Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Latest News
    • Reviews

    Expanding the Reach of Least User Privilege

    By
    Andrew Garcia
    -
    May 6, 2008
    Share
    Facebook
    Twitter
    Linkedin

      For several years, I’ve been a big proponent of operating Windows-based desktop computers in a Least User Privilege mode, removing Administrator (or Power User) rights from end users so they cannot install unapproved applications (or unwanted malware). However, instituting such a policy throughout an enterprise is not the easiest thing in the world because many applications still require administrative rights to run correctly and some power users need to do more (unpredictable) things to their computers than the average user.

      BeyondTrust addressed the first problem a few years ago with its Privilege Manager application (formerly known as DesktopStandard’s PolicyMaker Application Security), which helps administrators change the privileges token of a process or application via centralized policy-based controls. This allows, in a nutshell, a limited rights user to run certain preapproved applications with administrative rights on those applications only.

      In the years since the product first came to market, BeyondTrust has heard about the second problem many times. According to a survey the company conducted among its customers, two-thirds of those asked had been able to remove administrator privileges from 90 to 100 percent of the users in their organization. Of the remaining third of its customers, however, BeyondTrust found that special use cases — users such as system administrators or developers, or laptop computer users — were generating too many support calls to be effectively pulled into the Least User Privilege initiative.

      As a response, the latest iteration of Privilege Manger looks to squarely address those special use cases, as Version 4.0 adds a series of new features aimed at easing administration amid the unpredictability generated by these users.

      First of all, Privilege Manager adds another way for administrators to batch-approve software from a particular vendor. Administrators can approve rights escalation for applications or installation packages based on the digital certificate used to sign the code. An administrator can simply allow the system to escalate rights for any Microsoft signed application, for instance.

      With Privilege Manager 4.0, administrators can also approve privilege escalation for software that comes from a particular CD or DVD, as administrators can approve the serial number of a particular piece of media. This allows administrators to control the flow of new software installations in remote instances, sending out a preapproved disk full of new applications or updated versions of existing ones.

      The best news for users, however, is that Privilege Manger 4.0 allows approved users to perform on-the-fly exemptions at their discretion. Users can right-click an application or installation package, and see a new context menu item that allows a temporary privilege escalation. Administrators can audit the use of this exemption by asking the user to type in a reason for the request and by requiring the user to enter a password before the escalation can take place.

      Privilege Manager 4.0 also looks to extend some of the native features of Windows Vista. BeyondTrust already did some work in Version 3.5 to tone down the chattiness of Vista’s User Access Control feature, and now in Version 4.0, BeyondTrust has extended the security afforded by Vista Integrity Levels to applications other than Internet Explorer. In essence, with Vista Integrity Levels, a process with Low Integrity cannot interact with processes rated Medium or High Integrity (but a High Integrity process can interact with anything with a lower rating). According to BeyondTrust representatives, a standard Vista user will normally run all applications with a Medium Integrity level — except for Internet Explorer, which operates with a Low Integrity level (enabling IE Protected Mode).

      In a WebEx demonstration, BeyondTrust engineers showed me that the Integrity Level protection could be extended via policy to any other Internet-facing application, so administrators could lock down the behavior of Mozilla’s Firefox browser in the same way that IE is protected.

      Avatar
      Andrew Garcia
      Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for eWEEK.com, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at [email protected]

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Information

      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×