BeyondTrust is all about solving problems that perplexed me six years ago. And I mean that as a compliment, since no one else has really addressed those problems in all this time.
Before I came to eWEEK in 2003, I worked at an IT consulting firm serving small businesses in and around San Francisco. One of our hallmarks was an early encouragement of the practice that later became known as “Least Privileged User.” Basically, we persuaded a lot of clients to have their users run only with local User permissions, rather than with Administrator rights.
As a result, our customers had a lot less trouble with viruses, spyware or unwanted applications. Of course, we also had to make work all the applications they needed to use on a day-to-day basis–and we ran into hundreds of applications that wanted Administrator rights, often for pretty banal reasons (“We write our preferences file in the c:Windows directory!”)
Identifying those applications that would have a permissions problem was kind of a crapshoot and I spent hundreds of (nonbillable) hours poking around various apps and watching other people over their shoulders. It was hardly an effective way to identify troublesome apps, but there wasn’t a tool to do it, and it was bad PR for a customer to find them before we did.
And I don’t even want to talk about the various things we did to actually fix the permissions problems once we discovered them. Kludgy does not even begin to describe that process.
Of course, BeyondTrust (along with a couple other companies that don’t really exist anymore) helped solve the “fix” problem a couple years ago with its Privilege Manager product (formerly known as Desktop Standard’s PolicyMaker Application Security). And now, finally, BeyondTrust is trying to solve the identification and location problem with a new product called BeyondTrust Application Rights Auditor.
Of course, Microsoft has offered a tool kit for a while that allows individual scanning of applications for permissions issues, but that solution didn’t really scale well for companies with a large application base, particularly one already deployed and in use.
With Applications Rights Auditor, BeyondTrust is looking to fill that gap. And it’s free (as in beer).
The product gets deployed to a representative sample of desktops throughout an enterprise, for a two-pronged search for applications needing administrative rights. The client software first performs an inventory to identify all executable applications on each machine. The findings are then transmitted to BeyondTrust’s repository, where the found applications are compared against a database of known applications and versions.
For applications that are not already in BeyondTrust’s database, the client software continuously monitors an unknown application as it is being used, recording and flagging specifically when (and what) Administrator privilege is required.
Administrators can then look at the inventory results of the two types of scans and run reports for individual clients or the collective to see what applications will need permissions help in a move to Least Privilege. Because all the data is stored on BeyondTrust’s network, there is no need to install a local database or application server, so it should be pretty easy to get started quickly.
The hosted model scared me a little bit, for security and privacy reasons, but the folks at BeyondTrust assured me that each customer has its own unique certificate that gets generated when the customer first acquires the code. All of the agents deployed within a company transmit their data with the certificate, so all the information should be isolated from other companies’ data.
Unfortunately, BeyondTrust has not yet decided to take the additional steps to make Application Rights Auditor even more valuable. Since it is collecting information specific to applications that are already in use, it makes sense that one should be able to automatically create policies based on the information provided by Auditor in order get going quickly with Privilege Manager. But of course, you can’t yet do that.