writing these files or keys to a walled garden in the users directory. Microsoft views virtualization as a stopgap measure, with good cause. Virtualization does not solve compatibility problems for applications that may require other kinds of elevated permissions that cant be met by faking out the file system. So, while Microsoft ramps up its Vista logo program to teach application developers how to conform to Vistas security parameters going forward, it has been creating tools to help administrators and coders get ready for UAC.
This summer, Microsoft released SUA (Standard User Analyzer), a handy GUI that works with the companys Application Verifier to help developers and administrators understand exactly where legacy applications will run afoul of UAC.
What is the real compatibility picture for Windows Vista? Click here to read David Morgensterns view. For instance, during tests, when we used SUA to evaluate an application that we knew required some administrative privileges—SysInternals FileMon—SUA alerted us to a few files temporarily copied to a protected disk location, as well as a pair of required administrator privileges that FileMon needs to run (SeDebug Privilege and the SeLoadDriverPrivilege). Since virtualization is not an option here, and handing out administrative credentials to all application users defeats the value of UAC in the enterprise, administrators must look elsewhere for a solution. Administrators can deal with offending applications one by one via SUAs Compatibility tab, by clicking on the Run As Program as Administrator button. However, this solution can be unwieldy across a large number of desktops and is not guaranteed to work, as the executable may be blocked from that capability. Earlier this year, we reviewed a pair of solutions that offer a more elegant approach to policy-based privilege escalation for applications and processes. Both Desktop Standards PMAS (PolicyMaker Application Security) and Winternals Software Protection Manager allow administrators to selectively elevate a processs or applications security privileges according to user, group or host computer. In this way, administrators can allow standard users to run poorly coded applications that require various elevated privileges or attempt to write files or registry settings to restricted areas of the file system via policy without having the user present administrative credentials. We prefer the PMAS solution because of its tight integration with Group Policy, although we felt Protection Manager had slightly superior rights delegation, filtering and process identification capabilities. But Protection Managers agent architecture proved sluggish and unwieldy in some circumstances, while PMAS snapped right into Group Policy. Which operating system will be a better deal—Vista or Linux? Click here to read more. Interestingly, Microsoft purchased both companies within the last few months, although PMAS was not included in the Desktop Standard acquisition. Instead, PMAS is now sold and maintained by BeyondTrust, previously a spinoff subsidiary of Desktop Standard, while Microsoft is the proud owner of a series of Group Policy-based configuration and security settings to add to its burgeoning arsenal for the forthcoming Windows Longhorn Server. Microsoft should be able to meld these technologies into Group Policy to form a powerful solution to help administrators unlock legacy applications in a scalable, organized fashion while it awaits Vista-compliant code from ISVs. Unfortunately, it is likely too late to see this functionality in the Windows Longhorn Server release time frame. We would hope to see such capability at the top of the list of new features for subsequent Longhorn Server service packs, however. Technical Analyst Andrew Garcia can be reached at Check out eWEEK.coms for Microsoft and Windows news, views and analysis.

Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel