BeyondTrust keeps Windows users from abusing privileges

Too many organizations are still allowing most of their end-users full-time administration privileges in Windows. If you ask why the taboo practice is continuing, administrators will respond that they must allow regular end-users to install software and to make basic system configuration changes. Yet these very tasks also put end-users at risk for malicious exploitation.

[ BeyondTrustPrivilege Manager 3.0 was selected for an InfoWorld Technology of the Year award. See the slideshow to view all the winners in the security category. ]

The vast majority of today's malware attacks work by inducing the end-user to run a rogue executable, via file attachments, embedded links, and other associated social engineering tricks. Although privileged access isn't always needed to accomplish rogue behavior, it makes the job significantly easier, and the vast majority of malware is written to require it.

Vista brings some new security tools to the table, most notably UAC (User Access Control), but even with that feature end-users need privileged credentials to accomplish administrative tasks such as installing software, changing system configuration, and the like. And what to do about previous Windows versions?

Enter BeyondTrust'sPrivilege Manager, which bridges the gap by allowing many network administrators to enforce stronger best practice security standards across Windows 2000, 2003, and XP. The software lets administrators define various elevated tasks that end-users can perform without needing elevated credentials. It can also reduce the privileges given to users, including administrators, when they run selected processes (Outlook, Internet Explorer), mimicking the functionality of Vista's UAC or Internet Explorer 7's Protected Mode (albeit using different mechanisms).

Privilege Manager works as a group policy extension (which is great because you can manage it with your normal Active Directory tools) by executing predefined processes with an alternate security context, assisted by a kernel-mode, client-side driver. The driver and client-side extensions are installed using a single MSI (Microsoft installer) package, which can be installed manually or via another software-distribution method.

A user-mode component intercepts client process requests. If the process or application is previously defined by a Privilege Manager rule stored within an effective GPO (Group Policy Object), the system replaces the process or application's normal security access token with a new one; alternatively, it can add to or remove from the token SIDs (security identifiers) or privileges. Beyond those few changes, Privilege Manager does not modify any other Window security process. In my opinion, this is a brilliant way to manipulate security because it means administrators can rely on the rest of Windows to function normally.

The Privilege Manager group policy snap-in must be installed on one or more computers that will be used to edit the related GPOs. Client-side and GPO management software comes in both 32- and 64-bit versions.

Installation instructions are clear and accurate, with just enough screenshots. Installation is simple and unproblematic but requires a reboot (which is a consideration when installing on servers). The required client-side install software package is stored on the installation computer in default folders to aid in distribution.

After the installation, administrators will find two new OUs (organizational units) when editing a GPO. One is called Computer Security under the Computer Configuration leaf; the other is called User Security under the User Configuration node.

Administrators create new rules based on a program's path, hash, or folder location. You can also point to specific MSI paths or folders, designate a particular ActiveX control (by URL, name, or class SID), select a particular control panel applet, or even designate a specific running process. Permissions and privileges can be added or removed.

Each rule can be additionally filtered to apply only to machines or users which fit a certain criteria (computer name, RAM, disk space, time range, OS, language, file match, etc.). This filtering is in addition to the normal WMI (Windows Management Interface) filtering of Active Directory GPOs, and can apply to pre-Windows XP computers.

A common rule, one most organizations would find immediately useful, grants the ability to copy all authorized application-installation files to a shared, common company folder. Then using Privilege Manager, you can create a rule that runs any program stored in the folder in the Administrator context for easy installs. Elevated permissions can be given only during the program's initial installation or anytime it is executed. If a process fails to run, the system can present a customized link that opens an already filled-in e-mail containing relevant facts to the incident, which the end-user can send to the help desk.

A common concern among security analysts with similar elevation programs is the potential risk for an end-user to start a defined elevated process and then use the elevated process to gain additional unauthorized and unintended access. BeyondTrust has spent considerable effort to ensure that elevated processes stay isolated. By default, child processes started in the context of elevated parent processes do not inherit the parent's elevated security context (unless specifically configured to do so by the administrator).

My limited tests at gaining elevated command prompts, drawn from 10 years of penetration-testing experience, did not work. I tested more than a dozen different rule types and recorded the resulting security context and privileges using Microsoft's Process Explorer utility. In every instance, the expected security result was confirmed.

But suppose that there are limited instances in which Privilege Manager can be used for unauthorized privilege escalation. In the environments that specifically would benefit from this product, everyone is probably already logged in as administrator without a product of this type. Privilege Manager decreases that risk by allowing only the very skilled few a chance to gain administrator access.

My only negative comment applies to the pricing model. First it is separated by user or computer, then by licensed container, and finally the seat pricing is per active object in a covered OU, whether or not the object is impacted by Privilege Manager. Plus the license count is checked and updated daily. It's the only thing overly complicated in an otherwise unblemished product. (Pricing starts at $30 per active computer or user object in the licensed container and sub-containers.)

If you want the strongest security possible, don't allow your users to be logged in as Administrator or to run elevated tasks (including using Privilege Manager). However, for many environments Privilege Manager is a solid, quick solution for decreasing the risks associated with regular end-users acting as administrators.

InfoWorld Scorecard	Setup (10.0%)	User access control (40.0%)	Value (8.0%)	Scalability (20.0%)	Management (20.0%)	Overall Score (100%)
BeyondTrust Privilege Manager 3.0	9.0	9.0	10.0	10.0	10.0	9.3