In Unix it is important that there be multiple levels of administrator rights, and managing that with group permissions is pretty awkward. I recall wondering why there was not such a utility for Windows since, arguably, Windows has the same challenges with administrator rights in spades.
Well, there is just exactly that program. It comes from BeyondTrust and is called Privilege Manager. The solution does exactly what I wanted a product such as this to do: allow assignment of specific admin privileges on a very granular basis.
In a nutshell, BeyondTrust Privilege Manager enables the enforcement of least privilege, one of the mainstays of information assurance.
First, and most noticeable, is that this product truly is an enterprise-wide implementation. It is policy driven and the policy management is simple. Policies that apply down to the individual application level are easy to set up and deploy. When you set a policy for managing an application – which includes allowing the application to run at whatever privilege level it needs without requiring the user to hold that level of user rights – you can defeat application spoofing by identifying the application by its SHA-1 hash rather than its filename.
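The hash-versus-filename point above is the one that matters most for defenders, so here is an added illustration of it; this is example code written for this review, not BeyondTrust's code or its policy format. The policy schema, the "installer" byte strings and the file names are all constructed for the demonstration. It pins a rule to the SHA-1 of a known-good build, as the product did in its day, and evaluates the same three files against both a filename rule and a hash rule: the unmodified program, the same program renamed, and a modified file that keeps the original name. A current implementation would use SHA-256 in the same role, since SHA-1 is no longer collision resistant; the structure of the check is unchanged.

```python
"""Hash-keyed vs. filename-keyed application policy (added example, not vendor code)."""
import hashlib
import os
import tempfile

# Constructed sample "executable" contents; no real binaries are involved.
SAMPLE_APP = b"MZ\x90\x00 constructed sample installer image, build 1"
TAMPERED_APP = b"MZ\x90\x00 constructed sample installer image, build 1 + injected"

CHUNK = 64 * 1024


def sha1_of_bytes(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: str) -> str:
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def make_policy(rule_name: str, known_good: bytes, elevate: bool = True) -> dict:
    """A rule pinned to the hash of a known-good build (hypothetical schema)."""
    return {"rule": rule_name, "sha1": sha1_of_bytes(known_good), "elevate": elevate}


def evaluate_by_name(path: str, allowed_names: set) -> dict:
    """The weak design: trust whatever file happens to carry an allowed name."""
    name = os.path.basename(path).lower()
    ok = name in allowed_names
    return {"allowed": ok, "elevate": ok,
            "reason": f"filename {name!r} {'matches' if ok else 'not in'} allowlist"}


def evaluate_by_hash(path: str, policies: list) -> dict:
    """The hardened design: identify the program by its content hash."""
    digest = sha1_of_file(path)
    for rule in policies:
        if rule["sha1"] == digest:
            return {"allowed": True, "elevate": rule["elevate"],
                    "rule": rule["rule"], "reason": "hash match"}
    return {"allowed": False, "elevate": False, "rule": None,
            "reason": f"no rule for sha1 {digest[:12]}..."}


def demo() -> dict:
    """Run both evaluators over three constructed files and return the decisions."""
    results = {}
    policies = [make_policy("Sample Installer", SAMPLE_APP)]
    allowed_names = {"setup.exe"}
    with tempfile.TemporaryDirectory() as d:
        cases = {
            "original": ("setup.exe", SAMPLE_APP),
            "renamed": ("notepad.exe", SAMPLE_APP),   # same program, different name
            "tampered": ("setup.exe", TAMPERED_APP),  # same name, modified content
        }
        for label, (fname, content) in cases.items():
            p = os.path.join(d, fname)
            with open(p, "wb") as f:
                f.write(content)
            results[label] = {"by_name": evaluate_by_name(p, allowed_names),
                              "by_hash": evaluate_by_hash(p, policies)}
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label:9} name-rule allowed={str(r['by_name']['allowed']):5} "
              f"hash-rule allowed={r['by_hash']['allowed']}")
```

The renamed copy passes the hash rule because it is the same bytes, while the tampered file fails it even though its name is on the allowlist; the filename rule gets both of those cases backwards, which is exactly the spoofing problem the review describes.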
Policies can apply to installers, updaters or folders, as well as applications. This includes specific ActiveX installations. It is possible to allow specific ActiveX programs to be installed without allowing all ActiveX programs to install. The user need not have the rights to install ActiveX programs. This feature can improve security at the endpoint markedly.
Probably the most impressive features in Privilege Manager center on Vista’s User Account Control (UAC). My knee-jerk reaction was that since Vista does some of the things that Privilege Manager does, why do I need Privilege Manager? The answer is pretty straightforward. So straightforward, in fact, that even Microsoft has praised the product for adding significant functionality to Vista.
The answer is that the tool adds important functionality to UAC. Most significant is that without Privilege Manager, UAC cannot let non-administrators perform administrator tasks without upgrading their privilege levels by having access to administrator credentials. That capability is the heart and soul of the BeyondTrust product.
The tool consists of two pieces: the Privilege Manager and the Privilege Manager Client. Documentation addresses both the ongoing management of the system and the initial deployment. The user guide covers routine management, such as policy development. A nice feature of the user guide is the troubleshooting section. I particularly liked the section on what to do if the rules are not working. In my experience, this can be one of the most frustrating aspects of policy-driven products. You go to the trouble of creating policies and then the product behaves as if the new policy simply is not there.
Privilege Manager is the flagship product of BeyondTrust and is priced very reasonably given what it does. The company has an excellent website with lots of information to help users and prospective buyers alike. In addition to sales information, current users can download product documentation and the current release of the software.
Support is excellent. In addition to a support forum and a knowledge base, users can open a trouble ticket online or contact the vendor directly.
If you are managing a large Windows deployment – whether Win 2K, XP or Vista – your organization can benefit from BeyondTrust Privilege Manager. Once the product is deployed, you no longer will need to sacrifice security for a manageable workload at the help desk.
Product: Privilege Manager v. 3.5
Company: BeyondTrust, www.beyondtrust.com
Price: Starts at $30 per seat
What it does: Enforces least privilege in a Microsoft Windows environment
What we liked: The idea of enforcing least privilege is of key importance in securing the enterprise. This product provides that capability for Windows, and even adds functionality to Vista.
What we didn’t like: Nothing. The product tested well, was easy to deploy and manage, and is priced reasonably.