BeyondTrust keeps Windows users from abusing privileges
Solution reduces security risks by limiting admin powers granted to end-usersFollow @rogeragrimes
The Privilege Manager group policy snap-in must be installed on one or more computers that will be used to edit the related GPOs. Client-side and GPO management software comes in both 32- and 64-bit versions.
Installation instructions are clear and accurate, with just enough screenshots. Installation is simple and unproblematic but requires a reboot (which is a consideration when installing on servers). The required client-side install software package is stored on the installation computer in default folders to aid in distribution.
After the installation, administrators will find two new OUs (organizational units) when editing a GPO. One is called Computer Security under the Computer Configuration leaf; the other is called User Security under the User Configuration node.
Administrators create new rules based on a program's path, hash, or folder location. You can also point to specific MSI paths or folders, designate a particular ActiveX control (by URL, name, or class SID), select a particular control panel applet, or even designate a specific running process. Permissions and privileges can be added or removed.
Each rule can be additionally filtered to apply only to machines or users which fit a certain criteria (computer name, RAM, disk space, time range, OS, language, file match, etc.). This filtering is in addition to the normal WMI (Windows Management Interface) filtering of Active Directory GPOs, and can apply to pre-Windows XP computers.
A common rule, one most organizations would find immediately useful, grants the ability to copy all authorized application-installation files to a shared, common company folder. Then using Privilege Manager, you can create a rule that runs any program stored in the folder in the Administrator context for easy installs. Elevated permissions can be given only during the program's initial installation or anytime it is executed. If a process fails to run, the system can present a customized link that opens an already filled-in e-mail containing relevant facts to the incident, which the end-user can send to the help desk.
A common concern among security analysts with similar elevation programs is the potential risk for an end-user to start a defined elevated process and then use the elevated process to gain additional unauthorized and unintended access. BeyondTrust has spent considerable effort to ensure that elevated processes stay isolated. By default, child processes started in the context of elevated parent processes do not inherit the parent's elevated security context (unless specifically configured to do so by the administrator).
My limited tests at gaining elevated command prompts, drawn from 10 years of penetration-testing experience, did not work. I tested more than a dozen different rule types and recorded the resulting security context and privileges using Microsoft's Process Explorer utility. In every instance, the expected security result was confirmed.
But suppose that there are limited instances in which Privilege Manager can be used for unauthorized privilege escalation. In the environments that specifically would benefit from this product, everyone is probably already logged in as administrator without a product of this type. Privilege Manager decreases that risk by allowing only the very skilled few a chance to gain administrator access.
My only negative comment applies to the pricing model. First it is separated by user or computer, then by licensed container, and finally the seat pricing is per active object in a covered OU, whether or not the object is impacted by Privilege Manager. Plus the license count is checked and updated daily. It's the only thing overly complicated in an otherwise unblemished product. (Pricing starts at $30 per active computer or user object in the licensed container and sub-containers.)
If you want the strongest security possible, don't allow your users to be logged in as Administrator or to run elevated tasks (including using Privilege Manager). However, for many environments Privilege Manager is a solid, quick solution for decreasing the risks associated with regular end-users acting as administrators.