Too many organizations are still allowing most of their end-users full-time administration privileges in Windows. If you ask why the taboo practice is continuing, administrators will respond that they must allow regular end-users to install software and to make basic system configuration changes. Yet these very tasks also put end-users at risk for malicious exploitation.

The Bottom Line BeyondTrust Privilege Manager 3.0 BeyondTrust, http://beyondtrust.com Excellent  9.3 criteria score weight User access control 9 40% Management 10 20% Scalability 10 20% Setup 9 10% Value 10 8% Cost: Starts at $30 per active computer or user object in the licensed container and sub-containers Platforms: Fully patched versions of Windows 2000 or later Bottom Line: If you're a Windows shop that insists on the insecure practice of granting users Administrator privileges so they can install software and make configuration changes, BeyondTrust Privilege Manager 3.0 is a great solution for keeping their activities in check. It not only boasts granular controls for defining elevated tasks, it also integrates well with Active Directory. The only real drawback is the pricing model. About our Reviews and Scoring Methodology

[ BeyondTrustPrivilege Manager 3.0 was selected for an InfoWorld Technology of the Year award. See the slideshow to view all the winners in the security category. ]

Click for larger view.

The vast majority of today's malware attacks work by inducing the end-user to run a rogue executable, via file attachments, embedded links, and other associated social engineering tricks. Although privileged access isn't always needed to accomplish rogue behavior, it makes the job significantly easier, and the vast majority of malware is written to require it.

Vista brings some new security tools to the table, most notably UAC (User Access Control), but even with that feature end-users need privileged credentials to accomplish administrative tasks such as installing software, changing system configuration, and the like. And what to do about previous Windows versions?

Enter BeyondTrust'sPrivilege Manager, which bridges the gap by allowing many network administrators to enforce stronger best practice security standards across Windows 2000, 2003, and XP. The software lets administrators define various elevated tasks that end-users can perform without needing elevated credentials. It can also reduce the privileges given to users, including administrators, when they run selected processes (Outlook, Internet Explorer), mimicking the functionality of Vista's UAC or Internet Explorer 7's Protected Mode (albeit using different mechanisms).

Privilege Manager works as a group policy extension (which is great because you can manage it with your normal Active Directory tools) by executing predefined processes with an alternate security context, assisted by a kernel-mode, client-side driver. The driver and client-side extensions are installed using a single MSI (Microsoft installer) package, which can be installed manually or via another software-distribution method.

A user-mode component intercepts client process requests. If the process or application is previously defined by a Privilege Manager rule stored within an effective GPO (Group Policy Object), the system replaces the process or application's normal security access token with a new one; alternatively, it can add to or remove from the token SIDs (security identifiers) or privileges. Beyond those few changes, Privilege Manager does not modify any other Window security process. In my opinion, this is a brilliant way to manipulate security because it means administrators can rely on the rest of Windows to function normally.

The Privilege Manager group policy snap-in must be installed on one or more computers that will be used to edit the related GPOs. Client-side and GPO management software comes in both 32- and 64-bit versions.

Installation instructions are clear and accurate, with just enough screenshots. Installation is simple and unproblematic but requires a reboot (which is a consideration when installing on servers). The required client-side install software package is stored on the installation computer in default folders to aid in distribution.

After the installation, administrators will find two new OUs (organizational units) when editing a GPO. One is called Computer Security under the Computer Configuration leaf; the other is called User Security under the User Configuration node.

Administrators create new rules based on a program's path, hash, or folder location. You can also point to specific MSI paths or folders, designate a particular ActiveX control (by URL, name, or class SID), select a particular control panel applet, or even designate a specific running process. Permissions and privileges can be added or removed.

Each rule can be additionally filtered to apply only to machines or users which fit a certain criteria (computer name, RAM, disk space, time range, OS, language, file match, etc.). This filtering is in addition to the normal WMI (Windows Management Interface) filtering of Active Directory GPOs, and can apply to pre-Windows XP computers.