Expanding the Reach of Least User Privilege

For several years, I've been a big proponent of operating Windows-based desktop computers in a Least User Privilege mode, removing Administrator (or Power User) rights from end users so they cannot install unapproved applications (or unwanted malware). However, instituting such a policy throughout an enterprise is not the easiest thing

For several years, I've been a big proponent of operating Windows-based desktop computers in a Least User Privilege mode, removing Administrator (or Power User) rights from end users so they cannot install unapproved applications (or unwanted malware). However, instituting such a policy throughout an enterprise is not the easiest thing in the world because many applications still require administrative rights to run correctly and some power users need to do more (unpredictable) things to their computers than the average user.

BeyondTrust addressed the first problem a few years ago with its Privilege Manager application (formerly known as DesktopStandard's PolicyMaker Application Security), which helps administrators change the privileges token of a process or application via centralized policy-based controls. This allows, in a nutshell, a limited rights user to run certain preapproved applications with administrative rights on those applications only.

In the years since the product first came to market, BeyondTrust has heard about the second problem many times. According to a survey the company conducted among its customers, two-thirds of those asked had been able to remove administrator privileges from 90 to 100 percent of the users in their organization. Of the remaining third of its customers, however, BeyondTrust found that special use cases -- users such as system administrators or developers, or laptop computer users -- were generating too many support calls to be effectively pulled into the Least User Privilege initiative.

As a response, the latest iteration of Privilege Manger looks to squarely address those special use cases, as Version 4.0 adds a series of new features aimed at easing administration amid the unpredictability generated by these users.

First of all, Privilege Manager adds another way for administrators to batch-approve software from a particular vendor. Administrators can approve rights escalation for applications or installation packages based on the digital certificate used to sign the code. An administrator can simply allow the system to escalate rights for any Microsoft signed application, for instance.

With Privilege Manager 4.0, administrators can also approve privilege escalation for software that comes from a particular CD or DVD, as administrators can approve the serial number of a particular piece of media. This allows administrators to control the flow of new software installations in remote instances, sending out a preapproved disk full of new applications or updated versions of existing ones.

The best news for users, however, is that Privilege Manger 4.0 allows approved users to perform on-the-fly exemptions at their discretion. Users can right-click an application or installation package, and see a new context menu item that allows a temporary privilege escalation. Administrators can audit the use of this exemption by asking the user to type in a reason for the request and by requiring the user to enter a password before the escalation can take place.

Privilege Manager 4.0 also looks to extend some of the native features of Windows Vista. BeyondTrust already did some work in Version 3.5 to tone down the chattiness of Vista's User Access Control feature, and now in Version 4.0, BeyondTrust has extended the security afforded by Vista Integrity Levels to applications other than Internet Explorer. In essence, with Vista Integrity Levels, a process with Low Integrity cannot interact with processes rated Medium or High Integrity (but a High Integrity process can interact with anything with a lower rating). According to BeyondTrust representatives, a standard Vista user will normally run all applications with a Medium Integrity level -- except for Internet Explorer, which operates with a Low Integrity level (enabling IE Protected Mode).

In a WebEx demonstration, BeyondTrust engineers showed me that the Integrity Level protection could be extended via policy to any other Internet-facing application, so administrators could lock down the behavior of Mozilla's Firefox browser in the same way that IE is protected.