Full Armor Extends Security of Microsoft's Group Policy

IntelliPolicy for Clients 1.5 fills a security gap in Active Directory's Group Policy by extending it to provide more granular application privileges than Group Policy's basic local administrator, power user and user designations.

Desktop administration tool provider Full Armor Corp. next week will further extend the features of Microsoft Corp.'s Active Directory Group Policy function to reduce security vulnerabilities.

The latest release of IntelliPolicy for Clients fills a security gap in Active Directory's Group Policy by extending it to provide more granular application privileges than Group Policy's basic local administrator, power user and user designations.

Because many legacy applications require local administrator rights in order to run properly in an Active Directory environment, "a lot of corporate customers were giving users access they shouldn't have, just to be able to run these legacy applications," said Danny Kim, chief technology officer of the Boston-based company.

In IntelliPolicy for Clients 1.5, "we let you specify the legacy applications and we can elevate rights of the application dynamically through policy, but allow the user to stay in as a non-privileged user," he said.

That functionality competes with a similar capability provided by rival DesktopStandard Corp. in its PolicyMaker Application Security utility.

Along with centrally assigning those specific privileges, the new release can allow IT administrators to assign applications that don't require restricted access to run under Group Policy's least privilege.

For applications such as Outlook, Internet Explorer and Office, "you don't want those to run as local administrator, you just want to run the local context. That way viruses can only infect the local machine and keep it from overwriting system files," said Kim.



Version 1.5 also allows IT operators to centrally define Outlook profiles to better "lock down" Outlook clients without having to write scripts or use Active Directory templates. "You can point to all users or machines and say, 'Give these sets of users these profiles,' or you can erase deleted items to save space, or you can create security policies for attachments—all configured through Group Policy," said Kim.

The new release also allows administrators to lock down USB ports selectively by user and by group to better secure corporate data.

Finally, IntelliPolicy for Clients 1.5 now allows administrators to automatically reset local administrator passwords. The capability allows users to set different passwords for different sets of users and store the passwords in a database for centralized management.

The release will be available on Tuesday and will start at $7 per managed PC running Windows 2000 or higher.

