Applications: Getting to Yes

Review: Winternals Software's Protection Manager 1.0 successfully melds application execution protection with least-privilege-user controls.

Winternals Software's Protection Manager 1.0 merges application privilege escalation and execution control into a single package that allows companies to provide proactive security by thoroughly locking down the desktop.

As we've seen with products from DesktopStandard and FullArmor, Protection Manager modifies an application's security token, allowing legacy apps to run with administrative permissions while the user retains otherwise restricted permissions.

But Protection Manager also adds application execution controls that allow an administrator to create a whitelist of approved applications, while denying users the ability to run other unspecified applications-similar to functions provided by host intrusion-prevention products such as those from Bit9, yet more manageable and flexible than the Software Restriction Policies in Microsoft's Group Policy.

/zimages/6/28571.gifClick here to a review of DesktopStandard's PolicyMaker Application Security 2.5.

During tests, eWEEK Labs found that Protection Manager's privilege escalation functionality worked well, enabling us to run a number of applications that ordinarily don't play nicely for restricted users. Protection Manager also provided a good set of tools for creating an application execution whitelist. Implementing this practice across a large enterprise will be a daunting task, however, likely leading to a lot of administrative effort-especially at first.

Pricing for Protection Manager, which started shipping in March, starts at $25 per managed desktop or $250 per managed server. There is also a $69 charge for the management console.

Flexible solution

Unlike DesktopStandard's PMAS (PolicyMaker Application Security), Protection Manager operates outside Microsoft's Group Policy framework, allowing great flexibility in the way policy can be assigned.

Protection Manager does tie in to Active Directory, however, so we could create Roles that included existing Organizational Units, Users, Computers and Groups. This allowed us to assign application permissions as needed, without altering the fundamental structure of our directory.

We liked the tools provided to help create File Sets-logical groups of applications for which permissions can be enabled or blocked. Administrators can apply per-application rules to allow, deny, run as administrator or run with limited privileges.

Unlike PMAS, Protection Manager adds only the administrator security token; it does not provide the ability to assign and adjust specific privileges. We found Protection Managers broad strokes sufficient for the applications we tested against, but administrators are likely to find situations where PMAS-like granularity is needed or desired.

To help organize security across many Roles, we found it helpful to create a base line policy of all commonly acceptable applications in our base client image. We then created and applied additional, highly specific policies to deal with applications used by subsets of our user population.

An agent must be installed on each managed client (agents can be installed only on Microsoft Windows 2000-, Windows XP- and Windows Server 2003-based machines), and Protection Manager provides integrated tools to push the agent to workstations in the Active Directory domain-provided the workstation can be contacted on the common Microsoft networking ports. We also needed to make sure the agent and central console could communicate on TCP ports 52388 and 52389.

From the console, we triggered a desktop scan, which indexes each managed workstations hard drive to inventory all found executables. This scan causes significant disk and CPU utilization on the client and is best performed outside peak usage hours.

The results of the scan are coalesced in the console's Application Browser. During tests, the Application Browser offered multiple views of the thousands of executables found across our network, organizing applications according to file system location, company, signer, owner or host computer.

From the Application Browser, we could then click and drag groups of applications to a new File Set, specifying whether Protection Manager should identify applications by specific location, hash or signer. Unlike PMAS, Protection Manager does not offer privilege escalation for ActiveX controls or MSI (Microsoft System Installer) installation packages.