Desktop Standard Corp. on Monday will fill a big hole in IT's ability to secure desktops when it releases an upgrade to its PMAS (Policy Maker Application Security) software.
Version 2.0 of the Microsoft Active Directory Group Policy extension enables desktop administrators to implement the principle of least privilege on Windows desktops and notebooks. It does that by allowing administrators to raise and lower permissions on a per-application basis.
Many current and legacy Windows-based applications require raised permissions to install and execute.
Most IT organizations respond by giving users running those applications local administrator rights, rather than the more restricted user rights. But local administrator privileges also allow users to change their machines' configurations and install software.
“The ability to define access policies against applications that may require some level of local administrative privileges, while still maintaining the concept of least privileges, is a problem that many organizations face,” said Amrit Williams, industry analyst with Gartner Inc. in San Jose, Calif.
Desktop Standard's CTO Eric Voskuil estimated that 70 percent to 80 percent of malware assumes the user will have local administrator rights.
Using Microsoft's Group Policy Management Console and the add-on PMAS, administrators can raise or lower permissions on a per-application or per-task basis.
It eliminates the requirement to give users complete local administrator rights in order to run applications that require that privilege level.
“Ideally you'd like users to run with user privileges so that you can prevent them from compromising their own security by adding software that's not allowed,” said Peter Firstbrook, research director at Gartner Inc. in Toronto, Canada.
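The exposure described above is accounts holding full local administrator rights. As an added example, not code from the article or from Desktop Standard, the following PowerShell audits the local Administrators group on a machine and flags every member that is not the built-in Administrator or Domain Admins; it assumes PowerShell 5.1 or later (the Microsoft.PowerShell.LocalAccounts module) run with administrative rights, and the allow-list of expected principals is a placeholder to adjust per environment.

```powershell
# Added example: report who holds local administrator rights on this machine.
# Assumes PowerShell 5.1+ with Get-LocalGroupMember available and an elevated session.

# SID suffixes (RIDs) of principals expected in Administrators; everything else is
# a least-privilege finding. Placeholder list, extend for your environment.
$ExpectedAdminSuffixes = @(
    '-500',   # built-in local Administrator account
    '-512'    # Domain Admins
)

function Get-LocalAdminAudit {
    param([string[]]$ExpectedSuffixes = $ExpectedAdminSuffixes)

    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $sid = $_.SID.Value
        $expected = $false
        foreach ($suffix in $ExpectedSuffixes) {
            if ($sid.EndsWith($suffix)) { $expected = $true }
        }
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Principal   = $_.Name
            ObjectClass = $_.ObjectClass      # User or Group
            Source      = $_.PrincipalSource  # Local, ActiveDirectory, AzureAD
            SID         = $sid
            Expected    = $expected
        }
    }
}

# Unexpected entries are the users (or groups of users) granted full local admin
# rights so that legacy applications will run; each one is a candidate for
# replacing blanket admin rights with per-application elevation.
Get-LocalAdminAudit | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

Run across a fleet with Invoke-Command and collect the output centrally to measure how many desktops still depend on blanket local administrator rights.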
“By giving software more rights than the user needs, any malicious program they accidentally run makes it easier to deeply infect the machine at the kernel level.”
The problem is compounded by the fact that most legacy applications only run with administrator privileges, and many application providers write their programs assuming that privilege level, according to Desktop Standard user Keith Brown, network administrator at Gwinnett Health System in Lawrenceville, GA.
“Depending on how it was written, a typical application works off the most privilege. Just to install an application these days requires that the user have local administrator privileges—full access to all locations on the PC and services,” he said.
“It addresses two scenarios: Raising permissions [for applications that require it] and reducing permissions for local administrators when you're doing things you don't need administrative access for,” said Voskuil.
In that context, administrators can allow users to install approved ActiveX controls while they are running Internet Explorer in restricted user privileges.
At the same time, it can reduce awkward, time-consuming workarounds for real administrators working in general applications such as Microsoft Outlook, by eliminating the need to log out and log in as a different user, or to run the Windows RunAs utility, in order to work under a second user account.
Gwinnett Health System's Brown believes Desktop Standard is unique in providing such granular permission levels.
“No one else out there is doing anything close to what they're doing. FullArmor is similar, but they don't tie it into the Group Policy Management Console the same way Desktop Standard is.”
“The ability to tie it into a single console makes it much easier to manage,” Brown said.
PMAS 2.0 is available now starting at $27 per managed desktop.
Editor's Note: This story was updated to include the comments of Gartner Inc. analyst Amrit Williams.