FullArmor Seals Active Directory Rift

The administration tool provider's latest release of IntelliPolicy for Clients enhances security by allowing more granular application privileges in Microsoft's Group Policy function.

Desktop administration tool provider FullArmor Corp. next week will further extend the features of Microsoft Corp.s Active Directorys Group Policy function to reduce security vulnerabilities.

The latest release of IntelliPolicy for Clients fills a security gap in Active Directorys Group Policy by extending it to provide more granular application privileges than Group Policys basic local administrator, power user and user designations.

Because many legacy applications require local administrator rights to run properly in an Active Directory environment, "a lot of corporate customers were giving users access they shouldnt have, just to be able to run these legacy applications," said Danny Kim, chief technology officer of the Boston-based company.

In IntelliPolicy for Clients 1.5, "we let you specify the legacy applications, and we can elevate rights of the application dynamically through policy but allow the user to stay in as a nonprivileged user," Kim said.

That functionality competes with a similar capability provided by rival DesktopStandard Corp.s PolicyMaker Application Security utility.

Along with centrally assigning those specific privileges, the new release can allow IT administrators to assign applications that dont require restricted access to run under Group Policys least privilege.

For applications such as Microsofts Outlook and Internet Explorer, "you dont want those to run as local administrator; you just want to run the local context. That way, viruses can only infect the local machine and keep it from overwriting system files," said Kim.

Version 1.5 also allows IT operators to centrally define Outlook profiles to better lock down Outlook clients without having to write scripts or use Active Directory templates.

"You can point to all users or machines and say, Give these sets of users these profiles, or you can erase deleted items to save space, or you can create security policies for attachments—all configured through Group Policy," said Kim.

The new release also lets administrators lock down USB ports selectively by user and by group to better secure corporate data.

Finally, IntelliPolicy for Clients 1.5 allows administrators to automatically reset local administrator passwords.

The capability lets users set different passwords for different sets of users and store the passwords in a database for centralized management.

The release will be available this week and will start at $7 per managed PC running Windows 2000 or higher.