Avecto Privilege Guard Tames Windows UAC Security Prompts
Avecto Privilege Guard 2.6 makes it easier for Windows administrators to maintain locked-down desktops among the workforce, obviating the need for users to have local administrative rights, while at the same time suppressing the barrage of User Account Control warnings that often annoy users working in such strictures.
When I first looked at a pair of Windows privilege management solutions back in 2006-Winternals Protection Manager (since acquired by Microsoft) and Desktop Standard PolicyMaker Application Security (progenitor of the competing BeyondTrust solution)-both products were heavily geared toward enabling insecurely written applications to run on Windows XP-based desktops run by users with limited local rights.
Although that capability is still applicable for any faulty applications in 2011, modern products such as Avecto Privilege Guard or the revamped BeyondTrust PowerBroker Desktops offer more compelling usage for modern operating systems-making it easier to run as a standard user without inducing a barrage of security warnings and login boxes during day-to-day operation.
Temporarily escalating the privilege of policy-defined processes and applications, these products now provide their greatest benefit quelling UAC (User Account Control) warnings and prompts generated by standard (limited) rights users on Windows 7 or Windows Vista-based computers. By automatically giving limited rights users temporary and targeted privilege elevation, the users can run applications that would otherwise require administrator credentials in order to proceed. Therefore, IT implementers can leverage these products to crank up UAC settings to the fullest security settings, providing greater protection against accidental or malicious changes to system files, while surreptitiously masking that detail from their users.
Avecto Privilege Guard 2.6 adds a number of new features over its predecessor, providing more granular controls that allow administrators to refine rule sets used within the policies that define which processes and applications receive escalated privilege level. The new version also adds time controls over privilege escalation, plus customizable messaging that allows administrators to personalize any related messaging presented to users throughout the elevation process.
Version 2.6, which shipped in November, is available for $30 per workstation. Last year, Avecto also announced new 24/7 support plans, which may be licensed at an additional, unspecified cost.
Privilege Guard consists of two elements. The Privilege Guard Client is a client-side installation package for Windows 7, Windows Vista or Windows XP-based workstations (there are both 32-bit and 64-bit versions for Win 7/Vista). Meanwhile, the Privilege Guard Console is the management element, a snap-in for the Group Policy Management Console or Group Policy Editor that needs to be installed on workstations used to create and edit Avecto policies.
While customers will undoubtedly use Active Directory-based Group Policy to create and apply Avecto policies in a corporate setting, I performed the bulk of my testing using the Local Policy on a single Windows 7-based virtual machine.
I found the new application rule sets quite helpful. Whereas the previous versions of Privilege Guard allowed administrators to create elevation rules according to a combination of file name, file hash, command line or publisher, version 2.6 provides further flexibility. I found I could now create more sophisticated policies that account for product name or description, file or product versions, and file ownership. I could also create pattern matching rules to clump similar applications together within a similar rule.
I also liked that Privilege Guard thwarts common privilege escalating workarounds. For instance, I could block elevated access to Windows Explorer functionality through the managed application's File/Save dialog, which could keep users from saving to unauthorized locations or deleting files they should not be able to delete.
The new messaging features allow administrators to customize any messaging that is shown to a user during a privilege escalating event. With this customized text, I could identify points of contact to correct problems or change policies, or I could explicitly state corporate rules governing the need for elevation. I could also add a corporate logo to the pop-up boxes, although I thought the image scaling was a little wonky, as small images seem to dominate the resulting pop-up messages. Suggested sizing details in the Privilege Guard message creation interface would be much appreciated down the road.
I also found that customized messaging sometimes slowed down the user's interactive experience. While operating as a standard user in such cases, I occasionally found myself waiting between 20 and 30 seconds for the customized message box to appear on an otherwise greyed out and inaccessible background. I did not experience this lag in cases where privilege escalation occurred silently, with no messaging.
The policy expiration templates were also quite helpful, allowing me to define times of the day and week when privilege escalation rules would be enforced. Administrators can easily select applicable days and times from the Console interface, choosing whether to enforce time according to the user's local time zone or against the UTC time period.