Rollout: BeyondTrust Privilege Manager 3.0

Software helps protect enterprise PCs from unwanted software and malware by managing administrative rights for users.

April 13, 2007

6 Min Read

The Upshot

Claim
BeyondTrust Privilege Manager 3.0 aims to make it easier for administrators to enforce least privilege on user PCs. Least privilege can prevent malware or unwanted software from being installed on corporate machines. Privilege Manager uses Group Policy to deploy rules to Windows 2000, 2003, XP and Vista clients.
Context
Other least-privilege enforcement options are scant. Vista builds limited user-privilege controls into the OS. For older Windows OSs, Windows utilities such as Run As leave privilege management in users' hands. Freeware, such as DropMyRights, Process Explorer and Sudowin, lack administrative management.
Credibility
Privilege Manager provides a solid solution for enforcing least privilege across the enterprise--provided you're using Active Directory. However, administrators may find themselves tweaking rules each time they update software and fielding more helpdesk calls from thwarted users.

BeyondTrust Privilege Manager 3.0

Perhaps the simplest way to prevent malware from infecting user PCs is to operate those machines under the principle of least privilege. Least privilege restricts programs to only those system resources they need and only when they need them. It also means new programs can't self-install (or be installed by users), effectively locking out most malware.

However, using Windows machines with least privilege can be painful. Users tend to run as administrator because many applications require administrator rights to function, and because users have a legitimate need to perform tasks that require elevated privileges.

Enter BeyondTrust's Privilege Manager 3.0. This software provides rules-based privilege elevation. These rules are deployed over Microsoft's Group Policy and let administrator-defined programs and settings run with elevated privileges as needed on Windows Vista, XP, 2003 and 2000.

Privilege Manager isn't the only option for least privilege, but other methods lack management capabilities and require a high degree of user cooperation.

The Privileged Class

The greatest hurdle to implementing least privilege on the Windows platform is the number of applications that run only with administrative privileges. Also, users often need to install ActiveX controls or application add-ons that only function with full rights. And let's not forget mobile users who need to connect to secure wireless networks, install printers or--heaven forbid--change their power-management settings.

Privilege Manager 3.0, a kernel-mode driver, gets around these problems by adjusting privileges on the fly according to administrator-defined rules. Changes to privileges are transparent to the user; there's no need to change accounts or respond to a pop-up window.

New to the software is compatibility with 32- and 64-bit versions of Windows. And because the software supports multiple Windows OSs, Privilege Manager can serve as a unified user-rights elevation program. Note that you must use Active Directory to deploy and manage rules.

Administrators create rules for client deployment using an extension installed into the Group Policy Object Editor. Active Directory administrators familiar with Group Policy should have no problem creating and deploying rules. Rules can be based on a specific path to an executable, the hash of a file, or a folder. The folder rule is quite useful for creating a bucket where administrators can place approved installation software; the user's rights are then elevated to allow those installs.

Privilege Manager can filter administrator-defined rules based on myriad conditions. This gives IT great flexibility over how and when elevated privileges are applied. Administrators can set a rule that lets mobile users adjust the time zone settings on their notebooks when they are disconnected from the corporate network, for instance.
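To make the three rule kinds and the condition filter concrete, here is a small Python model of the decision an elevation agent has to make for each program launch. It is an added illustration written for this review, not BeyondTrust's code or its rule format: the `LaunchRequest`, `Rule` and `elevation_decision` names are invented, the sample rules and installer bytes are constructed, and the `rundll32.exe shell32.dll,Control_RunDLL timedate.cpl` argument string is the conventional Windows way to open the Date and Time dialog, supplied here from general Windows knowledge rather than from the product's command builder.

```python
import hashlib
import ntpath
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class LaunchRequest:
    """What a client-side agent knows when a program is about to start (constructed model)."""
    exe_path: str          # full path of the executable
    args: str              # command-line arguments, e.g. a rundll32 control-panel invocation
    exe_bytes: bytes       # file content, so a hash rule can be checked
    on_corp_network: bool  # example condition input


Condition = Callable[[LaunchRequest], bool]


@dataclass
class Rule:
    """One elevation rule: kind is 'path', 'hash' or 'folder' (hypothetical schema)."""
    name: str
    kind: str
    value: str                         # exact path, hex SHA-256, or folder prefix
    args: Optional[str] = None         # path rules only: required argument string (None = any)
    conditions: List[Condition] = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _norm_path(p: str) -> str:
    # Windows paths are case-insensitive; collapse '.' and '..' before comparing so a
    # folder rule cannot be satisfied by a path that climbs back out of the folder.
    return ntpath.normpath(p).lower()


def _norm_args(a: str) -> str:
    return " ".join(a.split()).lower()


def rule_matches(rule: Rule, req: LaunchRequest) -> bool:
    if rule.kind == "path":
        matched = _norm_path(req.exe_path) == _norm_path(rule.value)
        if matched and rule.args is not None:
            matched = _norm_args(req.args) == _norm_args(rule.args)
    elif rule.kind == "hash":
        matched = sha256_hex(req.exe_bytes) == rule.value.lower()
    elif rule.kind == "folder":
        folder = _norm_path(rule.value).rstrip("\\") + "\\"
        matched = _norm_path(req.exe_path).startswith(folder)
    else:
        raise ValueError(f"unknown rule kind: {rule.kind!r}")
    # Every attached condition must also hold (e.g. the client is off the corporate network).
    return matched and all(cond(req) for cond in rule.conditions)


def elevation_decision(rules: List[Rule], req: LaunchRequest) -> Optional[str]:
    """Name of the first rule that grants elevation, or None: run with the user's own rights."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule.name
    return None


# Constructed sample data: a fake installer image and one rule of each kind.
APPROVED_INSTALLER = b"MZ\x90\x00 constructed installer image, not a real PE file"
SAMPLE_RULES = [
    Rule("approved-installs folder", "folder", r"C:\ProgramData\ApprovedInstalls"),
    Rule("vendor tool by hash", "hash", sha256_hex(APPROVED_INSTALLER)),
    Rule("time zone when off-network", "path", r"C:\Windows\System32\rundll32.exe",
         args="shell32.dll,Control_RunDLL timedate.cpl",
         conditions=[lambda r: not r.on_corp_network]),
]


if __name__ == "__main__":
    demo = LaunchRequest(r"C:\ProgramData\ApprovedInstalls\Setup.exe", "", b"other", True)
    print(elevation_decision(SAMPLE_RULES, demo))  # approved-installs folder
```

Two design points carry over to any real deployment. A path or folder rule trusts the location of a file, so the folder used as the approved-installs bucket must be writable only by administrators, and the agent must normalise the path before the prefix check. A hash rule trusts the content instead, which is stronger, but every software update changes the hash and therefore needs a new rule; that is the rule-tweaking overhead mentioned above.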

To help administrators enumerate which command-line process launches any one of the multitude of system and control panel settings in XP and Vista, Privilege Manager's path rule includes a command builder that lists obscure rundll32.exe commands. However, this means BeyondTrust is always playing catch-up to the ever-growing set of system settings and changes released with every Microsoft service pack.

In prior versions of Privilege Manager, if the setting you wanted to configure wasn't on the list, you had to figure it out on your own. Now the latest version includes a useful utility called Policy Monitor. Administrators can run Policy Monitor interactively on domain workstations to discover the command name and arguments required to launch a system settings dialog, which can then be used to create a rule in the Group Policy editor.


[Figure: Authentication Benefits]

Second Best

There are other options for implementing least privilege, but each has significant drawbacks.

Windows Vista includes a new privilege-elevation feature, User Account Control (UAC), which starts users with limited privileges, then elevates those privileges as required. UAC indicates that Microsoft is taking the least-privilege issue seriously. Eventually--perhaps with Longhorn--we'll see a greater degree of manageability. But, for now, the technology lacks granularity; administrators can't specify by user which tasks should receive elevated privileges. Users also have to confirm privilege changes by responding to pop-up dialog boxes, which may confuse, alarm or annoy them. And UAC simply isn't an option for organizations that haven't migrated to the new OS.

Windows XP includes a Run As utility that lets users create accounts with different privilege levels, but they must switch from one account to another manually.

Freeware, such as Process Explorer, from Windows experts Mark Russinovich and Bryce Cogswell, will run programs with limited rights. But Process Explorer requires that the user explicitly choose to run programs with limited privileges. DropMyRights, from Microsoft developer Michael Howard, lets users or administrators designate a set of applications to run with limited rights and applies those settings each time the user launches the applications. However, neither of these options can be centrally managed.

Other programs mimic sudo, a Unix program that lets users run programs with superuser privileges. Sudowin, for example, elevates the rights of a user based on the settings in an XML file stored on the user's desktop. But users must reauthenticate to execute the elevated command, and Sudowin lacks administrative management.

Elevation

We're implementing least privilege here at the School of Information Studies. We used to have at least one malware infection every week. We haven't had one since we took away administrator rights six weeks ago.

Of course, restricting privileges, regardless of the tool, will always be a work in progress. Administrators must balance security with user productivity, and be prepared to tweak rules--or explain the concept of least privilege--when users call the helpdesk.

That said, if your organization wants to get serious about managing user rights, check out BeyondTrust's Privilege Manager 3.0. At around $30 per user for a perpetual license, it provides IT with a manageable and affordable solution for enabling least privilege.

Michael Fudge Jr. is a systems administrator for the iSchool at Syracuse University. Write to him at [email protected].
