TKTK

 
 
By Andrew Garcia  |  Posted 2006-03-20
 
 
 

End-User Furlough


DesktopStandards PolicyMaker Application Security 2.5 provides outstanding tools to help companies solve the problem of application compatibility in restricted desktop environments. However, the Microsoft Group Policy-based management structure could prove confining in large, complex domains, and the manual approach to finding and restricting applications could easily become unwieldy.



Click here to read the full review of PolicyMaker Application Security 2.5.

2


DesktopStandards PolicyMaker Application Security 2.5 provides outstanding tools to help companies solve the problem of application compatibility in restricted desktop environments. However, the Microsoft Group Policy-based management structure could prove confining in large, complex domains, and the manual approach to finding and restricting applications could easily become unwieldy.

PMAS 2.5 presents a clean and elegant solution to the problem of getting legacy applications to work for users who dont have administrative rights on the desktop.

Rather than raising permissions via a "Run as" command that requires users to know and input an administrator user name and password, or requiring administrators to jury-rig file system and registry ACL (Access Control List) commands to get troublesome applications working, PMAS modifies an applications security token on the fly, elevating process permissions without altering the rest of the user session or security settings.

Click here to read about Microsofts recent bevy of security betas.

With great success, eWEEK Labs tested PMAS 2.5 against a number of applications known to founder without administrative rights. By simply adding the built-in administrator account to an application token via policy, we quickly were able to get Microsofts AntiSpyware Beta 1, various Lenovo ThinkPad management tools, Intuits TurboTax (and its AutoUpdate feature), Nero 7 Ultra Edition and an older version of Jascs Paint Shop Pro operational.

In each case, the application process is still owned by the user with restricted rights, but the local administrator rights were seamlessly added to the security token.

To define applications whose permissions we wanted to elevate, we could identify executables in several ways: by name; by folder; or, to ensure that an application had not been unexpectedly altered, by hash.

Getting Sysinternals DiskMon to work for a restricted user, however, required additional steps: We had to explicitly add Debug and Load Drivers privileges, but this was easily accomplished through the policy interface .

The PMAS management console is fully integrated into the Windows Group Policy management framework, and administrators may add PMAS policies to either User or Computer Group Policy objects . We simply installed the PMAS snap-ins, security driver and client-side extensions on our Group Policy management workstation, and the PolicyMaker license and configuration data was then automatically stored in the domain SYSVOL (System volume).

Administrators will need to deploy the security driver and client-side extensions to managed workstations to enable the workstations to see and execute PMAS policy, but PMAS includes a small MSI (Management System Information) installer package that can be deployed via Group Policy.

Our tests showed that there are both advantages and disadvantages to PMAS management being contained entirely within the Group Policy framework. Domain administrators already familiar with the ins and outs of Group Policy and the Group Policy editor (or the newer, more robust Group Policy Management Console) will be quite at home with PMAS management.

However, the Group Policy construct could limit flexibility in complex networks. Group Policies can be applied only to containers (the domain, site or Organizational Unit) or at the local machine (with the latter greatly complicating centralized management).

Unfortunately, application distribution likely will not mirror the Organizational Unit, or OU, container structure in Active Directory, as a user in accounting may need access to the same application as a user in human resources. To address this shortcoming, PMAS offers filtering capabilities, allowing administrators to limit policy execution to, among other things, certain Windows Security Groups.

Next Page: How it stacks up

TKTK


Competing products, such as Winternals Protection Manager 1.0, would not suffer from this drawback, as management and policy deployment are outside the Group Policy framework.

PMAS also falls short with its ability to help administrators identify what applications are in use. While we found it quite straightforward to leverage PMAS capabilities when we explicitly knew what applications we wanted to fix, we cant imagine it will be simple to create a useful rule base in a large organization that runs hundreds or thousands of individual applications.

Microsofts Bill Gates outlines a vision of a "trust ecosystem" and promises technology to untangle the password-management clutter. Click here to read more.

Meanwhile, Winternals competing product allows administrators to set the client agent in a monitor-only mode that can report back to a central store what applications are being used on a particular machine. While this does not provide insight into applications that require elevated permissions, it will help administrators get a wide view of all applications used across the network.

Pricing for PMAS 2.5, which started shipping in February, starts at $27 per managed computer. PMAS eases the transition to least-privilege computing, which may save enterprises money by reducing the need for additional optional desktop security expenses such as stand-alone anti-spyware services, but the PMAS price still seems exorbitant.

DesktopStandard does offer a discounted bundle price of $36.40 per workstation if you also purchase the companys other Group Policy-based tools: PolicyMaker Standard Edition, PolicyMaker Share Manager and the PolicyMaker Update software patching service.

Sh-sh-sh-shattered

PMAS 2.5 also introduces process Isolation to protect hosts against shatter attacks. Exploiting a flaw in the Win32 messaging system that allows processes to send messages to each other (no matter what level of permissions each process may have), shatter attacks could allow restricted users to escalate rights. PMAS tackles shatter attacks by isolating different processes to deny them the ability to message each other.

With Process Isolation enabled, PMAS forces new processes to start within an unnamed Win32 job. During tests, when we examined such a job using Sysinternals ProcessExplorer 10.06, we noted that for each subprocess within the job, PMAS explicitly disabled many privileges allowed by the operating system under normal operating conditions.

The downside to Process Isolation is that some functionality may break. When we enabled Process Isolation on a workstation, for example, we could no longer cut and paste text between applications, and we noticed some programs help files did not work correctly. Because of the potential to cause disruption, administrators are advised to heavily test Process Isolation before deploying.

Next page: Evaluation Shortlist: Related Products.

Page 4


FullArmors IntelliPolicy product line In addition to controlling application rights, security and desktop configuration via Group Policy extensions, FullArmors products can manage computers outside Active Directory (www.fullarmor.com)

Winternals Softwares Protection Manager Unlike its competitors, Protection Manager does not operate within a Group Policy framework, which could lead to more management complexity but superior policy flexibility (www.winternals.com)

Technical Analyst Andrew Garcia can be reached at andrew_garcia@ziffdavis.com.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

Rocket Fuel